1 /*- 2 * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson 3 * Copyright (c) 2001-2005 McAfee, Inc. 4 * Copyright (c) 2006 SPARTA, Inc. 5 * Copyright (c) 2008 Apple Inc. 6 * All rights reserved. 7 * 8 * This software was developed by Robert Watson for the TrustedBSD Project. 9 * 10 * This software was developed for the FreeBSD Project in part by McAfee 11 * Research, the Security Research Division of McAfee, Inc. under 12 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 13 * CHATS research program. 14 * 15 * This software was enhanced by SPARTA ISSO under SPAWAR contract 16 * N66001-04-C-6019 ("SEFOS"). 17 * 18 * Redistribution and use in source and binary forms, with or without 19 * modification, are permitted provided that the following conditions 20 * are met: 21 * 1. Redistributions of source code must retain the above copyright 22 * notice, this list of conditions and the following disclaimer. 23 * 2. Redistributions in binary form must reproduce the above copyright 24 * notice, this list of conditions and the following disclaimer in the 25 * documentation and/or other materials provided with the distribution. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * $FreeBSD$ 40 */ 41 42 /* 43 * Developed by the TrustedBSD Project. 44 * 45 * MAC Test policy - tests MAC Framework labeling by assigning object class 46 * magic numbers to each label and validates that each time an object label 47 * is passed into the policy, it has a consistent object type, catching 48 * incorrectly passed labels, labels passed after free, etc. 49 */ 50 51 #include <sys/param.h> 52 #include <sys/acl.h> 53 #include <sys/kdb.h> 54 #include <sys/kernel.h> 55 #include <sys/ksem.h> 56 #include <sys/malloc.h> 57 #include <sys/module.h> 58 #include <sys/mount.h> 59 #include <sys/msg.h> 60 #include <sys/proc.h> 61 #include <sys/vnode.h> 62 #include <sys/sem.h> 63 #include <sys/shm.h> 64 #include <sys/socket.h> 65 #include <sys/socketvar.h> 66 #include <sys/sx.h> 67 #include <sys/sysctl.h> 68 69 #include <fs/devfs/devfs.h> 70 71 #include <net/bpfdesc.h> 72 #include <net/if.h> 73 #include <net/if_types.h> 74 #include <net/if_var.h> 75 76 #include <security/mac/mac_policy.h> 77 78 SYSCTL_DECL(_security_mac); 79 80 SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, 81 "TrustedBSD mac_test policy controls"); 82 83 #define MAGIC_BPF 0xfe1ad1b6 84 #define MAGIC_DEVFS 0x9ee79c32 85 #define MAGIC_IFNET 0xc218b120 86 #define MAGIC_INPCB 0x4440f7bb 87 #define MAGIC_IP6Q 0x0870e1b7 88 #define MAGIC_IPQ 0x206188ef 89 #define MAGIC_MBUF 0xbbefa5bb 90 #define MAGIC_MOUNT 0xc7c46e47 91 #define MAGIC_SOCKET 0x9199c6cd 92 #define MAGIC_SYNCACHE 0x7fb838a8 93 #define MAGIC_SYSV_MSG 0x8bbba61e 94 #define MAGIC_SYSV_MSQ 0xea672391 95 #define MAGIC_SYSV_SEM 0x896e8a0b 96 #define MAGIC_SYSV_SHM 0x76119ab0 97 #define MAGIC_PIPE 0xdc6c9919 98 #define MAGIC_POSIX_SEM 0x78ae980c 99 #define MAGIC_POSIX_SHM 0x4e853fc9 100 #define MAGIC_PROC 0x3b4be98f 101 #define MAGIC_CRED 0x9a5a4987 102 #define MAGIC_VNODE 0x1a67a45c 103 #define MAGIC_FREE 0x849ba1fd 104 105 #define SLOT(x) mac_label_get((x), test_slot) 106 #define SLOT_SET(x, v) mac_label_set((x), test_slot, (v)) 107 108 static int test_slot; 109 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 110 &test_slot, 0, "Slot allocated by framework"); 111 112 SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0, 113 "TrustedBSD mac_test counters controls"); 114 115 #define COUNTER_DECL(variable) \ 116 static int counter_##variable; \ 117 SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable, \ 118 CTLFLAG_RD, &counter_##variable, 0, #variable) 119 120 #define COUNTER_INC(variable) atomic_add_int(&counter_##variable, 1) 121 122 #ifdef KDB 123 #define DEBUGGER(func, string) kdb_enter(KDB_WHY_MAC, (string)) 124 #else 125 #define DEBUGGER(func, string) printf("mac_test: %s: %s\n", (func), (string)) 126 #endif 127 128 #define LABEL_CHECK(label, magic) do { \ 129 if (label != NULL) { \ 130 KASSERT(SLOT(label) == magic || SLOT(label) == 0, \ 131 ("%s: bad %s label", __func__, #magic)); \ 132 } \ 133 } while (0) 134 135 #define LABEL_DESTROY(label, magic) do { \ 136 if (SLOT(label) == magic || SLOT(label) == 0) { \ 137 SLOT_SET(label, MAGIC_FREE); \ 138 } else if (SLOT(label) == MAGIC_FREE) { \ 139 DEBUGGER("%s: dup destroy", __func__); \ 140 } else { \ 141 DEBUGGER("%s: corrupted label", __func__); \ 142 } \ 143 } while (0) 144 145 #define LABEL_INIT(label, magic) do { \ 146 SLOT_SET(label, magic); \ 147 } while (0) 148 149 #define LABEL_NOTFREE(label) do { \ 150 KASSERT(SLOT(label) != MAGIC_FREE, \ 151 ("%s: destroyed label", __func__)); \ 152 } while (0) 153 154 /* 155 * Object-specific entry point implementations are sorted alphabetically by 156 * object type name and then by operation. 157 */ 158 COUNTER_DECL(bpfdesc_check_receive); 159 static int 160 test_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, 161 struct ifnet *ifp, struct label *ifplabel) 162 { 163 164 LABEL_CHECK(dlabel, MAGIC_BPF); 165 LABEL_CHECK(ifplabel, MAGIC_IFNET); 166 COUNTER_INC(bpfdesc_check_receive); 167 168 return (0); 169 } 170 171 COUNTER_DECL(bpfdesc_create); 172 static void 173 test_bpfdesc_create(struct ucred *cred, struct bpf_d *d, 174 struct label *dlabel) 175 { 176 177 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 178 LABEL_CHECK(dlabel, MAGIC_BPF); 179 COUNTER_INC(bpfdesc_create); 180 } 181 182 COUNTER_DECL(bpfdesc_create_mbuf); 183 static void 184 test_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, 185 struct mbuf *m, struct label *mlabel) 186 { 187 188 LABEL_CHECK(dlabel, MAGIC_BPF); 189 LABEL_CHECK(mlabel, MAGIC_MBUF); 190 COUNTER_INC(bpfdesc_create_mbuf); 191 } 192 193 COUNTER_DECL(bpfdesc_destroy_label); 194 static void 195 test_bpfdesc_destroy_label(struct label *label) 196 { 197 198 LABEL_DESTROY(label, MAGIC_BPF); 199 COUNTER_INC(bpfdesc_destroy_label); 200 } 201 202 COUNTER_DECL(bpfdesc_init_label); 203 static void 204 test_bpfdesc_init_label(struct label *label) 205 { 206 207 LABEL_INIT(label, MAGIC_BPF); 208 COUNTER_INC(bpfdesc_init_label); 209 } 210 211 COUNTER_DECL(cred_check_relabel); 212 static int 213 test_cred_check_relabel(struct ucred *cred, struct label *newlabel) 214 { 215 216 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 217 LABEL_CHECK(newlabel, MAGIC_CRED); 218 COUNTER_INC(cred_check_relabel); 219 220 return (0); 221 } 222 223 COUNTER_DECL(cred_check_visible); 224 static int 225 test_cred_check_visible(struct ucred *u1, struct ucred *u2) 226 { 227 228 LABEL_CHECK(u1->cr_label, MAGIC_CRED); 229 LABEL_CHECK(u2->cr_label, MAGIC_CRED); 230 COUNTER_INC(cred_check_visible); 231 232 return (0); 233 } 234 235 COUNTER_DECL(cred_copy_label); 236 static void 237 test_cred_copy_label(struct label *src, struct label *dest) 238 { 239 240 LABEL_CHECK(src, MAGIC_CRED); 241 LABEL_CHECK(dest, MAGIC_CRED); 242 COUNTER_INC(cred_copy_label); 243 } 244 245 COUNTER_DECL(cred_create_init); 246 static void 247 test_cred_create_init(struct ucred *cred) 248 { 249 250 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 251 COUNTER_INC(cred_create_init); 252 } 253 254 COUNTER_DECL(cred_create_swapper); 255 static void 256 test_cred_create_swapper(struct ucred *cred) 257 { 258 259 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 260 COUNTER_INC(cred_create_swapper); 261 } 262 263 COUNTER_DECL(cred_destroy_label); 264 static void 265 test_cred_destroy_label(struct label *label) 266 { 267 268 LABEL_DESTROY(label, MAGIC_CRED); 269 COUNTER_INC(cred_destroy_label); 270 } 271 272 COUNTER_DECL(cred_externalize_label); 273 static int 274 test_cred_externalize_label(struct label *label, char *element_name, 275 struct sbuf *sb, int *claimed) 276 { 277 278 LABEL_CHECK(label, MAGIC_CRED); 279 COUNTER_INC(cred_externalize_label); 280 281 return (0); 282 } 283 284 COUNTER_DECL(cred_init_label); 285 static void 286 test_cred_init_label(struct label *label) 287 { 288 289 LABEL_INIT(label, MAGIC_CRED); 290 COUNTER_INC(cred_init_label); 291 } 292 293 COUNTER_DECL(cred_internalize_label); 294 static int 295 test_cred_internalize_label(struct label *label, char *element_name, 296 char *element_data, int *claimed) 297 { 298 299 LABEL_CHECK(label, MAGIC_CRED); 300 COUNTER_INC(cred_internalize_label); 301 302 return (0); 303 } 304 305 COUNTER_DECL(cred_relabel); 306 static void 307 test_cred_relabel(struct ucred *cred, struct label *newlabel) 308 { 309 310 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 311 LABEL_CHECK(newlabel, MAGIC_CRED); 312 COUNTER_INC(cred_relabel); 313 } 314 315 COUNTER_DECL(devfs_create_device); 316 static void 317 test_devfs_create_device(struct ucred *cred, struct mount *mp, 318 struct cdev *dev, struct devfs_dirent *de, struct label *delabel) 319 { 320 321 if (cred != NULL) 322 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 323 LABEL_CHECK(delabel, MAGIC_DEVFS); 324 COUNTER_INC(devfs_create_device); 325 } 326 327 COUNTER_DECL(devfs_create_directory); 328 static void 329 test_devfs_create_directory(struct mount *mp, char *dirname, 330 int dirnamelen, struct devfs_dirent *de, struct label *delabel) 331 { 332 333 LABEL_CHECK(delabel, MAGIC_DEVFS); 334 COUNTER_INC(devfs_create_directory); 335 } 336 337 COUNTER_DECL(devfs_create_symlink); 338 static void 339 test_devfs_create_symlink(struct ucred *cred, struct mount *mp, 340 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, 341 struct label *delabel) 342 { 343 344 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 345 LABEL_CHECK(ddlabel, MAGIC_DEVFS); 346 LABEL_CHECK(delabel, MAGIC_DEVFS); 347 COUNTER_INC(devfs_create_symlink); 348 } 349 350 COUNTER_DECL(devfs_destroy_label); 351 static void 352 test_devfs_destroy_label(struct label *label) 353 { 354 355 LABEL_DESTROY(label, MAGIC_DEVFS); 356 COUNTER_INC(devfs_destroy_label); 357 } 358 359 COUNTER_DECL(devfs_init_label); 360 static void 361 test_devfs_init_label(struct label *label) 362 { 363 364 LABEL_INIT(label, MAGIC_DEVFS); 365 COUNTER_INC(devfs_init_label); 366 } 367 368 COUNTER_DECL(devfs_update); 369 static void 370 test_devfs_update(struct mount *mp, struct devfs_dirent *devfs_dirent, 371 struct label *direntlabel, struct vnode *vp, struct label *vplabel) 372 { 373 374 LABEL_CHECK(direntlabel, MAGIC_DEVFS); 375 LABEL_CHECK(vplabel, MAGIC_VNODE); 376 COUNTER_INC(devfs_update); 377 } 378 379 COUNTER_DECL(devfs_vnode_associate); 380 static void 381 test_devfs_vnode_associate(struct mount *mp, struct label *mplabel, 382 struct devfs_dirent *de, struct label *delabel, struct vnode *vp, 383 struct label *vplabel) 384 { 385 386 LABEL_CHECK(mplabel, MAGIC_MOUNT); 387 LABEL_CHECK(delabel, MAGIC_DEVFS); 388 LABEL_CHECK(vplabel, MAGIC_VNODE); 389 COUNTER_INC(devfs_vnode_associate); 390 } 391 392 COUNTER_DECL(ifnet_check_relabel); 393 static int 394 test_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, 395 struct label *ifplabel, struct label *newlabel) 396 { 397 398 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 399 LABEL_CHECK(ifplabel, MAGIC_IFNET); 400 LABEL_CHECK(newlabel, MAGIC_IFNET); 401 COUNTER_INC(ifnet_check_relabel); 402 403 return (0); 404 } 405 406 COUNTER_DECL(ifnet_check_transmit); 407 static int 408 test_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, 409 struct