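/*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */

/*
 * Developed by the TrustedBSD Project.
 * Generic mandatory access module that does nothing.
 *
 * "Does nothing" refers to access decisions: the entry points in this part
 * of the file never return an error.  What they do instead is stamp a
 * per-object-type magic number into this policy's label slot when a label
 * is initialized, and assert on later entry points that every label handed
 * in by the MAC framework carries the magic number expected for its object
 * type.  A mismatch therefore points at a label lifecycle bug (wrong label
 * passed, use after destroy, double destroy, memory corruption).
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/kdb.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * Writable knob, default 1.
 * NOTE(review): none of the entry points in the reviewed part of this file
 * reads mac_test_enabled, so toggling it may have no effect -- confirm
 * against the rest of the file.
 */
static int	mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");

/*
 * Magic numbers written into the policy's label slot, one per object type.
 * EXMAGIC is written by the destroy entry points and marks a label that
 * has already been destroyed.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	INPCBMAGIC	0x4440f7bb
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	PIPEMAGIC	0xdc6c9919
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
#define	EXMAGIC		0x849ba1fd

/* This policy's storage in a label, at the slot index held in test_slot. */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long

/*
 * Label type assertions.  Each one passes when the slot holds the magic
 * number of the named object type, or 0.  Accepting 0 presumably covers
 * labels this policy never initialized (for example objects that existed
 * before the module was loaded) -- confirm.  A label carrying EXMAGIC or
 * another type's magic fails the assertion.
 *
 * NOTE: these are KASSERT()s, which FreeBSD compiles in only on kernels
 * built with INVARIANTS; on other kernels the entry points that consist
 * solely of assertions check nothing.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad BPF label", __func__))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__))
#define	ASSERT_IFNET_LABEL(x)	KASSERT(SLOT(x) == IFNETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IFNET label", __func__))
#define	ASSERT_INPCB_LABEL(x)	KASSERT(SLOT(x) == INPCBMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad INPCB label", __func__))
#define	ASSERT_IPQ_LABEL(x)	KASSERT(SLOT(x) == IPQMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad IPQ label", __func__))
/*
 * Unlike the others, the mbuf assertion also accepts a NULL label pointer.
 * The argument is parenthesized so that an expression argument cannot
 * re-associate with the == comparison.
 */
#define	ASSERT_MBUF_LABEL(x)	KASSERT((x) == NULL ||			\
	SLOT(x) == MBUFMAGIC || SLOT(x) == 0,				\
	("%s: Bad MBUF label", __func__))
#define	ASSERT_MOUNT_LABEL(x)	KASSERT(SLOT(x) == MOUNTMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad MOUNT label", __func__))
#define	ASSERT_SOCKET_LABEL(x)	KASSERT(SLOT(x) == SOCKETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad SOCKET label", __func__))
#define	ASSERT_PIPE_LABEL(x)	KASSERT(SLOT(x) == PIPEMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PIPE label", __func__))
#define	ASSERT_PROC_LABEL(x)	KASSERT(SLOT(x) == PROCMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PROC label", __func__))
#define	ASSERT_CRED_LABEL(x)	KASSERT(SLOT(x) == CREDMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad CRED label", __func__))
#define	ASSERT_VNODE_LABEL(x)	KASSERT(SLOT(x) == VNODEMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad VNODE label", __func__))

/* Slot index used by SLOT(); exported read-only. */
static int	test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");

/*
 * Read-only counters of label init calls, one per object type.  Comparing
 * them with the destroy counters below shows how many labels of each type
 * are outstanding.
 */
static int	init_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
    &init_count_bpfdesc, 0, "bpfdesc init calls");
static int	init_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
    &init_count_cred, 0, "cred init calls");
static int	init_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
    &init_count_devfsdirent, 0, "devfsdirent init calls");
static int	init_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
    &init_count_ifnet, 0, "ifnet init calls");
static int	init_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
    &init_count_inpcb, 0, "inpcb init calls");
static int	init_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
    &init_count_ipq, 0, "ipq init calls");
static int	init_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
    &init_count_mbuf, 0, "mbuf init calls");
static int	init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
    &init_count_mount, 0, "mount init calls");
static int	init_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
    &init_count_mount_fslabel, 0, "mount_fslabel init calls");
static int	init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
    &init_count_socket, 0, "socket init calls");
static int	init_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
    CTLFLAG_RD, &init_count_socket_peerlabel, 0,
    "socket_peerlabel init calls");
static int	init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
    &init_count_pipe, 0, "pipe init calls");
static int	init_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
    &init_count_proc, 0, "proc init calls");
static int	init_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
    &init_count_vnode, 0, "vnode init calls");

/* Read-only counters of label destroy calls, one per object type. */
static int	destroy_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
    &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
static int	destroy_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
    &destroy_count_cred, 0, "cred destroy calls");
static int	destroy_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
    &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
static int	destroy_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
    &destroy_count_ifnet, 0, "ifnet destroy calls");
static int	destroy_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
    &destroy_count_inpcb, 0, "inpcb destroy calls");
static int	destroy_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
    &destroy_count_ipq, 0, "ipq destroy calls");
static int	destroy_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
    &destroy_count_mbuf, 0, "mbuf destroy calls");
static int	destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
    &destroy_count_mount, 0, "mount destroy calls");
static int	destroy_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
    CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
    "mount_fslabel destroy calls");
static int	destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
    &destroy_count_socket, 0, "socket destroy calls");
static int	destroy_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
    CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
    "socket_peerlabel destroy calls");
static int	destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
    &destroy_count_pipe, 0, "pipe destroy calls");
static int	destroy_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
    &destroy_count_proc, 0, "proc destroy calls");
static int	destroy_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
    &destroy_count_vnode, 0, "vnode destroy calls");

/* Read-only counters of label externalize and internalize calls. */
static int	externalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
static int	internalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");

/*
 * Policy module operations.
 */

/* Policy teardown hook; intentionally empty. */
static void
mac_test_destroy(struct mac_policy_conf *conf)
{

}

/* Policy setup hook; intentionally empty. */
static void
mac_test_init(struct mac_policy_conf *conf)
{

}

/* Policy system call hook; ignores its arguments and returns 0. */
static int
mac_test_syscall(struct thread *td, int call, void *arg)
{

	return (0);
}

/*
 * Label operations.
 *
 * Each init entry point writes the object type's magic number into the
 * label slot and atomically increments the matching init counter.  The
 * variants that take a flag argument also return 0 and, when M_WAITOK is
 * set, call WITNESS_WARN() with WARN_SLEEPOK so that a sleepable
 * initialization requested from a context that may not sleep is reported.
 */
static void
mac_test_init_bpfdesc_label(struct label *label)
{

	SLOT(label) = BPFMAGIC;
	atomic_add_int(&init_count_bpfdesc, 1);
}

static void
mac_test_init_cred_label(struct label *label)
{

	SLOT(label) = CREDMAGIC;
	atomic_add_int(&init_count_cred, 1);
}

static void
mac_test_init_devfsdirent_label(struct label *label)
{

	SLOT(label) = DEVFSMAGIC;
	atomic_add_int(&init_count_devfsdirent, 1);
}

static void
mac_test_init_ifnet_label(struct label *label)
{

	SLOT(label) = IFNETMAGIC;
	atomic_add_int(&init_count_ifnet, 1);
}

static int
mac_test_init_inpcb_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_inpcb_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = INPCBMAGIC;
	atomic_add_int(&init_count_inpcb, 1);
	return (0);
}

static int
mac_test_init_ipq_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = IPQMAGIC;
	atomic_add_int(&init_count_ipq, 1);
	return (0);
}

static int
mac_test_init_mbuf_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = MBUFMAGIC;
	atomic_add_int(&init_count_mbuf, 1);
	return (0);
}

static void
mac_test_init_mount_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount, 1);
}

/*
 * The file system label shares MOUNTMAGIC with the mount label, so the
 * assertions cannot tell the two apart; only the counters differ.
 */
static void
mac_test_init_mount_fs_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount_fslabel, 1);
}

static int
mac_test_init_socket_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket, 1);
	return (0);
}

/*
 * The socket peer label shares SOCKETMAGIC with the socket label; only the
 * counters differ.
 */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket_peerlabel, 1);
	return (0);
}

static void
mac_test_init_pipe_label(struct label *label)
{

	SLOT(label) = PIPEMAGIC;
	atomic_add_int(&init_count_pipe, 1);
}

static void
mac_test_init_proc_label(struct label *label)
{

	SLOT(label) = PROCMAGIC;
	atomic_add_int(&init_count_proc, 1);
}

static void
mac_test_init_vnode_label(struct label *label)
{

	SLOT(label) = VNODEMAGIC;
	atomic_add_int(&init_count_vnode, 1);
}

/*
 * Each destroy entry point inspects the slot and takes one of three paths:
 *   - expected magic or 0: count the destroy and overwrite the slot with
 *     EXMAGIC, so later use of the label is detectable;
 *   - EXMAGIC: the label was already destroyed; enter the kernel debugger
 *     with a "dup destroy" message;
 *   - anything else: enter the kernel debugger with a "corrupted label"
 *     message.
 * Unlike the ASSERT_*_LABEL() macros these checks are plain if statements,
 * so they do not depend on KASSERT being compiled in.
 */
static void
mac_test_destroy_bpfdesc_label(struct label *label)
{

	if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_bpfdesc, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_bpfdesc: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_bpfdesc: corrupted label");
	}
}

static void
mac_test_destroy_cred_label(struct label *label)
{

	if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_cred, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_cred: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_cred: corrupted label");
	}
}

static void
mac_test_destroy_devfsdirent_label(struct label *label)
{

	if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_devfsdirent, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_devfsdirent: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_devfsdirent: corrupted label");
	}
}

static void
mac_test_destroy_ifnet_label(struct label *label)
{

	if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_ifnet, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_ifnet: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_ifnet: corrupted label");
	}
}

static void
mac_test_destroy_inpcb_label(struct label *label)
{

	if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_inpcb, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_inpcb: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_inpcb: corrupted label");
	}
}

static void
mac_test_destroy_ipq_label(struct label *label)
{

	if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_ipq, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_ipq: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_ipq: corrupted label");
	}
}

static void
mac_test_destroy_mbuf_label(struct label *label)
{

	/*
	 * If we're loaded dynamically, there may be mbufs in flight that
	 * didn't have label storage allocated for them.  Handle this
	 * gracefully.
	 */
	if (label == NULL)
		return;

	if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mbuf, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_mbuf: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_mbuf: corrupted label");
	}
}

static void
mac_test_destroy_mount_label(struct label *label)
{

	if (SLOT(label) == MOUNTMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mount, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_mount: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_mount: corrupted label");
	}
}

static void
mac_test_destroy_mount_fs_label(struct label *label)
{

	if (SLOT(label) == MOUNTMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mount_fslabel, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_mount_fslabel: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_mount_fslabel: corrupted label");
	}
}

static void
mac_test_destroy_socket_label(struct label *label)
{

	if (SLOT(label) == SOCKETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_socket, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_socket: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_socket: corrupted label");
	}
}

static void
mac_test_destroy_socket_peer_label(struct label *label)
{

	if (SLOT(label) == SOCKETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_socket_peerlabel, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_socket_peerlabel: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_socket_peerlabel: corrupted label");
	}
}

static void
mac_test_destroy_pipe_label(struct label *label)
{

	if (SLOT(label) == PIPEMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_pipe, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_pipe: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_pipe: corrupted label");
	}
}

static void
mac_test_destroy_proc_label(struct label *label)
{

	if (SLOT(label) == PROCMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_proc, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_proc: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_proc: corrupted label");
	}
}

static void
mac_test_destroy_vnode_label(struct label *label)
{

	if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_vnode, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		kdb_enter("mac_test_destroy_vnode: dup destroy");
	} else {
		kdb_enter("mac_test_destroy_vnode: corrupted label");
	}
}

/*
 * The copy entry points copy nothing; they only assert that both the
 * source and the destination label carry the magic of the object type.
 */
static void
mac_test_copy_cred_label(struct label *src, struct label *dest)
{

	ASSERT_CRED_LABEL(src);
	ASSERT_CRED_LABEL(dest);
}

static void
mac_test_copy_ifnet_label(struct label *src, struct label *dest)
{

	ASSERT_IFNET_LABEL(src);
	ASSERT_IFNET_LABEL(dest);
}

static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{

	ASSERT_MBUF_LABEL(src);
	ASSERT_MBUF_LABEL(dest);
}

static void
mac_test_copy_pipe_label(struct label *src, struct label *dest)
{

	ASSERT_PIPE_LABEL(src);
	ASSERT_PIPE_LABEL(dest);
}

static void
mac_test_copy_socket_label(struct label *src, struct label *dest)
{

	ASSERT_SOCKET_LABEL(src);
	ASSERT_SOCKET_LABEL(dest);
}

static void
mac_test_copy_vnode_label(struct label *src, struct label *dest)
{

	ASSERT_VNODE_LABEL(src);
	ASSERT_VNODE_LABEL(dest);
}

/*
 * Count the call and assert that the label has not been destroyed.  The
 * object type is not known here, so only EXMAGIC is rejected.  Nothing is
 * written to sb and *claimed is left untouched.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{

	atomic_add_int(&externalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_externalize_label: destroyed label"));

	return (0);
}

/*
 * Count the call and assert that the label has not been destroyed.
 * element_data is not parsed and *claimed is left untouched.
 */
static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{

	atomic_add_int(&internalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_internalize_label: destroyed label"));

	return (0);
}

/*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.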
*/

/*
 * The entry points in this group change no label.  Each one asserts that
 * the labels it receives carry the magic number of the expected object
 * type (see the ASSERT_*_LABEL() macros near the top of the file); the
 * variants returning int always return 0.
 */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_DEVFS_LABEL(delabel);
	ASSERT_VNODE_LABEL(vlabel);
}

static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
	return (0);
}

static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
}

static void
mac_test_create_devfs_device(struct mount *mp, struct cdev *dev,
    struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_DEVFS_LABEL(ddlabel);
	ASSERT_DEVFS_LABEL(delabel);
}

/*
 * NOTE(review): vlabel, the label of the vnode being created, is not
 * asserted here although the directory's label is -- confirm whether
 * that omission is intentional.
 */
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Both mount labels are checked against the same MOUNTMAGIC value. */
static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

static void
mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

/* Validates the vnode's current label and the replacement label. */
static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(label);
}

static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vlabel);
	ASSERT_VNODE_LABEL(intlabel);
	return (0);
}

static void
mac_test_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{

	ASSERT_DEVFS_LABEL(direntlabel);
	ASSERT_VNODE_LABEL(vnodelabel);
}

/*
 * Labeling event operations: IPC object.
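*/

/*
 * The entry points in this group change no label.  Each one asserts that
 * the labels it receives carry the magic number of the expected object
 * type (see the ASSERT_*_LABEL() macros near the top of the file).
 */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
}

static void
mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
}

static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketlabel);
}

/*
 * Validates the credential, the socket's current label and the
 * replacement label.  The current label is checked too, as
 * mac_test_relabel_pipe() does for pipes, so that a relabel of a socket
 * whose label was destroyed or corrupted is caught here.
 */
static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);
}

/* Validates the credential, the pipe's current label and the new label. */
static void
mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
}

/* The peer label is checked against SOCKETMAGIC, like a socket label. */
static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{

	ASSERT_MBUF_LABEL(mbuflabel);
	ASSERT_SOCKET_LABEL(socketpeerlabel);
}

/*
 * Labeling event operations: network objects.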
*/

/*
 * The entry points in this group change no label.  Each one asserts that
 * the labels it receives carry the magic number of the expected object
 * type (see the ASSERT_*_LABEL() macros near the top of the file).  Mbuf
 * labels may be NULL; ASSERT_MBUF_LABEL() accepts that.
 */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}

static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}

static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}

static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}

static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
}

static void
mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/*
 * Validates both labels and then always returns 1, regardless of the
 * label contents.
 */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);

	return (1);
}

static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

/* Validates the credential, the interface's current label and the new label. */
static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
}

static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

static void
mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/*
 * Labeling event operations: processes.
 */

/*
 * Validates the old and new credential labels and the executable's vnode
 * label.  interpvnodelabel and execlabel are optional: each is validated
 * only when non-NULL.  execlabel is checked against CREDMAGIC.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}

/*
 * Same validation as mac_test_execve_transition(), minus the new
 * credential.  Always returns 0.
 */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

static void
mac_test_create_proc0(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

static void
mac_test_create_proc1(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

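/*
 * Credential relabel hook: sanity-checks the credential's current label and
 * the new label.  The new label is not applied by this policy.
 */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}

/*
 * Thread userret hook: unconditionally prints the pid of the current
 * thread's process to the kernel console.
 * NOTE(review): td is unused and the pid is taken from curthread instead;
 * the printf runs on every invocation of the hook, so expect a very noisy
 * console while this policy is loaded.
 */
static void
mac_test_thread_userret(struct thread *td)
{
	printf("mac_test_thread_userret(process = %d)\n",
	    curthread->td_proc->p_pid);
}

/*
 * Access control checks.
 *
 * Every check below only sanity-checks the labels it is handed, using the
 * ASSERT_*_LABEL macros, and then returns 0, so this policy never refuses an
 * operation.  The ASSERT_*_LABEL macros visible at the top of this file are
 * built on KASSERT, which is compiled in only on kernels configured with
 * INVARIANTS; on other kernels the checks are empty.  None of the checks in
 * this part of the file consults mac_test_enabled, although its sysctl is
 * described as "Enforce test policy".
 */

/* BPF receive check: validates the BPF descriptor and interface labels. */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{
	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}

/* Credential relabel check: validates the current and proposed labels. */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}

/* Credential visibility check: validates the labels of both credentials. */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);

	return (0);
}

/*
 * Interface relabel check: validates the credential label and the current
 * and proposed interface labels.
 */
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
	return (0);
}

/* Interface transmit check: validates the interface and mbuf labels. */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* inpcb delivery check: validates the inpcb and mbuf labels. */
static int
mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{
	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);

	return (0);
}

/* Kernel environment dump check: validates the credential label. */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel environment get check: validates the credential label only. */
static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel environment set check: validates the credential label only. */
static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel environment unset check: validates the credential label only. */
static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel module load check: validates the credential and vnode labels. */
static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Kernel module stat check: validates the credential label. */
static int
mac_test_check_kld_stat(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel module unload check: validates the credential label. */
static int
mac_test_check_kld_unload(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Mount stat check: validates the credential and mount labels. */
static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);

	return (0);
}

/*
 * Pipe ioctl check: validates the credential and pipe labels; cmd and data
 * are not examined.
 */
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe poll check: validates the credential and pipe labels. */
static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe read check: validates the credential and pipe labels. */
static int
mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/*
 * Pipe relabel check: validates the credential label and the current and
 * proposed pipe labels.
 */
static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);

	return (0);
}

/* Pipe stat check: validates the credential and pipe labels. */
static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe write check: validates the credential and pipe labels. */
static int
mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/*
 * Process debug check: validates the caller's credential label and the label
 * of the target process's credential.
 */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/*
 * Process scheduling check: validates the caller's credential label and the
 * label of the target process's credential.
 */
static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/*
 * Process signal check: validates the caller's credential label and the
 * label of the target process's credential; signum is not examined.
 */
static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Socket bind check: validates the credential and socket labels. */
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket connect check: validates the credential and socket labels. */
static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket delivery check: validates the socket and mbuf labels. */
static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* Socket listen check: validates the credential and socket labels. */
static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket visibility check: validates the credential and socket labels. */
static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/*
 * Socket relabel check: validates the credential label and the current and
 * proposed socket labels.
 */
static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}

/* sysarch ioperm check: validates the credential label. */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Accounting check: validates the credential label only.
 * NOTE(review): unlike the swapon/swapoff checks, the vnode label is not
 * asserted here; presumably vp and label can be NULL when accounting is
 * being turned off -- confirm before adding an ASSERT_VNODE_LABEL.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Reboot check: validates the credential label; how is not examined. */
static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Set-time check: validates the credential label. */
static int
mac_test_check_system_settime(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* swapon check: validates the credential and vnode labels. */
static int
mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* swapoff check: validates the credential and vnode labels. */
static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * sysctl check: validates the credential label only; the OID, its arguments
 * and the request are not examined.
 */
static int
mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
    void *arg1, int arg2, struct sysctl_req *req)
{
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Vnode access check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* chdir check: validates the credential and directory vnode labels. */
static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* chroot check: validates the credential and directory vnode labels. */
static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode create check: validates the credential and directory labels. */
static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/*
 * Vnode delete check: validates the credential label and the labels of the
 * directory and of the vnode being removed.
 */
static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* ACL delete check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Extended attribute delete check: validates credential and vnode labels. */
static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode exec check: validates the credential and vnode labels, plus the
 * optional exec label (checked as a credential label) when it is non-NULL.
 */
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/* ACL get check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Extended attribute get check: validates credential and vnode labels. */
static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode link check: validates the credential label and the labels of the
 * directory and of the vnode being linked.
 */
static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Extended attribute list check: validates credential and vnode labels. */
static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode lookup check: validates the credential and directory labels. */
static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode mmap check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode mprotect check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode open check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	return (0);
}

/*
 * Vnode poll check: validates the active credential label, the file
 * credential label when a file credential is supplied, and the vnode label.
 * file_cred is guarded against NULL in the same way as in the read, stat and
 * write checks, so a caller without a file credential does not trigger a
 * NULL dereference inside the assertion.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode read check: validates the active credential label, the file
 * credential label when file_cred is non-NULL, and the vnode label.
 */
static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode readdir check: validates the credential and directory labels. */
static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode readlink check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);

	return (0);
}

/*
 * Vnode relabel check: validates the credential label and the current and
 * proposed vnode labels.
 */
static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);

	return (0);
}

/*
 * Rename (source side) check: validates the credential label and the labels
 * of the source directory and of the vnode being renamed.
 */
static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Rename (target side) check: validates the credential and target directory
 * labels.  The target vnode's label is checked only when vp is non-NULL.
 */
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	if (vp != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

/* Vnode revoke check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* ACL set check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Extended attribute set check: validates credential and vnode labels. */
static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* File flags set check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* File mode set check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* File owner set check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* File times set check: validates the credential and vnode labels. */
static int
mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode stat check: validates the active credential label, the file
 * credential label when file_cred is non-NULL, and the vnode label.
 */
static int
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode write check: validates the active credential label, the file
 * credential label when file_cred is non-NULL, and the vnode label.
 */
static int
mac_test_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Entry point table handed to the MAC framework: maps each mpo_* hook to the
 * mac_test_* function implementing it.  Hooks that are not listed here are
 * left unset by the designated initializer.
 */
static struct mac_policy_ops mac_test_ops =
{
	/* Policy module life cycle and policy system call. */
	.mpo_destroy = mac_test_destroy,
	.mpo_init = mac_test_init,
	.mpo_syscall = mac_test_syscall,
	/* Label initialization. */
	.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
	.mpo_init_cred_label = mac_test_init_cred_label,
	.mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
	.mpo_init_ifnet_label = mac_test_init_ifnet_label,
	.mpo_init_inpcb_label = mac_test_init_inpcb_label,
	.mpo_init_ipq_label = mac_test_init_ipq_label,
	.mpo_init_mbuf_label = mac_test_init_mbuf_label,
	.mpo_init_mount_label = mac_test_init_mount_label,
	.mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
	.mpo_init_pipe_label = mac_test_init_pipe_label,
	.mpo_init_proc_label = mac_test_init_proc_label,
	.mpo_init_socket_label = mac_test_init_socket_label,
	.mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
	.mpo_init_vnode_label = mac_test_init_vnode_label,
	/* Label destruction. */
	.mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
	.mpo_destroy_cred_label = mac_test_destroy_cred_label,
	.mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
	.mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
	.mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
	.mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
	.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
	.mpo_destroy_mount_label = mac_test_destroy_mount_label,
	.mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
	.mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
	.mpo_destroy_proc_label = mac_test_destroy_proc_label,
	.mpo_destroy_socket_label = mac_test_destroy_socket_label,
	.mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
	.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
	/* Label copy. */
	.mpo_copy_cred_label = mac_test_copy_cred_label,
	.mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
	.mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
	.mpo_copy_pipe_label = mac_test_copy_pipe_label,
	.mpo_copy_socket_label = mac_test_copy_socket_label,
	.mpo_copy_vnode_label = mac_test_copy_vnode_label,
	/* All externalize hooks share one handler, as do all internalize hooks. */
	.mpo_externalize_cred_label = mac_test_externalize_label,
	.mpo_externalize_ifnet_label = mac_test_externalize_label,
	.mpo_externalize_pipe_label = mac_test_externalize_label,
	.mpo_externalize_socket_label = mac_test_externalize_label,
	.mpo_externalize_socket_peer_label = mac_test_externalize_label,
	.mpo_externalize_vnode_label = mac_test_externalize_label,
	.mpo_internalize_cred_label = mac_test_internalize_label,
	.mpo_internalize_ifnet_label = mac_test_internalize_label,
	.mpo_internalize_pipe_label = mac_test_internalize_label,
	.mpo_internalize_socket_label = mac_test_internalize_label,
	.mpo_internalize_vnode_label = mac_test_internalize_label,
	/* Labeling events: file system objects. */
	.mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
	.mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
	.mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
	.mpo_create_devfs_device = mac_test_create_devfs_device,
	.mpo_create_devfs_directory = mac_test_create_devfs_directory,
	.mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
	.mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
	.mpo_create_mount = mac_test_create_mount,
	.mpo_create_root_mount = mac_test_create_root_mount,
	.mpo_relabel_vnode = mac_test_relabel_vnode,
	.mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
	.mpo_update_devfsdirent = mac_test_update_devfsdirent,
	/* Labeling events: sockets and pipes. */
	.mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
	.mpo_create_pipe = mac_test_create_pipe,
	.mpo_create_socket = mac_test_create_socket,
	.mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
	.mpo_relabel_pipe = mac_test_relabel_pipe,
	.mpo_relabel_socket = mac_test_relabel_socket,
	.mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
	.mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
	/* Labeling events: network objects. */
	.mpo_create_bpfdesc = mac_test_create_bpfdesc,
	.mpo_create_ifnet = mac_test_create_ifnet,
	.mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
	.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
	.mpo_create_fragment = mac_test_create_fragment,
	.mpo_create_ipq = mac_test_create_ipq,
	.mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
	.mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
	.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
	.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
	.mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
	.mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
	.mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
	.mpo_fragment_match = mac_test_fragment_match,
	.mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
	.mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
	.mpo_relabel_ifnet = mac_test_relabel_ifnet,
	.mpo_update_ipq = mac_test_update_ipq,
	.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
	/* Labeling events: processes. */
	.mpo_execve_transition = mac_test_execve_transition,
	.mpo_execve_will_transition = mac_test_execve_will_transition,
	.mpo_create_proc0 = mac_test_create_proc0,
	.mpo_create_proc1 = mac_test_create_proc1,
	.mpo_relabel_cred = mac_test_relabel_cred,
	.mpo_thread_userret = mac_test_thread_userret,
	/* Access control checks. */
	.mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
	.mpo_check_cred_relabel = mac_test_check_cred_relabel,
	.mpo_check_cred_visible = mac_test_check_cred_visible,
	.mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
	.mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
	.mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
	.mpo_check_kenv_dump = mac_test_check_kenv_dump,
	.mpo_check_kenv_get = mac_test_check_kenv_get,
	.mpo_check_kenv_set = mac_test_check_kenv_set,
	.mpo_check_kenv_unset = mac_test_check_kenv_unset,
	.mpo_check_kld_load = mac_test_check_kld_load,
	.mpo_check_kld_stat = mac_test_check_kld_stat,
	.mpo_check_kld_unload = mac_test_check_kld_unload,
	.mpo_check_mount_stat = mac_test_check_mount_stat,
	.mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
	.mpo_check_pipe_poll = mac_test_check_pipe_poll,
	.mpo_check_pipe_read = mac_test_check_pipe_read,
	.mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
	.mpo_check_pipe_stat = mac_test_check_pipe_stat,
	.mpo_check_pipe_write = mac_test_check_pipe_write,
	.mpo_check_proc_debug = mac_test_check_proc_debug,
	.mpo_check_proc_sched = mac_test_check_proc_sched,
	.mpo_check_proc_signal = mac_test_check_proc_signal,
	.mpo_check_socket_bind = mac_test_check_socket_bind,
	.mpo_check_socket_connect = mac_test_check_socket_connect,
	.mpo_check_socket_deliver = mac_test_check_socket_deliver,
	.mpo_check_socket_listen = mac_test_check_socket_listen,
	.mpo_check_socket_relabel = mac_test_check_socket_relabel,
	.mpo_check_socket_visible = mac_test_check_socket_visible,
	.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
	.mpo_check_system_acct = mac_test_check_system_acct,
	.mpo_check_system_reboot = mac_test_check_system_reboot,
	.mpo_check_system_settime = mac_test_check_system_settime,
	.mpo_check_system_swapon = mac_test_check_system_swapon,
	.mpo_check_system_swapoff = mac_test_check_system_swapoff,
	.mpo_check_system_sysctl = mac_test_check_system_sysctl,
	.mpo_check_vnode_access = mac_test_check_vnode_access,
	.mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
	.mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
	.mpo_check_vnode_create = mac_test_check_vnode_create,
	.mpo_check_vnode_delete = mac_test_check_vnode_delete,
	.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = mac_test_check_vnode_exec,
	.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
	.mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
	.mpo_check_vnode_link = mac_test_check_vnode_link,
	.mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
	.mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
	.mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
	.mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect,
	.mpo_check_vnode_open = mac_test_check_vnode_open,
	.mpo_check_vnode_poll = mac_test_check_vnode_poll,
	.mpo_check_vnode_read = mac_test_check_vnode_read,
	.mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
	.mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
	.mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
	.mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
	.mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
	.mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
	.mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
	.mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
	.mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
	.mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
	.mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
	.mpo_check_vnode_stat = mac_test_check_vnode_stat,
	.mpo_check_vnode_write = mac_test_check_vnode_write,
};

/*
 * Declare the policy to the MAC framework under the name "mac_test".
 * test_slot is the label slot that the SLOT() macro at the top of this file
 * reads.  The load-time flags mark the policy as unloadable
 * (MPC_LOADTIME_FLAG_UNLOADOK) and as one that labels mbufs
 * (MPC_LOADTIME_FLAG_LABELMBUFS).
 */
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
    MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);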