Cross Reference: /freebsd-10.0-release/sys/security/mac_test/mac

Deleted Added

sdiff udiff text old ( 168951 ) new ( 168954 )

full compact

1/*-
2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
3 * Copyright (c) 2001-2005 McAfee, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by McAfee
9 * Research, the Security Research Division of McAfee, Inc. under
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11 * CHATS research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *

34 * $FreeBSD: head/sys/security/mac_test/mac_test.c 168951 2007-04-22 15:31:22Z rwatson $

34 * $FreeBSD: head/sys/security/mac_test/mac_test.c 168954 2007-04-22 16:18:10Z rwatson $

35 */
36
37/*
38 * Developed by the TrustedBSD Project.
39 *
40 * MAC Test policy - tests MAC Framework labeling by assigning object class
41 * magic numbers to each label and validates that each time an object label
42 * is passed into the policy, it has a consistent object type, catching
43 * incorrectly passed labels, labels passed after free, etc.
44 */
45
46#include <sys/param.h>
47#include <sys/acl.h>
48#include <sys/kdb.h>
49#include <sys/kernel.h>
50#include <sys/ksem.h>
51#include <sys/malloc.h>
52#include <sys/module.h>
53#include <sys/mount.h>
54#include <sys/msg.h>
55#include <sys/proc.h>
56#include <sys/vnode.h>
57#include <sys/sem.h>
58#include <sys/shm.h>
59#include <sys/socket.h>
60#include <sys/socketvar.h>
61#include <sys/sx.h>
62#include <sys/sysctl.h>
63
64#include <fs/devfs/devfs.h>
65
66#include <net/bpfdesc.h>
67#include <net/if.h>
68#include <net/if_types.h>
69#include <net/if_var.h>
70
71#include <security/mac/mac_policy.h>
72
73SYSCTL_DECL(_security_mac);
74
75SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
76 "TrustedBSD mac_test policy controls");
77
78#define MAGIC_BPF 0xfe1ad1b6
79#define MAGIC_DEVFS 0x9ee79c32
80#define MAGIC_IFNET 0xc218b120
81#define MAGIC_INPCB 0x4440f7bb
82#define MAGIC_IPQ 0x206188ef
83#define MAGIC_MBUF 0xbbefa5bb
84#define MAGIC_MOUNT 0xc7c46e47
85#define MAGIC_SOCKET 0x9199c6cd
86#define MAGIC_SYSV_MSG 0x8bbba61e
87#define MAGIC_SYSV_MSQ 0xea672391
88#define MAGIC_SYSV_SEM 0x896e8a0b
89#define MAGIC_SYSV_SHM 0x76119ab0
90#define MAGIC_PIPE 0xdc6c9919
91#define MAGIC_POSIX_SEM 0x78ae980c
92#define MAGIC_PROC 0x3b4be98f
93#define MAGIC_CRED 0x9a5a4987
94#define MAGIC_VNODE 0x1a67a45c
95#define MAGIC_FREE 0x849ba1fd
96
97#define SLOT(x) mac_label_get((x), test_slot)
98#define SLOT_SET(x, v) mac_label_set((x), test_slot, (v))
99
100static int test_slot;
101SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
102 &test_slot, 0, "Slot allocated by framework");
103
104SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0,
105 "TrustedBSD mac_test counters controls");
106
107#define COUNTER_DECL(variable) \
108 static int counter_##variable; \
109 SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable, \
110 CTLFLAG_RD, &counter_##variable, 0, #variable)
111
112#define COUNTER_INC(variable) atomic_add_int(&counter_##variable, 1)
113
114#ifdef KDB
115#define DEBUGGER(func, string) kdb_enter((string))
116#else
117#define DEBUGGER(func, string) printf("mac_test: %s: %s\n", (func), (string))
118#endif
119
120#define LABEL_CHECK(label, magic) do { \
121 if (label != NULL) { \
122 KASSERT(SLOT(label) == magic || SLOT(label) == 0, \
123 ("%s: bad %s label", __func__, #magic)); \
124 } \
125} while (0)
126
127#define LABEL_DESTROY(label, magic) do { \
128 if (SLOT(label) == magic || SLOT(label) == 0) { \
129 SLOT_SET(label, MAGIC_FREE); \
130 } else if (SLOT(label) == MAGIC_FREE) { \
131 DEBUGGER("%s: dup destroy", __func__); \
132 } else { \
133 DEBUGGER("%s: corrupted label", __func__); \
134 } \
135} while (0)
136
137#define LABEL_INIT(label, magic) do { \
138 SLOT_SET(label, magic); \
139} while (0)
140
141#define LABEL_NOTFREE(label) do { \
142 KASSERT(SLOT(label) != MAGIC_FREE, \
143 ("%s: destroyed label", __func__)); \
144} while (0)
145
146/*
147 * Label operations.
148 */
149COUNTER_DECL(init_bpfdesc_label);
150static void
151mac_test_init_bpfdesc_label(struct label *label)
152{
153
154 LABEL_INIT(label, MAGIC_BPF);
155 COUNTER_INC(init_bpfdesc_label);
156}
157
158COUNTER_DECL(init_cred_label);
159static void
160mac_test_init_cred_label(struct label *label)
161{
162
163 LABEL_INIT(label, MAGIC_CRED);
164 COUNTER_INC(init_cred_label);
165}
166
167COUNTER_DECL(init_devfsdirent_label);
168static void
169mac_test_init_devfsdirent_label(struct label *label)
170{
171
172 LABEL_INIT(label, MAGIC_DEVFS);
173 COUNTER_INC(init_devfsdirent_label);
174}
175
176COUNTER_DECL(init_ifnet_label);
177static void
178mac_test_init_ifnet_label(struct label *label)
179{
180
181 LABEL_INIT(label, MAGIC_IFNET);
182 COUNTER_INC(init_ifnet_label);
183}
184
185COUNTER_DECL(init_inpcb_label);
186static int
187mac_test_init_inpcb_label(struct label *label, int flag)
188{
189
190 if (flag & M_WAITOK)
191 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
192 "mac_test_init_inpcb_label() at %s:%d", __FILE__,
193 __LINE__);
194
195 LABEL_INIT(label, MAGIC_INPCB);
196 COUNTER_INC(init_inpcb_label);
197 return (0);
198}
199
200COUNTER_DECL(init_sysv_msg_label);
201static void
202mac_test_init_sysv_msgmsg_label(struct label *label)
203{
204 LABEL_INIT(label, MAGIC_SYSV_MSG);
205 COUNTER_INC(init_sysv_msg_label);
206}
207
208COUNTER_DECL(init_sysv_msq_label);
209static void
210mac_test_init_sysv_msgqueue_label(struct label *label)
211{
212 LABEL_INIT(label, MAGIC_SYSV_MSQ);
213 COUNTER_INC(init_sysv_msq_label);
214}
215
216COUNTER_DECL(init_sysv_sem_label);
217static void
218mac_test_init_sysv_sem_label(struct label *label)
219{
220 LABEL_INIT(label, MAGIC_SYSV_SEM);
221 COUNTER_INC(init_sysv_sem_label);
222}
223
224COUNTER_DECL(init_sysv_shm_label);
225static void
226mac_test_init_sysv_shm_label(struct label *label)
227{
228 LABEL_INIT(label, MAGIC_SYSV_SHM);
229 COUNTER_INC(init_sysv_shm_label);
230}
231
232COUNTER_DECL(init_ipq_label);
233static int
234mac_test_init_ipq_label(struct label *label, int flag)
235{
236
237 if (flag & M_WAITOK)
238 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
239 "mac_test_init_ipq_label() at %s:%d", __FILE__,
240 __LINE__);
241
242 LABEL_INIT(label, MAGIC_IPQ);
243 COUNTER_INC(init_ipq_label);
244 return (0);
245}
246
247COUNTER_DECL(init_mbuf_label);
248static int
249mac_test_init_mbuf_label(struct label *label, int flag)
250{
251
252 if (flag & M_WAITOK)
253 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
254 "mac_test_init_mbuf_label() at %s:%d", __FILE__,
255 __LINE__);
256
257 LABEL_INIT(label, MAGIC_MBUF);
258 COUNTER_INC(init_mbuf_label);
259 return (0);
260}
261
262COUNTER_DECL(init_mount_label);
263static void
264mac_test_init_mount_label(struct label *label)
265{
266
267 LABEL_INIT(label, MAGIC_MOUNT);
268 COUNTER_INC(init_mount_label);
269}
270

~~271~~COUNTER_DECL(init_mount_fs_label);
~~272~~static void
~~273~~mac_test_init_mount_fs_label(struct label *label)
~~274~~{
~~275~~
~~276~~ LABEL_INIT(label, MAGIC_MOUNT);
~~277~~ COUNTER_INC(init_mount_fs_label);
~~278~~}
~~279~~

