1 /*- 2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson 3 * Copyright (c) 2001-2005 McAfee, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by McAfee 9 * Research, the Security Research Division of McAfee, Inc. under 10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 11 * CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $FreeBSD$ 35 */ 36 37 /* 38 * Developed by the TrustedBSD Project. 39 * 40 * MAC Test policy - tests MAC Framework labeling by assigning object class 41 * magic numbers to each label and validates that each time an object label 42 * is passed into the policy, it has a consistent object type, catching 43 * incorrectly passed labels, labels passed after free, etc. 44 */ 45 46 #include <sys/param.h> 47 #include <sys/acl.h> 48 #include <sys/kdb.h> 49 #include <sys/kernel.h> 50 #include <sys/ksem.h> 51 #include <sys/malloc.h> 52 #include <sys/module.h> 53 #include <sys/mount.h> 54 #include <sys/msg.h> 55 #include <sys/proc.h> 56 #include <sys/vnode.h> 57 #include <sys/sem.h> 58 #include <sys/shm.h> 59 #include <sys/socket.h> 60 #include <sys/socketvar.h> 61 #include <sys/sx.h> 62 #include <sys/sysctl.h> 63 64 #include <fs/devfs/devfs.h> 65 66 #include <net/bpfdesc.h> 67 #include <net/if.h> 68 #include <net/if_types.h> 69 #include <net/if_var.h> 70 71 #include <security/mac/mac_policy.h> 72 73 SYSCTL_DECL(_security_mac); 74 75 SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, 76 "TrustedBSD mac_test policy controls"); 77 78 #define MAGIC_BPF 0xfe1ad1b6 79 #define MAGIC_DEVFS 0x9ee79c32 80 #define MAGIC_IFNET 0xc218b120 81 #define MAGIC_INPCB 0x4440f7bb 82 #define MAGIC_IPQ 0x206188ef 83 #define MAGIC_MBUF 0xbbefa5bb 84 #define MAGIC_MOUNT 0xc7c46e47 85 #define MAGIC_SOCKET 0x9199c6cd 86 #define MAGIC_SYSV_MSG 0x8bbba61e 87 #define MAGIC_SYSV_MSQ 0xea672391 88 #define MAGIC_SYSV_SEM 0x896e8a0b 89 #define MAGIC_SYSV_SHM 0x76119ab0 90 #define MAGIC_PIPE 0xdc6c9919 91 #define MAGIC_POSIX_SEM 0x78ae980c 92 #define MAGIC_PROC 0x3b4be98f 93 #define MAGIC_CRED 0x9a5a4987 94 #define MAGIC_VNODE 0x1a67a45c 95 #define MAGIC_FREE 0x849ba1fd 96 97 #define SLOT(x) mac_label_get((x), test_slot) 98 #define SLOT_SET(x, v) mac_label_set((x), test_slot, (v)) 99 100 static int test_slot; 101 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 102 &test_slot, 0, "Slot allocated by framework"); 103 104 SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0, 105 "TrustedBSD mac_test counters controls"); 106 107 #define COUNTER_DECL(variable) \ 108 static int counter_##variable; \ 109 SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable, \ 110 CTLFLAG_RD, &counter_##variable, 0, #variable) 111 112 #define COUNTER_INC(variable) atomic_add_int(&counter_##variable, 1) 113 114 #ifdef KDB 115 #define DEBUGGER(func, string) kdb_enter((string)) 116 #else 117 #define DEBUGGER(func, string) printf("mac_test: %s: %s\n", (func), (string)) 118 #endif 119 120 #define LABEL_CHECK(label, magic) do { \ 121 if (label != NULL) { \ 122 KASSERT(SLOT(label) == magic || SLOT(label) == 0, \ 123 ("%s: bad %s label", __func__, #magic)); \ 124 } \ 125 } while (0) 126 127 #define LABEL_DESTROY(label, magic) do { \ 128 if (SLOT(label) == magic || SLOT(label) == 0) { \ 129 SLOT_SET(label, MAGIC_FREE); \ 130 } else if (SLOT(label) == MAGIC_FREE) { \ 131 DEBUGGER("%s: dup destroy", __func__); \ 132 } else { \ 133 DEBUGGER("%s: corrupted label", __func__); \ 134 } \ 135 } while (0) 136 137 #define LABEL_INIT(label, magic) do { \ 138 SLOT_SET(label, magic); \ 139 } while (0) 140 141 #define LABEL_NOTFREE(label) do { \ 142 KASSERT(SLOT(label) != MAGIC_FREE, \ 143 ("%s: destroyed label", __func__)); \ 144 } while (0) 145 146 /* 147 * Label operations. 148 */ 149 COUNTER_DECL(init_bpfdesc_label); 150 static void 151 mac_test_init_bpfdesc_label(struct label *label) 152 { 153 154 LABEL_INIT(label, MAGIC_BPF); 155 COUNTER_INC(init_bpfdesc_label); 156 } 157 158 COUNTER_DECL(init_cred_label); 159 static void 160 mac_test_init_cred_label(struct label *label) 161 { 162 163 LABEL_INIT(label, MAGIC_CRED); 164 COUNTER_INC(init_cred_label); 165 } 166 167 COUNTER_DECL(init_devfs_label); 168 static void 169 mac_test_init_devfs_label(struct label *label) 170 { 171 172 LABEL_INIT(label, MAGIC_DEVFS); 173 COUNTER_INC(init_devfs_label); 174 } 175 176 COUNTER_DECL(init_ifnet_label); 177 static void 178 mac_test_init_ifnet_label(struct label *label) 179 { 180 181 LABEL_INIT(label, MAGIC_IFNET); 182 COUNTER_INC(init_ifnet_label); 183 } 184 185 COUNTER_DECL(init_inpcb_label); 186 static int 187 mac_test_init_inpcb_label(struct label *label, int flag) 188 { 189 190 if (flag & M_WAITOK) 191 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 192 "mac_test_init_inpcb_label() at %s:%d", __FILE__, 193 __LINE__); 194 195 LABEL_INIT(label, MAGIC_INPCB); 196 COUNTER_INC(init_inpcb_label); 197 return (0); 198 } 199 200 COUNTER_DECL(init_sysv_msg_label); 201 static void 202 mac_test_init_sysv_msgmsg_label(struct label *label) 203 { 204 LABEL_INIT(label, MAGIC_SYSV_MSG); 205 COUNTER_INC(init_sysv_msg_label); 206 } 207 208 COUNTER_DECL(init_sysv_msq_label); 209 static void 210 mac_test_init_sysv_msgqueue_label(struct label *label) 211 { 212 LABEL_INIT(label, MAGIC_SYSV_MSQ); 213 COUNTER_INC(init_sysv_msq_label); 214 } 215 216 COUNTER_DECL(init_sysv_sem_label); 217 static void 218 mac_test_init_sysv_sem_label(struct label *label) 219 { 220 LABEL_INIT(label, MAGIC_SYSV_SEM); 221 COUNTER_INC(init_sysv_sem_label); 222 } 223 224 COUNTER_DECL(init_sysv_shm_label); 225 static void 226 mac_test_init_sysv_shm_label(struct label *label) 227 { 228 LABEL_INIT(label, MAGIC_SYSV_SHM); 229 COUNTER_INC(init_sysv_shm_label); 230 } 231 232 COUNTER_DECL(init_ipq_label); 233 static int 234 mac_test_init_ipq_label(struct label *label, int flag) 235 { 236 237 if (flag & M_WAITOK) 238 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 239 "mac_test_init_ipq_label() at %s:%d", __FILE__, 240 __LINE__); 241 242 LABEL_INIT(label, MAGIC_IPQ); 243 COUNTER_INC(init_ipq_label); 244 return (0); 245 } 246 247 COUNTER_DECL(init_mbuf_label); 248 static int 249 mac_test_init_mbuf_label(struct label *label, int flag) 250 { 251 252 if (flag & M_WAITOK) 253 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 254 "mac_test_init_mbuf_label() at %s:%d", __FILE__, 255 __LINE__); 256 257 LABEL_INIT(label, MAGIC_MBUF); 258 COUNTER_INC(init_mbuf_label); 259 return (0); 260 } 261 262 COUNTER_DECL(init_mount_label); 263 static void 264 mac_test_init_mount_label(struct label *label) 265 { 266 267 LABEL_INIT(label, MAGIC_MOUNT); 268 COUNTER_INC(init_mount_label); 269 } 270 271 COUNTER_DECL(init_socket_label); 272 static int 273 mac_test_init_socket_label(struct label *label, int flag) 274 { 275 276 if (flag & M_WAITOK) 277 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 278 "mac_test_init_socket_label() at %s:%d", __FILE__, 279 __LINE__); 280 281 LABEL_INIT(label, MAGIC_SOCKET); 282 COUNTER_INC(init_socket_label); 283 return (0); 284 } 285 286 COUNTER_DECL(init_socket_peer_label); 287 static int 288 mac_test_init_socket_peer_label(struct label *label, int flag) 289 { 290 291 if (flag & M_WAITOK) 292 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, 293 "mac_test_init_socket_peer_label() at %s:%d", __FILE__, 294 __LINE__); 295 296 LABEL_INIT(label, MAGIC_SOCKET); 297 COUNTER_INC(init_socket_peer_label); 298 return (0); 299 } 300 301 COUNTER_DECL(init_pipe_label); 302 static void 303 mac_test_init_pipe_label(struct label *label) 304 { 305 306 LABEL_INIT(label, MAGIC_PIPE); 307 COUNTER_INC(init_pipe_label); 308 } 309 310 COUNTER_DECL(init_posix_sem_label); 311 static void 312 mac_test_init_posix_sem_label(struct label *label) 313 { 314 315 LABEL_INIT(label, MAGIC_POSIX_SEM); 316 COUNTER_INC(init_posix_sem_label); 317 } 318 319 COUNTER_DECL(init_proc_label); 320 static void 321 mac_test_init_proc_label(struct label *label) 322 { 323 324 LABEL_INIT(label, MAGIC_PROC); 325 COUNTER_INC(init_proc_label); 326 } 327 328 COUNTER_DECL(init_vnode_label); 329 static void 330 mac_test_init_vnode_label(struct label *label) 331 { 332 333 LABEL_INIT(label, MAGIC_VNODE); 334 COUNTER_INC(init_vnode_label); 335 } 336 337 COUNTER_DECL(destroy_bpfdesc_label); 338 static void 339 mac_test_destroy_bpfdesc_label(struct label *label) 340 { 341 342 LABEL_DESTROY(label, MAGIC_BPF); 343 COUNTER_INC(destroy_bpfdesc_label); 344 } 345 346 COUNTER_DECL(destroy_cred_label); 347 static void 348 mac_test_destroy_cred_label(struct label *label) 349 { 350 351 LABEL_DESTROY(label, MAGIC_CRED); 352 COUNTER_INC(destroy_cred_label); 353 } 354 355 COUNTER_DECL(destroy_devfs_label); 356 static void 357 mac_test_destroy_devfs_label(struct label *label) 358 { 359 360 LABEL_DESTROY(label, MAGIC_DEVFS); 361 COUNTER_INC(destroy_devfs_label); 362 } 363 364 COUNTER_DECL(destroy_ifnet_label); 365 static void 366 mac_test_destroy_ifnet_label(struct label *label) 367 { 368 369 LABEL_DESTROY(label, MAGIC_IFNET); 370 COUNTER_INC(destroy_ifnet_label); 371 } 372 373 COUNTER_DECL(destroy_inpcb_label); 374 static void 375 mac_test_destroy_inpcb_label(struct label *label) 376 { 377 378 LABEL_DESTROY(label, MAGIC_INPCB); 379 COUNTER_INC(destroy_inpcb_label); 380 } 381 382 COUNTER_DECL(destroy_sysv_msg_label); 383 static void 384 mac_test_destroy_sysv_msgmsg_label(struct label *label) 385 { 386 387 LABEL_DESTROY(label, MAGIC_SYSV_MSG); 388 COUNTER_INC(destroy_sysv_msg_label); 389 } 390 391 COUNTER_DECL(destroy_sysv_msq_label); 392 static void 393 mac_test_destroy_sysv_msgqueue_label(struct label *label) 394 { 395 396 LABEL_DESTROY(label, MAGIC_SYSV_MSQ); 397 COUNTER_INC(destroy_sysv_msq_label); 398 } 399 400 COUNTER_DECL(destroy_sysv_sem_label); 401 static void 402 mac_test_destroy_sysv_sem_label(struct label *label) 403 { 404 405 LABEL_DESTROY(label, MAGIC_SYSV_SEM); 406 COUNTER_INC(destroy_sysv_sem_label); 407 } 408 409 COUNTER_DECL(destroy_sysv_shm_label); 410 static void 411 mac_test_destroy_sysv_shm_label(struct label *label) 412 { 413 414 LABEL_DESTROY(label, MAGIC_SYSV_SHM); 415 COUNTER_INC(destroy_sysv_shm_label); 416 } 417 418 COUNTER_DECL(destroy_ipq_label); 419 static void 420 mac_test_destroy_ipq_label(struct label *label) 421 { 422 423 LABEL_DESTROY(label, MAGIC_IPQ); 424 COUNTER_INC(destroy_ipq_label); 425 } 426 427 COUNTER_DECL(destroy_mbuf_label); 428 static void 429 mac_test_destroy_mbuf_label(struct label *label) 430 { 431 432 /* 433 * If we're loaded dynamically, there may be mbufs in flight that 434 * didn't have label storage allocated for them. Handle this 435 * gracefully. 