/*-
 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */

/*
 * Developed by the TrustedBSD Project.
 * Generic mandatory access module that does nothing.
 *
 * The entry points in this part of the file make no access-control
 * decisions.  They stamp this policy's label slot with a per-object-type
 * magic value, verify that value when a label is handed back, and count
 * init/destroy/externalize/internalize calls, so label lifecycle errors in
 * the MAC framework become visible.
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

/* Parent node: everything below is published under security.mac.test. */
SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * Writable knob described as "Enforce test policy".  No function in this
 * part of the file reads it.
 */
static int	mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");

/*
 * Per-object-type magic values.  Each init entry point stores the value for
 * its object type in this policy's label slot, and each destroy entry point
 * replaces it with EXMAGIC.  A label of the wrong type, a label destroyed
 * twice, or an overwritten slot therefore shows up as an unexpected value.
 *
 * MOUNTMAGIC is stored in both the mount label and the mount fs label, and
 * SOCKETMAGIC in both the socket label and the socket peer label, so the
 * checks cannot tell the two members of either pair apart.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	INPCBMAGIC	0x4440f7bb
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	PIPEMAGIC	0xdc6c9919
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
#define	EXMAGIC		0x849ba1fd	/* written by the destroy entry points */

/* This policy's slot in label x (index test_slot), accessed as l_long. */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long

/*
 * Type assertions: the slot must hold the magic for the expected object
 * type, or 0.  Presumably 0 is tolerated for labels whose slot this policy
 * never initialized (e.g. objects that predate a dynamic load) -- confirm.
 * EXMAGIC is rejected, so use of a destroyed label trips the assertion.
 *
 * NOTE(review): KASSERT() is normally compiled in only for INVARIANTS
 * kernels, so these checks are expected to vanish from other builds --
 * confirm for the target configuration.  Each macro evaluates x twice.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad BPF label", __func__))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__))
#define	ASSERT_IFNET_LABEL(x)	KASSERT(SLOT(x) == IFNETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IFNET label", __func__))
#define	ASSERT_INPCB_LABEL(x)	KASSERT(SLOT(x) == INPCBMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad INPCB label", __func__))
#define	ASSERT_IPQ_LABEL(x)	KASSERT(SLOT(x) == IPQMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad IPQ label", __func__))
#define	ASSERT_MBUF_LABEL(x)	KASSERT(SLOT(x) == MBUFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad MBUF label", __func__))
#define	ASSERT_MOUNT_LABEL(x)	KASSERT(SLOT(x) == MOUNTMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad MOUNT label", __func__))
#define	ASSERT_SOCKET_LABEL(x)	KASSERT(SLOT(x) == SOCKETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad SOCKET label", __func__))
#define	ASSERT_PIPE_LABEL(x)	KASSERT(SLOT(x) == PIPEMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PIPE label", __func__))
#define	ASSERT_PROC_LABEL(x)	KASSERT(SLOT(x) == PROCMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PROC label", __func__))
#define	ASSERT_CRED_LABEL(x)	KASSERT(SLOT(x) == CREDMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad CRED label", __func__))
#define	ASSERT_VNODE_LABEL(x)	KASSERT(SLOT(x) == VNODEMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad VNODE label", __func__))

/* Label slot index; the sysctl describes it as allocated by the framework. */
static int	test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");

/*
 * Read-only counters, one per label type, bumped with atomic_add_int() by
 * the matching label init entry point.
 */
static int	init_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
    &init_count_bpfdesc, 0, "bpfdesc init calls");
static int	init_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
    &init_count_cred, 0, "cred init calls");
static int	init_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
    &init_count_devfsdirent, 0, "devfsdirent init calls");
static int	init_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
    &init_count_ifnet, 0, "ifnet init calls");
static int	init_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
    &init_count_inpcb, 0, "inpcb init calls");
static int	init_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
    &init_count_ipq, 0, "ipq init calls");
static int	init_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
    &init_count_mbuf, 0, "mbuf init calls");
static int	init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
    &init_count_mount, 0, "mount init calls");
static int	init_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
    &init_count_mount_fslabel, 0, "mount_fslabel init calls");
/*
 * Remaining label init counters (socket through vnode).  All are exported
 * read-only under security.mac.test.
 */
static int	init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
    &init_count_socket, 0, "socket init calls");
static int	init_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
    CTLFLAG_RD, &init_count_socket_peerlabel, 0,
    "socket_peerlabel init calls");
static int	init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
    &init_count_pipe, 0, "pipe init calls");
static int	init_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
    &init_count_proc, 0, "proc init calls");
static int	init_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
    &init_count_vnode, 0, "vnode init calls");

/*
 * Label destroy counters, one per label type.  A destroy entry point bumps
 * its counter only when the label still carries the expected magic (or 0),
 * so comparing an init counter with its destroy counter gives a rough view
 * of outstanding labels of that type.
 */
static int	destroy_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
    &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
static int	destroy_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
    &destroy_count_cred, 0, "cred destroy calls");
static int	destroy_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
    &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
static int	destroy_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
    &destroy_count_ifnet, 0, "ifnet destroy calls");
static int	destroy_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
    &destroy_count_inpcb, 0, "inpcb destroy calls");
static int	destroy_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
    &destroy_count_ipq, 0, "ipq destroy calls");
static int	destroy_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
    &destroy_count_mbuf, 0, "mbuf destroy calls");
static int	destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
    &destroy_count_mount, 0, "mount destroy calls");
static int	destroy_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
    CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
    "mount_fslabel destroy calls");
static int	destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
    &destroy_count_socket, 0, "socket destroy calls");
static int	destroy_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
    CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
    "socket_peerlabel destroy calls");
static int	destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
    &destroy_count_pipe, 0, "pipe destroy calls");
static int	destroy_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
    &destroy_count_proc, 0, "proc destroy calls");
static int	destroy_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
    &destroy_count_vnode, 0, "vnode destroy calls");

/* Read-only counters for label externalize and internalize calls. */
static int	externalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
static int	internalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");

/*
 * Policy module operations.
 */

/* Policy teardown hook: intentionally empty. */
static void
mac_test_destroy(struct mac_policy_conf *conf)
{

}

/* Policy setup hook: intentionally empty. */
static void
mac_test_init(struct mac_policy_conf *conf)
{

}

/*
 * Policy system call hook.  Ignores the call number and the argument and
 * reports success for every request.
 */
static int
mac_test_syscall(struct thread *td, int call, void *arg)
{

	return (0);
}

/*
 * Label operations.
 *
 * Every init entry point stores its object type's magic in this policy's
 * slot and bumps the matching init counter.  The variants taking a flag
 * argument also run a WITNESS_WARN() check when M_WAITOK is set
 * (presumably to catch a sleepable allocation requested from a context
 * that must not sleep -- confirm) and always return 0.
 */

/* Stamp a BPF descriptor label. */
static void
mac_test_init_bpfdesc_label(struct label *label)
{

	SLOT(label) = BPFMAGIC;
	atomic_add_int(&init_count_bpfdesc, 1);
}

/* Stamp a credential label. */
static void
mac_test_init_cred_label(struct label *label)
{

	SLOT(label) = CREDMAGIC;
	atomic_add_int(&init_count_cred, 1);
}

/* Stamp a devfs directory entry label. */
static void
mac_test_init_devfsdirent_label(struct label *label)
{

	SLOT(label) = DEVFSMAGIC;
	atomic_add_int(&init_count_devfsdirent, 1);
}

/* Stamp a network interface label. */
static void
mac_test_init_ifnet_label(struct label *label)
{

	SLOT(label) = IFNETMAGIC;
	atomic_add_int(&init_count_ifnet, 1);
}

/* Stamp an inpcb label; returns 0. */
static int
mac_test_init_inpcb_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_inpcb_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = INPCBMAGIC;
	atomic_add_int(&init_count_inpcb, 1);
	return (0);
}

/* Stamp an IP fragment queue label; returns 0. */
static int
mac_test_init_ipq_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = IPQMAGIC;
	atomic_add_int(&init_count_ipq, 1);
	return (0);
}

/* Stamp an mbuf label; returns 0. */
static int
mac_test_init_mbuf_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = MBUFMAGIC;
	atomic_add_int(&init_count_mbuf, 1);
	return (0);
}

/* Stamp a mount label. */
static void
mac_test_init_mount_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount, 1);
}

/*
 * Stamp a mount fs label.  It receives MOUNTMAGIC, the same value as the
 * mount label, so later checks cannot distinguish the two; only the counter
 * differs.
 */
static void
mac_test_init_mount_fs_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount_fslabel, 1);
}

/* Stamp a socket label; returns 0. */
static int
mac_test_init_socket_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket, 1);
	return (0);
}

/*
 * Stamp a socket peer label; returns 0.  It receives SOCKETMAGIC, the same
 * value as the socket label, so later checks cannot distinguish the two.
 */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket_peerlabel, 1);
	return (0);
}

/* Stamp a pipe label. */
static void
mac_test_init_pipe_label(struct label *label)
{

	SLOT(label) = PIPEMAGIC;
	atomic_add_int(&init_count_pipe, 1);
}

/* Stamp a process label. */
static void
mac_test_init_proc_label(struct label *label)
{

	SLOT(label) = PROCMAGIC;
	atomic_add_int(&init_count_proc, 1);
}

/* Stamp a vnode label. */
static void
mac_test_init_vnode_label(struct label *label)
{

	SLOT(label) = VNODEMAGIC;
	atomic_add_int(&init_count_vnode, 1);
}

/*
 * Destroy entry points.  Each classifies the slot value three ways:
 *   - EXMAGIC: the label was already destroyed, so Debugger() is called
 *     with a "dup destroy" message;
 *   - neither the type's magic nor 0: Debugger() is called with a
 *     "corrupted label" message;
 *   - the type's magic or 0: the destroy counter is bumped and the slot is
 *     overwritten with EXMAGIC.
 * These are ordinary if statements rather than KASSERT()s, so they do not
 * depend on how KASSERT() is configured.
 */

/* Retire a BPF descriptor label. */
static void
mac_test_destroy_bpfdesc_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_bpfdesc: dup destroy");
		return;
	}
	if (SLOT(label) != BPFMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_bpfdesc: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_bpfdesc, 1);
	SLOT(label) = EXMAGIC;
}

/* Retire a credential label. */
static void
mac_test_destroy_cred_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_cred: dup destroy");
		return;
	}
	if (SLOT(label) != CREDMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_cred: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_cred, 1);
	SLOT(label) = EXMAGIC;
}

/* Retire a devfs directory entry label. */
static void
mac_test_destroy_devfsdirent_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_devfsdirent: dup destroy");
		return;
	}
	if (SLOT(label) != DEVFSMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_devfsdirent: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_devfsdirent, 1);
	SLOT(label) = EXMAGIC;
}

/* Retire a network interface label. */
static void
mac_test_destroy_ifnet_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_ifnet: dup destroy");
		return;
	}
	if (SLOT(label) != IFNETMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_ifnet: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_ifnet, 1);
	SLOT(label) = EXMAGIC;
}

/*
 * Destroy entry points, continued.  Each one calls Debugger() when the slot
 * already holds EXMAGIC (duplicate destroy) or holds anything other than
 * the type's magic or 0 (corrupted label); otherwise it bumps the destroy
 * counter and overwrites the slot with EXMAGIC.  The checks are ordinary if
 * statements, so they do not depend on how KASSERT() is configured.
 */

/* Retire an inpcb label. */
static void
mac_test_destroy_inpcb_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_inpcb: dup destroy");
		return;
	}
	if (SLOT(label) != INPCBMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_inpcb: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_inpcb, 1);
	SLOT(label) = EXMAGIC;
}

/* Retire an IP fragment queue label. */
static void
mac_test_destroy_ipq_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_ipq: dup destroy");
		return;
	}
	if (SLOT(label) != IPQMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_ipq: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_ipq, 1);
	SLOT(label) = EXMAGIC;
}

/*
 * Retire an mbuf label.  This is the only destroy entry point in this part
 * of the file that accepts a NULL label.
 */
static void
mac_test_destroy_mbuf_label(struct label *label)
{

	/*
	 * If we're loaded dynamically, there may be mbufs in flight that
	 * didn't have label storage allocated for them.  Handle this
	 * gracefully.
	 */
	if (label == NULL)
		return;

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mbuf: dup destroy");
		return;
	}
	if (SLOT(label) != MBUFMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_mbuf: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_mbuf, 1);
	SLOT(label) = EXMAGIC;
}

/* Retire a mount label. */
static void
mac_test_destroy_mount_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mount: dup destroy");
		return;
	}
	if (SLOT(label) != MOUNTMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_mount: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_mount, 1);
	SLOT(label) = EXMAGIC;
}

/*
 * Retire a mount fs label.  It is checked against MOUNTMAGIC, the same
 * value as the mount label, so a mount label passed here by mistake would
 * not be detected.
 */
static void
mac_test_destroy_mount_fs_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mount_fslabel: dup destroy");
		return;
	}
	if (SLOT(label) != MOUNTMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_mount_fslabel: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_mount_fslabel, 1);
	SLOT(label) = EXMAGIC;
}

/* Retire a socket label. */
static void
mac_test_destroy_socket_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_socket: dup destroy");
		return;
	}
	if (SLOT(label) != SOCKETMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_socket: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_socket, 1);
	SLOT(label) = EXMAGIC;
}

/*
 * Retire a socket peer label.  It is checked against SOCKETMAGIC, the same
 * value as the socket label, so a socket label passed here by mistake would
 * not be detected.
 */
static void
mac_test_destroy_socket_peer_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_socket_peerlabel: dup destroy");
		return;
	}
	if (SLOT(label) != SOCKETMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_socket_peerlabel: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_socket_peerlabel, 1);
	SLOT(label) = EXMAGIC;
}

/* Retire a pipe label. */
static void
mac_test_destroy_pipe_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_pipe: dup destroy");
		return;
	}
	if (SLOT(label) != PIPEMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_pipe: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_pipe, 1);
	SLOT(label) = EXMAGIC;
}

/* Retire a process label. */
static void
mac_test_destroy_proc_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_proc: dup destroy");
		return;
	}
	if (SLOT(label) != PROCMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_proc: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_proc, 1);
	SLOT(label) = EXMAGIC;
}

/* Retire a vnode label. */
static void
mac_test_destroy_vnode_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_vnode: dup destroy");
		return;
	}
	if (SLOT(label) != VNODEMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_vnode: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_vnode, 1);
	SLOT(label) = EXMAGIC;
}

/*
 * Copy entry point for credential labels.  Nothing is copied: the function
 * only asserts that both labels carry CREDMAGIC (or 0).
 * NOTE(review): the check is KASSERT()-based, so it is expected to be
 * absent from kernels built without INVARIANTS -- confirm.
 */
static void
mac_test_copy_cred_label(struct label *src, struct label *dest)
{

	ASSERT_CRED_LABEL(src);
	ASSERT_CRED_LABEL(dest);
}

/*
 * Label copy hooks.  Each hook only runs the per-type label assertion on
 * the source and the destination label; this policy copies no label data.
 * The ASSERT_*_LABEL macros are defined earlier in the file.
 */
static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{

	ASSERT_MBUF_LABEL(src);
	ASSERT_MBUF_LABEL(dest);
}

/* Copy hook for pipe labels: both labels must pass the pipe assertion. */
static void
mac_test_copy_pipe_label(struct label *src, struct label *dest)
{

	ASSERT_PIPE_LABEL(src);
	ASSERT_PIPE_LABEL(dest);
}

/* Copy hook for socket labels: both labels must pass the socket assertion. */
static void
mac_test_copy_socket_label(struct label *src, struct label *dest)
{

	ASSERT_SOCKET_LABEL(src);
	ASSERT_SOCKET_LABEL(dest);
}

/* Copy hook for vnode labels: both labels must pass the vnode assertion. */
static void
mac_test_copy_vnode_label(struct label *src, struct label *dest)
{

	ASSERT_VNODE_LABEL(src);
	ASSERT_VNODE_LABEL(dest);
}

/*
 * Externalize hook.  Bumps externalize_count and asserts that the label
 * has not already been destroyed: the destroy hooks in this file stamp
 * EXMAGIC into the slot, so seeing it here means use after destroy.
 * element_name, sb and claimed are not touched.  Always returns 0.
 *
 * KASSERT is only active in kernels built with INVARIANTS; without it
 * the destroyed-label check is not performed.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{

	atomic_add_int(&externalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_externalize_label: destroyed label"));

	return (0);
}

/*
 * Internalize hook.  Bumps internalize_count and asserts that the label
 * has not already been destroyed (slot != EXMAGIC).  element_name,
 * element_data and claimed are not touched, so nothing supplied by the
 * caller is parsed here.  Always returns 0.
 */
static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{

	atomic_add_int(&internalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_internalize_label: destroyed label"));

	return (0);
}

/*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.
 */

/* Checks the mount, devfs entry and vnode labels handed to the hook. */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_DEVFS_LABEL(delabel);
	ASSERT_VNODE_LABEL(vlabel);
}

/*
 * Checks the mount and vnode labels.  No extended attribute is read by
 * this policy.  Always returns 0.
 */
static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
	return (0);
}

/* Checks the mount and vnode labels handed to the hook. */
static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
}

/* Checks the label of the new devfs device entry. */
static void
mac_test_create_devfs_device(struct mount *mp, dev_t dev,
    struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

/* Checks the label of the new devfs directory entry. */
static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

/*
 * Checks the creating credential's label and the labels of both devfs
 * entries (dd and de).
 */
static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_DEVFS_LABEL(ddlabel);
	ASSERT_DEVFS_LABEL(delabel);
}

/*
 * Checks the credential, mount and parent directory vnode labels.
 * Always returns 0.
 *
 * NOTE(review): vlabel (the label passed alongside vp) is not asserted
 * here, unlike in mac_test_associate_vnode_extattr() and
 * mac_test_setlabel_vnode_extattr() -- confirm whether that is
 * intentional.
 */
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Checks the credential label and both labels of the new mount. */
static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

/* Same checks as mac_test_create_mount(), for the root mount. */
static void
mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

/*
 * Checks the credential label, the vnode's current label and the
 * replacement label.  The vnode label itself is not modified.
 */
static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(label);
}

/*
 * Checks the credential label, the vnode label and the internalized
 * label.  Nothing is written back.  Always returns 0.
 */
static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vlabel);
	ASSERT_VNODE_LABEL(intlabel);
	return (0);
}

/* Checks the devfs entry label and the vnode label. */
static void
mac_test_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{

	ASSERT_DEVFS_LABEL(direntlabel);
	ASSERT_VNODE_LABEL(vnodelabel);
}

/*
 * Labeling event operations: IPC object.
 */

/* Checks the sending socket's label and the new mbuf's label. */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Checks the creating credential's label and the new socket's label. */
static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
}

/* Checks the creating credential's label and the new pipe's label. */
static void
mac_test_create_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
}
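/* Checks the labels of the originating socket and of the new socket. */
static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketlabel);
}

/*
 * Checks the credential label, the socket's current label and the
 * replacement label.  The socket label itself is not modified.
 *
 * The current label (socketlabel) is asserted as well, matching the
 * pipe, vnode and ifnet relabel hooks in this file; previously only
 * newlabel was checked, so a bad existing socket label would not be
 * caught on this path.
 */
static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);
}

/*
 * Checks the credential label, the pipe's current label and the
 * replacement label.
 */
static void
mac_test_relabel_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
}

/* Checks the mbuf label and the socket peer label. */
static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{

	ASSERT_MBUF_LABEL(mbuflabel);
	ASSERT_SOCKET_LABEL(socketpeerlabel);
}

/*
 * Labeling event operations: network objects.
 */

/* Checks the old socket's label and the new socket's peer label. */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}

/* Checks the credential label and the new BPF descriptor's label. */
static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}

/* Checks the reassembly queue label and the datagram's mbuf label. */
static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}

/* Checks the mbuf labels of the datagram and of the new fragment. */
static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}

/* Checks the label of the new network interface. */
static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
}

/* Checks the socket label and the new inpcb's label. */
static void
mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/* Checks the fragment's mbuf label and the new reassembly queue label. */
static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

/* Checks the inpcb label and the new mbuf's label. */
static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
}

/* Checks the labels of the old and the new mbuf. */
static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/* Checks the interface label and the new link-layer mbuf's label. */
static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Checks the BPF descriptor label and the new mbuf's label. */
static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Checks the interface label and the new mbuf's label. */
static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/*
 * Checks the original mbuf label, the interface label and the label of
 * the encapsulating mbuf.
 */
static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/* Checks the labels of the old and the new mbuf. */
static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/*
 * Checks the fragment's mbuf label and the reassembly queue label.
 * Always returns 1, whatever the labels contain -- presumably "match",
 * so this policy never keeps a fragment out of a queue; confirm against
 * the framework's fragment_match contract.
 */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);

	return (1);
}

/* Checks the label of the mbuf being reflected for ICMP. */
static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

/* Checks the label of the mbuf being reflected for TCP. */
static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

/*
 * Checks the credential label, the interface's current label and the
 * replacement label.
 */
static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
}

/* Checks the fragment's mbuf label and the reassembly queue label. */
static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

/* Checks the socket label and the inpcb label. */
static void
mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/*
 * Labeling event operations: processes.
 */

/*
 * Checks the old and new credential labels and the label of the file
 * being executed.  interpvnodelabel and execlabel are optional: each is
 * asserted only when it is not NULL.  No credential is changed here.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}

/*
 * Checks the same labels as mac_test_execve_transition(), except that
 * there is no new credential yet.  Always returns 0, i.e. this policy
 * never asks for a label transition on exec.
 */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/* Checks the label of the credential passed for proc0. */
static void
mac_test_create_proc0(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

/* Checks the label of the credential passed for proc1. */
static void
mac_test_create_proc1(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

/* Checks the credential's current label and the replacement label. */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}

/*
 * Prints the pid of the current thread's process.  The td argument is
 * not used; the pid is read through curthread.
 */
static void
mac_test_thread_userret(struct thread *td)
{

	printf("mac_test_thread_userret(process = %d)\n",
	    curthread->td_proc->p_pid);
}

/*
 * Access control checks.
 *
 * Every check below runs the label assertions for its arguments and
 * then returns 0, so this policy never refuses an operation; it only
 * validates the labels the framework hands to it.
 */

/* Checks the BPF descriptor label and the interface label. */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}

/* Checks the credential's current label and the requested label. */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}

/* Checks the labels of both credentials. */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);

	return (0);
}

/*
 * Checks the credential label, the interface's current label and the
 * requested label.
 */
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
	return (0);
}

/* Checks the interface label and the outgoing mbuf's label. */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* Checks the inpcb label and the label of the mbuf being delivered. */
static int
mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);

	return (0);
}

/* Checks the credential label for a kernel environment dump. */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Checks the credential label; the variable name is not inspected. */
static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Checks the credential label; name and value are not inspected. */
static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}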
1199ca26e8baSRobert Watson 1200ca26e8baSRobert Watson static int 1201ca26e8baSRobert Watson mac_test_check_kenv_unset(struct ucred *cred, char *name) 1202ca26e8baSRobert Watson { 1203ca26e8baSRobert Watson 1204eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1205250ee706SRobert Watson 1206ca26e8baSRobert Watson return (0); 1207ca26e8baSRobert Watson } 1208ca26e8baSRobert Watson 1209ca26e8baSRobert Watson static int 1210ca26e8baSRobert Watson mac_test_check_kld_load(struct ucred *cred, struct vnode *vp, 1211ca26e8baSRobert Watson struct label *label) 1212ca26e8baSRobert Watson { 1213ca26e8baSRobert Watson 1214eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1215250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1216250ee706SRobert Watson 1217ca26e8baSRobert Watson return (0); 1218ca26e8baSRobert Watson } 1219ca26e8baSRobert Watson 1220ca26e8baSRobert Watson static int 1221ca26e8baSRobert Watson mac_test_check_kld_stat(struct ucred *cred) 1222ca26e8baSRobert Watson { 1223ca26e8baSRobert Watson 1224eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1225250ee706SRobert Watson 1226ca26e8baSRobert Watson return (0); 1227ca26e8baSRobert Watson } 1228ca26e8baSRobert Watson 1229ca26e8baSRobert Watson static int 1230ca26e8baSRobert Watson mac_test_check_kld_unload(struct ucred *cred) 1231ca26e8baSRobert Watson { 1232ca26e8baSRobert Watson 1233eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1234250ee706SRobert Watson 1235ca26e8baSRobert Watson return (0); 1236ca26e8baSRobert Watson } 1237ca26e8baSRobert Watson 1238ca26e8baSRobert Watson static int 1239d8a7b7a3SRobert Watson mac_test_check_mount_stat(struct ucred *cred, struct mount *mp, 1240d8a7b7a3SRobert Watson struct label *mntlabel) 1241d8a7b7a3SRobert Watson { 1242d8a7b7a3SRobert Watson 1243eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1244250ee706SRobert Watson ASSERT_MOUNT_LABEL(mntlabel); 1245250ee706SRobert Watson 1246d8a7b7a3SRobert Watson return (0); 1247d8a7b7a3SRobert 
Watson } 1248d8a7b7a3SRobert Watson 1249d8a7b7a3SRobert Watson static int 1250d8a7b7a3SRobert Watson mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, 1251d8a7b7a3SRobert Watson struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) 1252d8a7b7a3SRobert Watson { 1253d8a7b7a3SRobert Watson 1254eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1255250ee706SRobert Watson ASSERT_PIPE_LABEL(pipelabel); 1256250ee706SRobert Watson 1257d8a7b7a3SRobert Watson return (0); 1258d8a7b7a3SRobert Watson } 1259d8a7b7a3SRobert Watson 1260d8a7b7a3SRobert Watson static int 1261c024c3eeSRobert Watson mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe, 1262c024c3eeSRobert Watson struct label *pipelabel) 1263c024c3eeSRobert Watson { 1264c024c3eeSRobert Watson 1265eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1266250ee706SRobert Watson ASSERT_PIPE_LABEL(pipelabel); 1267250ee706SRobert Watson 1268c024c3eeSRobert Watson return (0); 1269c024c3eeSRobert Watson } 1270c024c3eeSRobert Watson 1271c024c3eeSRobert Watson static int 1272c024c3eeSRobert Watson mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe, 1273c024c3eeSRobert Watson struct label *pipelabel) 1274d8a7b7a3SRobert Watson { 1275d8a7b7a3SRobert Watson 1276eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1277250ee706SRobert Watson ASSERT_PIPE_LABEL(pipelabel); 1278250ee706SRobert Watson 1279d8a7b7a3SRobert Watson return (0); 1280d8a7b7a3SRobert Watson } 1281d8a7b7a3SRobert Watson 1282d8a7b7a3SRobert Watson static int 1283d8a7b7a3SRobert Watson mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, 1284d8a7b7a3SRobert Watson struct label *pipelabel, struct label *newlabel) 1285d8a7b7a3SRobert Watson { 1286d8a7b7a3SRobert Watson 1287eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1288250ee706SRobert Watson ASSERT_PIPE_LABEL(pipelabel); 1289250ee706SRobert Watson ASSERT_PIPE_LABEL(newlabel); 1290250ee706SRobert Watson 
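/* Report success (0) to the caller. */
	return (0);
}

/*
 * Access-control check hooks.
 *
 * None of the hooks below takes a policy decision.  Each one runs the
 * ASSERT_*_LABEL macros (not defined in this part of the file) on the
 * labels it is handed and then returns 0.  Arguments that describe the
 * operation itself (modes, names, flags, addresses, ...) are accepted but
 * never examined.  The module is therefore a label-consistency harness,
 * not an enforcement policy.
 *
 * NOTE(review): if the ASSERT_*_LABEL macros expand to KASSERT they
 * compile away in kernels built without INVARIANTS, and these hooks then
 * do nothing at all -- confirm against the macro definitions.
 */

/* Pipe stat: asserts cred's label and the pipe label. */
static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe write: asserts cred's label and the pipe label. */
static int
mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Process debug: asserts cred's label and the label of proc's credential. */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Process sched: asserts cred's label and the label of proc's credential. */
static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/*
 * Process signal: asserts cred's label and the label of proc's credential.
 * signum is not examined.
 */
static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Socket bind: asserts cred's label and the socket label. */
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket connect: asserts cred's label and the socket label. */
static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/*
 * Socket deliver: takes no credential; asserts the socket label and the
 * mbuf label.
 */
static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* Socket listen: asserts cred's label and the socket label. */
static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket visible: asserts cred's label and the socket label. */
static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/*
 * Socket relabel: asserts cred's label and, as socket labels, both the
 * current label and the proposed new label.
 */
static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}

/* sysarch ioperm: asserts cred's label. */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * System acct: asserts cred's label only.  The vnode label is left
 * unchecked, unlike the swapon/swapoff hooks.
 * NOTE(review): presumably vp and label may be NULL here -- confirm against
 * the caller before adding an assertion.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* System reboot: asserts cred's label; how is not examined. */
static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* System settime: asserts cred's label. */
static int
mac_test_check_system_settime(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* System swapon: asserts cred's label and the vnode label. */
static int
mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* System swapoff: asserts cred's label and the vnode label. */
static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * System sysctl: asserts cred's label.  The MIB name and the old/new
 * buffers are not examined.
 */
static int
mac_test_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
    void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Vnode access: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode chdir: asserts cred's label and the directory's vnode label. */
static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode chroot: asserts cred's label and the directory's vnode label. */
static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode create: asserts cred's label and the directory's vnode label. */
static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/*
 * Vnode delete: asserts cred's label, the directory's vnode label and the
 * vnode label of the object itself.
 */
static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode deleteacl: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode deleteextattr: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode exec: asserts cred's label and the vnode label.  execlabel is
 * optional; when supplied it is asserted as a credential label, not as a
 * vnode label.
 */
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/* Vnode getacl: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode getextattr: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode link: asserts cred's label, the directory's vnode label and the
 * vnode label of the object being linked.
 */
static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode listextattr: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode lookup: asserts cred's label and the directory's vnode label. */
static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode mmap: asserts cred's label and the vnode label; prot is ignored. */
static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode mprotect: asserts cred's label and the vnode label; prot is ignored. */
static int
mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode open: asserts cred's label and the file's vnode label. */
static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	return (0);
}

/*
 * Vnode poll: asserts active_cred's label, file_cred's label when a file
 * credential is supplied, and the vnode label.
 *
 * file_cred is guarded against NULL in the same way as the read, stat and
 * write hooks, so that a caller without a file credential does not fault
 * on a NULL dereference inside a debugging assertion.
 * NOTE(review): whether poll callers ever pass a NULL file_cred is not
 * visible here -- confirm against the framework.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode read: asserts active_cred's label, file_cred's label when file_cred
 * is non-NULL, and the vnode label.
 */
static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode readdir: asserts cred's label and the directory's vnode label. */
static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode readlink: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);

	return (0);
}

/*
 * Vnode relabel: asserts cred's label and, as vnode labels, both the
 * current label and the proposed new label.
 */
static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);

	return (0);
}

/*
 * Vnode rename_from: asserts cred's label, the directory's vnode label and
 * the vnode label of the object being renamed.
 */
static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode rename_to: asserts cred's label and the directory's vnode label.
 * label is asserted only when vp is non-NULL.
 * NOTE(review): presumably vp is NULL when no object exists at the rename
 * target -- confirm against the caller.
 */
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	if (vp != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

/* Vnode revoke: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode setacl: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode setextattr: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode setflags: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode setmode: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode setowner: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode setutimes: asserts cred's label and the vnode label. */
static int
mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode stat: asserts active_cred's label, file_cred's label when file_cred
 * is non-NULL, and the vnode label.
 */
static int
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode write: asserts active_cred's label, file_cred's label when
 * file_cred is non-NULL, and the vnode label.
 */
static int
mac_test_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static struct mac_policy_ops mac_test_ops =
{
	.mpo_destroy = mac_test_destroy,
	.mpo_init = mac_test_init,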
18645c8dd342SRobert Watson .mpo_syscall = mac_test_syscall, 18655c8dd342SRobert Watson .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label, 18665c8dd342SRobert Watson .mpo_init_cred_label = mac_test_init_cred_label, 18675c8dd342SRobert Watson .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label, 18685c8dd342SRobert Watson .mpo_init_ifnet_label = mac_test_init_ifnet_label, 1869a557af22SRobert Watson .mpo_init_inpcb_label = mac_test_init_inpcb_label, 18705c8dd342SRobert Watson .mpo_init_ipq_label = mac_test_init_ipq_label, 18715c8dd342SRobert Watson .mpo_init_mbuf_label = mac_test_init_mbuf_label, 18725c8dd342SRobert Watson .mpo_init_mount_label = mac_test_init_mount_label, 18735c8dd342SRobert Watson .mpo_init_mount_fs_label = mac_test_init_mount_fs_label, 18745c8dd342SRobert Watson .mpo_init_pipe_label = mac_test_init_pipe_label, 1875ca26e8baSRobert Watson .mpo_init_proc_label = mac_test_init_proc_label, 18765c8dd342SRobert Watson .mpo_init_socket_label = mac_test_init_socket_label, 18775c8dd342SRobert Watson .mpo_init_socket_peer_label = mac_test_init_socket_peer_label, 18785c8dd342SRobert Watson .mpo_init_vnode_label = mac_test_init_vnode_label, 18795c8dd342SRobert Watson .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label, 18805c8dd342SRobert Watson .mpo_destroy_cred_label = mac_test_destroy_cred_label, 18815c8dd342SRobert Watson .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label, 18825c8dd342SRobert Watson .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label, 1883a557af22SRobert Watson .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label, 18845c8dd342SRobert Watson .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 18855c8dd342SRobert Watson .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 18865c8dd342SRobert Watson .mpo_destroy_mount_label = mac_test_destroy_mount_label, 18875c8dd342SRobert Watson .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label, 18885c8dd342SRobert Watson .mpo_destroy_pipe_label = 
mac_test_destroy_pipe_label, 1889ca26e8baSRobert Watson .mpo_destroy_proc_label = mac_test_destroy_proc_label, 18905c8dd342SRobert Watson .mpo_destroy_socket_label = mac_test_destroy_socket_label, 18915c8dd342SRobert Watson .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 18925c8dd342SRobert Watson .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 189356d9e932SRobert Watson .mpo_copy_cred_label = mac_test_copy_cred_label, 18940196273bSRobert Watson .mpo_copy_mbuf_label = mac_test_copy_mbuf_label, 18950196273bSRobert Watson .mpo_copy_pipe_label = mac_test_copy_pipe_label, 1896b0323ea3SRobert Watson .mpo_copy_socket_label = mac_test_copy_socket_label, 18970196273bSRobert Watson .mpo_copy_vnode_label = mac_test_copy_vnode_label, 18985c8dd342SRobert Watson .mpo_externalize_cred_label = mac_test_externalize_label, 18995c8dd342SRobert Watson .mpo_externalize_ifnet_label = mac_test_externalize_label, 19005c8dd342SRobert Watson .mpo_externalize_pipe_label = mac_test_externalize_label, 19015c8dd342SRobert Watson .mpo_externalize_socket_label = mac_test_externalize_label, 19025c8dd342SRobert Watson .mpo_externalize_socket_peer_label = mac_test_externalize_label, 19035c8dd342SRobert Watson .mpo_externalize_vnode_label = mac_test_externalize_label, 19045c8dd342SRobert Watson .mpo_internalize_cred_label = mac_test_internalize_label, 19055c8dd342SRobert Watson .mpo_internalize_ifnet_label = mac_test_internalize_label, 19065c8dd342SRobert Watson .mpo_internalize_pipe_label = mac_test_internalize_label, 19075c8dd342SRobert Watson .mpo_internalize_socket_label = mac_test_internalize_label, 19085c8dd342SRobert Watson .mpo_internalize_vnode_label = mac_test_internalize_label, 19095c8dd342SRobert Watson .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 19105c8dd342SRobert Watson .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 19115c8dd342SRobert Watson .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 
19125c8dd342SRobert Watson .mpo_create_devfs_device = mac_test_create_devfs_device, 19135c8dd342SRobert Watson .mpo_create_devfs_directory = mac_test_create_devfs_directory, 19145c8dd342SRobert Watson .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 19155c8dd342SRobert Watson .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 19165c8dd342SRobert Watson .mpo_create_mount = mac_test_create_mount, 19175c8dd342SRobert Watson .mpo_create_root_mount = mac_test_create_root_mount, 19185c8dd342SRobert Watson .mpo_relabel_vnode = mac_test_relabel_vnode, 19195c8dd342SRobert Watson .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, 19205c8dd342SRobert Watson .mpo_update_devfsdirent = mac_test_update_devfsdirent, 19215c8dd342SRobert Watson .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 19225c8dd342SRobert Watson .mpo_create_pipe = mac_test_create_pipe, 19235c8dd342SRobert Watson .mpo_create_socket = mac_test_create_socket, 19245c8dd342SRobert Watson .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, 19255c8dd342SRobert Watson .mpo_relabel_pipe = mac_test_relabel_pipe, 19265c8dd342SRobert Watson .mpo_relabel_socket = mac_test_relabel_socket, 19275c8dd342SRobert Watson .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 19285c8dd342SRobert Watson .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 19295c8dd342SRobert Watson .mpo_create_bpfdesc = mac_test_create_bpfdesc, 19305c8dd342SRobert Watson .mpo_create_ifnet = mac_test_create_ifnet, 1931a557af22SRobert Watson .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket, 19325c8dd342SRobert Watson .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 19335c8dd342SRobert Watson .mpo_create_fragment = mac_test_create_fragment, 19345c8dd342SRobert Watson .mpo_create_ipq = mac_test_create_ipq, 19352d92ec98SRobert Watson .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb, 19365c8dd342SRobert Watson 
.mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf, 19375c8dd342SRobert Watson .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 19385c8dd342SRobert Watson .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 19395c8dd342SRobert Watson .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 19405c8dd342SRobert Watson .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 19415c8dd342SRobert Watson .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 19425c8dd342SRobert Watson .mpo_fragment_match = mac_test_fragment_match, 1943250ee706SRobert Watson .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp, 19442b6e8310SRobert Watson .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp, 19455c8dd342SRobert Watson .mpo_relabel_ifnet = mac_test_relabel_ifnet, 19465c8dd342SRobert Watson .mpo_update_ipq = mac_test_update_ipq, 1947a557af22SRobert Watson .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel, 19485c8dd342SRobert Watson .mpo_execve_transition = mac_test_execve_transition, 19495c8dd342SRobert Watson .mpo_execve_will_transition = mac_test_execve_will_transition, 19505c8dd342SRobert Watson .mpo_create_proc0 = mac_test_create_proc0, 19515c8dd342SRobert Watson .mpo_create_proc1 = mac_test_create_proc1, 19525c8dd342SRobert Watson .mpo_relabel_cred = mac_test_relabel_cred, 1953ca26e8baSRobert Watson .mpo_thread_userret = mac_test_thread_userret, 19545c8dd342SRobert Watson .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 19555c8dd342SRobert Watson .mpo_check_cred_relabel = mac_test_check_cred_relabel, 19565c8dd342SRobert Watson .mpo_check_cred_visible = mac_test_check_cred_visible, 19575c8dd342SRobert Watson .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 19585c8dd342SRobert Watson .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, 1959a557af22SRobert Watson .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver, 1960ca26e8baSRobert Watson .mpo_check_kenv_dump = 
mac_test_check_kenv_dump, 1961ca26e8baSRobert Watson .mpo_check_kenv_get = mac_test_check_kenv_get, 1962ca26e8baSRobert Watson .mpo_check_kenv_set = mac_test_check_kenv_set, 1963ca26e8baSRobert Watson .mpo_check_kenv_unset = mac_test_check_kenv_unset, 1964ca26e8baSRobert Watson .mpo_check_kld_load = mac_test_check_kld_load, 1965ca26e8baSRobert Watson .mpo_check_kld_stat = mac_test_check_kld_stat, 1966ca26e8baSRobert Watson .mpo_check_kld_unload = mac_test_check_kld_unload, 19675c8dd342SRobert Watson .mpo_check_mount_stat = mac_test_check_mount_stat, 19685c8dd342SRobert Watson .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 19695c8dd342SRobert Watson .mpo_check_pipe_poll = mac_test_check_pipe_poll, 19705c8dd342SRobert Watson .mpo_check_pipe_read = mac_test_check_pipe_read, 19715c8dd342SRobert Watson .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, 19725c8dd342SRobert Watson .mpo_check_pipe_stat = mac_test_check_pipe_stat, 19735c8dd342SRobert Watson .mpo_check_pipe_write = mac_test_check_pipe_write, 19745c8dd342SRobert Watson .mpo_check_proc_debug = mac_test_check_proc_debug, 19755c8dd342SRobert Watson .mpo_check_proc_sched = mac_test_check_proc_sched, 19765c8dd342SRobert Watson .mpo_check_proc_signal = mac_test_check_proc_signal, 19775c8dd342SRobert Watson .mpo_check_socket_bind = mac_test_check_socket_bind, 19785c8dd342SRobert Watson .mpo_check_socket_connect = mac_test_check_socket_connect, 19795c8dd342SRobert Watson .mpo_check_socket_deliver = mac_test_check_socket_deliver, 19805c8dd342SRobert Watson .mpo_check_socket_listen = mac_test_check_socket_listen, 19815c8dd342SRobert Watson .mpo_check_socket_relabel = mac_test_check_socket_relabel, 19825c8dd342SRobert Watson .mpo_check_socket_visible = mac_test_check_socket_visible, 1983ca26e8baSRobert Watson .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, 1984ca26e8baSRobert Watson .mpo_check_system_acct = mac_test_check_system_acct, 1985ca26e8baSRobert Watson .mpo_check_system_reboot = 
mac_test_check_system_reboot, 1986ca26e8baSRobert Watson .mpo_check_system_settime = mac_test_check_system_settime, 1987ca26e8baSRobert Watson .mpo_check_system_swapon = mac_test_check_system_swapon, 1988ca26e8baSRobert Watson .mpo_check_system_swapoff = mac_test_check_system_swapoff, 1989ca26e8baSRobert Watson .mpo_check_system_sysctl = mac_test_check_system_sysctl, 19905c8dd342SRobert Watson .mpo_check_vnode_access = mac_test_check_vnode_access, 19915c8dd342SRobert Watson .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 19925c8dd342SRobert Watson .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 19935c8dd342SRobert Watson .mpo_check_vnode_create = mac_test_check_vnode_create, 19945c8dd342SRobert Watson .mpo_check_vnode_delete = mac_test_check_vnode_delete, 19955c8dd342SRobert Watson .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 1996250ee706SRobert Watson .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr, 19975c8dd342SRobert Watson .mpo_check_vnode_exec = mac_test_check_vnode_exec, 19985c8dd342SRobert Watson .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 19995c8dd342SRobert Watson .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 20005c8dd342SRobert Watson .mpo_check_vnode_link = mac_test_check_vnode_link, 2001250ee706SRobert Watson .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr, 20025c8dd342SRobert Watson .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 20035c8dd342SRobert Watson .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 20045c8dd342SRobert Watson .mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect, 20055c8dd342SRobert Watson .mpo_check_vnode_open = mac_test_check_vnode_open, 20065c8dd342SRobert Watson .mpo_check_vnode_poll = mac_test_check_vnode_poll, 20075c8dd342SRobert Watson .mpo_check_vnode_read = mac_test_check_vnode_read, 20085c8dd342SRobert Watson .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 20095c8dd342SRobert Watson .mpo_check_vnode_readlink 
= mac_test_check_vnode_readlink, 20105c8dd342SRobert Watson .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 20115c8dd342SRobert Watson .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 20125c8dd342SRobert Watson .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, 20135c8dd342SRobert Watson .mpo_check_vnode_revoke = mac_test_check_vnode_revoke, 20145c8dd342SRobert Watson .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, 20155c8dd342SRobert Watson .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, 20165c8dd342SRobert Watson .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, 20175c8dd342SRobert Watson .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, 20185c8dd342SRobert Watson .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, 20195c8dd342SRobert Watson .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, 20205c8dd342SRobert Watson .mpo_check_vnode_stat = mac_test_check_vnode_stat, 20215c8dd342SRobert Watson .mpo_check_vnode_write = mac_test_check_vnode_write, 2022d8a7b7a3SRobert Watson }; 2023d8a7b7a3SRobert Watson 202478183ac2SRobert Watson /*
 * Policy declaration for this module: passes the mac_test_ops entry-point
 * table, the policy name mac_test, the description string
 * "TrustedBSD MAC/Test", a set of load-time flags and the address of
 * test_slot to MAC_POLICY_SET.
 *
 * NOTE(review): MAC_POLICY_SET and both flags are defined outside this
 * view; the readings below follow the identifier names and should be
 * confirmed against the MAC framework headers.
 *   MPC_LOADTIME_FLAG_UNLOADOK   - presumably lets the policy be unloaded
 *                                  at run time, so its checks are not a
 *                                  permanent enforcement point.
 *   MPC_LOADTIME_FLAG_LABELMBUFS - presumably asks the framework to
 *                                  maintain labels on mbufs for this policy.
 * &test_slot is presumably where the framework records the label slot
 * assigned to this policy - TODO confirm.
 */
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test", 20259a1b0237SRobert Watson MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot); 2026