1 /*- 2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson 3 * Copyright (c) 2001-2005 McAfee, Inc. 4 * Copyright (c) 2006 SPARTA, Inc. 5 * Copyright (c) 2008 Apple Inc. 6 * All rights reserved. 7 * 8 * This software was developed by Robert Watson for the TrustedBSD Project. 9 * 10 * This software was developed for the FreeBSD Project in part by McAfee 11 * Research, the Security Research Division of McAfee, Inc. under 12 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 13 * CHATS research program. 14 * 15 * This software was enhanced by SPARTA ISSO under SPAWAR contract 16 * N66001-04-C-6019 ("SEFOS"). 17 * 18 * Redistribution and use in source and binary forms, with or without 19 * modification, are permitted provided that the following conditions 20 * are met: 21 * 1. Redistributions of source code must retain the above copyright 22 * notice, this list of conditions and the following disclaimer. 23 * 2. Redistributions in binary form must reproduce the above copyright 24 * notice, this list of conditions and the following disclaimer in the 25 * documentation and/or other materials provided with the distribution. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * $FreeBSD$ 40 */ 41 42 /* 43 * Developed by the TrustedBSD Project. 44 * 45 * MAC Test policy - tests MAC Framework labeling by assigning object class 46 * magic numbers to each label and validates that each time an object label 47 * is passed into the policy, it has a consistent object type, catching 48 * incorrectly passed labels, labels passed after free, etc. 49 */ 50 51 #include <sys/param.h> 52 #include <sys/acl.h> 53 #include <sys/kdb.h> 54 #include <sys/kernel.h> 55 #include <sys/ksem.h> 56 #include <sys/malloc.h> 57 #include <sys/module.h> 58 #include <sys/mount.h> 59 #include <sys/msg.h> 60 #include <sys/proc.h> 61 #include <sys/vnode.h> 62 #include <sys/sem.h> 63 #include <sys/shm.h> 64 #include <sys/socket.h> 65 #include <sys/socketvar.h> 66 #include <sys/sx.h> 67 #include <sys/sysctl.h> 68 69 #include <fs/devfs/devfs.h> 70 71 #include <net/bpfdesc.h> 72 #include <net/if.h> 73 #include <net/if_types.h> 74 #include <net/if_var.h> 75 76 #include <security/mac/mac_policy.h> 77 78 SYSCTL_DECL(_security_mac); 79 80 SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, 81 "TrustedBSD mac_test policy controls"); 82 83 #define MAGIC_BPF 0xfe1ad1b6 84 #define MAGIC_DEVFS 0x9ee79c32 85 #define MAGIC_IFNET 0xc218b120 86 #define MAGIC_INPCB 0x4440f7bb 87 #define MAGIC_IPQ 0x206188ef 88 #define MAGIC_MBUF 0xbbefa5bb 89 #define MAGIC_MOUNT 0xc7c46e47 90 #define MAGIC_SOCKET 0x9199c6cd 91 #define MAGIC_SYNCACHE 0x7fb838a8 92 #define MAGIC_SYSV_MSG 0x8bbba61e 93 #define MAGIC_SYSV_MSQ 0xea672391 94 #define MAGIC_SYSV_SEM 0x896e8a0b 95 #define MAGIC_SYSV_SHM 0x76119ab0 96 #define MAGIC_PIPE 0xdc6c9919 97 #define MAGIC_POSIX_SEM 0x78ae980c 98 #define MAGIC_POSIX_SHM 0x4e853fc9 99 #define MAGIC_PROC 0x3b4be98f 100 #define MAGIC_CRED 0x9a5a4987 101 #define MAGIC_VNODE 0x1a67a45c 102 #define MAGIC_FREE 0x849ba1fd 103 104 #define SLOT(x) mac_label_get((x), test_slot) 105 #define SLOT_SET(x, v) mac_label_set((x), test_slot, (v)) 106 107 static int test_slot; 108 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 109 &test_slot, 0, "Slot allocated by framework"); 110 111 SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0, 112 "TrustedBSD mac_test counters controls"); 113 114 #define COUNTER_DECL(variable) \ 115 static int counter_##variable; \ 116 SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable, \ 117 CTLFLAG_RD, &counter_##variable, 0, #variable) 118 119 #define COUNTER_INC(variable) atomic_add_int(&counter_##variable, 1) 120 121 #ifdef KDB 122 #define DEBUGGER(func, string) kdb_enter(KDB_WHY_MAC, (string)) 123 #else 124 #define DEBUGGER(func, string) printf("mac_test: %s: %s\n", (func), (string)) 125 #endif 126 127 #define LABEL_CHECK(label, magic) do { \ 128 if (label != NULL) { \ 129 KASSERT(SLOT(label) == magic || SLOT(label) == 0, \ 130 ("%s: bad %s label", __func__, #magic)); \ 131 } \ 132 } while (0) 133 134 #define LABEL_DESTROY(label, magic) do { \ 135 if (SLOT(label) == magic || SLOT(label) == 0) { \ 136 SLOT_SET(label, MAGIC_FREE); \ 137 } else if (SLOT(label) == MAGIC_FREE) { \ 138 DEBUGGER("%s: dup destroy", __func__); \ 139 } else { \ 140 DEBUGGER("%s: corrupted label", __func__); \ 141 } \ 142 } while (0) 143 144 #define LABEL_INIT(label, magic) do { \ 145 SLOT_SET(label, magic); \ 146 } while (0) 147 148 #define LABEL_NOTFREE(label) do { \ 149 KASSERT(SLOT(label) != MAGIC_FREE, \ 150 ("%s: destroyed label", __func__)); \ 151 } while (0) 152 153 /* 154 * Object-specific entry point implementations are sorted alphabetically by 155 * object type name and then by operation. 156 */ 157 COUNTER_DECL(bpfdesc_check_receive); 158 static int 159 test_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, 160 struct ifnet *ifp, struct label *ifplabel) 161 { 162 163 LABEL_CHECK(dlabel, MAGIC_BPF); 164 LABEL_CHECK(ifplabel, MAGIC_IFNET); 165 COUNTER_INC(bpfdesc_check_receive); 166 167 return (0); 168 } 169 170 COUNTER_DECL(bpfdesc_create); 171 static void 172 test_bpfdesc_create(struct ucred *cred, struct bpf_d *d, 173 struct label *dlabel) 174 { 175 176 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 177 LABEL_CHECK(dlabel, MAGIC_BPF); 178 COUNTER_INC(bpfdesc_create); 179 } 180 181 COUNTER_DECL(bpfdesc_create_mbuf); 182 static void 183 test_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, 184 struct mbuf *m, struct label *mlabel) 185 { 186 187 LABEL_CHECK(dlabel, MAGIC_BPF); 188 LABEL_CHECK(mlabel, MAGIC_MBUF); 189 COUNTER_INC(bpfdesc_create_mbuf); 190 } 191 192 COUNTER_DECL(bpfdesc_destroy_label); 193 static void 194 test_bpfdesc_destroy_label(struct label *label) 195 { 196 197 LABEL_DESTROY(label, MAGIC_BPF); 198 COUNTER_INC(bpfdesc_destroy_label); 199 } 200 201 COUNTER_DECL(bpfdesc_init_label); 202 static void 203 test_bpfdesc_init_label(struct label *label) 204 { 205 206 LABEL_INIT(label, MAGIC_BPF); 207 COUNTER_INC(bpfdesc_init_label); 208 } 209 210 COUNTER_DECL(cred_check_relabel); 211 static int 212 test_cred_check_relabel(struct ucred *cred, struct label *newlabel) 213 { 214 215 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 216 LABEL_CHECK(newlabel, MAGIC_CRED); 217 COUNTER_INC(cred_check_relabel); 218 219 return (0); 220 } 221 222 COUNTER_DECL(cred_check_visible); 223 static int 224 test_cred_check_visible(struct ucred *u1, struct ucred *u2) 225 { 226 227 LABEL_CHECK(u1->cr_label, MAGIC_CRED); 228 LABEL_CHECK(u2->cr_label, MAGIC_CRED); 229 COUNTER_INC(cred_check_visible); 230 231 return (0); 232 } 233 234 COUNTER_DECL(cred_copy_label); 235 static void 236 test_cred_copy_label(struct label *src, struct label *dest) 237 { 238 239 LABEL_CHECK(src, MAGIC_CRED); 240 LABEL_CHECK(dest, MAGIC_CRED); 241 COUNTER_INC(cred_copy_label); 242 } 243 244 COUNTER_DECL(cred_destroy_label); 245 static void 246 test_cred_destroy_label(struct label *label) 247 { 248 249 LABEL_DESTROY(label, MAGIC_CRED); 250 COUNTER_INC(cred_destroy_label); 251 } 252 253 COUNTER_DECL(cred_externalize_label); 254 static int 255 test_cred_externalize_label(struct label *label, char *element_name, 256 struct sbuf *sb, int *claimed) 257 { 258 259 LABEL_CHECK(label, MAGIC_CRED); 260 COUNTER_INC(cred_externalize_label); 261 262 return (0); 263 } 264 265 COUNTER_DECL(cred_init_label); 266 static void 267 test_cred_init_label(struct label *label) 268 { 269 270 LABEL_INIT(label, MAGIC_CRED); 271 COUNTER_INC(cred_init_label); 272 } 273 274 COUNTER_DECL(cred_internalize_label); 275 static int 276 test_cred_internalize_label(struct label *label, char *element_name, 277 char *element_data, int *claimed) 278 { 279 280 LABEL_CHECK(label, MAGIC_CRED); 281 COUNTER_INC(cred_internalize_label); 282 283 return (0); 284 } 285 286 COUNTER_DECL(cred_relabel); 287 static void 288 test_cred_relabel(struct ucred *cred, struct label *newlabel) 289 { 290 291 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 292 LABEL_CHECK(newlabel, MAGIC_CRED); 293 COUNTER_INC(cred_relabel); 294 } 295 296 COUNTER_DECL(devfs_create_device); 297 static void 298 test_devfs_create_device(struct ucred *cred, struct mount *mp, 299 struct cdev *dev, struct devfs_dirent *de, struct label *delabel) 300 { 301 302 if (cred != NULL) 303 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 304 LABEL_CHECK(delabel, MAGIC_DEVFS); 305 COUNTER_INC(devfs_create_device); 306 } 307 308 COUNTER_DECL(devfs_create_directory); 309 static void 310 test_devfs_create_directory(struct mount *mp, char *dirname, 311 int dirnamelen, struct devfs_dirent *de, struct label *delabel) 312 { 313 314 LABEL_CHECK(delabel, MAGIC_DEVFS); 315 COUNTER_INC(devfs_create_directory); 316 } 317 318 COUNTER_DECL(devfs_create_symlink); 319 static void 320 test_devfs_create_symlink(struct ucred *cred, struct mount *mp, 321 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, 322 struct label *delabel) 323 { 324 325 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 326 LABEL_CHECK(ddlabel, MAGIC_DEVFS); 327 LABEL_CHECK(delabel, MAGIC_DEVFS); 328 COUNTER_INC(devfs_create_symlink); 329 } 330 331 COUNTER_DECL(devfs_destroy_label); 332 static void 333 test_devfs_destroy_label(struct label *label) 334 { 335 336 LABEL_DESTROY(label, MAGIC_DEVFS); 337 COUNTER_INC(devfs_destroy_label); 338 } 339 340 COUNTER_DECL(devfs_init_label); 341 static void 342 test_devfs_init_label(struct label *label) 343 { 344 345 LABEL_INIT(label, MAGIC_DEVFS); 346 COUNTER_INC(devfs_init_label); 347 } 348 349 COUNTER_DECL(devfs_update); 350 static void 351 test_devfs_update(struct mount *mp, struct devfs_dirent *devfs_dirent, 352 struct label *direntlabel, struct vnode *vp, struct label *vplabel) 353 { 354 355 LABEL_CHECK(direntlabel, MAGIC_DEVFS); 356 LABEL_CHECK(vplabel, MAGIC_VNODE); 357 COUNTER_INC(devfs_update); 358 } 359 360 COUNTER_DECL(devfs_vnode_associate); 361 static void 362 test_devfs_vnode_associate(struct mount *mp, struct label *mplabel, 363 struct devfs_dirent *de, struct label *delabel, struct vnode *vp, 364 struct label *vplabel) 365 { 366 367 LABEL_CHECK(mplabel, MAGIC_MOUNT); 368 LABEL_CHECK(delabel, MAGIC_DEVFS); 369 LABEL_CHECK(vplabel, MAGIC_VNODE); 370 COUNTER_INC(devfs_vnode_associate); 371 } 372 373 COUNTER_DECL(ifnet_check_relabel); 374 static int 375 test_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, 376 struct label *ifplabel, struct label *newlabel) 377 { 378 379 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 380 LABEL_CHECK(ifplabel, MAGIC_IFNET); 381 LABEL_CHECK(newlabel, MAGIC_IFNET); 382 COUNTER_INC(ifnet_check_relabel); 383 384 return (0); 385 } 386 387 COUNTER_DECL(ifnet_check_transmit); 388 static int 389 test_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, 390 struct mbuf *m, struct label *mlabel) 391 { 392 393 LABEL_CHECK(ifplabel, MAGIC_IFNET); 394 LABEL_CHECK(mlabel, MAGIC_MBUF); 395 COUNTER_INC(ifnet_check_transmit); 396 397 return (0); 398 } 399 400 COUNTER_DECL(ifnet_copy_label); 401 static void 402 test_ifnet_copy_label(struct label *src, struct label *dest) 403 { 404 405 LABEL_CHECK(src, MAGIC_IFNET); 406 LABEL_CHECK(dest, MAGIC_IFNET); 407 COUNTER_INC(ifnet_copy_label); 408 } 409 410 COUNTER_DECL(ifnet_create); 411 static void 412 test_ifnet_create(struct ifnet *ifp, struct label *ifplabel) 413 { 414 415 LABEL_CHECK(ifplabel, MAGIC_IFNET); 416 COUNTER_INC(ifnet_create); 417 } 418 419 COUNTER_DECL(ifnet_create_mbuf); 420 static void 421 test_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel, 422 struct mbuf *m, struct label *mlabel) 423 { 424 425 LABEL_CHECK(ifplabel, MAGIC_IFNET); 426 LABEL_CHECK(mlabel, MAGIC_MBUF); 427 COUNTER_INC(ifnet_create_mbuf); 428 } 429 430 COUNTER_DECL(ifnet_destroy_label); 431 static void 432 test_ifnet_destroy_label(struct label *label) 433 { 434 435 LABEL_DESTROY(label, MAGIC_IFNET); 436 COUNTER_INC(ifnet_destroy_label); 437 } 438 439 COUNTER_DECL(ifnet_externalize_label); 440 static int 441 test_ifnet_externalize_label(struct label *label, char *element_name, 442 struct sbuf *sb, int *claimed) 443 { 444 445 LABEL_CHECK(label, MAGIC_IFNET); 446 COUNTER_INC(ifnet_externalize_label); 447 448 return (0); 449 } 450 451 COUNTER_DECL(ifnet_init_label); 452 static void 453 test_ifnet_init_label(struct label *label) 454 { 455 456 LABEL_INIT(label, MAGIC_IFNET); 457 COUNTER_INC(ifnet_init_label); 458 } 459 460 COUNTER_DECL(ifnet_internalize_label); 461 static int 462 test_ifnet_internalize_label(struct label *label, char *element_name, 463 char *element_data, int *claimed) 464 { 465 466 LABEL_CHECK(label, MAGIC_IFNET); 467 COUNTER_INC(ifnet_internalize_label); 468 469 return (0); 470 } 471 472 COUNTER_DECL(ifnet_relabel); 473 static void 474 test_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, 475 struct label *ifplabel, struct label *newlabel) 476 { 477 478 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 479 LABEL_CHECK(ifplabel, MAGIC_IFNET); 480 LABEL_CHECK(newlabel, MAGIC_IFNET); 481 COUNTER_INC(ifnet_relabel); 482 } 483 484 COUNTER_DECL(inpcb_check_deliver); 485 static int 486 test_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, 487 struct mbuf *m, struct label *mlabel) 488 { 489 490 LABEL_CHECK(inplabel, MAGIC_INPCB); 491 LABEL_CHECK(mlabel, MAGIC_MBUF); 492 COUNTER_INC(inpcb_check_deliver); 493 494 return (0); 495 } 496 497 COUNTER_DECL(inpcb_create); 498 static void 499 test_inpcb_create(struct socket *so, struct label *solabel, 500 struct inpcb *inp, struct label *inplabel) 501 { 502 503 LABEL_CHECK(solabel, MAGIC_SOCKET); 504 LABEL_CHECK(inplabel, MAGIC_INPCB); 505 COUNTER_INC(inpcb_create); 506 } 507 508 COUNTER_DECL(inpcb_create_mbuf); 509 static void 510 test_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, 511 struct mbuf *m, struct label *mlabel) 512 { 513 514 LABEL_CHECK(inplabel, MAGIC_INPCB); 515 LABEL_CHECK(mlabel, MAGIC_MBUF); 516 COUNTER_INC(inpcb_create_mbuf); 517 } 518 519 COUNTER_DECL(inpcb_destroy_label); 520 static void 521 test_inpcb_destroy_label(struct label *label) 522 { 523 524 LABEL_DESTROY(label, MAGIC_INPCB); 525 COUNTER_INC(inpcb_destroy_label); 526 } 527 528 COUNTER_DECL(inpcb_init_label); 529 static int 530 test_inpcb_init_label(struct label *label, int flag) 531 { 532 533 if (flag & M_WAITOK) 534 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 535 "test_inpcb_init_label() at %s:%d", __FILE__, 536 __LINE__); 537 538 LABEL_INIT(label, MAGIC_INPCB); 539 COUNTER_INC(inpcb_init_label); 540 return (0); 541 } 542 543 COUNTER_DECL(inpcb_sosetlabel); 544 static void 545 test_inpcb_sosetlabel(struct socket *so, struct label *solabel, 546 struct inpcb *inp, struct label *inplabel) 547 { 548 549 LABEL_CHECK(solabel, MAGIC_SOCKET); 550 LABEL_CHECK(inplabel, MAGIC_INPCB); 551 COUNTER_INC(inpcb_sosetlabel); 552 } 553 554 COUNTER_DECL(ipq_create); 555 static void 556 test_ipq_create(struct mbuf *fragment, struct label *fragmentlabel, 557 struct ipq *q, struct label *qlabel) 558 { 559 560 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 561 LABEL_CHECK(qlabel, MAGIC_IPQ); 562 COUNTER_INC(ipq_create); 563 } 564 565 COUNTER_DECL(ipq_destroy_label); 566 static void 567 test_ipq_destroy_label(struct label *label) 568 { 569 570 LABEL_DESTROY(label, MAGIC_IPQ); 571 COUNTER_INC(ipq_destroy_label); 572 } 573 574 COUNTER_DECL(ipq_init_label); 575 static int 576 test_ipq_init_label(struct label *label, int flag) 577 { 578 579 if (flag & M_WAITOK) 580 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 581 "test_ipq_init_label() at %s:%d", __FILE__, 582 __LINE__); 583 584 LABEL_INIT(label, MAGIC_IPQ); 585 COUNTER_INC(ipq_init_label); 586 return (0); 587 } 588 589 COUNTER_DECL(ipq_match); 590 static int 591 test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel, 592 struct ipq *q, struct label *qlabel) 593 { 594 595 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 596 LABEL_CHECK(qlabel, MAGIC_IPQ); 597 COUNTER_INC(ipq_match); 598 599 return (1); 600 } 601 602 COUNTER_DECL(ipq_reassemble); 603 static void 604 test_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m, 605 struct label *mlabel) 606 { 607 608 LABEL_CHECK(qlabel, MAGIC_IPQ); 609 LABEL_CHECK(mlabel, MAGIC_MBUF); 610 COUNTER_INC(ipq_reassemble); 611 } 612 613 COUNTER_DECL(ipq_update); 614 static void 615 test_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q, 616 struct label *qlabel) 617 { 618 619 LABEL_CHECK(mlabel, MAGIC_MBUF); 620 LABEL_CHECK(qlabel, MAGIC_IPQ); 621 COUNTER_INC(ipq_update); 622 } 623 624 COUNTER_DECL(kenv_check_dump); 625 static int 626 test_kenv_check_dump(struct ucred *cred) 627 { 628 629 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 630 COUNTER_INC(kenv_check_dump); 631 632 return (0); 633 } 634 635 COUNTER_DECL(kenv_check_get); 636 static int 637 test_kenv_check_get(struct ucred *cred, char *name) 638 { 639 640 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 641 COUNTER_INC(kenv_check_get); 642 643 return (0); 644 } 645 646 COUNTER_DECL(kenv_check_set); 647 static int 648 test_kenv_check_set(struct ucred *cred, char *name, char *value) 649 { 650 651 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 652 COUNTER_INC(kenv_check_set); 653 654 return (0); 655 } 656 657 COUNTER_DECL(kenv_check_unset); 658 static int 659 test_kenv_check_unset(struct ucred *cred, char *name) 660 { 661 662 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 663 COUNTER_INC(kenv_check_unset); 664 665 return (0); 666 } 667 668 COUNTER_DECL(kld_check_load); 669 static int 670 test_kld_check_load(struct ucred *cred, struct vnode *vp, 671 struct label *label) 672 { 673 674 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 675 LABEL_CHECK(label, MAGIC_VNODE); 676 COUNTER_INC(kld_check_load); 677 678 return (0); 679 } 680 681 COUNTER_DECL(kld_check_stat); 682 static int 683 test_kld_check_stat(struct ucred *cred) 684 { 685 686 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 687 COUNTER_INC(kld_check_stat); 688 689 return (0); 690 } 691 692 COUNTER_DECL(mbuf_copy_label); 693 static void 694 test_mbuf_copy_label(struct label *src, struct label *dest) 695 { 696 697 LABEL_CHECK(src, MAGIC_MBUF); 698 LABEL_CHECK(dest, MAGIC_MBUF); 699 COUNTER_INC(mbuf_copy_label); 700 } 701 702 COUNTER_DECL(mbuf_destroy_label); 703 static void 704 test_mbuf_destroy_label(struct label *label) 705 { 706 707 /* 708 * If we're loaded dynamically, there may be mbufs in flight that 709 * didn't have label storage allocated for them. Handle this 710 * gracefully. 711 */ 712 if (label == NULL) 713 return; 714 715 LABEL_DESTROY(label, MAGIC_MBUF); 716 COUNTER_INC(mbuf_destroy_label); 717 } 718 719 COUNTER_DECL(mbuf_init_label); 720 static int 721 test_mbuf_init_label(struct label *label, int flag) 722 { 723 724 if (flag & M_WAITOK) 725 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 726 "test_mbuf_init_label() at %s:%d", __FILE__, 727 __LINE__); 728 729 LABEL_INIT(label, MAGIC_MBUF); 730 COUNTER_INC(mbuf_init_label); 731 return (0); 732 } 733 734 COUNTER_DECL(mount_check_stat); 735 static int 736 test_mount_check_stat(struct ucred *cred, struct mount *mp, 737 struct label *mplabel) 738 { 739 740 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 741 LABEL_CHECK(mplabel, MAGIC_MOUNT); 742 COUNTER_INC(mount_check_stat); 743 744 return (0); 745 } 746 747 COUNTER_DECL(mount_create); 748 static void 749 test_mount_create(struct ucred *cred, struct mount *mp, 750 struct label *mplabel) 751 { 752 753 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 754 LABEL_CHECK(mplabel, MAGIC_MOUNT); 755 COUNTER_INC(mount_create); 756 } 757 758 COUNTER_DECL(mount_destroy_label); 759 static void 760 test_mount_destroy_label(struct label *label) 761 { 762 763 LABEL_DESTROY(label, MAGIC_MOUNT); 764 COUNTER_INC(mount_destroy_label); 765 } 766 767 COUNTER_DECL(mount_init_label); 768 static void 769 test_mount_init_label(struct label *label) 770 { 771 772 LABEL_INIT(label, MAGIC_MOUNT); 773 COUNTER_INC(mount_init_label); 774 } 775 776 COUNTER_DECL(netatalk_aarp_send); 777 static void 778 test_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel, 779 struct mbuf *m, struct label *mlabel) 780 { 781 782 LABEL_CHECK(ifplabel, MAGIC_IFNET); 783 LABEL_CHECK(mlabel, MAGIC_MBUF); 784 COUNTER_INC(netatalk_aarp_send); 785 } 786 787 COUNTER_DECL(netinet_arp_send); 788 static void 789 test_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel, 790 struct mbuf *m, struct label *mlabel) 791 { 792 793 LABEL_CHECK(ifplabel, MAGIC_IFNET); 794 LABEL_CHECK(mlabel, MAGIC_MBUF); 795 COUNTER_INC(netinet_arp_send); 796 } 797 798 COUNTER_DECL(netinet_fragment); 799 static void 800 test_netinet_fragment(struct mbuf *m, struct label *mlabel, 801 struct mbuf *frag, struct label *fraglabel) 802 { 803 804 LABEL_CHECK(mlabel, MAGIC_MBUF); 805 LABEL_CHECK(fraglabel, MAGIC_MBUF); 806 COUNTER_INC(netinet_fragment); 807 } 808 809 COUNTER_DECL(netinet_icmp_reply); 810 static void 811 test_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel, 812 struct mbuf *msend, struct label *msendlabel) 813 { 814 815 LABEL_CHECK(mrecvlabel, MAGIC_MBUF); 816 LABEL_CHECK(msendlabel, MAGIC_MBUF); 817 COUNTER_INC(netinet_icmp_reply); 818 } 819 820 COUNTER_DECL(netinet_icmp_replyinplace); 821 static void 822 test_netinet_icmp_replyinplace(struct mbuf *m, struct label *mlabel) 823 { 824 825 LABEL_CHECK(mlabel, MAGIC_MBUF); 826 COUNTER_INC(netinet_icmp_replyinplace); 827 } 828 829 COUNTER_DECL(netinet_igmp_send); 830 static void 831 test_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel, 832 struct mbuf *m, struct label *mlabel) 833 { 834 835 LABEL_CHECK(ifplabel, MAGIC_IFNET); 836 LABEL_CHECK(mlabel, MAGIC_MBUF); 837 COUNTER_INC(netinet_igmp_send); 838 } 839 840 COUNTER_DECL(netinet_tcp_reply); 841 static void 842 test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel) 843 { 844 845 LABEL_CHECK(mlabel, MAGIC_MBUF); 846 COUNTER_INC(netinet_tcp_reply); 847 } 848 849 COUNTER_DECL(netinet6_nd6_send); 850 static void 851 test_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel, 852 struct mbuf *m, struct label *mlabel) 853 { 854 855 LABEL_CHECK(ifplabel, MAGIC_IFNET); 856 LABEL_CHECK(mlabel, MAGIC_MBUF); 857 COUNTER_INC(netinet6_nd6_send); 858 } 859 860 COUNTER_DECL(pipe_check_ioctl); 861 static int 862 test_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, 863 struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data) 864 { 865 866 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 867 LABEL_CHECK(pplabel, MAGIC_PIPE); 868 COUNTER_INC(pipe_check_ioctl); 869 870 return (0); 871 } 872 873 COUNTER_DECL(pipe_check_poll); 874 static int 875 test_pipe_check_poll(struct ucred *cred, struct pipepair *pp, 876 struct label *pplabel) 877 { 878 879 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 880 LABEL_CHECK(pplabel, MAGIC_PIPE); 881 COUNTER_INC(pipe_check_poll); 882 883 return (0); 884 } 885 886 COUNTER_DECL(pipe_check_read); 887 static int 888 test_pipe_check_read(struct ucred *cred, struct pipepair *pp, 889 struct label *pplabel) 890 { 891 892 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 893 LABEL_CHECK(pplabel, MAGIC_PIPE); 894 COUNTER_INC(pipe_check_read); 895 896 return (0); 897 } 898 899 COUNTER_DECL(pipe_check_relabel); 900 static int 901 test_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, 902 struct label *pplabel, struct label *newlabel) 903 { 904 905 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 906 LABEL_CHECK(pplabel, MAGIC_PIPE); 907 LABEL_CHECK(newlabel, MAGIC_PIPE); 908 COUNTER_INC(pipe_check_relabel); 909 910 return (0); 911 } 912 913 COUNTER_DECL(pipe_check_stat); 914 static int 915 test_pipe_check_stat(struct ucred *cred, struct pipepair *pp, 916 struct label *pplabel) 917 { 918 919 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 920 LABEL_CHECK(pplabel, MAGIC_PIPE); 921 COUNTER_INC(pipe_check_stat); 922 923 return (0); 924 } 925 926 COUNTER_DECL(pipe_check_write); 927 static int 928 test_pipe_check_write(struct ucred *cred, struct pipepair *pp, 929 struct label *pplabel) 930 { 931 932 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 933 LABEL_CHECK(pplabel, MAGIC_PIPE); 934 COUNTER_INC(pipe_check_write); 935 936 return (0); 937 } 938 939 COUNTER_DECL(pipe_copy_label); 940 static void 941 test_pipe_copy_label(struct label *src, struct label *dest) 942 { 943 944 LABEL_CHECK(src, MAGIC_PIPE); 945 LABEL_CHECK(dest, MAGIC_PIPE); 946 COUNTER_INC(pipe_copy_label); 947 } 948 949 COUNTER_DECL(pipe_create); 950 static void 951 test_pipe_create(struct ucred *cred, struct pipepair *pp, 952 struct label *pplabel) 953 { 954 955 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 956 LABEL_CHECK(pplabel, MAGIC_PIPE); 957 COUNTER_INC(pipe_create); 958 } 959 960 COUNTER_DECL(pipe_destroy_label); 961 static void 962 test_pipe_destroy_label(struct label *label) 963 { 964 965 LABEL_DESTROY(label, MAGIC_PIPE); 966 COUNTER_INC(pipe_destroy_label); 967 } 968 969 COUNTER_DECL(pipe_externalize_label); 970 static int 971 test_pipe_externalize_label(struct label *label, char *element_name, 972 struct sbuf *sb, int *claimed) 973 { 974 975 LABEL_CHECK(label, MAGIC_PIPE); 976 COUNTER_INC(pipe_externalize_label); 977 978 return (0); 979 } 980 981 COUNTER_DECL(pipe_init_label); 982 static void 983 test_pipe_init_label(struct label *label) 984 { 985 986 LABEL_INIT(label, MAGIC_PIPE); 987 COUNTER_INC(pipe_init_label); 988 } 989 990 COUNTER_DECL(pipe_internalize_label); 991 static int 992 test_pipe_internalize_label(struct label *label, char *element_name, 993 char *element_data, int *claimed) 994 { 995 996 LABEL_CHECK(label, MAGIC_PIPE); 997 COUNTER_INC(pipe_internalize_label); 998 999 return (0); 1000 } 1001 1002 COUNTER_DECL(pipe_relabel); 1003 static void 1004 test_pipe_relabel(struct ucred *cred, struct pipepair *pp, 1005 struct label *pplabel, struct label *newlabel) 1006 { 1007 1008 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1009 LABEL_CHECK(pplabel, MAGIC_PIPE); 1010 LABEL_CHECK(newlabel, MAGIC_PIPE); 1011 COUNTER_INC(pipe_relabel); 1012 } 1013 1014 COUNTER_DECL(posixsem_check_getvalue); 1015 static int 1016 test_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred, 1017 struct ksem *ks, struct label *kslabel) 1018 { 1019 1020 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1021 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1022 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1023 COUNTER_INC(posixsem_check_getvalue); 1024 1025 return (0); 1026 } 1027 1028 COUNTER_DECL(posixsem_check_open); 1029 static int 1030 test_posixsem_check_open(struct ucred *cred, struct ksem *ks, 1031 struct label *kslabel) 1032 { 1033 1034 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1035 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1036 COUNTER_INC(posixsem_check_open); 1037 1038 return (0); 1039 } 1040 1041 COUNTER_DECL(posixsem_check_post); 1042 static int 1043 test_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred, 1044 struct ksem *ks, struct label *kslabel) 1045 { 1046 1047 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1048 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1049 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1050 COUNTER_INC(posixsem_check_post); 1051 1052 return (0); 1053 } 1054 1055 COUNTER_DECL(posixsem_check_stat); 1056 static int 1057 test_posixsem_check_stat(struct ucred *active_cred, 1058 struct ucred *file_cred, struct ksem *ks, struct label *kslabel) 1059 { 1060 1061 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1062 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1063 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1064 COUNTER_INC(posixsem_check_stat); 1065 return (0); 1066 } 1067 1068 COUNTER_DECL(posixsem_check_unlink); 1069 static int 1070 test_posixsem_check_unlink(struct ucred *cred, struct ksem *ks, 1071 struct label *kslabel) 1072 { 1073 1074 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1075 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1076 COUNTER_INC(posixsem_check_unlink); 1077 1078 return (0); 1079 } 1080 1081 COUNTER_DECL(posixsem_check_wait); 1082 static int 1083 test_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred, 1084 struct ksem *ks, struct label *kslabel) 1085 { 1086 1087 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1088 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1089 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1090 COUNTER_INC(posixsem_check_wait); 1091 1092 return (0); 1093 } 1094 1095 COUNTER_DECL(posixsem_create); 1096 static void 1097 test_posixsem_create(struct ucred *cred, struct ksem *ks, 1098 struct label *kslabel) 1099 { 1100 1101 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1102 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1103 COUNTER_INC(posixsem_create); 1104 } 1105 1106 COUNTER_DECL(posixsem_destroy_label); 1107 static void 1108 test_posixsem_destroy_label(struct label *label) 1109 { 1110 1111 LABEL_DESTROY(label, MAGIC_POSIX_SEM); 1112 COUNTER_INC(posixsem_destroy_label); 1113 } 1114 1115 COUNTER_DECL(posixsem_init_label); 1116 static void 1117 test_posixsem_init_label(struct label *label) 1118 { 1119 1120 LABEL_INIT(label, MAGIC_POSIX_SEM); 1121 COUNTER_INC(posixsem_init_label); 1122 } 1123 1124 COUNTER_DECL(posixshm_check_mmap); 1125 static int 1126 test_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, 1127 struct label *shmfdlabel, int prot, int flags) 1128 { 1129 1130 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1131 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1132 COUNTER_INC(posixshm_check_mmap); 1133 return (0); 1134 } 1135 1136 COUNTER_DECL(posixshm_check_open); 1137 static int 1138 test_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd, 1139 struct label *shmfdlabel) 1140 { 1141 1142 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1143 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1144 COUNTER_INC(posixshm_check_open); 1145 return (0); 1146 } 1147 1148 COUNTER_DECL(posixshm_check_stat); 1149 static int 1150 test_posixshm_check_stat(struct ucred *active_cred, 1151 struct ucred *file_cred, struct shmfd *shmfd, struct label *shmfdlabel) 1152 { 1153 1154 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1155 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1156 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1157 COUNTER_INC(posixshm_check_stat); 1158 return (0); 1159 } 1160 1161 COUNTER_DECL(posixshm_check_truncate); 1162 static int 1163 test_posixshm_check_truncate(struct ucred *active_cred, 1164 struct ucred *file_cred, struct shmfd *shmfd, struct label *shmfdlabel) 1165 { 1166 1167 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1168 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1169 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1170 COUNTER_INC(posixshm_check_truncate); 1171 return (0); 1172 } 1173 1174 COUNTER_DECL(posixshm_check_unlink); 1175 static int 1176 test_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd, 1177 struct label *shmfdlabel) 1178 { 1179 1180 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1181 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1182 COUNTER_INC(posixshm_check_unlink); 1183 return (0); 1184 } 1185 1186 COUNTER_DECL(posixshm_create); 1187 static void 1188 test_posixshm_create(struct ucred *cred, struct shmfd *shmfd, 1189 struct label *shmfdlabel) 1190 { 1191 1192 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1193 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1194 COUNTER_INC(posixshm_create); 1195 } 1196 1197 COUNTER_DECL(posixshm_destroy_label); 1198 static void 1199 test_posixshm_destroy_label(struct label *label) 1200 { 1201 1202 LABEL_DESTROY(label, MAGIC_POSIX_SHM); 1203 COUNTER_INC(posixshm_destroy_label); 1204 } 1205 1206 COUNTER_DECL(posixshm_init_label); 1207 static void 1208 test_posixshm_init_label(struct label *label) 1209 { 1210 1211 LABEL_INIT(label, MAGIC_POSIX_SHM); 1212 COUNTER_INC(posixshm_init_label); 1213 } 1214 1215 COUNTER_DECL(proc_check_debug); 1216 static int 1217 test_proc_check_debug(struct ucred *cred, struct proc *p) 1218 { 1219 1220 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1221 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1222 COUNTER_INC(proc_check_debug); 1223 1224 return (0); 1225 } 1226 1227 COUNTER_DECL(proc_check_sched); 1228 static int 1229 test_proc_check_sched(struct ucred *cred, struct proc *p) 1230 { 1231 1232 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1233 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1234 COUNTER_INC(proc_check_sched); 1235 1236 return (0); 1237 } 1238 1239 COUNTER_DECL(proc_check_signal); 1240 static int 1241 test_proc_check_signal(struct ucred *cred, struct proc *p, int signum) 1242 { 1243 1244 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1245 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1246 COUNTER_INC(proc_check_signal); 1247 1248 return (0); 1249 } 1250 1251 COUNTER_DECL(proc_check_setaudit); 1252 static int 1253 test_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai) 1254 { 1255 1256 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1257 COUNTER_INC(proc_check_setaudit); 1258 1259 return (0); 1260 } 1261 1262 COUNTER_DECL(proc_check_setaudit_addr); 1263 static int 1264 test_proc_check_setaudit_addr(struct ucred *cred, 1265 struct auditinfo_addr *aia) 1266 { 1267 1268 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1269 COUNTER_INC(proc_check_setaudit_addr); 1270 1271 return (0); 1272 } 1273 1274 COUNTER_DECL(proc_check_setauid); 1275 static int 1276 test_proc_check_setauid(struct ucred *cred, uid_t auid) 1277 { 1278 1279 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1280 COUNTER_INC(proc_check_setauid); 1281 1282 return (0); 1283 } 1284 1285 COUNTER_DECL(proc_check_setegid); 1286 static int 1287 test_proc_check_setegid(struct ucred *cred, gid_t egid) 1288 { 1289 1290 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1291 COUNTER_INC(proc_check_setegid); 1292 1293 return (0); 1294 } 1295 1296 COUNTER_DECL(proc_check_euid); 1297 static int 1298 test_proc_check_seteuid(struct ucred *cred, uid_t euid) 1299 { 1300 1301 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1302 COUNTER_INC(proc_check_euid); 1303 1304 return (0); 1305 } 1306 1307 COUNTER_DECL(proc_check_setregid); 1308 static int 1309 test_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) 1310 { 1311 1312 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1313 COUNTER_INC(proc_check_setregid); 1314 1315 return (0); 1316 } 1317 1318 COUNTER_DECL(proc_check_setreuid); 1319 static int 1320 test_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) 1321 { 1322 1323 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1324 COUNTER_INC(proc_check_setreuid); 1325 1326 return (0); 1327 } 1328 1329 COUNTER_DECL(proc_check_setgid); 1330 static int 1331 test_proc_check_setgid(struct ucred *cred, gid_t gid) 1332 { 1333 1334 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1335 COUNTER_INC(proc_check_setgid); 1336 1337 return (0); 1338 } 1339 1340 COUNTER_DECL(proc_check_setgroups); 1341 static int 1342 test_proc_check_setgroups(struct ucred *cred, int ngroups, 1343 gid_t *gidset) 1344 { 1345 1346 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1347 COUNTER_INC(proc_check_setgroups); 1348 1349 return (0); 1350 } 1351 1352 COUNTER_DECL(proc_check_setresgid); 1353 static int 1354 test_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, 1355 gid_t sgid) 1356 { 1357 1358 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1359 COUNTER_INC(proc_check_setresgid); 1360 1361 return (0); 1362 } 1363 1364 COUNTER_DECL(proc_check_setresuid); 1365 static int 1366 test_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, 1367 uid_t suid) 1368 { 1369 1370 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1371 COUNTER_INC(proc_check_setresuid); 1372 1373 return (0); 1374 } 1375 1376 COUNTER_DECL(proc_check_setuid); 1377 static int 1378 test_proc_check_setuid(struct ucred *cred, uid_t uid) 1379 { 1380 1381 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1382 COUNTER_INC(proc_check_setuid); 1383 1384 return (0); 1385 } 1386 1387 COUNTER_DECL(proc_check_wait); 1388 static int 1389 test_proc_check_wait(struct ucred *cred, struct proc *p) 1390 { 1391 1392 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1393 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1394 COUNTER_INC(proc_check_wait); 1395 1396 return (0); 1397 } 1398 1399 COUNTER_DECL(proc_create_init); 1400 static void 1401 test_proc_create_init(struct ucred *cred) 1402 { 1403 1404 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1405 COUNTER_INC(proc_create_init); 1406 } 1407 1408 COUNTER_DECL(proc_create_swapper); 1409 static void 1410 test_proc_create_swapper(struct ucred *cred) 1411 { 1412 1413 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1414 COUNTER_INC(proc_create_swapper); 1415 } 1416 1417 COUNTER_DECL(proc_destroy_label); 1418 static void 1419 test_proc_destroy_label(struct label *label) 1420 { 1421 1422 LABEL_DESTROY(label, MAGIC_PROC); 1423 COUNTER_INC(proc_destroy_label); 1424 } 1425 1426 COUNTER_DECL(proc_init_label); 1427 static void 1428 test_proc_init_label(struct label *label) 1429 { 1430 1431 LABEL_INIT(label, MAGIC_PROC); 1432 COUNTER_INC(proc_init_label); 1433 } 1434 1435 COUNTER_DECL(socket_check_accept); 1436 static int 1437 test_socket_check_accept(struct ucred *cred, struct socket *so, 1438 struct label *solabel) 1439 { 1440 1441 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1442 LABEL_CHECK(solabel, MAGIC_SOCKET); 1443 COUNTER_INC(socket_check_accept); 1444 1445 return (0); 1446 } 1447 1448 COUNTER_DECL(socket_check_bind); 1449 static int 1450 test_socket_check_bind(struct ucred *cred, struct socket *so, 1451 struct label *solabel, struct sockaddr *sa) 1452 { 1453 1454 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1455 LABEL_CHECK(solabel, MAGIC_SOCKET); 1456 COUNTER_INC(socket_check_bind); 1457 1458 return (0); 1459 } 1460 1461 COUNTER_DECL(socket_check_connect); 1462 static int 1463 test_socket_check_connect(struct ucred *cred, struct socket *so, 1464 struct label *solabel, struct sockaddr *sa) 1465 { 1466 1467 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1468 LABEL_CHECK(solabel, MAGIC_SOCKET); 1469 COUNTER_INC(socket_check_connect); 1470 1471 return (0); 1472 } 1473 1474 COUNTER_DECL(socket_check_deliver); 1475 static int 1476 test_socket_check_deliver(struct socket *so, struct label *solabel, 1477 struct mbuf *m, struct label *mlabel) 1478 { 1479 1480 LABEL_CHECK(solabel, MAGIC_SOCKET); 1481 LABEL_CHECK(mlabel, MAGIC_MBUF); 1482 COUNTER_INC(socket_check_deliver); 1483 1484 return (0); 1485 } 1486 1487 COUNTER_DECL(socket_check_listen); 1488 static int 1489 test_socket_check_listen(struct ucred *cred, struct socket *so, 1490 struct label *solabel) 1491 { 1492 1493 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1494 LABEL_CHECK(solabel, MAGIC_SOCKET); 1495 COUNTER_INC(socket_check_listen); 1496 1497 return (0); 1498 } 1499 1500 COUNTER_DECL(socket_check_poll); 1501 static int 1502 test_socket_check_poll(struct ucred *cred, struct socket *so, 1503 struct label *solabel) 1504 { 1505 1506 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1507 LABEL_CHECK(solabel, MAGIC_SOCKET); 1508 COUNTER_INC(socket_check_poll); 1509 1510 return (0); 1511 } 1512 1513 COUNTER_DECL(socket_check_receive); 1514 static int 1515 test_socket_check_receive(struct ucred *cred, struct socket *so, 1516 struct label *solabel) 1517 { 1518 1519 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1520 LABEL_CHECK(solabel, MAGIC_SOCKET); 1521 COUNTER_INC(socket_check_receive); 1522 1523 return (0); 1524 } 1525 1526 COUNTER_DECL(socket_check_relabel); 1527 static int 1528 test_socket_check_relabel(struct ucred *cred, struct socket *so, 1529 struct label *solabel, struct label *newlabel) 1530 { 1531 1532 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1533 LABEL_CHECK(solabel, MAGIC_SOCKET); 1534 LABEL_CHECK(newlabel, MAGIC_SOCKET); 1535 COUNTER_INC(socket_check_relabel); 1536 1537 return (0); 1538 } 1539 1540 COUNTER_DECL(socket_check_send); 1541 static int 1542 test_socket_check_send(struct ucred *cred, struct socket *so, 1543 struct label *solabel) 1544 { 1545 1546 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1547 LABEL_CHECK(solabel, MAGIC_SOCKET); 1548 COUNTER_INC(socket_check_send); 1549 1550 return (0); 1551 } 1552 1553 COUNTER_DECL(socket_check_stat); 1554 static int 1555 test_socket_check_stat(struct ucred *cred, struct socket *so, 1556 struct label *solabel) 1557 { 1558 1559 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1560 LABEL_CHECK(solabel, MAGIC_SOCKET); 1561 COUNTER_INC(socket_check_stat); 1562 1563 return (0); 1564 } 1565 1566 COUNTER_DECL(socket_check_visible); 1567 static int 1568 test_socket_check_visible(struct ucred *cred, struct socket *so, 1569 struct label *solabel) 1570 { 1571 1572 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1573 LABEL_CHECK(solabel, MAGIC_SOCKET); 1574 COUNTER_INC(socket_check_visible); 1575 1576 return (0); 1577 } 1578 1579 COUNTER_DECL(socket_copy_label); 1580 static void 1581 test_socket_copy_label(struct label *src, struct label *dest) 1582 { 1583 1584 LABEL_CHECK(src, MAGIC_SOCKET); 1585 LABEL_CHECK(dest, MAGIC_SOCKET); 1586 COUNTER_INC(socket_copy_label); 1587 } 1588 1589 COUNTER_DECL(socket_create); 1590 static void 1591 test_socket_create(struct ucred *cred, struct socket *so, 1592 struct label *solabel) 1593 { 1594 1595 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1596 LABEL_CHECK(solabel, MAGIC_SOCKET); 1597 COUNTER_INC(socket_create); 1598 } 1599 1600 COUNTER_DECL(socket_create_mbuf); 1601 static void 1602 test_socket_create_mbuf(struct socket *so, struct label *socketlabel, 1603 struct mbuf *m, struct label *mlabel) 1604 { 1605 1606 LABEL_CHECK(socketlabel, MAGIC_SOCKET); 1607 LABEL_CHECK(mlabel, MAGIC_MBUF); 1608 COUNTER_INC(socket_create_mbuf); 1609 } 1610 1611 COUNTER_DECL(socket_destroy_label); 1612 static void 1613 test_socket_destroy_label(struct label *label) 1614 { 1615 1616 LABEL_DESTROY(label, MAGIC_SOCKET); 1617 COUNTER_INC(socket_destroy_label); 1618 } 1619 1620 COUNTER_DECL(socket_externalize_label); 1621 static int 1622 test_socket_externalize_label(struct label *label, char *element_name, 1623 struct sbuf *sb, int *claimed) 1624 { 1625 1626 LABEL_CHECK(label, MAGIC_SOCKET); 1627 COUNTER_INC(socket_externalize_label); 1628 1629 return (0); 1630 } 1631 1632 COUNTER_DECL(socket_init_label); 1633 static int 1634 test_socket_init_label(struct label *label, int flag) 1635 { 1636 1637 if (flag & M_WAITOK) 1638 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 1639 "test_socket_init_label() at %s:%d", __FILE__, 1640 __LINE__); 1641 1642 LABEL_INIT(label, MAGIC_SOCKET); 1643 COUNTER_INC(socket_init_label); 1644 return (0); 1645 } 1646 1647 COUNTER_DECL(socket_internalize_label); 1648 static int 1649 test_socket_internalize_label(struct label *label, char *element_name, 1650 char *element_data, int *claimed) 1651 { 1652 1653 LABEL_CHECK(label, MAGIC_SOCKET); 1654 COUNTER_INC(socket_internalize_label); 1655 1656 return (0); 1657 } 1658 1659 COUNTER_DECL(socket_newconn); 1660 static void 1661 test_socket_newconn(struct socket *oldso, struct label *oldsolabel, 1662 struct socket *newso, struct label *newsolabel) 1663 { 1664 1665 LABEL_CHECK(oldsolabel, MAGIC_SOCKET); 1666 LABEL_CHECK(newsolabel, MAGIC_SOCKET); 1667 COUNTER_INC(socket_newconn); 1668 } 1669 1670 COUNTER_DECL(socket_relabel); 1671 static void 1672 test_socket_relabel(struct ucred *cred, struct socket *so, 1673 struct label *solabel, struct label *newlabel) 1674 { 1675 1676 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1677 LABEL_CHECK(solabel, MAGIC_SOCKET); 1678 LABEL_CHECK(newlabel, MAGIC_SOCKET); 1679 COUNTER_INC(socket_relabel); 1680 } 1681 1682 COUNTER_DECL(socketpeer_destroy_label); 1683 static void 1684 test_socketpeer_destroy_label(struct label *label) 1685 { 1686 1687 LABEL_DESTROY(label, MAGIC_SOCKET); 1688 COUNTER_INC(socketpeer_destroy_label); 1689 } 1690 1691 COUNTER_DECL(socketpeer_externalize_label); 1692 static int 1693 test_socketpeer_externalize_label(struct label *label, char *element_name, 1694 struct sbuf *sb, int *claimed) 1695 { 1696 1697 LABEL_CHECK(label, MAGIC_SOCKET); 1698 COUNTER_INC(socketpeer_externalize_label); 1699 1700 return (0); 1701 } 1702 1703 COUNTER_DECL(socketpeer_init_label); 1704 static int 1705 test_socketpeer_init_label(struct label *label, int flag) 1706 { 1707 1708 if (flag & M_WAITOK) 1709 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 1710 "test_socketpeer_init_label() at %s:%d", __FILE__, 1711 __LINE__); 1712 1713 LABEL_INIT(label, MAGIC_SOCKET); 1714 COUNTER_INC(socketpeer_init_label); 1715 return (0); 1716 } 1717 1718 COUNTER_DECL(socketpeer_set_from_mbuf); 1719 static void 1720 test_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, 1721 struct socket *socket, struct label *socketpeerlabel) 1722 { 1723 1724 LABEL_CHECK(mlabel, MAGIC_MBUF); 1725 LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET); 1726 COUNTER_INC(socketpeer_set_from_mbuf); 1727 } 1728 1729 COUNTER_DECL(socketpeer_set_from_socket); 1730 static void 1731 test_socketpeer_set_from_socket(struct socket *oldso, 1732 struct label *oldsolabel, struct socket *newso, 1733 struct label *newsopeerlabel) 1734 { 1735 1736 LABEL_CHECK(oldsolabel, MAGIC_SOCKET); 1737 LABEL_CHECK(newsopeerlabel, MAGIC_SOCKET); 1738 COUNTER_INC(socketpeer_set_from_socket); 1739 } 1740 1741 COUNTER_DECL(syncache_create); 1742 static void 1743 test_syncache_create(struct label *label, struct inpcb *inp) 1744 { 1745 1746 LABEL_CHECK(label, MAGIC_SYNCACHE); 1747 COUNTER_INC(syncache_create); 1748 } 1749 1750 COUNTER_DECL(syncache_create_mbuf); 1751 static void 1752 test_syncache_create_mbuf(struct label *sc_label, struct mbuf *m, 1753 struct label *mlabel) 1754 { 1755 1756 LABEL_CHECK(sc_label, MAGIC_SYNCACHE); 1757 LABEL_CHECK(mlabel, MAGIC_MBUF); 1758 COUNTER_INC(syncache_create_mbuf); 1759 } 1760 1761 COUNTER_DECL(syncache_destroy_label); 1762 static void 1763 test_syncache_destroy_label(struct label *label) 1764 { 1765 1766 LABEL_DESTROY(label, MAGIC_SYNCACHE); 1767 COUNTER_INC(syncache_destroy_label); 1768 } 1769 1770 COUNTER_DECL(syncache_init_label); 1771 static int 1772 test_syncache_init_label(struct label *label, int flag) 1773 { 1774 1775 if (flag & M_WAITOK) 1776 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 1777 "test_syncache_init_label() at %s:%d", __FILE__, 1778 __LINE__); 1779 LABEL_INIT(label, MAGIC_SYNCACHE); 1780 COUNTER_INC(syncache_init_label); 1781 return (0); 1782 } 1783 1784 COUNTER_DECL(system_check_acct); 1785 static int 1786 test_system_check_acct(struct ucred *cred, struct vnode *vp, 1787 struct label *vplabel) 1788 { 1789 1790 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1791 LABEL_CHECK(vplabel, MAGIC_VNODE); 1792 COUNTER_INC(system_check_acct); 1793 1794 return (0); 1795 } 1796 1797 COUNTER_DECL(system_check_audit); 1798 static int 1799 test_system_check_audit(struct ucred *cred, void *record, int length) 1800 { 1801 1802 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1803 COUNTER_INC(system_check_audit); 1804 1805 return (0); 1806 } 1807 1808 COUNTER_DECL(system_check_auditctl); 1809 static int 1810 test_system_check_auditctl(struct ucred *cred, struct vnode *vp, 1811 struct label *vplabel) 1812 { 1813 1814 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1815 LABEL_CHECK(vplabel, MAGIC_VNODE); 1816 COUNTER_INC(system_check_auditctl); 1817 1818 return (0); 1819 } 1820 1821 COUNTER_DECL(system_check_auditon); 1822 static int 1823 test_system_check_auditon(struct ucred *cred, int cmd) 1824 { 1825 1826 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1827 COUNTER_INC(system_check_auditon); 1828 1829 return (0); 1830 } 1831 1832 COUNTER_DECL(system_check_reboot); 1833 static int 1834 test_system_check_reboot(struct ucred *cred, int how) 1835 { 1836 1837 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1838 COUNTER_INC(system_check_reboot); 1839 1840 return (0); 1841 } 1842 1843 COUNTER_DECL(system_check_swapoff); 1844 static int 1845 test_system_check_swapoff(struct ucred *cred, struct vnode *vp, 1846 struct label *vplabel) 1847 { 1848 1849 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1850 LABEL_CHECK(vplabel, MAGIC_VNODE); 1851 COUNTER_INC(system_check_swapoff); 1852 1853 return (0); 1854 } 1855 1856 COUNTER_DECL(system_check_swapon); 1857 static int 1858 test_system_check_swapon(struct ucred *cred, struct vnode *vp, 1859 struct label *vplabel) 1860 { 1861 1862 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1863 LABEL_CHECK(vplabel, MAGIC_VNODE); 1864 COUNTER_INC(system_check_swapon); 1865 1866 return (0); 1867 } 1868 1869 COUNTER_DECL(system_check_sysctl); 1870 static int 1871 test_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, 1872 void *arg1, int arg2, struct sysctl_req *req) 1873 { 1874 1875 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1876 COUNTER_INC(system_check_sysctl); 1877 1878 return (0); 1879 } 1880 1881 COUNTER_DECL(sysvmsg_cleanup); 1882 static void 1883 test_sysvmsg_cleanup(struct label *msglabel) 1884 { 1885 1886 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1887 COUNTER_INC(sysvmsg_cleanup); 1888 } 1889 1890 COUNTER_DECL(sysvmsg_create); 1891 static void 1892 test_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, 1893 struct label *msqlabel, struct msg *msgptr, struct label *msglabel) 1894 { 1895 1896 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1897 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 1898 COUNTER_INC(sysvmsg_create); 1899 } 1900 1901 COUNTER_DECL(sysvmsg_destroy_label); 1902 static void 1903 test_sysvmsg_destroy_label(struct label *label) 1904 { 1905 1906 LABEL_DESTROY(label, MAGIC_SYSV_MSG); 1907 COUNTER_INC(sysvmsg_destroy_label); 1908 } 1909 1910 COUNTER_DECL(sysvmsg_init_label); 1911 static void 1912 test_sysvmsg_init_label(struct label *label) 1913 { 1914 LABEL_INIT(label, MAGIC_SYSV_MSG); 1915 COUNTER_INC(sysvmsg_init_label); 1916 } 1917 1918 COUNTER_DECL(sysvmsq_check_msgmsq); 1919 static int 1920 test_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr, 1921 struct label *msglabel, struct msqid_kernel *msqkptr, 1922 struct label *msqklabel) 1923 { 1924 1925 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1926 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1927 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1928 COUNTER_INC(sysvmsq_check_msgmsq); 1929 1930 return (0); 1931 } 1932 1933 COUNTER_DECL(sysvmsq_check_msgrcv); 1934 static int 1935 test_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, 1936 struct label *msglabel) 1937 { 1938 1939 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1940 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1941 COUNTER_INC(sysvmsq_check_msgrcv); 1942 1943 return (0); 1944 } 1945 1946 COUNTER_DECL(sysvmsq_check_msgrmid); 1947 static int 1948 test_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr, 1949 struct label *msglabel) 1950 { 1951 1952 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1953 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1954 COUNTER_INC(sysvmsq_check_msgrmid); 1955 1956 return (0); 1957 } 1958 1959 COUNTER_DECL(sysvmsq_check_msqget); 1960 static int 1961 test_sysvmsq_check_msqget(struct ucred *cred, 1962 struct msqid_kernel *msqkptr, struct label *msqklabel) 1963 { 1964 1965 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1966 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1967 COUNTER_INC(sysvmsq_check_msqget); 1968 1969 return (0); 1970 } 1971 1972 COUNTER_DECL(sysvmsq_check_msqsnd); 1973 static int 1974 test_sysvmsq_check_msqsnd(struct ucred *cred, 1975 struct msqid_kernel *msqkptr, struct label *msqklabel) 1976 { 1977 1978 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1979 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1980 COUNTER_INC(sysvmsq_check_msqsnd); 1981 1982 return (0); 1983 } 1984 1985 COUNTER_DECL(sysvmsq_check_msqrcv); 1986 static int 1987 test_sysvmsq_check_msqrcv(struct ucred *cred, 1988 struct msqid_kernel *msqkptr, struct label *msqklabel) 1989 { 1990 1991 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1992 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1993 COUNTER_INC(sysvmsq_check_msqrcv); 1994 1995 return (0); 1996 } 1997 1998 COUNTER_DECL(sysvmsq_check_msqctl); 1999 static int 2000 test_sysvmsq_check_msqctl(struct ucred *cred, 2001 struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd) 2002 { 2003 2004 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 2005 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2006 COUNTER_INC(sysvmsq_check_msqctl); 2007 2008 return (0); 2009 } 2010 2011 COUNTER_DECL(sysvmsq_cleanup); 2012 static void 2013 test_sysvmsq_cleanup(struct label *msqlabel) 2014 { 2015 2016 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 2017 COUNTER_INC(sysvmsq_cleanup); 2018 } 2019 2020 COUNTER_DECL(sysvmsq_create); 2021 static void 2022 test_sysvmsq_create(struct ucred *cred, 2023 struct msqid_kernel *msqkptr, struct label *msqlabel) 2024 { 2025 2026 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 2027 COUNTER_INC(sysvmsq_create); 2028 } 2029 2030 COUNTER_DECL(sysvmsq_destroy_label); 2031 static void 2032 test_sysvmsq_destroy_label(struct label *label) 2033 { 2034 2035 LABEL_DESTROY(label, MAGIC_SYSV_MSQ); 2036 COUNTER_INC(sysvmsq_destroy_label); 2037 } 2038 2039 COUNTER_DECL(sysvmsq_init_label); 2040 static void 2041 test_sysvmsq_init_label(struct label *label) 2042 { 2043 LABEL_INIT(label, MAGIC_SYSV_MSQ); 2044 COUNTER_INC(sysvmsq_init_label); 2045 } 2046 2047 COUNTER_DECL(sysvsem_check_semctl); 2048 static int 2049 test_sysvsem_check_semctl(struct ucred *cred, 2050 struct semid_kernel *semakptr, struct label *semaklabel, int cmd) 2051 { 2052 2053 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2054 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 2055 COUNTER_INC(sysvsem_check_semctl); 2056 2057 return (0); 2058 } 2059 2060 COUNTER_DECL(sysvsem_check_semget); 2061 static int 2062 test_sysvsem_check_semget(struct ucred *cred, 2063 struct semid_kernel *semakptr, struct label *semaklabel) 2064 { 2065 2066 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2067 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 2068 COUNTER_INC(sysvsem_check_semget); 2069 2070 return (0); 2071 } 2072 2073 COUNTER_DECL(sysvsem_check_semop); 2074 static int 2075 test_sysvsem_check_semop(struct ucred *cred, 2076 struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype) 2077 { 2078 2079 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2080 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 2081 COUNTER_INC(sysvsem_check_semop); 2082 2083 return (0); 2084 } 2085 2086 COUNTER_DECL(sysvsem_cleanup); 2087 static void 2088 test_sysvsem_cleanup(struct label *semalabel) 2089 { 2090 2091 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); 2092 COUNTER_INC(sysvsem_cleanup); 2093 } 2094 2095 COUNTER_DECL(sysvsem_create); 2096 static void 2097 test_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr, 2098 struct label *semalabel) 2099 { 2100 2101 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); 2102 COUNTER_INC(sysvsem_create); 2103 } 2104 2105 COUNTER_DECL(sysvsem_destroy_label); 2106 static void 2107 test_sysvsem_destroy_label(struct label *label) 2108 { 2109 2110 LABEL_DESTROY(label, MAGIC_SYSV_SEM); 2111 COUNTER_INC(sysvsem_destroy_label); 2112 } 2113 2114 COUNTER_DECL(sysvsem_init_label); 2115 static void 2116 test_sysvsem_init_label(struct label *label) 2117 { 2118 LABEL_INIT(label, MAGIC_SYSV_SEM); 2119 COUNTER_INC(sysvsem_init_label); 2120 } 2121 2122 COUNTER_DECL(sysvshm_check_shmat); 2123 static int 2124 test_sysvshm_check_shmat(struct ucred *cred, 2125 struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg) 2126 { 2127 2128 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2129 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 2130 COUNTER_INC(sysvshm_check_shmat); 2131 2132 return (0); 2133 } 2134 2135 COUNTER_DECL(sysvshm_check_shmctl); 2136 static int 2137 test_sysvshm_check_shmctl(struct ucred *cred, 2138 struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd) 2139 { 2140 2141 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2142 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 2143 COUNTER_INC(sysvshm_check_shmctl); 2144 2145 return (0); 2146 } 2147 2148 COUNTER_DECL(sysvshm_check_shmdt); 2149 static int 2150 test_sysvshm_check_shmdt(struct ucred *cred, 2151 struct shmid_kernel *shmsegptr, struct label *shmseglabel) 2152 { 2153 2154 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2155 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 2156 COUNTER_INC(sysvshm_check_shmdt); 2157 2158 return (0); 2159 } 2160 2161 COUNTER_DECL(sysvshm_check_shmget); 2162 static int 2163 test_sysvshm_check_shmget(struct ucred *cred, 2164 struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg) 2165 { 2166 2167 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2168 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 2169 COUNTER_INC(sysvshm_check_shmget); 2170 2171 return (0); 2172 } 2173 2174 COUNTER_DECL(sysvshm_cleanup); 2175 static void 2176 test_sysvshm_cleanup(struct label *shmlabel) 2177 { 2178 2179 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); 2180 COUNTER_INC(sysvshm_cleanup); 2181 } 2182 2183 COUNTER_DECL(sysvshm_create); 2184 static void 2185 test_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr, 2186 struct label *shmlabel) 2187 { 2188 2189 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); 2190 COUNTER_INC(sysvshm_create); 2191 } 2192 2193 COUNTER_DECL(sysvshm_destroy_label); 2194 static void 2195 test_sysvshm_destroy_label(struct label *label) 2196 { 2197 2198 LABEL_DESTROY(label, MAGIC_SYSV_SHM); 2199 COUNTER_INC(sysvshm_destroy_label); 2200 } 2201 2202 COUNTER_DECL(sysvshm_init_label); 2203 static void 2204 test_sysvshm_init_label(struct label *label) 2205 { 2206 LABEL_INIT(label, MAGIC_SYSV_SHM); 2207 COUNTER_INC(sysvshm_init_label); 2208 } 2209 2210 COUNTER_DECL(thread_userret); 2211 static void 2212 test_thread_userret(struct thread *td) 2213 { 2214 2215 COUNTER_INC(thread_userret); 2216 } 2217 2218 COUNTER_DECL(vnode_associate_extattr); 2219 static int 2220 test_vnode_associate_extattr(struct mount *mp, struct label *mplabel, 2221 struct vnode *vp, struct label *vplabel) 2222 { 2223 2224 LABEL_CHECK(mplabel, MAGIC_MOUNT); 2225 LABEL_CHECK(vplabel, MAGIC_VNODE); 2226 COUNTER_INC(vnode_associate_extattr); 2227 2228 return (0); 2229 } 2230 2231 COUNTER_DECL(vnode_associate_singlelabel); 2232 static void 2233 test_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel, 2234 struct vnode *vp, struct label *vplabel) 2235 { 2236 2237 LABEL_CHECK(mplabel, MAGIC_MOUNT); 2238 LABEL_CHECK(vplabel, MAGIC_VNODE); 2239 COUNTER_INC(vnode_associate_singlelabel); 2240 } 2241 2242 COUNTER_DECL(vnode_check_access); 2243 static int 2244 test_vnode_check_access(struct ucred *cred, struct vnode *vp, 2245 struct label *vplabel, int acc_mode) 2246 { 2247 2248 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2249 LABEL_CHECK(vplabel, MAGIC_VNODE); 2250 COUNTER_INC(vnode_check_access); 2251 2252 return (0); 2253 } 2254 2255 COUNTER_DECL(vnode_check_chdir); 2256 static int 2257 test_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, 2258 struct label *dvplabel) 2259 { 2260 2261 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2262 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2263 COUNTER_INC(vnode_check_chdir); 2264 2265 return (0); 2266 } 2267 2268 COUNTER_DECL(vnode_check_chroot); 2269 static int 2270 test_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, 2271 struct label *dvplabel) 2272 { 2273 2274 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2275 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2276 COUNTER_INC(vnode_check_chroot); 2277 2278 return (0); 2279 } 2280 2281 COUNTER_DECL(vnode_check_create); 2282 static int 2283 test_vnode_check_create(struct ucred *cred, struct vnode *dvp, 2284 struct label *dvplabel, struct componentname *cnp, struct vattr *vap) 2285 { 2286 2287 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2288 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2289 COUNTER_INC(vnode_check_create); 2290 2291 return (0); 2292 } 2293 2294 COUNTER_DECL(vnode_check_deleteacl); 2295 static int 2296 test_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, 2297 struct label *vplabel, acl_type_t type) 2298 { 2299 2300 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2301 LABEL_CHECK(vplabel, MAGIC_VNODE); 2302 COUNTER_INC(vnode_check_deleteacl); 2303 2304 return (0); 2305 } 2306 2307 COUNTER_DECL(vnode_check_deleteextattr); 2308 static int 2309 test_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, 2310 struct label *vplabel, int attrnamespace, const char *name) 2311 { 2312 2313 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2314 LABEL_CHECK(vplabel, MAGIC_VNODE); 2315 COUNTER_INC(vnode_check_deleteextattr); 2316 2317 return (0); 2318 } 2319 2320 COUNTER_DECL(vnode_check_exec); 2321 static int 2322 test_vnode_check_exec(struct ucred *cred, struct vnode *vp, 2323 struct label *vplabel, struct image_params *imgp, 2324 struct label *execlabel) 2325 { 2326 2327 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2328 LABEL_CHECK(vplabel, MAGIC_VNODE); 2329 LABEL_CHECK(execlabel, MAGIC_CRED); 2330 COUNTER_INC(vnode_check_exec); 2331 2332 return (0); 2333 } 2334 2335 COUNTER_DECL(vnode_check_getacl); 2336 static int 2337 test_vnode_check_getacl(struct ucred *cred, struct vnode *vp, 2338 struct label *vplabel, acl_type_t type) 2339 { 2340 2341 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2342 LABEL_CHECK(vplabel, MAGIC_VNODE); 2343 COUNTER_INC(vnode_check_getacl); 2344 2345 return (0); 2346 } 2347 2348 COUNTER_DECL(vnode_check_getextattr); 2349 static int 2350 test_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, 2351 struct label *vplabel, int attrnamespace, const char *name, 2352 struct uio *uio) 2353 { 2354 2355 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2356 LABEL_CHECK(vplabel, MAGIC_VNODE); 2357 COUNTER_INC(vnode_check_getextattr); 2358 2359 return (0); 2360 } 2361 2362 COUNTER_DECL(vnode_check_link); 2363 static int 2364 test_vnode_check_link(struct ucred *cred, struct vnode *dvp, 2365 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2366 struct componentname *cnp) 2367 { 2368 2369 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2370 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2371 LABEL_CHECK(vplabel, MAGIC_VNODE); 2372 COUNTER_INC(vnode_check_link); 2373 2374 return (0); 2375 } 2376 2377 COUNTER_DECL(vnode_check_listextattr); 2378 static int 2379 test_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, 2380 struct label *vplabel, int attrnamespace) 2381 { 2382 2383 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2384 LABEL_CHECK(vplabel, MAGIC_VNODE); 2385 COUNTER_INC(vnode_check_listextattr); 2386 2387 return (0); 2388 } 2389 2390 COUNTER_DECL(vnode_check_lookup); 2391 static int 2392 test_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, 2393 struct label *dvplabel, struct componentname *cnp) 2394 { 2395 2396 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2397 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2398 COUNTER_INC(vnode_check_lookup); 2399 2400 return (0); 2401 } 2402 2403 COUNTER_DECL(vnode_check_mmap); 2404 static int 2405 test_vnode_check_mmap(struct ucred *cred, struct vnode *vp, 2406 struct label *vplabel, int prot, int flags) 2407 { 2408 2409 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2410 LABEL_CHECK(vplabel, MAGIC_VNODE); 2411 COUNTER_INC(vnode_check_mmap); 2412 2413 return (0); 2414 } 2415 2416 COUNTER_DECL(vnode_check_open); 2417 static int 2418 test_vnode_check_open(struct ucred *cred, struct vnode *vp, 2419 struct label *vplabel, int acc_mode) 2420 { 2421 2422 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2423 LABEL_CHECK(vplabel, MAGIC_VNODE); 2424 COUNTER_INC(vnode_check_open); 2425 2426 return (0); 2427 } 2428 2429 COUNTER_DECL(vnode_check_poll); 2430 static int 2431 test_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, 2432 struct vnode *vp, struct label *vplabel) 2433 { 2434 2435 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2436 if (file_cred != NULL) 2437 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2438 LABEL_CHECK(vplabel, MAGIC_VNODE); 2439 COUNTER_INC(vnode_check_poll); 2440 2441 return (0); 2442 } 2443 2444 COUNTER_DECL(vnode_check_read); 2445 static int 2446 test_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, 2447 struct vnode *vp, struct label *vplabel) 2448 { 2449 2450 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2451 if (file_cred != NULL) 2452 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2453 LABEL_CHECK(vplabel, MAGIC_VNODE); 2454 COUNTER_INC(vnode_check_read); 2455 2456 return (0); 2457 } 2458 2459 COUNTER_DECL(vnode_check_readdir); 2460 static int 2461 test_vnode_check_readdir(struct ucred *cred, struct vnode *dvp, 2462 struct label *dvplabel) 2463 { 2464 2465 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2466 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2467 COUNTER_INC(vnode_check_readdir); 2468 2469 return (0); 2470 } 2471 2472 COUNTER_DECL(vnode_check_readlink); 2473 static int 2474 test_vnode_check_readlink(struct ucred *cred, struct vnode *vp, 2475 struct label *vplabel) 2476 { 2477 2478 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2479 LABEL_CHECK(vplabel, MAGIC_VNODE); 2480 COUNTER_INC(vnode_check_readlink); 2481 2482 return (0); 2483 } 2484 2485 COUNTER_DECL(vnode_check_relabel); 2486 static int 2487 test_vnode_check_relabel(struct ucred *cred, struct vnode *vp, 2488 struct label *vplabel, struct label *newlabel) 2489 { 2490 2491 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2492 LABEL_CHECK(vplabel, MAGIC_VNODE); 2493 