mbuf *m, struct label *mlabel) 410 { 411 412 LABEL_CHECK(ifplabel, MAGIC_IFNET); 413 LABEL_CHECK(mlabel, MAGIC_MBUF); 414 COUNTER_INC(ifnet_check_transmit); 415 416 return (0); 417 } 418 419 COUNTER_DECL(ifnet_copy_label); 420 static void 421 test_ifnet_copy_label(struct label *src, struct label *dest) 422 { 423 424 LABEL_CHECK(src, MAGIC_IFNET); 425 LABEL_CHECK(dest, MAGIC_IFNET); 426 COUNTER_INC(ifnet_copy_label); 427 } 428 429 COUNTER_DECL(ifnet_create); 430 static void 431 test_ifnet_create(struct ifnet *ifp, struct label *ifplabel) 432 { 433 434 LABEL_CHECK(ifplabel, MAGIC_IFNET); 435 COUNTER_INC(ifnet_create); 436 } 437 438 COUNTER_DECL(ifnet_create_mbuf); 439 static void 440 test_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel, 441 struct mbuf *m, struct label *mlabel) 442 { 443 444 LABEL_CHECK(ifplabel, MAGIC_IFNET); 445 LABEL_CHECK(mlabel, MAGIC_MBUF); 446 COUNTER_INC(ifnet_create_mbuf); 447 } 448 449 COUNTER_DECL(ifnet_destroy_label); 450 static void 451 test_ifnet_destroy_label(struct label *label) 452 { 453 454 LABEL_DESTROY(label, MAGIC_IFNET); 455 COUNTER_INC(ifnet_destroy_label); 456 } 457 458 COUNTER_DECL(ifnet_externalize_label); 459 static int 460 test_ifnet_externalize_label(struct label *label, char *element_name, 461 struct sbuf *sb, int *claimed) 462 { 463 464 LABEL_CHECK(label, MAGIC_IFNET); 465 COUNTER_INC(ifnet_externalize_label); 466 467 return (0); 468 } 469 470 COUNTER_DECL(ifnet_init_label); 471 static void 472 test_ifnet_init_label(struct label *label) 473 { 474 475 LABEL_INIT(label, MAGIC_IFNET); 476 COUNTER_INC(ifnet_init_label); 477 } 478 479 COUNTER_DECL(ifnet_internalize_label); 480 static int 481 test_ifnet_internalize_label(struct label *label, char *element_name, 482 char *element_data, int *claimed) 483 { 484 485 LABEL_CHECK(label, MAGIC_IFNET); 486 COUNTER_INC(ifnet_internalize_label); 487 488 return (0); 489 } 490 491 COUNTER_DECL(ifnet_relabel); 492 static void 493 test_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, 494 struct label *ifplabel, struct label *newlabel) 495 { 496 497 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 498 LABEL_CHECK(ifplabel, MAGIC_IFNET); 499 LABEL_CHECK(newlabel, MAGIC_IFNET); 500 COUNTER_INC(ifnet_relabel); 501 } 502 503 COUNTER_DECL(inpcb_check_deliver); 504 static int 505 test_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, 506 struct mbuf *m, struct label *mlabel) 507 { 508 509 LABEL_CHECK(inplabel, MAGIC_INPCB); 510 LABEL_CHECK(mlabel, MAGIC_MBUF); 511 COUNTER_INC(inpcb_check_deliver); 512 513 return (0); 514 } 515 516 COUNTER_DECL(inpcb_check_visible); 517 static int 518 test_inpcb_check_visible(struct ucred *cred, struct inpcb *inp, 519 struct label *inplabel) 520 { 521 522 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 523 LABEL_CHECK(inplabel, MAGIC_INPCB); 524 COUNTER_INC(inpcb_check_visible); 525 526 return (0); 527 } 528 529 COUNTER_DECL(inpcb_create); 530 static void 531 test_inpcb_create(struct socket *so, struct label *solabel, 532 struct inpcb *inp, struct label *inplabel) 533 { 534 535 LABEL_CHECK(solabel, MAGIC_SOCKET); 536 LABEL_CHECK(inplabel, MAGIC_INPCB); 537 COUNTER_INC(inpcb_create); 538 } 539 540 COUNTER_DECL(inpcb_create_mbuf); 541 static void 542 test_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, 543 struct mbuf *m, struct label *mlabel) 544 { 545 546 LABEL_CHECK(inplabel, MAGIC_INPCB); 547 LABEL_CHECK(mlabel, MAGIC_MBUF); 548 COUNTER_INC(inpcb_create_mbuf); 549 } 550 551 COUNTER_DECL(inpcb_destroy_label); 552 static void 553 test_inpcb_destroy_label(struct label *label) 554 { 555 556 LABEL_DESTROY(label, MAGIC_INPCB); 557 COUNTER_INC(inpcb_destroy_label); 558 } 559 560 COUNTER_DECL(inpcb_init_label); 561 static int 562 test_inpcb_init_label(struct label *label, int flag) 563 { 564 565 if (flag & M_WAITOK) 566 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 567 "test_inpcb_init_label() at %s:%d", __FILE__, 568 __LINE__); 569 570 LABEL_INIT(label, MAGIC_INPCB); 571 COUNTER_INC(inpcb_init_label); 572 return (0); 573 } 574 575 COUNTER_DECL(inpcb_sosetlabel); 576 static void 577 test_inpcb_sosetlabel(struct socket *so, struct label *solabel, 578 struct inpcb *inp, struct label *inplabel) 579 { 580 581 LABEL_CHECK(solabel, MAGIC_SOCKET); 582 LABEL_CHECK(inplabel, MAGIC_INPCB); 583 COUNTER_INC(inpcb_sosetlabel); 584 } 585 586 COUNTER_DECL(ip6q_create); 587 static void 588 test_ip6q_create(struct mbuf *fragment, struct label *fragmentlabel, 589 struct ip6q *q6, struct label *q6label) 590 { 591 592 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 593 LABEL_CHECK(q6label, MAGIC_IP6Q); 594 COUNTER_INC(ip6q_create); 595 } 596 597 COUNTER_DECL(ip6q_destroy_label); 598 static void 599 test_ip6q_destroy_label(struct label *label) 600 { 601 602 LABEL_DESTROY(label, MAGIC_IP6Q); 603 COUNTER_INC(ip6q_destroy_label); 604 } 605 606 COUNTER_DECL(ip6q_init_label); 607 static int 608 test_ip6q_init_label(struct label *label, int flag) 609 { 610 611 if (flag & M_WAITOK) 612 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 613 "test_ip6q_init_label() at %s:%d", __FILE__, 614 __LINE__); 615 616 LABEL_INIT(label, MAGIC_IP6Q); 617 COUNTER_INC(ip6q_init_label); 618 return (0); 619 } 620 621 COUNTER_DECL(ip6q_match); 622 static int 623 test_ip6q_match(struct mbuf *fragment, struct label *fragmentlabel, 624 struct ip6q *q6, struct label *q6label) 625 { 626 627 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 628 LABEL_CHECK(q6label, MAGIC_IP6Q); 629 COUNTER_INC(ip6q_match); 630 631 return (1); 632 } 633 634 COUNTER_DECL(ip6q_reassemble); 635 static void 636 test_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m, 637 struct label *mlabel) 638 { 639 640 LABEL_CHECK(q6label, MAGIC_IP6Q); 641 LABEL_CHECK(mlabel, MAGIC_MBUF); 642 COUNTER_INC(ip6q_reassemble); 643 } 644 645 COUNTER_DECL(ip6q_update); 646 static void 647 test_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6, 648 struct label *q6label) 649 { 650 651 LABEL_CHECK(mlabel, MAGIC_MBUF); 652 LABEL_CHECK(q6label, MAGIC_IP6Q); 653 COUNTER_INC(ip6q_update); 654 } 655 656 COUNTER_DECL(ipq_create); 657 static void 658 test_ipq_create(struct mbuf *fragment, struct label *fragmentlabel, 659 struct ipq *q, struct label *qlabel) 660 { 661 662 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 663 LABEL_CHECK(qlabel, MAGIC_IPQ); 664 COUNTER_INC(ipq_create); 665 } 666 667 COUNTER_DECL(ipq_destroy_label); 668 static void 669 test_ipq_destroy_label(struct label *label) 670 { 671 672 LABEL_DESTROY(label, MAGIC_IPQ); 673 COUNTER_INC(ipq_destroy_label); 674 } 675 676 COUNTER_DECL(ipq_init_label); 677 static int 678 test_ipq_init_label(struct label *label, int flag) 679 { 680 681 if (flag & M_WAITOK) 682 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 683 "test_ipq_init_label() at %s:%d", __FILE__, 684 __LINE__); 685 686 LABEL_INIT(label, MAGIC_IPQ); 687 COUNTER_INC(ipq_init_label); 688 return (0); 689 } 690 691 COUNTER_DECL(ipq_match); 692 static int 693 test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel, 694 struct ipq *q, struct label *qlabel) 695 { 696 697 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 698 LABEL_CHECK(qlabel, MAGIC_IPQ); 699 COUNTER_INC(ipq_match); 700 701 return (1); 702 } 703 704 COUNTER_DECL(ipq_reassemble); 705 static void 706 test_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m, 707 struct label *mlabel) 708 { 709 710 LABEL_CHECK(qlabel, MAGIC_IPQ); 711 LABEL_CHECK(mlabel, MAGIC_MBUF); 712 COUNTER_INC(ipq_reassemble); 713 } 714 715 COUNTER_DECL(ipq_update); 716 static void 717 test_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q, 718 struct label *qlabel) 719 { 720 721 LABEL_CHECK(mlabel, MAGIC_MBUF); 722 LABEL_CHECK(qlabel, MAGIC_IPQ); 723 COUNTER_INC(ipq_update); 724 } 725 726 COUNTER_DECL(kenv_check_dump); 727 static int 728 test_kenv_check_dump(struct ucred *cred) 729 { 730 731 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 732 COUNTER_INC(kenv_check_dump); 733 734 return (0); 735 } 736 737 COUNTER_DECL(kenv_check_get); 738 static int 739 test_kenv_check_get(struct ucred *cred, char *name) 740 { 741 742 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 743 COUNTER_INC(kenv_check_get); 744 745 return (0); 746 } 747 748 COUNTER_DECL(kenv_check_set); 749 static int 750 test_kenv_check_set(struct ucred *cred, char *name, char *value) 751 { 752 753 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 754 COUNTER_INC(kenv_check_set); 755 756 return (0); 757 } 758 759 COUNTER_DECL(kenv_check_unset); 760 static int 761 test_kenv_check_unset(struct ucred *cred, char *name) 762 { 763 764 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 765 COUNTER_INC(kenv_check_unset); 766 767 return (0); 768 } 769 770 COUNTER_DECL(kld_check_load); 771 static int 772 test_kld_check_load(struct ucred *cred, struct vnode *vp, 773 struct label *label) 774 { 775 776 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 777 LABEL_CHECK(label, MAGIC_VNODE); 778 COUNTER_INC(kld_check_load); 779 780 return (0); 781 } 782 783 COUNTER_DECL(kld_check_stat); 784 static int 785 test_kld_check_stat(struct ucred *cred) 786 { 787 788 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 789 COUNTER_INC(kld_check_stat); 790 791 return (0); 792 } 793 794 COUNTER_DECL(mbuf_copy_label); 795 static void 796 test_mbuf_copy_label(struct label *src, struct label *dest) 797 { 798 799 LABEL_CHECK(src, MAGIC_MBUF); 800 LABEL_CHECK(dest, MAGIC_MBUF); 801 COUNTER_INC(mbuf_copy_label); 802 } 803 804 COUNTER_DECL(mbuf_destroy_label); 805 static void 806 test_mbuf_destroy_label(struct label *label) 807 { 808 809 /* 810 * If we're loaded dynamically, there may be mbufs in flight that 811 * didn't have label storage allocated for them. Handle this 812 * gracefully. 