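/*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2005 McAfee, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by McAfee
 * Research, the Security Research Division of McAfee, Inc. under
 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
 * CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */

/*
 * Developed by the TrustedBSD Project.
 * Generic mandatory access module that does nothing.
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/kdb.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sx.h>
#include <sys/sysctl.h>
#include <sys/msg.h>
#include <sys/sem.h>
#include <sys/shm.h>

#include <posix4/ksem.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * security.mac.test.enabled: read/write tunable described as "Enforce test
 * policy".
 * NOTE(review): no hook visible in this part of the file reads
 * mac_test_enabled -- confirm whether it is consulted elsewhere.
 */
static int mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");

/*
 * Per-object-type magic numbers.  Each label init hook stores the magic for
 * its object type in this policy's label slot, the ASSERT_*_LABEL() macros
 * check it wherever a label is handed to a hook, and the destroy hooks
 * replace it with EXMAGIC so that a second destroy, or later use of a
 * destroyed label, can be recognised.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	INPCBMAGIC	0x4440f7bb
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	SYSVIPCMSQMAGIC	0xea672391
#define	SYSVIPCMSGMAGIC	0x8bbba61e
#define	SYSVIPCSEMMAGIC	0x896e8a0b
#define	SYSVIPCSHMMAGIC	0x76119ab0
#define	PIPEMAGIC	0xdc6c9919
#define	POSIXSEMMAGIC	0x78ae980c
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
#define	EXMAGIC		0x849ba1fd

/* This policy's per-label storage, selected by the slot number in test_slot. */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long

/*
 * Label sanity checks: each accepts the magic expected for the object type,
 * or 0.  They expand to KASSERT(), which is only compiled in on kernels built
 * with INVARIANTS; on any other kernel the hooks that rely on these macros
 * check nothing.
 * NOTE(review): the reason a zero slot is tolerated is not stated in this
 * file; presumably it covers labels this policy never initialised -- confirm.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC || \
	SLOT(x) == 0, ("%s: Bad BPF label", __func__))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC || \
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__))
#define	ASSERT_IFNET_LABEL(x)	KASSERT(SLOT(x) == IFNETMAGIC || \
	SLOT(x) == 0, ("%s: Bad IFNET label", __func__))
#define	ASSERT_INPCB_LABEL(x)	KASSERT(SLOT(x) == INPCBMAGIC || \
	SLOT(x) == 0, ("%s: Bad INPCB label", __func__))
#define	ASSERT_IPQ_LABEL(x)	KASSERT(SLOT(x) == IPQMAGIC || \
	SLOT(x) == 0, ("%s: Bad IPQ label", __func__))
/*
 * An mbuf label pointer may be NULL, so that case is accepted first.  The
 * argument is parenthesised so the NULL test stays correct for any
 * expression passed in, not only for a plain identifier.
 */
#define	ASSERT_MBUF_LABEL(x)	KASSERT((x) == NULL || \
	SLOT(x) == MBUFMAGIC || SLOT(x) == 0, \
	("%s: Bad MBUF label", __func__))
#define	ASSERT_MOUNT_LABEL(x)	KASSERT(SLOT(x) == MOUNTMAGIC || \
	SLOT(x) == 0, ("%s: Bad MOUNT label", __func__))
#define	ASSERT_SOCKET_LABEL(x)	KASSERT(SLOT(x) == SOCKETMAGIC || \
	SLOT(x) == 0, ("%s: Bad SOCKET label", __func__))
#define	ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__))
#define	ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__))
#define	ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__))
#define	ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__))
#define	ASSERT_PIPE_LABEL(x)	KASSERT(SLOT(x) == PIPEMAGIC || \
	SLOT(x) == 0, ("%s: Bad PIPE label", __func__))
#define	ASSERT_POSIX_LABEL(x)	KASSERT(SLOT(x) == POSIXSEMMAGIC || \
	SLOT(x) == 0, ("%s: Bad POSIX ksem label", __func__))
#define	ASSERT_PROC_LABEL(x)	KASSERT(SLOT(x) == PROCMAGIC || \
	SLOT(x) == 0, ("%s: Bad PROC label", __func__))
#define	ASSERT_CRED_LABEL(x)	KASSERT(SLOT(x) == CREDMAGIC || \
	SLOT(x) == 0, ("%s: Bad CRED label", __func__))
#define	ASSERT_VNODE_LABEL(x)	KASSERT(SLOT(x) == VNODEMAGIC || \
	SLOT(x) == 0, ("%s: Bad VNODE label", __func__))

/* Label slot number used by SLOT(); exported read-only for inspection. */
static int test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");

/*
 * Counts of label init calls, one per object type, exported read-only under
 * security.mac.test.  The matching destroy counters follow.
 */
static int init_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
    &init_count_bpfdesc, 0, "bpfdesc init calls");
static int init_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
    &init_count_cred, 0, "cred init calls");
static int init_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
    &init_count_devfsdirent, 0, "devfsdirent init calls");
static int init_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
    &init_count_ifnet, 0, "ifnet init calls");
static int init_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
    &init_count_inpcb, 0, "inpcb init calls");
static int init_count_sysv_msg;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD,
    &init_count_sysv_msg, 0, "ipc_msg init calls");
static int init_count_sysv_msq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD,
    &init_count_sysv_msq, 0, "ipc_msq init calls");
static int init_count_sysv_sem;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sem, CTLFLAG_RD,
    &init_count_sysv_sem, 0, "ipc_sema init calls");
static int init_count_sysv_shm;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD,
    &init_count_sysv_shm, 0, "ipc_shm init calls");
static int init_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
    &init_count_ipq, 0, "ipq init calls");
static int init_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
    &init_count_mbuf, 0, "mbuf init calls");
static int init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
    &init_count_mount, 0, "mount init calls");
static int init_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
    &init_count_mount_fslabel, 0, "mount_fslabel init calls");
static int init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
    &init_count_socket, 0, "socket init calls");
static int init_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
    CTLFLAG_RD, &init_count_socket_peerlabel, 0,
    "socket_peerlabel init calls");
static int init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
    &init_count_pipe, 0, "pipe init calls");
static int init_count_posixsems;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_posixsems, CTLFLAG_RD,
    &init_count_posixsems, 0, "posix sems init calls");
static int init_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
    &init_count_proc, 0, "proc init calls");
static int init_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
    &init_count_vnode, 0, "vnode init calls");

/* Counts of label destroy calls, one per object type, exported read-only. */
static int destroy_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
    &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
static int destroy_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
    &destroy_count_cred, 0, "cred destroy calls");
static int destroy_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
    &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
static int destroy_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
    &destroy_count_ifnet, 0, "ifnet destroy calls");
static int destroy_count_inpcb;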
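SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
    &destroy_count_inpcb, 0, "inpcb destroy calls");
static int destroy_count_sysv_msg;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD,
    &destroy_count_sysv_msg, 0, "ipc_msg destroy calls");
static int destroy_count_sysv_msq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD,
    &destroy_count_sysv_msq, 0, "ipc_msq destroy calls");
static int destroy_count_sysv_sem;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sem, CTLFLAG_RD,
    &destroy_count_sysv_sem, 0, "ipc_sema destroy calls");
static int destroy_count_sysv_shm;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD,
    &destroy_count_sysv_shm, 0, "ipc_shm destroy calls");
static int destroy_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
    &destroy_count_ipq, 0, "ipq destroy calls");
static int destroy_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
    &destroy_count_mbuf, 0, "mbuf destroy calls");
static int destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
    &destroy_count_mount, 0, "mount destroy calls");
static int destroy_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
    CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
    "mount_fslabel destroy calls");
static int destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
    &destroy_count_socket, 0, "socket destroy calls");
static int destroy_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
    CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
    "socket_peerlabel destroy calls");
static int destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
    &destroy_count_pipe, 0, "pipe destroy calls");
static int destroy_count_posixsems;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_posixsems, CTLFLAG_RD,
    &destroy_count_posixsems, 0, "posix sems destroy calls");
static int destroy_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
    &destroy_count_proc, 0, "proc destroy calls");
static int destroy_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
    &destroy_count_vnode, 0, "vnode destroy calls");

/* Counts of label externalize/internalize calls, exported read-only. */
static int externalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
static int internalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");

/*
 * How the destroy hooks report a bad label: enter the kernel debugger when
 * KDB is compiled in, otherwise only print the message and carry on.
 */
#ifdef KDB
#define	DEBUGGER(x)	kdb_enter(x)
#else
#define	DEBUGGER(x)	printf("mac_test: %s\n", (x))
#endif

/*
 * Policy module operations.  All three are no-ops in this policy.
 */
static void
mac_test_destroy(struct mac_policy_conf *conf)
{
}

static void
mac_test_init(struct mac_policy_conf *conf)
{
}

static int
mac_test_syscall(struct thread *td, int call, void *arg)
{
	return (0);
}

/*
 * Label operations.
 *
 * Init hooks: stamp the object type's magic into this policy's slot and bump
 * the matching init counter.  The variants taking a flag argument always
 * return 0.
 */
static void
mac_test_init_bpfdesc_label(struct label *label)
{
	SLOT(label) = BPFMAGIC;
	atomic_add_int(&init_count_bpfdesc, 1);
}

static void
mac_test_init_cred_label(struct label *label)
{
	SLOT(label) = CREDMAGIC;
	atomic_add_int(&init_count_cred, 1);
}

static void
mac_test_init_devfsdirent_label(struct label *label)
{
	SLOT(label) = DEVFSMAGIC;
	atomic_add_int(&init_count_devfsdirent, 1);
}

static void
mac_test_init_ifnet_label(struct label *label)
{
	SLOT(label) = IFNETMAGIC;
	atomic_add_int(&init_count_ifnet, 1);
}

static int
mac_test_init_inpcb_label(struct label *label, int flag)
{
	/*
	 * With M_WAITOK the caller says it may sleep, so have WITNESS warn
	 * if the locks currently held make sleeping unsafe.
	 */
	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_inpcb_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = INPCBMAGIC;
	atomic_add_int(&init_count_inpcb, 1);
	return (0);
}

static void
mac_test_init_sysv_msgmsg_label(struct label *label)
{
	SLOT(label) = SYSVIPCMSGMAGIC;
	atomic_add_int(&init_count_sysv_msg, 1);
}

static void
mac_test_init_sysv_msgqueue_label(struct label *label)
{
	SLOT(label) = SYSVIPCMSQMAGIC;
	atomic_add_int(&init_count_sysv_msq, 1);
}

static void
mac_test_init_sysv_sem_label(struct label *label)
{
	SLOT(label) = SYSVIPCSEMMAGIC;
	atomic_add_int(&init_count_sysv_sem, 1);
}

static void
mac_test_init_sysv_shm_label(struct label *label)
{
	SLOT(label) = SYSVIPCSHMMAGIC;
	atomic_add_int(&init_count_sysv_shm, 1);
}

static int
mac_test_init_ipq_label(struct label *label, int flag)
{
	/* Same sleep-safety warning as mac_test_init_inpcb_label(). */
	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = IPQMAGIC;
	atomic_add_int(&init_count_ipq, 1);
	return (0);
}

static int
mac_test_init_mbuf_label(struct label *label, int flag)
{
	/* Same sleep-safety warning as mac_test_init_inpcb_label(). */
	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = MBUFMAGIC;
	atomic_add_int(&init_count_mbuf, 1);
	return (0);
}

static void
mac_test_init_mount_label(struct label *label)
{
	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount, 1);
}

/*
 * The mount fs label shares MOUNTMAGIC with the mount label, so the magic
 * cannot tell the two apart; only the counter differs.
 */
static void
mac_test_init_mount_fs_label(struct label *label)
{
	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount_fslabel, 1);
}

static int
mac_test_init_socket_label(struct label *label, int flag)
{
	/* Same sleep-safety warning as mac_test_init_inpcb_label(). */
	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket, 1);
	return (0);
}

/*
 * The socket peer label shares SOCKETMAGIC with the socket label, so the
 * magic cannot tell the two apart; only the counter differs.
 */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{
	/* Same sleep-safety warning as mac_test_init_inpcb_label(). */
	if (flag & M_WAITOK)
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
		    __LINE__);

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket_peerlabel, 1);
	return (0);
}

static void
mac_test_init_pipe_label(struct label *label)
{
	SLOT(label) = PIPEMAGIC;
	atomic_add_int(&init_count_pipe, 1);
}

static void
mac_test_init_posix_sem_label(struct label *label)
{
	SLOT(label) = POSIXSEMMAGIC;
	atomic_add_int(&init_count_posixsems, 1);
}

static void
mac_test_init_proc_label(struct label *label)
{
	SLOT(label) = PROCMAGIC;
	atomic_add_int(&init_count_proc, 1);
}

static void
mac_test_init_vnode_label(struct label *label)
{
	SLOT(label) = VNODEMAGIC;
	atomic_add_int(&init_count_vnode, 1);
}

/*
 * Destroy hooks.  Each follows the same three-way check on the slot:
 *  - expected magic or 0: count the destroy and mark the slot EXMAGIC;
 *  - EXMAGIC: the label was already destroyed, report "dup destroy";
 *  - anything else: report "corrupted label".
 * Reporting goes through DEBUGGER(), so unlike the ASSERT_*_LABEL() checks
 * it does not depend on KASSERT() being compiled in.
 */
static void
mac_test_destroy_bpfdesc_label(struct label *label)
{
	if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_bpfdesc, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_bpfdesc: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_bpfdesc: corrupted label");
	}
}

static void
mac_test_destroy_cred_label(struct label *label)
{
	if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_cred, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_cred: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_cred: corrupted label");
	}
}

static void
mac_test_destroy_devfsdirent_label(struct label *label)
{
	if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_devfsdirent, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_devfsdirent: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_devfsdirent: corrupted label");
	}
}

static void
mac_test_destroy_ifnet_label(struct label *label)
{
	if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_ifnet, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_ifnet: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_ifnet: corrupted label");
	}
}

static void
mac_test_destroy_inpcb_label(struct label *label)
{
	if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_inpcb, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_inpcb: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_inpcb: corrupted label");
	}
}

static void
mac_test_destroy_sysv_msgmsg_label(struct label *label)
{
	if (SLOT(label) == SYSVIPCMSGMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_sysv_msg, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy");
	} else {
		DEBUGGER(
		    "mac_test_destroy_sysv_msgmsg_label: corrupted label");
	}
}

static void
mac_test_destroy_sysv_msgqueue_label(struct label *label)
{
	if (SLOT(label) == SYSVIPCMSQMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_sysv_msq, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy");
	} else {
		DEBUGGER(
		    "mac_test_destroy_sysv_msgqueue_label: corrupted label");
	}
}

static void
mac_test_destroy_sysv_sem_label(struct label *label)
{
	if (SLOT(label) == SYSVIPCSEMMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_sysv_sem, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_sem_label: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_sysv_sem_label: corrupted label");
	}
}

static void
mac_test_destroy_sysv_shm_label(struct label *label)
{
	if (SLOT(label) == SYSVIPCSHMMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_sysv_shm, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label");
	}
}

static void
mac_test_destroy_ipq_label(struct label *label)
{
	if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_ipq, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_ipq: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_ipq: corrupted label");
	}
}

static void
mac_test_destroy_mbuf_label(struct label *label)
{
	/*
	 * If we're loaded dynamically, there may be mbufs in flight that
	 * didn't have label storage allocated for them.  Handle this
	 * gracefully.
	 */
	if (label == NULL)
		return;

	if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mbuf, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mbuf: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_mbuf: corrupted label");
	}
}

static void
mac_test_destroy_mount_label(struct label *label)
{
	if (SLOT(label) == MOUNTMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mount, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mount: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_mount: corrupted label");
	}
}

static void
mac_test_destroy_mount_fs_label(struct label *label)
{
	if (SLOT(label) == MOUNTMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_mount_fslabel, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label");
	}
}

static void
mac_test_destroy_socket_label(struct label *label)
{
	if (SLOT(label) == SOCKETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_socket, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_socket: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_socket: corrupted label");
	}
}

static void
mac_test_destroy_socket_peer_label(struct label *label)
{
	if (SLOT(label) == SOCKETMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_socket_peerlabel, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label");
	}
}

static void
mac_test_destroy_pipe_label(struct label *label)
{
	if (SLOT(label) == PIPEMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_pipe, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_pipe: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_pipe: corrupted label");
	}
}

static void
mac_test_destroy_posix_sem_label(struct label *label)
{
	if (SLOT(label) == POSIXSEMMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_posixsems, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_posix_sem: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_posix_sem: corrupted label");
	}
}

static void
mac_test_destroy_proc_label(struct label *label)
{
	if (SLOT(label) == PROCMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_proc, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_proc: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_proc: corrupted label");
	}
}

static void
mac_test_destroy_vnode_label(struct label *label)
{
	if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_vnode, 1);
		SLOT(label) = EXMAGIC;
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_vnode: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_vnode: corrupted label");
	}
}

/*
 * Copy hooks: nothing is copied; both labels are only checked for the
 * expected type.
 */
static void
mac_test_copy_cred_label(struct label *src, struct label *dest)
{
	ASSERT_CRED_LABEL(src);
	ASSERT_CRED_LABEL(dest);
}

static void
mac_test_copy_ifnet_label(struct label *src, struct label *dest)
{
	ASSERT_IFNET_LABEL(src);
	ASSERT_IFNET_LABEL(dest);
}

static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{
	ASSERT_MBUF_LABEL(src);
	ASSERT_MBUF_LABEL(dest);
}

static void
mac_test_copy_pipe_label(struct label *src, struct label *dest)
{
	ASSERT_PIPE_LABEL(src);
	ASSERT_PIPE_LABEL(dest);
}

static void
mac_test_copy_socket_label(struct label *src, struct label *dest)
{
	ASSERT_SOCKET_LABEL(src);
	ASSERT_SOCKET_LABEL(dest);
}

static void
mac_test_copy_vnode_label(struct label *src, struct label *dest)
{
	ASSERT_VNODE_LABEL(src);
	ASSERT_VNODE_LABEL(dest);
}

/*
 * Externalize/internalize hooks: count the call and assert that the label
 * has not already been destroyed.  Nothing is written to sb or *claimed and
 * nothing is parsed from element_data; both always return 0.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{
	atomic_add_int(&externalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_externalize_label: destroyed label"));

	return (0);
}

static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{
	atomic_add_int(&internalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_internalize_label: destroyed label"));

	return (0);
}

/*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.
 */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_DEVFS_LABEL(delabel);
	ASSERT_VNODE_LABEL(vlabel);
}

static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
	return (0);
}

static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
}

static void
mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
{
	/* cred may be NULL for this hook, so only check it when present. */
	if (cred != NULL) {
		ASSERT_CRED_LABEL(cred->cr_label);
	}
	ASSERT_DEVFS_LABEL(label);
}

static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{
	ASSERT_DEVFS_LABEL(label);
}

static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_DEVFS_LABEL(ddlabel);
	ASSERT_DEVFS_LABEL(delabel);
}

static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
	/*
	 * NOTE(review): vlabel is not checked here although the other vnode
	 * hooks check every vnode label they receive -- confirm that this
	 * omission is intentional.
	 */
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(label);
}

static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vlabel);
	ASSERT_VNODE_LABEL(intlabel);
	return (0);
}

static void
mac_test_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{
	ASSERT_DEVFS_LABEL(direntlabel);
	ASSERT_VNODE_LABEL(vnodelabel);
}

/*
 * Labeling event operations: IPC object.
 */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
}

static void
mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
}

static void
mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem,
    struct label *posixlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_POSIX_LABEL(posixlabel);
}

static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{
	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketlabel);
}

static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{
	/*
	 * Check the socket's current label as well as the replacement, as
	 * mac_test_relabel_pipe() and mac_test_relabel_vnode() do for their
	 * objects; otherwise a bad existing socket label goes unnoticed on
	 * relabel.
	 */
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);
}

static void
mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
}

static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{
	ASSERT_MBUF_LABEL(mbuflabel);
	ASSERT_SOCKET_LABEL(socketpeerlabel);
}

/*
 * Labeling event operations: network objects.
 */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{
	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}

static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}

static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{
	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}

static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{
	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}

static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
}

static void
mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{
	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/*
 * The System V IPC create hooks check only the object labels; the cred
 * argument is not inspected.
 */
static void
mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

static void
mac_test_create_sysv_msgqueue(struct ucred *cred,
    struct msqid_kernel *msqkptr, struct label *msqlabel)
{
	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

static void
mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semalabel)
{
	ASSERT_SYSVIPCSEM_LABEL(semalabel);
}

static void
mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmlabel)
{
	ASSERT_SYSVIPCSHM_LABEL(shmlabel);
}

static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{
	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{
	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{
	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{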
1180 ASSERT_MBUF_LABEL(oldmbuflabel); 1181 ASSERT_MBUF_LABEL(newmbuflabel); 1182 } 1183 1184 static int 1185 mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, 1186 struct ipq *ipq, struct label *ipqlabel) 1187 { 1188 1189 ASSERT_MBUF_LABEL(fragmentlabel); 1190 ASSERT_IPQ_LABEL(ipqlabel); 1191 1192 return (1); 1193 } 1194 1195 static void 1196 mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel) 1197 { 1198 1199 ASSERT_MBUF_LABEL(mlabel); 1200 } 1201 1202 static void 1203 mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel) 1204 { 1205 1206 ASSERT_MBUF_LABEL(mlabel); 1207 } 1208 1209 static void 1210 mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, 1211 struct label *ifnetlabel, struct label *newlabel) 1212 { 1213 1214 ASSERT_CRED_LABEL(cred->cr_label); 1215 ASSERT_IFNET_LABEL(ifnetlabel); 1216 ASSERT_IFNET_LABEL(newlabel); 1217 } 1218 1219 static void 1220 mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, 1221 struct ipq *ipq, struct label *ipqlabel) 1222 { 1223 1224 ASSERT_MBUF_LABEL(fragmentlabel); 1225 ASSERT_IPQ_LABEL(ipqlabel); 1226 } 1227 1228 static void 1229 mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel, 1230 struct inpcb *inp, struct label *inplabel) 1231 { 1232 1233 ASSERT_SOCKET_LABEL(solabel); 1234 ASSERT_INPCB_LABEL(inplabel); 1235 } 1236 1237 /* 1238 * Labeling event operations: processes. 
*/

/*
 * execve label transition: checks the old and new credential labels and
 * the file's vnode label.  The interpreter vnode label and the exec label
 * are checked only when the caller supplies them (non-NULL).
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}

/*
 * Same label checks as mac_test_execve_transition() minus the new
 * credential; always returns 0 (presumably "no transition requested" --
 * confirm against the framework's contract).
 */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/* proc0 credential creation: checks the credential label. */
static void
mac_test_create_proc0(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

/* proc1 credential creation: checks the credential label. */
static void
mac_test_create_proc1(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

/* Credential relabel: checks the current and new credential labels; copies nothing. */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}

/*
 * Logs the current process id on every call.
 * NOTE(review): the td argument is ignored in favour of curthread, and the
 * printf() is unconditional.  If this hook runs as often as its name
 * suggests (each return to user mode -- confirm), it can flood the console
 * and message buffer; consider gating or rate-limiting it.
 */
static void
mac_test_thread_userret(struct thread *td)
{

	printf("mac_test_thread_userret(process = %d)\n",
	    curthread->td_proc->p_pid);
}

/*
 * Label cleanup/flush operations
 *
 * Each hook below only asserts the label type it is given; nothing is
 * cleared or freed here.
 */
static void
mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
}

/* Message queue cleanup: checks the queue label. */
static void
mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

/* Semaphore cleanup: checks the semaphore label. */
static void
mac_test_cleanup_sysv_sem(struct label *semalabel)
{

	ASSERT_SYSVIPCSEM_LABEL(semalabel);
}

/* Shared memory cleanup: checks the segment label. */
static void
mac_test_cleanup_sysv_shm(struct label *shmlabel)
{

	ASSERT_SYSVIPCSHM_LABEL(shmlabel);
}

/*
 * Access control checks.
 *
 * NOTE(review): every check in this section returns 0 unconditionally
 * after its label assertions, so this policy never refuses an operation,
 * and none of these hooks reads mac_test_enabled.  ASSERT_BPF_LABEL is a
 * KASSERT() wrapper (the sibling macros presumably are too -- confirm),
 * and KASSERT() is compiled out unless the kernel is built with
 * INVARIANTS; on kernels without it each check reduces to "return (0)".
 * Treat the module as a self-test of the framework's label plumbing, not
 * as an enforcement policy.
 */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}

/* Credential relabel check: current and proposed credential labels asserted. */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}

/* Credential visibility check: both credentials' labels asserted. */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);

	return (0);
}

/* Interface relabel check: credential, current and proposed ifnet labels asserted. */
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
	return (0);
}

/* Interface transmit check: ifnet and mbuf labels asserted. */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* inpcb delivery check: inpcb and mbuf labels asserted. */
static int
mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);

	return (0);
}

/* System V message-to-queue check: queue, message and credential labels asserted. */
static int
mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* System V message receive check: message and credential labels asserted. */
static int
mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}


/* System V message removal check: message and credential labels asserted. */
static int
mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* System V msgget check: queue and credential labels asserted. */
static int
mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* System V queue send check: queue and credential labels asserted. */
static int
mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* System V queue receive check: queue and credential labels asserted. */
static int
mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* System V msgctl check: queue and credential labels asserted; cmd is not examined. */
static int
mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel, int cmd)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* System V semctl check: credential and semaphore labels asserted; cmd is not examined. */
static int
mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel, int cmd)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

/* System V semget check: credential and semaphore labels asserted. */
static int
mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

/* System V semop check: credential and semaphore labels asserted; accesstype is not examined. */
static int
mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel, size_t accesstype)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

/* System V shmat check: credential and segment labels asserted; shmflg is not examined. */
static int
mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int shmflg)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/* System V shmctl check: credential and segment labels asserted; cmd is not examined. */
static int
mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int cmd)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/* System V shmdt check: credential and segment labels asserted. */
static int
mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/* System V shmget check: credential and segment labels asserted; shmflg is not examined. */
static int
mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int shmflg)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/* Kernel environment dump check: credential label asserted. */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel environment get check: credential label asserted; name is not examined. */
static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel environment set check: credential label asserted; name and value are not examined. */
static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel environment unset check: credential label asserted; name is not examined. */
static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel module load check: credential and vnode labels asserted. */
static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Kernel module stat check: credential label asserted. */
static int
mac_test_check_kld_stat(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Kernel module unload check: credential label asserted. */
static int
mac_test_check_kld_unload(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Mount stat check: credential and mount labels asserted. */
static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);

	return (0);
}

/* Pipe ioctl check: credential and pipe labels asserted; cmd and data are not examined. */
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe poll check: credential and pipe labels asserted. */
static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe read check: credential and pipe labels asserted. */
static int
mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe relabel check: credential, current and proposed pipe labels asserted. */
static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);

	return (0);
}

/* Pipe stat check: credential and pipe labels asserted. */
static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Pipe write check: credential and pipe labels asserted. */
static int
mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* POSIX semaphore check: credential label and semaphore label (ASSERT_POSIX_LABEL) asserted. */
static int
mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr,
    struct label *ks_label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_POSIX_LABEL(ks_label);

	return (0);
}

/* Process debug check: subject credential label and target process credential label asserted. */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Process scheduling check: subject and target credential labels asserted. */
static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Signal delivery check: subject and target credential labels asserted; signum is not examined. */
static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/*
 * Credential-change checks (setuid through setresgid below): each asserts
 * only the calling credential's label; the requested ids are not examined.
 */
static int
mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* seteuid check: credential label asserted. */
static int
mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* setgid check: credential label asserted. */
static int
mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* setegid check: credential label asserted. */
static int
mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* setgroups check: credential label asserted; ngroups and gidset are not examined. */
static int
mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
    gid_t *gidset)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* setreuid check: credential label asserted. */
static int
mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* setregid check: credential label asserted. */
static int
mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* setresuid check: credential label asserted. */
static int
mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
    uid_t suid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* setresgid check: credential label asserted. */
static int
mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
    gid_t sgid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Process wait check: subject and target credential labels asserted. */
static int
mac_test_check_proc_wait(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Socket accept check: credential and socket labels asserted. */
static int
mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket bind check: credential and socket labels asserted; sockaddr is not examined. */
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket connect check: credential and socket labels asserted; sockaddr is not examined. */
static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket delivery check: socket and mbuf labels asserted (no credential is passed). */
static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* Socket listen check: credential and socket labels asserted. */
static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket poll check: credential and socket labels asserted. */
static int
mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket receive check: credential and socket labels asserted. */
static int
mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket relabel check: credential, current and proposed socket labels asserted. */
static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}

/* Socket send check: credential and socket labels asserted. */
static int
mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket stat check: credential and socket labels asserted. */
static int
mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Socket visibility check: credential and socket labels asserted. */
static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* sysarch ioperm check: credential label asserted. */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Accounting check: only the credential label is asserted.
 * NOTE(review): unlike the swapon/swapoff checks, the vnode label is not
 * asserted here; presumably vp/label may be NULL for this entry point --
 * confirm against the caller before adding an assertion.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Reboot check: credential label asserted; how is not examined. */
static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Set-time check: credential label asserted. */
static int
mac_test_check_system_settime(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* swapon check: credential and vnode labels asserted. */
static int
mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* swapoff check: credential and vnode labels asserted. */
static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* sysctl check: credential label asserted; the OID and request are not examined. */
static int
mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
    void *arg1, int arg2, struct sysctl_req *req)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Vnode access check: credential and vnode labels asserted; acc_mode is not examined. */
static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* chdir check: credential and directory vnode labels asserted. */
static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* chroot check: credential and directory vnode labels asserted. */
static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode create check: credential and parent directory labels asserted; cnp and vap are not examined. */
static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Vnode delete check: credential, directory and target vnode labels asserted. */
static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* ACL delete check: credential and vnode labels asserted; type is not examined. */
static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Extended attribute delete check: credential and vnode labels asserted; namespace and name are not examined. */
static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode exec check: credential and vnode labels asserted; execlabel is
 * asserted as a credential label only when the caller supplies one.
 */
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/* ACL get check: credential and vnode labels asserted; type is not examined. */
static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Extended attribute get check: credential and vnode labels asserted; namespace, name and uio are not examined. */
static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Hard link check: credential, directory and target vnode labels asserted. */
static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Extended attribute list check: credential and vnode labels asserted. */
static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Lookup check: credential and directory vnode labels asserted; cnp is not examined. */
static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* mmap check: credential and vnode labels asserted; prot and flags are not examined. */
static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot, int flags)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Open check: credential and vnode labels asserted; acc_mode is not examined. */
static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	return (0);
}

/*
 * Vnode poll check: active credential, file credential and vnode labels
 * asserted.
 * NOTE(review): file_cred is dereferenced without a NULL test here, while
 * the read, stat and write checks guard it with "file_cred != NULL".
 * Confirm that no caller passes a NULL file credential to this entry
 * point; otherwise an INVARIANTS kernel would fault inside the assertion.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	ASSERT_CRED_LABEL(file_cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode read check: active credential and vnode labels asserted; the file
 * credential label is asserted only when file_cred is non-NULL.
 */
static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* readdir check: credential and directory vnode labels asserted. */
static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* readlink check: credential and vnode labels asserted. */
static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);

	return (0);
}

/* Vnode relabel check: credential, current and proposed vnode labels asserted. */
static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);

	return (0);
}

/* Rename (source side) check: credential, directory and source vnode labels asserted. */
static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Rename (destination side) check: credential and directory labels are
 * asserted; the target vnode label is asserted only when vp is non-NULL.
 * samedir and cnp are not examined.
 */
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	if (vp != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

/* Revoke check: credential and vnode labels asserted. */
static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* ACL set check: credential and vnode labels asserted; type and acl are not examined. */
static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Extended attribute set check: credential and vnode labels asserted; namespace, name and uio are not examined. */
static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Set-flags check: credential and vnode labels asserted; flags is not examined. */
static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Set-mode check: credential and vnode labels asserted; mode is not examined. */
static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Set-owner check: credential and vnode labels asserted; uid and gid are not examined. */
static int
mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Set-times check: credential and vnode labels asserted; atime and mtime are not examined. */
static int
mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode stat check: active credential and vnode labels asserted; the file
 * credential label is asserted only when file_cred is non-NULL.
 */
static int
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode write check: active credential and vnode labels asserted; the file
 * credential label is asserted only when file_cred is non-NULL.
 */
static int
mac_test_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Operations vector: designated initializers bind each .mpo_* slot to a
 * mac_test_* function defined in this file.
 */
static struct mac_policy_ops mac_test_ops =
{
	.mpo_destroy = mac_test_destroy,
	.mpo_init = mac_test_init,
	.mpo_syscall = mac_test_syscall,
	.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
	.mpo_init_cred_label = mac_test_init_cred_label,
	.mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
	.mpo_init_ifnet_label = mac_test_init_ifnet_label,
	.mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
	.mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
	.mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
	.mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
	.mpo_init_inpcb_label = mac_test_init_inpcb_label,
	.mpo_init_ipq_label = mac_test_init_ipq_label,
	.mpo_init_mbuf_label = mac_test_init_mbuf_label,
	.mpo_init_mount_label = mac_test_init_mount_label,
	.mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
	.mpo_init_pipe_label = mac_test_init_pipe_label,
	.mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
	.mpo_init_proc_label = mac_test_init_proc_label,
	.mpo_init_socket_label = mac_test_init_socket_label,
	.mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
	.mpo_init_vnode_label = mac_test_init_vnode_label,
	.mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
	.mpo_destroy_cred_label = mac_test_destroy_cred_label,
	.mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
	.mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
.mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label, 2426 .mpo_destroy_sysv_msgqueue_label = 2427 mac_test_destroy_sysv_msgqueue_label, 2428 .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label, 2429 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label, 2430 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label, 2431 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 2432 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 2433 .mpo_destroy_mount_label = mac_test_destroy_mount_label, 2434 .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label, 2435 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, 2436 .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label, 2437 .mpo_destroy_proc_label = mac_test_destroy_proc_label, 2438 .mpo_destroy_socket_label = mac_test_destroy_socket_label, 2439 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 2440 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 2441 .mpo_copy_cred_label = mac_test_copy_cred_label, 2442 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label, 2443 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label, 2444 .mpo_copy_pipe_label = mac_test_copy_pipe_label, 2445 .mpo_copy_socket_label = mac_test_copy_socket_label, 2446 .mpo_copy_vnode_label = mac_test_copy_vnode_label, 2447 .mpo_externalize_cred_label = mac_test_externalize_label, 2448 .mpo_externalize_ifnet_label = mac_test_externalize_label, 2449 .mpo_externalize_pipe_label = mac_test_externalize_label, 2450 .mpo_externalize_socket_label = mac_test_externalize_label, 2451 .mpo_externalize_socket_peer_label = mac_test_externalize_label, 2452 .mpo_externalize_vnode_label = mac_test_externalize_label, 2453 .mpo_internalize_cred_label = mac_test_internalize_label, 2454 .mpo_internalize_ifnet_label = mac_test_internalize_label, 2455 .mpo_internalize_pipe_label = mac_test_internalize_label, 2456 .mpo_internalize_socket_label = mac_test_internalize_label, 2457 .mpo_internalize_vnode_label = 
mac_test_internalize_label, 2458 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 2459 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 2460 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 2461 .mpo_create_devfs_device = mac_test_create_devfs_device, 2462 .mpo_create_devfs_directory = mac_test_create_devfs_directory, 2463 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 2464 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 2465 .mpo_create_mount = mac_test_create_mount, 2466 .mpo_relabel_vnode = mac_test_relabel_vnode, 2467 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, 2468 .mpo_update_devfsdirent = mac_test_update_devfsdirent, 2469 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 2470 .mpo_create_pipe = mac_test_create_pipe, 2471 .mpo_create_posix_sem = mac_test_create_posix_sem, 2472 .mpo_create_socket = mac_test_create_socket, 2473 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, 2474 .mpo_relabel_pipe = mac_test_relabel_pipe, 2475 .mpo_relabel_socket = mac_test_relabel_socket, 2476 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 2477 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 2478 .mpo_create_bpfdesc = mac_test_create_bpfdesc, 2479 .mpo_create_ifnet = mac_test_create_ifnet, 2480 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket, 2481 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg, 2482 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue, 2483 .mpo_create_sysv_sem = mac_test_create_sysv_sem, 2484 .mpo_create_sysv_shm = mac_test_create_sysv_shm, 2485 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 2486 .mpo_create_fragment = mac_test_create_fragment, 2487 .mpo_create_ipq = mac_test_create_ipq, 2488 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb, 2489 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 2490 
.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 2491 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 2492 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 2493 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 2494 .mpo_fragment_match = mac_test_fragment_match, 2495 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp, 2496 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp, 2497 .mpo_relabel_ifnet = mac_test_relabel_ifnet, 2498 .mpo_update_ipq = mac_test_update_ipq, 2499 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel, 2500 .mpo_execve_transition = mac_test_execve_transition, 2501 .mpo_execve_will_transition = mac_test_execve_will_transition, 2502 .mpo_create_proc0 = mac_test_create_proc0, 2503 .mpo_create_proc1 = mac_test_create_proc1, 2504 .mpo_relabel_cred = mac_test_relabel_cred, 2505 .mpo_thread_userret = mac_test_thread_userret, 2506 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg, 2507 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue, 2508 .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem, 2509 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm, 2510 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 2511 .mpo_check_cred_relabel = mac_test_check_cred_relabel, 2512 .mpo_check_cred_visible = mac_test_check_cred_visible, 2513 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 2514 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, 2515 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver, 2516 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq, 2517 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv, 2518 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid, 2519 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget, 2520 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd, 2521 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv, 2522 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl, 2523 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl, 2524 
.mpo_check_sysv_semget = mac_test_check_sysv_semget, 2525 .mpo_check_sysv_semop = mac_test_check_sysv_semop, 2526 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat, 2527 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl, 2528 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt, 2529 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget, 2530 .mpo_check_kenv_dump = mac_test_check_kenv_dump, 2531 .mpo_check_kenv_get = mac_test_check_kenv_get, 2532 .mpo_check_kenv_set = mac_test_check_kenv_set, 2533 .mpo_check_kenv_unset = mac_test_check_kenv_unset, 2534 .mpo_check_kld_load = mac_test_check_kld_load, 2535 .mpo_check_kld_stat = mac_test_check_kld_stat, 2536 .mpo_check_kld_unload = mac_test_check_kld_unload, 2537 .mpo_check_mount_stat = mac_test_check_mount_stat, 2538 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 2539 .mpo_check_pipe_poll = mac_test_check_pipe_poll, 2540 .mpo_check_pipe_read = mac_test_check_pipe_read, 2541 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, 2542 .mpo_check_pipe_stat = mac_test_check_pipe_stat, 2543 .mpo_check_pipe_write = mac_test_check_pipe_write, 2544 .mpo_check_posix_sem_destroy = mac_test_check_posix_sem, 2545 .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem, 2546 .mpo_check_posix_sem_open = mac_test_check_posix_sem, 2547 .mpo_check_posix_sem_post = mac_test_check_posix_sem, 2548 .mpo_check_posix_sem_unlink = mac_test_check_posix_sem, 2549 .mpo_check_posix_sem_wait = mac_test_check_posix_sem, 2550 .mpo_check_proc_debug = mac_test_check_proc_debug, 2551 .mpo_check_proc_sched = mac_test_check_proc_sched, 2552 .mpo_check_proc_setuid = mac_test_check_proc_setuid, 2553 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid, 2554 .mpo_check_proc_setgid = mac_test_check_proc_setgid, 2555 .mpo_check_proc_setegid = mac_test_check_proc_setegid, 2556 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups, 2557 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid, 2558 .mpo_check_proc_setregid = mac_test_check_proc_setregid, 
2559 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid, 2560 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid, 2561 .mpo_check_proc_signal = mac_test_check_proc_signal, 2562 .mpo_check_proc_wait = mac_test_check_proc_wait, 2563 .mpo_check_socket_accept = mac_test_check_socket_accept, 2564 .mpo_check_socket_bind = mac_test_check_socket_bind, 2565 .mpo_check_socket_connect = mac_test_check_socket_connect, 2566 .mpo_check_socket_deliver = mac_test_check_socket_deliver, 2567 .mpo_check_socket_listen = mac_test_check_socket_listen, 2568 .mpo_check_socket_poll = mac_test_check_socket_poll, 2569 .mpo_check_socket_receive = mac_test_check_socket_receive, 2570 .mpo_check_socket_relabel = mac_test_check_socket_relabel, 2571 .mpo_check_socket_send = mac_test_check_socket_send, 2572 .mpo_check_socket_stat = mac_test_check_socket_stat, 2573 .mpo_check_socket_visible = mac_test_check_socket_visible, 2574 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, 2575 .mpo_check_system_acct = mac_test_check_system_acct, 2576 .mpo_check_system_reboot = mac_test_check_system_reboot, 2577 .mpo_check_system_settime = mac_test_check_system_settime, 2578 .mpo_check_system_swapon = mac_test_check_system_swapon, 2579 .mpo_check_system_swapoff = mac_test_check_system_swapoff, 2580 .mpo_check_system_sysctl = mac_test_check_system_sysctl, 2581 .mpo_check_vnode_access = mac_test_check_vnode_access, 2582 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 2583 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 2584 .mpo_check_vnode_create = mac_test_check_vnode_create, 2585 .mpo_check_vnode_delete = mac_test_check_vnode_delete, 2586 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 2587 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr, 2588 .mpo_check_vnode_exec = mac_test_check_vnode_exec, 2589 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 2590 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 2591 
.mpo_check_vnode_link = mac_test_check_vnode_link, 2592 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr, 2593 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 2594 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 2595 .mpo_check_vnode_open = mac_test_check_vnode_open, 2596 .mpo_check_vnode_poll = mac_test_check_vnode_poll, 2597 .mpo_check_vnode_read = mac_test_check_vnode_read, 2598 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 2599 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, 2600 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 2601 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 2602 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, 2603 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke, 2604 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, 2605 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, 2606 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, 2607 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, 2608 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, 2609 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, 2610 .mpo_check_vnode_stat = mac_test_check_vnode_stat, 2611 .mpo_check_vnode_write = mac_test_check_vnode_write, 2612 }; 2613 2614 /* Register the mac_test_ops entry-point table with the MAC framework under the policy name "mac_test" (full name "TrustedBSD MAC/Test"). MPC_LOADTIME_FLAG_UNLOADOK declares that the policy may be unloaded at run time; MPC_LOADTIME_FLAG_LABELMBUFS requests that mbufs carry labels for this policy. &test_slot is presumably where the framework stores the label slot index that SLOT() reads -- confirm against sys/mac_policy.h. NOTE(review): UNLOADOK is reasonable for a test module that only asserts label state, but it means the policy's checks disappear whenever the module is unloaded, so it should not be copied into an enforcing policy without thought. */ MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test", 2615 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot); 2616