271COUNTER_DECL(init_socket_label);
272static int
273mac_test_init_socket_label(struct label *label, int flag)
274{
275
276 if (flag & M_WAITOK)
277 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
278 "mac_test_init_socket_label() at %s:%d", __FILE__,
279 __LINE__);
280
281 LABEL_INIT(label, MAGIC_SOCKET);
282 COUNTER_INC(init_socket_label);
283 return (0);
284}
285
286COUNTER_DECL(init_socket_peer_label);
287static int
288mac_test_init_socket_peer_label(struct label *label, int flag)
289{
290
291 if (flag & M_WAITOK)
292 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
293 "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
294 __LINE__);
295
296 LABEL_INIT(label, MAGIC_SOCKET);
297 COUNTER_INC(init_socket_peer_label);
298 return (0);
299}
300
301COUNTER_DECL(init_pipe_label);
302static void
303mac_test_init_pipe_label(struct label *label)
304{
305
306 LABEL_INIT(label, MAGIC_PIPE);
307 COUNTER_INC(init_pipe_label);
308}
309
310COUNTER_DECL(init_posix_sem_label);
311static void
312mac_test_init_posix_sem_label(struct label *label)
313{
314
315 LABEL_INIT(label, MAGIC_POSIX_SEM);
316 COUNTER_INC(init_posix_sem_label);
317}
318
319COUNTER_DECL(init_proc_label);
320static void
321mac_test_init_proc_label(struct label *label)
322{
323
324 LABEL_INIT(label, MAGIC_PROC);
325 COUNTER_INC(init_proc_label);
326}
327
328COUNTER_DECL(init_vnode_label);
329static void
330mac_test_init_vnode_label(struct label *label)
331{
332
333 LABEL_INIT(label, MAGIC_VNODE);
334 COUNTER_INC(init_vnode_label);
335}
336
337COUNTER_DECL(destroy_bpfdesc_label);
338static void
339mac_test_destroy_bpfdesc_label(struct label *label)
340{
341
342 LABEL_DESTROY(label, MAGIC_BPF);
343 COUNTER_INC(destroy_bpfdesc_label);
344}
345
346COUNTER_DECL(destroy_cred_label);
347static void
348mac_test_destroy_cred_label(struct label *label)
349{
350
351 LABEL_DESTROY(label, MAGIC_CRED);
352 COUNTER_INC(destroy_cred_label);
353}
354
355COUNTER_DECL(destroy_devfsdirent_label);
356static void
357mac_test_destroy_devfsdirent_label(struct label *label)
358{
359
360 LABEL_DESTROY(label, MAGIC_DEVFS);
361 COUNTER_INC(destroy_devfsdirent_label);
362}
363
364COUNTER_DECL(destroy_ifnet_label);
365static void
366mac_test_destroy_ifnet_label(struct label *label)
367{
368
369 LABEL_DESTROY(label, MAGIC_IFNET);
370 COUNTER_INC(destroy_ifnet_label);
371}
372
373COUNTER_DECL(destroy_inpcb_label);
374static void
375mac_test_destroy_inpcb_label(struct label *label)
376{
377
378 LABEL_DESTROY(label, MAGIC_INPCB);
379 COUNTER_INC(destroy_inpcb_label);
380}
381
382COUNTER_DECL(destroy_sysv_msg_label);
383static void
384mac_test_destroy_sysv_msgmsg_label(struct label *label)
385{
386
387 LABEL_DESTROY(label, MAGIC_SYSV_MSG);
388 COUNTER_INC(destroy_sysv_msg_label);
389}
390
391COUNTER_DECL(destroy_sysv_msq_label);
392static void
393mac_test_destroy_sysv_msgqueue_label(struct label *label)
394{
395
396 LABEL_DESTROY(label, MAGIC_SYSV_MSQ);
397 COUNTER_INC(destroy_sysv_msq_label);
398}
399
400COUNTER_DECL(destroy_sysv_sem_label);
401static void
402mac_test_destroy_sysv_sem_label(struct label *label)
403{
404
405 LABEL_DESTROY(label, MAGIC_SYSV_SEM);
406 COUNTER_INC(destroy_sysv_sem_label);
407}
408
409COUNTER_DECL(destroy_sysv_shm_label);
410static void
411mac_test_destroy_sysv_shm_label(struct label *label)
412{
413
414 LABEL_DESTROY(label, MAGIC_SYSV_SHM);
415 COUNTER_INC(destroy_sysv_shm_label);
416}
417
418COUNTER_DECL(destroy_ipq_label);
419static void
420mac_test_destroy_ipq_label(struct label *label)
421{
422
423 LABEL_DESTROY(label, MAGIC_IPQ);
424 COUNTER_INC(destroy_ipq_label);
425}
426
427COUNTER_DECL(destroy_mbuf_label);
428static void
429mac_test_destroy_mbuf_label(struct label *label)
430{
431
432 /*
433 * If we're loaded dynamically, there may be mbufs in flight that
434 * didn't have label storage allocated for them. Handle this
435 * gracefully.
436 */
437 if (label == NULL)
438 return;
439
440 LABEL_DESTROY(label, MAGIC_MBUF);
441 COUNTER_INC(destroy_mbuf_label);
442}
443
444COUNTER_DECL(destroy_mount_label);
445static void
446mac_test_destroy_mount_label(struct label *label)
447{
448
449 LABEL_DESTROY(label, MAGIC_MOUNT);
450 COUNTER_INC(destroy_mount_label);
451}
452

~~462~~COUNTER_DECL(destroy_mount_fs_label);
~~463~~static void
~~464~~mac_test_destroy_mount_fs_label(struct label *label)
~~465~~{
~~466~~
~~467~~ LABEL_DESTROY(label, MAGIC_MOUNT);
~~468~~ COUNTER_INC(destroy_mount_fs_label);
~~469~~}
~~470~~

453COUNTER_DECL(destroy_socket_label);
454static void
455mac_test_destroy_socket_label(struct label *label)
456{
457
458 LABEL_DESTROY(label, MAGIC_SOCKET);
459 COUNTER_INC(destroy_socket_label);
460}
461
462COUNTER_DECL(destroy_socket_peer_label);
463static void
464mac_test_destroy_socket_peer_label(struct label *label)
465{
466
467 LABEL_DESTROY(label, MAGIC_SOCKET);
468 COUNTER_INC(destroy_socket_peer_label);
469}
470
471COUNTER_DECL(destroy_pipe_label);
472static void
473mac_test_destroy_pipe_label(struct label *label)
474{
475
476 LABEL_DESTROY(label, MAGIC_PIPE);
477 COUNTER_INC(destroy_pipe_label);
478}
479
480COUNTER_DECL(destroy_posix_sem_label);
481static void
482mac_test_destroy_posix_sem_label(struct label *label)
483{
484
485 LABEL_DESTROY(label, MAGIC_POSIX_SEM);
486 COUNTER_INC(destroy_posix_sem_label);
487}
488
489COUNTER_DECL(destroy_proc_label);
490static void
491mac_test_destroy_proc_label(struct label *label)
492{
493
494 LABEL_DESTROY(label, MAGIC_PROC);
495 COUNTER_INC(destroy_proc_label);
496}
497
498COUNTER_DECL(destroy_vnode_label);
499static void
500mac_test_destroy_vnode_label(struct label *label)
501{
502
503 LABEL_DESTROY(label, MAGIC_VNODE);
504 COUNTER_INC(destroy_vnode_label);
505}
506
507COUNTER_DECL(copy_cred_label);
508static void
509mac_test_copy_cred_label(struct label *src, struct label *dest)
510{
511
512 LABEL_CHECK(src, MAGIC_CRED);
513 LABEL_CHECK(dest, MAGIC_CRED);
514 COUNTER_INC(copy_cred_label);
515}
516
517COUNTER_DECL(copy_ifnet_label);
518static void
519mac_test_copy_ifnet_label(struct label *src, struct label *dest)
520{
521
522 LABEL_CHECK(src, MAGIC_IFNET);
523 LABEL_CHECK(dest, MAGIC_IFNET);
524 COUNTER_INC(copy_ifnet_label);
525}
526
527COUNTER_DECL(copy_mbuf_label);
528static void
529mac_test_copy_mbuf_label(struct label *src, struct label *dest)
530{
531
532 LABEL_CHECK(src, MAGIC_MBUF);
533 LABEL_CHECK(dest, MAGIC_MBUF);
534 COUNTER_INC(copy_mbuf_label);
535}
536
537COUNTER_DECL(copy_pipe_label);
538static void
539mac_test_copy_pipe_label(struct label *src, struct label *dest)
540{
541
542 LABEL_CHECK(src, MAGIC_PIPE);
543 LABEL_CHECK(dest, MAGIC_PIPE);
544 COUNTER_INC(copy_pipe_label);
545}
546
547COUNTER_DECL(copy_socket_label);
548static void
549mac_test_copy_socket_label(struct label *src, struct label *dest)
550{
551
552 LABEL_CHECK(src, MAGIC_SOCKET);
553 LABEL_CHECK(dest, MAGIC_SOCKET);
554 COUNTER_INC(copy_socket_label);
555}
556
557COUNTER_DECL(copy_vnode_label);
558static void
559mac_test_copy_vnode_label(struct label *src, struct label *dest)
560{
561
562 LABEL_CHECK(src, MAGIC_VNODE);
563 LABEL_CHECK(dest, MAGIC_VNODE);
564 COUNTER_INC(copy_vnode_label);
565}
566
567COUNTER_DECL(externalize_label);
568static int
569mac_test_externalize_label(struct label *label, char *element_name,
570 struct sbuf *sb, int *claimed)
571{
572
573 LABEL_NOTFREE(label);
574 COUNTER_INC(externalize_label);
575
576 return (0);
577}
578
579COUNTER_DECL(internalize_label);
580static int
581mac_test_internalize_label(struct label *label, char *element_name,
582 char *element_data, int *claimed)
583{
584
585 LABEL_NOTFREE(label);
586 COUNTER_INC(internalize_label);
587
588 return (0);
589}
590
591/*
592 * Labeling event operations: file system objects, and things that look
593 * a lot like file system objects.
594 */
595COUNTER_DECL(associate_vnode_devfs);
596static void

