/*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2005 McAfee, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by McAfee
 * Research, the Security Research Division of McAfee, Inc. under
 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
 * CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */

/*
 * Developed by the TrustedBSD Project.
 * Generic mandatory access module that does nothing.
 *
 * "Nothing" here means: no access-control decision is ever influenced.
 * What the module does do is stamp every label it initializes with a
 * per-object-type magic value and KASSERT, at each labeling event, that
 * the labels it is handed still carry the expected magic.  It exists to
 * catch label lifecycle bugs (wrong label type passed to a hook, use of a
 * destroyed label, double destroy) in the MAC framework and in other
 * policies.
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/kdb.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <sys/msg.h>
#include <sys/sem.h>
#include <sys/shm.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

/* security.mac.test: knobs and counters exported by this policy. */
SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * Read/write enable knob.  None of the label operations in this part of
 * the file consult it; presumably the check_* entry points further down
 * do -- confirm before relying on it to silence the assertions.
 */
static int	mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");

/*
 * One magic value per labeled object type.  The value is written into this
 * policy's label slot on init and checked by the ASSERT_*_LABEL() macros
 * at every subsequent labeling event.  EXMAGIC is written on destroy so
 * that a label which is destroyed twice, or used after destruction, can be
 * told apart from one that was merely corrupted.  Note that mount_fs and
 * socket_peer labels reuse MOUNTMAGIC and SOCKETMAGIC respectively, so the
 * two are not distinguished from their parent type by the checks.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	INPCBMAGIC	0x4440f7bb
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	SYSVIPCMSQMAGIC	0xea672391
#define	SYSVIPCMSGMAGIC	0x8bbba61e
#define	SYSVIPCSEMMAGIC	0x896e8a0b
#define	SYSVIPCSHMMAGIC	0x76119ab0
#define	PIPEMAGIC	0xdc6c9919
#define	POSIXSEMMAGIC	0x78ae980c
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
#define	EXMAGIC		0x849ba1fd

/*
 * This policy's slot in a struct label, viewed as a long.  test_slot is
 * the slot index the framework assigned to us (exported read-only as
 * security.mac.test.slot).
 */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long

/*
 * Label sanity checks, one per object type.  A slot value of 0 is accepted
 * alongside the magic -- presumably for label storage that was zeroed but
 * never passed through this policy's init hook (e.g. the policy was loaded
 * after the object was created); confirm against the framework before
 * tightening.  The checks are KASSERTs and so compile away without
 * INVARIANTS.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
#define ASSERT_IFNET_LABEL(x) KASSERT(SLOT(x) == IFNETMAGIC || \ 111 SLOT(x) == 0, ("%s: Bad IFNET label", __func__ )) 112 #define ASSERT_INPCB_LABEL(x) KASSERT(SLOT(x) == INPCBMAGIC || \ 113 SLOT(x) == 0, ("%s: Bad INPCB label", __func__ )) 114 #define ASSERT_IPQ_LABEL(x) KASSERT(SLOT(x) == IPQMAGIC || \ 115 SLOT(x) == 0, ("%s: Bad IPQ label", __func__ )) 116 #define ASSERT_MBUF_LABEL(x) KASSERT(x == NULL || \ 117 SLOT(x) == MBUFMAGIC || SLOT(x) == 0, \ 118 ("%s: Bad MBUF label", __func__ )) 119 #define ASSERT_MOUNT_LABEL(x) KASSERT(SLOT(x) == MOUNTMAGIC || \ 120 SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ )) 121 #define ASSERT_SOCKET_LABEL(x) KASSERT(SLOT(x) == SOCKETMAGIC || \ 122 SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ )) 123 #define ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC || \ 124 SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__ )) 125 #define ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC || \ 126 SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__ )) 127 #define ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC || \ 128 SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__ )) 129 #define ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC || \ 130 SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__ )) 131 #define ASSERT_PIPE_LABEL(x) KASSERT(SLOT(x) == PIPEMAGIC || \ 132 SLOT(x) == 0, ("%s: Bad PIPE label", __func__ )) 133 #define ASSERT_PROC_LABEL(x) KASSERT(SLOT(x) == PROCMAGIC || \ 134 SLOT(x) == 0, ("%s: Bad PROC label", __func__ )) 135 #define ASSERT_CRED_LABEL(x) KASSERT(SLOT(x) == CREDMAGIC || \ 136 SLOT(x) == 0, ("%s: Bad CRED label", __func__ )) 137 #define ASSERT_VNODE_LABEL(x) KASSERT(SLOT(x) == VNODEMAGIC || \ 138 SLOT(x) == 0, ("%s: Bad VNODE label", __func__ )) 139 140 static int test_slot; 141 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 142 &test_slot, 0, "Slot allocated by framework"); 143 144 static int init_count_bpfdesc; 145 SYSCTL_INT(_security_mac_test, 
OID_AUTO, init_count_bpfdesc, CTLFLAG_RD, 146 &init_count_bpfdesc, 0, "bpfdesc init calls"); 147 static int init_count_cred; 148 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD, 149 &init_count_cred, 0, "cred init calls"); 150 static int init_count_devfsdirent; 151 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD, 152 &init_count_devfsdirent, 0, "devfsdirent init calls"); 153 static int init_count_ifnet; 154 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD, 155 &init_count_ifnet, 0, "ifnet init calls"); 156 static int init_count_inpcb; 157 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD, 158 &init_count_inpcb, 0, "inpcb init calls"); 159 static int init_count_sysv_msg; 160 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD, 161 &init_count_sysv_msg, 0, "ipc_msg init calls"); 162 static int init_count_sysv_msq; 163 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD, 164 &init_count_sysv_msq, 0, "ipc_msq init calls"); 165 static int init_count_sysv_sema; 166 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sema, CTLFLAG_RD, 167 &init_count_sysv_sema, 0, "ipc_sema init calls"); 168 static int init_count_sysv_shm; 169 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD, 170 &init_count_sysv_shm, 0, "ipc_shm init calls"); 171 static int init_count_ipq; 172 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD, 173 &init_count_ipq, 0, "ipq init calls"); 174 static int init_count_mbuf; 175 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD, 176 &init_count_mbuf, 0, "mbuf init calls"); 177 static int init_count_mount; 178 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD, 179 &init_count_mount, 0, "mount init calls"); 180 static int init_count_mount_fslabel; 181 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD, 182 
&init_count_mount_fslabel, 0, "mount_fslabel init calls"); 183 static int init_count_socket; 184 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD, 185 &init_count_socket, 0, "socket init calls"); 186 static int init_count_socket_peerlabel; 187 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel, 188 CTLFLAG_RD, &init_count_socket_peerlabel, 0, 189 "socket_peerlabel init calls"); 190 static int init_count_pipe; 191 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD, 192 &init_count_pipe, 0, "pipe init calls"); 193 static int init_count_proc; 194 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD, 195 &init_count_proc, 0, "proc init calls"); 196 static int init_count_vnode; 197 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD, 198 &init_count_vnode, 0, "vnode init calls"); 199 200 static int destroy_count_bpfdesc; 201 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD, 202 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls"); 203 static int destroy_count_cred; 204 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD, 205 &destroy_count_cred, 0, "cred destroy calls"); 206 static int destroy_count_devfsdirent; 207 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD, 208 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls"); 209 static int destroy_count_ifnet; 210 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD, 211 &destroy_count_ifnet, 0, "ifnet destroy calls"); 212 static int destroy_count_inpcb; 213 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD, 214 &destroy_count_inpcb, 0, "inpcb destroy calls"); 215 static int destroy_count_sysv_msg; 216 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD, 217 &destroy_count_sysv_msg, 0, "ipc_msg destroy calls"); 218 static int destroy_count_sysv_msq; 219 SYSCTL_INT(_security_mac_test, 
OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD, 220 &destroy_count_sysv_msq, 0, "ipc_msq destroy calls"); 221 static int destroy_count_sysv_sema; 222 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sema, CTLFLAG_RD, 223 &destroy_count_sysv_sema, 0, "ipc_sema destroy calls"); 224 static int destroy_count_sysv_shm; 225 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD, 226 &destroy_count_sysv_shm, 0, "ipc_shm destroy calls"); 227 static int destroy_count_ipq; 228 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD, 229 &destroy_count_ipq, 0, "ipq destroy calls"); 230 static int destroy_count_mbuf; 231 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD, 232 &destroy_count_mbuf, 0, "mbuf destroy calls"); 233 static int destroy_count_mount; 234 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD, 235 &destroy_count_mount, 0, "mount destroy calls"); 236 static int destroy_count_mount_fslabel; 237 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel, 238 CTLFLAG_RD, &destroy_count_mount_fslabel, 0, 239 "mount_fslabel destroy calls"); 240 static int destroy_count_socket; 241 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD, 242 &destroy_count_socket, 0, "socket destroy calls"); 243 static int destroy_count_socket_peerlabel; 244 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel, 245 CTLFLAG_RD, &destroy_count_socket_peerlabel, 0, 246 "socket_peerlabel destroy calls"); 247 static int destroy_count_pipe; 248 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD, 249 &destroy_count_pipe, 0, "pipe destroy calls"); 250 static int destroy_count_proc; 251 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD, 252 &destroy_count_proc, 0, "proc destroy calls"); 253 static int destroy_count_vnode; 254 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD, 255 
&destroy_count_vnode, 0, "vnode destroy calls"); 256 257 static int externalize_count; 258 SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD, 259 &externalize_count, 0, "Subject/object externalize calls"); 260 static int internalize_count; 261 SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD, 262 &internalize_count, 0, "Subject/object internalize calls"); 263 264 #ifdef KDB 265 #define DEBUGGER(x) kdb_enter(x) 266 #else 267 #define DEBUGGER(x) printf("mac_test: %s\n", (x)) 268 #endif 269 270 /* 271 * Policy module operations. 272 */ 273 static void 274 mac_test_destroy(struct mac_policy_conf *conf) 275 { 276 277 } 278 279 static void 280 mac_test_init(struct mac_policy_conf *conf) 281 { 282 283 } 284 285 static int 286 mac_test_syscall(struct thread *td, int call, void *arg) 287 { 288 289 return (0); 290 } 291 292 /* 293 * Label operations. 294 */ 295 static void 296 mac_test_init_bpfdesc_label(struct label *label) 297 { 298 299 SLOT(label) = BPFMAGIC; 300 atomic_add_int(&init_count_bpfdesc, 1); 301 } 302 303 static void 304 mac_test_init_cred_label(struct label *label) 305 { 306 307 SLOT(label) = CREDMAGIC; 308 atomic_add_int(&init_count_cred, 1); 309 } 310 311 static void 312 mac_test_init_devfsdirent_label(struct label *label) 313 { 314 315 SLOT(label) = DEVFSMAGIC; 316 atomic_add_int(&init_count_devfsdirent, 1); 317 } 318 319 static void 320 mac_test_init_ifnet_label(struct label *label) 321 { 322 323 SLOT(label) = IFNETMAGIC; 324 atomic_add_int(&init_count_ifnet, 1); 325 } 326 327 static int 328 mac_test_init_inpcb_label(struct label *label, int flag) 329 { 330 331 if (flag & M_WAITOK) 332 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 333 "mac_test_init_inpcb_label() at %s:%d", __FILE__, 334 __LINE__); 335 336 SLOT(label) = INPCBMAGIC; 337 atomic_add_int(&init_count_inpcb, 1); 338 return (0); 339 } 340 341 static void 342 mac_test_init_sysv_msgmsg_label(struct label *label) 343 { 344 SLOT(label) = SYSVIPCMSGMAGIC; 
345 atomic_add_int(&init_count_sysv_msg, 1); 346 } 347 348 static void 349 mac_test_init_sysv_msgqueue_label(struct label *label) 350 { 351 SLOT(label) = SYSVIPCMSQMAGIC; 352 atomic_add_int(&init_count_sysv_msq, 1); 353 } 354 355 static void 356 mac_test_init_sysv_sema_label(struct label *label) 357 { 358 SLOT(label) = SYSVIPCSEMMAGIC; 359 atomic_add_int(&init_count_sysv_sema, 1); 360 } 361 362 static void 363 mac_test_init_sysv_shm_label(struct label *label) 364 { 365 SLOT(label) = SYSVIPCSHMMAGIC; 366 atomic_add_int(&init_count_sysv_shm, 1); 367 } 368 369 static int 370 mac_test_init_ipq_label(struct label *label, int flag) 371 { 372 373 if (flag & M_WAITOK) 374 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 375 "mac_test_init_ipq_label() at %s:%d", __FILE__, 376 __LINE__); 377 378 SLOT(label) = IPQMAGIC; 379 atomic_add_int(&init_count_ipq, 1); 380 return (0); 381 } 382 383 static int 384 mac_test_init_mbuf_label(struct label *label, int flag) 385 { 386 387 if (flag & M_WAITOK) 388 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 389 "mac_test_init_mbuf_label() at %s:%d", __FILE__, 390 __LINE__); 391 392 SLOT(label) = MBUFMAGIC; 393 atomic_add_int(&init_count_mbuf, 1); 394 return (0); 395 } 396 397 static void 398 mac_test_init_mount_label(struct label *label) 399 { 400 401 SLOT(label) = MOUNTMAGIC; 402 atomic_add_int(&init_count_mount, 1); 403 } 404 405 static void 406 mac_test_init_mount_fs_label(struct label *label) 407 { 408 409 SLOT(label) = MOUNTMAGIC; 410 atomic_add_int(&init_count_mount_fslabel, 1); 411 } 412 413 static int 414 mac_test_init_socket_label(struct label *label, int flag) 415 { 416 417 if (flag & M_WAITOK) 418 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 419 "mac_test_init_socket_label() at %s:%d", __FILE__, 420 __LINE__); 421 422 SLOT(label) = SOCKETMAGIC; 423 atomic_add_int(&init_count_socket, 1); 424 return (0); 425 } 426 427 static int 428 mac_test_init_socket_peer_label(struct label *label, int flag) 429 { 430 431 if (flag & M_WAITOK) 
432 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 433 "mac_test_init_socket_peer_label() at %s:%d", __FILE__, 434 __LINE__); 435 436 SLOT(label) = SOCKETMAGIC; 437 atomic_add_int(&init_count_socket_peerlabel, 1); 438 return (0); 439 } 440 441 static void 442 mac_test_init_pipe_label(struct label *label) 443 { 444 445 SLOT(label) = PIPEMAGIC; 446 atomic_add_int(&init_count_pipe, 1); 447 } 448 449 static void 450 mac_test_init_proc_label(struct label *label) 451 { 452 453 SLOT(label) = PROCMAGIC; 454 atomic_add_int(&init_count_proc, 1); 455 } 456 457 static void 458 mac_test_init_vnode_label(struct label *label) 459 { 460 461 SLOT(label) = VNODEMAGIC; 462 atomic_add_int(&init_count_vnode, 1); 463 } 464 465 static void 466 mac_test_destroy_bpfdesc_label(struct label *label) 467 { 468 469 if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) { 470 atomic_add_int(&destroy_count_bpfdesc, 1); 471 SLOT(label) = EXMAGIC; 472 } else if (SLOT(label) == EXMAGIC) { 473 DEBUGGER("mac_test_destroy_bpfdesc: dup destroy"); 474 } else { 475 DEBUGGER("mac_test_destroy_bpfdesc: corrupted label"); 476 } 477 } 478 479 static void 480 mac_test_destroy_cred_label(struct label *label) 481 { 482 483 if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) { 484 atomic_add_int(&destroy_count_cred, 1); 485 SLOT(label) = EXMAGIC; 486 } else if (SLOT(label) == EXMAGIC) { 487 DEBUGGER("mac_test_destroy_cred: dup destroy"); 488 } else { 489 DEBUGGER("mac_test_destroy_cred: corrupted label"); 490 } 491 } 492 493 static void 494 mac_test_destroy_devfsdirent_label(struct label *label) 495 { 496 497 if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) { 498 atomic_add_int(&destroy_count_devfsdirent, 1); 499 SLOT(label) = EXMAGIC; 500 } else if (SLOT(label) == EXMAGIC) { 501 DEBUGGER("mac_test_destroy_devfsdirent: dup destroy"); 502 } else { 503 DEBUGGER("mac_test_destroy_devfsdirent: corrupted label"); 504 } 505 } 506 507 static void 508 mac_test_destroy_ifnet_label(struct label *label) 509 { 510 511 if 
(SLOT(label) == IFNETMAGIC || SLOT(label) == 0) { 512 atomic_add_int(&destroy_count_ifnet, 1); 513 SLOT(label) = EXMAGIC; 514 } else if (SLOT(label) == EXMAGIC) { 515 DEBUGGER("mac_test_destroy_ifnet: dup destroy"); 516 } else { 517 DEBUGGER("mac_test_destroy_ifnet: corrupted label"); 518 } 519 } 520 521 static void 522 mac_test_destroy_inpcb_label(struct label *label) 523 { 524 525 if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) { 526 atomic_add_int(&destroy_count_inpcb, 1); 527 SLOT(label) = EXMAGIC; 528 } else if (SLOT(label) == EXMAGIC) { 529 DEBUGGER("mac_test_destroy_inpcb: dup destroy"); 530 } else { 531 DEBUGGER("mac_test_destroy_inpcb: corrupted label"); 532 } 533 } 534 535 static void 536 mac_test_destroy_sysv_msgmsg_label(struct label *label) 537 { 538 539 if (SLOT(label) == SYSVIPCMSGMAGIC || SLOT(label) == 0) { 540 atomic_add_int(&destroy_count_sysv_msg, 1); 541 SLOT(label) = EXMAGIC; 542 } else if (SLOT(label) == EXMAGIC) { 543 DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy"); 544 } else { 545 DEBUGGER( 546 "mac_test_destroy_sysv_msgmsg_label: corrupted label"); 547 } 548 } 549 550 static void 551 mac_test_destroy_sysv_msgqueue_label(struct label *label) 552 { 553 554 if (SLOT(label) == SYSVIPCMSQMAGIC || SLOT(label) == 0) { 555 atomic_add_int(&destroy_count_sysv_msq, 1); 556 SLOT(label) = EXMAGIC; 557 } else if (SLOT(label) == EXMAGIC) { 558 DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy"); 559 } else { 560 DEBUGGER( 561 "mac_test_destroy_sysv_msgqueue_label: corrupted label"); 562 } 563 } 564 565 static void 566 mac_test_destroy_sysv_sema_label(struct label *label) 567 { 568 569 if (SLOT(label) == SYSVIPCSEMMAGIC || SLOT(label) == 0) { 570 atomic_add_int(&destroy_count_sysv_sema, 1); 571 SLOT(label) = EXMAGIC; 572 } else if (SLOT(label) == EXMAGIC) { 573 DEBUGGER("mac_test_destroy_sysv_sema_label: dup destroy"); 574 } else { 575 DEBUGGER("mac_test_destroy_sysv_sema_label: corrupted label"); 576 } 577 } 578 579 static void 
580 mac_test_destroy_sysv_shm_label(struct label *label) 581 { 582 583 if (SLOT(label) == SYSVIPCSHMMAGIC || SLOT(label) == 0) { 584 atomic_add_int(&destroy_count_sysv_shm, 1); 585 SLOT(label) = EXMAGIC; 586 } else if (SLOT(label) == EXMAGIC) { 587 DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy"); 588 } else { 589 DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label"); 590 } 591 } 592 593 static void 594 mac_test_destroy_ipq_label(struct label *label) 595 { 596 597 if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) { 598 atomic_add_int(&destroy_count_ipq, 1); 599 SLOT(label) = EXMAGIC; 600 } else if (SLOT(label) == EXMAGIC) { 601 DEBUGGER("mac_test_destroy_ipq: dup destroy"); 602 } else { 603 DEBUGGER("mac_test_destroy_ipq: corrupted label"); 604 } 605 } 606 607 static void 608 mac_test_destroy_mbuf_label(struct label *label) 609 { 610 611 /* 612 * If we're loaded dynamically, there may be mbufs in flight that 613 * didn't have label storage allocated for them. Handle this 614 * gracefully. 
615 */ 616 if (label == NULL) 617 return; 618 619 if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) { 620 atomic_add_int(&destroy_count_mbuf, 1); 621 SLOT(label) = EXMAGIC; 622 } else if (SLOT(label) == EXMAGIC) { 623 DEBUGGER("mac_test_destroy_mbuf: dup destroy"); 624 } else { 625 DEBUGGER("mac_test_destroy_mbuf: corrupted label"); 626 } 627 } 628 629 static void 630 mac_test_destroy_mount_label(struct label *label) 631 { 632 633 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) { 634 atomic_add_int(&destroy_count_mount, 1); 635 SLOT(label) = EXMAGIC; 636 } else if (SLOT(label) == EXMAGIC) { 637 DEBUGGER("mac_test_destroy_mount: dup destroy"); 638 } else { 639 DEBUGGER("mac_test_destroy_mount: corrupted label"); 640 } 641 } 642 643 static void 644 mac_test_destroy_mount_fs_label(struct label *label) 645 { 646 647 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) { 648 atomic_add_int(&destroy_count_mount_fslabel, 1); 649 SLOT(label) = EXMAGIC; 650 } else if (SLOT(label) == EXMAGIC) { 651 DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy"); 652 } else { 653 DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label"); 654 } 655 } 656 657 static void 658 mac_test_destroy_socket_label(struct label *label) 659 { 660 661 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) { 662 atomic_add_int(&destroy_count_socket, 1); 663 SLOT(label) = EXMAGIC; 664 } else if (SLOT(label) == EXMAGIC) { 665 DEBUGGER("mac_test_destroy_socket: dup destroy"); 666 } else { 667 DEBUGGER("mac_test_destroy_socket: corrupted label"); 668 } 669 } 670 671 static void 672 mac_test_destroy_socket_peer_label(struct label *label) 673 { 674 675 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) { 676 atomic_add_int(&destroy_count_socket_peerlabel, 1); 677 SLOT(label) = EXMAGIC; 678 } else if (SLOT(label) == EXMAGIC) { 679 DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy"); 680 } else { 681 DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label"); 682 } 683 } 684 685 static 
void 686 mac_test_destroy_pipe_label(struct label *label) 687 { 688 689 if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) { 690 atomic_add_int(&destroy_count_pipe, 1); 691 SLOT(label) = EXMAGIC; 692 } else if (SLOT(label) == EXMAGIC) { 693 DEBUGGER("mac_test_destroy_pipe: dup destroy"); 694 } else { 695 DEBUGGER("mac_test_destroy_pipe: corrupted label"); 696 } 697 } 698 699 static void 700 mac_test_destroy_proc_label(struct label *label) 701 { 702 703 if ((SLOT(label) == PROCMAGIC || SLOT(label) == 0)) { 704 atomic_add_int(&destroy_count_proc, 1); 705 SLOT(label) = EXMAGIC; 706 } else if (SLOT(label) == EXMAGIC) { 707 DEBUGGER("mac_test_destroy_proc: dup destroy"); 708 } else { 709 DEBUGGER("mac_test_destroy_proc: corrupted label"); 710 } 711 } 712 713 static void 714 mac_test_destroy_vnode_label(struct label *label) 715 { 716 717 if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) { 718 atomic_add_int(&destroy_count_vnode, 1); 719 SLOT(label) = EXMAGIC; 720 } else if (SLOT(label) == EXMAGIC) { 721 DEBUGGER("mac_test_destroy_vnode: dup destroy"); 722 } else { 723 DEBUGGER("mac_test_destroy_vnode: corrupted label"); 724 } 725 } 726 727 static void 728 mac_test_copy_cred_label(struct label *src, struct label *dest) 729 { 730 731 ASSERT_CRED_LABEL(src); 732 ASSERT_CRED_LABEL(dest); 733 } 734 735 static void 736 mac_test_copy_ifnet_label(struct label *src, struct label *dest) 737 { 738 739 ASSERT_IFNET_LABEL(src); 740 ASSERT_IFNET_LABEL(dest); 741 } 742 743 static void 744 mac_test_copy_mbuf_label(struct label *src, struct label *dest) 745 { 746 747 ASSERT_MBUF_LABEL(src); 748 ASSERT_MBUF_LABEL(dest); 749 } 750 751 static void 752 mac_test_copy_pipe_label(struct label *src, struct label *dest) 753 { 754 755 ASSERT_PIPE_LABEL(src); 756 ASSERT_PIPE_LABEL(dest); 757 } 758 759 static void 760 mac_test_copy_socket_label(struct label *src, struct label *dest) 761 { 762 763 ASSERT_SOCKET_LABEL(src); 764 ASSERT_SOCKET_LABEL(dest); 765 } 766 767 static void 768 
mac_test_copy_vnode_label(struct label *src, struct label *dest) 769 { 770 771 ASSERT_VNODE_LABEL(src); 772 ASSERT_VNODE_LABEL(dest); 773 } 774 775 static int 776 mac_test_externalize_label(struct label *label, char *element_name, 777 struct sbuf *sb, int *claimed) 778 { 779 780 atomic_add_int(&externalize_count, 1); 781 782 KASSERT(SLOT(label) != EXMAGIC, 783 ("mac_test_externalize_label: destroyed label")); 784 785 return (0); 786 } 787 788 static int 789 mac_test_internalize_label(struct label *label, char *element_name, 790 char *element_data, int *claimed) 791 { 792 793 atomic_add_int(&internalize_count, 1); 794 795 KASSERT(SLOT(label) != EXMAGIC, 796 ("mac_test_internalize_label: destroyed label")); 797 798 return (0); 799 } 800 801 /* 802 * Labeling event operations: file system objects, and things that look 803 * a lot like file system objects. 804 */ 805 static void 806 mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel, 807 struct devfs_dirent *de, struct label *delabel, struct vnode *vp, 808 struct label *vlabel) 809 { 810 811 ASSERT_MOUNT_LABEL(fslabel); 812 ASSERT_DEVFS_LABEL(delabel); 813 ASSERT_VNODE_LABEL(vlabel); 814 } 815 816 static int 817 mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel, 818 struct vnode *vp, struct label *vlabel) 819 { 820 821 ASSERT_MOUNT_LABEL(fslabel); 822 ASSERT_VNODE_LABEL(vlabel); 823 return (0); 824 } 825 826 static void 827 mac_test_associate_vnode_singlelabel(struct mount *mp, 828 struct label *fslabel, struct vnode *vp, struct label *vlabel) 829 { 830 831 ASSERT_MOUNT_LABEL(fslabel); 832 ASSERT_VNODE_LABEL(vlabel); 833 } 834 835 static void 836 mac_test_create_devfs_device(struct mount *mp, struct cdev *dev, 837 struct devfs_dirent *devfs_dirent, struct label *label) 838 { 839 840 ASSERT_DEVFS_LABEL(label); 841 } 842 843 static void 844 mac_test_create_devfs_directory(struct mount *mp, char *dirname, 845 int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) 
846 { 847 848 ASSERT_DEVFS_LABEL(label); 849 } 850 851 static void 852 mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp, 853 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, 854 struct label *delabel) 855 { 856 857 ASSERT_CRED_LABEL(cred->cr_label); 858 ASSERT_DEVFS_LABEL(ddlabel); 859 ASSERT_DEVFS_LABEL(delabel); 860 } 861 862 static int 863 mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp, 864 struct label *fslabel, struct vnode *dvp, struct label *dlabel, 865 struct vnode *vp, struct label *vlabel, struct componentname *cnp) 866 { 867 868 ASSERT_CRED_LABEL(cred->cr_label); 869 ASSERT_MOUNT_LABEL(fslabel); 870 ASSERT_VNODE_LABEL(dlabel); 871 872 return (0); 873 } 874 875 static void 876 mac_test_create_mount(struct ucred *cred, struct mount *mp, 877 struct label *mntlabel, struct label *fslabel) 878 { 879 880 ASSERT_CRED_LABEL(cred->cr_label); 881 ASSERT_MOUNT_LABEL(mntlabel); 882 ASSERT_MOUNT_LABEL(fslabel); 883 } 884 885 static void 886 mac_test_create_root_mount(struct ucred *cred, struct mount *mp, 887 struct label *mntlabel, struct label *fslabel) 888 { 889 890 ASSERT_CRED_LABEL(cred->cr_label); 891 ASSERT_MOUNT_LABEL(mntlabel); 892 ASSERT_MOUNT_LABEL(fslabel); 893 } 894 895 static void 896 mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp, 897 struct label *vnodelabel, struct label *label) 898 { 899 900 ASSERT_CRED_LABEL(cred->cr_label); 901 ASSERT_VNODE_LABEL(vnodelabel); 902 ASSERT_VNODE_LABEL(label); 903 } 904 905 static int 906 mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, 907 struct label *vlabel, struct label *intlabel) 908 { 909 910 ASSERT_CRED_LABEL(cred->cr_label); 911 ASSERT_VNODE_LABEL(vlabel); 912 ASSERT_VNODE_LABEL(intlabel); 913 return (0); 914 } 915 916 static void 917 mac_test_update_devfsdirent(struct mount *mp, 918 struct devfs_dirent *devfs_dirent, struct label *direntlabel, 919 struct vnode *vp, struct label *vnodelabel) 920 { 921 922 
ASSERT_DEVFS_LABEL(direntlabel); 923 ASSERT_VNODE_LABEL(vnodelabel); 924 } 925 926 /* 927 * Labeling event operations: IPC object. 928 */ 929 static void 930 mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, 931 struct mbuf *m, struct label *mbuflabel) 932 { 933 934 ASSERT_SOCKET_LABEL(socketlabel); 935 ASSERT_MBUF_LABEL(mbuflabel); 936 } 937 938 static void 939 mac_test_create_socket(struct ucred *cred, struct socket *socket, 940 struct label *socketlabel) 941 { 942 943 ASSERT_CRED_LABEL(cred->cr_label); 944 ASSERT_SOCKET_LABEL(socketlabel); 945 } 946 947 static void 948 mac_test_create_pipe(struct ucred *cred, struct pipepair *pp, 949 struct label *pipelabel) 950 { 951 952 ASSERT_CRED_LABEL(cred->cr_label); 953 ASSERT_PIPE_LABEL(pipelabel); 954 } 955 956 static void 957 mac_test_create_socket_from_socket(struct socket *oldsocket, 958 struct label *oldsocketlabel, struct socket *newsocket, 959 struct label *newsocketlabel) 960 { 961 962 ASSERT_SOCKET_LABEL(oldsocketlabel); 963 ASSERT_SOCKET_LABEL(newsocketlabel); 964 } 965 966 static void 967 mac_test_relabel_socket(struct ucred *cred, struct socket *socket, 968 struct label *socketlabel, struct label *newlabel) 969 { 970 971 ASSERT_CRED_LABEL(cred->cr_label); 972 ASSERT_SOCKET_LABEL(newlabel); 973 } 974 975 static void 976 mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp, 977 struct label *pipelabel, struct label *newlabel) 978 { 979 980 ASSERT_CRED_LABEL(cred->cr_label); 981 ASSERT_PIPE_LABEL(pipelabel); 982 ASSERT_PIPE_LABEL(newlabel); 983 } 984 985 static void 986 mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, 987 struct socket *socket, struct label *socketpeerlabel) 988 { 989 990 ASSERT_MBUF_LABEL(mbuflabel); 991 ASSERT_SOCKET_LABEL(socketpeerlabel); 992 } 993 994 /* 995 * Labeling event operations: network objects. 
*/

/*
 * The hooks in this section validate the label slots they are handed via
 * the ASSERT_*_LABEL() macros and do nothing else; cred arguments that are
 * not asserted below are simply ignored by this policy.
 */

/* A socket's peer label is being set from another socket. */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}

/* A BPF descriptor is being created on behalf of cred. */
static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}

/* A datagram is being produced from an IP reassembly queue. */
static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}

/* A fragment is being produced from a datagram. */
static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}

/* A network interface is being created. */
static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
}

/* An inpcb is being created from its socket. */
static void
mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/* A System V message is being created on queue msqkptr; cred is not checked. */
static void
mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

/* A System V message queue is being created; cred is not checked. */
static void
mac_test_create_sysv_msgqueue(struct ucred *cred,
    struct msqid_kernel *msqkptr, struct label *msqlabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

/* A System V semaphore set is being created; cred is not checked. */
static void
mac_test_create_sysv_sema(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semalabel)
{

	ASSERT_SYSVIPCSEM_LABEL(semalabel);
}

/* A System V shared memory segment is being created; cred is not checked. */
static void
mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmlabel)
{

	ASSERT_SYSVIPCSHM_LABEL(shmlabel);
}

/* An IP reassembly queue is being created from its first fragment. */
static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

/* An mbuf is being created from an inpcb. */
static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
}

/* An mbuf is being created from another mbuf. */
static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/* A link-layer mbuf is being created by an interface. */
static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* An mbuf is being created from a BPF descriptor. */
static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* An mbuf is being created from an interface. */
static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* An mbuf is being multicast-encapsulated via ifnet into a new mbuf. */
static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/* A network-layer mbuf is being created from another mbuf. */
static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/*
 * Does fragment belong to reassembly queue ipq?  This policy always
 * answers 1 (match) after checking both labels, so it never splits
 * reassembly on label grounds.
 */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);

	return (1);
}

/* An mbuf is being reflected as an ICMP reply. */
static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

/* An mbuf is being reflected as a TCP reply. */
static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

/* An interface is being relabeled by cred; current and new label are checked. */
static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
}

/* A fragment is being added to an existing reassembly queue. */
static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

/* An inpcb's label is being updated from its socket's label. */
static void
mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/*
 * Labeling event operations: processes.
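*/

/*
 * Credential transition on execve().  old is the credential before the
 * transition and new the one being constructed.  interpvnodelabel and
 * execlabel may be NULL and are checked only when supplied.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}

/*
 * Asked whether execve() should transition credentials.  This policy
 * never requests one (returns 0); the optional labels are checked only
 * when supplied, as above.
 */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/* The credential of process 0 is being labeled. */
static void
mac_test_create_proc0(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

/* The credential of process 1 is being labeled. */
static void
mac_test_create_proc1(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

/* A credential is being relabeled; current and new label are checked. */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}

/*
 * Called as a thread returns to user mode.  Unconditionally prints the
 * process id to the console, so the message appears on every return to
 * user mode while the module is loaded.  The pid is taken from curthread
 * rather than from the td argument; presumably they are the same thread
 * at this point -- confirm with the caller before relying on either.
 */
static void
mac_test_thread_userret(struct thread *td)
{

	printf("mac_test_thread_userret(process = %d)\n",
	    curthread->td_proc->p_pid);
}

/*
 * Label cleanup/flush operations
 */

/* A System V message label is being cleaned up. */
static void
mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
}

/* A System V message queue label is being cleaned up. */
static void
mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

/* A System V semaphore label is being cleaned up. */
static void
mac_test_cleanup_sysv_sema(struct label *semalabel)
{

	ASSERT_SYSVIPCSEM_LABEL(semalabel);
}

/* A System V shared memory label is being cleaned up. */
static void
mac_test_cleanup_sysv_shm(struct label *shmlabel)
{

	ASSERT_SYSVIPCSHM_LABEL(shmlabel);
}

/*
 * Access control checks.
 *
 * Each check validates the label slots it is handed and then returns 0,
 * so this policy never denies an operation.  Subject credentials are
 * checked through cred->cr_label (or proc->p_ucred->cr_label for a
 * target process).  None of these checks consult the mac_test_enabled
 * sysctl declared at the top of the file.
 */

/* BPF descriptor bpf_d receiving traffic from ifnet. */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}

/* cred relabeling itself to newlabel. */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}

/* Is the subject with credential u2 visible to u1? */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);

	return (0);
}

/* cred relabeling an interface; current and new label are checked. */
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);

	return (0);
}

/* An mbuf being transmitted on ifnet. */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* An mbuf being delivered to an inpcb. */
static int
mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);

	return (0);
}

/* cred placing System V message msgptr on queue msqkptr. */
static int
mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred receiving System V message msgptr. */
static int
mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred removing System V message msgptr. */
static int
mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred looking up System V message queue msqkptr (msgget). */
static int
mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred sending to System V message queue msqkptr. */
static int
mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred receiving from System V message queue msqkptr. */
static int
mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred performing msgctl command cmd on queue msqkptr; cmd is not inspected. */
static int
mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel, int cmd)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred performing semctl command cmd on semaphore set semakptr. */
static int
mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel, int cmd)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

/* cred looking up semaphore set semakptr (semget). */
static int
mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

/* cred performing semop on semakptr; accesstype is not inspected. */
static int
mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel, size_t accesstype)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

/* cred attaching shared memory segment shmsegptr; shmflg is not inspected. */
static int
mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int shmflg)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/* cred performing shmctl command cmd on segment shmsegptr. */
static int
mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int cmd)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/* cred detaching shared memory segment shmsegptr. */
static int
mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/* cred looking up shared memory segment shmsegptr (shmget). */
static int
mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int shmflg)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/* cred dumping the kernel environment. */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred reading kernel environment variable name. */
static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred setting kernel environment variable name to value. */
static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred unsetting kernel environment variable name. */
static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred loading a kernel module from vnode vp. */
static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred querying loaded kernel modules. */
static int
mac_test_check_kld_stat(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred unloading a kernel module. */
static int
mac_test_check_kld_unload(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred querying mount point mp. */
static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);

	return (0);
}

/* cred issuing ioctl cmd on pipe pp; cmd and data are not inspected. */
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* cred polling pipe pp. */
static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* cred reading from pipe pp. */
static int
mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* cred relabeling pipe pp; current and new label are checked. */
static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);

	return (0);
}

/* cred stat()ing pipe pp. */
static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* cred writing to pipe pp. */
static int
mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* cred debugging process proc; both the subject and target creds are checked. */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* cred changing scheduling parameters of process proc. */
static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* cred sending signal signum to process proc; signum is not inspected. */
static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* cred binding socket to sockaddr; the address is not inspected. */
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* cred connecting socket to sockaddr; the address is not inspected. */
static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* An mbuf being delivered to socket. */
static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* cred listening on socket. */
static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Is socket visible to cred? */
static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* cred relabeling socket; current and new label are checked. */
static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}

/* cred requesting I/O port permissions via sysarch. */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * cred enabling or disabling process accounting on vnode vp.  vp and
 * label may be NULL (NOTE(review): presumably when accounting is being
 * switched off -- confirm against the caller), so the vnode label is
 * checked only when present, as the other checks in this file do for
 * optional labels.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	if (label != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

/* cred rebooting the system; how is not inspected. */
static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred setting the system time. */
static int
mac_test_check_system_settime(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred enabling swapping on vnode vp. */
static int
mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred disabling swapping on vnode vp. */
static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred accessing sysctl oidp; the OID and request are not inspected. */
static int
mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
    void *arg1, int arg2, struct sysctl_req *req)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* cred checking access mode acc_mode on vnode vp. */
static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred changing directory to dvp. */
static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* cred changing root directory to dvp. */
static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* cred creating an entry in directory dvp; cnp and vap are not inspected. */
static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* cred deleting vnode vp from directory dvp. */
static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred deleting an ACL of type type from vnode vp. */
static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred deleting extended attribute name from vnode vp. */
static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred executing vnode vp; execlabel may be NULL and is checked only when set. */
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/* cred reading an ACL of type type from vnode vp. */
static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred reading extended attribute name from vnode vp. */
static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred hard-linking vnode vp into directory dvp. */
static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred listing extended attributes in attrnamespace on vnode vp. */
static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred looking up a name in directory dvp; cnp is not inspected. */
static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* cred mapping vnode vp with protection prot; prot is not inspected. */
static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred opening vnode vp with access mode acc_mode. */
static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	return (0);
}

/*
 * active_cred polling vnode vp through a file opened with file_cred.
 * file_cred may be NULL and is checked only when present, consistent
 * with the read, stat and write checks below.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* active_cred reading vnode vp; file_cred may be NULL. */
static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred reading directory dvp. */
static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* cred reading symbolic link vp. */
static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);

	return (0);
}

/* cred relabeling vnode vp; current and new label are checked. */
static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);

	return (0);
}

/* cred renaming vnode vp out of directory dvp. */
static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * cred renaming into directory dvp.  vp is the existing target, if any;
 * its label is checked only when vp is non-NULL.
 */
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	if (vp != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

/* cred revoking access to vnode vp. */
static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred setting an ACL of type type on vnode vp; acl is not inspected. */
static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred setting extended attribute name on vnode vp. */
static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred setting file flags on vnode vp; flags are not inspected. */
static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred setting mode on vnode vp; mode is not inspected. */
static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred setting owner/group on vnode vp; uid and gid are not inspected. */
static int
mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* cred setting timestamps on vnode vp; the times are not inspected. */
static int
mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* active_cred stat()ing vnode vp; file_cred may be NULL. */
static int
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* active_cred writing vnode vp; file_cred may be NULL. */
static int
mac_test_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static struct mac_policy_ops mac_test_ops =
{
	.mpo_destroy = mac_test_destroy,
	.mpo_init = mac_test_init,
	.mpo_syscall = mac_test_syscall,
	.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
	.mpo_init_cred_label = mac_test_init_cred_label,
	.mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
	.mpo_init_ifnet_label = mac_test_init_ifnet_label,
	.mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
	.mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
	.mpo_init_sysv_sema_label = mac_test_init_sysv_sema_label,
	.mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
	.mpo_init_inpcb_label = mac_test_init_inpcb_label,
	.mpo_init_ipq_label = mac_test_init_ipq_label,
	.mpo_init_mbuf_label = mac_test_init_mbuf_label,
	.mpo_init_mount_label = mac_test_init_mount_label,
	.mpo_init_mount_fs_label = mac_test_init_mount_fs_label,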
.mpo_init_pipe_label = mac_test_init_pipe_label, 2231 .mpo_init_proc_label = mac_test_init_proc_label, 2232 .mpo_init_socket_label = mac_test_init_socket_label, 2233 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label, 2234 .mpo_init_vnode_label = mac_test_init_vnode_label, 2235 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label, 2236 .mpo_destroy_cred_label = mac_test_destroy_cred_label, 2237 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label, 2238 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label, 2239 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label, 2240 .mpo_destroy_sysv_msgqueue_label = 2241 mac_test_destroy_sysv_msgqueue_label, 2242 .mpo_destroy_sysv_sema_label = mac_test_destroy_sysv_sema_label, 2243 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label, 2244 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label, 2245 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 2246 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 2247 .mpo_destroy_mount_label = mac_test_destroy_mount_label, 2248 .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label, 2249 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, 2250 .mpo_destroy_proc_label = mac_test_destroy_proc_label, 2251 .mpo_destroy_socket_label = mac_test_destroy_socket_label, 2252 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 2253 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 2254 .mpo_copy_cred_label = mac_test_copy_cred_label, 2255 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label, 2256 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label, 2257 .mpo_copy_pipe_label = mac_test_copy_pipe_label, 2258 .mpo_copy_socket_label = mac_test_copy_socket_label, 2259 .mpo_copy_vnode_label = mac_test_copy_vnode_label, 2260 .mpo_externalize_cred_label = mac_test_externalize_label, 2261 .mpo_externalize_ifnet_label = mac_test_externalize_label, 2262 .mpo_externalize_pipe_label = mac_test_externalize_label, 2263 
.mpo_externalize_socket_label = mac_test_externalize_label, 2264 .mpo_externalize_socket_peer_label = mac_test_externalize_label, 2265 .mpo_externalize_vnode_label = mac_test_externalize_label, 2266 .mpo_internalize_cred_label = mac_test_internalize_label, 2267 .mpo_internalize_ifnet_label = mac_test_internalize_label, 2268 .mpo_internalize_pipe_label = mac_test_internalize_label, 2269 .mpo_internalize_socket_label = mac_test_internalize_label, 2270 .mpo_internalize_vnode_label = mac_test_internalize_label, 2271 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 2272 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 2273 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 2274 .mpo_create_devfs_device = mac_test_create_devfs_device, 2275 .mpo_create_devfs_directory = mac_test_create_devfs_directory, 2276 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 2277 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 2278 .mpo_create_mount = mac_test_create_mount, 2279 .mpo_create_root_mount = mac_test_create_root_mount, 2280 .mpo_relabel_vnode = mac_test_relabel_vnode, 2281 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, 2282 .mpo_update_devfsdirent = mac_test_update_devfsdirent, 2283 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 2284 .mpo_create_pipe = mac_test_create_pipe, 2285 .mpo_create_socket = mac_test_create_socket, 2286 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, 2287 .mpo_relabel_pipe = mac_test_relabel_pipe, 2288 .mpo_relabel_socket = mac_test_relabel_socket, 2289 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 2290 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 2291 .mpo_create_bpfdesc = mac_test_create_bpfdesc, 2292 .mpo_create_ifnet = mac_test_create_ifnet, 2293 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket, 2294 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg, 2295 
.mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue, 2296 .mpo_create_sysv_sema = mac_test_create_sysv_sema, 2297 .mpo_create_sysv_shm = mac_test_create_sysv_shm, 2298 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 2299 .mpo_create_fragment = mac_test_create_fragment, 2300 .mpo_create_ipq = mac_test_create_ipq, 2301 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb, 2302 .mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf, 2303 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 2304 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 2305 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 2306 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 2307 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 2308 .mpo_fragment_match = mac_test_fragment_match, 2309 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp, 2310 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp, 2311 .mpo_relabel_ifnet = mac_test_relabel_ifnet, 2312 .mpo_update_ipq = mac_test_update_ipq, 2313 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel, 2314 .mpo_execve_transition = mac_test_execve_transition, 2315 .mpo_execve_will_transition = mac_test_execve_will_transition, 2316 .mpo_create_proc0 = mac_test_create_proc0, 2317 .mpo_create_proc1 = mac_test_create_proc1, 2318 .mpo_relabel_cred = mac_test_relabel_cred, 2319 .mpo_thread_userret = mac_test_thread_userret, 2320 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg, 2321 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue, 2322 .mpo_cleanup_sysv_sema = mac_test_cleanup_sysv_sema, 2323 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm, 2324 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 2325 .mpo_check_cred_relabel = mac_test_check_cred_relabel, 2326 .mpo_check_cred_visible = mac_test_check_cred_visible, 2327 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 2328 .mpo_check_ifnet_transmit = 
mac_test_check_ifnet_transmit, 2329 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver, 2330 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq, 2331 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv, 2332 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid, 2333 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget, 2334 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd, 2335 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv, 2336 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl, 2337 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl, 2338 .mpo_check_sysv_semget = mac_test_check_sysv_semget, 2339 .mpo_check_sysv_semop = mac_test_check_sysv_semop, 2340 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat, 2341 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl, 2342 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt, 2343 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget, 2344 .mpo_check_kenv_dump = mac_test_check_kenv_dump, 2345 .mpo_check_kenv_get = mac_test_check_kenv_get, 2346 .mpo_check_kenv_set = mac_test_check_kenv_set, 2347 .mpo_check_kenv_unset = mac_test_check_kenv_unset, 2348 .mpo_check_kld_load = mac_test_check_kld_load, 2349 .mpo_check_kld_stat = mac_test_check_kld_stat, 2350 .mpo_check_kld_unload = mac_test_check_kld_unload, 2351 .mpo_check_mount_stat = mac_test_check_mount_stat, 2352 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 2353 .mpo_check_pipe_poll = mac_test_check_pipe_poll, 2354 .mpo_check_pipe_read = mac_test_check_pipe_read, 2355 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, 2356 .mpo_check_pipe_stat = mac_test_check_pipe_stat, 2357 .mpo_check_pipe_write = mac_test_check_pipe_write, 2358 .mpo_check_proc_debug = mac_test_check_proc_debug, 2359 .mpo_check_proc_sched = mac_test_check_proc_sched, 2360 .mpo_check_proc_signal = mac_test_check_proc_signal, 2361 .mpo_check_socket_bind = mac_test_check_socket_bind, 2362 .mpo_check_socket_connect = mac_test_check_socket_connect, 2363 .mpo_check_socket_deliver = 
mac_test_check_socket_deliver, 2364 .mpo_check_socket_listen = mac_test_check_socket_listen, 2365 .mpo_check_socket_relabel = mac_test_check_socket_relabel, 2366 .mpo_check_socket_visible = mac_test_check_socket_visible, 2367 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, 2368 .mpo_check_system_acct = mac_test_check_system_acct, 2369 .mpo_check_system_reboot = mac_test_check_system_reboot, 2370 .mpo_check_system_settime = mac_test_check_system_settime, 2371 .mpo_check_system_swapon = mac_test_check_system_swapon, 2372 .mpo_check_system_swapoff = mac_test_check_system_swapoff, 2373 .mpo_check_system_sysctl = mac_test_check_system_sysctl, 2374 .mpo_check_vnode_access = mac_test_check_vnode_access, 2375 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 2376 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 2377 .mpo_check_vnode_create = mac_test_check_vnode_create, 2378 .mpo_check_vnode_delete = mac_test_check_vnode_delete, 2379 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 2380 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr, 2381 .mpo_check_vnode_exec = mac_test_check_vnode_exec, 2382 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 2383 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 2384 .mpo_check_vnode_link = mac_test_check_vnode_link, 2385 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr, 2386 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 2387 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 2388 .mpo_check_vnode_open = mac_test_check_vnode_open, 2389 .mpo_check_vnode_poll = mac_test_check_vnode_poll, 2390 .mpo_check_vnode_read = mac_test_check_vnode_read, 2391 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 2392 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, 2393 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 2394 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 2395 .mpo_check_vnode_rename_to = 
mac_test_check_vnode_rename_to,
	.mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
	.mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
	.mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
	.mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
	.mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
	.mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
	.mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
	.mpo_check_vnode_stat = mac_test_check_vnode_stat,
	.mpo_check_vnode_write = mac_test_check_vnode_write,
};

/*
 * Register the test policy with the MAC framework.
 *
 * &mac_test_ops is the entry-point table initialised above; "mac_test" is
 * the policy's short name and "TrustedBSD MAC/Test" the human-readable one.
 * &test_slot receives the label slot index assigned by the framework at
 * registration time; it is the slot the SLOT() / ASSERT_*_LABEL macros at the
 * top of this file index into when they verify the per-object magic values.
 *
 * Load-time flags (semantics as defined in <sys/mac_policy.h> -- confirm
 * against the framework header in use):
 *   MPC_LOADTIME_FLAG_UNLOADOK   - the policy may be unloaded at runtime
 *                                  (kldunload), so its checks are not a
 *                                  permanent part of the kernel's TCB.
 *   MPC_LOADTIME_FLAG_LABELMBUFS - ask the framework to allocate labels on
 *                                  mbufs, so the mbuf entry points wired
 *                                  above receive a label to check rather
 *                                  than NULL.
 *
 * Per the file header this module is a consistency-checking policy, not an
 * access-control policy: the entry points above (outside this excerpt)
 * validate label state rather than make allow/deny decisions.
 */
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
    MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);