1 /*- 2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson 3 * Copyright (c) 2001-2005 McAfee, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by McAfee 9 * Research, the Security Research Division of McAfee, Inc. under 10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 11 * CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $FreeBSD$ 35 */ 36 37 /* 38 * Developed by the TrustedBSD Project. 39 * 40 * MAC Test policy - tests MAC Framework labeling by assigning object class 41 * magic numbers to each label and validates that each time an object label 42 * is passed into the policy, it has a consistent object type, catching 43 * incorrectly passed labels, labels passed after free, etc. 44 */ 45 46 #include <sys/param.h> 47 #include <sys/acl.h> 48 #include <sys/kdb.h> 49 #include <sys/kernel.h> 50 #include <sys/ksem.h> 51 #include <sys/malloc.h> 52 #include <sys/module.h> 53 #include <sys/mount.h> 54 #include <sys/msg.h> 55 #include <sys/proc.h> 56 #include <sys/vnode.h> 57 #include <sys/sem.h> 58 #include <sys/shm.h> 59 #include <sys/socket.h> 60 #include <sys/socketvar.h> 61 #include <sys/sx.h> 62 #include <sys/sysctl.h> 63 64 #include <fs/devfs/devfs.h> 65 66 #include <net/bpfdesc.h> 67 #include <net/if.h> 68 #include <net/if_types.h> 69 #include <net/if_var.h> 70 71 #include <security/mac/mac_policy.h> 72 73 SYSCTL_DECL(_security_mac); 74 75 SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, 76 "TrustedBSD mac_test policy controls"); 77 78 #define MAGIC_BPF 0xfe1ad1b6 79 #define MAGIC_DEVFS 0x9ee79c32 80 #define MAGIC_IFNET 0xc218b120 81 #define MAGIC_INPCB 0x4440f7bb 82 #define MAGIC_IPQ 0x206188ef 83 #define MAGIC_MBUF 0xbbefa5bb 84 #define MAGIC_MOUNT 0xc7c46e47 85 #define MAGIC_SOCKET 0x9199c6cd 86 #define MAGIC_SYSV_MSG 0x8bbba61e 87 #define MAGIC_SYSV_MSQ 0xea672391 88 #define MAGIC_SYSV_SEM 0x896e8a0b 89 #define MAGIC_SYSV_SHM 0x76119ab0 90 #define MAGIC_PIPE 0xdc6c9919 91 #define MAGIC_POSIX_SEM 0x78ae980c 92 #define MAGIC_PROC 0x3b4be98f 93 #define MAGIC_CRED 0x9a5a4987 94 #define MAGIC_VNODE 0x1a67a45c 95 #define MAGIC_FREE 0x849ba1fd 96 97 #define SLOT(x) mac_label_get((x), test_slot) 98 #define SLOT_SET(x, v) mac_label_set((x), test_slot, (v)) 99 100 static int test_slot; 101 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 102 &test_slot, 0, "Slot allocated by framework"); 103 104 SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0, 105 "TrustedBSD mac_test counters controls"); 106 107 #define COUNTER_DECL(variable) \ 108 static int counter_##variable; \ 109 SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable, \ 110 CTLFLAG_RD, &counter_##variable, 0, #variable) 111 112 #define COUNTER_INC(variable) atomic_add_int(&counter_##variable, 1) 113 114 #ifdef KDB 115 #define DEBUGGER(func, string) kdb_enter((string)) 116 #else 117 #define DEBUGGER(func, string) printf("mac_test: %s: %s\n", (func), (string)) 118 #endif 119 120 #define LABEL_CHECK(label, magic) do { \ 121 if (label != NULL) { \ 122 KASSERT(SLOT(label) == magic || SLOT(label) == 0, \ 123 ("%s: bad %s label", __func__, #magic)); \ 124 } \ 125 } while (0) 126 127 #define LABEL_DESTROY(label, magic) do { \ 128 if (SLOT(label) == magic || SLOT(label) == 0) { \ 129 SLOT_SET(label, MAGIC_FREE); \ 130 } else if (SLOT(label) == MAGIC_FREE) { \ 131 DEBUGGER("%s: dup destroy", __func__); \ 132 } else { \ 133 DEBUGGER("%s: corrupted label", __func__); \ 134 } \ 135 } while (0) 136 137 #define LABEL_INIT(label, magic) do { \ 138 SLOT_SET(label, magic); \ 139 } while (0) 140 141 #define LABEL_NOTFREE(label) do { \ 142 KASSERT(SLOT(label) != MAGIC_FREE, \ 143 ("%s: destroyed label", __func__)); \ 144 } while (0) 145 146 /* 147 * Label operations. 148 */ 149 COUNTER_DECL(init_bpfdesc_label); 150 static void 151 mac_test_init_bpfdesc_label(struct label *label) 152 { 153 154 LABEL_INIT(label, MAGIC_BPF); 155 COUNTER_INC(init_bpfdesc_label); 156 } 157 158 COUNTER_DECL(init_cred_label); 159 static void 160 mac_test_init_cred_label(struct label *label) 161 { 162 163 LABEL_INIT(label, MAGIC_CRED); 164 COUNTER_INC(init_cred_label); 165 } 166 167 COUNTER_DECL(init_devfsdirent_label); 168 static void 169 mac_test_init_devfsdirent_label(struct label *label) 170 { 171 172 LABEL_INIT(label, MAGIC_DEVFS); 173 COUNTER_INC(init_devfsdirent_label); 174 } 175 176 COUNTER_DECL(init_ifnet_label); 177 static void 178 mac_test_init_ifnet_label(struct label *label) 179 { 180 181 LABEL_INIT(label, MAGIC_IFNET); 182 COUNTER_INC(init_ifnet_label); 183 } 184 185 COUNTER_DECL(init_inpcb_label); 186 static int 187 mac_test_init_inpcb_label(struct label *label, int flag) 188 { 189 190 if (flag & M_WAITOK) 191 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 192 "mac_test_init_inpcb_label() at %s:%d", __FILE__, 193 __LINE__); 194 195 LABEL_INIT(label, MAGIC_INPCB); 196 COUNTER_INC(init_inpcb_label); 197 return (0); 198 } 199 200 COUNTER_DECL(init_sysv_msg_label); 201 static void 202 mac_test_init_sysv_msgmsg_label(struct label *label) 203 { 204 LABEL_INIT(label, MAGIC_SYSV_MSG); 205 COUNTER_INC(init_sysv_msg_label); 206 } 207 208 COUNTER_DECL(init_sysv_msq_label); 209 static void 210 mac_test_init_sysv_msgqueue_label(struct label *label) 211 { 212 LABEL_INIT(label, MAGIC_SYSV_MSQ); 213 COUNTER_INC(init_sysv_msq_label); 214 } 215 216 COUNTER_DECL(init_sysv_sem_label); 217 static void 218 mac_test_init_sysv_sem_label(struct label *label) 219 { 220 LABEL_INIT(label, MAGIC_SYSV_SEM); 221 COUNTER_INC(init_sysv_sem_label); 222 } 223 224 COUNTER_DECL(init_sysv_shm_label); 225 static void 226 mac_test_init_sysv_shm_label(struct label *label) 227 { 228 LABEL_INIT(label, MAGIC_SYSV_SHM); 229 COUNTER_INC(init_sysv_shm_label); 230 } 231 232 COUNTER_DECL(init_ipq_label); 233 static int 234 mac_test_init_ipq_label(struct label *label, int flag) 235 { 236 237 if (flag & M_WAITOK) 238 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 239 "mac_test_init_ipq_label() at %s:%d", __FILE__, 240 __LINE__); 241 242 LABEL_INIT(label, MAGIC_IPQ); 243 COUNTER_INC(init_ipq_label); 244 return (0); 245 } 246 247 COUNTER_DECL(init_mbuf_label); 248 static int 249 mac_test_init_mbuf_label(struct label *label, int flag) 250 { 251 252 if (flag & M_WAITOK) 253 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 254 "mac_test_init_mbuf_label() at %s:%d", __FILE__, 255 __LINE__); 256 257 LABEL_INIT(label, MAGIC_MBUF); 258 COUNTER_INC(init_mbuf_label); 259 return (0); 260 } 261 262 COUNTER_DECL(init_mount_label); 263 static void 264 mac_test_init_mount_label(struct label *label) 265 { 266 267 LABEL_INIT(label, MAGIC_MOUNT); 268 COUNTER_INC(init_mount_label); 269 } 270 271 COUNTER_DECL(init_socket_label); 272 static int 273 mac_test_init_socket_label(struct label *label, int flag) 274 { 275 276 if (flag & M_WAITOK) 277 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 278 "mac_test_init_socket_label() at %s:%d", __FILE__, 279 __LINE__); 280 281 LABEL_INIT(label, MAGIC_SOCKET); 282 COUNTER_INC(init_socket_label); 283 return (0); 284 } 285 286 COUNTER_DECL(init_socket_peer_label); 287 static int 288 mac_test_init_socket_peer_label(struct label *label, int flag) 289 { 290 291 if (flag & M_WAITOK) 292 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 293 "mac_test_init_socket_peer_label() at %s:%d", __FILE__, 294 __LINE__); 295 296 LABEL_INIT(label, MAGIC_SOCKET); 297 COUNTER_INC(init_socket_peer_label); 298 return (0); 299 } 300 301 COUNTER_DECL(init_pipe_label); 302 static void 303 mac_test_init_pipe_label(struct label *label) 304 { 305 306 LABEL_INIT(label, MAGIC_PIPE); 307 COUNTER_INC(init_pipe_label); 308 } 309 310 COUNTER_DECL(init_posix_sem_label); 311 static void 312 mac_test_init_posix_sem_label(struct label *label) 313 { 314 315 LABEL_INIT(label, MAGIC_POSIX_SEM); 316 COUNTER_INC(init_posix_sem_label); 317 } 318 319 COUNTER_DECL(init_proc_label); 320 static void 321 mac_test_init_proc_label(struct label *label) 322 { 323 324 LABEL_INIT(label, MAGIC_PROC); 325 COUNTER_INC(init_proc_label); 326 } 327 328 COUNTER_DECL(init_vnode_label); 329 static void 330 mac_test_init_vnode_label(struct label *label) 331 { 332 333 LABEL_INIT(label, MAGIC_VNODE); 334 COUNTER_INC(init_vnode_label); 335 } 336 337 COUNTER_DECL(destroy_bpfdesc_label); 338 static void 339 mac_test_destroy_bpfdesc_label(struct label *label) 340 { 341 342 LABEL_DESTROY(label, MAGIC_BPF); 343 COUNTER_INC(destroy_bpfdesc_label); 344 } 345 346 COUNTER_DECL(destroy_cred_label); 347 static void 348 mac_test_destroy_cred_label(struct label *label) 349 { 350 351 LABEL_DESTROY(label, MAGIC_CRED); 352 COUNTER_INC(destroy_cred_label); 353 } 354 355 COUNTER_DECL(destroy_devfsdirent_label); 356 static void 357 mac_test_destroy_devfsdirent_label(struct label *label) 358 { 359 360 LABEL_DESTROY(label, MAGIC_DEVFS); 361 COUNTER_INC(destroy_devfsdirent_label); 362 } 363 364 COUNTER_DECL(destroy_ifnet_label); 365 static void 366 mac_test_destroy_ifnet_label(struct label *label) 367 { 368 369 LABEL_DESTROY(label, MAGIC_IFNET); 370 COUNTER_INC(destroy_ifnet_label); 371 } 372 373 COUNTER_DECL(destroy_inpcb_label); 374 static void 375 mac_test_destroy_inpcb_label(struct label *label) 376 { 377 378 LABEL_DESTROY(label, MAGIC_INPCB); 379 COUNTER_INC(destroy_inpcb_label); 380 } 381 382 COUNTER_DECL(destroy_sysv_msg_label); 383 static void 384 mac_test_destroy_sysv_msgmsg_label(struct label *label) 385 { 386 387 LABEL_DESTROY(label, MAGIC_SYSV_MSG); 388 COUNTER_INC(destroy_sysv_msg_label); 389 } 390 391 COUNTER_DECL(destroy_sysv_msq_label); 392 static void 393 mac_test_destroy_sysv_msgqueue_label(struct label *label) 394 { 395 396 LABEL_DESTROY(label, MAGIC_SYSV_MSQ); 397 COUNTER_INC(destroy_sysv_msq_label); 398 } 399 400 COUNTER_DECL(destroy_sysv_sem_label); 401 static void 402 mac_test_destroy_sysv_sem_label(struct label *label) 403 { 404 405 LABEL_DESTROY(label, MAGIC_SYSV_SEM); 406 COUNTER_INC(destroy_sysv_sem_label); 407 } 408 409 COUNTER_DECL(destroy_sysv_shm_label); 410 static void 411 mac_test_destroy_sysv_shm_label(struct label *label) 412 { 413 414 LABEL_DESTROY(label, MAGIC_SYSV_SHM); 415 COUNTER_INC(destroy_sysv_shm_label); 416 } 417 418 COUNTER_DECL(destroy_ipq_label); 419 static void 420 mac_test_destroy_ipq_label(struct label *label) 421 { 422 423 LABEL_DESTROY(label, MAGIC_IPQ); 424 COUNTER_INC(destroy_ipq_label); 425 } 426 427 COUNTER_DECL(destroy_mbuf_label); 428 static void 429 mac_test_destroy_mbuf_label(struct label *label) 430 { 431 432 /* 433 * If we're loaded dynamically, there may be mbufs in flight that 434 * didn't have label storage allocated for them. Handle this 435 * gracefully. 