~~615~~mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,

597mac_test_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,

598 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
599 struct label *vlabel)
600{
601

~~620~~ LABEL_CHECK(fslabel, MAGIC_MOUNT);

602 LABEL_CHECK(mntlabel, MAGIC_MOUNT);

603 LABEL_CHECK(delabel, MAGIC_DEVFS);
604 LABEL_CHECK(vlabel, MAGIC_VNODE);
605 COUNTER_INC(associate_vnode_devfs);
606}
607
608COUNTER_DECL(associate_vnode_extattr);
609static int

~~628~~mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,

610mac_test_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,

611 struct vnode *vp, struct label *vlabel)
612{
613

~~632~~ LABEL_CHECK(fslabel, MAGIC_MOUNT);

614 LABEL_CHECK(mntlabel, MAGIC_MOUNT);

615 LABEL_CHECK(vlabel, MAGIC_VNODE);
616 COUNTER_INC(associate_vnode_extattr);
617
618 return (0);
619}
620
621COUNTER_DECL(associate_vnode_singlelabel);
622static void
623mac_test_associate_vnode_singlelabel(struct mount *mp,

~~642~~ struct label *fslabel, struct vnode *vp, struct label *vlabel)

624 struct label *mntlabel, struct vnode *vp, struct label *vlabel)

625{
626

~~645~~ LABEL_CHECK(fslabel, MAGIC_MOUNT);

627 LABEL_CHECK(mntlabel, MAGIC_MOUNT);

628 LABEL_CHECK(vlabel, MAGIC_VNODE);
629 COUNTER_INC(associate_vnode_singlelabel);
630}
631
632COUNTER_DECL(create_devfs_device);
633static void
634mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
635 struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
636{
637
638 if (cred != NULL)
639 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
640 LABEL_CHECK(label, MAGIC_DEVFS);
641 COUNTER_INC(create_devfs_device);
642}
643
644COUNTER_DECL(create_devfs_directory);
645static void
646mac_test_create_devfs_directory(struct mount *mp, char *dirname,
647 int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
648{
649
650 LABEL_CHECK(label, MAGIC_DEVFS);
651 COUNTER_INC(create_devfs_directory);
652}
653
654COUNTER_DECL(create_devfs_symlink);
655static void
656mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
657 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
658 struct label *delabel)
659{
660
661 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
662 LABEL_CHECK(ddlabel, MAGIC_DEVFS);
663 LABEL_CHECK(delabel, MAGIC_DEVFS);
664 COUNTER_INC(create_devfs_symlink);
665}
666
667COUNTER_DECL(create_vnode_extattr);
668static int
669mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,

~~688~~ struct label *fslabel, struct vnode *dvp, struct label *dlabel,

670 struct label *mntlabel, struct vnode *dvp, struct label *dlabel,

671 struct vnode *vp, struct label *vlabel, struct componentname *cnp)
672{
673
674 LABEL_CHECK(cred->cr_label, MAGIC_CRED);

~~693~~ LABEL_CHECK(fslabel, MAGIC_MOUNT);

675 LABEL_CHECK(mntlabel, MAGIC_MOUNT);

676 LABEL_CHECK(dlabel, MAGIC_VNODE);
677 COUNTER_INC(create_vnode_extattr);
678
679 return (0);
680}
681
682COUNTER_DECL(create_mount);
683static void
684mac_test_create_mount(struct ucred *cred, struct mount *mp,

~~703~~ struct label *mntlabel, struct label *fslabel)

685 struct label *mntlabel)

686{
687
688 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
689 LABEL_CHECK(mntlabel, MAGIC_MOUNT);

~~708~~ LABEL_CHECK(fslabel, MAGIC_MOUNT);