813 */ 814 if (label == NULL) 815 return; 816 817 LABEL_DESTROY(label, MAGIC_MBUF); 818 COUNTER_INC(mbuf_destroy_label); 819 } 820 821 COUNTER_DECL(mbuf_init_label); 822 static int 823 test_mbuf_init_label(struct label *label, int flag) 824 { 825 826 if (flag & M_WAITOK) 827 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 828 "test_mbuf_init_label() at %s:%d", __FILE__, 829 __LINE__); 830 831 LABEL_INIT(label, MAGIC_MBUF); 832 COUNTER_INC(mbuf_init_label); 833 return (0); 834 } 835 836 COUNTER_DECL(mount_check_stat); 837 static int 838 test_mount_check_stat(struct ucred *cred, struct mount *mp, 839 struct label *mplabel) 840 { 841 842 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 843 LABEL_CHECK(mplabel, MAGIC_MOUNT); 844 COUNTER_INC(mount_check_stat); 845 846 return (0); 847 } 848 849 COUNTER_DECL(mount_create); 850 static void 851 test_mount_create(struct ucred *cred, struct mount *mp, 852 struct label *mplabel) 853 { 854 855 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 856 LABEL_CHECK(mplabel, MAGIC_MOUNT); 857 COUNTER_INC(mount_create); 858 } 859 860 COUNTER_DECL(mount_destroy_label); 861 static void 862 test_mount_destroy_label(struct label *label) 863 { 864 865 LABEL_DESTROY(label, MAGIC_MOUNT); 866 COUNTER_INC(mount_destroy_label); 867 } 868 869 COUNTER_DECL(mount_init_label); 870 static void 871 test_mount_init_label(struct label *label) 872 { 873 874 LABEL_INIT(label, MAGIC_MOUNT); 875 COUNTER_INC(mount_init_label); 876 } 877 878 COUNTER_DECL(netatalk_aarp_send); 879 static void 880 test_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel, 881 struct mbuf *m, struct label *mlabel) 882 { 883 884 LABEL_CHECK(ifplabel, MAGIC_IFNET); 885 LABEL_CHECK(mlabel, MAGIC_MBUF); 886 COUNTER_INC(netatalk_aarp_send); 887 } 888 889 COUNTER_DECL(netinet_arp_send); 890 static void 891 test_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel, 892 struct mbuf *m, struct label *mlabel) 893 { 894 895 LABEL_CHECK(ifplabel, MAGIC_IFNET); 896 LABEL_CHECK(mlabel, MAGIC_MBUF); 897 COUNTER_INC(netinet_arp_send); 898 } 899 900 COUNTER_DECL(netinet_fragment); 901 static void 902 test_netinet_fragment(struct mbuf *m, struct label *mlabel, 903 struct mbuf *frag, struct label *fraglabel) 904 { 905 906 LABEL_CHECK(mlabel, MAGIC_MBUF); 907 LABEL_CHECK(fraglabel, MAGIC_MBUF); 908 COUNTER_INC(netinet_fragment); 909 } 910 911 COUNTER_DECL(netinet_icmp_reply); 912 static void 913 test_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel, 914 struct mbuf *msend, struct label *msendlabel) 915 { 916 917 LABEL_CHECK(mrecvlabel, MAGIC_MBUF); 918 LABEL_CHECK(msendlabel, MAGIC_MBUF); 919 COUNTER_INC(netinet_icmp_reply); 920 } 921 922 COUNTER_DECL(netinet_icmp_replyinplace); 923 static void 924 test_netinet_icmp_replyinplace(struct mbuf *m, struct label *mlabel) 925 { 926 927 LABEL_CHECK(mlabel, MAGIC_MBUF); 928 COUNTER_INC(netinet_icmp_replyinplace); 929 } 930 931 COUNTER_DECL(netinet_igmp_send); 932 static void 933 test_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel, 934 struct mbuf *m, struct label *mlabel) 935 { 936 937 LABEL_CHECK(ifplabel, MAGIC_IFNET); 938 LABEL_CHECK(mlabel, MAGIC_MBUF); 939 COUNTER_INC(netinet_igmp_send); 940 } 941 942 COUNTER_DECL(netinet_tcp_reply); 943 static void 944 test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel) 945 { 946 947 LABEL_CHECK(mlabel, MAGIC_MBUF); 948 COUNTER_INC(netinet_tcp_reply); 949 } 950 951 COUNTER_DECL(netinet6_nd6_send); 952 static void 953 test_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel, 954 struct mbuf *m, struct label *mlabel) 955 { 956 957 LABEL_CHECK(ifplabel, MAGIC_IFNET); 958 LABEL_CHECK(mlabel, MAGIC_MBUF); 959 COUNTER_INC(netinet6_nd6_send); 960 } 961 962 COUNTER_DECL(pipe_check_ioctl); 963 static int 964 test_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, 965 struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data) 966 { 967 968 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 969 LABEL_CHECK(pplabel, MAGIC_PIPE); 970 COUNTER_INC(pipe_check_ioctl); 971 972 return (0); 973 } 974 975 COUNTER_DECL(pipe_check_poll); 976 static int 977 test_pipe_check_poll(struct ucred *cred, struct pipepair *pp, 978 struct label *pplabel) 979 { 980 981 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 982 LABEL_CHECK(pplabel, MAGIC_PIPE); 983 COUNTER_INC(pipe_check_poll); 984 985 return (0); 986 } 987 988 COUNTER_DECL(pipe_check_read); 989 static int 990 test_pipe_check_read(struct ucred *cred, struct pipepair *pp, 991 struct label *pplabel) 992 { 993 994 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 995 LABEL_CHECK(pplabel, MAGIC_PIPE); 996 COUNTER_INC(pipe_check_read); 997 998 return (0); 999 } 1000 1001 COUNTER_DECL(pipe_check_relabel); 1002 static int 1003 test_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, 1004 struct label *pplabel, struct label *newlabel) 1005 { 1006 1007 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1008 LABEL_CHECK(pplabel, MAGIC_PIPE); 1009 LABEL_CHECK(newlabel, MAGIC_PIPE); 1010 COUNTER_INC(pipe_check_relabel); 1011 1012 return (0); 1013 } 1014 1015 COUNTER_DECL(pipe_check_stat); 1016 static int 1017 test_pipe_check_stat(struct ucred *cred, struct pipepair *pp, 1018 struct label *pplabel) 1019 { 1020 1021 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1022 LABEL_CHECK(pplabel, MAGIC_PIPE); 1023 COUNTER_INC(pipe_check_stat); 1024 1025 return (0); 1026 } 1027 1028 COUNTER_DECL(pipe_check_write); 1029 static int 1030 test_pipe_check_write(struct ucred *cred, struct pipepair *pp, 1031 struct label *pplabel) 1032 { 1033 1034 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1035 LABEL_CHECK(pplabel, MAGIC_PIPE); 1036 COUNTER_INC(pipe_check_write); 1037 1038 return (0); 1039 } 1040 1041 COUNTER_DECL(pipe_copy_label); 1042 static void 1043 test_pipe_copy_label(struct label *src, struct label *dest) 1044 { 1045 1046 LABEL_CHECK(src, MAGIC_PIPE); 1047 LABEL_CHECK(dest, MAGIC_PIPE); 1048 COUNTER_INC(pipe_copy_label); 1049 } 1050 1051 COUNTER_DECL(pipe_create); 1052 static void 1053 test_pipe_create(struct ucred *cred, struct pipepair *pp, 1054 struct label *pplabel) 1055 { 1056 1057 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1058 LABEL_CHECK(pplabel, MAGIC_PIPE); 1059 COUNTER_INC(pipe_create); 1060 } 1061 1062 COUNTER_DECL(pipe_destroy_label); 1063 static void 1064 test_pipe_destroy_label(struct label *label) 1065 { 1066 1067 LABEL_DESTROY(label, MAGIC_PIPE); 1068 COUNTER_INC(pipe_destroy_label); 1069 } 1070 1071 COUNTER_DECL(pipe_externalize_label); 1072 static int 1073 test_pipe_externalize_label(struct label *label, char *element_name, 1074 struct sbuf *sb, int *claimed) 1075 { 1076 1077 LABEL_CHECK(label, MAGIC_PIPE); 1078 COUNTER_INC(pipe_externalize_label); 1079 1080 return (0); 1081 } 1082 1083 COUNTER_DECL(pipe_init_label); 1084 static void 1085 test_pipe_init_label(struct label *label) 1086 { 1087 1088 LABEL_INIT(label, MAGIC_PIPE); 1089 COUNTER_INC(pipe_init_label); 1090 } 1091 1092 COUNTER_DECL(pipe_internalize_label); 1093 static int 1094 test_pipe_internalize_label(struct label *label, char *element_name, 1095 char *element_data, int *claimed) 1096 { 1097 1098 LABEL_CHECK(label, MAGIC_PIPE); 1099 COUNTER_INC(pipe_internalize_label); 1100 1101 return (0); 1102 } 1103 1104 COUNTER_DECL(pipe_relabel); 1105 static void 1106 test_pipe_relabel(struct ucred *cred, struct pipepair *pp, 1107 struct label *pplabel, struct label *newlabel) 1108 { 1109 1110 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1111 LABEL_CHECK(pplabel, MAGIC_PIPE); 1112 LABEL_CHECK(newlabel, MAGIC_PIPE); 1113 COUNTER_INC(pipe_relabel); 1114 } 1115 1116 COUNTER_DECL(posixsem_check_getvalue); 1117 static int 1118 test_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred, 1119 struct ksem *ks, struct label *kslabel) 1120 { 1121 1122 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1123 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1124 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1125 COUNTER_INC(posixsem_check_getvalue); 1126 1127 return (0); 1128 } 1129 1130 COUNTER_DECL(posixsem_check_open); 1131 static int 1132 test_posixsem_check_open(struct ucred *cred, struct ksem *ks, 1133 struct label *kslabel) 1134 { 1135 1136 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1137 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1138 COUNTER_INC(posixsem_check_open); 1139 1140 return (0); 1141 } 1142 1143 COUNTER_DECL(posixsem_check_post); 1144 static int 1145 test_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred, 1146 struct ksem *ks, struct label *kslabel) 1147 { 1148 1149 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1150 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1151 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1152 COUNTER_INC(posixsem_check_post); 1153 1154 return (0); 1155 } 1156 1157 COUNTER_DECL(posixsem_check_stat); 1158 static int 1159 test_posixsem_check_stat(struct ucred *active_cred, 1160 struct ucred *file_cred, struct ksem *ks, struct label *kslabel) 1161 { 1162 1163 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1164 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1165 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1166 COUNTER_INC(posixsem_check_stat); 1167 return (0); 1168 } 1169 1170 COUNTER_DECL(posixsem_check_unlink); 1171 static int 1172 test_posixsem_check_unlink(struct ucred *cred, struct ksem *ks, 1173 struct label *kslabel) 1174 { 1175 1176 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1177 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1178 COUNTER_INC(posixsem_check_unlink); 1179 1180 return (0); 1181 } 1182 1183 COUNTER_DECL(posixsem_check_wait); 1184 static int 1185 test_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred, 1186 struct ksem *ks, struct label *kslabel) 1187 { 1188 1189 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1190 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1191 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1192 COUNTER_INC(posixsem_check_wait); 1193 1194 return (0); 1195 } 1196 1197 COUNTER_DECL(posixsem_create); 1198 static void 1199 test_posixsem_create(struct ucred *cred, struct ksem *ks, 1200 struct label *kslabel) 1201 { 1202 1203 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1204 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1205 COUNTER_INC(posixsem_create); 1206 } 1207 1208 COUNTER_DECL(posixsem_destroy_label); 1209 static void 1210 test_posixsem_destroy_label(struct label *label) 1211 { 1212 1213 LABEL_DESTROY(label, MAGIC_POSIX_SEM); 1214 COUNTER_INC(posixsem_destroy_label); 1215 } 1216 1217 COUNTER_DECL(posixsem_init_label); 1218 static void 1219 test_posixsem_init_label(struct label *label) 1220 { 1221 1222 LABEL_INIT(label, MAGIC_POSIX_SEM); 1223 COUNTER_INC(posixsem_init_label); 1224 } 1225 1226 COUNTER_DECL(posixshm_check_mmap); 1227 static int 1228 test_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, 1229 struct label *shmfdlabel, int prot, int flags) 1230 { 1231 1232 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1233 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1234 COUNTER_INC(posixshm_check_mmap); 1235 return (0); 1236 } 1237 1238 COUNTER_DECL(posixshm_check_open); 1239 static int 1240 test_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd, 1241 struct label *shmfdlabel) 1242 { 1243 1244 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1245 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1246 COUNTER_INC(posixshm_check_open); 1247 return (0); 1248 } 1249 1250 COUNTER_DECL(posixshm_check_stat); 1251 static int 1252 test_posixshm_check_stat(struct ucred *active_cred, 1253 struct ucred *file_cred, struct shmfd *shmfd, struct label *shmfdlabel) 1254 { 1255 1256 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1257 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1258 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1259 COUNTER_INC(posixshm_check_stat); 1260 return (0); 1261 } 1262 1263 COUNTER_DECL(posixshm_check_truncate); 1264 static int 1265 test_posixshm_check_truncate(struct ucred *active_cred, 1266 struct ucred *file_cred, struct shmfd *shmfd, struct label *shmfdlabel) 1267 { 1268 1269 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1270 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1271 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1272 COUNTER_INC(posixshm_check_truncate); 1273 return (0); 1274 } 1275 1276 COUNTER_DECL(posixshm_check_unlink); 1277 static int 1278 test_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd, 1279 struct label *shmfdlabel) 1280 { 1281 1282 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1283 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1284 COUNTER_INC(posixshm_check_unlink); 