1 /*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001-2004 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by Network 9 * Associates Laboratories, the Security Research Division of Network 10 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 11 * as part of the DARPA CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $FreeBSD$ 35 */ 36 37 /* 38 * Developed by the TrustedBSD Project. 39 * Generic mandatory access module that does nothing. 
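 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/kdb.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * Exported as security.mac.test.enabled.  NOTE(review): none of the entry
 * points visible in this file consult this variable, so the knob currently
 * has no effect: every check below returns 0 (permit) unconditionally and
 * the policy only validates label integrity.
 */
static int mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");

/*
 * One magic value per labelled object type.  The init hook for a type
 * stores its magic in this policy's label slot; the assertion macros and
 * the destroy hooks then verify the slot still carries the expected value.
 * EXMAGIC is written by the destroy hooks so that a second destroy, or an
 * externalize/internalize of an already-destroyed label, is detectable.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	INPCBMAGIC	0x4440f7bb
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	PIPEMAGIC	0xdc6c9919
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
#define	EXMAGIC		0x849ba1fd

/* This policy's slot in a struct label, accessed as a long. */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long

/*
 * Label integrity checks.  A slot value of 0 is accepted alongside the
 * type's magic: a label may pre-date this policy (e.g. when the module is
 * loaded dynamically) and then never went through our init hook.  Mbuf
 * labels may additionally be NULL, since mbufs in flight at load time may
 * have no label storage at all.
 *
 * These are KASSERTs, so in a kernel built without INVARIANTS they compile
 * to a no-op and the label validation is effectively disabled.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad BPF label", __func__))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__))
#define	ASSERT_IFNET_LABEL(x)	KASSERT(SLOT(x) == IFNETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IFNET label", __func__))
#define	ASSERT_INPCB_LABEL(x)	KASSERT(SLOT(x) == INPCBMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad INPCB label", __func__))
#define	ASSERT_IPQ_LABEL(x)	KASSERT(SLOT(x) == IPQMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad IPQ label", __func__))
/* Macro argument parenthesized so an expression argument is safe. */
#define	ASSERT_MBUF_LABEL(x)	KASSERT((x) == NULL ||			\
	SLOT(x) == MBUFMAGIC || SLOT(x) == 0,				\
	("%s: Bad MBUF label", __func__))
#define	ASSERT_MOUNT_LABEL(x)	KASSERT(SLOT(x) == MOUNTMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad MOUNT label", __func__))
#define	ASSERT_SOCKET_LABEL(x)	KASSERT(SLOT(x) == SOCKETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad SOCKET label", __func__))
#define	ASSERT_PIPE_LABEL(x)	KASSERT(SLOT(x) == PIPEMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PIPE label", __func__))
#define	ASSERT_PROC_LABEL(x)	KASSERT(SLOT(x) == PROCMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PROC label", __func__))
#define	ASSERT_CRED_LABEL(x)	KASSERT(SLOT(x) == CREDMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad CRED label", __func__))
#define	ASSERT_VNODE_LABEL(x)	KASSERT(SLOT(x) == VNODEMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad VNODE label", __func__))

/* Slot index handed to this policy by the MAC framework. */
static int test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");

/*
 * Read-only counters of init/destroy hook invocations, exported under
 * security.mac.test so a test harness can compare inits against destroys.
 * They are bumped with atomic_add_int because the hooks may run
 * concurrently; the sysctl reads are plain loads and may be momentarily
 * stale.
 */
static int init_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
    &init_count_bpfdesc, 0, "bpfdesc init calls");
static int init_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
    &init_count_cred, 0, "cred init calls");
static int init_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
    &init_count_devfsdirent, 0, "devfsdirent init calls");
static int init_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
    &init_count_ifnet, 0, "ifnet init calls");
static int init_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
    &init_count_inpcb, 0, "inpcb init calls");
static int init_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
    &init_count_ipq, 0, "ipq init calls");
static int init_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
    &init_count_mbuf, 0, "mbuf init calls");
static int init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
    &init_count_mount, 0, "mount init calls");
static int init_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
    &init_count_mount_fslabel, 0, "mount_fslabel init calls");
static int init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
    &init_count_socket, 0, "socket init calls");
static int init_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
    CTLFLAG_RD, &init_count_socket_peerlabel, 0,
    "socket_peerlabel init calls");
static int init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
    &init_count_pipe, 0, "pipe init calls");
static int init_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
    &init_count_proc, 0, "proc init calls");
static int init_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
    &init_count_vnode, 0, "vnode init calls");

static int destroy_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
    &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
static int destroy_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
    &destroy_count_cred, 0, "cred destroy calls");
static int destroy_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
    &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
static int destroy_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
    &destroy_count_ifnet, 0, "ifnet destroy calls");
static int destroy_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
    &destroy_count_inpcb, 0, "inpcb destroy calls");
static int destroy_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
    &destroy_count_ipq, 0, "ipq destroy calls");
static int destroy_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
    &destroy_count_mbuf, 0, "mbuf destroy calls");
static int destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
    &destroy_count_mount, 0, "mount destroy calls");
static int destroy_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
    CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
    "mount_fslabel destroy calls");
static int destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
    &destroy_count_socket, 0, "socket destroy calls");
static int destroy_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
    CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
    "socket_peerlabel destroy calls");
static int destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
    &destroy_count_pipe, 0, "pipe destroy calls");
static int destroy_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
    &destroy_count_proc, 0, "proc destroy calls");
static int destroy_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
    &destroy_count_vnode, 0, "vnode destroy calls");

static int externalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
static int internalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");

/*
 * Report a label-lifecycle violation: drop into the kernel debugger when
 * one is configured, otherwise just log the message.  Either way the
 * offending operation is not blocked.
 */
#ifdef KDB
#define	DEBUGGER(x)	kdb_enter((x))
#else
#define	DEBUGGER(x)	printf("mac_test: %s\n", (x))
#endif

/*
 * Policy module operations.  This policy keeps no module-level state, so
 * init/destroy have nothing to do and the policy syscall is a no-op.
 */
static void
mac_test_destroy(struct mac_policy_conf *conf)
{

}

static void
mac_test_init(struct mac_policy_conf *conf)
{

}

static int
mac_test_syscall(struct thread *td, int call, void *arg)
{

	return (0);
}

/*
 * Label operations.  Each init hook stamps the slot with the type's magic
 * and bumps the matching counter.  The hooks that take a flag argument may
 * be called from contexts that must not sleep; when the caller says it may
 * wait (M_WAITOK), WITNESS_WARN checks that sleeping is actually permitted
 * here so mis-flagged callers are caught in WITNESS kernels.
 */
static void
mac_test_init_bpfdesc_label(struct label *label)
{

	SLOT(label) = BPFMAGIC;
	atomic_add_int(&init_count_bpfdesc, 1);
}

static void
mac_test_init_cred_label(struct label *label)
{

	SLOT(label) = CREDMAGIC;
	atomic_add_int(&init_count_cred, 1);
}

static void
mac_test_init_devfsdirent_label(struct label *label)
{

	SLOT(label) = DEVFSMAGIC;
	atomic_add_int(&init_count_devfsdirent, 1);
}

static void
mac_test_init_ifnet_label(struct label *label)
{

	SLOT(label) = IFNETMAGIC;
	atomic_add_int(&init_count_ifnet, 1);
}

/* Returns 0 always; the int return exists so a policy could fail allocation. */
static int
mac_test_init_inpcb_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_inpcb_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = INPCBMAGIC;
	atomic_add_int(&init_count_inpcb, 1);
	return (0);
}

static int
mac_test_init_ipq_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = IPQMAGIC;
	atomic_add_int(&init_count_ipq, 1);
	return (0);
}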
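
static int
mac_test_init_mbuf_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = MBUFMAGIC;
	atomic_add_int(&init_count_mbuf, 1);
	return (0);
}

static void
mac_test_init_mount_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount, 1);
}

/* The mount's fs label shares MOUNTMAGIC with the mount label itself. */
static void
mac_test_init_mount_fs_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount_fslabel, 1);
}

static int
mac_test_init_socket_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket, 1);
	return (0);
}

/* Peer labels use SOCKETMAGIC too, so ASSERT_SOCKET_LABEL covers both. */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket_peerlabel, 1);
	return (0);
}

static void
mac_test_init_pipe_label(struct label *label)
{

	SLOT(label) = PIPEMAGIC;
	atomic_add_int(&init_count_pipe, 1);
}

static void
mac_test_init_proc_label(struct label *label)
{

	SLOT(label) = PROCMAGIC;
	atomic_add_int(&init_count_proc, 1);
}

static void
mac_test_init_vnode_label(struct label *label)
{

	SLOT(label) = VNODEMAGIC;
	atomic_add_int(&init_count_vnode, 1);
}

/*
 * Destroy hooks.  A label carrying its type's magic (or 0, never stamped
 * by us) is counted and overwritten with EXMAGIC.  Seeing EXMAGIC again
 * means the framework destroyed the label twice; anything else means the
 * slot was overwritten.  Both are reported through DEBUGGER but not
 * otherwise acted upon.
 */
static void
mac_test_destroy_bpfdesc_label(struct label *label)
{

	if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_bpfdesc, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_bpfdesc: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_bpfdesc: corrupted label");
	}
}

static void
mac_test_destroy_cred_label(struct label *label)
{

	if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_cred, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_cred: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_cred: corrupted label");
	}
}

static void
mac_test_destroy_devfsdirent_label(struct label *label)
{

	if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_devfsdirent, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_devfsdirent: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_devfsdirent: corrupted label");
	}
}

static void
mac_test_destroy_ifnet_label(struct label *label)
{

	if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_ifnet, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_ifnet: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_ifnet: corrupted label");
	}
}

static void
mac_test_destroy_inpcb_label(struct label *label)
{

	if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_inpcb, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_inpcb: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_inpcb: corrupted label");
	}
}

static void
mac_test_destroy_ipq_label(struct label *label)
{

	if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_ipq, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_ipq: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_ipq: corrupted label");
	}
}

static void
mac_test_destroy_mbuf_label(struct label *label)
{

	/*
	 * If we're loaded dynamically, there may be mbufs in flight that
	 * didn't have label storage allocated for them.  Handle this
	 * gracefully.
	 */
	if (label == NULL)
		return;

	if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mbuf, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mbuf: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_mbuf: corrupted label");
	}
}

static void
mac_test_destroy_mount_label(struct label *label)
{

	if (SLOT(label) == MOUNTMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mount, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mount: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_mount: corrupted label");
	}
}

static void
mac_test_destroy_mount_fs_label(struct label *label)
{

	if (SLOT(label) == MOUNTMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mount_fslabel, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label");
	}
}

static void
mac_test_destroy_socket_label(struct label *label)
{

	if (SLOT(label) == SOCKETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_socket, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_socket: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_socket: corrupted label");
	}
}

static void
mac_test_destroy_socket_peer_label(struct label *label)
{

	if (SLOT(label) == SOCKETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_socket_peerlabel, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label");
	}
}

static void
mac_test_destroy_pipe_label(struct label *label)
{

	if (SLOT(label) == PIPEMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_pipe, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_pipe: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_pipe: corrupted label");
	}
}

static void
mac_test_destroy_proc_label(struct label *label)
{

	if (SLOT(label) == PROCMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_proc, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_proc: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_proc: corrupted label");
	}
}

static void
mac_test_destroy_vnode_label(struct label *label)
{

	if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_vnode, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_vnode: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_vnode: corrupted label");
	}
}

/*
 * Copy hooks.  This policy stores nothing worth copying, so each hook only
 * verifies that both labels are of the expected type.
 */
static void
mac_test_copy_cred_label(struct label *src, struct label *dest)
{

	ASSERT_CRED_LABEL(src);
	ASSERT_CRED_LABEL(dest);
}

static void
mac_test_copy_ifnet_label(struct label *src, struct label *dest)
{

	ASSERT_IFNET_LABEL(src);
	ASSERT_IFNET_LABEL(dest);
}

static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{

	ASSERT_MBUF_LABEL(src);
	ASSERT_MBUF_LABEL(dest);
}

static void
mac_test_copy_pipe_label(struct label *src, struct label *dest)
{

	ASSERT_PIPE_LABEL(src);
	ASSERT_PIPE_LABEL(dest);
}

static void
mac_test_copy_socket_label(struct label *src, struct label *dest)
{

	ASSERT_SOCKET_LABEL(src);
	ASSERT_SOCKET_LABEL(dest);
}

static void
mac_test_copy_vnode_label(struct label *src, struct label *dest)
{

	ASSERT_VNODE_LABEL(src);
	ASSERT_VNODE_LABEL(dest);
}

/*
 * Externalize/internalize.  The policy never claims an element (claimed is
 * left untouched and 0 is returned), so userland never sees the magic; the
 * hooks only count the call and catch use of an already-destroyed label.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{

	atomic_add_int(&externalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_externalize_label: destroyed label"));

	return (0);
}

static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{

	atomic_add_int(&internalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_internalize_label: destroyed label"));

	return (0);
}

/*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.  Every hook below only validates the
 * label types it is handed; none derives or stores a label.
 */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_DEVFS_LABEL(delabel);
	ASSERT_VNODE_LABEL(vlabel);
}

static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
	return (0);
}

static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
}

static void
mac_test_create_devfs_device(struct mount *mp, struct cdev *dev,
    struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_DEVFS_LABEL(ddlabel);
	ASSERT_DEVFS_LABEL(delabel);
}

/*
 * Checks the new vnode's label (vlabel) as well as the directory's, so a
 * mis-typed label on either side is caught, matching the other vnode hooks.
 */
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(vlabel);

	return (0);
}

static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

static void
mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(label);
}

static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vlabel);
	ASSERT_VNODE_LABEL(intlabel);
	return (0);
}

static void
mac_test_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{

	ASSERT_DEVFS_LABEL(direntlabel);
	ASSERT_VNODE_LABEL(vnodelabel);
}

/*
 * Labeling event operations: IPC object.
 */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
}

static void
mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
}

static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketlabel);
}

/* Validates both the socket's current label and the incoming one, as
 * mac_test_relabel_pipe does for pipes. */
static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);
}

static void
mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
}

static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{

	ASSERT_MBUF_LABEL(mbuflabel);
	ASSERT_SOCKET_LABEL(socketpeerlabel);
}

/*
 * Labeling event operations: network objects.
 */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}

static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}

static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}

static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}

static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
}

static void
mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/*
 * Returns 1 ("matches") unconditionally: this policy never prevents a
 * fragment from joining a reassembly queue.
 */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);

	return (1);
}

static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
}

static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

static void
mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/*
 * Labeling event operations: processes.
 *
 * interpvnodelabel and execlabel are optional and may be NULL, hence the
 * guarded asserts.  The braces are deliberate: the ASSERT macros may expand
 * to a no-op in kernels without INVARIANTS, which would otherwise leave an
 * empty if-body.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}

/* Returns 0: this policy never requests a credential transition on exec. */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

static void
mac_test_create_proc0(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

static void
mac_test_create_proc1(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}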
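/* Labeling event: a credential is being relabeled.  Validates both slots. */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}

/*
 * Called on every return of a thread to user mode.  It reports the pid of
 * the thread handed in rather than re-deriving it from curthread, so the
 * output matches the argument the framework passed.
 *
 * NOTE(review): this prints once per trap/syscall return for every
 * process on the system; on a busy machine that floods the console and
 * the message buffer.  Keep this module loaded only on test systems.
 */
static void
mac_test_thread_userret(struct thread *td)
{

	printf("mac_test_thread_userret(process = %d)\n",
	    td->td_proc->p_pid);
}

/*
 * Access control checks.
 *
 * Every check below validates the label slots it is handed with the
 * ASSERT_*_LABEL() macros (KASSERT that the slot is this policy's magic
 * or 0) and then returns 0, i.e. it never denies the operation.  This
 * policy is therefore a label-integrity debugging aid, not an enforcement
 * policy.  Pointers that the framework may legitimately pass as NULL are
 * guarded before being asserted; unguarded pointers are documented by the
 * MAC framework as always non-NULL for that entry point.
 */

/* May a BPF descriptor receive packets from the interface? */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}

/* May the credential be relabeled to newlabel? */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}

/* May subject u1 see (e.g. in ps) the subject running under u2? */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);

	return (0);
}

/* May cred relabel the interface to newlabel? */
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
	return (0);
}

/* May the mbuf be transmitted on the interface? */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* May the mbuf be delivered to the inpcb? */
static int
mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);

	return (0);
}

/* Kernel environment (kenv(2)) checks: subject credential only. */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel module (kldload/kldstat/kldunload) checks. */
static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_kld_stat(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kld_unload(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* May cred see the mount point's statistics (statfs)? */
static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);

	return (0);
}

/* Pipe checks: subject credential and pipe label. */
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

static int
mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);

	return (0);
}

static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

static int
mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/*
 * Process checks: the target's label is reached through proc->p_ucred,
 * which these entry points rely on being non-NULL.
 */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Socket checks: subject credential (where present) and socket label. */
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}

/* May cred request I/O port access via sysarch()? */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * May cred enable/disable process accounting on vp?
 *
 * Unlike the swapon/swapoff checks, the accounting vnode label was
 * previously never validated.  It is asserted here when present; it is
 * guarded because acct(2) looks like it can be invoked with no file (to
 * turn accounting off), in which case vp and label would be NULL --
 * confirm against the caller.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	if (label != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_system_settime(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
    void *arg1, int arg2, struct sysctl_req *req)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Vnode checks: subject credential plus the label of every vnode handed
 * in.  Directory labels are named dlabel, the object's own label is
 * label/filelabel/vnodelabel following the framework's parameter names.
 */
static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* execlabel is NULL when the caller supplied no explicit exec label. */
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	return (0);
}

/*
 * The poll, read, stat and write checks take two credentials: the active
 * (calling) one and the one cached on the open file.  file_cred is NULL
 * when there is no file descriptor involved; the read/stat/write checks
 * already guard it, and poll now does the same instead of dereferencing
 * a possibly-NULL pointer.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);

	return (0);
}

static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);

	return (0);
}

static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Rename destination: vp (and hence label) is NULL when the target name
 * does not exist yet, so the target label is only asserted when present.
 */
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	if (vp != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Policy operations vector handed to the MAC framework.  Entry points not
 * listed here are left NULL and the framework skips them for this policy.
 * Several externalize/internalize slots share one generic handler.
 */
static struct mac_policy_ops mac_test_ops =
{
	.mpo_destroy = mac_test_destroy,
	.mpo_init = mac_test_init,
	.mpo_syscall = mac_test_syscall,
	.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
	.mpo_init_cred_label = mac_test_init_cred_label,
	.mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
	.mpo_init_ifnet_label = mac_test_init_ifnet_label,
	.mpo_init_inpcb_label = mac_test_init_inpcb_label,
	.mpo_init_ipq_label = mac_test_init_ipq_label,
	.mpo_init_mbuf_label = mac_test_init_mbuf_label,
	.mpo_init_mount_label = mac_test_init_mount_label,
	.mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
	.mpo_init_pipe_label = mac_test_init_pipe_label,
	.mpo_init_proc_label = mac_test_init_proc_label,
	.mpo_init_socket_label = mac_test_init_socket_label,
	.mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
	.mpo_init_vnode_label = mac_test_init_vnode_label,
	.mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
	.mpo_destroy_cred_label = mac_test_destroy_cred_label,
	.mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
	.mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
	.mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
	.mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
	.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
	.mpo_destroy_mount_label = mac_test_destroy_mount_label,
	.mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
	.mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
	.mpo_destroy_proc_label = mac_test_destroy_proc_label,
	.mpo_destroy_socket_label = mac_test_destroy_socket_label,
	.mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
	.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
	.mpo_copy_cred_label = mac_test_copy_cred_label,
	.mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
	.mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
	.mpo_copy_pipe_label = mac_test_copy_pipe_label,
	.mpo_copy_socket_label = mac_test_copy_socket_label,
	.mpo_copy_vnode_label = mac_test_copy_vnode_label,
	.mpo_externalize_cred_label = mac_test_externalize_label,
	.mpo_externalize_ifnet_label = mac_test_externalize_label,
	.mpo_externalize_pipe_label = mac_test_externalize_label,
	.mpo_externalize_socket_label = mac_test_externalize_label,
	.mpo_externalize_socket_peer_label = mac_test_externalize_label,
	.mpo_externalize_vnode_label = mac_test_externalize_label,
	.mpo_internalize_cred_label = mac_test_internalize_label,
	.mpo_internalize_ifnet_label = mac_test_internalize_label,
	.mpo_internalize_pipe_label = mac_test_internalize_label,
	.mpo_internalize_socket_label = mac_test_internalize_label,
	.mpo_internalize_vnode_label = mac_test_internalize_label,
	.mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
	.mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
	.mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
	.mpo_create_devfs_device = mac_test_create_devfs_device,
	.mpo_create_devfs_directory = mac_test_create_devfs_directory,
	.mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
	.mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
	.mpo_create_mount = mac_test_create_mount,
	.mpo_create_root_mount = mac_test_create_root_mount,
	.mpo_relabel_vnode = mac_test_relabel_vnode,
	.mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
	.mpo_update_devfsdirent = mac_test_update_devfsdirent,
	.mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
	.mpo_create_pipe = mac_test_create_pipe,
	.mpo_create_socket = mac_test_create_socket,
	.mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
	.mpo_relabel_pipe = mac_test_relabel_pipe,
	.mpo_relabel_socket = mac_test_relabel_socket,
	.mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
	.mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
	.mpo_create_bpfdesc = mac_test_create_bpfdesc,
	.mpo_create_ifnet = mac_test_create_ifnet,
	.mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
	.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
	.mpo_create_fragment = mac_test_create_fragment,
	.mpo_create_ipq = mac_test_create_ipq,
	.mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
	.mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
	.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
	.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
	.mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
	.mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
	.mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
	.mpo_fragment_match = mac_test_fragment_match,
	.mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
	.mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
	.mpo_relabel_ifnet = mac_test_relabel_ifnet,
	.mpo_update_ipq = mac_test_update_ipq,
	.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
	.mpo_execve_transition = mac_test_execve_transition,
	.mpo_execve_will_transition = mac_test_execve_will_transition,
	.mpo_create_proc0 = mac_test_create_proc0,
	.mpo_create_proc1 = mac_test_create_proc1,
	.mpo_relabel_cred = mac_test_relabel_cred,
	.mpo_thread_userret = mac_test_thread_userret,
	.mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
	.mpo_check_cred_relabel = mac_test_check_cred_relabel,
	.mpo_check_cred_visible = mac_test_check_cred_visible,
	.mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
	.mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
	.mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
	.mpo_check_kenv_dump = mac_test_check_kenv_dump,
	.mpo_check_kenv_get = mac_test_check_kenv_get,
	.mpo_check_kenv_set = mac_test_check_kenv_set,
	.mpo_check_kenv_unset = mac_test_check_kenv_unset,
	.mpo_check_kld_load = mac_test_check_kld_load,
	.mpo_check_kld_stat = mac_test_check_kld_stat,
	.mpo_check_kld_unload = mac_test_check_kld_unload,
	.mpo_check_mount_stat = mac_test_check_mount_stat,
	.mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
	.mpo_check_pipe_poll = mac_test_check_pipe_poll,
	.mpo_check_pipe_read = mac_test_check_pipe_read,
	.mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
	.mpo_check_pipe_stat = mac_test_check_pipe_stat,
	.mpo_check_pipe_write = mac_test_check_pipe_write,
	.mpo_check_proc_debug = mac_test_check_proc_debug,
	.mpo_check_proc_sched = mac_test_check_proc_sched,
	.mpo_check_proc_signal = mac_test_check_proc_signal,
	.mpo_check_socket_bind = mac_test_check_socket_bind,
	.mpo_check_socket_connect = mac_test_check_socket_connect,
	.mpo_check_socket_deliver = mac_test_check_socket_deliver,
	.mpo_check_socket_listen = mac_test_check_socket_listen,
	.mpo_check_socket_relabel = mac_test_check_socket_relabel,
	.mpo_check_socket_visible = mac_test_check_socket_visible,
	.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
	.mpo_check_system_acct = mac_test_check_system_acct,
	.mpo_check_system_reboot = mac_test_check_system_reboot,
	.mpo_check_system_settime = mac_test_check_system_settime,
	.mpo_check_system_swapon = mac_test_check_system_swapon,
	.mpo_check_system_swapoff = mac_test_check_system_swapoff,
	.mpo_check_system_sysctl = mac_test_check_system_sysctl,
	.mpo_check_vnode_access = mac_test_check_vnode_access,
	.mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
	.mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
	.mpo_check_vnode_create = mac_test_check_vnode_create,
	.mpo_check_vnode_delete = mac_test_check_vnode_delete,
	.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = mac_test_check_vnode_exec,
	.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
	.mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
	.mpo_check_vnode_link = mac_test_check_vnode_link,
	.mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
	.mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
	.mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
	.mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect,
	.mpo_check_vnode_open = mac_test_check_vnode_open,
	.mpo_check_vnode_poll = mac_test_check_vnode_poll,
	.mpo_check_vnode_read = mac_test_check_vnode_read,
	.mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
	.mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
	.mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
	.mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
	.mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
	.mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
	.mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
	.mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
	.mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
	.mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
	.mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
	.mpo_check_vnode_stat = mac_test_check_vnode_stat,
	.mpo_check_vnode_write = mac_test_check_vnode_write,
};

/*
 * Register the policy.  UNLOADOK allows kldunload; LABELMBUFS asks the
 * framework to allocate label storage on every mbuf so the mbuf-label
 * assertions above have a slot to inspect.
 */
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
    MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);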