690 COUNTER_INC(create_mount);
691}
692
693COUNTER_DECL(relabel_vnode);
694static void
695mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
696 struct label *vnodelabel, struct label *label)
697{
698
699 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
700 LABEL_CHECK(vnodelabel, MAGIC_VNODE);
701 LABEL_CHECK(label, MAGIC_VNODE);
702 COUNTER_INC(relabel_vnode);
703}
704
705COUNTER_DECL(setlabel_vnode_extattr);
706static int
707mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
708 struct label *vlabel, struct label *intlabel)
709{
710
711 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
712 LABEL_CHECK(vlabel, MAGIC_VNODE);
713 LABEL_CHECK(intlabel, MAGIC_VNODE);
714 COUNTER_INC(setlabel_vnode_extattr);
715
716 return (0);
717}
718
719COUNTER_DECL(update_devfsdirent);
720static void
721mac_test_update_devfsdirent(struct mount *mp,
722 struct devfs_dirent *devfs_dirent, struct label *direntlabel,
723 struct vnode *vp, struct label *vnodelabel)
724{
725
726 LABEL_CHECK(direntlabel, MAGIC_DEVFS);
727 LABEL_CHECK(vnodelabel, MAGIC_VNODE);
728 COUNTER_INC(update_devfsdirent);
729}
730
731/*
732 * Labeling event operations: IPC object.
733 */
734COUNTER_DECL(create_mbuf_from_socket);
735static void
736mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
737 struct mbuf *m, struct label *mbuflabel)
738{
739
740 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
741 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
742 COUNTER_INC(create_mbuf_from_socket);
743}
744
745COUNTER_DECL(create_socket);
746static void
747mac_test_create_socket(struct ucred *cred, struct socket *socket,
748 struct label *socketlabel)
749{
750
751 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
752 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
753 COUNTER_INC(create_socket);
754}
755
756COUNTER_DECL(create_pipe);
757static void
758mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
759 struct label *pipelabel)
760{
761
762 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
763 LABEL_CHECK(pipelabel, MAGIC_PIPE);
764 COUNTER_INC(create_pipe);
765}
766
767COUNTER_DECL(create_posix_sem);
768static void
769mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem,
770 struct label *posixlabel)
771{
772
773 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
774 LABEL_CHECK(posixlabel, MAGIC_POSIX_SEM);
775 COUNTER_INC(create_posix_sem);
776}
777
778COUNTER_DECL(create_socket_from_socket);
779static void
780mac_test_create_socket_from_socket(struct socket *oldsocket,
781 struct label *oldsocketlabel, struct socket *newsocket,
782 struct label *newsocketlabel)
783{
784
785 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
786 LABEL_CHECK(newsocketlabel, MAGIC_SOCKET);
787 COUNTER_INC(create_socket_from_socket);
788}
789
790COUNTER_DECL(relabel_socket);
791static void
792mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
793 struct label *socketlabel, struct label *newlabel)
794{
795
796 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
797 LABEL_CHECK(newlabel, MAGIC_SOCKET);
798 COUNTER_INC(relabel_socket);
799}
800
801COUNTER_DECL(relabel_pipe);
802static void
803mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
804 struct label *pipelabel, struct label *newlabel)
805{
806
807 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
808 LABEL_CHECK(pipelabel, MAGIC_PIPE);
809 LABEL_CHECK(newlabel, MAGIC_PIPE);
810 COUNTER_INC(relabel_pipe);
811}
812
813COUNTER_DECL(set_socket_peer_from_mbuf);
814static void
815mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
816 struct socket *socket, struct label *socketpeerlabel)
817{
818
819 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
820 LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET);
821 COUNTER_INC(set_socket_peer_from_mbuf);
822}
823
824/*
825 * Labeling event operations: network objects.
826 */
827COUNTER_DECL(set_socket_peer_from_socket);
828static void
829mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
830 struct label *oldsocketlabel, struct socket *newsocket,
831 struct label *newsocketpeerlabel)
832{
833
834 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
835 LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET);
836 COUNTER_INC(set_socket_peer_from_socket);
837}
838
839COUNTER_DECL(create_bpfdesc);
840static void
841mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
842 struct label *bpflabel)
843{
844
845 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
846 LABEL_CHECK(bpflabel, MAGIC_BPF);
847 COUNTER_INC(create_bpfdesc);
848}
849
850COUNTER_DECL(create_datagram_from_ipq);
851static void
852mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
853 struct mbuf *datagram, struct label *datagramlabel)
854{
855
856 LABEL_CHECK(ipqlabel, MAGIC_IPQ);
857 LABEL_CHECK(datagramlabel, MAGIC_MBUF);
858 COUNTER_INC(create_datagram_from_ipq);
859}
860
861COUNTER_DECL(create_fragment);
862static void
863mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
864 struct mbuf *fragment, struct label *fragmentlabel)
865{
866
867 LABEL_CHECK(datagramlabel, MAGIC_MBUF);
868 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
869 COUNTER_INC(create_fragment);
870}
871
872COUNTER_DECL(create_ifnet);
873static void
874mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
875{
876
877 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
878 COUNTER_INC(create_ifnet);
879}
880
881COUNTER_DECL(create_inpcb_from_socket);
882static void
883mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
884 struct inpcb *inp, struct label *inplabel)
885{
886
887 LABEL_CHECK(solabel, MAGIC_SOCKET);
888 LABEL_CHECK(inplabel, MAGIC_INPCB);
889 COUNTER_INC(create_inpcb_from_socket);
890}
891
892COUNTER_DECL(create_sysv_msgmsg);
893static void
894mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
895 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
896{
897
898 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
899 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
900 COUNTER_INC(create_sysv_msgmsg);
901}
902
903COUNTER_DECL(create_sysv_msgqueue);
904static void
905mac_test_create_sysv_msgqueue(struct ucred *cred,
906 struct msqid_kernel *msqkptr, struct label *msqlabel)
907{
908
909 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
910 COUNTER_INC(create_sysv_msgqueue);
911}
912
913COUNTER_DECL(create_sysv_sem);
914static void
915mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
916 struct label *semalabel)
917{
918
919 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
920 COUNTER_INC(create_sysv_sem);
921}
922
923COUNTER_DECL(create_sysv_shm);
924static void
925mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
926 struct label *shmlabel)
927{
928
929 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
930 COUNTER_INC(create_sysv_shm);
931}
932
933COUNTER_DECL(create_ipq);
934static void
935mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
936 struct ipq *ipq, struct label *ipqlabel)
937{
938
939 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
940 LABEL_CHECK(ipqlabel, MAGIC_IPQ);
941 COUNTER_INC(create_ipq);
942}
943
944COUNTER_DECL(create_mbuf_from_inpcb);
945static void
946mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
947 struct mbuf *m, struct label *mlabel)
948{
949
950 LABEL_CHECK(inplabel, MAGIC_INPCB);
951 LABEL_CHECK(mlabel, MAGIC_MBUF);
952 COUNTER_INC(create_mbuf_from_inpcb);
953}
954
955COUNTER_DECL(create_mbuf_linklayer);
956static void
957mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
958 struct mbuf *mbuf, struct label *mbuflabel)
959{
960
961 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
962 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
963 COUNTER_INC(create_mbuf_linklayer);
964}
965
966COUNTER_DECL(create_mbuf_from_bpfdesc);
967static void
968mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
969 struct mbuf *mbuf, struct label *mbuflabel)
970{
971
972 LABEL_CHECK(bpflabel, MAGIC_BPF);
973 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
974 COUNTER_INC(create_mbuf_from_bpfdesc);
975}
976
977COUNTER_DECL(create_mbuf_from_ifnet);
978static void
979mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
980 struct mbuf *m, struct label *mbuflabel)
981{
982
983 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
984 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
985 COUNTER_INC(create_mbuf_from_ifnet);
986}
987
988COUNTER_DECL(create_mbuf_multicast_encap);
989static void
990mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
991 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
992 struct mbuf *newmbuf, struct label *newmbuflabel)
993{
994
995 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
996 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
997 LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
998 COUNTER_INC(create_mbuf_multicast_encap);
999}
1000
1001COUNTER_DECL(create_mbuf_netlayer);
1002static void
1003mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
1004 struct label *oldmbuflabel, struct mbuf *newmbuf,
1005 struct label *newmbuflabel)
1006{
1007
1008 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
1009 LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
1010 COUNTER_INC(create_mbuf_netlayer);
1011}
1012
1013COUNTER_DECL(fragment_match);
1014static int
1015mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
1016 struct ipq *ipq, struct label *ipqlabel)
1017{
1018
1019 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
1020 LABEL_CHECK(ipqlabel, MAGIC_IPQ);
1021 COUNTER_INC(fragment_match);
1022
1023 return (1);
1024}
1025
1026COUNTER_DECL(reflect_mbuf_icmp);
1027static void
1028mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
1029{
1030
1031 LABEL_CHECK(mlabel, MAGIC_MBUF);
1032 COUNTER_INC(reflect_mbuf_icmp);
1033}
1034
1035COUNTER_DECL(reflect_mbuf_tcp);
1036static void
1037mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
1038{
1039
1040 LABEL_CHECK(mlabel, MAGIC_MBUF);
1041 COUNTER_INC(reflect_mbuf_tcp);
1042}
1043
1044COUNTER_DECL(relabel_ifnet);
1045static void
1046mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1047 struct label *ifnetlabel, struct label *newlabel)
1048{
1049
1050 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1051 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1052 LABEL_CHECK(newlabel, MAGIC_IFNET);
1053 COUNTER_INC(relabel_ifnet);
1054}
1055
1056COUNTER_DECL(update_ipq);
1057static void
1058mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1059 struct ipq *ipq, struct label *ipqlabel)
1060{
1061
1062 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
1063 LABEL_CHECK(ipqlabel, MAGIC_IPQ);
1064 COUNTER_INC(update_ipq);
1065}
1066
1067COUNTER_DECL(inpcb_sosetlabel);
1068static void
1069mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1070 struct inpcb *inp, struct label *inplabel)
1071{
1072
1073 LABEL_CHECK(solabel, MAGIC_SOCKET);
1074 LABEL_CHECK(inplabel, MAGIC_INPCB);
1075 COUNTER_INC(inpcb_sosetlabel);
1076}
1077
1078/*
1079 * Labeling event operations: processes.
1080 */
1081COUNTER_DECL(execve_transition);
1082static void
1083mac_test_execve_transition(struct ucred *old, struct ucred *new,
1084 struct vnode *vp, struct label *filelabel,
1085 struct label *interpvnodelabel, struct image_params *imgp,
1086 struct label *execlabel)
1087{
1088
1089 LABEL_CHECK(old->cr_label, MAGIC_CRED);
1090 LABEL_CHECK(new->cr_label, MAGIC_CRED);
1091 LABEL_CHECK(filelabel, MAGIC_VNODE);
1092 LABEL_CHECK(interpvnodelabel, MAGIC_VNODE);
1093 LABEL_CHECK(execlabel, MAGIC_CRED);
1094 COUNTER_INC(execve_transition);
1095}
1096
1097COUNTER_DECL(execve_will_transition);
1098static int
1099mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
1100 struct label *filelabel, struct label *interpvnodelabel,
1101 struct image_params *imgp, struct label *execlabel)
1102{
1103
1104 LABEL_CHECK(old->cr_label, MAGIC_CRED);
1105 LABEL_CHECK(filelabel, MAGIC_VNODE);
