1 /*- 2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson 3 * Copyright (c) 2001-2005 McAfee, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by McAfee 9 * Research, the Security Research Division of McAfee, Inc. under 10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 11 * CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $FreeBSD$ 35 */ 36 37 /* 38 * Developed by the TrustedBSD Project. 39 * 40 * MAC Test policy - tests MAC Framework labeling by assigning object class 41 * magic numbers to each label and validates that each time an object label 42 * is passed into the policy, it has a consistent object type, catching 43 * incorrectly passed labels, labels passed after free, etc. 44 */ 45 46 #include <sys/param.h> 47 #include <sys/acl.h> 48 #include <sys/kdb.h> 49 #include <sys/kernel.h> 50 #include <sys/ksem.h> 51 #include <sys/malloc.h> 52 #include <sys/module.h> 53 #include <sys/mount.h> 54 #include <sys/msg.h> 55 #include <sys/proc.h> 56 #include <sys/vnode.h> 57 #include <sys/sem.h> 58 #include <sys/shm.h> 59 #include <sys/socket.h> 60 #include <sys/socketvar.h> 61 #include <sys/sx.h> 62 #include <sys/sysctl.h> 63 64 #include <fs/devfs/devfs.h> 65 66 #include <net/bpfdesc.h> 67 #include <net/if.h> 68 #include <net/if_types.h> 69 #include <net/if_var.h> 70 71 #include <security/mac/mac_policy.h> 72 73 SYSCTL_DECL(_security_mac); 74 75 SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, 76 "TrustedBSD mac_test policy controls"); 77 78 #define MAGIC_BPF 0xfe1ad1b6 79 #define MAGIC_DEVFS 0x9ee79c32 80 #define MAGIC_IFNET 0xc218b120 81 #define MAGIC_INPCB 0x4440f7bb 82 #define MAGIC_IPQ 0x206188ef 83 #define MAGIC_MBUF 0xbbefa5bb 84 #define MAGIC_MOUNT 0xc7c46e47 85 #define MAGIC_SOCKET 0x9199c6cd 86 #define MAGIC_SYSV_MSG 0x8bbba61e 87 #define MAGIC_SYSV_MSQ 0xea672391 88 #define MAGIC_SYSV_SEM 0x896e8a0b 89 #define MAGIC_SYSV_SHM 0x76119ab0 90 #define MAGIC_PIPE 0xdc6c9919 91 #define MAGIC_POSIX_SEM 0x78ae980c 92 #define MAGIC_PROC 0x3b4be98f 93 #define MAGIC_CRED 0x9a5a4987 94 #define MAGIC_VNODE 0x1a67a45c 95 #define MAGIC_FREE 0x849ba1fd 96 97 #define SLOT(x) mac_label_get((x), test_slot) 98 #define SLOT_SET(x, v) mac_label_set((x), test_slot, (v)) 99 100 static int test_slot; 101 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 102 &test_slot, 0, "Slot allocated by framework"); 103 104 SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0, 105 "TrustedBSD mac_test counters controls"); 106 107 #define COUNTER_DECL(variable) \ 108 static int counter_##variable; \ 109 SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable, \ 110 CTLFLAG_RD, &counter_##variable, 0, #variable) 111 112 #define COUNTER_INC(variable) atomic_add_int(&counter_##variable, 1) 113 114 #ifdef KDB 115 #define DEBUGGER(func, string) kdb_enter((string)) 116 #else 117 #define DEBUGGER(func, string) printf("mac_test: %s: %s\n", (func), (string)) 118 #endif 119 120 #define LABEL_CHECK(label, magic) do { \ 121 if (label != NULL) { \ 122 KASSERT(SLOT(label) == magic || SLOT(label) == 0, \ 123 ("%s: bad %s label", __func__, #magic)); \ 124 } \ 125 } while (0) 126 127 #define LABEL_DESTROY(label, magic) do { \ 128 if (SLOT(label) == magic || SLOT(label) == 0) { \ 129 SLOT_SET(label, MAGIC_FREE); \ 130 } else if (SLOT(label) == MAGIC_FREE) { \ 131 DEBUGGER("%s: dup destroy", __func__); \ 132 } else { \ 133 DEBUGGER("%s: corrupted label", __func__); \ 134 } \ 135 } while (0) 136 137 #define LABEL_INIT(label, magic) do { \ 138 SLOT_SET(label, magic); \ 139 } while (0) 140 141 #define LABEL_NOTFREE(label) do { \ 142 KASSERT(SLOT(label) != MAGIC_FREE, \ 143 ("%s: destroyed label", __func__)); \ 144 } while (0) 145 146 /* 147 * Label operations. 148 */ 149 COUNTER_DECL(init_bpfdesc_label); 150 static void 151 mac_test_init_bpfdesc_label(struct label *label) 152 { 153 154 LABEL_INIT(label, MAGIC_BPF); 155 COUNTER_INC(init_bpfdesc_label); 156 } 157 158 COUNTER_DECL(init_cred_label); 159 static void 160 mac_test_init_cred_label(struct label *label) 161 { 162 163 LABEL_INIT(label, MAGIC_CRED); 164 COUNTER_INC(init_cred_label); 165 } 166 167 COUNTER_DECL(init_devfs_label); 168 static void 169 mac_test_init_devfs_label(struct label *label) 170 { 171 172 LABEL_INIT(label, MAGIC_DEVFS); 173 COUNTER_INC(init_devfs_label); 174 } 175 176 COUNTER_DECL(init_ifnet_label); 177 static void 178 mac_test_init_ifnet_label(struct label *label) 179 { 180 181 LABEL_INIT(label, MAGIC_IFNET); 182 COUNTER_INC(init_ifnet_label); 183 } 184 185 COUNTER_DECL(init_inpcb_label); 186 static int 187 mac_test_init_inpcb_label(struct label *label, int flag) 188 { 189 190 if (flag & M_WAITOK) 191 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 192 "mac_test_init_inpcb_label() at %s:%d", __FILE__, 193 __LINE__); 194 195 LABEL_INIT(label, MAGIC_INPCB); 196 COUNTER_INC(init_inpcb_label); 197 return (0); 198 } 199 200 COUNTER_DECL(init_sysv_msg_label); 201 static void 202 mac_test_init_sysv_msgmsg_label(struct label *label) 203 { 204 LABEL_INIT(label, MAGIC_SYSV_MSG); 205 COUNTER_INC(init_sysv_msg_label); 206 } 207 208 COUNTER_DECL(init_sysv_msq_label); 209 static void 210 mac_test_init_sysv_msgqueue_label(struct label *label) 211 { 212 LABEL_INIT(label, MAGIC_SYSV_MSQ); 213 COUNTER_INC(init_sysv_msq_label); 214 } 215 216 COUNTER_DECL(init_sysv_sem_label); 217 static void 218 mac_test_init_sysv_sem_label(struct label *label) 219 { 220 LABEL_INIT(label, MAGIC_SYSV_SEM); 221 COUNTER_INC(init_sysv_sem_label); 222 } 223 224 COUNTER_DECL(init_sysv_shm_label); 225 static void 226 mac_test_init_sysv_shm_label(struct label *label) 227 { 228 LABEL_INIT(label, MAGIC_SYSV_SHM); 229 COUNTER_INC(init_sysv_shm_label); 230 } 231 232 COUNTER_DECL(init_ipq_label); 233 static int 234 mac_test_init_ipq_label(struct label *label, int flag) 235 { 236 237 if (flag & M_WAITOK) 238 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 239 "mac_test_init_ipq_label() at %s:%d", __FILE__, 240 __LINE__); 241 242 LABEL_INIT(label, MAGIC_IPQ); 243 COUNTER_INC(init_ipq_label); 244 return (0); 245 } 246 247 COUNTER_DECL(init_mbuf_label); 248 static int 249 mac_test_init_mbuf_label(struct label *label, int flag) 250 { 251 252 if (flag & M_WAITOK) 253 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 254 "mac_test_init_mbuf_label() at %s:%d", __FILE__, 255 __LINE__); 256 257 LABEL_INIT(label, MAGIC_MBUF); 258 COUNTER_INC(init_mbuf_label); 259 return (0); 260 } 261 262 COUNTER_DECL(init_mount_label); 263 static void 264 mac_test_init_mount_label(struct label *label) 265 { 266 267 LABEL_INIT(label, MAGIC_MOUNT); 268 COUNTER_INC(init_mount_label); 269 } 270 271 COUNTER_DECL(init_socket_label); 272 static int 273 mac_test_init_socket_label(struct label *label, int flag) 274 { 275 276 if (flag & M_WAITOK) 277 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 278 "mac_test_init_socket_label() at %s:%d", __FILE__, 279 __LINE__); 280 281 LABEL_INIT(label, MAGIC_SOCKET); 282 COUNTER_INC(init_socket_label); 283 return (0); 284 } 285 286 COUNTER_DECL(init_socket_peer_label); 287 static int 288 mac_test_init_socket_peer_label(struct label *label, int flag) 289 { 290 291 if (flag & M_WAITOK) 292 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 293 "mac_test_init_socket_peer_label() at %s:%d", __FILE__, 294 __LINE__); 295 296 LABEL_INIT(label, MAGIC_SOCKET); 297 COUNTER_INC(init_socket_peer_label); 298 return (0); 299 } 300 301 COUNTER_DECL(init_pipe_label); 302 static void 303 mac_test_init_pipe_label(struct label *label) 304 { 305 306 LABEL_INIT(label, MAGIC_PIPE); 307 COUNTER_INC(init_pipe_label); 308 } 309 310 COUNTER_DECL(init_posix_sem_label); 311 static void 312 mac_test_init_posix_sem_label(struct label *label) 313 { 314 315 LABEL_INIT(label, MAGIC_POSIX_SEM); 316 COUNTER_INC(init_posix_sem_label); 317 } 318 319 COUNTER_DECL(init_proc_label); 320 static void 321 mac_test_init_proc_label(struct label *label) 322 { 323 324 LABEL_INIT(label, MAGIC_PROC); 325 COUNTER_INC(init_proc_label); 326 } 327 328 COUNTER_DECL(init_vnode_label); 329 static void 330 mac_test_init_vnode_label(struct label *label) 331 { 332 333 LABEL_INIT(label, MAGIC_VNODE); 334 COUNTER_INC(init_vnode_label); 335 } 336 337 COUNTER_DECL(destroy_bpfdesc_label); 338 static void 339 mac_test_destroy_bpfdesc_label(struct label *label) 340 { 341 342 LABEL_DESTROY(label, MAGIC_BPF); 343 COUNTER_INC(destroy_bpfdesc_label); 344 } 345 346 COUNTER_DECL(destroy_cred_label); 347 static void 348 mac_test_destroy_cred_label(struct label *label) 349 { 350 351 LABEL_DESTROY(label, MAGIC_CRED); 352 COUNTER_INC(destroy_cred_label); 353 } 354 355 COUNTER_DECL(destroy_devfs_label); 356 static void 357 mac_test_destroy_devfs_label(struct label *label) 358 { 359 360 LABEL_DESTROY(label, MAGIC_DEVFS); 361 COUNTER_INC(destroy_devfs_label); 362 } 363 364 COUNTER_DECL(destroy_ifnet_label); 365 static void 366 mac_test_destroy_ifnet_label(struct label *label) 367 { 368 369 LABEL_DESTROY(label, MAGIC_IFNET); 370 COUNTER_INC(destroy_ifnet_label); 371 } 372 373 COUNTER_DECL(destroy_inpcb_label); 374 static void 375 mac_test_destroy_inpcb_label(struct label *label) 376 { 377 378 LABEL_DESTROY(label, MAGIC_INPCB); 379 COUNTER_INC(destroy_inpcb_label); 380 } 381 382 COUNTER_DECL(destroy_sysv_msg_label); 383 static void 384 mac_test_destroy_sysv_msgmsg_label(struct label *label) 385 { 386 387 LABEL_DESTROY(label, MAGIC_SYSV_MSG); 388 COUNTER_INC(destroy_sysv_msg_label); 389 } 390 391 COUNTER_DECL(destroy_sysv_msq_label); 392 static void 393 mac_test_destroy_sysv_msgqueue_label(struct label *label) 394 { 395 396 LABEL_DESTROY(label, MAGIC_SYSV_MSQ); 397 COUNTER_INC(destroy_sysv_msq_label); 398 } 399 400 COUNTER_DECL(destroy_sysv_sem_label); 401 static void 402 mac_test_destroy_sysv_sem_label(struct label *label) 403 { 404 405 LABEL_DESTROY(label, MAGIC_SYSV_SEM); 406 COUNTER_INC(destroy_sysv_sem_label); 407 } 408 409 COUNTER_DECL(destroy_sysv_shm_label); 410 static void 411 mac_test_destroy_sysv_shm_label(struct label *label) 412 { 413 414 LABEL_DESTROY(label, MAGIC_SYSV_SHM); 415 COUNTER_INC(destroy_sysv_shm_label); 416 } 417 418 COUNTER_DECL(destroy_ipq_label); 419 static void 420 mac_test_destroy_ipq_label(struct label *label) 421 { 422 423 LABEL_DESTROY(label, MAGIC_IPQ); 424 COUNTER_INC(destroy_ipq_label); 425 } 426 427 COUNTER_DECL(destroy_mbuf_label); 428 static void 429 mac_test_destroy_mbuf_label(struct label *label) 430 { 431 432 /* 433 * If we're loaded dynamically, there may be mbufs in flight that 434 * didn't have label storage allocated for them. Handle this 435 * gracefully. 