xref: /freebsd/sys/security/mac_test/mac_test.c (revision 78007886c995898a9494648343e5236bca1cbba3)
1 /*-
2  * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
3  * Copyright (c) 2001-2005 McAfee, Inc.
4  * All rights reserved.
5  *
6  * This software was developed by Robert Watson for the TrustedBSD Project.
7  *
8  * This software was developed for the FreeBSD Project in part by McAfee
9  * Research, the Security Research Division of McAfee, Inc. under
10  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11  * CHATS research program.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1. Redistributions of source code must retain the above copyright
17  *    notice, this list of conditions and the following disclaimer.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  *
34  * $FreeBSD$
35  */
36 
37 /*
38  * Developed by the TrustedBSD Project.
39  *
40  * MAC Test policy - tests MAC Framework labeling by assigning object class
41  * magic numbers to each label and validates that each time an object label
42  * is passed into the policy, it has a consistent object type, catching
43  * incorrectly passed labels, labels passed after free, etc.
44  */
45 
46 #include <sys/param.h>
47 #include <sys/acl.h>
48 #include <sys/kdb.h>
49 #include <sys/kernel.h>
50 #include <sys/ksem.h>
51 #include <sys/malloc.h>
52 #include <sys/module.h>
53 #include <sys/mount.h>
54 #include <sys/msg.h>
55 #include <sys/proc.h>
56 #include <sys/vnode.h>
57 #include <sys/sem.h>
58 #include <sys/shm.h>
59 #include <sys/socket.h>
60 #include <sys/socketvar.h>
61 #include <sys/sx.h>
62 #include <sys/sysctl.h>
63 
64 #include <fs/devfs/devfs.h>
65 
66 #include <net/bpfdesc.h>
67 #include <net/if.h>
68 #include <net/if_types.h>
69 #include <net/if_var.h>
70 
71 #include <security/mac/mac_policy.h>
72 
73 SYSCTL_DECL(_security_mac);
74 
75 SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
76     "TrustedBSD mac_test policy controls");
77 
78 #define	MAGIC_BPF	0xfe1ad1b6
79 #define	MAGIC_DEVFS	0x9ee79c32
80 #define	MAGIC_IFNET	0xc218b120
81 #define	MAGIC_INPCB	0x4440f7bb
82 #define	MAGIC_IPQ	0x206188ef
83 #define	MAGIC_MBUF	0xbbefa5bb
84 #define	MAGIC_MOUNT	0xc7c46e47
85 #define	MAGIC_SOCKET	0x9199c6cd
86 #define	MAGIC_SYSV_MSG	0x8bbba61e
87 #define	MAGIC_SYSV_MSQ	0xea672391
88 #define	MAGIC_SYSV_SEM	0x896e8a0b
89 #define	MAGIC_SYSV_SHM	0x76119ab0
90 #define	MAGIC_PIPE	0xdc6c9919
91 #define	MAGIC_POSIX_SEM	0x78ae980c
92 #define	MAGIC_PROC	0x3b4be98f
93 #define	MAGIC_CRED	0x9a5a4987
94 #define	MAGIC_VNODE	0x1a67a45c
95 #define	MAGIC_FREE	0x849ba1fd
96 
97 #define	SLOT(x)	mac_label_get((x), test_slot)
98 #define	SLOT_SET(x, v)	mac_label_set((x), test_slot, (v))
99 
100 static int	test_slot;
101 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
102     &test_slot, 0, "Slot allocated by framework");
103 
104 SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0,
105     "TrustedBSD mac_test counters controls");
106 
107 #define	COUNTER_DECL(variable)						\
108 	static int counter_##variable;					\
109 	SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable,	\
110 	CTLFLAG_RD, &counter_##variable, 0, #variable)
111 
112 #define	COUNTER_INC(variable)	atomic_add_int(&counter_##variable, 1)
113 
114 #ifdef KDB
115 #define	DEBUGGER(func, string)	kdb_enter((string))
116 #else
117 #define	DEBUGGER(func, string)	printf("mac_test: %s: %s\n", (func), (string))
118 #endif
119 
120 #define	LABEL_CHECK(label, magic) do {					\
121 	if (label != NULL) {						\
122 		KASSERT(SLOT(label) == magic ||	SLOT(label) == 0,	\
123 		    ("%s: bad %s label", __func__, #magic));		\
124 	}								\
125 } while (0)
126 
127 #define	LABEL_DESTROY(label, magic) do {				\
128 	if (SLOT(label) == magic || SLOT(label) == 0) {			\
129 		SLOT_SET(label, MAGIC_FREE);				\
130 	} else if (SLOT(label) == MAGIC_FREE) {				\
131 		DEBUGGER("%s: dup destroy", __func__);			\
132 	} else {							\
133 		DEBUGGER("%s: corrupted label", __func__);		\
134 	}								\
135 } while (0)
136 
137 #define	LABEL_INIT(label, magic) do {					\
138 	SLOT_SET(label, magic);						\
139 } while (0)
140 
141 #define	LABEL_NOTFREE(label) do {					\
142 	KASSERT(SLOT(label) != MAGIC_FREE,				\
143 	    ("%s: destroyed label", __func__));				\
144 } while (0)
145 
146 /*
147  * Label operations.
148  */
149 COUNTER_DECL(init_bpfdesc_label);
150 static void
151 mac_test_init_bpfdesc_label(struct label *label)
152 {
153 
154 	LABEL_INIT(label, MAGIC_BPF);
155 	COUNTER_INC(init_bpfdesc_label);
156 }
157 
158 COUNTER_DECL(init_cred_label);
159 static void
160 mac_test_init_cred_label(struct label *label)
161 {
162 
163 	LABEL_INIT(label, MAGIC_CRED);
164 	COUNTER_INC(init_cred_label);
165 }
166 
167 COUNTER_DECL(init_devfsdirent_label);
168 static void
169 mac_test_init_devfsdirent_label(struct label *label)
170 {
171 
172 	LABEL_INIT(label, MAGIC_DEVFS);
173 	COUNTER_INC(init_devfsdirent_label);
174 }
175 
176 COUNTER_DECL(init_ifnet_label);
177 static void
178 mac_test_init_ifnet_label(struct label *label)
179 {
180 
181 	LABEL_INIT(label, MAGIC_IFNET);
182 	COUNTER_INC(init_ifnet_label);
183 }
184 
185 COUNTER_DECL(init_inpcb_label);
186 static int
187 mac_test_init_inpcb_label(struct label *label, int flag)
188 {
189 
190 	if (flag & M_WAITOK)
191 		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
192 		    "mac_test_init_inpcb_label() at %s:%d", __FILE__,
193 		    __LINE__);
194 
195 	LABEL_INIT(label, MAGIC_INPCB);
196 	COUNTER_INC(init_inpcb_label);
197 	return (0);
198 }
199 
200 COUNTER_DECL(init_sysv_msg_label);
201 static void
202 mac_test_init_sysv_msgmsg_label(struct label *label)
203 {
204 	LABEL_INIT(label, MAGIC_SYSV_MSG);
205 	COUNTER_INC(init_sysv_msg_label);
206 }
207 
208 COUNTER_DECL(init_sysv_msq_label);
209 static void
210 mac_test_init_sysv_msgqueue_label(struct label *label)
211 {
212 	LABEL_INIT(label, MAGIC_SYSV_MSQ);
213 	COUNTER_INC(init_sysv_msq_label);
214 }
215 
216 COUNTER_DECL(init_sysv_sem_label);
217 static void
218 mac_test_init_sysv_sem_label(struct label *label)
219 {
220 	LABEL_INIT(label, MAGIC_SYSV_SEM);
221 	COUNTER_INC(init_sysv_sem_label);
222 }
223 
224 COUNTER_DECL(init_sysv_shm_label);
225 static void
226 mac_test_init_sysv_shm_label(struct label *label)
227 {
228 	LABEL_INIT(label, MAGIC_SYSV_SHM);
229 	COUNTER_INC(init_sysv_shm_label);
230 }
231 
232 COUNTER_DECL(init_ipq_label);
233 static int
234 mac_test_init_ipq_label(struct label *label, int flag)
235 {
236 
237 	if (flag & M_WAITOK)
238 		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
239 		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
240 		    __LINE__);
241 
242 	LABEL_INIT(label, MAGIC_IPQ);
243 	COUNTER_INC(init_ipq_label);
244 	return (0);
245 }
246 
247 COUNTER_DECL(init_mbuf_label);
248 static int
249 mac_test_init_mbuf_label(struct label *label, int flag)
250 {
251 
252 	if (flag & M_WAITOK)
253 		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
254 		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
255 		    __LINE__);
256 
257 	LABEL_INIT(label, MAGIC_MBUF);
258 	COUNTER_INC(init_mbuf_label);
259 	return (0);
260 }
261 
262 COUNTER_DECL(init_mount_label);
263 static void
264 mac_test_init_mount_label(struct label *label)
265 {
266 
267 	LABEL_INIT(label, MAGIC_MOUNT);
268 	COUNTER_INC(init_mount_label);
269 }
270 
271 COUNTER_DECL(init_socket_label);
272 static int
273 mac_test_init_socket_label(struct label *label, int flag)
274 {
275 
276 	if (flag & M_WAITOK)
277 		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
278 		    "mac_test_init_socket_label() at %s:%d", __FILE__,