436 */ 437 if (label == NULL) 438 return; 439 440 LABEL_DESTROY(label, MAGIC_MBUF); 441 COUNTER_INC(destroy_mbuf_label); 442 } 443 444 COUNTER_DECL(destroy_mount_label); 445 static void 446 mac_test_destroy_mount_label(struct label *label) 447 { 448 449 LABEL_DESTROY(label, MAGIC_MOUNT); 450 COUNTER_INC(destroy_mount_label); 451 } 452 453 COUNTER_DECL(destroy_socket_label); 454 static void 455 mac_test_destroy_socket_label(struct label *label) 456 { 457 458 LABEL_DESTROY(label, MAGIC_SOCKET); 459 COUNTER_INC(destroy_socket_label); 460 } 461 462 COUNTER_DECL(destroy_socket_peer_label); 463 static void 464 mac_test_destroy_socket_peer_label(struct label *label) 465 { 466 467 LABEL_DESTROY(label, MAGIC_SOCKET); 468 COUNTER_INC(destroy_socket_peer_label); 469 } 470 471 COUNTER_DECL(destroy_pipe_label); 472 static void 473 mac_test_destroy_pipe_label(struct label *label) 474 { 475 476 LABEL_DESTROY(label, MAGIC_PIPE); 477 COUNTER_INC(destroy_pipe_label); 478 } 479 480 COUNTER_DECL(destroy_posix_sem_label); 481 static void 482 mac_test_destroy_posix_sem_label(struct label *label) 483 { 484 485 LABEL_DESTROY(label, MAGIC_POSIX_SEM); 486 COUNTER_INC(destroy_posix_sem_label); 487 } 488 489 COUNTER_DECL(destroy_proc_label); 490 static void 491 mac_test_destroy_proc_label(struct label *label) 492 { 493 494 LABEL_DESTROY(label, MAGIC_PROC); 495 COUNTER_INC(destroy_proc_label); 496 } 497 498 COUNTER_DECL(destroy_vnode_label); 499 static void 500 mac_test_destroy_vnode_label(struct label *label) 501 { 502 503 LABEL_DESTROY(label, MAGIC_VNODE); 504 COUNTER_INC(destroy_vnode_label); 505 } 506 507 COUNTER_DECL(copy_cred_label); 508 static void 509 mac_test_copy_cred_label(struct label *src, struct label *dest) 510 { 511 512 LABEL_CHECK(src, MAGIC_CRED); 513 LABEL_CHECK(dest, MAGIC_CRED); 514 COUNTER_INC(copy_cred_label); 515 } 516 517 COUNTER_DECL(copy_ifnet_label); 518 static void 519 mac_test_copy_ifnet_label(struct label *src, struct label *dest) 520 { 521 522 LABEL_CHECK(src, MAGIC_IFNET); 523 LABEL_CHECK(dest, MAGIC_IFNET); 524 COUNTER_INC(copy_ifnet_label); 525 } 526 527 COUNTER_DECL(copy_mbuf_label); 528 static void 529 mac_test_copy_mbuf_label(struct label *src, struct label *dest) 530 { 531 532 LABEL_CHECK(src, MAGIC_MBUF); 533 LABEL_CHECK(dest, MAGIC_MBUF); 534 COUNTER_INC(copy_mbuf_label); 535 } 536 537 COUNTER_DECL(copy_pipe_label); 538 static void 539 mac_test_copy_pipe_label(struct label *src, struct label *dest) 540 { 541 542 LABEL_CHECK(src, MAGIC_PIPE); 543 LABEL_CHECK(dest, MAGIC_PIPE); 544 COUNTER_INC(copy_pipe_label); 545 } 546 547 COUNTER_DECL(copy_socket_label); 548 static void 549 mac_test_copy_socket_label(struct label *src, struct label *dest) 550 { 551 552 LABEL_CHECK(src, MAGIC_SOCKET); 553 LABEL_CHECK(dest, MAGIC_SOCKET); 554 COUNTER_INC(copy_socket_label); 555 } 556 557 COUNTER_DECL(copy_vnode_label); 558 static void 559 mac_test_copy_vnode_label(struct label *src, struct label *dest) 560 { 561 562 LABEL_CHECK(src, MAGIC_VNODE); 563 LABEL_CHECK(dest, MAGIC_VNODE); 564 COUNTER_INC(copy_vnode_label); 565 } 566 567 COUNTER_DECL(externalize_label); 568 static int 569 mac_test_externalize_label(struct label *label, char *element_name, 570 struct sbuf *sb, int *claimed) 571 { 572 573 LABEL_NOTFREE(label); 574 COUNTER_INC(externalize_label); 575 576 return (0); 577 } 578 579 COUNTER_DECL(internalize_label); 580 static int 581 mac_test_internalize_label(struct label *label, char *element_name, 582 char *element_data, int *claimed) 583 { 584 585 LABEL_NOTFREE(label); 586 COUNTER_INC(internalize_label); 587 588 return (0); 589 } 590 591 /* 592 * Labeling event operations: file system objects, and things that look 593 * a lot like file system objects. 594 */ 595 COUNTER_DECL(associate_vnode_devfs); 596 static void 597 mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel, 598 struct devfs_dirent *de, struct label *delabel, struct vnode *vp, 599 struct label *vplabel) 600 { 601 602 LABEL_CHECK(mplabel, MAGIC_MOUNT); 603 LABEL_CHECK(delabel, MAGIC_DEVFS); 604 LABEL_CHECK(vplabel, MAGIC_VNODE); 605 COUNTER_INC(associate_vnode_devfs); 606 } 607 608 COUNTER_DECL(associate_vnode_extattr); 609 static int 610 mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel, 611 struct vnode *vp, struct label *vplabel) 612 { 613 614 LABEL_CHECK(mplabel, MAGIC_MOUNT); 615 LABEL_CHECK(vplabel, MAGIC_VNODE); 616 COUNTER_INC(associate_vnode_extattr); 617 618 return (0); 619 } 620 621 COUNTER_DECL(associate_vnode_singlelabel); 622 static void 623 mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel, 624 struct vnode *vp, struct label *vplabel) 625 { 626 627 LABEL_CHECK(mplabel, MAGIC_MOUNT); 628 LABEL_CHECK(vplabel, MAGIC_VNODE); 629 COUNTER_INC(associate_vnode_singlelabel); 630 } 631 632 COUNTER_DECL(create_devfs_device); 633 static void 634 mac_test_create_devfs_device(struct ucred *cred, struct mount *mp, 635 struct cdev *dev, struct devfs_dirent *de, struct label *delabel) 636 { 637 638 if (cred != NULL) 639 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 640 LABEL_CHECK(delabel, MAGIC_DEVFS); 641 COUNTER_INC(create_devfs_device); 642 } 643 644 COUNTER_DECL(create_devfs_directory); 645 static void 646 mac_test_create_devfs_directory(struct mount *mp, char *dirname, 647 int dirnamelen, struct devfs_dirent *de, struct label *delabel) 648 { 649 650 LABEL_CHECK(delabel, MAGIC_DEVFS); 651 COUNTER_INC(create_devfs_directory); 652 } 653 654 COUNTER_DECL(create_devfs_symlink); 655 static void 656 mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp, 657 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, 658 struct label *delabel) 659 { 660 661 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 662 LABEL_CHECK(ddlabel, MAGIC_DEVFS); 663 LABEL_CHECK(delabel, MAGIC_DEVFS); 664 COUNTER_INC(create_devfs_symlink); 665 } 666 667 COUNTER_DECL(create_vnode_extattr); 668 static int 669 mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp, 670 struct label *mplabel, struct vnode *dvp, struct label *dvplabel, 671 struct vnode *vp, struct label *vplabel, struct componentname *cnp) 672 { 673 674 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 675 LABEL_CHECK(mplabel, MAGIC_MOUNT); 676 LABEL_CHECK(dvplabel, MAGIC_VNODE); 677 COUNTER_INC(create_vnode_extattr); 678 679 return (0); 680 } 681 682 COUNTER_DECL(create_mount); 683 static void 684 mac_test_create_mount(struct ucred *cred, struct mount *mp, 685 struct label *mplabel) 686 { 687 688 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 689 LABEL_CHECK(mplabel, MAGIC_MOUNT); 690 COUNTER_INC(create_mount); 691 } 692 693 COUNTER_DECL(relabel_vnode); 694 static void 695 mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp, 696 struct label *vplabel, struct label *label) 697 { 698 699 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 700 LABEL_CHECK(vplabel, MAGIC_VNODE); 701 LABEL_CHECK(label, MAGIC_VNODE); 702 COUNTER_INC(relabel_vnode); 703 } 704 705 COUNTER_DECL(setlabel_vnode_extattr); 706 static int 707 mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, 708 struct label *vplabel, struct label *intlabel) 709 { 710 711 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 712 LABEL_CHECK(vplabel, MAGIC_VNODE); 713 LABEL_CHECK(intlabel, MAGIC_VNODE); 714 COUNTER_INC(setlabel_vnode_extattr); 715 716 return (0); 717 } 718 719 COUNTER_DECL(update_devfs); 720 static void 721 mac_test_update_devfs(struct mount *mp, struct devfs_dirent *devfs_dirent, 722 struct label *direntlabel, struct vnode *vp, struct label *vplabel) 723 { 724 725 LABEL_CHECK(direntlabel, MAGIC_DEVFS); 726 LABEL_CHECK(vplabel, MAGIC_VNODE); 727 COUNTER_INC(update_devfs); 728 } 729 730 /* 731 * Labeling event operations: IPC object. 