1106 LABEL_CHECK(interpvnodelabel, MAGIC_VNODE);
1107 LABEL_CHECK(execlabel, MAGIC_CRED);
1108 COUNTER_INC(execve_will_transition);
1109
1110 return (0);
1111}
1112
1113COUNTER_DECL(create_proc0);
1114static void
1115mac_test_create_proc0(struct ucred *cred)
1116{
1117
1118 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1119 COUNTER_INC(create_proc0);
1120}
1121
1122COUNTER_DECL(create_proc1);
1123static void
1124mac_test_create_proc1(struct ucred *cred)
1125{
1126
1127 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1128 COUNTER_INC(create_proc1);
1129}
1130
1131COUNTER_DECL(relabel_cred);
1132static void
1133mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
1134{
1135
1136 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1137 LABEL_CHECK(newlabel, MAGIC_CRED);
1138 COUNTER_INC(relabel_cred);
1139}
1140
1141COUNTER_DECL(thread_userret);
1142static void
1143mac_test_thread_userret(struct thread *td)
1144{
1145
1146 COUNTER_INC(thread_userret);
1147}
1148
1149/*
1150 * Label cleanup/flush operations
1151 */
1152COUNTER_DECL(cleanup_sysv_msgmsg);
1153static void
1154mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
1155{
1156
1157 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1158 COUNTER_INC(cleanup_sysv_msgmsg);
1159}
1160
1161COUNTER_DECL(cleanup_sysv_msgqueue);
1162static void
1163mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
1164{
1165
1166 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
1167 COUNTER_INC(cleanup_sysv_msgqueue);
1168}
1169
1170COUNTER_DECL(cleanup_sysv_sem);
1171static void
1172mac_test_cleanup_sysv_sem(struct label *semalabel)
1173{
1174
1175 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
1176 COUNTER_INC(cleanup_sysv_sem);
1177}
1178
1179COUNTER_DECL(cleanup_sysv_shm);
1180static void
1181mac_test_cleanup_sysv_shm(struct label *shmlabel)
1182{
1183
1184 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
1185 COUNTER_INC(cleanup_sysv_shm);
1186}
1187
1188/*
1189 * Access control checks.
1190 */
1191COUNTER_DECL(check_bpfdesc_receive);
1192static int
1193mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1194 struct ifnet *ifnet, struct label *ifnetlabel)
1195{
1196
1197 LABEL_CHECK(bpflabel, MAGIC_BPF);
1198 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1199 COUNTER_INC(check_bpfdesc_receive);
1200
1201 return (0);
1202}
1203
1204COUNTER_DECL(check_cred_relabel);
1205static int
1206mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1207{
1208
1209 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1210 LABEL_CHECK(newlabel, MAGIC_CRED);
1211 COUNTER_INC(check_cred_relabel);
1212
1213 return (0);
1214}
1215
1216COUNTER_DECL(check_cred_visible);
1217static int
1218mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
1219{
1220
1221 LABEL_CHECK(u1->cr_label, MAGIC_CRED);
1222 LABEL_CHECK(u2->cr_label, MAGIC_CRED);
1223 COUNTER_INC(check_cred_visible);
1224
1225 return (0);
1226}
1227
1228COUNTER_DECL(check_ifnet_relabel);
1229static int
1230mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1231 struct label *ifnetlabel, struct label *newlabel)
1232{
1233
1234 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1235 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1236 LABEL_CHECK(newlabel, MAGIC_IFNET);
1237 COUNTER_INC(check_ifnet_relabel);
1238
1239 return (0);
1240}
1241
1242COUNTER_DECL(check_ifnet_transmit);
1243static int
1244mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1245 struct mbuf *m, struct label *mbuflabel)
1246{
1247
1248 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1249 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
1250 COUNTER_INC(check_ifnet_transmit);
1251
1252 return (0);
1253}
1254
1255COUNTER_DECL(check_inpcb_deliver);
1256static int
1257mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
1258 struct mbuf *m, struct label *mlabel)
1259{
1260
1261 LABEL_CHECK(inplabel, MAGIC_INPCB);
1262 LABEL_CHECK(mlabel, MAGIC_MBUF);
1263 COUNTER_INC(check_inpcb_deliver);
1264
1265 return (0);
1266}
1267
1268COUNTER_DECL(check_sysv_msgmsq);
1269static int
1270mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
1271 struct label *msglabel, struct msqid_kernel *msqkptr,
1272 struct label *msqklabel)
1273{
1274
1275 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1276 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1277 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1278 COUNTER_INC(check_sysv_msgmsq);
1279
1280 return (0);
1281}
1282
1283COUNTER_DECL(check_sysv_msgrcv);
1284static int
1285mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
1286 struct label *msglabel)
1287{
1288
1289 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1290 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1291 COUNTER_INC(check_sysv_msgrcv);
1292
1293 return (0);
1294}
1295
1296COUNTER_DECL(check_sysv_msgrmid);
1297static int
1298mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
1299 struct label *msglabel)
1300{
1301
1302 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1303 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1304 COUNTER_INC(check_sysv_msgrmid);
1305
1306 return (0);
1307}
1308
1309COUNTER_DECL(check_sysv_msqget);
1310static int
1311mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
1312 struct label *msqklabel)
1313{
1314
1315 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1316 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1317 COUNTER_INC(check_sysv_msqget);
1318
1319 return (0);
1320}
1321
1322COUNTER_DECL(check_sysv_msqsnd);
1323static int
1324mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
1325 struct label *msqklabel)
1326{
1327
1328 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1329 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1330 COUNTER_INC(check_sysv_msqsnd);
1331
1332 return (0);
1333}
1334
1335COUNTER_DECL(check_sysv_msqrcv);
1336static int
1337mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
1338 struct label *msqklabel)
1339{
1340
1341 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1342 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1343 COUNTER_INC(check_sysv_msqrcv);
1344
1345 return (0);
1346}
1347
1348COUNTER_DECL(check_sysv_msqctl);
1349static int
1350mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
1351 struct label *msqklabel, int cmd)
1352{
1353
1354 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1355 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1356 COUNTER_INC(check_sysv_msqctl);
1357
1358 return (0);
1359}
1360
1361COUNTER_DECL(check_sysv_semctl);
1362static int
1363mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
1364 struct label *semaklabel, int cmd)
1365{
1366
1367 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1368 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1369 COUNTER_INC(check_sysv_semctl);
1370
1371 return (0);
1372}
1373
1374COUNTER_DECL(check_sysv_semget);
1375static int
1376mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
1377 struct label *semaklabel)
1378{
1379
1380 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1381 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1382 COUNTER_INC(check_sysv_semget);
1383
1384 return (0);
1385}
1386
1387COUNTER_DECL(check_sysv_semop);
1388static int
1389mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
1390 struct label *semaklabel, size_t accesstype)
1391{
1392
1393 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1394 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1395 COUNTER_INC(check_sysv_semop);
1396
1397 return (0);
1398}
1399
1400COUNTER_DECL(check_sysv_shmat);
1401static int
1402mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
1403 struct label *shmseglabel, int shmflg)
1404{
1405
1406 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1407 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1408 COUNTER_INC(check_sysv_shmat);
1409
1410 return (0);
1411}
1412
1413COUNTER_DECL(check_sysv_shmctl);
1414static int
1415mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
1416 struct label *shmseglabel, int cmd)
1417{
1418
1419 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1420 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1421 COUNTER_INC(check_sysv_shmctl);
1422
1423 return (0);
1424}
1425
1426COUNTER_DECL(check_sysv_shmdt);
1427static int
1428mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
1429 struct label *shmseglabel)
1430{
1431
1432 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1433 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1434 COUNTER_INC(check_sysv_shmdt);
1435
1436 return (0);
1437}
1438
1439COUNTER_DECL(check_sysv_shmget);
1440static int
1441mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
1442 struct label *shmseglabel, int shmflg)
1443{
1444
1445 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1446 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1447 COUNTER_INC(check_sysv_shmget);
1448
1449 return (0);
1450}
1451
1452COUNTER_DECL(check_kenv_dump);
1453static int
1454mac_test_check_kenv_dump(struct ucred *cred)
1455{
1456
1457 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1458 COUNTER_INC(check_kenv_dump);
1459
1460 return (0);
1461}
1462
1463COUNTER_DECL(check_kenv_get);
1464static int
1465mac_test_check_kenv_get(struct ucred *cred, char *name)
1466{
1467
1468 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1469 COUNTER_INC(check_kenv_get);
1470
1471 return (0);
1472}
1473
1474COUNTER_DECL(check_kenv_set);
1475static int
1476mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
1477{
1478
1479 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1480 COUNTER_INC(check_kenv_set);
1481
1482 return (0);
1483}
1484
1485COUNTER_DECL(check_kenv_unset);
1486static int
1487mac_test_check_kenv_unset(struct ucred *cred, char *name)
1488{
1489
1490 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1491 COUNTER_INC(check_kenv_unset);
1492
1493 return (0);
1494}
1495
1496COUNTER_DECL(check_kld_load);
1497static int
1498mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
1499 struct label *label)
1500{
1501
1502 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1503 LABEL_CHECK(label, MAGIC_VNODE);
1504 COUNTER_INC(check_kld_load);
1505
1506 return (0);
1507}
1508
1509COUNTER_DECL(check_kld_stat);
1510static int
1511mac_test_check_kld_stat(struct ucred *cred)
1512{
1513
1514 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1515 COUNTER_INC(check_kld_stat);
1516
1517 return (0);
1518}
1519
1520COUNTER_DECL(check_mount_stat);
1521static int
1522mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
1523 struct label *mntlabel)
1524{
1525
1526 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1527 LABEL_CHECK(mntlabel, MAGIC_MOUNT);
1528 COUNTER_INC(check_mount_stat);
1529
1530 return (0);
1531}
1532
1533COUNTER_DECL(check_pipe_ioctl);
1534static int
1535mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
1536 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1537{
1538
1539 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1540 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1541 COUNTER_INC(check_pipe_ioctl);
1542
1543 return (0);
1544}
1545
1546COUNTER_DECL(check_pipe_poll);
1547static int
1548mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
1549 struct label *pipelabel)
1550{
1551
1552 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1553 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1554 COUNTER_INC(check_pipe_poll);
1555
1556 return (0);
1557}
1558
1559COUNTER_DECL(check_pipe_read);
1560static int
1561mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
1562 struct label *pipelabel)
1563{
1564
1565 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1566 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1567 COUNTER_INC(check_pipe_read);
1568
1569 return (0);
1570}
1571
1572COUNTER_DECL(check_pipe_relabel);
1573static int