279 		    __LINE__);
280 
281 	LABEL_INIT(label, MAGIC_SOCKET);
282 	COUNTER_INC(init_socket_label);
283 	return (0);
284 }
285 
286 COUNTER_DECL(init_socket_peer_label);
287 static int
288 mac_test_init_socket_peer_label(struct label *label, int flag)
289 {
290 
291 	if (flag & M_WAITOK)
292 		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
293 		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
294 		    __LINE__);
295 
296 	LABEL_INIT(label, MAGIC_SOCKET);
297 	COUNTER_INC(init_socket_peer_label);
298 	return (0);
299 }
300 
301 COUNTER_DECL(init_pipe_label);
302 static void
303 mac_test_init_pipe_label(struct label *label)
304 {
305 
306 	LABEL_INIT(label, MAGIC_PIPE);
307 	COUNTER_INC(init_pipe_label);
308 }
309 
310 COUNTER_DECL(init_posix_sem_label);
311 static void
312 mac_test_init_posix_sem_label(struct label *label)
313 {
314 
315 	LABEL_INIT(label, MAGIC_POSIX_SEM);
316 	COUNTER_INC(init_posix_sem_label);
317 }
318 
319 COUNTER_DECL(init_proc_label);
320 static void
321 mac_test_init_proc_label(struct label *label)
322 {
323 
324 	LABEL_INIT(label, MAGIC_PROC);
325 	COUNTER_INC(init_proc_label);
326 }
327 
328 COUNTER_DECL(init_vnode_label);
329 static void
330 mac_test_init_vnode_label(struct label *label)
331 {
332 
333 	LABEL_INIT(label, MAGIC_VNODE);
334 	COUNTER_INC(init_vnode_label);
335 }
336 
337 COUNTER_DECL(destroy_bpfdesc_label);
338 static void
339 mac_test_destroy_bpfdesc_label(struct label *label)
340 {
341 
342 	LABEL_DESTROY(label, MAGIC_BPF);
343 	COUNTER_INC(destroy_bpfdesc_label);
344 }
345 
346 COUNTER_DECL(destroy_cred_label);
347 static void
348 mac_test_destroy_cred_label(struct label *label)
349 {
350 
351 	LABEL_DESTROY(label, MAGIC_CRED);
352 	COUNTER_INC(destroy_cred_label);
353 }
354 
355 COUNTER_DECL(destroy_devfsdirent_label);
356 static void
357 mac_test_destroy_devfsdirent_label(struct label *label)
358 {
359 
360 	LABEL_DESTROY(label, MAGIC_DEVFS);
361 	COUNTER_INC(destroy_devfsdirent_label);
362 }
363 
364 COUNTER_DECL(destroy_ifnet_label);
365 static void
366 mac_test_destroy_ifnet_label(struct label *label)
367 {
368 
369 	LABEL_DESTROY(label, MAGIC_IFNET);
370 	COUNTER_INC(destroy_ifnet_label);
371 }
372 
373 COUNTER_DECL(destroy_inpcb_label);
374 static void
375 mac_test_destroy_inpcb_label(struct label *label)
376 {
377 
378 	LABEL_DESTROY(label, MAGIC_INPCB);
379 	COUNTER_INC(destroy_inpcb_label);
380 }
381 
382 COUNTER_DECL(destroy_sysv_msg_label);
383 static void
384 mac_test_destroy_sysv_msgmsg_label(struct label *label)
385 {
386 
387 	LABEL_DESTROY(label, MAGIC_SYSV_MSG);
388 	COUNTER_INC(destroy_sysv_msg_label);
389 }
390 
391 COUNTER_DECL(destroy_sysv_msq_label);
392 static void
393 mac_test_destroy_sysv_msgqueue_label(struct label *label)
394 {
395 
396 	LABEL_DESTROY(label, MAGIC_SYSV_MSQ);
397 	COUNTER_INC(destroy_sysv_msq_label);
398 }
399 
400 COUNTER_DECL(destroy_sysv_sem_label);
401 static void
402 mac_test_destroy_sysv_sem_label(struct label *label)
403 {
404 
405 	LABEL_DESTROY(label, MAGIC_SYSV_SEM);
406 	COUNTER_INC(destroy_sysv_sem_label);
407 }
408 
409 COUNTER_DECL(destroy_sysv_shm_label);
410 static void
411 mac_test_destroy_sysv_shm_label(struct label *label)
412 {
413 
414 	LABEL_DESTROY(label, MAGIC_SYSV_SHM);
415 	COUNTER_INC(destroy_sysv_shm_label);
416 }
417 
418 COUNTER_DECL(destroy_ipq_label);
419 static void
420 mac_test_destroy_ipq_label(struct label *label)
421 {
422 
423 	LABEL_DESTROY(label, MAGIC_IPQ);
424 	COUNTER_INC(destroy_ipq_label);
425 }
426 
427 COUNTER_DECL(destroy_mbuf_label);
428 static void
429 mac_test_destroy_mbuf_label(struct label *label)
430 {
431 
432 	/*
433 	 * If we're loaded dynamically, there may be mbufs in flight that
434 	 * didn't have label storage allocated for them.  Handle this
435 	 * gracefully.
436 	 */
437 	if (label == NULL)
438 		return;
439 
440 	LABEL_DESTROY(label, MAGIC_MBUF);
441 	COUNTER_INC(destroy_mbuf_label);
442 }
443 
444 COUNTER_DECL(destroy_mount_label);
445 static void
446 mac_test_destroy_mount_label(struct label *label)
447 {
448 
449 	LABEL_DESTROY(label, MAGIC_MOUNT);
450 	COUNTER_INC(destroy_mount_label);
451 }
452 
453 COUNTER_DECL(destroy_socket_label);
454 static void
455 mac_test_destroy_socket_label(struct label *label)
456 {
457 
458 	LABEL_DESTROY(label, MAGIC_SOCKET);
459 	COUNTER_INC(destroy_socket_label);
460 }
461 
462 COUNTER_DECL(destroy_socket_peer_label);
463 static void
464 mac_test_destroy_socket_peer_label(struct label *label)
465 {
466 
467 	LABEL_DESTROY(label, MAGIC_SOCKET);
468 	COUNTER_INC(destroy_socket_peer_label);
469 }
470 
471 COUNTER_DECL(destroy_pipe_label);
472 static void
473 mac_test_destroy_pipe_label(struct label *label)
474 {
475 
476 	LABEL_DESTROY(label, MAGIC_PIPE);
477 	COUNTER_INC(destroy_pipe_label);
478 }
479 
480 COUNTER_DECL(destroy_posix_sem_label);
481 static void
482 mac_test_destroy_posix_sem_label(struct label *label)
483 {
484 
485 	LABEL_DESTROY(label, MAGIC_POSIX_SEM);
486 	COUNTER_INC(destroy_posix_sem_label);
487 }
488 
489 COUNTER_DECL(destroy_proc_label);
490 static void
491 mac_test_destroy_proc_label(struct label *label)
492 {
493 
494 	LABEL_DESTROY(label, MAGIC_PROC);
495 	COUNTER_INC(destroy_proc_label);
496 }
497 
498 COUNTER_DECL(destroy_vnode_label);
499 static void
500 mac_test_destroy_vnode_label(struct label *label)
501 {
502 
503 	LABEL_DESTROY(label, MAGIC_VNODE);
504 	COUNTER_INC(destroy_vnode_label);
505 }
506 
507 COUNTER_DECL(copy_cred_label);
508 static void
509 mac_test_copy_cred_label(struct label *src, struct label *dest)
510 {
511 
512 	LABEL_CHECK(src, MAGIC_CRED);
513 	LABEL_CHECK(dest, MAGIC_CRED);
514 	COUNTER_INC(copy_cred_label);
515 }
516 
517 COUNTER_DECL(copy_ifnet_label);
518 static void
519 mac_test_copy_ifnet_label(struct label *src, struct label *dest)
520 {
521 
522 	LABEL_CHECK(src, MAGIC_IFNET);
523 	LABEL_CHECK(dest, MAGIC_IFNET);
524 	COUNTER_INC(copy_ifnet_label);
525 }
526 
527 COUNTER_DECL(copy_mbuf_label);
528 static void
529 mac_test_copy_mbuf_label(struct label *src, struct label *dest)
530 {
531 
532 	LABEL_CHECK(src, MAGIC_MBUF);
533 	LABEL_CHECK(dest, MAGIC_MBUF);
534 	COUNTER_INC(copy_mbuf_label);
535 }
536 
537 COUNTER_DECL(copy_pipe_label);
538 static void
539 mac_test_copy_pipe_label(struct label *src, struct label *dest)
540 {
541 
542 	LABEL_CHECK(src, MAGIC_PIPE);
543 	LABEL_CHECK(dest, MAGIC_PIPE);
544 	COUNTER_INC(copy_pipe_label);
545 }
546 
547 COUNTER_DECL(copy_socket_label);
548 static void
549 mac_test_copy_socket_label(struct label *src, struct label *dest)
550 {
551 
552 	LABEL_CHECK(src, MAGIC_SOCKET);
553 	LABEL_CHECK(dest, MAGIC_SOCKET);
554 	COUNTER_INC(copy_socket_label);
555 }
556 
557 COUNTER_DECL(copy_vnode_label);
558 static void
559 mac_test_copy_vnode_label(struct label *src, struct label *dest)
560 {
561 
562 	LABEL_CHECK(src, MAGIC_VNODE);
563 	LABEL_CHECK(dest, MAGIC_VNODE);
564 	COUNTER_INC(copy_vnode_label);
565 }
566 
567 COUNTER_DECL(externalize_label);
568 static int
569 mac_test_externalize_label(struct label *label, char *element_name,
570     struct sbuf *sb, int *claimed)
571 {
572 
573 	LABEL_NOTFREE(label);
574 	COUNTER_INC(externalize_label);
575 
576 	return (0);
577 }
578 
579 COUNTER_DECL(internalize_label);
580 static int
581 mac_test_internalize_label(struct label *label, char *element_name,
582     char *element_data, int *claimed)
583 {
584 
585 	LABEL_NOTFREE(label);
586 	COUNTER_INC(internalize_label);
587 
588 	return (0);
589 }
590 
591 /*
592  * Labeling event operations: file system objects, and things that look
593  * a lot like file system objects.