732 */ 733 COUNTER_DECL(create_mbuf_from_socket); 734 static void 735 mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, 736 struct mbuf *m, struct label *mbuflabel) 737 { 738 739 LABEL_CHECK(socketlabel, MAGIC_SOCKET); 740 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 741 COUNTER_INC(create_mbuf_from_socket); 742 } 743 744 COUNTER_DECL(create_socket); 745 static void 746 mac_test_create_socket(struct ucred *cred, struct socket *socket, 747 struct label *socketlabel) 748 { 749 750 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 751 LABEL_CHECK(socketlabel, MAGIC_SOCKET); 752 COUNTER_INC(create_socket); 753 } 754 755 COUNTER_DECL(create_pipe); 756 static void 757 mac_test_create_pipe(struct ucred *cred, struct pipepair *pp, 758 struct label *pipelabel) 759 { 760 761 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 762 LABEL_CHECK(pipelabel, MAGIC_PIPE); 763 COUNTER_INC(create_pipe); 764 } 765 766 COUNTER_DECL(create_posix_sem); 767 static void 768 mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem, 769 struct label *posixlabel) 770 { 771 772 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 773 LABEL_CHECK(posixlabel, MAGIC_POSIX_SEM); 774 COUNTER_INC(create_posix_sem); 775 } 776 777 COUNTER_DECL(create_socket_from_socket); 778 static void 779 mac_test_create_socket_from_socket(struct socket *oldsocket, 780 struct label *oldsocketlabel, struct socket *newsocket, 781 struct label *newsocketlabel) 782 { 783 784 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET); 785 LABEL_CHECK(newsocketlabel, MAGIC_SOCKET); 786 COUNTER_INC(create_socket_from_socket); 787 } 788 789 COUNTER_DECL(relabel_socket); 790 static void 791 mac_test_relabel_socket(struct ucred *cred, struct socket *socket, 792 struct label *socketlabel, struct label *newlabel) 793 { 794 795 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 796 LABEL_CHECK(newlabel, MAGIC_SOCKET); 797 COUNTER_INC(relabel_socket); 798 } 799 800 COUNTER_DECL(relabel_pipe); 801 static void 802 mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp, 803 struct label *pipelabel, struct label *newlabel) 804 { 805 806 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 807 LABEL_CHECK(pipelabel, MAGIC_PIPE); 808 LABEL_CHECK(newlabel, MAGIC_PIPE); 809 COUNTER_INC(relabel_pipe); 810 } 811 812 COUNTER_DECL(set_socket_peer_from_mbuf); 813 static void 814 mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, 815 struct socket *socket, struct label *socketpeerlabel) 816 { 817 818 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 819 LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET); 820 COUNTER_INC(set_socket_peer_from_mbuf); 821 } 822 823 /* 824 * Labeling event operations: network objects. 825 */ 826 COUNTER_DECL(set_socket_peer_from_socket); 827 static void 828 mac_test_set_socket_peer_from_socket(struct socket *oldsocket, 829 struct label *oldsocketlabel, struct socket *newsocket, 830 struct label *newsocketpeerlabel) 831 { 832 833 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET); 834 LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET); 835 COUNTER_INC(set_socket_peer_from_socket); 836 } 837 838 COUNTER_DECL(create_bpfdesc); 839 static void 840 mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, 841 struct label *bpflabel) 842 { 843 844 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 845 LABEL_CHECK(bpflabel, MAGIC_BPF); 846 COUNTER_INC(create_bpfdesc); 847 } 848 849 COUNTER_DECL(create_datagram_from_ipq); 850 static void 851 mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, 852 struct mbuf *datagram, struct label *datagramlabel) 853 { 854 855 LABEL_CHECK(ipqlabel, MAGIC_IPQ); 856 LABEL_CHECK(datagramlabel, MAGIC_MBUF); 857 COUNTER_INC(create_datagram_from_ipq); 858 } 859 860 COUNTER_DECL(create_fragment); 861 static void 862 mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel, 863 struct mbuf *fragment, struct label *fragmentlabel) 864 { 865 866 LABEL_CHECK(datagramlabel, MAGIC_MBUF); 867 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 868 COUNTER_INC(create_fragment); 869 } 870 871 COUNTER_DECL(create_ifnet); 872 static void 873 mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) 874 { 875 876 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 877 COUNTER_INC(create_ifnet); 878 } 879 880 COUNTER_DECL(create_inpcb_from_socket); 881 static void 882 mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel, 883 struct inpcb *inp, struct label *inplabel) 884 { 885 886 LABEL_CHECK(solabel, MAGIC_SOCKET); 887 LABEL_CHECK(inplabel, MAGIC_INPCB); 888 COUNTER_INC(create_inpcb_from_socket); 889 } 890 891 COUNTER_DECL(create_sysv_msgmsg); 892 static void 893 mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, 894 struct label *msqlabel, struct msg *msgptr, struct label *msglabel) 895 { 896 897 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 898 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 899 COUNTER_INC(create_sysv_msgmsg); 900 } 901 902 COUNTER_DECL(create_sysv_msgqueue); 903 static void 904 mac_test_create_sysv_msgqueue(struct ucred *cred, 905 struct msqid_kernel *msqkptr, struct label *msqlabel) 906 { 907 908 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 909 COUNTER_INC(create_sysv_msgqueue); 910 } 911 912 COUNTER_DECL(create_sysv_sem); 913 static void 914 mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr, 915 struct label *semalabel) 916 { 917 918 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); 919 COUNTER_INC(create_sysv_sem); 920 } 921 922 COUNTER_DECL(create_sysv_shm); 923 static void 924 mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr, 925 struct label *shmlabel) 926 { 927 928 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); 929 COUNTER_INC(create_sysv_shm); 930 } 931 932 COUNTER_DECL(create_ipq); 933 static void 934 mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel, 935 struct ipq *ipq, struct label *ipqlabel) 936 { 937 938 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 939 LABEL_CHECK(ipqlabel, MAGIC_IPQ); 940 COUNTER_INC(create_ipq); 941 } 942 943 COUNTER_DECL(create_mbuf_from_inpcb); 944 static void 945 mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel, 946 struct mbuf *m, struct label *mlabel) 947 { 948 949 LABEL_CHECK(inplabel, MAGIC_INPCB); 950 LABEL_CHECK(mlabel, MAGIC_MBUF); 951 COUNTER_INC(create_mbuf_from_inpcb); 952 } 953 954 COUNTER_DECL(create_mbuf_linklayer); 955 static void 956 mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, 957 struct mbuf *mbuf, struct label *mbuflabel) 958 { 959 960 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 961 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 962 COUNTER_INC(create_mbuf_linklayer); 963 } 964 965 COUNTER_DECL(create_mbuf_from_bpfdesc); 966 static void 967 mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel, 968 struct mbuf *mbuf, struct label *mbuflabel) 969 { 970 971 LABEL_CHECK(bpflabel, MAGIC_BPF); 972 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 973 COUNTER_INC(create_mbuf_from_bpfdesc); 974 } 975 976 COUNTER_DECL(create_mbuf_from_ifnet); 977 static void 978 mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel, 979 struct mbuf *m, struct label *mbuflabel) 980 { 981 982 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 983 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 984 COUNTER_INC(create_mbuf_from_ifnet); 985 } 986 987 COUNTER_DECL(create_mbuf_multicast_encap); 988 static void 989 mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf, 990 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel, 991 struct mbuf *newmbuf, struct label *newmbuflabel) 992 { 993 994 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF); 995 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 996 LABEL_CHECK(newmbuflabel, MAGIC_MBUF); 997 COUNTER_INC(create_mbuf_multicast_encap); 998 } 999 1000 COUNTER_DECL(create_mbuf_netlayer); 1001 static void 1002 mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf, 1003 struct label *oldmbuflabel, struct mbuf *newmbuf, 1004 struct label *newmbuflabel) 1005 { 1006 1007 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF); 1008 LABEL_CHECK(newmbuflabel, MAGIC_MBUF); 1009 COUNTER_INC(create_mbuf_netlayer); 1010 } 1011 1012 COUNTER_DECL(fragment_match); 1013 static int 1014 mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, 1015 struct ipq *ipq, struct label *ipqlabel) 1016 { 1017 1018 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 1019 LABEL_CHECK(ipqlabel, MAGIC_IPQ); 1020 COUNTER_INC(fragment_match); 1021 1022 return (1); 1023 } 1024 1025 COUNTER_DECL(reflect_mbuf_icmp); 1026 static void 1027 mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel) 1028 { 1029 1030 LABEL_CHECK(mlabel, MAGIC_MBUF); 1031 COUNTER_INC(reflect_mbuf_icmp); 1032 } 1033 1034 COUNTER_DECL(reflect_mbuf_tcp); 1035 static void 1036 mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel) 1037 { 1038 1039 LABEL_CHECK(mlabel, MAGIC_MBUF); 1040 COUNTER_INC(reflect_mbuf_tcp); 1041 } 1042 1043 COUNTER_DECL(relabel_ifnet); 1044 static void 1045 mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, 1046 struct label *ifnetlabel, struct label *newlabel) 1047 { 1048 1049 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1050 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 1051 LABEL_CHECK(newlabel, MAGIC_IFNET); 1052 COUNTER_INC(relabel_ifnet); 1053 } 1054 1055 COUNTER_DECL(update_ipq); 1056 static void 1057 mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, 1058 struct ipq *ipq, struct label *ipqlabel) 1059 { 1060 1061 LABEL_CHECK(fragmentlabel, MAGIC_MBUF); 1062 LABEL_CHECK(ipqlabel, MAGIC_IPQ); 1063 COUNTER_INC(update_ipq); 1064 } 1065 1066 COUNTER_DECL(inpcb_sosetlabel); 1067 static void 1068 mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel, 1069 struct inpcb *inp, struct label *inplabel) 1070 { 1071 1072 LABEL_CHECK(solabel, MAGIC_SOCKET); 1073 LABEL_CHECK(inplabel, MAGIC_INPCB); 1074 COUNTER_INC(inpcb_sosetlabel); 1075 } 1076 1077 /* 1078 * Labeling event operations: processes. 