1574mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1575 struct label *pipelabel, struct label *newlabel)
1576{
1577
1578 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1579 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1580 LABEL_CHECK(newlabel, MAGIC_PIPE);
1581 COUNTER_INC(check_pipe_relabel);
1582
1583 return (0);
1584}
1585
1586COUNTER_DECL(check_pipe_stat);
1587static int
1588mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
1589 struct label *pipelabel)
1590{
1591
1592 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1593 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1594 COUNTER_INC(check_pipe_stat);
1595
1596 return (0);
1597}
1598
1599COUNTER_DECL(check_pipe_write);
1600static int
1601mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
1602 struct label *pipelabel)
1603{
1604
1605 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1606 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1607 COUNTER_INC(check_pipe_write);
1608
1609 return (0);
1610}
1611
1612COUNTER_DECL(check_posix_sem);
1613static int
1614mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr,
1615 struct label *ks_label)
1616{
1617
1618 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1619 LABEL_CHECK(ks_label, MAGIC_POSIX_SEM);
1620 COUNTER_INC(check_posix_sem);
1621
1622 return (0);
1623}
1624
1625COUNTER_DECL(check_proc_debug);
1626static int
1627mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
1628{
1629
1630 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1631 LABEL_CHECK(proc->p_ucred->cr_label, MAGIC_CRED);
1632 COUNTER_INC(check_proc_debug);
1633
1634 return (0);
1635}
1636
1637COUNTER_DECL(check_proc_sched);
1638static int
1639mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
1640{
1641
1642 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1643 LABEL_CHECK(proc->p_ucred->cr_label, MAGIC_CRED);
1644 COUNTER_INC(check_proc_sched);
1645
1646 return (0);
1647}
1648
1649COUNTER_DECL(check_proc_signal);
1650static int
1651mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
1652{
1653
1654 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1655 LABEL_CHECK(proc->p_ucred->cr_label, MAGIC_CRED);
1656 COUNTER_INC(check_proc_signal);
1657
1658 return (0);
1659}
1660
1661COUNTER_DECL(check_proc_setaudit);
1662static int
1663mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
1664{
1665
1666 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1667 COUNTER_INC(check_proc_setaudit);
1668
1669 return (0);
1670}
1671
1672COUNTER_DECL(check_proc_setauid);
1673static int
1674mac_test_check_proc_setauid(struct ucred *cred, uid_t auid)
1675{
1676
1677 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1678 COUNTER_INC(check_proc_setauid);
1679
1680 return (0);
1681}
1682
1683COUNTER_DECL(check_proc_setuid);
1684static int
1685mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
1686{
1687
1688 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1689 COUNTER_INC(check_proc_setuid);
1690
1691 return (0);
1692}
1693
1694COUNTER_DECL(check_proc_euid);
1695static int
1696mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
1697{
1698
1699 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1700 COUNTER_INC(check_proc_euid);
1701
1702 return (0);
1703}
1704
1705COUNTER_DECL(check_proc_setgid);
1706static int
1707mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
1708{
1709
1710 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1711 COUNTER_INC(check_proc_setgid);
1712
1713 return (0);
1714}
1715
1716COUNTER_DECL(check_proc_setegid);
1717static int
1718mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
1719{
1720
1721 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1722 COUNTER_INC(check_proc_setegid);
1723
1724 return (0);
1725}
1726
1727COUNTER_DECL(check_proc_setgroups);
1728static int
1729mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
1730 gid_t *gidset)
1731{
1732
1733 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1734 COUNTER_INC(check_proc_setgroups);
1735
1736 return (0);
1737}
1738
1739COUNTER_DECL(check_proc_setreuid);
1740static int
1741mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
1742{
1743
1744 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1745 COUNTER_INC(check_proc_setreuid);
1746
1747 return (0);
1748}
1749
1750COUNTER_DECL(check_proc_setregid);
1751static int
1752mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
1753{
1754
1755 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1756 COUNTER_INC(check_proc_setregid);
1757
1758 return (0);
1759}
1760
1761COUNTER_DECL(check_proc_setresuid);
1762static int
1763mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
1764 uid_t suid)
1765{
1766
1767 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1768 COUNTER_INC(check_proc_setresuid);
1769
1770 return (0);
1771}
1772
1773COUNTER_DECL(check_proc_setresgid);
1774static int
1775mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
1776 gid_t sgid)
1777{
1778
1779 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1780 COUNTER_INC(check_proc_setresgid);
1781
1782 return (0);
1783}
1784
1785COUNTER_DECL(check_proc_wait);
1786static int
1787mac_test_check_proc_wait(struct ucred *cred, struct proc *proc)
1788{
1789
1790 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1791 LABEL_CHECK(proc->p_ucred->cr_label, MAGIC_CRED);
1792 COUNTER_INC(check_proc_wait);
1793
1794 return (0);
1795}
1796
1797COUNTER_DECL(check_socket_accept);
1798static int
1799mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
1800 struct label *socketlabel)
1801{
1802
1803 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1804 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
1805 COUNTER_INC(check_socket_accept);
1806
1807 return (0);
1808}
1809
1810COUNTER_DECL(check_socket_bind);
1811static int
1812mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
1813 struct label *socketlabel, struct sockaddr *sockaddr)
1814{
1815
1816 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1817 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
1818 COUNTER_INC(check_socket_bind);
1819
1820 return (0);
1821}
1822
1823COUNTER_DECL(check_socket_connect);
1824static int
1825mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
1826 struct label *socketlabel, struct sockaddr *sockaddr)
1827{
1828
1829 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1830 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
1831 COUNTER_INC(check_socket_connect);
1832
1833 return (0);
1834}
1835
1836COUNTER_DECL(check_socket_deliver);
1837static int
1838mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
1839 struct mbuf *m, struct label *mbuflabel)
1840{
1841
1842 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
1843 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
1844 COUNTER_INC(check_socket_deliver);
1845
1846 return (0);
1847}
1848
1849COUNTER_DECL(check_socket_listen);
1850static int
1851mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
1852 struct label *socketlabel)
1853{
1854
1855 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1856 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
1857 COUNTER_INC(check_socket_listen);
1858
1859 return (0);
1860}
1861
1862COUNTER_DECL(check_socket_poll);
1863static int
1864mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
1865 struct label *socketlabel)
1866{
1867
1868 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1869 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
1870 COUNTER_INC(check_socket_poll);
1871
1872 return (0);
1873}
1874
1875COUNTER_DECL(check_socket_receive);
1876static int
1877mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
1878 struct label *socketlabel)
1879{
1880
1881 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1882 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
1883 COUNTER_INC(check_socket_receive);
1884
1885 return (0);
1886}
1887
1888COUNTER_DECL(check_socket_relabel);
1889static int
1890mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
1891 struct label *socketlabel, struct label *newlabel)
1892{
1893
1894 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1895 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
1896 LABEL_CHECK(newlabel, MAGIC_SOCKET);
1897 COUNTER_INC(check_socket_relabel);
1898
1899 return (0);
1900}
1901
1902COUNTER_DECL(check_socket_send);
1903static int
1904mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
1905 struct label *socketlabel)
1906{
1907
1908 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1909 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
1910 COUNTER_INC(check_socket_send);
1911
1912 return (0);
1913}
1914
1915COUNTER_DECL(check_socket_stat);
1916static int
1917mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
1918 struct label *socketlabel)
1919{
1920
1921 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1922 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
1923 COUNTER_INC(check_socket_stat);
1924
1925 return (0);
1926}
1927
1928COUNTER_DECL(check_socket_visible);
1929static int
1930mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
1931 struct label *socketlabel)
1932{
1933
1934 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1935 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
1936 COUNTER_INC(check_socket_visible);
1937
1938 return (0);
1939}
1940
1941COUNTER_DECL(check_system_acct);
1942static int
1943mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
1944 struct label *label)
1945{
1946
1947 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1948 LABEL_CHECK(label, MAGIC_VNODE);
1949 COUNTER_INC(check_system_acct);
1950
1951 return (0);
1952}
1953
1954COUNTER_DECL(check_system_audit);
1955static int
1956mac_test_check_system_audit(struct ucred *cred, void *record, int length)
1957{
1958
1959 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1960 COUNTER_INC(check_system_audit);
1961
1962 return (0);
1963}
1964
1965COUNTER_DECL(check_system_auditctl);
1966static int
1967mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp,
1968 struct label *label)
1969{
1970
1971 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1972 LABEL_CHECK(label, MAGIC_VNODE);
1973 COUNTER_INC(check_system_auditctl);
1974
1975 return (0);
1976}
1977
1978COUNTER_DECL(check_system_auditon);
1979static int
1980mac_test_check_system_auditon(struct ucred *cred, int cmd)
1981{
1982
1983 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1984 COUNTER_INC(check_system_auditon);
1985
1986 return (0);
1987}
1988
1989COUNTER_DECL(check_system_reboot);
1990static int
1991mac_test_check_system_reboot(struct ucred *cred, int how)
1992{
1993
1994 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1995 COUNTER_INC(check_system_reboot);
1996
1997 return (0);
1998}
1999
2000COUNTER_DECL(check_system_swapoff);
2001static int
2002mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
2003 struct label *label)
2004{
2005
2006 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2007 LABEL_CHECK(label, MAGIC_VNODE);
2008 COUNTER_INC(check_system_swapoff);
2009
2010 return (0);
2011}
2012
2013COUNTER_DECL(check_system_swapon);
2014static int
2015mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
2016 struct label *label)
2017{
2018
2019 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2020 LABEL_CHECK(label, MAGIC_VNODE);
2021 COUNTER_INC(check_system_swapon);
2022
2023 return (0);
2024}
2025
2026COUNTER_DECL(check_system_sysctl);
2027static int
2028mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2029 void *arg1, int arg2, struct sysctl_req *req)
2030{
2031
2032 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2033 COUNTER_INC(check_system_sysctl);
2034
2035 return (0);
2036}
2037
2038COUNTER_DECL(check_vnode_access);
2039static int
2040mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
2041 struct label *label, int acc_mode)
2042{
2043
2044 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2045 LABEL_CHECK(label, MAGIC_VNODE);
