Cross Reference: /freebsd-10.1-release/sys/security/mac_test/mac_test.c

Deleted Added

sdiff udiff text old ( 145167 ) new ( 145234 )

full compact

mac_test.c (145167)	mac_test.c (145234)
1/- 2 Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001-2005 McAfee, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by McAfee 9 * Research, the Security Research Division of McAfee, Inc. under 10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 11 * CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 *	1/- 2 Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001-2005 McAfee, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by McAfee 9 * Research, the Security Research Division of McAfee, Inc. under 10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 11 * CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 *
34 * $FreeBSD: head/sys/security/mac_test/mac_test.c 145167 2005-04-16 18:46:29Z rwatson $	34 * $FreeBSD: head/sys/security/mac_test/mac_test.c 145234 2005-04-18 13:36:57Z rwatson $
35 / 36 37/ 38 * Developed by the TrustedBSD Project. 39 * Generic mandatory access module that does nothing. 40 / 41 42#include <sys/types.h> 43#include <sys/param.h> 44#include <sys/acl.h> 45#include <sys/conf.h> 46#include <sys/kdb.h> 47#include <sys/extattr.h> 48#include <sys/kernel.h> 49#include <sys/mac.h> 50#include <sys/malloc.h> 51#include <sys/mount.h> 52#include <sys/proc.h> 53#include <sys/systm.h> 54#include <sys/sysproto.h> 55#include <sys/sysent.h> 56#include <sys/vnode.h> 57#include <sys/file.h> 58#include <sys/socket.h> 59#include <sys/socketvar.h> 60#include <sys/sysctl.h> 61#include <sys/msg.h> 62#include <sys/sem.h> 63#include <sys/shm.h> 64 65#include <fs/devfs/devfs.h> 66 67#include <net/bpfdesc.h> 68#include <net/if.h> 69#include <net/if_types.h> 70#include <net/if_var.h> 71 72#include <vm/vm.h> 73 74#include <sys/mac_policy.h> 75 76SYSCTL_DECL(_security_mac); 77 78SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, 79 "TrustedBSD mac_test policy controls"); 80 81static int mac_test_enabled = 1; 82SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW, 83 &mac_test_enabled, 0, "Enforce test policy"); 84 85#define BPFMAGIC 0xfe1ad1b6 86#define DEVFSMAGIC 0x9ee79c32 87#define IFNETMAGIC 0xc218b120 88#define INPCBMAGIC 0x4440f7bb 89#define IPQMAGIC 0x206188ef 90#define MBUFMAGIC 0xbbefa5bb 91#define MOUNTMAGIC 0xc7c46e47 92#define SOCKETMAGIC 0x9199c6cd 93#define SYSVIPCMSQMAGIC 0xea672391 94#define SYSVIPCMSGMAGIC 0x8bbba61e 95#define SYSVIPCSEMMAGIC 0x896e8a0b 96#define SYSVIPCSHMMAGIC 0x76119ab0 97#define PIPEMAGIC 0xdc6c9919 98#define POSIXSEMMAGIC 0x78ae980c 99#define PROCMAGIC 0x3b4be98f 100#define CREDMAGIC 0x9a5a4987 101#define VNODEMAGIC 0x1a67a45c 102#define EXMAGIC 0x849ba1fd 103* 104#define SLOT(x) LABEL_TO_SLOT((x), test_slot).l_long 105 106#define ASSERT_BPF_LABEL(x) KASSERT(SLOT(x) == BPFMAGIC \|\| \ 107 SLOT(x) == 0, ("%s: Bad BPF label", __func__ )) 108#define ASSERT_DEVFS_LABEL(x) KASSERT(SLOT(x) == DEVFSMAGIC \|\| \ 109 SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ )) 110#define ASSERT_IFNET_LABEL(x) KASSERT(SLOT(x) == IFNETMAGIC \|\| \ 111 SLOT(x) == 0, ("%s: Bad IFNET label", __func__ )) 112#define ASSERT_INPCB_LABEL(x) KASSERT(SLOT(x) == INPCBMAGIC \|\| \ 113 SLOT(x) == 0, ("%s: Bad INPCB label", __func__ )) 114#define ASSERT_IPQ_LABEL(x) KASSERT(SLOT(x) == IPQMAGIC \|\| \ 115 SLOT(x) == 0, ("%s: Bad IPQ label", __func__ )) 116#define ASSERT_MBUF_LABEL(x) KASSERT(x == NULL \|\| \ 117 SLOT(x) == MBUFMAGIC \|\| SLOT(x) == 0, \ 118 ("%s: Bad MBUF label", __func__ )) 119#define ASSERT_MOUNT_LABEL(x) KASSERT(SLOT(x) == MOUNTMAGIC \|\| \ 120 SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ )) 121#define ASSERT_SOCKET_LABEL(x) KASSERT(SLOT(x) == SOCKETMAGIC \|\| \ 122 SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ )) 123#define ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC \|\| \ 124 SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__ )) 125#define ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC \|\| \ 126 SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__ )) 127#define ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC \|\| \ 128 SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__ )) 129#define ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC \|\| \ 130 SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__ )) 131#define ASSERT_PIPE_LABEL(x) KASSERT(SLOT(x) == PIPEMAGIC \|\| \ 132 SLOT(x) == 0, ("%s: Bad PIPE label", __func__ )) 133#define ASSERT_PROC_LABEL(x) KASSERT(SLOT(x) == PROCMAGIC \|\| \ 134 SLOT(x) == 0, ("%s: Bad PROC label", __func__ )) 135#define ASSERT_CRED_LABEL(x) KASSERT(SLOT(x) == CREDMAGIC \|\| \ 136 SLOT(x) == 0, ("%s: Bad CRED label", __func__ )) 137#define ASSERT_VNODE_LABEL(x) KASSERT(SLOT(x) == VNODEMAGIC \|\| \ 138 SLOT(x) == 0, ("%s: Bad VNODE label", __func__ )) 139 140static int test_slot; 141SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 142 &test_slot, 0, "Slot allocated by framework"); 143 144static int init_count_bpfdesc; 145SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD, 146 &init_count_bpfdesc, 0, "bpfdesc init calls"); 147static int init_count_cred; 148SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD, 149 &init_count_cred, 0, "cred init calls"); 150static int init_count_devfsdirent; 151SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD, 152 &init_count_devfsdirent, 0, "devfsdirent init calls"); 153static int init_count_ifnet; 154SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD, 155 &init_count_ifnet, 0, "ifnet init calls"); 156static int init_count_inpcb; 157SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD, 158 &init_count_inpcb, 0, "inpcb init calls"); 159static int init_count_sysv_msg; 160SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD, 161 &init_count_sysv_msg, 0, "ipc_msg init calls"); 162static int init_count_sysv_msq; 163SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD, 164 &init_count_sysv_msq, 0, "ipc_msq init calls"); 165static int init_count_sysv_sema; 166SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sema, CTLFLAG_RD, 167 &init_count_sysv_sema, 0, "ipc_sema init calls"); 168static int init_count_sysv_shm; 169SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD, 170 &init_count_sysv_shm, 0, "ipc_shm init calls"); 171static int init_count_ipq; 172SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD, 173 &init_count_ipq, 0, "ipq init calls"); 174static int init_count_mbuf; 175SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD, 176 &init_count_mbuf, 0, "mbuf init calls"); 177static int init_count_mount; 178SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD, 179 &init_count_mount, 0, "mount init calls"); 180static int init_count_mount_fslabel; 181SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD, 182 &init_count_mount_fslabel, 0, "mount_fslabel init calls"); 183static int init_count_socket; 184SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD, 185 &init_count_socket, 0, "socket init calls"); 186static int init_count_socket_peerlabel; 187SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel, 188 CTLFLAG_RD, &init_count_socket_peerlabel, 0, 189 "socket_peerlabel init calls"); 190static int init_count_pipe; 191SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD, 192 &init_count_pipe, 0, "pipe init calls"); 193static int init_count_proc; 194SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD, 195 &init_count_proc, 0, "proc init calls"); 196static int init_count_vnode; 197SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD, 198 &init_count_vnode, 0, "vnode init calls"); 199 200static int destroy_count_bpfdesc; 201SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD, 202 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls"); 203static int destroy_count_cred; 204SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD, 205 &destroy_count_cred, 0, "cred destroy calls"); 206static int destroy_count_devfsdirent; 207SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD, 208 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls"); 209static int destroy_count_ifnet; 210SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD, 211 &destroy_count_ifnet, 0, "ifnet destroy calls"); 212static int destroy_count_inpcb; 213SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD, 214 &destroy_count_inpcb, 0, "inpcb destroy calls"); 215static int destroy_count_sysv_msg; 216SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD, 217 &destroy_count_sysv_msg, 0, "ipc_msg destroy calls"); 218static int destroy_count_sysv_msq; 219SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD, 220 &destroy_count_sysv_msq, 0, "ipc_msq destroy calls"); 221static int destroy_count_sysv_sema; 222SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sema, CTLFLAG_RD, 223 &destroy_count_sysv_sema, 0, "ipc_sema destroy calls"); 224static int destroy_count_sysv_shm; 225SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD, 226 &destroy_count_sysv_shm, 0, "ipc_shm destroy calls"); 227static int destroy_count_ipq; 228SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD, 229 &destroy_count_ipq, 0, "ipq destroy calls"); 230static int destroy_count_mbuf; 231SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD, 232 &destroy_count_mbuf, 0, "mbuf destroy calls"); 233static int destroy_count_mount; 234SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD, 235 &destroy_count_mount, 0, "mount destroy calls"); 236static int destroy_count_mount_fslabel; 237SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel, 238 CTLFLAG_RD, &destroy_count_mount_fslabel, 0, 239 "mount_fslabel destroy calls"); 240static int destroy_count_socket; 241SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD, 242 &destroy_count_socket, 0, "socket destroy calls"); 243static int destroy_count_socket_peerlabel; 244SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel, 245 CTLFLAG_RD, &destroy_count_socket_peerlabel, 0, 246 "socket_peerlabel destroy calls"); 247static int destroy_count_pipe; 248SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD, 249 &destroy_count_pipe, 0, "pipe destroy calls"); 250static int destroy_count_proc; 251SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD, 252 &destroy_count_proc, 0, "proc destroy calls"); 253static int destroy_count_vnode; 254SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD, 255 &destroy_count_vnode, 0, "vnode destroy calls"); 256 257static int externalize_count; 258SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD, 259 &externalize_count, 0, "Subject/object externalize calls"); 260static int internalize_count; 261SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD, 262 &internalize_count, 0, "Subject/object internalize calls"); 263 264#ifdef KDB 265#define DEBUGGER(x) kdb_enter(x) 266#else 267#define DEBUGGER(x) printf("mac_test: %s\n", (x)) 268#endif 269 270/* 271 * Policy module operations. 272 / 273static void 274mac_test_destroy(struct mac_policy_conf conf) 275{ 276 277} 278 279static void 280mac_test_init(struct mac_policy_conf conf) 281{ 282* 283} 284 285static int 286mac_test_syscall(struct thread td, int call, void arg) 287{ 288 289 return (0); 290} 291 292/* 293 * Label operations. 