436 */ 437 if (label == NULL) 438 return; 439 440 LABEL_DESTROY(label, MAGIC_MBUF); 441 COUNTER_INC(destroy_mbuf_label); 442 } 443 444 COUNTER_DECL(destroy_mount_label); 445 static void 446 mac_test_destroy_mount_label(struct label *label) 447 { 448 449 LABEL_DESTROY(label, MAGIC_MOUNT); 450 COUNTER_INC(destroy_mount_label); 451 } 452 453 COUNTER_DECL(destroy_socket_label); 454 static void 455 mac_test_destroy_socket_label(struct label *label) 456 { 457 458 LABEL_DESTROY(label, MAGIC_SOCKET); 459 COUNTER_INC(destroy_socket_label); 460 } 461 462 COUNTER_DECL(destroy_socket_peer_label); 463 static void 464 mac_test_destroy_socket_peer_label(struct label *label) 465 { 466 467 LABEL_DESTROY(label, MAGIC_SOCKET); 468 COUNTER_INC(destroy_socket_peer_label); 469 } 470 471 COUNTER_DECL(destroy_pipe_label); 472 static void 473 mac_test_destroy_pipe_label(struct label *label) 474 { 475 476 LABEL_DESTROY(label, MAGIC_PIPE); 477 COUNTER_INC(destroy_pipe_label); 478 } 479 480 COUNTER_DECL(destroy_posix_sem_label); 481 static void 482 mac_test_destroy_posix_sem_label(struct label *label) 483 { 484 485 LABEL_DESTROY(label, MAGIC_POSIX_SEM); 486 COUNTER_INC(destroy_posix_sem_label); 487 } 488 489 COUNTER_DECL(destroy_proc_label); 490 static void 491 mac_test_destroy_proc_label(struct label *label) 492 { 493 494 LABEL_DESTROY(label, MAGIC_PROC); 495 COUNTER_INC(destroy_proc_label); 496 } 497 498 COUNTER_DECL(destroy_vnode_label); 499 static void 500 mac_test_destroy_vnode_label(struct label *label) 501 { 502 503 LABEL_DESTROY(label, MAGIC_VNODE); 504 COUNTER_INC(destroy_vnode_label); 505 } 506 507 COUNTER_DECL(copy_cred_label); 508 static void 509 mac_test_copy_cred_label(struct label *src, struct label *dest) 510 { 511 512 LABEL_CHECK(src, MAGIC_CRED); 513 LABEL_CHECK(dest, MAGIC_CRED); 514 COUNTER_INC(copy_cred_label); 515 } 516 517 COUNTER_DECL(copy_ifnet_label); 518 static void 519 mac_test_copy_ifnet_label(struct label *src, struct label *dest) 520 { 521 522 LABEL_CHECK(src, MAGIC_IFNET); 523 LABEL_CHECK(dest, MAGIC_IFNET); 524 COUNTER_INC(copy_ifnet_label); 525 } 526 527 COUNTER_DECL(copy_mbuf_label); 528 static void 529 mac_test_copy_mbuf_label(struct label *src, struct label *dest) 530 { 531 532 LABEL_CHECK(src, MAGIC_MBUF); 533 LABEL_CHECK(dest, MAGIC_MBUF); 534 COUNTER_INC(copy_mbuf_label); 535 } 536 537 COUNTER_DECL(copy_pipe_label); 538 static void 539 mac_test_copy_pipe_label(struct label *src, struct label *dest) 540 { 541 542 LABEL_CHECK(src, MAGIC_PIPE); 543 LABEL_CHECK(dest, MAGIC_PIPE); 544 COUNTER_INC(copy_pipe_label); 545 } 546 547 COUNTER_DECL(copy_socket_label); 548 static void 549 mac_test_copy_socket_label(struct label *src, struct label *dest) 550 { 551 552 LABEL_CHECK(src, MAGIC_SOCKET); 553 LABEL_CHECK(dest, MAGIC_SOCKET); 554 COUNTER_INC(copy_socket_label); 555 } 556 557 COUNTER_DECL(copy_vnode_label); 558 static void 559 mac_test_copy_vnode_label(struct label *src, struct label *dest) 560 { 561 562 LABEL_CHECK(src, MAGIC_VNODE); 563 LABEL_CHECK(dest, MAGIC_VNODE); 564 COUNTER_INC(copy_vnode_label); 565 } 566 567 COUNTER_DECL(externalize_label); 568 static int 569 mac_test_externalize_label(struct label *label, char *element_name, 570 struct sbuf *sb, int *claimed) 571 { 572 573 LABEL_NOTFREE(label); 574 COUNTER_INC(externalize_label); 575 576 return (0); 577 } 578 579 COUNTER_DECL(internalize_label); 580 static int 581 mac_test_internalize_label(struct label *label, char *element_name, 582 char *element_data, int *claimed) 583 { 584 585 LABEL_NOTFREE(label); 586 COUNTER_INC(internalize_label); 587 588 return (0); 589 } 590 591 /* 592 * Labeling event operations: file system objects, and things that look 593 * a lot like file system objects. 594 */ 595 COUNTER_DECL(associate_vnode_devfs); 596 static void 597 mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel, 598 struct devfs_dirent *de, struct label *delabel, struct vnode *vp, 599 struct label *vplabel) 600 { 601 602 LABEL_CHECK(mplabel, MAGIC_MOUNT); 603 LABEL_CHECK(delabel, MAGIC_DEVFS); 604 LABEL_CHECK(vplabel, MAGIC_VNODE); 605 COUNTER_INC(associate_vnode_devfs); 606 } 607 608 COUNTER_DECL(associate_vnode_extattr); 609 static int 610 mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel, 611 struct vnode *vp, struct label *vplabel) 612 { 613 614 LABEL_CHECK(mplabel, MAGIC_MOUNT); 615 LABEL_CHECK(vplabel, MAGIC_VNODE); 616 COUNTER_INC(associate_vnode_extattr); 617 618 return (0); 619 } 620 621 COUNTER_DECL(associate_vnode_singlelabel); 622 static void 623 mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel, 624 struct vnode *vp, struct label *vplabel) 625 { 626 627 LABEL_CHECK(mplabel, MAGIC_MOUNT); 628 LABEL_CHECK(vplabel, MAGIC_VNODE); 629 COUNTER_INC(associate_vnode_singlelabel); 630 } 631 632 COUNTER_DECL(create_devfs_device); 633 static void 634 mac_test_create_devfs_device(struct ucred *cred, struct mount *mp, 635 struct cdev *dev, struct devfs_dirent *de, struct label *delabel) 636 { 637 638 if (cred != NULL) 639 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 640 LABEL_CHECK(delabel, MAGIC_DEVFS); 641 COUNTER_INC(create_devfs_device); 642 } 643 644 COUNTER_DECL(create_devfs_directory); 645 static void 646 mac_test_create_devfs_directory(struct mount *mp, char *dirname, 647 int dirnamelen, struct devfs_dirent *de, struct label *delabel) 648 { 649 650 LABEL_CHECK(delabel, MAGIC_DEVFS); 651 COUNTER_INC(create_devfs_directory); 652 } 653 654 COUNTER_DECL(create_devfs_symlink); 655 static void 656 mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp, 657 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, 658 struct label *delabel) 659 { 660 661 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 662 LABEL_CHECK(ddlabel, MAGIC_DEVFS); 663 LABEL_CHECK(delabel, MAGIC_DEVFS); 664 COUNTER_INC(create_devfs_symlink); 665 } 666 667 COUNTER_DECL(create_vnode_extattr); 668 static int 669 mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp, 670 struct label *mplabel, struct vnode *dvp, struct label *dvplabel, 671 struct vnode *vp, struct label *vplabel, struct componentname *cnp) 672 { 673 674 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 675 LABEL_CHECK(mplabel, MAGIC_MOUNT); 676 LABEL_CHECK(dvplabel, MAGIC_VNODE); 677 COUNTER_INC(create_vnode_extattr); 678 679 return (0); 680 } 681 682 COUNTER_DECL(create_mount); 683 static void 684 mac_test_create_mount(struct ucred *cred, struct mount *mp, 685 struct label *mplabel) 686 { 687 688 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 689 LABEL_CHECK(mplabel, MAGIC_MOUNT); 690 COUNTER_INC(create_mount); 691 } 692 693 COUNTER_DECL(relabel_vnode); 694 static void 695 mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp, 696 struct label *vplabel, struct label *label) 697 { 698 699 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 700 LABEL_CHECK(vplabel, MAGIC_VNODE); 701 LABEL_CHECK(label, MAGIC_VNODE); 702 COUNTER_INC(relabel_vnode); 703 } 704 705 COUNTER_DECL(setlabel_vnode_extattr); 706 static int 707 mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, 708 struct label *vplabel, struct label *intlabel) 709 { 710 711 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 712 LABEL_CHECK(vplabel, MAGIC_VNODE); 713 LABEL_CHECK(intlabel, MAGIC_VNODE); 714 COUNTER_INC(setlabel_vnode_extattr); 715 716 return (0); 717 } 718 719 COUNTER_DECL(update_devfsdirent); 720 static void 721 mac_test_update_devfsdirent(struct mount *mp, 722 struct devfs_dirent *devfs_dirent, struct label *direntlabel, 723 struct vnode *vp, struct label *vplabel) 724 { 725 726 LABEL_CHECK(direntlabel, MAGIC_DEVFS); 727 LABEL_CHECK(vplabel, MAGIC_VNODE); 728 COUNTER_INC(update_devfsdirent); 729 } 730 731 /* 732 * Labeling event operations: IPC object. 