594  */
595 COUNTER_DECL(associate_vnode_devfs);
596 static void
597 mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
598     struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
599     struct label *vplabel)
600 {
601 
602 	LABEL_CHECK(mplabel, MAGIC_MOUNT);
603 	LABEL_CHECK(delabel, MAGIC_DEVFS);
604 	LABEL_CHECK(vplabel, MAGIC_VNODE);
605 	COUNTER_INC(associate_vnode_devfs);
606 }
607 
608 COUNTER_DECL(associate_vnode_extattr);
609 static int
610 mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
611     struct vnode *vp, struct label *vplabel)
612 {
613 
614 	LABEL_CHECK(mplabel, MAGIC_MOUNT);
615 	LABEL_CHECK(vplabel, MAGIC_VNODE);
616 	COUNTER_INC(associate_vnode_extattr);
617 
618 	return (0);
619 }
620 
621 COUNTER_DECL(associate_vnode_singlelabel);
622 static void
623 mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel,
624     struct vnode *vp, struct label *vplabel)
625 {
626 
627 	LABEL_CHECK(mplabel, MAGIC_MOUNT);
628 	LABEL_CHECK(vplabel, MAGIC_VNODE);
629 	COUNTER_INC(associate_vnode_singlelabel);
630 }
631 
632 COUNTER_DECL(create_devfs_device);
633 static void
634 mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
635     struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
636 {
637 
638 	if (cred != NULL)
639 		LABEL_CHECK(cred->cr_label, MAGIC_CRED);
640 	LABEL_CHECK(delabel, MAGIC_DEVFS);
641 	COUNTER_INC(create_devfs_device);
642 }
643 
644 COUNTER_DECL(create_devfs_directory);
645 static void
646 mac_test_create_devfs_directory(struct mount *mp, char *dirname,
647     int dirnamelen, struct devfs_dirent *de, struct label *delabel)
648 {
649 
650 	LABEL_CHECK(delabel, MAGIC_DEVFS);
651 	COUNTER_INC(create_devfs_directory);
652 }
653 
654 COUNTER_DECL(create_devfs_symlink);
655 static void
656 mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
657     struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
658     struct label *delabel)
659 {
660 
661 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
662 	LABEL_CHECK(ddlabel, MAGIC_DEVFS);
663 	LABEL_CHECK(delabel, MAGIC_DEVFS);
664 	COUNTER_INC(create_devfs_symlink);
665 }
666 
667 COUNTER_DECL(create_vnode_extattr);
668 static int
669 mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
670     struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
671     struct vnode *vp, struct label *vplabel, struct componentname *cnp)
672 {
673 
674 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
675 	LABEL_CHECK(mplabel, MAGIC_MOUNT);
676 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
677 	COUNTER_INC(create_vnode_extattr);
678 
679 	return (0);
680 }
681 
682 COUNTER_DECL(create_mount);
683 static void
684 mac_test_create_mount(struct ucred *cred, struct mount *mp,
685     struct label *mplabel)
686 {
687 
688 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
689 	LABEL_CHECK(mplabel, MAGIC_MOUNT);
690 	COUNTER_INC(create_mount);
691 }
692 
693 COUNTER_DECL(relabel_vnode);
694 static void
695 mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
696     struct label *vplabel, struct label *label)
697 {
698 
699 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
700 	LABEL_CHECK(vplabel, MAGIC_VNODE);
701 	LABEL_CHECK(label, MAGIC_VNODE);
702 	COUNTER_INC(relabel_vnode);
703 }
704 
705 COUNTER_DECL(setlabel_vnode_extattr);
706 static int
707 mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
708     struct label *vplabel, struct label *intlabel)
709 {
710 
711 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
712 	LABEL_CHECK(vplabel, MAGIC_VNODE);
713 	LABEL_CHECK(intlabel, MAGIC_VNODE);
714 	COUNTER_INC(setlabel_vnode_extattr);
715 
716 	return (0);
717 }
718 
719 COUNTER_DECL(update_devfsdirent);
720 static void
721 mac_test_update_devfsdirent(struct mount *mp,
722     struct devfs_dirent *devfs_dirent, struct label *direntlabel,
723     struct vnode *vp, struct label *vplabel)
724 {
725 
726 	LABEL_CHECK(direntlabel, MAGIC_DEVFS);
727 	LABEL_CHECK(vplabel, MAGIC_VNODE);
728 	COUNTER_INC(update_devfsdirent);
729 }
730 
731 /*
732  * Labeling event operations: IPC object.
733  */
734 COUNTER_DECL(create_mbuf_from_socket);
735 static void
736 mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
737     struct mbuf *m, struct label *mbuflabel)
738 {
739 
740 	LABEL_CHECK(socketlabel, MAGIC_SOCKET);
741 	LABEL_CHECK(mbuflabel, MAGIC_MBUF);
742 	COUNTER_INC(create_mbuf_from_socket);
743 }
744 
745 COUNTER_DECL(create_socket);
746 static void
747 mac_test_create_socket(struct ucred *cred, struct socket *socket,
748    struct label *socketlabel)
749 {
750 
751 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
752 	LABEL_CHECK(socketlabel, MAGIC_SOCKET);
753 	COUNTER_INC(create_socket);
754 }
755 
756 COUNTER_DECL(create_pipe);
757 static void
758 mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
759    struct label *pipelabel)
760 {
761 
762 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
763 	LABEL_CHECK(pipelabel, MAGIC_PIPE);
764 	COUNTER_INC(create_pipe);
765 }
766 
767 COUNTER_DECL(create_posix_sem);
768 static void
769 mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem,
770    struct label *posixlabel)
771 {
772 
773 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
774 	LABEL_CHECK(posixlabel, MAGIC_POSIX_SEM);
775 	COUNTER_INC(create_posix_sem);
776 }
777 
778 COUNTER_DECL(create_socket_from_socket);
779 static void
780 mac_test_create_socket_from_socket(struct socket *oldsocket,
781     struct label *oldsocketlabel, struct socket *newsocket,
782     struct label *newsocketlabel)
783 {
784 
785 	LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
786 	LABEL_CHECK(newsocketlabel, MAGIC_SOCKET);
787 	COUNTER_INC(create_socket_from_socket);
788 }
789 
790 COUNTER_DECL(relabel_socket);
791 static void
792 mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
793     struct label *socketlabel, struct label *newlabel)
794 {
795 
796 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
797 	LABEL_CHECK(newlabel, MAGIC_SOCKET);
798 	COUNTER_INC(relabel_socket);
799 }
800 
801 COUNTER_DECL(relabel_pipe);
802 static void
803 mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
804     struct label *pipelabel, struct label *newlabel)
805 {
806 
807 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
808 	LABEL_CHECK(pipelabel, MAGIC_PIPE);
809 	LABEL_CHECK(newlabel, MAGIC_PIPE);
810 	COUNTER_INC(relabel_pipe);
811 }
812 
813 COUNTER_DECL(set_socket_peer_from_mbuf);
814 static void
815 mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
816     struct socket *socket, struct label *socketpeerlabel)
817 {
818 
819 	LABEL_CHECK(mbuflabel, MAGIC_MBUF);
820 	LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET);
821 	COUNTER_INC(set_socket_peer_from_mbuf);
822 }
823 
824 /*
825  * Labeling event operations: network objects.
826  */
827 COUNTER_DECL(set_socket_peer_from_socket);
828 static void
829 mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
830     struct label *oldsocketlabel, struct socket *newsocket,
831     struct label *newsocketpeerlabel)
832 {
833 
834 	LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
835 	LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET);
836 	COUNTER_INC(set_socket_peer_from_socket);
837 }
838 
839 COUNTER_DECL(create_bpfdesc);
840 static void
841 mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
842     struct label *bpflabel)
843 {
844 
845 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
846 	LABEL_CHECK(bpflabel, MAGIC_BPF);
847 	COUNTER_INC(create_bpfdesc);
848 }
849 
850 COUNTER_DECL(create_datagram_from_ipq);
851 static void
852 mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
853     struct mbuf *datagram, struct label *datagramlabel)
854 {
855 
856 	LABEL_CHECK(ipqlabel, MAGIC_IPQ);
857 	LABEL_CHECK(datagramlabel, MAGIC_MBUF);
858 	COUNTER_INC(create_datagram_from_ipq);
859 }
860 
861 COUNTER_DECL(create_fragment);
862 static void
863 mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
864     struct mbuf *fragment, struct label *fragmentlabel)
865 {
866 
867 	LABEL_CHECK(datagramlabel, MAGIC_MBUF);
868 	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
869 	COUNTER_INC(create_fragment);
870 }
871 
872 COUNTER_DECL(create_ifnet);
873 static void
874 mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
875 {
876 
877 	LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
878 	COUNTER_INC(create_ifnet);
879 }
880 
881 COUNTER_DECL(create_inpcb_from_socket);
882 static void
883 mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
884     struct inpcb *inp, struct label *inplabel)
885 {
886 
