authorMitchell Horne <mhorne@FreeBSD.org>2022-07-18 21:23:16 +0000
committerAllan Jude <allanjude@FreeBSD.org>2022-07-18 22:06:13 +0000
commit2449b9e5fe565be757a4b29093fd1c9c6ffcf3c9 (patch)
tree305ce3103d0aff04757876d9e78ca2b5591636d2 /sys/ddb
parenta305b20ead13bb29880e15ff20c3bb83b5397a82 (diff)
Diffstat (limited to 'sys/ddb')
-rw-r--r--sys/ddb/db_command.c16
-rw-r--r--sys/ddb/ddb.h3
2 files changed, 19 insertions, 0 deletions
diff --git a/sys/ddb/db_command.c b/sys/ddb/db_command.c
index 71e9b039d7a9..ab7bec8f2ffc 100644
--- a/sys/ddb/db_command.c
+++ b/sys/ddb/db_command.c
@@ -59,6 +59,8 @@ __FBSDID("$FreeBSD$");
#include <machine/cpu.h>
#include <machine/setjmp.h>
+#include <security/mac/mac_framework.h>
+
/*
* Exported global variables
*/
@@ -236,6 +238,13 @@ db_command_register(struct db_command_table *list, struct db_command *cmd)
{
struct db_command *c, *last;
+#ifdef MAC
+ if (mac_ddb_command_register(list, cmd)) {
+ printf("%s: MAC policy refused registration of command %s\n",
+ __func__, cmd->name);
+ return;
+ }
+#endif
last = NULL;
LIST_FOREACH(c, list, next) {
int n = strcmp(cmd->name, c->name);
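Review bot: The return value of mac_ddb_command_register() on the line after `#ifdef MAC` is tested but discarded, so the diagnostic cannot tell an operator why or by which policy the command was refused; keeping it costs one local, `int error = mac_ddb_command_register(list, cmd); if (error != 0) { printf("%s: MAC policy refused registration of command %s (error %d)\n", __func__, cmd->name, error);`. That assumes the hook returns an errno value like the other MAC entry points, which is not visible here; the same remark applies to the mac_ddb_command_exec() check in the db_command hunk below. Because db_command_register() returns void, callers also cannot learn that a command was dropped, which is presumably acceptable for boot-time registration but deserves a one-line comment above the `#ifdef MAC` saying the refusal is reported on the console only. db_command_register's body continues past the end of this hunk.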
@@ -480,6 +489,13 @@ db_command(struct db_command **last_cmdp, struct db_command_table *cmd_table,
*last_cmdp = cmd;
if (cmd != NULL) {
+#ifdef MAC
+ if (mac_ddb_command_exec(cmd, addr, have_addr, count, modif)) {
+ db_printf("MAC prevented execution of command %s\n",
+ cmd->name);
+ return;
+ }
+#endif
/*
* Execute the command.
*/
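Review bot: The policy check at the mac_ddb_command_exec() call runs after `*last_cmdp = cmd;`, so a refused command is still recorded as the repeat target. If the empty-line path earlier in db_command (outside this hunk) reuses `*last_cmdp`, a bare Enter re-submits the refused command to the policy rather than bypassing it, which is the safe outcome but not obvious from the placement; a comment such as `/* Consult the MAC policy on every execution, including repeats taken from *last_cmdp. */` above `#ifdef MAC` would record that intent. The early `return` also skips everything after the "Execute the command." comment, so any pager or dot/next bookkeeping done there is bypassed; that looks intended since nothing ran, but it is worth confirming against the code below the hunk. db_command's body begins before and ends after this hunk.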
diff --git a/sys/ddb/ddb.h b/sys/ddb/ddb.h
index dce4e80ac117..4c8a4f165461 100644
--- a/sys/ddb/ddb.h
+++ b/sys/ddb/ddb.h
@@ -119,8 +119,11 @@ struct db_command {
#define CS_SET_DOT 0x100 /* set dot after command */
#define DB_CMD_MEMSAFE 0x1000 /* Command does not allow reads or writes to
* arbitrary memory. */
+#define DB_MAC1 0x10000 /* For MAC policy use */
+#define DB_MAC2 0x20000
struct db_command_table *more; /* another level of command */
LIST_ENTRY(db_command) next; /* next entry in the command table */
+ void *mac_priv; /* For MAC policy use */
};
/*
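Review bot: `DB_MAC2` is the only flag in this block without a comment, and `mac_priv` says only "For MAC policy use" without stating who assigns or releases it; `#define DB_MAC2 0x20000 /* For MAC policy use */` and `void *mac_priv; /* Opaque per-command state reserved for a MAC policy; presumably set by its register hook */` would make the reservation explicit. Whether the policy or ddb itself releases mac_priv when a command is unregistered is not visible here and should be confirmed against the mac_ddb_command_register() implementation before a comment asserts it. A short note that the 0x10000 and 0x20000 bits are policy-private and must not be interpreted by ddb would also help whoever adds the next flag above DB_CMD_MEMSAFE.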