733 */ 734 COUNTER_DECL(create_mbuf_from_socket); 735 static void 736 mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, 737 struct mbuf *m, struct label *mbuflabel) 738 { 739 740 LABEL_CHECK(socketlabel, MAGIC_SOCKET); 741 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 742 COUNTER_INC(create_mbuf_from_socket); 743 } 744 745 COUNTER_DECL(create_socket); 746 static void 747 mac_test_create_socket(struct ucred *cred, struct socket *socket, 748 struct label *socketlabel) 749 { 750 751 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 752 LABEL_CHECK(socketlabel, MAGIC_SOCKET); 753 COUNTER_INC(create_socket); 754 } 755 756 COUNTER_DECL(create_pipe); 757 static void 758 mac_test_create_pipe(struct ucred *cred, struct pipepair *pp, 759 struct label *pipelabel) 760 { 761 762 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 763 LABEL_CHECK(pipelabel, MAGIC_PIPE); 764 COUNTER_INC(create_pipe); 765 } 766 767 COUNTER_DECL(create_posix_sem); 768 static void 769 mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem, 770 struct label *posixlabel) 771 { 772 773 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 774 LABEL_CHECK(posixlabel, MAGIC_POSIX_SEM); 775 COUNTER_INC(create_posix_sem); 776 } 777 778 COUNTER_DECL(create_socket_from_socket); 779 static void 780 mac_test_create_socket_from_socket(struct socket *oldsocket, 781 struct label *oldsocketlabel, struct socket *newsocket, 782 struct label *newsocketlabel) 783 { 784 785 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET); 786 LABEL_CHECK(newsocketlabel, MAGIC_SOCKET); 787 COUNTER_INC(create_socket_from_socket); 788 } 789 790 COUNTER_DECL(relabel_socket); 791 static void 792 mac_test_relabel_socket(struct ucred *cred, struct socket *socket, 793 struct label *socketlabel, struct label *newlabel) 794 { 795 796 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 797 LABEL_CHECK(newlabel, MAGIC_SOCKET); 798 COUNTER_INC(relabel_socket); 799 } 800 801 COUNTER_DECL(relabel_pipe); 802 static void 803 mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp, 804 struct label *pipelabel, struct label *newlabel) 805 { 806 807 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 808 LABEL_CHECK(pipelabel, MAGIC_PIPE); 809 LABEL_CHECK(newlabel, MAGIC_PIPE); 810 COUNTER_INC(relabel_pipe); 811 } 812 813 COUNTER_DECL(set_socket_peer_from_mbuf); 814 static void 815 mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, 816 struct socket *socket, struct label *socketpeerlabel) 817 { 818 819 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 820 LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET); 821 COUNTER_INC(set_socket_peer_from_mbuf); 822 } 823 824 /* 825 * Labeling event operations: network objects. 826 */ 827 COUNTER_DECL(set_socket_peer_from_socket); 828 static void 829 mac_test_set_socket_peer_from_socket(struct socket *oldsocket, 830 struct label *oldsocketlabel, struct socket *newsocket, 831 struct label *newsocketpeerlabel) 832 { 833 834 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET); 835 LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET); 836 COUNTER_INC(set_socket_peer_from_socket); 837 } 838 839 COUNTER_DECL(create_bpfdesc); 840 static void 841 mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, 842 struct label *bpflabel) 843 { 844 845 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 846 LABEL_CHECK(bpflabel, MAGIC_BPF); 847 COUNTER_INC(create_bpfdesc); 848 } 849 850 COUNTER_DECL(create_datagram_from_ipq); 851 static void 852 mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, 853 struct mbuf *datagram, struct label *datagramlabel) 854 { 855 856 LABEL_CHECK(ipqlabel, MAGIC_IPQ); 857 LABEL_CHECK(datagramlabel, MAGIC_MBUF); 858 COUNTER_INC(create_datagram_from_ipq); 859 } 860 861 COUNTER_DECL(create_fragment); 862 static void 863 mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel, 864 struct mbuf *fragment, struct label *fragmentlabel) 865 { 866 867 LABEL_CHECK(datagramlabel, MAGIC_MBUF); 868 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 869 COUNTER_INC(create_fragment); 870 } 871 872 COUNTER_DECL(create_ifnet); 873 static void 874 mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) 875 { 876 877 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 878 COUNTER_INC(create_ifnet); 879 } 880 881 COUNTER_DECL(create_inpcb_from_socket); 882 static void 883 mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel, 884 struct inpcb *inp, struct label *inplabel) 885 { 886 887 LABEL_CHECK(solabel, MAGIC_SOCKET); 888 LABEL_CHECK(inplabel, MAGIC_INPCB); 889 COUNTER_INC(create_inpcb_from_socket); 890 } 891 892 COUNTER_DECL(create_sysv_msgmsg); 893 static void 894 mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, 895 struct label *msqlabel, struct msg *msgptr, struct label *msglabel) 896 { 897 898 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 899 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 900 COUNTER_INC(create_sysv_msgmsg); 901 } 902 903 COUNTER_DECL(create_sysv_msgqueue); 904 static void 905 mac_test_create_sysv_msgqueue(struct ucred *cred, 906 struct msqid_kernel *msqkptr, struct label *msqlabel) 907 { 908 909 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 910 COUNTER_INC(create_sysv_msgqueue); 911 } 912 913 COUNTER_DECL(create_sysv_sem); 914 static void 915 mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr, 916 struct label *semalabel) 917 { 918 919 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); 920 COUNTER_INC(create_sysv_sem); 921 } 922 923 COUNTER_DECL(create_sysv_shm); 924 static void 925 mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr, 926 struct label *shmlabel) 927 { 928 929 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); 930 COUNTER_INC(create_sysv_shm); 931 } 932 933 COUNTER_DECL(create_ipq); 934 static void 935 mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel, 936 struct ipq *ipq, struct label *ipqlabel) 937 { 938 939 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 940 LABEL_CHECK(ipqlabel, MAGIC_IPQ); 941 COUNTER_INC(create_ipq); 942 } 943 944 COUNTER_DECL(create_mbuf_from_inpcb); 945 static void 946 mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel, 947 struct mbuf *m, struct label *mlabel) 948 { 949 950 LABEL_CHECK(inplabel, MAGIC_INPCB); 951 LABEL_CHECK(mlabel, MAGIC_MBUF); 952 COUNTER_INC(create_mbuf_from_inpcb); 953 } 954 955 COUNTER_DECL(create_mbuf_linklayer); 956 static void 957 mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, 958 struct mbuf *mbuf, struct label *mbuflabel) 959 { 960 961 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 962 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 963 COUNTER_INC(create_mbuf_linklayer); 964 } 965 966 COUNTER_DECL(create_mbuf_from_bpfdesc); 967 static void 968 mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel, 969 struct mbuf *mbuf, struct label *mbuflabel) 970 { 971 972 LABEL_CHECK(bpflabel, MAGIC_BPF); 973 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 974 COUNTER_INC(create_mbuf_from_bpfdesc); 975 } 976 977 COUNTER_DECL(create_mbuf_from_ifnet); 978 static void 979 mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel, 980 struct mbuf *m, struct label *mbuflabel) 981 { 982 983 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 984 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 985 COUNTER_INC(create_mbuf_from_ifnet); 986 } 987 988 COUNTER_DECL(create_mbuf_multicast_encap); 989 static void 990 mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf, 991 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel, 992 struct mbuf *newmbuf, struct label *newmbuflabel) 993 { 994 995 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF); 996 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 997 LABEL_CHECK(newmbuflabel, MAGIC_MBUF); 998 COUNTER_INC(create_mbuf_multicast_encap); 999 } 1000 1001 COUNTER_DECL(create_mbuf_netlayer); 1002 static void 1003 mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf, 1004 struct label *oldmbuflabel, struct mbuf *newmbuf, 1005 struct label *newmbuflabel) 1006 { 1007 1008 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF); 1009 LABEL_CHECK(newmbuflabel, MAGIC_MBUF); 1010 COUNTER_INC(create_mbuf_netlayer); 1011 } 1012 1013 COUNTER_DECL(fragment_match); 1014 static int 1015 mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, 1016 struct ipq *ipq, struct label *ipqlabel) 1017 { 1018 1019 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 1020 LABEL_CHECK(ipqlabel, MAGIC_IPQ); 1021 COUNTER_INC(fragment_match); 1022 1023 return (1); 1024 } 1025 1026 COUNTER_DECL(reflect_mbuf_icmp); 1027 static void 1028 mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel) 1029 { 1030 1031 LABEL_CHECK(mlabel, MAGIC_MBUF); 1032 COUNTER_INC(reflect_mbuf_icmp); 1033 } 1034 1035 COUNTER_DECL(reflect_mbuf_tcp); 1036 static void 1037 mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel) 1038 { 1039 1040 LABEL_CHECK(mlabel, MAGIC_MBUF); 1041 COUNTER_INC(reflect_mbuf_tcp); 1042 } 1043 1044 COUNTER_DECL(relabel_ifnet); 1045 static void 1046 mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, 1047 struct label *ifnetlabel, struct label *newlabel) 1048 { 1049 1050 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1051 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 1052 LABEL_CHECK(newlabel, MAGIC_IFNET); 1053 COUNTER_INC(relabel_ifnet); 1054 } 1055 1056 COUNTER_DECL(update_ipq); 1057 static void 1058 mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, 1059 struct ipq *ipq, struct label *ipqlabel) 1060 { 1061 1062 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 1063 LABEL_CHECK(ipqlabel, MAGIC_IPQ); 1064 COUNTER_INC(update_ipq); 1065 } 1066 1067 COUNTER_DECL(inpcb_sosetlabel); 1068 static void 1069 mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel, 1070 struct inpcb *inp, struct label *inplabel) 1071 { 1072 1073 LABEL_CHECK(solabel, MAGIC_SOCKET); 1074 LABEL_CHECK(inplabel, MAGIC_INPCB); 1075 COUNTER_INC(inpcb_sosetlabel); 1076 } 1077 1078 /* 1079 * Labeling event operations: processes. 