436 */ 437 if (label == NULL) 438 return; 439 440 LABEL_DESTROY(label, MAGIC_MBUF); 441 COUNTER_INC(destroy_mbuf_label); 442 } 443 444 COUNTER_DECL(destroy_mount_label); 445 static void 446 mac_test_destroy_mount_label(struct label *label) 447 { 448 449 LABEL_DESTROY(label, MAGIC_MOUNT); 450 COUNTER_INC(destroy_mount_label); 451 } 452 453 COUNTER_DECL(destroy_socket_label); 454 static void 455 mac_test_destroy_socket_label(struct label *label) 456 { 457 458 LABEL_DESTROY(label, MAGIC_SOCKET); 459 COUNTER_INC(destroy_socket_label); 460 } 461 462 COUNTER_DECL(destroy_socket_peer_label); 463 static void 464 mac_test_destroy_socket_peer_label(struct label *label) 465 { 466 467 LABEL_DESTROY(label, MAGIC_SOCKET); 468 COUNTER_INC(destroy_socket_peer_label); 469 } 470 471 COUNTER_DECL(destroy_pipe_label); 472 static void 473 mac_test_destroy_pipe_label(struct label *label) 474 { 475 476 LABEL_DESTROY(label, MAGIC_PIPE); 477 COUNTER_INC(destroy_pipe_label); 478 } 479 480 COUNTER_DECL(destroy_posix_sem_label); 481 static void 482 mac_test_destroy_posix_sem_label(struct label *label) 483 { 484 485 LABEL_DESTROY(label, MAGIC_POSIX_SEM); 486 COUNTER_INC(destroy_posix_sem_label); 487 } 488 489 COUNTER_DECL(destroy_proc_label); 490 static void 491 mac_test_destroy_proc_label(struct label *label) 492 { 493 494 LABEL_DESTROY(label, MAGIC_PROC); 495 COUNTER_INC(destroy_proc_label); 496 } 497 498 COUNTER_DECL(destroy_vnode_label); 499 static void 500 mac_test_destroy_vnode_label(struct label *label) 501 { 502 503 LABEL_DESTROY(label, MAGIC_VNODE); 504 COUNTER_INC(destroy_vnode_label); 505 } 506 507 COUNTER_DECL(copy_cred_label); 508 static void 509 mac_test_copy_cred_label(struct label *src, struct label *dest) 510 { 511 512 LABEL_CHECK(src, MAGIC_CRED); 513 LABEL_CHECK(dest, MAGIC_CRED); 514 COUNTER_INC(copy_cred_label); 515 } 516 517 COUNTER_DECL(copy_ifnet_label); 518 static void 519 mac_test_copy_ifnet_label(struct label *src, struct label *dest) 520 { 521 522 LABEL_CHECK(src, MAGIC_IFNET); 523 LABEL_CHECK(dest, MAGIC_IFNET); 524 COUNTER_INC(copy_ifnet_label); 525 } 526 527 COUNTER_DECL(copy_mbuf_label); 528 static void 529 mac_test_copy_mbuf_label(struct label *src, struct label *dest) 530 { 531 532 LABEL_CHECK(src, MAGIC_MBUF); 533 LABEL_CHECK(dest, MAGIC_MBUF); 534 COUNTER_INC(copy_mbuf_label); 535 } 536 537 COUNTER_DECL(copy_pipe_label); 538 static void 539 mac_test_copy_pipe_label(struct label *src, struct label *dest) 540 { 541 542 LABEL_CHECK(src, MAGIC_PIPE); 543 LABEL_CHECK(dest, MAGIC_PIPE); 544 COUNTER_INC(copy_pipe_label); 545 } 546 547 COUNTER_DECL(copy_socket_label); 548 static void 549 mac_test_copy_socket_label(struct label *src, struct label *dest) 550 { 551 552 LABEL_CHECK(src, MAGIC_SOCKET); 553 LABEL_CHECK(dest, MAGIC_SOCKET); 554 COUNTER_INC(copy_socket_label); 555 } 556 557 COUNTER_DECL(copy_vnode_label); 558 static void 559 mac_test_copy_vnode_label(struct label *src, struct label *dest) 560 { 561 562 LABEL_CHECK(src, MAGIC_VNODE); 563 LABEL_CHECK(dest, MAGIC_VNODE); 564 COUNTER_INC(copy_vnode_label); 565 } 566 567 COUNTER_DECL(externalize_label); 568 static int 569 mac_test_externalize_label(struct label *label, char *element_name, 570 struct sbuf *sb, int *claimed) 571 { 572 573 LABEL_NOTFREE(label); 574 COUNTER_INC(externalize_label); 575 576 return (0); 577 } 578 579 COUNTER_DECL(internalize_label); 580 static int 581 mac_test_internalize_label(struct label *label, char *element_name, 582 char *element_data, int *claimed) 583 { 584 585 LABEL_NOTFREE(label); 586 COUNTER_INC(internalize_label); 587 588 return (0); 589 } 590 591 /* 592 * Labeling event operations: file system objects, and things that look 593 * a lot like file system objects. 594 */ 595 COUNTER_DECL(associate_vnode_devfs); 596 static void 597 mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel, 598 struct devfs_dirent *de, struct label *delabel, struct vnode *vp, 599 struct label *vplabel) 600 { 601 602 LABEL_CHECK(mplabel, MAGIC_MOUNT); 603 LABEL_CHECK(delabel, MAGIC_DEVFS); 604 LABEL_CHECK(vplabel, MAGIC_VNODE); 605 COUNTER_INC(associate_vnode_devfs); 606 } 607 608 COUNTER_DECL(associate_vnode_extattr); 609 static int 610 mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel, 611 struct vnode *vp, struct label *vplabel) 612 { 613 614 LABEL_CHECK(mplabel, MAGIC_MOUNT); 615 LABEL_CHECK(vplabel, MAGIC_VNODE); 616 COUNTER_INC(associate_vnode_extattr); 617 618 return (0); 619 } 620 621 COUNTER_DECL(associate_vnode_singlelabel); 622 static void 623 mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel, 624 struct vnode *vp, struct label *vplabel) 625 { 626 627 LABEL_CHECK(mplabel, MAGIC_MOUNT); 628 LABEL_CHECK(vplabel, MAGIC_VNODE); 629 COUNTER_INC(associate_vnode_singlelabel); 630 } 631 632 COUNTER_DECL(create_devfs_device); 633 static void 634 mac_test_create_devfs_device(struct ucred *cred, struct mount *mp, 635 struct cdev *dev, struct devfs_dirent *de, struct label *delabel) 636 { 637 638 if (cred != NULL) 639 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 640 LABEL_CHECK(delabel, MAGIC_DEVFS); 641 COUNTER_INC(create_devfs_device); 642 } 643 644 COUNTER_DECL(create_devfs_directory); 645 static void 646 mac_test_create_devfs_directory(struct mount *mp, char *dirname, 647 int dirnamelen, struct devfs_dirent *de, struct label *delabel) 648 { 649 650 LABEL_CHECK(delabel, MAGIC_DEVFS); 651 COUNTER_INC(create_devfs_directory); 652 } 653 654 COUNTER_DECL(create_devfs_symlink); 655 static void 656 mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp, 657 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, 658 struct label *delabel) 659 { 660 661 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 662 LABEL_CHECK(ddlabel, MAGIC_DEVFS); 663 LABEL_CHECK(delabel, MAGIC_DEVFS); 664 COUNTER_INC(create_devfs_symlink); 665 } 666 667 COUNTER_DECL(create_vnode_extattr); 668 static int 669 mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp, 670 struct label *mplabel, struct vnode *dvp, struct label *dvplabel, 671 struct vnode *vp, struct label *vplabel, struct componentname *cnp) 672 { 673 674 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 675 LABEL_CHECK(mplabel, MAGIC_MOUNT); 676 LABEL_CHECK(dvplabel, MAGIC_VNODE); 677 COUNTER_INC(create_vnode_extattr); 678 679 return (0); 680 } 681 682 COUNTER_DECL(create_mount); 683 static void 684 mac_test_create_mount(struct ucred *cred, struct mount *mp, 685 struct label *mplabel) 686 { 687 688 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 689 LABEL_CHECK(mplabel, MAGIC_MOUNT); 690 COUNTER_INC(create_mount); 691 } 692 693 COUNTER_DECL(relabel_vnode); 694 static void 695 mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp, 696 struct label *vplabel, struct label *label) 697 { 698 699 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 700 LABEL_CHECK(vplabel, MAGIC_VNODE); 701 LABEL_CHECK(label, MAGIC_VNODE); 702 COUNTER_INC(relabel_vnode); 703 } 704 705 COUNTER_DECL(setlabel_vnode_extattr); 706 static int 707 mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, 708 struct label *vplabel, struct label *intlabel) 709 { 710 711 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 712 LABEL_CHECK(vplabel, MAGIC_VNODE); 713 LABEL_CHECK(intlabel, MAGIC_VNODE); 714 COUNTER_INC(setlabel_vnode_extattr); 715 716 return (0); 717 } 718 719 COUNTER_DECL(update_devfs); 720 static void 721 mac_test_update_devfs(struct mount *mp, struct devfs_dirent *devfs_dirent, 722 struct label *direntlabel, struct vnode *vp, struct label *vplabel) 723 { 724 725 LABEL_CHECK(direntlabel, MAGIC_DEVFS); 726 LABEL_CHECK(vplabel, MAGIC_VNODE); 727 COUNTER_INC(update_devfs); 728 } 729 730 /* 731 * Labeling event operations: IPC object. 