294 / 295static void 296mac_test_init_bpfdesc_label(struct label label) 297{ 298 299 SLOT(label) = BPFMAGIC; 300 atomic_add_int(&init_count_bpfdesc, 1); 301} 302 303static void 304mac_test_init_cred_label(struct label label) 305{ 306* 307 SLOT(label) = CREDMAGIC; 308 atomic_add_int(&init_count_cred, 1); 309} 310 311static void 312mac_test_init_devfsdirent_label(struct label label) 313{ 314* 315 SLOT(label) = DEVFSMAGIC; 316 atomic_add_int(&init_count_devfsdirent, 1); 317} 318 319static void 320mac_test_init_ifnet_label(struct label label) 321{ 322* 323 SLOT(label) = IFNETMAGIC; 324 atomic_add_int(&init_count_ifnet, 1); 325} 326 327static int 328mac_test_init_inpcb_label(struct label label, int flag) 329{ 330* 331 if (flag & M_WAITOK) 332 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 333 "mac_test_init_inpcb_label() at %s:%d", __FILE__, 334 __LINE__); 335 336 SLOT(label) = INPCBMAGIC; 337 atomic_add_int(&init_count_inpcb, 1); 338 return (0); 339} 340 341static void 342mac_test_init_sysv_msgmsg_label(struct label label) 343{ 344* SLOT(label) = SYSVIPCMSGMAGIC; 345 atomic_add_int(&init_count_sysv_msg, 1); 346} 347 348static void 349mac_test_init_sysv_msgqueue_label(struct label label) 350{ 351* SLOT(label) = SYSVIPCMSQMAGIC; 352 atomic_add_int(&init_count_sysv_msq, 1); 353} 354 355static void 356mac_test_init_sysv_sema_label(struct label label) 357{ 358* SLOT(label) = SYSVIPCSEMMAGIC; 359 atomic_add_int(&init_count_sysv_sema, 1); 360} 361 362static void 363mac_test_init_sysv_shm_label(struct label label) 364{ 365* SLOT(label) = SYSVIPCSHMMAGIC; 366 atomic_add_int(&init_count_sysv_shm, 1); 367} 368 369static int 370mac_test_init_ipq_label(struct label label, int flag) 371{ 372* 373 if (flag & M_WAITOK) 374 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 375 "mac_test_init_ipq_label() at %s:%d", __FILE__, 376 __LINE__); 377 378 SLOT(label) = IPQMAGIC; 379 atomic_add_int(&init_count_ipq, 1); 380 return (0); 381} 382 383static int 384mac_test_init_mbuf_label(struct label label, int flag) 385{ 386* 387 if (flag & M_WAITOK) 388 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 389 "mac_test_init_mbuf_label() at %s:%d", __FILE__, 390 __LINE__); 391 392 SLOT(label) = MBUFMAGIC; 393 atomic_add_int(&init_count_mbuf, 1); 394 return (0); 395} 396 397static void 398mac_test_init_mount_label(struct label label) 399{ 400* 401 SLOT(label) = MOUNTMAGIC; 402 atomic_add_int(&init_count_mount, 1); 403} 404 405static void 406mac_test_init_mount_fs_label(struct label label) 407{ 408* 409 SLOT(label) = MOUNTMAGIC; 410 atomic_add_int(&init_count_mount_fslabel, 1); 411} 412 413static int 414mac_test_init_socket_label(struct label label, int flag) 415{ 416* 417 if (flag & M_WAITOK) 418 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 419 "mac_test_init_socket_label() at %s:%d", __FILE__, 420 __LINE__); 421 422 SLOT(label) = SOCKETMAGIC; 423 atomic_add_int(&init_count_socket, 1); 424 return (0); 425} 426 427static int 428mac_test_init_socket_peer_label(struct label label, int flag) 429{ 430* 431 if (flag & M_WAITOK) 432 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 433 "mac_test_init_socket_peer_label() at %s:%d", __FILE__, 434 __LINE__); 435 436 SLOT(label) = SOCKETMAGIC; 437 atomic_add_int(&init_count_socket_peerlabel, 1); 438 return (0); 439} 440 441static void 442mac_test_init_pipe_label(struct label label) 443{ 444* 445 SLOT(label) = PIPEMAGIC; 446 atomic_add_int(&init_count_pipe, 1); 447} 448 449static void 450mac_test_init_proc_label(struct label label) 451{ 452* 453 SLOT(label) = PROCMAGIC; 454 atomic_add_int(&init_count_proc, 1); 455} 456 457static void 458mac_test_init_vnode_label(struct label label) 459{ 460* 461 SLOT(label) = VNODEMAGIC; 462 atomic_add_int(&init_count_vnode, 1); 463} 464 465static void 466mac_test_destroy_bpfdesc_label(struct label label) 467{ 468* 469 if (SLOT(label) == BPFMAGIC \|\| SLOT(label) == 0) { 470 atomic_add_int(&destroy_count_bpfdesc, 1); 471 SLOT(label) = EXMAGIC; 472 } else if (SLOT(label) == EXMAGIC) { 473 DEBUGGER("mac_test_destroy_bpfdesc: dup destroy"); 474 } else { 475 DEBUGGER("mac_test_destroy_bpfdesc: corrupted label"); 476 } 477} 478 479static void 480mac_test_destroy_cred_label(struct label label) 481{ 482* 483 if (SLOT(label) == CREDMAGIC \|\| SLOT(label) == 0) { 484 atomic_add_int(&destroy_count_cred, 1); 485 SLOT(label) = EXMAGIC; 486 } else if (SLOT(label) == EXMAGIC) { 487 DEBUGGER("mac_test_destroy_cred: dup destroy"); 488 } else { 489 DEBUGGER("mac_test_destroy_cred: corrupted label"); 490 } 491} 492 493static void 494mac_test_destroy_devfsdirent_label(struct label label) 495{ 496* 497 if (SLOT(label) == DEVFSMAGIC \|\| SLOT(label) == 0) { 498 atomic_add_int(&destroy_count_devfsdirent, 1); 499 SLOT(label) = EXMAGIC; 500 } else if (SLOT(label) == EXMAGIC) { 501 DEBUGGER("mac_test_destroy_devfsdirent: dup destroy"); 502 } else { 503 DEBUGGER("mac_test_destroy_devfsdirent: corrupted label"); 504 } 505} 506 507static void 508mac_test_destroy_ifnet_label(struct label label) 509{ 510* 511 if (SLOT(label) == IFNETMAGIC \|\| SLOT(label) == 0) { 512 atomic_add_int(&destroy_count_ifnet, 1); 513 SLOT(label) = EXMAGIC; 514 } else if (SLOT(label) == EXMAGIC) { 515 DEBUGGER("mac_test_destroy_ifnet: dup destroy"); 516 } else { 517 DEBUGGER("mac_test_destroy_ifnet: corrupted label"); 518 } 519} 520 521static void 522mac_test_destroy_inpcb_label(struct label label) 523{ 524* 525 if (SLOT(label) == INPCBMAGIC \|\| SLOT(label) == 0) { 526 atomic_add_int(&destroy_count_inpcb, 1); 527 SLOT(label) = EXMAGIC; 528 } else if (SLOT(label) == EXMAGIC) { 529 DEBUGGER("mac_test_destroy_inpcb: dup destroy"); 530 } else { 531 DEBUGGER("mac_test_destroy_inpcb: corrupted label"); 532 } 533} 534 535static void 536mac_test_destroy_sysv_msgmsg_label(struct label label) 537{ 538* 539 if (SLOT(label) == SYSVIPCMSGMAGIC \|\| SLOT(label) == 0) { 540 atomic_add_int(&destroy_count_sysv_msg, 1); 541 SLOT(label) = EXMAGIC; 542 } else if (SLOT(label) == EXMAGIC) { 543 DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy"); 544 } else { 545 DEBUGGER( 546 "mac_test_destroy_sysv_msgmsg_label: corrupted label"); 547 } 548} 549 550static void 551mac_test_destroy_sysv_msgqueue_label(struct label label) 552{ 553* 554 if (SLOT(label) == SYSVIPCMSQMAGIC \|\| SLOT(label) == 0) { 555 atomic_add_int(&destroy_count_sysv_msq, 1); 556 SLOT(label) = EXMAGIC; 557 } else if (SLOT(label) == EXMAGIC) { 558 DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy"); 559 } else { 560 DEBUGGER( 561 "mac_test_destroy_sysv_msgqueue_label: corrupted label"); 562 } 563} 564 565static void 566mac_test_destroy_sysv_sema_label(struct label label) 567{ 568* 569 if (SLOT(label) == SYSVIPCSEMMAGIC \|\| SLOT(label) == 0) { 570 atomic_add_int(&destroy_count_sysv_sema, 1); 571 SLOT(label) = EXMAGIC; 572 } else if (SLOT(label) == EXMAGIC) { 573 DEBUGGER("mac_test_destroy_sysv_sema_label: dup destroy"); 574 } else { 575 DEBUGGER("mac_test_destroy_sysv_sema_label: corrupted label"); 576 } 577} 578 579static void 580mac_test_destroy_sysv_shm_label(struct label label) 581{ 582* 583 if (SLOT(label) == SYSVIPCSHMMAGIC \|\| SLOT(label) == 0) { 584 atomic_add_int(&destroy_count_sysv_shm, 1); 585 SLOT(label) = EXMAGIC; 586 } else if (SLOT(label) == EXMAGIC) { 587 DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy"); 588 } else { 589 DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label"); 590 } 591} 592 593static void 594mac_test_destroy_ipq_label(struct label label) 595{ 596* 597 if (SLOT(label) == IPQMAGIC \|\| SLOT(label) == 0) { 598 atomic_add_int(&destroy_count_ipq, 1); 599 SLOT(label) = EXMAGIC; 600 } else if (SLOT(label) == EXMAGIC) { 601 DEBUGGER("mac_test_destroy_ipq: dup destroy"); 602 } else { 603 DEBUGGER("mac_test_destroy_ipq: corrupted label"); 604 } 605} 606 607static void 608mac_test_destroy_mbuf_label(struct label label) 609{ 610* 611 /* 612 * If we're loaded dynamically, there may be mbufs in flight that 613 * didn't have label storage allocated for them. Handle this 614 * gracefully. 615 / 616* if (label == NULL) 617 return; 618 619 if (SLOT(label) == MBUFMAGIC \|\| SLOT(label) == 0) { 620 atomic_add_int(&destroy_count_mbuf, 1); 621 SLOT(label) = EXMAGIC; 622 } else if (SLOT(label) == EXMAGIC) { 623 DEBUGGER("mac_test_destroy_mbuf: dup destroy"); 624 } else { 625 DEBUGGER("mac_test_destroy_mbuf: corrupted label"); 626 } 627} 628 629static void 630mac_test_destroy_mount_label(struct label label) 631{ 632* 633 if ((SLOT(label) == MOUNTMAGIC \|\| SLOT(label) == 0)) { 634 atomic_add_int(&destroy_count_mount, 1); 635 SLOT(label) = EXMAGIC; 636 } else if (SLOT(label) == EXMAGIC) { 637 DEBUGGER("mac_test_destroy_mount: dup destroy"); 638 } else { 639 DEBUGGER("mac_test_destroy_mount: corrupted label"); 640 } 641} 642 643static void 644mac_test_destroy_mount_fs_label(struct label label) 645{ 646* 647 if ((SLOT(label) == MOUNTMAGIC \|\| SLOT(label) == 0)) { 648 atomic_add_int(&destroy_count_mount_fslabel, 1); 649 SLOT(label) = EXMAGIC; 650 } else if (SLOT(label) == EXMAGIC) { 651 DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy"); 652 } else { 653 DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label"); 654 } 655} 656 657static void 658mac_test_destroy_socket_label(struct label label) 659{ 660* 661 if ((SLOT(label) == SOCKETMAGIC \|\| SLOT(label) == 0)) { 662 atomic_add_int(&destroy_count_socket, 1); 663 SLOT(label) = EXMAGIC; 664 } else if (SLOT(label) == EXMAGIC) { 665 DEBUGGER("mac_test_destroy_socket: dup destroy"); 666 } else { 667 DEBUGGER("mac_test_destroy_socket: corrupted label"); 668 } 669} 670 671static void 672mac_test_destroy_socket_peer_label(struct label label) 673{ 674* 675 if ((SLOT(label) == SOCKETMAGIC \|\| SLOT(label) == 0)) { 676 atomic_add_int(&destroy_count_socket_peerlabel, 1); 677 SLOT(label) = EXMAGIC; 678 } else if (SLOT(label) == EXMAGIC) { 679 DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy"); 680 } else { 681 DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label"); 682 } 683} 684 685static void 686mac_test_destroy_pipe_label(struct label label) 687{ 688* 689 if ((SLOT(label) == PIPEMAGIC \|\| SLOT(label) == 0)) { 690 atomic_add_int(&destroy_count_pipe, 1); 691 SLOT(label) = EXMAGIC; 692 } else if (SLOT(label) == EXMAGIC) { 693 DEBUGGER("mac_test_destroy_pipe: dup destroy"); 694 } else { 695 DEBUGGER("mac_test_destroy_pipe: corrupted label"); 696 } 697} 698 699static void 700mac_test_destroy_proc_label(struct label label) 701{ 702* 703 if ((SLOT(label) == PROCMAGIC \|\| SLOT(label) == 0)) { 704 atomic_add_int(&destroy_count_proc, 1); 705 SLOT(label) = EXMAGIC; 706 } else if (SLOT(label) == EXMAGIC) { 707 DEBUGGER("mac_test_destroy_proc: dup destroy"); 708 } else { 709 DEBUGGER("mac_test_destroy_proc: corrupted label"); 710 } 711} 712 713static void 714mac_test_destroy_vnode_label(struct label label) 715{ 716* 717 if (SLOT(label) == VNODEMAGIC \|\| SLOT(label) == 0) { 718 atomic_add_int(&destroy_count_vnode, 1); 719 SLOT(label) = EXMAGIC; 720 } else if (SLOT(label) == EXMAGIC) { 721 DEBUGGER("mac_test_destroy_vnode: dup destroy"); 722 } else { 723 DEBUGGER("mac_test_destroy_vnode: corrupted label"); 724 } 725} 726 727static void 728mac_test_copy_cred_label(struct label src, struct label dest) 729{ 730 731 ASSERT_CRED_LABEL(src); 732 ASSERT_CRED_LABEL(dest); 733} 734 735static void 736mac_test_copy_ifnet_label(struct label src, struct label dest) 737{ 738 739 ASSERT_IFNET_LABEL(src); 740 ASSERT_IFNET_LABEL(dest); 741} 742 743static void 744mac_test_copy_mbuf_label(struct label src, struct label dest) 745{ 746 747 ASSERT_MBUF_LABEL(src); 748 ASSERT_MBUF_LABEL(dest); 749} 750 751static void 752mac_test_copy_pipe_label(struct label src, struct label dest) 753{ 754 755 ASSERT_PIPE_LABEL(src); 756 ASSERT_PIPE_LABEL(dest); 757} 758 759static void 760mac_test_copy_socket_label(struct label src, struct label dest) 761{ 762 763 ASSERT_SOCKET_LABEL(src); 764 ASSERT_SOCKET_LABEL(dest); 765} 766 767static void 768mac_test_copy_vnode_label(struct label src, struct label dest) 769{ 770 771 ASSERT_VNODE_LABEL(src); 772 ASSERT_VNODE_LABEL(dest); 773} 774 775static int 776mac_test_externalize_label(struct label label, char element_name, 777 struct sbuf sb, int claimed) 778{ 779 780 atomic_add_int(&externalize_count, 1); 781 782 KASSERT(SLOT(label) != EXMAGIC, 783 ("mac_test_externalize_label: destroyed label")); 784 785 return (0); 786} 787 788static int 789mac_test_internalize_label(struct label label, char element_name, 790 char element_data, int claimed) 791{ 792 793 atomic_add_int(&internalize_count, 1); 794 795 KASSERT(SLOT(label) != EXMAGIC, 796 ("mac_test_internalize_label: destroyed label")); 797 798 return (0); 799} 800 801/* 802 * Labeling event operations: file system objects, and things that look 803 * a lot like file system objects. 