887 	LABEL_CHECK(solabel, MAGIC_SOCKET);
888 	LABEL_CHECK(inplabel, MAGIC_INPCB);
889 	COUNTER_INC(create_inpcb_from_socket);
890 }
891 
892 COUNTER_DECL(create_sysv_msgmsg);
893 static void
894 mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
895     struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
896 {
897 
898 	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
899 	LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
900 	COUNTER_INC(create_sysv_msgmsg);
901 }
902 
903 COUNTER_DECL(create_sysv_msgqueue);
904 static void
905 mac_test_create_sysv_msgqueue(struct ucred *cred,
906     struct msqid_kernel *msqkptr, struct label *msqlabel)
907 {
908 
909 	LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
910 	COUNTER_INC(create_sysv_msgqueue);
911 }
912 
913 COUNTER_DECL(create_sysv_sem);
914 static void
915 mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
916     struct label *semalabel)
917 {
918 
919 	LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
920 	COUNTER_INC(create_sysv_sem);
921 }
922 
923 COUNTER_DECL(create_sysv_shm);
924 static void
925 mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
926     struct label *shmlabel)
927 {
928 
929 	LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
930 	COUNTER_INC(create_sysv_shm);
931 }
932 
933 COUNTER_DECL(create_ipq);
934 static void
935 mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
936     struct ipq *ipq, struct label *ipqlabel)
937 {
938 
939 	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
940 	LABEL_CHECK(ipqlabel, MAGIC_IPQ);
941 	COUNTER_INC(create_ipq);
942 }
943 
944 COUNTER_DECL(create_mbuf_from_inpcb);
945 static void
946 mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
947     struct mbuf *m, struct label *mlabel)
948 {
949 
950 	LABEL_CHECK(inplabel, MAGIC_INPCB);
951 	LABEL_CHECK(mlabel, MAGIC_MBUF);
952 	COUNTER_INC(create_mbuf_from_inpcb);
953 }
954 
955 COUNTER_DECL(create_mbuf_linklayer);
956 static void
957 mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
958     struct mbuf *mbuf, struct label *mbuflabel)
959 {
960 
961 	LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
962 	LABEL_CHECK(mbuflabel, MAGIC_MBUF);
963 	COUNTER_INC(create_mbuf_linklayer);
964 }
965 
966 COUNTER_DECL(create_mbuf_from_bpfdesc);
967 static void
968 mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
969     struct mbuf *mbuf, struct label *mbuflabel)
970 {
971 
972 	LABEL_CHECK(bpflabel, MAGIC_BPF);
973 	LABEL_CHECK(mbuflabel, MAGIC_MBUF);
974 	COUNTER_INC(create_mbuf_from_bpfdesc);
975 }
976 
977 COUNTER_DECL(create_mbuf_from_ifnet);
978 static void
979 mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
980     struct mbuf *m, struct label *mbuflabel)
981 {
982 
983 	LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
984 	LABEL_CHECK(mbuflabel, MAGIC_MBUF);
985 	COUNTER_INC(create_mbuf_from_ifnet);
986 }
987 
988 COUNTER_DECL(create_mbuf_multicast_encap);
989 static void
990 mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
991     struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
992     struct mbuf *newmbuf, struct label *newmbuflabel)
993 {
994 
995 	LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
996 	LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
997 	LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
998 	COUNTER_INC(create_mbuf_multicast_encap);
999 }
1000 
1001 COUNTER_DECL(create_mbuf_netlayer);
1002 static void
1003 mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
1004     struct label *oldmbuflabel, struct mbuf *newmbuf,
1005     struct label *newmbuflabel)
1006 {
1007 
1008 	LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
1009 	LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
1010 	COUNTER_INC(create_mbuf_netlayer);
1011 }
1012 
1013 COUNTER_DECL(fragment_match);
1014 static int
1015 mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
1016     struct ipq *ipq, struct label *ipqlabel)
1017 {
1018 
1019 	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
1020 	LABEL_CHECK(ipqlabel, MAGIC_IPQ);
1021 	COUNTER_INC(fragment_match);
1022 
1023 	return (1);
1024 }
1025 
1026 COUNTER_DECL(reflect_mbuf_icmp);
1027 static void
1028 mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
1029 {
1030 
1031 	LABEL_CHECK(mlabel, MAGIC_MBUF);
1032 	COUNTER_INC(reflect_mbuf_icmp);
1033 }
1034 
1035 COUNTER_DECL(reflect_mbuf_tcp);
1036 static void
1037 mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
1038 {
1039 
1040 	LABEL_CHECK(mlabel, MAGIC_MBUF);
1041 	COUNTER_INC(reflect_mbuf_tcp);
1042 }
1043 
1044 COUNTER_DECL(relabel_ifnet);
1045 static void
1046 mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1047     struct label *ifnetlabel, struct label *newlabel)
1048 {
1049 
1050 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1051 	LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1052 	LABEL_CHECK(newlabel, MAGIC_IFNET);
1053 	COUNTER_INC(relabel_ifnet);
1054 }
1055 
1056 COUNTER_DECL(update_ipq);
1057 static void
1058 mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1059     struct ipq *ipq, struct label *ipqlabel)
1060 {
1061 
1062 	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
1063 	LABEL_CHECK(ipqlabel, MAGIC_IPQ);
1064 	COUNTER_INC(update_ipq);
1065 }
1066 
1067 COUNTER_DECL(inpcb_sosetlabel);
1068 static void
1069 mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1070     struct inpcb *inp, struct label *inplabel)
1071 {
1072 
1073 	LABEL_CHECK(solabel, MAGIC_SOCKET);
1074 	LABEL_CHECK(inplabel, MAGIC_INPCB);
1075 	COUNTER_INC(inpcb_sosetlabel);
1076 }
1077 
1078 /*
1079  * Labeling event operations: processes.
1080  */
1081 COUNTER_DECL(execve_transition);
1082 static void
1083 mac_test_execve_transition(struct ucred *old, struct ucred *new,
1084     struct vnode *vp, struct label *filelabel,
1085     struct label *interpvplabel, struct image_params *imgp,
1086     struct label *execlabel)
1087 {
1088 
1089 	LABEL_CHECK(old->cr_label, MAGIC_CRED);
1090 	LABEL_CHECK(new->cr_label, MAGIC_CRED);
1091 	LABEL_CHECK(filelabel, MAGIC_VNODE);
1092 	LABEL_CHECK(interpvplabel, MAGIC_VNODE);
1093 	LABEL_CHECK(execlabel, MAGIC_CRED);
1094 	COUNTER_INC(execve_transition);
1095 }
1096 
1097 COUNTER_DECL(execve_will_transition);
1098 static int
1099 mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
1100     struct label *filelabel, struct label *interpvplabel,
1101     struct image_params *imgp, struct label *execlabel)
1102 {
1103 
1104 	LABEL_CHECK(old->cr_label, MAGIC_CRED);
1105 	LABEL_CHECK(filelabel, MAGIC_VNODE);
1106 	LABEL_CHECK(interpvplabel, MAGIC_VNODE);
1107 	LABEL_CHECK(execlabel, MAGIC_CRED);
1108 	COUNTER_INC(execve_will_transition);
1109 
1110 	return (0);
1111 }
1112 
1113 COUNTER_DECL(create_proc0);
1114 static void
1115 mac_test_create_proc0(struct ucred *cred)
1116 {
1117 
1118 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1119 	COUNTER_INC(create_proc0);
1120 }
1121 
1122 COUNTER_DECL(create_proc1);
1123 static void
1124 mac_test_create_proc1(struct ucred *cred)
1125 {
1126 
1127 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1128 	COUNTER_INC(create_proc1);
1129 }
1130 
1131 COUNTER_DECL(relabel_cred);
1132 static void
1133 mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
1134 {
1135 
1136 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1137 	LABEL_CHECK(newlabel, MAGIC_CRED);
1138 	COUNTER_INC(relabel_cred);
1139 }
1140 
1141 COUNTER_DECL(thread_userret);
1142 static void
1143 mac_test_thread_userret(struct thread *td)
1144 {
1145 
1146 	COUNTER_INC(thread_userret);
1147 }
1148 
1149 /*
1150  * Label cleanup/flush operations
1151  */
1152 COUNTER_DECL(cleanup_sysv_msgmsg);
1153 static void
1154 mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
1155 {
1156 
1157 	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1158 	COUNTER_INC(cleanup_sysv_msgmsg);
1159 }
1160 
1161 COUNTER_DECL(cleanup_sysv_msgqueue);
1162 static void
1163 mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
1164 {
1165 
1166 	LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
1167 	COUNTER_INC(cleanup_sysv_msgqueue);
1168 }
1169 
1170 COUNTER_DECL(cleanup_sysv_sem);
1171 static void
1172 mac_test_cleanup_sysv_sem(struct label *semalabel)
1173 {
1174 
1175 	LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
1176 	COUNTER_INC(cleanup_sysv_sem);
1177 }
1178 
1179 COUNTER_DECL(cleanup_sysv_shm);
1180 static void
1181 mac_test_cleanup_sysv_shm(struct label *shmlabel)
1182 {
1183 
1184 	LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
1185 	COUNTER_INC(cleanup_sysv_shm);
1186 }
1187 
1188 /*
1189  * Access control checks.
