From d3fc69ee6a260babbdd8f8b09169f9851dc4e1f0 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Sun, 27 Oct 2002 07:12:34 +0000
Subject: Implement mac_check_system_sysctl(), a MAC Framework entry point to permit MAC policies to augment the security protections on sysctl() operations. This is not really a wonderful entry point, as we only have access to the MIB of the target sysctl entry, rather than the more useful entry name, but this is sufficient for policies like Biba that wish to use their notions of privilege or integrity to prevent inappropriate sysctl modification. Affects MAC kernels only. Since SYSCTL_LOCK isn't in sysctl.h, just kern_sysctl.c, we can't assert the SYSCTL subsystem lockin the MAC Framework. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
---
 sys/security/mac/mac_framework.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
(limited to 'sys/security/mac/mac_framework.c')
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 00ecd045bcac..c9ec6a1dc00c 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -151,6 +151,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
     &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
+static int mac_enforce_sysctl = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
+    &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
+TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
     &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
@@ -912,6 +917,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 			mpc->mpc_ops->mpo_check_system_swapon =
 			    mpe->mpe_function;
 			break;
+		case MAC_CHECK_SYSTEM_SYSCTL:
+			mpc->mpc_ops->mpo_check_system_sysctl =
+			    mpe->mpe_function;
+			break;
 		case MAC_CHECK_VNODE_ACCESS:
 			mpc->mpc_ops->mpo_check_vnode_access =
 			    mpe->mpe_function;
@@ -3033,6 +3042,25 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 	return (error);
 }
 
+int
+mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
+    void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+	int error;
+
+	/*
+	 * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
+	 * but since it's not exported from kern_sysctl.c, we can't.
+	 */
+	if (!mac_enforce_sysctl)
+		return (0);
+
+	MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
+	    inkernel, new, newlen);
+
+	return (error);
+}
+
 int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
     struct ifnet *ifnet)
-- 
cgit v1.2.3
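Review bot: mac_check_system_sysctl() in the third hunk is a new exported entry point with no header comment, and the only comment it carries has a typo — `XXXMAC: We're very much like to assert the SYSCTL_LOCK here,` should read `XXXMAC: We'd very much like to assert the SYSCTL_LOCK here,`. A block comment above the function should say that `name`/`namelen` are the MIB of the sysctl entry being accessed (the commit message notes that policies get only the MIB, not an entry name), that `old`/`oldlenp` and `new`/`newlen` are the read and write buffers handed down by the sysctl layer, and what `inkernel` distinguishes; the hunk does not show the caller, so I cannot confirm whether those buffer pointers are user or kernel addresses at this point, and the comment should state whichever the caller guarantees. The same comment should note that `security.mac.enforce_sysctl` is declared CTLFLAG_RW in the first hunk, so the early `return (0)` on `!mac_enforce_sysctl` is reachable through a sysctl write once the knob is cleared; that matches the other enforce_* knobs in this file, but a policy author reading this entry point should know the check is not unconditional. `error` is assigned only inside MAC_CHECK, which is the established pattern in mac_check_system_swapon() just above, so that is fine provided the macro always sets it on every path.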