1 /*- 2 * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson 3 * Copyright (c) 2001-2005 McAfee, Inc. 4 * Copyright (c) 2006 SPARTA, Inc. 5 * Copyright (c) 2008 Apple Inc. 6 * All rights reserved. 7 * 8 * This software was developed by Robert Watson for the TrustedBSD Project. 9 * 10 * This software was developed for the FreeBSD Project in part by McAfee 11 * Research, the Security Research Division of McAfee, Inc. under 12 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 13 * CHATS research program. 14 * 15 * This software was enhanced by SPARTA ISSO under SPAWAR contract 16 * N66001-04-C-6019 ("SEFOS"). 17 * 18 * This software was developed at the University of Cambridge Computer 19 * Laboratory with support from a grant from Google, Inc. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 31 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 32 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 33 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 34 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 35 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 36 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 37 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 38 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 39 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 40 * SUCH DAMAGE. 41 * 42 * $FreeBSD$ 43 */ 44 45 /* 46 * Developed by the TrustedBSD Project. 47 * 48 * MAC Test policy - tests MAC Framework labeling by assigning object class 49 * magic numbers to each label and validates that each time an object label 50 * is passed into the policy, it has a consistent object type, catching 51 * incorrectly passed labels, labels passed after free, etc. 52 */ 53 54 #include <sys/param.h> 55 #include <sys/acl.h> 56 #include <sys/kdb.h> 57 #include <sys/kernel.h> 58 #include <sys/ksem.h> 59 #include <sys/malloc.h> 60 #include <sys/module.h> 61 #include <sys/mount.h> 62 #include <sys/msg.h> 63 #include <sys/proc.h> 64 #include <sys/vnode.h> 65 #include <sys/sem.h> 66 #include <sys/shm.h> 67 #include <sys/socket.h> 68 #include <sys/socketvar.h> 69 #include <sys/sx.h> 70 #include <sys/sysctl.h> 71 72 #include <fs/devfs/devfs.h> 73 74 #include <net/bpfdesc.h> 75 #include <net/if.h> 76 #include <net/if_types.h> 77 #include <net/if_var.h> 78 79 #include <security/mac/mac_policy.h> 80 81 SYSCTL_DECL(_security_mac); 82 83 SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, 84 "TrustedBSD mac_test policy controls"); 85 86 #define MAGIC_BPF 0xfe1ad1b6 87 #define MAGIC_DEVFS 0x9ee79c32 88 #define MAGIC_IFNET 0xc218b120 89 #define MAGIC_INPCB 0x4440f7bb 90 #define MAGIC_IP6Q 0x0870e1b7 91 #define MAGIC_IPQ 0x206188ef 92 #define MAGIC_MBUF 0xbbefa5bb 93 #define MAGIC_MOUNT 0xc7c46e47 94 #define MAGIC_SOCKET 0x9199c6cd 95 #define MAGIC_SYNCACHE 0x7fb838a8 96 #define MAGIC_SYSV_MSG 0x8bbba61e 97 #define MAGIC_SYSV_MSQ 0xea672391 98 #define MAGIC_SYSV_SEM 0x896e8a0b 99 #define MAGIC_SYSV_SHM 0x76119ab0 100 #define MAGIC_PIPE 0xdc6c9919 101 #define MAGIC_POSIX_SEM 0x78ae980c 102 #define MAGIC_POSIX_SHM 0x4e853fc9 103 #define MAGIC_PROC 0x3b4be98f 104 #define MAGIC_CRED 0x9a5a4987 105 #define MAGIC_VNODE 0x1a67a45c 106 #define MAGIC_FREE 0x849ba1fd 107 108 #define SLOT(x) mac_label_get((x), test_slot) 109 #define SLOT_SET(x, v) mac_label_set((x), test_slot, (v)) 110 111 static int test_slot; 112 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 113 &test_slot, 0, "Slot allocated by framework"); 114 115 SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0, 116 "TrustedBSD mac_test counters controls"); 117 118 #define COUNTER_DECL(variable) \ 119 static int counter_##variable; \ 120 SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable, \ 121 CTLFLAG_RD, &counter_##variable, 0, #variable) 122 123 #define COUNTER_INC(variable) atomic_add_int(&counter_##variable, 1) 124 125 #ifdef KDB 126 #define DEBUGGER(func, string) kdb_enter(KDB_WHY_MAC, (string)) 127 #else 128 #define DEBUGGER(func, string) printf("mac_test: %s: %s\n", (func), (string)) 129 #endif 130 131 #define LABEL_CHECK(label, magic) do { \ 132 if (label != NULL) { \ 133 KASSERT(SLOT(label) == magic || SLOT(label) == 0, \ 134 ("%s: bad %s label", __func__, #magic)); \ 135 } \ 136 } while (0) 137 138 #define LABEL_DESTROY(label, magic) do { \ 139 if (SLOT(label) == magic || SLOT(label) == 0) { \ 140 SLOT_SET(label, MAGIC_FREE); \ 141 } else if (SLOT(label) == MAGIC_FREE) { \ 142 DEBUGGER("%s: dup destroy", __func__); \ 143 } else { \ 144 DEBUGGER("%s: corrupted label", __func__); \ 145 } \ 146 } while (0) 147 148 #define LABEL_INIT(label, magic) do { \ 149 SLOT_SET(label, magic); \ 150 } while (0) 151 152 #define LABEL_NOTFREE(label) do { \ 153 KASSERT(SLOT(label) != MAGIC_FREE, \ 154 ("%s: destroyed label", __func__)); \ 155 } while (0) 156 157 /* 158 * Object-specific entry point implementations are sorted alphabetically by 159 * object type name and then by operation. 160 */ 161 COUNTER_DECL(bpfdesc_check_receive); 162 static int 163 test_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, 164 struct ifnet *ifp, struct label *ifplabel) 165 { 166 167 LABEL_CHECK(dlabel, MAGIC_BPF); 168 LABEL_CHECK(ifplabel, MAGIC_IFNET); 169 COUNTER_INC(bpfdesc_check_receive); 170 171 return (0); 172 } 173 174 COUNTER_DECL(bpfdesc_create); 175 static void 176 test_bpfdesc_create(struct ucred *cred, struct bpf_d *d, 177 struct label *dlabel) 178 { 179 180 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 181 LABEL_CHECK(dlabel, MAGIC_BPF); 182 COUNTER_INC(bpfdesc_create); 183 } 184 185 COUNTER_DECL(bpfdesc_create_mbuf); 186 static void 187 test_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, 188 struct mbuf *m, struct label *mlabel) 189 { 190 191 LABEL_CHECK(dlabel, MAGIC_BPF); 192 LABEL_CHECK(mlabel, MAGIC_MBUF); 193 COUNTER_INC(bpfdesc_create_mbuf); 194 } 195 196 COUNTER_DECL(bpfdesc_destroy_label); 197 static void 198 test_bpfdesc_destroy_label(struct label *label) 199 { 200 201 LABEL_DESTROY(label, MAGIC_BPF); 202 COUNTER_INC(bpfdesc_destroy_label); 203 } 204 205 COUNTER_DECL(bpfdesc_init_label); 206 static void 207 test_bpfdesc_init_label(struct label *label) 208 { 209 210 LABEL_INIT(label, MAGIC_BPF); 211 COUNTER_INC(bpfdesc_init_label); 212 } 213 214 COUNTER_DECL(cred_check_relabel); 215 static int 216 test_cred_check_relabel(struct ucred *cred, struct label *newlabel) 217 { 218 219 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 220 LABEL_CHECK(newlabel, MAGIC_CRED); 221 COUNTER_INC(cred_check_relabel); 222 223 return (0); 224 } 225 226 COUNTER_DECL(cred_check_setaudit); 227 static int 228 test_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai) 229 { 230 231 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 232 COUNTER_INC(cred_check_setaudit); 233 234 return (0); 235 } 236 237 COUNTER_DECL(cred_check_setaudit_addr); 238 static int 239 test_cred_check_setaudit_addr(struct ucred *cred, 240 struct auditinfo_addr *aia) 241 { 242 243 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 244 COUNTER_INC(cred_check_setaudit_addr); 245 246 return (0); 247 } 248 249 COUNTER_DECL(cred_check_setauid); 250 static int 251 test_cred_check_setauid(struct ucred *cred, uid_t auid) 252 { 253 254 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 255 COUNTER_INC(cred_check_setauid); 256 257 return (0); 258 } 259 260 COUNTER_DECL(cred_check_setegid); 261 static int 262 test_cred_check_setegid(struct ucred *cred, gid_t egid) 263 { 264 265 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 266 COUNTER_INC(cred_check_setegid); 267 268 return (0); 269 } 270 271 COUNTER_DECL(proc_check_euid); 272 static int 273 test_cred_check_seteuid(struct ucred *cred, uid_t euid) 274 { 275 276 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 277 COUNTER_INC(proc_check_euid); 278 279 return (0); 280 } 281 282 COUNTER_DECL(cred_check_setregid); 283 static int 284 test_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) 285 { 286 287 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 288 COUNTER_INC(cred_check_setregid); 289 290 return (0); 291 } 292 293 COUNTER_DECL(cred_check_setreuid); 294 static int 295 test_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) 296 { 297 298 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 299 COUNTER_INC(cred_check_setreuid); 300 301 return (0); 302 } 303 304 COUNTER_DECL(cred_check_setgid); 305 static int 306 test_cred_check_setgid(struct ucred *cred, gid_t gid) 307 { 308 309 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 310 COUNTER_INC(cred_check_setgid); 311 312 return (0); 313 } 314 315 COUNTER_DECL(cred_check_setgroups); 316 static int 317 test_cred_check_setgroups(struct ucred *cred, int ngroups, 318 gid_t *gidset) 319 { 320 321 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 322 COUNTER_INC(cred_check_setgroups); 323 324 return (0); 325 } 326 327 COUNTER_DECL(cred_check_setresgid); 328 static int 329 test_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, 330 gid_t sgid) 331 { 332 333 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 334 COUNTER_INC(cred_check_setresgid); 335 336 return (0); 337 } 338 339 COUNTER_DECL(cred_check_setresuid); 340 static int 341 test_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, 342 uid_t suid) 343 { 344 345 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 346 COUNTER_INC(cred_check_setresuid); 347 348 return (0); 349 } 350 351 COUNTER_DECL(cred_check_setuid); 352 static int 353 test_cred_check_setuid(struct ucred *cred, uid_t uid) 354 { 355 356 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 357 COUNTER_INC(cred_check_setuid); 358 359 return (0); 360 } 361 362 COUNTER_DECL(cred_check_visible); 363 static int 364 test_cred_check_visible(struct ucred *u1, struct ucred *u2) 365 { 366 367 LABEL_CHECK(u1->cr_label, MAGIC_CRED); 368 LABEL_CHECK(u2->cr_label, MAGIC_CRED); 369 COUNTER_INC(cred_check_visible); 370 371 return (0); 372 } 373 374 COUNTER_DECL(cred_copy_label); 375 static void 376 test_cred_copy_label(struct label *src, struct label *dest) 377 { 378 379 LABEL_CHECK(src, MAGIC_CRED); 380 LABEL_CHECK(dest, MAGIC_CRED); 381 COUNTER_INC(cred_copy_label); 382 } 383 384 COUNTER_DECL(cred_create_init); 385 static void 386 test_cred_create_init(struct ucred *cred) 387 { 388 389 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 390 COUNTER_INC(cred_create_init); 391 } 392 393 COUNTER_DECL(cred_create_swapper); 394 static void 395 test_cred_create_swapper(struct ucred *cred) 396 { 397 398 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 399 COUNTER_INC(cred_create_swapper); 400 } 401 402 COUNTER_DECL(cred_destroy_label); 403 static void 404 test_cred_destroy_label(struct label *label) 405 { 406 407 LABEL_DESTROY(label, MAGIC_CRED); 408 COUNTER_INC(cred_destroy_label); 409 } 410 411 COUNTER_DECL(cred_externalize_label); 412 static int 413 test_cred_externalize_label(struct label *label, char *element_name, 414 struct sbuf *sb, int *claimed) 415 { 416 417 LABEL_CHECK(label, MAGIC_CRED); 418 COUNTER_INC(cred_externalize_label); 419 420 return (0); 421 } 422 423 COUNTER_DECL(cred_init_label); 424 static void 425 test_cred_init_label(struct label *label) 426 { 427 428 LABEL_INIT(label, MAGIC_CRED); 429 COUNTER_INC(cred_init_label); 430 } 431 432 