1079 */ 1080 COUNTER_DECL(execve_transition); 1081 static void 1082 mac_test_execve_transition(struct ucred *old, struct ucred *new, 1083 struct vnode *vp, struct label *filelabel, 1084 struct label *interpvplabel, struct image_params *imgp, 1085 struct label *execlabel) 1086 { 1087 1088 LABEL_CHECK(old->cr_label, MAGIC_CRED); 1089 LABEL_CHECK(new->cr_label, MAGIC_CRED); 1090 LABEL_CHECK(filelabel, MAGIC_VNODE); 1091 LABEL_CHECK(interpvplabel, MAGIC_VNODE); 1092 LABEL_CHECK(execlabel, MAGIC_CRED); 1093 COUNTER_INC(execve_transition); 1094 } 1095 1096 COUNTER_DECL(execve_will_transition); 1097 static int 1098 mac_test_execve_will_transition(struct ucred *old, struct vnode *vp, 1099 struct label *filelabel, struct label *interpvplabel, 1100 struct image_params *imgp, struct label *execlabel) 1101 { 1102 1103 LABEL_CHECK(old->cr_label, MAGIC_CRED); 1104 LABEL_CHECK(filelabel, MAGIC_VNODE); 1105 LABEL_CHECK(interpvplabel, MAGIC_VNODE); 1106 LABEL_CHECK(execlabel, MAGIC_CRED); 1107 COUNTER_INC(execve_will_transition); 1108 1109 return (0); 1110 } 1111 1112 COUNTER_DECL(create_proc0); 1113 static void 1114 mac_test_create_proc0(struct ucred *cred) 1115 { 1116 1117 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1118 COUNTER_INC(create_proc0); 1119 } 1120 1121 COUNTER_DECL(create_proc1); 1122 static void 1123 mac_test_create_proc1(struct ucred *cred) 1124 { 1125 1126 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1127 COUNTER_INC(create_proc1); 1128 } 1129 1130 COUNTER_DECL(relabel_cred); 1131 static void 1132 mac_test_relabel_cred(struct ucred *cred, struct label *newlabel) 1133 { 1134 1135 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1136 LABEL_CHECK(newlabel, MAGIC_CRED); 1137 COUNTER_INC(relabel_cred); 1138 } 1139 1140 COUNTER_DECL(thread_userret); 1141 static void 1142 mac_test_thread_userret(struct thread *td) 1143 { 1144 1145 COUNTER_INC(thread_userret); 1146 } 1147 1148 /* 1149 * Label cleanup/flush operations 1150 */ 1151 COUNTER_DECL(cleanup_sysv_msgmsg); 1152 static void 1153 mac_test_cleanup_sysv_msgmsg(struct label *msglabel) 1154 { 1155 1156 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1157 COUNTER_INC(cleanup_sysv_msgmsg); 1158 } 1159 1160 COUNTER_DECL(cleanup_sysv_msgqueue); 1161 static void 1162 mac_test_cleanup_sysv_msgqueue(struct label *msqlabel) 1163 { 1164 1165 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); 1166 COUNTER_INC(cleanup_sysv_msgqueue); 1167 } 1168 1169 COUNTER_DECL(cleanup_sysv_sem); 1170 static void 1171 mac_test_cleanup_sysv_sem(struct label *semalabel) 1172 { 1173 1174 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); 1175 COUNTER_INC(cleanup_sysv_sem); 1176 } 1177 1178 COUNTER_DECL(cleanup_sysv_shm); 1179 static void 1180 mac_test_cleanup_sysv_shm(struct label *shmlabel) 1181 { 1182 1183 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); 1184 COUNTER_INC(cleanup_sysv_shm); 1185 } 1186 1187 /* 1188 * Access control checks. 1189 */ 1190 COUNTER_DECL(check_bpfdesc_receive); 1191 static int 1192 mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, 1193 struct ifnet *ifnet, struct label *ifnetlabel) 1194 { 1195 1196 LABEL_CHECK(bpflabel, MAGIC_BPF); 1197 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 1198 COUNTER_INC(check_bpfdesc_receive); 1199 1200 return (0); 1201 } 1202 1203 COUNTER_DECL(check_cred_relabel); 1204 static int 1205 mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel) 1206 { 1207 1208 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1209 LABEL_CHECK(newlabel, MAGIC_CRED); 1210 COUNTER_INC(check_cred_relabel); 1211 1212 return (0); 1213 } 1214 1215 COUNTER_DECL(check_cred_visible); 1216 static int 1217 mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2) 1218 { 1219 1220 LABEL_CHECK(u1->cr_label, MAGIC_CRED); 1221 LABEL_CHECK(u2->cr_label, MAGIC_CRED); 1222 COUNTER_INC(check_cred_visible); 1223 1224 return (0); 1225 } 1226 1227 COUNTER_DECL(check_ifnet_relabel); 1228 static int 1229 mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, 1230 struct label *ifnetlabel, struct label *newlabel) 1231 { 1232 1233 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1234 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 1235 LABEL_CHECK(newlabel, MAGIC_IFNET); 1236 COUNTER_INC(check_ifnet_relabel); 1237 1238 return (0); 1239 } 1240 1241 COUNTER_DECL(check_ifnet_transmit); 1242 static int 1243 mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, 1244 struct mbuf *m, struct label *mbuflabel) 1245 { 1246 1247 LABEL_CHECK(ifnetlabel, MAGIC_IFNET); 1248 LABEL_CHECK(mbuflabel, MAGIC_MBUF); 1249 COUNTER_INC(check_ifnet_transmit); 1250 1251 return (0); 1252 } 1253 1254 COUNTER_DECL(check_inpcb_deliver); 1255 static int 1256 mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, 1257 struct mbuf *m, struct label *mlabel) 1258 { 1259 1260 LABEL_CHECK(inplabel, MAGIC_INPCB); 1261 LABEL_CHECK(mlabel, MAGIC_MBUF); 1262 COUNTER_INC(check_inpcb_deliver); 1263 1264 return (0); 1265 } 1266 1267 COUNTER_DECL(check_sysv_msgmsq); 1268 static int 1269 mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, 1270 struct label *msglabel, struct msqid_kernel *msqkptr, 1271 struct label *msqklabel) 1272 { 1273 1274 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1275 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1276 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1277 COUNTER_INC(check_sysv_msgmsq); 1278 1279 return (0); 1280 } 1281 1282 COUNTER_DECL(check_sysv_msgrcv); 1283 static int 1284 mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr, 1285 struct label *msglabel) 1286 { 1287 1288 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1289 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1290 COUNTER_INC(check_sysv_msgrcv); 1291 1292 return (0); 1293 } 1294 1295 COUNTER_DECL(check_sysv_msgrmid); 1296 static int 1297 mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr, 1298 struct label *msglabel) 1299 { 1300 1301 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); 1302 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1303 COUNTER_INC(check_sysv_msgrmid); 1304 1305 return (0); 1306 } 1307 1308 COUNTER_DECL(check_sysv_msqget); 1309 static int 1310 mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, 1311 struct label *msqklabel) 1312 { 1313 1314 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1315 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1316 COUNTER_INC(check_sysv_msqget); 1317 1318 return (0); 1319 } 1320 1321 COUNTER_DECL(check_sysv_msqsnd); 1322 static int 1323 mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, 1324 struct label *msqklabel) 1325 { 1326 1327 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1328 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1329 COUNTER_INC(check_sysv_msqsnd); 1330 1331 return (0); 1332 } 1333 1334 COUNTER_DECL(check_sysv_msqrcv); 1335 static int 1336 mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr, 1337 struct label *msqklabel) 1338 { 1339 1340 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1341 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1342 COUNTER_INC(check_sysv_msqrcv); 1343 1344 return (0); 1345 } 1346 1347 COUNTER_DECL(check_sysv_msqctl); 1348 static int 1349 mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, 1350 struct label *msqklabel, int cmd) 1351 { 1352 1353 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); 1354 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1355 COUNTER_INC(check_sysv_msqctl); 1356 1357 return (0); 1358 } 1359 1360 COUNTER_DECL(check_sysv_semctl); 1361 static int 1362 mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr, 1363 struct label *semaklabel, int cmd) 1364 { 1365 1366 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1367 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 1368 COUNTER_INC(check_sysv_semctl); 1369 1370 return (0); 1371 } 1372 1373 COUNTER_DECL(check_sysv_semget); 1374 static int 1375 mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr, 1376 struct label *semaklabel) 1377 { 1378 1379 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1380 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 1381 COUNTER_INC(check_sysv_semget); 1382 1383 return (0); 1384 } 1385 1386 COUNTER_DECL(check_sysv_semop); 1387 static int 1388 mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr, 1389 struct label *semaklabel, size_t accesstype) 1390 { 1391 1392 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1393 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); 1394 COUNTER_INC(check_sysv_semop); 1395 1396 return (0); 1397 } 1398 1399 COUNTER_DECL(check_sysv_shmat); 1400 static int 1401 mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, 1402 struct label *shmseglabel, int shmflg) 1403 { 1404 1405 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1406 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 1407 COUNTER_INC(check_sysv_shmat); 1408 1409 return (0); 1410 } 1411 1412 COUNTER_DECL(check_sysv_shmctl); 1413 static int 1414 mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, 1415 struct label *shmseglabel, int cmd) 1416 { 1417 1418 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1419 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 1420 COUNTER_INC(check_sysv_shmctl); 1421 1422 return (0); 1423 } 1424 1425 COUNTER_DECL(check_sysv_shmdt); 1426 static int 1427 mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr, 1428 struct label *shmseglabel) 1429 { 1430 1431 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1432 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 1433 COUNTER_INC(check_sysv_shmdt); 1434 1435 return (0); 1436 } 1437 1438 COUNTER_DECL(check_sysv_shmget); 1439 static int 1440 mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, 1441 struct label *shmseglabel, int shmflg) 1442 { 1443 1444 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1445 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); 1446 COUNTER_INC(check_sysv_shmget); 1447 1448 return (0); 1449 } 1450 1451 COUNTER_DECL(check_kenv_dump); 1452 static int 1453 mac_test_check_kenv_dump(struct ucred *cred) 1454 { 1455 1456 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1457 COUNTER_INC(check_kenv_dump); 1458 1459 return (0); 1460 } 1461 1462 COUNTER_DECL(check_kenv_get); 1463 static int 1464 mac_test_check_kenv_get(struct ucred *cred, char *name) 1465 { 1466 1467 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1468 COUNTER_INC(check_kenv_get); 1469 1470 return (0); 1471 } 1472 1473 COUNTER_DECL(check_kenv_set); 1474 static int 1475 mac_test_check_kenv_set(struct ucred *cred, char *name, char *value) 1476 { 1477 1478 