804 / 805static void 806mac_test_associate_vnode_devfs(struct mount mp, struct label fslabel, 807* struct devfs_dirent de, struct label delabel, struct vnode vp, 808* struct label vlabel) 809{ 810* 811 ASSERT_MOUNT_LABEL(fslabel); 812 ASSERT_DEVFS_LABEL(delabel); 813 ASSERT_VNODE_LABEL(vlabel); 814} 815 816static int 817mac_test_associate_vnode_extattr(struct mount mp, struct label fslabel, 818 struct vnode vp, struct label vlabel) 819{ 820 821 ASSERT_MOUNT_LABEL(fslabel); 822 ASSERT_VNODE_LABEL(vlabel); 823 return (0); 824} 825 826static void 827mac_test_associate_vnode_singlelabel(struct mount mp, 828* struct label fslabel, struct vnode vp, struct label vlabel) 829{ 830* 831 ASSERT_MOUNT_LABEL(fslabel); 832 ASSERT_VNODE_LABEL(vlabel); 833} 834 835static void 836mac_test_create_devfs_device(struct mount mp, struct cdev dev, 837 struct devfs_dirent devfs_dirent, struct label label) 838{ 839 840 ASSERT_DEVFS_LABEL(label); 841} 842 843static void 844mac_test_create_devfs_directory(struct mount mp, char dirname, 845 int dirnamelen, struct devfs_dirent devfs_dirent, struct label label) 846{ 847 848 ASSERT_DEVFS_LABEL(label); 849} 850 851static void 852mac_test_create_devfs_symlink(struct ucred cred, struct mount mp, 853 struct devfs_dirent dd, struct label ddlabel, struct devfs_dirent de, 854* struct label delabel) 855{ 856* 857 ASSERT_CRED_LABEL(cred->cr_label); 858 ASSERT_DEVFS_LABEL(ddlabel); 859 ASSERT_DEVFS_LABEL(delabel); 860} 861 862static int 863mac_test_create_vnode_extattr(struct ucred cred, struct mount mp, 864 struct label fslabel, struct vnode dvp, struct label dlabel, 865* struct vnode vp, struct label vlabel, struct componentname cnp) 866{ 867* 868 ASSERT_CRED_LABEL(cred->cr_label); 869 ASSERT_MOUNT_LABEL(fslabel); 870 ASSERT_VNODE_LABEL(dlabel); 871 872 return (0); 873} 874 875static void 876mac_test_create_mount(struct ucred cred, struct mount mp, 877 struct label mntlabel, struct label fslabel) 878{ 879 880 ASSERT_CRED_LABEL(cred->cr_label); 881 ASSERT_MOUNT_LABEL(mntlabel); 882 ASSERT_MOUNT_LABEL(fslabel); 883} 884 885static void 886mac_test_create_root_mount(struct ucred cred, struct mount mp, 887 struct label mntlabel, struct label fslabel) 888{ 889 890 ASSERT_CRED_LABEL(cred->cr_label); 891 ASSERT_MOUNT_LABEL(mntlabel); 892 ASSERT_MOUNT_LABEL(fslabel); 893} 894 895static void 896mac_test_relabel_vnode(struct ucred cred, struct vnode vp, 897 struct label vnodelabel, struct label label) 898{ 899 900 ASSERT_CRED_LABEL(cred->cr_label); 901 ASSERT_VNODE_LABEL(vnodelabel); 902 ASSERT_VNODE_LABEL(label); 903} 904 905static int 906mac_test_setlabel_vnode_extattr(struct ucred cred, struct vnode vp, 907 struct label vlabel, struct label intlabel) 908{ 909 910 ASSERT_CRED_LABEL(cred->cr_label); 911 ASSERT_VNODE_LABEL(vlabel); 912 ASSERT_VNODE_LABEL(intlabel); 913 return (0); 914} 915 916static void 917mac_test_update_devfsdirent(struct mount mp, 918* struct devfs_dirent devfs_dirent, struct label direntlabel, 919 struct vnode vp, struct label vnodelabel) 920{ 921 922 ASSERT_DEVFS_LABEL(direntlabel); 923 ASSERT_VNODE_LABEL(vnodelabel); 924} 925 926/* 927 * Labeling event operations: IPC object. 928 / 929static void 930mac_test_create_mbuf_from_socket(struct socket so, struct label socketlabel, 931* struct mbuf m, struct label mbuflabel) 932{ 933 934 ASSERT_SOCKET_LABEL(socketlabel); 935 ASSERT_MBUF_LABEL(mbuflabel); 936} 937 938static void 939mac_test_create_socket(struct ucred cred, struct socket socket, 940 struct label socketlabel) 941{ 942* 943 ASSERT_CRED_LABEL(cred->cr_label); 944 ASSERT_SOCKET_LABEL(socketlabel); 945} 946 947static void 948mac_test_create_pipe(struct ucred cred, struct pipepair pp, 949 struct label pipelabel) 950{ 951* 952 ASSERT_CRED_LABEL(cred->cr_label); 953 ASSERT_PIPE_LABEL(pipelabel); 954} 955 956static void 957mac_test_create_socket_from_socket(struct socket oldsocket, 958* struct label oldsocketlabel, struct socket newsocket, 959 struct label newsocketlabel) 960{ 961* 962 ASSERT_SOCKET_LABEL(oldsocketlabel); 963 ASSERT_SOCKET_LABEL(newsocketlabel); 964} 965 966static void 967mac_test_relabel_socket(struct ucred cred, struct socket socket, 968 struct label socketlabel, struct label newlabel) 969{ 970 971 ASSERT_CRED_LABEL(cred->cr_label); 972 ASSERT_SOCKET_LABEL(newlabel); 973} 974 975static void 976mac_test_relabel_pipe(struct ucred cred, struct pipepair pp, 977 struct label pipelabel, struct label newlabel) 978{ 979 980 ASSERT_CRED_LABEL(cred->cr_label); 981 ASSERT_PIPE_LABEL(pipelabel); 982 ASSERT_PIPE_LABEL(newlabel); 983} 984 985static void 986mac_test_set_socket_peer_from_mbuf(struct mbuf mbuf, struct label mbuflabel, 987 struct socket socket, struct label socketpeerlabel) 988{ 989 990 ASSERT_MBUF_LABEL(mbuflabel); 991 ASSERT_SOCKET_LABEL(socketpeerlabel); 992} 993 994/* 995 * Labeling event operations: network objects. 996 / 997static void 998mac_test_set_socket_peer_from_socket(struct socket oldsocket, 999 struct label oldsocketlabel, struct socket newsocket, 1000 struct label newsocketpeerlabel) 1001{ 1002* 1003 ASSERT_SOCKET_LABEL(oldsocketlabel); 1004 ASSERT_SOCKET_LABEL(newsocketpeerlabel); 1005} 1006 1007static void 1008mac_test_create_bpfdesc(struct ucred cred, struct bpf_d bpf_d, 1009 struct label bpflabel) 1010{ 1011* 1012 ASSERT_CRED_LABEL(cred->cr_label); 1013 ASSERT_BPF_LABEL(bpflabel); 1014} 1015 1016static void 1017mac_test_create_datagram_from_ipq(struct ipq ipq, struct label ipqlabel, 1018 struct mbuf datagram, struct label datagramlabel) 1019{ 1020 1021 ASSERT_IPQ_LABEL(ipqlabel); 1022 ASSERT_MBUF_LABEL(datagramlabel); 1023} 1024 1025static void 1026mac_test_create_fragment(struct mbuf datagram, struct label datagramlabel, 1027 struct mbuf fragment, struct label fragmentlabel) 1028{ 1029 1030 ASSERT_MBUF_LABEL(datagramlabel); 1031 ASSERT_MBUF_LABEL(fragmentlabel); 1032} 1033 1034static void 1035mac_test_create_ifnet(struct ifnet ifnet, struct label ifnetlabel) 1036{ 1037 1038 ASSERT_IFNET_LABEL(ifnetlabel); 1039} 1040 1041static void 1042mac_test_create_inpcb_from_socket(struct socket so, struct label solabel, 1043 struct inpcb inp, struct label inplabel) 1044{ 1045 1046 ASSERT_SOCKET_LABEL(solabel); 1047 ASSERT_INPCB_LABEL(inplabel); 1048} 1049 1050static void 1051mac_test_create_sysv_msgmsg(struct ucred cred, struct msqid_kernel msqkptr, 1052 struct label msqlabel, struct msg msgptr, struct label msglabel) 1053{ 1054* 1055 ASSERT_SYSVIPCMSG_LABEL(msglabel); 1056 ASSERT_SYSVIPCMSQ_LABEL(msqlabel); 1057} 1058 1059static void 1060mac_test_create_sysv_msgqueue(struct ucred cred, 1061* struct msqid_kernel msqkptr, struct label msqlabel) 1062{ 1063 1064 ASSERT_SYSVIPCMSQ_LABEL(msqlabel); 1065} 1066 1067static void 1068mac_test_create_sysv_sema(struct ucred cred, struct semid_kernel semakptr, 1069 struct label semalabel) 1070{ 1071* 1072 ASSERT_SYSVIPCSEM_LABEL(semalabel); 1073} 1074 1075static void 1076mac_test_create_sysv_shm(struct ucred cred, struct shmid_kernel shmsegptr, 1077 struct label shmlabel) 1078{ 1079* 1080 ASSERT_SYSVIPCSHM_LABEL(shmlabel); 1081} 1082 1083static void 1084mac_test_create_ipq(struct mbuf fragment, struct label fragmentlabel, 1085 struct ipq ipq, struct label ipqlabel) 1086{ 1087 1088 ASSERT_MBUF_LABEL(fragmentlabel); 1089 ASSERT_IPQ_LABEL(ipqlabel); 1090} 1091 1092static void 1093mac_test_create_mbuf_from_inpcb(struct inpcb inp, struct label inplabel, 1094 struct mbuf m, struct label mlabel) 1095{ 1096 1097 ASSERT_INPCB_LABEL(inplabel); 1098 ASSERT_MBUF_LABEL(mlabel); 1099} 1100 1101static void 1102mac_test_create_mbuf_from_mbuf(struct mbuf oldmbuf, 1103* struct label oldmbuflabel, struct mbuf newmbuf, 1104 struct label newmbuflabel) 1105{ 1106* 1107 ASSERT_MBUF_LABEL(oldmbuflabel); 1108 ASSERT_MBUF_LABEL(newmbuflabel); 1109} 1110 1111static void 1112mac_test_create_mbuf_linklayer(struct ifnet ifnet, struct label ifnetlabel, 1113 struct mbuf mbuf, struct label mbuflabel) 1114{ 1115 1116 ASSERT_IFNET_LABEL(ifnetlabel); 1117 ASSERT_MBUF_LABEL(mbuflabel); 1118} 1119 1120static void 1121mac_test_create_mbuf_from_bpfdesc(struct bpf_d bpf_d, struct label bpflabel, 1122 struct mbuf mbuf, struct label mbuflabel) 1123{ 1124 1125 ASSERT_BPF_LABEL(bpflabel); 1126 ASSERT_MBUF_LABEL(mbuflabel); 1127} 1128 1129static void 1130mac_test_create_mbuf_from_ifnet(struct ifnet ifnet, struct label ifnetlabel, 1131 struct mbuf m, struct label mbuflabel) 1132{ 1133 1134 ASSERT_IFNET_LABEL(ifnetlabel); 1135 ASSERT_MBUF_LABEL(mbuflabel); 1136} 1137 1138static void 1139mac_test_create_mbuf_multicast_encap(struct mbuf oldmbuf, 1140* struct label oldmbuflabel, struct ifnet ifnet, struct label ifnetlabel, 1141* struct mbuf newmbuf, struct label newmbuflabel) 1142{ 1143 1144 ASSERT_MBUF_LABEL(oldmbuflabel); 1145 ASSERT_IFNET_LABEL(ifnetlabel); 1146 ASSERT_MBUF_LABEL(newmbuflabel); 1147} 1148 1149static void 1150mac_test_create_mbuf_netlayer(struct mbuf oldmbuf, 1151* struct label oldmbuflabel, struct mbuf newmbuf, 1152 struct label newmbuflabel) 1153{ 1154* 1155 ASSERT_MBUF_LABEL(oldmbuflabel); 1156 ASSERT_MBUF_LABEL(newmbuflabel); 1157} 1158 1159static int 1160mac_test_fragment_match(struct mbuf fragment, struct label fragmentlabel, 1161 struct ipq ipq, struct label ipqlabel) 1162{ 1163 1164 ASSERT_MBUF_LABEL(fragmentlabel); 1165 ASSERT_IPQ_LABEL(ipqlabel); 1166 1167 return (1); 1168} 1169 1170static void 1171mac_test_reflect_mbuf_icmp(struct mbuf m, struct label mlabel) 1172{ 1173 1174 ASSERT_MBUF_LABEL(mlabel); 1175} 1176 1177static void 1178mac_test_reflect_mbuf_tcp(struct mbuf m, struct label mlabel) 1179{ 1180 1181 ASSERT_MBUF_LABEL(mlabel); 1182} 1183 1184static void 1185mac_test_relabel_ifnet(struct ucred cred, struct ifnet ifnet, 1186 struct label ifnetlabel, struct label newlabel) 1187{ 1188 1189 ASSERT_CRED_LABEL(cred->cr_label); 1190 ASSERT_IFNET_LABEL(ifnetlabel); 1191 ASSERT_IFNET_LABEL(newlabel); 1192} 1193 1194static void 1195mac_test_update_ipq(struct mbuf fragment, struct label fragmentlabel, 1196 struct ipq ipq, struct label ipqlabel) 1197{ 1198 1199 ASSERT_MBUF_LABEL(fragmentlabel); 1200 ASSERT_IPQ_LABEL(ipqlabel); 1201} 1202 1203static void 1204mac_test_inpcb_sosetlabel(struct socket so, struct label solabel, 1205 struct inpcb inp, struct label inplabel) 1206{ 1207 1208 ASSERT_SOCKET_LABEL(solabel); 1209 ASSERT_INPCB_LABEL(inplabel); 1210} 1211 1212/* 1213 * Labeling event operations: processes. 