| -rw-r--r-- | sys/kern/kern_mac.c | 28 | ||||
| -rw-r--r-- | sys/kern/kern_sysctl.c | 11 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.c | 28 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.h | 3 | ||||
| -rw-r--r-- | sys/security/mac/mac_internal.h | 28 | ||||
| -rw-r--r-- | sys/security/mac/mac_net.c | 28 | ||||
| -rw-r--r-- | sys/security/mac/mac_pipe.c | 28 | ||||
| -rw-r--r-- | sys/security/mac/mac_policy.h | 4 | ||||
| -rw-r--r-- | sys/security/mac/mac_process.c | 28 | ||||
| -rw-r--r-- | sys/security/mac/mac_syscalls.c | 28 | ||||
| -rw-r--r-- | sys/security/mac/mac_system.c | 28 | ||||
| -rw-r--r-- | sys/security/mac/mac_vfs.c | 28 | ||||
| -rw-r--r-- | sys/sys/mac.h | 3 | ||||
| -rw-r--r-- | sys/sys/mac_policy.h | 4 |
14 files changed, 277 insertions, 0 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 mpc->mpc_ops->mpo_check_system_swapon =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_VNODE_ACCESS:
 mpc->mpc_ops->mpo_check_vnode_access =
 mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
 struct ifnet *ifnet)
 {
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index b229701b534e..984e022b1b8c 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
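Review bot: The three kern_mac.c hunks — the `mac_enforce_sysctl` knob, the `MAC_CHECK_SYSTEM_SYSCTL` registration case and the `mac_check_system_sysctl()` body — appear verbatim again under sys/security/mac/mac_framework.c, mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c, all carrying the same `index 00ecd045bcac..c9ec6a1dc00c` as kern_mac.c; if that is not a rendering artifact of this page, the non-static `mac_check_system_sysctl` would be defined in ten translation units and the kernel link would fail on duplicate symbols, so the duplicated sections should be dropped from the commit. In the third hunk the lock caveat has a typo and should read `* XXXMAC: We'd very much like to assert the SYSCTL_LOCK here,`. The body declares `int error;` without initialising it and relies on `MAC_CHECK` to assign it, as the sibling `mac_check_system_swapon()` above presumably does; a short comment on that line, `/* set by MAC_CHECK */`, would make the dependency explicit for the next reader.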
@@ -41,11 +41,13 @@
 */
 
 #include "opt_compat.h"
+#include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/sysctl.h>
+#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
 #include <sys/lock.h>
@@ -1238,6 +1240,15 @@ userland_sysctl(struct thread *td, int *name, u_int namelen, void *old,
 
 SYSCTL_LOCK();
 
+#ifdef MAC
+ error = mac_check_system_sysctl(td->td_ucred, name, namelen, old,
+ oldlenp, inkernel, new, newlen);
+ if (error) {
+ SYSCTL_UNLOCK();
+ return (error);
+ }
+#endif
+
 do {
 req2 = req;
 error = sysctl_root(0, name, namelen, &req2);
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 mpc->mpc_ops->mpo_check_system_swapon =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_VNODE_ACCESS:
 mpc->mpc_ops->mpo_check_vnode_access =
 mpe->mpe_function;
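Review bot: The check added to userland_sysctl() runs before `sysctl_root()` has resolved `name`, so a policy's `mpo_check_system_sysctl` sees only the raw numeric OID vector, `inkernel` and the caller's buffer pointers — never the resolved `struct sysctl_oid` or its CTLFLAG_* bits — and nothing in the hunk says so. A comment above the `#ifdef MAC` block, `/* MAC: the policy decides on the raw name vector, before OID resolution. */`, would stop policy authors from assuming the OID has already been validated. The error path does release SYSCTL_LOCK before returning, which is correct. userland_sysctl's body starts and ends outside the hunk.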
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
 struct ifnet *ifnet)
 {
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index e43139de3984..0e07753288f9 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -299,6 +299,9 @@ int mac_check_socket_send(struct ucred *cred, struct socket *so);
 int mac_check_socket_visible(struct ucred *cred, struct socket *so);
 int mac_check_system_reboot(struct ucred *cred, int howto);
 int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
+int mac_check_system_sysctl(struct ucred *cred, int *name,
+ u_int namelen, void *old, size_t *oldlenp, int inkernel,
+ void *new, size_t newlen);
 int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
 int flags);
 int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 mpc->mpc_ops->mpo_check_system_swapon =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_VNODE_ACCESS:
 mpc->mpc_ops->mpo_check_vnode_access =
 mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
 struct ifnet *ifnet)
 {
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 mpc->mpc_ops->mpo_check_system_swapon =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_VNODE_ACCESS:
 mpc->mpc_ops->mpo_check_vnode_access =
 mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
 struct ifnet *ifnet)
 {
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 mpc->mpc_ops->mpo_check_system_swapon =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_VNODE_ACCESS:
 mpc->mpc_ops->mpo_check_vnode_access =
 mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
 struct ifnet *ifnet)
 {
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index d92bcf7b98f6..6485743f81ac 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -313,6 +313,9 @@ struct mac_policy_ops {
 int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
 int (*mpo_check_system_swapon)(struct ucred *cred,
 struct vnode *vp, struct label *label);
+ int (*mpo_check_system_sysctl)(struct ucred *cred, int *name,
+ u_int namelen, void *old, size_t *oldlenp, int inkernel,
+ void *new, size_t newlen);
 int (*mpo_check_vnode_access)(struct ucred *cred,
 struct vnode *vp, struct label *label, int flags);
 int (*mpo_check_vnode_chdir)(struct ucred *cred,
@@ -505,6 +508,7 @@ enum mac_op_constant {
 MAC_CHECK_SOCKET_VISIBLE,
 MAC_CHECK_SYSTEM_REBOOT,
 MAC_CHECK_SYSTEM_SWAPON,
+ MAC_CHECK_SYSTEM_SYSCTL,
 MAC_CHECK_VNODE_ACCESS,
 MAC_CHECK_VNODE_CHDIR,
 MAC_CHECK_VNODE_CHROOT,
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 mpc->mpc_ops->mpo_check_system_swapon =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_VNODE_ACCESS:
 mpc->mpc_ops->mpo_check_vnode_access =
 mpe->mpe_function;
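Review bot: The new `mpo_check_system_sysctl` entry point in `struct mac_policy_ops` documents none of its arguments, and they are unusual for a MAC hook: `old`, `oldlenp` and `new` are raw pointers whose address space presumably depends on `inkernel`, which the framework forwards unchanged from `userland_sysctl()`, so a policy must not dereference them directly. A comment on the prototype along the lines of `/* old/new are caller buffers; when inkernel == 0 they may be user addresses — do not dereference in a policy. */` would keep a policy module from touching user memory from kernel context. The same hunk appears again under sys/sys/mac_policy.h, where the comment would be needed too. `struct mac_policy_ops` begins and ends outside the hunk.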
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
 struct ifnet *ifnet)
 {
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 mpc->mpc_ops->mpo_check_system_swapon =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_VNODE_ACCESS:
 mpc->mpc_ops->mpo_check_vnode_access =
 mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
 struct ifnet *ifnet)
 {
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 mpc->mpc_ops->mpo_check_system_swapon =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_VNODE_ACCESS:
 mpc->mpc_ops->mpo_check_vnode_access =
 mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
 struct ifnet *ifnet)
 {
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 mpc->mpc_ops->mpo_check_system_swapon =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_VNODE_ACCESS:
 mpc->mpc_ops->mpo_check_vnode_access =
 mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
 struct ifnet *ifnet)
 {
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index e43139de3984..0e07753288f9 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -299,6 +299,9 @@ int mac_check_socket_send(struct ucred *cred, struct socket *so);
 int mac_check_socket_visible(struct ucred *cred, struct socket *so);
 int mac_check_system_reboot(struct ucred *cred, int howto);
 int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
+int mac_check_system_sysctl(struct ucred *cred, int *name,
+ u_int namelen, void *old, size_t *oldlenp, int inkernel,
+ void *new, size_t newlen);
 int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
 int flags);
 int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index d92bcf7b98f6..6485743f81ac 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -313,6 +313,9 @@ struct mac_policy_ops {
 int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
 int (*mpo_check_system_swapon)(struct ucred *cred,
 struct vnode *vp, struct label *label);
+ int (*mpo_check_system_sysctl)(struct ucred *cred, int *name,
+ u_int namelen, void *old, size_t *oldlenp, int inkernel,
+ void *new, size_t newlen);
 int (*mpo_check_vnode_access)(struct ucred *cred,
 struct vnode *vp, struct label *label, int flags);
 int (*mpo_check_vnode_chdir)(struct ucred *cred,
@@ -505,6 +508,7 @@ enum mac_op_constant {
 MAC_CHECK_SOCKET_VISIBLE,
 MAC_CHECK_SYSTEM_REBOOT,
 MAC_CHECK_SYSTEM_SWAPON,
+ MAC_CHECK_SYSTEM_SYSCTL,
 MAC_CHECK_VNODE_ACCESS,
 MAC_CHECK_VNODE_CHDIR,
 MAC_CHECK_VNODE_CHROOT,