732 */ 733 COUNTER_DECL(create_mbuf_from_socket); 734 static void 735 mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, 736 struct mbuf *m, struct label *mbuflabel) 737 { 738 739 LABEL_CHECK(socketlabel, MAGIC_SOCKET); 740 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 741 COUNTER_INC(create_mbuf_from_socket); 742 } 743 744 COUNTER_DECL(create_socket); 745 static void 746 mac_test_create_socket(struct ucred *cred, struct socket *socket, 747 struct label *socketlabel) 748 { 749 750 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 751 LABEL_CHECK(socketlabel, MAGIC_SOCKET); 752 COUNTER_INC(create_socket); 753 } 754 755 COUNTER_DECL(create_pipe); 756 static void 757 mac_test_create_pipe(struct ucred *cred, struct pipepair *pp, 758 struct label *pipelabel) 759 { 760 761 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 762 LABEL_CHECK(pipelabel, MAGIC_PIPE); 763 COUNTER_INC(create_pipe); 764 } 765 766 COUNTER_DECL(create_posix_sem); 767 static void 768 mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem, 769 struct label *posixlabel) 770 { 771 772 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 773 LABEL_CHECK(posixlabel, MAGIC_POSIX_SEM); 774 COUNTER_INC(create_posix_sem); 775 } 776 777 COUNTER_DECL(create_socket_from_socket); 778 static void 779 mac_test_create_socket_from_socket(struct socket *oldsocket, 780 struct label *oldsocketlabel, struct socket *newsocket, 781 struct label *newsocketlabel) 782 { 783 784 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET); 785 LABEL_CHECK(newsocketlabel, MAGIC_SOCKET); 786 COUNTER_INC(create_socket_from_socket); 787 } 788 789 COUNTER_DECL(relabel_socket); 790 static void 791 mac_test_relabel_socket(struct ucred *cred, struct socket *socket, 792 struct label *socketlabel, struct label *newlabel) 793 { 794 795 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 796 LABEL_CHECK(newlabel, MAGIC_SOCKET); 797 COUNTER_INC(relabel_socket); 798 } 799 800 COUNTER_DECL(relabel_pipe); 801 static void 802 mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp, 803 struct label *pipelabel, struct label *newlabel) 804 { 805 806 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 807 LABEL_CHECK(pipelabel, MAGIC_PIPE); 808 LABEL_CHECK(newlabel, MAGIC_PIPE); 809 COUNTER_INC(relabel_pipe); 810 } 811 812 COUNTER_DECL(set_socket_peer_from_mbuf); 813 static void 814 mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, 815 struct socket *socket, struct label *socketpeerlabel) 816 { 817 818 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 819 LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET); 820 COUNTER_INC(set_socket_peer_from_mbuf); 821 } 822 823 /* 824 * Labeling event operations: network objects. 825 */ 826 COUNTER_DECL(set_socket_peer_from_socket); 827 static void 828 mac_test_set_socket_peer_from_socket(struct socket *oldsocket, 829 struct label *oldsocketlabel, struct socket *newsocket, 830 struct label *newsocketpeerlabel) 831 { 832 833 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET); 834 LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET); 835 COUNTER_INC(set_socket_peer_from_socket); 836 } 837 838 COUNTER_DECL(create_bpfdesc); 839 static void 840 mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, 841 struct label *bpflabel) 842 { 843 844 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 845 LABEL_CHECK(bpflabel, MAGIC_BPF); 846 COUNTER_INC(create_bpfdesc); 847 } 848 849 COUNTER_DECL(create_datagram_from_ipq); 850 static void 851 mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, 852 struct mbuf *datagram, struct label *datagramlabel) 853 { 854 855 LABEL_CHECK(ipqlabel, MAGIC_IPQ); 856 LABEL_CHECK(datagramlabel, MAGIC_MBUF); 857 COUNTER_INC(create_datagram_from_ipq); 858 } 859 860 COUNTER_DECL(create_fragment); 861 static void 862 mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel, 863 struct mbuf *fragment, struct label *fragmentlabel) 864 { 865 866 LABEL_CHECK(datagramlabel, MAGIC_MBUF); 867 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 868 COUNTER_INC(create_fragment); 869 } 870 871 COUNTER_DECL(create_ifnet); 872 static void 873 mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) 874 { 875 876 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 877 COUNTER_INC(create_ifnet); 878 } 879 880 COUNTER_DECL(create_inpcb_from_socket); 881 static void 882 mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel, 883 struct inpcb *inp, struct label *inplabel) 884 { 885 886 LABEL_CHECK(solabel, MAGIC_SOCKET); 887 LABEL_CHECK(inplabel, MAGIC_INPCB); 888 COUNTER_INC(create_inpcb_from_socket); 889 } 890 891 COUNTER_DECL(create_sysv_msgmsg); 892 static void 893 mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, 894 struct label *msqlabel, struct msg *msgptr, struct label *msglabel) 895 { 896 897 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 898 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 899 COUNTER_INC(create_sysv_msgmsg); 900 } 901 902 COUNTER_DECL(create_sysv_msgqueue); 903 static void 904 mac_test_create_sysv_msgqueue(struct ucred *cred, 905 struct msqid_kernel *msqkptr, struct label *msqlabel) 906 { 907 908 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 909 COUNTER_INC(create_sysv_msgqueue); 910 } 911 912 COUNTER_DECL(create_sysv_sem); 913 static void 914 mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr, 915 struct label *semalabel) 916 { 917 918 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); 919 COUNTER_INC(create_sysv_sem); 920 } 921 922 COUNTER_DECL(create_sysv_shm); 923 static void 924 mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr, 925 struct label *shmlabel) 926 { 927 928 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); 929 COUNTER_INC(create_sysv_shm); 930 } 931 932 COUNTER_DECL(create_ipq); 933 static void 934 mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel, 935 struct ipq *ipq, struct label *ipqlabel) 936 { 937 938 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 939 LABEL_CHECK(ipqlabel, MAGIC_IPQ); 940 COUNTER_INC(create_ipq); 941 } 942 943 COUNTER_DECL(create_mbuf_from_inpcb); 944 static void 945 mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel, 946 struct mbuf *m, struct label *mlabel) 947 { 948 949 LABEL_CHECK(inplabel, MAGIC_INPCB); 950 LABEL_CHECK(mlabel, MAGIC_MBUF); 951 COUNTER_INC(create_mbuf_from_inpcb); 952 } 953 954 COUNTER_DECL(create_mbuf_linklayer); 955 static void 956 mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, 957 struct mbuf *mbuf, struct label *mbuflabel) 958 { 959 960 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 961 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 962 COUNTER_INC(create_mbuf_linklayer); 963 } 964 965 COUNTER_DECL(create_mbuf_from_bpfdesc); 966 static void 967 mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel, 968 struct mbuf *mbuf, struct label *mbuflabel) 969 { 970 971 LABEL_CHECK(bpflabel, MAGIC_BPF); 972 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 973 COUNTER_INC(create_mbuf_from_bpfdesc); 974 } 975 976 COUNTER_DECL(create_mbuf_from_ifnet); 977 static void 978 mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel, 979 struct mbuf *m, struct label *mbuflabel) 980 { 981 982 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 983 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 984 COUNTER_INC(create_mbuf_from_ifnet); 985 } 986 987 COUNTER_DECL(create_mbuf_multicast_encap); 988 static void 989 mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf, 990 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel, 991 struct mbuf *newmbuf, struct label *newmbuflabel) 992 { 993 994 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF); 995 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 996 LABEL_CHECK(newmbuflabel, MAGIC_MBUF); 997 COUNTER_INC(create_mbuf_multicast_encap); 998 } 999 1000 COUNTER_DECL(create_mbuf_netlayer); 1001 static void 1002 mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf, 1003 struct label *oldmbuflabel, struct mbuf *newmbuf, 1004 struct label *newmbuflabel) 1005 { 1006 1007 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF); 1008 LABEL_CHECK(newmbuflabel, MAGIC_MBUF); 1009 COUNTER_INC(create_mbuf_netlayer); 1010 } 1011 1012 COUNTER_DECL(fragment_match); 1013 static int 1014 mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, 1015 struct ipq *ipq, struct label *ipqlabel) 1016 { 1017 1018 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 1019 LABEL_CHECK(ipqlabel, MAGIC_IPQ); 1020 COUNTER_INC(fragment_match); 1021 1022 return (1); 1023 } 1024 1025 COUNTER_DECL(reflect_mbuf_icmp); 1026 static void 1027 mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel) 1028 { 1029 1030 LABEL_CHECK(mlabel, MAGIC_MBUF); 1031 COUNTER_INC(reflect_mbuf_icmp); 1032 } 1033 1034 COUNTER_DECL(reflect_mbuf_tcp); 1035 static void 1036 mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel) 1037 { 1038 1039 LABEL_CHECK(mlabel, MAGIC_MBUF); 1040 COUNTER_INC(reflect_mbuf_tcp); 1041 } 1042 1043 COUNTER_DECL(relabel_ifnet); 1044 static void 1045 mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, 1046 struct label *ifnetlabel, struct label *newlabel) 1047 { 1048 1049 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1050 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 1051 LABEL_CHECK(newlabel, MAGIC_IFNET); 1052 COUNTER_INC(relabel_ifnet); 1053 } 1054 1055 COUNTER_DECL(update_ipq); 1056 static void 1057 mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, 1058 struct ipq *ipq, struct label *ipqlabel) 1059 { 1060 1061 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 1062 LABEL_CHECK(ipqlabel, MAGIC_IPQ); 1063 COUNTER_INC(update_ipq); 1064 } 1065 1066 COUNTER_DECL(inpcb_sosetlabel); 1067 static void 1068 mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel, 1069 struct inpcb *inp, struct label *inplabel) 1070 { 1071 1072 LABEL_CHECK(solabel, MAGIC_SOCKET); 1073 LABEL_CHECK(inplabel, MAGIC_INPCB); 1074 COUNTER_INC(inpcb_sosetlabel); 1075 } 1076 1077 /* 1078 * Labeling event operations: processes. 