Diffstat (limited to 'sys/kern/kern_mac.c')
-rw-r--r--sys/kern/kern_mac.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index b757be65f2e4..00ecd045bcac 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -141,6 +141,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
+static int mac_enforce_reboot = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW,
+ &mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations");
+TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot);
+
static int mac_enforce_socket = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
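Review bot: The new `mac_enforce_reboot` knob has no comment stating what a value of 0 means. The third hunk shows that mac_check_system_reboot() then returns 0 before any policy is consulted. Because the sysctl is `CTLFLAG_RW`, a privileged write to `security.mac.enforce_reboot` at runtime turns the reboot check off for every loaded policy. A short comment above the declaration would make that explicit, for example `/* 0 disables the reboot check for all policies; writable at runtime. */`. The description string also says "for reboot operations" where the neighbouring knobs say "on ... operations".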
@@ -899,6 +904,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
break;
+ case MAC_CHECK_SYSTEM_REBOOT:
+ mpc->mpc_ops->mpo_check_system_reboot =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SYSTEM_SWAPON:
mpc->mpc_ops->mpo_check_system_swapon =
mpe->mpe_function;
@@ -2997,6 +3006,20 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_system_reboot(struct ucred *cred, int howto)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot");
+
+ if (!mac_enforce_reboot)
+ return (0);
+
+ MAC_CHECK(check_system_reboot, cred, howto);
+ return (error);
+}
+
+int
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
{
int error;
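Review bot: `ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot");` in the new mac_check_system_reboot() refers to `vp`, but the function's only parameters are `cred` and `howto`, and no vnode is involved in a reboot check. The line looks copied from one of the vnode-based checks such as the mac_check_system_swapon() that follows. It presumably builds only when the assertion macro expands to nothing and would fail to compile in a kernel with vnode lock debugging enabled. Drop the assertion so the body starts at `if (!mac_enforce_reboot)`. The body of mac_check_system_swapon() continues outside the hunk.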