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1479 COUNTER_INC(check_kenv_set); 1480 1481 return (0); 1482 } 1483 1484 COUNTER_DECL(check_kenv_unset); 1485 static int 1486 mac_test_check_kenv_unset(struct ucred *cred, char *name) 1487 { 1488 1489 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1490 COUNTER_INC(check_kenv_unset); 1491 1492 return (0); 1493 } 1494 1495 COUNTER_DECL(check_kld_load); 1496 static int 1497 mac_test_check_kld_load(struct ucred *cred, struct vnode *vp, 1498 struct label *label) 1499 { 1500 1501 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1502 LABEL_CHECK(label, MAGIC_VNODE); 1503 COUNTER_INC(check_kld_load); 1504 1505 return (0); 1506 } 1507 1508 COUNTER_DECL(check_kld_stat); 1509 static int 1510 mac_test_check_kld_stat(struct ucred *cred) 1511 { 1512 1513 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1514 COUNTER_INC(check_kld_stat); 1515 1516 return (0); 1517 } 1518 1519 COUNTER_DECL(check_mount_stat); 1520 static int 1521 mac_test_check_mount_stat(struct ucred *cred, struct mount *mp, 1522 struct label *mplabel) 1523 { 1524 1525 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1526 LABEL_CHECK(mplabel, MAGIC_MOUNT); 1527 COUNTER_INC(check_mount_stat); 1528 1529 return (0); 1530 } 1531 1532 COUNTER_DECL(check_pipe_ioctl); 1533 static int 1534 mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, 1535 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) 1536 { 1537 1538 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1539 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1540 COUNTER_INC(check_pipe_ioctl); 1541 1542 return (0); 1543 } 1544 1545 COUNTER_DECL(check_pipe_poll); 1546 static int 1547 mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp, 1548 struct label *pipelabel) 1549 { 1550 1551 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1552 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1553 COUNTER_INC(check_pipe_poll); 1554 1555 return (0); 1556 } 1557 1558 COUNTER_DECL(check_pipe_read); 1559 static int 1560 mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp, 1561 struct label *pipelabel) 1562 { 1563 1564 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1565 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1566 COUNTER_INC(check_pipe_read); 1567 1568 return (0); 1569 } 1570 1571 COUNTER_DECL(check_pipe_relabel); 1572 static int 1573 mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp, 1574 struct label *pipelabel, struct label *newlabel) 1575 { 1576 1577 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1578 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1579 LABEL_CHECK(newlabel, MAGIC_PIPE); 1580 COUNTER_INC(check_pipe_relabel); 1581 1582 return (0); 1583 } 1584 1585 COUNTER_DECL(check_pipe_stat); 1586 static int 1587 mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp, 1588 struct label *pipelabel) 1589 { 1590 1591 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1592 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1593 COUNTER_INC(check_pipe_stat); 1594 1595 return (0); 1596 } 1597 1598 COUNTER_DECL(check_pipe_write); 1599 static int 1600 mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp, 1601 struct label *pipelabel) 1602 { 1603 1604 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1605 LABEL_CHECK(pipelabel, MAGIC_PIPE); 1606 COUNTER_INC(check_pipe_write); 1607 1608 return (0); 1609 } 1610 1611 COUNTER_DECL(check_posix_sem); 1612 static int 1613 mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr, 1614 struct label *ks_label) 1615 { 1616 1617 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1618 LABEL_CHECK(ks_label, MAGIC_POSIX_SEM); 1619 COUNTER_INC(check_posix_sem); 1620 1621 return (0); 1622 } 1623 1624 COUNTER_DECL(check_proc_debug); 1625 static int 1626 mac_test_check_proc_debug(struct ucred *cred, struct proc *p) 1627 { 1628 1629 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1630 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1631 COUNTER_INC(check_proc_debug); 1632 1633 return (0); 1634 } 1635 1636 COUNTER_DECL(check_proc_sched); 1637 static int 1638 mac_test_check_proc_sched(struct ucred *cred, struct proc *p) 1639 { 1640 1641 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1642 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1643 COUNTER_INC(check_proc_sched); 1644 1645 return (0); 1646 } 1647 1648 COUNTER_DECL(check_proc_signal); 1649 static int 1650 mac_test_check_proc_signal(struct ucred *cred, struct proc *p, int signum) 1651 { 1652 1653 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1654 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1655 COUNTER_INC(check_proc_signal); 1656 1657 return (0); 1658 } 1659 1660 COUNTER_DECL(check_proc_setaudit); 1661 static int 1662 mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai) 1663 { 1664 1665 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1666 COUNTER_INC(check_proc_setaudit); 1667 1668 return (0); 1669 } 1670 1671 COUNTER_DECL(check_proc_setaudit_addr); 1672 static int 1673 mac_test_check_proc_setaudit_addr(struct ucred *cred, 1674 struct auditinfo_addr *aia) 1675 { 1676 1677 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1678 COUNTER_INC(check_proc_setaudit_addr); 1679 1680 return (0); 1681 } 1682 1683 COUNTER_DECL(check_proc_setauid); 1684 static int 1685 mac_test_check_proc_setauid(struct ucred *cred, uid_t auid) 1686 { 1687 1688 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1689 COUNTER_INC(check_proc_setauid); 1690 1691 return (0); 1692 } 1693 1694 COUNTER_DECL(check_proc_setuid); 1695 static int 1696 mac_test_check_proc_setuid(struct ucred *cred, uid_t uid) 1697 { 1698 1699 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1700 COUNTER_INC(check_proc_setuid); 1701 1702 return (0); 1703 } 1704 1705 COUNTER_DECL(check_proc_euid); 1706 static int 1707 mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid) 1708 { 1709 1710 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1711 COUNTER_INC(check_proc_euid); 1712 1713 return (0); 1714 } 1715 1716 COUNTER_DECL(check_proc_setgid); 1717 static int 1718 mac_test_check_proc_setgid(struct ucred *cred, gid_t gid) 1719 { 1720 1721 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1722 COUNTER_INC(check_proc_setgid); 1723 1724 return (0); 1725 } 1726 1727 COUNTER_DECL(check_proc_setegid); 1728 static int 1729 mac_test_check_proc_setegid(struct ucred *cred, gid_t egid) 1730 { 1731 1732 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1733 COUNTER_INC(check_proc_setegid); 1734 1735 return (0); 1736 } 1737 1738 COUNTER_DECL(check_proc_setgroups); 1739 static int 1740 mac_test_check_proc_setgroups(struct ucred *cred, int ngroups, 1741 gid_t *gidset) 1742 { 1743 1744 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1745 COUNTER_INC(check_proc_setgroups); 1746 1747 return (0); 1748 } 1749 1750 COUNTER_DECL(check_proc_setreuid); 1751 static int 1752 mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) 1753 { 1754 1755 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1756 COUNTER_INC(check_proc_setreuid); 1757 1758 return (0); 1759 } 1760 1761 COUNTER_DECL(check_proc_setregid); 1762 static int 1763 mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid) 1764 { 1765 1766 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1767 COUNTER_INC(check_proc_setregid); 1768 1769 return (0); 1770 } 1771 1772 COUNTER_DECL(check_proc_setresuid); 1773 static int 1774 mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, 1775 uid_t suid) 1776 { 1777 1778 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1779 COUNTER_INC(check_proc_setresuid); 1780 1781 return (0); 1782 } 1783 1784 COUNTER_DECL(check_proc_setresgid); 1785 static int 1786 mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, 1787 gid_t sgid) 1788 { 1789 1790 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1791 COUNTER_INC(check_proc_setresgid); 1792 1793 return (0); 1794 } 1795 1796 COUNTER_DECL(check_proc_wait); 1797 static int 1798 mac_test_check_proc_wait(struct ucred *cred, struct proc *p) 1799 { 1800 1801 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1802 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); 1803 COUNTER_INC(check_proc_wait); 1804 1805 return (0); 1806 } 1807 1808 COUNTER_DECL(check_socket_accept); 1809 static int 1810 mac_test_check_socket_accept(struct ucred *cred, struct socket *so, 1811 struct label *solabel) 1812 { 1813 1814 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1815 LABEL_CHECK(solabel, MAGIC_SOCKET); 1816 COUNTER_INC(check_socket_accept); 1817 1818 return (0); 1819 } 1820 1821 COUNTER_DECL(check_socket_bind); 1822 static int 1823 mac_test_check_socket_bind(struct ucred *cred, struct socket *so, 1824 struct label *solabel, struct sockaddr *sa) 1825 { 1826 1827 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1828 LABEL_CHECK(solabel, MAGIC_SOCKET); 1829 COUNTER_INC(check_socket_bind); 1830 1831 return (0); 1832 } 1833 1834 COUNTER_DECL(check_socket_connect); 1835 static int 1836 mac_test_check_socket_connect(struct ucred *cred, struct socket *so, 1837 struct label *solabel, struct sockaddr *sa) 1838 { 1839 1840 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1841 LABEL_CHECK(solabel, MAGIC_SOCKET); 1842 COUNTER_INC(check_socket_connect); 1843 1844 return (0); 1845 } 1846 1847 COUNTER_DECL(check_socket_deliver); 1848 static int 1849 mac_test_check_socket_deliver(struct socket *so, struct label *solabel, 1850 struct mbuf *m, struct label *mlabel) 1851 { 1852 1853 LABEL_CHECK(solabel, MAGIC_SOCKET); 1854 LABEL_CHECK(mlabel, MAGIC_MBUF); 1855 COUNTER_INC(check_socket_deliver); 1856 1857 return (0); 1858 } 1859 1860 COUNTER_DECL(check_socket_listen); 1861 static int 1862 mac_test_check_socket_listen(struct ucred *cred, struct socket *so, 