xref: /freebsd/sys/security/mac_test/mac_test.c (revision 87569f75a91f298c52a71823c04d41cf53c88889)
1 /*-
2  * Copyright (c) 1999-2002 Robert N. M. Watson
3  * Copyright (c) 2001-2005 McAfee, Inc.
4  * All rights reserved.
5  *
6  * This software was developed by Robert Watson for the TrustedBSD Project.
7  *
8  * This software was developed for the FreeBSD Project in part by McAfee
9  * Research, the Security Research Division of McAfee, Inc. under
10  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11  * CHATS research program.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1. Redistributions of source code must retain the above copyright
17  *    notice, this list of conditions and the following disclaimer.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  *
34  * $FreeBSD$
35  */
36 
37 /*
38  * Developed by the TrustedBSD Project.
39  * Generic mandatory access module that does nothing.
40  */
41 
42 #include <sys/types.h>
43 #include <sys/param.h>
44 #include <sys/acl.h>
45 #include <sys/conf.h>
46 #include <sys/kdb.h>
47 #include <sys/extattr.h>
48 #include <sys/kernel.h>
49 #include <sys/mac.h>
50 #include <sys/malloc.h>
51 #include <sys/mount.h>
52 #include <sys/proc.h>
53 #include <sys/systm.h>
54 #include <sys/sysproto.h>
55 #include <sys/sysent.h>
56 #include <sys/vnode.h>
57 #include <sys/file.h>
58 #include <sys/socket.h>
59 #include <sys/socketvar.h>
60 #include <sys/sx.h>
61 #include <sys/sysctl.h>
62 #include <sys/msg.h>
63 #include <sys/sem.h>
64 #include <sys/shm.h>
65 
66 #include <posix4/ksem.h>
67 
68 #include <fs/devfs/devfs.h>
69 
70 #include <net/bpfdesc.h>
71 #include <net/if.h>
72 #include <net/if_types.h>
73 #include <net/if_var.h>
74 
75 #include <vm/vm.h>
76 
77 #include <sys/mac_policy.h>
78 
SYSCTL_DECL(_security_mac);

/* security.mac.test: parent node for this policy's knob and counters. */
SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * security.mac.test.enabled: writable at run time (CTLFLAG_RW), default 1.
 * NOTE(review): none of the entry points in this part of the file read
 * mac_test_enabled -- confirm whether anything later does; otherwise the
 * "Enforce test policy" description promises more than the knob delivers.
 */
static int mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");
87 
/*
 * Magic values written into this policy's label slot, one per object class.
 * The init hooks stamp the class value, the ASSERT_*_LABEL macros compare
 * against it, and the destroy hooks overwrite it with EXMAGIC so that a
 * label that has already been destroyed can be recognised.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	INPCBMAGIC	0x4440f7bb
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	SYSVIPCMSQMAGIC	0xea672391
#define	SYSVIPCMSGMAGIC	0x8bbba61e
#define	SYSVIPCSEMMAGIC	0x896e8a0b
#define	SYSVIPCSHMMAGIC	0x76119ab0
#define	PIPEMAGIC	0xdc6c9919
#define	POSIXSEMMAGIC	0x78ae980c
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
/* Written by every destroy hook: "this label has been torn down". */
#define	EXMAGIC		0x849ba1fd

/* This policy's slot inside a label; usable as an lvalue. */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long
108 
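/*
 * Label type checks.  Each macro asserts that the label's slot holds either
 * the magic value of the expected object class or 0; a slot holding
 * EXMAGIC (already destroyed) or another class's magic fails the check.
 *
 * These are KASSERT()s, so they are only compiled into kernels built with
 * INVARIANTS; on other kernels the hooks that consist solely of these
 * macros perform no checking at all.
 *
 * ASSERT_MBUF_LABEL additionally tolerates a NULL label pointer.  The
 * argument is parenthesized there so that an expression argument cannot
 * re-associate with the == comparison.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
#define	ASSERT_IFNET_LABEL(x)	KASSERT(SLOT(x) == IFNETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IFNET label", __func__ ))
#define	ASSERT_INPCB_LABEL(x)	KASSERT(SLOT(x) == INPCBMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad INPCB label", __func__ ))
#define	ASSERT_IPQ_LABEL(x)	KASSERT(SLOT(x) == IPQMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad IPQ label", __func__ ))
#define	ASSERT_MBUF_LABEL(x)	KASSERT((x) == NULL ||			\
	SLOT(x) == MBUFMAGIC ||	SLOT(x) == 0,				\
	("%s: Bad MBUF label", __func__ ))
#define	ASSERT_MOUNT_LABEL(x)	KASSERT(SLOT(x) == MOUNTMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ ))
#define	ASSERT_SOCKET_LABEL(x)	KASSERT(SLOT(x) == SOCKETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ ))
#define	ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__ ))
#define	ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__ ))
#define	ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__ ))
#define	ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__ ))
#define	ASSERT_PIPE_LABEL(x)	KASSERT(SLOT(x) == PIPEMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PIPE label", __func__ ))
#define	ASSERT_POSIX_LABEL(x)	KASSERT(SLOT(x) == POSIXSEMMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad POSIX ksem label", __func__ ))
#define	ASSERT_PROC_LABEL(x)	KASSERT(SLOT(x) == PROCMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PROC label", __func__ ))
#define	ASSERT_CRED_LABEL(x)	KASSERT(SLOT(x) == CREDMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad CRED label", __func__ ))
#define	ASSERT_VNODE_LABEL(x)	KASSERT(SLOT(x) == VNODEMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad VNODE label", __func__ ))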
144 
/*
 * Index used by SLOT() to find this policy's storage inside a label.
 * Exported read-only as security.mac.test.slot.
 */
static int test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");
148 
/*
 * Per-class counts of label init calls, exported read-only under
 * security.mac.test.  The init hooks bump them with atomic_add_int().
 * Comparing these with the matching destroy_count_* values is how a
 * label leak would show up.
 */
static int init_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
    &init_count_bpfdesc, 0, "bpfdesc init calls");
static int init_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
    &init_count_cred, 0, "cred init calls");
static int init_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
    &init_count_devfsdirent, 0, "devfsdirent init calls");
static int init_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
    &init_count_ifnet, 0, "ifnet init calls");
static int init_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
    &init_count_inpcb, 0, "inpcb init calls");
static int init_count_sysv_msg;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD,
    &init_count_sysv_msg, 0, "ipc_msg init calls");
static int init_count_sysv_msq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD,
    &init_count_sysv_msq, 0, "ipc_msq init calls");
static int init_count_sysv_sem;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sem, CTLFLAG_RD,
    &init_count_sysv_sem, 0, "ipc_sema init calls");
static int init_count_sysv_shm;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD,
    &init_count_sysv_shm, 0, "ipc_shm init calls");
static int init_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
    &init_count_ipq, 0, "ipq init calls");
static int init_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
    &init_count_mbuf, 0, "mbuf init calls");
static int init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
    &init_count_mount, 0, "mount init calls");
static int init_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
    &init_count_mount_fslabel, 0, "mount_fslabel init calls");
static int init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
    &init_count_socket, 0, "socket init calls");
static int init_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
    CTLFLAG_RD, &init_count_socket_peerlabel, 0,
    "socket_peerlabel init calls");
static int init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
    &init_count_pipe, 0, "pipe init calls");
static int init_count_posixsems;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_posixsems, CTLFLAG_RD,
    &init_count_posixsems, 0, "posix sems init calls");
static int init_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
    &init_count_proc, 0, "proc init calls");
static int init_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
    &init_count_vnode, 0, "vnode init calls");
207 
/*
 * Per-class counts of label destroy calls, exported read-only under
 * security.mac.test.  A destroy hook only increments its counter when the
 * label was still live; duplicate or corrupted destroys are not counted.
 */
static int destroy_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
    &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
static int destroy_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
    &destroy_count_cred, 0, "cred destroy calls");
static int destroy_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
    &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
static int destroy_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
    &destroy_count_ifnet, 0, "ifnet destroy calls");
static int destroy_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
    &destroy_count_inpcb, 0, "inpcb destroy calls");
static int destroy_count_sysv_msg;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD,
    &destroy_count_sysv_msg, 0, "ipc_msg destroy calls");
static int destroy_count_sysv_msq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD,
    &destroy_count_sysv_msq, 0, "ipc_msq destroy calls");
static int destroy_count_sysv_sem;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sem, CTLFLAG_RD,
    &destroy_count_sysv_sem, 0, "ipc_sema destroy calls");
static int destroy_count_sysv_shm;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD,
    &destroy_count_sysv_shm, 0, "ipc_shm destroy calls");
static int destroy_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
    &destroy_count_ipq, 0, "ipq destroy calls");
static int destroy_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
    &destroy_count_mbuf, 0, "mbuf destroy calls");
static int destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
    &destroy_count_mount, 0, "mount destroy calls");
static int destroy_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
    CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
    "mount_fslabel destroy calls");
static int destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
    &destroy_count_socket, 0, "socket destroy calls");
static int destroy_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
    CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
    "socket_peerlabel destroy calls");
static int destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
    &destroy_count_pipe, 0, "pipe destroy calls");
static int destroy_count_posixsems;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_posixsems, CTLFLAG_RD,
    &destroy_count_posixsems, 0, "posix sems destroy calls");
static int destroy_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
    &destroy_count_proc, 0, "proc destroy calls");
static int destroy_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
    &destroy_count_vnode, 0, "vnode destroy calls");
267 
/*
 * Read-only counts of how often the externalize and internalize hooks were
 * entered, for any label type.
 */
static int externalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
static int internalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");
274 
/*
 * How the destroy hooks report a duplicate destroy or a corrupted label.
 * Without KDB the problem is only printed and execution continues, so on
 * such kernels the console/message buffer is the only record of it; with
 * KDB the kernel enters the debugger.
 */
#ifndef KDB
#define	DEBUGGER(x)	printf("mac_test: %s\n", (x))
#else
#define	DEBUGGER(x)	kdb_enter(x)
#endif
280 
281 /*
282  * Policy module operations.
283  */
/* Policy teardown hook: intentionally empty, there is no state to release. */
static void
mac_test_destroy(struct mac_policy_conf *conf)
{
}
289 
/* Policy initialisation hook: intentionally empty. */
static void
mac_test_init(struct mac_policy_conf *conf)
{
}
295 
/*
 * Policy system call hook.  Every call number and argument is accepted and
 * reported as success; arg is never dereferenced.
 */
static int
mac_test_syscall(struct thread *td, int call, void *arg)
{
	return (0);
}
302 
303 /*
304  * Label operations.
305  */
/* Stamp a new bpfdesc label with BPFMAGIC and count the init call. */
static void
mac_test_init_bpfdesc_label(struct label *label)
{
	SLOT(label) = BPFMAGIC;
	atomic_add_int(&init_count_bpfdesc, 1);
}
313 
/* Stamp a new credential label with CREDMAGIC and count the init call. */
static void
mac_test_init_cred_label(struct label *label)
{
	SLOT(label) = CREDMAGIC;
	atomic_add_int(&init_count_cred, 1);
}
321 
/* Stamp a new devfs dirent label with DEVFSMAGIC and count the init call. */
static void
mac_test_init_devfsdirent_label(struct label *label)
{
	SLOT(label) = DEVFSMAGIC;
	atomic_add_int(&init_count_devfsdirent, 1);
}
329 
/* Stamp a new ifnet label with IFNETMAGIC and count the init call. */
static void
mac_test_init_ifnet_label(struct label *label)
{
	SLOT(label) = IFNETMAGIC;
	atomic_add_int(&init_count_ifnet, 1);
}
337 
/*
 * Stamp a new inpcb label with INPCBMAGIC and count the init call.
 *
 * When the caller says it may sleep (M_WAITOK set in flag), WITNESS is asked
 * to warn about held locks; the WARN_* flags exempt Giant and sleepable
 * locks.  Always returns 0.
 */
static int
mac_test_init_inpcb_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_inpcb_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = INPCBMAGIC;
	atomic_add_int(&init_count_inpcb, 1);
	return (0);
}
351 
/* Stamp a new SysV message label with SYSVIPCMSGMAGIC and count the init. */
static void
mac_test_init_sysv_msgmsg_label(struct label *label)
{

	SLOT(label) = SYSVIPCMSGMAGIC;
	atomic_add_int(&init_count_sysv_msg, 1);
}
358 
/* Stamp a new SysV message queue label with SYSVIPCMSQMAGIC; count the init. */
static void
mac_test_init_sysv_msgqueue_label(struct label *label)
{

	SLOT(label) = SYSVIPCMSQMAGIC;
	atomic_add_int(&init_count_sysv_msq, 1);
}
365 
/* Stamp a new SysV semaphore label with SYSVIPCSEMMAGIC; count the init. */
static void
mac_test_init_sysv_sem_label(struct label *label)
{

	SLOT(label) = SYSVIPCSEMMAGIC;
	atomic_add_int(&init_count_sysv_sem, 1);
}
372 
/* Stamp a new SysV shared memory label with SYSVIPCSHMMAGIC; count the init. */
static void
mac_test_init_sysv_shm_label(struct label *label)
{

	SLOT(label) = SYSVIPCSHMMAGIC;
	atomic_add_int(&init_count_sysv_shm, 1);
}
379 
/*
 * Stamp a new IP reassembly queue label with IPQMAGIC and count the init
 * call.  With M_WAITOK in flag, WITNESS is asked to warn about held locks
 * (Giant and sleepable locks are exempt).  Always returns 0.
 */
static int
mac_test_init_ipq_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = IPQMAGIC;
	atomic_add_int(&init_count_ipq, 1);
	return (0);
}
393 
/*
 * Stamp a new mbuf label with MBUFMAGIC and count the init call.  With
 * M_WAITOK in flag, WITNESS is asked to warn about held locks (Giant and
 * sleepable locks are exempt).  Always returns 0.
 */
static int
mac_test_init_mbuf_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = MBUFMAGIC;
	atomic_add_int(&init_count_mbuf, 1);
	return (0);
}
407 
/* Stamp a new mount label with MOUNTMAGIC and count the init call. */
static void
mac_test_init_mount_label(struct label *label)
{
	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount, 1);
}
415 
/*
 * Stamp a new mount fs label and count the init call.  The fs label uses
 * the same MOUNTMAGIC value as the mount label, so the magic checks cannot
 * tell the two label kinds apart; only the counters are separate.
 */
static void
mac_test_init_mount_fs_label(struct label *label)
{
	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount_fslabel, 1);
}
423 
/*
 * Stamp a new socket label with SOCKETMAGIC and count the init call.  With
 * M_WAITOK in flag, WITNESS is asked to warn about held locks (Giant and
 * sleepable locks are exempt).  Always returns 0.
 */
static int
mac_test_init_socket_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket, 1);
	return (0);
}
437 
/*
 * Stamp a new socket peer label and count the init call.  Peer labels share
 * SOCKETMAGIC with ordinary socket labels, so the magic checks do not
 * distinguish them; only the counters are separate.  With M_WAITOK in flag,
 * WITNESS is asked to warn about held locks.  Always returns 0.
 */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket_peerlabel, 1);
	return (0);
}
451 
/* Stamp a new pipe label with PIPEMAGIC and count the init call. */
static void
mac_test_init_pipe_label(struct label *label)
{
	SLOT(label) = PIPEMAGIC;
	atomic_add_int(&init_count_pipe, 1);
}
459 
/* Stamp a new POSIX semaphore label with POSIXSEMMAGIC; count the init. */
static void
mac_test_init_posix_sem_label(struct label *label)
{
	SLOT(label) = POSIXSEMMAGIC;
	atomic_add_int(&init_count_posixsems, 1);
}
467 
/* Stamp a new process label with PROCMAGIC and count the init call. */
static void
mac_test_init_proc_label(struct label *label)
{
	SLOT(label) = PROCMAGIC;
	atomic_add_int(&init_count_proc, 1);
}
475 
/* Stamp a new vnode label with VNODEMAGIC and count the init call. */
static void
mac_test_init_vnode_label(struct label *label)
{
	SLOT(label) = VNODEMAGIC;
	atomic_add_int(&init_count_vnode, 1);
}
483 
/*
 * Destroy hook for bpfdesc labels.  A live label (BPFMAGIC or 0) is counted
 * and re-stamped with EXMAGIC so a second destroy can be recognised; a label
 * already holding EXMAGIC, or any other value, is reported via DEBUGGER()
 * and left untouched.
 */
static void
mac_test_destroy_bpfdesc_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_bpfdesc: dup destroy");
		return;
	}
	if (SLOT(label) != BPFMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_bpfdesc: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_bpfdesc, 1);
	SLOT(label) = EXMAGIC;
}
497 
/*
 * Destroy hook for credential labels.  A live label (CREDMAGIC or 0) is
 * counted and re-stamped with EXMAGIC; a repeated destroy or an unexpected
 * slot value is reported via DEBUGGER() and the label is left untouched.
 */
static void
mac_test_destroy_cred_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_cred: dup destroy");
		return;
	}
	if (SLOT(label) != CREDMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_cred: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_cred, 1);
	SLOT(label) = EXMAGIC;
}
511 
/*
 * Destroy hook for devfs dirent labels.  A live label (DEVFSMAGIC or 0) is
 * counted and re-stamped with EXMAGIC; a repeated destroy or an unexpected
 * slot value is reported via DEBUGGER() and the label is left untouched.
 */
static void
mac_test_destroy_devfsdirent_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_devfsdirent: dup destroy");
		return;
	}
	if (SLOT(label) != DEVFSMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_devfsdirent: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_devfsdirent, 1);
	SLOT(label) = EXMAGIC;
}
525 
/*
 * Destroy hook for ifnet labels.  A live label (IFNETMAGIC or 0) is counted
 * and re-stamped with EXMAGIC; a repeated destroy or an unexpected slot
 * value is reported via DEBUGGER() and the label is left untouched.
 */
static void
mac_test_destroy_ifnet_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_ifnet: dup destroy");
		return;
	}
	if (SLOT(label) != IFNETMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_ifnet: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_ifnet, 1);
	SLOT(label) = EXMAGIC;
}
539 
/*
 * Destroy hook for inpcb labels.  A live label (INPCBMAGIC or 0) is counted
 * and re-stamped with EXMAGIC; a repeated destroy or an unexpected slot
 * value is reported via DEBUGGER() and the label is left untouched.
 */
static void
mac_test_destroy_inpcb_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_inpcb: dup destroy");
		return;
	}
	if (SLOT(label) != INPCBMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_inpcb: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_inpcb, 1);
	SLOT(label) = EXMAGIC;
}
553 
/*
 * Destroy hook for SysV message labels.  A live label (SYSVIPCMSGMAGIC or
 * 0) is counted and re-stamped with EXMAGIC; a repeated destroy or an
 * unexpected slot value is reported via DEBUGGER() and the label is left
 * untouched.
 */
static void
mac_test_destroy_sysv_msgmsg_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy");
		return;
	}
	if (SLOT(label) != SYSVIPCMSGMAGIC && SLOT(label) != 0) {
		DEBUGGER(
		    "mac_test_destroy_sysv_msgmsg_label: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_sysv_msg, 1);
	SLOT(label) = EXMAGIC;
}
568 
/*
 * Destroy hook for SysV message queue labels.  A live label
 * (SYSVIPCMSQMAGIC or 0) is counted and re-stamped with EXMAGIC; a repeated
 * destroy or an unexpected slot value is reported via DEBUGGER() and the
 * label is left untouched.
 */
static void
mac_test_destroy_sysv_msgqueue_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy");
		return;
	}
	if (SLOT(label) != SYSVIPCMSQMAGIC && SLOT(label) != 0) {
		DEBUGGER(
		    "mac_test_destroy_sysv_msgqueue_label: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_sysv_msq, 1);
	SLOT(label) = EXMAGIC;
}
583 
/*
 * Destroy hook for SysV semaphore labels.  A live label (SYSVIPCSEMMAGIC or
 * 0) is counted and re-stamped with EXMAGIC; a repeated destroy or an
 * unexpected slot value is reported via DEBUGGER() and the label is left
 * untouched.
 */
static void
mac_test_destroy_sysv_sem_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_sem_label: dup destroy");
		return;
	}
	if (SLOT(label) != SYSVIPCSEMMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_sysv_sem_label: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_sysv_sem, 1);
	SLOT(label) = EXMAGIC;
}
597 
/*
 * Destroy hook for SysV shared memory labels.  A live label
 * (SYSVIPCSHMMAGIC or 0) is counted and re-stamped with EXMAGIC; a repeated
 * destroy or an unexpected slot value is reported via DEBUGGER() and the
 * label is left untouched.
 */
static void
mac_test_destroy_sysv_shm_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy");
		return;
	}
	if (SLOT(label) != SYSVIPCSHMMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_sysv_shm, 1);
	SLOT(label) = EXMAGIC;
}
611 
/*
 * Destroy hook for IP reassembly queue labels.  A live label (IPQMAGIC or
 * 0) is counted and re-stamped with EXMAGIC; a repeated destroy or an
 * unexpected slot value is reported via DEBUGGER() and the label is left
 * untouched.
 */
static void
mac_test_destroy_ipq_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_ipq: dup destroy");
		return;
	}
	if (SLOT(label) != IPQMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_ipq: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_ipq, 1);
	SLOT(label) = EXMAGIC;
}
625 
/*
 * Destroy hook for mbuf labels.  Unlike the other destroy hooks this one
 * accepts a NULL label.  A live label (MBUFMAGIC or 0) is counted and
 * re-stamped with EXMAGIC; a repeated destroy or an unexpected slot value
 * is reported via DEBUGGER() and the label is left untouched.
 */
static void
mac_test_destroy_mbuf_label(struct label *label)
{
	/*
	 * A dynamically loaded policy can see mbufs that were already in
	 * flight and never had label storage allocated; there is nothing
	 * to check or count for those.
	 */
	if (label == NULL)
		return;

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mbuf: dup destroy");
		return;
	}
	if (SLOT(label) != MBUFMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_mbuf: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_mbuf, 1);
	SLOT(label) = EXMAGIC;
}
647 
/*
 * Destroy hook for mount labels.  A live label (MOUNTMAGIC or 0) is counted
 * and re-stamped with EXMAGIC; a repeated destroy or an unexpected slot
 * value is reported via DEBUGGER() and the label is left untouched.
 */
static void
mac_test_destroy_mount_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mount: dup destroy");
		return;
	}
	if (SLOT(label) != MOUNTMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_mount: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_mount, 1);
	SLOT(label) = EXMAGIC;
}
661 
/*
 * Destroy hook for mount fs labels, which carry MOUNTMAGIC like mount
 * labels.  A live label (MOUNTMAGIC or 0) is counted and re-stamped with
 * EXMAGIC; a repeated destroy or an unexpected slot value is reported via
 * DEBUGGER() and the label is left untouched.
 */
static void
mac_test_destroy_mount_fs_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy");
		return;
	}
	if (SLOT(label) != MOUNTMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_mount_fslabel, 1);
	SLOT(label) = EXMAGIC;
}
675 
/*
 * Destroy hook for socket labels.  A live label (SOCKETMAGIC or 0) is
 * counted and re-stamped with EXMAGIC; a repeated destroy or an unexpected
 * slot value is reported via DEBUGGER() and the label is left untouched.
 */
static void
mac_test_destroy_socket_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_socket: dup destroy");
		return;
	}
	if (SLOT(label) != SOCKETMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_socket: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_socket, 1);
	SLOT(label) = EXMAGIC;
}
689 
/*
 * Destroy hook for socket peer labels, which carry SOCKETMAGIC like socket
 * labels.  A live label (SOCKETMAGIC or 0) is counted and re-stamped with
 * EXMAGIC; a repeated destroy or an unexpected slot value is reported via
 * DEBUGGER() and the label is left untouched.
 */
static void
mac_test_destroy_socket_peer_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy");
		return;
	}
	if (SLOT(label) != SOCKETMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_socket_peerlabel, 1);
	SLOT(label) = EXMAGIC;
}
703 
/*
 * Destroy hook for pipe labels.  A live label (PIPEMAGIC or 0) is counted
 * and re-stamped with EXMAGIC; a repeated destroy or an unexpected slot
 * value is reported via DEBUGGER() and the label is left untouched.
 */
static void
mac_test_destroy_pipe_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_pipe: dup destroy");
		return;
	}
	if (SLOT(label) != PIPEMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_pipe: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_pipe, 1);
	SLOT(label) = EXMAGIC;
}
717 
/*
 * Destroy hook for POSIX semaphore labels.  A live label (POSIXSEMMAGIC or
 * 0) is counted and re-stamped with EXMAGIC; a repeated destroy or an
 * unexpected slot value is reported via DEBUGGER() and the label is left
 * untouched.
 */
static void
mac_test_destroy_posix_sem_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_posix_sem: dup destroy");
		return;
	}
	if (SLOT(label) != POSIXSEMMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_posix_sem: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_posixsems, 1);
	SLOT(label) = EXMAGIC;
}
731 
/*
 * Destroy hook for process labels.  A live label (PROCMAGIC or 0) is
 * counted and re-stamped with EXMAGIC; a repeated destroy or an unexpected
 * slot value is reported via DEBUGGER() and the label is left untouched.
 */
static void
mac_test_destroy_proc_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_proc: dup destroy");
		return;
	}
	if (SLOT(label) != PROCMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_proc: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_proc, 1);
	SLOT(label) = EXMAGIC;
}
745 
/*
 * Destroy hook for vnode labels.  A live label (VNODEMAGIC or 0) is counted
 * and re-stamped with EXMAGIC; a repeated destroy or an unexpected slot
 * value is reported via DEBUGGER() and the label is left untouched.
 */
static void
mac_test_destroy_vnode_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_vnode: dup destroy");
		return;
	}
	if (SLOT(label) != VNODEMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_vnode: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_vnode, 1);
	SLOT(label) = EXMAGIC;
}
759 
/*
 * Credential label copy hook.  Nothing is copied: both labels are only
 * checked to be credential labels (the checks are KASSERTs).
 */
static void
mac_test_copy_cred_label(struct label *src, struct label *dest)
{
	ASSERT_CRED_LABEL(src);
	ASSERT_CRED_LABEL(dest);
}
767 
/*
 * ifnet label copy hook.  Nothing is copied: both labels are only checked
 * to be ifnet labels (the checks are KASSERTs).
 */
static void
mac_test_copy_ifnet_label(struct label *src, struct label *dest)
{
	ASSERT_IFNET_LABEL(src);
	ASSERT_IFNET_LABEL(dest);
}
775 
/*
 * mbuf label copy hook.  Nothing is copied: both labels are only checked to
 * be mbuf labels; ASSERT_MBUF_LABEL also lets a NULL label through.
 */
static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{
	ASSERT_MBUF_LABEL(src);
	ASSERT_MBUF_LABEL(dest);
}
783 
/*
 * Pipe label copy hook.  Nothing is copied: both labels are only checked to
 * be pipe labels (the checks are KASSERTs).
 */
static void
mac_test_copy_pipe_label(struct label *src, struct label *dest)
{
	ASSERT_PIPE_LABEL(src);
	ASSERT_PIPE_LABEL(dest);
}
791 
/*
 * Socket label copy hook.  Nothing is copied: both labels are only checked
 * to be socket labels (the checks are KASSERTs).
 */
static void
mac_test_copy_socket_label(struct label *src, struct label *dest)
{
	ASSERT_SOCKET_LABEL(src);
	ASSERT_SOCKET_LABEL(dest);
}
799 
/*
 * Vnode label copy hook.  Nothing is copied: both labels are only checked
 * to be vnode labels (the checks are KASSERTs).
 */
static void
mac_test_copy_vnode_label(struct label *src, struct label *dest)
{
	ASSERT_VNODE_LABEL(src);
	ASSERT_VNODE_LABEL(dest);
}
807 
/*
 * Externalize hook shared by all label types.  Counts the call and asserts
 * that the label has not already been destroyed (slot != EXMAGIC).  Nothing
 * is written to sb and *claimed is not touched; always returns 0.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{
	atomic_add_int(&externalize_count, 1);
	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_externalize_label: destroyed label"));
	return (0);
}
820 
/*
 * Internalize hook shared by all label types.  Counts the call and asserts
 * that the target label has not already been destroyed (slot != EXMAGIC).
 * element_data is never parsed and *claimed is not touched; always
 * returns 0.
 */
static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{
	atomic_add_int(&internalize_count, 1);
	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_internalize_label: destroyed label"));
	return (0);
}
833 
834 /*
835  * Labeling event operations: file system objects, and things that look
836  * a lot like file system objects.
837  */
/*
 * devfs vnode association event: checks that the mount fs label, the devfs
 * dirent label and the vnode label each carry the expected class magic.
 */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_DEVFS_LABEL(delabel);
	ASSERT_VNODE_LABEL(vlabel);
}
848 
/*
 * Extended-attribute vnode association event: checks the mount fs label and
 * the vnode label.  No extended attribute is read; always returns 0.
 */
static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);

	return (0);
}
858 
/*
 * Single-label vnode association event: checks the mount fs label and the
 * vnode label.
 */
static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
}
867 
/*
 * devfs device creation event: checks the new dirent's label and, when a
 * credential is supplied, the credential's label.  A NULL cred is tolerated
 * here.
 */
static void
mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
{
	/* The credential is optional for this event. */
	if (cred != NULL) {
		ASSERT_CRED_LABEL(cred->cr_label);
	}

	ASSERT_DEVFS_LABEL(label);
}
878 
/*
 * devfs directory creation event: checks the new dirent's label.  dirname
 * and dirnamelen are not examined.
 */
static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{
	ASSERT_DEVFS_LABEL(label);
}
886 
/*
 * devfs symlink creation event: checks the credential label and both dirent
 * labels.
 *
 * NOTE(review): cred is dereferenced unconditionally here, whereas
 * mac_test_create_devfs_device() tolerates a NULL cred -- presumably a
 * credential is always supplied for symlinks; verify against the callers.
 */
static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_DEVFS_LABEL(ddlabel);
	ASSERT_DEVFS_LABEL(delabel);
}
897 
/*
 * Extended-attribute vnode creation event: checks the credential label, the
 * mount fs label and the parent directory's vnode label.  Always returns 0.
 *
 * NOTE(review): vlabel, the new vnode's label, is accepted without a check
 * -- confirm whether it is expected to be initialized at this point.
 */
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(dlabel);
	return (0);
}
910 
/*
 * Mount creation event: checks the credential label and both the mount and
 * fs labels (the latter two share MOUNTMAGIC).
 */
static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}
920 
/*
 * Vnode relabel event: checks the credential label, the vnode's current
 * label and the replacement label.  The label itself is not modified.
 */
static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(label);
}
930 
/*
 * Extended-attribute vnode setlabel event: checks the credential label, the
 * vnode's label and the internalized label.  Nothing is written to an
 * extended attribute; always returns 0.
 */
static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vlabel);
	ASSERT_VNODE_LABEL(intlabel);

	return (0);
}
941 
/*
 * devfs dirent update event: checks the dirent label and the vnode label.
 */
static void
mac_test_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{
	ASSERT_DEVFS_LABEL(direntlabel);
	ASSERT_VNODE_LABEL(vnodelabel);
}
951 
952 /*
953  * Labeling event operations: IPC object.
954  */
/*
 * mbuf-from-socket creation event: checks the socket label and the mbuf
 * label (a NULL mbuf label passes ASSERT_MBUF_LABEL).
 */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}
963 
/* Socket creation event: checks the credential label and the socket label. */
static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
}
972 
/* Pipe creation event: checks the credential label and the pipe label. */
static void
mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
}
981 
/*
 * POSIX semaphore creation event: checks the credential label and the
 * semaphore label.
 */
static void
mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem,
    struct label *posixlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_POSIX_LABEL(posixlabel);
}
990 
/*
 * Socket-from-socket creation event: checks that both the old and the new
 * socket carry socket labels.
 */
static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{
	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketlabel);
}
1000 
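/*
 * Labeling event: socket relabel.  Asserts the subject credential's label,
 * the socket's existing label and the replacement label.
 *
 * The existing label (socketlabel) is checked as well as newlabel so that
 * this hook validates the same set of labels as the pipe, ifnet and vnode
 * relabel hooks in this file; otherwise a damaged label on the object being
 * relabeled would pass through this entry point unnoticed.
 */
static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);
}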
1009 
/*
 * Labeling event: pipe relabel.  Asserts the subject credential's label, the
 * pipe's label and the new label; pp is unused.
 */
static void
mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
}
1019 
/*
 * Labeling event: socket peer label set from an mbuf.  Asserts the mbuf
 * label and the socket peer label (the latter with the socket-label check).
 */
static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{

	ASSERT_MBUF_LABEL(mbuflabel);
	ASSERT_SOCKET_LABEL(socketpeerlabel);
}
1028 
1029 /*
1030  * Labeling event operations: network objects.
1031  */
/*
 * Labeling event: socket peer label set from another socket.  Asserts the
 * old socket's label and the new socket's peer label; both are checked with
 * the socket-label assertion.
 */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}
1041 
/*
 * Labeling event: BPF descriptor creation.  Asserts the creating
 * credential's label and the BPF descriptor label; bpf_d is unused.
 */
static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}
1050 
/*
 * Labeling event: datagram created from an IP fragment queue.  Asserts the
 * ipq label and the datagram's mbuf label.
 */
static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}
1059 
/*
 * Labeling event: fragment created from a datagram.  Asserts the mbuf labels
 * of both the datagram and the fragment.
 */
static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}
1068 
/*
 * Labeling event: network interface creation.  Asserts the interface label;
 * ifnet itself is unused.
 */
static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
}
1075 
/*
 * Labeling event: inpcb created from a socket.  Asserts the socket label and
 * the inpcb label.
 */
static void
mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}
1084 
/*
 * Labeling event: System V message creation.  Asserts the message label and
 * the message queue label.
 *
 * NOTE(review): cred is accepted but its label is not asserted here, unlike
 * the socket/pipe/bpf creation hooks in this file -- confirm this is
 * intentional.
 */
static void
mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}
1093 
/*
 * Labeling event: System V message queue creation.  Asserts the queue label
 * only; cred and msqkptr are not examined.
 */
static void
mac_test_create_sysv_msgqueue(struct ucred *cred,
    struct msqid_kernel *msqkptr, struct label *msqlabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}
1101 
/*
 * Labeling event: System V semaphore creation.  Asserts the semaphore label
 * only; cred and semakptr are not examined.
 */
static void
mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semalabel)
{

	ASSERT_SYSVIPCSEM_LABEL(semalabel);
}
1109 
/*
 * Labeling event: System V shared memory segment creation.  Asserts the
 * segment label only; cred and shmsegptr are not examined.
 */
static void
mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmlabel)
{

	ASSERT_SYSVIPCSHM_LABEL(shmlabel);
}
1117 
/*
 * Labeling event: IP fragment queue created from a fragment.  Asserts the
 * fragment's mbuf label and the ipq label.
 */
static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}
1126 
/*
 * Labeling event: mbuf created from an inpcb.  Asserts the inpcb label and
 * the mbuf label.
 */
static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
}
1135 
/*
 * Labeling event: link-layer mbuf created on an interface.  Asserts the
 * interface label and the mbuf label.
 */
static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}
1144 
/*
 * Labeling event: mbuf created from a BPF descriptor.  Asserts the BPF
 * descriptor label and the mbuf label.
 */
static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}
1153 
/*
 * Labeling event: mbuf created from a network interface.  Asserts the
 * interface label and the mbuf label.
 */
static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}
1162 
/*
 * Labeling event: multicast encapsulation of an mbuf.  Asserts the old mbuf
 * label, the interface label and the new mbuf label, in that order.
 */
static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}
1173 
/*
 * Labeling event: network-layer mbuf created from another mbuf.  Asserts the
 * labels of both the old and the new mbuf.
 */
static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}
1183 
/*
 * Fragment/queue matching hook.  Asserts the fragment's mbuf label and the
 * ipq label, then unconditionally returns 1: this policy never reports a
 * label mismatch between a fragment and a reassembly queue.
 */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);

	return (1);
}
1194 
/*
 * Labeling event: ICMP reflection of an mbuf.  Asserts the mbuf label; the
 * mbuf itself is not examined.
 */
static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}
1201 
/*
 * Labeling event: TCP reflection of an mbuf.  Asserts the mbuf label; the
 * mbuf itself is not examined.
 */
static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}
1208 
/*
 * Labeling event: network interface relabel.  Asserts the subject
 * credential's label, the interface's label and the new label.
 */
static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
}
1218 
/*
 * Labeling event: IP fragment queue updated with a fragment.  Asserts the
 * fragment's mbuf label and the ipq label.
 */
static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}
1227 
/*
 * Labeling event: inpcb notified of a socket label change.  Asserts the
 * socket label and the inpcb label; no label is propagated.
 */
static void
mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}
1236 
1237 /*
1238  * Labeling event operations: processes.
1239  */
/*
 * Labeling event: credential transition at execve.  Asserts the old and new
 * credential labels and the label of the file being executed.  The
 * interpreter vnode label and the exec label are optional and are asserted
 * only when non-NULL; execlabel is checked as a credential label.  vp and
 * imgp are not examined.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	/* Optional labels: skip the assertion when the caller passes NULL. */
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}
1257 
/*
 * Query hook: will execve cause a label transition?  Asserts the old
 * credential label and the executed file's label, plus the optional
 * interpreter and exec labels when they are non-NULL, then always returns 0,
 * i.e. this policy never requests a transition.
 */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	/* Optional labels: skip the assertion when the caller passes NULL. */
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}
1275 
/*
 * Labeling event: credential for proc0.  Asserts the credential's label and
 * does nothing else.
 */
static void
mac_test_create_proc0(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}
1282 
/*
 * Labeling event: credential for proc1.  Asserts the credential's label and
 * does nothing else.
 */
static void
mac_test_create_proc1(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}
1289 
/*
 * Labeling event: credential relabel.  Asserts the credential's current
 * label and the new label; the new label is not copied into the credential.
 */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}
1297 
/*
 * Thread return-to-userland hook.  Logs the pid of the current thread's
 * process with printf() on every invocation; no labels are checked.
 *
 * NOTE(review): the td argument is ignored and curthread is used instead --
 * presumably the two are the same thread at this hook; confirm against the
 * caller.  Because this prints on every call it can generate a large volume
 * of console/log output whenever the hook is invoked.
 */
static void
mac_test_thread_userret(struct thread *td)
{

	printf("mac_test_thread_userret(process = %d)\n",
	    curthread->td_proc->p_pid);
}
1305 
1306 /*
1307  * Label cleanup/flush operations
1308  */
/*
 * Label cleanup: System V message.  Asserts the message label; the label
 * contents are not reset here.
 */
static void
mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
}
1315 
/*
 * Label cleanup: System V message queue.  Asserts the queue label; the label
 * contents are not reset here.
 */
static void
mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}
1322 
/*
 * Label cleanup: System V semaphore.  Asserts the semaphore label; the label
 * contents are not reset here.
 */
static void
mac_test_cleanup_sysv_sem(struct label *semalabel)
{

	ASSERT_SYSVIPCSEM_LABEL(semalabel);
}
1329 
/*
 * Label cleanup: System V shared memory segment.  Asserts the segment label;
 * the label contents are not reset here.
 */
static void
mac_test_cleanup_sysv_shm(struct label *shmlabel)
{

	ASSERT_SYSVIPCSHM_LABEL(shmlabel);
}
1336 
1337 /*
1338  * Access control checks.
1339  */
/*
 * Access control check: BPF descriptor receiving from an interface.  Asserts
 * the BPF descriptor label and the interface label, then always returns 0,
 * so the receive is never refused by this policy.
 */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}
1350 
/*
 * Access control check: credential relabel.  Asserts the credential's
 * current label and the requested new label, then always returns 0; the
 * relabel request itself is never refused.
 */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}
1360 
/*
 * Access control check: visibility of one credential to another.  Asserts
 * the labels of both credentials and always returns 0.
 */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);

	return (0);
}
1370 
/*
 * Access control check: network interface relabel.  Asserts the subject
 * credential's label, the interface label and the new label, then always
 * returns 0.
 */
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
	return (0);
}
1381 
/*
 * Access control check: transmitting an mbuf on an interface.  Asserts the
 * interface label and the mbuf label, then always returns 0.
 */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}
1392 
/*
 * Access control check: delivering an mbuf to an inpcb.  Asserts the inpcb
 * label and the mbuf label, then always returns 0.
 */
static int
mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);

	return (0);
}
1403 
/*
 * Access control check: System V message against its queue.  Asserts the
 * queue label, the message label and the subject credential's label, then
 * always returns 0.
 */
static int
mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1416 
/*
 * Access control check: receiving a System V message.  Asserts the message
 * label and the subject credential's label, then always returns 0.
 */
static int
mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1427 
1428 
/*
 * Access control check: removing a System V message.  Asserts the message
 * label and the subject credential's label, then always returns 0.
 */
static int
mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1439 
/*
 * Access control check: msgget on a System V message queue.  Asserts the
 * queue label and the subject credential's label, then always returns 0.
 */
static int
mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1450 
/*
 * Access control check: sending to a System V message queue.  Asserts the
 * queue label and the subject credential's label, then always returns 0.
 */
static int
mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1461 
/*
 * Access control check: receiving from a System V message queue.  Asserts
 * the queue label and the subject credential's label, then always returns 0.
 */
static int
mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1472 
/*
 * Access control check: msgctl on a System V message queue.  Asserts the
 * queue label and the subject credential's label, then always returns 0.
 * The cmd argument is not inspected, so every control command is treated
 * alike.
 */
static int
mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel, int cmd)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1483 
/*
 * Access control check: semctl on a System V semaphore.  Asserts the subject
 * credential's label and the semaphore label, then always returns 0.  The
 * cmd argument is not inspected.
 */
static int
mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel, int cmd)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}
1494 
/*
 * Access control check: semget on a System V semaphore.  Asserts the subject
 * credential's label and the semaphore label, then always returns 0.
 */
static int
mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}
1505 
/*
 * Access control check: semop on a System V semaphore.  Asserts the subject
 * credential's label and the semaphore label, then always returns 0.  The
 * accesstype argument is not inspected.
 */
static int
mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel, size_t accesstype)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}
1516 
/*
 * Access control check: shmat on a System V shared memory segment.  Asserts
 * the subject credential's label and the segment label, then always returns
 * 0.  The shmflg argument is not inspected.
 */
static int
mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int shmflg)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}
1527 
/*
 * Access control check: shmctl on a System V shared memory segment.  Asserts
 * the subject credential's label and the segment label, then always returns
 * 0.  The cmd argument is not inspected.
 */
static int
mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int cmd)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}
1538 
/*
 * Access control check: shmdt on a System V shared memory segment.  Asserts
 * the subject credential's label and the segment label, then always returns
 * 0.
 */
static int
mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}
1549 
/*
 * Access control check: shmget on a System V shared memory segment.  Asserts
 * the subject credential's label and the segment label, then always returns
 * 0.  The shmflg argument is not inspected.
 */
static int
mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int shmflg)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}
1560 
/*
 * Access control check: dumping the kernel environment.  Asserts the subject
 * credential's label and always returns 0.
 */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1569 
/*
 * Access control check: reading a kernel environment variable.  Asserts the
 * subject credential's label and always returns 0; the variable name is not
 * inspected.
 */
static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1578 
/*
 * Access control check: setting a kernel environment variable.  Asserts the
 * subject credential's label and always returns 0; neither name nor value is
 * inspected.
 */
static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1587 
/*
 * Access control check: unsetting a kernel environment variable.  Asserts
 * the subject credential's label and always returns 0; the variable name is
 * not inspected.
 */
static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1596 
/*
 * Access control check: loading a kernel module from a vnode.  Asserts the
 * subject credential's label and the module file's vnode label, then always
 * returns 0.  This policy places no restriction on which file may be loaded
 * as a module; it only validates the labels handed to the hook.
 */
static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
1607 
/*
 * Access control check: querying kernel module status.  Asserts the subject
 * credential's label and always returns 0.
 */
static int
mac_test_check_kld_stat(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1616 
/*
 * Access control check: unloading a kernel module.  Asserts the subject
 * credential's label and always returns 0.
 */
static int
mac_test_check_kld_unload(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1625 
/*
 * Access control check: stat on a mount point.  Asserts the subject
 * credential's label and the mount label, then always returns 0.
 */
static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);

	return (0);
}
1636 
/*
 * Access control check: ioctl on a pipe.  Asserts the subject credential's
 * label and the pipe label, then always returns 0.  Neither cmd nor the data
 * pointer is inspected or dereferenced.
 */
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}
1647 
/*
 * Access control check: poll on a pipe.  Asserts the subject credential's
 * label and the pipe label, then always returns 0.
 */
static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}
1658 
/*
 * Access control check: read from a pipe.  Asserts the subject credential's
 * label and the pipe label, then always returns 0.
 */
static int
mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}
1669 
/*
 * Access control check: pipe relabel.  Asserts the subject credential's
 * label, the pipe's label and the requested new label, then always returns
 * 0.
 */
static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);

	return (0);
}
1681 
/*
 * Access control check: stat on a pipe.  Asserts the subject credential's
 * label and the pipe label, then always returns 0.
 */
static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}
1692 
/*
 * Access control check: write to a pipe.  Asserts the subject credential's
 * label and the pipe label, then always returns 0.
 */
static int
mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}
1703 
/*
 * Access control check: operation on a POSIX semaphore.  Asserts the subject
 * credential's label and the semaphore label, then always returns 0.
 */
static int
mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr,
    struct label *ks_label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_POSIX_LABEL(ks_label);

	return (0);
}
1714 
/*
 * Access control check: debugging a process.  Asserts the subject
 * credential's label and the label on the target process's credential
 * (proc->p_ucred), then always returns 0.
 */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}
1724 
/*
 * Access control check: changing a process's scheduling.  Asserts the
 * subject credential's label and the target process credential's label,
 * then always returns 0.
 */
static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}
1734 
/*
 * Access control check: signalling a process.  Asserts the subject
 * credential's label and the target process credential's label, then always
 * returns 0.  signum is not inspected.
 */
static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}
1744 
/*
 * Access control check: setuid.  Asserts the subject credential's label and
 * always returns 0; the requested uid is not inspected.
 */
static int
mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1753 
/*
 * Access control check: seteuid.  Asserts the subject credential's label and
 * always returns 0; the requested euid is not inspected.
 */
static int
mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1762 
/*
 * Access control check: setgid.  Asserts the subject credential's label and
 * always returns 0; the requested gid is not inspected.
 */
static int
mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1771 
/*
 * Access control check: setegid.  Asserts the subject credential's label and
 * always returns 0; the requested egid is not inspected.
 */
static int
mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1780 
/*
 * Access control check: setgroups.  Asserts the subject credential's label
 * and always returns 0.  ngroups is not range-checked and gidset is never
 * dereferenced here.
 */
static int
mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
	gid_t *gidset)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1790 
/*
 * Access control check: setreuid.  Asserts the subject credential's label
 * and always returns 0; ruid and euid are not inspected.
 */
static int
mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1799 
/*
 * Access control check: setregid.  Asserts the subject credential's label
 * and always returns 0; rgid and egid are not inspected.
 */
static int
mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1808 
/*
 * Access control check: setresuid.  Asserts the subject credential's label
 * and always returns 0; ruid, euid and suid are not inspected.
 */
static int
mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
	uid_t suid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1818 
/*
 * Access control check: setresgid.  Asserts the subject credential's label
 * and always returns 0; rgid, egid and sgid are not inspected.
 */
static int
mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
	gid_t sgid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1828 
/*
 * Access control check: waiting on a process.  Asserts the subject
 * credential's label and the target process credential's label, then always
 * returns 0.
 */
static int
mac_test_check_proc_wait(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}
1838 
/*
 * Access control check: accept on a socket.  Asserts the subject
 * credential's label and the socket label, then always returns 0.
 */
static int
mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1849 
/*
 * Access control check: bind on a socket.  Asserts the subject credential's
 * label and the socket label, then always returns 0.  The address in
 * sockaddr is not inspected.
 */
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1860 
/*
 * Access control check: connect on a socket.  Asserts the subject
 * credential's label and the socket label, then always returns 0.  The
 * address in sockaddr is not inspected.
 */
static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1871 
/*
 * Access control check: delivering an mbuf to a socket.  No credential is
 * involved; asserts the socket label and the mbuf label, then always
 * returns 0.
 */
static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}
1882 
/*
 * Access control check: listen on a socket.  Asserts the subject
 * credential's label and the socket label, then always returns 0.
 */
static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1893 
/*
 * Access control check: poll on a socket.  Asserts the subject credential's
 * label and the socket label, then always returns 0.
 */
static int
mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1904 
/*
 * Access control check: receive on a socket.  Asserts the subject
 * credential's label and the socket label, then always returns 0.
 */
static int
mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1915 
/*
 * Access control check: socket relabel.  Asserts the subject credential's
 * label, the socket's label and the requested new label, then always
 * returns 0.
 */
static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}
1927 
/*
 * Access control check: send on a socket.  Asserts the subject credential's
 * label and the socket label, then always returns 0.
 */
static int
mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1938 
/*
 * Access control check: stat on a socket.  Asserts the subject credential's
 * label and the socket label, then always returns 0.
 */
static int
mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1949 
/*
 * Access control check: visibility of a socket to a credential.  Asserts
 * the subject credential's label and the socket label, then always returns
 * 0.
 */
static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}
1960 
/*
 * Access control check: sysarch I/O permission request.  Asserts the subject
 * credential's label and always returns 0.
 */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1969 
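/*
 * Access control check: configuring process accounting.  Asserts the subject
 * credential's label and, when one is supplied, the accounting file's vnode
 * label, then always returns 0.
 *
 * The vnode label was previously accepted but never validated, unlike the
 * swapon/swapoff and kld_load checks in this file.  The check is guarded
 * against NULL because this excerpt does not show whether callers can invoke
 * the hook without a vnode (presumably when accounting is being disabled --
 * confirm against the caller).  vp itself is not examined.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	if (label != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}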
1979 
/*
 * Access control check: system reboot.  Asserts the subject credential's
 * label and always returns 0; the how argument is not inspected.
 */
static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1988 
/*
 * Access control check: setting the system time.  Asserts the subject
 * credential's label and always returns 0.
 */
static int
mac_test_check_system_settime(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
1997 
/*
 * Access control check: enabling swap on a vnode.  Asserts the subject
 * credential's label and the vnode label, then always returns 0.
 */
static int
mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2008 
/*
 * Access control check: disabling swap on a vnode.  Asserts the subject
 * credential's label and the vnode label, then always returns 0.
 */
static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2019 
/*
 * Access control check: sysctl access.  Asserts the subject credential's
 * label and always returns 0.  oidp, arg1, arg2 and req are not inspected,
 * so the check does not distinguish between OIDs or between reads and
 * writes.
 */
static int
mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
    void *arg1, int arg2, struct sysctl_req *req)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}
2029 
/*
 * Access control check: access(2)-style check on a vnode.  Asserts the
 * subject credential's label and the vnode label, then always returns 0.
 * acc_mode is not inspected.
 */
static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2040 
/*
 * Access control check: chdir into a directory vnode.  Asserts the subject
 * credential's label and the directory's vnode label, then always returns 0.
 */
static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}
2051 
/*
 * Access control check: chroot to a directory vnode.  Asserts the subject
 * credential's label and the directory's vnode label, then always returns 0.
 */
static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}
2062 
/*
 * Access control check: creating an object in a directory.  Asserts the
 * subject credential's label and the parent directory's vnode label, then
 * always returns 0.  cnp and vap are not inspected.
 */
static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}
2073 
/*
 * Access control check: deleting a vnode from a directory.  Asserts the
 * subject credential's label, the directory's vnode label and the target
 * vnode's label, then always returns 0.  cnp is not inspected.
 */
static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2086 
/*
 * Access control check: deleting an ACL from a vnode.  Asserts the subject
 * credential's label and the vnode label, then always returns 0.  The ACL
 * type is not inspected.
 */
static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2097 
/*
 * Access control check: deleting an extended attribute from a vnode.
 * Asserts the subject credential's label and the vnode label, then always
 * returns 0.  The attribute namespace and name are not inspected.
 */
static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2108 
/*
 * Access control check: executing a vnode.  Asserts the subject credential's
 * label and the vnode label; the optional exec label is asserted (as a
 * credential label) only when non-NULL.  Always returns 0.  imgp is not
 * inspected.
 */
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	/* execlabel is optional: skip the assertion when it is NULL. */
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}
2123 
/*
 * Access control check: reading an ACL from a vnode.  Asserts the subject
 * credential's label and the vnode label, then always returns 0.  The ACL
 * type is not inspected.
 */
static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2134 
/*
 * Access control check: reading an extended attribute from a vnode.  Asserts
 * the subject credential's label and the vnode label, then always returns 0.
 * The namespace, name and uio arguments are not inspected.
 */
static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2145 
/*
 * Access control check: creating a hard link to a vnode in a directory.
 * Asserts the subject credential's label, the directory's vnode label and
 * the target vnode's label, then always returns 0.  cnp is not inspected.
 */
static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2158 
/*
 * Access control check: listing extended attributes on a vnode.  Asserts the
 * subject credential's label and the vnode label, then always returns 0.
 * The attribute namespace is not inspected.
 */
static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2169 
/*
 * Access control check: name lookup in a directory.  Asserts the subject
 * credential's label and the directory's vnode label, then always returns 0.
 * cnp is not inspected.
 */
static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}
2180 
/*
 * Access control check: mmap of a vnode.  Asserts the subject credential's
 * label and the vnode label, then always returns 0.  The requested
 * protection and mapping flags are not inspected.
 */
static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot, int flags)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2191 
/*
 * Access control check: opening a vnode.  Asserts the subject credential's
 * label and the file's vnode label, then always returns 0.  acc_mode is not
 * inspected.
 */
static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	return (0);
}
2202 
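/*
 * Access control check: poll on a vnode.  Asserts the active credential's
 * label, the file credential's label when a file credential is supplied,
 * and the vnode label, then always returns 0.
 *
 * file_cred is dereferenced only when non-NULL, matching the read, stat and
 * write vnode checks in this file.  Without the guard, a caller passing no
 * file credential would cause a NULL pointer dereference in the kernel
 * before any label is examined.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}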
2214 
/*
 * Access control check: read from a vnode.  Asserts the active credential's
 * label, the file credential's label when file_cred is non-NULL, and the
 * vnode label, then always returns 0.
 */
static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	/* file_cred is optional: do not dereference it when NULL. */
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2228 
/*
 * Access control check: reading a directory.  Asserts the subject
 * credential's label and the directory's vnode label, then always returns 0.
 */
static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}
2239 
/*
 * Access control check: reading a symbolic link.  Asserts the subject
 * credential's label and the vnode label, then always returns 0.
 */
static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);

	return (0);
}
2250 
/*
 * Access control check: vnode relabel.  Asserts the subject credential's
 * label, the vnode's label and the requested new label, then always returns
 * 0.
 */
static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);

	return (0);
}
2262 
/*
 * Access control check: source side of a rename.  Asserts the subject
 * credential's label, the source directory's vnode label and the renamed
 * vnode's label, then always returns 0.  cnp is not inspected.
 */
static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2275 
/*
 * Access control check: destination side of a rename.  Asserts the subject
 * credential's label and the destination directory's vnode label; the
 * target vnode's label is asserted only when vp is non-NULL.  Always returns
 * 0.  samedir and cnp are not inspected.
 */
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	/*
	 * The guard is on vp, not on label: presumably label is only valid
	 * when a destination vnode already exists -- confirm against caller.
	 */
	if (vp != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}
2291 
/*
 * Access control check: revoke on a vnode.  Asserts the subject credential's
 * label and the vnode label, then always returns 0.
 */
static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2302 
/*
 * Access control check: setting an ACL on a vnode.  Asserts the subject
 * credential's label and the vnode label, then always returns 0.  The ACL
 * type and the ACL contents are not inspected.
 */
static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2313 
/*
 * Access control check: setting an extended attribute on a vnode.  Asserts
 * the subject credential's label and the vnode label, then always returns 0.
 * The namespace, name and uio arguments are not inspected.
 */
static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2324 
/*
 * MAC check entry point for changing file flags on a vnode.
 *
 * Asserts the credential label and the vnode label; the requested flags
 * value is ignored.  Always returns 0.
 */
static int
mac_test_check_vnode_setflags(struct ucred *cred,
    struct vnode *vp, struct label *label,
    u_long flags)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2335 
/*
 * MAC check entry point for changing the mode of a vnode.
 *
 * Asserts the credential label and the vnode label; the requested mode
 * is ignored.  Always returns 0.
 */
static int
mac_test_check_vnode_setmode(struct ucred *cred,
    struct vnode *vp, struct label *label,
    mode_t mode)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2346 
/*
 * MAC check entry point for changing the owner of a vnode.
 *
 * Asserts the credential label and the vnode label; the requested uid
 * and gid are ignored.  Always returns 0.
 */
static int
mac_test_check_vnode_setowner(struct ucred *cred,
    struct vnode *vp, struct label *label,
    uid_t uid, gid_t gid)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2357 
/*
 * MAC check entry point for setting access/modification times on a vnode.
 *
 * Asserts the credential label and the vnode label; the atime and mtime
 * arguments are ignored.  Always returns 0.
 */
static int
mac_test_check_vnode_setutimes(struct ucred *cred,
    struct vnode *vp, struct label *label,
    struct timespec atime, struct timespec mtime)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}
2368 
/*
 * MAC check entry point for stat on a vnode.
 *
 * Two credentials are passed: active_cred is always dereferenced and its
 * label asserted; file_cred may be NULL and its label is asserted only
 * when it is present.  The vnode label is asserted last.  vp is not
 * examined.  Always returns 0.
 */
static int
mac_test_check_vnode_stat(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp,
    struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);

	/* file_cred is optional; skip its label when the caller has none. */
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}

	ASSERT_VNODE_LABEL(label);

	return (0);
}
2382 
/*
 * MAC check entry point for write on a vnode.
 *
 * active_cred is always dereferenced and its label asserted; file_cred
 * may be NULL and its label is asserted only when it is present.  The
 * vnode label is asserted last.  vp is not examined.  Always returns 0,
 * so writes are never refused by this policy.
 */
static int
mac_test_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp,
    struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);

	/* file_cred is optional; skip its label when the caller has none. */
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}

	ASSERT_VNODE_LABEL(label);

	return (0);
}
2396 
/*
 * Entry-point table for the test policy, passed to MAC_POLICY_SET() below.
 * Each designated initializer binds one mpo_* hook to the mac_test_*
 * function implementing it.
 *
 * Some hooks share one implementation: every mpo_externalize_*_label
 * entry uses mac_test_externalize_label, every mpo_internalize_*_label
 * entry uses mac_test_internalize_label, and every mpo_check_posix_sem_*
 * entry uses mac_test_check_posix_sem.
 *
 * NOTE(review): a member with no initializer here is zero-initialized by
 * the language, so a mac_test_* function that is written but not listed
 * is never reached through this table.  When adding a hook, add its entry
 * here as well; how the framework treats a NULL hook is not visible in
 * this part of the file.
 */
static struct mac_policy_ops mac_test_ops =
{
	/* Policy-level hooks. */
	.mpo_destroy = mac_test_destroy,
	.mpo_init = mac_test_init,
	.mpo_syscall = mac_test_syscall,
	/* Label lifecycle: init, destroy, copy, externalize, internalize. */
	.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
	.mpo_init_cred_label = mac_test_init_cred_label,
	.mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
	.mpo_init_ifnet_label = mac_test_init_ifnet_label,
	.mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
	.mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
	.mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
	.mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
	.mpo_init_inpcb_label = mac_test_init_inpcb_label,
	.mpo_init_ipq_label = mac_test_init_ipq_label,
	.mpo_init_mbuf_label = mac_test_init_mbuf_label,
	.mpo_init_mount_label = mac_test_init_mount_label,
	.mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
	.mpo_init_pipe_label = mac_test_init_pipe_label,
	.mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
	.mpo_init_proc_label = mac_test_init_proc_label,
	.mpo_init_socket_label = mac_test_init_socket_label,
	.mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
	.mpo_init_vnode_label = mac_test_init_vnode_label,
	.mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
	.mpo_destroy_cred_label = mac_test_destroy_cred_label,
	.mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
	.mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
	.mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
	.mpo_destroy_sysv_msgqueue_label =
	    mac_test_destroy_sysv_msgqueue_label,
	.mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label,
	.mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label,
	.mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
	.mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
	.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
	.mpo_destroy_mount_label = mac_test_destroy_mount_label,
	.mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
	.mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
	.mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
	.mpo_destroy_proc_label = mac_test_destroy_proc_label,
	.mpo_destroy_socket_label = mac_test_destroy_socket_label,
	.mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
	.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
	.mpo_copy_cred_label = mac_test_copy_cred_label,
	.mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
	.mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
	.mpo_copy_pipe_label = mac_test_copy_pipe_label,
	.mpo_copy_socket_label = mac_test_copy_socket_label,
	.mpo_copy_vnode_label = mac_test_copy_vnode_label,
	.mpo_externalize_cred_label = mac_test_externalize_label,
	.mpo_externalize_ifnet_label = mac_test_externalize_label,
	.mpo_externalize_pipe_label = mac_test_externalize_label,
	.mpo_externalize_socket_label = mac_test_externalize_label,
	.mpo_externalize_socket_peer_label = mac_test_externalize_label,
	.mpo_externalize_vnode_label = mac_test_externalize_label,
	.mpo_internalize_cred_label = mac_test_internalize_label,
	.mpo_internalize_ifnet_label = mac_test_internalize_label,
	.mpo_internalize_pipe_label = mac_test_internalize_label,
	.mpo_internalize_socket_label = mac_test_internalize_label,
	.mpo_internalize_vnode_label = mac_test_internalize_label,
	/*
	 * Labeling events: association, creation, relabel, update,
	 * transition and cleanup hooks.
	 */
	.mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
	.mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
	.mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
	.mpo_create_devfs_device = mac_test_create_devfs_device,
	.mpo_create_devfs_directory = mac_test_create_devfs_directory,
	.mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
	.mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
	.mpo_create_mount = mac_test_create_mount,
	.mpo_relabel_vnode = mac_test_relabel_vnode,
	.mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
	.mpo_update_devfsdirent = mac_test_update_devfsdirent,
	.mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
	.mpo_create_pipe = mac_test_create_pipe,
	.mpo_create_posix_sem = mac_test_create_posix_sem,
	.mpo_create_socket = mac_test_create_socket,
	.mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
	.mpo_relabel_pipe = mac_test_relabel_pipe,
	.mpo_relabel_socket = mac_test_relabel_socket,
	.mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
	.mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
	.mpo_create_bpfdesc = mac_test_create_bpfdesc,
	.mpo_create_ifnet = mac_test_create_ifnet,
	.mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
	.mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg,
	.mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue,
	.mpo_create_sysv_sem = mac_test_create_sysv_sem,
	.mpo_create_sysv_shm = mac_test_create_sysv_shm,
	.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
	.mpo_create_fragment = mac_test_create_fragment,
	.mpo_create_ipq = mac_test_create_ipq,
	.mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
	.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
	.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
	.mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
	.mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
	.mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
	.mpo_fragment_match = mac_test_fragment_match,
	.mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
	.mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
	.mpo_relabel_ifnet = mac_test_relabel_ifnet,
	.mpo_update_ipq = mac_test_update_ipq,
	.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
	.mpo_execve_transition = mac_test_execve_transition,
	.mpo_execve_will_transition = mac_test_execve_will_transition,
	.mpo_create_proc0 = mac_test_create_proc0,
	.mpo_create_proc1 = mac_test_create_proc1,
	.mpo_relabel_cred = mac_test_relabel_cred,
	.mpo_thread_userret = mac_test_thread_userret,
	.mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg,
	.mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue,
	.mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem,
	.mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm,
	/* Access-control checks (mpo_check_*). */
	.mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
	.mpo_check_cred_relabel = mac_test_check_cred_relabel,
	.mpo_check_cred_visible = mac_test_check_cred_visible,
	.mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
	.mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
	.mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
	.mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq,
	.mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv,
	.mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid,
	.mpo_check_sysv_msqget = mac_test_check_sysv_msqget,
	.mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd,
	.mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv,
	.mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl,
	.mpo_check_sysv_semctl = mac_test_check_sysv_semctl,
	.mpo_check_sysv_semget = mac_test_check_sysv_semget,
	.mpo_check_sysv_semop = mac_test_check_sysv_semop,
	.mpo_check_sysv_shmat = mac_test_check_sysv_shmat,
	.mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl,
	.mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt,
	.mpo_check_sysv_shmget = mac_test_check_sysv_shmget,
	.mpo_check_kenv_dump = mac_test_check_kenv_dump,
	.mpo_check_kenv_get = mac_test_check_kenv_get,
	.mpo_check_kenv_set = mac_test_check_kenv_set,
	.mpo_check_kenv_unset = mac_test_check_kenv_unset,
	.mpo_check_kld_load = mac_test_check_kld_load,
	.mpo_check_kld_stat = mac_test_check_kld_stat,
	.mpo_check_kld_unload = mac_test_check_kld_unload,
	.mpo_check_mount_stat = mac_test_check_mount_stat,
	.mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
	.mpo_check_pipe_poll = mac_test_check_pipe_poll,
	.mpo_check_pipe_read = mac_test_check_pipe_read,
	.mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
	.mpo_check_pipe_stat = mac_test_check_pipe_stat,
	.mpo_check_pipe_write = mac_test_check_pipe_write,
	.mpo_check_posix_sem_destroy = mac_test_check_posix_sem,
	.mpo_check_posix_sem_getvalue = mac_test_check_posix_sem,
	.mpo_check_posix_sem_open = mac_test_check_posix_sem,
	.mpo_check_posix_sem_post = mac_test_check_posix_sem,
	.mpo_check_posix_sem_unlink = mac_test_check_posix_sem,
	.mpo_check_posix_sem_wait = mac_test_check_posix_sem,
	.mpo_check_proc_debug = mac_test_check_proc_debug,
	.mpo_check_proc_sched = mac_test_check_proc_sched,
	.mpo_check_proc_setuid = mac_test_check_proc_setuid,
	.mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
	.mpo_check_proc_setgid = mac_test_check_proc_setgid,
	.mpo_check_proc_setegid = mac_test_check_proc_setegid,
	.mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
	.mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
	.mpo_check_proc_setregid = mac_test_check_proc_setregid,
	.mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
	.mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
	.mpo_check_proc_signal = mac_test_check_proc_signal,
	.mpo_check_proc_wait = mac_test_check_proc_wait,
	.mpo_check_socket_accept = mac_test_check_socket_accept,
	.mpo_check_socket_bind = mac_test_check_socket_bind,
	.mpo_check_socket_connect = mac_test_check_socket_connect,
	.mpo_check_socket_deliver = mac_test_check_socket_deliver,
	.mpo_check_socket_listen = mac_test_check_socket_listen,
	.mpo_check_socket_poll = mac_test_check_socket_poll,
	.mpo_check_socket_receive = mac_test_check_socket_receive,
	.mpo_check_socket_relabel = mac_test_check_socket_relabel,
	.mpo_check_socket_send = mac_test_check_socket_send,
	.mpo_check_socket_stat = mac_test_check_socket_stat,
	.mpo_check_socket_visible = mac_test_check_socket_visible,
	.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
	.mpo_check_system_acct = mac_test_check_system_acct,
	.mpo_check_system_reboot = mac_test_check_system_reboot,
	.mpo_check_system_settime = mac_test_check_system_settime,
	.mpo_check_system_swapon = mac_test_check_system_swapon,
	.mpo_check_system_swapoff = mac_test_check_system_swapoff,
	.mpo_check_system_sysctl = mac_test_check_system_sysctl,
	.mpo_check_vnode_access = mac_test_check_vnode_access,
	.mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
	.mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
	.mpo_check_vnode_create = mac_test_check_vnode_create,
	.mpo_check_vnode_delete = mac_test_check_vnode_delete,
	.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = mac_test_check_vnode_exec,
	.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
	.mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
	.mpo_check_vnode_link = mac_test_check_vnode_link,
	.mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
	.mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
	.mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
	.mpo_check_vnode_open = mac_test_check_vnode_open,
	.mpo_check_vnode_poll = mac_test_check_vnode_poll,
	.mpo_check_vnode_read = mac_test_check_vnode_read,
	.mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
	.mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
	.mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
	.mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
	.mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
	.mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
	.mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
	.mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
	.mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
	.mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
	.mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
	.mpo_check_vnode_stat = mac_test_check_vnode_stat,
	.mpo_check_vnode_write = mac_test_check_vnode_write,
};
2613 
/*
 * Declare the policy to the MAC framework: mac_test_ops is the entry-point
 * table, mac_test the policy's short name and "TrustedBSD MAC/Test" its
 * description.  &test_slot is handed to the framework, presumably so it
 * can store the label slot assigned to this policy (confirm against the
 * MAC_POLICY_SET definition).
 *
 * MPC_LOADTIME_FLAG_UNLOADOK marks the policy as unloadable at run time
 * and MPC_LOADTIME_FLAG_LABELMBUFS requests labels on mbufs.  Being
 * unloadable suits a policy whose check hooks always return 0; for a
 * policy that enforces decisions, the same flag would mean enforcement
 * ends when the module is unloaded.
 */
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
    MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);
2616