1190  */
1191 COUNTER_DECL(check_bpfdesc_receive);
1192 static int
1193 mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1194     struct ifnet *ifnet, struct label *ifnetlabel)
1195 {
1196 
1197 	LABEL_CHECK(bpflabel, MAGIC_BPF);
1198 	LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1199 	COUNTER_INC(check_bpfdesc_receive);
1200 
1201 	return (0);
1202 }
1203 
1204 COUNTER_DECL(check_cred_relabel);
1205 static int
1206 mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1207 {
1208 
1209 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1210 	LABEL_CHECK(newlabel, MAGIC_CRED);
1211 	COUNTER_INC(check_cred_relabel);
1212 
1213 	return (0);
1214 }
1215 
1216 COUNTER_DECL(check_cred_visible);
1217 static int
1218 mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
1219 {
1220 
1221 	LABEL_CHECK(u1->cr_label, MAGIC_CRED);
1222 	LABEL_CHECK(u2->cr_label, MAGIC_CRED);
1223 	COUNTER_INC(check_cred_visible);
1224 
1225 	return (0);
1226 }
1227 
1228 COUNTER_DECL(check_ifnet_relabel);
1229 static int
1230 mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1231     struct label *ifnetlabel, struct label *newlabel)
1232 {
1233 
1234 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1235 	LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1236 	LABEL_CHECK(newlabel, MAGIC_IFNET);
1237 	COUNTER_INC(check_ifnet_relabel);
1238 
1239 	return (0);
1240 }
1241 
1242 COUNTER_DECL(check_ifnet_transmit);
1243 static int
1244 mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1245     struct mbuf *m, struct label *mbuflabel)
1246 {
1247 
1248 	LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1249 	LABEL_CHECK(mbuflabel, MAGIC_MBUF);
1250 	COUNTER_INC(check_ifnet_transmit);
1251 
1252 	return (0);
1253 }
1254 
1255 COUNTER_DECL(check_inpcb_deliver);
1256 static int
1257 mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
1258     struct mbuf *m, struct label *mlabel)
1259 {
1260 
1261 	LABEL_CHECK(inplabel, MAGIC_INPCB);
1262 	LABEL_CHECK(mlabel, MAGIC_MBUF);
1263 	COUNTER_INC(check_inpcb_deliver);
1264 
1265 	return (0);
1266 }
1267 
1268 COUNTER_DECL(check_sysv_msgmsq);
1269 static int
1270 mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
1271     struct label *msglabel, struct msqid_kernel *msqkptr,
1272     struct label *msqklabel)
1273 {
1274 
1275 	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1276 	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1277 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1278 	COUNTER_INC(check_sysv_msgmsq);
1279 
1280   	return (0);
1281 }
1282 
1283 COUNTER_DECL(check_sysv_msgrcv);
1284 static int
1285 mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
1286     struct label *msglabel)
1287 {
1288 
1289 	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1290 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1291 	COUNTER_INC(check_sysv_msgrcv);
1292 
1293 	return (0);
1294 }
1295 
1296 COUNTER_DECL(check_sysv_msgrmid);
1297 static int
1298 mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
1299     struct label *msglabel)
1300 {
1301 
1302 	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1303 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1304 	COUNTER_INC(check_sysv_msgrmid);
1305 
1306 	return (0);
1307 }
1308 
1309 COUNTER_DECL(check_sysv_msqget);
1310 static int
1311 mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
1312     struct label *msqklabel)
1313 {
1314 
1315 	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1316 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1317 	COUNTER_INC(check_sysv_msqget);
1318 
1319 	return (0);
1320 }
1321 
1322 COUNTER_DECL(check_sysv_msqsnd);
1323 static int
1324 mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
1325     struct label *msqklabel)
1326 {
1327 
1328 	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1329 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1330 	COUNTER_INC(check_sysv_msqsnd);
1331 
1332 	return (0);
1333 }
1334 
1335 COUNTER_DECL(check_sysv_msqrcv);
1336 static int
1337 mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
1338     struct label *msqklabel)
1339 {
1340 
1341 	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1342 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1343 	COUNTER_INC(check_sysv_msqrcv);
1344 
1345 	return (0);
1346 }
1347 
1348 COUNTER_DECL(check_sysv_msqctl);
1349 static int
1350 mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
1351     struct label *msqklabel, int cmd)
1352 {
1353 
1354 	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1355 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1356 	COUNTER_INC(check_sysv_msqctl);
1357 
1358 	return (0);
1359 }
1360 
1361 COUNTER_DECL(check_sysv_semctl);
1362 static int
1363 mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
1364     struct label *semaklabel, int cmd)
1365 {
1366 
1367 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1368 	LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1369 	COUNTER_INC(check_sysv_semctl);
1370 
1371   	return (0);
1372 }
1373 
1374 COUNTER_DECL(check_sysv_semget);
1375 static int
1376 mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
1377     struct label *semaklabel)
1378 {
1379 
1380 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1381 	LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1382 	COUNTER_INC(check_sysv_semget);
1383 
1384 	return (0);
1385 }
1386 
1387 COUNTER_DECL(check_sysv_semop);
1388 static int
1389 mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
1390     struct label *semaklabel, size_t accesstype)
1391 {
1392 
1393 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1394 	LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1395 	COUNTER_INC(check_sysv_semop);
1396 
1397 	return (0);
1398 }
1399 
1400 COUNTER_DECL(check_sysv_shmat);
1401 static int
1402 mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
1403     struct label *shmseglabel, int shmflg)
1404 {
1405 
1406 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1407 	LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1408 	COUNTER_INC(check_sysv_shmat);
1409 
1410   	return (0);
1411 }
1412 
1413 COUNTER_DECL(check_sysv_shmctl);
1414 static int
1415 mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
1416     struct label *shmseglabel, int cmd)
1417 {
1418 
1419 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1420 	LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1421 	COUNTER_INC(check_sysv_shmctl);
1422 
1423   	return (0);
1424 }
1425 
1426 COUNTER_DECL(check_sysv_shmdt);
1427 static int
1428 mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
1429     struct label *shmseglabel)
1430 {
1431 
1432 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1433 	LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1434 	COUNTER_INC(check_sysv_shmdt);
1435 
1436 	return (0);
1437 }
1438 
1439 COUNTER_DECL(check_sysv_shmget);
1440 static int
1441 mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
1442     struct label *shmseglabel, int shmflg)
1443 {
1444 
1445 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1446 	LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1447 	COUNTER_INC(check_sysv_shmget);
1448 
1449 	return (0);
1450 }
1451 
1452 COUNTER_DECL(check_kenv_dump);
1453 static int
1454 mac_test_check_kenv_dump(struct ucred *cred)
1455 {
1456 
1457 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1458 	COUNTER_INC(check_kenv_dump);
1459 
1460 	return (0);
1461 }
1462 
1463 COUNTER_DECL(check_kenv_get);
1464 static int
1465 mac_test_check_kenv_get(struct ucred *cred, char *name)
1466 {
1467 
1468 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1469 	COUNTER_INC(check_kenv_get);
1470 
1471 	return (0);
1472 }
1473 
1474 COUNTER_DECL(check_kenv_set);
1475 static int
1476 mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
1477 {
1478 
1479 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1480 	COUNTER_INC(check_kenv_set);
1481 
1482 	return (0);
1483 }
1484 
1485 COUNTER_DECL(check_kenv_unset);
1486 static int
1487 mac_test_check_kenv_unset(struct ucred *cred, char *name)
1488 {
1489 
1490 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1491 	COUNTER_INC(check_kenv_unset);
1492 
1493 	return (0);
1494 }
1495 
1496 COUNTER_DECL(check_kld_load);
1497 static int
1498 mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
1499     struct label *label)
1500 {
1501 
1502 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1503 	LABEL_CHECK(label, MAGIC_VNODE);
1504 	COUNTER_INC(check_kld_load);
1505 
1506 	return (0);
1507 }
1508 
1509 COUNTER_DECL(check_kld_stat);
1510 static int
1511 mac_test_check_kld_stat(struct ucred *cred)
1512 {
1513 
1514 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1515 	COUNTER_INC(check_kld_stat);
1516 
1517 	return (0);
1518 }
1519 
1520 COUNTER_DECL(check_mount_stat);
1521 static int
1522 mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
1523     struct label *mplabel)
1524 {
1525 
1526 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1527 	LABEL_CHECK(mplabel, MAGIC_MOUNT);
1528 	COUNTER_INC(check_mount_stat);
1529 
1530 	return (0);
1531 }
1532 
1533 COUNTER_DECL(check_pipe_ioctl);
1534 static int
1535 mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
1536     struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1537 {
1538 
1539 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1540 	LABEL_CHECK(pipelabel, MAGIC_PIPE);
1541 	COUNTER_INC(check_pipe_ioctl);
1542 
1543 	return (0);
1544 }
1545 
1546 COUNTER_DECL(check_pipe_poll);
1547 static int
1548 mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
1549     struct label *pipelabel)
1550 {
1551 
1552 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1553 	LABEL_CHECK(pipelabel, MAGIC_PIPE);
1554 	COUNTER_INC(check_pipe_poll);
1555 
1556 	return (0);
1557 }
1558 
1559 COUNTER_DECL(check_pipe_read);
1560 static int
1561 mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
1562     struct label *pipelabel)
1563 {
1564 
1565 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1566 	LABEL_CHECK(pipelabel, MAGIC_PIPE);
1567 	COUNTER_INC(check_pipe_read);
1568 
1569 	return (0);
1570 }
1571 
1572 COUNTER_DECL(check_pipe_relabel);
1573 static int
1574 mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1575     struct label *pipelabel, struct label *newlabel)
1576 {
1577 
1578 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1579 	LABEL_CHECK(pipelabel, MAGIC_PIPE);
1580 	LABEL_CHECK(newlabel, MAGIC_PIPE);
1581 	COUNTER_INC(check_pipe_relabel);
1582 
1583 	return (0);
1584 }
1585 
1586 COUNTER_DECL(check_pipe_stat);
1587 static int
1588 mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
1589     struct label *pipelabel)
1590 {
1591 
1592 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1593 	LABEL_CHECK(pipelabel, MAGIC_PIPE);
1594 	COUNTER_INC(check_pipe_stat);
1595 
1596 	return (0);
1597 }
1598 
1599 COUNTER_DECL(check_pipe_write);
1600 static int
1601 mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
1602     struct label *pipelabel)
1603 {
1604 
1605 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1606 	LABEL_CHECK(pipelabel, MAGIC_PIPE);
1607 	COUNTER_INC(check_pipe_write);
1608 
1609 	return (0);
1610 }
1611 
1612 COUNTER_DECL(check_posix_sem);
1613 static int
1614 mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr,
1615     struct label *ks_label)
1616 {
1617 
1618 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1619 	LABEL_CHECK(ks_label, MAGIC_POSIX_SEM);
1620 	COUNTER_INC(check_posix_sem);
1621 
1622 	return (0);
1623 }
1624 
1625 COUNTER_DECL(check_proc_debug);
1626 static int
1627 mac_test_check_proc_debug(struct ucred *cred, struct proc *p)
1628 {
1629 
1630 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1631 	LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1632 	COUNTER_INC(check_proc_debug);
1633 
1634 	return (0);
1635 }
1636 