1285 return (0); 1286 } 1287 1288 COUNTER_DECL(posixshm_create); 1289 static void 1290 test_posixshm_create(struct ucred *cred, struct shmfd *shmfd, 1291 struct label *shmfdlabel) 1292 { 1293 1294 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1295 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1296 COUNTER_INC(posixshm_create); 1297 } 1298 1299 COUNTER_DECL(posixshm_destroy_label); 1300 static void 1301 test_posixshm_destroy_label(struct label *label) 1302 { 1303 1304 LABEL_DESTROY(label, MAGIC_POSIX_SHM); 1305 COUNTER_INC(posixshm_destroy_label); 1306 } 1307 1308 COUNTER_DECL(posixshm_init_label); 1309 static void 1310 test_posixshm_init_label(struct label *label) 1311 { 1312 1313 LABEL_INIT(label, MAGIC_POSIX_SHM); 1314 COUNTER_INC(posixshm_init_label); 1315 } 1316 1317 COUNTER_DECL(proc_check_debug); 1318 static int 1319 test_proc_check_debug(struct ucred *cred, struct proc *p) 1320 { 1321 1322 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1323 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1324 COUNTER_INC(proc_check_debug); 1325 1326 return (0); 1327 } 1328 1329 COUNTER_DECL(proc_check_sched); 1330 static int 1331 test_proc_check_sched(struct ucred *cred, struct proc *p) 1332 { 1333 1334 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1335 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1336 COUNTER_INC(proc_check_sched); 1337 1338 return (0); 1339 } 1340 1341 COUNTER_DECL(proc_check_signal); 1342 static int 1343 test_proc_check_signal(struct ucred *cred, struct proc *p, int signum) 1344 { 1345 1346 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1347 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1348 COUNTER_INC(proc_check_signal); 1349 1350 return (0); 1351 } 1352 1353 COUNTER_DECL(proc_check_setaudit); 1354 static int 1355 test_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai) 1356 { 1357 1358 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1359 COUNTER_INC(proc_check_setaudit); 1360 1361 return (0); 1362 } 1363 1364 COUNTER_DECL(proc_check_setaudit_addr); 1365 static int 1366 test_proc_check_setaudit_addr(struct ucred *cred, 1367 struct auditinfo_addr *aia) 1368 { 1369 1370 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1371 COUNTER_INC(proc_check_setaudit_addr); 1372 1373 return (0); 1374 } 1375 1376 COUNTER_DECL(proc_check_setauid); 1377 static int 1378 test_proc_check_setauid(struct ucred *cred, uid_t auid) 1379 { 1380 1381 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1382 COUNTER_INC(proc_check_setauid); 1383 1384 return (0); 1385 } 1386 1387 COUNTER_DECL(proc_check_setegid); 1388 static int 1389 test_proc_check_setegid(struct ucred *cred, gid_t egid) 1390 { 1391 1392 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1393 COUNTER_INC(proc_check_setegid); 1394 1395 return (0); 1396 } 1397 1398 COUNTER_DECL(proc_check_euid); 1399 static int 1400 test_proc_check_seteuid(struct ucred *cred, uid_t euid) 1401 { 1402 1403 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1404 COUNTER_INC(proc_check_euid); 1405 1406 return (0); 1407 } 1408 1409 COUNTER_DECL(proc_check_setregid); 1410 static int 1411 test_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) 1412 { 1413 1414 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1415 COUNTER_INC(proc_check_setregid); 1416 1417 return (0); 1418 } 1419 1420 COUNTER_DECL(proc_check_setreuid); 1421 static int 1422 test_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) 1423 { 1424 1425 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1426 COUNTER_INC(proc_check_setreuid); 1427 1428 return (0); 1429 } 1430 1431 COUNTER_DECL(proc_check_setgid); 1432 static int 1433 test_proc_check_setgid(struct ucred *cred, gid_t gid) 1434 { 1435 1436 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1437 COUNTER_INC(proc_check_setgid); 1438 1439 return (0); 1440 } 1441 1442 COUNTER_DECL(proc_check_setgroups); 1443 static int 1444 test_proc_check_setgroups(struct ucred *cred, int ngroups, 1445 gid_t *gidset) 1446 { 1447 1448 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1449 COUNTER_INC(proc_check_setgroups); 1450 1451 return (0); 1452 } 1453 1454 COUNTER_DECL(proc_check_setresgid); 1455 static int 1456 test_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, 1457 gid_t sgid) 1458 { 1459 1460 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1461 COUNTER_INC(proc_check_setresgid); 1462 1463 return (0); 1464 } 1465 1466 COUNTER_DECL(proc_check_setresuid); 1467 static int 1468 test_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, 1469 uid_t suid) 1470 { 1471 1472 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1473 COUNTER_INC(proc_check_setresuid); 1474 1475 return (0); 1476 } 1477 1478 COUNTER_DECL(proc_check_setuid); 1479 static int 1480 test_proc_check_setuid(struct ucred *cred, uid_t uid) 1481 { 1482 1483 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1484 COUNTER_INC(proc_check_setuid); 1485 1486 return (0); 1487 } 1488 1489 COUNTER_DECL(proc_check_wait); 1490 static int 1491 test_proc_check_wait(struct ucred *cred, struct proc *p) 1492 { 1493 1494 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1495 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1496 COUNTER_INC(proc_check_wait); 1497 1498 return (0); 1499 } 1500 1501 COUNTER_DECL(proc_destroy_label); 1502 static void 1503 test_proc_destroy_label(struct label *label) 1504 { 1505 1506 LABEL_DESTROY(label, MAGIC_PROC); 1507 COUNTER_INC(proc_destroy_label); 1508 } 1509 1510 COUNTER_DECL(proc_init_label); 1511 static void 1512 test_proc_init_label(struct label *label) 1513 { 1514 1515 LABEL_INIT(label, MAGIC_PROC); 1516 COUNTER_INC(proc_init_label); 1517 } 1518 1519 COUNTER_DECL(socket_check_accept); 1520 static int 1521 test_socket_check_accept(struct ucred *cred, struct socket *so, 1522 struct label *solabel) 1523 { 1524 1525 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1526 LABEL_CHECK(solabel, MAGIC_SOCKET); 1527 COUNTER_INC(socket_check_accept); 1528 1529 return (0); 1530 } 1531 1532 COUNTER_DECL(socket_check_bind); 1533 static int 1534 test_socket_check_bind(struct ucred *cred, struct socket *so, 1535 struct label *solabel, struct sockaddr *sa) 1536 { 1537 1538 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1539 LABEL_CHECK(solabel, MAGIC_SOCKET); 1540 COUNTER_INC(socket_check_bind); 1541 1542 return (0); 1543 } 1544 1545 COUNTER_DECL(socket_check_connect); 1546 static int 1547 test_socket_check_connect(struct ucred *cred, struct socket *so, 1548 struct label *solabel, struct sockaddr *sa) 1549 { 1550 1551 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1552 LABEL_CHECK(solabel, MAGIC_SOCKET); 1553 COUNTER_INC(socket_check_connect); 1554 1555 return (0); 1556 } 1557 1558 COUNTER_DECL(socket_check_deliver); 1559 static int 1560 test_socket_check_deliver(struct socket *so, struct label *solabel, 1561 struct mbuf *m, struct label *mlabel) 1562 { 1563 1564 LABEL_CHECK(solabel, MAGIC_SOCKET); 1565 LABEL_CHECK(mlabel, MAGIC_MBUF); 1566 COUNTER_INC(socket_check_deliver); 1567 1568 return (0); 1569 } 1570 1571 COUNTER_DECL(socket_check_listen); 1572 static int 1573 test_socket_check_listen(struct ucred *cred, struct socket *so, 1574 struct label *solabel) 1575 { 1576 1577 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1578 LABEL_CHECK(solabel, MAGIC_SOCKET); 1579 COUNTER_INC(socket_check_listen); 1580 1581 return (0); 1582 } 1583 1584 COUNTER_DECL(socket_check_poll); 1585 static int 1586 test_socket_check_poll(struct ucred *cred, struct socket *so, 1587 struct label *solabel) 1588 { 1589 1590 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1591 LABEL_CHECK(solabel, MAGIC_SOCKET); 1592 COUNTER_INC(socket_check_poll); 1593 1594 return (0); 1595 } 1596 1597 COUNTER_DECL(socket_check_receive); 1598 static int 1599 test_socket_check_receive(struct ucred *cred, struct socket *so, 1600 struct label *solabel) 1601 { 1602 1603 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1604 LABEL_CHECK(solabel, MAGIC_SOCKET); 1605 COUNTER_INC(socket_check_receive); 1606 1607 return (0); 1608 } 1609 1610 COUNTER_DECL(socket_check_relabel); 1611 static int 1612 test_socket_check_relabel(struct ucred *cred, struct socket *so, 1613 struct label *solabel, struct label *newlabel) 1614 { 1615 1616 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1617 LABEL_CHECK(solabel, MAGIC_SOCKET); 1618 LABEL_CHECK(newlabel, MAGIC_SOCKET); 1619 COUNTER_INC(socket_check_relabel); 1620 1621 return (0); 1622 } 1623 1624 COUNTER_DECL(socket_check_send); 1625 static int 1626 test_socket_check_send(struct ucred *cred, struct socket *so, 1627 struct label *solabel) 1628 { 1629 1630 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1631 LABEL_CHECK(solabel, MAGIC_SOCKET); 1632 COUNTER_INC(socket_check_send); 1633 1634 return (0); 1635 } 1636 1637 COUNTER_DECL(socket_check_stat); 1638 static int 1639 test_socket_check_stat(struct ucred *cred, struct socket *so, 1640 struct label *solabel) 1641 { 1642 1643 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1644 LABEL_CHECK(solabel, MAGIC_SOCKET); 1645 COUNTER_INC(socket_check_stat); 1646 1647 return (0); 1648 } 1649 1650 COUNTER_DECL(socket_check_visible); 1651 static int 1652 test_socket_check_visible(struct ucred *cred, struct socket *so, 1653 struct label *solabel) 1654 { 1655 1656 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1657 LABEL_CHECK(solabel, MAGIC_SOCKET); 1658 COUNTER_INC(socket_check_visible); 1659 1660 return (0); 1661 } 1662 1663 COUNTER_DECL(socket_copy_label); 1664 static void 1665 test_socket_copy_label(struct label *src, struct label *dest) 1666 { 1667 1668 LABEL_CHECK(src, MAGIC_SOCKET); 1669 LABEL_CHECK(dest, MAGIC_SOCKET); 1670 COUNTER_INC(socket_copy_label); 1671 } 1672 1673 COUNTER_DECL(socket_create); 1674 static void 1675 test_socket_create(struct ucred *cred, struct socket *so, 1676 struct label *solabel) 1677 { 1678 1679 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1680 LABEL_CHECK(solabel, MAGIC_SOCKET); 1681 COUNTER_INC(socket_create); 1682 } 1683 1684 COUNTER_DECL(socket_create_mbuf); 1685 static void 1686 test_socket_create_mbuf(struct socket *so, struct label *socketlabel, 1687 struct mbuf *m, struct label *mlabel) 1688 { 1689 1690 LABEL_CHECK(socketlabel, MAGIC_SOCKET); 1691 LABEL_CHECK(mlabel, MAGIC_MBUF); 1692 COUNTER_INC(socket_create_mbuf); 1693 } 1694 1695 COUNTER_DECL(socket_destroy_label); 1696 static void 1697 test_socket_destroy_label(struct label *label) 1698 { 1699 1700 LABEL_DESTROY(label, MAGIC_SOCKET); 1701 COUNTER_INC(socket_destroy_label); 1702 } 1703 1704 COUNTER_DECL(socket_externalize_label); 1705 static int 1706 test_socket_externalize_label(struct label *label, char *element_name, 1707 struct sbuf *sb, int *claimed) 1708 { 1709 1710 LABEL_CHECK(label, MAGIC_SOCKET); 1711 COUNTER_INC(socket_externalize_label); 1712 1713 return (0); 1714 } 1715 1716 COUNTER_DECL(socket_init_label); 1717 static int 1718 test_socket_init_label(struct label *label, int flag) 1719 { 1720 1721 if (flag & M_WAITOK) 1722 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 1723 "test_socket_init_label() at %s:%d", __FILE__, 1724 __LINE__); 1725 1726 LABEL_INIT(label, MAGIC_SOCKET); 1727 COUNTER_INC(socket_init_label); 1728 return (0); 1729 } 