1 /*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001-2004 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by Network 9 * Associates Laboratories, the Security Research Division of Network 10 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 11 * as part of the DARPA CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $FreeBSD$ 35 */ 36 37 /* 38 * Developed by the TrustedBSD Project. 39 * Generic mandatory access module that does nothing. 
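 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * NOTE(review): exported as a writable tunable, but no hook in this file
 * consults it; every hook below performs its label checks unconditionally.
 */
static int	mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");

/*
 * Per-object-type magic values.  Each label init hook stamps the value for
 * its type into this policy's label slot, and every later hook asserts that
 * the slot still carries it.  EXMAGIC is written by the destroy hooks so
 * that a second destroy, or any use after destroy, is detected.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	INPCBMAGIC	0x4440f7bb
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	PIPEMAGIC	0xdc6c9919
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
#define	EXMAGIC		0x849ba1fd

/* This policy's private word inside a label, at the framework-assigned slot. */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long

/*
 * Label sanity assertions.  Each accepts either the type's magic or 0;
 * presumably a zero slot is label storage that never passed through this
 * policy's init hook (zero-filled by the framework) -- confirm against
 * the framework's label allocation.  ASSERT_MBUF_LABEL also tolerates a
 * NULL label pointer; see mac_test_destroy_mbuf_label() for why.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
#define	ASSERT_IFNET_LABEL(x)	KASSERT(SLOT(x) == IFNETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IFNET label", __func__ ))
#define	ASSERT_INPCB_LABEL(x)	KASSERT(SLOT(x) == INPCBMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad INPCB label", __func__ ))
#define	ASSERT_IPQ_LABEL(x)	KASSERT(SLOT(x) == IPQMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad IPQ label", __func__ ))
#define	ASSERT_MBUF_LABEL(x)	KASSERT(x == NULL ||			\
	SLOT(x) == MBUFMAGIC || SLOT(x) == 0,				\
	("%s: Bad MBUF label", __func__ ))
#define	ASSERT_MOUNT_LABEL(x)	KASSERT(SLOT(x) == MOUNTMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ ))
#define	ASSERT_SOCKET_LABEL(x)	KASSERT(SLOT(x) == SOCKETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ ))
#define	ASSERT_PIPE_LABEL(x)	KASSERT(SLOT(x) == PIPEMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PIPE label", __func__ ))
#define	ASSERT_PROC_LABEL(x)	KASSERT(SLOT(x) == PROCMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PROC label", __func__ ))
#define	ASSERT_CRED_LABEL(x)	KASSERT(SLOT(x) == CREDMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad CRED label", __func__ ))
#define	ASSERT_VNODE_LABEL(x)	KASSERT(SLOT(x) == VNODEMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad VNODE label", __func__ ))

/* Label slot handed to this policy by the MAC framework. */
static int	test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");

/*
 * Read-only counters of label init hook invocations, one per object type.
 * Incremented atomically by the init hooks below.
 */
static int	init_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
    &init_count_bpfdesc, 0, "bpfdesc init calls");
static int	init_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
    &init_count_cred, 0, "cred init calls");
static int	init_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
    &init_count_devfsdirent, 0, "devfsdirent init calls");
static int	init_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
    &init_count_ifnet, 0, "ifnet init calls");
static int	init_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
    &init_count_inpcb, 0, "inpcb init calls");
static int	init_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
    &init_count_ipq, 0, "ipq init calls");
static int	init_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
    &init_count_mbuf, 0, "mbuf init calls");
static int	init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
    &init_count_mount, 0, "mount init calls");
static int	init_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
    &init_count_mount_fslabel, 0, "mount_fslabel init calls");
static int	init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
    &init_count_socket, 0, "socket init calls");
static int	init_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
    CTLFLAG_RD, &init_count_socket_peerlabel, 0,
    "socket_peerlabel init calls");
static int	init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
    &init_count_pipe, 0, "pipe init calls");
static int	init_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
    &init_count_proc, 0, "proc init calls");
static int	init_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
    &init_count_vnode, 0, "vnode init calls");

/*
 * Read-only counters of label destroy hook invocations, one per object type.
 * Only destroys of a live (or zero) slot are counted; see the destroy hooks.
 */
static int	destroy_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
    &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
static int	destroy_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
    &destroy_count_cred, 0, "cred destroy calls");
static int	destroy_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
    &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
static int	destroy_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
    &destroy_count_ifnet, 0, "ifnet destroy calls");
static int	destroy_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
    &destroy_count_inpcb, 0, "inpcb destroy calls");
static int	destroy_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
    &destroy_count_ipq, 0, "ipq destroy calls");
static int	destroy_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
    &destroy_count_mbuf, 0, "mbuf destroy calls");
static int	destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
    &destroy_count_mount, 0, "mount destroy calls");
static int	destroy_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
    CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
    "mount_fslabel destroy calls");
static int	destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
    &destroy_count_socket, 0, "socket destroy calls");
static int	destroy_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
    CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
    "socket_peerlabel destroy calls");
static int	destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
    &destroy_count_pipe, 0, "pipe destroy calls");
static int	destroy_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
    &destroy_count_proc, 0, "proc destroy calls");
static int	destroy_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
    &destroy_count_vnode, 0, "vnode destroy calls");

/* Counters of label externalize/internalize requests seen by this policy. */
static int	externalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
static int	internalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");

/*
 * Policy module operations.
 */

/* Module unload hook: nothing to tear down. */
static void
mac_test_destroy(struct mac_policy_conf *conf)
{

}

/* Module load hook: nothing to set up beyond the static sysctls above. */
static void
mac_test_init(struct mac_policy_conf *conf)
{

}

/* Policy-private syscall entry point: no calls are defined, always 0. */
static int
mac_test_syscall(struct thread *td, int call, void *arg)
{

	return (0);
}

/*
 * Label operations.
 *
 * Every init hook stamps its type's magic into the slot and bumps the
 * matching counter.  The init hooks that take an allocation flag also ask
 * WITNESS to verify that sleeping is permitted in the caller's context when
 * M_WAITOK is passed, since a waiting allocation may sleep.
 */
static void
mac_test_init_bpfdesc_label(struct label *label)
{

	SLOT(label) = BPFMAGIC;
	atomic_add_int(&init_count_bpfdesc, 1);
}

static void
mac_test_init_cred_label(struct label *label)
{

	SLOT(label) = CREDMAGIC;
	atomic_add_int(&init_count_cred, 1);
}

static void
mac_test_init_devfsdirent_label(struct label *label)
{

	SLOT(label) = DEVFSMAGIC;
	atomic_add_int(&init_count_devfsdirent, 1);
}

static void
mac_test_init_ifnet_label(struct label *label)
{

	SLOT(label) = IFNETMAGIC;
	atomic_add_int(&init_count_ifnet, 1);
}

/* Returns 0: this policy never fails to initialise a label. */
static int
mac_test_init_inpcb_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_inpcb_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = INPCBMAGIC;
	atomic_add_int(&init_count_inpcb, 1);
	return (0);
}

static int
mac_test_init_ipq_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = IPQMAGIC;
	atomic_add_int(&init_count_ipq, 1);
	return (0);
}

static int
mac_test_init_mbuf_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = MBUFMAGIC;
	atomic_add_int(&init_count_mbuf, 1);
	return (0);
}

static void
mac_test_init_mount_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount, 1);
}

/* The file system label shares MOUNTMAGIC with the mount label. */
static void
mac_test_init_mount_fs_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount_fslabel, 1);
}

static int
mac_test_init_socket_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket, 1);
	return (0);
}

/* The peer label shares SOCKETMAGIC with the socket label. */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket_peerlabel, 1);
	return (0);
}

static void
mac_test_init_pipe_label(struct label *label)
{

	SLOT(label) = PIPEMAGIC;
	atomic_add_int(&init_count_pipe, 1);
}

static void
mac_test_init_proc_label(struct label *label)
{

	SLOT(label) = PROCMAGIC;
	atomic_add_int(&init_count_proc, 1);
}

static void
mac_test_init_vnode_label(struct label *label)
{

	SLOT(label) = VNODEMAGIC;
	atomic_add_int(&init_count_vnode, 1);
}

/*
 * Destroy hooks.  A slot holding the type's magic (or 0) is counted and
 * then poisoned with EXMAGIC.  Any other value drops into the debugger,
 * distinguishing a double destroy (EXMAGIC) from a corrupted slot.
 */
static void
mac_test_destroy_bpfdesc_label(struct label *label)
{

	if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_bpfdesc, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_bpfdesc: dup destroy");
	} else {
		Debugger("mac_test_destroy_bpfdesc: corrupted label");
	}
}

static void
mac_test_destroy_cred_label(struct label *label)
{

	if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_cred, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_cred: dup destroy");
	} else {
		Debugger("mac_test_destroy_cred: corrupted label");
	}
}

static void
mac_test_destroy_devfsdirent_label(struct label *label)
{

	if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_devfsdirent, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_devfsdirent: dup destroy");
	} else {
		Debugger("mac_test_destroy_devfsdirent: corrupted label");
	}
}

static void
mac_test_destroy_ifnet_label(struct label *label)
{

	if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_ifnet, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_ifnet: dup destroy");
	} else {
		Debugger("mac_test_destroy_ifnet: corrupted label");
	}
}

static void
mac_test_destroy_inpcb_label(struct label *label)
{

	if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_inpcb, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_inpcb: dup destroy");
	} else {
		Debugger("mac_test_destroy_inpcb: corrupted label");
	}
}

static void
mac_test_destroy_ipq_label(struct label *label)
{

	if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_ipq, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_ipq: dup destroy");
	} else {
		Debugger("mac_test_destroy_ipq: corrupted label");
	}
}

static void
mac_test_destroy_mbuf_label(struct label *label)
{

	/*
	 * If we're loaded dynamically, there may be mbufs in flight that
	 * didn't have label storage allocated for them.  Handle this
	 * gracefully.
	 */
	if (label == NULL)
		return;

	if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mbuf, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mbuf: dup destroy");
	} else {
		Debugger("mac_test_destroy_mbuf: corrupted label");
	}
}

static void
mac_test_destroy_mount_label(struct label *label)
{

	if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
		atomic_add_int(&destroy_count_mount, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mount: dup destroy");
	} else {
		Debugger("mac_test_destroy_mount: corrupted label");
	}
}

static void
mac_test_destroy_mount_fs_label(struct label *label)
{

	if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
		atomic_add_int(&destroy_count_mount_fslabel, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mount_fslabel: dup destroy");
	} else {
		Debugger("mac_test_destroy_mount_fslabel: corrupted label");
	}
}

static void
mac_test_destroy_socket_label(struct label *label)
{

	if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
		atomic_add_int(&destroy_count_socket, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_socket: dup destroy");
	} else {
		Debugger("mac_test_destroy_socket: corrupted label");
	}
}

static void
mac_test_destroy_socket_peer_label(struct label *label)
{

	if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
		atomic_add_int(&destroy_count_socket_peerlabel, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_socket_peerlabel: dup destroy");
	} else {
		Debugger("mac_test_destroy_socket_peerlabel: corrupted label");
	}
}

static void
mac_test_destroy_pipe_label(struct label *label)
{

	if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) {
		atomic_add_int(&destroy_count_pipe, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_pipe: dup destroy");
	} else {
		Debugger("mac_test_destroy_pipe: corrupted label");
	}
}

static void
mac_test_destroy_proc_label(struct label *label)
{

	if ((SLOT(label) == PROCMAGIC || SLOT(label) == 0)) {
		atomic_add_int(&destroy_count_proc, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_proc: dup destroy");
	} else {
		Debugger("mac_test_destroy_proc: corrupted label");
	}
}

static void
mac_test_destroy_vnode_label(struct label *label)
{

	if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_vnode, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_vnode: dup destroy");
	} else {
		Debugger("mac_test_destroy_vnode: corrupted label");
	}
}

/*
 * Copy hooks.  The slot carries only a type magic, so there is nothing to
 * copy; both sides are merely checked for the expected magic.
 */
static void
mac_test_copy_cred_label(struct label *src, struct label *dest)
{

	ASSERT_CRED_LABEL(src);
	ASSERT_CRED_LABEL(dest);
}

static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{

	ASSERT_MBUF_LABEL(src);
	ASSERT_MBUF_LABEL(dest);
}

static void
mac_test_copy_pipe_label(struct label *src, struct label *dest)
{

	ASSERT_PIPE_LABEL(src);
	ASSERT_PIPE_LABEL(dest);
}

static void
mac_test_copy_socket_label(struct label *src, struct label *dest)
{

	ASSERT_SOCKET_LABEL(src);
	ASSERT_SOCKET_LABEL(dest);
}

static void
mac_test_copy_vnode_label(struct label *src, struct label *dest)
{

	ASSERT_VNODE_LABEL(src);
	ASSERT_VNODE_LABEL(dest);
}

/*
 * Externalize/internalize: count the request and check that the label has
 * not already been destroyed.  Neither hook writes to sb/element_data nor
 * sets *claimed, so this policy never claims a label element.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{

	atomic_add_int(&externalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_externalize_label: destroyed label"));

	return (0);
}

static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{

	atomic_add_int(&internalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_internalize_label: destroyed label"));

	return (0);
}

/*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.
 *
 * None of these hooks derive or store a label; each only asserts the magic
 * of the labels it is handed.  Hooks returning int report 0 (success).
 */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_DEVFS_LABEL(delabel);
	ASSERT_VNODE_LABEL(vlabel);
}

static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
	return (0);
}

static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
}

static void
mac_test_create_devfs_device(struct mount *mp, dev_t dev,
    struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_DEVFS_LABEL(ddlabel);
	ASSERT_DEVFS_LABEL(delabel);
}

static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(dlabel);
	/*
	 * The new vnode's own label was previously unchecked here; assert it
	 * for consistency with mac_test_associate_vnode_extattr().
	 */
	ASSERT_VNODE_LABEL(vlabel);

	return (0);
}

static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

static void
mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(label);
}

static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vlabel);
	ASSERT_VNODE_LABEL(intlabel);
	return (0);
}

static void
mac_test_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{

	ASSERT_DEVFS_LABEL(direntlabel);
	ASSERT_VNODE_LABEL(vnodelabel);
}

/*
 * Labeling event operations: IPC object.
 */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
}

static void
mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
}

static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketlabel);
}

static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	/*
	 * The socket's current label was previously unchecked here, unlike
	 * every other relabel hook in this file; check it like they do.
	 */
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);
}

static void
mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
}

static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{

	ASSERT_MBUF_LABEL(mbuflabel);
	ASSERT_SOCKET_LABEL(socketpeerlabel);
}

/*
 * Labeling event operations: network objects.
 */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}

static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}

static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}

static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}

static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
}

static void
mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/*
 * Returns 1 (match) unconditionally: this policy never prevents a fragment
 * from joining a reassembly queue.
 */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);

	return (1);
}

static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
}

static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

static void
mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/*
 * Labeling event operations: processes.
 *
 * interpvnodelabel and execlabel are optional (NULL when there is no
 * interpreter / no requested exec label) and are only checked when present.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}

/* Returns 0: this policy never requests a credential transition on exec. */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

static void
mac_test_create_proc0(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

static void
mac_test_create_proc1(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}
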
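/* Credential relabel event: current and replacement labels are probed. */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}

/*
 * Called on every return of td to user mode.  This is purely a trace hook:
 * it emits one console line per userret, which on a busy system floods the
 * kernel message buffer, so it is only appropriate for the test policy.
 * The pid is taken from the td argument rather than from curthread so the
 * hook reports the thread it was actually invoked for (in the userret path
 * the two are the same thread).
 */
static void
mac_test_thread_userret(struct thread *td)
{

	printf("mac_test_thread_userret(process = %d)\n",
	    td->td_proc->p_pid);
}

/*
 * Access control checks.
 *
 * Every mpo_check_* hook below probes the label slots it is given with the
 * ASSERT_*_LABEL macros and then returns 0 (no error), so this policy never
 * contributes a denial to the framework's decision.  None of these hooks
 * consults the security.mac.test.enabled sysctl declared at the top of the
 * file; the probes run regardless of its value.  Object pointers and
 * operation arguments (mode bits, names, ioctl data, ...) are not inspected.
 * Label arguments that the framework may legitimately pass as NULL are
 * probed only after a NULL test, because SLOT() dereferences its argument.
 */

/* Delivery of a captured packet from ifnet to a BPF descriptor. */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}

/* May cred relabel itself to newlabel? */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}

/* May a process with credential u1 see one with credential u2? */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);

	return (0);
}

/* May cred relabel ifnet from ifnetlabel to newlabel? */
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);

	return (0);
}

/* May mbuf m be transmitted on ifnet? */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* May mbuf m be delivered to inpcb inp? */
static int
mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);

	return (0);
}

/* Kernel environment: dump, get, set and unset are all credential-only. */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel module load from vnode vp; the module file's label is probed too. */
static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_kld_stat(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kld_unload(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* May cred stat mount point mp? */
static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);

	return (0);
}

/*
 * Pipe checks: the credential and the pipe pair's label are probed.  For
 * ioctl the command and its data pointer are not examined.
 */
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

static int
mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe relabel: the proposed label is probed as a pipe label as well. */
static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);

	return (0);
}

static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

static int
mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/*
 * Process checks (debug, sched, signal): the subject credential and the
 * target process's credential label are probed; signum is not examined.
 */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/*
 * Socket checks: credential (where one is supplied) and socket label are
 * probed; the sockaddr arguments of bind/connect are not examined.
 */
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Delivery of mbuf m to a socket; no credential is involved here. */
static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket relabel: the proposed label is probed as a socket label as well. */
static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}

/* i386 I/O port permission request; credential-only. */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Process accounting control.  The vnode label is probed only when one is
 * supplied: the accounting file may be absent (accounting being switched
 * off), in which case vp and label are expected to be NULL — confirm against
 * the framework's mac_check_system_acct() caller.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	if (label != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

/* reboot(2); the how argument is not examined. */
static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_system_settime(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* swapon/swapoff on vnode vp: credential and swap device label probed. */
static int
mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* sysctl access; the oid, its arguments and the request are not examined. */
static int
mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
    void *arg1, int arg2, struct sysctl_req *req)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Vnode checks.  Unless noted, each probes the credential and the label of
 * every vnode it is handed (directory label dlabel and/or file label label)
 * and ignores the remaining arguments (mode bits, names, attributes, ...).
 */
static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Execution of vp.  execlabel is the label the caller asked to run under
 * and is NULL when none was requested, so it is probed only when present.
 */
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	return (0);
}

/*
 * poll/read/stat/write take two credentials: active_cred is the caller and
 * file_cred the credential cached on the open file, which the framework
 * passes as NULL (NOCRED) when there is none.  file_cred is therefore only
 * probed after a NULL test, in poll as in the other three.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);

	return (0);
}

/* Vnode relabel: the proposed label is probed as a vnode label as well. */
static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);

	return (0);
}

static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Rename target side: vp is the existing file that would be replaced and is
 * NULL when the target name does not exist yet, so label is probed only
 * when vp is present.  samedir is not examined.
 */
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	if (vp != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Entry-point table handed to the MAC framework.  Every hook this module
 * implements must be listed here or the framework never calls it; the
 * externalize/internalize slots all share the two generic helpers.
 */
static struct mac_policy_ops mac_test_ops =
{
	.mpo_destroy = mac_test_destroy,
	.mpo_init = mac_test_init,
	.mpo_syscall = mac_test_syscall,
	.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
	.mpo_init_cred_label = mac_test_init_cred_label,
	.mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
	.mpo_init_ifnet_label = mac_test_init_ifnet_label,
	.mpo_init_inpcb_label = mac_test_init_inpcb_label,
	.mpo_init_ipq_label = mac_test_init_ipq_label,
	.mpo_init_mbuf_label = mac_test_init_mbuf_label,
	.mpo_init_mount_label = mac_test_init_mount_label,
	.mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
	.mpo_init_pipe_label = mac_test_init_pipe_label,
	.mpo_init_proc_label = mac_test_init_proc_label,
	.mpo_init_socket_label = mac_test_init_socket_label,
	.mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
	.mpo_init_vnode_label = mac_test_init_vnode_label,
	.mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
	.mpo_destroy_cred_label = mac_test_destroy_cred_label,
	.mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
	.mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
	.mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
	.mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
	.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
	.mpo_destroy_mount_label = mac_test_destroy_mount_label,
	.mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
	.mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
	.mpo_destroy_proc_label = mac_test_destroy_proc_label,
	.mpo_destroy_socket_label = mac_test_destroy_socket_label,
	.mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
	.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
	.mpo_copy_cred_label = mac_test_copy_cred_label,
	.mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
	.mpo_copy_pipe_label = mac_test_copy_pipe_label,
	.mpo_copy_socket_label = mac_test_copy_socket_label,
	.mpo_copy_vnode_label = mac_test_copy_vnode_label,
	.mpo_externalize_cred_label = mac_test_externalize_label,
	.mpo_externalize_ifnet_label = mac_test_externalize_label,
	.mpo_externalize_pipe_label = mac_test_externalize_label,
	.mpo_externalize_socket_label = mac_test_externalize_label,
	.mpo_externalize_socket_peer_label = mac_test_externalize_label,
	.mpo_externalize_vnode_label = mac_test_externalize_label,
	.mpo_internalize_cred_label = mac_test_internalize_label,
	.mpo_internalize_ifnet_label = mac_test_internalize_label,
	.mpo_internalize_pipe_label = mac_test_internalize_label,
	.mpo_internalize_socket_label = mac_test_internalize_label,
	.mpo_internalize_vnode_label = mac_test_internalize_label,
	.mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
	.mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
	.mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
	.mpo_create_devfs_device = mac_test_create_devfs_device,
	.mpo_create_devfs_directory = mac_test_create_devfs_directory,
	.mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
	.mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
	.mpo_create_mount = mac_test_create_mount,
	.mpo_create_root_mount = mac_test_create_root_mount,
	.mpo_relabel_vnode = mac_test_relabel_vnode,
	.mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
	.mpo_update_devfsdirent = mac_test_update_devfsdirent,
	.mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
	.mpo_create_pipe = mac_test_create_pipe,
	.mpo_create_socket = mac_test_create_socket,
	.mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
	.mpo_relabel_pipe = mac_test_relabel_pipe,
	.mpo_relabel_socket = mac_test_relabel_socket,
	.mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
	.mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
	.mpo_create_bpfdesc = mac_test_create_bpfdesc,
	.mpo_create_ifnet = mac_test_create_ifnet,
	.mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
	.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
	.mpo_create_fragment = mac_test_create_fragment,
	.mpo_create_ipq = mac_test_create_ipq,
	.mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
	.mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
	.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
	.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
	.mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
	.mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
	.mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
	.mpo_fragment_match = mac_test_fragment_match,
	.mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
	.mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
	.mpo_relabel_ifnet = mac_test_relabel_ifnet,
	.mpo_update_ipq = mac_test_update_ipq,
	.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
	.mpo_execve_transition = mac_test_execve_transition,
	.mpo_execve_will_transition = mac_test_execve_will_transition,
	.mpo_create_proc0 = mac_test_create_proc0,
	.mpo_create_proc1 = mac_test_create_proc1,
	.mpo_relabel_cred = mac_test_relabel_cred,
	.mpo_thread_userret = mac_test_thread_userret,
	.mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
	.mpo_check_cred_relabel = mac_test_check_cred_relabel,
	.mpo_check_cred_visible = mac_test_check_cred_visible,
	.mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
	.mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
	.mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
	.mpo_check_kenv_dump = mac_test_check_kenv_dump,
	.mpo_check_kenv_get = mac_test_check_kenv_get,
	.mpo_check_kenv_set = mac_test_check_kenv_set,
	.mpo_check_kenv_unset = mac_test_check_kenv_unset,
	.mpo_check_kld_load = mac_test_check_kld_load,
	.mpo_check_kld_stat = mac_test_check_kld_stat,
	.mpo_check_kld_unload = mac_test_check_kld_unload,
	.mpo_check_mount_stat = mac_test_check_mount_stat,
	.mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
	.mpo_check_pipe_poll = mac_test_check_pipe_poll,
	.mpo_check_pipe_read = mac_test_check_pipe_read,
	.mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
	.mpo_check_pipe_stat = mac_test_check_pipe_stat,
	.mpo_check_pipe_write = mac_test_check_pipe_write,
	.mpo_check_proc_debug = mac_test_check_proc_debug,
	.mpo_check_proc_sched = mac_test_check_proc_sched,
	.mpo_check_proc_signal = mac_test_check_proc_signal,
	.mpo_check_socket_bind = mac_test_check_socket_bind,
	.mpo_check_socket_connect = mac_test_check_socket_connect,
	.mpo_check_socket_deliver = mac_test_check_socket_deliver,
	.mpo_check_socket_listen = mac_test_check_socket_listen,
	.mpo_check_socket_relabel = mac_test_check_socket_relabel,
	.mpo_check_socket_visible = mac_test_check_socket_visible,
	.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
	.mpo_check_system_acct = mac_test_check_system_acct,
	.mpo_check_system_reboot = mac_test_check_system_reboot,
	.mpo_check_system_settime = mac_test_check_system_settime,
	.mpo_check_system_swapon = mac_test_check_system_swapon,
	.mpo_check_system_swapoff = mac_test_check_system_swapoff,
	.mpo_check_system_sysctl = mac_test_check_system_sysctl,
	.mpo_check_vnode_access = mac_test_check_vnode_access,
	.mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
	.mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
	.mpo_check_vnode_create = mac_test_check_vnode_create,
	.mpo_check_vnode_delete = mac_test_check_vnode_delete,
	.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = mac_test_check_vnode_exec,
	.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
	.mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
	.mpo_check_vnode_link = mac_test_check_vnode_link,
	.mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
	.mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
	.mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
	.mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect,
	.mpo_check_vnode_open = mac_test_check_vnode_open,
	.mpo_check_vnode_poll = mac_test_check_vnode_poll,
	.mpo_check_vnode_read = mac_test_check_vnode_read,
	.mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
	.mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
	.mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
	.mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
	.mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
	.mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
	.mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
	.mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
	.mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
	.mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
	.mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
	.mpo_check_vnode_stat = mac_test_check_vnode_stat,
	.mpo_check_vnode_write = mac_test_check_vnode_write,
};

/*
 * Register the policy.  UNLOADOK lets the module be unloaded again at
 * run time and LABELMBUFS asks the framework to allocate mbuf labels while
 * it is loaded; test_slot receives the label slot the ASSERT macros read.
 */
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
    MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);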