xref: /freebsd/libexec/rc/rc.d/ugidfw (revision 49086aa35d987b78dbc3c9ec94814fe338e07164)
1#!/bin/sh
2#
3
4# PROVIDE: ugidfw
5# REQUIRE: FILESYSTEMS
6# BEFORE: LOGIN
7# KEYWORD: nojail shutdown
8
9. /etc/rc.subr
10
11name="ugidfw"
12desc="Firewall-like access controls for file system objects"
13rcvar="ugidfw_enable"
14start_cmd="ugidfw_start"
15stop_cmd="ugidfw_stop"
16required_modules="mac_bsdextended"
17
18ugidfw_load()
19{
20	if [ -r "${bsdextended_script}" ]; then
21		. "${bsdextended_script}"
22	fi
23}
24
25ugidfw_start()
26{
27	[ -z "${bsdextended_script}" ] && bsdextended_script=/etc/rc.bsdextended
28
29	if [ -r "${bsdextended_script}" ]; then
30		ugidfw_load
31		echo "MAC bsdextended rules loaded."
32	fi
33}
34
35ugidfw_stop()
36{
37	local rulecount
38
39	# Disable the policy
40	#
41	# Check for the existence of rules and flush them if needed.
42	rulecount=$(sysctl -in security.mac.bsdextended.rule_count)
43	if [ ${rulecount:-0} -gt 0 ]; then
44		ugidfw list | sed -n '2,$p' | cut -d ' ' -f 1 | sort -r -n |
45		    xargs -n 1 ugidfw remove
46		echo "MAC bsdextended rules flushed."
47	fi
48}
49
50load_rc_config $name
51
52# doesn't make sense to run in a svcj: nojail keyword
53ugidfw_svcj="NO"
54
55run_rc_command "$1"
56