1079 */ 1080 COUNTER_DECL(execve_transition); 1081 static void 1082 mac_test_execve_transition(struct ucred *old, struct ucred *new, 1083 struct vnode *vp, struct label *filelabel, 1084 struct label *interpvplabel, struct image_params *imgp, 1085 struct label *execlabel) 1086 { 1087 1088 LABEL_CHECK(old->cr_label, MAGIC_CRED); 1089 LABEL_CHECK(new->cr_label, MAGIC_CRED); 1090 LABEL_CHECK(filelabel, MAGIC_VNODE); 1091 LABEL_CHECK(interpvplabel, MAGIC_VNODE); 1092 LABEL_CHECK(execlabel, MAGIC_CRED); 1093 COUNTER_INC(execve_transition); 1094 } 1095 1096 COUNTER_DECL(execve_will_transition); 1097 static int 1098 mac_test_execve_will_transition(struct ucred *old, struct vnode *vp, 1099 struct label *filelabel, struct label *interpvplabel, 1100 struct image_params *imgp, struct label *execlabel) 1101 { 1102 1103 LABEL_CHECK(old->cr_label, MAGIC_CRED); 1104 LABEL_CHECK(filelabel, MAGIC_VNODE); 1105 LABEL_CHECK(interpvplabel, MAGIC_VNODE); 1106 LABEL_CHECK(execlabel, MAGIC_CRED); 1107 COUNTER_INC(execve_will_transition); 1108 1109 return (0); 1110 } 1111 1112 COUNTER_DECL(create_proc0); 1113 static void 1114 mac_test_create_proc0(struct ucred *cred) 1115 { 1116 1117 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1118 COUNTER_INC(create_proc0); 1119 } 1120 1121 COUNTER_DECL(create_proc1); 1122 static void 1123 mac_test_create_proc1(struct ucred *cred) 1124 { 1125 1126 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1127 COUNTER_INC(create_proc1); 1128 } 1129 1130 COUNTER_DECL(relabel_cred); 1131 static void 1132 mac_test_relabel_cred(struct ucred *cred, struct label *newlabel) 1133 { 1134 1135 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1136 LABEL_CHECK(newlabel, MAGIC_CRED); 1137 COUNTER_INC(relabel_cred); 1138 } 1139 1140 COUNTER_DECL(thread_userret); 1141 static void 1142 mac_test_thread_userret(struct thread *td) 1143 { 1144 1145 COUNTER_INC(thread_userret); 1146 } 1147 1148 /* 1149 * Label cleanup/flush operations 1150 */ 1151 COUNTER_DECL(cleanup_sysv_msgmsg); 1152 static void 1153 mac_test_cleanup_sysv_msgmsg(struct label *msglabel) 1154 { 1155 1156 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1157 COUNTER_INC(cleanup_sysv_msgmsg); 1158 } 1159 1160 COUNTER_DECL(cleanup_sysv_msgqueue); 1161 static void 1162 mac_test_cleanup_sysv_msgqueue(struct label *msqlabel) 1163 { 1164 1165 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 1166 COUNTER_INC(cleanup_sysv_msgqueue); 1167 } 1168 1169 COUNTER_DECL(cleanup_sysv_sem); 1170 static void 1171 mac_test_cleanup_sysv_sem(struct label *semalabel) 1172 { 1173 1174 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); 1175 COUNTER_INC(cleanup_sysv_sem); 1176 } 1177 1178 COUNTER_DECL(cleanup_sysv_shm); 1179 static void 1180 mac_test_cleanup_sysv_shm(struct label *shmlabel) 1181 { 1182 1183 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); 1184 COUNTER_INC(cleanup_sysv_shm); 1185 } 1186 1187 /* 1188 * Access control checks. 1189 */ 1190 COUNTER_DECL(check_bpfdesc_receive); 1191 static int 1192 mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, 1193 struct ifnet *ifnet, struct label *ifnetlabel) 1194 { 1195 1196 LABEL_CHECK(bpflabel, MAGIC_BPF); 1197 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 1198 COUNTER_INC(check_bpfdesc_receive); 1199 1200 return (0); 1201 } 1202 1203 COUNTER_DECL(check_cred_relabel); 1204 static int 1205 mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel) 1206 { 1207 1208 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1209 LABEL_CHECK(newlabel, MAGIC_CRED); 1210 COUNTER_INC(check_cred_relabel); 1211 1212 return (0); 1213 } 1214 1215 COUNTER_DECL(check_cred_visible); 1216 static int 1217 mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2) 1218 { 1219 1220 LABEL_CHECK(u1->cr_label, MAGIC_CRED); 1221 LABEL_CHECK(u2->cr_label, MAGIC_CRED); 1222 COUNTER_INC(check_cred_visible); 1223 1224 return (0); 1225 } 1226 1227 COUNTER_DECL(check_ifnet_relabel); 1228 static int 1229 mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, 1230 struct label *ifnetlabel, struct label *newlabel) 1231 { 1232 1233 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1234 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 1235 LABEL_CHECK(newlabel, MAGIC_IFNET); 1236 COUNTER_INC(check_ifnet_relabel); 1237 1238 return (0); 1239 } 1240 1241 COUNTER_DECL(check_ifnet_transmit); 1242 static int 1243 mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, 1244 struct mbuf *m, struct label *mbuflabel) 1245 { 1246 1247 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 1248 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 1249 COUNTER_INC(check_ifnet_transmit); 1250 1251 return (0); 1252 } 1253 1254 COUNTER_DECL(check_inpcb_deliver); 1255 static int 1256 mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, 1257 struct mbuf *m, struct label *mlabel) 1258 { 1259 1260 LABEL_CHECK(inplabel, MAGIC_INPCB); 1261 LABEL_CHECK(mlabel, MAGIC_MBUF); 1262 COUNTER_INC(check_inpcb_deliver); 1263 1264 return (0); 1265 } 1266 1267 COUNTER_DECL(check_sysv_msgmsq); 1268 static int 1269 mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, 1270 struct label *msglabel, struct msqid_kernel *msqkptr, 1271 struct label *msqklabel) 1272 { 1273 1274 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1275 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1276 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1277 COUNTER_INC(check_sysv_msgmsq); 1278 1279 return (0); 1280 } 1281 1282 COUNTER_DECL(check_sysv_msgrcv); 1283 static int 1284 mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr, 1285 struct label *msglabel) 1286 { 1287 1288 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1289 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1290 COUNTER_INC(check_sysv_msgrcv); 1291 1292 return (0); 1293 } 1294 1295 COUNTER_DECL(check_sysv_msgrmid); 1296 static int 1297 mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr, 1298 struct label *msglabel) 1299 { 1300 1301 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1302 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1303 COUNTER_INC(check_sysv_msgrmid); 1304 1305 return (0); 1306 } 1307 1308 COUNTER_DECL(check_sysv_msqget); 1309 static int 1310 mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, 1311 struct label *msqklabel) 1312 { 1313 1314 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1315 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1316 COUNTER_INC(check_sysv_msqget); 1317 1318 return (0); 1319 } 1320 1321 COUNTER_DECL(check_sysv_msqsnd); 1322 static int 1323 mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, 1324 struct label *msqklabel) 1325 { 1326 1327 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1328 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1329 COUNTER_INC(check_sysv_msqsnd); 1330 1331 return (0); 1332 } 1333 1334 COUNTER_DECL(check_sysv_msqrcv); 1335 static int 1336 mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr, 1337 struct label *msqklabel) 1338 { 1339 1340 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1341 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1342 COUNTER_INC(check_sysv_msqrcv); 1343 1344 return (0); 1345 } 1346 1347 COUNTER_DECL(check_sysv_msqctl); 1348 static int 1349 mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, 1350 struct label *msqklabel, int cmd) 1351 { 1352 1353 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1354 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1355 COUNTER_INC(check_sysv_msqctl); 1356 1357 return (0); 1358 } 1359 1360 COUNTER_DECL(check_sysv_semctl); 1361 static int 1362 mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr, 1363 struct label *semaklabel, int cmd) 1364 { 1365 1366 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1367 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 1368 COUNTER_INC(check_sysv_semctl); 1369 1370 return (0); 1371 } 1372 1373 COUNTER_DECL(check_sysv_semget); 1374 static int 1375 mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr, 1376 struct label *semaklabel) 1377 { 1378 1379 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1380 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 1381 COUNTER_INC(check_sysv_semget); 1382 1383 return (0); 1384 } 1385 1386 COUNTER_DECL(check_sysv_semop); 1387 static int 1388 mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr, 1389 struct label *semaklabel, size_t accesstype) 1390 { 1391 1392 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1393 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 1394 COUNTER_INC(check_sysv_semop); 1395 1396 return (0); 1397 } 1398 1399 COUNTER_DECL(check_sysv_shmat); 1400 static int 1401 mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, 1402 struct label *shmseglabel, int shmflg) 1403 { 1404 1405 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1406 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 1407 COUNTER_INC(check_sysv_shmat); 1408 1409 return (0); 1410 } 1411 1412 COUNTER_DECL(check_sysv_shmctl); 1413 static int 1414 mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, 1415 struct label *shmseglabel, int cmd) 1416 { 1417 1418 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1419 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 1420 COUNTER_INC(check_sysv_shmctl); 1421 1422 return (0); 1423 } 1424 1425 COUNTER_DECL(check_sysv_shmdt); 1426 static int 1427 mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr, 1428 struct label *shmseglabel) 1429 { 1430 1431 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1432 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 1433 COUNTER_INC(check_sysv_shmdt); 1434 1435 return (0); 1436 } 1437 1438 COUNTER_DECL(check_sysv_shmget); 1439 static int 1440 mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, 1441 struct label *shmseglabel, int shmflg) 1442 { 1443 1444 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1445 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 1446 COUNTER_INC(check_sysv_shmget); 1447 1448 return (0); 1449 } 1450 1451 COUNTER_DECL(check_kenv_dump); 1452 static int 1453 mac_test_check_kenv_dump(struct ucred *cred) 1454 { 1455 1456 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1457 COUNTER_INC(check_kenv_dump); 1458 1459 return (0); 1460 } 1461 1462 COUNTER_DECL(check_kenv_get); 1463 static int 1464 mac_test_check_kenv_get(struct ucred *cred, char *name) 1465 { 1466 1467 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1468 COUNTER_INC(check_kenv_get); 1469 1470 return (0); 1471 } 1472 1473 COUNTER_DECL(check_kenv_set); 1474 static int 1475 mac_test_check_kenv_set(struct ucred *cred, char *name, char *value) 1476 { 1477 1478 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1479 COUNTER_INC(check_kenv_set); 1480 1481 return (0); 1482 } 1483 1484 COUNTER_DECL(check_kenv_unset); 1485 static int 1486 mac_test_check_kenv_unset(struct ucred *cred, char *name) 1487 { 1488 1489 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1490 COUNTER_INC(check_kenv_unset); 1491 1492 return (0); 1493 } 1494 1495 COUNTER_DECL(check_kld_load); 1496 static int 1497 mac_test_check_kld_load(struct ucred *cred, struct vnode *vp, 1498 struct label *label) 1499 { 1500 1501 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1502 LABEL_CHECK(label, MAGIC_VNODE); 1503 COUNTER_INC(check_kld_load); 1504 1505 return (0); 1506 } 1507 1508 COUNTER_DECL(check_kld_stat); 1509 static int 1510 mac_test_check_kld_stat(struct ucred *cred) 1511 { 1512 1513 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1514 COUNTER_INC(check_kld_stat); 1515 1516 return (0); 1517 } 1518 1519 COUNTER_DECL(check_mount_stat); 1520 static int 1521 mac_test_check_mount_stat(struct ucred *cred, struct mount *mp, 1522 struct label *mplabel) 1523 { 1524 1525 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1526 LABEL_CHECK(mplabel, MAGIC_MOUNT); 1527 COUNTER_INC(check_mount_stat); 1528 1529 return (0); 1530 } 1531 1532 COUNTER_DECL(check_pipe_ioctl); 1533 static int 1534 mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, 1535 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) 1536 { 1537 1538 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1539 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1540 COUNTER_INC(check_pipe_ioctl); 1541 1542 return (0); 1543 } 1544 1545 COUNTER_DECL(check_pipe_poll); 1546 static int 1547 mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp, 1548 struct label *pipelabel) 1549 { 1550 1551 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1552 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1553 COUNTER_INC(check_pipe_poll); 1554 1555 return (0); 1556 } 1557 1558 COUNTER_DECL(check_pipe_read); 1559 static int 1560 mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp, 1561 struct label *pipelabel) 1562 { 1563 1564 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1565 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1566 COUNTER_INC(check_pipe_read); 1567 1568 return (0); 1569 } 1570 1571 COUNTER_DECL(check_pipe_relabel); 1572 static int 1573 mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp, 1574 struct label *pipelabel, struct label *newlabel) 1575 { 1576 1577 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1578 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1579 LABEL_CHECK(newlabel, MAGIC_PIPE); 1580 COUNTER_INC(check_pipe_relabel); 1581 1582 return (0); 1583 } 1584 1585 COUNTER_DECL(check_pipe_stat); 1586 static int 1587 mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp, 1588 struct label *pipelabel) 1589 { 1590 1591 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1592 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1593 COUNTER_INC(check_pipe_stat); 1594 1595 return (0); 1596 } 1597 1598 COUNTER_DECL(check_pipe_write); 1599 static int 1600 mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp, 1601 struct label *pipelabel) 1602 { 1603 1604 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1605 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1606 COUNTER_INC(check_pipe_write); 1607 1608 return (0); 1609 } 1610 1611 COUNTER_DECL(check_posix_sem); 1612 static int 1613 mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr, 1614 struct label *ks_label) 1615 { 1616 1617 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1618 LABEL_CHECK(ks_label, MAGIC_POSIX_SEM); 1619 COUNTER_INC(check_posix_sem); 1620 1621 return (0); 1622 } 1623 1624 COUNTER_DECL(check_proc_debug); 1625 static int 1626 mac_test_check_proc_debug(struct ucred *cred, struct proc *p) 1627 { 1628 1629 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1630 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1631 COUNTER_INC(check_proc_debug); 1632 1633 return (0); 1634 } 1635 1636 COUNTER_DECL(check_proc_sched); 1637 static int 1638 mac_test_check_proc_sched(struct ucred *cred, struct proc *p) 1639 { 1640 1641 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1642 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1643 COUNTER_INC(check_proc_sched); 1644 1645 return (0); 1646 } 1647 1648 COUNTER_DECL(check_proc_signal); 1649 static int 1650 mac_test_check_proc_signal(struct ucred *cred, struct proc *p, int signum) 1651 { 1652 1653 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1654 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1655 COUNTER_INC(check_proc_signal); 1656 1657 return (0); 1658 } 1659 1660 COUNTER_DECL(check_proc_setaudit); 1661 static int 1662 mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai) 1663 { 1664 1665 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1666 COUNTER_INC(check_proc_setaudit); 1667 1668 return (0); 1669 } 1670 1671 COUNTER_DECL(check_proc_setauid); 1672 static int 1673 mac_test_check_proc_setauid(struct ucred *cred, uid_t auid) 1674 { 1675 1676 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1677 COUNTER_INC(check_proc_setauid); 1678 1679 return (0); 1680 } 1681 1682 COUNTER_DECL(check_proc_setuid); 1683 static int 1684 mac_test_check_proc_setuid(struct ucred *cred, uid_t uid) 1685 { 1686 1687 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1688 COUNTER_INC(check_proc_setuid); 1689 1690 return (0); 1691 } 1692 1693 COUNTER_DECL(check_proc_euid); 1694 static int 1695 mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid) 1696 { 1697 1698 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1699 COUNTER_INC(check_proc_euid); 1700 1701 return (0); 1702 } 1703 1704 COUNTER_DECL(check_proc_setgid); 1705 static int 1706 mac_test_check_proc_setgid(struct ucred *cred, gid_t gid) 1707 { 1708 1709 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1710 COUNTER_INC(check_proc_setgid); 1711 1712 return (0); 1713 } 1714 1715 COUNTER_DECL(check_proc_setegid); 1716 static int 1717 mac_test_check_proc_setegid(struct ucred *cred, gid_t egid) 1718 { 1719 1720 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1721 COUNTER_INC(check_proc_setegid); 1722 1723 return (0); 1724 } 1725 1726 COUNTER_DECL(check_proc_setgroups); 1727 static int 1728 mac_test_check_proc_setgroups(struct ucred *cred, int ngroups, 1729 gid_t *gidset) 1730 { 1731 1732 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1733 COUNTER_INC(check_proc_setgroups); 1734 1735 return (0); 1736 } 1737 1738 COUNTER_DECL(check_proc_setreuid); 1739 static int 1740 mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) 1741 { 1742 1743 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1744 COUNTER_INC(check_proc_setreuid); 1745 1746 return (0); 1747 } 1748 1749 COUNTER_DECL(check_proc_setregid); 1750 static int 1751 mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid) 1752 { 1753 1754 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1755 COUNTER_INC(check_proc_setregid); 1756 1757 return (0); 1758 } 1759 1760 COUNTER_DECL(check_proc_setresuid); 1761 static int 1762 mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, 1763 uid_t suid) 1764 { 1765 1766 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1767 COUNTER_INC(check_proc_setresuid); 1768 1769 return (0); 1770 } 1771 1772 COUNTER_DECL(check_proc_setresgid); 1773 static int 1774 mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, 1775 gid_t sgid) 1776 { 1777 1778 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1779 COUNTER_INC(check_proc_setresgid); 1780 1781 return (0); 1782 } 1783 1784 COUNTER_DECL(check_proc_wait); 1785 static int 1786 mac_test_check_proc_wait(struct ucred *cred, struct proc *p) 1787 { 1788 1789 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1790 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1791 COUNTER_INC(check_proc_wait); 1792 1793 return (0); 1794 } 1795 1796 COUNTER_DECL(check_socket_accept); 1797 static int 1798 mac_test_check_socket_accept(struct ucred *cred, struct socket *so, 1799 struct label *solabel) 1800 { 1801 1802 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1803 LABEL_CHECK(solabel, MAGIC_SOCKET); 1804 COUNTER_INC(check_socket_accept); 1805 1806 return (0); 1807 } 1808 1809 COUNTER_DECL(check_socket_bind); 1810 static int 1811 mac_test_check_socket_bind(struct ucred *cred, struct socket *so, 1812 struct label *solabel, struct sockaddr *sa) 1813 { 1814 1815 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1816 LABEL_CHECK(solabel, MAGIC_SOCKET); 1817 COUNTER_INC(check_socket_bind); 1818 1819 return (0); 1820 } 1821 1822 COUNTER_DECL(check_socket_connect); 1823 static int 1824 mac_test_check_socket_connect(struct ucred *cred, struct socket *so, 1825 struct label *solabel, struct sockaddr *sa) 1826 { 1827 1828 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1829 LABEL_CHECK(solabel, MAGIC_SOCKET); 1830 COUNTER_INC(check_socket_connect); 1831 1832 return (0); 1833 } 1834 1835 COUNTER_DECL(check_socket_deliver); 1836 static int 1837 mac_test_check_socket_deliver(struct socket *so, struct label *solabel, 1838 struct mbuf *m, struct label *mlabel) 1839 { 1840 1841 LABEL_CHECK(solabel, MAGIC_SOCKET); 1842 LABEL_CHECK(mlabel, MAGIC_MBUF); 1843 COUNTER_INC(check_socket_deliver); 1844 1845 return (0); 1846 } 1847 1848 COUNTER_DECL(check_socket_listen); 1849 static int 1850 mac_test_check_socket_listen(struct ucred *cred, struct socket *so, 1851 struct label *solabel) 1852 { 1853 1854 