1730 1731 COUNTER_DECL(socket_internalize_label); 1732 static int 1733 test_socket_internalize_label(struct label *label, char *element_name, 1734 char *element_data, int *claimed) 1735 { 1736 1737 LABEL_CHECK(label, MAGIC_SOCKET); 1738 COUNTER_INC(socket_internalize_label); 1739 1740 return (0); 1741 } 1742 1743 COUNTER_DECL(socket_newconn); 1744 static void 1745 test_socket_newconn(struct socket *oldso, struct label *oldsolabel, 1746 struct socket *newso, struct label *newsolabel) 1747 { 1748 1749 LABEL_CHECK(oldsolabel, MAGIC_SOCKET); 1750 LABEL_CHECK(newsolabel, MAGIC_SOCKET); 1751 COUNTER_INC(socket_newconn); 1752 } 1753 1754 COUNTER_DECL(socket_relabel); 1755 static void 1756 test_socket_relabel(struct ucred *cred, struct socket *so, 1757 struct label *solabel, struct label *newlabel) 1758 { 1759 1760 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1761 LABEL_CHECK(solabel, MAGIC_SOCKET); 1762 LABEL_CHECK(newlabel, MAGIC_SOCKET); 1763 COUNTER_INC(socket_relabel); 1764 } 1765 1766 COUNTER_DECL(socketpeer_destroy_label); 1767 static void 1768 test_socketpeer_destroy_label(struct label *label) 1769 { 1770 1771 LABEL_DESTROY(label, MAGIC_SOCKET); 1772 COUNTER_INC(socketpeer_destroy_label); 1773 } 1774 1775 COUNTER_DECL(socketpeer_externalize_label); 1776 static int 1777 test_socketpeer_externalize_label(struct label *label, char *element_name, 1778 struct sbuf *sb, int *claimed) 1779 { 1780 1781 LABEL_CHECK(label, MAGIC_SOCKET); 1782 COUNTER_INC(socketpeer_externalize_label); 1783 1784 return (0); 1785 } 1786 1787 COUNTER_DECL(socketpeer_init_label); 1788 static int 1789 test_socketpeer_init_label(struct label *label, int flag) 1790 { 1791 1792 if (flag & M_WAITOK) 1793 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 1794 "test_socketpeer_init_label() at %s:%d", __FILE__, 1795 __LINE__); 1796 1797 LABEL_INIT(label, MAGIC_SOCKET); 1798 COUNTER_INC(socketpeer_init_label); 1799 return (0); 1800 } 1801 1802 COUNTER_DECL(socketpeer_set_from_mbuf); 1803 static void 1804 test_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, 1805 struct socket *socket, struct label *socketpeerlabel) 1806 { 1807 1808 LABEL_CHECK(mlabel, MAGIC_MBUF); 1809 LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET); 1810 COUNTER_INC(socketpeer_set_from_mbuf); 1811 } 1812 1813 COUNTER_DECL(socketpeer_set_from_socket); 1814 static void 1815 test_socketpeer_set_from_socket(struct socket *oldso, 1816 struct label *oldsolabel, struct socket *newso, 1817 struct label *newsopeerlabel) 1818 { 1819 1820 LABEL_CHECK(oldsolabel, MAGIC_SOCKET); 1821 LABEL_CHECK(newsopeerlabel, MAGIC_SOCKET); 1822 COUNTER_INC(socketpeer_set_from_socket); 1823 } 1824 1825 COUNTER_DECL(syncache_create); 1826 static void 1827 test_syncache_create(struct label *label, struct inpcb *inp) 1828 { 1829 1830 LABEL_CHECK(label, MAGIC_SYNCACHE); 1831 COUNTER_INC(syncache_create); 1832 } 1833 1834 COUNTER_DECL(syncache_create_mbuf); 1835 static void 1836 test_syncache_create_mbuf(struct label *sc_label, struct mbuf *m, 1837 struct label *mlabel) 1838 { 1839 1840 LABEL_CHECK(sc_label, MAGIC_SYNCACHE); 1841 LABEL_CHECK(mlabel, MAGIC_MBUF); 1842 COUNTER_INC(syncache_create_mbuf); 1843 } 1844 1845 COUNTER_DECL(syncache_destroy_label); 1846 static void 1847 test_syncache_destroy_label(struct label *label) 1848 { 1849 1850 LABEL_DESTROY(label, MAGIC_SYNCACHE); 1851 COUNTER_INC(syncache_destroy_label); 1852 } 1853 1854 COUNTER_DECL(syncache_init_label); 1855 static int 1856 test_syncache_init_label(struct label *label, int flag) 1857 { 1858 1859 if (flag & M_WAITOK) 1860 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 1861 "test_syncache_init_label() at %s:%d", __FILE__, 1862 __LINE__); 1863 LABEL_INIT(label, MAGIC_SYNCACHE); 1864 COUNTER_INC(syncache_init_label); 1865 return (0); 1866 } 1867 1868 COUNTER_DECL(system_check_acct); 1869 static int 1870 test_system_check_acct(struct ucred *cred, struct vnode *vp, 1871 struct label *vplabel) 1872 { 1873 1874 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1875 LABEL_CHECK(vplabel, MAGIC_VNODE); 1876 COUNTER_INC(system_check_acct); 1877 1878 return (0); 1879 } 1880 1881 COUNTER_DECL(system_check_audit); 1882 static int 1883 test_system_check_audit(struct ucred *cred, void *record, int length) 1884 { 1885 1886 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1887 COUNTER_INC(system_check_audit); 1888 1889 return (0); 1890 } 1891 1892 COUNTER_DECL(system_check_auditctl); 1893 static int 1894 test_system_check_auditctl(struct ucred *cred, struct vnode *vp, 1895 struct label *vplabel) 1896 { 1897 1898 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1899 LABEL_CHECK(vplabel, MAGIC_VNODE); 1900 COUNTER_INC(system_check_auditctl); 1901 1902 return (0); 1903 } 1904 1905 COUNTER_DECL(system_check_auditon); 1906 static int 1907 test_system_check_auditon(struct ucred *cred, int cmd) 1908 { 1909 1910 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1911 COUNTER_INC(system_check_auditon); 1912 1913 return (0); 1914 } 1915 1916 COUNTER_DECL(system_check_reboot); 1917 static int 1918 test_system_check_reboot(struct ucred *cred, int how) 1919 { 1920 1921 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1922 COUNTER_INC(system_check_reboot); 1923 1924 return (0); 1925 } 1926 1927 COUNTER_DECL(system_check_swapoff); 1928 static int 1929 test_system_check_swapoff(struct ucred *cred, struct vnode *vp, 1930 struct label *vplabel) 1931 { 1932 1933 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1934 LABEL_CHECK(vplabel, MAGIC_VNODE); 1935 COUNTER_INC(system_check_swapoff); 1936 1937 return (0); 1938 } 1939 1940 COUNTER_DECL(system_check_swapon); 1941 static int 1942 test_system_check_swapon(struct ucred *cred, struct vnode *vp, 1943 struct label *vplabel) 1944 { 1945 1946 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1947 LABEL_CHECK(vplabel, MAGIC_VNODE); 1948 COUNTER_INC(system_check_swapon); 1949 1950 return (0); 1951 } 1952 1953 COUNTER_DECL(system_check_sysctl); 1954 static int 1955 test_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, 1956 void *arg1, int arg2, struct sysctl_req *req) 1957 { 1958 1959 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1960 COUNTER_INC(system_check_sysctl); 1961 1962 return (0); 1963 } 1964 1965 COUNTER_DECL(sysvmsg_cleanup); 1966 static void 1967 test_sysvmsg_cleanup(struct label *msglabel) 1968 { 1969 1970 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1971 COUNTER_INC(sysvmsg_cleanup); 1972 } 1973 1974 COUNTER_DECL(sysvmsg_create); 1975 static void 1976 test_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, 1977 struct label *msqlabel, struct msg *msgptr, struct label *msglabel) 1978 { 1979 1980 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1981 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 1982 COUNTER_INC(sysvmsg_create); 1983 } 1984 1985 COUNTER_DECL(sysvmsg_destroy_label); 1986 static void 1987 test_sysvmsg_destroy_label(struct label *label) 1988 { 1989 1990 LABEL_DESTROY(label, MAGIC_SYSV_MSG); 1991 COUNTER_INC(sysvmsg_destroy_label); 1992 } 1993 1994 COUNTER_DECL(sysvmsg_init_label); 1995 static void 1996 test_sysvmsg_init_label(struct label *label) 1997 { 1998 LABEL_INIT(label, MAGIC_SYSV_MSG); 1999 COUNTER_INC(sysvmsg_init_label); 2000 } 2001 2002 COUNTER_DECL(sysvmsq_check_msgmsq); 2003 static int 2004 test_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr, 2005 struct label *msglabel, struct msqid_kernel *msqkptr, 2006 struct label *msqklabel) 2007 { 2008 2009 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 2010 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 2011 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2012 COUNTER_INC(sysvmsq_check_msgmsq); 2013 2014 return (0); 2015 } 2016 2017 COUNTER_DECL(sysvmsq_check_msgrcv); 2018 static int 2019 test_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, 2020 struct label *msglabel) 2021 { 2022 2023 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 2024 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2025 COUNTER_INC(sysvmsq_check_msgrcv); 2026 2027 return (0); 2028 } 2029 2030 COUNTER_DECL(sysvmsq_check_msgrmid); 2031 static int 2032 test_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr, 2033 struct label *msglabel) 2034 { 2035 2036 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 2037 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2038 COUNTER_INC(sysvmsq_check_msgrmid); 2039 2040 return (0); 2041 } 2042 2043 COUNTER_DECL(sysvmsq_check_msqget); 2044 static int 2045 test_sysvmsq_check_msqget(struct ucred *cred, 2046 struct msqid_kernel *msqkptr, struct label *msqklabel) 2047 { 2048 2049 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 2050 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2051 COUNTER_INC(sysvmsq_check_msqget); 2052 2053 return (0); 2054 } 2055 2056 COUNTER_DECL(sysvmsq_check_msqsnd); 2057 static int 2058 test_sysvmsq_check_msqsnd(struct ucred *cred, 2059 struct msqid_kernel *msqkptr, struct label *msqklabel) 2060 { 2061 2062 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 2063 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2064 COUNTER_INC(sysvmsq_check_msqsnd); 2065 2066 return (0); 2067 } 2068 2069 COUNTER_DECL(sysvmsq_check_msqrcv); 2070 static int 2071 test_sysvmsq_check_msqrcv(struct ucred *cred, 2072 struct msqid_kernel *msqkptr, struct label *msqklabel) 2073 { 2074 2075 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 2076 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2077 COUNTER_INC(sysvmsq_check_msqrcv); 2078 2079 return (0); 2080 } 2081 2082 COUNTER_DECL(sysvmsq_check_msqctl); 2083 static int 2084 test_sysvmsq_check_msqctl(struct ucred *cred, 2085 struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd) 2086 { 2087 2088 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 2089 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2090 COUNTER_INC(sysvmsq_check_msqctl); 2091 2092 return (0); 2093 } 2094 2095 COUNTER_DECL(sysvmsq_cleanup); 2096 static void 2097 test_sysvmsq_cleanup(struct label *msqlabel) 2098 { 2099 2100 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 2101 COUNTER_INC(sysvmsq_cleanup); 2102 } 2103 2104 COUNTER_DECL(sysvmsq_create); 2105 static void 2106 test_sysvmsq_create(struct ucred *cred, 2107 struct msqid_kernel *msqkptr, struct label *msqlabel) 2108 { 2109 2110 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 2111 COUNTER_INC(sysvmsq_create); 2112 } 2113 2114 COUNTER_DECL(sysvmsq_destroy_label); 2115 static void 2116 test_sysvmsq_destroy_label(struct label *label) 2117 { 2118 2119 LABEL_DESTROY(label, MAGIC_SYSV_MSQ); 2120 COUNTER_INC(sysvmsq_destroy_label); 2121 } 2122 2123 COUNTER_DECL(sysvmsq_init_label); 2124 static void 2125 test_sysvmsq_init_label(struct label *label) 2126 { 2127 LABEL_INIT(label, MAGIC_SYSV_MSQ); 2128 COUNTER_INC(sysvmsq_init_label); 2129 } 2130 2131 COUNTER_DECL(sysvsem_check_semctl); 2132 static int 2133 test_sysvsem_check_semctl(struct ucred *cred, 2134 struct semid_kernel *semakptr, struct label *semaklabel, int cmd) 2135 { 2136 2137 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2138 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 2139 COUNTER_INC(sysvsem_check_semctl); 2140 2141 return (0); 2142 } 2143 2144 