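/*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2005 McAfee, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by McAfee
 * Research, the Security Research Division of McAfee, Inc. under
 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
 * CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */

/*
 * Developed by the TrustedBSD Project.
 * Generic mandatory access module that does nothing.
 *
 * "Nothing" refers to access decisions.  The entry points in this file do
 * stamp every label they initialize with a per-object-type magic number,
 * check that magic wherever a label is handed back to the policy, and
 * count init/destroy calls, which makes the module a consistency check on
 * how the MAC framework manages label storage.
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/kdb.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <sys/msg.h>
#include <sys/sem.h>
#include <sys/shm.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * Writable knob exported as security.mac.test.enabled.
 * NOTE(review): none of the entry points in this part of the file read
 * it, so toggling it does not switch the label checks below off --
 * confirm against the remainder of the file.
 */
static int	mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");

/*
 * Per-object-type magic numbers.  The label init handlers store the
 * matching value in this policy's label slot and the ASSERT_*_LABEL()
 * macros check for it, so a label of the wrong type reaching an entry
 * point is detectable.  EXMAGIC is what the destroy handlers write to
 * mark a label that has already been destroyed.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	INPCBMAGIC	0x4440f7bb
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	SYSVIPCMSQMAGIC	0xea672391
#define	SYSVIPCMSGMAGIC	0x8bbba61e
#define	SYSVIPCSEMMAGIC	0x896e8a0b
#define	SYSVIPCSHMMAGIC	0x76119ab0
#define	PIPEMAGIC	0xdc6c9919
#define	POSIXSEMMAGIC	0x78ae980c
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
#define	EXMAGIC		0x849ba1fd

/*
 * This policy's storage inside a label, viewed as a long.  The expansion
 * is an lvalue: the init and destroy handlers assign through it.
 */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long

/*
 * Per-type label checks.  Each accepts the type's magic or 0.
 * NOTE(review): 0 presumably covers labels whose slot this policy never
 * initialized (for example, objects that predate loading the module) --
 * confirm.  KASSERT() is only compiled into INVARIANTS kernels, so on
 * other kernels these checks expand to nothing.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))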
#define ASSERT_IFNET_LABEL(x) KASSERT(SLOT(x) == IFNETMAGIC || \ 111 SLOT(x) == 0, ("%s: Bad IFNET label", __func__ )) 112 #define ASSERT_INPCB_LABEL(x) KASSERT(SLOT(x) == INPCBMAGIC || \ 113 SLOT(x) == 0, ("%s: Bad INPCB label", __func__ )) 114 #define ASSERT_IPQ_LABEL(x) KASSERT(SLOT(x) == IPQMAGIC || \ 115 SLOT(x) == 0, ("%s: Bad IPQ label", __func__ )) 116 #define ASSERT_MBUF_LABEL(x) KASSERT(x == NULL || \ 117 SLOT(x) == MBUFMAGIC || SLOT(x) == 0, \ 118 ("%s: Bad MBUF label", __func__ )) 119 #define ASSERT_MOUNT_LABEL(x) KASSERT(SLOT(x) == MOUNTMAGIC || \ 120 SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ )) 121 #define ASSERT_SOCKET_LABEL(x) KASSERT(SLOT(x) == SOCKETMAGIC || \ 122 SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ )) 123 #define ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC || \ 124 SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__ )) 125 #define ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC || \ 126 SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__ )) 127 #define ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC || \ 128 SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__ )) 129 #define ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC || \ 130 SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__ )) 131 #define ASSERT_PIPE_LABEL(x) KASSERT(SLOT(x) == PIPEMAGIC || \ 132 SLOT(x) == 0, ("%s: Bad PIPE label", __func__ )) 133 #define ASSERT_PROC_LABEL(x) KASSERT(SLOT(x) == PROCMAGIC || \ 134 SLOT(x) == 0, ("%s: Bad PROC label", __func__ )) 135 #define ASSERT_CRED_LABEL(x) KASSERT(SLOT(x) == CREDMAGIC || \ 136 SLOT(x) == 0, ("%s: Bad CRED label", __func__ )) 137 #define ASSERT_VNODE_LABEL(x) KASSERT(SLOT(x) == VNODEMAGIC || \ 138 SLOT(x) == 0, ("%s: Bad VNODE label", __func__ )) 139 140 static int test_slot; 141 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 142 &test_slot, 0, "Slot allocated by framework"); 143 144 static int init_count_bpfdesc; 145 SYSCTL_INT(_security_mac_test, 
OID_AUTO, init_count_bpfdesc, CTLFLAG_RD, 146 &init_count_bpfdesc, 0, "bpfdesc init calls"); 147 static int init_count_cred; 148 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD, 149 &init_count_cred, 0, "cred init calls"); 150 static int init_count_devfsdirent; 151 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD, 152 &init_count_devfsdirent, 0, "devfsdirent init calls"); 153 static int init_count_ifnet; 154 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD, 155 &init_count_ifnet, 0, "ifnet init calls"); 156 static int init_count_inpcb; 157 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD, 158 &init_count_inpcb, 0, "inpcb init calls"); 159 static int init_count_sysv_msg; 160 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD, 161 &init_count_sysv_msg, 0, "ipc_msg init calls"); 162 static int init_count_sysv_msq; 163 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD, 164 &init_count_sysv_msq, 0, "ipc_msq init calls"); 165 static int init_count_sysv_sema; 166 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sema, CTLFLAG_RD, 167 &init_count_sysv_sema, 0, "ipc_sema init calls"); 168 static int init_count_sysv_shm; 169 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD, 170 &init_count_sysv_shm, 0, "ipc_shm init calls"); 171 static int init_count_ipq; 172 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD, 173 &init_count_ipq, 0, "ipq init calls"); 174 static int init_count_mbuf; 175 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD, 176 &init_count_mbuf, 0, "mbuf init calls"); 177 static int init_count_mount; 178 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD, 179 &init_count_mount, 0, "mount init calls"); 180 static int init_count_mount_fslabel; 181 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD, 182 
&init_count_mount_fslabel, 0, "mount_fslabel init calls"); 183 static int init_count_socket; 184 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD, 185 &init_count_socket, 0, "socket init calls"); 186 static int init_count_socket_peerlabel; 187 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel, 188 CTLFLAG_RD, &init_count_socket_peerlabel, 0, 189 "socket_peerlabel init calls"); 190 static int init_count_pipe; 191 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD, 192 &init_count_pipe, 0, "pipe init calls"); 193 static int init_count_proc; 194 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD, 195 &init_count_proc, 0, "proc init calls"); 196 static int init_count_vnode; 197 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD, 198 &init_count_vnode, 0, "vnode init calls"); 199 200 static int destroy_count_bpfdesc; 201 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD, 202 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls"); 203 static int destroy_count_cred; 204 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD, 205 &destroy_count_cred, 0, "cred destroy calls"); 206 static int destroy_count_devfsdirent; 207 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD, 208 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls"); 209 static int destroy_count_ifnet; 210 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD, 211 &destroy_count_ifnet, 0, "ifnet destroy calls"); 212 static int destroy_count_inpcb; 213 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD, 214 &destroy_count_inpcb, 0, "inpcb destroy calls"); 215 static int destroy_count_sysv_msg; 216 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD, 217 &destroy_count_sysv_msg, 0, "ipc_msg destroy calls"); 218 static int destroy_count_sysv_msq; 219 SYSCTL_INT(_security_mac_test, 
OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD, 220 &destroy_count_sysv_msq, 0, "ipc_msq destroy calls"); 221 static int destroy_count_sysv_sema; 222 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sema, CTLFLAG_RD, 223 &destroy_count_sysv_sema, 0, "ipc_sema destroy calls"); 224 static int destroy_count_sysv_shm; 225 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD, 226 &destroy_count_sysv_shm, 0, "ipc_shm destroy calls"); 227 static int destroy_count_ipq; 228 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD, 229 &destroy_count_ipq, 0, "ipq destroy calls"); 230 static int destroy_count_mbuf; 231 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD, 232 &destroy_count_mbuf, 0, "mbuf destroy calls"); 233 static int destroy_count_mount; 234 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD, 235 &destroy_count_mount, 0, "mount destroy calls"); 236 static int destroy_count_mount_fslabel; 237 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel, 238 CTLFLAG_RD, &destroy_count_mount_fslabel, 0, 239 "mount_fslabel destroy calls"); 240 static int destroy_count_socket; 241 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD, 242 &destroy_count_socket, 0, "socket destroy calls"); 243 static int destroy_count_socket_peerlabel; 244 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel, 245 CTLFLAG_RD, &destroy_count_socket_peerlabel, 0, 246 "socket_peerlabel destroy calls"); 247 static int destroy_count_pipe; 248 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD, 249 &destroy_count_pipe, 0, "pipe destroy calls"); 250 static int destroy_count_proc; 251 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD, 252 &destroy_count_proc, 0, "proc destroy calls"); 253 static int destroy_count_vnode; 254 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD, 255 
&destroy_count_vnode, 0, "vnode destroy calls"); 256 257 static int externalize_count; 258 SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD, 259 &externalize_count, 0, "Subject/object externalize calls"); 260 static int internalize_count; 261 SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD, 262 &internalize_count, 0, "Subject/object internalize calls"); 263 264 #ifdef KDB 265 #define DEBUGGER(x) kdb_enter(x) 266 #else 267 #define DEBUGGER(x) printf("mac_test: %s\n", (x)) 268 #endif 269 270 /* 271 * Policy module operations. 272 */ 273 static void 274 mac_test_destroy(struct mac_policy_conf *conf) 275 { 276 277 } 278 279 static void 280 mac_test_init(struct mac_policy_conf *conf) 281 { 282 283 } 284 285 static int 286 mac_test_syscall(struct thread *td, int call, void *arg) 287 { 288 289 return (0); 290 } 291 292 /* 293 * Label operations. 294 */ 295 static void 296 mac_test_init_bpfdesc_label(struct label *label) 297 { 298 299 SLOT(label) = BPFMAGIC; 300 atomic_add_int(&init_count_bpfdesc, 1); 301 } 302 303 static void 304 mac_test_init_cred_label(struct label *label) 305 { 306 307 SLOT(label) = CREDMAGIC; 308 atomic_add_int(&init_count_cred, 1); 309 } 310 311 static void 312 mac_test_init_devfsdirent_label(struct label *label) 313 { 314 315 SLOT(label) = DEVFSMAGIC; 316 atomic_add_int(&init_count_devfsdirent, 1); 317 } 318 319 static void 320 mac_test_init_ifnet_label(struct label *label) 321 { 322 323 SLOT(label) = IFNETMAGIC; 324 atomic_add_int(&init_count_ifnet, 1); 325 } 326 327 static int 328 mac_test_init_inpcb_label(struct label *label, int flag) 329 { 330 331 if (flag & M_WAITOK) 332 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 333 "mac_test_init_inpcb_label() at %s:%d", __FILE__, 334 __LINE__); 335 336 SLOT(label) = INPCBMAGIC; 337 atomic_add_int(&init_count_inpcb, 1); 338 return (0); 339 } 340 341 static void 342 mac_test_init_sysv_msgmsg_label(struct label *label) 343 { 344 SLOT(label) = SYSVIPCMSGMAGIC; 
345 atomic_add_int(&init_count_sysv_msg, 1); 346 } 347 348 static void 349 mac_test_init_sysv_msgqueue_label(struct label *label) 350 { 351 SLOT(label) = SYSVIPCMSQMAGIC; 352 atomic_add_int(&init_count_sysv_msq, 1); 353 } 354 355 static void 356 mac_test_init_sysv_sema_label(struct label *label) 357 { 358 SLOT(label) = SYSVIPCSEMMAGIC; 359 atomic_add_int(&init_count_sysv_sema, 1); 360 } 361 362 static void 363 mac_test_init_sysv_shm_label(struct label *label) 364 { 365 SLOT(label) = SYSVIPCSHMMAGIC; 366 atomic_add_int(&init_count_sysv_shm, 1); 367 } 368 369 static int 370 mac_test_init_ipq_label(struct label *label, int flag) 371 { 372 373 if (flag & M_WAITOK) 374 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 375 "mac_test_init_ipq_label() at %s:%d", __FILE__, 376 __LINE__); 377 378 SLOT(label) = IPQMAGIC; 379 atomic_add_int(&init_count_ipq, 1); 380 return (0); 381 } 382 383 static int 384 mac_test_init_mbuf_label(struct label *label, int flag) 385 { 386 387 if (flag & M_WAITOK) 388 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 389 "mac_test_init_mbuf_label() at %s:%d", __FILE__, 390 __LINE__); 391 392 SLOT(label) = MBUFMAGIC; 393 atomic_add_int(&init_count_mbuf, 1); 394 return (0); 395 } 396 397 static void 398 mac_test_init_mount_label(struct label *label) 399 { 400 401 SLOT(label) = MOUNTMAGIC; 402 atomic_add_int(&init_count_mount, 1); 403 } 404 405 static void 406 mac_test_init_mount_fs_label(struct label *label) 407 { 408 409 SLOT(label) = MOUNTMAGIC; 410 atomic_add_int(&init_count_mount_fslabel, 1); 411 } 412 413 static int 414 mac_test_init_socket_label(struct label *label, int flag) 415 { 416 417 if (flag & M_WAITOK) 418 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 419 "mac_test_init_socket_label() at %s:%d", __FILE__, 420 __LINE__); 421 422 SLOT(label) = SOCKETMAGIC; 423 atomic_add_int(&init_count_socket, 1); 424 return (0); 425 } 426 427 static int 428 mac_test_init_socket_peer_label(struct label *label, int flag) 429 { 430 431 if (flag & M_WAITOK) 
432 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 433 "mac_test_init_socket_peer_label() at %s:%d", __FILE__, 434 __LINE__); 435 436 SLOT(label) = SOCKETMAGIC; 437 atomic_add_int(&init_count_socket_peerlabel, 1); 438 return (0); 439 } 440 441 static void 442 mac_test_init_pipe_label(struct label *label) 443 { 444 445 SLOT(label) = PIPEMAGIC; 446 atomic_add_int(&init_count_pipe, 1); 447 } 448 449 static void 450 mac_test_init_proc_label(struct label *label) 451 { 452 453 SLOT(label) = PROCMAGIC; 454 atomic_add_int(&init_count_proc, 1); 455 } 456 457 static void 458 mac_test_init_vnode_label(struct label *label) 459 { 460 461 SLOT(label) = VNODEMAGIC; 462 atomic_add_int(&init_count_vnode, 1); 463 } 464 465 static void 466 mac_test_destroy_bpfdesc_label(struct label *label) 467 { 468 469 if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) { 470 atomic_add_int(&destroy_count_bpfdesc, 1); 471 SLOT(label) = EXMAGIC; 472 } else if (SLOT(label) == EXMAGIC) { 473 DEBUGGER("mac_test_destroy_bpfdesc: dup destroy"); 474 } else { 475 DEBUGGER("mac_test_destroy_bpfdesc: corrupted label"); 476 } 477 } 478 479 static void 480 mac_test_destroy_cred_label(struct label *label) 481 { 482 483 if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) { 484 atomic_add_int(&destroy_count_cred, 1); 485 SLOT(label) = EXMAGIC; 486 } else if (SLOT(label) == EXMAGIC) { 487 DEBUGGER("mac_test_destroy_cred: dup destroy"); 488 } else { 489 DEBUGGER("mac_test_destroy_cred: corrupted label"); 490 } 491 } 492 493 static void 494 mac_test_destroy_devfsdirent_label(struct label *label) 495 { 496 497 if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) { 498 atomic_add_int(&destroy_count_devfsdirent, 1); 499 SLOT(label) = EXMAGIC; 500 } else if (SLOT(label) == EXMAGIC) { 501 DEBUGGER("mac_test_destroy_devfsdirent: dup destroy"); 502 } else { 503 DEBUGGER("mac_test_destroy_devfsdirent: corrupted label"); 504 } 505 } 506 507 static void 508 mac_test_destroy_ifnet_label(struct label *label) 509 { 510 511 if 
(SLOT(label) == IFNETMAGIC || SLOT(label) == 0) { 512 atomic_add_int(&destroy_count_ifnet, 1); 513 SLOT(label) = EXMAGIC; 514 } else if (SLOT(label) == EXMAGIC) { 515 DEBUGGER("mac_test_destroy_ifnet: dup destroy"); 516 } else { 517 DEBUGGER("mac_test_destroy_ifnet: corrupted label"); 518 } 519 } 520 521 static void 522 mac_test_destroy_inpcb_label(struct label *label) 523 { 524 525 if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) { 526 atomic_add_int(&destroy_count_inpcb, 1); 527 SLOT(label) = EXMAGIC; 528 } else if (SLOT(label) == EXMAGIC) { 529 DEBUGGER("mac_test_destroy_inpcb: dup destroy"); 530 } else { 531 DEBUGGER("mac_test_destroy_inpcb: corrupted label"); 532 } 533 } 534 535 static void 536 mac_test_destroy_sysv_msgmsg_label(struct label *label) 537 { 538 539 if (SLOT(label) == SYSVIPCMSGMAGIC || SLOT(label) == 0) { 540 atomic_add_int(&destroy_count_sysv_msg, 1); 541 SLOT(label) = EXMAGIC; 542 } else if (SLOT(label) == EXMAGIC) { 543 DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy"); 544 } else { 545 DEBUGGER( 546 "mac_test_destroy_sysv_msgmsg_label: corrupted label"); 547 } 548 } 549 550 static void 551 mac_test_destroy_sysv_msgqueue_label(struct label *label) 552 { 553 554 if (SLOT(label) == SYSVIPCMSQMAGIC || SLOT(label) == 0) { 555 atomic_add_int(&destroy_count_sysv_msq, 1); 556 SLOT(label) = EXMAGIC; 557 } else if (SLOT(label) == EXMAGIC) { 558 DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy"); 559 } else { 560 DEBUGGER( 561 "mac_test_destroy_sysv_msgqueue_label: corrupted label"); 562 } 563 } 564 565 static void 566 mac_test_destroy_sysv_sema_label(struct label *label) 567 { 568 569 if (SLOT(label) == SYSVIPCSEMMAGIC || SLOT(label) == 0) { 570 atomic_add_int(&destroy_count_sysv_sema, 1); 571 SLOT(label) = EXMAGIC; 572 } else if (SLOT(label) == EXMAGIC) { 573 DEBUGGER("mac_test_destroy_sysv_sema_label: dup destroy"); 574 } else { 575 DEBUGGER("mac_test_destroy_sysv_sema_label: corrupted label"); 576 } 577 } 578 579 static void 
580 mac_test_destroy_sysv_shm_label(struct label *label) 581 { 582 583 if (SLOT(label) == SYSVIPCSHMMAGIC || SLOT(label) == 0) { 584 atomic_add_int(&destroy_count_sysv_shm, 1); 585 SLOT(label) = EXMAGIC; 586 } else if (SLOT(label) == EXMAGIC) { 587 DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy"); 588 } else { 589 DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label"); 590 } 591 } 592 593 static void 594 mac_test_destroy_ipq_label(struct label *label) 595 { 596 597 if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) { 598 atomic_add_int(&destroy_count_ipq, 1); 599 SLOT(label) = EXMAGIC; 600 } else if (SLOT(label) == EXMAGIC) { 601 DEBUGGER("mac_test_destroy_ipq: dup destroy"); 602 } else { 603 DEBUGGER("mac_test_destroy_ipq: corrupted label"); 604 } 605 } 606 607 static void 608 mac_test_destroy_mbuf_label(struct label *label) 609 { 610 611 /* 612 * If we're loaded dynamically, there may be mbufs in flight that 613 * didn't have label storage allocated for them. Handle this 614 * gracefully. 
615 */ 616 if (label == NULL) 617 return; 618 619 if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) { 620 atomic_add_int(&destroy_count_mbuf, 1); 621 SLOT(label) = EXMAGIC; 622 } else if (SLOT(label) == EXMAGIC) { 623 DEBUGGER("mac_test_destroy_mbuf: dup destroy"); 624 } else { 625 DEBUGGER("mac_test_destroy_mbuf: corrupted label"); 626 } 627 } 628 629 static void 630 mac_test_destroy_mount_label(struct label *label) 631 { 632 633 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) { 634 atomic_add_int(&destroy_count_mount, 1); 635 SLOT(label) = EXMAGIC; 636 } else if (SLOT(label) == EXMAGIC) { 637 DEBUGGER("mac_test_destroy_mount: dup destroy"); 638 } else { 639 DEBUGGER("mac_test_destroy_mount: corrupted label"); 640 } 641 } 642 643 static void 644 mac_test_destroy_mount_fs_label(struct label *label) 645 { 646 647 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) { 648 atomic_add_int(&destroy_count_mount_fslabel, 1); 649 SLOT(label) = EXMAGIC; 650 } else if (SLOT(label) == EXMAGIC) { 651 DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy"); 652 } else { 653 DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label"); 654 } 655 } 656 657 static void 658 mac_test_destroy_socket_label(struct label *label) 659 { 660 661 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) { 662 atomic_add_int(&destroy_count_socket, 1); 663 SLOT(label) = EXMAGIC; 664 } else if (SLOT(label) == EXMAGIC) { 665 DEBUGGER("mac_test_destroy_socket: dup destroy"); 666 } else { 667 DEBUGGER("mac_test_destroy_socket: corrupted label"); 668 } 669 } 670 671 static void 672 mac_test_destroy_socket_peer_label(struct label *label) 673 { 674 675 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) { 676 atomic_add_int(&destroy_count_socket_peerlabel, 1); 677 SLOT(label) = EXMAGIC; 678 } else if (SLOT(label) == EXMAGIC) { 679 DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy"); 680 } else { 681 DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label"); 682 } 683 } 684 685 static 
void 686 mac_test_destroy_pipe_label(struct label *label) 687 { 688 689 if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) { 690 atomic_add_int(&destroy_count_pipe, 1); 691 SLOT(label) = EXMAGIC; 692 } else if (SLOT(label) == EXMAGIC) { 693 DEBUGGER("mac_test_destroy_pipe: dup destroy"); 694 } else { 695 DEBUGGER("mac_test_destroy_pipe: corrupted label"); 696 } 697 } 698 699 static void 700 mac_test_destroy_proc_label(struct label *label) 701 { 702 703 if ((SLOT(label) == PROCMAGIC || SLOT(label) == 0)) { 704 atomic_add_int(&destroy_count_proc, 1); 705 SLOT(label) = EXMAGIC; 706 } else if (SLOT(label) == EXMAGIC) { 707 DEBUGGER("mac_test_destroy_proc: dup destroy"); 708 } else { 709 DEBUGGER("mac_test_destroy_proc: corrupted label"); 710 } 711 } 712 713 static void 714 mac_test_destroy_vnode_label(struct label *label) 715 { 716 717 if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) { 718 atomic_add_int(&destroy_count_vnode, 1); 719 SLOT(label) = EXMAGIC; 720 } else if (SLOT(label) == EXMAGIC) { 721 DEBUGGER("mac_test_destroy_vnode: dup destroy"); 722 } else { 723 DEBUGGER("mac_test_destroy_vnode: corrupted label"); 724 } 725 } 726 727 static void 728 mac_test_copy_cred_label(struct label *src, struct label *dest) 729 { 730 731 ASSERT_CRED_LABEL(src); 732 ASSERT_CRED_LABEL(dest); 733 } 734 735 static void 736 mac_test_copy_ifnet_label(struct label *src, struct label *dest) 737 { 738 739 ASSERT_IFNET_LABEL(src); 740 ASSERT_IFNET_LABEL(dest); 741 } 742 743 static void 744 mac_test_copy_mbuf_label(struct label *src, struct label *dest) 745 { 746 747 ASSERT_MBUF_LABEL(src); 748 ASSERT_MBUF_LABEL(dest); 749 } 750 751 static void 752 mac_test_copy_pipe_label(struct label *src, struct label *dest) 753 { 754 755 ASSERT_PIPE_LABEL(src); 756 ASSERT_PIPE_LABEL(dest); 757 } 758 759 static void 760 mac_test_copy_socket_label(struct label *src, struct label *dest) 761 { 762 763 ASSERT_SOCKET_LABEL(src); 764 ASSERT_SOCKET_LABEL(dest); 765 } 766 767 static void 768 
mac_test_copy_vnode_label(struct label *src, struct label *dest) 769 { 770 771 ASSERT_VNODE_LABEL(src); 772 ASSERT_VNODE_LABEL(dest); 773 } 774 775 static int 776 mac_test_externalize_label(struct label *label, char *element_name, 777 struct sbuf *sb, int *claimed) 778 { 779 780 atomic_add_int(&externalize_count, 1); 781 782 KASSERT(SLOT(label) != EXMAGIC, 783 ("mac_test_externalize_label: destroyed label")); 784 785 return (0); 786 } 787 788 static int 789 mac_test_internalize_label(struct label *label, char *element_name, 790 char *element_data, int *claimed) 791 { 792 793 atomic_add_int(&internalize_count, 1); 794 795 KASSERT(SLOT(label) != EXMAGIC, 796 ("mac_test_internalize_label: destroyed label")); 797 798 return (0); 799 } 800 801 /* 802 * Labeling event operations: file system objects, and things that look 803 * a lot like file system objects. 804 */ 805 static void 806 mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel, 807 struct devfs_dirent *de, struct label *delabel, struct vnode *vp, 808 struct label *vlabel) 809 { 810 811 ASSERT_MOUNT_LABEL(fslabel); 812 ASSERT_DEVFS_LABEL(delabel); 813 ASSERT_VNODE_LABEL(vlabel); 814 } 815 816 static int 817 mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel, 818 struct vnode *vp, struct label *vlabel) 819 { 820 821 ASSERT_MOUNT_LABEL(fslabel); 822 ASSERT_VNODE_LABEL(vlabel); 823 return (0); 824 } 825 826 static void 827 mac_test_associate_vnode_singlelabel(struct mount *mp, 828 struct label *fslabel, struct vnode *vp, struct label *vlabel) 829 { 830 831 ASSERT_MOUNT_LABEL(fslabel); 832 ASSERT_VNODE_LABEL(vlabel); 833 } 834 835 static void 836 mac_test_create_devfs_device(struct mount *mp, struct cdev *dev, 837 struct devfs_dirent *devfs_dirent, struct label *label) 838 { 839 840 ASSERT_DEVFS_LABEL(label); 841 } 842 843 static void 844 mac_test_create_devfs_directory(struct mount *mp, char *dirname, 845 int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) 
846 { 847 848 ASSERT_DEVFS_LABEL(label); 849 } 850 851 static void 852 mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp, 853 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, 854 struct label *delabel) 855 { 856 857 ASSERT_CRED_LABEL(cred->cr_label); 858 ASSERT_DEVFS_LABEL(ddlabel); 859 ASSERT_DEVFS_LABEL(delabel); 860 } 861 862 static int 863 mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp, 864 struct label *fslabel, struct vnode *dvp, struct label *dlabel, 865 struct vnode *vp, struct label *vlabel, struct componentname *cnp) 866 { 867 868 ASSERT_CRED_LABEL(cred->cr_label); 869 ASSERT_MOUNT_LABEL(fslabel); 870 ASSERT_VNODE_LABEL(dlabel); 871 872 return (0); 873 } 874 875 static void 876 mac_test_create_mount(struct ucred *cred, struct mount *mp, 877 struct label *mntlabel, struct label *fslabel) 878 { 879 880 ASSERT_CRED_LABEL(cred->cr_label); 881 ASSERT_MOUNT_LABEL(mntlabel); 882 ASSERT_MOUNT_LABEL(fslabel); 883 } 884 885 static void 886 mac_test_create_root_mount(struct ucred *cred, struct mount *mp, 887 struct label *mntlabel, struct label *fslabel) 888 { 889 890 ASSERT_CRED_LABEL(cred->cr_label); 891 ASSERT_MOUNT_LABEL(mntlabel); 892 ASSERT_MOUNT_LABEL(fslabel); 893 } 894 895 static void 896 mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp, 897 struct label *vnodelabel, struct label *label) 898 { 899 900 ASSERT_CRED_LABEL(cred->cr_label); 901 ASSERT_VNODE_LABEL(vnodelabel); 902 ASSERT_VNODE_LABEL(label); 903 } 904 905 static int 906 mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, 907 struct label *vlabel, struct label *intlabel) 908 { 909 910 ASSERT_CRED_LABEL(cred->cr_label); 911 ASSERT_VNODE_LABEL(vlabel); 912 ASSERT_VNODE_LABEL(intlabel); 913 return (0); 914 } 915 916 static void 917 mac_test_update_devfsdirent(struct mount *mp, 918 struct devfs_dirent *devfs_dirent, struct label *direntlabel, 919 struct vnode *vp, struct label *vnodelabel) 920 { 921 922 
ASSERT_DEVFS_LABEL(direntlabel); 923 ASSERT_VNODE_LABEL(vnodelabel); 924 } 925 926 /* 927 * Labeling event operations: IPC object. 928 */ 929 static void 930 mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, 931 struct mbuf *m, struct label *mbuflabel) 932 { 933 934 ASSERT_SOCKET_LABEL(socketlabel); 935 ASSERT_MBUF_LABEL(mbuflabel); 936 } 937 938 static void 939 mac_test_create_socket(struct ucred *cred, struct socket *socket, 940 struct label *socketlabel) 941 { 942 943 ASSERT_CRED_LABEL(cred->cr_label); 944 ASSERT_SOCKET_LABEL(socketlabel); 945 } 946 947 static void 948 mac_test_create_pipe(struct ucred *cred, struct pipepair *pp, 949 struct label *pipelabel) 950 { 951 952 ASSERT_CRED_LABEL(cred->cr_label); 953 ASSERT_PIPE_LABEL(pipelabel); 954 } 955 956 static void 957 mac_test_create_socket_from_socket(struct socket *oldsocket, 958 struct label *oldsocketlabel, struct socket *newsocket, 959 struct label *newsocketlabel) 960 { 961 962 ASSERT_SOCKET_LABEL(oldsocketlabel); 963 ASSERT_SOCKET_LABEL(newsocketlabel); 964 } 965 966 static void 967 mac_test_relabel_socket(struct ucred *cred, struct socket *socket, 968 struct label *socketlabel, struct label *newlabel) 969 { 970 971 ASSERT_CRED_LABEL(cred->cr_label); 972 ASSERT_SOCKET_LABEL(newlabel); 973 } 974 975 static void 976 mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp, 977 struct label *pipelabel, struct label *newlabel) 978 { 979 980 ASSERT_CRED_LABEL(cred->cr_label); 981 ASSERT_PIPE_LABEL(pipelabel); 982 ASSERT_PIPE_LABEL(newlabel); 983 } 984 985 static void 986 mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, 987 struct socket *socket, struct label *socketpeerlabel) 988 { 989 990 ASSERT_MBUF_LABEL(mbuflabel); 991 ASSERT_SOCKET_LABEL(socketpeerlabel); 992 } 993 994 /* 995 * Labeling event operations: network objects. 
996 */ 997 static void 998 mac_test_set_socket_peer_from_socket(struct socket *oldsocket, 999 struct label *oldsocketlabel, struct socket *newsocket, 1000 struct label *newsocketpeerlabel) 1001 { 1002 1003 ASSERT_SOCKET_LABEL(oldsocketlabel); 1004 ASSERT_SOCKET_LABEL(newsocketpeerlabel); 1005 } 1006 1007 static void 1008 mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, 1009 struct label *bpflabel) 1010 { 1011 1012 ASSERT_CRED_LABEL(cred->cr_label); 1013 ASSERT_BPF_LABEL(bpflabel); 1014 } 1015 1016 static void 1017 mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, 1018 struct mbuf *datagram, struct label *datagramlabel) 1019 { 1020 1021 ASSERT_IPQ_LABEL(ipqlabel); 1022 ASSERT_MBUF_LABEL(datagramlabel); 1023 } 1024 1025 static void 1026 mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel, 1027 struct mbuf *fragment, struct label *fragmentlabel) 1028 { 1029 1030 ASSERT_MBUF_LABEL(datagramlabel); 1031 ASSERT_MBUF_LABEL(fragmentlabel); 1032 } 1033 1034 static void 1035 mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) 1036 { 1037 1038 ASSERT_IFNET_LABEL(ifnetlabel); 1039 } 1040 1041 static void 1042 mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel, 1043 struct inpcb *inp, struct label *inplabel) 1044 { 1045 1046 ASSERT_SOCKET_LABEL(solabel); 1047 ASSERT_INPCB_LABEL(inplabel); 1048 } 1049 1050 static void 1051 mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, 1052 struct label *msqlabel, struct msg *msgptr, struct label *msglabel) 1053 { 1054 1055 ASSERT_SYSVIPCMSG_LABEL(msglabel); 1056 ASSERT_SYSVIPCMSQ_LABEL(msqlabel); 1057 } 1058 1059 static void 1060 mac_test_create_sysv_msgqueue(struct ucred *cred, 1061 struct msqid_kernel *msqkptr, struct label *msqlabel) 1062 { 1063 1064 ASSERT_SYSVIPCMSQ_LABEL(msqlabel); 1065 } 1066 1067 static void 1068 mac_test_create_sysv_sema(struct ucred *cred, struct semid_kernel *semakptr, 1069 struct 
label *semalabel)
{
	ASSERT_SYSVIPCSEM_LABEL(semalabel);
}

/*
 * Asserts the System V shared memory segment label.  The credential argument
 * is not examined.
 */
static void
mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmlabel)
{
	ASSERT_SYSVIPCSHM_LABEL(shmlabel);
}

/* Asserts the fragment's label and the label of the new reassembly queue. */
static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

/* Asserts the inpcb label and the label of the mbuf created from it. */
static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{
	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
}

/* Asserts the labels of the source mbuf and of the mbuf derived from it. */
static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{
	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/* Asserts the interface label and the link-layer mbuf's label. */
static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Asserts the BPF descriptor label and the label of the mbuf it produced. */
static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{
	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Asserts the interface label and the label of the mbuf created from it. */
static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/*
 * Asserts the original mbuf label, the interface label and the label of the
 * encapsulating mbuf.
 */
static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{
ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/* Asserts the labels of the original mbuf and of the network-layer mbuf. */
static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{
	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/*
 * Asserts the fragment label and the reassembly queue label, then always
 * returns 1.
 */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);

	return (1);
}

/* Asserts the label of the mbuf handed to the ICMP reflect hook. */
static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{
	ASSERT_MBUF_LABEL(mlabel);
}

/* Asserts the label of the mbuf handed to the TCP reflect hook. */
static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{
	ASSERT_MBUF_LABEL(mlabel);
}

/*
 * Asserts the credential label, the interface's current label and the
 * replacement label.
 */
static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
}

/* Asserts the fragment label and the reassembly queue label. */
static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

/* Asserts the socket label and the inpcb label. */
static void
mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{
	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/*
 * Labeling event operations: processes.
*/

/*
 * Asserts the old and new credential labels and the executable's vnode
 * label.  The interpreter vnode label and the exec label are optional and
 * are asserted only when non-NULL; the exec label is checked with the
 * credential assertion macro.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{
	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}

/*
 * Asserts the same labels as mac_test_execve_transition(), minus the new
 * credential, and always returns 0.
 */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{
	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/* Asserts the label of the credential passed to the proc0 creation hook. */
static void
mac_test_create_proc0(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);
}

/* Asserts the label of the credential passed to the proc1 creation hook. */
static void
mac_test_create_proc1(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);
}

/* Asserts the credential's current label and the replacement label. */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}

/*
 * Prints the current process ID to the console each time the hook runs.
 * The pid is read through curthread; the td argument is not used.
 */
static void
mac_test_thread_userret(struct thread *td)
{
	printf("mac_test_thread_userret(process = %d)\n",
	    curthread->td_proc->p_pid);
}

/*
 * Label cleanup/flush operations
 */

/* Asserts the System V message label being cleaned up. */
static void
mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
{
	ASSERT_SYSVIPCMSG_LABEL(msglabel);
}

/* Asserts the System V message queue label being cleaned up. */
static void
mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
{
	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

/* Asserts the System V semaphore label being cleaned up. */
static void
mac_test_cleanup_sysv_sema(struct label *semalabel)
{
	ASSERT_SYSVIPCSEM_LABEL(semalabel);
}

/* Asserts the System V shared memory label being cleaned up. */
static void
mac_test_cleanup_sysv_shm(struct label *shmlabel)
{
	ASSERT_SYSVIPCSHM_LABEL(shmlabel);
}

/*
 * Access control checks.
 *
 * Each check in this run asserts the labels it is handed and then returns 0
 * unconditionally; none of them inspects the requested operation.
 */

/* Asserts the BPF descriptor and interface labels; always returns 0. */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{
	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}

/* Asserts the credential's current and proposed labels; always returns 0. */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}

/* Asserts the labels of both credentials; always returns 0. */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);

	return (0);
}

/*
 * Asserts the credential label and the interface's current and proposed
 * labels; always returns 0.
 */
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
	return (0);
}

/* Asserts the interface and mbuf labels; always returns 0. */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* Asserts the inpcb and mbuf labels; always returns 0. */
static int
mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{
	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);

	return (0);
}

/*
 * Asserts the message queue, message and credential labels; always
 * returns 0.
 */
static int
mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{
ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the message and credential labels; always returns 0. */
static int
mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel)
{
	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the message and credential labels; always returns 0. */
static int
mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel)
{
	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the message queue and credential labels; always returns 0. */
static int
mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{
	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the message queue and credential labels; always returns 0. */
static int
mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{
	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the message queue and credential labels; always returns 0. */
static int
mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{
	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the message queue and credential labels; always returns 0.  The
 * cmd argument is not examined.
 */
static int
mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel, int cmd)
{
	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the credential and semaphore labels; always returns 0.  The cmd
 * argument is not examined.
 */
static int
mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel, int cmd)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

/* Asserts the credential and semaphore labels; always returns 0. */
static int
mac_test_check_sysv_semget(struct ucred
*cred, struct semid_kernel *semakptr,
    struct label *semaklabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

/*
 * Asserts the credential and semaphore labels; always returns 0.  The
 * accesstype argument is not examined.
 */
static int
mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel, size_t accesstype)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

/*
 * Asserts the credential and shared memory segment labels; always
 * returns 0.  The shmflg argument is not examined.
 */
static int
mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int shmflg)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/*
 * Asserts the credential and shared memory segment labels; always
 * returns 0.  The cmd argument is not examined.
 */
static int
mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int cmd)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/* Asserts the credential and shared memory segment labels; returns 0. */
static int
mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/*
 * Asserts the credential and shared memory segment labels; always
 * returns 0.  The shmflg argument is not examined.
 */
static int
mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int shmflg)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/* Asserts the credential label; always returns 0. */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0.  name is not examined. */
static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the credential label; always returns 0.  Neither name nor value
 * is examined.
 */
static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{
ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0.  name is not examined. */
static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label and the module vnode's label; returns 0. */
static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Asserts the credential label; always returns 0. */
static int
mac_test_check_kld_stat(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0. */
static int
mac_test_check_kld_unload(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential and mount labels; always returns 0. */
static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);

	return (0);
}

/*
 * Asserts the credential and pipe labels; always returns 0.  Neither cmd
 * nor data is examined.
 */
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Asserts the credential and pipe labels; always returns 0. */
static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Asserts the credential and pipe labels; always returns 0. */
static int
mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/*
 * Asserts the credential label and the pipe's current and proposed labels;
 * always returns 0.
 */
static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
ASSERT_PIPE_LABEL(newlabel);

	return (0);
}

/* Asserts the credential and pipe labels; always returns 0. */
static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Asserts the credential and pipe labels; always returns 0. */
static int
mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/*
 * Asserts the subject credential's label and the label of the target
 * process's credential; always returns 0.
 */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/*
 * Asserts the subject credential's label and the label of the target
 * process's credential; always returns 0.
 */
static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/*
 * Asserts the subject credential's label and the label of the target
 * process's credential; always returns 0.  signum is not examined.
 */
static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0.  uid is not examined. */
static int
mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0.  euid is not examined. */
static int
mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0.  gid is not examined. */
static int
mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0.  egid is not examined. */
static int
mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the credential label; always returns 0.  The group list is not
 * examined.
 */
static int
mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
    gid_t *gidset)
{
ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0.  The ids are not examined. */
static int
mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0.  The ids are not examined. */
static int
mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0.  The ids are not examined. */
static int
mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
    uid_t suid)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0.  The ids are not examined. */
static int
mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
    gid_t sgid)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the subject credential's label and the label of the target
 * process's credential; always returns 0.
 */
static int
mac_test_check_proc_wait(struct ucred *cred, struct proc *proc)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/*
 * Asserts the credential and socket labels; always returns 0.  The address
 * is not examined.
 */
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/*
 * Asserts the credential and socket labels; always returns 0.  The address
 * is not examined.
 */
static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Asserts the socket and mbuf labels; always returns 0. */
static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/*
 * Asserts the credential label and the socket's current and proposed
 * labels; always returns 0.
 */
static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Asserts the credential label; always returns 0. */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the credential label only; always returns 0.
 *
 * NOTE(review): unlike the swapon/swapoff checks, the vnode label is not
 * asserted here.  Presumably vp and label can be NULL for this hook --
 * confirm against the caller before adding a vnode assertion.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0.  how is not examined. */
static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0. */
static int
mac_test_check_system_settime(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential and vnode labels; always returns 0. */
static int
mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Asserts the credential and vnode labels; always returns 0. */
static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential label; always returns 0.  The sysctl OID, its
 * arguments and the request are not examined.
 */
static int
mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
    void *arg1, int arg2, struct sysctl_req *req)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  acc_mode is
 * not examined.
 */
static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Asserts the credential and directory vnode labels; always returns 0. */
static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Asserts the credential and directory vnode labels; always returns 0. */
static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return
(0);
}

/*
 * Asserts the credential and parent directory labels; always returns 0.
 * The component name and attributes are not examined.
 */
static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/*
 * Asserts the credential label, the parent directory label and the target
 * vnode label; always returns 0.
 */
static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  The ACL type
 * is not examined.
 */
static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  The attribute
 * namespace and name are not examined.
 */
static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels, plus the optional exec label when
 * it is non-NULL (checked with the credential assertion macro); always
 * returns 0.
 */
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  The ACL type
 * is not examined.
 */
static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  The attribute
 * namespace, name and uio are not examined.
 */
static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{
	ASSERT_CRED_LABEL(cred->cr_label);
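ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential label, the parent directory label and the target
 * vnode label; always returns 0.
 */
static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  The attribute
 * namespace is not examined.
 */
static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and directory vnode labels; always returns 0.  The
 * component name is not examined.
 */
static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  prot and
 * flags are not examined.
 */
static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot, int flags)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  acc_mode is
 * not examined.
 */
static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	return (0);
}

/*
 * Asserts the active credential's label, the file credential's label when
 * one is supplied, and the vnode label; always returns 0.
 *
 * The file credential is dereferenced only when non-NULL, the same way the
 * read, stat and write checks in this file treat it.  Presumably poll can
 * be reached without a file credential as well; the guard keeps the
 * assertion from dereferencing a NULL pointer in that case.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the active credential's label, the file credential's label when
 * one is supplied, and the vnode label; always returns 0.
 */
static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {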
ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Asserts the credential and directory vnode labels; always returns 0. */
static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Asserts the credential and vnode labels; always returns 0. */
static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);

	return (0);
}

/*
 * Asserts the credential label and the vnode's current and proposed labels;
 * always returns 0.
 */
static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);

	return (0);
}

/*
 * Asserts the credential label, the source directory label and the label of
 * the vnode being renamed; always returns 0.
 */
static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential label and the destination directory label; the
 * target vnode's label is asserted only when vp is non-NULL.  Always
 * returns 0.
 */
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	if (vp != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

/* Asserts the credential and vnode labels; always returns 0. */
static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  The ACL type
 * and contents are not examined.
 */
static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  The attribute
 * namespace, name and uio are not examined.
 */
static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  flags is not
 * examined.
 */
static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  mode is not
 * examined.
 */
static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  uid and gid
 * are not examined.
 */
static int
mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; always returns 0.  The
 * timestamps are not examined.
 */
static int
mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the active credential's label, the file credential's label when
 * one is supplied, and the vnode label; always returns 0.
 */
static int
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the active credential's label, the file credential's label when
 * one is supplied, and the vnode label; always returns 0.
 */
static int
mac_test_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);
	if
(file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Entry-point table for the mac_test policy: every mpo_* slot populated
 * below is bound to the mac_test_* handler named on the same line.  The
 * table is handed to MAC_POLICY_SET() at the bottom of the file.
 *
 * NOTE(review): the one handler tail visible directly above only asserts
 * label magic values and returns 0.  If the remaining check handlers
 * follow the same shape, this policy exercises label handling and never
 * denies an operation, so it should not be counted on for enforcement --
 * confirm against the handlers defined earlier in the file.
 */
static struct mac_policy_ops mac_test_ops = {
	/* Policy lifecycle and the policy-specific system call. */
	.mpo_destroy				= mac_test_destroy,
	.mpo_init				= mac_test_init,
	.mpo_syscall				= mac_test_syscall,

	/* mpo_init_*_label: one entry per labeled object type. */
	.mpo_init_bpfdesc_label			= mac_test_init_bpfdesc_label,
	.mpo_init_cred_label			= mac_test_init_cred_label,
	.mpo_init_devfsdirent_label		= mac_test_init_devfsdirent_label,
	.mpo_init_ifnet_label			= mac_test_init_ifnet_label,
	.mpo_init_sysv_msgmsg_label		= mac_test_init_sysv_msgmsg_label,
	.mpo_init_sysv_msgqueue_label		= mac_test_init_sysv_msgqueue_label,
	.mpo_init_sysv_sema_label		= mac_test_init_sysv_sema_label,
	.mpo_init_sysv_shm_label		= mac_test_init_sysv_shm_label,
	.mpo_init_inpcb_label			= mac_test_init_inpcb_label,
	.mpo_init_ipq_label			= mac_test_init_ipq_label,
	.mpo_init_mbuf_label			= mac_test_init_mbuf_label,
	.mpo_init_mount_label			= mac_test_init_mount_label,
	.mpo_init_mount_fs_label		= mac_test_init_mount_fs_label,
	.mpo_init_pipe_label			= mac_test_init_pipe_label,
	.mpo_init_proc_label			= mac_test_init_proc_label,
	.mpo_init_socket_label			= mac_test_init_socket_label,
	.mpo_init_socket_peer_label		= mac_test_init_socket_peer_label,
	.mpo_init_vnode_label			= mac_test_init_vnode_label,

	/* mpo_destroy_*_label: same object types as the init entries. */
	.mpo_destroy_bpfdesc_label		= mac_test_destroy_bpfdesc_label,
	.mpo_destroy_cred_label			= mac_test_destroy_cred_label,
	.mpo_destroy_devfsdirent_label		= mac_test_destroy_devfsdirent_label,
	.mpo_destroy_ifnet_label		= mac_test_destroy_ifnet_label,
	.mpo_destroy_sysv_msgmsg_label		= mac_test_destroy_sysv_msgmsg_label,
	.mpo_destroy_sysv_msgqueue_label	= mac_test_destroy_sysv_msgqueue_label,
	.mpo_destroy_sysv_sema_label		= mac_test_destroy_sysv_sema_label,
	.mpo_destroy_sysv_shm_label		= mac_test_destroy_sysv_shm_label,
	.mpo_destroy_inpcb_label		= mac_test_destroy_inpcb_label,
	.mpo_destroy_ipq_label			= mac_test_destroy_ipq_label,
	.mpo_destroy_mbuf_label			= mac_test_destroy_mbuf_label,
	.mpo_destroy_mount_label		= mac_test_destroy_mount_label,
	.mpo_destroy_mount_fs_label		= mac_test_destroy_mount_fs_label,
	.mpo_destroy_pipe_label			= mac_test_destroy_pipe_label,
	.mpo_destroy_proc_label			= mac_test_destroy_proc_label,
	.mpo_destroy_socket_label		= mac_test_destroy_socket_label,
	.mpo_destroy_socket_peer_label		= mac_test_destroy_socket_peer_label,
	.mpo_destroy_vnode_label		= mac_test_destroy_vnode_label,

	/* mpo_copy_*_label. */
	.mpo_copy_cred_label			= mac_test_copy_cred_label,
	.mpo_copy_ifnet_label			= mac_test_copy_ifnet_label,
	.mpo_copy_mbuf_label			= mac_test_copy_mbuf_label,
	.mpo_copy_pipe_label			= mac_test_copy_pipe_label,
	.mpo_copy_socket_label			= mac_test_copy_socket_label,
	.mpo_copy_vnode_label			= mac_test_copy_vnode_label,

	/*
	 * Externalize/internalize: every object type shares one handler in
	 * each direction.  A socket peer label has an externalize entry but
	 * no internalize entry in this table.
	 */
	.mpo_externalize_cred_label		= mac_test_externalize_label,
	.mpo_externalize_ifnet_label		= mac_test_externalize_label,
	.mpo_externalize_pipe_label		= mac_test_externalize_label,
	.mpo_externalize_socket_label		= mac_test_externalize_label,
	.mpo_externalize_socket_peer_label	= mac_test_externalize_label,
	.mpo_externalize_vnode_label		= mac_test_externalize_label,
	.mpo_internalize_cred_label		= mac_test_internalize_label,
	.mpo_internalize_ifnet_label		= mac_test_internalize_label,
	.mpo_internalize_pipe_label		= mac_test_internalize_label,
	.mpo_internalize_socket_label		= mac_test_internalize_label,
	.mpo_internalize_vnode_label		= mac_test_internalize_label,

	/* devfs, vnode and mount labeling events. */
	.mpo_associate_vnode_devfs		= mac_test_associate_vnode_devfs,
	.mpo_associate_vnode_extattr		= mac_test_associate_vnode_extattr,
	.mpo_associate_vnode_singlelabel	= mac_test_associate_vnode_singlelabel,
	.mpo_create_devfs_device		= mac_test_create_devfs_device,
	.mpo_create_devfs_directory		= mac_test_create_devfs_directory,
	.mpo_create_devfs_symlink		= mac_test_create_devfs_symlink,
	.mpo_create_vnode_extattr		= mac_test_create_vnode_extattr,
	.mpo_create_mount			= mac_test_create_mount,
	.mpo_create_root_mount			= mac_test_create_root_mount,
	.mpo_relabel_vnode			= mac_test_relabel_vnode,
	.mpo_setlabel_vnode_extattr		= mac_test_setlabel_vnode_extattr,
	.mpo_update_devfsdirent			= mac_test_update_devfsdirent,

	/* Pipe and socket labeling events. */
	.mpo_create_mbuf_from_socket		= mac_test_create_mbuf_from_socket,
	.mpo_create_pipe			= mac_test_create_pipe,
	.mpo_create_socket			= mac_test_create_socket,
	.mpo_create_socket_from_socket		= mac_test_create_socket_from_socket,
	.mpo_relabel_pipe			= mac_test_relabel_pipe,
	.mpo_relabel_socket			= mac_test_relabel_socket,
	.mpo_set_socket_peer_from_mbuf		= mac_test_set_socket_peer_from_mbuf,
	.mpo_set_socket_peer_from_socket	= mac_test_set_socket_peer_from_socket,

	/* BPF, interface, inpcb, System V IPC, ipq and mbuf labeling events. */
	.mpo_create_bpfdesc			= mac_test_create_bpfdesc,
	.mpo_create_ifnet			= mac_test_create_ifnet,
	.mpo_create_inpcb_from_socket		= mac_test_create_inpcb_from_socket,
	.mpo_create_sysv_msgmsg			= mac_test_create_sysv_msgmsg,
	.mpo_create_sysv_msgqueue		= mac_test_create_sysv_msgqueue,
	.mpo_create_sysv_sema			= mac_test_create_sysv_sema,
	.mpo_create_sysv_shm			= mac_test_create_sysv_shm,
	.mpo_create_datagram_from_ipq		= mac_test_create_datagram_from_ipq,
	.mpo_create_fragment			= mac_test_create_fragment,
	.mpo_create_ipq				= mac_test_create_ipq,
	.mpo_create_mbuf_from_inpcb		= mac_test_create_mbuf_from_inpcb,
	.mpo_create_mbuf_from_mbuf		= mac_test_create_mbuf_from_mbuf,
	.mpo_create_mbuf_linklayer		= mac_test_create_mbuf_linklayer,
	.mpo_create_mbuf_from_bpfdesc		= mac_test_create_mbuf_from_bpfdesc,
	.mpo_create_mbuf_from_ifnet		= mac_test_create_mbuf_from_ifnet,
	.mpo_create_mbuf_multicast_encap	= mac_test_create_mbuf_multicast_encap,
	.mpo_create_mbuf_netlayer		= mac_test_create_mbuf_netlayer,
	.mpo_fragment_match			= mac_test_fragment_match,
	.mpo_reflect_mbuf_icmp			= mac_test_reflect_mbuf_icmp,
	.mpo_reflect_mbuf_tcp			= mac_test_reflect_mbuf_tcp,
	.mpo_relabel_ifnet			= mac_test_relabel_ifnet,
	.mpo_update_ipq				= mac_test_update_ipq,
	.mpo_inpcb_sosetlabel			= mac_test_inpcb_sosetlabel,

	/* Process and credential labeling events. */
	.mpo_execve_transition			= mac_test_execve_transition,
	.mpo_execve_will_transition		= mac_test_execve_will_transition,
	.mpo_create_proc0			= mac_test_create_proc0,
	.mpo_create_proc1			= mac_test_create_proc1,
	.mpo_relabel_cred			= mac_test_relabel_cred,
	.mpo_thread_userret			= mac_test_thread_userret,

	/* System V IPC label cleanup. */
	.mpo_cleanup_sysv_msgmsg		= mac_test_cleanup_sysv_msgmsg,
	.mpo_cleanup_sysv_msgqueue		= mac_test_cleanup_sysv_msgqueue,
	.mpo_cleanup_sysv_sema			= mac_test_cleanup_sysv_sema,
	.mpo_cleanup_sysv_shm			= mac_test_cleanup_sysv_shm,

	/* Access-control checks: BPF, credentials, interfaces, inpcb. */
	.mpo_check_bpfdesc_receive		= mac_test_check_bpfdesc_receive,
	.mpo_check_cred_relabel			= mac_test_check_cred_relabel,
	.mpo_check_cred_visible			= mac_test_check_cred_visible,
	.mpo_check_ifnet_relabel		= mac_test_check_ifnet_relabel,
	.mpo_check_ifnet_transmit		= mac_test_check_ifnet_transmit,
	.mpo_check_inpcb_deliver		= mac_test_check_inpcb_deliver,

	/* Access-control checks: System V message queues, semaphores, shm. */
	.mpo_check_sysv_msgmsq			= mac_test_check_sysv_msgmsq,
	.mpo_check_sysv_msgrcv			= mac_test_check_sysv_msgrcv,
	.mpo_check_sysv_msgrmid			= mac_test_check_sysv_msgrmid,
	.mpo_check_sysv_msqget			= mac_test_check_sysv_msqget,
	.mpo_check_sysv_msqsnd			= mac_test_check_sysv_msqsnd,
	.mpo_check_sysv_msqrcv			= mac_test_check_sysv_msqrcv,
	.mpo_check_sysv_msqctl			= mac_test_check_sysv_msqctl,
	.mpo_check_sysv_semctl			= mac_test_check_sysv_semctl,
	.mpo_check_sysv_semget			= mac_test_check_sysv_semget,
	.mpo_check_sysv_semop			= mac_test_check_sysv_semop,
	.mpo_check_sysv_shmat			= mac_test_check_sysv_shmat,
	.mpo_check_sysv_shmctl			= mac_test_check_sysv_shmctl,
	.mpo_check_sysv_shmdt			= mac_test_check_sysv_shmdt,
	.mpo_check_sysv_shmget			= mac_test_check_sysv_shmget,

	/* Access-control checks: kernel environment, modules, mounts. */
	.mpo_check_kenv_dump			= mac_test_check_kenv_dump,
	.mpo_check_kenv_get			= mac_test_check_kenv_get,
	.mpo_check_kenv_set			= mac_test_check_kenv_set,
	.mpo_check_kenv_unset			= mac_test_check_kenv_unset,
	.mpo_check_kld_load			= mac_test_check_kld_load,
	.mpo_check_kld_stat			= mac_test_check_kld_stat,
	.mpo_check_kld_unload			= mac_test_check_kld_unload,
	.mpo_check_mount_stat			= mac_test_check_mount_stat,

	/* Access-control checks: pipes. */
	.mpo_check_pipe_ioctl			= mac_test_check_pipe_ioctl,
	.mpo_check_pipe_poll			= mac_test_check_pipe_poll,
	.mpo_check_pipe_read			= mac_test_check_pipe_read,
	.mpo_check_pipe_relabel			= mac_test_check_pipe_relabel,
	.mpo_check_pipe_stat			= mac_test_check_pipe_stat,
	.mpo_check_pipe_write			= mac_test_check_pipe_write,

	/* Access-control checks: processes. */
	.mpo_check_proc_debug			= mac_test_check_proc_debug,
	.mpo_check_proc_sched			= mac_test_check_proc_sched,
	.mpo_check_proc_setuid			= mac_test_check_proc_setuid,
	.mpo_check_proc_seteuid			= mac_test_check_proc_seteuid,
	.mpo_check_proc_setgid			= mac_test_check_proc_setgid,
	.mpo_check_proc_setegid			= mac_test_check_proc_setegid,
	.mpo_check_proc_setgroups		= mac_test_check_proc_setgroups,
	.mpo_check_proc_setreuid		= mac_test_check_proc_setreuid,
	.mpo_check_proc_setregid		= mac_test_check_proc_setregid,
	.mpo_check_proc_setresuid		= mac_test_check_proc_setresuid,
	.mpo_check_proc_setresgid		= mac_test_check_proc_setresgid,
	.mpo_check_proc_signal			= mac_test_check_proc_signal,
	.mpo_check_proc_wait			= mac_test_check_proc_wait,

	/* Access-control checks: sockets. */
	.mpo_check_socket_accept		= mac_test_check_socket_accept,
	.mpo_check_socket_bind			= mac_test_check_socket_bind,
	.mpo_check_socket_connect		= mac_test_check_socket_connect,
	.mpo_check_socket_deliver		= mac_test_check_socket_deliver,
	.mpo_check_socket_listen		= mac_test_check_socket_listen,
	.mpo_check_socket_poll			= mac_test_check_socket_poll,
	.mpo_check_socket_receive		= mac_test_check_socket_receive,
	.mpo_check_socket_relabel		= mac_test_check_socket_relabel,
	.mpo_check_socket_send			= mac_test_check_socket_send,
	.mpo_check_socket_stat			= mac_test_check_socket_stat,
	.mpo_check_socket_visible		= mac_test_check_socket_visible,

	/* Access-control checks: sysarch and system-wide operations. */
	.mpo_check_sysarch_ioperm		= mac_test_check_sysarch_ioperm,
	.mpo_check_system_acct			= mac_test_check_system_acct,
	.mpo_check_system_reboot		= mac_test_check_system_reboot,
	.mpo_check_system_settime		= mac_test_check_system_settime,
	.mpo_check_system_swapon		= mac_test_check_system_swapon,
	.mpo_check_system_swapoff		= mac_test_check_system_swapoff,
	.mpo_check_system_sysctl		= mac_test_check_system_sysctl,

	/* Access-control checks: vnodes. */
	.mpo_check_vnode_access			= mac_test_check_vnode_access,
	.mpo_check_vnode_chdir			= mac_test_check_vnode_chdir,
	.mpo_check_vnode_chroot			= mac_test_check_vnode_chroot,
	.mpo_check_vnode_create			= mac_test_check_vnode_create,
	.mpo_check_vnode_delete			= mac_test_check_vnode_delete,
	.mpo_check_vnode_deleteacl		= mac_test_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr		= mac_test_check_vnode_deleteextattr,
	.mpo_check_vnode_exec			= mac_test_check_vnode_exec,
	.mpo_check_vnode_getacl			= mac_test_check_vnode_getacl,
	.mpo_check_vnode_getextattr		= mac_test_check_vnode_getextattr,
	.mpo_check_vnode_link			= mac_test_check_vnode_link,
	.mpo_check_vnode_listextattr		= mac_test_check_vnode_listextattr,
	.mpo_check_vnode_lookup			= mac_test_check_vnode_lookup,
	.mpo_check_vnode_mmap			= mac_test_check_vnode_mmap,
	.mpo_check_vnode_open			= mac_test_check_vnode_open,
	.mpo_check_vnode_poll			= mac_test_check_vnode_poll,
	.mpo_check_vnode_read			= mac_test_check_vnode_read,
	.mpo_check_vnode_readdir		= mac_test_check_vnode_readdir,
	.mpo_check_vnode_readlink		= mac_test_check_vnode_readlink,
	.mpo_check_vnode_relabel		= mac_test_check_vnode_relabel,
	.mpo_check_vnode_rename_from		= mac_test_check_vnode_rename_from,
	.mpo_check_vnode_rename_to		= mac_test_check_vnode_rename_to,
	.mpo_check_vnode_revoke			= mac_test_check_vnode_revoke,
	.mpo_check_vnode_setacl			= mac_test_check_vnode_setacl,
	.mpo_check_vnode_setextattr		= mac_test_check_vnode_setextattr,
	.mpo_check_vnode_setflags		= mac_test_check_vnode_setflags,
	.mpo_check_vnode_setmode		= mac_test_check_vnode_setmode,
	.mpo_check_vnode_setowner		= mac_test_check_vnode_setowner,
	.mpo_check_vnode_setutimes		= mac_test_check_vnode_setutimes,
	.mpo_check_vnode_stat			= mac_test_check_vnode_stat,
	.mpo_check_vnode_write			= mac_test_check_vnode_write,
};

/*
 * Declare the policy to the MAC framework as "mac_test", passing the
 * table above and test_slot, the label slot that SLOT() reads.
 *
 * MPC_LOADTIME_FLAG_UNLOADOK marks the policy as unloadable and
 * MPC_LOADTIME_FLAG_LABELMBUFS asks for mbuf labels.  A policy that may
 * be unloaded stops mediating once it is gone, which suits a test
 * module; an enforcing policy would have to weigh that flag carefully.
 */
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
    MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);