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1855 LABEL_CHECK(solabel, MAGIC_SOCKET); 1856 COUNTER_INC(check_socket_listen); 1857 1858 return (0); 1859 } 1860 1861 COUNTER_DECL(check_socket_poll); 1862 static int 1863 mac_test_check_socket_poll(struct ucred *cred, struct socket *so, 1864 struct label *solabel) 1865 { 1866 1867 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1868 LABEL_CHECK(solabel, MAGIC_SOCKET); 1869 COUNTER_INC(check_socket_poll); 1870 1871 return (0); 1872 } 1873 1874 COUNTER_DECL(check_socket_receive); 1875 static int 1876 mac_test_check_socket_receive(struct ucred *cred, struct socket *so, 1877 struct label *solabel) 1878 { 1879 1880 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1881 LABEL_CHECK(solabel, MAGIC_SOCKET); 1882 COUNTER_INC(check_socket_receive); 1883 1884 return (0); 1885 } 1886 1887 COUNTER_DECL(check_socket_relabel); 1888 static int 1889 mac_test_check_socket_relabel(struct ucred *cred, struct socket *so, 1890 struct label *solabel, struct label *newlabel) 1891 { 1892 1893 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1894 LABEL_CHECK(solabel, MAGIC_SOCKET); 1895 LABEL_CHECK(newlabel, MAGIC_SOCKET); 1896 COUNTER_INC(check_socket_relabel); 1897 1898 return (0); 1899 } 1900 1901 COUNTER_DECL(check_socket_send); 1902 static int 1903 mac_test_check_socket_send(struct ucred *cred, struct socket *so, 1904 struct label *solabel) 1905 { 1906 1907 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1908 LABEL_CHECK(solabel, MAGIC_SOCKET); 1909 COUNTER_INC(check_socket_send); 1910 1911 return (0); 1912 } 1913 1914 COUNTER_DECL(check_socket_stat); 1915 static int 1916 mac_test_check_socket_stat(struct ucred *cred, struct socket *so, 1917 struct label *solabel) 1918 { 1919 1920 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1921 LABEL_CHECK(solabel, MAGIC_SOCKET); 1922 COUNTER_INC(check_socket_stat); 1923 1924 return (0); 1925 } 1926 1927 COUNTER_DECL(check_socket_visible); 1928 static int 1929 mac_test_check_socket_visible(struct ucred *cred, struct socket *so, 1930 struct label *solabel) 1931 { 1932 1933 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1934 LABEL_CHECK(solabel, MAGIC_SOCKET); 1935 COUNTER_INC(check_socket_visible); 1936 1937 return (0); 1938 } 1939 1940 COUNTER_DECL(check_system_acct); 1941 static int 1942 mac_test_check_system_acct(struct ucred *cred, struct vnode *vp, 1943 struct label *vplabel) 1944 { 1945 1946 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1947 LABEL_CHECK(vplabel, MAGIC_VNODE); 1948 COUNTER_INC(check_system_acct); 1949 1950 return (0); 1951 } 1952 1953 COUNTER_DECL(check_system_audit); 1954 static int 1955 mac_test_check_system_audit(struct ucred *cred, void *record, int length) 1956 { 1957 1958 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1959 COUNTER_INC(check_system_audit); 1960 1961 return (0); 1962 } 1963 1964 COUNTER_DECL(check_system_auditctl); 1965 static int 1966 mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp, 1967 struct label *vplabel) 1968 { 1969 1970 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1971 LABEL_CHECK(vplabel, MAGIC_VNODE); 1972 COUNTER_INC(check_system_auditctl); 1973 1974 return (0); 1975 } 1976 1977 COUNTER_DECL(check_system_auditon); 1978 static int 1979 mac_test_check_system_auditon(struct ucred *cred, int cmd) 1980 { 1981 1982 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1983 COUNTER_INC(check_system_auditon); 1984 1985 return (0); 1986 } 1987 1988 COUNTER_DECL(check_system_reboot); 1989 static int 1990 mac_test_check_system_reboot(struct ucred *cred, int how) 1991 { 1992 1993 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1994 COUNTER_INC(check_system_reboot); 1995 1996 return (0); 1997 } 1998 1999 COUNTER_DECL(check_system_swapoff); 2000 static int 2001 mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp, 2002 struct label *vplabel) 2003 { 2004 2005 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2006 LABEL_CHECK(vplabel, MAGIC_VNODE); 2007 COUNTER_INC(check_system_swapoff); 2008 2009 return (0); 2010 } 2011 2012 COUNTER_DECL(check_system_swapon); 2013 static int 2014 mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp, 2015 struct label *vplabel) 2016 { 2017 2018 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2019 LABEL_CHECK(vplabel, MAGIC_VNODE); 2020 COUNTER_INC(check_system_swapon); 2021 2022 return (0); 2023 } 2024 2025 COUNTER_DECL(check_system_sysctl); 2026 static int 2027 mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, 2028 void *arg1, int arg2, struct sysctl_req *req) 2029 { 2030 2031 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2032 COUNTER_INC(check_system_sysctl); 2033 2034 return (0); 2035 } 2036 2037 COUNTER_DECL(check_vnode_access); 2038 static int 2039 mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp, 2040 struct label *vplabel, int acc_mode) 2041 { 2042 2043 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2044 LABEL_CHECK(vplabel, MAGIC_VNODE); 2045 COUNTER_INC(check_vnode_access); 2046 2047 return (0); 2048 } 2049 2050 COUNTER_DECL(check_vnode_chdir); 2051 static int 2052 mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, 2053 struct label *dvplabel) 2054 { 2055 2056 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2057 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2058 COUNTER_INC(check_vnode_chdir); 2059 2060 return (0); 2061 } 2062 2063 COUNTER_DECL(check_vnode_chroot); 2064 static int 2065 mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, 2066 struct label *dvplabel) 2067 { 2068 2069 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2070 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2071 COUNTER_INC(check_vnode_chroot); 2072 2073 return (0); 2074 } 2075 2076 COUNTER_DECL(check_vnode_create); 2077 static int 2078 mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp, 2079 struct label *dvplabel, struct componentname *cnp, struct vattr *vap) 2080 { 2081 2082 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2083 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2084 COUNTER_INC(check_vnode_create); 2085 2086 return (0); 2087 } 2088 2089 COUNTER_DECL(check_vnode_delete); 2090 static int 2091 mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp, 2092 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2093 struct componentname *cnp) 2094 { 2095 2096 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2097 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2098 LABEL_CHECK(vplabel, MAGIC_VNODE); 2099 COUNTER_INC(check_vnode_delete); 2100 2101 return (0); 2102 } 2103 2104 COUNTER_DECL(check_vnode_deleteacl); 2105 static int 2106 mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, 2107 struct label *vplabel, acl_type_t type) 2108 { 2109 2110 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2111 LABEL_CHECK(vplabel, MAGIC_VNODE); 2112 COUNTER_INC(check_vnode_deleteacl); 2113 2114 return (0); 2115 } 2116 2117 COUNTER_DECL(check_vnode_deleteextattr); 2118 static int 2119 mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, 2120 struct label *vplabel, int attrnamespace, const char *name) 2121 { 2122 2123 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2124 LABEL_CHECK(vplabel, MAGIC_VNODE); 2125 COUNTER_INC(check_vnode_deleteextattr); 2126 2127 return (0); 2128 } 2129 2130 COUNTER_DECL(check_vnode_exec); 2131 static int 2132 mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp, 2133 struct label *vplabel, struct image_params *imgp, 2134 struct label *execlabel) 2135 { 2136 2137 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2138 LABEL_CHECK(vplabel, MAGIC_VNODE); 2139 LABEL_CHECK(execlabel, MAGIC_CRED); 2140 COUNTER_INC(check_vnode_exec); 2141 2142 return (0); 2143 } 2144 2145 COUNTER_DECL(check_vnode_getacl); 2146 static int 2147 mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp, 2148 struct label *vplabel, acl_type_t type) 2149 { 2150 2151 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2152 LABEL_CHECK(vplabel, MAGIC_VNODE); 2153 COUNTER_INC(check_vnode_getacl); 2154 2155 return (0); 2156 } 2157 2158 COUNTER_DECL(check_vnode_getextattr); 2159 static int 2160 mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 2161 struct label *vplabel, int attrnamespace, const char *name, 2162 struct uio *uio) 2163 { 2164 2165 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2166 LABEL_CHECK(vplabel, MAGIC_VNODE); 2167 COUNTER_INC(check_vnode_getextattr); 2168 2169 return (0); 2170 } 2171 2172 COUNTER_DECL(check_vnode_link); 2173 static int 2174 mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp, 2175 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2176 struct componentname *cnp) 2177 { 2178 2179 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2180 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2181 LABEL_CHECK(vplabel, MAGIC_VNODE); 2182 COUNTER_INC(check_vnode_link); 2183 2184 return (0); 2185 } 2186 2187 COUNTER_DECL(check_vnode_listextattr); 2188 static int 2189 mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, 2190 struct label *vplabel, int attrnamespace) 2191 { 2192 2193 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2194 LABEL_CHECK(vplabel, MAGIC_VNODE); 2195 COUNTER_INC(check_vnode_listextattr); 2196 2197 return (0); 2198 } 2199 2200 COUNTER_DECL(check_vnode_lookup); 2201 static int 2202 mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 2203 struct label *dvplabel, struct componentname *cnp) 2204 { 2205 2206 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2207 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2208 COUNTER_INC(check_vnode_lookup); 2209 2210 return (0); 2211 } 2212 2213 COUNTER_DECL(check_vnode_mmap); 2214 static int 2215 mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp, 2216 struct label *vplabel, int prot, int flags) 2217 { 2218 2219 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2220 LABEL_CHECK(vplabel, MAGIC_VNODE); 2221 COUNTER_INC(check_vnode_mmap); 2222 2223 return (0); 2224 } 2225 2226 COUNTER_DECL(check_vnode_open); 2227 static int 2228 mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp, 2229 struct label *vplabel, int acc_mode) 2230 { 2231 2232 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2233 LABEL_CHECK(vplabel, MAGIC_VNODE); 2234 COUNTER_INC(check_vnode_open); 2235 2236 return (0); 2237 } 2238 2239 COUNTER_DECL(check_vnode_poll); 2240 static int 2241 mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, 2242 struct vnode *vp, struct label *vplabel) 2243 { 2244 2245 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2246 if (file_cred != NULL) 2247 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2248 LABEL_CHECK(vplabel, MAGIC_VNODE); 2249 COUNTER_INC(check_vnode_poll); 2250 2251 return (0); 2252 } 2253 2254 COUNTER_DECL(check_vnode_read); 2255 static int 2256 mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, 2257 struct vnode *vp, struct label *vplabel) 2258 { 2259 2260 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2261 if (file_cred != NULL) 2262 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2263 LABEL_CHECK(vplabel, MAGIC_VNODE); 2264 COUNTER_INC(check_vnode_read); 2265 2266 return (0); 2267 } 2268 2269 COUNTER_DECL(check_vnode_readdir); 2270 static int 2271 mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, 2272 struct label *dvplabel) 2273 { 2274 2275 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2276 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2277 COUNTER_INC(check_vnode_readdir); 2278 2279 return (0); 2280 } 2281 2282 COUNTER_DECL(check_vnode_readlink); 2283 static int 2284 mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp, 2285 struct label *vplabel) 2286 { 2287 2288 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2289 LABEL_CHECK(vplabel, MAGIC_VNODE); 2290 COUNTER_INC(check_vnode_readlink); 2291 2292 return (0); 2293 } 2294 2295 COUNTER_DECL(check_vnode_relabel); 2296 static int 2297 mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp, 2298 struct label *vplabel, struct label *newlabel) 2299 { 2300 2301 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2302 LABEL_CHECK(vplabel, MAGIC_VNODE); 2303 LABEL_CHECK(newlabel, MAGIC_VNODE); 2304 COUNTER_INC(check_vnode_relabel); 2305 2306 return (0); 2307 } 2308 2309 COUNTER_DECL(check_vnode_rename_from); 2310 static int 2311 mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 2312 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2313 struct componentname *cnp) 2314 { 2315 2316 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2317 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2318 LABEL_CHECK(vplabel, MAGIC_VNODE); 2319 COUNTER_INC(check_vnode_rename_from); 2320 2321 return (0); 2322 } 2323 2324 COUNTER_DECL(check_vnode_rename_to); 2325 static int 2326 mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, 2327 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2328 int samedir, struct componentname *cnp) 2329 { 2330 2331 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2332 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2333 LABEL_CHECK(vplabel, MAGIC_VNODE); 2334 COUNTER_INC(check_vnode_rename_to); 2335 2336 return (0); 2337 } 2338 2339 COUNTER_DECL(check_vnode_revoke); 2340 static int 2341 mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp, 2342 struct label *vplabel) 2343 { 2344 2345 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2346 LABEL_CHECK(vplabel, MAGIC_VNODE); 2347 COUNTER_INC(check_vnode_revoke); 2348 2349 return (0); 2350 } 2351 2352 COUNTER_DECL(check_vnode_setacl); 2353 static int 2354 mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp, 2355 struct label *vplabel, acl_type_t type, struct acl *acl) 2356 { 2357 2358 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2359 LABEL_CHECK(vplabel, MAGIC_VNODE); 2360 COUNTER_INC(check_vnode_setacl); 2361 2362 return (0); 2363 } 2364 2365 COUNTER_DECL(check_vnode_setextattr); 2366 static int 2367 mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, 2368 struct label *vplabel, int attrnamespace, const char *name, 2369 struct uio *uio) 2370 { 2371 2372 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2373 LABEL_CHECK(vplabel, MAGIC_VNODE); 2374 COUNTER_INC(check_vnode_setextattr); 2375 2376 return (0); 2377 } 2378 2379 COUNTER_DECL(check_vnode_setflags); 2380 static int 2381 mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp, 2382 struct label *vplabel, u_long flags) 2383 { 2384 2385 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2386 LABEL_CHECK(vplabel, MAGIC_VNODE); 2387 COUNTER_INC(check_vnode_setflags); 2388 2389 return (0); 2390 } 2391 2392 COUNTER_DECL(check_vnode_setmode); 2393 static int 2394 mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp, 2395 struct label *vplabel, mode_t mode) 2396 { 2397 2398 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2399 LABEL_CHECK(vplabel, MAGIC_VNODE); 2400 COUNTER_INC(check_vnode_setmode); 2401 2402 return (0); 2403 } 2404 2405 COUNTER_DECL(check_vnode_setowner); 2406 static int 2407 mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp, 2408 struct label *vplabel, uid_t uid, gid_t gid) 2409 { 2410 2411 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2412 LABEL_CHECK(vplabel, MAGIC_VNODE); 2413 COUNTER_INC(check_vnode_setowner); 2414 2415 return (0); 2416 } 2417 2418 COUNTER_DECL(check_vnode_setutimes); 2419 static int 2420 mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 2421 struct label *vplabel, struct timespec atime, struct timespec mtime) 2422 { 2423 2424 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2425 LABEL_CHECK(vplabel, MAGIC_VNODE); 2426 COUNTER_INC(check_vnode_setutimes); 2427 2428 return (0); 2429 } 2430 2431 COUNTER_DECL(check_vnode_stat); 2432 static int 2433 mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, 2434 struct vnode *vp, struct label *vplabel) 2435 { 2436 2437 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2438 if (file_cred != NULL) 2439 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2440 LABEL_CHECK(vplabel, MAGIC_VNODE); 2441 COUNTER_INC(check_vnode_stat); 2442 2443 return (0); 2444 } 2445 2446 COUNTER_DECL(check_vnode_write); 2447 static int 2448 mac_test_check_vnode_write(struct ucred *active_cred, 2449 struct ucred *file_cred, struct vnode *vp, struct label *vplabel) 2450 { 2451 2452 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2453 if (file_cred != NULL) 2454 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2455 LABEL_CHECK(vplabel, MAGIC_VNODE); 2456 COUNTER_INC(check_vnode_write); 2457 2458 return (0); 2459 } 2460 2461 static struct mac_policy_ops mac_test_ops = 2462 { 2463 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label, 2464 .mpo_init_cred_label = mac_test_init_cred_label, 2465 .mpo_init_devfs_label = mac_test_init_devfs_label, 2466 .mpo_init_ifnet_label = mac_test_init_ifnet_label, 2467 .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label, 2468 .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label, 2469 .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label, 2470 .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label, 2471 .mpo_init_inpcb_label = mac_test_init_inpcb_label, 2472 .mpo_init_ipq_label = mac_test_init_ipq_label, 2473 .mpo_init_mbuf_label = mac_test_init_mbuf_label, 2474 .mpo_init_mount_label = mac_test_init_mount_label, 2475 .mpo_init_pipe_label = mac_test_init_pipe_label, 2476 .mpo_init_posix_sem_label = mac_test_init_posix_sem_label, 2477 .mpo_init_proc_label = mac_test_init_proc_label, 2478 .mpo_init_socket_label = mac_test_init_socket_label, 2479 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label, 2480 .mpo_init_vnode_label = mac_test_init_vnode_label, 2481 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label, 2482 .mpo_destroy_cred_label = mac_test_destroy_cred_label, 2483 .mpo_destroy_devfs_label = mac_test_destroy_devfs_label, 2484 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label, 2485 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label, 2486 .mpo_destroy_sysv_msgqueue_label = 2487 mac_test_destroy_sysv_msgqueue_label, 2488 .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label, 2489 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label, 2490 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label, 2491 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 2492 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 2493 .mpo_destroy_mount_label = mac_test_destroy_mount_label, 2494 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, 2495 .