COUNTER_DECL(cred_internalize_label); 433 static int 434 test_cred_internalize_label(struct label *label, char *element_name, 435 char *element_data, int *claimed) 436 { 437 438 LABEL_CHECK(label, MAGIC_CRED); 439 COUNTER_INC(cred_internalize_label); 440 441 return (0); 442 } 443 444 COUNTER_DECL(cred_relabel); 445 static void 446 test_cred_relabel(struct ucred *cred, struct label *newlabel) 447 { 448 449 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 450 LABEL_CHECK(newlabel, MAGIC_CRED); 451 COUNTER_INC(cred_relabel); 452 } 453 454 COUNTER_DECL(devfs_create_device); 455 static void 456 test_devfs_create_device(struct ucred *cred, struct mount *mp, 457 struct cdev *dev, struct devfs_dirent *de, struct label *delabel) 458 { 459 460 if (cred != NULL) 461 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 462 LABEL_CHECK(delabel, MAGIC_DEVFS); 463 COUNTER_INC(devfs_create_device); 464 } 465 466 COUNTER_DECL(devfs_create_directory); 467 static void 468 test_devfs_create_directory(struct mount *mp, char *dirname, 469 int dirnamelen, struct devfs_dirent *de, struct label *delabel) 470 { 471 472 LABEL_CHECK(delabel, MAGIC_DEVFS); 473 COUNTER_INC(devfs_create_directory); 474 } 475 476 COUNTER_DECL(devfs_create_symlink); 477 static void 478 test_devfs_create_symlink(struct ucred *cred, struct mount *mp, 479 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, 480 struct label *delabel) 481 { 482 483 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 484 LABEL_CHECK(ddlabel, MAGIC_DEVFS); 485 LABEL_CHECK(delabel, MAGIC_DEVFS); 486 COUNTER_INC(devfs_create_symlink); 487 } 488 489 COUNTER_DECL(devfs_destroy_label); 490 static void 491 test_devfs_destroy_label(struct label *label) 492 { 493 494 LABEL_DESTROY(label, MAGIC_DEVFS); 495 COUNTER_INC(devfs_destroy_label); 496 } 497 498 COUNTER_DECL(devfs_init_label); 499 static void 500 test_devfs_init_label(struct label *label) 501 { 502 503 LABEL_INIT(label, MAGIC_DEVFS); 504 COUNTER_INC(devfs_init_label); 505 } 506 507 COUNTER_DECL(devfs_update); 508 static void 509 test_devfs_update(struct mount *mp, struct devfs_dirent *devfs_dirent, 510 struct label *direntlabel, struct vnode *vp, struct label *vplabel) 511 { 512 513 LABEL_CHECK(direntlabel, MAGIC_DEVFS); 514 LABEL_CHECK(vplabel, MAGIC_VNODE); 515 COUNTER_INC(devfs_update); 516 } 517 518 COUNTER_DECL(devfs_vnode_associate); 519 static void 520 test_devfs_vnode_associate(struct mount *mp, struct label *mplabel, 521 struct devfs_dirent *de, struct label *delabel, struct vnode *vp, 522 struct label *vplabel) 523 { 524 525 LABEL_CHECK(mplabel, MAGIC_MOUNT); 526 LABEL_CHECK(delabel, MAGIC_DEVFS); 527 LABEL_CHECK(vplabel, MAGIC_VNODE); 528 COUNTER_INC(devfs_vnode_associate); 529 } 530 531 COUNTER_DECL(ifnet_check_relabel); 532 static int 533 test_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, 534 struct label *ifplabel, struct label *newlabel) 535 { 536 537 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 538 LABEL_CHECK(ifplabel, MAGIC_IFNET); 539 LABEL_CHECK(newlabel, MAGIC_IFNET); 540 COUNTER_INC(ifnet_check_relabel); 541 542 return (0); 543 } 544 545 COUNTER_DECL(ifnet_check_transmit); 546 static int 547 test_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, 548 struct mbuf *m, struct label *mlabel) 549 { 550 551 LABEL_CHECK(ifplabel, MAGIC_IFNET); 552 LABEL_CHECK(mlabel, MAGIC_MBUF); 553 COUNTER_INC(ifnet_check_transmit); 554 555 return (0); 556 } 557 558 COUNTER_DECL(ifnet_copy_label); 559 static void 560 test_ifnet_copy_label(struct label *src, struct label *dest) 561 { 562 563 LABEL_CHECK(src, MAGIC_IFNET); 564 LABEL_CHECK(dest, MAGIC_IFNET); 565 COUNTER_INC(ifnet_copy_label); 566 } 567 568 COUNTER_DECL(ifnet_create); 569 static void 570 test_ifnet_create(struct ifnet *ifp, struct label *ifplabel) 571 { 572 573 LABEL_CHECK(ifplabel, MAGIC_IFNET); 574 COUNTER_INC(ifnet_create); 575 } 576 577 COUNTER_DECL(ifnet_create_mbuf); 578 static void 579 test_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel, 580 struct mbuf *m, struct label *mlabel) 581 { 582 583 LABEL_CHECK(ifplabel, MAGIC_IFNET); 584 LABEL_CHECK(mlabel, MAGIC_MBUF); 585 COUNTER_INC(ifnet_create_mbuf); 586 } 587 588 COUNTER_DECL(ifnet_destroy_label); 589 static void 590 test_ifnet_destroy_label(struct label *label) 591 { 592 593 LABEL_DESTROY(label, MAGIC_IFNET); 594 COUNTER_INC(ifnet_destroy_label); 595 } 596 597 COUNTER_DECL(ifnet_externalize_label); 598 static int 599 test_ifnet_externalize_label(struct label *label, char *element_name, 600 struct sbuf *sb, int *claimed) 601 { 602 603 LABEL_CHECK(label, MAGIC_IFNET); 604 COUNTER_INC(ifnet_externalize_label); 605 606 return (0); 607 } 608 609 COUNTER_DECL(ifnet_init_label); 610 static void 611 test_ifnet_init_label(struct label *label) 612 { 613 614 LABEL_INIT(label, MAGIC_IFNET); 615 COUNTER_INC(ifnet_init_label); 616 } 617 618 COUNTER_DECL(ifnet_internalize_label); 619 static int 620 test_ifnet_internalize_label(struct label *label, char *element_name, 621 char *element_data, int *claimed) 622 { 623 624 LABEL_CHECK(label, MAGIC_IFNET); 625 COUNTER_INC(ifnet_internalize_label); 626 627 return (0); 628 } 629 630 COUNTER_DECL(ifnet_relabel); 631 static void 632 test_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, 633 struct label *ifplabel, struct label *newlabel) 634 { 635 636 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 637 LABEL_CHECK(ifplabel, MAGIC_IFNET); 638 LABEL_CHECK(newlabel, MAGIC_IFNET); 639 COUNTER_INC(ifnet_relabel); 640 } 641 642 COUNTER_DECL(inpcb_check_deliver); 643 static int 644 test_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, 645 struct mbuf *m, struct label *mlabel) 646 { 647 648 LABEL_CHECK(inplabel, MAGIC_INPCB); 649 LABEL_CHECK(mlabel, MAGIC_MBUF); 650 COUNTER_INC(inpcb_check_deliver); 651 652 return (0); 653 } 654 655 COUNTER_DECL(inpcb_check_visible); 656 static int 657 test_inpcb_check_visible(struct ucred *cred, struct inpcb *inp, 658 struct label *inplabel) 659 { 660 661 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 662 LABEL_CHECK(inplabel, MAGIC_INPCB); 663 COUNTER_INC(inpcb_check_visible); 664 665 return (0); 666 } 667 668 COUNTER_DECL(inpcb_create); 669 static void 670 test_inpcb_create(struct socket *so, struct label *solabel, 671 struct inpcb *inp, struct label *inplabel) 672 { 673 674 LABEL_CHECK(solabel, MAGIC_SOCKET); 675 LABEL_CHECK(inplabel, MAGIC_INPCB); 676 COUNTER_INC(inpcb_create); 677 } 678 679 COUNTER_DECL(inpcb_create_mbuf); 680 static void 681 test_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, 682 struct mbuf *m, struct label *mlabel) 683 { 684 685 LABEL_CHECK(inplabel, MAGIC_INPCB); 686 LABEL_CHECK(mlabel, MAGIC_MBUF); 687 COUNTER_INC(inpcb_create_mbuf); 688 } 689 690 COUNTER_DECL(inpcb_destroy_label); 691 static void 692 test_inpcb_destroy_label(struct label *label) 693 { 694 695 LABEL_DESTROY(label, MAGIC_INPCB); 696 COUNTER_INC(inpcb_destroy_label); 697 } 698 699 COUNTER_DECL(inpcb_init_label); 700 static int 701 test_inpcb_init_label(struct label *label, int flag) 702 { 703 704 if (flag & M_WAITOK) 705 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 706 "test_inpcb_init_label() at %s:%d", __FILE__, 707 __LINE__); 708 709 LABEL_INIT(label, MAGIC_INPCB); 710 COUNTER_INC(inpcb_init_label); 711 return (0); 712 } 713 714 COUNTER_DECL(inpcb_sosetlabel); 715 static void 716 test_inpcb_sosetlabel(struct socket *so, struct label *solabel, 717 struct inpcb *inp, struct label *inplabel) 718 { 719 720 LABEL_CHECK(solabel, MAGIC_SOCKET); 721 LABEL_CHECK(inplabel, MAGIC_INPCB); 722 COUNTER_INC(inpcb_sosetlabel); 723 } 724 725 COUNTER_DECL(ip6q_create); 726 static void 727 test_ip6q_create(struct mbuf *fragment, struct label *fragmentlabel, 728 struct ip6q *q6, struct label *q6label) 729 { 730 731 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 732 LABEL_CHECK(q6label, MAGIC_IP6Q); 733 COUNTER_INC(ip6q_create); 734 } 735 736 COUNTER_DECL(ip6q_destroy_label); 737 static void 738 test_ip6q_destroy_label(struct label *label) 739 { 740 741 LABEL_DESTROY(label, MAGIC_IP6Q); 742 COUNTER_INC(ip6q_destroy_label); 743 } 744 745 COUNTER_DECL(ip6q_init_label); 746 static int 747 test_ip6q_init_label(struct label *label, int flag) 748 { 749 750 if (flag & M_WAITOK) 751 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 752 "test_ip6q_init_label() at %s:%d", __FILE__, 753 __LINE__); 754 755 LABEL_INIT(label, MAGIC_IP6Q); 756 COUNTER_INC(ip6q_init_label); 757 return (0); 758 } 759 760 COUNTER_DECL(ip6q_match); 761 static int 762 test_ip6q_match(struct mbuf *fragment, struct label *fragmentlabel, 763 struct ip6q *q6, struct label *q6label) 764 { 765 766 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 767 LABEL_CHECK(q6label, MAGIC_IP6Q); 768 COUNTER_INC(ip6q_match); 769 770 return (1); 771 } 772 773 COUNTER_DECL(ip6q_reassemble); 774 static void 775 test_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m, 776 struct label *mlabel) 777 { 778 779 LABEL_CHECK(q6label, MAGIC_IP6Q); 780 LABEL_CHECK(mlabel, MAGIC_MBUF); 781 COUNTER_INC(ip6q_reassemble); 782 } 783 784 COUNTER_DECL(ip6q_update); 785 static void 786 test_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6, 787 struct label *q6label) 788 { 789 790 LABEL_CHECK(mlabel, MAGIC_MBUF); 791 LABEL_CHECK(q6label, MAGIC_IP6Q); 792 COUNTER_INC(ip6q_update); 793 } 794 795 COUNTER_DECL(ipq_create); 796 static void 797 test_ipq_create(struct mbuf *fragment, struct label *fragmentlabel, 798 struct ipq *q, struct label *qlabel) 799 { 800 801 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 802 LABEL_CHECK(qlabel, MAGIC_IPQ); 803 COUNTER_INC(ipq_create); 804 } 805 806 COUNTER_DECL(ipq_destroy_label); 807 static void 808 test_ipq_destroy_label(struct label *label) 809 { 810 811 LABEL_DESTROY(label, MAGIC_IPQ); 812 COUNTER_INC(ipq_destroy_label); 813 } 814 815 COUNTER_DECL(ipq_init_label); 816 static int 817 test_ipq_init_label(struct label *label, int flag) 818 { 819 820 if (flag & M_WAITOK) 821 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 822 "test_ipq_init_label() at %s:%d", __FILE__, 823 __LINE__); 824 825 LABEL_INIT(label, MAGIC_IPQ); 826 COUNTER_INC(ipq_init_label); 827 return (0); 828 } 829 830 COUNTER_DECL(ipq_match); 831 static int 832 test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel, 833 struct ipq *q, struct label *qlabel) 834 { 835 836 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 837 LABEL_CHECK(qlabel, MAGIC_IPQ); 838 COUNTER_INC(ipq_match); 839 840 return (1); 841 } 842 843 COUNTER_DECL(ipq_reassemble); 844 static void 845 test_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m, 846 struct label *mlabel) 847 { 848 849 LABEL_CHECK(qlabel, MAGIC_IPQ); 850 LABEL_CHECK(mlabel, MAGIC_MBUF); 851 COUNTER_INC(ipq_reassemble); 852 } 853 854 COUNTER_DECL(ipq_update); 855 static void 856 test_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q, 857 struct label *qlabel) 858 { 859 860 LABEL_CHECK(mlabel, MAGIC_MBUF); 861 LABEL_CHECK(qlabel, MAGIC_IPQ); 862 COUNTER_INC(ipq_update); 863 } 864 865 COUNTER_DECL(kenv_check_dump); 866 static int 867 test_kenv_check_dump(struct ucred *cred) 868 { 869 870 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 871 COUNTER_INC(kenv_check_dump); 872 873 return (0); 874 } 875 876 COUNTER_DECL(kenv_check_get); 877 static