xref: /freebsd/sys/security/mac_test/mac_test.c (revision 7660b554bc59a07be0431c17e0e33815818baa69)
1 /*-
2  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3  * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
4  * All rights reserved.
5  *
6  * This software was developed by Robert Watson for the TrustedBSD Project.
7  *
8  * This software was developed for the FreeBSD Project in part by Network
9  * Associates Laboratories, the Security Research Division of Network
10  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
11  * as part of the DARPA CHATS research program.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1. Redistributions of source code must retain the above copyright
17  *    notice, this list of conditions and the following disclaimer.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  *
34  * $FreeBSD$
35  */
36 
37 /*
38  * Developed by the TrustedBSD Project.
39  * Generic mandatory access module that does nothing.
40  */
41 
42 #include <sys/types.h>
43 #include <sys/param.h>
44 #include <sys/acl.h>
45 #include <sys/conf.h>
46 #include <sys/extattr.h>
47 #include <sys/kernel.h>
48 #include <sys/mac.h>
49 #include <sys/malloc.h>
50 #include <sys/mount.h>
51 #include <sys/proc.h>
52 #include <sys/systm.h>
53 #include <sys/sysproto.h>
54 #include <sys/sysent.h>
55 #include <sys/vnode.h>
56 #include <sys/file.h>
57 #include <sys/socket.h>
58 #include <sys/socketvar.h>
59 #include <sys/sysctl.h>
60 
61 #include <fs/devfs/devfs.h>
62 
63 #include <net/bpfdesc.h>
64 #include <net/if.h>
65 #include <net/if_types.h>
66 #include <net/if_var.h>
67 
68 #include <vm/vm.h>
69 
70 #include <sys/mac_policy.h>
71 
SYSCTL_DECL(_security_mac);

/* Parent sysctl node for this policy, created under _security_mac. */
SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * Read-write "enabled" knob exported under the node above.
 * NOTE(review): none of the hooks visible in this part of the file read
 * mac_test_enabled, so changing it may have no effect -- confirm against
 * the rest of the file before relying on it to switch the policy off.
 */
static int	mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");
80 
/*
 * Per-object-type tag values.  Each init hook below stores the tag for
 * its object type in the policy's label slot, and the ASSERT_*_LABEL
 * macros compare the slot against the tag expected for that type.
 * EXMAGIC is the value the destroy hooks write, so a slot holding it
 * identifies a label that has already been destroyed.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	PIPEMAGIC	0xdc6c9919
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
#define	EXMAGIC		0x849ba1fd
93 
/* This policy's storage in a label: the l_long member of slot test_slot. */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long

/*
 * Type assertions.  Each one passes when the slot holds the tag for the
 * named object type or 0, and otherwise fails the KASSERT with a "Bad
 * <TYPE> label" message prefixed by the calling function's name.
 *
 * Every macro expands SLOT(x) unconditionally, so the label pointer is
 * dereferenced without a NULL check; callers that may see a NULL label
 * have to test for it themselves before asserting.
 * NOTE(review): KASSERT is normally compiled in only for INVARIANTS
 * kernels, in which case these checks vanish from other builds --
 * confirm for the target configuration.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
#define	ASSERT_IFNET_LABEL(x)	KASSERT(SLOT(x) == IFNETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IFNET label", __func__ ))
#define	ASSERT_IPQ_LABEL(x)	KASSERT(SLOT(x) == IPQMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IPQ label", __func__ ))
#define	ASSERT_MBUF_LABEL(x)	KASSERT(SLOT(x) == MBUFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad MBUF label", __func__ ))
#define	ASSERT_MOUNT_LABEL(x)	KASSERT(SLOT(x) == MOUNTMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ ))
#define	ASSERT_SOCKET_LABEL(x)	KASSERT(SLOT(x) == SOCKETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ ))
#define	ASSERT_PIPE_LABEL(x)	KASSERT(SLOT(x) == PIPEMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PIPE label", __func__ ))
#define	ASSERT_PROC_LABEL(x)	KASSERT(SLOT(x) == PROCMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PROC label", __func__ ))
#define	ASSERT_CRED_LABEL(x)	KASSERT(SLOT(x) == CREDMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad CRED label", __func__ ))
#define	ASSERT_VNODE_LABEL(x)	KASSERT(SLOT(x) == VNODEMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad VNODE label", __func__ ))
118 
/*
 * Label slot index used by SLOT(); exported read-only so the value can
 * be inspected from userland.
 */
static int	test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");
122 
/*
 * Per-object-type counters of label init calls, each exported as a
 * read-only sysctl.  The init hooks below increment them with
 * atomic_add_int(); comparing them with the destroy counters shows how
 * many labels of each type are still outstanding.
 */
static int	init_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
    &init_count_bpfdesc, 0, "bpfdesc init calls");
static int	init_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
    &init_count_cred, 0, "cred init calls");
static int	init_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
    &init_count_devfsdirent, 0, "devfsdirent init calls");
static int	init_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
    &init_count_ifnet, 0, "ifnet init calls");
static int	init_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
    &init_count_ipq, 0, "ipq init calls");
static int	init_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
    &init_count_mbuf, 0, "mbuf init calls");
static int	init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
    &init_count_mount, 0, "mount init calls");
static int	init_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
    &init_count_mount_fslabel, 0, "mount_fslabel init calls");
static int	init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
    &init_count_socket, 0, "socket init calls");
static int	init_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
    CTLFLAG_RD, &init_count_socket_peerlabel, 0,
    "socket_peerlabel init calls");
static int	init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
    &init_count_pipe, 0, "pipe init calls");
static int	init_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
    &init_count_proc, 0, "proc init calls");
static int	init_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
    &init_count_vnode, 0, "vnode init calls");
163 
/*
 * Per-object-type counters of label destroy calls, each exported as a
 * read-only sysctl.  The destroy hooks below increment them only on the
 * path where the label passed its tag check, not on the duplicate
 * destroy or corrupted label paths.
 */
static int	destroy_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
    &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
static int	destroy_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
    &destroy_count_cred, 0, "cred destroy calls");
static int	destroy_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
    &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
static int	destroy_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
    &destroy_count_ifnet, 0, "ifnet destroy calls");
static int	destroy_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
    &destroy_count_ipq, 0, "ipq destroy calls");
static int      destroy_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
    &destroy_count_mbuf, 0, "mbuf destroy calls");
static int      destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
    &destroy_count_mount, 0, "mount destroy calls");
static int      destroy_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
    CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
    "mount_fslabel destroy calls");
static int      destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
    &destroy_count_socket, 0, "socket destroy calls");
static int      destroy_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
    CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
    "socket_peerlabel destroy calls");
static int      destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
    &destroy_count_pipe, 0, "pipe destroy calls");
static int      destroy_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
    &destroy_count_proc, 0, "proc destroy calls");
static int      destroy_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
    &destroy_count_vnode, 0, "vnode destroy calls");
205 
/*
 * Counters of label externalize and internalize calls, exported as
 * read-only sysctls and incremented by the two hooks of the same name.
 */
static int externalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
static int internalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");
212 
213 /*
214  * Policy module operations.
215  */
/*
 * Policy destroy hook.  The test policy keeps no state that needs
 * tearing down, so this is intentionally empty.
 */
static void
mac_test_destroy(struct mac_policy_conf *conf)
{
	/* Nothing to release. */
}
221 
/*
 * Policy init hook.  The test policy needs no setup beyond its static
 * counters, so this is intentionally empty.
 */
static void
mac_test_init(struct mac_policy_conf *conf)
{
	/* Nothing to set up. */
}
227 
/*
 * Policy system call hook.  Neither the call number nor the argument
 * pointer is inspected or dereferenced; every request returns 0.
 */
static int
mac_test_syscall(struct thread *td, int call, void *arg)
{
	return (0);
}
234 
235 /*
236  * Label operations.
237  */
/*
 * Label init hook for BPF descriptors: count the call and tag the
 * policy's slot with BPFMAGIC.
 */
static void
mac_test_init_bpfdesc_label(struct label *label)
{
	atomic_add_int(&init_count_bpfdesc, 1);
	SLOT(label) = BPFMAGIC;
}
245 
/*
 * Label init hook for credentials: count the call and tag the policy's
 * slot with CREDMAGIC.
 */
static void
mac_test_init_cred_label(struct label *label)
{
	atomic_add_int(&init_count_cred, 1);
	SLOT(label) = CREDMAGIC;
}
253 
/*
 * Label init hook for devfs directory entries: count the call and tag
 * the policy's slot with DEVFSMAGIC.
 */
static void
mac_test_init_devfsdirent_label(struct label *label)
{
	atomic_add_int(&init_count_devfsdirent, 1);
	SLOT(label) = DEVFSMAGIC;
}
261 
/*
 * Label init hook for network interfaces: count the call and tag the
 * policy's slot with IFNETMAGIC.
 */
static void
mac_test_init_ifnet_label(struct label *label)
{
	atomic_add_int(&init_count_ifnet, 1);
	SLOT(label) = IFNETMAGIC;
}
269 
/*
 * Label init hook for IP fragment reassembly queues.
 *
 * When the caller passes M_WAITOK, WITNESS_WARN is invoked with
 * WARN_SLEEPOK so that a caller that is not actually allowed to sleep
 * gets reported.  The slot is then tagged with IPQMAGIC and the call is
 * counted.  Always returns 0.
 */
static int
mac_test_init_ipq_label(struct label *label, int flag)
{
	const int may_sleep = (flag & M_WAITOK) != 0;

	if (may_sleep) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = IPQMAGIC;
	atomic_add_int(&init_count_ipq, 1);

	return (0);
}
283 
/*
 * Label init hook for mbufs.
 *
 * When the caller passes M_WAITOK, WITNESS_WARN is invoked with
 * WARN_SLEEPOK so that a caller that is not actually allowed to sleep
 * gets reported.  The slot is then tagged with MBUFMAGIC and the call
 * is counted.  Always returns 0.
 */
static int
mac_test_init_mbuf_label(struct label *label, int flag)
{
	const int may_sleep = (flag & M_WAITOK) != 0;

	if (may_sleep) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = MBUFMAGIC;
	atomic_add_int(&init_count_mbuf, 1);

	return (0);
}
297 
/*
 * Label init hook for mount points: count the call and tag the policy's
 * slot with MOUNTMAGIC.
 */
static void
mac_test_init_mount_label(struct label *label)
{
	atomic_add_int(&init_count_mount, 1);
	SLOT(label) = MOUNTMAGIC;
}
305 
/*
 * Label init hook for a mount's file system label.  It shares MOUNTMAGIC
 * with the mount label, so the two cannot be told apart by tag, but it
 * has its own init counter.
 */
static void
mac_test_init_mount_fs_label(struct label *label)
{
	atomic_add_int(&init_count_mount_fslabel, 1);
	SLOT(label) = MOUNTMAGIC;
}
313 
/*
 * Label init hook for sockets.
 *
 * When the caller passes M_WAITOK, WITNESS_WARN is invoked with
 * WARN_SLEEPOK so that a caller that is not actually allowed to sleep
 * gets reported.  The slot is then tagged with SOCKETMAGIC and the call
 * is counted.  Always returns 0.
 */
static int
mac_test_init_socket_label(struct label *label, int flag)
{
	const int may_sleep = (flag & M_WAITOK) != 0;

	if (may_sleep) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket, 1);

	return (0);
}
327 
/*
 * Label init hook for a socket's peer label.
 *
 * When the caller passes M_WAITOK, WITNESS_WARN is invoked with
 * WARN_SLEEPOK so that a caller that is not actually allowed to sleep
 * gets reported.  The slot is tagged with SOCKETMAGIC, the same tag the
 * socket label itself uses, and the call goes to a separate counter.
 * Always returns 0.
 */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{
	const int may_sleep = (flag & M_WAITOK) != 0;

	if (may_sleep) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket_peerlabel, 1);

	return (0);
}
341 
/*
 * Label init hook for pipes: count the call and tag the policy's slot
 * with PIPEMAGIC.
 */
static void
mac_test_init_pipe_label(struct label *label)
{
	atomic_add_int(&init_count_pipe, 1);
	SLOT(label) = PIPEMAGIC;
}
349 
/*
 * Label init hook for processes: count the call and tag the policy's
 * slot with PROCMAGIC.
 */
static void
mac_test_init_proc_label(struct label *label)
{
	atomic_add_int(&init_count_proc, 1);
	SLOT(label) = PROCMAGIC;
}
357 
/*
 * Label init hook for vnodes: count the call and tag the policy's slot
 * with VNODEMAGIC.
 */
static void
mac_test_init_vnode_label(struct label *label)
{
	atomic_add_int(&init_count_vnode, 1);
	SLOT(label) = VNODEMAGIC;
}
365 
/*
 * Label destroy hook for BPF descriptors.
 *
 * A slot already holding EXMAGIC means the label was destroyed before
 * (double destroy); any value other than BPFMAGIC or 0 means the slot
 * was overwritten.  Both cases enter the debugger.  Otherwise the call
 * is counted and the slot is poisoned with EXMAGIC.
 */
static void
mac_test_destroy_bpfdesc_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_bpfdesc: dup destroy");
		return;
	}
	if (SLOT(label) != BPFMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_bpfdesc: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_bpfdesc, 1);
	SLOT(label) = EXMAGIC;
}
379 
/*
 * Label destroy hook for credentials.
 *
 * A slot already holding EXMAGIC means the label was destroyed before
 * (double destroy); any value other than CREDMAGIC or 0 means the slot
 * was overwritten.  Both cases enter the debugger.  Otherwise the call
 * is counted and the slot is poisoned with EXMAGIC.
 */
static void
mac_test_destroy_cred_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_cred: dup destroy");
		return;
	}
	if (SLOT(label) != CREDMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_cred: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_cred, 1);
	SLOT(label) = EXMAGIC;
}
393 
/*
 * Label destroy hook for devfs directory entries.
 *
 * A slot already holding EXMAGIC means the label was destroyed before
 * (double destroy); any value other than DEVFSMAGIC or 0 means the slot
 * was overwritten.  Both cases enter the debugger.  Otherwise the call
 * is counted and the slot is poisoned with EXMAGIC.
 */
static void
mac_test_destroy_devfsdirent_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_devfsdirent: dup destroy");
		return;
	}
	if (SLOT(label) != DEVFSMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_devfsdirent: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_devfsdirent, 1);
	SLOT(label) = EXMAGIC;
}
407 
/*
 * Label destroy hook for network interfaces.
 *
 * A slot already holding EXMAGIC means the label was destroyed before
 * (double destroy); any value other than IFNETMAGIC or 0 means the slot
 * was overwritten.  Both cases enter the debugger.  Otherwise the call
 * is counted and the slot is poisoned with EXMAGIC.
 */
static void
mac_test_destroy_ifnet_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_ifnet: dup destroy");
		return;
	}
	if (SLOT(label) != IFNETMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_ifnet: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_ifnet, 1);
	SLOT(label) = EXMAGIC;
}
421 
/*
 * Label destroy hook for IP fragment reassembly queues.
 *
 * A slot already holding EXMAGIC means the label was destroyed before
 * (double destroy); any value other than IPQMAGIC or 0 means the slot
 * was overwritten.  Both cases enter the debugger.  Otherwise the call
 * is counted and the slot is poisoned with EXMAGIC.
 */
static void
mac_test_destroy_ipq_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_ipq: dup destroy");
		return;
	}
	if (SLOT(label) != IPQMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_ipq: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_ipq, 1);
	SLOT(label) = EXMAGIC;
}
435 
/*
 * Label destroy hook for mbufs.
 *
 * Unlike the other destroy hooks this one tolerates a NULL label: when
 * the module is loaded dynamically, mbufs already in flight may have no
 * label storage at all, and those are skipped without being counted.
 *
 * For a non-NULL label, a slot already holding EXMAGIC is a double
 * destroy and any value other than MBUFMAGIC or 0 is corruption; both
 * enter the debugger.  Otherwise the call is counted and the slot is
 * poisoned with EXMAGIC.
 */
static void
mac_test_destroy_mbuf_label(struct label *label)
{
	if (label != NULL) {
		if (SLOT(label) == EXMAGIC) {
			Debugger("mac_test_destroy_mbuf: dup destroy");
		} else if (SLOT(label) != MBUFMAGIC && SLOT(label) != 0) {
			Debugger("mac_test_destroy_mbuf: corrupted label");
		} else {
			atomic_add_int(&destroy_count_mbuf, 1);
			SLOT(label) = EXMAGIC;
		}
	}
}
457 
/*
 * Label destroy hook for mount points.
 *
 * A slot already holding EXMAGIC means the label was destroyed before
 * (double destroy); any value other than MOUNTMAGIC or 0 means the slot
 * was overwritten.  Both cases enter the debugger.  Otherwise the call
 * is counted and the slot is poisoned with EXMAGIC.
 */
static void
mac_test_destroy_mount_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mount: dup destroy");
		return;
	}
	if (SLOT(label) != MOUNTMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_mount: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_mount, 1);
	SLOT(label) = EXMAGIC;
}
471 
/*
 * Label destroy hook for a mount's file system label.
 *
 * A slot already holding EXMAGIC means the label was destroyed before
 * (double destroy); any value other than MOUNTMAGIC or 0 means the slot
 * was overwritten.  Both cases enter the debugger.  Otherwise the call
 * goes to the mount_fslabel counter and the slot is poisoned with
 * EXMAGIC.
 */
static void
mac_test_destroy_mount_fs_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mount_fslabel: dup destroy");
		return;
	}
	if (SLOT(label) != MOUNTMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_mount_fslabel: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_mount_fslabel, 1);
	SLOT(label) = EXMAGIC;
}
485 
/*
 * Label destroy hook for sockets.
 *
 * A slot already holding EXMAGIC means the label was destroyed before
 * (double destroy); any value other than SOCKETMAGIC or 0 means the
 * slot was overwritten.  Both cases enter the debugger.  Otherwise the
 * call is counted and the slot is poisoned with EXMAGIC.
 */
static void
mac_test_destroy_socket_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_socket: dup destroy");
		return;
	}
	if (SLOT(label) != SOCKETMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_socket: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_socket, 1);
	SLOT(label) = EXMAGIC;
}
499 
/*
 * Label destroy hook for a socket's peer label.
 *
 * A slot already holding EXMAGIC means the label was destroyed before
 * (double destroy); any value other than SOCKETMAGIC or 0 means the
 * slot was overwritten.  Both cases enter the debugger.  Otherwise the
 * call goes to the socket_peerlabel counter and the slot is poisoned
 * with EXMAGIC.
 */
static void
mac_test_destroy_socket_peer_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_socket_peerlabel: dup destroy");
		return;
	}
	if (SLOT(label) != SOCKETMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_socket_peerlabel: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_socket_peerlabel, 1);
	SLOT(label) = EXMAGIC;
}
513 
/*
 * Label destroy hook for pipes.
 *
 * A slot already holding EXMAGIC means the label was destroyed before
 * (double destroy); any value other than PIPEMAGIC or 0 means the slot
 * was overwritten.  Both cases enter the debugger.  Otherwise the call
 * is counted and the slot is poisoned with EXMAGIC.
 */
static void
mac_test_destroy_pipe_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_pipe: dup destroy");
		return;
	}
	if (SLOT(label) != PIPEMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_pipe: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_pipe, 1);
	SLOT(label) = EXMAGIC;
}
527 
/*
 * Label destroy hook for processes.
 *
 * A slot already holding EXMAGIC means the label was destroyed before
 * (double destroy); any value other than PROCMAGIC or 0 means the slot
 * was overwritten.  Both cases enter the debugger.  Otherwise the call
 * is counted and the slot is poisoned with EXMAGIC.
 */
static void
mac_test_destroy_proc_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_proc: dup destroy");
		return;
	}
	if (SLOT(label) != PROCMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_proc: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_proc, 1);
	SLOT(label) = EXMAGIC;
}
541 
/*
 * Label destroy hook for vnodes.
 *
 * A slot already holding EXMAGIC means the label was destroyed before
 * (double destroy); any value other than VNODEMAGIC or 0 means the slot
 * was overwritten.  Both cases enter the debugger.  Otherwise the call
 * is counted and the slot is poisoned with EXMAGIC.
 */
static void
mac_test_destroy_vnode_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_vnode: dup destroy");
		return;
	}
	if (SLOT(label) != VNODEMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_vnode: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_vnode, 1);
	SLOT(label) = EXMAGIC;
}
555 
/*
 * Label externalize hook, shared by all object types.
 *
 * Counts the call and asserts that the label has not been destroyed
 * (slot != EXMAGIC), which catches use of a label after its destroy
 * hook ran.  Nothing is written to sb and *claimed is left untouched.
 * Always returns 0.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{
	atomic_add_int(&externalize_count, 1);
	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_externalize_label: destroyed label"));

	return (0);
}
568 
/*
 * Label internalize hook, shared by all object types.
 *
 * Counts the call and asserts that the label has not been destroyed
 * (slot != EXMAGIC).  element_data is never parsed and *claimed is left
 * untouched.  Always returns 0.
 */
static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{
	atomic_add_int(&internalize_count, 1);
	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_internalize_label: destroyed label"));

	return (0);
}
581 
582 /*
583  * Labeling event operations: file system objects, and things that look
584  * a lot like file system objects.
585  */
/*
 * devfs vnode association event: check that the file system, devfs
 * entry and vnode labels each carry the tag for their own type.
 */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_DEVFS_LABEL(delabel);
	ASSERT_VNODE_LABEL(vlabel);
}
596 
/*
 * Extended-attribute vnode association event: check the file system and
 * vnode label tags.  No extended attribute is read.  Always returns 0.
 */
static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);

	return (0);
}
606 
/*
 * Single-label vnode association event: check the file system and vnode
 * label tags.
 */
static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
}
615 
/* devfs device creation event: check the new entry's label tag. */
static void
mac_test_create_devfs_device(struct mount *mp, dev_t dev,
    struct devfs_dirent *devfs_dirent, struct label *label)
{
	ASSERT_DEVFS_LABEL(label);
}
623 
/*
 * devfs directory creation event: check the new entry's label tag.  The
 * directory name and its length are not examined.
 */
static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{
	ASSERT_DEVFS_LABEL(label);
}
631 
/*
 * devfs symlink creation event: check the creating credential's label
 * and the labels of both devfs entries (dd and de).
 */
static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_DEVFS_LABEL(ddlabel);
	ASSERT_DEVFS_LABEL(delabel);
}
642 
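/*
 * Extended-attribute vnode creation event.
 *
 * Checks the tag on every label handed in: the creating credential, the
 * file system, the parent directory vnode (dlabel) and the new vnode
 * (vlabel).  vlabel is asserted like the others so that a mislabelled
 * new vnode is caught here, matching what
 * mac_test_associate_vnode_extattr() does for its vlabel.  Always
 * returns 0.
 */
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(vlabel);

	return (0);
}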
655 
/*
 * Mount creation event: check the mounting credential's label and both
 * mount-side labels (mount label and file system label).
 */
static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}
665 
/*
 * Root mount creation event: the same checks as for an ordinary mount,
 * i.e. the credential label and both mount-side labels.
 */
static void
mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}
675 
/*
 * Vnode relabel event: check the credential label, the vnode's current
 * label and the replacement label.  No label is copied.
 */
static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(label);
}
685 
/*
 * Extended-attribute vnode setlabel event: check the credential label,
 * the vnode label and the incoming label.  Nothing is written to an
 * extended attribute.  Always returns 0.
 */
static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(vlabel);
	ASSERT_VNODE_LABEL(intlabel);

	return (0);
}
696 
/*
 * devfs entry update event: check the devfs entry label and the vnode
 * label.
 */
static void
mac_test_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{
	ASSERT_DEVFS_LABEL(direntlabel);
	ASSERT_VNODE_LABEL(vnodelabel);
}
706 
707 /*
708  * Labeling event operations: IPC object.
709  */
/*
 * mbuf-from-socket event: check the socket label and the mbuf label.
 * The mbuf label is dereferenced without a NULL check.
 */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}
718 
/*
 * Socket creation event: check the creating credential's label and the
 * new socket's label.
 */
static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
}
727 
/*
 * Pipe creation event: check the creating credential's label and the
 * new pipe's label.
 */
static void
mac_test_create_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
}
736 
/*
 * Socket-from-socket event: check the labels of both the existing and
 * the new socket.
 */
static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{
	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketlabel);
}
746 
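/*
 * Socket relabel event.
 *
 * Checks the credential label, the socket's current label and the
 * replacement label.  The current label is asserted as well as the new
 * one, in the same way mac_test_relabel_pipe() checks both of its
 * labels, so a corrupted or mistyped label on the object being
 * relabelled does not pass unnoticed.  No label is copied.
 */
static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);
}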
755 
/*
 * Pipe relabel event: check the credential label, the pipe's current
 * label and the replacement label.  No label is copied.
 */
static void
mac_test_relabel_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
}
765 
/*
 * Socket peer label from mbuf event: check the mbuf label and the
 * socket's peer label, which carries the socket tag.
 */
static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{
	ASSERT_MBUF_LABEL(mbuflabel);
	ASSERT_SOCKET_LABEL(socketpeerlabel);
}
774 
775 /*
776  * Labeling event operations: network objects.
777  */
/*
 * Socket peer label from socket event: check the existing socket's
 * label and the new socket's peer label.
 */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{
	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}
787 
/*
 * BPF descriptor creation event: check the creating credential's label
 * and the descriptor's label.
 */
static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}
796 
/*
 * Datagram-from-reassembly-queue event: check the queue label and the
 * reassembled datagram's mbuf label.
 */
static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{
	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}
805 
/*
 * Fragment creation event: check the mbuf labels of the source datagram
 * and of the fragment.
 */
static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{
	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}
814 
/* Interface creation event: check the interface label's tag. */
static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
}
821 
/*
 * Reassembly queue creation event: check the first fragment's mbuf
 * label and the queue label.
 */
static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}
830 
/*
 * mbuf-from-mbuf event: check the labels of both the old and the new
 * mbuf.
 */
static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{
	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}
840 
/*
 * Link-layer mbuf creation event: check the interface label and the
 * mbuf label.
 */
static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}
849 
/*
 * mbuf-from-BPF-descriptor event: check the descriptor label and the
 * mbuf label.
 */
static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{
	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}
858 
/*
 * mbuf-from-interface event: check the interface label and the mbuf
 * label.
 */
static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}
867 
/*
 * Multicast encapsulation event: check the original mbuf label, the
 * interface label and the encapsulating mbuf's label.
 */
static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{
	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}
878 
/*
 * Network-layer mbuf creation event: check the labels of both the old
 * and the new mbuf.
 */
static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{
	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}
888 
/*
 * Fragment match hook: check the fragment's mbuf label and the queue
 * label, then return 1 unconditionally.  The labels are never compared
 * with each other.
 * NOTE(review): 1 presumably tells the caller the fragment matches the
 * queue -- confirm against the framework's definition of this hook.
 */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);

	return (1);
}
899 
/* ICMP reflection event: check the mbuf label's tag. */
static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{
	ASSERT_MBUF_LABEL(mlabel);
}
906 
/* TCP reflection event: check the mbuf label's tag. */
static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{
	ASSERT_MBUF_LABEL(mlabel);
}
913 
/*
 * Interface relabel event: check the credential label, the interface's
 * current label and the replacement label.  No label is copied.
 */
static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
}
923 
/*
 * Reassembly queue update event: check the fragment's mbuf label and
 * the queue label.
 */
static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}
932 
933 /*
934  * Labeling event operations: processes.
935  */
/*
 * Credential creation event: check the labels of both the parent and
 * the child credential.
 */
static void
mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
	ASSERT_CRED_LABEL(&cred_parent->cr_label);
	ASSERT_CRED_LABEL(&cred_child->cr_label);
}
943 
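/*
 * execve() label transition event.
 *
 * Checks the old and new credential labels and the label of the file
 * being executed.  The interpreter vnode label and the requested exec
 * label are optional: each is asserted only when non-NULL, because the
 * assertion macros dereference their argument and a NULL pointer would
 * fault instead of reporting a bad label.  This is the same handling
 * mac_test_execve_will_transition() applies to the same two arguments.
 * The credentials themselves are not modified.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(&old->cr_label);
	ASSERT_CRED_LABEL(&new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}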
959 
/*
 * execve() transition query.
 *
 * Checks the old credential label and the executed file's label, plus
 * the interpreter vnode label and the requested exec label when they
 * are non-NULL.  Always returns 0.
 * NOTE(review): 0 presumably means this policy requests no label
 * transition on exec -- confirm against the framework's definition of
 * this hook.
 */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{
	ASSERT_CRED_LABEL(&old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	/* Optional labels: the assertion macros do not accept NULL. */
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}
977 
/* proc0 creation event: check the credential label's tag. */
static void
mac_test_create_proc0(struct ucred *cred)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
}
984 
/* proc1 creation event: check the credential label's tag. */
static void
mac_test_create_proc1(struct ucred *cred)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
}
991 
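/*
 * Credential relabel event: check the credential's current label and
 * the replacement label.
 *
 * Both are credential labels, so both are checked against CREDMAGIC,
 * as mac_test_check_cred_relabel() does for the same pair.  Checking
 * newlabel against the vnode tag instead would fail the assertion on a
 * correctly initialized credential label and would accept a vnode
 * label passed here by mistake.  No label is copied.
 */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}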
999 
/*
 * Return-to-userland hook: print the pid of the current thread's
 * process to the kernel console.  The pid is taken from curthread; the
 * td argument is not used.
 */
static void
mac_test_thread_userret(struct thread *td)
{
	const pid_t pid = curthread->td_proc->p_pid;

	printf("mac_test_thread_userret(process = %d)\n", pid);
}
1007 
1008 /*
1009  * Access control checks.
1010  */
/*
 * Access check for BPF receive: verify the descriptor and interface
 * label tags.  Always returns 0, so this policy never denies the
 * operation.
 */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{
	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}
1021 
/*
 * Access check for credential relabel: verify that both the current and
 * the requested label carry the credential tag.  Always returns 0, so
 * this policy never denies the operation.
 */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}
1031 
/*
 * Access check for credential visibility: verify the label tags of both
 * credentials.  Always returns 0, so this policy never hides one
 * credential from another.
 */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
	ASSERT_CRED_LABEL(&u1->cr_label);
	ASSERT_CRED_LABEL(&u2->cr_label);

	return (0);
}
1041 
/*
 * Access check for interface relabel: verify the credential label, the
 * interface's current label and the requested label.  Always returns 0,
 * so this policy never denies the operation.
 */
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);

	return (0);
}
1052 
/*
 * Access check for interface transmit: verify the interface and mbuf
 * label tags.  Always returns 0, so this policy never denies the
 * operation.
 */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}
1063 
/*
 * check_kenv_dump: runs the credential-label assertion on cred's label.
 * Always returns 0.
 */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{

	ASSERT_CRED_LABEL(&cred->cr_label);

	return (0);
}
1072 
/*
 * check_kenv_get: runs the credential-label assertion on cred's label.
 * The variable name is not examined.  Always returns 0.
 */
static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(&cred->cr_label);

	return (0);
}
1081 
/*
 * check_kenv_set: runs the credential-label assertion on cred's label.
 * The variable name and value are not examined.  Always returns 0.
 */
static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	ASSERT_CRED_LABEL(&cred->cr_label);

	return (0);
}
1090 
/*
 * check_kenv_unset: runs the credential-label assertion on cred's label.
 * The variable name is not examined.  Always returns 0.
 */
static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(&cred->cr_label);

	return (0);
}
1099 
/*
 * check_kld_load: runs the credential-label assertion on cred's label and
 * the vnode-label assertion on label.  vp itself is not examined.
 * Always returns 0.
 */
static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1110 
/*
 * check_kld_stat: runs the credential-label assertion on cred's label.
 * Always returns 0.
 */
static int
mac_test_check_kld_stat(struct ucred *cred)
{

	ASSERT_CRED_LABEL(&cred->cr_label);

	return (0);
}
1119 
/*
 * check_kld_unload: runs the credential-label assertion on cred's label.
 * Always returns 0.
 */
static int
mac_test_check_kld_unload(struct ucred *cred)
{

	ASSERT_CRED_LABEL(&cred->cr_label);

	return (0);
}
1128 
/*
 * check_mount_stat: runs the credential-label assertion on cred's label
 * and the mount-label assertion on mntlabel.  mp itself is not examined.
 * Always returns 0.
 */
static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);

	return (0);
}
1139 
/*
 * check_pipe_ioctl: runs the credential-label assertion on cred's label
 * and the pipe-label assertion on pipelabel.  pipe, cmd and data are not
 * examined.  Always returns 0.
 */
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}
1150 
/*
 * check_pipe_poll: runs the credential-label assertion on cred's label
 * and the pipe-label assertion on pipelabel.  pipe itself is not examined.
 * Always returns 0.
 */
static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}
1161 
/*
 * check_pipe_read: runs the credential-label assertion on cred's label
 * and the pipe-label assertion on pipelabel.  pipe itself is not examined.
 * Always returns 0.
 */
static int
mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}
1172 
/*
 * check_pipe_relabel: runs the credential-label assertion on cred's label
 * and the pipe-label assertion on both the pipe's current label and the
 * proposed newlabel.  pipe itself is not examined.  Always returns 0.
 */
static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);

	return (0);
}
1184 
/*
 * check_pipe_stat: runs the credential-label assertion on cred's label
 * and the pipe-label assertion on pipelabel.  pipe itself is not examined.
 * Always returns 0.
 */
static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}
1195 
/*
 * check_pipe_write: runs the credential-label assertion on cred's label
 * and the pipe-label assertion on pipelabel.  pipe itself is not examined.
 * Always returns 0.
 */
static int
mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}
1206 
/*
 * check_proc_debug: runs the credential-label assertion on cred's label
 * and on the label of the target process's credential (proc->p_ucred).
 * Always returns 0.
 */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_CRED_LABEL(&proc->p_ucred->cr_label);

	return (0);
}
1216 
/*
 * check_proc_sched: runs the credential-label assertion on cred's label
 * and on the label of the target process's credential (proc->p_ucred).
 * Always returns 0.
 */
static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_CRED_LABEL(&proc->p_ucred->cr_label);

	return (0);
}
1226 
/*
 * check_proc_signal: runs the credential-label assertion on cred's label
 * and on the label of the target process's credential (proc->p_ucred).
 * signum is not examined.  Always returns 0.
 */
static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_CRED_LABEL(&proc->p_ucred->cr_label);

	return (0);
}
1236 
/*
 * check_socket_bind: runs the credential-label assertion on cred's label
 * and the socket-label assertion on socketlabel.  socket and sockaddr are
 * not examined.  Always returns 0.
 */
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1247 
/*
 * check_socket_connect: runs the credential-label assertion on cred's
 * label and the socket-label assertion on socketlabel.  socket and
 * sockaddr are not examined.  Always returns 0.
 */
static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1258 
/*
 * check_socket_deliver: runs the socket-label assertion on socketlabel and
 * the mbuf-label assertion on mbuflabel.  socket and m are not examined.
 * Always returns 0.
 */
static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}
1269 
/*
 * check_socket_listen: runs the credential-label assertion on cred's label
 * and the socket-label assertion on socketlabel.  socket itself is not
 * examined.  Always returns 0.
 */
static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1280 
/*
 * check_socket_visible: runs the credential-label assertion on cred's
 * label and the socket-label assertion on socketlabel.  socket itself is
 * not examined.  Always returns 0.
 */
static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1291 
/*
 * check_socket_relabel: runs the credential-label assertion on cred's
 * label and the socket-label assertion on both the socket's current label
 * and the proposed newlabel.  socket itself is not examined.
 * Always returns 0.
 */
static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}
1303 
/*
 * check_sysarch_ioperm: runs the credential-label assertion on cred's
 * label.  Always returns 0.
 */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{

	ASSERT_CRED_LABEL(&cred->cr_label);

	return (0);
}
1312 
/*
 * check_system_acct: runs the credential-label assertion on cred's label.
 * vp and label are not examined.  Always returns 0.
 * NOTE(review): unlike the swapon/swapoff checks in this file, the vnode
 * label is not asserted here.  Whether vp/label may legitimately be NULL
 * for this hook is not visible in this part of the file -- confirm
 * against the caller before adding a label check.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(&cred->cr_label);

	return (0);
}
1322 
/*
 * check_system_reboot: runs the credential-label assertion on cred's
 * label.  The how argument is not examined.  Always returns 0.
 */
static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{

	ASSERT_CRED_LABEL(&cred->cr_label);

	return (0);
}
1331 
/*
 * check_system_settime: runs the credential-label assertion on cred's
 * label.  Always returns 0.
 */
static int
mac_test_check_system_settime(struct ucred *cred)
{

	ASSERT_CRED_LABEL(&cred->cr_label);

	return (0);
}
1340 
/*
 * check_system_swapon: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on label.  vp itself is not examined.
 * Always returns 0.
 */
static int
mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1351 
/*
 * check_system_swapoff: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on label.  vp itself is not
 * examined.  Always returns 0.
 */
static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1362 
/*
 * check_system_sysctl: runs the credential-label assertion on cred's
 * label.  None of the sysctl arguments (name, namelen, old, oldlenp,
 * inkernel, new, newlen) are examined.  Always returns 0.
 */
static int
mac_test_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
    void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
{

	ASSERT_CRED_LABEL(&cred->cr_label);

	return (0);
}
1372 
/*
 * check_vnode_access: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on label.  vp and acc_mode are not
 * examined.  Always returns 0.
 */
static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1383 
/*
 * check_vnode_chdir: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on the directory label dlabel.  dvp itself
 * is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}
1394 
/*
 * check_vnode_chroot: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on the directory label dlabel.  dvp itself
 * is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}
1405 
/*
 * check_vnode_create: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on the directory label dlabel.  dvp, cnp
 * and vap are not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}
1416 
/*
 * check_vnode_delete: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on both the directory label (dlabel) and
 * the target vnode's label.  dvp, vp and cnp are not examined.
 * Always returns 0.
 */
static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1429 
/*
 * check_vnode_deleteacl: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on label.  vp and type are not
 * examined.  Always returns 0.
 */
static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1440 
/*
 * check_vnode_deleteextattr: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on label.  vp, attrnamespace and
 * name are not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1451 
/*
 * check_vnode_exec: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on label.  execlabel is optional: it is
 * checked with the credential-label assertion only when it is non-NULL.
 * vp and imgp are not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}
1466 
/*
 * check_vnode_getacl: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on label.  vp and type are not examined.
 * Always returns 0.
 */
static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1477 
/*
 * check_vnode_getextattr: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on label.  vp, attrnamespace, name
 * and uio are not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1488 
/*
 * check_vnode_link: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on both the directory label (dlabel) and
 * the target vnode's label.  dvp, vp and cnp are not examined.
 * Always returns 0.
 */
static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1501 
/*
 * check_vnode_listextattr: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on label.  vp and attrnamespace are
 * not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1512 
/*
 * check_vnode_lookup: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on the directory label dlabel.  dvp and
 * cnp are not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}
1523 
/*
 * check_vnode_mmap: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on label.  vp and prot are not examined.
 * Always returns 0.
 */
static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1534 
/*
 * check_vnode_mprotect: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on label.  vp and prot are not
 * examined.  Always returns 0.
 */
static int
mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1545 
/*
 * check_vnode_open: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on filelabel.  vp and acc_mode are not
 * examined.  Always returns 0.
 */
static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	return (0);
}
1556 
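/*
 * check_vnode_poll: runs the credential-label assertion on active_cred's
 * label and the vnode-label assertion on label.  file_cred is treated as
 * optional, as in the read/stat/write checks in this file: its label is
 * asserted only when file_cred is non-NULL, so a NULL file credential is
 * never dereferenced.  vp itself is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(&active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(&file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}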
1568 
/*
 * check_vnode_read: runs the credential-label assertion on active_cred's
 * label and the vnode-label assertion on label.  file_cred is optional:
 * its label is asserted only when file_cred is non-NULL.  vp itself is
 * not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(&active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(&file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1582 
/*
 * check_vnode_readdir: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on the directory label dlabel.  dvp itself
 * is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}
1593 
/*
 * check_vnode_readlink: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on vnodelabel.  vp itself is not
 * examined.  Always returns 0.
 */
static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);

	return (0);
}
1604 
/*
 * check_vnode_relabel: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on both the vnode's current label and the
 * proposed newlabel.  vp itself is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);

	return (0);
}
1616 
/*
 * check_vnode_rename_from: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on both the directory label (dlabel)
 * and the vnode's label.  dvp, vp and cnp are not examined.
 * Always returns 0.
 */
static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1629 
/*
 * check_vnode_rename_to: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on the directory label dlabel.
 * The vnode label is asserted only when vp is non-NULL, so the code
 * tolerates a call with no vnode.  samedir and cnp are not examined.
 * Always returns 0.
 */
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	if (vp != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}
1645 
/*
 * check_vnode_revoke: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on label.  vp itself is not examined.
 * Always returns 0.
 */
static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1656 
/*
 * check_vnode_setacl: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on label.  vp, type and acl are not
 * examined.  Always returns 0.
 */
static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1667 
/*
 * check_vnode_setextattr: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on label.  vp, attrnamespace, name
 * and uio are not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1678 
/*
 * check_vnode_setflags: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on label.  vp and flags are not
 * examined.  Always returns 0.
 */
static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1689 
/*
 * check_vnode_setmode: runs the credential-label assertion on cred's label
 * and the vnode-label assertion on label.  vp and mode are not examined.
 * Always returns 0.
 */
static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1700 
/*
 * check_vnode_setowner: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on label.  vp, uid and gid are not
 * examined.  Always returns 0.
 */
static int
mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1711 
/*
 * check_vnode_setutimes: runs the credential-label assertion on cred's
 * label and the vnode-label assertion on label.  vp, atime and mtime are
 * not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{

	ASSERT_CRED_LABEL(&cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1722 
/*
 * check_vnode_stat: runs the credential-label assertion on active_cred's
 * label and the vnode-label assertion on label.  file_cred is optional:
 * its label is asserted only when file_cred is non-NULL.  vp itself is
 * not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(&active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(&file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1736 
/*
 * check_vnode_write: runs the credential-label assertion on active_cred's
 * label and the vnode-label assertion on label.  file_cred is optional:
 * its label is asserted only when file_cred is non-NULL.  vp itself is
 * not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(&active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(&file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1750 
/*
 * Policy operations vector for the test policy: binds each mpo_* entry
 * point named below to its mac_test_* handler.  All six externalize slots
 * share mac_test_externalize_label and all five internalize slots share
 * mac_test_internalize_label.  Any member of struct mac_policy_ops that is
 * not named here is left zero (NULL) by the designated initializer.
 *
 * Every mpo_check_* handler visible in this file returns 0 unconditionally,
 * so this vector performs label sanity checks only and does not restrict
 * any operation.
 */
static struct mac_policy_ops mac_test_ops =
{
	.mpo_destroy = mac_test_destroy,
	.mpo_init = mac_test_init,
	.mpo_syscall = mac_test_syscall,
	.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
	.mpo_init_cred_label = mac_test_init_cred_label,
	.mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
	.mpo_init_ifnet_label = mac_test_init_ifnet_label,
	.mpo_init_ipq_label = mac_test_init_ipq_label,
	.mpo_init_mbuf_label = mac_test_init_mbuf_label,
	.mpo_init_mount_label = mac_test_init_mount_label,
	.mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
	.mpo_init_pipe_label = mac_test_init_pipe_label,
	.mpo_init_proc_label = mac_test_init_proc_label,
	.mpo_init_socket_label = mac_test_init_socket_label,
	.mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
	.mpo_init_vnode_label = mac_test_init_vnode_label,
	.mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
	.mpo_destroy_cred_label = mac_test_destroy_cred_label,
	.mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
	.mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
	.mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
	.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
	.mpo_destroy_mount_label = mac_test_destroy_mount_label,
	.mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
	.mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
	.mpo_destroy_proc_label = mac_test_destroy_proc_label,
	.mpo_destroy_socket_label = mac_test_destroy_socket_label,
	.mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
	.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
	.mpo_externalize_cred_label = mac_test_externalize_label,
	.mpo_externalize_ifnet_label = mac_test_externalize_label,
	.mpo_externalize_pipe_label = mac_test_externalize_label,
	.mpo_externalize_socket_label = mac_test_externalize_label,
	.mpo_externalize_socket_peer_label = mac_test_externalize_label,
	.mpo_externalize_vnode_label = mac_test_externalize_label,
	.mpo_internalize_cred_label = mac_test_internalize_label,
	.mpo_internalize_ifnet_label = mac_test_internalize_label,
	.mpo_internalize_pipe_label = mac_test_internalize_label,
	.mpo_internalize_socket_label = mac_test_internalize_label,
	.mpo_internalize_vnode_label = mac_test_internalize_label,
	.mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
	.mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
	.mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
	.mpo_create_devfs_device = mac_test_create_devfs_device,
	.mpo_create_devfs_directory = mac_test_create_devfs_directory,
	.mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
	.mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
	.mpo_create_mount = mac_test_create_mount,
	.mpo_create_root_mount = mac_test_create_root_mount,
	.mpo_relabel_vnode = mac_test_relabel_vnode,
	.mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
	.mpo_update_devfsdirent = mac_test_update_devfsdirent,
	.mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
	.mpo_create_pipe = mac_test_create_pipe,
	.mpo_create_socket = mac_test_create_socket,
	.mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
	.mpo_relabel_pipe = mac_test_relabel_pipe,
	.mpo_relabel_socket = mac_test_relabel_socket,
	.mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
	.mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
	.mpo_create_bpfdesc = mac_test_create_bpfdesc,
	.mpo_create_ifnet = mac_test_create_ifnet,
	.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
	.mpo_create_fragment = mac_test_create_fragment,
	.mpo_create_ipq = mac_test_create_ipq,
	.mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
	.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
	.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
	.mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
	.mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
	.mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
	.mpo_fragment_match = mac_test_fragment_match,
	.mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
	.mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
	.mpo_relabel_ifnet = mac_test_relabel_ifnet,
	.mpo_update_ipq = mac_test_update_ipq,
	.mpo_create_cred = mac_test_create_cred,
	.mpo_execve_transition = mac_test_execve_transition,
	.mpo_execve_will_transition = mac_test_execve_will_transition,
	.mpo_create_proc0 = mac_test_create_proc0,
	.mpo_create_proc1 = mac_test_create_proc1,
	.mpo_relabel_cred = mac_test_relabel_cred,
	.mpo_thread_userret = mac_test_thread_userret,
	.mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
	.mpo_check_cred_relabel = mac_test_check_cred_relabel,
	.mpo_check_cred_visible = mac_test_check_cred_visible,
	.mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
	.mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
	.mpo_check_kenv_dump = mac_test_check_kenv_dump,
	.mpo_check_kenv_get = mac_test_check_kenv_get,
	.mpo_check_kenv_set = mac_test_check_kenv_set,
	.mpo_check_kenv_unset = mac_test_check_kenv_unset,
	.mpo_check_kld_load = mac_test_check_kld_load,
	.mpo_check_kld_stat = mac_test_check_kld_stat,
	.mpo_check_kld_unload = mac_test_check_kld_unload,
	.mpo_check_mount_stat = mac_test_check_mount_stat,
	.mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
	.mpo_check_pipe_poll = mac_test_check_pipe_poll,
	.mpo_check_pipe_read = mac_test_check_pipe_read,
	.mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
	.mpo_check_pipe_stat = mac_test_check_pipe_stat,
	.mpo_check_pipe_write = mac_test_check_pipe_write,
	.mpo_check_proc_debug = mac_test_check_proc_debug,
	.mpo_check_proc_sched = mac_test_check_proc_sched,
	.mpo_check_proc_signal = mac_test_check_proc_signal,
	.mpo_check_socket_bind = mac_test_check_socket_bind,
	.mpo_check_socket_connect = mac_test_check_socket_connect,
	.mpo_check_socket_deliver = mac_test_check_socket_deliver,
	.mpo_check_socket_listen = mac_test_check_socket_listen,
	.mpo_check_socket_relabel = mac_test_check_socket_relabel,
	.mpo_check_socket_visible = mac_test_check_socket_visible,
	.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
	.mpo_check_system_acct = mac_test_check_system_acct,
	.mpo_check_system_reboot = mac_test_check_system_reboot,
	.mpo_check_system_settime = mac_test_check_system_settime,
	.mpo_check_system_swapon = mac_test_check_system_swapon,
	.mpo_check_system_swapoff = mac_test_check_system_swapoff,
	.mpo_check_system_sysctl = mac_test_check_system_sysctl,
	.mpo_check_vnode_access = mac_test_check_vnode_access,
	.mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
	.mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
	.mpo_check_vnode_create = mac_test_check_vnode_create,
	.mpo_check_vnode_delete = mac_test_check_vnode_delete,
	.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = mac_test_check_vnode_exec,
	.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
	.mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
	.mpo_check_vnode_link = mac_test_check_vnode_link,
	.mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
	.mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
	.mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
	.mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect,
	.mpo_check_vnode_open = mac_test_check_vnode_open,
	.mpo_check_vnode_poll = mac_test_check_vnode_poll,
	.mpo_check_vnode_read = mac_test_check_vnode_read,
	.mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
	.mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
	.mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
	.mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
	.mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
	.mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
	.mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
	.mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
	.mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
	.mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
	.mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
	.mpo_check_vnode_stat = mac_test_check_vnode_stat,
	.mpo_check_vnode_write = mac_test_check_vnode_write,
};
1904 
/*
 * Declare the policy: operations vector mac_test_ops, short name mac_test,
 * full name "TrustedBSD MAC/Test".  Going by their names, the load-time
 * flags mark the policy as safe to unload and request labels on mbufs.
 * test_slot is passed by address -- presumably so the framework can store
 * the policy's label slot there; confirm against MAC_POLICY_SET's
 * definition.
 */
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
    MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);
1907