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label, 2496 .mpo_destroy_proc_label = mac_test_destroy_proc_label, 2497 .mpo_destroy_socket_label = mac_test_destroy_socket_label, 2498 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 2499 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 2500 .mpo_copy_cred_label = mac_test_copy_cred_label, 2501 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label, 2502 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label, 2503 .mpo_copy_pipe_label = mac_test_copy_pipe_label, 2504 .mpo_copy_socket_label = mac_test_copy_socket_label, 2505 .mpo_copy_vnode_label = mac_test_copy_vnode_label, 2506 .mpo_externalize_cred_label = mac_test_externalize_label, 2507 .mpo_externalize_ifnet_label = mac_test_externalize_label, 2508 .mpo_externalize_pipe_label = mac_test_externalize_label, 2509 .mpo_externalize_socket_label = mac_test_externalize_label, 2510 .mpo_externalize_socket_peer_label = mac_test_externalize_label, 2511 .mpo_externalize_vnode_label = mac_test_externalize_label, 2512 .mpo_internalize_cred_label = mac_test_internalize_label, 2513 .mpo_internalize_ifnet_label = mac_test_internalize_label, 2514 .mpo_internalize_pipe_label = mac_test_internalize_label, 2515 .mpo_internalize_socket_label = mac_test_internalize_label, 2516 .mpo_internalize_vnode_label = mac_test_internalize_label, 2517 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 2518 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 2519 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 2520 .mpo_create_devfs_device = mac_test_create_devfs_device, 2521 .mpo_create_devfs_directory = mac_test_create_devfs_directory, 2522 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 2523 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 2524 .mpo_create_mount = mac_test_create_mount, 2525 .mpo_relabel_vnode = mac_test_relabel_vnode, 2526 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, 2527 .mpo_update_devfs = mac_test_update_devfs, 2528 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 2529 .mpo_create_pipe = mac_test_create_pipe, 2530 .mpo_create_posix_sem = mac_test_create_posix_sem, 2531 .mpo_create_socket = mac_test_create_socket, 2532 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, 2533 .mpo_relabel_pipe = mac_test_relabel_pipe, 2534 .mpo_relabel_socket = mac_test_relabel_socket, 2535 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 2536 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 2537 .mpo_create_bpfdesc = mac_test_create_bpfdesc, 2538 .mpo_create_ifnet = mac_test_create_ifnet, 2539 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket, 2540 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg, 2541 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue, 2542 .mpo_create_sysv_sem = mac_test_create_sysv_sem, 2543 .mpo_create_sysv_shm = mac_test_create_sysv_shm, 2544 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 2545 .mpo_create_fragment = mac_test_create_fragment, 2546 .mpo_create_ipq = mac_test_create_ipq, 2547 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb, 2548 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 2549 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 2550 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 2551 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 2552 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 2553 .mpo_fragment_match = mac_test_fragment_match, 2554 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp, 2555 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp, 2556 .mpo_relabel_ifnet = mac_test_relabel_ifnet, 2557 .mpo_update_ipq = mac_test_update_ipq, 2558 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel, 2559 .mpo_execve_transition = mac_test_execve_transition, 2560 .mpo_execve_will_transition = mac_test_execve_will_transition, 2561 .mpo_create_proc0 = mac_test_create_proc0, 2562 .mpo_create_proc1 = mac_test_create_proc1, 2563 .mpo_relabel_cred = mac_test_relabel_cred, 2564 .mpo_thread_userret = mac_test_thread_userret, 2565 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg, 2566 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue, 2567 .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem, 2568 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm, 2569 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 2570 .mpo_check_cred_relabel = mac_test_check_cred_relabel, 2571 .mpo_check_cred_visible = mac_test_check_cred_visible, 2572 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 2573 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, 2574 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver, 2575 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq, 2576 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv, 2577 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid, 2578 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget, 2579 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd, 2580 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv, 2581 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl, 2582 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl, 2583 .mpo_check_sysv_semget = mac_test_check_sysv_semget, 2584 .mpo_check_sysv_semop = mac_test_check_sysv_semop, 2585 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat, 2586 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl, 2587 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt, 2588 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget, 2589 .mpo_check_kenv_dump = mac_test_check_kenv_dump, 2590 .mpo_check_kenv_get = mac_test_check_kenv_get, 2591 .mpo_check_kenv_set = mac_test_check_kenv_set, 2592 .mpo_check_kenv_unset = mac_test_check_kenv_unset, 2593 .mpo_check_kld_load = mac_test_check_kld_load, 2594 .mpo_check_kld_stat = mac_test_check_kld_stat, 2595 .mpo_check_mount_stat = mac_test_check_mount_stat, 2596 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 2597 .mpo_check_pipe_poll = mac_test_check_pipe_poll, 2598 .mpo_check_pipe_read = mac_test_check_pipe_read, 2599 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, 2600 .mpo_check_pipe_stat = mac_test_check_pipe_stat, 2601 .mpo_check_pipe_write = mac_test_check_pipe_write, 2602 .mpo_check_posix_sem_destroy = mac_test_check_posix_sem, 2603 .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem, 2604 .mpo_check_posix_sem_open = mac_test_check_posix_sem, 2605 .mpo_check_posix_sem_post = mac_test_check_posix_sem, 2606 .mpo_check_posix_sem_unlink = mac_test_check_posix_sem, 2607 .mpo_check_posix_sem_wait = mac_test_check_posix_sem, 2608 .mpo_check_proc_debug = mac_test_check_proc_debug, 2609 .mpo_check_proc_sched = mac_test_check_proc_sched, 2610 .mpo_check_proc_setaudit = mac_test_check_proc_setaudit, 2611 .mpo_check_proc_setauid = mac_test_check_proc_setauid, 2612 .mpo_check_proc_setuid = mac_test_check_proc_setuid, 2613 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid, 2614 .mpo_check_proc_setgid = mac_test_check_proc_setgid, 2615 .mpo_check_proc_setegid = mac_test_check_proc_setegid, 2616 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups, 2617 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid, 2618 .mpo_check_proc_setregid = mac_test_check_proc_setregid, 2619 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid, 2620 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid, 2621 .mpo_check_proc_signal = mac_test_check_proc_signal, 2622 .mpo_check_proc_wait = mac_test_check_proc_wait, 2623 .mpo_check_socket_accept = mac_test_check_socket_accept, 2624 .mpo_check_socket_bind = mac_test_check_socket_bind, 2625 .mpo_check_socket_connect = mac_test_check_socket_connect, 2626 .mpo_check_socket_deliver = mac_test_check_socket_deliver, 2627 .mpo_check_socket_listen = mac_test_check_socket_listen, 2628 .mpo_check_socket_poll = mac_test_check_socket_poll, 2629 .mpo_check_socket_receive = mac_test_check_socket_receive, 2630 .mpo_check_socket_relabel = mac_test_check_socket_relabel, 2631 .mpo_check_socket_send = mac_test_check_socket_send, 2632 .mpo_check_socket_stat = mac_test_check_socket_stat, 2633 .mpo_check_socket_visible = mac_test_check_socket_visible, 2634 .mpo_check_system_acct = mac_test_check_system_acct, 2635 .mpo_check_system_audit = mac_test_check_system_audit, 2636 .mpo_check_system_auditctl = mac_test_check_system_auditctl, 2637 .mpo_check_system_auditon = mac_test_check_system_auditon, 2638 .mpo_check_system_reboot = mac_test_check_system_reboot, 2639 .mpo_check_system_swapoff = mac_test_check_system_swapoff, 2640 .mpo_check_system_swapon = mac_test_check_system_swapon, 2641 .mpo_check_system_sysctl = mac_test_check_system_sysctl, 2642 .mpo_check_vnode_access = mac_test_check_vnode_access, 2643 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 2644 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 2645 .mpo_check_vnode_create = mac_test_check_vnode_create, 2646 .mpo_check_vnode_delete = mac_test_check_vnode_delete, 2647 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 2648 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr, 2649 .mpo_check_vnode_exec = mac_test_check_vnode_exec, 2650 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 2651 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 2652 .mpo_check_vnode_link = mac_test_check_vnode_link, 2653 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr, 2654 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 2655 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 2656 .mpo_check_vnode_open = mac_test_check_vnode_open, 2657 .mpo_check_vnode_poll = mac_test_check_vnode_poll, 2658 .mpo_check_vnode_read = mac_test_check_vnode_read, 2659 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 2660 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, 2661 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 2662 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 2663 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, 2664 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke, 2665 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, 2666 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, 2667 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, 2668 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, 2669 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, 2670 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, 2671 .mpo_check_vnode_stat = mac_test_check_vnode_stat, 2672 .mpo_check_vnode_write = mac_test_check_vnode_write, 2673 }; 2674 2675 MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test", 2676 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot); 2677