2046 COUNTER_INC(check_vnode_access);
2047
2048 return (0);
2049}
2050
2051COUNTER_DECL(check_vnode_chdir);
2052static int
2053mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
2054 struct label *dlabel)
2055{
2056
2057 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2058 LABEL_CHECK(dlabel, MAGIC_VNODE);
2059 COUNTER_INC(check_vnode_chdir);
2060
2061 return (0);
2062}
2063
2064COUNTER_DECL(check_vnode_chroot);
2065static int
2066mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
2067 struct label *dlabel)
2068{
2069
2070 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2071 LABEL_CHECK(dlabel, MAGIC_VNODE);
2072 COUNTER_INC(check_vnode_chroot);
2073
2074 return (0);
2075}
2076
2077COUNTER_DECL(check_vnode_create);
2078static int
2079mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
2080 struct label *dlabel, struct componentname *cnp, struct vattr *vap)
2081{
2082
2083 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2084 LABEL_CHECK(dlabel, MAGIC_VNODE);
2085 COUNTER_INC(check_vnode_create);
2086
2087 return (0);
2088}
2089
2090COUNTER_DECL(check_vnode_delete);
2091static int
2092mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
2093 struct label *dlabel, struct vnode *vp, struct label *label,
2094 struct componentname *cnp)
2095{
2096
2097 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2098 LABEL_CHECK(dlabel, MAGIC_VNODE);
2099 LABEL_CHECK(label, MAGIC_VNODE);
2100 COUNTER_INC(check_vnode_delete);
2101
2102 return (0);
2103}
2104
2105COUNTER_DECL(check_vnode_deleteacl);
2106static int
2107mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
2108 struct label *label, acl_type_t type)
2109{
2110
2111 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2112 LABEL_CHECK(label, MAGIC_VNODE);
2113 COUNTER_INC(check_vnode_deleteacl);
2114
2115 return (0);
2116}
2117
2118COUNTER_DECL(check_vnode_deleteextattr);
2119static int
2120mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
2121 struct label *label, int attrnamespace, const char *name)
2122{
2123
2124 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2125 LABEL_CHECK(label, MAGIC_VNODE);
2126 COUNTER_INC(check_vnode_deleteextattr);
2127
2128 return (0);
2129}
2130
2131COUNTER_DECL(check_vnode_exec);
2132static int
2133mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
2134 struct label *label, struct image_params *imgp,
2135 struct label *execlabel)
2136{
2137
2138 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2139 LABEL_CHECK(label, MAGIC_VNODE);
2140 LABEL_CHECK(execlabel, MAGIC_CRED);
2141 COUNTER_INC(check_vnode_exec);
2142
2143 return (0);
2144}
2145
2146COUNTER_DECL(check_vnode_getacl);
2147static int
2148mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
2149 struct label *label, acl_type_t type)
2150{
2151
2152 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2153 LABEL_CHECK(label, MAGIC_VNODE);
2154 COUNTER_INC(check_vnode_getacl);
2155
2156 return (0);
2157}
2158
2159COUNTER_DECL(check_vnode_getextattr);
2160static int
2161mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
2162 struct label *label, int attrnamespace, const char *name, struct uio *uio)
2163{
2164
2165 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2166 LABEL_CHECK(label, MAGIC_VNODE);
2167 COUNTER_INC(check_vnode_getextattr);
2168
2169 return (0);
2170}
2171
2172COUNTER_DECL(check_vnode_link);
2173static int
2174mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
2175 struct label *dlabel, struct vnode *vp, struct label *label,
2176 struct componentname *cnp)
2177{
2178
2179 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2180 LABEL_CHECK(dlabel, MAGIC_VNODE);
2181 LABEL_CHECK(label, MAGIC_VNODE);
2182 COUNTER_INC(check_vnode_link);
2183
2184 return (0);
2185}
2186
2187COUNTER_DECL(check_vnode_listextattr);
2188static int
2189mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
2190 struct label *label, int attrnamespace)
2191{
2192
2193 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2194 LABEL_CHECK(label, MAGIC_VNODE);
2195 COUNTER_INC(check_vnode_listextattr);
2196
2197 return (0);
2198}
2199
2200COUNTER_DECL(check_vnode_lookup);
2201static int
2202mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
2203 struct label *dlabel, struct componentname *cnp)
2204{
2205
2206 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2207 LABEL_CHECK(dlabel, MAGIC_VNODE);
2208 COUNTER_INC(check_vnode_lookup);
2209
2210 return (0);
2211}
2212
2213COUNTER_DECL(check_vnode_mmap);
2214static int
2215mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
2216 struct label *label, int prot, int flags)
2217{
2218
2219 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2220 LABEL_CHECK(label, MAGIC_VNODE);
2221 COUNTER_INC(check_vnode_mmap);
2222
2223 return (0);
2224}
2225
2226COUNTER_DECL(check_vnode_open);
2227static int
2228mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
2229 struct label *filelabel, int acc_mode)
2230{
2231
2232 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2233 LABEL_CHECK(filelabel, MAGIC_VNODE);
2234 COUNTER_INC(check_vnode_open);
2235
2236 return (0);
2237}
2238
2239COUNTER_DECL(check_vnode_poll);
2240static int
2241mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
2242 struct vnode *vp, struct label *label)
2243{
2244
2245 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2246 if (file_cred != NULL)
2247 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2248 LABEL_CHECK(label, MAGIC_VNODE);
2249 COUNTER_INC(check_vnode_poll);
2250
2251 return (0);
2252}
2253
2254COUNTER_DECL(check_vnode_read);
2255static int
2256mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2257 struct vnode *vp, struct label *label)
2258{
2259
2260 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2261 if (file_cred != NULL)
2262 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2263 LABEL_CHECK(label, MAGIC_VNODE);
2264 COUNTER_INC(check_vnode_read);
2265
2266 return (0);
2267}
2268
2269COUNTER_DECL(check_vnode_readdir);
2270static int
2271mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
2272 struct label *dlabel)
2273{
2274
2275 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2276 LABEL_CHECK(dlabel, MAGIC_VNODE);
2277 COUNTER_INC(check_vnode_readdir);
2278
2279 return (0);
2280}
2281
2282COUNTER_DECL(check_vnode_readlink);
2283static int
2284mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
2285 struct label *vnodelabel)
2286{
2287
2288 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2289 LABEL_CHECK(vnodelabel, MAGIC_VNODE);
2290 COUNTER_INC(check_vnode_readlink);
2291
2292 return (0);
2293}
2294
2295COUNTER_DECL(check_vnode_relabel);
2296static int
2297mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2298 struct label *vnodelabel, struct label *newlabel)
2299{
2300
2301 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2302 LABEL_CHECK(vnodelabel, MAGIC_VNODE);
2303 LABEL_CHECK(newlabel, MAGIC_VNODE);
2304 COUNTER_INC(check_vnode_relabel);
2305
2306 return (0);
2307}
2308
2309COUNTER_DECL(check_vnode_rename_from);
2310static int
2311mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2312 struct label *dlabel, struct vnode *vp, struct label *label,
2313 struct componentname *cnp)
2314{
2315
2316 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2317 LABEL_CHECK(dlabel, MAGIC_VNODE);
2318 LABEL_CHECK(label, MAGIC_VNODE);
2319 COUNTER_INC(check_vnode_rename_from);
2320
2321 return (0);
2322}
2323
2324COUNTER_DECL(check_vnode_rename_to);
2325static int
2326mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2327 struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
2328 struct componentname *cnp)
2329{
2330
2331 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2332 LABEL_CHECK(dlabel, MAGIC_VNODE);
2333 LABEL_CHECK(label, MAGIC_VNODE);
2334 COUNTER_INC(check_vnode_rename_to);
2335
2336 return (0);
2337}
2338
2339COUNTER_DECL(check_vnode_revoke);
2340static int
2341mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
2342 struct label *label)
2343{
2344
2345 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2346 LABEL_CHECK(label, MAGIC_VNODE);
2347 COUNTER_INC(check_vnode_revoke);
2348
2349 return (0);
2350}
2351
2352COUNTER_DECL(check_vnode_setacl);
2353static int
2354mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
2355 struct label *label, acl_type_t type, struct acl *acl)
2356{
2357
2358 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2359 LABEL_CHECK(label, MAGIC_VNODE);
2360 COUNTER_INC(check_vnode_setacl);
2361
2362 return (0);
2363}
2364
2365COUNTER_DECL(check_vnode_setextattr);
2366static int
2367mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2368 struct label *label, int attrnamespace, const char *name, struct uio *uio)
2369{
2370
2371 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2372 LABEL_CHECK(label, MAGIC_VNODE);
2373 COUNTER_INC(check_vnode_setextattr);
2374
2375 return (0);
2376}
2377
2378COUNTER_DECL(check_vnode_setflags);
2379static int
2380mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
2381 struct label *label, u_long flags)
2382{
2383
2384 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2385 LABEL_CHECK(label, MAGIC_VNODE);
2386 COUNTER_INC(check_vnode_setflags);
2387
2388 return (0);
2389}
2390
2391COUNTER_DECL(check_vnode_setmode);
2392static int
2393mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
2394 struct label *label, mode_t mode)
2395{
2396
2397 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2398 LABEL_CHECK(label, MAGIC_VNODE);
2399 COUNTER_INC(check_vnode_setmode);
2400
2401 return (0);
2402}
2403
2404COUNTER_DECL(check_vnode_setowner);
2405static int
2406mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
2407 struct label *label, uid_t uid, gid_t gid)
2408{
2409
2410 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2411 LABEL_CHECK(label, MAGIC_VNODE);
2412 COUNTER_INC(check_vnode_setowner);
2413
2414 return (0);
2415}
2416
2417COUNTER_DECL(check_vnode_setutimes);
2418static int
2419mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2420 struct label *label, struct timespec atime, struct timespec mtime)
2421{
2422
2423 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2424 LABEL_CHECK(label, MAGIC_VNODE);
2425 COUNTER_INC(check_vnode_setutimes);
2426
2427 return (0);
2428}
2429
2430COUNTER_DECL(check_vnode_stat);
2431static int
2432mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2433 struct vnode *vp, struct label *label)
2434{
2435
2436 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2437 if (file_cred != NULL)
2438 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2439 LABEL_CHECK(label, MAGIC_VNODE);
2440 COUNTER_INC(check_vnode_stat);
2441
2442 return (0);
2443}
2444
2445COUNTER_DECL(check_vnode_write);
2446static int
2447mac_test_check_vnode_write(struct ucred *active_cred,
2448 struct ucred *file_cred, struct vnode *vp, struct label *label)
2449{
2450
2451 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2452 if (file_cred != NULL)
2453 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2454 LABEL_CHECK(label, MAGIC_VNODE);
2455 COUNTER_INC(check_vnode_write);
2456
2457 return (0);
2458}
2459
2460static struct mac_policy_ops mac_test_ops =
2461{
2462 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
2463 .mpo_init_cred_label = mac_test_init_cred_label,
2464 .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
2465 .mpo_init_ifnet_label = mac_test_init_ifnet_label,
2466 .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
2467 .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
2468 .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
2469 .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
2470 .mpo_init_inpcb_label = mac_test_init_inpcb_label,
2471 .mpo_init_ipq_label = mac_test_init_ipq_label,
2472 .mpo_init_mbuf_label = mac_test_init_mbuf_label,
2473 .mpo_init_mount_label = mac_test_init_mount_label,

