xref: /freebsd/sys/security/mac_test/mac_test.c (revision d37ea99837e6ad50837fd9fe1771ddf1c3ba6002)
1 /*-
2  * Copyright (c) 1999-2002 Robert N. M. Watson
3  * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
4  * All rights reserved.
5  *
6  * This software was developed by Robert Watson for the TrustedBSD Project.
7  *
8  * This software was developed for the FreeBSD Project in part by Network
9  * Associates Laboratories, the Security Research Division of Network
10  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
11  * as part of the DARPA CHATS research program.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1. Redistributions of source code must retain the above copyright
17  *    notice, this list of conditions and the following disclaimer.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  *
34  * $FreeBSD$
35  */
36 
37 /*
38  * Developed by the TrustedBSD Project.
39  * Generic mandatory access module that does nothing.
40  */
41 
42 #include <sys/types.h>
43 #include <sys/param.h>
44 #include <sys/acl.h>
45 #include <sys/conf.h>
46 #include <sys/extattr.h>
47 #include <sys/kernel.h>
48 #include <sys/mac.h>
49 #include <sys/malloc.h>
50 #include <sys/mount.h>
51 #include <sys/proc.h>
52 #include <sys/systm.h>
53 #include <sys/sysproto.h>
54 #include <sys/sysent.h>
55 #include <sys/vnode.h>
56 #include <sys/file.h>
57 #include <sys/socket.h>
58 #include <sys/socketvar.h>
59 #include <sys/sysctl.h>
60 
61 #include <fs/devfs/devfs.h>
62 
63 #include <net/bpfdesc.h>
64 #include <net/if.h>
65 #include <net/if_types.h>
66 #include <net/if_var.h>
67 
68 #include <vm/vm.h>
69 
70 #include <sys/mac_policy.h>
71 
SYSCTL_DECL(_security_mac);

/* security.mac.test: parent node for every knob and counter in this file. */
SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * security.mac.test.enabled: writable at run time (CTLFLAG_RW), default 1.
 * NOTE(review): no hook in this part of the file reads mac_test_enabled, so
 * clearing it does not switch off any of the label checks shown here --
 * confirm against the rest of the file before relying on it.
 */
static int	mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");
80 
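/*
 * Per-object-type magic numbers.  Each label init hook stores the matching
 * value in this policy's label slot, and hooks that are later handed a label
 * use the ASSERT_*_LABEL() macros below to verify that the label belongs to
 * the object type they expect.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	INPCBMAGIC	0x4440f7bb
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	PIPEMAGIC	0xdc6c9919
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
/* Written over a slot by the destroy hooks to mark the label as destroyed. */
#define	EXMAGIC		0x849ba1fd

/* This policy's slot in a label, accessed through its l_long member. */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long

/*
 * Label type assertions.  Each accepts the expected magic or a slot value
 * of 0.  They are KASSERT()s, which are only compiled in on INVARIANTS
 * kernels; without INVARIANTS the hooks built purely from these macros
 * check nothing, and only the Debugger() calls in the destroy hooks remain.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
#define	ASSERT_IFNET_LABEL(x)	KASSERT(SLOT(x) == IFNETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IFNET label", __func__ ))
#define	ASSERT_INPCB_LABEL(x)	KASSERT(SLOT(x) == INPCBMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad INPCB label", __func__ ))
#define	ASSERT_IPQ_LABEL(x)	KASSERT(SLOT(x) == IPQMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IPQ label", __func__ ))
/*
 * mbuf labels may legitimately be NULL, so NULL is accepted before the slot
 * is dereferenced.  The argument is parenthesized so that an expression
 * argument cannot re-associate with the "== NULL" comparison.
 */
#define	ASSERT_MBUF_LABEL(x)	KASSERT((x) == NULL ||			\
	SLOT(x) == MBUFMAGIC ||	SLOT(x) == 0,				\
	("%s: Bad MBUF label", __func__ ))
#define	ASSERT_MOUNT_LABEL(x)	KASSERT(SLOT(x) == MOUNTMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ ))
#define	ASSERT_SOCKET_LABEL(x)	KASSERT(SLOT(x) == SOCKETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ ))
#define	ASSERT_PIPE_LABEL(x)	KASSERT(SLOT(x) == PIPEMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PIPE label", __func__ ))
#define	ASSERT_PROC_LABEL(x)	KASSERT(SLOT(x) == PROCMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PROC label", __func__ ))
#define	ASSERT_CRED_LABEL(x)	KASSERT(SLOT(x) == CREDMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad CRED label", __func__ ))
#define	ASSERT_VNODE_LABEL(x)	KASSERT(SLOT(x) == VNODEMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad VNODE label", __func__ ))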
122 
/* Slot index used by SLOT(); exported read-only under security.mac.test. */
static int	test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");

/*
 * Per-object-type counts of label init hook calls.  All counters in this
 * file are read-only sysctls (CTLFLAG_RD) and are bumped with
 * atomic_add_int() by the corresponding hook.
 */
static int	init_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
    &init_count_bpfdesc, 0, "bpfdesc init calls");
static int	init_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
    &init_count_cred, 0, "cred init calls");
static int	init_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
    &init_count_devfsdirent, 0, "devfsdirent init calls");
static int	init_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
    &init_count_ifnet, 0, "ifnet init calls");
static int	init_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
    &init_count_inpcb, 0, "inpcb init calls");
static int	init_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
    &init_count_ipq, 0, "ipq init calls");
static int	init_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
    &init_count_mbuf, 0, "mbuf init calls");
static int	init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
    &init_count_mount, 0, "mount init calls");
static int	init_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
    &init_count_mount_fslabel, 0, "mount_fslabel init calls");
static int	init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
    &init_count_socket, 0, "socket init calls");
static int	init_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
    CTLFLAG_RD, &init_count_socket_peerlabel, 0,
    "socket_peerlabel init calls");
static int	init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
    &init_count_pipe, 0, "pipe init calls");
static int	init_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
    &init_count_proc, 0, "proc init calls");
static int	init_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
    &init_count_vnode, 0, "vnode init calls");

/*
 * Per-object-type counts of label destroy hook calls.  A destroy hook only
 * counts a call when it finds the expected magic or 0 in the slot.
 */
static int	destroy_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
    &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
static int	destroy_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
    &destroy_count_cred, 0, "cred destroy calls");
static int	destroy_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
    &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
static int	destroy_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
    &destroy_count_ifnet, 0, "ifnet destroy calls");
static int	destroy_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
    &destroy_count_inpcb, 0, "inpcb destroy calls");
static int	destroy_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
    &destroy_count_ipq, 0, "ipq destroy calls");
static int	destroy_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
    &destroy_count_mbuf, 0, "mbuf destroy calls");
static int	destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
    &destroy_count_mount, 0, "mount destroy calls");
static int	destroy_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
    CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
    "mount_fslabel destroy calls");
static int	destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
    &destroy_count_socket, 0, "socket destroy calls");
static int	destroy_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
    CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
    "socket_peerlabel destroy calls");
static int	destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
    &destroy_count_pipe, 0, "pipe destroy calls");
static int	destroy_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
    &destroy_count_proc, 0, "proc destroy calls");
static int	destroy_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
    &destroy_count_vnode, 0, "vnode destroy calls");

/* Counts of label externalize / internalize hook calls, all object types. */
static int	externalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
static int	internalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");
222 
223 /*
224  * Policy module operations.
225  */
/* Policy teardown hook.  Intentionally empty; conf is not used. */
static void
mac_test_destroy(struct mac_policy_conf *conf)
{
}
231 
/* Policy initialisation hook.  Intentionally empty; conf is not used. */
static void
mac_test_init(struct mac_policy_conf *conf)
{
}
237 
/*
 * Policy system call hook.  Every call number is accepted and arg is never
 * dereferenced, so no validation of the caller-supplied pointer is needed
 * here; the hook always reports success (0).
 */
static int
mac_test_syscall(struct thread *td, int call, void *arg)
{
	return (0);
}
244 
245 /*
246  * Label operations.
247  */
/*
 * Label init hook for BPF descriptors: stamps the slot with BPFMAGIC and
 * counts the call in init_count_bpfdesc.
 */
static void
mac_test_init_bpfdesc_label(struct label *label)
{
	SLOT(label) = BPFMAGIC;		/* mark as a live BPF label */
	atomic_add_int(&init_count_bpfdesc, 1);
}
255 
/*
 * Label init hook for credentials: stamps the slot with CREDMAGIC and
 * counts the call in init_count_cred.
 */
static void
mac_test_init_cred_label(struct label *label)
{
	SLOT(label) = CREDMAGIC;	/* mark as a live credential label */
	atomic_add_int(&init_count_cred, 1);
}
263 
/*
 * Label init hook for devfs directory entries: stamps the slot with
 * DEVFSMAGIC and counts the call in init_count_devfsdirent.
 */
static void
mac_test_init_devfsdirent_label(struct label *label)
{
	SLOT(label) = DEVFSMAGIC;	/* mark as a live devfs label */
	atomic_add_int(&init_count_devfsdirent, 1);
}
271 
/*
 * Label init hook for network interfaces: stamps the slot with IFNETMAGIC
 * and counts the call in init_count_ifnet.
 */
static void
mac_test_init_ifnet_label(struct label *label)
{
	SLOT(label) = IFNETMAGIC;	/* mark as a live ifnet label */
	atomic_add_int(&init_count_ifnet, 1);
}
279 
/*
 * Label init hook for inpcbs.  When the caller allows sleeping (M_WAITOK)
 * WITNESS is asked to warn about a lock state that does not permit it; the
 * slot is then stamped with INPCBMAGIC and the call counted.  Always
 * returns 0.
 */
static int
mac_test_init_inpcb_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_inpcb_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = INPCBMAGIC;
	atomic_add_int(&init_count_inpcb, 1);
	return (0);
}
293 
/*
 * Label init hook for IP reassembly queues.  When the caller allows
 * sleeping (M_WAITOK) WITNESS is asked to warn about a lock state that does
 * not permit it; the slot is then stamped with IPQMAGIC and the call
 * counted.  Always returns 0.
 */
static int
mac_test_init_ipq_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = IPQMAGIC;
	atomic_add_int(&init_count_ipq, 1);
	return (0);
}
307 
/*
 * Label init hook for mbufs.  When the caller allows sleeping (M_WAITOK)
 * WITNESS is asked to warn about a lock state that does not permit it; the
 * slot is then stamped with MBUFMAGIC and the call counted.  Always
 * returns 0.
 */
static int
mac_test_init_mbuf_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = MBUFMAGIC;
	atomic_add_int(&init_count_mbuf, 1);
	return (0);
}
321 
/*
 * Label init hook for mount points: stamps the slot with MOUNTMAGIC and
 * counts the call in init_count_mount.
 */
static void
mac_test_init_mount_label(struct label *label)
{
	SLOT(label) = MOUNTMAGIC;	/* mark as a live mount label */
	atomic_add_int(&init_count_mount, 1);
}
329 
/*
 * Label init hook for a mount's file system label.  It uses the same
 * MOUNTMAGIC as the mount label itself, so the assertions in this file
 * cannot tell the two apart: a hook that is handed the mount label where
 * the fs label was intended (or the reverse) still passes.
 */
static void
mac_test_init_mount_fs_label(struct label *label)
{
	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount_fslabel, 1);
}
337 
/*
 * Label init hook for sockets.  When the caller allows sleeping (M_WAITOK)
 * WITNESS is asked to warn about a lock state that does not permit it; the
 * slot is then stamped with SOCKETMAGIC and the call counted.  Always
 * returns 0.
 */
static int
mac_test_init_socket_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket, 1);
	return (0);
}
351 
/*
 * Label init hook for a socket's peer label.  Sleepable requests get the
 * same WITNESS check as the other init hooks.  The slot is stamped with
 * SOCKETMAGIC, the same value as the socket's own label, so the assertions
 * in this file cannot detect a socket label passed where a peer label was
 * intended (or the reverse).  Always returns 0.
 */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket_peerlabel, 1);
	return (0);
}
365 
/*
 * Label init hook for pipes: stamps the slot with PIPEMAGIC and counts the
 * call in init_count_pipe.
 */
static void
mac_test_init_pipe_label(struct label *label)
{
	SLOT(label) = PIPEMAGIC;	/* mark as a live pipe label */
	atomic_add_int(&init_count_pipe, 1);
}
373 
/*
 * Label init hook for processes: stamps the slot with PROCMAGIC and counts
 * the call in init_count_proc.
 */
static void
mac_test_init_proc_label(struct label *label)
{
	SLOT(label) = PROCMAGIC;	/* mark as a live process label */
	atomic_add_int(&init_count_proc, 1);
}
381 
/*
 * Label init hook for vnodes: stamps the slot with VNODEMAGIC and counts
 * the call in init_count_vnode.
 */
static void
mac_test_init_vnode_label(struct label *label)
{
	SLOT(label) = VNODEMAGIC;	/* mark as a live vnode label */
	atomic_add_int(&init_count_vnode, 1);
}
389 
/*
 * Label destroy hook for BPF descriptors.  A slot holding BPFMAGIC or 0 is
 * counted and overwritten with EXMAGIC; a slot already holding EXMAGIC is
 * reported as a double destroy, and any other value as corruption.  In both
 * error cases Debugger() is called and the slot is left untouched.
 */
static void
mac_test_destroy_bpfdesc_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_bpfdesc: dup destroy");
		return;
	}
	if (SLOT(label) != BPFMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_bpfdesc: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_bpfdesc, 1);
	SLOT(label) = EXMAGIC;
}
403 
/*
 * Label destroy hook for credentials.  A slot holding CREDMAGIC or 0 is
 * counted and overwritten with EXMAGIC; a slot already holding EXMAGIC is
 * reported as a double destroy, and any other value as corruption.  In both
 * error cases Debugger() is called and the slot is left untouched.
 */
static void
mac_test_destroy_cred_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_cred: dup destroy");
		return;
	}
	if (SLOT(label) != CREDMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_cred: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_cred, 1);
	SLOT(label) = EXMAGIC;
}
417 
/*
 * Label destroy hook for devfs directory entries.  A slot holding
 * DEVFSMAGIC or 0 is counted and overwritten with EXMAGIC; EXMAGIC is
 * reported as a double destroy and any other value as corruption, via
 * Debugger(), without modifying the slot.
 */
static void
mac_test_destroy_devfsdirent_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_devfsdirent: dup destroy");
		return;
	}
	if (SLOT(label) != DEVFSMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_devfsdirent: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_devfsdirent, 1);
	SLOT(label) = EXMAGIC;
}
431 
/*
 * Label destroy hook for network interfaces.  A slot holding IFNETMAGIC or
 * 0 is counted and overwritten with EXMAGIC; EXMAGIC is reported as a
 * double destroy and any other value as corruption, via Debugger(), without
 * modifying the slot.
 */
static void
mac_test_destroy_ifnet_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_ifnet: dup destroy");
		return;
	}
	if (SLOT(label) != IFNETMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_ifnet: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_ifnet, 1);
	SLOT(label) = EXMAGIC;
}
445 
/*
 * Label destroy hook for inpcbs.  A slot holding INPCBMAGIC or 0 is counted
 * and overwritten with EXMAGIC; EXMAGIC is reported as a double destroy and
 * any other value as corruption, via Debugger(), without modifying the
 * slot.
 */
static void
mac_test_destroy_inpcb_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_inpcb: dup destroy");
		return;
	}
	if (SLOT(label) != INPCBMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_inpcb: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_inpcb, 1);
	SLOT(label) = EXMAGIC;
}
459 
/*
 * Label destroy hook for IP reassembly queues.  A slot holding IPQMAGIC or
 * 0 is counted and overwritten with EXMAGIC; EXMAGIC is reported as a
 * double destroy and any other value as corruption, via Debugger(), without
 * modifying the slot.
 */
static void
mac_test_destroy_ipq_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_ipq: dup destroy");
		return;
	}
	if (SLOT(label) != IPQMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_ipq: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_ipq, 1);
	SLOT(label) = EXMAGIC;
}
473 
/*
 * Label destroy hook for mbufs.  Unlike the other destroy hooks this one
 * tolerates a NULL label.  Otherwise a slot holding MBUFMAGIC or 0 is
 * counted and overwritten with EXMAGIC; EXMAGIC is reported as a double
 * destroy and any other value as corruption, via Debugger(), without
 * modifying the slot.
 */
static void
mac_test_destroy_mbuf_label(struct label *label)
{
	/*
	 * A dynamically loaded module can see mbufs that were already in
	 * flight and never had label storage allocated; ignore those.
	 */
	if (label == NULL)
		return;

	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mbuf: dup destroy");
		return;
	}
	if (SLOT(label) != MBUFMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_mbuf: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_mbuf, 1);
	SLOT(label) = EXMAGIC;
}
495 
/*
 * Label destroy hook for mount points.  A slot holding MOUNTMAGIC or 0 is
 * counted and overwritten with EXMAGIC; EXMAGIC is reported as a double
 * destroy and any other value as corruption, via Debugger(), without
 * modifying the slot.
 */
static void
mac_test_destroy_mount_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mount: dup destroy");
		return;
	}
	if (SLOT(label) != MOUNTMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_mount: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_mount, 1);
	SLOT(label) = EXMAGIC;
}
509 
/*
 * Label destroy hook for a mount's file system label.  The expected magic
 * is MOUNTMAGIC, shared with the mount label, so destroying the wrong one
 * of the two is not detectable here.  MOUNTMAGIC or 0 is counted and
 * replaced with EXMAGIC; EXMAGIC and any other value go to Debugger() and
 * leave the slot unchanged.
 */
static void
mac_test_destroy_mount_fs_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_mount_fslabel: dup destroy");
		return;
	}
	if (SLOT(label) != MOUNTMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_mount_fslabel: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_mount_fslabel, 1);
	SLOT(label) = EXMAGIC;
}
523 
/*
 * Label destroy hook for sockets.  A slot holding SOCKETMAGIC or 0 is
 * counted and overwritten with EXMAGIC; EXMAGIC is reported as a double
 * destroy and any other value as corruption, via Debugger(), without
 * modifying the slot.
 */
static void
mac_test_destroy_socket_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_socket: dup destroy");
		return;
	}
	if (SLOT(label) != SOCKETMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_socket: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_socket, 1);
	SLOT(label) = EXMAGIC;
}
537 
/*
 * Label destroy hook for a socket's peer label.  The expected magic is
 * SOCKETMAGIC, shared with the socket's own label, so destroying the wrong
 * one of the two is not detectable here.  SOCKETMAGIC or 0 is counted and
 * replaced with EXMAGIC; EXMAGIC and any other value go to Debugger() and
 * leave the slot unchanged.
 */
static void
mac_test_destroy_socket_peer_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_socket_peerlabel: dup destroy");
		return;
	}
	if (SLOT(label) != SOCKETMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_socket_peerlabel: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_socket_peerlabel, 1);
	SLOT(label) = EXMAGIC;
}
551 
/*
 * Label destroy hook for pipes.  A slot holding PIPEMAGIC or 0 is counted
 * and overwritten with EXMAGIC; EXMAGIC is reported as a double destroy and
 * any other value as corruption, via Debugger(), without modifying the
 * slot.
 */
static void
mac_test_destroy_pipe_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_pipe: dup destroy");
		return;
	}
	if (SLOT(label) != PIPEMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_pipe: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_pipe, 1);
	SLOT(label) = EXMAGIC;
}
565 
/*
 * Label destroy hook for processes.  A slot holding PROCMAGIC or 0 is
 * counted and overwritten with EXMAGIC; EXMAGIC is reported as a double
 * destroy and any other value as corruption, via Debugger(), without
 * modifying the slot.
 */
static void
mac_test_destroy_proc_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_proc: dup destroy");
		return;
	}
	if (SLOT(label) != PROCMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_proc: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_proc, 1);
	SLOT(label) = EXMAGIC;
}
579 
/*
 * Label destroy hook for vnodes.  A slot holding VNODEMAGIC or 0 is counted
 * and overwritten with EXMAGIC; EXMAGIC is reported as a double destroy and
 * any other value as corruption, via Debugger(), without modifying the
 * slot.
 */
static void
mac_test_destroy_vnode_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		Debugger("mac_test_destroy_vnode: dup destroy");
		return;
	}
	if (SLOT(label) != VNODEMAGIC && SLOT(label) != 0) {
		Debugger("mac_test_destroy_vnode: corrupted label");
		return;
	}

	atomic_add_int(&destroy_count_vnode, 1);
	SLOT(label) = EXMAGIC;
}
593 
/*
 * Credential label copy hook.  Only asserts that both labels are credential
 * labels; no data is transferred from src to dest.
 */
static void
mac_test_copy_cred_label(struct label *src, struct label *dest)
{
	ASSERT_CRED_LABEL(src);
	ASSERT_CRED_LABEL(dest);
}
601 
/*
 * Interface label copy hook.  Only asserts that both labels are ifnet
 * labels; no data is transferred from src to dest.
 */
static void
mac_test_copy_ifnet_label(struct label *src, struct label *dest)
{
	ASSERT_IFNET_LABEL(src);
	ASSERT_IFNET_LABEL(dest);
}
609 
/*
 * mbuf label copy hook.  Only asserts that both labels are mbuf labels (the
 * mbuf assertion also accepts NULL); no data is transferred.
 */
static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{
	ASSERT_MBUF_LABEL(src);
	ASSERT_MBUF_LABEL(dest);
}
617 
/*
 * Pipe label copy hook.  Only asserts that both labels are pipe labels; no
 * data is transferred from src to dest.
 */
static void
mac_test_copy_pipe_label(struct label *src, struct label *dest)
{
	ASSERT_PIPE_LABEL(src);
	ASSERT_PIPE_LABEL(dest);
}
625 
/*
 * Socket label copy hook.  Only asserts that both labels are socket labels;
 * no data is transferred from src to dest.
 */
static void
mac_test_copy_socket_label(struct label *src, struct label *dest)
{
	ASSERT_SOCKET_LABEL(src);
	ASSERT_SOCKET_LABEL(dest);
}
633 
/*
 * Vnode label copy hook.  Only asserts that both labels are vnode labels;
 * no data is transferred from src to dest.
 */
static void
mac_test_copy_vnode_label(struct label *src, struct label *dest)
{
	ASSERT_VNODE_LABEL(src);
	ASSERT_VNODE_LABEL(dest);
}
641 
/*
 * Label externalize hook shared by all object types.  Counts the call, then
 * asserts that the label has not already been destroyed (slot != EXMAGIC).
 * Nothing is written to sb, *claimed is left untouched and element_name is
 * ignored.  Always returns 0.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{
	atomic_add_int(&externalize_count, 1);

	/* Catches use of a label after its destroy hook has run. */
	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_externalize_label: destroyed label"));

	return (0);
}
654 
/*
 * Label internalize hook shared by all object types.  Counts the call, then
 * asserts that the label has not already been destroyed (slot != EXMAGIC).
 * element_data is never parsed, so no caller-supplied label text reaches
 * the slot; *claimed is left untouched.  Always returns 0.
 */
static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{
	atomic_add_int(&internalize_count, 1);

	/* Catches use of a label after its destroy hook has run. */
	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_internalize_label: destroyed label"));

	return (0);
}
667 
668 /*
669  * Labeling event operations: file system objects, and things that look
670  * a lot like file system objects.
671  */
/*
 * devfs vnode association event.  Asserts that fslabel, delabel and vlabel
 * are mount, devfs and vnode labels respectively; no label is modified.
 */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_DEVFS_LABEL(delabel);
	ASSERT_VNODE_LABEL(vlabel);
}
682 
/*
 * Extended-attribute vnode association event.  Asserts that fslabel is a
 * mount label and vlabel a vnode label; no attribute is read.  Always
 * returns 0.
 */
static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);

	return (0);
}
692 
/*
 * Single-label vnode association event.  Asserts that fslabel is a mount
 * label and vlabel a vnode label; no label is modified.
 */
static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
}
701 
/* devfs device creation event: asserts that label is a devfs label. */
static void
mac_test_create_devfs_device(struct mount *mp, struct cdev *dev,
    struct devfs_dirent *devfs_dirent, struct label *label)
{
	ASSERT_DEVFS_LABEL(label);
}
709 
/*
 * devfs directory creation event: asserts that label is a devfs label.
 * dirname and dirnamelen are not examined.
 */
static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{
	ASSERT_DEVFS_LABEL(label);
}
717 
/*
 * devfs symlink creation event.  Asserts the subject credential label and
 * that both ddlabel and delabel are devfs labels.  cred is dereferenced
 * without a NULL check.
 */
static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_DEVFS_LABEL(ddlabel);
	ASSERT_DEVFS_LABEL(delabel);
}
728 
/*
 * Extended-attribute vnode creation event.  Asserts the subject credential
 * label, the mount label and the parent directory's vnode label.  Always
 * returns 0.
 *
 * NOTE(review): vlabel, the label of the vnode being created, is not
 * asserted here although the sibling vnode hooks check theirs -- confirm
 * whether that omission is intentional.
 */
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}
741 
/*
 * Mount creation event.  Asserts the subject credential label and that
 * mntlabel and fslabel both carry the mount magic.
 */
static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}
751 
/*
 * Root mount creation event.  Asserts the subject credential label and that
 * mntlabel and fslabel both carry the mount magic.
 */
static void
mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}
761 
/*
 * Vnode relabel event.  Asserts the subject credential label, the vnode's
 * current label and the replacement label; nothing is copied.
 */
static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(label);
}
771 
/*
 * Extended-attribute vnode set-label event.  Asserts the subject credential
 * label, the vnode's label and the internalized label; nothing is written
 * to any attribute.  Always returns 0.
 */
static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vlabel);
	ASSERT_VNODE_LABEL(intlabel);

	return (0);
}
782 
/*
 * devfs directory entry update event.  Asserts that direntlabel is a devfs
 * label and vnodelabel a vnode label; no label is modified.
 */
static void
mac_test_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{
	ASSERT_DEVFS_LABEL(direntlabel);
	ASSERT_VNODE_LABEL(vnodelabel);
}
792 
793 /*
794  * Labeling event operations: IPC object.
795  */
/*
 * mbuf-from-socket creation event.  Asserts that socketlabel is a socket
 * label and mbuflabel an mbuf label (NULL is accepted for the latter).
 */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}
804 
/*
 * Socket creation event.  Asserts the subject credential label and that
 * socketlabel is a socket label.
 */
static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
   struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
}
813 
/*
 * Pipe creation event.  Asserts the subject credential label and that
 * pipelabel is a pipe label.
 */
static void
mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
   struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
}
822 
/*
 * Socket-from-socket creation event.  Asserts that both the old and the new
 * socket's labels are socket labels.
 */
static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{
	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketlabel);
}
832 
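/*
 * Socket relabel event.  Asserts the subject credential label, the socket's
 * current label and the replacement label; nothing is copied.
 */
static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	/*
	 * Check the label being replaced as well as the new one, as the
	 * pipe, vnode and ifnet relabel hooks in this file do; previously a
	 * wrong or destroyed socketlabel went unnoticed here.
	 */
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);
}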
841 
/*
 * Pipe relabel event.  Asserts the subject credential label, the pipe's
 * current label and the replacement label; nothing is copied.
 */
static void
mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
}
851 
/*
 * Socket peer label from mbuf event.  Asserts that mbuflabel is an mbuf
 * label (NULL accepted) and that socketpeerlabel carries the socket magic.
 */
static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{
	ASSERT_MBUF_LABEL(mbuflabel);
	ASSERT_SOCKET_LABEL(socketpeerlabel);
}
860 
861 /*
862  * Labeling event operations: network objects.
863  */
/*
 * Socket peer label from socket event.  Asserts that oldsocketlabel and
 * newsocketpeerlabel both carry the socket magic.
 */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{
	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}
873 
/*
 * BPF descriptor creation event.  Asserts the subject credential label and
 * that bpflabel is a BPF label.
 */
static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}
882 
/*
 * Datagram-from-reassembly-queue event.  Asserts that ipqlabel is an IPQ
 * label and datagramlabel an mbuf label (NULL accepted).
 */
static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{
	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}
891 
/*
 * Fragment creation event.  Asserts that the datagram's and the fragment's
 * labels are mbuf labels (NULL accepted).
 */
static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{
	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}
900 
/* Interface creation event: asserts that ifnetlabel is an ifnet label. */
static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
}
907 
/*
 * inpcb-from-socket creation event.  Asserts that solabel is a socket label
 * and inplabel an inpcb label.
 */
static void
mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{
	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}
916 
/*
 * Reassembly queue creation event.  Asserts that fragmentlabel is an mbuf
 * label (NULL accepted) and ipqlabel an IPQ label.
 */
static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}
925 
/*
 * mbuf-from-inpcb creation event.  Asserts that inplabel is an inpcb label
 * and mlabel an mbuf label (NULL accepted).
 */
static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{
	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
}
934 
/*
 * mbuf-from-mbuf creation event.  Asserts that the old and the new mbuf's
 * labels are mbuf labels (NULL accepted).
 */
static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{
	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}
944 
/*
 * Link-layer mbuf creation event.  Asserts that ifnetlabel is an ifnet
 * label and mbuflabel an mbuf label (NULL accepted).
 */
static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}
953 
/*
 * mbuf-from-BPF-descriptor creation event.  Asserts that bpflabel is a BPF
 * label and mbuflabel an mbuf label (NULL accepted).
 */
static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{
	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}
962 
/*
 * mbuf-from-interface creation event.  Asserts that ifnetlabel is an ifnet
 * label and mbuflabel an mbuf label (NULL accepted).
 */
static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}
971 
/*
 * Multicast encapsulation mbuf creation event.  Asserts the old mbuf's
 * label, the interface label and the new mbuf's label, in that order; mbuf
 * labels may be NULL.
 */
static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{
	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}
982 
/*
 * Network-layer mbuf creation event.  Asserts that the old and the new
 * mbuf's labels are mbuf labels (NULL accepted).
 */
static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{
	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}
992 
/*
 * Fragment/reassembly-queue match hook.  Asserts that fragmentlabel is an
 * mbuf label (NULL accepted) and ipqlabel an IPQ label, then returns 1
 * unconditionally -- presumably "labels match", so this policy never keeps
 * a fragment out of a queue; confirm against the framework's contract.
 */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);

	return (1);
}
1003 
/* ICMP reflect event: asserts that mlabel is an mbuf label (or NULL). */
static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{
	ASSERT_MBUF_LABEL(mlabel);
}
1010 
/* TCP reflect event: asserts that mlabel is an mbuf label (or NULL). */
static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{
	ASSERT_MBUF_LABEL(mlabel);
}
1017 
/*
 * Interface relabel event.  Asserts the subject credential label, the
 * interface's current label and the replacement label; nothing is copied.
 */
static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
}
1027 
/*
 * Reassembly queue update event.  Asserts that fragmentlabel is an mbuf
 * label (NULL accepted) and ipqlabel an IPQ label.
 */
static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}
1036 
/*
 * inpcb update after a socket label change.  Asserts that solabel is a
 * socket label and inplabel an inpcb label; nothing is copied.
 */
static void
mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{
	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}
1045 
1046 /*
1047  * Labeling event operations: processes.
1048  */
/*
 * execve() credential transition event.  Asserts the old and new
 * credential labels and the executable's vnode label.  The interpreter
 * vnode label and the exec label are optional: each is asserted only when
 * non-NULL, and execlabel is checked as a credential label.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{
	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	/* Optional labels: skip the check when the caller passes NULL. */
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}
1066 
/*
 * execve_will_transition hook: asserts on the old credential label and on
 * the executed file's label, plus the interpreter vnode label and the exec
 * label when those are non-NULL.  Always returns 0.
 */
static int
mac_test_execve_will_transition(struct ucred *old,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{
	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	/* The exec label is optional; skip its assertion when absent. */
	if (execlabel == NULL)
		return (0);
	ASSERT_CRED_LABEL(execlabel);
	return (0);
}
1084 
/*
 * create_proc0 hook: runs the credential label assertion on cred's label.
 */
static void
mac_test_create_proc0(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);
}
1091 
/*
 * create_proc1 hook: runs the credential label assertion on cred's label.
 */
static void
mac_test_create_proc1(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);
}
1098 
/*
 * relabel_cred hook: asserts on the credential's current label and on the
 * proposed new label.  The credential is not relabeled by this policy.
 */
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}
1106 
/*
 * thread_userret hook: prints one line carrying a process id on every call.
 * The pid comes from curthread's process, not from the td argument, which
 * is unused.
 */
static void
mac_test_thread_userret(struct thread *td)
{
	struct proc *p = curthread->td_proc;

	printf("mac_test_thread_userret(process = %d)\n", p->p_pid);
}
1114 
1115 /*
1116  * Access control checks.
1117  */
/*
 * check_bpfdesc_receive: asserts on the bpf descriptor label and on the
 * interface label, then returns 0 unconditionally.
 */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d,
    struct label *bpflabel, struct ifnet *ifnet, struct label *ifnetlabel)
{
	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	return (0);
}
1128 
/*
 * check_cred_relabel: asserts on the credential's current label and on the
 * requested new label; always returns 0.
 */
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
	return (0);
}
1138 
/*
 * check_cred_visible: asserts on the labels of both credentials; always
 * returns 0.
 */
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);
	return (0);
}
1148 
/*
 * check_ifnet_relabel: asserts on the caller's credential label, the
 * interface's current label and the requested new label; always returns 0.
 */
static int
mac_test_check_ifnet_relabel(struct ucred *cred,
    struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);

	return (0);
}
1159 
/*
 * check_ifnet_transmit: asserts on the interface label and on the mbuf
 * label; always returns 0.
 */
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet,
    struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
	return (0);
}
1170 
/*
 * check_inpcb_deliver: asserts on the inpcb label and on the mbuf label;
 * always returns 0.
 */
static int
mac_test_check_inpcb_deliver(struct inpcb *inp,
    struct label *inplabel, struct mbuf *m, struct label *mlabel)
{
	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
	return (0);
}
1181 
/*
 * check_kenv_dump: asserts on the caller's credential label; always
 * returns 0.
 */
static int
mac_test_check_kenv_dump(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	return (0);
}
1190 
/*
 * check_kenv_get: asserts on the caller's credential label; the variable
 * name is not examined.  Always returns 0.
 */
static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	return (0);
}
1199 
/*
 * check_kenv_set: asserts on the caller's credential label; neither name
 * nor value is examined.  Always returns 0.
 */
static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	return (0);
}
1208 
/*
 * check_kenv_unset: asserts on the caller's credential label; the variable
 * name is not examined.  Always returns 0.
 */
static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	return (0);
}
1217 
/*
 * check_kld_load: asserts on the caller's credential label and on the
 * vnode label passed with the request; always returns 0.
 */
static int
mac_test_check_kld_load(struct ucred *cred,
    struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1228 
/*
 * check_kld_stat: asserts on the caller's credential label; always
 * returns 0.
 */
static int
mac_test_check_kld_stat(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	return (0);
}
1237 
/*
 * check_kld_unload: asserts on the caller's credential label; always
 * returns 0.
 */
static int
mac_test_check_kld_unload(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	return (0);
}
1246 
/*
 * check_mount_stat: asserts on the caller's credential label and on the
 * mount label; always returns 0.
 */
static int
mac_test_check_mount_stat(struct ucred *cred,
    struct mount *mp, struct label *mntlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	return (0);
}
1257 
/*
 * check_pipe_ioctl: asserts on the caller's credential label and on the
 * pipe label.  cmd and data are not inspected.  Always returns 0.
 */
static int
mac_test_check_pipe_ioctl(struct ucred *cred,
    struct pipepair *pp, struct label *pipelabel, unsigned long cmd,
    void /* caddr_t */ *data)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	return (0);
}
1268 
/*
 * check_pipe_poll: asserts on the caller's credential label and on the
 * pipe label; always returns 0.
 */
static int
mac_test_check_pipe_poll(struct ucred *cred,
    struct pipepair *pp, struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	return (0);
}
1279 
/*
 * check_pipe_read: asserts on the caller's credential label and on the
 * pipe label; always returns 0.
 */
static int
mac_test_check_pipe_read(struct ucred *cred,
    struct pipepair *pp, struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	return (0);
}
1290 
/*
 * check_pipe_relabel: asserts on the caller's credential label, the pipe's
 * current label and the requested new label; always returns 0.
 */
static int
mac_test_check_pipe_relabel(struct ucred *cred,
    struct pipepair *pp, struct label *pipelabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
	return (0);
}
1302 
/*
 * check_pipe_stat: asserts on the caller's credential label and on the
 * pipe label; always returns 0.
 */
static int
mac_test_check_pipe_stat(struct ucred *cred,
    struct pipepair *pp, struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	return (0);
}
1313 
/*
 * check_pipe_write: asserts on the caller's credential label and on the
 * pipe label; always returns 0.
 */
static int
mac_test_check_pipe_write(struct ucred *cred,
    struct pipepair *pp, struct label *pipelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	return (0);
}
1324 
/*
 * check_proc_debug: asserts on the caller's credential label and on the
 * label of the target process's credential (proc->p_ucred); always
 * returns 0.
 */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
	return (0);
}
1334 
/*
 * check_proc_sched: asserts on the caller's credential label and on the
 * label of the target process's credential (proc->p_ucred); always
 * returns 0.
 */
static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
	return (0);
}
1344 
/*
 * check_proc_signal: asserts on the caller's credential label and on the
 * label of the target process's credential; signum is not examined.
 * Always returns 0.
 */
static int
mac_test_check_proc_signal(struct ucred *cred,
    struct proc *proc, int signum)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
	return (0);
}
1354 
/*
 * check_socket_bind: asserts on the caller's credential label and on the
 * socket label; the address is not examined.  Always returns 0.
 */
static int
mac_test_check_socket_bind(struct ucred *cred,
    struct socket *socket, struct label *socketlabel,
    struct sockaddr *sockaddr)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	return (0);
}
1365 
/*
 * check_socket_connect: asserts on the caller's credential label and on
 * the socket label; the address is not examined.  Always returns 0.
 */
static int
mac_test_check_socket_connect(struct ucred *cred,
    struct socket *socket, struct label *socketlabel,
    struct sockaddr *sockaddr)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	return (0);
}
1376 
/*
 * check_socket_deliver: asserts on the socket label and on the mbuf label;
 * always returns 0.
 */
static int
mac_test_check_socket_deliver(struct socket *socket,
    struct label *socketlabel, struct mbuf *m, struct label *mbuflabel)
{
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
	return (0);
}
1387 
/*
 * check_socket_listen: asserts on the caller's credential label and on the
 * socket label; always returns 0.
 */
static int
mac_test_check_socket_listen(struct ucred *cred,
    struct socket *socket, struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	return (0);
}
1398 
/*
 * check_socket_visible: asserts on the caller's credential label and on
 * the socket label; always returns 0.
 */
static int
mac_test_check_socket_visible(struct ucred *cred,
    struct socket *socket, struct label *socketlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	return (0);
}
1409 
/*
 * check_socket_relabel: asserts on the caller's credential label, the
 * socket's current label and the requested new label; always returns 0.
 */
static int
mac_test_check_socket_relabel(struct ucred *cred,
    struct socket *socket, struct label *socketlabel,
    struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);
	return (0);
}
1421 
/*
 * check_sysarch_ioperm: asserts on the caller's credential label; always
 * returns 0.
 */
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	return (0);
}
1430 
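/*
 * check_system_acct: asserts on the caller's credential label and, when a
 * label is passed, on the vnode label; always returns 0.
 *
 * The label argument used to be ignored here, unlike in the swapon and
 * swapoff checks of this file, so a label of the wrong type handed to this
 * hook went unnoticed by the test policy.  The assertion is guarded because
 * the request may carry no vnode.
 * NOTE(review): assumes a missing vnode is signalled by a NULL label --
 * confirm against the framework caller.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	if (label != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}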
1440 
/*
 * check_system_reboot: asserts on the caller's credential label; the how
 * argument is not examined.  Always returns 0.
 */
static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	return (0);
}
1449 
/*
 * check_system_settime: asserts on the caller's credential label; always
 * returns 0.
 */
static int
mac_test_check_system_settime(struct ucred *cred)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	return (0);
}
1458 
/*
 * check_system_swapon: asserts on the caller's credential label and on the
 * vnode label; always returns 0.
 */
static int
mac_test_check_system_swapon(struct ucred *cred,
    struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1469 
/*
 * check_system_swapoff: asserts on the caller's credential label and on
 * the vnode label; always returns 0.
 */
static int
mac_test_check_system_swapoff(struct ucred *cred,
    struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1480 
/*
 * check_system_sysctl: asserts on the caller's credential label.  The oid,
 * its arguments and the request are not examined.  Always returns 0.
 */
static int
mac_test_check_system_sysctl(struct ucred *cred,
    struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	return (0);
}
1490 
/*
 * check_vnode_access: asserts on the caller's credential label and on the
 * vnode label; acc_mode is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_access(struct ucred *cred,
    struct vnode *vp, struct label *label, int acc_mode)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1501 
/*
 * check_vnode_chdir: asserts on the caller's credential label and on the
 * directory vnode's label; always returns 0.
 */
static int
mac_test_check_vnode_chdir(struct ucred *cred,
    struct vnode *dvp, struct label *dlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	return (0);
}
1512 
/*
 * check_vnode_chroot: asserts on the caller's credential label and on the
 * directory vnode's label; always returns 0.
 */
static int
mac_test_check_vnode_chroot(struct ucred *cred,
    struct vnode *dvp, struct label *dlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	return (0);
}
1523 
/*
 * check_vnode_create: asserts on the caller's credential label and on the
 * parent directory's label; cnp and vap are not examined.  Always
 * returns 0.
 */
static int
mac_test_check_vnode_create(struct ucred *cred,
    struct vnode *dvp, struct label *dlabel, struct componentname *cnp,
    struct vattr *vap)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	return (0);
}
1534 
/*
 * check_vnode_delete: asserts on the caller's credential label, the
 * directory label and the target vnode's label; always returns 0.
 */
static int
mac_test_check_vnode_delete(struct ucred *cred,
    struct vnode *dvp, struct label *dlabel, struct vnode *vp,
    struct label *label, struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1547 
/*
 * check_vnode_deleteacl: asserts on the caller's credential label and on
 * the vnode label; the ACL type is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_deleteacl(struct ucred *cred,
    struct vnode *vp, struct label *label, acl_type_t type)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1558 
/*
 * check_vnode_deleteextattr: asserts on the caller's credential label and
 * on the vnode label; namespace and attribute name are not examined.
 * Always returns 0.
 */
static int
mac_test_check_vnode_deleteextattr(struct ucred *cred,
    struct vnode *vp, struct label *label, int attrnamespace,
    const char *name)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1569 
/*
 * check_vnode_exec: asserts on the caller's credential label and on the
 * vnode label, and on the exec label when one is supplied.  Always
 * returns 0.
 */
static int
mac_test_check_vnode_exec(struct ucred *cred,
    struct vnode *vp, struct label *label, struct image_params *imgp,
    struct label *execlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	/* The exec label is optional; skip its assertion when absent. */
	if (execlabel == NULL)
		return (0);
	ASSERT_CRED_LABEL(execlabel);
	return (0);
}
1584 
/*
 * check_vnode_getacl: asserts on the caller's credential label and on the
 * vnode label; the ACL type is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_getacl(struct ucred *cred,
    struct vnode *vp, struct label *label, acl_type_t type)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1595 
/*
 * check_vnode_getextattr: asserts on the caller's credential label and on
 * the vnode label; namespace, name and uio are not examined.  Always
 * returns 0.
 */
static int
mac_test_check_vnode_getextattr(struct ucred *cred,
    struct vnode *vp, struct label *label, int attrnamespace,
    const char *name, struct uio *uio)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1606 
/*
 * check_vnode_link: asserts on the caller's credential label, the
 * directory label and the target vnode's label; always returns 0.
 */
static int
mac_test_check_vnode_link(struct ucred *cred,
    struct vnode *dvp, struct label *dlabel, struct vnode *vp,
    struct label *label, struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1619 
/*
 * check_vnode_listextattr: asserts on the caller's credential label and on
 * the vnode label; the namespace is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_listextattr(struct ucred *cred,
    struct vnode *vp, struct label *label, int attrnamespace)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1630 
/*
 * check_vnode_lookup: asserts on the caller's credential label and on the
 * directory label; the component name is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_lookup(struct ucred *cred,
    struct vnode *dvp, struct label *dlabel, struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	return (0);
}
1641 
/*
 * check_vnode_mmap: asserts on the caller's credential label and on the
 * vnode label; prot is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_mmap(struct ucred *cred,
    struct vnode *vp, struct label *label, int prot)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1652 
/*
 * check_vnode_mprotect: asserts on the caller's credential label and on
 * the vnode label; prot is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_mprotect(struct ucred *cred,
    struct vnode *vp, struct label *label, int prot)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1663 
/*
 * check_vnode_open: asserts on the caller's credential label and on the
 * file's vnode label; acc_mode is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_open(struct ucred *cred,
    struct vnode *vp, struct label *filelabel, int acc_mode)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	return (0);
}
1674 
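/*
 * check_vnode_poll: asserts on the active credential label, on the file
 * credential label when a file credential is supplied, and on the vnode
 * label; always returns 0.
 *
 * file_cred is guarded the same way as in the read, stat and write checks
 * of this file, so a NULL file credential is skipped instead of being
 * dereferenced.
 * NOTE(review): whether poll callers can pass a NULL file_cred is not
 * visible from here; the guard is harmless if they cannot.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}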
1686 
/*
 * check_vnode_read: asserts on the active credential label, on the file
 * credential label when file_cred is non-NULL, and on the vnode label.
 * Always returns 0.
 */
static int
mac_test_check_vnode_read(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);
	/* file_cred may be absent; only dereference it when present. */
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1700 
/*
 * check_vnode_readdir: asserts on the caller's credential label and on the
 * directory label; always returns 0.
 */
static int
mac_test_check_vnode_readdir(struct ucred *cred,
    struct vnode *dvp, struct label *dlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	return (0);
}
1711 
/*
 * check_vnode_readlink: asserts on the caller's credential label and on
 * the vnode label; always returns 0.
 */
static int
mac_test_check_vnode_readlink(struct ucred *cred,
    struct vnode *vp, struct label *vnodelabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	return (0);
}
1722 
/*
 * check_vnode_relabel: asserts on the caller's credential label, the
 * vnode's current label and the requested new label; always returns 0.
 */
static int
mac_test_check_vnode_relabel(struct ucred *cred,
    struct vnode *vp, struct label *vnodelabel, struct label *newlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);
	return (0);
}
1734 
/*
 * check_vnode_rename_from: asserts on the caller's credential label, the
 * source directory label and the source vnode's label; always returns 0.
 */
static int
mac_test_check_vnode_rename_from(struct ucred *cred,
    struct vnode *dvp, struct label *dlabel, struct vnode *vp,
    struct label *label, struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1747 
/*
 * check_vnode_rename_to: asserts on the caller's credential label and on
 * the directory label.  The vnode label is asserted on only when vp is
 * non-NULL; note the guard tests vp, not label.  samedir and cnp are not
 * examined.  Always returns 0.
 */
static int
mac_test_check_vnode_rename_to(struct ucred *cred,
    struct vnode *dvp, struct label *dlabel, struct vnode *vp,
    struct label *label, int samedir, struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	/* Without a vnode there is no vnode label to verify. */
	if (vp == NULL)
		return (0);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1763 
/*
 * check_vnode_revoke: asserts on the caller's credential label and on the
 * vnode label; always returns 0.
 */
static int
mac_test_check_vnode_revoke(struct ucred *cred,
    struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1774 
/*
 * check_vnode_setacl: asserts on the caller's credential label and on the
 * vnode label; the ACL type and contents are not examined.  Always
 * returns 0.
 */
static int
mac_test_check_vnode_setacl(struct ucred *cred,
    struct vnode *vp, struct label *label, acl_type_t type,
    struct acl *acl)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1785 
/*
 * check_vnode_setextattr: asserts on the caller's credential label and on
 * the vnode label; namespace, name and uio are not examined.  Always
 * returns 0.
 */
static int
mac_test_check_vnode_setextattr(struct ucred *cred,
    struct vnode *vp, struct label *label, int attrnamespace,
    const char *name, struct uio *uio)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1796 
/*
 * check_vnode_setflags: asserts on the caller's credential label and on
 * the vnode label; the flags value is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_setflags(struct ucred *cred,
    struct vnode *vp, struct label *label, u_long flags)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1807 
/*
 * check_vnode_setmode: asserts on the caller's credential label and on the
 * vnode label; the mode value is not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_setmode(struct ucred *cred,
    struct vnode *vp, struct label *label, mode_t mode)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1818 
/*
 * check_vnode_setowner: asserts on the caller's credential label and on
 * the vnode label; uid and gid are not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_setowner(struct ucred *cred,
    struct vnode *vp, struct label *label, uid_t uid, gid_t gid)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1829 
/*
 * check_vnode_setutimes: asserts on the caller's credential label and on
 * the vnode label; the two timestamps are not examined.  Always returns 0.
 */
static int
mac_test_check_vnode_setutimes(struct ucred *cred,
    struct vnode *vp, struct label *label, struct timespec atime,
    struct timespec mtime)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1840 
/*
 * check_vnode_stat: asserts on the active credential label, on the file
 * credential label when file_cred is non-NULL, and on the vnode label.
 * Always returns 0.
 */
static int
mac_test_check_vnode_stat(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);
	/* file_cred may be absent; only dereference it when present. */
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1854 
/*
 * check_vnode_write: asserts on the active credential label, on the file
 * credential label when file_cred is non-NULL, and on the vnode label.
 * Always returns 0.
 */
static int
mac_test_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{
	ASSERT_CRED_LABEL(active_cred->cr_label);
	/* file_cred may be absent; only dereference it when present. */
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);
	return (0);
}
1868 
/*
 * Entry-point table of the test policy: every mpo_* slot listed here is
 * bound to the mac_test_* function of the matching name, except for the
 * externalize/internalize slots, which all share one generic helper each.
 * Slots not named in the initializer are left zero-initialized.
 */
static struct mac_policy_ops mac_test_ops = {
	/* Policy lifecycle and policy syscall. */
	.mpo_destroy = mac_test_destroy,
	.mpo_init = mac_test_init,
	.mpo_syscall = mac_test_syscall,

	/* Label initialization, one slot per labeled object type. */
	.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
	.mpo_init_cred_label = mac_test_init_cred_label,
	.mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
	.mpo_init_ifnet_label = mac_test_init_ifnet_label,
	.mpo_init_inpcb_label = mac_test_init_inpcb_label,
	.mpo_init_ipq_label = mac_test_init_ipq_label,
	.mpo_init_mbuf_label = mac_test_init_mbuf_label,
	.mpo_init_mount_label = mac_test_init_mount_label,
	.mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
	.mpo_init_pipe_label = mac_test_init_pipe_label,
	.mpo_init_proc_label = mac_test_init_proc_label,
	.mpo_init_socket_label = mac_test_init_socket_label,
	.mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
	.mpo_init_vnode_label = mac_test_init_vnode_label,

	/* Label destruction, mirroring the init slots above. */
	.mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
	.mpo_destroy_cred_label = mac_test_destroy_cred_label,
	.mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
	.mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
	.mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
	.mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
	.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
	.mpo_destroy_mount_label = mac_test_destroy_mount_label,
	.mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
	.mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
	.mpo_destroy_proc_label = mac_test_destroy_proc_label,
	.mpo_destroy_socket_label = mac_test_destroy_socket_label,
	.mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
	.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,

	/* Label copy. */
	.mpo_copy_cred_label = mac_test_copy_cred_label,
	.mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
	.mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
	.mpo_copy_pipe_label = mac_test_copy_pipe_label,
	.mpo_copy_socket_label = mac_test_copy_socket_label,
	.mpo_copy_vnode_label = mac_test_copy_vnode_label,

	/* Externalize: one shared helper for every object type. */
	.mpo_externalize_cred_label = mac_test_externalize_label,
	.mpo_externalize_ifnet_label = mac_test_externalize_label,
	.mpo_externalize_pipe_label = mac_test_externalize_label,
	.mpo_externalize_socket_label = mac_test_externalize_label,
	.mpo_externalize_socket_peer_label = mac_test_externalize_label,
	.mpo_externalize_vnode_label = mac_test_externalize_label,

	/* Internalize: one shared helper for every object type. */
	.mpo_internalize_cred_label = mac_test_internalize_label,
	.mpo_internalize_ifnet_label = mac_test_internalize_label,
	.mpo_internalize_pipe_label = mac_test_internalize_label,
	.mpo_internalize_socket_label = mac_test_internalize_label,
	.mpo_internalize_vnode_label = mac_test_internalize_label,

	/* Labeling events: vnode, devfs and mount hooks. */
	.mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
	.mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
	.mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
	.mpo_create_devfs_device = mac_test_create_devfs_device,
	.mpo_create_devfs_directory = mac_test_create_devfs_directory,
	.mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
	.mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
	.mpo_create_mount = mac_test_create_mount,
	.mpo_create_root_mount = mac_test_create_root_mount,
	.mpo_relabel_vnode = mac_test_relabel_vnode,
	.mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
	.mpo_update_devfsdirent = mac_test_update_devfsdirent,

	/* Labeling events: pipe and socket hooks. */
	.mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
	.mpo_create_pipe = mac_test_create_pipe,
	.mpo_create_socket = mac_test_create_socket,
	.mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
	.mpo_relabel_pipe = mac_test_relabel_pipe,
	.mpo_relabel_socket = mac_test_relabel_socket,
	.mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
	.mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,

	/* Labeling events: bpf, ifnet, inpcb, ipq and mbuf hooks. */
	.mpo_create_bpfdesc = mac_test_create_bpfdesc,
	.mpo_create_ifnet = mac_test_create_ifnet,
	.mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
	.mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
	.mpo_create_fragment = mac_test_create_fragment,
	.mpo_create_ipq = mac_test_create_ipq,
	.mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
	.mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
	.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
	.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
	.mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
	.mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
	.mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
	.mpo_fragment_match = mac_test_fragment_match,
	.mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
	.mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
	.mpo_relabel_ifnet = mac_test_relabel_ifnet,
	.mpo_update_ipq = mac_test_update_ipq,
	.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,

	/* Labeling events: processes. */
	.mpo_execve_transition = mac_test_execve_transition,
	.mpo_execve_will_transition = mac_test_execve_will_transition,
	.mpo_create_proc0 = mac_test_create_proc0,
	.mpo_create_proc1 = mac_test_create_proc1,
	.mpo_relabel_cred = mac_test_relabel_cred,
	.mpo_thread_userret = mac_test_thread_userret,

	/* Access control checks. */
	.mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
	.mpo_check_cred_relabel = mac_test_check_cred_relabel,
	.mpo_check_cred_visible = mac_test_check_cred_visible,
	.mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
	.mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
	.mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
	.mpo_check_kenv_dump = mac_test_check_kenv_dump,
	.mpo_check_kenv_get = mac_test_check_kenv_get,
	.mpo_check_kenv_set = mac_test_check_kenv_set,
	.mpo_check_kenv_unset = mac_test_check_kenv_unset,
	.mpo_check_kld_load = mac_test_check_kld_load,
	.mpo_check_kld_stat = mac_test_check_kld_stat,
	.mpo_check_kld_unload = mac_test_check_kld_unload,
	.mpo_check_mount_stat = mac_test_check_mount_stat,
	.mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
	.mpo_check_pipe_poll = mac_test_check_pipe_poll,
	.mpo_check_pipe_read = mac_test_check_pipe_read,
	.mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
	.mpo_check_pipe_stat = mac_test_check_pipe_stat,
	.mpo_check_pipe_write = mac_test_check_pipe_write,
	.mpo_check_proc_debug = mac_test_check_proc_debug,
	.mpo_check_proc_sched = mac_test_check_proc_sched,
	.mpo_check_proc_signal = mac_test_check_proc_signal,
	.mpo_check_socket_bind = mac_test_check_socket_bind,
	.mpo_check_socket_connect = mac_test_check_socket_connect,
	.mpo_check_socket_deliver = mac_test_check_socket_deliver,
	.mpo_check_socket_listen = mac_test_check_socket_listen,
	.mpo_check_socket_relabel = mac_test_check_socket_relabel,
	.mpo_check_socket_visible = mac_test_check_socket_visible,
	.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
	.mpo_check_system_acct = mac_test_check_system_acct,
	.mpo_check_system_reboot = mac_test_check_system_reboot,
	.mpo_check_system_settime = mac_test_check_system_settime,
	.mpo_check_system_swapon = mac_test_check_system_swapon,
	.mpo_check_system_swapoff = mac_test_check_system_swapoff,
	.mpo_check_system_sysctl = mac_test_check_system_sysctl,
	.mpo_check_vnode_access = mac_test_check_vnode_access,
	.mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
	.mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
	.mpo_check_vnode_create = mac_test_check_vnode_create,
	.mpo_check_vnode_delete = mac_test_check_vnode_delete,
	.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = mac_test_check_vnode_exec,
	.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
	.mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
	.mpo_check_vnode_link = mac_test_check_vnode_link,
	.mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
	.mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
	.mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
	.mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect,
	.mpo_check_vnode_open = mac_test_check_vnode_open,
	.mpo_check_vnode_poll = mac_test_check_vnode_poll,
	.mpo_check_vnode_read = mac_test_check_vnode_read,
	.mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
	.mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
	.mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
	.mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
	.mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
	.mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
	.mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
	.mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
	.mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
	.mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
	.mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
	.mpo_check_vnode_stat = mac_test_check_vnode_stat,
	.mpo_check_vnode_write = mac_test_check_vnode_write,
};

/*
 * Declare the policy: ops table, policy name "mac_test", full name
 * "TrustedBSD MAC/Test", the load-time flags, and test_slot to receive the
 * label slot.  NOTE(review): going by their names, the flags allow the
 * policy to be unloaded and request mbuf labeling -- confirm against the
 * MAC framework headers.
 */
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
    MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS,
    &test_slot);
2036