1214 / 1215static void 1216mac_test_execve_transition(struct ucred old, struct ucred new, 1217* struct vnode vp, struct label filelabel, 1218 struct label interpvnodelabel, struct image_params imgp, 1219 struct label execlabel) 1220{ 1221* 1222 ASSERT_CRED_LABEL(old->cr_label); 1223 ASSERT_CRED_LABEL(new->cr_label); 1224 ASSERT_VNODE_LABEL(filelabel); 1225 if (interpvnodelabel != NULL) { 1226 ASSERT_VNODE_LABEL(interpvnodelabel); 1227 } 1228 if (execlabel != NULL) { 1229 ASSERT_CRED_LABEL(execlabel); 1230 } 1231} 1232 1233static int 1234mac_test_execve_will_transition(struct ucred old, struct vnode vp, 1235 struct label filelabel, struct label interpvnodelabel, 1236 struct image_params imgp, struct label execlabel) 1237{ 1238 1239 ASSERT_CRED_LABEL(old->cr_label); 1240 ASSERT_VNODE_LABEL(filelabel); 1241 if (interpvnodelabel != NULL) { 1242 ASSERT_VNODE_LABEL(interpvnodelabel); 1243 } 1244 if (execlabel != NULL) { 1245 ASSERT_CRED_LABEL(execlabel); 1246 } 1247 1248 return (0); 1249} 1250 1251static void 1252mac_test_create_proc0(struct ucred cred) 1253{ 1254* 1255 ASSERT_CRED_LABEL(cred->cr_label); 1256} 1257 1258static void 1259mac_test_create_proc1(struct ucred cred) 1260{ 1261* 1262 ASSERT_CRED_LABEL(cred->cr_label); 1263} 1264 1265static void 1266mac_test_relabel_cred(struct ucred cred, struct label newlabel) 1267{ 1268 1269 ASSERT_CRED_LABEL(cred->cr_label); 1270 ASSERT_CRED_LABEL(newlabel); 1271} 1272 1273static void 1274mac_test_thread_userret(struct thread td) 1275{ 1276* 1277 printf("mac_test_thread_userret(process = %d)\n", 1278 curthread->td_proc->p_pid); 1279} 1280 1281/* 1282 * Label cleanup/flush operations 1283 / 1284static void 1285mac_test_cleanup_sysv_msgmsg(struct label msglabel) 1286{ 1287 1288 ASSERT_SYSVIPCMSG_LABEL(msglabel); 1289} 1290 1291static void 1292mac_test_cleanup_sysv_msgqueue(struct label msqlabel) 1293{ 1294* 1295 ASSERT_SYSVIPCMSQ_LABEL(msqlabel); 1296} 1297 1298static void 1299mac_test_cleanup_sysv_sema(struct label semalabel) 1300{ 1301* 1302 ASSERT_SYSVIPCSEM_LABEL(semalabel); 1303} 1304 1305static void 1306mac_test_cleanup_sysv_shm(struct label shmlabel) 1307{ 1308* 1309 ASSERT_SYSVIPCSHM_LABEL(shmlabel); 1310} 1311 1312/* 1313 * Access control checks. 1314 / 1315static int 1316mac_test_check_bpfdesc_receive(struct bpf_d bpf_d, struct label bpflabel, 1317* struct ifnet ifnet, struct label ifnetlabel) 1318{ 1319 1320 ASSERT_BPF_LABEL(bpflabel); 1321 ASSERT_IFNET_LABEL(ifnetlabel); 1322 1323 return (0); 1324} 1325 1326static int 1327mac_test_check_cred_relabel(struct ucred cred, struct label newlabel) 1328{ 1329 1330 ASSERT_CRED_LABEL(cred->cr_label); 1331 ASSERT_CRED_LABEL(newlabel); 1332 1333 return (0); 1334} 1335 1336static int 1337mac_test_check_cred_visible(struct ucred u1, struct ucred u2) 1338{ 1339 1340 ASSERT_CRED_LABEL(u1->cr_label); 1341 ASSERT_CRED_LABEL(u2->cr_label); 1342 1343 return (0); 1344} 1345 1346static int 1347mac_test_check_ifnet_relabel(struct ucred cred, struct ifnet ifnet, 1348 struct label ifnetlabel, struct label newlabel) 1349{ 1350 1351 ASSERT_CRED_LABEL(cred->cr_label); 1352 ASSERT_IFNET_LABEL(ifnetlabel); 1353 ASSERT_IFNET_LABEL(newlabel); 1354 return (0); 1355} 1356 1357static int 1358mac_test_check_ifnet_transmit(struct ifnet ifnet, struct label ifnetlabel, 1359 struct mbuf m, struct label mbuflabel) 1360{ 1361 1362 ASSERT_IFNET_LABEL(ifnetlabel); 1363 ASSERT_MBUF_LABEL(mbuflabel); 1364 1365 return (0); 1366} 1367 1368static int 1369mac_test_check_inpcb_deliver(struct inpcb inp, struct label inplabel, 1370 struct mbuf m, struct label mlabel) 1371{ 1372 1373 ASSERT_INPCB_LABEL(inplabel); 1374 ASSERT_MBUF_LABEL(mlabel); 1375 1376 return (0); 1377} 1378 1379static int 1380mac_test_check_sysv_msgmsq(struct ucred cred, struct msg msgptr, 1381 struct label msglabel, struct msqid_kernel msqkptr, 1382 struct label msqklabel) 1383{ 1384* 1385 ASSERT_SYSVIPCMSQ_LABEL(msqklabel); 1386 ASSERT_SYSVIPCMSG_LABEL(msglabel); 1387 ASSERT_CRED_LABEL(cred->cr_label); 1388 1389 return (0); 1390} 1391 1392static int 1393mac_test_check_sysv_msgrcv(struct ucred cred, struct msg msgptr, 1394 struct label msglabel) 1395{ 1396* 1397 ASSERT_SYSVIPCMSG_LABEL(msglabel); 1398 ASSERT_CRED_LABEL(cred->cr_label); 1399 1400 return (0); 1401} 1402 1403 1404static int 1405mac_test_check_sysv_msgrmid(struct ucred cred, struct msg msgptr, 1406 struct label msglabel) 1407{ 1408* 1409 ASSERT_SYSVIPCMSG_LABEL(msglabel); 1410 ASSERT_CRED_LABEL(cred->cr_label); 1411 1412 return (0); 1413} 1414 1415static int 1416mac_test_check_sysv_msqget(struct ucred cred, struct msqid_kernel msqkptr, 1417 struct label msqklabel) 1418{ 1419* 1420 ASSERT_SYSVIPCMSQ_LABEL(msqklabel); 1421 ASSERT_CRED_LABEL(cred->cr_label); 1422 1423 return (0); 1424} 1425 1426static int 1427mac_test_check_sysv_msqsnd(struct ucred cred, struct msqid_kernel msqkptr, 1428 struct label msqklabel) 1429{ 1430* 1431 ASSERT_SYSVIPCMSQ_LABEL(msqklabel); 1432 ASSERT_CRED_LABEL(cred->cr_label); 1433 1434 return (0); 1435} 1436 1437static int 1438mac_test_check_sysv_msqrcv(struct ucred cred, struct msqid_kernel msqkptr, 1439 struct label msqklabel) 1440{ 1441* 1442 ASSERT_SYSVIPCMSQ_LABEL(msqklabel); 1443 ASSERT_CRED_LABEL(cred->cr_label); 1444 1445 return (0); 1446} 1447 1448static int 1449mac_test_check_sysv_msqctl(struct ucred cred, struct msqid_kernel msqkptr, 1450 struct label msqklabel, int cmd) 1451{ 1452* 1453 ASSERT_SYSVIPCMSQ_LABEL(msqklabel); 1454 ASSERT_CRED_LABEL(cred->cr_label); 1455 1456 return (0); 1457} 1458 1459static int 1460mac_test_check_sysv_semctl(struct ucred cred, struct semid_kernel semakptr, 1461 struct label semaklabel, int cmd) 1462{ 1463* 1464 ASSERT_CRED_LABEL(cred->cr_label); 1465 ASSERT_SYSVIPCSEM_LABEL(semaklabel); 1466 1467 return (0); 1468} 1469 1470static int 1471mac_test_check_sysv_semget(struct ucred cred, struct semid_kernel semakptr, 1472 struct label semaklabel) 1473{ 1474* 1475 ASSERT_CRED_LABEL(cred->cr_label); 1476 ASSERT_SYSVIPCSEM_LABEL(semaklabel); 1477 1478 return (0); 1479} 1480 1481static int 1482mac_test_check_sysv_semop(struct ucred cred, struct semid_kernel semakptr, 1483 struct label semaklabel, size_t accesstype) 1484{ 1485* 1486 ASSERT_CRED_LABEL(cred->cr_label); 1487 ASSERT_SYSVIPCSEM_LABEL(semaklabel); 1488 1489 return (0); 1490} 1491 1492static int 1493mac_test_check_sysv_shmat(struct ucred cred, struct shmid_kernel shmsegptr, 1494 struct label shmseglabel, int shmflg) 1495{ 1496* 1497 ASSERT_CRED_LABEL(cred->cr_label); 1498 ASSERT_SYSVIPCSHM_LABEL(shmseglabel); 1499 1500 return (0); 1501} 1502 1503static int 1504mac_test_check_sysv_shmctl(struct ucred cred, struct shmid_kernel shmsegptr, 1505 struct label shmseglabel, int cmd) 1506{ 1507* 1508 ASSERT_CRED_LABEL(cred->cr_label); 1509 ASSERT_SYSVIPCSHM_LABEL(shmseglabel); 1510 1511 return (0); 1512} 1513 1514static int 1515mac_test_check_sysv_shmdt(struct ucred cred, struct shmid_kernel shmsegptr, 1516 struct label shmseglabel) 1517{ 1518* 1519 ASSERT_CRED_LABEL(cred->cr_label); 1520 ASSERT_SYSVIPCSHM_LABEL(shmseglabel); 1521 1522 return (0); 1523} 1524 1525static int 1526mac_test_check_sysv_shmget(struct ucred cred, struct shmid_kernel shmsegptr, 1527 struct label shmseglabel, int shmflg) 1528{ 1529* 1530 ASSERT_CRED_LABEL(cred->cr_label); 1531 ASSERT_SYSVIPCSHM_LABEL(shmseglabel); 1532 1533 return (0); 1534} 1535 1536static int 1537mac_test_check_kenv_dump(struct ucred cred) 1538{ 1539* 1540 ASSERT_CRED_LABEL(cred->cr_label); 1541 1542 return (0); 1543} 1544 1545static int 1546mac_test_check_kenv_get(struct ucred cred, char name) 1547{ 1548 1549 ASSERT_CRED_LABEL(cred->cr_label); 1550 1551 return (0); 1552} 1553 1554static int 1555mac_test_check_kenv_set(struct ucred cred, char name, char value) 1556{ 1557* 1558 ASSERT_CRED_LABEL(cred->cr_label); 1559 1560 return (0); 1561} 1562 1563static int 1564mac_test_check_kenv_unset(struct ucred cred, char name) 1565{ 1566 1567 ASSERT_CRED_LABEL(cred->cr_label); 1568 1569 return (0); 1570} 1571 1572static int 1573mac_test_check_kld_load(struct ucred cred, struct vnode vp, 1574 struct label label) 1575{ 1576* 1577 ASSERT_CRED_LABEL(cred->cr_label); 1578 ASSERT_VNODE_LABEL(label); 1579 1580 return (0); 1581} 1582 1583static int 1584mac_test_check_kld_stat(struct ucred cred) 1585{ 1586* 1587 ASSERT_CRED_LABEL(cred->cr_label); 1588 1589 return (0); 1590} 1591 1592static int 1593mac_test_check_kld_unload(struct ucred cred) 1594{ 1595* 1596 ASSERT_CRED_LABEL(cred->cr_label); 1597 1598 return (0); 1599} 1600 1601static int 1602mac_test_check_mount_stat(struct ucred cred, struct mount mp, 1603 struct label mntlabel) 1604{ 1605* 1606 ASSERT_CRED_LABEL(cred->cr_label); 1607 ASSERT_MOUNT_LABEL(mntlabel); 1608 1609 return (0); 1610} 1611 1612static int 1613mac_test_check_pipe_ioctl(struct ucred cred, struct pipepair pp, 1614 struct label pipelabel, unsigned long cmd, void / caddr_t / data) 1615{ 1616 1617 ASSERT_CRED_LABEL(cred->cr_label); 1618 ASSERT_PIPE_LABEL(pipelabel); 1619 1620 return (0); 1621} 1622 1623static int 1624mac_test_check_pipe_poll(struct ucred cred, struct pipepair pp, 1625 struct label pipelabel) 1626{ 1627* 1628 ASSERT_CRED_LABEL(cred->cr_label); 1629 ASSERT_PIPE_LABEL(pipelabel); 1630 1631 return (0); 1632} 1633 1634static int 1635mac_test_check_pipe_read(struct ucred cred, struct pipepair pp, 1636 struct label pipelabel) 1637{ 1638* 1639 ASSERT_CRED_LABEL(cred->cr_label); 1640 ASSERT_PIPE_LABEL(pipelabel); 1641 1642 return (0); 1643} 1644 1645static int 1646mac_test_check_pipe_relabel(struct ucred cred, struct pipepair pp, 1647 struct label pipelabel, struct label newlabel) 1648{ 1649 1650 ASSERT_CRED_LABEL(cred->cr_label); 1651 ASSERT_PIPE_LABEL(pipelabel); 1652 ASSERT_PIPE_LABEL(newlabel); 1653 1654 return (0); 1655} 1656 1657static int 1658mac_test_check_pipe_stat(struct ucred cred, struct pipepair pp, 1659 struct label pipelabel) 1660{ 1661* 1662 ASSERT_CRED_LABEL(cred->cr_label); 1663 ASSERT_PIPE_LABEL(pipelabel); 1664 1665 return (0); 1666} 1667 1668static int 1669mac_test_check_pipe_write(struct ucred cred, struct pipepair pp, 1670 struct label pipelabel) 1671{ 1672* 1673 ASSERT_CRED_LABEL(cred->cr_label); 1674 ASSERT_PIPE_LABEL(pipelabel); 1675 1676 return (0); 1677} 1678 1679static int 1680mac_test_check_proc_debug(struct ucred cred, struct proc proc) 1681{ 1682 1683 ASSERT_CRED_LABEL(cred->cr_label); 1684 ASSERT_CRED_LABEL(proc->p_ucred->cr_label); 1685 1686 return (0); 1687} 1688 1689static int 1690mac_test_check_proc_sched(struct ucred cred, struct proc proc) 1691{ 1692 1693 ASSERT_CRED_LABEL(cred->cr_label); 1694 ASSERT_CRED_LABEL(proc->p_ucred->cr_label); 1695 1696 return (0); 1697} 1698 1699static int 1700mac_test_check_proc_signal(struct ucred cred, struct proc proc, int signum) 1701{ 1702 1703 ASSERT_CRED_LABEL(cred->cr_label); 1704 ASSERT_CRED_LABEL(proc->p_ucred->cr_label); 1705 1706 return (0); 1707} 1708 1709static int 1710mac_test_check_proc_setuid(struct ucred cred, uid_t uid) 1711{ 1712* 1713 ASSERT_CRED_LABEL(cred->cr_label); 1714 1715 return (0); 1716} 1717 1718static int 1719mac_test_check_proc_seteuid(struct ucred cred, uid_t euid) 1720{ 1721* 1722 ASSERT_CRED_LABEL(cred->cr_label); 1723 1724 return (0); 1725} 1726 1727static int 1728mac_test_check_proc_setgid(struct ucred cred, gid_t gid) 1729{ 1730* 1731 ASSERT_CRED_LABEL(cred->cr_label); 1732 1733 return (0); 1734} 1735 1736static int 1737mac_test_check_proc_setegid(struct ucred cred, gid_t egid) 1738{ 1739* 1740 ASSERT_CRED_LABEL(cred->cr_label); 1741 1742 return (0); 1743} 1744 1745static int 1746mac_test_check_proc_setgroups(struct ucred cred, int ngroups, 1747* gid_t gidset) 1748{ 1749* 1750 ASSERT_CRED_LABEL(cred->cr_label); 1751 1752 return (0); 1753} 1754 1755static int 1756mac_test_check_proc_setreuid(struct ucred cred, uid_t ruid, uid_t euid) 1757{ 1758* 1759 ASSERT_CRED_LABEL(cred->cr_label); 1760 1761 return (0); 1762} 1763 1764static int 1765mac_test_check_proc_setregid(struct ucred cred, gid_t rgid, gid_t egid) 1766{ 1767* 1768 ASSERT_CRED_LABEL(cred->cr_label); 1769 1770 return (0); 1771} 1772 1773static int 1774mac_test_check_proc_setresuid(struct ucred cred, uid_t ruid, uid_t euid, 1775* uid_t suid) 1776{ 1777 1778 ASSERT_CRED_LABEL(cred->cr_label); 1779 1780 return (0); 1781} 1782 1783static int 1784mac_test_check_proc_setresgid(struct ucred cred, gid_t rgid, gid_t egid, 1785* gid_t sgid) 1786{ 1787 1788 ASSERT_CRED_LABEL(cred->cr_label); 1789 1790 return (0); 1791} 1792 1793static int	35 / 36 37/ 38 * Developed by the TrustedBSD Project. 