path: root/sys/security/mac
Diffstat (limited to 'sys/security/mac')
-rw-r--r--sys/security/mac/mac_framework.c28
-rw-r--r--sys/security/mac/mac_framework.h3
-rw-r--r--sys/security/mac/mac_internal.h28
-rw-r--r--sys/security/mac/mac_net.c28
-rw-r--r--sys/security/mac/mac_pipe.c28
-rw-r--r--sys/security/mac/mac_policy.h4
-rw-r--r--sys/security/mac/mac_process.c28
-rw-r--r--sys/security/mac/mac_syscalls.c28
-rw-r--r--sys/security/mac/mac_system.c28
-rw-r--r--sys/security/mac/mac_vfs.c28
10 files changed, 231 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
static int mac_enforce_vm = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_system_swapon =
mpe->mpe_function;
break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_ACCESS:
mpc->mpc_ops->mpo_check_vnode_access =
mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
}
int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{
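Review bot: `mac_check_system_sysctl` returns `error` without initializing it, so the result is well-defined only if the `MAC_CHECK` macro (not in this hunk) assigns `error` even when no loaded policy implements `mpo_check_system_sysctl`; either confirm that or write `int error = 0;` defensively, matching the early `return (0)` for the disabled case. The new comment also has a grammatical slip: `XXXMAC: We'd very much like to assert the SYSCTL_LOCK here,`. Since the hook receives the raw `old`/`oldlenp`/`new` pointers plus an `inkernel` flag, a one-line header comment saying that these presumably point into user space when `inkernel` is zero and must not be dereferenced by policies without the appropriate copy routines would save the next policy author a bug — confirm against the caller in kern_sysctl.c. `mac_ioctl_ifnet_get` begins at the end of this hunk and continues outside it.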
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index e43139de3984..0e07753288f9 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -299,6 +299,9 @@ int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
+int mac_check_system_sysctl(struct ucred *cred, int *name,
+ u_int namelen, void *old, size_t *oldlenp, int inkernel,
+ void *new, size_t newlen);
int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
int flags);
int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
static int mac_enforce_vm = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
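Review bot: This file section for `mac_internal.h` appears to be a rendering duplicate of the `mac_framework.c` diff rather than a real change: its `index 00ecd045bcac..c9ec6a1dc00c` line, hunk headers and every hunk body are byte-identical to the `mac_framework.c` section above, and a header file would not normally carry `static` SYSCTL_INT definitions or a function body at line 3034. The same applies to the `mac_net.c`, `mac_pipe.c`, `mac_process.c`, `mac_syscalls.c`, `mac_system.c` and `mac_vfs.c` sections below, all showing the identical index hashes. The actual change to those files, if any, cannot be reviewed from this page.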
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_system_swapon =
mpe->mpe_function;
break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_ACCESS:
mpc->mpc_ops->mpo_check_vnode_access =
mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
}
int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
static int mac_enforce_vm = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_system_swapon =
mpe->mpe_function;
break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_ACCESS:
mpc->mpc_ops->mpo_check_vnode_access =
mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
}
int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
static int mac_enforce_vm = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_system_swapon =
mpe->mpe_function;
break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_ACCESS:
mpc->mpc_ops->mpo_check_vnode_access =
mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
}
int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index d92bcf7b98f6..6485743f81ac 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -313,6 +313,9 @@ struct mac_policy_ops {
int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
int (*mpo_check_system_swapon)(struct ucred *cred,
struct vnode *vp, struct label *label);
+ int (*mpo_check_system_sysctl)(struct ucred *cred, int *name,
+ u_int namelen, void *old, size_t *oldlenp, int inkernel,
+ void *new, size_t newlen);
int (*mpo_check_vnode_access)(struct ucred *cred,
struct vnode *vp, struct label *label, int flags);
int (*mpo_check_vnode_chdir)(struct ucred *cred,
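Review bot: The new `mpo_check_system_sysctl` entry point is the contract policy authors code against, yet nothing documents what `inkernel` signals or whether `old`/`oldlenp`/`new` are kernel or user pointers; a short comment above the member such as `/* old/new are caller-supplied sysctl buffers; inkernel is non-zero for kernel-originated requests, else they are user pointers — confirm with kern_sysctl.c */` would make the hook safely implementable. As a style point, `new` is a reserved word in C++, so a parameter named `new` in a header makes it unusable from C++ translation units if that ever matters to this tree; `newp` would sidestep it without changing the ABI. The `struct mac_policy_ops` definition extends beyond this hunk on both sides.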
@@ -505,6 +508,7 @@ enum mac_op_constant {
MAC_CHECK_SOCKET_VISIBLE,
MAC_CHECK_SYSTEM_REBOOT,
MAC_CHECK_SYSTEM_SWAPON,
+ MAC_CHECK_SYSTEM_SYSCTL,
MAC_CHECK_VNODE_ACCESS,
MAC_CHECK_VNODE_CHDIR,
MAC_CHECK_VNODE_CHROOT,
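Review bot: Inserting `MAC_CHECK_SYSTEM_SYSCTL` in the middle of `enum mac_op_constant` renumbers every constant from `MAC_CHECK_VNODE_ACCESS` onward, and because `mac_policy_register` dispatches on these constants (see the `case MAC_CHECK_SYSTEM_SYSCTL:` added in mac_framework.c), any policy module compiled against the old header would register its later hooks into the wrong `mpc_ops` slots. If binary compatibility with separately built policy modules is a goal, appending the new constant at the end of the enum (or bumping a framework version that registration checks) would avoid that silent mismatch; if all policies are rebuilt with the kernel, a brief comment stating that assumption near the enum would suffice. The enum continues outside this hunk.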
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
static int mac_enforce_vm = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_system_swapon =
mpe->mpe_function;
break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_ACCESS:
mpc->mpc_ops->mpo_check_vnode_access =
mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
}
int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
static int mac_enforce_vm = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_system_swapon =
mpe->mpe_function;
break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_ACCESS:
mpc->mpc_ops->mpo_check_vnode_access =
mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
}
int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
static int mac_enforce_vm = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_system_swapon =
mpe->mpe_function;
break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_ACCESS:
mpc->mpc_ops->mpo_check_vnode_access =
mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
}
int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+ &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
static int mac_enforce_vm = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_system_swapon =
mpe->mpe_function;
break;
+ case MAC_CHECK_SYSTEM_SYSCTL:
+ mpc->mpc_ops->mpo_check_system_sysctl =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_ACCESS:
mpc->mpc_ops->mpo_check_vnode_access =
mpe->mpe_function;
@@ -3034,6 +3043,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
}
int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ int error;
+
+ /*
+ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+ * but since it's not exported from kern_sysctl.c, we can't.
+ */
+ if (!mac_enforce_sysctl)
+ return (0);
+
+ MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+ inkernel, new, newlen);
+
+ return (error);
+}
+
+int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{