int 878 test_kenv_check_get(struct ucred *cred, char *name) 879 { 880 881 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 882 COUNTER_INC(kenv_check_get); 883 884 return (0); 885 } 886 887 COUNTER_DECL(kenv_check_set); 888 static int 889 test_kenv_check_set(struct ucred *cred, char *name, char *value) 890 { 891 892 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 893 COUNTER_INC(kenv_check_set); 894 895 return (0); 896 } 897 898 COUNTER_DECL(kenv_check_unset); 899 static int 900 test_kenv_check_unset(struct ucred *cred, char *name) 901 { 902 903 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 904 COUNTER_INC(kenv_check_unset); 905 906 return (0); 907 } 908 909 COUNTER_DECL(kld_check_load); 910 static int 911 test_kld_check_load(struct ucred *cred, struct vnode *vp, 912 struct label *label) 913 { 914 915 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 916 LABEL_CHECK(label, MAGIC_VNODE); 917 COUNTER_INC(kld_check_load); 918 919 return (0); 920 } 921 922 COUNTER_DECL(kld_check_stat); 923 static int 924 test_kld_check_stat(struct ucred *cred) 925 { 926 927 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 928 COUNTER_INC(kld_check_stat); 929 930 return (0); 931 } 932 933 COUNTER_DECL(mbuf_copy_label); 934 static void 935 test_mbuf_copy_label(struct label *src, struct label *dest) 936 { 937 938 LABEL_CHECK(src, MAGIC_MBUF); 939 LABEL_CHECK(dest, MAGIC_MBUF); 940 COUNTER_INC(mbuf_copy_label); 941 } 942 943 COUNTER_DECL(mbuf_destroy_label); 944 static void 945 test_mbuf_destroy_label(struct label *label) 946 { 947 948 /* 949 * If we're loaded dynamically, there may be mbufs in flight that 950 * didn't have label storage allocated for them. Handle this 951 * gracefully. 952 */ 953 if (label == NULL) 954 return; 955 956 LABEL_DESTROY(label, MAGIC_MBUF); 957 COUNTER_INC(mbuf_destroy_label); 958 } 959 960 COUNTER_DECL(mbuf_init_label); 961 static int 962 test_mbuf_init_label(struct label *label, int flag) 963 { 964 965 if (flag & M_WAITOK) 966 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 967 "test_mbuf_init_label() at %s:%d", __FILE__, 968 __LINE__); 969 970 LABEL_INIT(label, MAGIC_MBUF); 971 COUNTER_INC(mbuf_init_label); 972 return (0); 973 } 974 975 COUNTER_DECL(mount_check_stat); 976 static int 977 test_mount_check_stat(struct ucred *cred, struct mount *mp, 978 struct label *mplabel) 979 { 980 981 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 982 LABEL_CHECK(mplabel, MAGIC_MOUNT); 983 COUNTER_INC(mount_check_stat); 984 985 return (0); 986 } 987 988 COUNTER_DECL(mount_create); 989 static void 990 test_mount_create(struct ucred *cred, struct mount *mp, 991 struct label *mplabel) 992 { 993 994 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 995 LABEL_CHECK(mplabel, MAGIC_MOUNT); 996 COUNTER_INC(mount_create); 997 } 998 999 COUNTER_DECL(mount_destroy_label); 1000 static void 1001 test_mount_destroy_label(struct label *label) 1002 { 1003 1004 LABEL_DESTROY(label, MAGIC_MOUNT); 1005 COUNTER_INC(mount_destroy_label); 1006 } 1007 1008 COUNTER_DECL(mount_init_label); 1009 static void 1010 test_mount_init_label(struct label *label) 1011 { 1012 1013 LABEL_INIT(label, MAGIC_MOUNT); 1014 COUNTER_INC(mount_init_label); 1015 } 1016 1017 COUNTER_DECL(netatalk_aarp_send); 1018 static void 1019 test_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel, 1020 struct mbuf *m, struct label *mlabel) 1021 { 1022 1023 LABEL_CHECK(ifplabel, MAGIC_IFNET); 1024 LABEL_CHECK(mlabel, MAGIC_MBUF); 1025 COUNTER_INC(netatalk_aarp_send); 1026 } 1027 1028 COUNTER_DECL(netinet_arp_send); 1029 static void 1030 test_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel, 1031 struct mbuf *m, struct label *mlabel) 1032 { 1033 1034 LABEL_CHECK(ifplabel, MAGIC_IFNET); 1035 LABEL_CHECK(mlabel, MAGIC_MBUF); 1036 COUNTER_INC(netinet_arp_send); 1037 } 1038 1039 COUNTER_DECL(netinet_fragment); 1040 static void 1041 test_netinet_fragment(struct mbuf *m, struct label *mlabel, 1042 struct mbuf *frag, struct label *fraglabel) 1043 { 1044 1045 LABEL_CHECK(mlabel, MAGIC_MBUF); 1046 LABEL_CHECK(fraglabel, MAGIC_MBUF); 1047 COUNTER_INC(netinet_fragment); 1048 } 1049 1050 COUNTER_DECL(netinet_icmp_reply); 1051 static void 1052 test_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel, 1053 struct mbuf *msend, struct label *msendlabel) 1054 { 1055 1056 LABEL_CHECK(mrecvlabel, MAGIC_MBUF); 1057 LABEL_CHECK(msendlabel, MAGIC_MBUF); 1058 COUNTER_INC(netinet_icmp_reply); 1059 } 1060 1061 COUNTER_DECL(netinet_icmp_replyinplace); 1062 static void 1063 test_netinet_icmp_replyinplace(struct mbuf *m, struct label *mlabel) 1064 { 1065 1066 LABEL_CHECK(mlabel, MAGIC_MBUF); 1067 COUNTER_INC(netinet_icmp_replyinplace); 1068 } 1069 1070 COUNTER_DECL(netinet_igmp_send); 1071 static void 1072 test_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel, 1073 struct mbuf *m, struct label *mlabel) 1074 { 1075 1076 LABEL_CHECK(ifplabel, MAGIC_IFNET); 1077 LABEL_CHECK(mlabel, MAGIC_MBUF); 1078 COUNTER_INC(netinet_igmp_send); 1079 } 1080 1081 COUNTER_DECL(netinet_tcp_reply); 1082 static void 1083 test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel) 1084 { 1085 1086 LABEL_CHECK(mlabel, MAGIC_MBUF); 1087 COUNTER_INC(netinet_tcp_reply); 1088 } 1089 1090 COUNTER_DECL(netinet6_nd6_send); 1091 static void 1092 test_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel, 1093 struct mbuf *m, struct label *mlabel) 1094 { 1095 1096 LABEL_CHECK(ifplabel, MAGIC_IFNET); 1097 LABEL_CHECK(mlabel, MAGIC_MBUF); 1098 COUNTER_INC(netinet6_nd6_send); 1099 } 1100 1101 COUNTER_DECL(pipe_check_ioctl); 1102 static int 1103 test_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, 1104 struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data) 1105 { 1106 1107 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1108 LABEL_CHECK(pplabel, MAGIC_PIPE); 1109 COUNTER_INC(pipe_check_ioctl); 1110 1111 return (0); 1112 } 1113 1114 COUNTER_DECL(pipe_check_poll); 1115 static int 1116 test_pipe_check_poll(struct ucred *cred, struct pipepair *pp, 1117 struct label *pplabel) 1118 { 1119 1120 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1121 LABEL_CHECK(pplabel, MAGIC_PIPE); 1122 COUNTER_INC(pipe_check_poll); 1123 1124 return (0); 1125 } 1126 1127 COUNTER_DECL(pipe_check_read); 1128 static int 1129 test_pipe_check_read(struct ucred *cred, struct pipepair *pp, 1130 struct label *pplabel) 1131 { 1132 1133 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1134 LABEL_CHECK(pplabel, MAGIC_PIPE); 1135 COUNTER_INC(pipe_check_read); 1136 1137 return (0); 1138 } 1139 1140 COUNTER_DECL(pipe_check_relabel); 1141 static int 1142 test_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, 1143 struct label *pplabel, struct label *newlabel) 1144 { 1145 1146 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1147 LABEL_CHECK(pplabel, MAGIC_PIPE); 1148 LABEL_CHECK(newlabel, MAGIC_PIPE); 1149 COUNTER_INC(pipe_check_relabel); 1150 1151 return (0); 1152 } 1153 1154 COUNTER_DECL(pipe_check_stat); 1155 static int 1156 test_pipe_check_stat(struct ucred *cred, struct pipepair *pp, 1157 struct label *pplabel) 1158 { 1159 1160 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1161 LABEL_CHECK(pplabel, MAGIC_PIPE); 1162 COUNTER_INC(pipe_check_stat); 1163 1164 return (0); 1165 } 1166 1167 COUNTER_DECL(pipe_check_write); 1168 static int 1169 test_pipe_check_write(struct ucred *cred, struct pipepair *pp, 1170 struct label *pplabel) 1171 { 1172 1173 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1174 LABEL_CHECK(pplabel, MAGIC_PIPE); 1175 COUNTER_INC(pipe_check_write); 1176 1177 return (0); 1178 } 1179 1180 COUNTER_DECL(pipe_copy_label); 1181 static void 1182 test_pipe_copy_label(struct label *src, struct label *dest) 1183 { 1184 1185 LABEL_CHECK(src, MAGIC_PIPE); 1186 LABEL_CHECK(dest, MAGIC_PIPE); 1187 COUNTER_INC(pipe_copy_label); 1188 } 1189 1190 COUNTER_DECL(pipe_create); 1191 static void 1192 test_pipe_create(struct ucred *cred, struct pipepair *pp, 1193 struct label *pplabel) 1194 { 1195 1196 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1197 LABEL_CHECK(pplabel, MAGIC_PIPE); 1198 COUNTER_INC(pipe_create); 1199 } 1200 1201 COUNTER_DECL(pipe_destroy_label); 1202 static void 1203 test_pipe_destroy_label(struct label *label) 1204 { 1205 1206 LABEL_DESTROY(label, MAGIC_PIPE); 1207 COUNTER_INC(pipe_destroy_label); 1208 } 1209 1210 COUNTER_DECL(pipe_externalize_label); 1211 static int 1212 test_pipe_externalize_label(struct label *label, char *element_name, 1213 struct sbuf *sb, int *claimed) 1214 { 1215 1216 LABEL_CHECK(label, MAGIC_PIPE); 1217 COUNTER_INC(pipe_externalize_label); 1218 1219 return (0); 1220 } 1221 1222 COUNTER_DECL(pipe_init_label); 1223 static void 1224 test_pipe_init_label(struct label *label) 1225 { 1226 1227 LABEL_INIT(label, MAGIC_PIPE); 1228 COUNTER_INC(pipe_init_label); 1229 } 1230 1231 COUNTER_DECL(pipe_internalize_label); 1232 static int 1233 test_pipe_internalize_label(struct label *label, char *element_name, 1234 char *element_data, int *claimed) 1235 { 1236 1237 LABEL_CHECK(label, MAGIC_PIPE); 1238 COUNTER_INC(pipe_internalize_label); 1239 1240 return (0); 1241 } 1242 1243 COUNTER_DECL(pipe_relabel); 1244 static void 1245 test_pipe_relabel(struct ucred *cred, struct pipepair *pp, 1246 struct label *pplabel, struct label *newlabel) 1247 { 1248 1249 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1250 LABEL_CHECK(pplabel, MAGIC_PIPE); 1251 LABEL_CHECK(newlabel, MAGIC_PIPE); 1252 COUNTER_INC(pipe_relabel); 1253 } 1254 1255 COUNTER_DECL(posixsem_check_getvalue); 1256 static int 1257 test_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred, 1258 struct ksem *ks, struct label *kslabel) 1259 { 1260 1261 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1262 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1263 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1264 COUNTER_INC(posixsem_check_getvalue); 1265 1266 return (0); 1267 } 1268 1269 COUNTER_DECL(posixsem_check_open); 1270 static int 1271 test_posixsem_check_open(struct ucred *cred, struct ksem *ks, 1272 struct label *kslabel) 1273 { 1274 1275 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1276 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1277 COUNTER_INC(posixsem_check_open); 1278 1279 return (0); 1280 } 1281 1282 COUNTER_DECL(posixsem_check_post); 1283 static int 1284 test_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred, 1285 struct ksem *ks, struct label *kslabel) 1286 { 1287 1288 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1289 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1290 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1291 COUNTER_INC(posixsem_check_post); 1292 1293 return (0); 1294 } 1295 1296 COUNTER_DECL(posixsem_check_stat); 1297 static int 1298 test_posixsem_check_stat(struct ucred *active_cred, 1299 struct ucred *file_cred, struct ksem *ks, struct label *kslabel) 1300 { 1301 1302 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1303 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1304 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1305 COUNTER_INC(posixsem_check_stat); 1306 return (0); 1307 } 1308 1309 COUNTER_DECL(posixsem_check_unlink); 1310 static int 1311 test_posixsem_check_unlink(struct ucred *cred, struct ksem *ks, 1312 struct label *kslabel) 1313 { 1314 1315 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1316 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1317 COUNTER_INC(posixsem_check_unlink); 1318 1319 return (0); 1320 } 1321 1322 COUNTER_DECL(posixsem_check_wait); 1323 static int 1324 test_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred, 1325 struct ksem *ks, struct label *kslabel) 1326 { 1327 1328 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1329 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1330 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1331 COUNTER_INC(posixsem_check_wait); 1332 1333 return (0); 1334 } 1335 1336 COUNTER_DECL(posixsem_create); 1337 static void 1338 test_posixsem_create(struct ucred *cred, struct ksem *ks, 1339 struct label *kslabel) 1340 { 1341 1342 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1343 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); 1344 COUNTER_INC(posixsem_create); 1345 } 1346 1347 COUNTER_DECL(posixsem_destroy_label); 1348 static void 1349 test_posixsem_destroy_label(struct label *label) 1350 { 1351 1352 LABEL_DESTROY(label, MAGIC_POSIX_SEM); 1353 COUNTER_INC(posixsem_destroy_label); 1354 } 1355 1356 COUNTER_DECL(posixsem_init_label); 1357 static void 1358 test_posixsem_init_label(struct label *label) 1359 { 1360 1361 LABEL_INIT(label, MAGIC_POSIX_SEM); 1362 COUNTER_INC(posixsem_init_label); 1363 } 1364 1365 COUNTER_DECL(posixshm_check_mmap); 1366 static int 1367 test_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, 1368 struct label *shmfdlabel, int prot, int flags) 1369 { 1370 1371 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1372 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1373 COUNTER_INC(posixshm_check_mmap); 1374 return (0); 1375 } 1376 1377 COUNTER_DECL(posixshm_check_open); 1378 static int 1379 test_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd, 1380 struct label *shmfdlabel) 1381 { 1382 1383 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1384 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1385 COUNTER_INC(posixshm_check_open); 1386 return (0); 1387 } 1388 1389 COUNTER_DECL(posixshm_check_stat); 1390 static int 1391 test_posixshm_check_stat(struct ucred *active_cred, 1392 struct ucred *file_cred, struct shmfd *shmfd, struct label *shmfdlabel) 1393 { 1394 1395 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1396 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1397 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1398 COUNTER_INC(posixshm_check_stat); 1399 return (0); 1400 } 1401 1402 COUNTER_DECL(posixshm_check_truncate); 1403 static int 1404 test_posixshm_check_truncate(struct ucred *active_cred, 1405 struct ucred *file_cred, struct shmfd *shmfd, struct label *shmfdlabel) 1406 { 1407 1408 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 1409 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 1410 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1411 COUNTER_INC(posixshm_check_truncate); 1412 return (0); 1413 } 1414 1415 COUNTER_DECL(posixshm_check_unlink); 1416 static int 1417 test_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd, 1418 struct label *shmfdlabel) 1419 { 1420 1421 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1422 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1423 COUNTER_INC(posixshm_check_unlink); 1424 return (0); 1425 } 1426 1427 COUNTER_DECL(posixshm_create); 1428 static void 1429 test_posixshm_create(struct ucred *cred, struct shmfd *shmfd, 1430 struct label *shmfdlabel) 1431 { 1432 1433 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1434 LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM); 1435 COUNTER_INC(posixshm_create); 1436 } 1437 1438 COUNTER_DECL(posixshm_destroy_label); 1439 static void 1440 test_posixshm_destroy_label(struct label *label) 1441 { 1442 1443 LABEL_DESTROY(label, MAGIC_POSIX_SHM); 1444 COUNTER_INC(posixshm_destroy_label); 1445 } 1446 1447 COUNTER_DECL(posixshm_init_label); 1448 static void 1449 test_posixshm_init_label(struct label *label) 1450 { 1451 1452 LABEL_INIT(label, MAGIC_POSIX_SHM); 1453 COUNTER_INC(posixshm_init_label); 1454 } 1455 1456 COUNTER_DECL(proc_check_debug); 1457 static int 1458 test_proc_check_debug(struct ucred *cred, struct proc *p) 1459 { 1460 1461 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1462 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1463 COUNTER_INC(proc_check_debug); 1464 1465 return (0); 1466 } 1467 1468 COUNTER_DECL(proc_check_sched); 1469 static int 1470 test_proc_check_sched(struct ucred *cred, struct proc *p) 1471 { 1472 1473 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1474 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1475 COUNTER_INC(proc_check_sched); 1476 1477 return (0); 1478 } 1479 1480 COUNTER_DECL(proc_check_signal); 1481 static int 1482 test_proc_check_signal(struct ucred *cred, struct proc *p, int signum) 1483 { 1484 1485 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1486 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1487 COUNTER_INC(proc_check_signal); 1488 1489 return (0); 1490 } 1491 1492 COUNTER_DECL(proc_check_wait); 1493 static int 1494 test_proc_check_wait(struct ucred *cred, struct proc *p) 1495 { 1496 1497 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1498 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1499 COUNTER_INC(proc_check_wait); 1500 1501 return (0); 1502 } 1503 1504 COUNTER_DECL(proc_destroy_label); 1505 static void 1506 test_proc_destroy_label(struct label *label) 1507 { 1508 1509 LABEL_DESTROY(label, MAGIC_PROC); 1510 COUNTER_INC(proc_destroy_label); 1511 } 1512 1513 COUNTER_DECL(proc_init_label); 1514 static void 1515 test_proc_init_label(struct label *label) 1516 { 1517 1518 LABEL_INIT(label, MAGIC_PROC); 1519 COUNTER_INC(proc_init_label); 1520 } 1521 1522 COUNTER_DECL(socket_check_accept); 1523 static int 1524 test_socket_check_accept(struct ucred *cred, struct socket *so, 1525 struct label *solabel) 1526 { 1527 1528 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1529 LABEL_CHECK(solabel, MAGIC_SOCKET); 1530 COUNTER_INC(socket_check_accept); 1531 1532 return (0); 1533 } 1534 1535 COUNTER_DECL(socket_check_bind); 1536 static int 1537 test_socket_check_bind(struct ucred *cred, struct socket *so, 1538 struct label *solabel, struct sockaddr *sa) 1539 { 1540 1541 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1542 LABEL_CHECK(solabel, MAGIC_SOCKET); 1543 COUNTER_INC(socket_check_bind); 1544 1545 return (0); 1546 } 1547 1548 COUNTER_DECL(socket_check_connect); 1549 static int 1550 test_socket_check_connect(struct ucred *cred, struct socket *so, 1551 struct label *solabel, struct sockaddr *sa) 1552 { 1553 1554 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1555 LABEL_CHECK(solabel, MAGIC_SOCKET); 1556 COUNTER_INC(socket_check_connect); 1557 1558 return (0); 1559 } 1560 1561 COUNTER_DECL(socket_check_deliver); 1562 static int 1563 test_socket_check_deliver(struct socket *so, struct label *solabel, 1564 struct mbuf *m, struct label *mlabel) 1565 { 1566 1567 LABEL_CHECK(solabel, MAGIC_SOCKET); 1568 LABEL_CHECK(mlabel, MAGIC_MBUF); 1569 COUNTER_INC(socket_check_deliver); 1570 1571 return (0); 1572 } 1573 1574 COUNTER_DECL(socket_check_listen); 1575 static int 1576 test_socket_check_listen(struct ucred *cred, struct socket *so, 1577 struct label *solabel) 1578 { 1579 1580 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1581 LABEL_CHECK(solabel, MAGIC_SOCKET); 1582 COUNTER_INC(socket_check_listen); 1583 1584 return (0); 1585 } 1586 1587 COUNTER_DECL(socket_check_poll); 1588 static int 1589 test_socket_check_poll(struct ucred *cred, struct socket *so, 1590 struct label *solabel) 1591 { 1592 1593 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1594 LABEL_CHECK(solabel, MAGIC_SOCKET); 1595 COUNTER_INC(socket_check_poll); 1596 1597 return (0); 1598 } 1599 1600 COUNTER_DECL(socket_check_receive); 1601 static int 1602 test_socket_check_receive(struct ucred *cred, struct socket *so, 1603 struct label *solabel) 1604 { 1605 1606 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1607 LABEL_CHECK(solabel, MAGIC_SOCKET); 1608 COUNTER_INC(socket_check_receive); 1609 1610 return (0); 1611 } 1612 1613 COUNTER_DECL(socket_check_relabel); 1614 static int 1615 test_socket_check_relabel(struct ucred *cred, struct socket *so, 1616 struct label *solabel, struct label *newlabel) 1617 { 1618 1619 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1620 LABEL_CHECK(solabel, MAGIC_SOCKET); 1621 LABEL_CHECK(newlabel, MAGIC_SOCKET); 1622 COUNTER_INC(socket_check_relabel); 1623 1624 return (0); 1625 } 1626 1627 COUNTER_DECL(socket_check_send); 1628 static int 1629 test_socket_check_send(struct ucred *cred, struct socket *so, 1630 struct label *solabel) 1631 { 1632 1633 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1634 LABEL_CHECK(solabel, MAGIC_SOCKET); 1635 COUNTER_INC(socket_check_send); 1636 1637 return (0); 1638 } 1639 1640 COUNTER_DECL(socket_check_stat); 1641 static int 1642 test_socket_check_stat(struct ucred *cred, struct socket *so, 1643 struct label *solabel) 1644 { 1645 1646 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1647 LABEL_CHECK(solabel, MAGIC_SOCKET); 1648 COUNTER_INC(socket_check_stat); 1649 1650 return (0); 1651 } 1652 1653 COUNTER_DECL(socket_check_visible); 1654 static int 1655 test_socket_check_visible(struct ucred *cred, struct socket *so, 1656 struct label *solabel) 1657 { 1658 1659 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1660 LABEL_CHECK(solabel, MAGIC_SOCKET); 1661 COUNTER_INC(socket_check_visible); 1662 1663 return (0); 1664 } 1665 1666 COUNTER_DECL(socket_copy_label); 1667 static void 1668 test_socket_copy_label(struct label *src, struct label *dest) 1669 { 1670 1671 LABEL_CHECK(src, MAGIC_SOCKET); 1672 LABEL_CHECK(dest, MAGIC_SOCKET); 1673 COUNTER_INC(socket_copy_label); 1674 } 1675 1676 COUNTER_DECL(socket_create); 1677 static void 1678 test_socket_create(struct ucred *cred, struct socket *so, 1679 struct label *solabel) 1680 { 1681 1682 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1683 LABEL_CHECK(solabel, MAGIC_SOCKET); 1684 COUNTER_INC(socket_create); 1685 } 1686 1687 COUNTER_DECL(socket_create_mbuf); 1688 static void 1689 test_socket_create_mbuf(struct socket *so, struct label *socketlabel, 1690 struct mbuf *m, struct label *mlabel) 1691 { 1692 1693 LABEL_CHECK(socketlabel, MAGIC_SOCKET); 1694 LABEL_CHECK(mlabel, MAGIC_MBUF); 1695 COUNTER_INC(socket_create_mbuf); 1696 } 1697 1698 COUNTER_DECL(socket_destroy_label); 1699 static void 1700 test_socket_destroy_label(struct label *label) 1701 { 1702 1703 LABEL_DESTROY(label, MAGIC_SOCKET); 1704 COUNTER_INC(socket_destroy_label); 1705 } 1706 1707 COUNTER_DECL(socket_externalize_label); 1708 static int 1709 test_socket_externalize_label(struct label *label, char *element_name, 1710 struct sbuf *sb, int *claimed) 1711 { 1712 1713 LABEL_CHECK(label, MAGIC_SOCKET); 1714 COUNTER_INC(socket_externalize_label); 1715 1716 return (0); 1717 } 1718 1719 COUNTER_DECL(socket_init_label); 1720 static int 1721 test_socket_init_label(struct label *label, int flag) 1722 { 1723 1724 if (flag & M_WAITOK) 1725 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 1726 "test_socket_init_label() at %s:%d", __FILE__, 1727 __LINE__); 1728 1729 LABEL_INIT(label, MAGIC_SOCKET); 1730 COUNTER_INC(socket_init_label); 1731 return (0); 1732 } 1733 1734 COUNTER_DECL(socket_internalize_label); 1735 static int 1736 test_socket_internalize_label(struct label *label, char *element_name, 1737 char *element_data, int *claimed) 1738 { 1739 1740 LABEL_CHECK(label, MAGIC_SOCKET); 1741 COUNTER_INC(socket_internalize_label); 1742 1743 return (0); 1744 } 1745 1746 COUNTER_DECL(socket_newconn); 1747 static void 1748 test_socket_newconn(struct socket *oldso, struct label *oldsolabel, 1749 struct socket *newso, struct label *newsolabel) 1750 { 1751 1752 LABEL_CHECK(oldsolabel, MAGIC_SOCKET); 1753 LABEL_CHECK(newsolabel, MAGIC_SOCKET); 1754 COUNTER_INC(socket_newconn); 1755 } 1756 1757 COUNTER_DECL(socket_relabel); 1758 static void 1759 test_socket_relabel(struct ucred *cred, struct socket *so, 1760 struct label *solabel, struct label *newlabel) 1761 { 1762 1763 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1764 LABEL_CHECK(solabel, MAGIC_SOCKET); 1765 LABEL_CHECK(newlabel, MAGIC_SOCKET); 1766 COUNTER_INC(socket_relabel); 1767 } 1768 1769 COUNTER_DECL(socketpeer_destroy_label); 1770 static void 1771 test_socketpeer_destroy_label(struct label *label) 1772 { 1773 1774 LABEL_DESTROY(label, MAGIC_SOCKET); 1775 COUNTER_INC(socketpeer_destroy_label); 1776 } 1777 1778 COUNTER_DECL(socketpeer_externalize_label); 1779 static int 1780 test_socketpeer_externalize_label(struct label *label, char *element_name, 1781 struct sbuf *sb, int *claimed) 1782 { 1783 1784 LABEL_CHECK(label, MAGIC_SOCKET); 1785 COUNTER_INC(socketpeer_externalize_label); 1786 1787 return (0); 1788 } 1789 1790 COUNTER_DECL(socketpeer_init_label); 1791 static int 1792 test_socketpeer_init_label(struct label *label, int flag) 1793 { 1794 1795 if (flag & M_WAITOK) 1796 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 1797 "test_socketpeer_init_label() at %s:%d", __FILE__, 1798 __LINE__); 1799 1800 LABEL_INIT(label, MAGIC_SOCKET); 1801 COUNTER_INC(socketpeer_init_label); 1802 return (0); 1803 } 1804 1805 COUNTER_DECL(socketpeer_set_from_mbuf); 1806 static void 1807 test_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, 1808 struct socket *socket, struct label *socketpeerlabel) 1809 { 1810 1811 LABEL_CHECK(mlabel, MAGIC_MBUF); 1812 LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET); 1813 COUNTER_INC(socketpeer_set_from_mbuf); 1814 } 1815 1816 COUNTER_DECL(socketpeer_set_from_socket); 1817 static void 1818 test_socketpeer_set_from_socket(struct socket *oldso, 1819 struct label *oldsolabel, struct socket *newso, 1820 struct label *newsopeerlabel) 1821 { 1822 1823 LABEL_CHECK(oldsolabel, MAGIC_SOCKET); 1824 LABEL_CHECK(newsopeerlabel, MAGIC_SOCKET); 1825 COUNTER_INC(socketpeer_set_from_socket); 1826 } 1827 1828 COUNTER_DECL(syncache_create); 1829 static void 1830 test_syncache_create(struct label *label, struct inpcb *inp) 1831 { 1832 1833 LABEL_CHECK(label, MAGIC_SYNCACHE); 1834 COUNTER_INC(syncache_create); 1835 } 1836 1837 COUNTER_DECL(syncache_create_mbuf); 1838 static void 1839 test_syncache_create_mbuf(struct label *sc_label, struct mbuf *m, 1840 struct label *mlabel) 1841 { 1842 1843 LABEL_CHECK(sc_label, MAGIC_SYNCACHE); 1844 LABEL_CHECK(mlabel, MAGIC_MBUF); 1845 COUNTER_INC(syncache_create_mbuf); 1846 } 1847 1848 COUNTER_DECL(syncache_destroy_label); 1849 static void 1850 test_syncache_destroy_label(struct label *label) 1851 { 1852 1853 LABEL_DESTROY(label, MAGIC_SYNCACHE); 1854 COUNTER_INC(syncache_destroy_label); 1855 } 1856 1857 COUNTER_DECL(syncache_init_label); 1858 static int 1859 test_syncache_init_label(struct label *label, int flag) 1860 { 1861 1862 if (flag & M_WAITOK) 1863 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 1864 "test_syncache_init_label() at %s:%d", __FILE__, 1865 __LINE__); 1866 LABEL_INIT(label, MAGIC_SYNCACHE); 1867 COUNTER_INC(syncache_init_label); 1868 return (0); 1869 } 1870 1871 COUNTER_DECL(system_check_acct); 1872 static int 1873 test_system_check_acct(struct ucred *cred, struct vnode *vp, 1874 struct label *vplabel) 1875 { 1876 1877 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1878 LABEL_CHECK(vplabel, MAGIC_VNODE); 1879 COUNTER_INC(system_check_acct); 1880 1881 return (0); 1882 } 1883 1884 COUNTER_DECL(system_check_audit); 1885 static int 1886 test_system_check_audit(struct ucred *cred, void *record, int length) 1887 { 1888 1889 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1890 COUNTER_INC(system_check_audit); 1891 1892 return (0); 1893 } 1894 1895 COUNTER_DECL(system_check_auditctl); 1896 static int 1897 test_system_check_auditctl(struct ucred *cred, struct vnode *vp, 1898 struct label *vplabel) 1899 { 1900 1901 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1902 LABEL_CHECK(vplabel, MAGIC_VNODE); 1903 COUNTER_INC(system_check_auditctl); 1904 1905 return (0); 1906 } 1907 1908 COUNTER_DECL(system_check_auditon); 1909 static int 1910 test_system_check_auditon(struct ucred *cred, int cmd) 1911 { 1912 1913 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1914 COUNTER_INC(system_check_auditon); 1915 1916 return (0); 1917 } 1918 1919 COUNTER_DECL(system_check_reboot); 1920 static int 1921 test_system_check_reboot(struct ucred *cred, int how) 1922 { 1923 1924 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1925 COUNTER_INC(system_check_reboot); 1926 1927 return (0); 1928 } 1929 1930 COUNTER_DECL(system_check_swapoff); 1931 static int 1932 test_system_check_swapoff(struct ucred *cred, struct vnode *vp, 1933 struct label *vplabel) 1934 { 1935 1936 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1937 LABEL_CHECK(vplabel, MAGIC_VNODE); 1938 COUNTER_INC(system_check_swapoff); 1939 1940 return (0); 1941 } 1942 1943 COUNTER_DECL(system_check_swapon); 1944 static int 1945 test_system_check_swapon(struct ucred *cred, struct vnode *vp, 1946 struct label *vplabel) 1947 { 1948 1949 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1950 LABEL_CHECK(vplabel, MAGIC_VNODE); 1951 COUNTER_INC(system_check_swapon); 1952 1953 return (0); 1954 } 1955 1956 COUNTER_DECL(system_check_sysctl); 1957 static int 1958 test_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, 1959 void *arg1, int arg2, struct sysctl_req *req) 1960 { 1961 1962 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1963 COUNTER_INC(system_check_sysctl); 1964 1965 return (0); 1966 } 1967 1968 COUNTER_DECL(sysvmsg_cleanup); 1969 static void 1970 test_sysvmsg_cleanup(struct label *msglabel) 1971 { 1972 1973 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1974 COUNTER_INC(sysvmsg_cleanup); 1975 } 1976 1977 COUNTER_DECL(sysvmsg_create); 1978 static void 1979 test_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, 1980 struct label *msqlabel, struct msg *msgptr, struct label *msglabel) 1981 { 1982 1983 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1984 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 1985 COUNTER_INC(sysvmsg_create); 1986 } 1987 1988 COUNTER_DECL(sysvmsg_destroy_label); 1989 static void 1990 test_sysvmsg_destroy_label(struct label *label) 1991 { 1992 1993 LABEL_DESTROY(label, MAGIC_SYSV_MSG); 1994 COUNTER_INC(sysvmsg_destroy_label); 1995 } 1996 1997 COUNTER_DECL(sysvmsg_init_label); 1998 static void 1999 test_sysvmsg_init_label(struct label *label) 2000 { 2001 LABEL_INIT(label, MAGIC_SYSV_MSG); 2002 COUNTER_INC(sysvmsg_init_label); 2003 } 2004 2005 COUNTER_DECL(sysvmsq_check_msgmsq); 2006 static int 2007 test_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr, 2008 struct label *msglabel, struct msqid_kernel *msqkptr, 2009 struct label *msqklabel) 2010 { 2011 2012 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 2013 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 2014 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2015 COUNTER_INC(sysvmsq_check_msgmsq); 2016 2017 return (0); 2018 } 2019 2020 COUNTER_DECL(sysvmsq_check_msgrcv); 2021 static int 2022 test_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, 2023 struct label *msglabel) 2024 { 2025 2026 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 2027 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2028 COUNTER_INC(sysvmsq_check_msgrcv); 2029 2030 return (0); 2031 } 2032 2033 COUNTER_DECL(sysvmsq_check_msgrmid); 2034 static int 2035 test_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr, 2036 struct label *msglabel) 2037 { 2038 2039 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 2040 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2041 COUNTER_INC(sysvmsq_check_msgrmid); 2042 2043 return (0); 2044 } 2045 2046 COUNTER_DECL(sysvmsq_check_msqget); 2047 static int 2048 test_sysvmsq_check_msqget(struct ucred *cred, 2049 struct msqid_kernel *msqkptr, struct label *msqklabel) 2050 { 2051 2052 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 2053 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2054 COUNTER_INC(sysvmsq_check_msqget); 2055 2056 return (0); 2057 } 2058 2059 COUNTER_DECL(sysvmsq_check_msqsnd); 2060 static int 2061 test_sysvmsq_check_msqsnd(struct ucred *cred, 2062 struct msqid_kernel *msqkptr, struct label *msqklabel) 2063 { 2064 2065 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 2066 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2067 COUNTER_INC(sysvmsq_check_msqsnd); 2068 2069 return (0); 2070 } 2071 2072 COUNTER_DECL(sysvmsq_check_msqrcv); 2073 static int 2074 test_sysvmsq_check_msqrcv(struct ucred *cred, 2075 struct msqid_kernel *msqkptr, struct label *msqklabel) 2076 { 2077 2078 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 2079 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2080 COUNTER_INC(sysvmsq_check_msqrcv); 2081 2082 return (0); 2083 } 2084 2085 COUNTER_DECL(sysvmsq_check_msqctl); 2086 static int 2087 test_sysvmsq_check_msqctl(struct ucred *cred, 2088 struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd) 2089 { 2090 2091 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 2092 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2093 COUNTER_INC(sysvmsq_check_msqctl); 2094 2095 return (0); 2096 } 2097 2098 COUNTER_DECL(sysvmsq_cleanup); 2099 static void 2100 test_sysvmsq_cleanup(struct label *msqlabel) 2101 { 2102 2103 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 2104 COUNTER_INC(sysvmsq_cleanup); 2105 } 2106 2107 COUNTER_DECL(sysvmsq_create); 2108 static void 2109 test_sysvmsq_create(struct ucred *cred, 2110 struct msqid_kernel *msqkptr, struct label *msqlabel) 2111 { 2112 2113 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 2114 COUNTER_INC(sysvmsq_create); 2115 } 2116 2117 COUNTER_DECL(sysvmsq_destroy_label); 2118 static void 2119 test_sysvmsq_destroy_label(struct label *label) 2120 { 2121 2122 LABEL_DESTROY(label, MAGIC_SYSV_MSQ); 2123 COUNTER_INC(sysvmsq_destroy_label); 2124 } 2125 2126 COUNTER_DECL(sysvmsq_init_label); 2127 static void 2128 test_sysvmsq_init_label(struct label *label) 2129 { 2130 LABEL_INIT(label, MAGIC_SYSV_MSQ); 2131 COUNTER_INC(sysvmsq_init_label); 2132 } 2133 2134 COUNTER_DECL(sysvsem_check_semctl); 2135 static int 2136 test_sysvsem_check_semctl(struct ucred *cred, 2137 struct semid_kernel *semakptr, struct label *semaklabel, int cmd) 2138 { 2139 2140 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2141 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 