1637 COUNTER_DECL(check_proc_sched);
1638 static int
1639 mac_test_check_proc_sched(struct ucred *cred, struct proc *p)
1640 {
1641 
1642 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1643 	LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1644 	COUNTER_INC(check_proc_sched);
1645 
1646 	return (0);
1647 }
1648 
1649 COUNTER_DECL(check_proc_signal);
1650 static int
1651 mac_test_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
1652 {
1653 
1654 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1655 	LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1656 	COUNTER_INC(check_proc_signal);
1657 
1658 	return (0);
1659 }
1660 
1661 COUNTER_DECL(check_proc_setaudit);
1662 static int
1663 mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
1664 {
1665 
1666 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1667 	COUNTER_INC(check_proc_setaudit);
1668 
1669 	return (0);
1670 }
1671 
1672 COUNTER_DECL(check_proc_setauid);
1673 static int
1674 mac_test_check_proc_setauid(struct ucred *cred, uid_t auid)
1675 {
1676 
1677 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1678 	COUNTER_INC(check_proc_setauid);
1679 
1680 	return (0);
1681 }
1682 
1683 COUNTER_DECL(check_proc_setuid);
1684 static int
1685 mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
1686 {
1687 
1688 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1689 	COUNTER_INC(check_proc_setuid);
1690 
1691 	return (0);
1692 }
1693 
1694 COUNTER_DECL(check_proc_euid);
1695 static int
1696 mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
1697 {
1698 
1699 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1700 	COUNTER_INC(check_proc_euid);
1701 
1702 	return (0);
1703 }
1704 
1705 COUNTER_DECL(check_proc_setgid);
1706 static int
1707 mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
1708 {
1709 
1710 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1711 	COUNTER_INC(check_proc_setgid);
1712 
1713 	return (0);
1714 }
1715 
1716 COUNTER_DECL(check_proc_setegid);
1717 static int
1718 mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
1719 {
1720 
1721 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1722 	COUNTER_INC(check_proc_setegid);
1723 
1724 	return (0);
1725 }
1726 
1727 COUNTER_DECL(check_proc_setgroups);
1728 static int
1729 mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
1730 	gid_t *gidset)
1731 {
1732 
1733 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1734 	COUNTER_INC(check_proc_setgroups);
1735 
1736 	return (0);
1737 }
1738 
1739 COUNTER_DECL(check_proc_setreuid);
1740 static int
1741 mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
1742 {
1743 
1744 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1745 	COUNTER_INC(check_proc_setreuid);
1746 
1747 	return (0);
1748 }
1749 
1750 COUNTER_DECL(check_proc_setregid);
1751 static int
1752 mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
1753 {
1754 
1755 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1756 	COUNTER_INC(check_proc_setregid);
1757 
1758 	return (0);
1759 }
1760 
1761 COUNTER_DECL(check_proc_setresuid);
1762 static int
1763 mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
1764 	uid_t suid)
1765 {
1766 
1767 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1768 	COUNTER_INC(check_proc_setresuid);
1769 
1770 	return (0);
1771 }
1772 
1773 COUNTER_DECL(check_proc_setresgid);
1774 static int
1775 mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
1776 	gid_t sgid)
1777 {
1778 
1779 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1780 	COUNTER_INC(check_proc_setresgid);
1781 
1782 	return (0);
1783 }
1784 
1785 COUNTER_DECL(check_proc_wait);
1786 static int
1787 mac_test_check_proc_wait(struct ucred *cred, struct proc *p)
1788 {
1789 
1790 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1791 	LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1792 	COUNTER_INC(check_proc_wait);
1793 
1794 	return (0);
1795 }
1796 
1797 COUNTER_DECL(check_socket_accept);
1798 static int
1799 mac_test_check_socket_accept(struct ucred *cred, struct socket *so,
1800     struct label *solabel)
1801 {
1802 
1803 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1804 	LABEL_CHECK(solabel, MAGIC_SOCKET);
1805 	COUNTER_INC(check_socket_accept);
1806 
1807 	return (0);
1808 }
1809 
1810 COUNTER_DECL(check_socket_bind);
1811 static int
1812 mac_test_check_socket_bind(struct ucred *cred, struct socket *so,
1813     struct label *solabel, struct sockaddr *sa)
1814 {
1815 
1816 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1817 	LABEL_CHECK(solabel, MAGIC_SOCKET);
1818 	COUNTER_INC(check_socket_bind);
1819 
1820 	return (0);
1821 }
1822 
1823 COUNTER_DECL(check_socket_connect);
1824 static int
1825 mac_test_check_socket_connect(struct ucred *cred, struct socket *so,
1826     struct label *solabel, struct sockaddr *sa)
1827 {
1828 
1829 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1830 	LABEL_CHECK(solabel, MAGIC_SOCKET);
1831 	COUNTER_INC(check_socket_connect);
1832 
1833 	return (0);
1834 }
1835 
1836 COUNTER_DECL(check_socket_deliver);
1837 static int
1838 mac_test_check_socket_deliver(struct socket *so, struct label *solabel,
1839     struct mbuf *m, struct label *mlabel)
1840 {
1841 
1842 	LABEL_CHECK(solabel, MAGIC_SOCKET);
1843 	LABEL_CHECK(mlabel, MAGIC_MBUF);
1844 	COUNTER_INC(check_socket_deliver);
1845 
1846 	return (0);
1847 }
1848 
1849 COUNTER_DECL(check_socket_listen);
1850 static int
1851 mac_test_check_socket_listen(struct ucred *cred, struct socket *so,
1852     struct label *solabel)
1853 {
1854 
1855 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1856 	LABEL_CHECK(solabel, MAGIC_SOCKET);
1857 	COUNTER_INC(check_socket_listen);
1858 
1859 	return (0);
1860 }
1861 
1862 COUNTER_DECL(check_socket_poll);
1863 static int
1864 mac_test_check_socket_poll(struct ucred *cred, struct socket *so,
1865     struct label *solabel)
1866 {
1867 
1868 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1869 	LABEL_CHECK(solabel, MAGIC_SOCKET);
1870 	COUNTER_INC(check_socket_poll);
1871 
1872 	return (0);
1873 }
1874 
1875 COUNTER_DECL(check_socket_receive);
1876 static int
1877 mac_test_check_socket_receive(struct ucred *cred, struct socket *so,
1878     struct label *solabel)
1879 {
1880 
1881 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1882 	LABEL_CHECK(solabel, MAGIC_SOCKET);
1883 	COUNTER_INC(check_socket_receive);
1884 
1885 	return (0);
1886 }
1887 
1888 COUNTER_DECL(check_socket_relabel);
1889 static int
1890 mac_test_check_socket_relabel(struct ucred *cred, struct socket *so,
1891     struct label *solabel, struct label *newlabel)
1892 {
1893 
1894 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1895 	LABEL_CHECK(solabel, MAGIC_SOCKET);
1896 	LABEL_CHECK(newlabel, MAGIC_SOCKET);
1897 	COUNTER_INC(check_socket_relabel);
1898 
1899 	return (0);
1900 }
1901 
1902 COUNTER_DECL(check_socket_send);
1903 static int
1904 mac_test_check_socket_send(struct ucred *cred, struct socket *so,
1905     struct label *solabel)
1906 {
1907 
1908 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1909 	LABEL_CHECK(solabel, MAGIC_SOCKET);
1910 	COUNTER_INC(check_socket_send);
1911 
1912 	return (0);
1913 }
1914 
1915 COUNTER_DECL(check_socket_stat);
1916 static int
1917 mac_test_check_socket_stat(struct ucred *cred, struct socket *so,
1918     struct label *solabel)
1919 {
1920 
1921 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1922 	LABEL_CHECK(solabel, MAGIC_SOCKET);
1923 	COUNTER_INC(check_socket_stat);
1924 
1925 	return (0);
1926 }
1927 
1928 COUNTER_DECL(check_socket_visible);
1929 static int
1930 mac_test_check_socket_visible(struct ucred *cred, struct socket *so,
1931     struct label *solabel)
1932 {
1933 
1934 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1935 	LABEL_CHECK(solabel, MAGIC_SOCKET);
1936 	COUNTER_INC(check_socket_visible);
1937 
1938 	return (0);
1939 }
1940 
1941 COUNTER_DECL(check_system_acct);
1942 static int
1943 mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
1944     struct label *vplabel)
1945 {
1946 
1947 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1948 	LABEL_CHECK(vplabel, MAGIC_VNODE);
1949 	COUNTER_INC(check_system_acct);
1950 
1951 	return (0);
1952 }
1953 
1954 COUNTER_DECL(check_system_audit);
1955 static int
1956 mac_test_check_system_audit(struct ucred *cred, void *record, int length)
1957 {
1958 
1959 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1960 	COUNTER_INC(check_system_audit);
1961 
1962 	return (0);
1963 }
1964 
1965 COUNTER_DECL(check_system_auditctl);
1966 static int
1967 mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp,
1968     struct label *vplabel)
1969 {
1970 
1971 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1972 	LABEL_CHECK(vplabel, MAGIC_VNODE);
1973 	COUNTER_INC(check_system_auditctl);
1974 
1975 	return (0);
1976 }
1977 
1978 COUNTER_DECL(check_system_auditon);
1979 static int
1980 mac_test_check_system_auditon(struct ucred *cred, int cmd)
1981 {
1982 
1983 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1984 	COUNTER_INC(check_system_auditon);
1985 
1986 	return (0);
1987 }
1988 
1989 COUNTER_DECL(check_system_reboot);
1990 static int
1991 mac_test_check_system_reboot(struct ucred *cred, int how)
1992 {
1993 
1994 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1995 	COUNTER_INC(check_system_reboot);
1996 
1997 	return (0);
1998 }
1999 
2000 COUNTER_DECL(check_system_swapoff);
2001 static int
2002 mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
2003     struct label *vplabel)
2004 {
2005 
2006 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2007 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2008 	COUNTER_INC(check_system_swapoff);
2009 
2010 	return (0);
2011 }
2012 
2013 COUNTER_DECL(check_system_swapon);
2014 static int
2015 mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
2016     struct label *vplabel)
2017 {
2018 
2019 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2020 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2021 	COUNTER_INC(check_system_swapon);
2022 
2023 	return (0);
2024 }
2025 
2026 COUNTER_DECL(check_system_sysctl);
2027 static int
2028 mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2029     void *arg1, int arg2, struct sysctl_req *req)
2030 {
2031 
2032 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2033 	COUNTER_INC(check_system_sysctl);
2034 
2035 	return (0);
2036 }
2037 
2038 COUNTER_DECL(check_vnode_access);
2039 static int
2040 mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
2041     struct label *vplabel, int acc_mode)
2042 {
2043 
2044 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2045 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2046 	COUNTER_INC(check_vnode_access);
2047 
2048 	return (0);
2049 }
2050 
2051 COUNTER_DECL(check_vnode_chdir);
2052 static int
2053 mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
2054     struct label *dvplabel)
2055 {
2056 
2057 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2058 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2059 	COUNTER_INC(check_vnode_chdir);
2060 
2061 	return (0);
2062 }
2063 
2064 COUNTER_DECL(check_vnode_chroot);
2065 static int
2066 mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
2067     struct label *dvplabel)
2068 {
2069 
2070 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2071 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2072 	COUNTER_INC(check_vnode_chroot);
2073 
2074 	return (0);
2075 }
2076 
2077 COUNTER_DECL(check_vnode_create);
2078 static int
2079 mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
2080     struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
2081 {
2082 
2083 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2084 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2085 	COUNTER_INC(check_vnode_create);
2086 
2087 	return (0);
2088 }
2089 
2090 COUNTER_DECL(check_vnode_delete);
2091 static int