39 * Generic mandatory access module that does nothing. 40 / 41 42#include <sys/types.h> 43#include <sys/param.h> 44#include <sys/acl.h> 45#include <sys/conf.h> 46#include <sys/kdb.h> 47#include <sys/extattr.h> 48#include <sys/kernel.h> 49#include <sys/mac.h> 50#include <sys/malloc.h> 51#include <sys/mount.h> 52#include <sys/proc.h> 53#include <sys/systm.h> 54#include <sys/sysproto.h> 55#include <sys/sysent.h> 56#include <sys/vnode.h> 57#include <sys/file.h> 58#include <sys/socket.h> 59#include <sys/socketvar.h> 60#include <sys/sysctl.h> 61#include <sys/msg.h> 62#include <sys/sem.h> 63#include <sys/shm.h> 64 65#include <fs/devfs/devfs.h> 66 67#include <net/bpfdesc.h> 68#include <net/if.h> 69#include <net/if_types.h> 70#include <net/if_var.h> 71 72#include <vm/vm.h> 73 74#include <sys/mac_policy.h> 75 76SYSCTL_DECL(_security_mac); 77 78SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, 79 "TrustedBSD mac_test policy controls"); 80 81static int mac_test_enabled = 1; 82SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW, 83 &mac_test_enabled, 0, "Enforce test policy"); 84 85#define BPFMAGIC 0xfe1ad1b6 86#define DEVFSMAGIC 0x9ee79c32 87#define IFNETMAGIC 0xc218b120 88#define INPCBMAGIC 0x4440f7bb 89#define IPQMAGIC 0x206188ef 90#define MBUFMAGIC 0xbbefa5bb 91#define MOUNTMAGIC 0xc7c46e47 92#define SOCKETMAGIC 0x9199c6cd 93#define SYSVIPCMSQMAGIC 0xea672391 94#define SYSVIPCMSGMAGIC 0x8bbba61e 95#define SYSVIPCSEMMAGIC 0x896e8a0b 96#define SYSVIPCSHMMAGIC 0x76119ab0 97#define PIPEMAGIC 0xdc6c9919 98#define POSIXSEMMAGIC 0x78ae980c 99#define PROCMAGIC 0x3b4be98f 100#define CREDMAGIC 0x9a5a4987 101#define VNODEMAGIC 0x1a67a45c 102#define EXMAGIC 0x849ba1fd 103* 104#define SLOT(x) LABEL_TO_SLOT((x), test_slot).l_long 105 106#define ASSERT_BPF_LABEL(x) KASSERT(SLOT(x) == BPFMAGIC \|\| \ 107 SLOT(x) == 0, ("%s: Bad BPF label", __func__ )) 108#define ASSERT_DEVFS_LABEL(x) KASSERT(SLOT(x) == DEVFSMAGIC \|\| \ 109 SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ )) 110#define ASSERT_IFNET_LABEL(x) KASSERT(SLOT(x) == IFNETMAGIC \|\| \ 111 SLOT(x) == 0, ("%s: Bad IFNET label", __func__ )) 112#define ASSERT_INPCB_LABEL(x) KASSERT(SLOT(x) == INPCBMAGIC \|\| \ 113 SLOT(x) == 0, ("%s: Bad INPCB label", __func__ )) 114#define ASSERT_IPQ_LABEL(x) KASSERT(SLOT(x) == IPQMAGIC \|\| \ 115 SLOT(x) == 0, ("%s: Bad IPQ label", __func__ )) 116#define ASSERT_MBUF_LABEL(x) KASSERT(x == NULL \|\| \ 117 SLOT(x) == MBUFMAGIC \|\| SLOT(x) == 0, \ 118 ("%s: Bad MBUF label", __func__ )) 119#define ASSERT_MOUNT_LABEL(x) KASSERT(SLOT(x) == MOUNTMAGIC \|\| \ 120 SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ )) 121#define ASSERT_SOCKET_LABEL(x) KASSERT(SLOT(x) == SOCKETMAGIC \|\| \ 122 SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ )) 123#define ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC \|\| \ 124 SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__ )) 125#define ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC \|\| \ 126 SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__ )) 127#define ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC \|\| \ 128 SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__ )) 129#define ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC \|\| \ 130 SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__ )) 131#define ASSERT_PIPE_LABEL(x) KASSERT(SLOT(x) == PIPEMAGIC \|\| \ 132 SLOT(x) == 0, ("%s: Bad PIPE label", __func__ )) 133#define ASSERT_PROC_LABEL(x) KASSERT(SLOT(x) == PROCMAGIC \|\| \ 134 SLOT(x) == 0, ("%s: Bad PROC label", __func__ )) 135#define ASSERT_CRED_LABEL(x) KASSERT(SLOT(x) == CREDMAGIC \|\| \ 136 SLOT(x) == 0, ("%s: Bad CRED label", __func__ )) 137#define ASSERT_VNODE_LABEL(x) KASSERT(SLOT(x) == VNODEMAGIC \|\| \ 138 SLOT(x) == 0, ("%s: Bad VNODE label", __func__ )) 139 140static int test_slot; 141SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 142 &test_slot, 0, "Slot allocated by framework"); 143 144static int init_count_bpfdesc; 145SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD, 146 &init_count_bpfdesc, 0, "bpfdesc init calls"); 147static int init_count_cred; 148SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD, 149 &init_count_cred, 0, "cred init calls"); 150static int init_count_devfsdirent; 151SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD, 152 &init_count_devfsdirent, 0, "devfsdirent init calls"); 153static int init_count_ifnet; 154SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD, 155 &init_count_ifnet, 0, "ifnet init calls"); 156static int init_count_inpcb; 157SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD, 158 &init_count_inpcb, 0, "inpcb init calls"); 159static int init_count_sysv_msg; 160SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD, 161 &init_count_sysv_msg, 0, "ipc_msg init calls"); 162static int init_count_sysv_msq; 163SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD, 164 &init_count_sysv_msq, 0, "ipc_msq init calls"); 165static int init_count_sysv_sema; 166SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sema, CTLFLAG_RD, 167 &init_count_sysv_sema, 0, "ipc_sema init calls"); 168static int init_count_sysv_shm; 169SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD, 170 &init_count_sysv_shm, 0, "ipc_shm init calls"); 171static int init_count_ipq; 172SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD, 173 &init_count_ipq, 0, "ipq init calls"); 174static int init_count_mbuf; 175SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD, 176 &init_count_mbuf, 0, "mbuf init calls"); 177static int init_count_mount; 178SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD, 179 &init_count_mount, 0, "mount init calls"); 180static int init_count_mount_fslabel; 181SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD, 182 &init_count_mount_fslabel, 0, "mount_fslabel init calls"); 183static int init_count_socket; 184SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD, 185 &init_count_socket, 0, "socket init calls"); 186static int init_count_socket_peerlabel; 187SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel, 188 CTLFLAG_RD, &init_count_socket_peerlabel, 0, 189 "socket_peerlabel init calls"); 190static int init_count_pipe; 191SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD, 192 &init_count_pipe, 0, "pipe init calls"); 193static int init_count_proc; 194SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD, 195 &init_count_proc, 0, "proc init calls"); 196static int init_count_vnode; 197SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD, 198 &init_count_vnode, 0, "vnode init calls"); 199 200static int destroy_count_bpfdesc; 201SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD, 202 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls"); 203static int destroy_count_cred; 204SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD, 205 &destroy_count_cred, 0, "cred destroy calls"); 206static int destroy_count_devfsdirent; 207SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD, 208 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls"); 209static int destroy_count_ifnet; 210SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD, 211 &destroy_count_ifnet, 0, "ifnet destroy calls"); 212static int destroy_count_inpcb; 213SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD, 214 &destroy_count_inpcb, 0, "inpcb destroy calls"); 215static int destroy_count_sysv_msg; 216SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD, 217 &destroy_count_sysv_msg, 0, "ipc_msg destroy calls"); 218static int destroy_count_sysv_msq; 219SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD, 220 &destroy_count_sysv_msq, 0, "ipc_msq destroy calls"); 221static int destroy_count_sysv_sema; 222SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sema, CTLFLAG_RD, 223 &destroy_count_sysv_sema, 0, "ipc_sema destroy calls"); 224static int destroy_count_sysv_shm; 225SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD, 226 &destroy_count_sysv_shm, 0, "ipc_shm destroy calls"); 227static int destroy_count_ipq; 228SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD, 229 &destroy_count_ipq, 0, "ipq destroy calls"); 230static int destroy_count_mbuf; 231SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD, 232 &destroy_count_mbuf, 0, "mbuf destroy calls"); 233static int destroy_count_mount; 234SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD, 235 &destroy_count_mount, 0, "mount destroy calls"); 236static int destroy_count_mount_fslabel; 237SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel, 238 CTLFLAG_RD, &destroy_count_mount_fslabel, 0, 239 "mount_fslabel destroy calls"); 240static int destroy_count_socket; 241SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD, 242 &destroy_count_socket, 0, "socket destroy calls"); 243static int destroy_count_socket_peerlabel; 244SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel, 245 CTLFLAG_RD, &destroy_count_socket_peerlabel, 0, 246 "socket_peerlabel destroy calls"); 247static int destroy_count_pipe; 248SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD, 249 &destroy_count_pipe, 0, "pipe destroy calls"); 250static int destroy_count_proc; 251SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD, 252 &destroy_count_proc, 0, "proc destroy calls"); 253static int destroy_count_vnode; 254SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD, 255 &destroy_count_vnode, 0, "vnode destroy calls"); 256 257static int externalize_count; 258SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD, 259 &externalize_count, 0, "Subject/object externalize calls"); 260static int internalize_count; 261SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD, 262 &internalize_count, 0, "Subject/object internalize calls"); 263 264#ifdef KDB 265#define DEBUGGER(x) kdb_enter(x) 266#else 267#define DEBUGGER(x) printf("mac_test: %s\n", (x)) 268#endif 269 270/* 271 * Policy module operations. 