| author | Robert Watson <rwatson@FreeBSD.org> | 2002-11-19 22:12:42 +0000 |
|---|---|---|
| committer | Robert Watson <rwatson@FreeBSD.org> | 2002-11-19 22:12:42 +0000 |
| commit | a3df768b0440a12b008414eefba89fb8709bb886 (patch) | |
| tree | 27f9795d43925d8d413f84523fd30688a07d2995 /sys/kern/kern_mac.c | |
| parent | 33772a02e9e7b866714fd1ae0a30250fd2b5e957 (diff) | |
Diffstat (limited to 'sys/kern/kern_mac.c')
| -rw-r--r-- | sys/kern/kern_mac.c | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 82eded874aa3..bf6c9995420d 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -125,6 +125,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
 
+static int mac_enforce_kld = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
+ &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
+TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
+
 static int mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
 &mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -2293,6 +2298,47 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
 }
 
 int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+
+ if (!mac_enforce_kld)
+ return (0);
+
+ MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+int
+mac_check_kld_stat(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_kld)
+ return (0);
+
+ MAC_CHECK(check_kld_stat, cred);
+
+ return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_kld)
+ return (0);
+
+ MAC_CHECK(check_kld_unload, cred);
+
+ return (error);
+}
+
+int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
 int error; |
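Review bot: `security.mac.enforce_kld` is declared `CTLFLAG_RW` with no further gating, so any context allowed to write the sysctl can switch off all three kld checks this commit adds, and module loading is the operation a MAC policy would rely on to keep a privileged process from changing the running kernel. This matches the neighbouring `enforce_fs` and `enforce_network` knobs, so it appears deliberate, but the declaration deserves a comment such as `/* Setting this to 0 bypasses policy checks on kld load, stat and unload. */`. It may also be worth considering `CTLFLAG_RW | CTLFLAG_SECURE` so the toggle cannot be cleared once securelevel is raised; whether that fits the framework's intended use of these knobs cannot be judged from this hunk alone.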
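Review bot: `mac_check_kld_unload()` and `mac_check_kld_stat()` pass the policy only `cred`, so a policy can allow or deny these operations wholesale but cannot decide per module, whereas `mac_check_kld_load()` passes the vnode and `&vp->v_label`. If per-module decisions are wanted, the entry points would need the linker file or a label for it as an argument, which is cheaper to change while the hooks are new. Each function would also benefit from a short header comment stating the contract visible here: it returns 0 without consulting any policy when `mac_enforce_kld` is clear, otherwise it returns the `error` that `MAC_CHECK` produces, and for the load case `vp` must be locked by the caller. Only kern_mac.c is shown, so whether every module load path actually calls the load hook cannot be confirmed from this page.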