1080 */ 1081 COUNTER_DECL(execve_transition); 1082 static void 1083 mac_test_execve_transition(struct ucred *old, struct ucred *new, 1084 struct vnode *vp, struct label *filelabel, 1085 struct label *interpvplabel, struct image_params *imgp, 1086 struct label *execlabel) 1087 { 1088 1089 LABEL_CHECK(old->cr_label, MAGIC_CRED); 1090 LABEL_CHECK(new->cr_label, MAGIC_CRED); 1091 LABEL_CHECK(filelabel, MAGIC_VNODE); 1092 LABEL_CHECK(interpvplabel, MAGIC_VNODE); 1093 LABEL_CHECK(execlabel, MAGIC_CRED); 1094 COUNTER_INC(execve_transition); 1095 } 1096 1097 COUNTER_DECL(execve_will_transition); 1098 static int 1099 mac_test_execve_will_transition(struct ucred *old, struct vnode *vp, 1100 struct label *filelabel, struct label *interpvplabel, 1101 struct image_params *imgp, struct label *execlabel) 1102 { 1103 1104 LABEL_CHECK(old->cr_label, MAGIC_CRED); 1105 LABEL_CHECK(filelabel, MAGIC_VNODE); 1106 LABEL_CHECK(interpvplabel, MAGIC_VNODE); 1107 LABEL_CHECK(execlabel, MAGIC_CRED); 1108 COUNTER_INC(execve_will_transition); 1109 1110 return (0); 1111 } 1112 1113 COUNTER_DECL(create_proc0); 1114 static void 1115 mac_test_create_proc0(struct ucred *cred) 1116 { 1117 1118 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1119 COUNTER_INC(create_proc0); 1120 } 1121 1122 COUNTER_DECL(create_proc1); 1123 static void 1124 mac_test_create_proc1(struct ucred *cred) 1125 { 1126 1127 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1128 COUNTER_INC(create_proc1); 1129 } 1130 1131 COUNTER_DECL(relabel_cred); 1132 static void 1133 mac_test_relabel_cred(struct ucred *cred, struct label *newlabel) 1134 { 1135 1136 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1137 LABEL_CHECK(newlabel, MAGIC_CRED); 1138 COUNTER_INC(relabel_cred); 1139 } 1140 1141 COUNTER_DECL(thread_userret); 1142 static void 1143 mac_test_thread_userret(struct thread *td) 1144 { 1145 1146 COUNTER_INC(thread_userret); 1147 } 1148 1149 /* 1150 * Label cleanup/flush operations 1151 */ 1152 COUNTER_DECL(cleanup_sysv_msgmsg); 1153 static void 1154 mac_test_cleanup_sysv_msgmsg(struct label *msglabel) 1155 { 1156 1157 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1158 COUNTER_INC(cleanup_sysv_msgmsg); 1159 } 1160 1161 COUNTER_DECL(cleanup_sysv_msgqueue); 1162 static void 1163 mac_test_cleanup_sysv_msgqueue(struct label *msqlabel) 1164 { 1165 1166 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 1167 COUNTER_INC(cleanup_sysv_msgqueue); 1168 } 1169 1170 COUNTER_DECL(cleanup_sysv_sem); 1171 static void 1172 mac_test_cleanup_sysv_sem(struct label *semalabel) 1173 { 1174 1175 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); 1176 COUNTER_INC(cleanup_sysv_sem); 1177 } 1178 1179 COUNTER_DECL(cleanup_sysv_shm); 1180 static void 1181 mac_test_cleanup_sysv_shm(struct label *shmlabel) 1182 { 1183 1184 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); 1185 COUNTER_INC(cleanup_sysv_shm); 1186 } 1187 1188 /* 1189 * Access control checks. 1190 */ 1191 COUNTER_DECL(check_bpfdesc_receive); 1192 static int 1193 mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, 1194 struct ifnet *ifnet, struct label *ifnetlabel) 1195 { 1196 1197 LABEL_CHECK(bpflabel, MAGIC_BPF); 1198 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 1199 COUNTER_INC(check_bpfdesc_receive); 1200 1201 return (0); 1202 } 1203 1204 COUNTER_DECL(check_cred_relabel); 1205 static int 1206 mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel) 1207 { 1208 1209 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1210 LABEL_CHECK(newlabel, MAGIC_CRED); 1211 COUNTER_INC(check_cred_relabel); 1212 1213 return (0); 1214 } 1215 1216 COUNTER_DECL(check_cred_visible); 1217 static int 1218 mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2) 1219 { 1220 1221 LABEL_CHECK(u1->cr_label, MAGIC_CRED); 1222 LABEL_CHECK(u2->cr_label, MAGIC_CRED); 1223 COUNTER_INC(check_cred_visible); 1224 1225 return (0); 1226 } 1227 1228 COUNTER_DECL(check_ifnet_relabel); 1229 static int 1230 mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, 1231 struct label *ifnetlabel, struct label *newlabel) 1232 { 1233 1234 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1235 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 1236 LABEL_CHECK(newlabel, MAGIC_IFNET); 1237 COUNTER_INC(check_ifnet_relabel); 1238 1239 return (0); 1240 } 1241 1242 COUNTER_DECL(check_ifnet_transmit); 1243 static int 1244 mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, 1245 struct mbuf *m, struct label *mbuflabel) 1246 { 1247 1248 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 1249 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 1250 COUNTER_INC(check_ifnet_transmit); 1251 1252 return (0); 1253 } 1254 1255 COUNTER_DECL(check_inpcb_deliver); 1256 static int 1257 mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, 1258 struct mbuf *m, struct label *mlabel) 1259 { 1260 1261 LABEL_CHECK(inplabel, MAGIC_INPCB); 1262 LABEL_CHECK(mlabel, MAGIC_MBUF); 1263 COUNTER_INC(check_inpcb_deliver); 1264 1265 return (0); 1266 } 1267 1268 COUNTER_DECL(check_sysv_msgmsq); 1269 static int 1270 mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, 1271 struct label *msglabel, struct msqid_kernel *msqkptr, 1272 struct label *msqklabel) 1273 { 1274 1275 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1276 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1277 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1278 COUNTER_INC(check_sysv_msgmsq); 1279 1280 return (0); 1281 } 1282 1283 COUNTER_DECL(check_sysv_msgrcv); 1284 static int 1285 mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr, 1286 struct label *msglabel) 1287 { 1288 1289 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1290 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1291 COUNTER_INC(check_sysv_msgrcv); 1292 1293 return (0); 1294 } 1295 1296 COUNTER_DECL(check_sysv_msgrmid); 1297 static int 1298 mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr, 1299 struct label *msglabel) 1300 { 1301 1302 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1303 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1304 COUNTER_INC(check_sysv_msgrmid); 1305 1306 return (0); 1307 } 1308 1309 COUNTER_DECL(check_sysv_msqget); 1310 static int 1311 mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, 1312 struct label *msqklabel) 1313 { 1314 1315 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1316 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1317 COUNTER_INC(check_sysv_msqget); 1318 1319 return (0); 1320 } 1321 1322 COUNTER_DECL(check_sysv_msqsnd); 1323 static int 1324 mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, 1325 struct label *msqklabel) 1326 { 1327 1328 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1329 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1330 COUNTER_INC(check_sysv_msqsnd); 1331 1332 return (0); 1333 } 1334 1335 COUNTER_DECL(check_sysv_msqrcv); 1336 static int 1337 mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr, 1338 struct label *msqklabel) 1339 { 1340 1341 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1342 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1343 COUNTER_INC(check_sysv_msqrcv); 1344 1345 return (0); 1346 } 1347 1348 COUNTER_DECL(check_sysv_msqctl); 1349 static int 1350 mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, 1351 struct label *msqklabel, int cmd) 1352 { 1353 1354 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1355 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1356 COUNTER_INC(check_sysv_msqctl); 1357 1358 return (0); 1359 } 1360 1361 COUNTER_DECL(check_sysv_semctl); 1362 static int 1363 mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr, 1364 struct label *semaklabel, int cmd) 1365 { 1366 1367 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1368 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 1369 COUNTER_INC(check_sysv_semctl); 1370 1371 return (0); 1372 } 1373 1374 COUNTER_DECL(check_sysv_semget); 1375 static int 1376 mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr, 1377 struct label *semaklabel) 1378 { 1379 1380 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1381 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 1382 COUNTER_INC(check_sysv_semget); 1383 1384 return (0); 1385 } 1386 1387 COUNTER_DECL(check_sysv_semop); 1388 static int 1389 mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr, 1390 struct label *semaklabel, size_t accesstype) 1391 { 1392 1393 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1394 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 1395 COUNTER_INC(check_sysv_semop); 1396 1397 return (0); 1398 } 1399 1400 COUNTER_DECL(check_sysv_shmat); 1401 static int 1402 mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, 1403 struct label *shmseglabel, int shmflg) 1404 { 1405 1406 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1407 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 1408 COUNTER_INC(check_sysv_shmat); 1409 1410 return (0); 1411 } 1412 1413 COUNTER_DECL(check_sysv_shmctl); 1414 static int 1415 mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, 1416 struct label *shmseglabel, int cmd) 1417 { 1418 1419 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1420 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 1421 COUNTER_INC(check_sysv_shmctl); 1422 1423 return (0); 1424 } 1425 1426 COUNTER_DECL(check_sysv_shmdt); 1427 static int 1428 mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr, 1429 struct label *shmseglabel) 1430 { 1431 1432 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1433 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 1434 COUNTER_INC(check_sysv_shmdt); 1435 1436 return (0); 1437 } 1438 1439 COUNTER_DECL(check_sysv_shmget); 1440 static int 1441 mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, 1442 struct label *shmseglabel, int shmflg) 1443 { 1444 1445 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1446 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 1447 COUNTER_INC(check_sysv_shmget); 1448 1449 return (0); 1450 } 1451 1452 COUNTER_DECL(check_kenv_dump); 1453 static int 1454 mac_test_check_kenv_dump(struct ucred *cred) 1455 { 1456 1457 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1458 COUNTER_INC(check_kenv_dump); 1459 1460 return (0); 1461 } 1462 1463 COUNTER_DECL(check_kenv_get); 1464 static int 1465 mac_test_check_kenv_get(struct ucred *cred, char *name) 1466 { 1467 1468 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1469 COUNTER_INC(check_kenv_get); 