272 / 273static void 274mac_test_destroy(struct mac_policy_conf conf) 275{ 276 277} 278 279static void 280mac_test_init(struct mac_policy_conf conf) 281{ 282* 283} 284 285static int 286mac_test_syscall(struct thread td, int call, void arg) 287{ 288 289 return (0); 290} 291 292/* 293 * Label operations. 294 / 295static void 296mac_test_init_bpfdesc_label(struct label label) 297{ 298 299 SLOT(label) = BPFMAGIC; 300 atomic_add_int(&init_count_bpfdesc, 1); 301} 302 303static void 304mac_test_init_cred_label(struct label label) 305{ 306* 307 SLOT(label) = CREDMAGIC; 308 atomic_add_int(&init_count_cred, 1); 309} 310 311static void 312mac_test_init_devfsdirent_label(struct label label) 313{ 314* 315 SLOT(label) = DEVFSMAGIC; 316 atomic_add_int(&init_count_devfsdirent, 1); 317} 318 319static void 320mac_test_init_ifnet_label(struct label label) 321{ 322* 323 SLOT(label) = IFNETMAGIC; 324 atomic_add_int(&init_count_ifnet, 1); 325} 326 327static int 328mac_test_init_inpcb_label(struct label label, int flag) 329{ 330* 331 if (flag & M_WAITOK) 332 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 333 "mac_test_init_inpcb_label() at %s:%d", __FILE__, 334 __LINE__); 335 336 SLOT(label) = INPCBMAGIC; 337 atomic_add_int(&init_count_inpcb, 1); 338 return (0); 339} 340 341static void 342mac_test_init_sysv_msgmsg_label(struct label label) 343{ 344* SLOT(label) = SYSVIPCMSGMAGIC; 345 atomic_add_int(&init_count_sysv_msg, 1); 346} 347 348static void 349mac_test_init_sysv_msgqueue_label(struct label label) 350{ 351* SLOT(label) = SYSVIPCMSQMAGIC; 352 atomic_add_int(&init_count_sysv_msq, 1); 353} 354 355static void 356mac_test_init_sysv_sema_label(struct label label) 357{ 358* SLOT(label) = SYSVIPCSEMMAGIC; 359 atomic_add_int(&init_count_sysv_sema, 1); 360} 361 362static void 363mac_test_init_sysv_shm_label(struct label label) 364{ 365* SLOT(label) = SYSVIPCSHMMAGIC; 366 atomic_add_int(&init_count_sysv_shm, 1); 367} 368 369static int 370mac_test_init_ipq_label(struct label label, int flag) 371{ 372* 373 if (flag & M_WAITOK) 374 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 375 "mac_test_init_ipq_label() at %s:%d", __FILE__, 376 __LINE__); 377 378 SLOT(label) = IPQMAGIC; 379 atomic_add_int(&init_count_ipq, 1); 380 return (0); 381} 382 383static int 384mac_test_init_mbuf_label(struct label label, int flag) 385{ 386* 387 if (flag & M_WAITOK) 388 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 389 "mac_test_init_mbuf_label() at %s:%d", __FILE__, 390 __LINE__); 391 392 SLOT(label) = MBUFMAGIC; 393 atomic_add_int(&init_count_mbuf, 1); 394 return (0); 395} 396 397static void 398mac_test_init_mount_label(struct label label) 399{ 400* 401 SLOT(label) = MOUNTMAGIC; 402 atomic_add_int(&init_count_mount, 1); 403} 404 405static void 406mac_test_init_mount_fs_label(struct label label) 407{ 408* 409 SLOT(label) = MOUNTMAGIC; 410 atomic_add_int(&init_count_mount_fslabel, 1); 411} 412 413static int 414mac_test_init_socket_label(struct label label, int flag) 415{ 416* 417 if (flag & M_WAITOK) 418 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 419 "mac_test_init_socket_label() at %s:%d", __FILE__, 420 __LINE__); 421 422 SLOT(label) = SOCKETMAGIC; 423 atomic_add_int(&init_count_socket, 1); 424 return (0); 425} 426 427static int 428mac_test_init_socket_peer_label(struct label label, int flag) 429{ 430* 431 if (flag & M_WAITOK) 432 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 433 "mac_test_init_socket_peer_label() at %s:%d", __FILE__, 434 __LINE__); 435 436 SLOT(label) = SOCKETMAGIC; 437 atomic_add_int(&init_count_socket_peerlabel, 1); 438 return (0); 439} 440 441static void 442mac_test_init_pipe_label(struct label label) 443{ 444* 445 SLOT(label) = PIPEMAGIC; 446 atomic_add_int(&init_count_pipe, 1); 447} 448 449static void 450mac_test_init_proc_label(struct label label) 451{ 452* 453 SLOT(label) = PROCMAGIC; 454 atomic_add_int(&init_count_proc, 1); 455} 456 457static void 458mac_test_init_vnode_label(struct label label) 459{ 460* 461 SLOT(label) = VNODEMAGIC; 462 atomic_add_int(&init_count_vnode, 1); 463} 464 465static void 466mac_test_destroy_bpfdesc_label(struct label label) 467{ 468* 469 if (SLOT(label) == BPFMAGIC \|\| SLOT(label) == 0) { 470 atomic_add_int(&destroy_count_bpfdesc, 1); 471 SLOT(label) = EXMAGIC; 472 } else if (SLOT(label) == EXMAGIC) { 473 DEBUGGER("mac_test_destroy_bpfdesc: dup destroy"); 474 } else { 475 DEBUGGER("mac_test_destroy_bpfdesc: corrupted label"); 476 } 477} 478 479static void 480mac_test_destroy_cred_label(struct label label) 481{ 482* 483 if (SLOT(label) == CREDMAGIC \|\| SLOT(label) == 0) { 484 atomic_add_int(&destroy_count_cred, 1); 485 SLOT(label) = EXMAGIC; 486 } else if (SLOT(label) == EXMAGIC) { 487 DEBUGGER("mac_test_destroy_cred: dup destroy"); 488 } else { 489 DEBUGGER("mac_test_destroy_cred: corrupted label"); 490 } 491} 492 493static void 494mac_test_destroy_devfsdirent_label(struct label label) 495{ 496* 497 if (SLOT(label) == DEVFSMAGIC \|\| SLOT(label) == 0) { 498 atomic_add_int(&destroy_count_devfsdirent, 1); 499 SLOT(label) = EXMAGIC; 500 } else if (SLOT(label) == EXMAGIC) { 501 DEBUGGER("mac_test_destroy_devfsdirent: dup destroy"); 502 } else { 503 DEBUGGER("mac_test_destroy_devfsdirent: corrupted label"); 504 } 505} 506 507static void 508mac_test_destroy_ifnet_label(struct label label) 509{ 510* 511 if (SLOT(label) == IFNETMAGIC \|\| SLOT(label) == 0) { 512 atomic_add_int(&destroy_count_ifnet, 1); 513 SLOT(label) = EXMAGIC; 514 } else if (SLOT(label) == EXMAGIC) { 515 DEBUGGER("mac_test_destroy_ifnet: dup destroy"); 516 } else { 517 DEBUGGER("mac_test_destroy_ifnet: corrupted label"); 518 } 519} 520 521static void 522mac_test_destroy_inpcb_label(struct label label) 523{ 524* 525 if (SLOT(label) == INPCBMAGIC \|\| SLOT(label) == 0) { 526 atomic_add_int(&destroy_count_inpcb, 1); 527 SLOT(label) = EXMAGIC; 528 } else if (SLOT(label) == EXMAGIC) { 529 DEBUGGER("mac_test_destroy_inpcb: dup destroy"); 530 } else { 531 DEBUGGER("mac_test_destroy_inpcb: corrupted label"); 532 } 533} 534 535static void 536mac_test_destroy_sysv_msgmsg_label(struct label label) 537{ 538* 539 if (SLOT(label) == SYSVIPCMSGMAGIC \|\| SLOT(label) == 0) { 540 atomic_add_int(&destroy_count_sysv_msg, 1); 541 SLOT(label) = EXMAGIC; 542 } else if (SLOT(label) == EXMAGIC) { 543 DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy"); 544 } else { 545 DEBUGGER( 546 "mac_test_destroy_sysv_msgmsg_label: corrupted label"); 547 } 548} 549 550static void 551mac_test_destroy_sysv_msgqueue_label(struct label label) 552{ 553* 554 if (SLOT(label) == SYSVIPCMSQMAGIC \|\| SLOT(label) == 0) { 555 atomic_add_int(&destroy_count_sysv_msq, 1); 556 SLOT(label) = EXMAGIC; 557 } else if (SLOT(label) == EXMAGIC) { 558 DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy"); 559 } else { 560 DEBUGGER( 561 "mac_test_destroy_sysv_msgqueue_label: corrupted label"); 562 } 563} 564 565static void 566mac_test_destroy_sysv_sema_label(struct label label) 567{ 568* 569 if (SLOT(label) == SYSVIPCSEMMAGIC \|\| SLOT(label) == 0) { 570 atomic_add_int(&destroy_count_sysv_sema, 1); 571 SLOT(label) = EXMAGIC; 572 } else if (SLOT(label) == EXMAGIC) { 573 DEBUGGER("mac_test_destroy_sysv_sema_label: dup destroy"); 574 } else { 575 DEBUGGER("mac_test_destroy_sysv_sema_label: corrupted label"); 576 } 577} 578 579static void 580mac_test_destroy_sysv_shm_label(struct label label) 581{ 582* 583 if (SLOT(label) == SYSVIPCSHMMAGIC \|\| SLOT(label) == 0) { 584 atomic_add_int(&destroy_count_sysv_shm, 1); 585 SLOT(label) = EXMAGIC; 586 } else if (SLOT(label) == EXMAGIC) { 587 DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy"); 588 } else { 589 DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label"); 590 } 591} 592 593static void 594mac_test_destroy_ipq_label(struct label label) 595{ 596* 597 if (SLOT(label) == IPQMAGIC \|\| SLOT(label) == 0) { 598 atomic_add_int(&destroy_count_ipq, 1); 599 SLOT(label) = EXMAGIC; 600 } else if (SLOT(label) == EXMAGIC) { 601 DEBUGGER("mac_test_destroy_ipq: dup destroy"); 602 } else { 603 DEBUGGER("mac_test_destroy_ipq: corrupted label"); 604 } 605} 606 607static void 608mac_test_destroy_mbuf_label(struct label label) 609{ 610* 611 /* 612 * If we're loaded dynamically, there may be mbufs in flight that 613 * didn't have label storage allocated for them. Handle this 614 * gracefully. 615 / 616* if (label == NULL) 617 return; 618 619 if (SLOT(label) == MBUFMAGIC \|\| SLOT(label) == 0) { 620 atomic_add_int(&destroy_count_mbuf, 1); 621 SLOT(label) = EXMAGIC; 622 } else if (SLOT(label) == EXMAGIC) { 623 DEBUGGER("mac_test_destroy_mbuf: dup destroy"); 624 } else { 625 DEBUGGER("mac_test_destroy_mbuf: corrupted label"); 626 } 627} 628 629static void 630mac_test_destroy_mount_label(struct label label) 631{ 632* 633 if ((SLOT(label) == MOUNTMAGIC \|\| SLOT(label) == 0)) { 634 atomic_add_int(&destroy_count_mount, 1); 635 SLOT(label) = EXMAGIC; 636 } else if (SLOT(label) == EXMAGIC) { 637 DEBUGGER("mac_test_destroy_mount: dup destroy"); 638 } else { 639 DEBUGGER("mac_test_destroy_mount: corrupted label"); 640 } 641} 642 643static void 644mac_test_destroy_mount_fs_label(struct label label) 645{ 646* 647 if ((SLOT(label) == MOUNTMAGIC \|\| SLOT(label) == 0)) { 648 atomic_add_int(&destroy_count_mount_fslabel, 1); 649 SLOT(label) = EXMAGIC; 650 } else if (SLOT(label) == EXMAGIC) { 651 DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy"); 652 } else { 653 DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label"); 654 } 655} 656 657static void 658mac_test_destroy_socket_label(struct label label) 659{ 660* 661 if ((SLOT(label) == SOCKETMAGIC \|\| SLOT(label) == 0)) { 662 atomic_add_int(&destroy_count_socket, 1); 663 SLOT(label) = EXMAGIC; 664 } else if (SLOT(label) == EXMAGIC) { 665 DEBUGGER("mac_test_destroy_socket: dup destroy"); 666 } else { 667 DEBUGGER("mac_test_destroy_socket: corrupted label"); 668 } 669} 670 671static void 672mac_test_destroy_socket_peer_label(struct label label) 673{ 674* 675 if ((SLOT(label) == SOCKETMAGIC \|\| SLOT(label) == 0)) { 676 atomic_add_int(&destroy_count_socket_peerlabel, 1); 677 SLOT(label) = EXMAGIC; 678 } else if (SLOT(label) == EXMAGIC) { 679 DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy"); 680 } else { 681 DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label"); 682 } 683} 684 685static void 686mac_test_destroy_pipe_label(struct label label) 687{ 688* 689 if ((SLOT(label) == PIPEMAGIC \|\| SLOT(label) == 0)) { 690 atomic_add_int(&destroy_count_pipe, 1); 691 SLOT(label) = EXMAGIC; 692 } else if (SLOT(label) == EXMAGIC) { 693 DEBUGGER("mac_test_destroy_pipe: dup destroy"); 694 } else { 695 DEBUGGER("mac_test_destroy_pipe: corrupted label"); 696 } 697} 698 699static void 700mac_test_destroy_proc_label(struct label label) 701{ 702* 703 if ((SLOT(label) == PROCMAGIC \|\| SLOT(label) == 0)) { 704 atomic_add_int(&destroy_count_proc, 1); 705 SLOT(label) = EXMAGIC; 706 } else if (SLOT(label) == EXMAGIC) { 707 DEBUGGER("mac_test_destroy_proc: dup destroy"); 708 } else { 709 DEBUGGER("mac_test_destroy_proc: corrupted label"); 710 } 711} 712 713static void 714mac_test_destroy_vnode_label(struct label label) 715{ 716* 717 if (SLOT(label) == VNODEMAGIC \|\| SLOT(label) == 0) { 718 atomic_add_int(&destroy_count_vnode, 1); 719 SLOT(label) = EXMAGIC; 720 } else if (SLOT(label) == EXMAGIC) { 721 DEBUGGER("mac_test_destroy_vnode: dup destroy"); 722 } else { 723 DEBUGGER("mac_test_destroy_vnode: corrupted label"); 724 } 725} 726 727static void 728mac_test_copy_cred_label(struct label src, struct label dest) 729{ 730 731 ASSERT_CRED_LABEL(src); 732 ASSERT_CRED_LABEL(dest); 733} 734 735static void 736mac_test_copy_ifnet_label(struct label src, struct label dest) 737{ 738 739 ASSERT_IFNET_LABEL(src); 740 ASSERT_IFNET_LABEL(dest); 741} 742 743static void 744mac_test_copy_mbuf_label(struct label src, struct label dest) 745{ 746 747 ASSERT_MBUF_LABEL(src); 748 ASSERT_MBUF_LABEL(dest); 749} 750 751static void 752mac_test_copy_pipe_label(struct label src, struct label dest) 753{ 754 755 ASSERT_PIPE_LABEL(src); 756 ASSERT_PIPE_LABEL(dest); 757} 758 759static void 760mac_test_copy_socket_label(struct label src, struct label dest) 761{ 762 763 ASSERT_SOCKET_LABEL(src); 764 ASSERT_SOCKET_LABEL(dest); 765} 766 767static void 768mac_test_copy_vnode_label(struct label src, struct label dest) 769{ 770 771 ASSERT_VNODE_LABEL(src); 772 ASSERT_VNODE_LABEL(dest); 773} 774 775static int 776mac_test_externalize_label(struct label label, char element_name, 777 struct sbuf sb, int claimed) 778{ 779 780 atomic_add_int(&externalize_count, 1); 781 782 KASSERT(SLOT(label) != EXMAGIC, 783 ("mac_test_externalize_label: destroyed label")); 784 785 return (0); 786} 787 788static int 789mac_test_internalize_label(struct label label, char element_name, 790 char element_data, int claimed) 791{ 792 793 atomic_add_int(&internalize_count, 1); 794 795 KASSERT(SLOT(label) != EXMAGIC, 796 ("mac_test_internalize_label: destroyed label")); 797 798 return (0); 799} 800 801/* 802 * Labeling event operations: file system objects, and things that look 803 * a lot like file system objects. 804 / 805static void 806mac_test_associate_vnode_devfs(struct mount mp, struct label fslabel, 807* struct devfs_dirent de, struct label delabel, struct vnode vp, 808* struct label vlabel) 809{ 810* 811 ASSERT_MOUNT_LABEL(fslabel); 812 ASSERT_DEVFS_LABEL(delabel); 813 ASSERT_VNODE_LABEL(vlabel); 814} 815 816static int 817mac_test_associate_vnode_extattr(struct mount mp, struct label fslabel, 818 struct vnode vp, struct label vlabel) 819{ 820 821 ASSERT_MOUNT_LABEL(fslabel); 822 ASSERT_VNODE_LABEL(vlabel); 823 return (0); 824} 825 826static void 827mac_test_associate_vnode_singlelabel(struct mount mp, 828* struct label fslabel, struct vnode vp, struct label vlabel) 829{ 830* 831 ASSERT_MOUNT_LABEL(fslabel); 832 ASSERT_VNODE_LABEL(vlabel); 833} 834 835static void 836mac_test_create_devfs_device(struct mount mp, struct cdev dev, 837 struct devfs_dirent devfs_dirent, struct label label) 838{ 839 840 ASSERT_DEVFS_LABEL(label); 841} 842 843static void 844mac_test_create_devfs_directory(struct mount mp, char dirname, 845 int dirnamelen, struct devfs_dirent devfs_dirent, struct label label) 846{ 847 848 ASSERT_DEVFS_LABEL(label); 849} 850 851static void 852mac_test_create_devfs_symlink(struct ucred cred, struct mount mp, 853 struct devfs_dirent dd, struct label ddlabel, struct devfs_dirent de, 854* struct label delabel) 855{ 856* 857 ASSERT_CRED_LABEL(cred->cr_label); 858 ASSERT_DEVFS_LABEL(ddlabel); 859 ASSERT_DEVFS_LABEL(delabel); 860} 861 862static int 863mac_test_create_vnode_extattr(struct ucred cred, struct mount mp, 864 struct label fslabel, struct vnode dvp, struct label dlabel, 865* struct vnode vp, struct label vlabel, struct componentname cnp) 866{ 867* 868 ASSERT_CRED_LABEL(cred->cr_label); 869 ASSERT_MOUNT_LABEL(fslabel); 870 ASSERT_VNODE_LABEL(dlabel); 871 872 return (0); 873} 874 875static void 876mac_test_create_mount(struct ucred cred, struct mount mp, 877 struct label mntlabel, struct label fslabel) 878{ 879 880 ASSERT_CRED_LABEL(cred->cr_label); 881 ASSERT_MOUNT_LABEL(mntlabel); 882 ASSERT_MOUNT_LABEL(fslabel); 883} 884 885static void 886mac_test_create_root_mount(struct ucred cred, struct mount mp, 887 struct label mntlabel, struct label fslabel) 888{ 889 890 ASSERT_CRED_LABEL(cred->cr_label); 891 ASSERT_MOUNT_LABEL(mntlabel); 892 ASSERT_MOUNT_LABEL(fslabel); 893} 894 895static void 896mac_test_relabel_vnode(struct ucred cred, struct vnode vp, 897 struct label vnodelabel, struct label label) 898{ 899 900 ASSERT_CRED_LABEL(cred->cr_label); 901 ASSERT_VNODE_LABEL(vnodelabel); 902 ASSERT_VNODE_LABEL(label); 903} 904 905static int 906mac_test_setlabel_vnode_extattr(struct ucred cred, struct vnode vp, 907 struct label vlabel, struct label intlabel) 908{ 909 910 ASSERT_CRED_LABEL(cred->cr_label); 911 ASSERT_VNODE_LABEL(vlabel); 912 ASSERT_VNODE_LABEL(intlabel); 913 return (0); 914} 915 916static void 917mac_test_update_devfsdirent(struct mount mp, 918* struct devfs_dirent devfs_dirent, struct label direntlabel, 919 struct vnode vp, struct label vnodelabel) 920{ 921 922 ASSERT_DEVFS_LABEL(direntlabel); 923 ASSERT_VNODE_LABEL(vnodelabel); 924} 925 926/* 927 * Labeling event operations: IPC object. 928 / 929static void 930mac_test_create_mbuf_from_socket(struct socket so, struct label socketlabel, 931* struct mbuf m, struct label mbuflabel) 932{ 933 934 ASSERT_SOCKET_LABEL(socketlabel); 935 ASSERT_MBUF_LABEL(mbuflabel); 936} 937 938static void 939mac_test_create_socket(struct ucred cred, struct socket socket, 940 struct label socketlabel) 941{ 942* 943 ASSERT_CRED_LABEL(cred->cr_label); 944 ASSERT_SOCKET_LABEL(socketlabel); 945} 946 947static void 948mac_test_create_pipe(struct ucred cred, struct pipepair pp, 949 struct label pipelabel) 950{ 951* 952 ASSERT_CRED_LABEL(cred->cr_label); 953 ASSERT_PIPE_LABEL(pipelabel); 954} 955 956static void 957mac_test_create_socket_from_socket(struct socket oldsocket, 958* struct label oldsocketlabel, struct socket newsocket, 959 struct label newsocketlabel) 960{ 961* 962 ASSERT_SOCKET_LABEL(oldsocketlabel); 963 ASSERT_SOCKET_LABEL(newsocketlabel); 964} 965 966static void 967mac_test_relabel_socket(struct ucred cred, struct socket socket, 968 struct label socketlabel, struct label newlabel) 969{ 970 971 ASSERT_CRED_LABEL(cred->cr_label); 972 ASSERT_SOCKET_LABEL(newlabel); 973} 974 975static void 976mac_test_relabel_pipe(struct ucred cred, struct pipepair pp, 977 struct label pipelabel, struct label newlabel) 978{ 979 980 ASSERT_CRED_LABEL(cred->cr_label); 981 ASSERT_PIPE_LABEL(pipelabel); 982 ASSERT_PIPE_LABEL(newlabel); 983} 984 985static void 986mac_test_set_socket_peer_from_mbuf(struct mbuf mbuf, struct label mbuflabel, 987 struct socket socket, struct label socketpeerlabel) 988{ 989 990 ASSERT_MBUF_LABEL(mbuflabel); 991 ASSERT_SOCKET_LABEL(socketpeerlabel); 992} 993 994/* 995 * Labeling event operations: network objects. 996 / 997static void 998mac_test_set_socket_peer_from_socket(struct socket oldsocket, 999 struct label oldsocketlabel, struct socket newsocket, 1000 struct label newsocketpeerlabel) 1001{ 1002* 1003 ASSERT_SOCKET_LABEL(oldsocketlabel); 1004 ASSERT_SOCKET_LABEL(newsocketpeerlabel); 1005} 1006 1007static void 1008mac_test_create_bpfdesc(struct ucred cred, struct bpf_d bpf_d, 1009 struct label bpflabel) 1010{ 1011* 1012 ASSERT_CRED_LABEL(cred->cr_label); 1013 ASSERT_BPF_LABEL(bpflabel); 1014} 1015 1016static void 1017mac_test_create_datagram_from_ipq(struct ipq ipq, struct label ipqlabel, 1018 struct mbuf datagram, struct label datagramlabel) 1019{ 1020 1021 ASSERT_IPQ_LABEL(ipqlabel); 1022 ASSERT_MBUF_LABEL(datagramlabel); 1023} 1024 1025static void 1026mac_test_create_fragment(struct mbuf datagram, struct label datagramlabel, 1027 struct mbuf fragment, struct label fragmentlabel) 1028{ 1029 1030 ASSERT_MBUF_LABEL(datagramlabel); 1031 ASSERT_MBUF_LABEL(fragmentlabel); 1032} 1033 1034static void 1035mac_test_create_ifnet(struct ifnet ifnet, struct label ifnetlabel) 1036{ 1037 1038 ASSERT_IFNET_LABEL(ifnetlabel); 1039} 1040 1041static void 1042mac_test_create_inpcb_from_socket(struct socket so, struct label solabel, 1043 struct inpcb inp, struct label inplabel) 1044{ 1045 1046 ASSERT_SOCKET_LABEL(solabel); 1047 ASSERT_INPCB_LABEL(inplabel); 1048} 1049 1050static void 1051mac_test_create_sysv_msgmsg(struct ucred cred, struct msqid_kernel msqkptr, 1052 struct label msqlabel, struct msg msgptr, struct label msglabel) 1053{ 1054* 1055 ASSERT_SYSVIPCMSG_LABEL(msglabel); 1056 ASSERT_SYSVIPCMSQ_LABEL(msqlabel); 1057} 1058 1059static void 1060mac_test_create_sysv_msgqueue(struct ucred cred, 1061* struct msqid_kernel msqkptr, struct label msqlabel) 1062{ 1063 1064 ASSERT_SYSVIPCMSQ_LABEL(msqlabel); 1065} 1066 1067static void 1068mac_test_create_sysv_sema(struct ucred cred, struct semid_kernel semakptr, 1069 struct label semalabel) 1070{ 1071* 1072 ASSERT_SYSVIPCSEM_LABEL(semalabel); 1073} 1074 1075static void 1076mac_test_create_sysv_shm(struct ucred cred, struct shmid_kernel shmsegptr, 1077 struct label shmlabel) 1078{ 1079* 1080 ASSERT_SYSVIPCSHM_LABEL(shmlabel); 1081} 1082 1083static void 1084mac_test_create_ipq(struct mbuf fragment, struct label fragmentlabel, 1085 struct ipq ipq, struct label ipqlabel) 1086{ 1087 1088 ASSERT_MBUF_LABEL(fragmentlabel); 1089 ASSERT_IPQ_LABEL(ipqlabel); 1090} 1091 1092static void 1093mac_test_create_mbuf_from_inpcb(struct inpcb inp, struct label inplabel, 1094 struct mbuf m, struct label mlabel) 1095{ 1096 1097 ASSERT_INPCB_LABEL(inplabel); 1098 ASSERT_MBUF_LABEL(mlabel); 1099} 1100 1101static void 1102mac_test_create_mbuf_from_mbuf(struct mbuf oldmbuf, 1103* struct label oldmbuflabel, struct mbuf newmbuf, 1104 struct label newmbuflabel) 1105{ 1106* 1107 ASSERT_MBUF_LABEL(oldmbuflabel); 1108 ASSERT_MBUF_LABEL(newmbuflabel); 1109} 1110 1111static void 1112mac_test_create_mbuf_linklayer(struct ifnet ifnet, struct label ifnetlabel, 1113 struct mbuf mbuf, struct label mbuflabel) 1114{ 1115 1116 ASSERT_IFNET_LABEL(ifnetlabel); 1117 ASSERT_MBUF_LABEL(mbuflabel); 1118} 1119 1120static void 1121mac_test_create_mbuf_from_bpfdesc(struct bpf_d bpf_d, struct label bpflabel, 1122 struct mbuf mbuf, struct label mbuflabel) 1123{ 1124 1125 ASSERT_BPF_LABEL(bpflabel); 1126 ASSERT_MBUF_LABEL(mbuflabel); 1127} 1128 1129static void 1130mac_test_create_mbuf_from_ifnet(struct ifnet ifnet, struct label ifnetlabel, 1131 struct mbuf m, struct label mbuflabel) 1132{ 1133 1134 ASSERT_IFNET_LABEL(ifnetlabel); 1135 ASSERT_MBUF_LABEL(mbuflabel); 1136} 1137 1138static void 1139mac_test_create_mbuf_multicast_encap(struct mbuf oldmbuf, 1140* struct label oldmbuflabel, struct ifnet ifnet, struct label ifnetlabel, 1141* struct mbuf newmbuf, struct label newmbuflabel) 1142{ 1143 1144 ASSERT_MBUF_LABEL(oldmbuflabel); 1145 ASSERT_IFNET_LABEL(ifnetlabel); 1146 ASSERT_MBUF_LABEL(newmbuflabel); 1147} 1148 1149static void 1150mac_test_create_mbuf_netlayer(struct mbuf oldmbuf, 1151* struct label oldmbuflabel, struct mbuf newmbuf, 1152 struct label newmbuflabel) 1153{ 1154* 1155 ASSERT_MBUF_LABEL(oldmbuflabel); 1156 ASSERT_MBUF_LABEL(newmbuflabel); 1157} 1158 1159static int 1160mac_test_fragment_match(struct mbuf fragment, struct label fragmentlabel, 1161 struct ipq ipq, struct label ipqlabel) 1162{ 1163 1164 ASSERT_MBUF_LABEL(fragmentlabel); 1165 ASSERT_IPQ_LABEL(ipqlabel); 1166 1167 return (1); 1168} 1169 1170static void 1171mac_test_reflect_mbuf_icmp(struct mbuf m, struct label mlabel) 1172{ 1173 1174 ASSERT_MBUF_LABEL(mlabel); 1175} 1176 1177static void 1178mac_test_reflect_mbuf_tcp(struct mbuf m, struct label mlabel) 1179{ 1180 1181 ASSERT_MBUF_LABEL(mlabel); 1182} 1183 1184static void 1185mac_test_relabel_ifnet(struct ucred cred, struct ifnet ifnet, 1186 struct label ifnetlabel, struct label newlabel) 1187{ 1188 1189 ASSERT_CRED_LABEL(cred->cr_label); 1190 ASSERT_IFNET_LABEL(ifnetlabel); 1191 ASSERT_IFNET_LABEL(newlabel); 1192} 1193 1194static void 1195mac_test_update_ipq(struct mbuf fragment, struct label fragmentlabel, 1196 struct ipq ipq, struct label ipqlabel) 1197{ 1198 1199 ASSERT_MBUF_LABEL(fragmentlabel); 1200 ASSERT_IPQ_LABEL(ipqlabel); 1201} 1202 1203static void 1204mac_test_inpcb_sosetlabel(struct socket so, struct label solabel, 1205 struct inpcb inp, struct label inplabel) 1206{ 1207 1208 ASSERT_SOCKET_LABEL(solabel); 1209 ASSERT_INPCB_LABEL(inplabel); 1210} 1211 1212/* 1213 * Labeling event operations: processes. 