COUNTER_DECL(sysvsem_check_semget); 2145 static int 2146 test_sysvsem_check_semget(struct ucred *cred, 2147 struct semid_kernel *semakptr, struct label *semaklabel) 2148 { 2149 2150 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2151 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 2152 COUNTER_INC(sysvsem_check_semget); 2153 2154 return (0); 2155 } 2156 2157 COUNTER_DECL(sysvsem_check_semop); 2158 static int 2159 test_sysvsem_check_semop(struct ucred *cred, 2160 struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype) 2161 { 2162 2163 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2164 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 2165 COUNTER_INC(sysvsem_check_semop); 2166 2167 return (0); 2168 } 2169 2170 COUNTER_DECL(sysvsem_cleanup); 2171 static void 2172 test_sysvsem_cleanup(struct label *semalabel) 2173 { 2174 2175 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); 2176 COUNTER_INC(sysvsem_cleanup); 2177 } 2178 2179 COUNTER_DECL(sysvsem_create); 2180 static void 2181 test_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr, 2182 struct label *semalabel) 2183 { 2184 2185 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); 2186 COUNTER_INC(sysvsem_create); 2187 } 2188 2189 COUNTER_DECL(sysvsem_destroy_label); 2190 static void 2191 test_sysvsem_destroy_label(struct label *label) 2192 { 2193 2194 LABEL_DESTROY(label, MAGIC_SYSV_SEM); 2195 COUNTER_INC(sysvsem_destroy_label); 2196 } 2197 2198 COUNTER_DECL(sysvsem_init_label); 2199 static void 2200 test_sysvsem_init_label(struct label *label) 2201 { 2202 LABEL_INIT(label, MAGIC_SYSV_SEM); 2203 COUNTER_INC(sysvsem_init_label); 2204 } 2205 2206 COUNTER_DECL(sysvshm_check_shmat); 2207 static int 2208 test_sysvshm_check_shmat(struct ucred *cred, 2209 struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg) 2210 { 2211 2212 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2213 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 2214 COUNTER_INC(sysvshm_check_shmat); 2215 2216 return (0); 2217 } 2218 2219 COUNTER_DECL(sysvshm_check_shmctl); 2220 static int 2221 test_sysvshm_check_shmctl(struct ucred *cred, 2222 struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd) 2223 { 2224 2225 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2226 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 2227 COUNTER_INC(sysvshm_check_shmctl); 2228 2229 return (0); 2230 } 2231 2232 COUNTER_DECL(sysvshm_check_shmdt); 2233 static int 2234 test_sysvshm_check_shmdt(struct ucred *cred, 2235 struct shmid_kernel *shmsegptr, struct label *shmseglabel) 2236 { 2237 2238 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2239 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 2240 COUNTER_INC(sysvshm_check_shmdt); 2241 2242 return (0); 2243 } 2244 2245 COUNTER_DECL(sysvshm_check_shmget); 2246 static int 2247 test_sysvshm_check_shmget(struct ucred *cred, 2248 struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg) 2249 { 2250 2251 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2252 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 2253 COUNTER_INC(sysvshm_check_shmget); 2254 2255 return (0); 2256 } 2257 2258 COUNTER_DECL(sysvshm_cleanup); 2259 static void 2260 test_sysvshm_cleanup(struct label *shmlabel) 2261 { 2262 2263 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); 2264 COUNTER_INC(sysvshm_cleanup); 2265 } 2266 2267 COUNTER_DECL(sysvshm_create); 2268 static void 2269 test_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr, 2270 struct label *shmlabel) 2271 { 2272 2273 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); 2274 COUNTER_INC(sysvshm_create); 2275 } 2276 2277 COUNTER_DECL(sysvshm_destroy_label); 2278 static void 2279 test_sysvshm_destroy_label(struct label *label) 2280 { 2281 2282 LABEL_DESTROY(label, MAGIC_SYSV_SHM); 2283 COUNTER_INC(sysvshm_destroy_label); 2284 } 2285 2286 COUNTER_DECL(sysvshm_init_label); 2287 static void 2288 test_sysvshm_init_label(struct label *label) 2289 { 2290 LABEL_INIT(label, MAGIC_SYSV_SHM); 2291 COUNTER_INC(sysvshm_init_label); 2292 } 2293 2294 COUNTER_DECL(thread_userret); 2295 static void 2296 test_thread_userret(struct thread *td) 2297 { 2298 2299 COUNTER_INC(thread_userret); 2300 } 2301 2302 COUNTER_DECL(vnode_associate_extattr); 2303 static int 2304 test_vnode_associate_extattr(struct mount *mp, struct label *mplabel, 2305 struct vnode *vp, struct label *vplabel) 2306 { 2307 2308 LABEL_CHECK(mplabel, MAGIC_MOUNT); 2309 LABEL_CHECK(vplabel, MAGIC_VNODE); 2310 COUNTER_INC(vnode_associate_extattr); 2311 2312 return (0); 2313 } 2314 2315 COUNTER_DECL(vnode_associate_singlelabel); 2316 static void 2317 test_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel, 2318 struct vnode *vp, struct label *vplabel) 2319 { 2320 2321 LABEL_CHECK(mplabel, MAGIC_MOUNT); 2322 LABEL_CHECK(vplabel, MAGIC_VNODE); 2323 COUNTER_INC(vnode_associate_singlelabel); 2324 } 2325 2326 COUNTER_DECL(vnode_check_access); 2327 static int 2328 test_vnode_check_access(struct ucred *cred, struct vnode *vp, 2329 struct label *vplabel, accmode_t accmode) 2330 { 2331 2332 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2333 LABEL_CHECK(vplabel, MAGIC_VNODE); 2334 COUNTER_INC(vnode_check_access); 2335 2336 return (0); 2337 } 2338 2339 COUNTER_DECL(vnode_check_chdir); 2340 static int 2341 test_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, 2342 struct label *dvplabel) 2343 { 2344 2345 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2346 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2347 COUNTER_INC(vnode_check_chdir); 2348 2349 return (0); 2350 } 2351 2352 COUNTER_DECL(vnode_check_chroot); 2353 static int 2354 test_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, 2355 struct label *dvplabel) 2356 { 2357 2358 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2359 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2360 COUNTER_INC(vnode_check_chroot); 2361 2362 return (0); 2363 } 2364 2365 COUNTER_DECL(vnode_check_create); 2366 static int 2367 test_vnode_check_create(struct ucred *cred, struct vnode *dvp, 2368 struct label *dvplabel, struct componentname *cnp, struct vattr *vap) 2369 { 2370 2371 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2372 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2373 COUNTER_INC(vnode_check_create); 2374 2375 return (0); 2376 } 2377 2378 COUNTER_DECL(vnode_check_deleteacl); 2379 static int 2380 test_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, 2381 struct label *vplabel, acl_type_t type) 2382 { 2383 2384 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2385 LABEL_CHECK(vplabel, MAGIC_VNODE); 2386 COUNTER_INC(vnode_check_deleteacl); 2387 2388 return (0); 2389 } 2390 2391 COUNTER_DECL(vnode_check_deleteextattr); 2392 static int 2393 test_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, 2394 struct label *vplabel, int attrnamespace, const char *name) 2395 { 2396 2397 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2398 LABEL_CHECK(vplabel, MAGIC_VNODE); 2399 COUNTER_INC(vnode_check_deleteextattr); 2400 2401 return (0); 2402 } 2403 2404 COUNTER_DECL(vnode_check_exec); 2405 static int 2406 test_vnode_check_exec(struct ucred *cred, struct vnode *vp, 2407 struct label *vplabel, struct image_params *imgp, 2408 struct label *execlabel) 2409 { 2410 2411 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2412 LABEL_CHECK(vplabel, MAGIC_VNODE); 2413 LABEL_CHECK(execlabel, MAGIC_CRED); 2414 COUNTER_INC(vnode_check_exec); 2415 2416 return (0); 2417 } 2418 2419 COUNTER_DECL(vnode_check_getacl); 2420 static int 2421 test_vnode_check_getacl(struct ucred *cred, struct vnode *vp, 2422 struct label *vplabel, acl_type_t type) 2423 { 2424 2425 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2426 LABEL_CHECK(vplabel, MAGIC_VNODE); 2427 COUNTER_INC(vnode_check_getacl); 2428 2429 return (0); 2430 } 2431 2432 COUNTER_DECL(vnode_check_getextattr); 2433 static int 2434 test_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, 2435 struct label *vplabel, int attrnamespace, const char *name, 2436 struct uio *uio) 2437 { 2438 2439 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2440 LABEL_CHECK(vplabel, MAGIC_VNODE); 2441 COUNTER_INC(vnode_check_getextattr); 2442 2443 return (0); 2444 } 2445 2446 COUNTER_DECL(vnode_check_link); 2447 static int 2448 test_vnode_check_link(struct ucred *cred, struct vnode *dvp, 2449 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2450 struct componentname *cnp) 2451 { 2452 2453 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2454 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2455 LABEL_CHECK(vplabel, MAGIC_VNODE); 2456 COUNTER_INC(vnode_check_link); 2457 2458 return (0); 2459 } 2460 2461 COUNTER_DECL(vnode_check_listextattr); 2462 static int 2463 test_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, 2464 struct label *vplabel, int attrnamespace) 2465 { 2466 2467 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2468 LABEL_CHECK(vplabel, MAGIC_VNODE); 2469 COUNTER_INC(vnode_check_listextattr); 2470 2471 return (0); 2472 } 2473 2474 COUNTER_DECL(vnode_check_lookup); 2475 static int 2476 test_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, 2477 struct label *dvplabel, struct componentname *cnp) 2478 { 2479 2480 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2481 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2482 COUNTER_INC(vnode_check_lookup); 2483 2484 return (0); 2485 } 2486 2487 COUNTER_DECL(vnode_check_mmap); 2488 static int 2489 test_vnode_check_mmap(struct ucred *cred, struct vnode *vp, 2490 struct label *vplabel, int prot, int flags) 2491 { 2492 2493 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2494 LABEL_CHECK(vplabel, MAGIC_VNODE); 2495 COUNTER_INC(vnode_check_mmap); 2496 2497 return (0); 2498 } 2499 2500 COUNTER_DECL(vnode_check_open); 2501 static int 2502 test_vnode_check_open(struct ucred *cred, struct vnode *vp, 2503 struct label *vplabel, accmode_t accmode) 2504 { 2505 2506 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2507 LABEL_CHECK(vplabel, MAGIC_VNODE); 2508 COUNTER_INC(vnode_check_open); 2509 2510 return (0); 2511 } 2512 2513 COUNTER_DECL(vnode_check_poll); 2514 static int 2515 test_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, 2516 struct vnode *vp, struct label *vplabel) 2517 { 2518 2519 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2520 if (file_cred != NULL) 2521 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2522 LABEL_CHECK(vplabel, MAGIC_VNODE); 2523 COUNTER_INC(vnode_check_poll); 2524 2525 return (0); 2526 } 2527 2528 COUNTER_DECL(vnode_check_read); 2529 static int 2530 test_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, 2531 struct vnode *vp, struct label *vplabel) 2532 { 2533 2534 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2535 if (file_cred != NULL) 2536 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2537 LABEL_CHECK(vplabel, MAGIC_VNODE); 2538 COUNTER_INC(vnode_check_read); 2539 2540 return (0); 2541 } 2542 2543 COUNTER_DECL(vnode_check_readdir); 2544 static int 2545 test_vnode_check_readdir(struct ucred *cred, struct vnode *dvp, 2546 struct label *dvplabel) 2547 { 2548 2549 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2550 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2551 