1470 1471 return (0); 1472 } 1473 1474 COUNTER_DECL(check_kenv_set); 1475 static int 1476 mac_test_check_kenv_set(struct ucred *cred, char *name, char *value) 1477 { 1478 1479 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1480 COUNTER_INC(check_kenv_set); 1481 1482 return (0); 1483 } 1484 1485 COUNTER_DECL(check_kenv_unset); 1486 static int 1487 mac_test_check_kenv_unset(struct ucred *cred, char *name) 1488 { 1489 1490 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1491 COUNTER_INC(check_kenv_unset); 1492 1493 return (0); 1494 } 1495 1496 COUNTER_DECL(check_kld_load); 1497 static int 1498 mac_test_check_kld_load(struct ucred *cred, struct vnode *vp, 1499 struct label *label) 1500 { 1501 1502 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1503 LABEL_CHECK(label, MAGIC_VNODE); 1504 COUNTER_INC(check_kld_load); 1505 1506 return (0); 1507 } 1508 1509 COUNTER_DECL(check_kld_stat); 1510 static int 1511 mac_test_check_kld_stat(struct ucred *cred) 1512 { 1513 1514 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1515 COUNTER_INC(check_kld_stat); 1516 1517 return (0); 1518 } 1519 1520 COUNTER_DECL(check_mount_stat); 1521 static int 1522 mac_test_check_mount_stat(struct ucred *cred, struct mount *mp, 1523 struct label *mplabel) 1524 { 1525 1526 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1527 LABEL_CHECK(mplabel, MAGIC_MOUNT); 1528 COUNTER_INC(check_mount_stat); 1529 1530 return (0); 1531 } 1532 1533 COUNTER_DECL(check_pipe_ioctl); 1534 static int 1535 mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, 1536 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) 1537 { 1538 1539 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1540 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1541 COUNTER_INC(check_pipe_ioctl); 1542 1543 return (0); 1544 } 1545 1546 COUNTER_DECL(check_pipe_poll); 1547 static int 1548 mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp, 1549 struct label *pipelabel) 1550 { 1551 1552 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1553 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1554 COUNTER_INC(check_pipe_poll); 1555 1556 return (0); 1557 } 1558 1559 COUNTER_DECL(check_pipe_read); 1560 static int 1561 mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp, 1562 struct label *pipelabel) 1563 { 1564 1565 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1566 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1567 COUNTER_INC(check_pipe_read); 1568 1569 return (0); 1570 } 1571 1572 COUNTER_DECL(check_pipe_relabel); 1573 static int 1574 mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp, 1575 struct label *pipelabel, struct label *newlabel) 1576 { 1577 1578 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1579 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1580 LABEL_CHECK(newlabel, MAGIC_PIPE); 1581 COUNTER_INC(check_pipe_relabel); 1582 1583 return (0); 1584 } 1585 1586 COUNTER_DECL(check_pipe_stat); 1587 static int 1588 mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp, 1589 struct label *pipelabel) 1590 { 1591 1592 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1593 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1594 COUNTER_INC(check_pipe_stat); 1595 1596 return (0); 1597 } 1598 1599 COUNTER_DECL(check_pipe_write); 1600 static int 1601 mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp, 1602 struct label *pipelabel) 1603 { 1604 1605 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1606 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1607 COUNTER_INC(check_pipe_write); 1608 1609 return (0); 1610 } 1611 1612 COUNTER_DECL(check_posix_sem); 1613 static int 1614 mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr, 1615 struct label *ks_label) 1616 { 1617 1618 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1619 LABEL_CHECK(ks_label, MAGIC_POSIX_SEM); 1620 COUNTER_INC(check_posix_sem); 1621 1622 return (0); 1623 } 1624 1625 COUNTER_DECL(check_proc_debug); 1626 static int 1627 mac_test_check_proc_debug(struct ucred *cred, struct proc *p) 1628 { 1629 1630 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1631 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1632 COUNTER_INC(check_proc_debug); 1633 1634 return (0); 1635 } 1636 1637 COUNTER_DECL(check_proc_sched); 1638 static int 1639 mac_test_check_proc_sched(struct ucred *cred, struct proc *p) 1640 { 1641 1642 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1643 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1644 COUNTER_INC(check_proc_sched); 1645 1646 return (0); 1647 } 1648 1649 COUNTER_DECL(check_proc_signal); 1650 static int 1651 mac_test_check_proc_signal(struct ucred *cred, struct proc *p, int signum) 1652 { 1653 1654 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1655 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1656 COUNTER_INC(check_proc_signal); 1657 1658 return (0); 1659 } 1660 1661 COUNTER_DECL(check_proc_setaudit); 1662 static int 1663 mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai) 1664 { 1665 1666 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1667 COUNTER_INC(check_proc_setaudit); 1668 1669 return (0); 1670 } 1671 1672 COUNTER_DECL(check_proc_setauid); 1673 static int 1674 mac_test_check_proc_setauid(struct ucred *cred, uid_t auid) 1675 { 1676 1677 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1678 COUNTER_INC(check_proc_setauid); 1679 1680 return (0); 1681 } 1682 1683 COUNTER_DECL(check_proc_setuid); 1684 static int 1685 mac_test_check_proc_setuid(struct ucred *cred, uid_t uid) 1686 { 1687 1688 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1689 COUNTER_INC(check_proc_setuid); 1690 1691 return (0); 1692 } 1693 1694 COUNTER_DECL(check_proc_euid); 1695 static int 1696 mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid) 1697 { 1698 1699 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1700 COUNTER_INC(check_proc_euid); 1701 1702 return (0); 1703 } 1704 1705 COUNTER_DECL(check_proc_setgid); 1706 static int 1707 mac_test_check_proc_setgid(struct ucred *cred, gid_t gid) 1708 { 1709 1710 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1711 COUNTER_INC(check_proc_setgid); 1712 1713 return (0); 1714 } 1715 1716 COUNTER_DECL(check_proc_setegid); 1717 static int 1718 mac_test_check_proc_setegid(struct ucred *cred, gid_t egid) 1719 { 1720 1721 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1722 COUNTER_INC(check_proc_setegid); 1723 1724 return (0); 1725 } 1726 1727 COUNTER_DECL(check_proc_setgroups); 1728 static int 1729 mac_test_check_proc_setgroups(struct ucred *cred, int ngroups, 1730 gid_t *gidset) 1731 { 1732 1733 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1734 COUNTER_INC(check_proc_setgroups); 1735 1736 return (0); 1737 } 1738 1739 COUNTER_DECL(check_proc_setreuid); 1740 static int 1741 mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) 1742 { 1743 1744 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1745 COUNTER_INC(check_proc_setreuid); 1746 1747 return (0); 1748 } 1749 1750 COUNTER_DECL(check_proc_setregid); 1751 static int 1752 mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid) 1753 { 1754 1755 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1756 COUNTER_INC(check_proc_setregid); 1757 1758 return (0); 1759 } 1760 1761 COUNTER_DECL(check_proc_setresuid); 1762 static int 1763 mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, 1764 uid_t suid) 1765 { 1766 1767 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1768 COUNTER_INC(check_proc_setresuid); 1769 1770 return (0); 1771 } 1772 1773 COUNTER_DECL(check_proc_setresgid); 1774 static int 1775 mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, 1776 gid_t sgid) 1777 { 1778 1779 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1780 COUNTER_INC(check_proc_setresgid); 1781 1782 return (0); 1783 } 1784 1785 COUNTER_DECL(check_proc_wait); 1786 static int 1787 mac_test_check_proc_wait(struct ucred *cred, struct proc *p) 1788 { 1789 1790 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1791 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1792 COUNTER_INC(check_proc_wait); 1793 1794 return (0); 1795 } 1796 1797 COUNTER_DECL(check_socket_accept); 1798 static int 1799 mac_test_check_socket_accept(struct ucred *cred, struct socket *so, 1800 struct label *solabel) 1801 { 1802 1803 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1804 LABEL_CHECK(solabel, MAGIC_SOCKET); 1805 COUNTER_INC(check_socket_accept); 1806 1807 return (0); 1808 } 1809 1810 COUNTER_DECL(check_socket_bind); 1811 static int 1812 mac_test_check_socket_bind(struct ucred *cred, struct socket *so, 1813 struct label *solabel, struct sockaddr *sa) 1814 { 1815 1816 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1817 LABEL_CHECK(solabel, MAGIC_SOCKET); 1818 COUNTER_INC(check_socket_bind); 1819 1820 return (0); 1821 } 1822 1823 COUNTER_DECL(check_socket_connect); 1824 static int 1825 mac_test_check_socket_connect(struct ucred *cred, struct socket *so, 1826 struct label *solabel, struct sockaddr *sa) 1827 { 1828 1829 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1830 LABEL_CHECK(solabel, MAGIC_SOCKET); 1831 COUNTER_INC(check_socket_connect); 1832 1833 return (0); 1834 } 1835 1836 COUNTER_DECL(check_socket_deliver); 1837 static int 1838 mac_test_check_socket_deliver(struct socket *so, struct label *solabel, 1839 struct mbuf *m, struct label *mlabel) 1840 { 1841 1842 LABEL_CHECK(solabel, MAGIC_SOCKET); 1843 LABEL_CHECK(mlabel, MAGIC_MBUF); 1844 COUNTER_INC(check_socket_deliver); 1845 1846 return (0); 1847 } 1848 1849 COUNTER_DECL(check_socket_listen); 1850 static int 1851 mac_test_check_socket_listen(struct ucred *cred, struct socket *so, 1852 struct label *solabel) 1853 { 1854 1855 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1856 LABEL_CHECK(solabel, MAGIC_SOCKET); 1857 COUNTER_INC(check_socket_listen); 1858 1859 return (0); 1860 } 1861 1862 COUNTER_DECL(check_socket_poll); 1863 static int 1864 mac_test_check_socket_poll(struct ucred *cred, struct socket *so, 1865 struct label *solabel) 1866 { 1867 1868 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1869 LABEL_CHECK(solabel, MAGIC_SOCKET); 1870 COUNTER_INC(check_socket_poll); 1871 1872 return (0); 1873 } 1874 1875 COUNTER_DECL(check_socket_receive); 1876 static int 1877 mac_test_check_socket_receive(struct ucred *cred, struct socket *so, 1878 struct label *solabel) 1879 { 1880 1881 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1882 LABEL_CHECK(solabel, MAGIC_SOCKET); 1883 COUNTER_INC(check_socket_receive); 1884 1885 return (0); 1886 } 1887 1888 COUNTER_DECL(check_socket_relabel); 1889 static int 1890 mac_test_check_socket_relabel(struct ucred *cred, struct socket *so, 1891 struct label *solabel, struct label *newlabel) 1892 { 1893 1894 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1895 LABEL_CHECK(solabel, MAGIC_SOCKET); 1896 LABEL_CHECK(newlabel, MAGIC_SOCKET); 1897 COUNTER_INC(check_socket_relabel); 1898 1899 return (0); 1900 } 1901 1902 COUNTER_DECL(check_socket_send); 1903 static int 1904 mac_test_check_socket_send(struct ucred *cred, struct socket *so, 1905 struct label *solabel) 1906 { 1907 1908 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1909 LABEL_CHECK(solabel, MAGIC_SOCKET); 1910 COUNTER_INC(check_socket_send); 1911 1912 return (0); 1913 } 1914 1915 COUNTER_DECL(check_socket_stat); 1916 static int 1917 mac_test_check_socket_stat(struct ucred *cred, struct socket *so, 1918 struct label *solabel) 1919 { 1920 1921 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1922 LABEL_CHECK(solabel, MAGIC_SOCKET); 1923 COUNTER_INC(check_socket_stat); 1924 1925 return (0); 1926 } 1927 1928 COUNTER_DECL(check_socket_visible); 1929 static int 1930 mac_test_check_socket_visible(struct ucred *cred, struct socket *so, 1931 struct label *solabel) 1932 { 1933 1934 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1935 LABEL_CHECK(solabel, MAGIC_SOCKET); 1936 COUNTER_INC(check_socket_visible); 1937 1938 return (0); 1939 } 1940 1941 COUNTER_DECL(check_system_acct); 1942 static int 1943 mac_test_check_system_acct(struct ucred *cred, struct vnode *vp, 1944 struct label *vplabel) 1945 { 1946 1947 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1948 LABEL_CHECK(vplabel, MAGIC_VNODE); 1949 COUNTER_INC(check_system_acct); 1950 1951 return (0); 1952 } 1953 1954 COUNTER_DECL(check_system_audit); 1955 static int 1956 mac_test_check_system_audit(struct ucred *cred, void *record, int length) 1957 { 1958 1959 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1960 COUNTER_INC(check_system_audit); 1961 1962 return (0); 1963 } 1964 1965 COUNTER_DECL(check_system_auditctl); 1966 static int 1967 mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp, 1968 struct label *vplabel) 1969 { 1970 1971 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1972 LABEL_CHECK(vplabel, MAGIC_VNODE); 1973 COUNTER_INC(check_system_auditctl); 1974 1975 return (0); 1976 } 1977 1978 COUNTER_DECL(check_system_auditon); 1979 static int 1980 mac_test_check_system_auditon(struct ucred *cred, int cmd) 1981 { 1982 1983 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1984 COUNTER_INC(check_system_auditon); 1985 1986 return (0); 1987 } 1988 1989 COUNTER_DECL(check_system_reboot); 1990 static int 1991 mac_test_check_system_reboot(struct ucred *cred, int how) 1992 { 1993 1994 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1995 COUNTER_INC(check_system_reboot); 1996 1997 return (0); 1998 } 1999 2000 COUNTER_DECL(check_system_swapoff); 2001 static int 2002 mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp, 2003 struct label *vplabel) 2004 { 2005 2006 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2007 LABEL_CHECK(vplabel, MAGIC_VNODE); 2008 COUNTER_INC(check_system_swapoff); 2009 2010 return (0); 2011 } 2012 2013 COUNTER_DECL(check_system_swapon); 2014 static int 2015 mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp, 2016 struct label *vplabel) 2017 { 2018 2019 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2020 LABEL_CHECK(vplabel, MAGIC_VNODE); 2021 COUNTER_INC(check_system_swapon); 2022 2023 return (0); 2024 } 2025 2026 COUNTER_DECL(check_system_sysctl); 2027 static int 2028 mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, 2029 void *arg1, int arg2, struct sysctl_req *req) 2030 { 2031 2032 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2033 COUNTER_INC(check_system_sysctl); 2034 2035 return (0); 2036 } 2037 2038 COUNTER_DECL(check_vnode_access); 2039 static int 2040 mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp, 2041 struct label *vplabel, int acc_mode) 2042 { 2043 2044 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2045 LABEL_CHECK(vplabel, MAGIC_VNODE); 2046 COUNTER_INC(check_vnode_access); 2047 2048 return (0); 2049 } 2050 2051 COUNTER_DECL(check_vnode_chdir); 2052 static int 2053 mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, 2054 struct label *dvplabel) 2055 { 2056 2057 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2058 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2059 COUNTER_INC(check_vnode_chdir); 2060 2061 return (0); 2062 } 2063 2064 COUNTER_DECL(check_vnode_chroot); 2065 static int 2066 mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, 2067 struct label *dvplabel) 2068 { 2069 2070 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2071 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2072 COUNTER_INC(check_vnode_chroot); 2073 2074 return (0); 2075 } 2076 2077 COUNTER_DECL(check_vnode_create); 2078 static int 2079 mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp, 2080 struct label *dvplabel, struct componentname *cnp, struct vattr *vap) 2081 { 2082 2083 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2084 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2085 COUNTER_INC(check_vnode_create); 2086 2087 return (0); 2088 } 2089 2090 COUNTER_DECL(check_vnode_delete); 2091 static int 2092 mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp, 2093 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2094 struct componentname *cnp) 2095 { 2096 2097 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2098 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2099 LABEL_CHECK(vplabel, MAGIC_VNODE); 2100 COUNTER_INC(check_vnode_delete); 2101 2102 return (0); 2103 } 2104 2105 COUNTER_DECL(check_vnode_deleteacl); 2106 static int 2107 mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, 2108 struct label *vplabel, acl_type_t type) 2109 { 2110 2111 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2112 LABEL_CHECK(vplabel, MAGIC_VNODE); 2113 COUNTER_INC(check_vnode_deleteacl); 2114 2115 return (0); 2116 } 2117 2118 COUNTER_DECL(check_vnode_deleteextattr); 2119 static int 2120 mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, 2121 struct label *vplabel, int attrnamespace, const char *name) 2122 { 2123 2124 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2125 LABEL_CHECK(vplabel, MAGIC_VNODE); 2126 COUNTER_INC(check_vnode_deleteextattr); 2127 2128 return (0); 2129 } 2130 2131 COUNTER_DECL(check_vnode_exec); 2132 static int 2133 mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp, 2134 struct label *vplabel, struct image_params *imgp, 2135 struct label *execlabel) 2136 { 2137 2138 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2139 LABEL_CHECK(vplabel, MAGIC_VNODE); 2140 LABEL_CHECK(execlabel, MAGIC_CRED); 2141 COUNTER_INC(check_vnode_exec); 2142 2143 return (0); 2144 } 2145 2146 COUNTER_DECL(check_vnode_getacl); 2147 static int 2148 mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp, 2149 struct label *vplabel, acl_type_t type) 2150 { 2151 2152 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2153 LABEL_CHECK(vplabel, MAGIC_VNODE); 2154 COUNTER_INC(check_vnode_getacl); 2155 2156 return (0); 2157 } 2158 2159 COUNTER_DECL(check_vnode_getextattr); 2160 static int 2161 mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 2162 struct label *vplabel, int attrnamespace, const char *name, 2163 struct uio *uio) 2164 { 2165 2166 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2167 LABEL_CHECK(vplabel, MAGIC_VNODE); 2168 COUNTER_INC(check_vnode_getextattr); 2169 2170 return (0); 2171 } 2172 2173 COUNTER_DECL(check_vnode_link); 2174 static int 2175 mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp, 2176 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2177 struct componentname *cnp) 2178 { 2179 2180 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2181 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2182 LABEL_CHECK(vplabel, MAGIC_VNODE); 2183 COUNTER_INC(check_vnode_link); 2184 2185 return (0); 2186 } 2187 2188 COUNTER_DECL(check_vnode_listextattr); 2189 static int 2190 mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, 2191 struct label *vplabel, int attrnamespace) 2192 { 2193 2194 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2195 LABEL_CHECK(vplabel, MAGIC_VNODE); 2196 COUNTER_INC(check_vnode_listextattr); 2197 2198 return (0); 2199 } 2200 2201 COUNTER_DECL(check_vnode_lookup); 2202 static int 2203 mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 2204 struct label *dvplabel, struct componentname *cnp) 2205 { 2206 2207 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2208 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2209 COUNTER_INC(check_vnode_lookup); 2210 2211 return (0); 2212 } 2213 2214 COUNTER_DECL(check_vnode_mmap); 2215 static int 2216 mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp, 2217 struct label *vplabel, int prot, int flags) 2218 { 2219 2220 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2221 LABEL_CHECK(vplabel, MAGIC_VNODE); 2222 COUNTER_INC(check_vnode_mmap); 2223 2224 return (0); 2225 } 2226 2227 COUNTER_DECL(check_vnode_open); 2228 static int 2229 mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp, 2230 struct label *vplabel, int acc_mode) 2231 { 2232 2233 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2234 LABEL_CHECK(vplabel, MAGIC_VNODE); 2235 COUNTER_INC(check_vnode_open); 2236 2237 return (0); 2238 } 2239 2240 COUNTER_DECL(check_vnode_poll); 2241 static int 2242 mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, 2243 struct vnode *vp, struct label *vplabel) 2244 { 2245 2246 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2247 if (file_cred != NULL) 2248 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2249 LABEL_CHECK(vplabel, MAGIC_VNODE); 2250 COUNTER_INC(check_vnode_poll); 2251 2252 return (0); 2253 } 2254 2255 COUNTER_DECL(check_vnode_read); 2256 static int 2257 mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, 2258 struct vnode *vp, struct label *vplabel) 2259 { 2260 2261 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2262 if (file_cred != NULL) 2263 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2264 LABEL_CHECK(vplabel, MAGIC_VNODE); 2265 COUNTER_INC(check_vnode_read); 2266 2267 return (0); 2268 } 2269 2270 COUNTER_DECL(check_vnode_readdir); 2271 static int 2272 mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, 2273 struct label *dvplabel) 2274 { 2275 2276 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2277 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2278 COUNTER_INC(check_vnode_readdir); 2279 2280 return (0); 2281 } 2282 2283 COUNTER_DECL(check_vnode_readlink); 2284 static int 2285 mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp, 2286 struct label *vplabel) 2287 { 2288 2289 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2290 LABEL_CHECK(vplabel, MAGIC_VNODE); 2291 COUNTER_INC(check_vnode_readlink); 2292 2293 return (0); 2294 } 2295 2296 COUNTER_DECL(check_vnode_relabel); 2297 static int 2298 mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp, 2299 struct label *vplabel, struct label *newlabel) 2300 { 2301 2302 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2303 LABEL_CHECK(vplabel, MAGIC_VNODE); 2304 LABEL_CHECK(newlabel, MAGIC_VNODE); 2305 COUNTER_INC(check_vnode_relabel); 2306 2307 return (0); 2308 } 2309 2310 COUNTER_DECL(check_vnode_rename_from); 2311 static int 2312 mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 2313 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2314 struct componentname *cnp) 2315 { 2316 2317 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2318 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2319 LABEL_CHECK(vplabel, MAGIC_VNODE); 2320 COUNTER_INC(check_vnode_rename_from); 2321 2322 return (0); 2323 } 2324 2325 COUNTER_DECL(check_vnode_rename_to); 2326 static int 2327 mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, 2328 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2329 int samedir, struct componentname *cnp) 2330 { 2331 2332 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2333 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2334 LABEL_CHECK(vplabel, MAGIC_VNODE); 2335 COUNTER_INC(check_vnode_rename_to); 2336 2337 return (0); 2338 } 2339 2340 COUNTER_DECL(check_vnode_revoke); 2341 static int 2342 mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp, 2343 struct label *vplabel) 2344 { 2345 2346 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2347 LABEL_CHECK(vplabel, MAGIC_VNODE); 2348 COUNTER_INC(check_vnode_revoke); 2349 2350 return (0); 2351 } 2352 2353 COUNTER_DECL(check_vnode_setacl); 2354 static int 2355 mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp, 2356 struct label *vplabel, acl_type_t type, struct acl *acl) 2357 { 2358 2359 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2360 LABEL_CHECK(vplabel, MAGIC_VNODE); 2361 COUNTER_INC(check_vnode_setacl); 2362 2363 return (0); 2364 } 2365 2366 COUNTER_DECL(check_vnode_setextattr); 2367 static int 2368 mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, 2369 struct label *vplabel, int attrnamespace, const char *name, 2370 struct uio *uio) 2371 { 2372 2373 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2374 LABEL_CHECK(vplabel, MAGIC_VNODE); 2375 COUNTER_INC(check_vnode_setextattr); 2376 2377 return (0); 2378 } 2379 2380 COUNTER_DECL(check_vnode_setflags); 2381 static int 2382 mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp, 2383 struct label *vplabel, u_long flags) 2384 { 2385 2386 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2387 LABEL_CHECK(vplabel, MAGIC_VNODE); 2388 COUNTER_INC(check_vnode_setflags); 2389 2390 return (0); 2391 } 2392 2393 COUNTER_DECL(check_vnode_setmode); 2394 static int 2395 mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp, 2396 struct label *vplabel, mode_t mode) 2397 { 2398 2399 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2400 LABEL_CHECK(vplabel, MAGIC_VNODE); 2401 COUNTER_INC(check_vnode_setmode); 2402 2403 return (0); 2404 } 2405 2406 COUNTER_DECL(check_vnode_setowner); 2407 static int 2408 mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp, 2409 struct label *vplabel, uid_t uid, gid_t gid) 2410 { 2411 2412 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2413 LABEL_CHECK(vplabel, MAGIC_VNODE); 2414 COUNTER_INC(check_vnode_setowner); 2415 2416 return (0); 2417 } 2418 2419 COUNTER_DECL(check_vnode_setutimes); 2420 static int 2421 mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 2422 struct label *vplabel, struct timespec atime, struct timespec mtime) 2423 { 2424 2425 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2426 LABEL_CHECK(vplabel, MAGIC_VNODE); 2427 COUNTER_INC(check_vnode_setutimes); 2428 2429 return (0); 2430 } 2431 2432 COUNTER_DECL(check_vnode_stat); 2433 static int 2434 mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, 2435 struct vnode *vp, struct label *vplabel) 2436 { 2437 2438 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2439 if (file_cred != NULL) 2440 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2441 LABEL_CHECK(vplabel, MAGIC_VNODE); 2442 COUNTER_INC(check_vnode_stat); 2443 2444 return (0); 2445 } 2446 2447 COUNTER_DECL(check_vnode_write); 2448 static int 2449 mac_test_check_vnode_write(struct ucred *active_cred, 2450 struct ucred *file_cred, struct vnode *vp, struct label *vplabel) 2451 { 2452 2453 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2454 if (file_cred != NULL) 2455 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2456 LABEL_CHECK(vplabel, MAGIC_VNODE); 2457 COUNTER_INC(check_vnode_write); 2458 2459 return (0); 2460 } 2461 2462 static struct mac_policy_ops mac_test_ops = 2463 { 2464 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label, 2465 .mpo_init_cred_label = mac_test_init_cred_label, 2466 .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label, 2467 .mpo_init_ifnet_label = mac_test_init_ifnet_label, 2468 .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label, 2469 .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label, 2470 .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label, 2471 .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label, 2472 .mpo_init_inpcb_label = mac_test_init_inpcb_label, 2473 .mpo_init_ipq_label = mac_test_init_ipq_label, 2474 .mpo_init_mbuf_label = mac_test_init_mbuf_label, 2475 .mpo_init_mount_label = mac_test_init_mount_label, 2476 .mpo_init_pipe_label = mac_test_init_pipe_label, 2477 .mpo_init_posix_sem_label = mac_test_init_posix_sem_label, 2478 .mpo_init_proc_label = mac_test_init_proc_label, 2479 .mpo_init_socket_label = mac_test_init_socket_label, 2480 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label, 2481 .mpo_init_vnode_label = mac_test_init_vnode_label, 2482 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label, 2483 .mpo_destroy_cred_label = mac_test_destroy_cred_label, 2484 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label, 2485 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label, 2486 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label, 2487 .mpo_destroy_sysv_msgqueue_label = 2488 mac_test_destroy_sysv_msgqueue_label, 2489 .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label, 2490 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label, 2491 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label, 2492 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 2493 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 2494 .mpo_destroy_mount_label = mac_test_destroy_mount_label, 2495 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, 2496 .