2142 COUNTER_INC(sysvsem_check_semctl); 2143 2144 return (0); 2145 } 2146 2147 COUNTER_DECL(sysvsem_check_semget); 2148 static int 2149 test_sysvsem_check_semget(struct ucred *cred, 2150 struct semid_kernel *semakptr, struct label *semaklabel) 2151 { 2152 2153 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2154 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 2155 COUNTER_INC(sysvsem_check_semget); 2156 2157 return (0); 2158 } 2159 2160 COUNTER_DECL(sysvsem_check_semop); 2161 static int 2162 test_sysvsem_check_semop(struct ucred *cred, 2163 struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype) 2164 { 2165 2166 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2167 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 2168 COUNTER_INC(sysvsem_check_semop); 2169 2170 return (0); 2171 } 2172 2173 COUNTER_DECL(sysvsem_cleanup); 2174 static void 2175 test_sysvsem_cleanup(struct label *semalabel) 2176 { 2177 2178 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); 2179 COUNTER_INC(sysvsem_cleanup); 2180 } 2181 2182 COUNTER_DECL(sysvsem_create); 2183 static void 2184 test_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr, 2185 struct label *semalabel) 2186 { 2187 2188 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); 2189 COUNTER_INC(sysvsem_create); 2190 } 2191 2192 COUNTER_DECL(sysvsem_destroy_label); 2193 static void 2194 test_sysvsem_destroy_label(struct label *label) 2195 { 2196 2197 LABEL_DESTROY(label, MAGIC_SYSV_SEM); 2198 COUNTER_INC(sysvsem_destroy_label); 2199 } 2200 2201 COUNTER_DECL(sysvsem_init_label); 2202 static void 2203 test_sysvsem_init_label(struct label *label) 2204 { 2205 LABEL_INIT(label, MAGIC_SYSV_SEM); 2206 COUNTER_INC(sysvsem_init_label); 2207 } 2208 2209 COUNTER_DECL(sysvshm_check_shmat); 2210 static int 2211 test_sysvshm_check_shmat(struct ucred *cred, 2212 struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg) 2213 { 2214 2215 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2216 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 2217 COUNTER_INC(sysvshm_check_shmat); 2218 2219 return (0); 2220 } 2221 2222 COUNTER_DECL(sysvshm_check_shmctl); 2223 static int 2224 test_sysvshm_check_shmctl(struct ucred *cred, 2225 struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd) 2226 { 2227 2228 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2229 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 2230 COUNTER_INC(sysvshm_check_shmctl); 2231 2232 return (0); 2233 } 2234 2235 COUNTER_DECL(sysvshm_check_shmdt); 2236 static int 2237 test_sysvshm_check_shmdt(struct ucred *cred, 2238 struct shmid_kernel *shmsegptr, struct label *shmseglabel) 2239 { 2240 2241 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2242 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 2243 COUNTER_INC(sysvshm_check_shmdt); 2244 2245 return (0); 2246 } 2247 2248 COUNTER_DECL(sysvshm_check_shmget); 2249 static int 2250 test_sysvshm_check_shmget(struct ucred *cred, 2251 struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg) 2252 { 2253 2254 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2255 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 2256 COUNTER_INC(sysvshm_check_shmget); 2257 2258 return (0); 2259 } 2260 2261 COUNTER_DECL(sysvshm_cleanup); 2262 static void 2263 test_sysvshm_cleanup(struct label *shmlabel) 2264 { 2265 2266 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); 2267 COUNTER_INC(sysvshm_cleanup); 2268 } 2269 2270 COUNTER_DECL(sysvshm_create); 2271 static void 2272 test_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr, 2273 struct label *shmlabel) 2274 { 2275 2276 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); 2277 COUNTER_INC(sysvshm_create); 2278 } 2279 2280 COUNTER_DECL(sysvshm_destroy_label); 2281 static void 2282 test_sysvshm_destroy_label(struct label *label) 2283 { 2284 2285 LABEL_DESTROY(label, MAGIC_SYSV_SHM); 2286 COUNTER_INC(sysvshm_destroy_label); 2287 } 2288 2289 COUNTER_DECL(sysvshm_init_label); 2290 static void 2291 test_sysvshm_init_label(struct label *label) 2292 { 2293 LABEL_INIT(label, MAGIC_SYSV_SHM); 2294 COUNTER_INC(sysvshm_init_label); 2295 } 2296 2297 COUNTER_DECL(thread_userret); 2298 static void 2299 test_thread_userret(struct thread *td) 2300 { 2301 2302 COUNTER_INC(thread_userret); 2303 } 2304 2305 COUNTER_DECL(vnode_associate_extattr); 2306 static int 2307 test_vnode_associate_extattr(struct mount *mp, struct label *mplabel, 2308 struct vnode *vp, struct label *vplabel) 2309 { 2310 2311 LABEL_CHECK(mplabel, MAGIC_MOUNT); 2312 LABEL_CHECK(vplabel, MAGIC_VNODE); 2313 COUNTER_INC(vnode_associate_extattr); 2314 2315 return (0); 2316 } 2317 2318 COUNTER_DECL(vnode_associate_singlelabel); 2319 static void 2320 test_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel, 2321 struct vnode *vp, struct label *vplabel) 2322 { 2323 2324 LABEL_CHECK(mplabel, MAGIC_MOUNT); 2325 LABEL_CHECK(vplabel, MAGIC_VNODE); 2326 COUNTER_INC(vnode_associate_singlelabel); 2327 } 2328 2329 COUNTER_DECL(vnode_check_access); 2330 static int 2331 test_vnode_check_access(struct ucred *cred, struct vnode *vp, 2332 struct label *vplabel, accmode_t accmode) 2333 { 2334 2335 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2336 LABEL_CHECK(vplabel, MAGIC_VNODE); 2337 COUNTER_INC(vnode_check_access); 2338 2339 return (0); 2340 } 2341 2342 COUNTER_DECL(vnode_check_chdir); 2343 static int 2344 test_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, 2345 struct label *dvplabel) 2346 { 2347 2348 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2349 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2350 COUNTER_INC(vnode_check_chdir); 2351 2352 return (0); 2353 } 2354 2355 COUNTER_DECL(vnode_check_chroot); 2356 static int 2357 test_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, 2358 struct label *dvplabel) 2359 { 2360 2361 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2362 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2363 COUNTER_INC(vnode_check_chroot); 2364 2365 return (0); 2366 } 2367 2368 COUNTER_DECL(vnode_check_create); 2369 static int 2370 test_vnode_check_create(struct ucred *cred, struct vnode *dvp, 2371 struct label *dvplabel, struct componentname *cnp, struct vattr *vap) 2372 { 2373 2374 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2375 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2376 COUNTER_INC(vnode_check_create); 2377 2378 return (0); 2379 } 2380 2381 COUNTER_DECL(vnode_check_deleteacl); 2382 static int 2383 test_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, 2384 struct label *vplabel, acl_type_t type) 2385 { 2386 2387 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2388 LABEL_CHECK(vplabel, MAGIC_VNODE); 2389 COUNTER_INC(vnode_check_deleteacl); 2390 2391 return (0); 2392 } 2393 2394 COUNTER_DECL(vnode_check_deleteextattr); 2395 static int 2396 test_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, 2397 struct label *vplabel, int attrnamespace, const char *name) 2398 { 2399 2400 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2401 LABEL_CHECK(vplabel, MAGIC_VNODE); 2402 COUNTER_INC(vnode_check_deleteextattr); 2403 2404 return (0); 2405 } 2406 2407 COUNTER_DECL(vnode_check_exec); 2408 static int 2409 test_vnode_check_exec(struct ucred *cred, struct vnode *vp, 2410 struct label *vplabel, struct image_params *imgp, 2411 struct label *execlabel) 2412 { 2413 2414 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2415 LABEL_CHECK(vplabel, MAGIC_VNODE); 2416 LABEL_CHECK(execlabel, MAGIC_CRED); 2417 COUNTER_INC(vnode_check_exec); 2418 2419 return (0); 2420 } 2421 2422 COUNTER_DECL(vnode_check_getacl); 2423 static int 2424 test_vnode_check_getacl(struct ucred *cred, struct vnode *vp, 2425 struct label *vplabel, acl_type_t type) 2426 { 2427 2428 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2429 LABEL_CHECK(vplabel, MAGIC_VNODE); 2430 COUNTER_INC(vnode_check_getacl); 2431 2432 return (0); 2433 } 2434 2435 COUNTER_DECL(vnode_check_getextattr); 2436 static int 2437 test_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, 2438 struct label *vplabel, int attrnamespace, const char *name) 2439 { 2440 2441 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2442 LABEL_CHECK(vplabel, MAGIC_VNODE); 2443 COUNTER_INC(vnode_check_getextattr); 2444 2445 return (0); 2446 } 2447 2448 COUNTER_DECL(vnode_check_link); 2449 static int 2450 test_vnode_check_link(struct ucred *cred, struct vnode *dvp, 2451 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2452 struct componentname *cnp) 2453 { 2454 2455 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2456 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2457 LABEL_CHECK(vplabel, MAGIC_VNODE); 2458 COUNTER_INC(vnode_check_link); 2459 2460 return (0); 2461 } 2462 2463 COUNTER_DECL(vnode_check_listextattr); 2464 static int 2465 test_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, 2466 struct label *vplabel, int attrnamespace) 2467 { 2468 2469 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2470 LABEL_CHECK(vplabel, MAGIC_VNODE); 2471 COUNTER_INC(vnode_check_listextattr); 2472 2473 return (0); 2474 } 2475 2476 COUNTER_DECL(vnode_check_lookup); 2477 static int 2478 test_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, 2479 struct label *dvplabel, struct componentname *cnp) 2480 { 2481 2482 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2483 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2484 COUNTER_INC(vnode_check_lookup); 2485 2486 return (0); 2487 } 2488 2489 COUNTER_DECL(vnode_check_mmap); 2490 static int 2491 test_vnode_check_mmap(struct ucred *cred, struct vnode *vp, 2492 struct label *vplabel, int prot, int flags) 2493 { 2494 2495 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2496 LABEL_CHECK(vplabel, MAGIC_VNODE); 2497 COUNTER_INC(vnode_check_mmap); 2498 2499 return (0); 2500 } 2501 2502 COUNTER_DECL(vnode_check_open); 2503 static int 2504 test_vnode_check_open(struct ucred *cred, struct vnode *vp, 2505 struct label *vplabel, accmode_t accmode) 2506 { 2507 2508 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2509 LABEL_CHECK(vplabel, MAGIC_VNODE); 2510 COUNTER_INC(vnode_check_open); 2511 2512 return (0); 2513 } 2514 2515 COUNTER_DECL(vnode_check_poll); 2516 static int 2517 test_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, 2518 struct vnode *vp, struct label *vplabel) 2519 { 2520 2521 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2522 if (file_cred != NULL) 2523 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2524 LABEL_CHECK(vplabel, MAGIC_VNODE); 2525 COUNTER_INC(vnode_check_poll); 2526 2527 return (0); 2528 } 2529 2530 COUNTER_DECL(vnode_check_read); 2531 static int 2532 test_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, 2533 struct vnode *vp, struct label *vplabel) 2534 { 2535 2536 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2537 if (file_cred != NULL) 2538 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2539 LABEL_CHECK(vplabel, MAGIC_VNODE); 2540 COUNTER_INC(vnode_check_read); 2541 2542 return (0); 2543 } 2544 2545 COUNTER_DECL(vnode_check_readdir); 2546 static int 2547 test_vnode_check_readdir(struct ucred *cred, struct vnode *dvp, 2548 struct label *dvplabel) 2549 { 2550 2551 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2552 