Diffstat (limited to 'sys/security/mac_bsdextended')
-rw-r--r--sys/security/mac_bsdextended/mac_bsdextended.c29
1 files changed, 29 insertions, 0 deletions
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index 7fae867..e6148cc 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -445,6 +445,33 @@ mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
}
static int
+mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+ struct label *dlabel, struct vnode *vp, struct label *label,
+ struct componentname *cnp)
+{
+ struct vattr vap;
+ int error;
+
+ if (!mac_bsdextended_enabled)
+ return (0);
+
+ error = VOP_GETATTR(dvp, &vap, cred, curthread);
+ if (error)
+ return (error);
+ error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
+ if (error)
+ return (error);
+
+ error = VOP_GETATTR(vp, &vap, cred, curthread);
+ if (error)
+ return (error);
+ error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
+ if (error)
+ return (error);
+ return (0);
+}
+
+static int
mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp)
{
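Review bot: mac_bsdextended_check_vnode_link has no comment explaining why the link target `vp` is checked with VWRITE in addition to the directory `dvp`, and that is the security-relevant decision in this function. Assuming the intent is to stop a subject from giving a new name to a file whose owner the ruleset denies it write access to, I would say so above the second VOP_GETATTR, e.g. `/* Linking adds a name for vp; require write on the target as well as on the directory. */`. The local `struct vattr vap` is a struct, not a pointer, and is overwritten by the second VOP_GETATTR, so a name such as `va` would read more clearly. The closing `if (error) return (error); return (0);` can be reduced to `return (error);`.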
@@ -715,6 +742,8 @@ static struct mac_policy_op_entry mac_bsdextended_ops[] =
(macop_t)mac_bsdextended_check_vnode_getacl },
{ MAC_CHECK_VNODE_GETEXTATTR,
(macop_t)mac_bsdextended_check_vnode_getextattr },
+ { MAC_CHECK_VNODE_LINK,
+ (macop_t)mac_bsdextended_check_vnode_link },
{ MAC_CHECK_VNODE_LOOKUP,
(macop_t)mac_bsdextended_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN,