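/*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */

/*
 * Developed by the TrustedBSD Project.
 * Generic mandatory access module that does nothing.
 *
 * "Does nothing" refers to enforcement: the access control checks in this
 * file return 0.  What the module does do is stamp every label it
 * initialises with a per-object-type magic number and assert, in each entry
 * point, that the labels handed in by the framework carry the magic that
 * matches their declared object type.  It is a self-test of label
 * life-cycle handling, not a protection mechanism.
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * Writable knob described as "Enforce test policy".
 * NOTE(review): none of the entry points visible in this part of the file
 * reads mac_test_enabled, so changing it has no visible effect on the label
 * assertions here -- confirm against the rest of the file before relying on
 * it to switch the checks off or on.
 */
static int	mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");

/*
 * One magic value per labelled object type.  The init routines store the
 * value in the policy's label slot and the ASSERT_*_LABEL() macros compare
 * against it, so a label of one type passed where another is expected is
 * caught.  The init routines use MOUNTMAGIC for both the mount label and
 * the mount fs label, and SOCKETMAGIC for both the socket label and the
 * socket peer label, so those pairs cannot be told apart by these checks.
 *
 * EXMAGIC is the poison value written by the destroy routines; finding it
 * again at destroy time is reported as a duplicate destroy.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	INPCBMAGIC	0x4440f7bb
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	PIPEMAGIC	0xdc6c9919
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
#define	EXMAGIC		0x849ba1fd

/* The l_long member of this policy's slot (test_slot) in label x. */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long

/*
 * Type checks for labels.  Each macro accepts the type's magic or 0 (a slot
 * the policy never initialised); any other value, EXMAGIC included, trips
 * the KASSERT.  Because 0 is accepted, a label that skipped initialisation
 * is not detected by these macros.
 *
 * NOTE(review): KASSERT is normally compiled out unless the kernel is built
 * with INVARIANTS, in which case none of these checks run -- confirm for
 * the kernel configuration under test.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
#define	ASSERT_IFNET_LABEL(x)	KASSERT(SLOT(x) == IFNETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IFNET label", __func__ ))
#define	ASSERT_INPCB_LABEL(x)	KASSERT(SLOT(x) == INPCBMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad INPCB label", __func__ ))
#define	ASSERT_IPQ_LABEL(x)	KASSERT(SLOT(x) == IPQMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IPQ label", __func__ ))
#define	ASSERT_MBUF_LABEL(x)	KASSERT(SLOT(x) == MBUFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad MBUF label", __func__ ))
#define	ASSERT_MOUNT_LABEL(x)	KASSERT(SLOT(x) == MOUNTMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ ))
#define	ASSERT_SOCKET_LABEL(x)	KASSERT(SLOT(x) == SOCKETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ ))
#define	ASSERT_PIPE_LABEL(x)	KASSERT(SLOT(x) == PIPEMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PIPE label", __func__ ))
#define	ASSERT_PROC_LABEL(x)	KASSERT(SLOT(x) == PROCMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PROC label", __func__ ))
#define	ASSERT_CRED_LABEL(x)	KASSERT(SLOT(x) == CREDMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad CRED label", __func__ ))
#define	ASSERT_VNODE_LABEL(x)	KASSERT(SLOT(x) == VNODEMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad VNODE label", __func__ ))

/* Label slot index used by SLOT(); exported read-only for inspection. */
static int	test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");

/*
 * Per-object-type counters of label init calls, exported read-only.  The
 * init routines bump them with atomic_add_int(); comparing them with the
 * destroy counters below gives a coarse view of label leaks.
 */
static int	init_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
    &init_count_bpfdesc, 0, "bpfdesc init calls");
static int	init_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
    &init_count_cred, 0, "cred init calls");
static int	init_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
    &init_count_devfsdirent, 0, "devfsdirent init calls");
static int	init_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
    &init_count_ifnet, 0, "ifnet init calls");
static int	init_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
    &init_count_inpcb, 0, "inpcb init calls");
static int	init_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
    &init_count_ipq, 0, "ipq init calls");
static int	init_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
    &init_count_mbuf, 0, "mbuf init calls");
static int	init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
    &init_count_mount, 0, "mount init calls");
static int	init_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
    &init_count_mount_fslabel, 0, "mount_fslabel init calls");
static int	init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
    &init_count_socket, 0, "socket init calls");
static int	init_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
    CTLFLAG_RD, &init_count_socket_peerlabel, 0,
    "socket_peerlabel init calls");
static int	init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
    &init_count_pipe, 0, "pipe init calls");
static int	init_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
    &init_count_proc, 0, "proc init calls");
static int	init_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
    &init_count_vnode, 0, "vnode init calls");

/*
 * Per-object-type counters of successful label destroy calls, exported
 * read-only.  The destroy routines only count a call when the label held
 * the expected magic (or 0).
 */
static int	destroy_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
    &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
static int	destroy_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
    &destroy_count_cred, 0, "cred destroy calls");
static int	destroy_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
    &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
static int	destroy_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
    &destroy_count_ifnet, 0, "ifnet destroy calls");
static int	destroy_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
    &destroy_count_inpcb, 0, "inpcb destroy calls");
static int	destroy_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
    &destroy_count_ipq, 0, "ipq destroy calls");
static int	destroy_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
    &destroy_count_mbuf, 0, "mbuf destroy calls");
static int	destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
    &destroy_count_mount, 0, "mount destroy calls");
static int	destroy_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
    CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
    "mount_fslabel destroy calls");
static int	destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
    &destroy_count_socket, 0, "socket destroy calls");
static int	destroy_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
    CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
    "socket_peerlabel destroy calls");
static int	destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
    &destroy_count_pipe, 0, "pipe destroy calls");
static int	destroy_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
    &destroy_count_proc, 0, "proc destroy calls");
static int	destroy_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
    &destroy_count_vnode, 0, "vnode destroy calls");

/* Counters of label externalize/internalize calls, exported read-only. */
static int	externalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
static int	internalize_count;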
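SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");

/*
 * Policy module operations.
 */

/* Policy teardown hook; intentionally empty. */
static void
mac_test_destroy(struct mac_policy_conf *conf)
{

}

/* Policy setup hook; intentionally empty. */
static void
mac_test_init(struct mac_policy_conf *conf)
{

}

/* Policy-specific system call hook; ignores its arguments and returns 0. */
static int
mac_test_syscall(struct thread *td, int call, void *arg)
{

	return (0);
}

/*
 * Label operations.
 *
 * Every init routine stamps the policy's slot in the label with the magic
 * for its object type and bumps the matching init counter atomically.  The
 * variants that take a malloc-style flag always return 0.  When that flag
 * contains M_WAITOK they first call WITNESS_WARN(); presumably this makes
 * WITNESS report callers that hold locks under which sleeping is not
 * allowed (Giant and sleepable locks exempted by the WARN_* flags) --
 * confirm against the WITNESS documentation.
 */
static void
mac_test_init_bpfdesc_label(struct label *label)
{

	SLOT(label) = BPFMAGIC;
	atomic_add_int(&init_count_bpfdesc, 1);
}

static void
mac_test_init_cred_label(struct label *label)
{

	SLOT(label) = CREDMAGIC;
	atomic_add_int(&init_count_cred, 1);
}

static void
mac_test_init_devfsdirent_label(struct label *label)
{

	SLOT(label) = DEVFSMAGIC;
	atomic_add_int(&init_count_devfsdirent, 1);
}

static void
mac_test_init_ifnet_label(struct label *label)
{

	SLOT(label) = IFNETMAGIC;
	atomic_add_int(&init_count_ifnet, 1);
}

static int
mac_test_init_inpcb_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_inpcb_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = INPCBMAGIC;
	atomic_add_int(&init_count_inpcb, 1);
	return (0);
}

static int
mac_test_init_ipq_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = IPQMAGIC;
	atomic_add_int(&init_count_ipq, 1);
	return (0);
}

static int
mac_test_init_mbuf_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = MBUFMAGIC;
	atomic_add_int(&init_count_mbuf, 1);
	return (0);
}

static void
mac_test_init_mount_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount, 1);
}

/* Shares MOUNTMAGIC with the mount label; only the counter differs. */
static void
mac_test_init_mount_fs_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount_fslabel, 1);
}

static int
mac_test_init_socket_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket, 1);
	return (0);
}

/* Shares SOCKETMAGIC with the socket label; only the counter differs. */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{

	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket_peerlabel, 1);
	return (0);
}

static void
mac_test_init_pipe_label(struct label *label)
{

	SLOT(label) = PIPEMAGIC;
	atomic_add_int(&init_count_pipe, 1);
}

static void
mac_test_init_proc_label(struct label *label)
{

	SLOT(label) = PROCMAGIC;
	atomic_add_int(&init_count_proc, 1);
}

static void
mac_test_init_vnode_label(struct label *label)
{

	SLOT(label) = VNODEMAGIC;
	atomic_add_int(&init_count_vnode, 1);
}

/*
 * Destroy routines.  Each one classifies the slot value three ways:
 *
 *  - expected magic, or 0 (never initialised by this policy): count the
 *    destroy and overwrite the slot with the EXMAGIC poison value;
 *  - EXMAGIC: the label was already destroyed, so break into the debugger
 *    with a "dup destroy" message (a double-destroy detector);
 *  - anything else: break into the debugger with "corrupted label".
 *
 * Unlike the ASSERT_*_LABEL() macros these checks are plain code, not
 * KASSERTs.  The slot test and the poison store are separate plain
 * accesses; only the counter update is atomic.
 * NOTE(review): presumably the framework destroys a given label from one
 * context only, otherwise two racing destroys could both pass the test --
 * confirm.
 */
static void
mac_test_destroy_bpfdesc_label(struct label *label)
{

	if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_bpfdesc, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_bpfdesc: dup destroy");
	} else {
		Debugger("mac_test_destroy_bpfdesc: corrupted label");
	}
}

static void
mac_test_destroy_cred_label(struct label *label)
{

	if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_cred, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_cred: dup destroy");
	} else {
		Debugger("mac_test_destroy_cred: corrupted label");
	}
}

static void
mac_test_destroy_devfsdirent_label(struct label *label)
{

	if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_devfsdirent, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_devfsdirent: dup destroy");
	} else {
		Debugger("mac_test_destroy_devfsdirent: corrupted label");
	}
}

static void
mac_test_destroy_ifnet_label(struct label *label)
{

	if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_ifnet, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_ifnet: dup destroy");
	} else {
		Debugger("mac_test_destroy_ifnet: corrupted label");
	}
}

static void
mac_test_destroy_inpcb_label(struct label *label)
{

	if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_inpcb, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_inpcb: dup destroy");
	} else {
		Debugger("mac_test_destroy_inpcb: corrupted label");
	}
}

static void
mac_test_destroy_ipq_label(struct label *label)
{

	if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_ipq, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_ipq: dup destroy");
	} else {
		Debugger("mac_test_destroy_ipq: corrupted label");
	}
}

/* The only destroy routine in this group that tolerates a NULL label. */
static void
mac_test_destroy_mbuf_label(struct label *label)
{

	/*
	 * If we're loaded dynamically, there may be mbufs in flight that
	 * didn't have label storage allocated for them.  Handle this
	 * gracefully.
	 */
	if (label == NULL)
		return;

	if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mbuf, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mbuf: dup destroy");
	} else {
		Debugger("mac_test_destroy_mbuf: corrupted label");
	}
}

static void
mac_test_destroy_mount_label(struct label *label)
{

	if (SLOT(label) == MOUNTMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mount, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mount: dup destroy");
	} else {
		Debugger("mac_test_destroy_mount: corrupted label");
	}
}

static void
mac_test_destroy_mount_fs_label(struct label *label)
{

	if (SLOT(label) == MOUNTMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mount_fslabel, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mount_fslabel: dup destroy");
	} else {
		Debugger("mac_test_destroy_mount_fslabel: corrupted label");
	}
}

static void
mac_test_destroy_socket_label(struct label *label)
{

	if (SLOT(label) == SOCKETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_socket, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_socket: dup destroy");
	} else {
		Debugger("mac_test_destroy_socket: corrupted label");
	}
}

static void
mac_test_destroy_socket_peer_label(struct label *label)
{

	if (SLOT(label) == SOCKETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_socket_peerlabel, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_socket_peerlabel: dup destroy");
	} else {
		Debugger("mac_test_destroy_socket_peerlabel: corrupted label");
	}
}

static void
mac_test_destroy_pipe_label(struct label *label)
{

	if (SLOT(label) == PIPEMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_pipe, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_pipe: dup destroy");
	} else {
		Debugger("mac_test_destroy_pipe: corrupted label");
	}
}

static void
mac_test_destroy_proc_label(struct label *label)
{

	if (SLOT(label) == PROCMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_proc, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_proc: dup destroy");
	} else {
		Debugger("mac_test_destroy_proc: corrupted label");
	}
}

static void
mac_test_destroy_vnode_label(struct label *label)
{

	if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_vnode, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_vnode: dup destroy");
	} else {
		Debugger("mac_test_destroy_vnode: corrupted label");
	}
}

/*
 * Copy routines.  Nothing is copied: each one only asserts that source and
 * destination labels both carry the magic of the stated object type.
 */
static void
mac_test_copy_cred_label(struct label *src, struct label *dest)
{

	ASSERT_CRED_LABEL(src);
	ASSERT_CRED_LABEL(dest);
}

static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{

	ASSERT_MBUF_LABEL(src);
	ASSERT_MBUF_LABEL(dest);
}

static void
mac_test_copy_pipe_label(struct label *src, struct label *dest)
{

	ASSERT_PIPE_LABEL(src);
	ASSERT_PIPE_LABEL(dest);
}

static void
mac_test_copy_socket_label(struct label *src, struct label *dest)
{

	ASSERT_SOCKET_LABEL(src);
	ASSERT_SOCKET_LABEL(dest);
}

static void
mac_test_copy_vnode_label(struct label *src, struct label *dest)
{

	ASSERT_VNODE_LABEL(src);
	ASSERT_VNODE_LABEL(dest);
}

/*
 * Externalize hook.  Counts the call and asserts that the label has not
 * been destroyed (slot != EXMAGIC).  The label's object type is not known
 * here, so no per-type magic is checked.  element_name and sb are unused
 * and *claimed is left untouched.  Always returns 0.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{

	atomic_add_int(&externalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_externalize_label: destroyed label"));

	return (0);
}

/*
 * Internalize hook.  Counts the call and asserts that the label has not
 * been destroyed.  element_name and element_data are not parsed and
 * *claimed is left untouched.  Always returns 0.
 */
static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{

	atomic_add_int(&internalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_internalize_label: destroyed label"));

	return (0);
}

/*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.
 *
 * The event hooks below (in this and the following sections) only assert
 * label types; the ones with an int return type return a fixed value.
 */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_DEVFS_LABEL(delabel);
	ASSERT_VNODE_LABEL(vlabel);
}

static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
	return (0);
}

static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
}

static void
mac_test_create_devfs_device(struct mount *mp, dev_t dev,
    struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_DEVFS_LABEL(ddlabel);
	ASSERT_DEVFS_LABEL(delabel);
}

/*
 * NOTE(review): vlabel (the label of the vnode being created) is not
 * checked here, unlike in mac_test_associate_vnode_extattr(); confirm
 * whether it is expected to be initialised when this hook runs before
 * adding ASSERT_VNODE_LABEL(vlabel).
 */
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

static void
mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(label);
}

static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vlabel);
	ASSERT_VNODE_LABEL(intlabel);
	return (0);
}

static void
mac_test_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{

	ASSERT_DEVFS_LABEL(direntlabel);
	ASSERT_VNODE_LABEL(vnodelabel);
}

/*
 * Labeling event operations: IPC object.
 */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
}

static void
mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
}

static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketlabel);
}

/*
 * Checks the socket's current label as well as the replacement, matching
 * the vnode, pipe and ifnet relabel hooks in this file, which check both.
 */
static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);
}

static void
mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
}

static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{

	ASSERT_MBUF_LABEL(mbuflabel);
	ASSERT_SOCKET_LABEL(socketpeerlabel);
}

/*
 * Labeling event operations: network objects.
 */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}

static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}

static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}

static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}

static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
}

static void
mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/* After checking both labels, always returns 1. */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);

	return (1);
}

static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
}

static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

static void
mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/*
 * Labeling event operations: processes.
 */

/*
 * interpvnodelabel and execlabel are optional: they are checked only when
 * non-NULL.  execlabel is checked as a credential label.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}

/*
 * Same optional-label handling as mac_test_execve_transition().  Always
 * returns 0.
 */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

static void
mac_test_create_proc0(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

static void
mac_test_create_proc1(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}
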
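/*
 * Labeling event: credential relabel.  Sanity-checks the credential's
 * current label and the replacement label.
 */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}

/*
 * Thread return-to-user event: prints the pid of the current thread's
 * process to the console.
 *
 * NOTE(review): td is unused and the pid is read through curthread;
 * presumably td == curthread at this hook -- confirm against the caller.
 * NOTE(review): the printf is unconditional, so every invocation writes a
 * console line; confirm that volume is acceptable where this test module
 * is loaded.
 */
static void
mac_test_thread_userret(struct thread *td)
{

	printf("mac_test_thread_userret(process = %d)\n",
	    curthread->td_proc->p_pid);
}

/*
 * Access control checks.
 *
 * Every check below only sanity-tests the labels it is handed and then
 * returns 0; none of them returns an error, so this policy never objects
 * to an operation.  The ASSERT_*_LABEL macros are KASSERT-based: the label
 * tests are compiled in only on kernels built with INVARIANTS, and on
 * other kernels these hooks do nothing but return 0.  None of the hooks
 * in this part of the file consults mac_test_enabled.
 */

/* BPF descriptor receive check: tests the BPF and interface labels. */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}

/* Credential relabel check: tests the current and proposed labels. */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}

/* Credential visibility check: tests the labels of both credentials. */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);

	return (0);
}

/*
 * Interface relabel check: tests the subject credential label and the
 * interface's current and proposed labels.
 */
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);

	return (0);
}

/* Interface transmit check: tests the interface and mbuf labels. */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* inpcb delivery check: tests the inpcb and mbuf labels. */
static int
mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);

	return (0);
}

/* Kernel environment dump check: tests the subject credential label. */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel environment get check: tests the subject credential label. */
static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel environment set check: tests the subject credential label. */
static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel environment unset check: tests the subject credential label. */
static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel module load check: tests the credential and vnode labels. */
static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Kernel module stat check: tests the subject credential label. */
static int
mac_test_check_kld_stat(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel module unload check: tests the subject credential label. */
static int
mac_test_check_kld_unload(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Mount stat check: tests the credential and mount labels. */
static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);

	return (0);
}

/* Pipe ioctl check: tests the credential and pipe labels. */
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe poll check: tests the credential and pipe labels. */
static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe read check: tests the credential and pipe labels. */
static int
mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/*
 * Pipe relabel check: tests the credential label and the pipe's current
 * and proposed labels.
 */
static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);

	return (0);
}

/* Pipe stat check: tests the credential and pipe labels. */
static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe write check: tests the credential and pipe labels. */
static int
mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/*
 * Process debug check: tests the subject credential label and the label
 * of the target process's credential.
 */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/*
 * Process scheduling check: tests the subject credential label and the
 * label of the target process's credential.
 */
static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/*
 * Process signal check: tests the subject credential label and the label
 * of the target process's credential.  signum is not examined.
 */
static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Socket bind check: tests the credential and socket labels. */
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket connect check: tests the credential and socket labels. */
static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket delivery check: tests the socket and mbuf labels. */
static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* Socket listen check: tests the credential and socket labels. */
static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket visibility check: tests the credential and socket labels. */
static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/*
 * Socket relabel check: tests the credential label and the socket's
 * current and proposed labels.
 */
static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}

/* sysarch ioperm check: tests the subject credential label. */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * System accounting check: tests the subject credential label only.
 *
 * NOTE(review): vp and label are accepted but never tested, unlike the
 * swapon and swapoff checks below.  Confirm whether label can be NULL at
 * this hook before adding an ASSERT_VNODE_LABEL() here.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* System reboot check: tests the subject credential label. */
static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* System settime check: tests the subject credential label. */
static int
mac_test_check_system_settime(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* System swapon check: tests the credential and vnode labels. */
static int
mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* System swapoff check: tests the credential and vnode labels. */
static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * System sysctl check: tests the subject credential label.  The oid and
 * request arguments are not examined.
 */
static int
mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
    void *arg1, int arg2, struct sysctl_req *req)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Vnode access check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode chdir check: tests the credential and directory vnode labels. */
static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode chroot check: tests the credential and directory vnode labels. */
static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode create check: tests the credential and directory vnode labels. */
static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/*
 * Vnode delete check: tests the credential label and the labels of the
 * directory vnode and the vnode itself.
 */
static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode ACL delete check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode extended-attribute delete check: tests the credential and vnode
 * labels.
 */
static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode exec check: tests the credential and vnode labels, plus execlabel
 * when one is supplied (it is tested as a credential label).
 */
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/* Vnode ACL get check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode extended-attribute get check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode link check: tests the credential label and the labels of the
 * directory vnode and the vnode being linked.
 */
static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode extended-attribute list check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode lookup check: tests the credential and directory vnode labels. */
static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode mmap check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode mprotect check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode open check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	return (0);
}

/*
 * Vnode poll check: tests the active credential label, the file
 * credential label when a file credential is supplied, and the vnode
 * label.  The NULL guard on file_cred matches the read, stat and write
 * checks, so a caller without a file credential does not trip a NULL
 * dereference inside the assertion.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode read check: tests the active credential label, the file
 * credential label when a file credential is supplied, and the vnode
 * label.
 */
static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode readdir check: tests the credential and directory vnode labels. */
static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode readlink check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);

	return (0);
}

/*
 * Vnode relabel check: tests the credential label and the vnode's current
 * and proposed labels.
 */
static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);

	return (0);
}

/*
 * Vnode rename (source side) check: tests the credential label and the
 * labels of the directory vnode and the vnode being renamed.
 */
static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode rename (target side) check: tests the credential label and the
 * directory vnode label.  The vnode label is tested only when vp is
 * non-NULL (presumably vp is NULL when the target name does not yet
 * exist -- confirm against the caller).
 */
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	if (vp != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

/* Vnode revoke check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode ACL set check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode extended-attribute set check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode setflags check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode setmode check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode setowner check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Vnode setutimes check: tests the credential and vnode labels. */
static int
mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode stat check: tests the active credential label, the file
 * credential label when a file credential is supplied, and the vnode
 * label.
 */
static int
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode write check: tests the active credential label, the file
 * credential label when a file credential is supplied, and the vnode
 * label.
 */
static int
mac_test_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Operation vector for the test policy: one entry per MAC framework hook
 * this module implements.  All externalize entries share
 * mac_test_externalize_label and all internalize entries share
 * mac_test_internalize_label.
 */
static struct mac_policy_ops mac_test_ops =
{
	.mpo_destroy = mac_test_destroy,
	.mpo_init = mac_test_init,
	.mpo_syscall = mac_test_syscall,
	.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
	.mpo_init_cred_label = mac_test_init_cred_label,
	.mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
	.mpo_init_ifnet_label = mac_test_init_ifnet_label,
	.mpo_init_inpcb_label = mac_test_init_inpcb_label,
	.mpo_init_ipq_label = mac_test_init_ipq_label,
	.mpo_init_mbuf_label = mac_test_init_mbuf_label,
	.mpo_init_mount_label = mac_test_init_mount_label,
	.mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
	.mpo_init_pipe_label = mac_test_init_pipe_label,
	.mpo_init_proc_label = mac_test_init_proc_label,
	.mpo_init_socket_label = mac_test_init_socket_label,
	.mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
	.mpo_init_vnode_label = mac_test_init_vnode_label,
	.mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
	.mpo_destroy_cred_label = mac_test_destroy_cred_label,
	.mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
	.mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
	.mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
	.mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
	.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
	.mpo_destroy_mount_label = mac_test_destroy_mount_label,
	.mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
	.mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
	.mpo_destroy_proc_label = mac_test_destroy_proc_label,
	.mpo_destroy_socket_label = mac_test_destroy_socket_label,
	.mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
	.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
	.mpo_copy_cred_label = mac_test_copy_cred_label,
	.mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
	.mpo_copy_pipe_label = mac_test_copy_pipe_label,
	.mpo_copy_socket_label = mac_test_copy_socket_label,
	.mpo_copy_vnode_label = mac_test_copy_vnode_label,
	.mpo_externalize_cred_label = mac_test_externalize_label,
	.mpo_externalize_ifnet_label = mac_test_externalize_label,
	.mpo_externalize_pipe_label = mac_test_externalize_label,
	.mpo_externalize_socket_label = mac_test_externalize_label,
	.mpo_externalize_socket_peer_label = mac_test_externalize_label,
	.mpo_externalize_vnode_label = mac_test_externalize_label,
	.mpo_internalize_cred_label = mac_test_internalize_label,
	.mpo_internalize_ifnet_label = mac_test_internalize_label,
	.mpo_internalize_pipe_label = mac_test_internalize_label,
	.mpo_internalize_socket_label = mac_test_internalize_label,
	.mpo_internalize_vnode_label = mac_test_internalize_label,
	.mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
	.mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
	.mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
	.mpo_create_devfs_device = mac_test_create_devfs_device,
	.mpo_create_devfs_directory = mac_test_create_devfs_directory,
	.mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
	.mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
	.mpo_create_mount = mac_test_create_mount,
	.mpo_create_root_mount = mac_test_create_root_mount,
	.mpo_relabel_vnode = mac_test_relabel_vnode,
	.mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
	.mpo_update_devfsdirent = mac_test_update_devfsdirent,
	.mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
	.mpo_create_pipe = mac_test_create_pipe,
	.mpo_create_socket = mac_test_create_socket,
	.mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
	.mpo_relabel_pipe = mac_test_relabel_pipe,
	.mpo_relabel_socket = mac_test_relabel_socket,
	.mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
	.mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
	.mpo_create_bpfdesc = mac_test_create_bpfdesc,
	.mpo_create_ifnet = mac_test_create_ifnet,
	.mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
	.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
	.mpo_create_fragment = mac_test_create_fragment,
	.mpo_create_ipq = mac_test_create_ipq,
	.mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
	.mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
	.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
	.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
	.mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
	.mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
	.mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
	.mpo_fragment_match = mac_test_fragment_match,
	.mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
	.mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
	.mpo_relabel_ifnet = mac_test_relabel_ifnet,
	.mpo_update_ipq = mac_test_update_ipq,
	.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
	.mpo_execve_transition = mac_test_execve_transition,
	.mpo_execve_will_transition = mac_test_execve_will_transition,
	.mpo_create_proc0 = mac_test_create_proc0,
	.mpo_create_proc1 = mac_test_create_proc1,
	.mpo_relabel_cred = mac_test_relabel_cred,
	.mpo_thread_userret = mac_test_thread_userret,
	.mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
	.mpo_check_cred_relabel = mac_test_check_cred_relabel,
	.mpo_check_cred_visible = mac_test_check_cred_visible,
	.mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
	.mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
	.mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
	.mpo_check_kenv_dump = mac_test_check_kenv_dump,
	.mpo_check_kenv_get = mac_test_check_kenv_get,
	.mpo_check_kenv_set = mac_test_check_kenv_set,
	.mpo_check_kenv_unset = mac_test_check_kenv_unset,
	.mpo_check_kld_load = mac_test_check_kld_load,
	.mpo_check_kld_stat = mac_test_check_kld_stat,
	.mpo_check_kld_unload = mac_test_check_kld_unload,
	.mpo_check_mount_stat = mac_test_check_mount_stat,
	.mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
	.mpo_check_pipe_poll = mac_test_check_pipe_poll,
	.mpo_check_pipe_read = mac_test_check_pipe_read,
	.mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
	.mpo_check_pipe_stat = mac_test_check_pipe_stat,
	.mpo_check_pipe_write = mac_test_check_pipe_write,
	.mpo_check_proc_debug = mac_test_check_proc_debug,
	.mpo_check_proc_sched = mac_test_check_proc_sched,
	.mpo_check_proc_signal = mac_test_check_proc_signal,
	.mpo_check_socket_bind = mac_test_check_socket_bind,
	.mpo_check_socket_connect = mac_test_check_socket_connect,
	.mpo_check_socket_deliver = mac_test_check_socket_deliver,
	.mpo_check_socket_listen = mac_test_check_socket_listen,
	.mpo_check_socket_relabel = mac_test_check_socket_relabel,
	.mpo_check_socket_visible = mac_test_check_socket_visible,
	.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
	.mpo_check_system_acct = mac_test_check_system_acct,
	.mpo_check_system_reboot = mac_test_check_system_reboot,
	.mpo_check_system_settime = mac_test_check_system_settime,
	.mpo_check_system_swapon = mac_test_check_system_swapon,
	.mpo_check_system_swapoff = mac_test_check_system_swapoff,
	.mpo_check_system_sysctl = mac_test_check_system_sysctl,
	.mpo_check_vnode_access = mac_test_check_vnode_access,
	.mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
	.mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
	.mpo_check_vnode_create = mac_test_check_vnode_create,
	.mpo_check_vnode_delete = mac_test_check_vnode_delete,
	.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = mac_test_check_vnode_exec,
	.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
	.mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
	.mpo_check_vnode_link = mac_test_check_vnode_link,
	.mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
	.mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
	.mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
	.mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect,
	.mpo_check_vnode_open = mac_test_check_vnode_open,
	.mpo_check_vnode_poll = mac_test_check_vnode_poll,
	.mpo_check_vnode_read = mac_test_check_vnode_read,
	.mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
	.mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
	.mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
	.mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
	.mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
	.mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
	.mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
	.mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
	.mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
	.mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
	.mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
	.mpo_check_vnode_stat = mac_test_check_vnode_stat,
	.mpo_check_vnode_write = mac_test_check_vnode_write,
};

/*
 * Declare the policy to the MAC framework: the operation vector, the
 * policy name and description, the load-time flags, and the variable that
 * receives the label slot (test_slot, which the SLOT() macro reads).
 * MPC_LOADTIME_FLAG_UNLOADOK marks the policy as unloadable at run time
 * and MPC_LOADTIME_FLAG_LABELMBUFS asks for labels on mbufs.
 */
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
    MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);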