~~2493~~ .mpo_init_mount_fs_label = mac_test_init_mount_fs_label,

2474 .mpo_init_pipe_label = mac_test_init_pipe_label,
2475 .mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
2476 .mpo_init_proc_label = mac_test_init_proc_label,
2477 .mpo_init_socket_label = mac_test_init_socket_label,
2478 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
2479 .mpo_init_vnode_label = mac_test_init_vnode_label,
2480 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
2481 .mpo_destroy_cred_label = mac_test_destroy_cred_label,
2482 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
2483 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
2484 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
2485 .mpo_destroy_sysv_msgqueue_label =
2486 mac_test_destroy_sysv_msgqueue_label,
2487 .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label,
2488 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label,
2489 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
2490 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
2491 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
2492 .mpo_destroy_mount_label = mac_test_destroy_mount_label,

~~2513~~ .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,

2493 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
2494 .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
2495 .mpo_destroy_proc_label = mac_test_destroy_proc_label,
2496 .mpo_destroy_socket_label = mac_test_destroy_socket_label,
2497 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
2498 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
2499 .mpo_copy_cred_label = mac_test_copy_cred_label,
2500 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
2501 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
2502 .mpo_copy_pipe_label = mac_test_copy_pipe_label,
2503 .mpo_copy_socket_label = mac_test_copy_socket_label,
2504 .mpo_copy_vnode_label = mac_test_copy_vnode_label,
2505 .mpo_externalize_cred_label = mac_test_externalize_label,
2506 .mpo_externalize_ifnet_label = mac_test_externalize_label,
2507 .mpo_externalize_pipe_label = mac_test_externalize_label,
2508 .mpo_externalize_socket_label = mac_test_externalize_label,
2509 .mpo_externalize_socket_peer_label = mac_test_externalize_label,
2510 .mpo_externalize_vnode_label = mac_test_externalize_label,
2511 .mpo_internalize_cred_label = mac_test_internalize_label,
2512 .mpo_internalize_ifnet_label = mac_test_internalize_label,
2513 .mpo_internalize_pipe_label = mac_test_internalize_label,
2514 .mpo_internalize_socket_label = mac_test_internalize_label,
2515 .mpo_internalize_vnode_label = mac_test_internalize_label,
2516 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
2517 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
2518 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
2519 .mpo_create_devfs_device = mac_test_create_devfs_device,
2520 .mpo_create_devfs_directory = mac_test_create_devfs_directory,
2521 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
2522 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
2523 .mpo_create_mount = mac_test_create_mount,
2524 .mpo_relabel_vnode = mac_test_relabel_vnode,
2525 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
2526 .mpo_update_devfsdirent = mac_test_update_devfsdirent,
2527 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
2528 .mpo_create_pipe = mac_test_create_pipe,
2529 .mpo_create_posix_sem = mac_test_create_posix_sem,
2530 .mpo_create_socket = mac_test_create_socket,
2531 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
2532 .mpo_relabel_pipe = mac_test_relabel_pipe,
2533 .mpo_relabel_socket = mac_test_relabel_socket,
2534 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
2535 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
2536 .mpo_create_bpfdesc = mac_test_create_bpfdesc,
2537 .mpo_create_ifnet = mac_test_create_ifnet,
2538 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
2539 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg,
2540 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue,
2541 .mpo_create_sysv_sem = mac_test_create_sysv_sem,
2542 .mpo_create_sysv_shm = mac_test_create_sysv_shm,
2543 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
2544 .mpo_create_fragment = mac_test_create_fragment,
2545 .mpo_create_ipq = mac_test_create_ipq,
2546 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
2547 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
2548 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
2549 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
2550 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
2551 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
2552 .mpo_fragment_match = mac_test_fragment_match,
2553 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
2554 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
2555 .mpo_relabel_ifnet = mac_test_relabel_ifnet,
2556 .mpo_update_ipq = mac_test_update_ipq,
2557 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
2558 .mpo_execve_transition = mac_test_execve_transition,
2559 .mpo_execve_will_transition = mac_test_execve_will_transition,
2560 .mpo_create_proc0 = mac_test_create_proc0,
2561 .mpo_create_proc1 = mac_test_create_proc1,
2562 .mpo_relabel_cred = mac_test_relabel_cred,
2563 .mpo_thread_userret = mac_test_thread_userret,
2564 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg,
2565 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue,
2566 .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem,
2567 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm,
2568 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
2569 .mpo_check_cred_relabel = mac_test_check_cred_relabel,
2570 .mpo_check_cred_visible = mac_test_check_cred_visible,
2571 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
2572 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
2573 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
2574 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq,
2575 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv,
2576 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid,
2577 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget,
2578 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd,
2579 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv,
2580 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl,
2581 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl,
2582 .mpo_check_sysv_semget = mac_test_check_sysv_semget,
2583 .mpo_check_sysv_semop = mac_test_check_sysv_semop,
2584 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat,
2585 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl,
2586 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt,
2587 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget,
2588 .mpo_check_kenv_dump = mac_test_check_kenv_dump,
2589 .mpo_check_kenv_get = mac_test_check_kenv_get,
2590 .mpo_check_kenv_set = mac_test_check_kenv_set,
2591 .mpo_check_kenv_unset = mac_test_check_kenv_unset,
2592 .mpo_check_kld_load = mac_test_check_kld_load,
2593 .mpo_check_kld_stat = mac_test_check_kld_stat,
2594 .mpo_check_mount_stat = mac_test_check_mount_stat,
2595 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
2596 .mpo_check_pipe_poll = mac_test_check_pipe_poll,
2597 .mpo_check_pipe_read = mac_test_check_pipe_read,
2598 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
2599 .mpo_check_pipe_stat = mac_test_check_pipe_stat,
2600 .mpo_check_pipe_write = mac_test_check_pipe_write,
2601 .mpo_check_posix_sem_destroy = mac_test_check_posix_sem,
2602 .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem,
2603 .mpo_check_posix_sem_open = mac_test_check_posix_sem,
2604 .mpo_check_posix_sem_post = mac_test_check_posix_sem,
2605 .mpo_check_posix_sem_unlink = mac_test_check_posix_sem,
2606 .mpo_check_posix_sem_wait = mac_test_check_posix_sem,
2607 .mpo_check_proc_debug = mac_test_check_proc_debug,
2608 .mpo_check_proc_sched = mac_test_check_proc_sched,
2609 .mpo_check_proc_setaudit = mac_test_check_proc_setaudit,
2610 .mpo_check_proc_setauid = mac_test_check_proc_setauid,
2611 .mpo_check_proc_setuid = mac_test_check_proc_setuid,
2612 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
2613 .mpo_check_proc_setgid = mac_test_check_proc_setgid,
2614 .mpo_check_proc_setegid = mac_test_check_proc_setegid,
2615 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
2616 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
2617 .mpo_check_proc_setregid = mac_test_check_proc_setregid,
2618 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
2619 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
2620 .mpo_check_proc_signal = mac_test_check_proc_signal,
2621 .mpo_check_proc_wait = mac_test_check_proc_wait,
2622 .mpo_check_socket_accept = mac_test_check_socket_accept,
2623 .mpo_check_socket_bind = mac_test_check_socket_bind,
2624 .mpo_check_socket_connect = mac_test_check_socket_connect,
2625 .mpo_check_socket_deliver = mac_test_check_socket_deliver,
2626 .mpo_check_socket_listen = mac_test_check_socket_listen,
2627 .mpo_check_socket_poll = mac_test_check_socket_poll,
2628 .mpo_check_socket_receive = mac_test_check_socket_receive,
2629 .mpo_check_socket_relabel = mac_test_check_socket_relabel,
2630 .mpo_check_socket_send = mac_test_check_socket_send,
2631 .mpo_check_socket_stat = mac_test_check_socket_stat,
2632 .mpo_check_socket_visible = mac_test_check_socket_visible,
2633 .mpo_check_system_acct = mac_test_check_system_acct,
2634 .mpo_check_system_audit = mac_test_check_system_audit,
2635 .mpo_check_system_auditctl = mac_test_check_system_auditctl,
2636 .mpo_check_system_auditon = mac_test_check_system_auditon,
2637 .mpo_check_system_reboot = mac_test_check_system_reboot,
2638 .mpo_check_system_swapoff = mac_test_check_system_swapoff,
2639 .mpo_check_system_swapon = mac_test_check_system_swapon,
2640 .mpo_check_system_sysctl = mac_test_check_system_sysctl,
2641 .mpo_check_vnode_access = mac_test_check_vnode_access,
2642 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
2643 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
2644 .mpo_check_vnode_create = mac_test_check_vnode_create,
2645 .mpo_check_vnode_delete = mac_test_check_vnode_delete,
2646 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
2647 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
2648 .mpo_check_vnode_exec = mac_test_check_vnode_exec,
2649 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
2650 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
2651 .mpo_check_vnode_link = mac_test_check_vnode_link,
2652 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
2653 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
2654 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
2655 .mpo_check_vnode_open = mac_test_check_vnode_open,
2656 .mpo_check_vnode_poll = mac_test_check_vnode_poll,
2657 .mpo_check_vnode_read = mac_test_check_vnode_read,
2658 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
2659 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
2660 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
2661 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
2662 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
2663 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
2664 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
2665 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
2666 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
2667 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
2668 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
2669 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
2670 .mpo_check_vnode_stat = mac_test_check_vnode_stat,
2671 .mpo_check_vnode_write = mac_test_check_vnode_write,
2672};
2673
2674MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
2675 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);