LABEL_CHECK(newlabel, MAGIC_VNODE); 2494 COUNTER_INC(vnode_check_relabel); 2495 2496 return (0); 2497 } 2498 2499 COUNTER_DECL(vnode_check_rename_from); 2500 static int 2501 test_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, 2502 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2503 struct componentname *cnp) 2504 { 2505 2506 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2507 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2508 LABEL_CHECK(vplabel, MAGIC_VNODE); 2509 COUNTER_INC(vnode_check_rename_from); 2510 2511 return (0); 2512 } 2513 2514 COUNTER_DECL(vnode_check_rename_to); 2515 static int 2516 test_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, 2517 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2518 int samedir, struct componentname *cnp) 2519 { 2520 2521 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2522 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2523 LABEL_CHECK(vplabel, MAGIC_VNODE); 2524 COUNTER_INC(vnode_check_rename_to); 2525 2526 return (0); 2527 } 2528 2529 COUNTER_DECL(vnode_check_revoke); 2530 static int 2531 test_vnode_check_revoke(struct ucred *cred, struct vnode *vp, 2532 struct label *vplabel) 2533 { 2534 2535 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2536 LABEL_CHECK(vplabel, MAGIC_VNODE); 2537 COUNTER_INC(vnode_check_revoke); 2538 2539 return (0); 2540 } 2541 2542 COUNTER_DECL(vnode_check_setacl); 2543 static int 2544 test_vnode_check_setacl(struct ucred *cred, struct vnode *vp, 2545 struct label *vplabel, acl_type_t type, struct acl *acl) 2546 { 2547 2548 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2549 LABEL_CHECK(vplabel, MAGIC_VNODE); 2550 COUNTER_INC(vnode_check_setacl); 2551 2552 return (0); 2553 } 2554 2555 COUNTER_DECL(vnode_check_setextattr); 2556 static int 2557 test_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, 2558 struct label *vplabel, int attrnamespace, const char *name, 2559 struct uio *uio) 2560 { 2561 2562 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2563 LABEL_CHECK(vplabel, MAGIC_VNODE); 2564 COUNTER_INC(vnode_check_setextattr); 2565 2566 return (0); 2567 } 2568 2569 COUNTER_DECL(vnode_check_setflags); 2570 static int 2571 test_vnode_check_setflags(struct ucred *cred, struct vnode *vp, 2572 struct label *vplabel, u_long flags) 2573 { 2574 2575 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2576 LABEL_CHECK(vplabel, MAGIC_VNODE); 2577 COUNTER_INC(vnode_check_setflags); 2578 2579 return (0); 2580 } 2581 2582 COUNTER_DECL(vnode_check_setmode); 2583 static int 2584 test_vnode_check_setmode(struct ucred *cred, struct vnode *vp, 2585 struct label *vplabel, mode_t mode) 2586 { 2587 2588 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2589 LABEL_CHECK(vplabel, MAGIC_VNODE); 2590 COUNTER_INC(vnode_check_setmode); 2591 2592 return (0); 2593 } 2594 2595 COUNTER_DECL(vnode_check_setowner); 2596 static int 2597 test_vnode_check_setowner(struct ucred *cred, struct vnode *vp, 2598 struct label *vplabel, uid_t uid, gid_t gid) 2599 { 2600 2601 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2602 LABEL_CHECK(vplabel, MAGIC_VNODE); 2603 COUNTER_INC(vnode_check_setowner); 2604 2605 return (0); 2606 } 2607 2608 COUNTER_DECL(vnode_check_setutimes); 2609 static int 2610 test_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, 2611 struct label *vplabel, struct timespec atime, struct timespec mtime) 2612 { 2613 2614 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2615 LABEL_CHECK(vplabel, MAGIC_VNODE); 2616 COUNTER_INC(vnode_check_setutimes); 2617 2618 return (0); 2619 } 2620 2621 COUNTER_DECL(vnode_check_stat); 2622 static int 2623 test_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, 2624 struct vnode *vp, struct label *vplabel) 2625 { 2626 2627 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2628 if (file_cred != NULL) 2629 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2630 LABEL_CHECK(vplabel, MAGIC_VNODE); 2631 COUNTER_INC(vnode_check_stat); 2632 2633 return (0); 2634 } 2635 2636 COUNTER_DECL(vnode_check_unlink); 2637 static int 2638 test_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, 2639 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2640 struct componentname *cnp) 2641 { 2642 2643 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2644 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2645 LABEL_CHECK(vplabel, MAGIC_VNODE); 2646 COUNTER_INC(vnode_check_unlink); 2647 2648 return (0); 2649 } 2650 2651 COUNTER_DECL(vnode_check_write); 2652 static int 2653 test_vnode_check_write(struct ucred *active_cred, 2654 struct ucred *file_cred, struct vnode *vp, struct label *vplabel) 2655 { 2656 2657 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2658 if (file_cred != NULL) 2659 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2660 LABEL_CHECK(vplabel, MAGIC_VNODE); 2661 COUNTER_INC(vnode_check_write); 2662 2663 return (0); 2664 } 2665 2666 COUNTER_DECL(vnode_copy_label); 2667 static void 2668 test_vnode_copy_label(struct label *src, struct label *dest) 2669 { 2670 2671 LABEL_CHECK(src, MAGIC_VNODE); 2672 LABEL_CHECK(dest, MAGIC_VNODE); 2673 COUNTER_INC(vnode_copy_label); 2674 } 2675 2676 COUNTER_DECL(vnode_create_extattr); 2677 static int 2678 test_vnode_create_extattr(struct ucred *cred, struct mount *mp, 2679 struct label *mplabel, struct vnode *dvp, struct label *dvplabel, 2680 struct vnode *vp, struct label *vplabel, struct componentname *cnp) 2681 { 2682 2683 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2684 LABEL_CHECK(mplabel, MAGIC_MOUNT); 2685 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2686 COUNTER_INC(vnode_create_extattr); 2687 2688 return (0); 2689 } 2690 2691 COUNTER_DECL(vnode_destroy_label); 2692 static void 2693 test_vnode_destroy_label(struct label *label) 2694 { 2695 2696 LABEL_DESTROY(label, MAGIC_VNODE); 2697 COUNTER_INC(vnode_destroy_label); 2698 } 2699 2700 COUNTER_DECL(vnode_execve_transition); 2701 static void 2702 test_vnode_execve_transition(struct ucred *old, struct ucred *new, 2703 struct vnode *vp, struct label *filelabel, 2704 struct label *interpvplabel, struct image_params *imgp, 2705 struct label *execlabel) 2706 { 2707 2708 LABEL_CHECK(old->cr_label, MAGIC_CRED); 2709 LABEL_CHECK(new->cr_label, MAGIC_CRED); 2710 LABEL_CHECK(filelabel, MAGIC_VNODE); 2711 LABEL_CHECK(interpvplabel, MAGIC_VNODE); 2712 LABEL_CHECK(execlabel, MAGIC_CRED); 2713 COUNTER_INC(vnode_execve_transition); 2714 } 2715 2716 COUNTER_DECL(vnode_execve_will_transition); 2717 static int 2718 test_vnode_execve_will_transition(struct ucred *old, struct vnode *vp, 2719 struct label *filelabel, struct label *interpvplabel, 2720 struct image_params *imgp, struct label *execlabel) 2721 { 2722 2723 LABEL_CHECK(old->cr_label, MAGIC_CRED); 2724 LABEL_CHECK(filelabel, MAGIC_VNODE); 2725 LABEL_CHECK(interpvplabel, MAGIC_VNODE); 2726 LABEL_CHECK(execlabel, MAGIC_CRED); 2727 COUNTER_INC(vnode_execve_will_transition); 2728 2729 return (0); 2730 } 2731 2732 COUNTER_DECL(vnode_externalize_label); 2733 static int 2734 test_vnode_externalize_label(struct label *label, char *element_name, 2735 struct sbuf *sb, int *claimed) 2736 { 2737 2738 LABEL_CHECK(label, MAGIC_VNODE); 2739 COUNTER_INC(vnode_externalize_label); 2740 2741 return (0); 2742 } 2743 2744 COUNTER_DECL(vnode_init_label); 2745 static void 2746 test_vnode_init_label(struct label *label) 2747 { 2748 2749 LABEL_INIT(label, MAGIC_VNODE); 2750 COUNTER_INC(vnode_init_label); 2751 } 2752 2753 COUNTER_DECL(vnode_internalize_label); 2754 static int 2755 test_vnode_internalize_label(struct label *label, char *element_name, 2756 char *element_data, int *claimed) 2757 { 2758 2759 LABEL_CHECK(label, MAGIC_VNODE); 2760 COUNTER_INC(vnode_internalize_label); 2761 2762 return (0); 2763 } 2764 2765 COUNTER_DECL(vnode_relabel); 2766 static void 2767 test_vnode_relabel(struct ucred *cred, struct vnode *vp, 2768 struct label *vplabel, struct label *label) 2769 { 2770 2771 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2772 LABEL_CHECK(vplabel, MAGIC_VNODE); 2773 LABEL_CHECK(label, MAGIC_VNODE); 2774 COUNTER_INC(vnode_relabel); 2775 } 2776 2777 COUNTER_DECL(vnode_setlabel_extattr); 2778 static int 2779 test_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, 2780 struct label *vplabel, struct label *intlabel) 2781 { 2782 2783 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2784 LABEL_CHECK(vplabel, MAGIC_VNODE); 2785 LABEL_CHECK(intlabel, MAGIC_VNODE); 2786 COUNTER_INC(vnode_setlabel_extattr); 2787 2788 return (0); 2789 } 2790 2791 static struct mac_policy_ops test_ops = 2792 { 2793 .mpo_bpfdesc_check_receive = test_bpfdesc_check_receive, 2794 .mpo_bpfdesc_create = test_bpfdesc_create, 2795 .mpo_bpfdesc_create_mbuf = test_bpfdesc_create_mbuf, 2796 .mpo_bpfdesc_destroy_label = test_bpfdesc_destroy_label, 2797 .mpo_bpfdesc_init_label = test_bpfdesc_init_label, 2798 2799 .mpo_cred_check_relabel = test_cred_check_relabel, 2800 .mpo_cred_check_visible = test_cred_check_visible, 2801 .mpo_cred_copy_label = test_cred_copy_label, 2802 .mpo_cred_destroy_label = test_cred_destroy_label, 2803 .mpo_cred_externalize_label = test_cred_externalize_label, 2804 .mpo_cred_init_label = test_cred_init_label, 2805 .mpo_cred_internalize_label = test_cred_internalize_label, 2806 .mpo_cred_relabel = test_cred_relabel, 2807 2808 .mpo_devfs_create_device = test_devfs_create_device, 2809 .mpo_devfs_create_directory = test_devfs_create_directory, 2810 .mpo_devfs_create_symlink = test_devfs_create_symlink, 2811 .mpo_devfs_destroy_label = test_devfs_destroy_label, 2812 .mpo_devfs_init_label = test_devfs_init_label, 2813 .mpo_devfs_update = test_devfs_update, 2814 .mpo_devfs_vnode_associate = test_devfs_vnode_associate, 2815 2816 .mpo_ifnet_check_relabel = test_ifnet_check_relabel, 2817 .mpo_ifnet_check_transmit = test_ifnet_check_transmit, 2818 .mpo_ifnet_copy_label = test_ifnet_copy_label, 2819 .mpo_ifnet_create = test_ifnet_create, 2820 .mpo_ifnet_create_mbuf = test_ifnet_create_mbuf, 2821 .mpo_ifnet_destroy_label = test_ifnet_destroy_label, 2822 .mpo_ifnet_externalize_label = test_ifnet_externalize_label, 2823 .mpo_ifnet_init_label = test_ifnet_init_label, 2824 .mpo_ifnet_internalize_label = test_ifnet_internalize_label, 2825 .mpo_ifnet_relabel = test_ifnet_relabel, 2826 2827 .mpo_syncache_destroy_label = test_syncache_destroy_label, 2828 .mpo_syncache_init_label = test_syncache_init_label, 2829 2830 .mpo_sysvmsg_destroy_label = test_sysvmsg_destroy_label, 2831 .mpo_sysvmsg_init_label = test_sysvmsg_init_label, 2832 2833 .mpo_sysvmsq_destroy_label = test_sysvmsq_destroy_label, 2834 .mpo_sysvmsq_init_label = test_sysvmsq_init_label, 2835 2836 .mpo_sysvsem_destroy_label = test_sysvsem_destroy_label, 2837 .mpo_sysvsem_init_label = test_sysvsem_init_label, 2838 2839 .mpo_sysvshm_destroy_label = test_sysvshm_destroy_label, 2840 .mpo_sysvshm_init_label = test_sysvshm_init_label, 2841 2842 .mpo_inpcb_check_deliver = test_inpcb_check_deliver, 2843 .mpo_inpcb_create = test_inpcb_create, 2844 .mpo_inpcb_create_mbuf = test_inpcb_create_mbuf, 2845 .mpo_inpcb_destroy_label = test_inpcb_destroy_label, 2846 .mpo_inpcb_init_label = test_inpcb_init_label, 2847 .mpo_inpcb_sosetlabel = test_inpcb_sosetlabel, 2848 2849 .mpo_ipq_create = test_ipq_create, 2850 .mpo_ipq_destroy_label = test_ipq_destroy_label, 2851 .mpo_ipq_init_label = test_ipq_init_label, 2852 .mpo_ipq_match = test_ipq_match, 2853 .mpo_ipq_reassemble = test_ipq_reassemble, 2854 .mpo_ipq_update = test_ipq_update, 2855 2856 .mpo_kenv_check_dump = test_kenv_check_dump, 2857 .mpo_kenv_check_get = test_kenv_check_get, 2858 .mpo_kenv_check_set = test_kenv_check_set, 2859 .mpo_kenv_check_unset = test_kenv_check_unset, 2860 2861 .mpo_kld_check_load = test_kld_check_load, 2862 .mpo_kld_check_stat = test_kld_check_stat, 2863 2864 .mpo_mbuf_copy_label = test_mbuf_copy_label, 2865 .mpo_mbuf_destroy_label = test_mbuf_destroy_label, 2866 .mpo_mbuf_init_label = test_mbuf_init_label, 2867 2868 .mpo_mount_check_stat = test_mount_check_stat, 2869 .mpo_mount_create = test_mount_create, 2870 .mpo_mount_destroy_label = test_mount_destroy_label, 2871 .mpo_mount_init_label = test_mount_init_label, 2872 2873 .mpo_netatalk_aarp_send = test_netatalk_aarp_send, 2874 2875 .mpo_netinet_arp_send = test_netinet_arp_send, 2876 .mpo_netinet_fragment = test_netinet_fragment, 2877 .mpo_netinet_icmp_reply = test_netinet_icmp_reply, 2878 .mpo_netinet_icmp_replyinplace = test_netinet_icmp_replyinplace, 2879 .mpo_netinet_igmp_send = test_netinet_igmp_send, 2880 .mpo_netinet_tcp_reply = test_netinet_tcp_reply, 2881 2882 .mpo_netinet6_nd6_send = test_netinet6_nd6_send, 2883 2884 .mpo_pipe_check_ioctl = test_pipe_check_ioctl, 2885 .mpo_pipe_check_poll = test_pipe_check_poll, 2886 .mpo_pipe_check_read = test_pipe_check_read, 2887 .mpo_pipe_check_relabel = test_pipe_check_relabel, 2888 .mpo_pipe_check_stat = test_pipe_check_stat, 2889 .mpo_pipe_check_write = test_pipe_check_write, 2890 .mpo_pipe_copy_label = test_pipe_copy_label, 2891 .mpo_pipe_create = test_pipe_create, 2892 .mpo_pipe_destroy_label = test_pipe_destroy_label, 2893 .mpo_pipe_externalize_label = test_pipe_externalize_label, 2894 .mpo_pipe_init_label = test_pipe_init_label, 2895 .mpo_pipe_internalize_label = test_pipe_internalize_label, 2896 .mpo_pipe_relabel = test_pipe_relabel, 2897 2898 .mpo_posixsem_check_getvalue = test_posixsem_check_getvalue, 2899 .mpo_posixsem_check_open = test_posixsem_check_open, 2900 .mpo_posixsem_check_post = test_posixsem_check_post, 2901 .mpo_posixsem_check_stat = test_posixsem_check_stat, 2902 .mpo_posixsem_check_unlink = test_posixsem_check_unlink, 2903 .mpo_posixsem_check_wait = test_posixsem_check_wait, 2904 .mpo_posixsem_create = test_posixsem_create, 2905 .mpo_posixsem_destroy_label = test_posixsem_destroy_label, 2906 .mpo_posixsem_init_label = test_posixsem_init_label, 2907 2908 .mpo_posixshm_check_mmap = test_posixshm_check_mmap, 2909 .mpo_posixshm_check_open = test_posixshm_check_open, 2910 .mpo_posixshm_check_stat = test_posixshm_check_stat, 2911 .mpo_posixshm_check_truncate = test_posixshm_check_truncate, 2912 .mpo_posixshm_check_unlink = test_posixshm_check_unlink, 2913 .mpo_posixshm_create = test_posixshm_create, 2914 .mpo_posixshm_destroy_label = test_posixshm_destroy_label, 2915 .mpo_posixshm_init_label = test_posixshm_init_label, 2916 2917 .mpo_proc_check_debug = test_proc_check_debug, 2918 .mpo_proc_check_sched = test_proc_check_sched, 2919 .mpo_proc_check_setaudit = test_proc_check_setaudit, 2920 .mpo_proc_check_setaudit_addr = test_proc_check_setaudit_addr, 2921 .mpo_proc_check_setauid = test_proc_check_setauid, 2922 .mpo_proc_check_seteuid = test_proc_check_seteuid, 2923 .mpo_proc_check_setegid = test_proc_check_setegid, 2924 .mpo_proc_check_setgid = test_proc_check_setgid, 2925 .mpo_proc_check_setgroups = test_proc_check_setgroups, 2926 .mpo_proc_check_setregid = test_proc_check_setregid, 2927 .mpo_proc_check_setresgid = test_proc_check_setresgid, 2928 .mpo_proc_check_setresuid = test_proc_check_setresuid, 2929 .mpo_proc_check_setreuid = test_proc_check_setreuid, 2930 .mpo_proc_check_setuid = test_proc_check_setuid, 2931 .mpo_proc_check_signal = test_proc_check_signal, 2932 .mpo_proc_check_wait = test_proc_check_wait, 2933 .mpo_proc_create_init = test_proc_create_init, 2934 .mpo_proc_create_swapper = test_proc_create_swapper, 2935 .mpo_proc_destroy_label = test_proc_destroy_label, 2936 .mpo_proc_init_label = test_proc_init_label, 2937 2938 .mpo_socket_check_accept = test_socket_check_accept, 2939 .mpo_socket_check_bind = test_socket_check_bind, 2940 .mpo_socket_check_connect = test_socket_check_connect, 2941 .mpo_socket_check_deliver = test_socket_check_deliver, 2942 .mpo_socket_check_listen = test_socket_check_listen, 2943 .mpo_socket_check_poll = test_socket_check_poll, 2944 .mpo_socket_check_receive = test_socket_check_receive, 2945 .mpo_socket_check_relabel = test_socket_check_relabel, 2946 .mpo_socket_check_send = test_socket_check_send, 2947 .mpo_socket_check_stat = test_socket_check_stat, 2948 .mpo_socket_check_visible = test_socket_check_visible, 2949 .mpo_socket_copy_label = test_socket_copy_label, 2950 .mpo_socket_create = test_socket_create, 2951 .mpo_socket_create_mbuf = test_socket_create_mbuf, 2952 .mpo_socket_destroy_label = test_socket_destroy_label, 2953 .mpo_socket_externalize_label = test_socket_externalize_label, 2954 .mpo_socket_init_label = test_socket_init_label, 2955 .mpo_socket_internalize_label = test_socket_internalize_label, 2956 .mpo_socket_newconn = test_socket_newconn, 2957 .mpo_socket_relabel = test_socket_relabel, 2958 2959 .mpo_socketpeer_destroy_label = test_socketpeer_destroy_label, 2960 .mpo_socketpeer_externalize_label = test_socketpeer_externalize_label, 2961 .mpo_socketpeer_init_label = test_socketpeer_init_label, 2962 .mpo_socketpeer_set_from_mbuf = test_socketpeer_set_from_mbuf, 2963 .mpo_socketpeer_set_from_socket = test_socketpeer_set_from_socket, 2964 2965 .mpo_syncache_create = test_syncache_create, 2966 .mpo_syncache_create_mbuf = test_syncache_create_mbuf, 2967 2968 .mpo_system_check_acct = test_system_check_acct, 2969 .mpo_system_check_audit = test_system_check_audit, 2970 .mpo_system_check_auditctl = test_system_check_auditctl, 2971 .mpo_system_check_auditon = test_system_check_auditon, 2972 .mpo_system_check_reboot = test_system_check_reboot, 2973 .mpo_system_check_swapoff = test_system_check_swapoff, 2974 .mpo_system_check_swapon = test_system_check_swapon, 2975 .mpo_system_check_sysctl = test_system_check_sysctl, 2976 2977 .mpo_vnode_check_access = test_vnode_check_access, 2978 .mpo_sysvmsg_cleanup = test_sysvmsg_cleanup, 2979 .mpo_sysvmsg_create = test_sysvmsg_create, 2980 2981 .mpo_sysvmsq_check_msgmsq = test_sysvmsq_check_msgmsq, 2982 .mpo_sysvmsq_check_msgrcv = test_sysvmsq_check_msgrcv, 2983 .mpo_sysvmsq_check_msgrmid = test_sysvmsq_check_msgrmid, 2984 .mpo_sysvmsq_check_msqget = test_sysvmsq_check_msqget, 2985 .mpo_sysvmsq_check_msqsnd = test_sysvmsq_check_msqsnd, 2986 .mpo_sysvmsq_check_msqrcv = test_sysvmsq_check_msqrcv, 2987 .mpo_sysvmsq_check_msqctl = test_sysvmsq_check_msqctl, 2988 .mpo_sysvmsq_cleanup = test_sysvmsq_cleanup, 2989 .mpo_sysvmsq_create = test_sysvmsq_create, 2990 2991 .mpo_sysvsem_check_semctl = test_sysvsem_check_semctl, 2992 .mpo_sysvsem_check_semget = test_sysvsem_check_semget, 2993 .mpo_sysvsem_check_semop = test_sysvsem_check_semop, 2994 .mpo_sysvsem_cleanup = test_sysvsem_cleanup, 2995 .mpo_sysvsem_create = test_sysvsem_create, 2996 2997 .mpo_sysvshm_check_shmat = test_sysvshm_check_shmat, 2998 .mpo_sysvshm_check_shmctl = test_sysvshm_check_shmctl, 2999 .mpo_sysvshm_check_shmdt = test_sysvshm_check_shmdt, 3000 .mpo_sysvshm_check_shmget = test_sysvshm_check_shmget, 3001 .mpo_sysvshm_cleanup = test_sysvshm_cleanup, 3002 .mpo_sysvshm_create = test_sysvshm_create, 3003 3004 .mpo_thread_userret = test_thread_userret, 3005 3006 .mpo_vnode_associate_extattr = test_vnode_associate_extattr, 3007 .mpo_vnode_associate_singlelabel = test_vnode_associate_singlelabel, 3008 .mpo_vnode_check_chdir = test_vnode_check_chdir, 3009 .mpo_vnode_check_chroot = test_vnode_check_chroot, 3010 .mpo_vnode_check_create = test_vnode_check_create, 3011 .mpo_vnode_check_deleteacl = test_vnode_check_deleteacl, 3012 .mpo_vnode_check_deleteextattr = test_vnode_check_deleteextattr, 3013 .mpo_vnode_check_exec = test_vnode_check_exec, 3014 .mpo_vnode_check_getacl = test_vnode_check_getacl, 3015 .mpo_vnode_check_getextattr = test_vnode_check_getextattr, 3016 .mpo_vnode_check_link = test_vnode_check_link, 3017 .mpo_vnode_check_listextattr = test_vnode_check_listextattr, 3018 .mpo_vnode_check_lookup = test_vnode_check_lookup, 3019 .mpo_vnode_check_mmap = test_vnode_check_mmap, 3020 .mpo_vnode_check_open = test_vnode_check_open, 3021 .mpo_vnode_check_poll = test_vnode_check_poll, 3022 .mpo_vnode_check_read = test_vnode_check_read, 3023 .mpo_vnode_check_readdir = test_vnode_check_readdir, 3024 .mpo_vnode_check_readlink = test_vnode_check_readlink, 3025 .mpo_vnode_check_relabel = test_vnode_check_relabel, 3026 .mpo_vnode_check_rename_from = test_vnode_check_rename_from, 3027 .mpo_vnode_check_rename_to = test_vnode_check_rename_to, 3028 .mpo_vnode_check_revoke = test_vnode_check_revoke, 3029 .mpo_vnode_check_setacl = test_vnode_check_setacl, 3030 .mpo_vnode_check_setextattr = test_vnode_check_setextattr, 3031 .mpo_vnode_check_setflags = test_vnode_check_setflags, 3032 .mpo_vnode_check_setmode = test_vnode_check_setmode, 3033 .mpo_vnode_check_setowner = test_vnode_check_setowner, 3034 .mpo_vnode_check_setutimes = test_vnode_check_setutimes, 3035 .mpo_vnode_check_stat = test_vnode_check_stat, 3036 .mpo_vnode_check_unlink = test_vnode_check_unlink, 3037 .mpo_vnode_check_write = test_vnode_check_write, 3038 .mpo_vnode_copy_label = test_vnode_copy_label, 3039 .mpo_vnode_create_extattr = test_vnode_create_extattr, 3040 .mpo_vnode_destroy_label = test_vnode_destroy_label, 3041 .mpo_vnode_execve_transition = test_vnode_execve_transition, 3042 .mpo_vnode_execve_will_transition = test_vnode_execve_will_transition, 3043 .mpo_vnode_externalize_label = test_vnode_externalize_label, 3044 .mpo_vnode_init_label = test_vnode_init_label, 3045 .mpo_vnode_internalize_label = test_vnode_internalize_label, 3046 .mpo_vnode_relabel = test_vnode_relabel, 3047 .mpo_vnode_setlabel_extattr = test_vnode_setlabel_extattr, 3048 }; 3049 3050 #define TEST_OBJECTS (MPC_OBJECT_CRED | \ 3051 MPC_OBJECT_PROC | \ 3052 MPC_OBJECT_VNODE | \ 3053 MPC_OBJECT_INPCB | \ 3054 MPC_OBJECT_SOCKET | \ 3055 MPC_OBJECT_DEVFS | \ 3056 MPC_OBJECT_MBUF | \ 3057 MPC_OBJECT_IPQ | \ 3058 MPC_OBJECT_IFNET | \ 3059 MPC_OBJECT_BPFDESC | \ 3060 MPC_OBJECT_PIPE | \ 3061 MPC_OBJECT_MOUNT | \ 3062 MPC_OBJECT_POSIXSEM | \ 3063 MPC_OBJECT_POSIXSHM | \ 3064 MPC_OBJECT_SYSVMSG | \ 3065 MPC_OBJECT_SYSVMSQ | \ 3066 MPC_OBJECT_SYSVSEM | \ 3067 MPC_OBJECT_SYSVSHM | \ 3068 MPC_OBJECT_SYNCACHE) 3069 3070 MAC_POLICY_SET(&test_ops, mac_test, "TrustedBSD MAC/Test", 3071 MPC_LOADTIME_FLAG_UNLOADOK, &test_slot, TEST_OBJECTS); 3072