1863 struct label *solabel) 1864 { 1865 1866 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1867 LABEL_CHECK(solabel, MAGIC_SOCKET); 1868 COUNTER_INC(check_socket_listen); 1869 1870 return (0); 1871 } 1872 1873 COUNTER_DECL(check_socket_poll); 1874 static int 1875 mac_test_check_socket_poll(struct ucred *cred, struct socket *so, 1876 struct label *solabel) 1877 { 1878 1879 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1880 LABEL_CHECK(solabel, MAGIC_SOCKET); 1881 COUNTER_INC(check_socket_poll); 1882 1883 return (0); 1884 } 1885 1886 COUNTER_DECL(check_socket_receive); 1887 static int 1888 mac_test_check_socket_receive(struct ucred *cred, struct socket *so, 1889 struct label *solabel) 1890 { 1891 1892 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1893 LABEL_CHECK(solabel, MAGIC_SOCKET); 1894 COUNTER_INC(check_socket_receive); 1895 1896 return (0); 1897 } 1898 1899 COUNTER_DECL(check_socket_relabel); 1900 static int 1901 mac_test_check_socket_relabel(struct ucred *cred, struct socket *so, 1902 struct label *solabel, struct label *newlabel) 1903 { 1904 1905 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1906 LABEL_CHECK(solabel, MAGIC_SOCKET); 1907 LABEL_CHECK(newlabel, MAGIC_SOCKET); 1908 COUNTER_INC(check_socket_relabel); 1909 1910 return (0); 1911 } 1912 1913 COUNTER_DECL(check_socket_send); 1914 static int 1915 mac_test_check_socket_send(struct ucred *cred, struct socket *so, 1916 struct label *solabel) 1917 { 1918 1919 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1920 LABEL_CHECK(solabel, MAGIC_SOCKET); 1921 COUNTER_INC(check_socket_send); 1922 1923 return (0); 1924 } 1925 1926 COUNTER_DECL(check_socket_stat); 1927 static int 1928 mac_test_check_socket_stat(struct ucred *cred, struct socket *so, 1929 struct label *solabel) 1930 { 1931 1932 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1933 LABEL_CHECK(solabel, MAGIC_SOCKET); 1934 COUNTER_INC(check_socket_stat); 1935 1936 return (0); 1937 } 1938 1939 COUNTER_DECL(check_socket_visible); 1940 static int 1941 mac_test_check_socket_visible(struct ucred *cred, struct socket *so, 1942 struct label *solabel) 1943 { 1944 1945 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1946 LABEL_CHECK(solabel, MAGIC_SOCKET); 1947 COUNTER_INC(check_socket_visible); 1948 1949 return (0); 1950 } 1951 1952 COUNTER_DECL(check_system_acct); 1953 static int 1954 mac_test_check_system_acct(struct ucred *cred, struct vnode *vp, 1955 struct label *vplabel) 1956 { 1957 1958 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1959 LABEL_CHECK(vplabel, MAGIC_VNODE); 1960 COUNTER_INC(check_system_acct); 1961 1962 return (0); 1963 } 1964 1965 COUNTER_DECL(check_system_audit); 1966 static int 1967 mac_test_check_system_audit(struct ucred *cred, void *record, int length) 1968 { 1969 1970 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1971 COUNTER_INC(check_system_audit); 1972 1973 return (0); 1974 } 1975 1976 COUNTER_DECL(check_system_auditctl); 1977 static int 1978 mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp, 1979 struct label *vplabel) 1980 { 1981 1982 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1983 LABEL_CHECK(vplabel, MAGIC_VNODE); 1984 COUNTER_INC(check_system_auditctl); 1985 1986 return (0); 1987 } 1988 1989 COUNTER_DECL(check_system_auditon); 1990 static int 1991 mac_test_check_system_auditon(struct ucred *cred, int cmd) 1992 { 1993 1994 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 1995 COUNTER_INC(check_system_auditon); 1996 1997 return (0); 1998 } 1999 2000 COUNTER_DECL(check_system_reboot); 2001 static int 2002 mac_test_check_system_reboot(struct ucred *cred, int how) 2003 { 2004 2005 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2006 COUNTER_INC(check_system_reboot); 2007 2008 return (0); 2009 } 2010 2011 COUNTER_DECL(check_system_swapoff); 2012 static int 2013 mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp, 2014 struct label *vplabel) 2015 { 2016 2017 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2018 LABEL_CHECK(vplabel, MAGIC_VNODE); 2019 COUNTER_INC(check_system_swapoff); 2020 2021 return (0); 2022 } 2023 2024 COUNTER_DECL(check_system_swapon); 2025 static int 2026 mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp, 2027 struct label *vplabel) 2028 { 2029 2030 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2031 LABEL_CHECK(vplabel, MAGIC_VNODE); 2032 COUNTER_INC(check_system_swapon); 2033 2034 return (0); 2035 } 2036 2037 COUNTER_DECL(check_system_sysctl); 2038 static int 2039 mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, 2040 void *arg1, int arg2, struct sysctl_req *req) 2041 { 2042 2043 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2044 COUNTER_INC(check_system_sysctl); 2045 2046 return (0); 2047 } 2048 2049 COUNTER_DECL(check_vnode_access); 2050 static int 2051 mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp, 2052 struct label *vplabel, int acc_mode) 2053 { 2054 2055 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2056 LABEL_CHECK(vplabel, MAGIC_VNODE); 2057 COUNTER_INC(check_vnode_access); 2058 2059 return (0); 2060 } 2061 2062 COUNTER_DECL(check_vnode_chdir); 2063 static int 2064 mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, 2065 struct label *dvplabel) 2066 { 2067 2068 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2069 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2070 COUNTER_INC(check_vnode_chdir); 2071 2072 return (0); 2073 } 2074 2075 COUNTER_DECL(check_vnode_chroot); 2076 static int 2077 mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, 2078 struct label *dvplabel) 2079 { 2080 2081 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2082 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2083 COUNTER_INC(check_vnode_chroot); 2084 2085 return (0); 2086 } 2087 2088 COUNTER_DECL(check_vnode_create); 2089 static int 2090 mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp, 2091 struct label *dvplabel, struct componentname *cnp, struct vattr *vap) 2092 { 2093 2094 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2095 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2096 COUNTER_INC(check_vnode_create); 2097 2098 return (0); 2099 } 2100 2101 COUNTER_DECL(check_vnode_deleteacl); 2102 static int 2103 mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, 2104 struct label *vplabel, acl_type_t type) 2105 { 2106 2107 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2108 LABEL_CHECK(vplabel, MAGIC_VNODE); 2109 COUNTER_INC(check_vnode_deleteacl); 2110 2111 return (0); 2112 } 2113 2114 COUNTER_DECL(check_vnode_deleteextattr); 2115 static int 2116 mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, 2117 struct label *vplabel, int attrnamespace, const char *name) 2118 { 2119 2120 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2121 LABEL_CHECK(vplabel, MAGIC_VNODE); 2122 COUNTER_INC(check_vnode_deleteextattr); 2123 2124 return (0); 2125 } 2126 2127 COUNTER_DECL(check_vnode_exec); 2128 static int 2129 mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp, 2130 struct label *vplabel, struct image_params *imgp, 2131 struct label *execlabel) 2132 { 2133 2134 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2135 LABEL_CHECK(vplabel, MAGIC_VNODE); 2136 LABEL_CHECK(execlabel, MAGIC_CRED); 2137 COUNTER_INC(check_vnode_exec); 2138 2139 return (0); 2140 } 2141 2142 COUNTER_DECL(check_vnode_getacl); 2143 static int 2144 mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp, 2145 struct label *vplabel, acl_type_t type) 2146 { 2147 2148 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2149 LABEL_CHECK(vplabel, MAGIC_VNODE); 2150 COUNTER_INC(check_vnode_getacl); 2151 2152 return (0); 2153 } 2154 2155 COUNTER_DECL(check_vnode_getextattr); 2156 static int 2157 mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 2158 struct label *vplabel, int attrnamespace, const char *name, 2159 struct uio *uio) 2160 { 2161 2162 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2163 LABEL_CHECK(vplabel, MAGIC_VNODE); 2164 COUNTER_INC(check_vnode_getextattr); 2165 2166 return (0); 2167 } 2168 2169 COUNTER_DECL(check_vnode_link); 2170 static int 2171 mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp, 2172 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2173 struct componentname *cnp) 2174 { 2175 2176 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2177 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2178 LABEL_CHECK(vplabel, MAGIC_VNODE); 2179 COUNTER_INC(check_vnode_link); 2180 2181 return (0); 2182 } 2183 2184 COUNTER_DECL(check_vnode_listextattr); 2185 static int 2186 mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, 2187 struct label *vplabel, int attrnamespace) 2188 { 2189 2190 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2191 LABEL_CHECK(vplabel, MAGIC_VNODE); 2192 COUNTER_INC(check_vnode_listextattr); 2193 2194 return (0); 2195 } 2196 2197 COUNTER_DECL(check_vnode_lookup); 2198 static int 2199 mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 2200 struct label *dvplabel, struct componentname *cnp) 2201 { 2202 2203 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2204 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2205 COUNTER_INC(check_vnode_lookup); 2206 2207 return (0); 2208 } 2209 2210 COUNTER_DECL(check_vnode_mmap); 2211 static int 2212 mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp, 2213 struct label *vplabel, int prot, int flags) 2214 { 2215 2216 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2217 LABEL_CHECK(vplabel, MAGIC_VNODE); 2218 COUNTER_INC(check_vnode_mmap); 2219 2220 return (0); 2221 } 2222 2223 COUNTER_DECL(check_vnode_open); 2224 static int 2225 mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp, 2226 struct label *vplabel, int acc_mode) 2227 { 2228 2229 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2230 LABEL_CHECK(vplabel, MAGIC_VNODE); 2231 COUNTER_INC(check_vnode_open); 2232 2233 return (0); 2234 } 2235 2236 COUNTER_DECL(check_vnode_poll); 2237 static int 2238 mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, 2239 struct vnode *vp, struct label *vplabel) 2240 { 2241 2242 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2243 if (file_cred != NULL) 2244 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2245 LABEL_CHECK(vplabel, MAGIC_VNODE); 2246 COUNTER_INC(check_vnode_poll); 2247 2248 return (0); 2249 } 2250 2251 COUNTER_DECL(check_vnode_read); 2252 static int 2253 mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, 2254 struct vnode *vp, struct label *vplabel) 2255 { 2256 2257 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2258 if (file_cred != NULL) 2259 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2260 LABEL_CHECK(vplabel, MAGIC_VNODE); 2261 COUNTER_INC(check_vnode_read); 2262 2263 return (0); 2264 } 2265 2266 COUNTER_DECL(check_vnode_readdir); 2267 static int 2268 mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, 2269 struct label *dvplabel) 2270 { 2271 2272 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2273 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2274 COUNTER_INC(check_vnode_readdir); 2275 2276 return (0); 2277 } 2278 2279 COUNTER_DECL(check_vnode_readlink); 2280 static int 2281 mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp, 2282 struct label *vplabel) 2283 { 2284 2285 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2286 LABEL_CHECK(vplabel, MAGIC_VNODE); 2287 COUNTER_INC(check_vnode_readlink); 2288 2289 return (0); 2290 } 2291 2292 COUNTER_DECL(check_vnode_relabel); 2293 static int 2294 mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp, 2295 struct label *vplabel, struct label *newlabel) 2296 { 2297 2298 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2299 LABEL_CHECK(vplabel, MAGIC_VNODE); 2300 LABEL_CHECK(newlabel, MAGIC_VNODE); 2301 COUNTER_INC(check_vnode_relabel); 2302 2303 return (0); 2304 } 2305 2306 COUNTER_DECL(check_vnode_rename_from); 2307 static int 2308 mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 2309 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2310 struct componentname *cnp) 2311 { 2312 2313 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2314 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2315 LABEL_CHECK(vplabel, MAGIC_VNODE); 2316 COUNTER_INC(check_vnode_rename_from); 2317 2318 return (0); 2319 } 2320 2321 COUNTER_DECL(check_vnode_rename_to); 2322 static int 2323 mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, 2324 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2325 int samedir, struct componentname *cnp) 2326 { 2327 2328 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2329 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2330 LABEL_CHECK(vplabel, MAGIC_VNODE); 2331 COUNTER_INC(check_vnode_rename_to); 2332 2333 return (0); 2334 } 2335 2336 COUNTER_DECL(check_vnode_revoke); 2337 static int 2338 mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp, 2339 struct label *vplabel) 2340 { 2341 2342 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2343 LABEL_CHECK(vplabel, MAGIC_VNODE); 2344 COUNTER_INC(check_vnode_revoke); 2345 2346 return (0); 2347 } 2348 2349 COUNTER_DECL(check_vnode_setacl); 2350 static int 2351 mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp, 2352 struct label *vplabel, acl_type_t type, struct acl *acl) 2353 { 2354 2355 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2356 LABEL_CHECK(vplabel, MAGIC_VNODE); 2357 COUNTER_INC(check_vnode_setacl); 2358 2359 return (0); 2360 } 2361 2362 COUNTER_DECL(check_vnode_setextattr); 2363 static int 2364 mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, 2365 struct label *vplabel, int attrnamespace, const char *name, 2366 struct uio *uio) 2367 { 2368 2369 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2370 LABEL_CHECK(vplabel, MAGIC_VNODE); 2371 COUNTER_INC(check_vnode_setextattr); 2372 2373 return (0); 2374 } 2375 2376 COUNTER_DECL(check_vnode_setflags); 2377 static int 2378 mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp, 2379 struct label *vplabel, u_long flags) 2380 { 2381 2382 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2383 LABEL_CHECK(vplabel, MAGIC_VNODE); 2384 COUNTER_INC(check_vnode_setflags); 2385 2386 return (0); 2387 } 2388 2389 COUNTER_DECL(check_vnode_setmode); 2390 static int 2391 mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp, 2392 struct label *vplabel, mode_t mode) 2393 { 2394 2395 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2396 LABEL_CHECK(vplabel, MAGIC_VNODE); 2397 COUNTER_INC(check_vnode_setmode); 2398 2399 return (0); 2400 } 2401 2402 COUNTER_DECL(check_vnode_setowner); 2403 static int 2404 mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp, 2405 struct label *vplabel, uid_t uid, gid_t gid) 2406 { 2407 2408 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2409 LABEL_CHECK(vplabel, MAGIC_VNODE); 2410 COUNTER_INC(check_vnode_setowner); 2411 2412 return (0); 2413 } 2414 2415 COUNTER_DECL(check_vnode_setutimes); 2416 static int 2417 mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 2418 struct label *vplabel, struct timespec atime, struct timespec mtime) 2419 { 2420 2421 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2422 LABEL_CHECK(vplabel, MAGIC_VNODE); 2423 COUNTER_INC(check_vnode_setutimes); 2424 2425 return (0); 2426 } 2427 2428 COUNTER_DECL(check_vnode_stat); 2429 static int 2430 mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, 2431 struct vnode *vp, struct label *vplabel) 2432 { 2433 2434 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2435 if (file_cred != NULL) 2436 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2437 LABEL_CHECK(vplabel, MAGIC_VNODE); 2438 COUNTER_INC(check_vnode_stat); 2439 2440 return (0); 2441 } 2442 2443 COUNTER_DECL(check_vnode_unlink); 2444 static int 2445 mac_test_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, 2446 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2447 struct componentname *cnp) 2448 { 2449 2450 LABEL_CHECK(cred->cr_label, MAGIC_CRED); 2451 LABEL_CHECK(dvplabel, MAGIC_VNODE); 2452 LABEL_CHECK(vplabel, MAGIC_VNODE); 2453 COUNTER_INC(check_vnode_unlink); 2454 2455 return (0); 2456 } 2457 2458 COUNTER_DECL(check_vnode_write); 2459 static int 2460 mac_test_check_vnode_write(struct ucred *active_cred, 2461 struct ucred *file_cred, struct vnode *vp, struct label *vplabel) 2462 { 2463 2464 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED); 2465 if (file_cred != NULL) 2466 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); 2467 LABEL_CHECK(vplabel, MAGIC_VNODE); 2468 COUNTER_INC(check_vnode_write); 2469 2470 return (0); 2471 } 2472 2473 static struct mac_policy_ops mac_test_ops = 2474 { 2475 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label, 2476 .mpo_init_cred_label = mac_test_init_cred_label, 2477 .mpo_init_devfs_label = mac_test_init_devfs_label, 2478 .mpo_init_ifnet_label = mac_test_init_ifnet_label, 2479 .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label, 2480 .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label, 2481 .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label, 2482 .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label, 2483 .mpo_init_inpcb_label = mac_test_init_inpcb_label, 2484 .mpo_init_ipq_label = mac_test_init_ipq_label, 2485 .mpo_init_mbuf_label = mac_test_init_mbuf_label, 2486 .mpo_init_mount_label = mac_test_init_mount_label, 2487 .mpo_init_pipe_label = mac_test_init_pipe_label, 2488 .mpo_init_posix_sem_label = mac_test_init_posix_sem_label, 2489 .mpo_init_proc_label = mac_test_init_proc_label, 2490 .mpo_init_socket_label = mac_test_init_socket_label, 2491 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label, 2492 .mpo_init_vnode_label = mac_test_init_vnode_label, 2493 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label, 2494 .mpo_destroy_cred_label = mac_test_destroy_cred_label, 2495 .mpo_destroy_devfs_label = mac_test_destroy_devfs_label, 2496 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label, 2497 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label, 2498 .mpo_destroy_sysv_msgqueue_label = 2499 mac_test_destroy_sysv_msgqueue_label, 2500 .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label, 2501 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label, 2502 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label, 2503 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 2504 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 2505 .mpo_destroy_mount_label = mac_test_destroy_mount_label, 2506 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, 2507 .