2092 mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
2093     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2094     struct componentname *cnp)
2095 {
2096 
2097 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2098 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2099 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2100 	COUNTER_INC(check_vnode_delete);
2101 
2102 	return (0);
2103 }
2104 
2105 COUNTER_DECL(check_vnode_deleteacl);
2106 static int
2107 mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
2108     struct label *vplabel, acl_type_t type)
2109 {
2110 
2111 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2112 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2113 	COUNTER_INC(check_vnode_deleteacl);
2114 
2115 	return (0);
2116 }
2117 
2118 COUNTER_DECL(check_vnode_deleteextattr);
2119 static int
2120 mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
2121     struct label *vplabel, int attrnamespace, const char *name)
2122 {
2123 
2124 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2125 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2126 	COUNTER_INC(check_vnode_deleteextattr);
2127 
2128 	return (0);
2129 }
2130 
2131 COUNTER_DECL(check_vnode_exec);
2132 static int
2133 mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
2134     struct label *vplabel, struct image_params *imgp,
2135     struct label *execlabel)
2136 {
2137 
2138 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2139 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2140 	LABEL_CHECK(execlabel, MAGIC_CRED);
2141 	COUNTER_INC(check_vnode_exec);
2142 
2143 	return (0);
2144 }
2145 
2146 COUNTER_DECL(check_vnode_getacl);
2147 static int
2148 mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
2149     struct label *vplabel, acl_type_t type)
2150 {
2151 
2152 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2153 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2154 	COUNTER_INC(check_vnode_getacl);
2155 
2156 	return (0);
2157 }
2158 
2159 COUNTER_DECL(check_vnode_getextattr);
2160 static int
2161 mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
2162     struct label *vplabel, int attrnamespace, const char *name,
2163     struct uio *uio)
2164 {
2165 
2166 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2167 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2168 	COUNTER_INC(check_vnode_getextattr);
2169 
2170 	return (0);
2171 }
2172 
2173 COUNTER_DECL(check_vnode_link);
2174 static int
2175 mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
2176     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2177     struct componentname *cnp)
2178 {
2179 
2180 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2181 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2182 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2183 	COUNTER_INC(check_vnode_link);
2184 
2185 	return (0);
2186 }
2187 
2188 COUNTER_DECL(check_vnode_listextattr);
2189 static int
2190 mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
2191     struct label *vplabel, int attrnamespace)
2192 {
2193 
2194 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2195 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2196 	COUNTER_INC(check_vnode_listextattr);
2197 
2198 	return (0);
2199 }
2200 
2201 COUNTER_DECL(check_vnode_lookup);
2202 static int
2203 mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
2204     struct label *dvplabel, struct componentname *cnp)
2205 {
2206 
2207 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2208 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2209 	COUNTER_INC(check_vnode_lookup);
2210 
2211 	return (0);
2212 }
2213 
2214 COUNTER_DECL(check_vnode_mmap);
2215 static int
2216 mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
2217     struct label *vplabel, int prot, int flags)
2218 {
2219 
2220 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2221 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2222 	COUNTER_INC(check_vnode_mmap);
2223 
2224 	return (0);
2225 }
2226 
2227 COUNTER_DECL(check_vnode_open);
2228 static int
2229 mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
2230     struct label *vplabel, int acc_mode)
2231 {
2232 
2233 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2234 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2235 	COUNTER_INC(check_vnode_open);
2236 
2237 	return (0);
2238 }
2239 
2240 COUNTER_DECL(check_vnode_poll);
2241 static int
2242 mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
2243     struct vnode *vp, struct label *vplabel)
2244 {
2245 
2246 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2247 	if (file_cred != NULL)
2248 		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2249 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2250 	COUNTER_INC(check_vnode_poll);
2251 
2252 	return (0);
2253 }
2254 
2255 COUNTER_DECL(check_vnode_read);
2256 static int
2257 mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2258     struct vnode *vp, struct label *vplabel)
2259 {
2260 
2261 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2262 	if (file_cred != NULL)
2263 		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2264 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2265 	COUNTER_INC(check_vnode_read);
2266 
2267 	return (0);
2268 }
2269 
2270 COUNTER_DECL(check_vnode_readdir);
2271 static int
2272 mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
2273     struct label *dvplabel)
2274 {
2275 
2276 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2277 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2278 	COUNTER_INC(check_vnode_readdir);
2279 
2280 	return (0);
2281 }
2282 
2283 COUNTER_DECL(check_vnode_readlink);
2284 static int
2285 mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
2286     struct label *vplabel)
2287 {
2288 
2289 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2290 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2291 	COUNTER_INC(check_vnode_readlink);
2292 
2293 	return (0);
2294 }
2295 
2296 COUNTER_DECL(check_vnode_relabel);
2297 static int
2298 mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2299     struct label *vplabel, struct label *newlabel)
2300 {
2301 
2302 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2303 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2304 	LABEL_CHECK(newlabel, MAGIC_VNODE);
2305 	COUNTER_INC(check_vnode_relabel);
2306 
2307 	return (0);
2308 }
2309 
2310 COUNTER_DECL(check_vnode_rename_from);
2311 static int
2312 mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2313     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2314     struct componentname *cnp)
2315 {
2316 
2317 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2318 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2319 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2320 	COUNTER_INC(check_vnode_rename_from);
2321 
2322 	return (0);
2323 }
2324 
2325 COUNTER_DECL(check_vnode_rename_to);
2326 static int
2327 mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2328     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2329     int samedir, struct componentname *cnp)
2330 {
2331 
2332 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2333 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2334 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2335 	COUNTER_INC(check_vnode_rename_to);
2336 
2337 	return (0);
2338 }
2339 
2340 COUNTER_DECL(check_vnode_revoke);
2341 static int
2342 mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
2343     struct label *vplabel)
2344 {
2345 
2346 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2347 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2348 	COUNTER_INC(check_vnode_revoke);
2349 
2350 	return (0);
2351 }
2352 
2353 COUNTER_DECL(check_vnode_setacl);
2354 static int
2355 mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
2356     struct label *vplabel, acl_type_t type, struct acl *acl)
2357 {
2358 
2359 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2360 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2361 	COUNTER_INC(check_vnode_setacl);
2362 
2363 	return (0);
2364 }
2365 
2366 COUNTER_DECL(check_vnode_setextattr);
2367 static int
2368 mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2369     struct label *vplabel, int attrnamespace, const char *name,
2370     struct uio *uio)
2371 {
2372 
2373 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2374 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2375 	COUNTER_INC(check_vnode_setextattr);
2376 
2377 	return (0);
2378 }
2379 
2380 COUNTER_DECL(check_vnode_setflags);
2381 static int
2382 mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
2383     struct label *vplabel, u_long flags)
2384 {
2385 
2386 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2387 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2388 	COUNTER_INC(check_vnode_setflags);
2389 
2390 	return (0);
2391 }
2392 
2393 COUNTER_DECL(check_vnode_setmode);
2394 static int
2395 mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
2396     struct label *vplabel, mode_t mode)
2397 {
2398 
2399 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2400 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2401 	COUNTER_INC(check_vnode_setmode);
2402 
2403 	return (0);
2404 }
2405 
2406 COUNTER_DECL(check_vnode_setowner);
2407 static int
2408 mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
2409     struct label *vplabel, uid_t uid, gid_t gid)
2410 {
2411 
2412 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2413 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2414 	COUNTER_INC(check_vnode_setowner);
2415 
2416 	return (0);
2417 }
2418 
2419 COUNTER_DECL(check_vnode_setutimes);
2420 static int
2421 mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2422     struct label *vplabel, struct timespec atime, struct timespec mtime)
2423 {
2424 
2425 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2426 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2427 	COUNTER_INC(check_vnode_setutimes);
2428 
2429 	return (0);
2430 }
2431 
2432 COUNTER_DECL(check_vnode_stat);
2433 static int
2434 mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2435     struct vnode *vp, struct label *vplabel)
2436 {
2437 
2438 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2439 	if (file_cred != NULL)
2440 		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2441 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2442 	COUNTER_INC(check_vnode_stat);
2443 
2444 	return (0);
2445 }
2446 
2447 COUNTER_DECL(check_vnode_write);
2448 static int
2449 mac_test_check_vnode_write(struct ucred *active_cred,
2450     struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
2451 {
2452 
2453 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2454 	if (file_cred != NULL)
2455 		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2456 	LABEL_CHECK(vplabel, MAGIC_VNODE);
2457 	COUNTER_INC(check_vnode_write);
2458 
2459 	return (0);
2460 }
2461 
2462 static struct mac_policy_ops mac_test_ops =
2463 {
2464 	.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
2465 	.mpo_init_cred_label = mac_test_init_cred_label,
2466 	.mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
2467 	.mpo_init_ifnet_label = mac_test_init_ifnet_label,
2468 	.mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
2469 	.mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
2470 	.mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
2471 	.mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
2472 	.mpo_init_inpcb_label = mac_test_init_inpcb_label,
2473 	.mpo_init_ipq_label = mac_test_init_ipq_label,
2474 	.mpo_init_mbuf_label = mac_test_init_mbuf_label,
2475 	.mpo_init_mount_label = mac_test_init_mount_label,
2476 	.mpo_init_pipe_label = mac_test_init_pipe_label,
2477 	.mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
