1 /*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001-2005 McAfee, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by McAfee 9 * Research, the Security Research Division of McAfee, Inc. under 10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 11 * CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $FreeBSD$ 35 */ 36 37 /* 38 * Developed by the TrustedBSD Project. 39 * Generic mandatory access module that does nothing. 
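*/

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/kdb.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <sys/msg.h>
#include <sys/sem.h>
#include <sys/shm.h>

#include <posix4/ksem.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * Read-write knob published under the security.mac.test node.
 * NOTE(review): none of the label and labeling-event entry points reviewed
 * here reads this flag; confirm which entry points, if any, honour it.
 */
static int	mac_test_enabled = 1;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");

/*
 * Magic values written into this policy's label slot, one per object type,
 * so that a label handed to the wrong entry point can be recognised.
 * EXMAGIC is what the destroy entry points leave behind, which is how a
 * second destroy or a use after destroy is detected.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	INPCBMAGIC	0x4440f7bb
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	SYSVIPCMSQMAGIC	0xea672391
#define	SYSVIPCMSGMAGIC	0x8bbba61e
#define	SYSVIPCSEMMAGIC	0x896e8a0b
#define	SYSVIPCSHMMAGIC	0x76119ab0
#define	PIPEMAGIC	0xdc6c9919
#define	POSIXSEMMAGIC	0x78ae980c
#define	PROCMAGIC	0x3b4be98f
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
#define	EXMAGIC		0x849ba1fd

/*
 * This policy's slot in a label.  The expansion is parenthesised so that it
 * stays a single operand wherever it is used; it remains assignable.
 */
#define	SLOT(x)	(LABEL_TO_SLOT((x), test_slot).l_long)

/*
 * Per-type label checks.  Each accepts the type's magic value or 0; a zero
 * slot is tolerated, presumably for labels that were never initialised by
 * this policy (confirm against the framework).
 *
 * These are KASSERT()s, which are compiled out unless the kernel is built
 * with INVARIANTS, so a mislabelled object is only caught on a debugging
 * kernel.
 */
#define	ASSERT_BPF_LABEL(x)	KASSERT(SLOT(x) == BPFMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad BPF label", __func__))
#define	ASSERT_DEVFS_LABEL(x)	KASSERT(SLOT(x) == DEVFSMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad DEVFS label", __func__))
#define	ASSERT_IFNET_LABEL(x)	KASSERT(SLOT(x) == IFNETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad IFNET label", __func__))
#define	ASSERT_INPCB_LABEL(x)	KASSERT(SLOT(x) == INPCBMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad INPCB label", __func__))
#define	ASSERT_IPQ_LABEL(x)	KASSERT(SLOT(x) == IPQMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad IPQ label", __func__))
/* An mbuf may carry no label at all, so NULL is accepted here. */
#define	ASSERT_MBUF_LABEL(x)	KASSERT((x) == NULL ||			\
	SLOT(x) == MBUFMAGIC ||	SLOT(x) == 0,				\
	("%s: Bad MBUF label", __func__))
#define	ASSERT_MOUNT_LABEL(x)	KASSERT(SLOT(x) == MOUNTMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad MOUNT label", __func__))
#define	ASSERT_SOCKET_LABEL(x)	KASSERT(SLOT(x) == SOCKETMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad SOCKET label", __func__))
#define	ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__))
#define	ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__))
#define	ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__))
#define	ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC || \
	SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__))
#define	ASSERT_PIPE_LABEL(x)	KASSERT(SLOT(x) == PIPEMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PIPE label", __func__))
#define	ASSERT_POSIX_LABEL(x)	KASSERT(SLOT(x) == POSIXSEMMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad POSIX ksem label", __func__))
#define	ASSERT_PROC_LABEL(x)	KASSERT(SLOT(x) == PROCMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad PROC label", __func__))
#define	ASSERT_CRED_LABEL(x)	KASSERT(SLOT(x) == CREDMAGIC ||		\
	SLOT(x) == 0, ("%s: Bad CRED label", __func__))
#define	ASSERT_VNODE_LABEL(x)	KASSERT(SLOT(x) == VNODEMAGIC ||	\
	SLOT(x) == 0, ("%s: Bad VNODE label", __func__))

/* Index of this policy's label slot; exported read-only via sysctl. */
static int	test_slot;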
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");

/*
 * Read-only counters, one per label type, bumped by the matching
 * label-init entry point.
 */
static int	init_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
    &init_count_bpfdesc, 0, "bpfdesc init calls");
static int	init_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
    &init_count_cred, 0, "cred init calls");
static int	init_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
    &init_count_devfsdirent, 0, "devfsdirent init calls");
static int	init_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
    &init_count_ifnet, 0, "ifnet init calls");
static int	init_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
    &init_count_inpcb, 0, "inpcb init calls");
static int	init_count_sysv_msg;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD,
    &init_count_sysv_msg, 0, "ipc_msg init calls");
static int	init_count_sysv_msq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD,
    &init_count_sysv_msq, 0, "ipc_msq init calls");
static int	init_count_sysv_sem;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sem, CTLFLAG_RD,
    &init_count_sysv_sem, 0, "ipc_sema init calls");
static int	init_count_sysv_shm;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD,
    &init_count_sysv_shm, 0, "ipc_shm init calls");
static int	init_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
    &init_count_ipq, 0, "ipq init calls");
static int	init_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
    &init_count_mbuf, 0, "mbuf init calls");
static int	init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
    &init_count_mount, 0, "mount init calls");
static int	init_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
    &init_count_mount_fslabel, 0, "mount_fslabel init calls");
static int	init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
    &init_count_socket, 0, "socket init calls");
static int	init_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
    CTLFLAG_RD, &init_count_socket_peerlabel, 0,
    "socket_peerlabel init calls");
static int	init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
    &init_count_pipe, 0, "pipe init calls");
static int	init_count_posixsems;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_posixsems, CTLFLAG_RD,
    &init_count_posixsems, 0, "posix sems init calls");
static int	init_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
    &init_count_proc, 0, "proc init calls");
static int	init_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
    &init_count_vnode, 0, "vnode init calls");

/*
 * Read-only counters, one per label type, bumped by the matching
 * label-destroy entry point when it accepts the label.
 */
static int	destroy_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
    &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
static int	destroy_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
    &destroy_count_cred, 0, "cred destroy calls");
static int	destroy_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
    &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
static int	destroy_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
    &destroy_count_ifnet, 0, "ifnet destroy calls");
static int	destroy_count_inpcb;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
    &destroy_count_inpcb, 0, "inpcb destroy calls");
static int	destroy_count_sysv_msg;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD,
    &destroy_count_sysv_msg, 0, "ipc_msg destroy calls");
static int	destroy_count_sysv_msq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD,
    &destroy_count_sysv_msq, 0, "ipc_msq destroy calls");
static int	destroy_count_sysv_sem;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sem, CTLFLAG_RD,
    &destroy_count_sysv_sem, 0, "ipc_sema destroy calls");
static int	destroy_count_sysv_shm;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD,
    &destroy_count_sysv_shm, 0, "ipc_shm destroy calls");
static int	destroy_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
    &destroy_count_ipq, 0, "ipq destroy calls");
static int	destroy_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
    &destroy_count_mbuf, 0, "mbuf destroy calls");
static int	destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
    &destroy_count_mount, 0, "mount destroy calls");
static int	destroy_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
    CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
    "mount_fslabel destroy calls");
static int	destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
    &destroy_count_socket, 0, "socket destroy calls");
static int	destroy_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
    CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
    "socket_peerlabel destroy calls");
static int	destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
    &destroy_count_pipe, 0, "pipe destroy calls");
static int	destroy_count_posixsems;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_posixsems, CTLFLAG_RD,
    &destroy_count_posixsems, 0, "posix sems destroy calls");
static int	destroy_count_proc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
    &destroy_count_proc, 0, "proc destroy calls");
static int	destroy_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
    &destroy_count_vnode, 0, "vnode destroy calls");

/* Call counters for the externalize and internalize entry points. */
static int	externalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
static int	internalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");

/*
 * How a bad label is reported from the destroy entry points: enter the
 * kernel debugger when KDB is configured, otherwise log the message with
 * printf() and carry on.
 */
#ifdef KDB
#define	DEBUGGER(x)	kdb_enter(x)
#else
#define	DEBUGGER(x)	printf("mac_test: %s\n", (x))
#endif

/*
 * Policy module operations.
 */

/* Policy teardown hook; this policy has nothing to release. */
static void
mac_test_destroy(struct mac_policy_conf *conf)
{
}

/* Policy setup hook; this policy needs no initialisation. */
static void
mac_test_init(struct mac_policy_conf *conf)
{
}

/* Policy-specific system call hook: ignores every argument, returns 0. */
static int
mac_test_syscall(struct thread *td, int call, void *arg)
{
	return (0);
}

/*
 * Label operations.
*/

/*
 * Label initialisation.  Each entry point stamps the object type's magic
 * value into this policy's slot and bumps the matching init counter.  The
 * variants that take a flag argument always return 0.
 */
static void
mac_test_init_bpfdesc_label(struct label *label)
{
	SLOT(label) = BPFMAGIC;
	atomic_add_int(&init_count_bpfdesc, 1);
}

static void
mac_test_init_cred_label(struct label *label)
{
	SLOT(label) = CREDMAGIC;
	atomic_add_int(&init_count_cred, 1);
}

static void
mac_test_init_devfsdirent_label(struct label *label)
{
	SLOT(label) = DEVFSMAGIC;
	atomic_add_int(&init_count_devfsdirent, 1);
}

static void
mac_test_init_ifnet_label(struct label *label)
{
	SLOT(label) = IFNETMAGIC;
	atomic_add_int(&init_count_ifnet, 1);
}

/*
 * When the caller says it may sleep (M_WAITOK), have WITNESS report any
 * locks held at this point that make sleeping unsafe.
 */
static int
mac_test_init_inpcb_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_inpcb_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = INPCBMAGIC;
	atomic_add_int(&init_count_inpcb, 1);
	return (0);
}

static void
mac_test_init_sysv_msgmsg_label(struct label *label)
{
	SLOT(label) = SYSVIPCMSGMAGIC;
	atomic_add_int(&init_count_sysv_msg, 1);
}

static void
mac_test_init_sysv_msgqueue_label(struct label *label)
{
	SLOT(label) = SYSVIPCMSQMAGIC;
	atomic_add_int(&init_count_sysv_msq, 1);
}

static void
mac_test_init_sysv_sem_label(struct label *label)
{
	SLOT(label) = SYSVIPCSEMMAGIC;
	atomic_add_int(&init_count_sysv_sem, 1);
}

static void
mac_test_init_sysv_shm_label(struct label *label)
{
	SLOT(label) = SYSVIPCSHMMAGIC;
	atomic_add_int(&init_count_sysv_shm, 1);
}

/* Same sleep check as the inpcb variant. */
static int
mac_test_init_ipq_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_ipq_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = IPQMAGIC;
	atomic_add_int(&init_count_ipq, 1);
	return (0);
}

/* Same sleep check as the inpcb variant. */
static int
mac_test_init_mbuf_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_mbuf_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = MBUFMAGIC;
	atomic_add_int(&init_count_mbuf, 1);
	return (0);
}

static void
mac_test_init_mount_label(struct label *label)
{
	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount, 1);
}

/*
 * The file system label is stamped with MOUNTMAGIC as well, so the label
 * checks cannot tell a mount label from a file system label; only the
 * counters are kept apart.
 */
static void
mac_test_init_mount_fs_label(struct label *label)
{
	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount_fslabel, 1);
}

/* Same sleep check as the inpcb variant. */
static int
mac_test_init_socket_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket, 1);
	return (0);
}

/*
 * The peer label is stamped with SOCKETMAGIC as well, so the label checks
 * cannot tell a socket label from a socket peer label.
 */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{
	if ((flag & M_WAITOK) != 0) {
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
		    "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
		    __LINE__);
	}

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket_peerlabel, 1);
	return (0);
}

static void
mac_test_init_pipe_label(struct label *label)
{
	SLOT(label) = PIPEMAGIC;
	atomic_add_int(&init_count_pipe, 1);
}

static void
mac_test_init_posix_sem_label(struct label *label)
{
	SLOT(label) = POSIXSEMMAGIC;
	atomic_add_int(&init_count_posixsems, 1);
}

static void
mac_test_init_proc_label(struct label *label)
{
	SLOT(label) = PROCMAGIC;
	atomic_add_int(&init_count_proc, 1);
}

static void
mac_test_init_vnode_label(struct label *label)
{
	SLOT(label) = VNODEMAGIC;
	atomic_add_int(&init_count_vnode, 1);
}

/*
 * Label destruction.  Each entry point sorts the slot into one of three
 * cases:
 *   - EXMAGIC: the label was already destroyed; report a duplicate destroy.
 *   - neither the type's magic nor 0: report a corrupted label.
 *   - the type's magic or 0: bump the destroy counter and poison the slot
 *     with EXMAGIC.
 * Unlike the ASSERT_*_LABEL checks, the reports go through DEBUGGER() and
 * are not KASSERT()s.
 * NOTE(review): the test and the EXMAGIC store are separate steps; this
 * assumes the framework never destroys one label from two threads at
 * once -- confirm.
 */
static void
mac_test_destroy_bpfdesc_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_bpfdesc: dup destroy");
		return;
	}
	if (SLOT(label) != BPFMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_bpfdesc: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_bpfdesc, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_cred_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_cred: dup destroy");
		return;
	}
	if (SLOT(label) != CREDMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_cred: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_cred, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_devfsdirent_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_devfsdirent: dup destroy");
		return;
	}
	if (SLOT(label) != DEVFSMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_devfsdirent: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_devfsdirent, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_ifnet_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_ifnet: dup destroy");
		return;
	}
	if (SLOT(label) != IFNETMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_ifnet: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_ifnet, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_inpcb_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_inpcb: dup destroy");
		return;
	}
	if (SLOT(label) != INPCBMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_inpcb: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_inpcb, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_sysv_msgmsg_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy");
		return;
	}
	if (SLOT(label) != SYSVIPCMSGMAGIC && SLOT(label) != 0) {
		DEBUGGER(
		    "mac_test_destroy_sysv_msgmsg_label: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_sysv_msg, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_sysv_msgqueue_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy");
		return;
	}
	if (SLOT(label) != SYSVIPCMSQMAGIC && SLOT(label) != 0) {
		DEBUGGER(
		    "mac_test_destroy_sysv_msgqueue_label: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_sysv_msq, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_sysv_sem_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_sem_label: dup destroy");
		return;
	}
	if (SLOT(label) != SYSVIPCSEMMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_sysv_sem_label: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_sysv_sem, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_sysv_shm_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy");
		return;
	}
	if (SLOT(label) != SYSVIPCSHMMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_sysv_shm, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_ipq_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_ipq: dup destroy");
		return;
	}
	if (SLOT(label) != IPQMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_ipq: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_ipq, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_mbuf_label(struct label *label)
{
	/*
	 * If we're loaded dynamically, there may be mbufs in flight that
	 * didn't have label storage allocated for them.  Handle this
	 * gracefully.
	 */
	if (label == NULL)
		return;

	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mbuf: dup destroy");
		return;
	}
	if (SLOT(label) != MBUFMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_mbuf: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_mbuf, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_mount_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mount: dup destroy");
		return;
	}
	if (SLOT(label) != MOUNTMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_mount: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_mount, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_mount_fs_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy");
		return;
	}
	if (SLOT(label) != MOUNTMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_mount_fslabel, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_socket_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_socket: dup destroy");
		return;
	}
	if (SLOT(label) != SOCKETMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_socket: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_socket, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_socket_peer_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy");
		return;
	}
	if (SLOT(label) != SOCKETMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_socket_peerlabel, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_pipe_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_pipe: dup destroy");
		return;
	}
	if (SLOT(label) != PIPEMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_pipe: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_pipe, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_posix_sem_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_posix_sem: dup destroy");
		return;
	}
	if (SLOT(label) != POSIXSEMMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_posix_sem: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_posixsems, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_proc_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_proc: dup destroy");
		return;
	}
	if (SLOT(label) != PROCMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_proc: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_proc, 1);
	SLOT(label) = EXMAGIC;
}

static void
mac_test_destroy_vnode_label(struct label *label)
{
	if (SLOT(label) == EXMAGIC) {
		DEBUGGER("mac_test_destroy_vnode: dup destroy");
		return;
	}
	if (SLOT(label) != VNODEMAGIC && SLOT(label) != 0) {
		DEBUGGER("mac_test_destroy_vnode: corrupted label");
		return;
	}
	atomic_add_int(&destroy_count_vnode, 1);
	SLOT(label) = EXMAGIC;
}

/*
 * Label copy.  Nothing is copied: each entry point only asserts that both
 * labels are of the expected type, and dest's slot is left as it was.
 */
static void
mac_test_copy_cred_label(struct label *src, struct label *dest)
{
	ASSERT_CRED_LABEL(src);
	ASSERT_CRED_LABEL(dest);
}

static void
mac_test_copy_ifnet_label(struct label *src, struct label *dest)
{
	ASSERT_IFNET_LABEL(src);
	ASSERT_IFNET_LABEL(dest);
}

static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{
	ASSERT_MBUF_LABEL(src);
	ASSERT_MBUF_LABEL(dest);
}

static void
mac_test_copy_pipe_label(struct label *src, struct label *dest)
{
	ASSERT_PIPE_LABEL(src);
	ASSERT_PIPE_LABEL(dest);
}

static void
mac_test_copy_socket_label(struct label *src, struct label *dest)
{
	ASSERT_SOCKET_LABEL(src);
	ASSERT_SOCKET_LABEL(dest);
}

static void
mac_test_copy_vnode_label(struct label *src, struct label *dest)
{
	ASSERT_VNODE_LABEL(src);
	ASSERT_VNODE_LABEL(dest);
}

/*
 * Count the call and assert that the label has not been destroyed.
 * Nothing is written to sb and *claimed is not touched; the label's type
 * is not checked, only that the slot is not EXMAGIC.  Always returns 0.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{
	atomic_add_int(&externalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_externalize_label: destroyed label"));

	return (0);
}

/*
 * Count the call and assert that the label has not been destroyed.
 * element_data is not parsed and *claimed is not touched.  Always
 * returns 0.
 */
static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{
	atomic_add_int(&internalize_count, 1);

	KASSERT(SLOT(label) != EXMAGIC,
	    ("mac_test_internalize_label: destroyed label"));

	return (0);
}

/*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.
*/

/*
 * None of the entry points below changes a label; each only asserts that
 * the labels it is handed carry the magic value of the expected object
 * type (or 0).
 */

/* Checks the file system, devfs dirent and vnode labels. */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_DEVFS_LABEL(delabel);
	ASSERT_VNODE_LABEL(vlabel);
}

/* Checks the file system and vnode labels; always returns 0. */
static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
	return (0);
}

/* Checks the file system and vnode labels. */
static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(vlabel);
}

/* The credential label is only checked when a credential is supplied. */
static void
mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
{
	if (cred != NULL) {
		ASSERT_CRED_LABEL(cred->cr_label);
	}
	ASSERT_DEVFS_LABEL(label);
}

/* Checks the new directory's devfs label. */
static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{
	ASSERT_DEVFS_LABEL(label);
}

/*
 * NOTE(review): cred is dereferenced unconditionally here, while
 * mac_test_create_devfs_device() tolerates a NULL cred; confirm that the
 * framework never passes NULL to this entry point.
 */
static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_DEVFS_LABEL(ddlabel);
	ASSERT_DEVFS_LABEL(delabel);
}

/*
 * Checks the credential, file system and directory vnode labels; always
 * returns 0.
 * NOTE(review): vlabel, the new vnode's label, is not checked here;
 * confirm whether that is intentional.
 */
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(fslabel);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

/* Checks the credential, mount and file system labels. */
static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

/* Same checks as mac_test_create_mount(), for the root mount. */
static void
mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);
	ASSERT_MOUNT_LABEL(fslabel);
}

/* Checks the credential, the vnode's current label and the new label. */
static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(label);
}

/*
 * Checks the credential, the vnode label and the internalized label;
 * always returns 0.
 */
static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{
	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vlabel);
	ASSERT_VNODE_LABEL(intlabel);
	return (0);
}

/* Checks the devfs dirent and vnode labels. */
static void
mac_test_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{
	ASSERT_DEVFS_LABEL(direntlabel);
	ASSERT_VNODE_LABEL(vnodelabel);
}

/*
 * Labeling event operations: IPC object.
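*/

/*
 * None of the entry points below changes a label; each only asserts that
 * the labels it is handed carry the magic value of the expected object
 * type (or 0).
 */

/* Checks the socket label and the mbuf label (which may be NULL). */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

/* Checks the creating credential and the new socket's label. */
static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
}

/* Checks the creating credential and the new pipe's label. */
static void
mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
}

/* Checks the creating credential and the new semaphore's label. */
static void
mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem,
    struct label *posixlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_POSIX_LABEL(posixlabel);
}

/* Checks the labels of both the old and the new socket. */
static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketlabel);
}

/*
 * Checks the credential, the socket's current label and the new label.
 * The current label is checked as well, matching mac_test_relabel_pipe()
 * and mac_test_relabel_vnode(); without it a damaged or wrong-typed
 * existing socket label would pass through a relabel unnoticed.
 */
static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);
}

/* Checks the credential, the pipe's current label and the new label. */
static void
mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);
}

/* Checks the mbuf label (which may be NULL) and the socket peer label. */
static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{

	ASSERT_MBUF_LABEL(mbuflabel);
	ASSERT_SOCKET_LABEL(socketpeerlabel);
}

/*
 * Labeling event operations: network objects.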
*/
/*
 * Each hook in this group only sanity-checks the labels named in its
 * body; no label is copied or changed, and the object pointers
 * themselves (sockets, mbufs, ifnets, ...) are never dereferenced.
 */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

	ASSERT_SOCKET_LABEL(oldsocketlabel);
	ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}

static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_BPF_LABEL(bpflabel);
}

static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

	ASSERT_IPQ_LABEL(ipqlabel);
	ASSERT_MBUF_LABEL(datagramlabel);
}

static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

	ASSERT_MBUF_LABEL(datagramlabel);
	ASSERT_MBUF_LABEL(fragmentlabel);
}

static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
}

static void
mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/*
 * System V IPC creation hooks.  Unlike the socket, pipe and BPF creation
 * hooks in this file, these four take a credential but do not check its
 * label; only the IPC object labels are checked.
 */
static void
mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

static void
mac_test_create_sysv_msgqueue(struct ucred *cred,
    struct msqid_kernel *msqkptr, struct label *msqlabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

static void
mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semalabel)
{

	ASSERT_SYSVIPCSEM_LABEL(semalabel);
}

static void
mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmlabel)
{

	ASSERT_SYSVIPCSHM_LABEL(shmlabel);
}

static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);
}

static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

	ASSERT_MBUF_LABEL(oldmbuflabel);
	ASSERT_MBUF_LABEL(newmbuflabel);
}

/*
 * Fragment/reassembly-queue match hook: sanity-checks both labels and
 * always returns 1, so this policy never reports a fragment as not
 * matching its queue.  The labels are not compared with each other.
 */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);

	return (1);
}

static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{

	ASSERT_MBUF_LABEL(mlabel);
}

/*
 * Interface relabel hook: sanity-checks the credential label plus the
 * current and replacement interface labels; newlabel is not copied.
 */
static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
}

static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	ASSERT_MBUF_LABEL(fragmentlabel);
	ASSERT_IPQ_LABEL(ipqlabel);
}

static void
mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

	ASSERT_SOCKET_LABEL(solabel);
	ASSERT_INPCB_LABEL(inplabel);
}

/*
 * Labeling event operations: processes.
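*/
/*
 * Exec transition hook: sanity-checks the old and new credential labels
 * and the executable's vnode label.  interpvnodelabel and execlabel are
 * optional and are only checked when non-NULL.  No label is changed.
 */
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_CRED_LABEL(new->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}
}

/*
 * Same label checks as mac_test_execve_transition(), minus the new
 * credential.  Always returns 0.
 */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	ASSERT_CRED_LABEL(old->cr_label);
	ASSERT_VNODE_LABEL(filelabel);
	if (interpvnodelabel != NULL) {
		ASSERT_VNODE_LABEL(interpvnodelabel);
	}
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

static void
mac_test_create_proc0(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

static void
mac_test_create_proc1(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);
}

static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);
}

/*
 * Return-to-userland hook: prints the pid of the current thread's
 * process on every call.  Note that the pid is taken from curthread,
 * not from the td argument, which is unused.
 */
static void
mac_test_thread_userret(struct thread *td)
{

	printf("mac_test_thread_userret(process = %d)\n",
	    curthread->td_proc->p_pid);
}

/*
 * Label cleanup/flush operations
 */
static void
mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
}

static void
mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
}

static void
mac_test_cleanup_sysv_sem(struct label *semalabel)
{

	ASSERT_SYSVIPCSEM_LABEL(semalabel);
}

static void
mac_test_cleanup_sysv_shm(struct label *shmlabel)
{

	ASSERT_SYSVIPCSHM_LABEL(shmlabel);
}

/*
 * Access control checks.
 *
 * Every check below sanity-checks the labels it is handed and then
 * returns 0, so this policy never denies an operation: it exercises the
 * label plumbing only.  The label checks are KASSERTs, which are compiled
 * out of kernels built without INVARIANTS; on such kernels these hooks
 * verify nothing.  None of the checks in this section consults the
 * mac_test_enabled sysctl declared at the top of the file.
 */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{

	ASSERT_BPF_LABEL(bpflabel);
	ASSERT_IFNET_LABEL(ifnetlabel);

	return (0);
}

static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(newlabel);

	return (0);
}

static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	ASSERT_CRED_LABEL(u1->cr_label);
	ASSERT_CRED_LABEL(u2->cr_label);

	return (0);
}

static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_IFNET_LABEL(newlabel);
	return (0);
}

static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_IFNET_LABEL(ifnetlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

static int
mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	ASSERT_INPCB_LABEL(inplabel);
	ASSERT_MBUF_LABEL(mlabel);

	return (0);
}

static int
mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}


static int
mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
    struct label *msglabel)
{

	ASSERT_SYSVIPCMSG_LABEL(msglabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct label *msqklabel, int cmd)
{

	ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel, int cmd)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

static int
mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

static int
mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
    struct label *semaklabel, size_t accesstype)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSEM_LABEL(semaklabel);

	return (0);
}

static int
mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int shmflg)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

static int
mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int cmd)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

static int
mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

static int
mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
    struct label *shmseglabel, int shmflg)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SYSVIPCSHM_LABEL(shmseglabel);

	return (0);
}

static int
mac_test_check_kenv_dump(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_kld_stat(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_kld_unload(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_MOUNT_LABEL(mntlabel);

	return (0);
}

static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

static int
mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);
	ASSERT_PIPE_LABEL(newlabel);

	return (0);
}

static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

static int
mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_PIPE_LABEL(pipelabel);

	return (0);
}

static int
mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr,
    struct label *ks_label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_POSIX_LABEL(ks_label);

	return (0);
}

/*
 * The inter-process checks below validate both the subject credential
 * and the target process's credential (proc->p_ucred).
 */
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

static int
mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
    gid_t *gidset)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
    uid_t suid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
    gid_t sgid)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_proc_wait(struct ucred *cred, struct proc *proc)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_CRED_LABEL(proc->p_ucred->cr_label);

	return (0);
}

static int
mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_MBUF_LABEL(mbuflabel);

	return (0);
}

static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);
	ASSERT_SOCKET_LABEL(newlabel);

	return (0);
}

static int
mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_SOCKET_LABEL(socketlabel);

	return (0);
}

static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

/*
 * Accounting check: only the credential label is validated.  The vnode
 * label is deliberately left unchecked here, unlike the swapon/swapoff
 * checks below.
 * NOTE(review): presumably vp/label can be NULL when accounting is being
 * switched off -- confirm against the caller before adding a check.
 */
static int
mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_system_settime(struct ucred *cred)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
    void *arg1, int arg2, struct sysctl_req *req)
{

	ASSERT_CRED_LABEL(cred->cr_label);

	return (0);
}

static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* execlabel is optional and is only checked when non-NULL. */
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);
	if (execlabel != NULL) {
		ASSERT_CRED_LABEL(execlabel);
	}

	return (0);
}

static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot, int flags)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(filelabel);

	return (0);
}

/*
 * Poll check: validates the active credential, the file credential when
 * one is supplied, and the vnode label.  Always returns 0.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	/*
	 * Guard the dereference the same way the read, stat and write
	 * checks do, so a NULL file_cred cannot fault inside the assertion.
	 */
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* file_cred is optional and is only checked when non-NULL. */
static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	return (0);
}

static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);

	return (0);
}

static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(vnodelabel);
	ASSERT_VNODE_LABEL(newlabel);

	return (0);
}

static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* The target's label is only checked when a target vnode (vp) exists. */
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(dlabel);

	if (vp != NULL) {
		ASSERT_VNODE_LABEL(label);
	}

	return (0);
}

static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static int
mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{

	ASSERT_CRED_LABEL(cred->cr_label);
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* file_cred is optional and is only checked when non-NULL. */
static int
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

/* file_cred is optional and is only checked when non-NULL. */
static int
mac_test_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{

	ASSERT_CRED_LABEL(active_cred->cr_label);
	if (file_cred != NULL) {
		ASSERT_CRED_LABEL(file_cred->cr_label);
	}
	ASSERT_VNODE_LABEL(label);

	return (0);
}

static struct mac_policy_ops mac_test_ops =
{
	.mpo_destroy = mac_test_destroy,
	.mpo_init = mac_test_init,
	.mpo_syscall = mac_test_syscall,
	.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
	.mpo_init_cred_label = mac_test_init_cred_label,
	.mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
	.mpo_init_ifnet_label = mac_test_init_ifnet_label,
	.mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
	.mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
	.mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
	.mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
	.mpo_init_inpcb_label = mac_test_init_inpcb_label,
	.mpo_init_ipq_label = mac_test_init_ipq_label,
	.mpo_init_mbuf_label = mac_test_init_mbuf_label,
	.mpo_init_mount_label = mac_test_init_mount_label,
	.mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
	.mpo_init_pipe_label = mac_test_init_pipe_label,
	.mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
	.mpo_init_proc_label = mac_test_init_proc_label,
	.mpo_init_socket_label = mac_test_init_socket_label,
	.mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
	.mpo_init_vnode_label = mac_test_init_vnode_label,
	.mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
	.mpo_destroy_cred_label = mac_test_destroy_cred_label,
	.mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
	.mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,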
.mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label, 2435 .mpo_destroy_sysv_msgqueue_label = 2436 mac_test_destroy_sysv_msgqueue_label, 2437 .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label, 2438 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label, 2439 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label, 2440 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 2441 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 2442 .mpo_destroy_mount_label = mac_test_destroy_mount_label, 2443 .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label, 2444 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, 2445 .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label, 2446 .mpo_destroy_proc_label = mac_test_destroy_proc_label, 2447 .mpo_destroy_socket_label = mac_test_destroy_socket_label, 2448 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 2449 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 2450 .mpo_copy_cred_label = mac_test_copy_cred_label, 2451 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label, 2452 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label, 2453 .mpo_copy_pipe_label = mac_test_copy_pipe_label, 2454 .mpo_copy_socket_label = mac_test_copy_socket_label, 2455 .mpo_copy_vnode_label = mac_test_copy_vnode_label, 2456 .mpo_externalize_cred_label = mac_test_externalize_label, 2457 .mpo_externalize_ifnet_label = mac_test_externalize_label, 2458 .mpo_externalize_pipe_label = mac_test_externalize_label, 2459 .mpo_externalize_socket_label = mac_test_externalize_label, 2460 .mpo_externalize_socket_peer_label = mac_test_externalize_label, 2461 .mpo_externalize_vnode_label = mac_test_externalize_label, 2462 .mpo_internalize_cred_label = mac_test_internalize_label, 2463 .mpo_internalize_ifnet_label = mac_test_internalize_label, 2464 .mpo_internalize_pipe_label = mac_test_internalize_label, 2465 .mpo_internalize_socket_label = mac_test_internalize_label, 2466 .mpo_internalize_vnode_label = 
mac_test_internalize_label, 2467 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 2468 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 2469 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 2470 .mpo_create_devfs_device = mac_test_create_devfs_device, 2471 .mpo_create_devfs_directory = mac_test_create_devfs_directory, 2472 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 2473 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 2474 .mpo_create_mount = mac_test_create_mount, 2475 .mpo_create_root_mount = mac_test_create_root_mount, 2476 .mpo_relabel_vnode = mac_test_relabel_vnode, 2477 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, 2478 .mpo_update_devfsdirent = mac_test_update_devfsdirent, 2479 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 2480 .mpo_create_pipe = mac_test_create_pipe, 2481 .mpo_create_posix_sem = mac_test_create_posix_sem, 2482 .mpo_create_socket = mac_test_create_socket, 2483 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, 2484 .mpo_relabel_pipe = mac_test_relabel_pipe, 2485 .mpo_relabel_socket = mac_test_relabel_socket, 2486 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 2487 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 2488 .mpo_create_bpfdesc = mac_test_create_bpfdesc, 2489 .mpo_create_ifnet = mac_test_create_ifnet, 2490 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket, 2491 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg, 2492 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue, 2493 .mpo_create_sysv_sem = mac_test_create_sysv_sem, 2494 .mpo_create_sysv_shm = mac_test_create_sysv_shm, 2495 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 2496 .mpo_create_fragment = mac_test_create_fragment, 2497 .mpo_create_ipq = mac_test_create_ipq, 2498 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb, 2499 
.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 2500 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 2501 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 2502 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 2503 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 2504 .mpo_fragment_match = mac_test_fragment_match, 2505 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp, 2506 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp, 2507 .mpo_relabel_ifnet = mac_test_relabel_ifnet, 2508 .mpo_update_ipq = mac_test_update_ipq, 2509 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel, 2510 .mpo_execve_transition = mac_test_execve_transition, 2511 .mpo_execve_will_transition = mac_test_execve_will_transition, 2512 .mpo_create_proc0 = mac_test_create_proc0, 2513 .mpo_create_proc1 = mac_test_create_proc1, 2514 .mpo_relabel_cred = mac_test_relabel_cred, 2515 .mpo_thread_userret = mac_test_thread_userret, 2516 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg, 2517 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue, 2518 .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem, 2519 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm, 2520 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 2521 .mpo_check_cred_relabel = mac_test_check_cred_relabel, 2522 .mpo_check_cred_visible = mac_test_check_cred_visible, 2523 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 2524 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, 2525 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver, 2526 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq, 2527 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv, 2528 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid, 2529 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget, 2530 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd, 2531 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv, 2532 .mpo_check_sysv_msqctl = 
mac_test_check_sysv_msqctl, 2533 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl, 2534 .mpo_check_sysv_semget = mac_test_check_sysv_semget, 2535 .mpo_check_sysv_semop = mac_test_check_sysv_semop, 2536 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat, 2537 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl, 2538 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt, 2539 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget, 2540 .mpo_check_kenv_dump = mac_test_check_kenv_dump, 2541 .mpo_check_kenv_get = mac_test_check_kenv_get, 2542 .mpo_check_kenv_set = mac_test_check_kenv_set, 2543 .mpo_check_kenv_unset = mac_test_check_kenv_unset, 2544 .mpo_check_kld_load = mac_test_check_kld_load, 2545 .mpo_check_kld_stat = mac_test_check_kld_stat, 2546 .mpo_check_kld_unload = mac_test_check_kld_unload, 2547 .mpo_check_mount_stat = mac_test_check_mount_stat, 2548 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 2549 .mpo_check_pipe_poll = mac_test_check_pipe_poll, 2550 .mpo_check_pipe_read = mac_test_check_pipe_read, 2551 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, 2552 .mpo_check_pipe_stat = mac_test_check_pipe_stat, 2553 .mpo_check_pipe_write = mac_test_check_pipe_write, 2554 .mpo_check_posix_sem_destroy = mac_test_check_posix_sem, 2555 .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem, 2556 .mpo_check_posix_sem_open = mac_test_check_posix_sem, 2557 .mpo_check_posix_sem_post = mac_test_check_posix_sem, 2558 .mpo_check_posix_sem_unlink = mac_test_check_posix_sem, 2559 .mpo_check_posix_sem_wait = mac_test_check_posix_sem, 2560 .mpo_check_proc_debug = mac_test_check_proc_debug, 2561 .mpo_check_proc_sched = mac_test_check_proc_sched, 2562 .mpo_check_proc_setuid = mac_test_check_proc_setuid, 2563 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid, 2564 .mpo_check_proc_setgid = mac_test_check_proc_setgid, 2565 .mpo_check_proc_setegid = mac_test_check_proc_setegid, 2566 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups, 2567 .mpo_check_proc_setreuid = 
mac_test_check_proc_setreuid, 2568 .mpo_check_proc_setregid = mac_test_check_proc_setregid, 2569 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid, 2570 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid, 2571 .mpo_check_proc_signal = mac_test_check_proc_signal, 2572 .mpo_check_proc_wait = mac_test_check_proc_wait, 2573 .mpo_check_socket_accept = mac_test_check_socket_accept, 2574 .mpo_check_socket_bind = mac_test_check_socket_bind, 2575 .mpo_check_socket_connect = mac_test_check_socket_connect, 2576 .mpo_check_socket_deliver = mac_test_check_socket_deliver, 2577 .mpo_check_socket_listen = mac_test_check_socket_listen, 2578 .mpo_check_socket_poll = mac_test_check_socket_poll, 2579 .mpo_check_socket_receive = mac_test_check_socket_receive, 2580 .mpo_check_socket_relabel = mac_test_check_socket_relabel, 2581 .mpo_check_socket_send = mac_test_check_socket_send, 2582 .mpo_check_socket_stat = mac_test_check_socket_stat, 2583 .mpo_check_socket_visible = mac_test_check_socket_visible, 2584 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, 2585 .mpo_check_system_acct = mac_test_check_system_acct, 2586 .mpo_check_system_reboot = mac_test_check_system_reboot, 2587 .mpo_check_system_settime = mac_test_check_system_settime, 2588 .mpo_check_system_swapon = mac_test_check_system_swapon, 2589 .mpo_check_system_swapoff = mac_test_check_system_swapoff, 2590 .mpo_check_system_sysctl = mac_test_check_system_sysctl, 2591 .mpo_check_vnode_access = mac_test_check_vnode_access, 2592 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 2593 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 2594 .mpo_check_vnode_create = mac_test_check_vnode_create, 2595 .mpo_check_vnode_delete = mac_test_check_vnode_delete, 2596 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 2597 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr, 2598 .mpo_check_vnode_exec = mac_test_check_vnode_exec, 2599 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 
2600 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 2601 .mpo_check_vnode_link = mac_test_check_vnode_link, 2602 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr, 2603 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 2604 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 2605 .mpo_check_vnode_open = mac_test_check_vnode_open, 2606 .mpo_check_vnode_poll = mac_test_check_vnode_poll, 2607 .mpo_check_vnode_read = mac_test_check_vnode_read, 2608 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 2609 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, 2610 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 2611 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 2612 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, 2613 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke, 2614 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, 2615 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, 2616 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, 2617 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, 2618 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, 2619 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, 2620 .mpo_check_vnode_stat = mac_test_check_vnode_stat, 2621 .mpo_check_vnode_write = mac_test_check_vnode_write, 2622 }; 2623 2624 MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test", 2625 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot); 2626