1d8a7b7a3SRobert Watson /*- 2d8a7b7a3SRobert Watson * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3250ee706SRobert Watson * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 4d8a7b7a3SRobert Watson * All rights reserved. 5d8a7b7a3SRobert Watson * 6d8a7b7a3SRobert Watson * This software was developed by Robert Watson for the TrustedBSD Project. 7d8a7b7a3SRobert Watson * 8dc858fcaSRobert Watson * This software was developed for the FreeBSD Project in part by Network 9dc858fcaSRobert Watson * Associates Laboratories, the Security Research Division of Network 10dc858fcaSRobert Watson * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 11dc858fcaSRobert Watson * as part of the DARPA CHATS research program. 12d8a7b7a3SRobert Watson * 13d8a7b7a3SRobert Watson * Redistribution and use in source and binary forms, with or without 14d8a7b7a3SRobert Watson * modification, are permitted provided that the following conditions 15d8a7b7a3SRobert Watson * are met: 16d8a7b7a3SRobert Watson * 1. Redistributions of source code must retain the above copyright 17d8a7b7a3SRobert Watson * notice, this list of conditions and the following disclaimer. 18d8a7b7a3SRobert Watson * 2. Redistributions in binary form must reproduce the above copyright 19d8a7b7a3SRobert Watson * notice, this list of conditions and the following disclaimer in the 20d8a7b7a3SRobert Watson * documentation and/or other materials provided with the distribution. 21d8a7b7a3SRobert Watson * 22d8a7b7a3SRobert Watson * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23d8a7b7a3SRobert Watson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24d8a7b7a3SRobert Watson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25d8a7b7a3SRobert Watson * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26d8a7b7a3SRobert Watson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27d8a7b7a3SRobert Watson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28d8a7b7a3SRobert Watson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29d8a7b7a3SRobert Watson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30d8a7b7a3SRobert Watson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31d8a7b7a3SRobert Watson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32d8a7b7a3SRobert Watson * SUCH DAMAGE. 33d8a7b7a3SRobert Watson * 34d8a7b7a3SRobert Watson * $FreeBSD$ 35d8a7b7a3SRobert Watson */ 36d8a7b7a3SRobert Watson 37d8a7b7a3SRobert Watson /* 38d8a7b7a3SRobert Watson * Developed by the TrustedBSD Project. 39d8a7b7a3SRobert Watson * Generic mandatory access module that does nothing. 40d8a7b7a3SRobert Watson */ 41d8a7b7a3SRobert Watson 42d8a7b7a3SRobert Watson #include <sys/types.h> 43d8a7b7a3SRobert Watson #include <sys/param.h> 44d8a7b7a3SRobert Watson #include <sys/acl.h> 45d8a7b7a3SRobert Watson #include <sys/conf.h> 46763bbd2fSRobert Watson #include <sys/extattr.h> 47d8a7b7a3SRobert Watson #include <sys/kernel.h> 48d8a7b7a3SRobert Watson #include <sys/mac.h> 490712b254SRobert Watson #include <sys/malloc.h> 50d8a7b7a3SRobert Watson #include <sys/mount.h> 51d8a7b7a3SRobert Watson #include <sys/proc.h> 52d8a7b7a3SRobert Watson #include <sys/systm.h> 53d8a7b7a3SRobert Watson #include <sys/sysproto.h> 54d8a7b7a3SRobert Watson #include <sys/sysent.h> 55d8a7b7a3SRobert Watson #include <sys/vnode.h> 56d8a7b7a3SRobert Watson #include <sys/file.h> 57d8a7b7a3SRobert Watson #include <sys/socket.h> 58d8a7b7a3SRobert Watson #include <sys/socketvar.h> 59d8a7b7a3SRobert Watson #include <sys/sysctl.h> 60d8a7b7a3SRobert Watson 61d8a7b7a3SRobert Watson #include <fs/devfs/devfs.h> 
#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * Writable "enabled" knob, on by default.
 * NOTE(review): nothing in the part of this file reviewed here reads the
 * variable; confirm it is consulted elsewhere before relying on it to turn
 * the checks off.
 */
static int	mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");

/*
 * Per-object-type magic numbers.  Each label init entry point stamps this
 * policy's slot with the magic for its object type; the destroy entry
 * points and the ASSERT_*_LABEL() macros compare the slot against it, so a
 * label that reaches the wrong entry point, or whose slot was overwritten,
 * shows up as a mismatch.  EXMAGIC is what the destroy entry points leave
 * behind, which lets a repeated destroy be told apart from corruption.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	PIPEMAGIC	0xdc6c9919
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
#define	EXMAGIC		0x849ba1fd

/* This policy's storage inside a label, accessed through its long member. */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long

/*
 * Assert that a label carries the magic expected for its object type.
 * A slot value of 0 is accepted too -- presumably a label that never went
 * through this policy's init hook (for instance an object that predates
 * loading the module); TODO confirm.  KASSERT() is only compiled in on
 * INVARIANTS kernels, so these checks vanish from other builds.
 */
#define	ASSERT_LABEL_MAGIC(x, magic, what)				\
	KASSERT(SLOT(x) == (magic) || SLOT(x) == 0,			\
	    ("%s: Bad " what " label", __func__))

#define	ASSERT_BPF_LABEL(x)	ASSERT_LABEL_MAGIC((x), BPFMAGIC, "BPF")
#define	ASSERT_DEVFS_LABEL(x)	ASSERT_LABEL_MAGIC((x), DEVFSMAGIC, "DEVFS")
#define	ASSERT_IFNET_LABEL(x)	ASSERT_LABEL_MAGIC((x), IFNETMAGIC, "IFNET")
#define	ASSERT_IPQ_LABEL(x)	ASSERT_LABEL_MAGIC((x), IPQMAGIC, "IPQ")
#define	ASSERT_MBUF_LABEL(x)	ASSERT_LABEL_MAGIC((x), MBUFMAGIC, "MBUF")
#define	ASSERT_MOUNT_LABEL(x)	ASSERT_LABEL_MAGIC((x), MOUNTMAGIC, "MOUNT")
#define	ASSERT_SOCKET_LABEL(x)	ASSERT_LABEL_MAGIC((x), SOCKETMAGIC, "SOCKET")
#define	ASSERT_PIPE_LABEL(x)	ASSERT_LABEL_MAGIC((x), PIPEMAGIC, "PIPE")
#define	ASSERT_PROC_LABEL(x)	ASSERT_LABEL_MAGIC((x), PROCMAGIC, "PROC")
#define	ASSERT_CRED_LABEL(x)	ASSERT_LABEL_MAGIC((x), CREDMAGIC, "CRED")
#define	ASSERT_VNODE_LABEL(x)	ASSERT_LABEL_MAGIC((x), VNODEMAGIC, "VNODE")

/* Slot index used by SLOT(); exported read-only for inspection. */
static int	test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");

/*
 * Declare one call counter together with the read-only sysctl that exports
 * it under security.mac.test.<name>.
 */
#define	MAC_TEST_COUNTER(name, descr)					\
	static int name;						\
	SYSCTL_INT(_security_mac_test, OID_AUTO, name, CTLFLAG_RD,	\
	    &name, 0, descr)

/*
 * Label init counters, one per object type.  Comparing them with the
 * destroy counters below gives a coarse view of label leaks.
 */
MAC_TEST_COUNTER(init_count_bpfdesc, "bpfdesc init calls");
MAC_TEST_COUNTER(init_count_cred, "cred init calls");
MAC_TEST_COUNTER(init_count_devfsdirent, "devfsdirent init calls");
MAC_TEST_COUNTER(init_count_ifnet, "ifnet init calls");
MAC_TEST_COUNTER(init_count_ipq, "ipq init calls");
MAC_TEST_COUNTER(init_count_mbuf, "mbuf init calls");
MAC_TEST_COUNTER(init_count_mount, "mount init calls");
MAC_TEST_COUNTER(init_count_mount_fslabel, "mount_fslabel init calls");
MAC_TEST_COUNTER(init_count_socket, "socket init calls");
MAC_TEST_COUNTER(init_count_socket_peerlabel, "socket_peerlabel init calls");
MAC_TEST_COUNTER(init_count_pipe, "pipe init calls");
MAC_TEST_COUNTER(init_count_proc, "proc init calls");
MAC_TEST_COUNTER(init_count_vnode, "vnode init calls");

/* Label destroy counters, one per object type. */
MAC_TEST_COUNTER(destroy_count_bpfdesc, "bpfdesc destroy calls");
MAC_TEST_COUNTER(destroy_count_cred, "cred destroy calls");
MAC_TEST_COUNTER(destroy_count_devfsdirent, "devfsdirent destroy calls");
MAC_TEST_COUNTER(destroy_count_ifnet, "ifnet destroy calls");
MAC_TEST_COUNTER(destroy_count_ipq, "ipq destroy calls");
MAC_TEST_COUNTER(destroy_count_mbuf, "mbuf destroy calls");
MAC_TEST_COUNTER(destroy_count_mount, "mount destroy calls");
MAC_TEST_COUNTER(destroy_count_mount_fslabel, "mount_fslabel destroy calls");
MAC_TEST_COUNTER(destroy_count_socket, "socket destroy calls");
MAC_TEST_COUNTER(destroy_count_socket_peerlabel,
    "socket_peerlabel destroy calls");
MAC_TEST_COUNTER(destroy_count_pipe, "pipe destroy calls");
MAC_TEST_COUNTER(destroy_count_proc, "proc destroy calls");
MAC_TEST_COUNTER(destroy_count_vnode, "vnode destroy calls");

/* Counters for label externalize/internalize requests, exported read-only. */
static int	externalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
static int	internalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");

/*
 * Policy module operations.
 */

/* Policy teardown hook: nothing to release. */
static void
mac_test_destroy(struct mac_policy_conf *conf)
{

}

/* Policy setup hook: nothing to set up. */
static void
mac_test_init(struct mac_policy_conf *conf)
{

}

/*
 * Policy-specific system call hook.  Every call number is accepted, arg is
 * never looked at, and the result is always 0.
 */
static int
mac_test_syscall(struct thread *td, int call, void *arg)
{

	return (0);
}

/*
 * Label operations.
 *
 * Each init hook stamps the policy's slot in the new label with the magic
 * for its object type and bumps the matching init counter.
 */
static void
mac_test_init_bpfdesc_label(struct label *label)
{

	SLOT(label) = BPFMAGIC;
	atomic_add_int(&init_count_bpfdesc, 1);
}

static void
mac_test_init_cred_label(struct label *label)
{

	SLOT(label) = CREDMAGIC;
	atomic_add_int(&init_count_cred, 1);
}

static void
mac_test_init_devfsdirent_label(struct label *label)
{

	SLOT(label) = DEVFSMAGIC;
	atomic_add_int(&init_count_devfsdirent, 1);
}

static void
mac_test_init_ifnet_label(struct label *label)
{

	SLOT(label) = IFNETMAGIC;
	atomic_add_int(&init_count_ifnet, 1);
}

/*
 * Init hook for IP fragment queue labels.  When the caller passes M_WAITOK
 * (it is prepared to sleep), WITNESS is asked to warn about locks held at
 * this point, with Giant and sleepable locks exempted by the WARN_* flags.
 * Always returns 0.
 */
static int
mac_test_init_ipq_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = IPQMAGIC;
	atomic_add_int(&init_count_ipq, 1);
	return (0);
}

/*
 * Init hook for mbuf labels; same M_WAITOK lock check as the ipq hook.
 * Always returns 0.
 */
static int
mac_test_init_mbuf_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = MBUFMAGIC;
	atomic_add_int(&init_count_mbuf, 1);
	return (0);
}

static void
mac_test_init_mount_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount, 1);
}

/*
 * The filesystem label shares MOUNTMAGIC with the mount label, so the magic
 * check cannot tell the two apart; only the counters differ.
 */
static void
mac_test_init_mount_fs_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount_fslabel, 1);
}

/*
 * Init hook for socket labels; same M_WAITOK lock check as the ipq hook.
 * Always returns 0.
 */
static int
mac_test_init_socket_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket, 1);
	return (0);
}

/*
 * Init hook for socket peer labels.  The peer label shares SOCKETMAGIC with
 * the socket label, so the magic check cannot tell the two apart; only the
 * counters differ.  When the caller passes M_WAITOK, WITNESS is asked to
 * warn about locks held at this point, with Giant and sleepable locks
 * exempted by the WARN_* flags.  Always returns 0.
 */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket_peerlabel, 1);
	return (0);
}

static void
mac_test_init_pipe_label(struct label *label)
{

	SLOT(label) = PIPEMAGIC;
	atomic_add_int(&init_count_pipe, 1);
}

static void
mac_test_init_proc_label(struct label *label)
{

	SLOT(label) = PROCMAGIC;
	atomic_add_int(&init_count_proc, 1);
}

static void
mac_test_init_vnode_label(struct label *label)
{

	SLOT(label) = VNODEMAGIC;
	atomic_add_int(&init_count_vnode, 1);
}

/*
 * Shared body of the label destroy hooks.
 *
 * A slot holding the expected magic (or 0) is a normal destroy: the counter
 * is bumped and the slot is overwritten with EXMAGIC.  A slot that already
 * holds EXMAGIC means the label was destroyed before; any other value means
 * the slot was overwritten or the label belongs to another object type.
 * Both error cases are reported through Debugger() with a message that
 * starts with "who".
 *
 * NOTE(review): the comparison and the EXMAGIC store are separate steps and
 * only the counter update is atomic, so two destroys of the same label that
 * race each other can both take the first branch.  Sequential double
 * destroys are caught; concurrent ones may not be.
 */
#define	MAC_TEST_DESTROY_LABEL(label, magic, counter, who) do {	\
	if (SLOT(label) == (magic) || SLOT(label) == 0) {		\
		atomic_add_int(&(counter), 1);				\
		SLOT(label) = EXMAGIC;					\
	} else if (SLOT(label) == EXMAGIC) {				\
		Debugger(who ": dup destroy");				\
	} else {							\
		Debugger(who ": corrupted label");			\
	}								\
} while (0)

static void
mac_test_destroy_bpfdesc_label(struct label *label)
{

	MAC_TEST_DESTROY_LABEL(label, BPFMAGIC, destroy_count_bpfdesc,
	    "mac_test_destroy_bpfdesc");
}

static void
mac_test_destroy_cred_label(struct label *label)
{

	MAC_TEST_DESTROY_LABEL(label, CREDMAGIC, destroy_count_cred,
	    "mac_test_destroy_cred");
}

static void
mac_test_destroy_devfsdirent_label(struct label *label)
{

	MAC_TEST_DESTROY_LABEL(label, DEVFSMAGIC, destroy_count_devfsdirent,
	    "mac_test_destroy_devfsdirent");
}

static void
mac_test_destroy_ifnet_label(struct label *label)
{

	MAC_TEST_DESTROY_LABEL(label, IFNETMAGIC, destroy_count_ifnet,
	    "mac_test_destroy_ifnet");
}

static void
mac_test_destroy_ipq_label(struct label *label)
{

	MAC_TEST_DESTROY_LABEL(label, IPQMAGIC, destroy_count_ipq,
	    "mac_test_destroy_ipq");
}

static void
mac_test_destroy_mbuf_label(struct label *label)
{

	/*
	 * If we're loaded dynamically, there may be mbufs in flight that
	 * didn't have label storage allocated for them.  Handle this
	 * gracefully.  This is the only destroy hook that tolerates a NULL
	 * label.
	 */
	if (label == NULL) {
		return;
	}

	MAC_TEST_DESTROY_LABEL(label, MBUFMAGIC, destroy_count_mbuf,
	    "mac_test_destroy_mbuf");
}

static void
mac_test_destroy_mount_label(struct label *label)
{

	MAC_TEST_DESTROY_LABEL(label, MOUNTMAGIC, destroy_count_mount,
	    "mac_test_destroy_mount");
}

/* Filesystem labels carry MOUNTMAGIC, the same magic as mount labels. */
static void
mac_test_destroy_mount_fs_label(struct label *label)
{

	MAC_TEST_DESTROY_LABEL(label, MOUNTMAGIC, destroy_count_mount_fslabel,
	    "mac_test_destroy_mount_fslabel");
}

static void
mac_test_destroy_socket_label(struct label *label)
{

	MAC_TEST_DESTROY_LABEL(label, SOCKETMAGIC, destroy_count_socket,
	    "mac_test_destroy_socket");
}

/* Socket peer labels carry SOCKETMAGIC, the same magic as socket labels. */
static void
mac_test_destroy_socket_peer_label(struct label *label)
{

	MAC_TEST_DESTROY_LABEL(label, SOCKETMAGIC,
	    destroy_count_socket_peerlabel,
	    "mac_test_destroy_socket_peerlabel");
}

static void
mac_test_destroy_pipe_label(struct label *label)
{

	MAC_TEST_DESTROY_LABEL(label, PIPEMAGIC, destroy_count_pipe,
	    "mac_test_destroy_pipe");
}

static void
mac_test_destroy_proc_label(struct label *label)
{

	MAC_TEST_DESTROY_LABEL(label, PROCMAGIC, destroy_count_proc,
	    "mac_test_destroy_proc");
}

static void
mac_test_destroy_vnode_label(struct label *label)
{

	MAC_TEST_DESTROY_LABEL(label, VNODEMAGIC, destroy_count_vnode,
	    "mac_test_destroy_vnode");
}

/*
 * Copy hook for mbuf labels.  Nothing is copied: the hook only asserts that
 * both labels carry the mbuf magic (or 0).  The assertions are KASSERT()
 * based, so they are only present on INVARIANTS kernels.
 */
static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{

	ASSERT_MBUF_LABEL(src);
	ASSERT_MBUF_LABEL(dest);
}

/*
 * Copy hook for pipe labels: runs ASSERT_PIPE_LABEL on both labels and
 * copies nothing.  The ASSERT_*_LABEL macros used throughout are defined
 * earlier in the file, outside this excerpt.
 */
static void
mac_test_copy_pipe_label(struct label *src, struct label *dest)
{

	ASSERT_PIPE_LABEL(src);
	ASSERT_PIPE_LABEL(dest);
}

/* Copy hook for socket labels: checks both labels, copies nothing. */
static void
mac_test_copy_socket_label(struct label *src, struct label *dest)
{

	ASSERT_SOCKET_LABEL(src);
	ASSERT_SOCKET_LABEL(dest);
}

/* Copy hook for vnode labels: checks both labels, copies nothing. */
static void
mac_test_copy_vnode_label(struct label *src, struct label *dest)
{

	ASSERT_VNODE_LABEL(src);
	ASSERT_VNODE_LABEL(dest);
}

/*
 * Externalize hook.  Counts the call in externalize_count and asserts that
 * the label has not been destroyed (its slot is not EXMAGIC).  Nothing is
 * written to sb and *claimed is left untouched.  Always returns 0.
 *
 * KASSERT is compiled out of kernels built without INVARIANTS, so the
 * destroyed-label check only runs on debugging kernels.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{

	atomic_add_int(&externalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_externalize_label: destroyed label"));

	return (0);
}

/*
 * Internalize hook.  Counts the call in internalize_count and asserts that
 * the label has not been destroyed.  element_name and element_data are not
 * parsed and *claimed is left untouched.  Always returns 0.
 */
static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{

	atomic_add_int(&internalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_internalize_label: destroyed label"));

	return (0);
}

/*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.
 */
/* Checks the mount, devfs entry and vnode labels; changes no label. */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_DEVFS_LABEL(delabel);
	ASSERT_VNODE_LABEL(vlabel);
}

/*
 * Checks the mount and vnode labels and returns 0.  No extended attribute
 * is read by this function.
 */
static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
	return (0);
}

/* Checks the mount and vnode labels; changes no label. */
static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
}

/* Checks the devfs entry label handed in for a device node. */
static void
mac_test_create_devfs_device(struct mount *mp, dev_t dev,
    struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

/* Checks the devfs entry label handed in for a directory. */
static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

/* Checks the credential label and both devfs entry labels (dd and de). */
static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_DEVFS_LABEL(ddlabel);
	ASSERT_DEVFS_LABEL(delabel);
}

/*
 * Checks the credential label, the mount label and dlabel (the label passed
 * with dvp), then returns 0.
 *
 * NOTE(review): vlabel, the label passed with vp, is not checked here --
 * confirm whether that is intentional.
 */
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/*
 * Checks the credential label and both labels handed in for the mount;
 * mntlabel and fslabel are both checked with ASSERT_MOUNT_LABEL.
 */
static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

/* Same checks as mac_test_create_mount(), for the root mount hook. */
static void
mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

/*
 * Checks the credential label, the vnode's current label and the new label.
 * The new label is not stored anywhere by this function.
 */
static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(label);
}

/*
 * Checks the credential label, the vnode label and intlabel, then returns 0.
 * No extended attribute is written by this function.
 */
static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vlabel);
	ASSERT_VNODE_LABEL(intlabel);
	return (0);
}

/* Checks the devfs entry label and the vnode label; changes neither. */
static void
mac_test_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{

	ASSERT_DEVFS_LABEL(direntlabel);
	ASSERT_VNODE_LABEL(vnodelabel);
}

/*
 * Labeling event operations: IPC object.
 */
/* Checks the socket label and the mbuf label. */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Checks the credential label and the socket label. */
static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
}

/* Checks the credential label and the pipe label. */
static void
mac_test_create_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
}

/* Checks the labels of both the old and the new socket. */
static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketlabel);
}

/*
 * Checks the credential label and the new socket label.
 *
 * NOTE(review): socketlabel, the socket's current label, is not checked
 * here, although mac_test_relabel_pipe() checks both the current and the new
 * label -- confirm whether the omission is intentional.
 */
static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(newlabel);
}

/* Checks the credential label, the pipe's current label and the new label. */
static void
mac_test_relabel_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
}

/*
 * Checks the mbuf label and the socket peer label; the peer label is
 * checked with ASSERT_SOCKET_LABEL.
 */
static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{

	ASSERT_MBUF_LABEL(mbuflabel);
	ASSERT_SOCKET_LABEL(socketpeerlabel);
}

/*
 * Labeling event operations: network objects.
 */
/*
 * Checks the old socket's label and the new socket's peer label, both with
 * ASSERT_SOCKET_LABEL.  The ASSERT_*_LABEL macros used throughout are
 * defined earlier in the file, outside this excerpt.
 */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}

/* Checks the credential label and the BPF descriptor label. */
static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}

/* Checks the IP reassembly queue label and the datagram's mbuf label. */
static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}

/* Checks the mbuf labels of the datagram and of the fragment. */
static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}

/* Checks the interface label. */
static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
}

/* Checks the fragment's mbuf label and the reassembly queue label. */
static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

/* Checks the labels of the old and the new mbuf. */
static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/* Checks the interface label and the mbuf label. */
static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Checks the BPF descriptor label and the mbuf label. */
static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Checks the interface label and the mbuf label. */
static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Checks the old mbuf label, the interface label and the new mbuf label. */
static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/* Checks the labels of the old and the new mbuf. */
static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/*
 * Checks the fragment's mbuf label and the reassembly queue label, then
 * returns 1 unconditionally.  The two labels are never compared with each
 * other, so from this policy's side every fragment matches every queue.
 */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);

	return (1);
}

/* Checks the mbuf label; the label is not modified. */
static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

/* Checks the mbuf label; the label is not modified. */
static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

/*
 * Checks the credential label, the interface's current label and the new
 * label.  The new label is not stored anywhere by this function.
 */
static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
}

/* Checks the fragment's mbuf label and the reassembly queue label. */
static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

/*
 * Labeling event operations: processes.
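 */
/*
 * Checks the credential labels of the parent and of the child.  The
 * ASSERT_*_LABEL macros used throughout are defined earlier in the file,
 * outside this excerpt.
 */
static void
mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{

	ASSERT_CRED_LABEL(cred_parent->cr_label);
	ASSERT_CRED_LABEL(cred_child->cr_label);
}

/*
 * Checks the labels involved in an execve() credential transition: the old
 * and new credential labels and the label of the file being executed.
 *
 * interpvnodelabel and execlabel are optional and are only checked when
 * non-NULL.  mac_test_execve_will_transition() already treats both that
 * way; the guard on interpvnodelabel keeps the two hooks consistent, so a
 * NULL interpreter label is never handed to ASSERT_VNODE_LABEL.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}

/*
 * Checks the old credential label and the file label, plus the interpreter
 * and exec labels when they are non-NULL.  Always returns 0; presumably that
 * tells the framework this policy requests no credential transition --
 * confirm against the framework's caller.
 */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/* Checks the credential label. */
static void
mac_test_create_proc0(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

/* Checks the credential label. */
static void
mac_test_create_proc1(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

/*
 * Checks the credential's current label and the new label.  The new label
 * is not stored anywhere by this function.
 */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}

/*
 * Prints one console line with the current process ID every time the hook
 * runs.  The output is unconditional, so log volume follows the rate at
 * which the framework invokes this hook.
 *
 * NOTE(review): td is unused and the pid is read through curthread;
 * presumably both name the same thread at this hook -- confirm.
 */
static void
mac_test_thread_userret(struct thread *td)
{

	printf("mac_test_thread_userret(process = %d)\n",
	    curthread->td_proc->p_pid);
}

/*
 * Access control checks.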
 */
/*
 * Every check hook shown in full below runs the ASSERT_*_LABEL macros on the
 * labels it is handed and then returns 0, so this policy never denies an
 * operation.  The ASSERT_*_LABEL macros are defined earlier in the file,
 * outside this excerpt.
 */
/* BPF receive check: checks the BPF descriptor and interface labels. */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}

/* Credential relabel check: checks the current and the new label. */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}

/* Credential visibility check: checks the labels of both credentials. */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);

	return (0);
}

/*
 * Interface relabel check: checks the credential label and the interface's
 * current and new labels.
 */
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
	return (0);
}

/* Interface transmit check: checks the interface and mbuf labels. */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* Kernel environment dump check: checks the credential label only. */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel environment get check: name is not examined. */
static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel environment set check: name and value are not examined. */
static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel environment unset check: name is not examined. */
static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel module load check: checks the credential and vnode labels. */
static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Kernel module stat check: checks the credential label only. */
static int
mac_test_check_kld_stat(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel module unload check: checks the credential label only. */
static int
mac_test_check_kld_unload(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Mount stat check: checks the credential and mount labels. */
static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);

	return (0);
}

/* Pipe ioctl check: cmd and data are not examined. */
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe poll check: checks the credential and pipe labels. */
static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe read check: checks the credential and pipe labels. */
static int
mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/*
 * Pipe relabel check: checks the credential label and the pipe's current
 * and new labels.
 */
static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);

	return (0);
}

/* Pipe stat check: checks the credential and pipe labels. */
static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe write check: checks the credential and pipe labels. */
static int
mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/*
 * Process debug check: checks the subject credential's label and the label
 * of the target process's credential (proc->p_ucred).
 */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Process scheduling check: same two credential labels as the debug check. */
static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Process signal check: signum is not examined. */
static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Socket bind check: sockaddr is not examined. */
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket connect check: sockaddr is not examined. */
static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/*
 * Socket deliver check: checks the socket and mbuf labels.  No credential
 * is passed to this hook.
 */
static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* Socket listen check: checks the credential and socket labels. */
static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket visibility check: checks the credential and socket labels. */
static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/*
 * Socket relabel check: checks the credential label and the socket's
 * current and new labels.
 */
static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}

/* sysarch ioperm check: checks the credential label only. */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * System accounting check: checks the credential label only.
 *
 * NOTE(review): vp and label are not checked here.  Presumably they can be
 * NULL, e.g. when accounting is being switched off -- confirm before adding
 * ASSERT_VNODE_LABEL(label).
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{

ASSERT_CRED_LABEL(cred->cr_label); 1360250ee706SRobert Watson 1361ca26e8baSRobert Watson return (0); 1362ca26e8baSRobert Watson } 1363ca26e8baSRobert Watson 1364ca26e8baSRobert Watson static int 1365ca26e8baSRobert Watson mac_test_check_system_settime(struct ucred *cred) 1366ca26e8baSRobert Watson { 1367ca26e8baSRobert Watson 1368eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1369250ee706SRobert Watson 1370ca26e8baSRobert Watson return (0); 1371ca26e8baSRobert Watson } 1372ca26e8baSRobert Watson 1373ca26e8baSRobert Watson static int 1374ca26e8baSRobert Watson mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp, 1375ca26e8baSRobert Watson struct label *label) 1376ca26e8baSRobert Watson { 1377ca26e8baSRobert Watson 1378eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1379250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1380250ee706SRobert Watson 1381ca26e8baSRobert Watson return (0); 1382ca26e8baSRobert Watson } 1383ca26e8baSRobert Watson 1384ca26e8baSRobert Watson static int 1385ca26e8baSRobert Watson mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp, 1386ca26e8baSRobert Watson struct label *label) 1387ca26e8baSRobert Watson { 1388ca26e8baSRobert Watson 1389eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1390250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1391250ee706SRobert Watson 1392ca26e8baSRobert Watson return (0); 1393ca26e8baSRobert Watson } 1394ca26e8baSRobert Watson 1395ca26e8baSRobert Watson static int 1396ca26e8baSRobert Watson mac_test_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, 1397ca26e8baSRobert Watson void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen) 1398ca26e8baSRobert Watson { 1399ca26e8baSRobert Watson 1400eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1401250ee706SRobert Watson 1402ca26e8baSRobert Watson return (0); 1403ca26e8baSRobert Watson } 1404ca26e8baSRobert Watson 1405ca26e8baSRobert Watson static int 1406d8a7b7a3SRobert 
Watson mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp, 1407b914de36SRobert Watson struct label *label, int acc_mode) 1408d8a7b7a3SRobert Watson { 1409d8a7b7a3SRobert Watson 1410eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1411250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1412250ee706SRobert Watson 1413d8a7b7a3SRobert Watson return (0); 1414d8a7b7a3SRobert Watson } 1415d8a7b7a3SRobert Watson 1416d8a7b7a3SRobert Watson static int 1417d8a7b7a3SRobert Watson mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, 1418d8a7b7a3SRobert Watson struct label *dlabel) 1419d8a7b7a3SRobert Watson { 1420d8a7b7a3SRobert Watson 1421eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1422250ee706SRobert Watson ASSERT_VNODE_LABEL(dlabel); 1423250ee706SRobert Watson 1424d8a7b7a3SRobert Watson return (0); 1425d8a7b7a3SRobert Watson } 1426d8a7b7a3SRobert Watson 1427d8a7b7a3SRobert Watson static int 1428d8a7b7a3SRobert Watson mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, 1429d8a7b7a3SRobert Watson struct label *dlabel) 1430d8a7b7a3SRobert Watson { 1431d8a7b7a3SRobert Watson 1432eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1433250ee706SRobert Watson ASSERT_VNODE_LABEL(dlabel); 1434250ee706SRobert Watson 1435d8a7b7a3SRobert Watson return (0); 1436d8a7b7a3SRobert Watson } 1437d8a7b7a3SRobert Watson 1438d8a7b7a3SRobert Watson static int 1439d8a7b7a3SRobert Watson mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp, 1440d8a7b7a3SRobert Watson struct label *dlabel, struct componentname *cnp, struct vattr *vap) 1441d8a7b7a3SRobert Watson { 1442d8a7b7a3SRobert Watson 1443eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1444250ee706SRobert Watson ASSERT_VNODE_LABEL(dlabel); 1445250ee706SRobert Watson 1446d8a7b7a3SRobert Watson return (0); 1447d8a7b7a3SRobert Watson } 1448d8a7b7a3SRobert Watson 1449d8a7b7a3SRobert Watson static int 1450d8a7b7a3SRobert Watson 
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp, 1451d8a7b7a3SRobert Watson struct label *dlabel, struct vnode *vp, struct label *label, 1452d8a7b7a3SRobert Watson struct componentname *cnp) 1453d8a7b7a3SRobert Watson { 1454d8a7b7a3SRobert Watson 1455eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1456250ee706SRobert Watson ASSERT_VNODE_LABEL(dlabel); 1457250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1458250ee706SRobert Watson 1459d8a7b7a3SRobert Watson return (0); 1460d8a7b7a3SRobert Watson } 1461d8a7b7a3SRobert Watson 1462d8a7b7a3SRobert Watson static int 1463d8a7b7a3SRobert Watson mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, 1464d8a7b7a3SRobert Watson struct label *label, acl_type_t type) 1465d8a7b7a3SRobert Watson { 1466d8a7b7a3SRobert Watson 1467eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1468250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1469250ee706SRobert Watson 1470250ee706SRobert Watson return (0); 1471250ee706SRobert Watson } 1472250ee706SRobert Watson 1473250ee706SRobert Watson static int 1474250ee706SRobert Watson mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, 1475250ee706SRobert Watson struct label *label, int attrnamespace, const char *name) 1476250ee706SRobert Watson { 1477250ee706SRobert Watson 1478eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1479250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1480250ee706SRobert Watson 1481d8a7b7a3SRobert Watson return (0); 1482d8a7b7a3SRobert Watson } 1483d8a7b7a3SRobert Watson 1484d8a7b7a3SRobert Watson static int 1485d8a7b7a3SRobert Watson mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp, 1486ef5def59SRobert Watson struct label *label, struct image_params *imgp, 1487ef5def59SRobert Watson struct label *execlabel) 1488d8a7b7a3SRobert Watson { 1489d8a7b7a3SRobert Watson 1490eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1491250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 
1492250ee706SRobert Watson if (execlabel != NULL) { 1493250ee706SRobert Watson ASSERT_CRED_LABEL(execlabel); 1494250ee706SRobert Watson } 1495250ee706SRobert Watson 1496d8a7b7a3SRobert Watson return (0); 1497d8a7b7a3SRobert Watson } 1498d8a7b7a3SRobert Watson 1499d8a7b7a3SRobert Watson static int 1500d8a7b7a3SRobert Watson mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp, 1501d8a7b7a3SRobert Watson struct label *label, acl_type_t type) 1502d8a7b7a3SRobert Watson { 1503d8a7b7a3SRobert Watson 1504eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1505250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1506250ee706SRobert Watson 1507d8a7b7a3SRobert Watson return (0); 1508d8a7b7a3SRobert Watson } 1509d8a7b7a3SRobert Watson 1510d8a7b7a3SRobert Watson static int 1511d8a7b7a3SRobert Watson mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 1512d8a7b7a3SRobert Watson struct label *label, int attrnamespace, const char *name, struct uio *uio) 1513d8a7b7a3SRobert Watson { 1514d8a7b7a3SRobert Watson 1515eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1516250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1517250ee706SRobert Watson 1518d8a7b7a3SRobert Watson return (0); 1519d8a7b7a3SRobert Watson } 1520d8a7b7a3SRobert Watson 1521d8a7b7a3SRobert Watson static int 1522c27b50f5SRobert Watson mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp, 1523c27b50f5SRobert Watson struct label *dlabel, struct vnode *vp, struct label *label, 1524c27b50f5SRobert Watson struct componentname *cnp) 1525c27b50f5SRobert Watson { 1526c27b50f5SRobert Watson 1527eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1528250ee706SRobert Watson ASSERT_VNODE_LABEL(dlabel); 1529250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1530250ee706SRobert Watson 1531250ee706SRobert Watson return (0); 1532250ee706SRobert Watson } 1533250ee706SRobert Watson 1534250ee706SRobert Watson static int 1535250ee706SRobert Watson 
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, 1536250ee706SRobert Watson struct label *label, int attrnamespace) 1537250ee706SRobert Watson { 1538250ee706SRobert Watson 1539eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1540250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1541250ee706SRobert Watson 1542c27b50f5SRobert Watson return (0); 1543c27b50f5SRobert Watson } 1544c27b50f5SRobert Watson 1545c27b50f5SRobert Watson static int 1546d8a7b7a3SRobert Watson mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 1547d8a7b7a3SRobert Watson struct label *dlabel, struct componentname *cnp) 1548d8a7b7a3SRobert Watson { 1549d8a7b7a3SRobert Watson 1550eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1551250ee706SRobert Watson ASSERT_VNODE_LABEL(dlabel); 1552250ee706SRobert Watson 1553d8a7b7a3SRobert Watson return (0); 1554d8a7b7a3SRobert Watson } 1555d8a7b7a3SRobert Watson 1556d8a7b7a3SRobert Watson static int 1557e183f80eSRobert Watson mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp, 1558e183f80eSRobert Watson struct label *label, int prot) 1559e183f80eSRobert Watson { 1560e183f80eSRobert Watson 1561eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1562250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1563250ee706SRobert Watson 1564e183f80eSRobert Watson return (0); 1565e183f80eSRobert Watson } 1566e183f80eSRobert Watson 1567e183f80eSRobert Watson static int 1568e183f80eSRobert Watson mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, 1569e183f80eSRobert Watson struct label *label, int prot) 1570e183f80eSRobert Watson { 1571e183f80eSRobert Watson 1572eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1573250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1574250ee706SRobert Watson 1575e183f80eSRobert Watson return (0); 1576e183f80eSRobert Watson } 1577e183f80eSRobert Watson 1578e183f80eSRobert Watson static int 1579d8a7b7a3SRobert Watson mac_test_check_vnode_open(struct 
ucred *cred, struct vnode *vp, 1580b914de36SRobert Watson struct label *filelabel, int acc_mode) 1581d8a7b7a3SRobert Watson { 1582d8a7b7a3SRobert Watson 1583eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1584250ee706SRobert Watson ASSERT_VNODE_LABEL(filelabel); 1585250ee706SRobert Watson 1586d8a7b7a3SRobert Watson return (0); 1587d8a7b7a3SRobert Watson } 1588d8a7b7a3SRobert Watson 1589d8a7b7a3SRobert Watson static int 1590177142e4SRobert Watson mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, 1591177142e4SRobert Watson struct vnode *vp, struct label *label) 15927f724f8bSRobert Watson { 15937f724f8bSRobert Watson 1594eca8a663SRobert Watson ASSERT_CRED_LABEL(active_cred->cr_label); 1595eca8a663SRobert Watson ASSERT_CRED_LABEL(file_cred->cr_label); 1596250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1597250ee706SRobert Watson 15987f724f8bSRobert Watson return (0); 15997f724f8bSRobert Watson } 16007f724f8bSRobert Watson 16017f724f8bSRobert Watson static int 1602177142e4SRobert Watson mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, 1603177142e4SRobert Watson struct vnode *vp, struct label *label) 16047f724f8bSRobert Watson { 16057f724f8bSRobert Watson 1606eca8a663SRobert Watson ASSERT_CRED_LABEL(active_cred->cr_label); 1607250ee706SRobert Watson if (file_cred != NULL) { 1608eca8a663SRobert Watson ASSERT_CRED_LABEL(file_cred->cr_label); 1609250ee706SRobert Watson } 1610250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1611250ee706SRobert Watson 16127f724f8bSRobert Watson return (0); 16137f724f8bSRobert Watson } 16147f724f8bSRobert Watson 16157f724f8bSRobert Watson static int 1616d8a7b7a3SRobert Watson mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, 1617d8a7b7a3SRobert Watson struct label *dlabel) 1618d8a7b7a3SRobert Watson { 1619d8a7b7a3SRobert Watson 1620eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1621250ee706SRobert Watson ASSERT_VNODE_LABEL(dlabel); 
1622250ee706SRobert Watson 1623d8a7b7a3SRobert Watson return (0); 1624d8a7b7a3SRobert Watson } 1625d8a7b7a3SRobert Watson 1626d8a7b7a3SRobert Watson static int 1627d8a7b7a3SRobert Watson mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp, 1628d8a7b7a3SRobert Watson struct label *vnodelabel) 1629d8a7b7a3SRobert Watson { 1630d8a7b7a3SRobert Watson 1631eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1632250ee706SRobert Watson ASSERT_VNODE_LABEL(vnodelabel); 1633250ee706SRobert Watson 1634d8a7b7a3SRobert Watson return (0); 1635d8a7b7a3SRobert Watson } 1636d8a7b7a3SRobert Watson 1637d8a7b7a3SRobert Watson static int 1638d8a7b7a3SRobert Watson mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp, 1639d8a7b7a3SRobert Watson struct label *vnodelabel, struct label *newlabel) 1640d8a7b7a3SRobert Watson { 1641d8a7b7a3SRobert Watson 1642eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1643250ee706SRobert Watson ASSERT_VNODE_LABEL(vnodelabel); 1644250ee706SRobert Watson ASSERT_VNODE_LABEL(newlabel); 1645250ee706SRobert Watson 1646d8a7b7a3SRobert Watson return (0); 1647d8a7b7a3SRobert Watson } 1648d8a7b7a3SRobert Watson 1649d8a7b7a3SRobert Watson static int 1650d8a7b7a3SRobert Watson mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 1651d8a7b7a3SRobert Watson struct label *dlabel, struct vnode *vp, struct label *label, 1652d8a7b7a3SRobert Watson struct componentname *cnp) 1653d8a7b7a3SRobert Watson { 1654d8a7b7a3SRobert Watson 1655eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1656250ee706SRobert Watson ASSERT_VNODE_LABEL(dlabel); 1657250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1658250ee706SRobert Watson 1659d8a7b7a3SRobert Watson return (0); 1660d8a7b7a3SRobert Watson } 1661d8a7b7a3SRobert Watson 1662d8a7b7a3SRobert Watson static int 1663d8a7b7a3SRobert Watson mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, 1664d8a7b7a3SRobert Watson struct label *dlabel, struct vnode 
*vp, struct label *label, int samedir, 1665d8a7b7a3SRobert Watson struct componentname *cnp) 1666d8a7b7a3SRobert Watson { 1667d8a7b7a3SRobert Watson 1668eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1669250ee706SRobert Watson ASSERT_VNODE_LABEL(dlabel); 1670250ee706SRobert Watson 1671250ee706SRobert Watson if (vp != NULL) { 1672250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1673250ee706SRobert Watson } 1674250ee706SRobert Watson 1675d8a7b7a3SRobert Watson return (0); 1676d8a7b7a3SRobert Watson } 1677d8a7b7a3SRobert Watson 1678d8a7b7a3SRobert Watson static int 1679d8a7b7a3SRobert Watson mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp, 1680d8a7b7a3SRobert Watson struct label *label) 1681d8a7b7a3SRobert Watson { 1682d8a7b7a3SRobert Watson 1683eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1684250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1685250ee706SRobert Watson 1686d8a7b7a3SRobert Watson return (0); 1687d8a7b7a3SRobert Watson } 1688d8a7b7a3SRobert Watson 1689d8a7b7a3SRobert Watson static int 1690d8a7b7a3SRobert Watson mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp, 1691d8a7b7a3SRobert Watson struct label *label, acl_type_t type, struct acl *acl) 1692d8a7b7a3SRobert Watson { 1693d8a7b7a3SRobert Watson 1694eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1695250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1696250ee706SRobert Watson 1697d8a7b7a3SRobert Watson return (0); 1698d8a7b7a3SRobert Watson } 1699d8a7b7a3SRobert Watson 1700d8a7b7a3SRobert Watson static int 1701d8a7b7a3SRobert Watson mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, 1702d8a7b7a3SRobert Watson struct label *label, int attrnamespace, const char *name, struct uio *uio) 1703d8a7b7a3SRobert Watson { 1704d8a7b7a3SRobert Watson 1705eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1706250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1707250ee706SRobert Watson 1708d8a7b7a3SRobert Watson return (0); 
1709d8a7b7a3SRobert Watson } 1710d8a7b7a3SRobert Watson 1711d8a7b7a3SRobert Watson static int 1712d8a7b7a3SRobert Watson mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp, 1713d8a7b7a3SRobert Watson struct label *label, u_long flags) 1714d8a7b7a3SRobert Watson { 1715d8a7b7a3SRobert Watson 1716eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1717250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1718250ee706SRobert Watson 1719d8a7b7a3SRobert Watson return (0); 1720d8a7b7a3SRobert Watson } 1721d8a7b7a3SRobert Watson 1722d8a7b7a3SRobert Watson static int 1723d8a7b7a3SRobert Watson mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp, 1724d8a7b7a3SRobert Watson struct label *label, mode_t mode) 1725d8a7b7a3SRobert Watson { 1726d8a7b7a3SRobert Watson 1727eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1728250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1729250ee706SRobert Watson 1730d8a7b7a3SRobert Watson return (0); 1731d8a7b7a3SRobert Watson } 1732d8a7b7a3SRobert Watson 1733d8a7b7a3SRobert Watson static int 1734d8a7b7a3SRobert Watson mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp, 1735d8a7b7a3SRobert Watson struct label *label, uid_t uid, gid_t gid) 1736d8a7b7a3SRobert Watson { 1737d8a7b7a3SRobert Watson 1738eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1739250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1740250ee706SRobert Watson 1741d8a7b7a3SRobert Watson return (0); 1742d8a7b7a3SRobert Watson } 1743d8a7b7a3SRobert Watson 1744d8a7b7a3SRobert Watson static int 1745d8a7b7a3SRobert Watson mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 1746d8a7b7a3SRobert Watson struct label *label, struct timespec atime, struct timespec mtime) 1747d8a7b7a3SRobert Watson { 1748d8a7b7a3SRobert Watson 1749eca8a663SRobert Watson ASSERT_CRED_LABEL(cred->cr_label); 1750250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1751250ee706SRobert Watson 1752d8a7b7a3SRobert Watson return (0); 
1753d8a7b7a3SRobert Watson } 1754d8a7b7a3SRobert Watson 1755d8a7b7a3SRobert Watson static int 1756177142e4SRobert Watson mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, 1757177142e4SRobert Watson struct vnode *vp, struct label *label) 1758d8a7b7a3SRobert Watson { 1759d8a7b7a3SRobert Watson 1760eca8a663SRobert Watson ASSERT_CRED_LABEL(active_cred->cr_label); 1761250ee706SRobert Watson if (file_cred != NULL) { 1762eca8a663SRobert Watson ASSERT_CRED_LABEL(file_cred->cr_label); 1763250ee706SRobert Watson } 1764250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1765250ee706SRobert Watson 1766d8a7b7a3SRobert Watson return (0); 1767d8a7b7a3SRobert Watson } 1768d8a7b7a3SRobert Watson 17697f724f8bSRobert Watson static int 1770177142e4SRobert Watson mac_test_check_vnode_write(struct ucred *active_cred, 1771177142e4SRobert Watson struct ucred *file_cred, struct vnode *vp, struct label *label) 17727f724f8bSRobert Watson { 17737f724f8bSRobert Watson 1774eca8a663SRobert Watson ASSERT_CRED_LABEL(active_cred->cr_label); 1775250ee706SRobert Watson if (file_cred != NULL) { 1776eca8a663SRobert Watson ASSERT_CRED_LABEL(file_cred->cr_label); 1777250ee706SRobert Watson } 1778250ee706SRobert Watson ASSERT_VNODE_LABEL(label); 1779250ee706SRobert Watson 17807f724f8bSRobert Watson return (0); 17817f724f8bSRobert Watson } 17827f724f8bSRobert Watson 17835c8dd342SRobert Watson static struct mac_policy_ops mac_test_ops = 1784d8a7b7a3SRobert Watson { 17855c8dd342SRobert Watson .mpo_destroy = mac_test_destroy, 17865c8dd342SRobert Watson .mpo_init = mac_test_init, 17875c8dd342SRobert Watson .mpo_syscall = mac_test_syscall, 17885c8dd342SRobert Watson .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label, 17895c8dd342SRobert Watson .mpo_init_cred_label = mac_test_init_cred_label, 17905c8dd342SRobert Watson .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label, 17915c8dd342SRobert Watson .mpo_init_ifnet_label = mac_test_init_ifnet_label, 17925c8dd342SRobert Watson 
.mpo_init_ipq_label = mac_test_init_ipq_label, 17935c8dd342SRobert Watson .mpo_init_mbuf_label = mac_test_init_mbuf_label, 17945c8dd342SRobert Watson .mpo_init_mount_label = mac_test_init_mount_label, 17955c8dd342SRobert Watson .mpo_init_mount_fs_label = mac_test_init_mount_fs_label, 17965c8dd342SRobert Watson .mpo_init_pipe_label = mac_test_init_pipe_label, 1797ca26e8baSRobert Watson .mpo_init_proc_label = mac_test_init_proc_label, 17985c8dd342SRobert Watson .mpo_init_socket_label = mac_test_init_socket_label, 17995c8dd342SRobert Watson .mpo_init_socket_peer_label = mac_test_init_socket_peer_label, 18005c8dd342SRobert Watson .mpo_init_vnode_label = mac_test_init_vnode_label, 18015c8dd342SRobert Watson .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label, 18025c8dd342SRobert Watson .mpo_destroy_cred_label = mac_test_destroy_cred_label, 18035c8dd342SRobert Watson .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label, 18045c8dd342SRobert Watson .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label, 18055c8dd342SRobert Watson .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 18065c8dd342SRobert Watson .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 18075c8dd342SRobert Watson .mpo_destroy_mount_label = mac_test_destroy_mount_label, 18085c8dd342SRobert Watson .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label, 18095c8dd342SRobert Watson .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, 1810ca26e8baSRobert Watson .mpo_destroy_proc_label = mac_test_destroy_proc_label, 18115c8dd342SRobert Watson .mpo_destroy_socket_label = mac_test_destroy_socket_label, 18125c8dd342SRobert Watson .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 18135c8dd342SRobert Watson .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 18140196273bSRobert Watson .mpo_copy_mbuf_label = mac_test_copy_mbuf_label, 18150196273bSRobert Watson .mpo_copy_pipe_label = mac_test_copy_pipe_label, 1816b0323ea3SRobert Watson 
.mpo_copy_socket_label = mac_test_copy_socket_label, 18170196273bSRobert Watson .mpo_copy_vnode_label = mac_test_copy_vnode_label, 18185c8dd342SRobert Watson .mpo_externalize_cred_label = mac_test_externalize_label, 18195c8dd342SRobert Watson .mpo_externalize_ifnet_label = mac_test_externalize_label, 18205c8dd342SRobert Watson .mpo_externalize_pipe_label = mac_test_externalize_label, 18215c8dd342SRobert Watson .mpo_externalize_socket_label = mac_test_externalize_label, 18225c8dd342SRobert Watson .mpo_externalize_socket_peer_label = mac_test_externalize_label, 18235c8dd342SRobert Watson .mpo_externalize_vnode_label = mac_test_externalize_label, 18245c8dd342SRobert Watson .mpo_internalize_cred_label = mac_test_internalize_label, 18255c8dd342SRobert Watson .mpo_internalize_ifnet_label = mac_test_internalize_label, 18265c8dd342SRobert Watson .mpo_internalize_pipe_label = mac_test_internalize_label, 18275c8dd342SRobert Watson .mpo_internalize_socket_label = mac_test_internalize_label, 18285c8dd342SRobert Watson .mpo_internalize_vnode_label = mac_test_internalize_label, 18295c8dd342SRobert Watson .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 18305c8dd342SRobert Watson .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 18315c8dd342SRobert Watson .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 18325c8dd342SRobert Watson .mpo_create_devfs_device = mac_test_create_devfs_device, 18335c8dd342SRobert Watson .mpo_create_devfs_directory = mac_test_create_devfs_directory, 18345c8dd342SRobert Watson .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 18355c8dd342SRobert Watson .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 18365c8dd342SRobert Watson .mpo_create_mount = mac_test_create_mount, 18375c8dd342SRobert Watson .mpo_create_root_mount = mac_test_create_root_mount, 18385c8dd342SRobert Watson .mpo_relabel_vnode = mac_test_relabel_vnode, 18395c8dd342SRobert Watson .mpo_setlabel_vnode_extattr = 
mac_test_setlabel_vnode_extattr, 18405c8dd342SRobert Watson .mpo_update_devfsdirent = mac_test_update_devfsdirent, 18415c8dd342SRobert Watson .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 18425c8dd342SRobert Watson .mpo_create_pipe = mac_test_create_pipe, 18435c8dd342SRobert Watson .mpo_create_socket = mac_test_create_socket, 18445c8dd342SRobert Watson .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, 18455c8dd342SRobert Watson .mpo_relabel_pipe = mac_test_relabel_pipe, 18465c8dd342SRobert Watson .mpo_relabel_socket = mac_test_relabel_socket, 18475c8dd342SRobert Watson .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 18485c8dd342SRobert Watson .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 18495c8dd342SRobert Watson .mpo_create_bpfdesc = mac_test_create_bpfdesc, 18505c8dd342SRobert Watson .mpo_create_ifnet = mac_test_create_ifnet, 18515c8dd342SRobert Watson .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 18525c8dd342SRobert Watson .mpo_create_fragment = mac_test_create_fragment, 18535c8dd342SRobert Watson .mpo_create_ipq = mac_test_create_ipq, 18545c8dd342SRobert Watson .mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf, 18555c8dd342SRobert Watson .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 18565c8dd342SRobert Watson .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 18575c8dd342SRobert Watson .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 18585c8dd342SRobert Watson .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 18595c8dd342SRobert Watson .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 18605c8dd342SRobert Watson .mpo_fragment_match = mac_test_fragment_match, 1861250ee706SRobert Watson .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp, 18622b6e8310SRobert Watson .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp, 18635c8dd342SRobert Watson .mpo_relabel_ifnet = 
mac_test_relabel_ifnet, 18645c8dd342SRobert Watson .mpo_update_ipq = mac_test_update_ipq, 18655c8dd342SRobert Watson .mpo_create_cred = mac_test_create_cred, 18665c8dd342SRobert Watson .mpo_execve_transition = mac_test_execve_transition, 18675c8dd342SRobert Watson .mpo_execve_will_transition = mac_test_execve_will_transition, 18685c8dd342SRobert Watson .mpo_create_proc0 = mac_test_create_proc0, 18695c8dd342SRobert Watson .mpo_create_proc1 = mac_test_create_proc1, 18705c8dd342SRobert Watson .mpo_relabel_cred = mac_test_relabel_cred, 1871ca26e8baSRobert Watson .mpo_thread_userret = mac_test_thread_userret, 18725c8dd342SRobert Watson .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 18735c8dd342SRobert Watson .mpo_check_cred_relabel = mac_test_check_cred_relabel, 18745c8dd342SRobert Watson .mpo_check_cred_visible = mac_test_check_cred_visible, 18755c8dd342SRobert Watson .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 18765c8dd342SRobert Watson .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, 1877ca26e8baSRobert Watson .mpo_check_kenv_dump = mac_test_check_kenv_dump, 1878ca26e8baSRobert Watson .mpo_check_kenv_get = mac_test_check_kenv_get, 1879ca26e8baSRobert Watson .mpo_check_kenv_set = mac_test_check_kenv_set, 1880ca26e8baSRobert Watson .mpo_check_kenv_unset = mac_test_check_kenv_unset, 1881ca26e8baSRobert Watson .mpo_check_kld_load = mac_test_check_kld_load, 1882ca26e8baSRobert Watson .mpo_check_kld_stat = mac_test_check_kld_stat, 1883ca26e8baSRobert Watson .mpo_check_kld_unload = mac_test_check_kld_unload, 18845c8dd342SRobert Watson .mpo_check_mount_stat = mac_test_check_mount_stat, 18855c8dd342SRobert Watson .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 18865c8dd342SRobert Watson .mpo_check_pipe_poll = mac_test_check_pipe_poll, 18875c8dd342SRobert Watson .mpo_check_pipe_read = mac_test_check_pipe_read, 18885c8dd342SRobert Watson .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, 18895c8dd342SRobert Watson .mpo_check_pipe_stat 
= mac_test_check_pipe_stat, 18905c8dd342SRobert Watson .mpo_check_pipe_write = mac_test_check_pipe_write, 18915c8dd342SRobert Watson .mpo_check_proc_debug = mac_test_check_proc_debug, 18925c8dd342SRobert Watson .mpo_check_proc_sched = mac_test_check_proc_sched, 18935c8dd342SRobert Watson .mpo_check_proc_signal = mac_test_check_proc_signal, 18945c8dd342SRobert Watson .mpo_check_socket_bind = mac_test_check_socket_bind, 18955c8dd342SRobert Watson .mpo_check_socket_connect = mac_test_check_socket_connect, 18965c8dd342SRobert Watson .mpo_check_socket_deliver = mac_test_check_socket_deliver, 18975c8dd342SRobert Watson .mpo_check_socket_listen = mac_test_check_socket_listen, 18985c8dd342SRobert Watson .mpo_check_socket_relabel = mac_test_check_socket_relabel, 18995c8dd342SRobert Watson .mpo_check_socket_visible = mac_test_check_socket_visible, 1900ca26e8baSRobert Watson .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, 1901ca26e8baSRobert Watson .mpo_check_system_acct = mac_test_check_system_acct, 1902ca26e8baSRobert Watson .mpo_check_system_reboot = mac_test_check_system_reboot, 1903ca26e8baSRobert Watson .mpo_check_system_settime = mac_test_check_system_settime, 1904ca26e8baSRobert Watson .mpo_check_system_swapon = mac_test_check_system_swapon, 1905ca26e8baSRobert Watson .mpo_check_system_swapoff = mac_test_check_system_swapoff, 1906ca26e8baSRobert Watson .mpo_check_system_sysctl = mac_test_check_system_sysctl, 19075c8dd342SRobert Watson .mpo_check_vnode_access = mac_test_check_vnode_access, 19085c8dd342SRobert Watson .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 19095c8dd342SRobert Watson .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 19105c8dd342SRobert Watson .mpo_check_vnode_create = mac_test_check_vnode_create, 19115c8dd342SRobert Watson .mpo_check_vnode_delete = mac_test_check_vnode_delete, 19125c8dd342SRobert Watson .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 1913250ee706SRobert Watson .mpo_check_vnode_deleteextattr = 
mac_test_check_vnode_deleteextattr, 19145c8dd342SRobert Watson .mpo_check_vnode_exec = mac_test_check_vnode_exec, 19155c8dd342SRobert Watson .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 19165c8dd342SRobert Watson .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 19175c8dd342SRobert Watson .mpo_check_vnode_link = mac_test_check_vnode_link, 1918250ee706SRobert Watson .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr, 19195c8dd342SRobert Watson .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 19205c8dd342SRobert Watson .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 19215c8dd342SRobert Watson .mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect, 19225c8dd342SRobert Watson .mpo_check_vnode_open = mac_test_check_vnode_open, 19235c8dd342SRobert Watson .mpo_check_vnode_poll = mac_test_check_vnode_poll, 19245c8dd342SRobert Watson .mpo_check_vnode_read = mac_test_check_vnode_read, 19255c8dd342SRobert Watson .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 19265c8dd342SRobert Watson .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, 19275c8dd342SRobert Watson .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 19285c8dd342SRobert Watson .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 19295c8dd342SRobert Watson .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, 19305c8dd342SRobert Watson .mpo_check_vnode_revoke = mac_test_check_vnode_revoke, 19315c8dd342SRobert Watson .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, 19325c8dd342SRobert Watson .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, 19335c8dd342SRobert Watson .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, 19345c8dd342SRobert Watson .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, 19355c8dd342SRobert Watson .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, 19365c8dd342SRobert Watson .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, 19375c8dd342SRobert Watson 
.mpo_check_vnode_stat = mac_test_check_vnode_stat, 19385c8dd342SRobert Watson .mpo_check_vnode_write = mac_test_check_vnode_write, 1939d8a7b7a3SRobert Watson }; 1940d8a7b7a3SRobert Watson 194178183ac2SRobert Watson
/*
 * Policy registration: passes the mac_test_ops entry-point table to the MAC
 * framework under the short name mac_test and the descriptive name
 * "TrustedBSD MAC/Test".
 *
 * MPC_LOADTIME_FLAG_UNLOADOK declares that the policy may be unloaded at run
 * time.  NOTE(review): a policy that enforces access control would normally
 * omit this flag so that unloading the module cannot remove its checks.
 * MPC_LOADTIME_FLAG_LABELMBUFS requests mbuf labels for this policy.
 *
 * &test_slot is where the framework stores the label slot assigned to this
 * policy; test_slot is declared outside this excerpt -- confirm its use there.
 */
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test", 19429a1b0237SRobert Watson MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot); 1943