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label, 2508 .mpo_destroy_proc_label = mac_test_destroy_proc_label, 2509 .mpo_destroy_socket_label = mac_test_destroy_socket_label, 2510 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 2511 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 2512 .mpo_copy_cred_label = mac_test_copy_cred_label, 2513 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label, 2514 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label, 2515 .mpo_copy_pipe_label = mac_test_copy_pipe_label, 2516 .mpo_copy_socket_label = mac_test_copy_socket_label, 2517 .mpo_copy_vnode_label = mac_test_copy_vnode_label, 2518 .mpo_externalize_cred_label = mac_test_externalize_label, 2519 .mpo_externalize_ifnet_label = mac_test_externalize_label, 2520 .mpo_externalize_pipe_label = mac_test_externalize_label, 2521 .mpo_externalize_socket_label = mac_test_externalize_label, 2522 .mpo_externalize_socket_peer_label = mac_test_externalize_label, 2523 .mpo_externalize_vnode_label = mac_test_externalize_label, 2524 .mpo_internalize_cred_label = mac_test_internalize_label, 2525 .mpo_internalize_ifnet_label = mac_test_internalize_label, 2526 .mpo_internalize_pipe_label = mac_test_internalize_label, 2527 .mpo_internalize_socket_label = mac_test_internalize_label, 2528 .mpo_internalize_vnode_label = mac_test_internalize_label, 2529 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 2530 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 2531 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 2532 .mpo_create_devfs_device = mac_test_create_devfs_device, 2533 .mpo_create_devfs_directory = mac_test_create_devfs_directory, 2534 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 2535 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 2536 .mpo_create_mount = mac_test_create_mount, 2537 .mpo_relabel_vnode = mac_test_relabel_vnode, 2538 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, 2539 .mpo_update_devfs = mac_test_update_devfs, 2540 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 2541 .mpo_create_pipe = mac_test_create_pipe, 2542 .mpo_create_posix_sem = mac_test_create_posix_sem, 2543 .mpo_create_socket = mac_test_create_socket, 2544 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, 2545 .mpo_relabel_pipe = mac_test_relabel_pipe, 2546 .mpo_relabel_socket = mac_test_relabel_socket, 2547 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 2548 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 2549 .mpo_create_bpfdesc = mac_test_create_bpfdesc, 2550 .mpo_create_ifnet = mac_test_create_ifnet, 2551 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket, 2552 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg, 2553 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue, 2554 .mpo_create_sysv_sem = mac_test_create_sysv_sem, 2555 .mpo_create_sysv_shm = mac_test_create_sysv_shm, 2556 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 2557 .mpo_create_fragment = mac_test_create_fragment, 2558 .mpo_create_ipq = mac_test_create_ipq, 2559 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb, 2560 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 2561 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 2562 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 2563 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 2564 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 2565 .mpo_fragment_match = mac_test_fragment_match, 2566 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp, 2567 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp, 2568 .mpo_relabel_ifnet = mac_test_relabel_ifnet, 2569 .mpo_update_ipq = mac_test_update_ipq, 2570 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel, 2571 .mpo_execve_transition = mac_test_execve_transition, 2572 .mpo_execve_will_transition = mac_test_execve_will_transition, 2573 .mpo_create_proc0 = mac_test_create_proc0, 2574 .mpo_create_proc1 = mac_test_create_proc1, 2575 .mpo_relabel_cred = mac_test_relabel_cred, 2576 .mpo_thread_userret = mac_test_thread_userret, 2577 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg, 2578 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue, 2579 .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem, 2580 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm, 2581 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 2582 .mpo_check_cred_relabel = mac_test_check_cred_relabel, 2583 .mpo_check_cred_visible = mac_test_check_cred_visible, 2584 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 2585 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, 2586 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver, 2587 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq, 2588 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv, 2589 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid, 2590 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget, 2591 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd, 2592 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv, 2593 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl, 2594 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl, 2595 .mpo_check_sysv_semget = mac_test_check_sysv_semget, 2596 .mpo_check_sysv_semop = mac_test_check_sysv_semop, 2597 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat, 2598 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl, 2599 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt, 2600 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget, 2601 .mpo_check_kenv_dump = mac_test_check_kenv_dump, 2602 .mpo_check_kenv_get = mac_test_check_kenv_get, 2603 .mpo_check_kenv_set = mac_test_check_kenv_set, 2604 .mpo_check_kenv_unset = mac_test_check_kenv_unset, 2605 .mpo_check_kld_load = mac_test_check_kld_load, 2606 .mpo_check_kld_stat = mac_test_check_kld_stat, 2607 .mpo_check_mount_stat = mac_test_check_mount_stat, 2608 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 2609 .mpo_check_pipe_poll = mac_test_check_pipe_poll, 2610 .mpo_check_pipe_read = mac_test_check_pipe_read, 2611 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, 2612 .mpo_check_pipe_stat = mac_test_check_pipe_stat, 2613 .mpo_check_pipe_write = mac_test_check_pipe_write, 2614 .mpo_check_posix_sem_destroy = mac_test_check_posix_sem, 2615 .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem, 2616 .mpo_check_posix_sem_open = mac_test_check_posix_sem, 2617 .mpo_check_posix_sem_post = mac_test_check_posix_sem, 2618 .mpo_check_posix_sem_unlink = mac_test_check_posix_sem, 2619 .mpo_check_posix_sem_wait = mac_test_check_posix_sem, 2620 .mpo_check_proc_debug = mac_test_check_proc_debug, 2621 .mpo_check_proc_sched = mac_test_check_proc_sched, 2622 .mpo_check_proc_setaudit = mac_test_check_proc_setaudit, 2623 .mpo_check_proc_setaudit_addr = mac_test_check_proc_setaudit_addr, 2624 .mpo_check_proc_setauid = mac_test_check_proc_setauid, 2625 .mpo_check_proc_setuid = mac_test_check_proc_setuid, 2626 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid, 2627 .mpo_check_proc_setgid = mac_test_check_proc_setgid, 2628 .mpo_check_proc_setegid = mac_test_check_proc_setegid, 2629 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups, 2630 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid, 2631 .mpo_check_proc_setregid = mac_test_check_proc_setregid, 2632 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid, 2633 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid, 2634 .mpo_check_proc_signal = mac_test_check_proc_signal, 2635 .mpo_check_proc_wait = mac_test_check_proc_wait, 2636 .mpo_check_socket_accept = mac_test_check_socket_accept, 2637 .mpo_check_socket_bind = mac_test_check_socket_bind, 2638 .mpo_check_socket_connect = mac_test_check_socket_connect, 2639 .mpo_check_socket_deliver = mac_test_check_socket_deliver, 2640 .mpo_check_socket_listen = mac_test_check_socket_listen, 2641 .mpo_check_socket_poll = mac_test_check_socket_poll, 2642 .mpo_check_socket_receive = mac_test_check_socket_receive, 2643 .mpo_check_socket_relabel = mac_test_check_socket_relabel, 2644 .mpo_check_socket_send = mac_test_check_socket_send, 2645 .mpo_check_socket_stat = mac_test_check_socket_stat, 2646 .mpo_check_socket_visible = mac_test_check_socket_visible, 2647 .mpo_check_system_acct = mac_test_check_system_acct, 2648 .mpo_check_system_audit = mac_test_check_system_audit, 2649 .mpo_check_system_auditctl = mac_test_check_system_auditctl, 2650 .mpo_check_system_auditon = mac_test_check_system_auditon, 2651 .mpo_check_system_reboot = mac_test_check_system_reboot, 2652 .mpo_check_system_swapoff = mac_test_check_system_swapoff, 2653 .mpo_check_system_swapon = mac_test_check_system_swapon, 2654 .mpo_check_system_sysctl = mac_test_check_system_sysctl, 2655 .mpo_check_vnode_access = mac_test_check_vnode_access, 2656 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 2657 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 2658 .mpo_check_vnode_create = mac_test_check_vnode_create, 2659 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 2660 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr, 2661 .mpo_check_vnode_exec = mac_test_check_vnode_exec, 2662 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 2663 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 2664 .mpo_check_vnode_link = mac_test_check_vnode_link, 2665 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr, 2666 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 2667 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 2668 .mpo_check_vnode_open = mac_test_check_vnode_open, 2669 .mpo_check_vnode_poll = mac_test_check_vnode_poll, 2670 .mpo_check_vnode_read = mac_test_check_vnode_read, 2671 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 2672 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, 2673 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 2674 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 2675 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, 2676 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke, 2677 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, 2678 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, 2679 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, 2680 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, 2681 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, 2682 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, 2683 .mpo_check_vnode_stat = mac_test_check_vnode_stat, 2684 .mpo_check_vnode_unlink = mac_test_check_vnode_unlink, 2685 .mpo_check_vnode_write = mac_test_check_vnode_write, 2686 }; 2687 2688 MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test", 2689 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot); 2690