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2553 COUNTER_INC(vnode_check_readdir); 2554 2555 return (0); 2556 } 2557 2558 COUNTER_DECL(vnode_check_readlink); 2559 static int 2560 test_vnode_check_readlink(struct ucred *cred, struct vnode *vp, 2561 struct label *vplabel) 2562 { 2563 2564 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2565 LABEL_CHECK(vplabel, MAGIC_VNODE); 2566 COUNTER_INC(vnode_check_readlink); 2567 2568 return (0); 2569 } 2570 2571 COUNTER_DECL(vnode_check_relabel); 2572 static int 2573 test_vnode_check_relabel(struct ucred *cred, struct vnode *vp, 2574 struct label *vplabel, struct label *newlabel) 2575 { 2576 2577 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2578 LABEL_CHECK(vplabel, MAGIC_VNODE); 2579 LABEL_CHECK(newlabel, MAGIC_VNODE); 2580 COUNTER_INC(vnode_check_relabel); 2581 2582 return (0); 2583 } 2584 2585 COUNTER_DECL(vnode_check_rename_from); 2586 static int 2587 test_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, 2588 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2589 struct componentname *cnp) 2590 { 2591 2592 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2593 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2594 LABEL_CHECK(vplabel, MAGIC_VNODE); 2595 COUNTER_INC(vnode_check_rename_from); 2596 2597 return (0); 2598 } 2599 2600 COUNTER_DECL(vnode_check_rename_to); 2601 static int 2602 test_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, 2603 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2604 int samedir, struct componentname *cnp) 2605 { 2606 2607 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2608 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2609 LABEL_CHECK(vplabel, MAGIC_VNODE); 2610 COUNTER_INC(vnode_check_rename_to); 2611 2612 return (0); 2613 } 2614 2615 COUNTER_DECL(vnode_check_revoke); 2616 static int 2617 test_vnode_check_revoke(struct ucred *cred, struct vnode *vp, 2618 struct label *vplabel) 2619 { 2620 2621 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2622 LABEL_CHECK(vplabel, MAGIC_VNODE); 2623 COUNTER_INC(vnode_check_revoke); 2624 2625 return (0); 2626 } 2627 2628 COUNTER_DECL(vnode_check_setacl); 2629 static int 2630 test_vnode_check_setacl(struct ucred *cred, struct vnode *vp, 2631 struct label *vplabel, acl_type_t type, struct acl *acl) 2632 { 2633 2634 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2635 LABEL_CHECK(vplabel, MAGIC_VNODE); 2636 COUNTER_INC(vnode_check_setacl); 2637 2638 return (0); 2639 } 2640 2641 COUNTER_DECL(vnode_check_setextattr); 2642 static int 2643 test_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, 2644 struct label *vplabel, int attrnamespace, const char *name) 2645 { 2646 2647 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2648 LABEL_CHECK(vplabel, MAGIC_VNODE); 2649 COUNTER_INC(vnode_check_setextattr); 2650 2651 return (0); 2652 } 2653 2654 COUNTER_DECL(vnode_check_setflags); 2655 static int 2656 test_vnode_check_setflags(struct ucred *cred, struct vnode *vp, 2657 struct label *vplabel, u_long flags) 2658 { 2659 2660 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2661 LABEL_CHECK(vplabel, MAGIC_VNODE); 2662 COUNTER_INC(vnode_check_setflags); 2663 2664 return (0); 2665 } 2666 2667 COUNTER_DECL(vnode_check_setmode); 2668 static int 2669 test_vnode_check_setmode(struct ucred *cred, struct vnode *vp, 2670 struct label *vplabel, mode_t mode) 2671 { 2672 2673 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2674 LABEL_CHECK(vplabel, MAGIC_VNODE); 2675 COUNTER_INC(vnode_check_setmode); 2676 2677 return (0); 2678 } 2679 2680 COUNTER_DECL(vnode_check_setowner); 2681 static int 2682 test_vnode_check_setowner(struct ucred *cred, struct vnode *vp, 2683 struct label *vplabel, uid_t uid, gid_t gid) 2684 { 2685 2686 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2687 LABEL_CHECK(vplabel, MAGIC_VNODE); 2688 COUNTER_INC(vnode_check_setowner); 2689 2690 return (0); 2691 } 2692 2693 COUNTER_DECL(vnode_check_setutimes); 2694 static int 2695 test_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, 2696 struct label *vplabel, struct timespec atime, struct timespec mtime) 2697 { 2698 2699 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2700 LABEL_CHECK(vplabel, MAGIC_VNODE); 2701 COUNTER_INC(vnode_check_setutimes); 2702 2703 return (0); 2704 } 2705 2706 COUNTER_DECL(vnode_check_stat); 2707 static int 2708 test_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, 2709 struct vnode *vp, struct label *vplabel) 2710 { 2711 2712 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2713 if (file_cred != NULL) 2714 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2715 LABEL_CHECK(vplabel, MAGIC_VNODE); 2716 COUNTER_INC(vnode_check_stat); 2717 2718 return (0); 2719 } 2720 2721 COUNTER_DECL(vnode_check_unlink); 2722 static int 2723 test_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, 2724 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2725 struct componentname *cnp) 2726 { 2727 2728 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2729 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2730 LABEL_CHECK(vplabel, MAGIC_VNODE); 2731 COUNTER_INC(vnode_check_unlink); 2732 2733 return (0); 2734 } 2735 2736 COUNTER_DECL(vnode_check_write); 2737 static int 2738 test_vnode_check_write(struct ucred *active_cred, 2739 struct ucred *file_cred, struct vnode *vp, struct label *vplabel) 2740 { 2741 2742 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2743 if (file_cred != NULL) 2744 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2745 LABEL_CHECK(vplabel, MAGIC_VNODE); 2746 COUNTER_INC(vnode_check_write); 2747 2748 return (0); 2749 } 2750 2751 COUNTER_DECL(vnode_copy_label); 2752 static void 2753 test_vnode_copy_label(struct label *src, struct label *dest) 2754 { 2755 2756 LABEL_CHECK(src, MAGIC_VNODE); 2757 LABEL_CHECK(dest, MAGIC_VNODE); 2758 COUNTER_INC(vnode_copy_label); 2759 } 2760 2761 COUNTER_DECL(vnode_create_extattr); 2762 static int 2763 test_vnode_create_extattr(struct ucred *cred, struct mount *mp, 2764 struct label *mplabel, struct vnode *dvp, struct label *dvplabel, 2765 struct vnode *vp, struct label *vplabel, struct componentname *cnp) 2766 { 2767 2768 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2769 LABEL_CHECK(mplabel, MAGIC_MOUNT); 2770 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2771 COUNTER_INC(vnode_create_extattr); 2772 2773 return (0); 2774 } 2775 2776 COUNTER_DECL(vnode_destroy_label); 2777 static void 2778 test_vnode_destroy_label(struct label *label) 2779 { 2780 2781 LABEL_DESTROY(label, MAGIC_VNODE); 2782 COUNTER_INC(vnode_destroy_label); 2783 } 2784 2785 COUNTER_DECL(vnode_execve_transition); 2786 static void 2787 test_vnode_execve_transition(struct ucred *old, struct ucred *new, 2788 struct vnode *vp, struct label *filelabel, 2789 struct label *interpvplabel, struct image_params *imgp, 2790 struct label *execlabel) 2791 { 2792 2793 LABEL_CHECK(old->cr_label, MAGIC_CRED); 2794 LABEL_CHECK(new->cr_label, MAGIC_CRED); 2795 LABEL_CHECK(filelabel, MAGIC_VNODE); 2796 LABEL_CHECK(interpvplabel, MAGIC_VNODE); 2797 LABEL_CHECK(execlabel, MAGIC_CRED); 2798 COUNTER_INC(vnode_execve_transition); 2799 } 2800 2801 COUNTER_DECL(vnode_execve_will_transition); 2802 static int 2803 test_vnode_execve_will_transition(struct ucred *old, struct vnode *vp, 2804 struct label *filelabel, struct label *interpvplabel, 2805 struct image_params *imgp, struct label *execlabel) 2806 { 2807 2808 LABEL_CHECK(old->cr_label, MAGIC_CRED); 2809 LABEL_CHECK(filelabel, MAGIC_VNODE); 2810 LABEL_CHECK(interpvplabel, MAGIC_VNODE); 2811 LABEL_CHECK(execlabel, MAGIC_CRED); 2812 COUNTER_INC(vnode_execve_will_transition); 2813 2814 return (0); 2815 } 2816 2817 COUNTER_DECL(vnode_externalize_label); 2818 static int 2819 test_vnode_externalize_label(struct label *label, char *element_name, 2820 struct sbuf *sb, int *claimed) 2821 { 2822 2823 LABEL_CHECK(label, MAGIC_VNODE); 2824 COUNTER_INC(vnode_externalize_label); 2825 2826 return (0); 2827 } 2828 2829 COUNTER_DECL(vnode_init_label); 2830 static void 2831 test_vnode_init_label(struct label *label) 2832 { 2833 2834 LABEL_INIT(label, MAGIC_VNODE); 2835 COUNTER_INC(vnode_init_label); 2836 } 2837 2838 COUNTER_DECL(vnode_internalize_label); 2839 static int 2840 test_vnode_internalize_label(struct label *label, char *element_name, 2841 char *element_data, int *claimed) 2842 { 2843 2844 LABEL_CHECK(label, MAGIC_VNODE); 2845 COUNTER_INC(vnode_internalize_label); 2846 2847 return (0); 2848 } 2849 2850 COUNTER_DECL(vnode_relabel); 2851 static void 2852 test_vnode_relabel(struct ucred *cred, struct vnode *vp, 2853 struct label *vplabel, struct label *label) 2854 { 2855 2856 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2857 LABEL_CHECK(vplabel, MAGIC_VNODE); 2858 LABEL_CHECK(label, MAGIC_VNODE); 2859 COUNTER_INC(vnode_relabel); 2860 } 2861 2862 COUNTER_DECL(vnode_setlabel_extattr); 2863 static int 2864 test_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, 2865 struct label *vplabel, struct label *intlabel) 2866 { 2867 2868 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2869 LABEL_CHECK(vplabel, MAGIC_VNODE); 2870 LABEL_CHECK(intlabel, MAGIC_VNODE); 2871 COUNTER_INC(vnode_setlabel_extattr); 2872 2873 return (0); 2874 } 2875 2876 static struct mac_policy_ops test_ops = 2877 { 2878 .mpo_bpfdesc_check_receive = test_bpfdesc_check_receive, 2879 .mpo_bpfdesc_create = test_bpfdesc_create, 2880 .mpo_bpfdesc_create_mbuf = test_bpfdesc_create_mbuf, 2881 .mpo_bpfdesc_destroy_label = test_bpfdesc_destroy_label, 2882 .mpo_bpfdesc_init_label = test_bpfdesc_init_label, 2883 2884 .mpo_cred_check_relabel = test_cred_check_relabel, 2885 .mpo_cred_check_setaudit = test_cred_check_setaudit, 2886 .mpo_cred_check_setaudit_addr = test_cred_check_setaudit_addr, 2887 .mpo_cred_check_setauid = test_cred_check_setauid, 2888 .mpo_cred_check_seteuid = test_cred_check_seteuid, 2889 .mpo_cred_check_setegid = test_cred_check_setegid, 2890 .mpo_cred_check_setgid = test_cred_check_setgid, 2891 .mpo_cred_check_setgroups = test_cred_check_setgroups, 2892 .mpo_cred_check_setregid = test_cred_check_setregid, 2893 .mpo_cred_check_setresgid = test_cred_check_setresgid, 2894 .mpo_cred_check_setresuid = test_cred_check_setresuid, 2895 .mpo_cred_check_setreuid = test_cred_check_setreuid, 2896 .mpo_cred_check_setuid = test_cred_check_setuid, 2897 .mpo_cred_check_visible = test_cred_check_visible, 2898 .mpo_cred_copy_label = test_cred_copy_label, 2899 .mpo_cred_create_init = test_cred_create_init, 2900 .mpo_cred_create_swapper = test_cred_create_swapper, 2901 .mpo_cred_destroy_label = test_cred_destroy_label, 2902 .mpo_cred_externalize_label = test_cred_externalize_label, 2903 .mpo_cred_init_label = test_cred_init_label, 2904 .mpo_cred_internalize_label = test_cred_internalize_label, 2905 .mpo_cred_relabel = test_cred_relabel, 2906 2907 .mpo_devfs_create_device = test_devfs_create_device, 2908 .mpo_devfs_create_directory = test_devfs_create_directory, 2909 .mpo_devfs_create_symlink = test_devfs_create_symlink, 2910 .mpo_devfs_destroy_label = test_devfs_destroy_label, 2911 .mpo_devfs_init_label = test_devfs_init_label, 2912 .mpo_devfs_update = test_devfs_update, 2913 .mpo_devfs_vnode_associate = test_devfs_vnode_associate, 2914 2915 .mpo_ifnet_check_relabel = test_ifnet_check_relabel, 2916 .mpo_ifnet_check_transmit = test_ifnet_check_transmit, 2917 .mpo_ifnet_copy_label = test_ifnet_copy_label, 2918 .mpo_ifnet_create = test_ifnet_create, 2919 .mpo_ifnet_create_mbuf = test_ifnet_create_mbuf, 2920 .mpo_ifnet_destroy_label = test_ifnet_destroy_label, 2921 .mpo_ifnet_externalize_label = test_ifnet_externalize_label, 2922 .mpo_ifnet_init_label = test_ifnet_init_label, 2923 .mpo_ifnet_internalize_label = test_ifnet_internalize_label, 2924 .mpo_ifnet_relabel = test_ifnet_relabel, 2925 2926 .mpo_syncache_destroy_label = test_syncache_destroy_label, 2927 .mpo_syncache_init_label = test_syncache_init_label, 2928 2929 .mpo_sysvmsg_destroy_label = test_sysvmsg_destroy_label, 2930 .mpo_sysvmsg_init_label = test_sysvmsg_init_label, 2931 2932 .mpo_sysvmsq_destroy_label = test_sysvmsq_destroy_label, 2933 .mpo_sysvmsq_init_label = test_sysvmsq_init_label, 2934 2935 .mpo_sysvsem_destroy_label = test_sysvsem_destroy_label, 2936 .mpo_sysvsem_init_label = test_sysvsem_init_label, 2937 2938 .mpo_sysvshm_destroy_label = test_sysvshm_destroy_label, 2939 .mpo_sysvshm_init_label = test_sysvshm_init_label, 2940 2941 .mpo_inpcb_check_deliver = test_inpcb_check_deliver, 2942 .mpo_inpcb_check_visible = test_inpcb_check_visible, 2943 .mpo_inpcb_create = test_inpcb_create, 2944 .mpo_inpcb_create_mbuf = test_inpcb_create_mbuf, 2945 .mpo_inpcb_destroy_label = test_inpcb_destroy_label, 2946 .mpo_inpcb_init_label = test_inpcb_init_label, 2947 .mpo_inpcb_sosetlabel = test_inpcb_sosetlabel, 2948 2949 .mpo_ip6q_create = test_ip6q_create, 2950 .mpo_ip6q_destroy_label = test_ip6q_destroy_label, 2951 .mpo_ip6q_init_label = test_ip6q_init_label, 2952 .mpo_ip6q_match = test_ip6q_match, 2953 .mpo_ip6q_reassemble = test_ip6q_reassemble, 2954 .mpo_ip6q_update = test_ip6q_update, 2955 2956 .mpo_ipq_create = test_ipq_create, 2957 .mpo_ipq_destroy_label = test_ipq_destroy_label, 2958 .mpo_ipq_init_label = test_ipq_init_label, 2959 .mpo_ipq_match = test_ipq_match, 2960 .mpo_ipq_reassemble = test_ipq_reassemble, 2961 .mpo_ipq_update = test_ipq_update, 2962 2963 .mpo_kenv_check_dump = test_kenv_check_dump, 2964 .mpo_kenv_check_get = test_kenv_check_get, 2965 .mpo_kenv_check_set = test_kenv_check_set, 2966 .mpo_kenv_check_unset = test_kenv_check_unset, 2967 2968 .mpo_kld_check_load = test_kld_check_load, 2969 .mpo_kld_check_stat = test_kld_check_stat, 2970 2971 .mpo_mbuf_copy_label = test_mbuf_copy_label, 2972 .mpo_mbuf_destroy_label = test_mbuf_destroy_label, 2973 .mpo_mbuf_init_label = test_mbuf_init_label, 2974 2975 .mpo_mount_check_stat = test_mount_check_stat, 2976 .mpo_mount_create = test_mount_create, 2977 .mpo_mount_destroy_label = test_mount_destroy_label, 2978 .mpo_mount_init_label = test_mount_init_label, 2979 2980 .mpo_netatalk_aarp_send = test_netatalk_aarp_send, 2981 2982 .mpo_netinet_arp_send = test_netinet_arp_send, 2983 .mpo_netinet_fragment = test_netinet_fragment, 2984 .mpo_netinet_icmp_reply = test_netinet_icmp_reply, 2985 .mpo_netinet_icmp_replyinplace = test_netinet_icmp_replyinplace, 2986 .mpo_netinet_igmp_send = test_netinet_igmp_send, 2987 .mpo_netinet_tcp_reply = test_netinet_tcp_reply, 2988 2989 .mpo_netinet6_nd6_send = test_netinet6_nd6_send, 2990 2991 .mpo_pipe_check_ioctl = test_pipe_check_ioctl, 2992 .mpo_pipe_check_poll = test_pipe_check_poll, 2993 .mpo_pipe_check_read = test_pipe_check_read, 2994 .mpo_pipe_check_relabel = test_pipe_check_relabel, 2995 .mpo_pipe_check_stat = test_pipe_check_stat, 2996 .mpo_pipe_check_write = test_pipe_check_write, 2997 .mpo_pipe_copy_label = test_pipe_copy_label, 2998 .mpo_pipe_create = test_pipe_create, 2999 .mpo_pipe_destroy_label = test_pipe_destroy_label, 3000 .mpo_pipe_externalize_label = test_pipe_externalize_label, 3001 .mpo_pipe_init_label = test_pipe_init_label, 3002 .mpo_pipe_internalize_label = test_pipe_internalize_label, 3003 .mpo_pipe_relabel = test_pipe_relabel, 3004 3005 .mpo_posixsem_check_getvalue = test_posixsem_check_getvalue, 3006 .mpo_posixsem_check_open = test_posixsem_check_open, 3007 .mpo_posixsem_check_post = test_posixsem_check_post, 3008 .mpo_posixsem_check_stat = test_posixsem_check_stat, 3009 .mpo_posixsem_check_unlink = test_posixsem_check_unlink, 3010 .mpo_posixsem_check_wait = test_posixsem_check_wait, 3011 .mpo_posixsem_create = test_posixsem_create, 3012 .mpo_posixsem_destroy_label = test_posixsem_destroy_label, 3013 .mpo_posixsem_init_label = test_posixsem_init_label, 3014 3015 .mpo_posixshm_check_mmap = test_posixshm_check_mmap, 3016 .mpo_posixshm_check_open = test_posixshm_check_open, 3017 .mpo_posixshm_check_stat = test_posixshm_check_stat, 3018 .mpo_posixshm_check_truncate = test_posixshm_check_truncate, 3019 .mpo_posixshm_check_unlink = test_posixshm_check_unlink, 3020 .mpo_posixshm_create = test_posixshm_create, 3021 .mpo_posixshm_destroy_label = test_posixshm_destroy_label, 3022 .mpo_posixshm_init_label = test_posixshm_init_label, 3023 3024 .mpo_proc_check_debug = test_proc_check_debug, 3025 .mpo_proc_check_sched = test_proc_check_sched, 3026 .mpo_proc_check_signal = test_proc_check_signal, 3027 .mpo_proc_check_wait = test_proc_check_wait, 3028 .mpo_proc_destroy_label = test_proc_destroy_label, 3029 .mpo_proc_init_label = test_proc_init_label, 3030 3031 .mpo_socket_check_accept = test_socket_check_accept, 3032 .mpo_socket_check_bind = test_socket_check_bind, 3033 .mpo_socket_check_connect = test_socket_check_connect, 3034 .mpo_socket_check_deliver = test_socket_check_deliver, 3035 .mpo_socket_check_listen = test_socket_check_listen, 3036 .mpo_socket_check_poll = test_socket_check_poll, 3037 .mpo_socket_check_receive = test_socket_check_receive, 3038 .mpo_socket_check_relabel = test_socket_check_relabel, 3039 .mpo_socket_check_send = test_socket_check_send, 3040 .mpo_socket_check_stat = test_socket_check_stat, 3041 .mpo_socket_check_visible = test_socket_check_visible, 3042 .mpo_socket_copy_label = test_socket_copy_label, 3043 .mpo_socket_create = test_socket_create, 3044 .mpo_socket_create_mbuf = test_socket_create_mbuf, 3045 .mpo_socket_destroy_label = test_socket_destroy_label, 3046 .mpo_socket_externalize_label = test_socket_externalize_label, 3047 .mpo_socket_init_label = test_socket_init_label, 3048 .mpo_socket_internalize_label = test_socket_internalize_label, 3049 .mpo_socket_newconn = test_socket_newconn, 3050 .mpo_socket_relabel = test_socket_relabel, 3051 3052 .mpo_socketpeer_destroy_label = test_socketpeer_destroy_label, 3053 .mpo_socketpeer_externalize_label = test_socketpeer_externalize_label, 3054 .mpo_socketpeer_init_label = test_socketpeer_init_label, 3055 .mpo_socketpeer_set_from_mbuf = test_socketpeer_set_from_mbuf, 3056 .mpo_socketpeer_set_from_socket = test_socketpeer_set_from_socket, 3057 3058 .mpo_syncache_create = test_syncache_create, 3059 .mpo_syncache_create_mbuf = test_syncache_create_mbuf, 3060 3061 .mpo_system_check_acct = test_system_check_acct, 3062 .mpo_system_check_audit = test_system_check_audit, 3063 .mpo_system_check_auditctl = test_system_check_auditctl, 3064 .mpo_system_check_auditon = test_system_check_auditon, 3065 .mpo_system_check_reboot = test_system_check_reboot, 3066 .mpo_system_check_swapoff = test_system_check_swapoff, 3067 .mpo_system_check_swapon = test_system_check_swapon, 3068 .mpo_system_check_sysctl = test_system_check_sysctl, 3069 3070 .mpo_vnode_check_access = test_vnode_check_access, 3071 .mpo_sysvmsg_cleanup = test_sysvmsg_cleanup, 3072 .mpo_sysvmsg_create = test_sysvmsg_create, 3073 3074 .mpo_sysvmsq_check_msgmsq = test_sysvmsq_check_msgmsq, 3075 .mpo_sysvmsq_check_msgrcv = test_sysvmsq_check_msgrcv, 3076 .mpo_sysvmsq_check_msgrmid = test_sysvmsq_check_msgrmid, 3077 .mpo_sysvmsq_check_msqget = test_sysvmsq_check_msqget, 3078 .mpo_sysvmsq_check_msqsnd = test_sysvmsq_check_msqsnd, 3079 .mpo_sysvmsq_check_msqrcv = test_sysvmsq_check_msqrcv, 3080 .mpo_sysvmsq_check_msqctl = test_sysvmsq_check_msqctl, 3081 .mpo_sysvmsq_cleanup = test_sysvmsq_cleanup, 3082 .mpo_sysvmsq_create = test_sysvmsq_create, 3083 3084 .mpo_sysvsem_check_semctl = test_sysvsem_check_semctl, 3085 .mpo_sysvsem_check_semget = test_sysvsem_check_semget, 3086 .mpo_sysvsem_check_semop = test_sysvsem_check_semop, 3087 .mpo_sysvsem_cleanup = test_sysvsem_cleanup, 3088 .mpo_sysvsem_create = test_sysvsem_create, 3089 3090 .mpo_sysvshm_check_shmat = test_sysvshm_check_shmat, 3091 .mpo_sysvshm_check_shmctl = test_sysvshm_check_shmctl, 3092 .mpo_sysvshm_check_shmdt = test_sysvshm_check_shmdt, 3093 .mpo_sysvshm_check_shmget = test_sysvshm_check_shmget, 3094 .mpo_sysvshm_cleanup = test_sysvshm_cleanup, 3095 .mpo_sysvshm_create = test_sysvshm_create, 3096 3097 .mpo_thread_userret = test_thread_userret, 3098 3099 .mpo_vnode_associate_extattr = test_vnode_associate_extattr, 3100 .mpo_vnode_associate_singlelabel = test_vnode_associate_singlelabel, 3101 .mpo_vnode_check_chdir = test_vnode_check_chdir, 3102 .mpo_vnode_check_chroot = test_vnode_check_chroot, 3103 .mpo_vnode_check_create = test_vnode_check_create, 3104 .mpo_vnode_check_deleteacl = test_vnode_check_deleteacl, 3105 .mpo_vnode_check_deleteextattr = test_vnode_check_deleteextattr, 3106 .mpo_vnode_check_exec = test_vnode_check_exec, 3107 .mpo_vnode_check_getacl = test_vnode_check_getacl, 3108 .mpo_vnode_check_getextattr = test_vnode_check_getextattr, 3109 .mpo_vnode_check_link = test_vnode_check_link, 3110 .mpo_vnode_check_listextattr = test_vnode_check_listextattr, 3111 .mpo_vnode_check_lookup = test_vnode_check_lookup, 3112 .mpo_vnode_check_mmap = test_vnode_check_mmap, 3113 .mpo_vnode_check_open = test_vnode_check_open, 3114 .mpo_vnode_check_poll = test_vnode_check_poll, 3115 .mpo_vnode_check_read = test_vnode_check_read, 3116 .mpo_vnode_check_readdir = test_vnode_check_readdir, 3117 .mpo_vnode_check_readlink = test_vnode_check_readlink, 3118 .mpo_vnode_check_relabel = test_vnode_check_relabel, 3119 .mpo_vnode_check_rename_from = test_vnode_check_rename_from, 3120 .mpo_vnode_check_rename_to = test_vnode_check_rename_to, 3121 .mpo_vnode_check_revoke = test_vnode_check_revoke, 3122 .mpo_vnode_check_setacl = test_vnode_check_setacl, 3123 .mpo_vnode_check_setextattr = test_vnode_check_setextattr, 3124 .mpo_vnode_check_setflags = test_vnode_check_setflags, 3125 .mpo_vnode_check_setmode = test_vnode_check_setmode, 3126 .mpo_vnode_check_setowner = test_vnode_check_setowner, 3127 .mpo_vnode_check_setutimes = test_vnode_check_setutimes, 3128 .mpo_vnode_check_stat = test_vnode_check_stat, 3129 .mpo_vnode_check_unlink = test_vnode_check_unlink, 3130 .mpo_vnode_check_write = test_vnode_check_write, 3131 .mpo_vnode_copy_label = test_vnode_copy_label, 3132 .mpo_vnode_create_extattr = test_vnode_create_extattr, 3133 .mpo_vnode_destroy_label = test_vnode_destroy_label, 3134 .mpo_vnode_execve_transition = test_vnode_execve_transition, 3135 .mpo_vnode_execve_will_transition = test_vnode_execve_will_transition, 3136 .mpo_vnode_externalize_label = test_vnode_externalize_label, 3137 .mpo_vnode_init_label = test_vnode_init_label, 3138 .mpo_vnode_internalize_label = test_vnode_internalize_label, 3139 .mpo_vnode_relabel = test_vnode_relabel, 3140 .mpo_vnode_setlabel_extattr = test_vnode_setlabel_extattr, 3141 }; 3142 3143 MAC_POLICY_SET(&test_ops, mac_test, "TrustedBSD MAC/Test", 3144 MPC_LOADTIME_FLAG_UNLOADOK, &test_slot); 3145