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label, 2497 .mpo_destroy_proc_label = mac_test_destroy_proc_label, 2498 .mpo_destroy_socket_label = mac_test_destroy_socket_label, 2499 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 2500 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 2501 .mpo_copy_cred_label = mac_test_copy_cred_label, 2502 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label, 2503 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label, 2504 .mpo_copy_pipe_label = mac_test_copy_pipe_label, 2505 .mpo_copy_socket_label = mac_test_copy_socket_label, 2506 .mpo_copy_vnode_label = mac_test_copy_vnode_label, 2507 .mpo_externalize_cred_label = mac_test_externalize_label, 2508 .mpo_externalize_ifnet_label = mac_test_externalize_label, 2509 .mpo_externalize_pipe_label = mac_test_externalize_label, 2510 .mpo_externalize_socket_label = mac_test_externalize_label, 2511 .mpo_externalize_socket_peer_label = mac_test_externalize_label, 2512 .mpo_externalize_vnode_label = mac_test_externalize_label, 2513 .mpo_internalize_cred_label = mac_test_internalize_label, 2514 .mpo_internalize_ifnet_label = mac_test_internalize_label, 2515 .mpo_internalize_pipe_label = mac_test_internalize_label, 2516 .mpo_internalize_socket_label = mac_test_internalize_label, 2517 .mpo_internalize_vnode_label = mac_test_internalize_label, 2518 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 2519 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 2520 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 2521 .mpo_create_devfs_device = mac_test_create_devfs_device, 2522 .mpo_create_devfs_directory = mac_test_create_devfs_directory, 2523 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 2524 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 2525 .mpo_create_mount = mac_test_create_mount, 2526 .mpo_relabel_vnode = mac_test_relabel_vnode, 2527 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, 2528 .mpo_update_devfsdirent = mac_test_update_devfsdirent, 2529 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 2530 .mpo_create_pipe = mac_test_create_pipe, 2531 .mpo_create_posix_sem = mac_test_create_posix_sem, 2532 .mpo_create_socket = mac_test_create_socket, 2533 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, 2534 .mpo_relabel_pipe = mac_test_relabel_pipe, 2535 .mpo_relabel_socket = mac_test_relabel_socket, 2536 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 2537 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 2538 .mpo_create_bpfdesc = mac_test_create_bpfdesc, 2539 .mpo_create_ifnet = mac_test_create_ifnet, 2540 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket, 2541 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg, 2542 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue, 2543 .mpo_create_sysv_sem = mac_test_create_sysv_sem, 2544 .mpo_create_sysv_shm = mac_test_create_sysv_shm, 2545 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 2546 .mpo_create_fragment = mac_test_create_fragment, 2547 .mpo_create_ipq = mac_test_create_ipq, 2548 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb, 2549 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 2550 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 2551 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 2552 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 2553 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 2554 .mpo_fragment_match = mac_test_fragment_match, 2555 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp, 2556 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp, 2557 .mpo_relabel_ifnet = mac_test_relabel_ifnet, 2558 .mpo_update_ipq = mac_test_update_ipq, 2559 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel, 2560 .mpo_execve_transition = mac_test_execve_transition, 2561 .mpo_execve_will_transition = mac_test_execve_will_transition, 2562 .mpo_create_proc0 = mac_test_create_proc0, 2563 .mpo_create_proc1 = mac_test_create_proc1, 2564 .mpo_relabel_cred = mac_test_relabel_cred, 2565 .mpo_thread_userret = mac_test_thread_userret, 2566 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg, 2567 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue, 2568 .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem, 2569 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm, 2570 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 2571 .mpo_check_cred_relabel = mac_test_check_cred_relabel, 2572 .mpo_check_cred_visible = mac_test_check_cred_visible, 2573 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 2574 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, 2575 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver, 2576 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq, 2577 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv, 2578 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid, 2579 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget, 2580 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd, 2581 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv, 2582 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl, 2583 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl, 2584 .mpo_check_sysv_semget = mac_test_check_sysv_semget, 2585 .mpo_check_sysv_semop = mac_test_check_sysv_semop, 2586 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat, 2587 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl, 2588 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt, 2589 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget, 2590 .mpo_check_kenv_dump = mac_test_check_kenv_dump, 2591 .mpo_check_kenv_get = mac_test_check_kenv_get, 2592 .mpo_check_kenv_set = mac_test_check_kenv_set, 2593 .mpo_check_kenv_unset = mac_test_check_kenv_unset, 2594 .mpo_check_kld_load = mac_test_check_kld_load, 2595 .mpo_check_kld_stat = mac_test_check_kld_stat, 2596 .mpo_check_mount_stat = mac_test_check_mount_stat, 2597 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 2598 .mpo_check_pipe_poll = mac_test_check_pipe_poll, 2599 .mpo_check_pipe_read = mac_test_check_pipe_read, 2600 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, 2601 .mpo_check_pipe_stat = mac_test_check_pipe_stat, 2602 .mpo_check_pipe_write = mac_test_check_pipe_write, 2603 .mpo_check_posix_sem_destroy = mac_test_check_posix_sem, 2604 .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem, 2605 .mpo_check_posix_sem_open = mac_test_check_posix_sem, 2606 .mpo_check_posix_sem_post = mac_test_check_posix_sem, 2607 .mpo_check_posix_sem_unlink = mac_test_check_posix_sem, 2608 .mpo_check_posix_sem_wait = mac_test_check_posix_sem, 2609 .mpo_check_proc_debug = mac_test_check_proc_debug, 2610 .mpo_check_proc_sched = mac_test_check_proc_sched, 2611 .mpo_check_proc_setaudit = mac_test_check_proc_setaudit, 2612 .mpo_check_proc_setauid = mac_test_check_proc_setauid, 2613 .mpo_check_proc_setuid = mac_test_check_proc_setuid, 2614 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid, 2615 .mpo_check_proc_setgid = mac_test_check_proc_setgid, 2616 .mpo_check_proc_setegid = mac_test_check_proc_setegid, 2617 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups, 2618 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid, 2619 .mpo_check_proc_setregid = mac_test_check_proc_setregid, 2620 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid, 2621 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid, 2622 .mpo_check_proc_signal = mac_test_check_proc_signal, 2623 .mpo_check_proc_wait = mac_test_check_proc_wait, 2624 .mpo_check_socket_accept = mac_test_check_socket_accept, 2625 .mpo_check_socket_bind = mac_test_check_socket_bind, 2626 .mpo_check_socket_connect = mac_test_check_socket_connect, 2627 .mpo_check_socket_deliver = mac_test_check_socket_deliver, 2628 .mpo_check_socket_listen = mac_test_check_socket_listen, 2629 .mpo_check_socket_poll = mac_test_check_socket_poll, 2630 .mpo_check_socket_receive = mac_test_check_socket_receive, 2631 .mpo_check_socket_relabel = mac_test_check_socket_relabel, 2632 .mpo_check_socket_send = mac_test_check_socket_send, 2633 .mpo_check_socket_stat = mac_test_check_socket_stat, 2634 .mpo_check_socket_visible = mac_test_check_socket_visible, 2635 .mpo_check_system_acct = mac_test_check_system_acct, 2636 .mpo_check_system_audit = mac_test_check_system_audit, 2637 .mpo_check_system_auditctl = mac_test_check_system_auditctl, 2638 .mpo_check_system_auditon = mac_test_check_system_auditon, 2639 .mpo_check_system_reboot = mac_test_check_system_reboot, 2640 .mpo_check_system_swapoff = mac_test_check_system_swapoff, 2641 .mpo_check_system_swapon = mac_test_check_system_swapon, 2642 .mpo_check_system_sysctl = mac_test_check_system_sysctl, 2643 .mpo_check_vnode_access = mac_test_check_vnode_access, 2644 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 2645 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 2646 .mpo_check_vnode_create = mac_test_check_vnode_create, 2647 .mpo_check_vnode_delete = mac_test_check_vnode_delete, 2648 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 2649 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr, 2650 .mpo_check_vnode_exec = mac_test_check_vnode_exec, 2651 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 2652 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 2653 .mpo_check_vnode_link = mac_test_check_vnode_link, 2654 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr, 2655 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 2656 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 2657 .mpo_check_vnode_open = mac_test_check_vnode_open, 2658 .mpo_check_vnode_poll = mac_test_check_vnode_poll, 2659 .mpo_check_vnode_read = mac_test_check_vnode_read, 2660 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 2661 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, 2662 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 2663 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 2664 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, 2665 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke, 2666 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, 2667 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, 2668 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, 2669 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, 2670 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, 2671 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, 2672 .mpo_check_vnode_stat = mac_test_check_vnode_stat, 2673 .mpo_check_vnode_write = mac_test_check_vnode_write, 2674 }; 2675 2676 MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test", 2677 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot); 2678