2478 	.mpo_init_proc_label = mac_test_init_proc_label,
2479 	.mpo_init_socket_label = mac_test_init_socket_label,
2480 	.mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
2481 	.mpo_init_vnode_label = mac_test_init_vnode_label,
2482 	.mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
2483 	.mpo_destroy_cred_label = mac_test_destroy_cred_label,
2484 	.mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
2485 	.mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
2486 	.mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
2487 	.mpo_destroy_sysv_msgqueue_label =
2488 	    mac_test_destroy_sysv_msgqueue_label,
2489 	.mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label,
2490 	.mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label,
2491 	.mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
2492 	.mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
2493 	.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
2494 	.mpo_destroy_mount_label = mac_test_destroy_mount_label,
2495 	.mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
2496 	.mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
2497 	.mpo_destroy_proc_label = mac_test_destroy_proc_label,
2498 	.mpo_destroy_socket_label = mac_test_destroy_socket_label,
2499 	.mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
2500 	.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
2501 	.mpo_copy_cred_label = mac_test_copy_cred_label,
2502 	.mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
2503 	.mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
2504 	.mpo_copy_pipe_label = mac_test_copy_pipe_label,
2505 	.mpo_copy_socket_label = mac_test_copy_socket_label,
2506 	.mpo_copy_vnode_label = mac_test_copy_vnode_label,
2507 	.mpo_externalize_cred_label = mac_test_externalize_label,
2508 	.mpo_externalize_ifnet_label = mac_test_externalize_label,
2509 	.mpo_externalize_pipe_label = mac_test_externalize_label,
2510 	.mpo_externalize_socket_label = mac_test_externalize_label,
2511 	.mpo_externalize_socket_peer_label = mac_test_externalize_label,
2512 	.mpo_externalize_vnode_label = mac_test_externalize_label,
2513 	.mpo_internalize_cred_label = mac_test_internalize_label,
2514 	.mpo_internalize_ifnet_label = mac_test_internalize_label,
2515 	.mpo_internalize_pipe_label = mac_test_internalize_label,
2516 	.mpo_internalize_socket_label = mac_test_internalize_label,
2517 	.mpo_internalize_vnode_label = mac_test_internalize_label,
2518 	.mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
2519 	.mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
2520 	.mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
2521 	.mpo_create_devfs_device = mac_test_create_devfs_device,
2522 	.mpo_create_devfs_directory = mac_test_create_devfs_directory,
2523 	.mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
2524 	.mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
2525 	.mpo_create_mount = mac_test_create_mount,
2526 	.mpo_relabel_vnode = mac_test_relabel_vnode,
2527 	.mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
2528 	.mpo_update_devfsdirent = mac_test_update_devfsdirent,
2529 	.mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
2530 	.mpo_create_pipe = mac_test_create_pipe,
2531 	.mpo_create_posix_sem = mac_test_create_posix_sem,
2532 	.mpo_create_socket = mac_test_create_socket,
2533 	.mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
2534 	.mpo_relabel_pipe = mac_test_relabel_pipe,
2535 	.mpo_relabel_socket = mac_test_relabel_socket,
2536 	.mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
2537 	.mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
2538 	.mpo_create_bpfdesc = mac_test_create_bpfdesc,
2539 	.mpo_create_ifnet = mac_test_create_ifnet,
2540 	.mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
2541 	.mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg,
2542 	.mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue,
2543 	.mpo_create_sysv_sem = mac_test_create_sysv_sem,
2544 	.mpo_create_sysv_shm = mac_test_create_sysv_shm,
2545 	.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
2546 	.mpo_create_fragment = mac_test_create_fragment,
2547 	.mpo_create_ipq = mac_test_create_ipq,
2548 	.mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
2549 	.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
2550 	.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
2551 	.mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
2552 	.mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
2553 	.mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
2554 	.mpo_fragment_match = mac_test_fragment_match,
2555 	.mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
2556 	.mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
2557 	.mpo_relabel_ifnet = mac_test_relabel_ifnet,
2558 	.mpo_update_ipq = mac_test_update_ipq,
2559 	.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
2560 	.mpo_execve_transition = mac_test_execve_transition,
2561 	.mpo_execve_will_transition = mac_test_execve_will_transition,
2562 	.mpo_create_proc0 = mac_test_create_proc0,
2563 	.mpo_create_proc1 = mac_test_create_proc1,
2564 	.mpo_relabel_cred = mac_test_relabel_cred,
2565 	.mpo_thread_userret = mac_test_thread_userret,
2566 	.mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg,
2567 	.mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue,
2568 	.mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem,
2569 	.mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm,
2570 	.mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
2571 	.mpo_check_cred_relabel = mac_test_check_cred_relabel,
2572 	.mpo_check_cred_visible = mac_test_check_cred_visible,
2573 	.mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
2574 	.mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
2575 	.mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
2576 	.mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq,
2577 	.mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv,
2578 	.mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid,
2579 	.mpo_check_sysv_msqget = mac_test_check_sysv_msqget,
2580 	.mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd,
2581 	.mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv,
2582 	.mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl,
2583 	.mpo_check_sysv_semctl = mac_test_check_sysv_semctl,
2584 	.mpo_check_sysv_semget = mac_test_check_sysv_semget,
2585 	.mpo_check_sysv_semop = mac_test_check_sysv_semop,
2586 	.mpo_check_sysv_shmat = mac_test_check_sysv_shmat,
2587 	.mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl,
2588 	.mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt,
2589 	.mpo_check_sysv_shmget = mac_test_check_sysv_shmget,
2590 	.mpo_check_kenv_dump = mac_test_check_kenv_dump,
2591 	.mpo_check_kenv_get = mac_test_check_kenv_get,
2592 	.mpo_check_kenv_set = mac_test_check_kenv_set,
2593 	.mpo_check_kenv_unset = mac_test_check_kenv_unset,
2594 	.mpo_check_kld_load = mac_test_check_kld_load,
2595 	.mpo_check_kld_stat = mac_test_check_kld_stat,
2596 	.mpo_check_mount_stat = mac_test_check_mount_stat,
2597 	.mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
2598 	.mpo_check_pipe_poll = mac_test_check_pipe_poll,
2599 	.mpo_check_pipe_read = mac_test_check_pipe_read,
2600 	.mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
2601 	.mpo_check_pipe_stat = mac_test_check_pipe_stat,
2602 	.mpo_check_pipe_write = mac_test_check_pipe_write,
2603 	.mpo_check_posix_sem_destroy = mac_test_check_posix_sem,
2604 	.mpo_check_posix_sem_getvalue = mac_test_check_posix_sem,
2605 	.mpo_check_posix_sem_open = mac_test_check_posix_sem,
2606 	.mpo_check_posix_sem_post = mac_test_check_posix_sem,
2607 	.mpo_check_posix_sem_unlink = mac_test_check_posix_sem,
2608 	.mpo_check_posix_sem_wait = mac_test_check_posix_sem,
2609 	.mpo_check_proc_debug = mac_test_check_proc_debug,
2610 	.mpo_check_proc_sched = mac_test_check_proc_sched,
2611 	.mpo_check_proc_setaudit = mac_test_check_proc_setaudit,
2612 	.mpo_check_proc_setauid = mac_test_check_proc_setauid,
2613 	.mpo_check_proc_setuid = mac_test_check_proc_setuid,
2614 	.mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
2615 	.mpo_check_proc_setgid = mac_test_check_proc_setgid,
2616 	.mpo_check_proc_setegid = mac_test_check_proc_setegid,
2617 	.mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
2618 	.mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
2619 	.mpo_check_proc_setregid = mac_test_check_proc_setregid,
2620 	.mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
2621 	.mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
2622 	.mpo_check_proc_signal = mac_test_check_proc_signal,
2623 	.mpo_check_proc_wait = mac_test_check_proc_wait,
2624 	.mpo_check_socket_accept = mac_test_check_socket_accept,
2625 	.mpo_check_socket_bind = mac_test_check_socket_bind,
2626 	.mpo_check_socket_connect = mac_test_check_socket_connect,
2627 	.mpo_check_socket_deliver = mac_test_check_socket_deliver,
2628 	.mpo_check_socket_listen = mac_test_check_socket_listen,
2629 	.mpo_check_socket_poll = mac_test_check_socket_poll,
2630 	.mpo_check_socket_receive = mac_test_check_socket_receive,
2631 	.mpo_check_socket_relabel = mac_test_check_socket_relabel,
2632 	.mpo_check_socket_send = mac_test_check_socket_send,
2633 	.mpo_check_socket_stat = mac_test_check_socket_stat,
2634 	.mpo_check_socket_visible = mac_test_check_socket_visible,
2635 	.mpo_check_system_acct = mac_test_check_system_acct,
2636 	.mpo_check_system_audit = mac_test_check_system_audit,
2637 	.mpo_check_system_auditctl = mac_test_check_system_auditctl,
2638 	.mpo_check_system_auditon = mac_test_check_system_auditon,
2639 	.mpo_check_system_reboot = mac_test_check_system_reboot,
2640 	.mpo_check_system_swapoff = mac_test_check_system_swapoff,
2641 	.mpo_check_system_swapon = mac_test_check_system_swapon,
2642 	.mpo_check_system_sysctl = mac_test_check_system_sysctl,
2643 	.mpo_check_vnode_access = mac_test_check_vnode_access,
2644 	.mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
2645 	.mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
2646 	.mpo_check_vnode_create = mac_test_check_vnode_create,
2647 	.mpo_check_vnode_delete = mac_test_check_vnode_delete,
2648 	.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
2649 	.mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
2650 	.mpo_check_vnode_exec = mac_test_check_vnode_exec,
2651 	.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
2652 	.mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
2653 	.mpo_check_vnode_link = mac_test_check_vnode_link,
2654 	.mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
2655 	.mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
2656 	.mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
2657 	.mpo_check_vnode_open = mac_test_check_vnode_open,
2658 	.mpo_check_vnode_poll = mac_test_check_vnode_poll,
2659 	.mpo_check_vnode_read = mac_test_check_vnode_read,
2660 	.mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
2661 	.mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
2662 	.mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
2663 	.mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
2664 	.mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
2665 	.mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
2666 	.mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
2667 	.mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
2668 	.mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
2669 	.mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
2670 	.mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
2671 	.mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
2672 	.mpo_check_vnode_stat = mac_test_check_vnode_stat,
2673 	.mpo_check_vnode_write = mac_test_check_vnode_write,
2674 };
2675 
2676 MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
2677     MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);
2678