authorRobert Watson <rwatson@FreeBSD.org>2007-04-21 22:08:48 +0000
committerRobert Watson <rwatson@FreeBSD.org>2007-04-21 22:08:48 +0000
commit18717f69b12e04d18ed40c7f36093d23525ebf67 (patch)
tree79040c30b241a706472da18aea9f2b933574e7c0 /sys/security/mac_mls/mac_mls.c
parentfea9ea000507c1923ce300b5111c5d4d3ac652cb (diff)
Notes
Diffstat (limited to 'sys/security/mac_mls/mac_mls.c')
-rw-r--r--sys/security/mac_mls/mac_mls.c40
1 files changed, 40 insertions, 0 deletions
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index b9001203ca83..e1cbc91d5128 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -2165,6 +2165,44 @@ mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket,
}
static int
+mac_mls_check_system_acct(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_mls_dominate_effective(obj, subj) ||
+ !mac_mls_dominate_effective(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_mls_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_mls_dominate_effective(obj, subj) ||
+ !mac_mls_dominate_effective(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
struct label *label)
{
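Review bot: Both new checks, `mac_mls_check_system_acct` and `mac_mls_check_system_auditctl`, pass `label` straight to `SLOT(label)` without checking it for NULL. If the MAC framework can call these entry points with no vnode, for example when accounting or audit is being switched off rather than pointed at a file (not visible in this hunk), that dereference would panic the kernel instead of returning a policy decision. A guard placed before `subj = SLOT(cred->cr_label);`, such as `if (label == NULL) return (0);`, would cover that path; whether the disable case should be allowed or denied is a policy choice to settle explicitly. The two bodies are also identical, and the paired `mac_mls_dominate_effective()` calls amount to requiring equal effective labels, so a short comment like `/* Subject and object labels must be equal: no read-up, no write-down. */` would make the intent clear to the next reader.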
@@ -2972,6 +3010,8 @@ static struct mac_policy_ops mac_mls_ops =
.mpo_check_socket_deliver = mac_mls_check_socket_deliver,
.mpo_check_socket_relabel = mac_mls_check_socket_relabel,
.mpo_check_socket_visible = mac_mls_check_socket_visible,
+ .mpo_check_system_acct = mac_mls_check_system_acct,
+ .mpo_check_system_auditctl = mac_mls_check_system_auditctl,
.mpo_check_system_swapon = mac_mls_check_system_swapon,
.mpo_check_vnode_access = mac_mls_check_vnode_open,
.mpo_check_vnode_chdir = mac_mls_check_vnode_chdir,