COUNTER_INC(vnode_check_readdir); 2552 2553 return (0); 2554 } 2555 2556 COUNTER_DECL(vnode_check_readlink); 2557 static int 2558 test_vnode_check_readlink(struct ucred *cred, struct vnode *vp, 2559 struct label *vplabel) 2560 { 2561 2562 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2563 LABEL_CHECK(vplabel, MAGIC_VNODE); 2564 COUNTER_INC(vnode_check_readlink); 2565 2566 return (0); 2567 } 2568 2569 COUNTER_DECL(vnode_check_relabel); 2570 static int 2571 test_vnode_check_relabel(struct ucred *cred, struct vnode *vp, 2572 struct label *vplabel, struct label *newlabel) 2573 { 2574 2575 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2576 LABEL_CHECK(vplabel, MAGIC_VNODE); 2577 LABEL_CHECK(newlabel, MAGIC_VNODE); 2578 COUNTER_INC(vnode_check_relabel); 2579 2580 return (0); 2581 } 2582 2583 COUNTER_DECL(vnode_check_rename_from); 2584 static int 2585 test_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, 2586 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2587 struct componentname *cnp) 2588 { 2589 2590 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2591 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2592 LABEL_CHECK(vplabel, MAGIC_VNODE); 2593 COUNTER_INC(vnode_check_rename_from); 2594 2595 return (0); 2596 } 2597 2598 COUNTER_DECL(vnode_check_rename_to); 2599 static int 2600 test_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, 2601 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2602 int samedir, struct componentname *cnp) 2603 { 2604 2605 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2606 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2607 LABEL_CHECK(vplabel, MAGIC_VNODE); 2608 COUNTER_INC(vnode_check_rename_to); 2609 2610 return (0); 2611 } 2612 2613 COUNTER_DECL(vnode_check_revoke); 2614 static int 2615 test_vnode_check_revoke(struct ucred *cred, struct vnode *vp, 2616 struct label *vplabel) 2617 { 2618 2619 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2620 LABEL_CHECK(vplabel, MAGIC_VNODE); 2621 COUNTER_INC(vnode_check_revoke); 2622 2623 return (0); 2624 } 2625 2626 COUNTER_DECL(vnode_check_setacl); 2627 static int 2628 test_vnode_check_setacl(struct ucred *cred, struct vnode *vp, 2629 struct label *vplabel, acl_type_t type, struct acl *acl) 2630 { 2631 2632 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2633 LABEL_CHECK(vplabel, MAGIC_VNODE); 2634 COUNTER_INC(vnode_check_setacl); 2635 2636 return (0); 2637 } 2638 2639 COUNTER_DECL(vnode_check_setextattr); 2640 static int 2641 test_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, 2642 struct label *vplabel, int attrnamespace, const char *name, 2643 struct uio *uio) 2644 { 2645 2646 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2647 LABEL_CHECK(vplabel, MAGIC_VNODE); 2648 COUNTER_INC(vnode_check_setextattr); 2649 2650 return (0); 2651 } 2652 2653 COUNTER_DECL(vnode_check_setflags); 2654 static int 2655 test_vnode_check_setflags(struct ucred *cred, struct vnode *vp, 2656 struct label *vplabel, u_long flags) 2657 { 2658 2659 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2660 LABEL_CHECK(vplabel, MAGIC_VNODE); 2661 COUNTER_INC(vnode_check_setflags); 2662 2663 return (0); 2664 } 2665 2666 COUNTER_DECL(vnode_check_setmode); 2667 static int 2668 test_vnode_check_setmode(struct ucred *cred, struct vnode *vp, 2669 struct label *vplabel, mode_t mode) 2670 { 2671 2672 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2673 LABEL_CHECK(vplabel, MAGIC_VNODE); 2674 COUNTER_INC(vnode_check_setmode); 2675 2676 return (0); 2677 } 2678 2679 COUNTER_DECL(vnode_check_setowner); 2680 static int 2681 test_vnode_check_setowner(struct ucred *cred, struct vnode *vp, 2682 struct label *vplabel, uid_t uid, gid_t gid) 2683 { 2684 2685 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2686 LABEL_CHECK(vplabel, MAGIC_VNODE); 2687 COUNTER_INC(vnode_check_setowner); 2688 2689 return (0); 2690 } 2691 2692 COUNTER_DECL(vnode_check_setutimes); 2693 static int 2694 test_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, 2695 struct label *vplabel, struct timespec atime, struct timespec mtime) 2696 { 2697 2698 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2699 LABEL_CHECK(vplabel, MAGIC_VNODE); 2700 COUNTER_INC(vnode_check_setutimes); 2701 2702 return (0); 2703 } 2704 2705 COUNTER_DECL(vnode_check_stat); 2706 static int 2707 test_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, 2708 struct vnode *vp, struct label *vplabel) 2709 { 2710 2711 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2712 if (file_cred != NULL) 2713 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2714 LABEL_CHECK(vplabel, MAGIC_VNODE); 2715 COUNTER_INC(vnode_check_stat); 2716 2717 return (0); 2718 } 2719 2720 COUNTER_DECL(vnode_check_unlink); 2721 static int 2722 test_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, 2723 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2724 struct componentname *cnp) 2725 { 2726 2727 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2728 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2729 LABEL_CHECK(vplabel, MAGIC_VNODE); 2730 COUNTER_INC(vnode_check_unlink); 2731 2732 return (0); 2733 } 2734 2735 COUNTER_DECL(vnode_check_write); 2736 static int 2737 test_vnode_check_write(struct ucred *active_cred, 2738 struct ucred *file_cred, struct vnode *vp, struct label *vplabel) 2739 { 2740 2741 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2742 if (file_cred != NULL) 2743 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2744 LABEL_CHECK(vplabel, MAGIC_VNODE); 2745 COUNTER_INC(vnode_check_write); 2746 2747 return (0); 2748 } 2749 2750 COUNTER_DECL(vnode_copy_label); 2751 static void 2752 test_vnode_copy_label(struct label *src, struct label *dest) 2753 { 2754 2755 LABEL_CHECK(src, MAGIC_VNODE); 2756 LABEL_CHECK(dest, MAGIC_VNODE); 2757 COUNTER_INC(vnode_copy_label); 2758 } 2759 2760 COUNTER_DECL(vnode_create_extattr); 2761 static int 2762 test_vnode_create_extattr(struct ucred *cred, struct mount *mp, 2763 struct label *mplabel, struct vnode *dvp, struct label *dvplabel, 2764 struct vnode *vp, struct label *vplabel, struct componentname *cnp) 2765 { 2766 2767 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2768 LABEL_CHECK(mplabel, MAGIC_MOUNT); 2769 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2770 COUNTER_INC(vnode_create_extattr); 2771 2772 return (0); 2773 } 2774 2775 COUNTER_DECL(vnode_destroy_label); 2776 static void 2777 test_vnode_destroy_label(struct label *label) 2778 { 2779 2780 LABEL_DESTROY(label, MAGIC_VNODE); 2781 COUNTER_INC(vnode_destroy_label); 2782 } 2783 2784 COUNTER_DECL(vnode_execve_transition); 2785 static void 2786 test_vnode_execve_transition(struct ucred *old, struct ucred *new, 2787 struct vnode *vp, struct label *filelabel, 2788 struct label *interpvplabel, struct image_params *imgp, 2789 struct label *execlabel) 2790 { 2791 2792 LABEL_CHECK(old->cr_label, MAGIC_CRED); 2793 LABEL_CHECK(new->cr_label, MAGIC_CRED); 2794 LABEL_CHECK(filelabel, MAGIC_VNODE); 2795 LABEL_CHECK(interpvplabel, MAGIC_VNODE); 2796 LABEL_CHECK(execlabel, MAGIC_CRED); 2797 COUNTER_INC(vnode_execve_transition); 2798 } 2799 2800 COUNTER_DECL(vnode_execve_will_transition); 2801 static int 2802 test_vnode_execve_will_transition(struct ucred *old, struct vnode *vp, 2803 struct label *filelabel, struct label *interpvplabel, 2804 struct image_params *imgp, struct label *execlabel) 2805 { 2806 2807 LABEL_CHECK(old->cr_label, MAGIC_CRED); 2808 LABEL_CHECK(filelabel, MAGIC_VNODE); 2809 LABEL_CHECK(interpvplabel, MAGIC_VNODE); 2810 LABEL_CHECK(execlabel, MAGIC_CRED); 2811 COUNTER_INC(vnode_execve_will_transition); 2812 2813 return (0); 2814 } 2815 2816 COUNTER_DECL(vnode_externalize_label); 2817 static int 2818 test_vnode_externalize_label(struct label *label, char *element_name, 2819 struct sbuf *sb, int *claimed) 2820 { 2821 2822 LABEL_CHECK(label, MAGIC_VNODE); 2823 COUNTER_INC(vnode_externalize_label); 2824 2825 return (0); 2826 } 2827 2828 COUNTER_DECL(vnode_init_label); 2829 static void 2830 test_vnode_init_label(struct label *label) 2831 { 2832 2833 LABEL_INIT(label, MAGIC_VNODE); 2834 COUNTER_INC(vnode_init_label); 2835 } 2836 2837 COUNTER_DECL(vnode_internalize_label); 2838 static int 2839 test_vnode_internalize_label(struct label *label, char *element_name, 2840 char *element_data, int *claimed) 2841 { 2842 2843 LABEL_CHECK(label, MAGIC_VNODE); 2844 COUNTER_INC(vnode_internalize_label); 2845 2846 return (0); 2847 } 2848 2849 COUNTER_DECL(vnode_relabel); 2850 static void 2851 test_vnode_relabel(struct ucred *cred, struct vnode *vp, 2852 struct label *vplabel, struct label *label) 2853 { 2854 2855 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2856 LABEL_CHECK(vplabel, MAGIC_VNODE); 2857 LABEL_CHECK(label, MAGIC_VNODE); 2858 COUNTER_INC(vnode_relabel); 2859 } 2860 2861 COUNTER_DECL(vnode_setlabel_extattr); 2862 static int 2863 test_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, 2864 struct label *vplabel, struct label *intlabel) 2865 { 2866 2867 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2868 LABEL_CHECK(vplabel, MAGIC_VNODE); 2869 LABEL_CHECK(intlabel, MAGIC_VNODE); 2870 COUNTER_INC(vnode_setlabel_extattr); 2871 2872 return (0); 2873 } 2874 2875 static struct mac_policy_ops test_ops = 2876 { 2877 .mpo_bpfdesc_check_receive = test_bpfdesc_check_receive, 2878 .mpo_bpfdesc_create = test_bpfdesc_create, 2879 .mpo_bpfdesc_create_mbuf = test_bpfdesc_create_mbuf, 2880 .mpo_bpfdesc_destroy_label = test_bpfdesc_destroy_label, 2881 .mpo_bpfdesc_init_label = test_bpfdesc_init_label, 2882 2883 .mpo_cred_check_relabel = test_cred_check_relabel, 2884 .mpo_cred_check_visible = test_cred_check_visible, 2885 .mpo_cred_copy_label = test_cred_copy_label, 2886 .mpo_cred_create_init = test_cred_create_init, 2887 .mpo_cred_create_swapper = test_cred_create_swapper, 2888 .mpo_cred_destroy_label = test_cred_destroy_label, 2889 .mpo_cred_externalize_label = test_cred_externalize_label, 2890 .mpo_cred_init_label = test_cred_init_label, 2891 .mpo_cred_internalize_label = test_cred_internalize_label, 2892 .mpo_cred_relabel = test_cred_relabel, 2893 2894 .mpo_devfs_create_device = test_devfs_create_device, 2895 .mpo_devfs_create_directory = test_devfs_create_directory, 2896 .mpo_devfs_create_symlink = test_devfs_create_symlink, 2897 .mpo_devfs_destroy_label = test_devfs_destroy_label, 2898 .mpo_devfs_init_label = test_devfs_init_label, 2899 .mpo_devfs_update = test_devfs_update, 2900 .mpo_devfs_vnode_associate = test_devfs_vnode_associate, 2901 2902 .mpo_ifnet_check_relabel = test_ifnet_check_relabel, 2903 .mpo_ifnet_check_transmit = test_ifnet_check_transmit, 2904 .mpo_ifnet_copy_label = test_ifnet_copy_label, 2905 .mpo_ifnet_create = test_ifnet_create, 2906 .mpo_ifnet_create_mbuf = test_ifnet_create_mbuf, 2907 .mpo_ifnet_destroy_label = test_ifnet_destroy_label, 2908 .mpo_ifnet_externalize_label = test_ifnet_externalize_label, 2909 .mpo_ifnet_init_label = test_ifnet_init_label, 2910 .mpo_ifnet_internalize_label = test_ifnet_internalize_label, 2911 .mpo_ifnet_relabel = test_ifnet_relabel, 2912 2913 .mpo_syncache_destroy_label = test_syncache_destroy_label, 2914 .mpo_syncache_init_label = test_syncache_init_label, 2915 2916 .mpo_sysvmsg_destroy_label = test_sysvmsg_destroy_label, 2917 .mpo_sysvmsg_init_label = test_sysvmsg_init_label, 2918 2919 .mpo_sysvmsq_destroy_label = test_sysvmsq_destroy_label, 2920 .mpo_sysvmsq_init_label = test_sysvmsq_init_label, 2921 2922 .mpo_sysvsem_destroy_label = test_sysvsem_destroy_label, 2923 .mpo_sysvsem_init_label = test_sysvsem_init_label, 2924 2925 .mpo_sysvshm_destroy_label = test_sysvshm_destroy_label, 2926 .mpo_sysvshm_init_label = test_sysvshm_init_label, 2927 2928 .mpo_inpcb_check_deliver = test_inpcb_check_deliver, 2929 .mpo_inpcb_check_visible = test_inpcb_check_visible, 2930 .mpo_inpcb_create = test_inpcb_create, 2931 .mpo_inpcb_create_mbuf = test_inpcb_create_mbuf, 2932 .mpo_inpcb_destroy_label = test_inpcb_destroy_label, 2933 .mpo_inpcb_init_label = test_inpcb_init_label, 2934 .mpo_inpcb_sosetlabel = test_inpcb_sosetlabel, 2935 2936 .mpo_ip6q_create = test_ip6q_create, 2937 .mpo_ip6q_destroy_label = test_ip6q_destroy_label, 2938 .mpo_ip6q_init_label = test_ip6q_init_label, 2939 .mpo_ip6q_match = test_ip6q_match, 2940 .mpo_ip6q_reassemble = test_ip6q_reassemble, 2941 .mpo_ip6q_update = test_ip6q_update, 2942 2943 .mpo_ipq_create = test_ipq_create, 2944 .mpo_ipq_destroy_label = test_ipq_destroy_label, 2945 .mpo_ipq_init_label = test_ipq_init_label, 2946 .mpo_ipq_match = test_ipq_match, 2947 .mpo_ipq_reassemble = test_ipq_reassemble, 2948 .mpo_ipq_update = test_ipq_update, 2949 2950 .mpo_kenv_check_dump = test_kenv_check_dump, 2951 .mpo_kenv_check_get = test_kenv_check_get, 2952 .mpo_kenv_check_set = test_kenv_check_set, 2953 .mpo_kenv_check_unset = test_kenv_check_unset, 2954 2955 .mpo_kld_check_load = test_kld_check_load, 2956 .mpo_kld_check_stat = test_kld_check_stat, 2957 2958 .mpo_mbuf_copy_label = test_mbuf_copy_label, 2959 .mpo_mbuf_destroy_label = test_mbuf_destroy_label, 2960 .mpo_mbuf_init_label = test_mbuf_init_label, 2961 2962 .mpo_mount_check_stat = test_mount_check_stat, 2963 .mpo_mount_create = test_mount_create, 2964 .mpo_mount_destroy_label = test_mount_destroy_label, 2965 .mpo_mount_init_label = test_mount_init_label, 2966 2967 .mpo_netatalk_aarp_send = test_netatalk_aarp_send, 2968 2969 .mpo_netinet_arp_send = test_netinet_arp_send, 2970 .mpo_netinet_fragment = test_netinet_fragment, 2971 .mpo_netinet_icmp_reply = test_netinet_icmp_reply, 2972 .mpo_netinet_icmp_replyinplace = test_netinet_icmp_replyinplace, 2973 .mpo_netinet_igmp_send = test_netinet_igmp_send, 2974 .mpo_netinet_tcp_reply = test_netinet_tcp_reply, 2975 2976 .mpo_netinet6_nd6_send = test_netinet6_nd6_send, 2977 2978 .mpo_pipe_check_ioctl = test_pipe_check_ioctl, 2979 .mpo_pipe_check_poll = test_pipe_check_poll, 2980 .mpo_pipe_check_read = test_pipe_check_read, 2981 .mpo_pipe_check_relabel = test_pipe_check_relabel, 2982 .mpo_pipe_check_stat = test_pipe_check_stat, 2983 .mpo_pipe_check_write = test_pipe_check_write, 2984 .mpo_pipe_copy_label = test_pipe_copy_label, 2985 .mpo_pipe_create = test_pipe_create, 2986 .mpo_pipe_destroy_label = test_pipe_destroy_label, 2987 .mpo_pipe_externalize_label = test_pipe_externalize_label, 2988 .mpo_pipe_init_label = test_pipe_init_label, 2989 .mpo_pipe_internalize_label = test_pipe_internalize_label, 2990 .mpo_pipe_relabel = test_pipe_relabel, 2991 2992 .mpo_posixsem_check_getvalue = test_posixsem_check_getvalue, 2993 .mpo_posixsem_check_open = test_posixsem_check_open, 2994 .mpo_posixsem_check_post = test_posixsem_check_post, 2995 .mpo_posixsem_check_stat = test_posixsem_check_stat, 2996 .mpo_posixsem_check_unlink = test_posixsem_check_unlink, 2997 .mpo_posixsem_check_wait = test_posixsem_check_wait, 2998 .mpo_posixsem_create = test_posixsem_create, 2999 .mpo_posixsem_destroy_label = test_posixsem_destroy_label, 3000 .mpo_posixsem_init_label = test_posixsem_init_label, 3001 3002 .mpo_posixshm_check_mmap = test_posixshm_check_mmap, 3003 .mpo_posixshm_check_open = test_posixshm_check_open, 3004 .mpo_posixshm_check_stat = test_posixshm_check_stat, 3005 .mpo_posixshm_check_truncate = test_posixshm_check_truncate, 3006 .mpo_posixshm_check_unlink = test_posixshm_check_unlink, 3007 .mpo_posixshm_create = test_posixshm_create, 3008 .mpo_posixshm_destroy_label = test_posixshm_destroy_label, 3009 .mpo_posixshm_init_label = test_posixshm_init_label, 3010 3011 .mpo_proc_check_debug = test_proc_check_debug, 3012 .mpo_proc_check_sched = test_proc_check_sched, 3013 .mpo_proc_check_setaudit = test_proc_check_setaudit, 3014 .mpo_proc_check_setaudit_addr = test_proc_check_setaudit_addr, 3015 .mpo_proc_check_setauid = test_proc_check_setauid, 3016 .mpo_proc_check_seteuid = test_proc_check_seteuid, 3017 .mpo_proc_check_setegid = test_proc_check_setegid, 3018 .mpo_proc_check_setgid = test_proc_check_setgid, 3019 .mpo_proc_check_setgroups = test_proc_check_setgroups, 3020 .mpo_proc_check_setregid = test_proc_check_setregid, 3021 .mpo_proc_check_setresgid = test_proc_check_setresgid, 3022 .mpo_proc_check_setresuid = test_proc_check_setresuid, 3023 .mpo_proc_check_setreuid = test_proc_check_setreuid, 3024 .mpo_proc_check_setuid = test_proc_check_setuid, 3025 .mpo_proc_check_signal = test_proc_check_signal, 3026 .mpo_proc_check_wait = test_proc_check_wait, 3027 .mpo_proc_destroy_label = test_proc_destroy_label, 3028 .mpo_proc_init_label = test_proc_init_label, 3029 3030 .mpo_socket_check_accept = test_socket_check_accept, 3031 .mpo_socket_check_bind = test_socket_check_bind, 3032 .mpo_socket_check_connect = test_socket_check_connect, 3033 .mpo_socket_check_deliver = test_socket_check_deliver, 3034 .mpo_socket_check_listen = test_socket_check_listen, 3035 .mpo_socket_check_poll = test_socket_check_poll, 3036 .mpo_socket_check_receive = test_socket_check_receive, 3037 .mpo_socket_check_relabel = test_socket_check_relabel, 3038 .mpo_socket_check_send = test_socket_check_send, 3039 .mpo_socket_check_stat = test_socket_check_stat, 3040 .mpo_socket_check_visible = test_socket_check_visible, 3041 .mpo_socket_copy_label = test_socket_copy_label, 3042 .mpo_socket_create = test_socket_create, 3043 .mpo_socket_create_mbuf = test_socket_create_mbuf, 3044 .mpo_socket_destroy_label = test_socket_destroy_label, 3045 .mpo_socket_externalize_label = test_socket_externalize_label, 3046 .mpo_socket_init_label = test_socket_init_label, 3047 .mpo_socket_internalize_label = test_socket_internalize_label, 3048 .mpo_socket_newconn = test_socket_newconn, 3049 .mpo_socket_relabel = test_socket_relabel, 3050 3051 .mpo_socketpeer_destroy_label = test_socketpeer_destroy_label, 3052 .mpo_socketpeer_externalize_label = test_socketpeer_externalize_label, 3053 .mpo_socketpeer_init_label = test_socketpeer_init_label, 3054 .mpo_socketpeer_set_from_mbuf = test_socketpeer_set_from_mbuf, 3055 .mpo_socketpeer_set_from_socket = test_socketpeer_set_from_socket, 3056 3057 .mpo_syncache_create = test_syncache_create, 3058 .mpo_syncache_create_mbuf = test_syncache_create_mbuf, 3059 3060 .mpo_system_check_acct = test_system_check_acct, 3061 .mpo_system_check_audit = test_system_check_audit, 3062 .mpo_system_check_auditctl = test_system_check_auditctl, 3063 .mpo_system_check_auditon = test_system_check_auditon, 3064 .mpo_system_check_reboot = test_system_check_reboot, 3065 .mpo_system_check_swapoff = test_system_check_swapoff, 3066 .mpo_system_check_swapon = test_system_check_swapon, 3067 .mpo_system_check_sysctl = test_system_check_sysctl, 3068 3069 .mpo_vnode_check_access = test_vnode_check_access, 3070 .mpo_sysvmsg_cleanup = test_sysvmsg_cleanup, 3071 .mpo_sysvmsg_create = test_sysvmsg_create, 3072 3073 .mpo_sysvmsq_check_msgmsq = test_sysvmsq_check_msgmsq, 3074 .mpo_sysvmsq_check_msgrcv = test_sysvmsq_check_msgrcv, 3075 .mpo_sysvmsq_check_msgrmid = test_sysvmsq_check_msgrmid, 3076 .mpo_sysvmsq_check_msqget = test_sysvmsq_check_msqget, 3077 .mpo_sysvmsq_check_msqsnd = test_sysvmsq_check_msqsnd, 3078 .mpo_sysvmsq_check_msqrcv = test_sysvmsq_check_msqrcv, 3079 .mpo_sysvmsq_check_msqctl = test_sysvmsq_check_msqctl, 3080 .mpo_sysvmsq_cleanup = test_sysvmsq_cleanup, 3081 .mpo_sysvmsq_create = test_sysvmsq_create, 3082 3083 .mpo_sysvsem_check_semctl = test_sysvsem_check_semctl, 3084 .mpo_sysvsem_check_semget = test_sysvsem_check_semget, 3085 .mpo_sysvsem_check_semop = test_sysvsem_check_semop, 3086 .mpo_sysvsem_cleanup = test_sysvsem_cleanup, 3087 .mpo_sysvsem_create = test_sysvsem_create, 3088 3089 .mpo_sysvshm_check_shmat = test_sysvshm_check_shmat, 3090 .mpo_sysvshm_check_shmctl = test_sysvshm_check_shmctl, 3091 .mpo_sysvshm_check_shmdt = test_sysvshm_check_shmdt, 3092 .mpo_sysvshm_check_shmget = test_sysvshm_check_shmget, 3093 .mpo_sysvshm_cleanup = test_sysvshm_cleanup, 3094 .mpo_sysvshm_create = test_sysvshm_create, 3095 3096 .mpo_thread_userret = test_thread_userret, 3097 3098 .mpo_vnode_associate_extattr = test_vnode_associate_extattr, 3099 .mpo_vnode_associate_singlelabel = test_vnode_associate_singlelabel, 3100 .mpo_vnode_check_chdir = test_vnode_check_chdir, 3101 .mpo_vnode_check_chroot = test_vnode_check_chroot, 3102 .mpo_vnode_check_create = test_vnode_check_create, 3103 .mpo_vnode_check_deleteacl = test_vnode_check_deleteacl, 3104 .mpo_vnode_check_deleteextattr = test_vnode_check_deleteextattr, 3105 .mpo_vnode_check_exec = test_vnode_check_exec, 3106 .mpo_vnode_check_getacl = test_vnode_check_getacl, 3107 .mpo_vnode_check_getextattr = test_vnode_check_getextattr, 3108 .mpo_vnode_check_link = test_vnode_check_link, 3109 .mpo_vnode_check_listextattr = test_vnode_check_listextattr, 3110 .mpo_vnode_check_lookup = test_vnode_check_lookup, 3111 .mpo_vnode_check_mmap = test_vnode_check_mmap, 3112 .mpo_vnode_check_open = test_vnode_check_open, 3113 .mpo_vnode_check_poll = test_vnode_check_poll, 3114 .mpo_vnode_check_read = test_vnode_check_read, 3115 .mpo_vnode_check_readdir = test_vnode_check_readdir, 3116 .mpo_vnode_check_readlink = test_vnode_check_readlink, 3117 .mpo_vnode_check_relabel = test_vnode_check_relabel, 3118 .mpo_vnode_check_rename_from = test_vnode_check_rename_from, 3119 .mpo_vnode_check_rename_to = test_vnode_check_rename_to, 3120 .mpo_vnode_check_revoke = test_vnode_check_revoke, 3121 .mpo_vnode_check_setacl = test_vnode_check_setacl, 3122 .mpo_vnode_check_setextattr = test_vnode_check_setextattr, 3123 .mpo_vnode_check_setflags = test_vnode_check_setflags, 3124 .mpo_vnode_check_setmode = test_vnode_check_setmode, 3125 .mpo_vnode_check_setowner = test_vnode_check_setowner, 3126 .mpo_vnode_check_setutimes = test_vnode_check_setutimes, 3127 .mpo_vnode_check_stat = test_vnode_check_stat, 3128 .mpo_vnode_check_unlink = test_vnode_check_unlink, 3129 .mpo_vnode_check_write = test_vnode_check_write, 3130 .mpo_vnode_copy_label = test_vnode_copy_label, 3131 .mpo_vnode_create_extattr = test_vnode_create_extattr, 3132 .mpo_vnode_destroy_label = test_vnode_destroy_label, 3133 .mpo_vnode_execve_transition = test_vnode_execve_transition, 3134 .mpo_vnode_execve_will_transition = test_vnode_execve_will_transition, 3135 .mpo_vnode_externalize_label = test_vnode_externalize_label, 3136 .mpo_vnode_init_label = test_vnode_init_label, 3137 .mpo_vnode_internalize_label = test_vnode_internalize_label, 3138 .mpo_vnode_relabel = test_vnode_relabel, 3139 .mpo_vnode_setlabel_extattr = test_vnode_setlabel_extattr, 3140 }; 3141 3142 MAC_POLICY_SET(&test_ops, mac_test, "TrustedBSD MAC/Test", 3143 MPC_LOADTIME_FLAG_UNLOADOK, &test_slot); 3144