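/*-
 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
 * Copyright (c) 2001-2005 McAfee, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by McAfee
 * Research, the Security Research Division of McAfee, Inc. under
 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
 * CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */

/*
 * Developed by the TrustedBSD Project.
 * Generic mandatory access module that does nothing.
 *
 * What the hooks in this file do instead of enforcing anything: the init
 * hooks stamp a per-object-class magic value into this policy's label slot,
 * the labeling event hooks assert that each label handed in still carries
 * the magic expected for its class, and the destroy hooks replace the magic
 * with EXMAGIC so that a second destroy or a corrupted slot is reported.
 */

#include <sys/param.h>
#include <sys/acl.h>
#include <sys/kdb.h>
#include <sys/kernel.h>
#include <sys/ksem.h>
#include <sys/malloc.h>
#include <sys/module.h>
#include <sys/mount.h>
#include <sys/msg.h>
#include <sys/proc.h>
#include <sys/vnode.h>
#include <sys/sem.h>
#include <sys/shm.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sx.h>
#include <sys/sysctl.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <security/mac/mac_policy.h>

SYSCTL_DECL(_security_mac);

SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * Writable security.mac.test.enabled knob, defaulting to 1.
 * NOTE(review): none of the label and event hooks in this part of the file
 * read this flag; confirm whether the hooks further down do.
 */
static int	mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");

/*
 * Per-object-class magic values written into the policy's label slot by the
 * init hooks.  EXMAGIC is the tombstone the destroy hooks leave behind.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	INPCBMAGIC	0x4440f7bb
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	SYSVIPCMSQMAGIC	0xea672391
#define	SYSVIPCMSGMAGIC	0x8bbba61e
#define	SYSVIPCSEMMAGIC	0x896e8a0b
#define	SYSVIPCSHMMAGIC	0x76119ab0
#define	PIPEMAGIC	0xdc6c9919
#define	POSIXSEMMAGIC	0x78ae980c
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
#define	EXMAGIC		0x849ba1fd

/* Read and write this policy's slot (test_slot) in a label. */
#define	SLOT(x)		mac_label_get((x), test_slot)
#define	SLOT_SET(x, v)	mac_label_set((x), test_slot, (v))

/*
 * Label sanity assertions, one per object class.  Each accepts the class
 * magic or 0 and fails the KASSERT on anything else, including EXMAGIC, so
 * a label that was already destroyed trips the check.
 * NOTE(review): 0 is presumably the value of a slot that no init hook of
 * this policy has stamped yet; confirm against the framework.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad BPF label", __func__))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__))
#define	ASSERT_IFNET_LABEL(x)	KASSERT(SLOT(x) == IFNETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IFNET label", __func__))
#define	ASSERT_INPCB_LABEL(x)	KASSERT(SLOT(x) == INPCBMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad INPCB label", __func__))
#define	ASSERT_IPQ_LABEL(x)	KASSERT(SLOT(x) == IPQMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad IPQ label", __func__))
/*
 * The mbuf variant also accepts a NULL label.  The argument is
 * parenthesized in the NULL test so that an expression argument cannot
 * change how the comparison groups.
 */
#define	ASSERT_MBUF_LABEL(x)	KASSERT((x) == NULL ||			\
	SLOT(x) == MBUFMAGIC || SLOT(x) == 0,				\
	("%s: Bad MBUF label", __func__))
#define	ASSERT_MOUNT_LABEL(x)	KASSERT(SLOT(x) == MOUNTMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad MOUNT label", __func__))
#define	ASSERT_SOCKET_LABEL(x)	KASSERT(SLOT(x) == SOCKETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad SOCKET label", __func__))
#define	ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__))
#define	ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__))
#define	ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__))
#define	ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__))
#define	ASSERT_PIPE_LABEL(x)	KASSERT(SLOT(x) == PIPEMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PIPE label", __func__))
#define	ASSERT_POSIX_LABEL(x)	KASSERT(SLOT(x) == POSIXSEMMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad POSIX ksem label", __func__))
#define	ASSERT_PROC_LABEL(x)	KASSERT(SLOT(x) == PROCMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PROC label", __func__))
#define	ASSERT_CRED_LABEL(x)	KASSERT(SLOT(x) == CREDMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad CRED label", __func__))
#define	ASSERT_VNODE_LABEL(x)	KASSERT(SLOT(x) == VNODEMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad VNODE label", __func__))

/* Label slot index used by SLOT()/SLOT_SET(); exported read-only. */
static int	test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");

/* First of the init counters; its sysctl follows immediately below. */
static int	init_count_bpfdesc;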
/*
 * Storage for the init counters (one per label init hook) and for the first
 * few destroy counters.  The hooks bump them with atomic_add_int().
 */
static int	init_count_cred;
static int	init_count_devfsdirent;
static int	init_count_ifnet;
static int	init_count_inpcb;
static int	init_count_sysv_msg;
static int	init_count_sysv_msq;
static int	init_count_sysv_sem;
static int	init_count_sysv_shm;
static int	init_count_ipq;
static int	init_count_mbuf;
static int	init_count_mount;
static int	init_count_mount_fslabel;
static int	init_count_socket;
static int	init_count_socket_peerlabel;
static int	init_count_pipe;
static int	init_count_posixsems;
static int	init_count_proc;
static int	init_count_vnode;

static int	destroy_count_bpfdesc;
static int	destroy_count_cred;
static int	destroy_count_devfsdirent;
static int	destroy_count_ifnet;
static int	destroy_count_inpcb;
static int	destroy_count_sysv_msg;

/*
 * security.mac.test.init_count_*: read-only (CTLFLAG_RD) views of the init
 * counters, registered in the same order as before.
 */
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
    &init_count_bpfdesc, 0, "bpfdesc init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
    &init_count_cred, 0, "cred init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
    &init_count_devfsdirent, 0, "devfsdirent init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
    &init_count_ifnet, 0, "ifnet init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
    &init_count_inpcb, 0, "inpcb init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD,
    &init_count_sysv_msg, 0, "ipc_msg init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD,
    &init_count_sysv_msq, 0, "ipc_msq init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sem, CTLFLAG_RD,
    &init_count_sysv_sem, 0, "ipc_sema init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD,
    &init_count_sysv_shm, 0, "ipc_shm init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
    &init_count_ipq, 0, "ipq init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
    &init_count_mbuf, 0, "mbuf init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
    &init_count_mount, 0, "mount init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel,
    CTLFLAG_RD, &init_count_mount_fslabel, 0, "mount_fslabel init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
    &init_count_socket, 0, "socket init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
    CTLFLAG_RD, &init_count_socket_peerlabel, 0,
    "socket_peerlabel init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
    &init_count_pipe, 0, "pipe init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_posixsems, CTLFLAG_RD,
    &init_count_posixsems, 0, "posix sems init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
    &init_count_proc, 0, "proc init calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
    &init_count_vnode, 0, "vnode init calls");

/*
 * security.mac.test.destroy_count_*: read-only views of the destroy
 * counters.  The sysctl for destroy_count_sysv_msg follows this run.
 */
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
    &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
    &destroy_count_cred, 0, "cred destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
    &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
    &destroy_count_ifnet, 0, "ifnet destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
    &destroy_count_inpcb, 0, "inpcb destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD,
    &destroy_count_sysv_msg, 0, "ipc_msg destroy calls");

/*
 * Storage for the remaining destroy counters and for the two label
 * externalize/internalize counters.
 */
static int	destroy_count_sysv_msq;
static int	destroy_count_sysv_sem;
static int	destroy_count_sysv_shm;
static int	destroy_count_ipq;
static int	destroy_count_mbuf;
static int	destroy_count_mount;
static int	destroy_count_mount_fslabel;
static int	destroy_count_socket;
static int	destroy_count_socket_peerlabel;
static int	destroy_count_pipe;
static int	destroy_count_posixsems;
static int	destroy_count_proc;
static int	destroy_count_vnode;

static int	externalize_count;
static int	internalize_count;

/* Read-only sysctl views of the counters above, in the original order. */
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD,
    &destroy_count_sysv_msq, 0, "ipc_msq destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sem, CTLFLAG_RD,
    &destroy_count_sysv_sem, 0, "ipc_sema destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD,
    &destroy_count_sysv_shm, 0, "ipc_shm destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
    &destroy_count_ipq, 0, "ipq destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
    &destroy_count_mbuf, 0, "mbuf destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
    &destroy_count_mount, 0, "mount destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
    CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
    "mount_fslabel destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
    &destroy_count_socket, 0, "socket destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
    CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
    "socket_peerlabel destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
    &destroy_count_pipe, 0, "pipe destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_posixsems, CTLFLAG_RD,
    &destroy_count_posixsems, 0, "posix sems destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
    &destroy_count_proc, 0, "proc destroy calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
    &destroy_count_vnode, 0, "vnode destroy calls");

SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");

/*
 * How a lifecycle violation is reported: enter the kernel debugger when KDB
 * is compiled in, otherwise print a "mac_test: ..." line.
 */
#ifndef KDB
#define	DEBUGGER(x)	printf("mac_test: %s\n", (x))
#else
#define	DEBUGGER(x)	kdb_enter(x)
#endif

/*
 * Label operations.
 *
 * Every init hook below counts the call and stamps the label slot with the
 * magic of its object class.  The variants that take a flag also issue a
 * WITNESS_WARN when M_WAITOK is set, and always return 0.
 */

/* Init hook for bpf descriptor labels: count the call, stamp BPFMAGIC. */
static void
mac_test_init_bpfdesc_label(struct label *label)
{

	atomic_add_int(&init_count_bpfdesc, 1);
	SLOT_SET(label, BPFMAGIC);
}

/* Init hook for credential labels: count the call, stamp CREDMAGIC. */
static void
mac_test_init_cred_label(struct label *label)
{

	atomic_add_int(&init_count_cred, 1);
	SLOT_SET(label, CREDMAGIC);
}

/* Init hook for devfs dirent labels: count the call, stamp DEVFSMAGIC. */
static void
mac_test_init_devfsdirent_label(struct label *label)
{

	atomic_add_int(&init_count_devfsdirent, 1);
	SLOT_SET(label, DEVFSMAGIC);
}

/* Init hook for ifnet labels: count the call, stamp IFNETMAGIC. */
static void
mac_test_init_ifnet_label(struct label *label)
{

	atomic_add_int(&init_count_ifnet, 1);
	SLOT_SET(label, IFNETMAGIC);
}

/*
 * Init hook for inpcb labels.  With M_WAITOK set in flag the WITNESS_WARN
 * runs first; then the call is counted and INPCBMAGIC is stamped.
 * Always returns 0.
 */
static int
mac_test_init_inpcb_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_inpcb_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	atomic_add_int(&init_count_inpcb, 1);
	SLOT_SET(label, INPCBMAGIC);
	return (0);
}

/* Init hook for SysV message labels: count, stamp SYSVIPCMSGMAGIC. */
static void
mac_test_init_sysv_msgmsg_label(struct label *label)
{

	atomic_add_int(&init_count_sysv_msg, 1);
	SLOT_SET(label, SYSVIPCMSGMAGIC);
}

/* Init hook for SysV message queue labels: count, stamp SYSVIPCMSQMAGIC. */
static void
mac_test_init_sysv_msgqueue_label(struct label *label)
{

	atomic_add_int(&init_count_sysv_msq, 1);
	SLOT_SET(label, SYSVIPCMSQMAGIC);
}

/* Init hook for SysV semaphore labels: count, stamp SYSVIPCSEMMAGIC. */
static void
mac_test_init_sysv_sem_label(struct label *label)
{

	atomic_add_int(&init_count_sysv_sem, 1);
	SLOT_SET(label, SYSVIPCSEMMAGIC);
}

/* Init hook for SysV shared memory labels: count, stamp SYSVIPCSHMMAGIC. */
static void
mac_test_init_sysv_shm_label(struct label *label)
{

	atomic_add_int(&init_count_sysv_shm, 1);
	SLOT_SET(label, SYSVIPCSHMMAGIC);
}

/*
 * Init hook for IP fragment queue labels; same shape as the inpcb hook,
 * stamping IPQMAGIC.  Always returns 0.
 */
static int
mac_test_init_ipq_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	atomic_add_int(&init_count_ipq, 1);
	SLOT_SET(label, IPQMAGIC);
	return (0);
}

/*
 * Init hook for mbuf labels; same shape as the inpcb hook, stamping
 * MBUFMAGIC.  Always returns 0.
 */
static int
mac_test_init_mbuf_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	atomic_add_int(&init_count_mbuf, 1);
	SLOT_SET(label, MBUFMAGIC);
	return (0);
}

/* Init hook for mount labels: count the call, stamp MOUNTMAGIC. */
static void
mac_test_init_mount_label(struct label *label)
{

	atomic_add_int(&init_count_mount, 1);
	SLOT_SET(label, MOUNTMAGIC);
}

/*
 * Init hook for mount fs labels.  Uses the same MOUNTMAGIC as the mount
 * label but has its own counter.
 */
static void
mac_test_init_mount_fs_label(struct label *label)
{

	atomic_add_int(&init_count_mount_fslabel, 1);
	SLOT_SET(label, MOUNTMAGIC);
}

/*
 * Init hook for socket labels; same shape as the inpcb hook, stamping
 * SOCKETMAGIC.  Always returns 0.
 */
static int
mac_test_init_socket_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	atomic_add_int(&init_count_socket, 1);
	SLOT_SET(label, SOCKETMAGIC);
	return (0);
}

/*
 * Init hook for socket peer labels.  Warns through WITNESS_WARN when
 * M_WAITOK is set in flag, counts the call and stamps SOCKETMAGIC (the same
 * magic as the socket label itself).  Always returns 0.
 */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{

	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	atomic_add_int(&init_count_socket_peerlabel, 1);
	SLOT_SET(label, SOCKETMAGIC);
	return (0);
}

/* Init hook for pipe labels: count the call, stamp PIPEMAGIC. */
static void
mac_test_init_pipe_label(struct label *label)
{

	atomic_add_int(&init_count_pipe, 1);
	SLOT_SET(label, PIPEMAGIC);
}

/* Init hook for POSIX semaphore labels: count, stamp POSIXSEMMAGIC. */
static void
mac_test_init_posix_sem_label(struct label *label)
{

	atomic_add_int(&init_count_posixsems, 1);
	SLOT_SET(label, POSIXSEMMAGIC);
}

/* Init hook for process labels: count the call, stamp PROCMAGIC. */
static void
mac_test_init_proc_label(struct label *label)
{

	atomic_add_int(&init_count_proc, 1);
	SLOT_SET(label, PROCMAGIC);
}

/* Init hook for vnode labels: count the call, stamp VNODEMAGIC. */
static void
mac_test_init_vnode_label(struct label *label)
{

	atomic_add_int(&init_count_vnode, 1);
	SLOT_SET(label, VNODEMAGIC);
}

/*
 * Destroy hooks.  Each one inspects the slot and takes one of three paths:
 *   - EXMAGIC: the label was already destroyed, report "dup destroy";
 *   - neither the class magic nor 0: report "corrupted label";
 *   - otherwise: count the destroy and leave EXMAGIC behind as a tombstone.
 * Reporting goes through DEBUGGER(); the slot is left untouched on the two
 * error paths.
 */

/* Destroy hook for bpf descriptor labels (BPFMAGIC). */
static void
mac_test_destroy_bpfdesc_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_bpfdesc: dup destroy");
		return;
	}
	if (SLOT(label) != BPFMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_bpfdesc: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_bpfdesc, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for credential labels (CREDMAGIC). */
static void
mac_test_destroy_cred_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_cred: dup destroy");
		return;
	}
	if (SLOT(label) != CREDMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_cred: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_cred, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for devfs dirent labels (DEVFSMAGIC). */
static void
mac_test_destroy_devfsdirent_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_devfsdirent: dup destroy");
		return;
	}
	if (SLOT(label) != DEVFSMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_devfsdirent: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_devfsdirent, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for ifnet labels (IFNETMAGIC). */
static void
mac_test_destroy_ifnet_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_ifnet: dup destroy");
		return;
	}
	if (SLOT(label) != IFNETMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_ifnet: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_ifnet, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for inpcb labels (INPCBMAGIC). */
static void
mac_test_destroy_inpcb_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_inpcb: dup destroy");
		return;
	}
	if (SLOT(label) != INPCBMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_inpcb: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_inpcb, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for SysV message labels (SYSVIPCMSGMAGIC). */
static void
mac_test_destroy_sysv_msgmsg_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy");
		return;
	}
	if (SLOT(label) != SYSVIPCMSGMAGIC && SLOT(label) != 0) {
		DEBUGGER(
		    "mac_test_destroy_sysv_msgmsg_label: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_sysv_msg, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for SysV message queue labels (SYSVIPCMSQMAGIC). */
static void
mac_test_destroy_sysv_msgqueue_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy");
		return;
	}
	if (SLOT(label) != SYSVIPCMSQMAGIC && SLOT(label) != 0) {
		DEBUGGER(
		    "mac_test_destroy_sysv_msgqueue_label: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_sysv_msq, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for SysV semaphore labels (SYSVIPCSEMMAGIC). */
static void
mac_test_destroy_sysv_sem_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_sem_label: dup destroy");
		return;
	}
	if (SLOT(label) != SYSVIPCSEMMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_sysv_sem_label: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_sysv_sem, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for SysV shared memory labels (SYSVIPCSHMMAGIC). */
static void
mac_test_destroy_sysv_shm_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy");
		return;
	}
	if (SLOT(label) != SYSVIPCSHMMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_sysv_shm, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for IP fragment queue labels (IPQMAGIC). */
static void
mac_test_destroy_ipq_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_ipq: dup destroy");
		return;
	}
	if (SLOT(label) != IPQMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_ipq: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_ipq, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for mbuf labels (MBUFMAGIC); tolerates a NULL label. */
static void
mac_test_destroy_mbuf_label(struct label *label)
{

	/*
	 * When the policy is loaded dynamically, mbufs already in flight may
	 * have no label storage at all.  There is nothing to check or count
	 * for those.
	 */
	if (label == NULL)
		return;

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mbuf: dup destroy");
		return;
	}
	if (SLOT(label) != MBUFMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_mbuf: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_mbuf, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for mount labels (MOUNTMAGIC). */
static void
mac_test_destroy_mount_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mount: dup destroy");
		return;
	}
	if (SLOT(label) != MOUNTMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_mount: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_mount, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for mount fs labels (MOUNTMAGIC, separate counter). */
static void
mac_test_destroy_mount_fs_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy");
		return;
	}
	if (SLOT(label) != MOUNTMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_mount_fslabel, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for socket labels (SOCKETMAGIC). */
static void
mac_test_destroy_socket_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_socket: dup destroy");
		return;
	}
	if (SLOT(label) != SOCKETMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_socket: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_socket, 1);
	SLOT_SET(label, EXMAGIC);
}

/* Destroy hook for socket peer labels (SOCKETMAGIC, separate counter). */
static void
mac_test_destroy_socket_peer_label(struct label *label)
{

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy");
		return;
	}
	if (SLOT(label) != SOCKETMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_socket_peerlabel, 1);
	SLOT_SET(label, EXMAGIC);
}
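
/*
 * Destroy hook for pipe labels.  A slot holding PIPEMAGIC or 0 is counted
 * and overwritten with EXMAGIC; EXMAGIC means the label was destroyed
 * before; anything else is reported as corruption.
 */
static void
mac_test_destroy_pipe_label(struct label *label)
{

	if (SLOT(label) == PIPEMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_pipe, 1);
		SLOT_SET(label, EXMAGIC);
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_pipe: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_pipe: corrupted label");
	}
}

/* Destroy hook for POSIX semaphore labels (POSIXSEMMAGIC); same scheme. */
static void
mac_test_destroy_posix_sem_label(struct label *label)
{

	if (SLOT(label) == POSIXSEMMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_posixsems, 1);
		SLOT_SET(label, EXMAGIC);
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_posix_sem: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_posix_sem: corrupted label");
	}
}

/* Destroy hook for process labels (PROCMAGIC); same scheme. */
static void
mac_test_destroy_proc_label(struct label *label)
{

	if (SLOT(label) == PROCMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_proc, 1);
		SLOT_SET(label, EXMAGIC);
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_proc: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_proc: corrupted label");
	}
}

/* Destroy hook for vnode labels (VNODEMAGIC); same scheme. */
static void
mac_test_destroy_vnode_label(struct label *label)
{

	if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
		atomic_add_int(&destroy_count_vnode, 1);
		SLOT_SET(label, EXMAGIC);
	} else if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_vnode: dup destroy");
	} else {
		DEBUGGER("mac_test_destroy_vnode: corrupted label");
	}
}

/*
 * Copy hooks.  Nothing is copied: each hook only asserts that the source
 * and destination labels carry the magic of the expected class (or 0).
 */
static void
mac_test_copy_cred_label(struct label *src, struct label *dest)
{

	ASSERT_CRED_LABEL(src);
	ASSERT_CRED_LABEL(dest);
}

static void
mac_test_copy_ifnet_label(struct label *src, struct label *dest)
{

	ASSERT_IFNET_LABEL(src);
	ASSERT_IFNET_LABEL(dest);
}

/* The mbuf assertion additionally accepts NULL labels. */
static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{

	ASSERT_MBUF_LABEL(src);
	ASSERT_MBUF_LABEL(dest);
}

static void
mac_test_copy_pipe_label(struct label *src, struct label *dest)
{

	ASSERT_PIPE_LABEL(src);
	ASSERT_PIPE_LABEL(dest);
}

static void
mac_test_copy_socket_label(struct label *src, struct label *dest)
{

	ASSERT_SOCKET_LABEL(src);
	ASSERT_SOCKET_LABEL(dest);
}

static void
mac_test_copy_vnode_label(struct label *src, struct label *dest)
{

	ASSERT_VNODE_LABEL(src);
	ASSERT_VNODE_LABEL(dest);
}

/*
 * Externalize hook.  Counts the call and asserts that the label has not
 * been destroyed (slot != EXMAGIC).  It writes nothing to sb, does not touch
 * *claimed, and always returns 0.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{

	atomic_add_int(&externalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_externalize_label: destroyed label"));

	return (0);
}

/*
 * Internalize hook.  Counts the call and asserts that the label has not
 * been destroyed.  element_data is not parsed, *claimed is not touched, and
 * the return value is always 0.
 */
static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{

	atomic_add_int(&internalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_internalize_label: destroyed label"));

	return (0);
}

/*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.
 *
 * None of these hooks changes a label; each asserts the class magic of the
 * labels it is handed.
 */

/* Check the mount, devfs dirent and vnode labels. */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_DEVFS_LABEL(delabel);
	ASSERT_VNODE_LABEL(vlabel);
}

/* Check the mount and vnode labels; always returns 0. */
static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
	return (0);
}

/* Check the mount and vnode labels. */
static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{

	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
}

/*
 * Check the devfs dirent label.  This hook tolerates a NULL cred, so the
 * credential label is only checked when a credential is supplied.
 */
static void
mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
{

	if (cred != NULL) {
		ASSERT_CRED_LABEL(cred->cr_label);
	}
	ASSERT_DEVFS_LABEL(label);
}

/* Check the devfs dirent label of the new directory. */
static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{

	ASSERT_DEVFS_LABEL(label);
}

/* Check the credential label and both devfs dirent labels. */
static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_DEVFS_LABEL(ddlabel);
	ASSERT_DEVFS_LABEL(delabel);
}

/*
 * Check the credential, mount and parent directory vnode labels; always
 * returns 0.
 * NOTE(review): vlabel, the label of the new vnode, is not checked here;
 * confirm whether that is intentional.
 */
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Check the credential label and both mount labels. */
static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

/* Check the credential label and the current and new vnode labels. */
static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(label);
}

/* Check the credential label and both vnode labels; always returns 0. */
static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vlabel);
	ASSERT_VNODE_LABEL(intlabel);
	return (0);
}

/* Check the devfs dirent and vnode labels. */
static void
mac_test_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{

	ASSERT_DEVFS_LABEL(direntlabel);
	ASSERT_VNODE_LABEL(vnodelabel);
}

/*
 * Labeling event operations: IPC objects.
 */

/* Check the socket and mbuf labels. */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Check the credential and socket labels. */
static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
}

/* Check the credential and pipe labels. */
static void
mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
}

/* Check the credential and POSIX semaphore labels. */
static void
mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem,
    struct label *posixlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_POSIX_LABEL(posixlabel);
}

/* Check the labels of the old and the new socket. */
static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketlabel);
}

/*
 * Check the credential label and the current and new socket labels.  The
 * current label (socketlabel) is asserted as well, matching what the pipe
 * and vnode relabel hooks do for their current label; it was previously
 * passed in unchecked.
 */
static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);
}

/* Check the credential label and the current and new pipe labels. */
static void
mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
}

/* Check the mbuf label and the socket peer label. */
static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{

	ASSERT_MBUF_LABEL(mbuflabel);
	ASSERT_SOCKET_LABEL(socketpeerlabel);
}

/*
 * Labeling event operations: network objects.
 */

/* Check the old socket label and the new socket's peer label. */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}

/* Check the credential and bpf descriptor labels. */
static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}

/* Check the fragment queue label and the datagram's mbuf label. */
static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}

/* Check the mbuf labels of the datagram and the fragment. */
static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}

/* Check the ifnet label. */
static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
}

/* Check the socket and inpcb labels. */
static void
mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/* Check the SysV message and message queue labels; cred is not examined. */
static void
mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

/* Check the SysV message queue label; cred is not examined. */
static void
mac_test_create_sysv_msgqueue(struct ucred *cred,
    struct msqid_kernel *msqkptr, struct label *msqlabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

/* Check the SysV semaphore label; cred is not examined. */
static void
mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semalabel)
{

	ASSERT_SYSVIPCSEM_LABEL(semalabel);
}

/* Check the SysV shared memory label; cred is not examined. */
static void
mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmlabel)
{

	ASSERT_SYSVIPCSHM_LABEL(shmlabel);
}

/* Check the fragment's mbuf label and the fragment queue label. */
static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

/* Check the inpcb and mbuf labels. */
static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
}

/* Check the ifnet and mbuf labels. */
static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Check the bpf descriptor and mbuf labels. */
static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Check the ifnet and mbuf labels. */
static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Check the old mbuf, ifnet and new mbuf labels. */
static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{
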
1149 ASSERT_MBUF_LABEL(oldmbuflabel); 1150 ASSERT_MBUF_LABEL(newmbuflabel); 1151 } 1152 1153 static int 1154 mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, 1155 struct ipq *ipq, struct label *ipqlabel) 1156 { 1157 1158 ASSERT_MBUF_LABEL(fragmentlabel); 1159 ASSERT_IPQ_LABEL(ipqlabel); 1160 1161 return (1); 1162 } 1163 1164 static void 1165 mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel) 1166 { 1167 1168 ASSERT_MBUF_LABEL(mlabel); 1169 } 1170 1171 static void 1172 mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel) 1173 { 1174 1175 ASSERT_MBUF_LABEL(mlabel); 1176 } 1177 1178 static void 1179 mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, 1180 struct label *ifnetlabel, struct label *newlabel) 1181 { 1182 1183 ASSERT_CRED_LABEL(cred->cr_label); 1184 ASSERT_IFNET_LABEL(ifnetlabel); 1185 ASSERT_IFNET_LABEL(newlabel); 1186 } 1187 1188 static void 1189 mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, 1190 struct ipq *ipq, struct label *ipqlabel) 1191 { 1192 1193 ASSERT_MBUF_LABEL(fragmentlabel); 1194 ASSERT_IPQ_LABEL(ipqlabel); 1195 } 1196 1197 static void 1198 mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel, 1199 struct inpcb *inp, struct label *inplabel) 1200 { 1201 1202 ASSERT_SOCKET_LABEL(solabel); 1203 ASSERT_INPCB_LABEL(inplabel); 1204 } 1205 1206 /* 1207 * Labeling event operations: processes. 
*/
/*
 * Asserts the old and new credential labels and the executed file's vnode
 * label.  The interpreter vnode label and the exec label are optional and
 * are only asserted when non-NULL.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}

/*
 * Asserts the credential and file vnode labels, plus the optional
 * interpreter vnode and exec labels when non-NULL.  Returns 0
 * unconditionally (presumably "no label transition on exec" -- confirm
 * against the MAC framework's caller).
 */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/* Asserts the credential label. */
static void
mac_test_create_proc0(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

/* Asserts the credential label. */
static void
mac_test_create_proc1(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

/*
 * Asserts the credential's current label and the replacement label.
 * Nothing is copied into the credential label here.
 */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}

/*
 * Prints the pid of curthread's process with printf().  The td argument is
 * not used; the message is built from curthread instead.
 * NOTE(review): the message is emitted on every invocation with no rate
 * limit -- confirm how often the framework calls this hook.
 */
static void
mac_test_thread_userret(struct thread *td)
{

	printf("mac_test_thread_userret(process = %d)\n",
	    curthread->td_proc->p_pid);
}

/*
 * Label cleanup/flush operations
 */

/* Asserts the SysV message label; the label itself is left untouched. */
static void
mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
}

/* Asserts the SysV message queue label; the label is left untouched. */
static void
mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

static void
mac_test_cleanup_sysv_sem(struct label *semalabel)
{

	/* Only asserts the SysV semaphore label; nothing is cleared. */
	ASSERT_SYSVIPCSEM_LABEL(semalabel);
}

/* Asserts the SysV shared memory label; the label is left untouched. */
static void
mac_test_cleanup_sysv_shm(struct label *shmlabel)
{

	ASSERT_SYSVIPCSHM_LABEL(shmlabel);
}

/*
 * Access control checks.
 */
/*
 * NOTE(review): every check hook visible here returns 0 unconditionally once
 * its label assertions have run, and none of them consults mac_test_enabled
 * (the security.mac.test.enabled sysctl declared at the top of the file).
 * The policy therefore never denies an operation; its only effect is the
 * KASSERT-based label validation.
 */

/* Asserts the BPF descriptor and interface labels; always returns 0. */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}

/* Asserts the current and proposed credential labels; always returns 0. */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}

/* Asserts both credentials' labels; always returns 0. */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);

	return (0);
}

/*
 * Asserts the credential label, the interface's current label and the
 * proposed label; always returns 0.
 */
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
	return (0);
}

/* Asserts the interface and mbuf labels; always returns 0. */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* Asserts the inpcb and mbuf labels; always returns 0. */
static int
mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);

	return (0);
}

/*
 * Asserts the message queue, message and credential labels; always
 * returns 0.
 */
static int
mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the message and credential labels; always returns 0. */
static int
mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}


/* Asserts the message and credential labels; always returns 0. */
static int
mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the message queue and credential labels; always returns 0. */
static int
mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the message queue and credential labels; always returns 0. */
static int
mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the message queue and credential labels; always returns 0. */
static int
mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the message queue and credential labels; cmd is ignored.  Always
 * returns 0.
 */
static int
mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel, int cmd)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the credential and semaphore labels; cmd is ignored.  Always
 * returns 0.
 */
static int
mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel, int cmd)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

/* Asserts the credential and semaphore labels; always returns 0. */
static int
mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

/*
 * Asserts the credential and semaphore labels; accesstype is ignored.
 * Always returns 0.
 */
static int
mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel, size_t accesstype)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

/*
 * Asserts the credential and shared memory labels; shmflg is ignored.
 * Always returns 0.
 */
static int
mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int shmflg)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/*
 * Asserts the credential and shared memory labels; cmd is ignored.  Always
 * returns 0.
 */
static int
mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int cmd)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/* Asserts the credential and shared memory labels; always returns 0. */
static int
mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/*
 * Asserts the credential and shared memory labels; shmflg is ignored.
 * Always returns 0.
 */
static int
mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int shmflg)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

/* Asserts the credential label; always returns 0. */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; name is ignored.  Always returns 0. */
static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the credential label; name and value are ignored.  Always
 * returns 0.
 */
static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; name is ignored.  Always returns 0. */
static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential and module vnode labels; always returns 0. */
static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Asserts the credential label; always returns 0. */
static int
mac_test_check_kld_stat(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0. */
static int
mac_test_check_kld_unload(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential and mount labels; always returns 0. */
static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);

	return (0);
}

/*
 * Asserts the credential and pipe labels; cmd and data are ignored.  Always
 * returns 0.
 */
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Asserts the credential and pipe labels; always returns 0. */
static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Asserts the credential and pipe labels; always returns 0. */
static int
mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/*
 * Asserts the credential label, the pipe's current label and the proposed
 * label; always returns 0.
 */
static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);

	return (0);
}

/* Asserts the credential and pipe labels; always returns 0. */
static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Asserts the credential and pipe labels; always returns 0. */
static int
mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

/* Asserts the credential and POSIX semaphore labels; always returns 0. */
static int
mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr,
    struct label *ks_label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_POSIX_LABEL(ks_label);

	return (0);
}

/*
 * Asserts the subject credential's label and the label of the target
 * process's credential (proc->p_ucred); always returns 0.
 */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/*
 * Asserts the subject credential's label and the label of the target
 * process's credential; always returns 0.
 */
static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/*
 * Asserts the subject credential's label and the label of the target
 * process's credential; signum is ignored.  Always returns 0.
 */
static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Asserts the credential label; uid is ignored.  Always returns 0. */
static int
mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; euid is ignored.  Always returns 0. */
static int
mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; gid is ignored.  Always returns 0. */
static int
mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
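mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
{

	/* Only the credential label is asserted; egid is ignored. */
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the credential label; ngroups and gidset are ignored.  Always
 * returns 0.
 */
static int
mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
    gid_t *gidset)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; the ids are ignored.  Always returns 0. */
static int
mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; the ids are ignored.  Always returns 0. */
static int
mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; the ids are ignored.  Always returns 0. */
static int
mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
    uid_t suid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; the ids are ignored.  Always returns 0. */
static int
mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
    gid_t sgid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the subject credential's label and the label of the target
 * process's credential (proc->p_ucred); always returns 0.
 */
static int
mac_test_check_proc_wait(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/*
 * Asserts the credential and socket labels; sockaddr is ignored.  Always
 * returns 0.
 */
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/*
 * Asserts the credential and socket labels; sockaddr is ignored.  Always
 * returns 0.
 */
static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Asserts the socket and mbuf labels; always returns 0. */
static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/*
 * Asserts the credential label, the socket's current label and the proposed
 * label; always returns 0.
 */
static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Asserts the credential and socket labels; always returns 0. */
static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

/* Asserts the credential label; always returns 0. */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the credential label and, when one is supplied, the accounting
 * vnode's label; always returns 0.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	/*
	 * Validate the vnode label as the swapon/swapoff hooks do.  The
	 * check is guarded because nothing in this file shows that label is
	 * always non-NULL here (presumably it is NULL when no accounting
	 * vnode is passed -- confirm against the caller).
	 */
	if (label != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

/* Asserts the credential label; how is ignored.  Always returns 0. */
static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential label; always returns 0. */
static int
mac_test_check_system_settime(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/* Asserts the credential and vnode labels; always returns 0. */
static int
mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Asserts the credential and vnode labels; always returns 0. */
static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential label; the sysctl oid, arguments and request are
 * ignored.  Always returns 0.
 */
static int
mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
    void *arg1, int arg2, struct sysctl_req *req)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; acc_mode is ignored.  Always
 * returns 0.
 */
static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Asserts the credential and directory vnode labels; always returns 0. */
static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Asserts the credential and directory vnode labels; always returns 0. */
static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/*
 * Asserts the credential and directory vnode labels; cnp and vap are
 * ignored.  Always returns 0.
 */
static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/*
 * Asserts the credential label and both the directory and target vnode
 * labels; always returns 0.
 */
static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; the ACL type is ignored.  Always
 * returns 0.
 */
static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; the attribute namespace and name
 * are ignored.  Always returns 0.
 */
static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels, and the optional exec label when
 * it is non-NULL; always returns 0.
 */
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

/*
 * Asserts the credential and vnode labels; the ACL type is ignored.  Always
 * returns 0.
 */
static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; the attribute namespace, name
 * and uio are ignored.  Always returns 0.
 */
static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential label and both the directory and target vnode
 * labels; always returns 0.
 */
static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; the attribute namespace is
 * ignored.  Always returns 0.
 */
static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and directory vnode labels; cnp is ignored.
 * Always returns 0.
 */
static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/*
 * Asserts the credential and vnode labels; prot and flags are ignored.
 * Always returns 0.
 */
static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot, int flags)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and file vnode labels; acc_mode is ignored.
 * Always returns 0.
 */
static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	return (0);
}

/*
 * Asserts the active credential's label, the file credential's label when a
 * file credential is supplied, and the vnode label; always returns 0.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	/*
	 * Same NULL guard as the read/stat/write hooks: without it a NULL
	 * file_cred would be dereferenced by the assertion itself.
	 */
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the active credential's label, the file credential's label when a
 * file credential is supplied, and the vnode label; always returns 0.
 */
static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* Asserts the credential and directory vnode labels; always returns 0. */
static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Asserts the credential and vnode labels; always returns 0. */
static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);

	return (0);
}

/*
 * Asserts the credential label, the vnode's current label and the proposed
 * label; always returns 0.
 */
static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);

	return (0);
}

/*
 * Asserts the credential label and both the source directory and source
 * vnode labels; always returns 0.
 */
static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and target directory labels.  The target vnode's
 * label is asserted only when vp is non-NULL.  Always returns 0.
 */
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	if (vp != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

/* Asserts the credential and vnode labels; always returns 0. */
static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; the ACL type and contents are
 * ignored.  Always returns 0.
 */
static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; the attribute namespace, name
 * and uio are ignored.  Always returns 0.
 */
static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; flags is ignored.  Always
 * returns 0.
 */
static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; mode is ignored.  Always
 * returns 0.
 */
static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; uid and gid are ignored.  Always
 * returns 0.
 */
static int
mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the credential and vnode labels; the timestamps are ignored.
 * Always returns 0.
 */
static int
mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Asserts the active credential's label, the file credential's label when a
 * file credential is supplied, and the vnode label; always returns 0.
 */
static int
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}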
ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Vnode write check for the test policy.
 *
 * Asserts the labels handed in by the MAC framework and then permits the
 * operation.  There is no path that returns an error, so this entry point
 * never denies a write; its only effect is the label assertions.
 *
 * active_cred	credential whose cr_label is passed to ASSERT_CRED_LABEL
 *		without a NULL test (unlike file_cred).
 * file_cred	credential whose cr_label is asserted only when the pointer
 *		is non-NULL.
 * vp		not used by this function.
 * label	label passed to ASSERT_VNODE_LABEL.
 *
 * Returns 0 in all cases.
 *
 * NOTE(review): assuming ASSERT_CRED_LABEL and ASSERT_VNODE_LABEL follow the
 * same pattern as ASSERT_BPF_LABEL near the top of the file (a KASSERT that
 * accepts either the object's magic value or 0 in this policy's label slot),
 * a label whose slot is still 0 passes the assertion.  KASSERT is only
 * compiled in on kernels built with INVARIANTS, so on other builds this
 * function is expected to do nothing at all -- confirm before relying on it.
 * The mac_test_enabled sysctl variable is not consulted here.
 */
static int
mac_test_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	/* file_cred may be NULL; only assert its label when it is present. */
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/*
 * Entry-point table passed to MAC_POLICY_SET() below.  Each member names a
 * MAC framework hook and the mac_test_* function registered for it.
 *
 * Some hooks share one implementation: every mpo_externalize_*_label member
 * points at mac_test_externalize_label, every mpo_internalize_*_label member
 * at mac_test_internalize_label, and all six mpo_check_posix_sem_* members
 * at mac_test_check_posix_sem.
 *
 * Members not named here are left NULL by the designated initializer.
 * NOTE(review): presumably the framework skips NULL entries, in which case a
 * hook missing from this table gets no label assertions from this policy --
 * verify when new framework entry points are added.
 */
static struct mac_policy_ops mac_test_ops =
{
	/* Label initialisation hooks (mpo_init_*_label). */
	.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
	.mpo_init_cred_label = mac_test_init_cred_label,
	.mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
	.mpo_init_ifnet_label = mac_test_init_ifnet_label,
	.mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
	.mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
	.mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
	.mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
	.mpo_init_inpcb_label = mac_test_init_inpcb_label,
	.mpo_init_ipq_label = mac_test_init_ipq_label,
	.mpo_init_mbuf_label = mac_test_init_mbuf_label,
	.mpo_init_mount_label = mac_test_init_mount_label,
	.mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
	.mpo_init_pipe_label = mac_test_init_pipe_label,
	.mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
	.mpo_init_proc_label = mac_test_init_proc_label,
	.mpo_init_socket_label = mac_test_init_socket_label,
	.mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
	.mpo_init_vnode_label = mac_test_init_vnode_label,

	/* Label destruction hooks (mpo_destroy_*_label). */
	.mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
	.mpo_destroy_cred_label = mac_test_destroy_cred_label,
	.mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
	.mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
	.mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
	.mpo_destroy_sysv_msgqueue_label =
	    mac_test_destroy_sysv_msgqueue_label,
	.mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label,
	.mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label,
	.mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
	.mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
	.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
	.mpo_destroy_mount_label = mac_test_destroy_mount_label,
	.mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
	.mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
	.mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
	.mpo_destroy_proc_label = mac_test_destroy_proc_label,
	.mpo_destroy_socket_label = mac_test_destroy_socket_label,
	.mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
	.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,

	/* Label copy hooks (mpo_copy_*_label). */
	.mpo_copy_cred_label = mac_test_copy_cred_label,
	.mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
	.mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
	.mpo_copy_pipe_label = mac_test_copy_pipe_label,
	.mpo_copy_socket_label = mac_test_copy_socket_label,
	.mpo_copy_vnode_label = mac_test_copy_vnode_label,

	/* Externalize/internalize hooks; one shared function per direction. */
	.mpo_externalize_cred_label = mac_test_externalize_label,
	.mpo_externalize_ifnet_label = mac_test_externalize_label,
	.mpo_externalize_pipe_label = mac_test_externalize_label,
	.mpo_externalize_socket_label = mac_test_externalize_label,
	.mpo_externalize_socket_peer_label = mac_test_externalize_label,
	.mpo_externalize_vnode_label = mac_test_externalize_label,
	.mpo_internalize_cred_label = mac_test_internalize_label,
	.mpo_internalize_ifnet_label = mac_test_internalize_label,
	.mpo_internalize_pipe_label = mac_test_internalize_label,
	.mpo_internalize_socket_label = mac_test_internalize_label,
	.mpo_internalize_vnode_label = mac_test_internalize_label,

	/*
	 * Remaining non-check hooks: associate, create, relabel, update,
	 * reflect, execve transition and related events.
	 */
	.mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
	.mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
	.mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
	.mpo_create_devfs_device = mac_test_create_devfs_device,
	.mpo_create_devfs_directory = mac_test_create_devfs_directory,
	.mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
	.mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
	.mpo_create_mount = mac_test_create_mount,
	.mpo_relabel_vnode = mac_test_relabel_vnode,
	.mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
	.mpo_update_devfsdirent = mac_test_update_devfsdirent,
	.mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
	.mpo_create_pipe = mac_test_create_pipe,
	.mpo_create_posix_sem = mac_test_create_posix_sem,
	.mpo_create_socket = mac_test_create_socket,
	.mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
	.mpo_relabel_pipe = mac_test_relabel_pipe,
	.mpo_relabel_socket = mac_test_relabel_socket,
	.mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
	.mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
	.mpo_create_bpfdesc = mac_test_create_bpfdesc,
	.mpo_create_ifnet = mac_test_create_ifnet,
	.mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
	.mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg,
	.mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue,
	.mpo_create_sysv_sem = mac_test_create_sysv_sem,
	.mpo_create_sysv_shm = mac_test_create_sysv_shm,
	.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
	.mpo_create_fragment = mac_test_create_fragment,
	.mpo_create_ipq = mac_test_create_ipq,
	.mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
	.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
	.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
	.mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
	.mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
	.mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
	.mpo_fragment_match = mac_test_fragment_match,
	.mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
	.mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
	.mpo_relabel_ifnet = mac_test_relabel_ifnet,
	.mpo_update_ipq = mac_test_update_ipq,
	.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
	.mpo_execve_transition = mac_test_execve_transition,
	.mpo_execve_will_transition = mac_test_execve_will_transition,
	.mpo_create_proc0 = mac_test_create_proc0,
	.mpo_create_proc1 = mac_test_create_proc1,
	.mpo_relabel_cred = mac_test_relabel_cred,
	.mpo_thread_userret = mac_test_thread_userret,

	/* System V IPC cleanup hooks (mpo_cleanup_sysv_*). */
	.mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg,
	.mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue,
	.mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem,
	.mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm,

	/*
	 * Access-control check hooks (mpo_check_*).
	 * NOTE(review): mac_test_check_vnode_write returns 0 unconditionally;
	 * confirm whether the other mac_test_check_* functions do the same
	 * before treating any of them as an enforcement point.
	 */
	.mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
	.mpo_check_cred_relabel = mac_test_check_cred_relabel,
	.mpo_check_cred_visible = mac_test_check_cred_visible,
	.mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
	.mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
	.mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
	.mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq,
	.mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv,
	.mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid,
	.mpo_check_sysv_msqget = mac_test_check_sysv_msqget,
	.mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd,
	.mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv,
	.mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl,
	.mpo_check_sysv_semctl = mac_test_check_sysv_semctl,
	.mpo_check_sysv_semget = mac_test_check_sysv_semget,
	.mpo_check_sysv_semop = mac_test_check_sysv_semop,
	.mpo_check_sysv_shmat = mac_test_check_sysv_shmat,
	.mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl,
	.mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt,
	.mpo_check_sysv_shmget = mac_test_check_sysv_shmget,
	.mpo_check_kenv_dump = mac_test_check_kenv_dump,
	.mpo_check_kenv_get = mac_test_check_kenv_get,
	.mpo_check_kenv_set = mac_test_check_kenv_set,
	.mpo_check_kenv_unset = mac_test_check_kenv_unset,
	.mpo_check_kld_load = mac_test_check_kld_load,
	.mpo_check_kld_stat = mac_test_check_kld_stat,
	.mpo_check_kld_unload = mac_test_check_kld_unload,
	.mpo_check_mount_stat = mac_test_check_mount_stat,
	.mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
	.mpo_check_pipe_poll = mac_test_check_pipe_poll,
	.mpo_check_pipe_read = mac_test_check_pipe_read,
	.mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
	.mpo_check_pipe_stat = mac_test_check_pipe_stat,
	.mpo_check_pipe_write = mac_test_check_pipe_write,
	/* All POSIX semaphore checks are routed to one function. */
	.mpo_check_posix_sem_destroy = mac_test_check_posix_sem,
	.mpo_check_posix_sem_getvalue = mac_test_check_posix_sem,
	.mpo_check_posix_sem_open = mac_test_check_posix_sem,
	.mpo_check_posix_sem_post = mac_test_check_posix_sem,
	.mpo_check_posix_sem_unlink = mac_test_check_posix_sem,
	.mpo_check_posix_sem_wait = mac_test_check_posix_sem,
	.mpo_check_proc_debug = mac_test_check_proc_debug,
	.mpo_check_proc_sched = mac_test_check_proc_sched,
	.mpo_check_proc_setuid = mac_test_check_proc_setuid,
	.mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
	.mpo_check_proc_setgid = mac_test_check_proc_setgid,
	.mpo_check_proc_setegid = mac_test_check_proc_setegid,
	.mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
	.mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
	.mpo_check_proc_setregid = mac_test_check_proc_setregid,
	.mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
	.mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
	.mpo_check_proc_signal = mac_test_check_proc_signal,
	.mpo_check_proc_wait = mac_test_check_proc_wait,
	.mpo_check_socket_accept = mac_test_check_socket_accept,
	.mpo_check_socket_bind = mac_test_check_socket_bind,
	.mpo_check_socket_connect = mac_test_check_socket_connect,
	.mpo_check_socket_deliver = mac_test_check_socket_deliver,
	.mpo_check_socket_listen = mac_test_check_socket_listen,
	.mpo_check_socket_poll = mac_test_check_socket_poll,
	.mpo_check_socket_receive = mac_test_check_socket_receive,
	.mpo_check_socket_relabel = mac_test_check_socket_relabel,
	.mpo_check_socket_send = mac_test_check_socket_send,
	.mpo_check_socket_stat = mac_test_check_socket_stat,
	.mpo_check_socket_visible = mac_test_check_socket_visible,
	.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
	.mpo_check_system_acct = mac_test_check_system_acct,
	.mpo_check_system_reboot = mac_test_check_system_reboot,
	.mpo_check_system_settime = mac_test_check_system_settime,
	.mpo_check_system_swapon = mac_test_check_system_swapon,
	.mpo_check_system_swapoff = mac_test_check_system_swapoff,
	.mpo_check_system_sysctl = mac_test_check_system_sysctl,
	.mpo_check_vnode_access = mac_test_check_vnode_access,
	.mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
	.mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
	.mpo_check_vnode_create = mac_test_check_vnode_create,
	.mpo_check_vnode_delete = mac_test_check_vnode_delete,
	.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = mac_test_check_vnode_exec,
	.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
	.mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
	.mpo_check_vnode_link = mac_test_check_vnode_link,
	.mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
	.mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
	.mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
	.mpo_check_vnode_open = mac_test_check_vnode_open,
	.mpo_check_vnode_poll = mac_test_check_vnode_poll,
	.mpo_check_vnode_read = mac_test_check_vnode_read,
	.mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
	.mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
	.mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
	.mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
	.mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
	.mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
	.mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
	.mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
	.mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
	.mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
	.mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
	.mpo_check_vnode_stat = mac_test_check_vnode_stat,
	.mpo_check_vnode_write = mac_test_check_vnode_write,
};

/*
 * Declare the policy module: the operations table, the short name mac_test,
 * the descriptive name, the load-time flags, and the address of test_slot,
 * the label slot index that SLOT() and SLOT_SET() read.
 *
 * NOTE(review): going by the flag names, MPC_LOADTIME_FLAG_UNLOADOK allows
 * the policy to be unloaded at run time and MPC_LOADTIME_FLAG_LABELMBUFS
 * requests labels on mbufs; confirm against mac_policy.h.  A policy that can
 * be unloaded, and whose checks assert rather than deny, is a consistency
 * check on the framework's label handling and should not be counted as an
 * access-control layer.
 */
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
    MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);