1214 / 1215static void 1216mac_test_execve_transition(struct ucred old, struct ucred new, 1217* struct vnode vp, struct label filelabel, 1218 struct label interpvnodelabel, struct image_params imgp, 1219 struct label execlabel) 1220{ 1221* 1222 ASSERT_CRED_LABEL(old->cr_label); 1223 ASSERT_CRED_LABEL(new->cr_label); 1224 ASSERT_VNODE_LABEL(filelabel); 1225 if (interpvnodelabel != NULL) { 1226 ASSERT_VNODE_LABEL(interpvnodelabel); 1227 } 1228 if (execlabel != NULL) { 1229 ASSERT_CRED_LABEL(execlabel); 1230 } 1231} 1232 1233static int 1234mac_test_execve_will_transition(struct ucred old, struct vnode vp, 1235 struct label filelabel, struct label interpvnodelabel, 1236 struct image_params imgp, struct label execlabel) 1237{ 1238 1239 ASSERT_CRED_LABEL(old->cr_label); 1240 ASSERT_VNODE_LABEL(filelabel); 1241 if (interpvnodelabel != NULL) { 1242 ASSERT_VNODE_LABEL(interpvnodelabel); 1243 } 1244 if (execlabel != NULL) { 1245 ASSERT_CRED_LABEL(execlabel); 1246 } 1247 1248 return (0); 1249} 1250 1251static void 1252mac_test_create_proc0(struct ucred cred) 1253{ 1254* 1255 ASSERT_CRED_LABEL(cred->cr_label); 1256} 1257 1258static void 1259mac_test_create_proc1(struct ucred cred) 1260{ 1261* 1262 ASSERT_CRED_LABEL(cred->cr_label); 1263} 1264 1265static void 1266mac_test_relabel_cred(struct ucred cred, struct label newlabel) 1267{ 1268 1269 ASSERT_CRED_LABEL(cred->cr_label); 1270 ASSERT_CRED_LABEL(newlabel); 1271} 1272 1273static void 1274mac_test_thread_userret(struct thread td) 1275{ 1276* 1277 printf("mac_test_thread_userret(process = %d)\n", 1278 curthread->td_proc->p_pid); 1279} 1280 1281/* 1282 * Label cleanup/flush operations 1283 / 1284static void 1285mac_test_cleanup_sysv_msgmsg(struct label msglabel) 1286{ 1287 1288 ASSERT_SYSVIPCMSG_LABEL(msglabel); 1289} 1290 1291static void 1292mac_test_cleanup_sysv_msgqueue(struct label msqlabel) 1293{ 1294* 1295 ASSERT_SYSVIPCMSQ_LABEL(msqlabel); 1296} 1297 1298static void 1299mac_test_cleanup_sysv_sema(struct label semalabel) 1300{ 1301* 1302 ASSERT_SYSVIPCSEM_LABEL(semalabel); 1303} 1304 1305static void 1306mac_test_cleanup_sysv_shm(struct label shmlabel) 1307{ 1308* 1309 ASSERT_SYSVIPCSHM_LABEL(shmlabel); 1310} 1311 1312/* 1313 * Access control checks. 1314 / 1315static int 1316mac_test_check_bpfdesc_receive(struct bpf_d bpf_d, struct label bpflabel, 1317* struct ifnet ifnet, struct label ifnetlabel) 1318{ 1319 1320 ASSERT_BPF_LABEL(bpflabel); 1321 ASSERT_IFNET_LABEL(ifnetlabel); 1322 1323 return (0); 1324} 1325 1326static int 1327mac_test_check_cred_relabel(struct ucred cred, struct label newlabel) 1328{ 1329 1330 ASSERT_CRED_LABEL(cred->cr_label); 1331 ASSERT_CRED_LABEL(newlabel); 1332 1333 return (0); 1334} 1335 1336static int 1337mac_test_check_cred_visible(struct ucred u1, struct ucred u2) 1338{ 1339 1340 ASSERT_CRED_LABEL(u1->cr_label); 1341 ASSERT_CRED_LABEL(u2->cr_label); 1342 1343 return (0); 1344} 1345 1346static int 1347mac_test_check_ifnet_relabel(struct ucred cred, struct ifnet ifnet, 1348 struct label ifnetlabel, struct label newlabel) 1349{ 1350 1351 ASSERT_CRED_LABEL(cred->cr_label); 1352 ASSERT_IFNET_LABEL(ifnetlabel); 1353 ASSERT_IFNET_LABEL(newlabel); 1354 return (0); 1355} 1356 1357static int 1358mac_test_check_ifnet_transmit(struct ifnet ifnet, struct label ifnetlabel, 1359 struct mbuf m, struct label mbuflabel) 1360{ 1361 1362 ASSERT_IFNET_LABEL(ifnetlabel); 1363 ASSERT_MBUF_LABEL(mbuflabel); 1364 1365 return (0); 1366} 1367 1368static int 1369mac_test_check_inpcb_deliver(struct inpcb inp, struct label inplabel, 1370 struct mbuf m, struct label mlabel) 1371{ 1372 1373 ASSERT_INPCB_LABEL(inplabel); 1374 ASSERT_MBUF_LABEL(mlabel); 1375 1376 return (0); 1377} 1378 1379static int 1380mac_test_check_sysv_msgmsq(struct ucred cred, struct msg msgptr, 1381 struct label msglabel, struct msqid_kernel msqkptr, 1382 struct label msqklabel) 1383{ 1384* 1385 ASSERT_SYSVIPCMSQ_LABEL(msqklabel); 1386 ASSERT_SYSVIPCMSG_LABEL(msglabel); 1387 ASSERT_CRED_LABEL(cred->cr_label); 1388 1389 return (0); 1390} 1391 1392static int 1393mac_test_check_sysv_msgrcv(struct ucred cred, struct msg msgptr, 1394 struct label msglabel) 1395{ 1396* 1397 ASSERT_SYSVIPCMSG_LABEL(msglabel); 1398 ASSERT_CRED_LABEL(cred->cr_label); 1399 1400 return (0); 1401} 1402 1403 1404static int 1405mac_test_check_sysv_msgrmid(struct ucred cred, struct msg msgptr, 1406 struct label msglabel) 1407{ 1408* 1409 ASSERT_SYSVIPCMSG_LABEL(msglabel); 1410 ASSERT_CRED_LABEL(cred->cr_label); 1411 1412 return (0); 1413} 1414 1415static int 1416mac_test_check_sysv_msqget(struct ucred cred, struct msqid_kernel msqkptr, 1417 struct label msqklabel) 1418{ 1419* 1420 ASSERT_SYSVIPCMSQ_LABEL(msqklabel); 1421 ASSERT_CRED_LABEL(cred->cr_label); 1422 1423 return (0); 1424} 1425 1426static int 1427mac_test_check_sysv_msqsnd(struct ucred cred, struct msqid_kernel msqkptr, 1428 struct label msqklabel) 1429{ 1430* 1431 ASSERT_SYSVIPCMSQ_LABEL(msqklabel); 1432 ASSERT_CRED_LABEL(cred->cr_label); 1433 1434 return (0); 1435} 1436 1437static int 1438mac_test_check_sysv_msqrcv(struct ucred cred, struct msqid_kernel msqkptr, 1439 struct label msqklabel) 1440{ 1441* 1442 ASSERT_SYSVIPCMSQ_LABEL(msqklabel); 1443 ASSERT_CRED_LABEL(cred->cr_label); 1444 1445 return (0); 1446} 1447 1448static int 1449mac_test_check_sysv_msqctl(struct ucred cred, struct msqid_kernel msqkptr, 1450 struct label msqklabel, int cmd) 1451{ 1452* 1453 ASSERT_SYSVIPCMSQ_LABEL(msqklabel); 1454 ASSERT_CRED_LABEL(cred->cr_label); 1455 1456 return (0); 1457} 1458 1459static int 1460mac_test_check_sysv_semctl(struct ucred cred, struct semid_kernel semakptr, 1461 struct label semaklabel, int cmd) 1462{ 1463* 1464 ASSERT_CRED_LABEL(cred->cr_label); 1465 ASSERT_SYSVIPCSEM_LABEL(semaklabel); 1466 1467 return (0); 1468} 1469 1470static int 1471mac_test_check_sysv_semget(struct ucred cred, struct semid_kernel semakptr, 1472 struct label semaklabel) 1473{ 1474* 1475 ASSERT_CRED_LABEL(cred->cr_label); 1476 ASSERT_SYSVIPCSEM_LABEL(semaklabel); 1477 1478 return (0); 1479} 1480 1481static int 1482mac_test_check_sysv_semop(struct ucred cred, struct semid_kernel semakptr, 1483 struct label semaklabel, size_t accesstype) 1484{ 1485* 1486 ASSERT_CRED_LABEL(cred->cr_label); 1487 ASSERT_SYSVIPCSEM_LABEL(semaklabel); 1488 1489 return (0); 1490} 1491 1492static int 1493mac_test_check_sysv_shmat(struct ucred cred, struct shmid_kernel shmsegptr, 1494 struct label shmseglabel, int shmflg) 1495{ 1496* 1497 ASSERT_CRED_LABEL(cred->cr_label); 1498 ASSERT_SYSVIPCSHM_LABEL(shmseglabel); 1499 1500 return (0); 1501} 1502 1503static int 1504mac_test_check_sysv_shmctl(struct ucred cred, struct shmid_kernel shmsegptr, 1505 struct label shmseglabel, int cmd) 1506{ 1507* 1508 ASSERT_CRED_LABEL(cred->cr_label); 1509 ASSERT_SYSVIPCSHM_LABEL(shmseglabel); 1510 1511 return (0); 1512} 1513 1514static int 1515mac_test_check_sysv_shmdt(struct ucred cred, struct shmid_kernel shmsegptr, 1516 struct label shmseglabel) 1517{ 1518* 1519 ASSERT_CRED_LABEL(cred->cr_label); 1520 ASSERT_SYSVIPCSHM_LABEL(shmseglabel); 1521 1522 return (0); 1523} 1524 1525static int 1526mac_test_check_sysv_shmget(struct ucred cred, struct shmid_kernel shmsegptr, 1527 struct label shmseglabel, int shmflg) 1528{ 1529* 1530 ASSERT_CRED_LABEL(cred->cr_label); 1531 ASSERT_SYSVIPCSHM_LABEL(shmseglabel); 1532 1533 return (0); 1534} 1535 1536static int 1537mac_test_check_kenv_dump(struct ucred cred) 1538{ 1539* 1540 ASSERT_CRED_LABEL(cred->cr_label); 1541 1542 return (0); 1543} 1544 1545static int 1546mac_test_check_kenv_get(struct ucred cred, char name) 1547{ 1548 1549 ASSERT_CRED_LABEL(cred->cr_label); 1550 1551 return (0); 1552} 1553 1554static int 1555mac_test_check_kenv_set(struct ucred cred, char name, char value) 1556{ 1557* 1558 ASSERT_CRED_LABEL(cred->cr_label); 1559 1560 return (0); 1561} 1562 1563static int 1564mac_test_check_kenv_unset(struct ucred cred, char name) 1565{ 1566 1567 ASSERT_CRED_LABEL(cred->cr_label); 1568 1569 return (0); 1570} 1571 1572static int 1573mac_test_check_kld_load(struct ucred cred, struct vnode vp, 1574 struct label label) 1575{ 1576* 1577 ASSERT_CRED_LABEL(cred->cr_label); 1578 ASSERT_VNODE_LABEL(label); 1579 1580 return (0); 1581} 1582 1583static int 1584mac_test_check_kld_stat(struct ucred cred) 1585{ 1586* 1587 ASSERT_CRED_LABEL(cred->cr_label); 1588 1589 return (0); 1590} 1591 1592static int 1593mac_test_check_kld_unload(struct ucred cred) 1594{ 1595* 1596 ASSERT_CRED_LABEL(cred->cr_label); 1597 1598 return (0); 1599} 1600 1601static int 1602mac_test_check_mount_stat(struct ucred cred, struct mount mp, 1603 struct label mntlabel) 1604{ 1605* 1606 ASSERT_CRED_LABEL(cred->cr_label); 1607 ASSERT_MOUNT_LABEL(mntlabel); 1608 1609 return (0); 1610} 1611 1612static int 1613mac_test_check_pipe_ioctl(struct ucred cred, struct pipepair pp, 1614 struct label pipelabel, unsigned long cmd, void / caddr_t / data) 1615{ 1616 1617 ASSERT_CRED_LABEL(cred->cr_label); 1618 ASSERT_PIPE_LABEL(pipelabel); 1619 1620 return (0); 1621} 1622 1623static int 1624mac_test_check_pipe_poll(struct ucred cred, struct pipepair pp, 1625 struct label pipelabel) 1626{ 1627* 1628 ASSERT_CRED_LABEL(cred->cr_label); 1629 ASSERT_PIPE_LABEL(pipelabel); 1630 1631 return (0); 1632} 1633 1634static int 1635mac_test_check_pipe_read(struct ucred cred, struct pipepair pp, 1636 struct label pipelabel) 1637{ 1638* 1639 ASSERT_CRED_LABEL(cred->cr_label); 1640 ASSERT_PIPE_LABEL(pipelabel); 1641 1642 return (0); 1643} 1644 1645static int 1646mac_test_check_pipe_relabel(struct ucred cred, struct pipepair pp, 1647 struct label pipelabel, struct label newlabel) 1648{ 1649 1650 ASSERT_CRED_LABEL(cred->cr_label); 1651 ASSERT_PIPE_LABEL(pipelabel); 1652 ASSERT_PIPE_LABEL(newlabel); 1653 1654 return (0); 1655} 1656 1657static int 1658mac_test_check_pipe_stat(struct ucred cred, struct pipepair pp, 1659 struct label pipelabel) 1660{ 1661* 1662 ASSERT_CRED_LABEL(cred->cr_label); 1663 ASSERT_PIPE_LABEL(pipelabel); 1664 1665 return (0); 1666} 1667 1668static int 1669mac_test_check_pipe_write(struct ucred cred, struct pipepair pp, 1670 struct label pipelabel) 1671{ 1672* 1673 ASSERT_CRED_LABEL(cred->cr_label); 1674 ASSERT_PIPE_LABEL(pipelabel); 1675 1676 return (0); 1677} 1678 1679static int 1680mac_test_check_proc_debug(struct ucred cred, struct proc proc) 1681{ 1682 1683 ASSERT_CRED_LABEL(cred->cr_label); 1684 ASSERT_CRED_LABEL(proc->p_ucred->cr_label); 1685 1686 return (0); 1687} 1688 1689static int 1690mac_test_check_proc_sched(struct ucred cred, struct proc proc) 1691{ 1692 1693 ASSERT_CRED_LABEL(cred->cr_label); 1694 ASSERT_CRED_LABEL(proc->p_ucred->cr_label); 1695 1696 return (0); 1697} 1698 1699static int 1700mac_test_check_proc_signal(struct ucred cred, struct proc proc, int signum) 1701{ 1702 1703 ASSERT_CRED_LABEL(cred->cr_label); 1704 ASSERT_CRED_LABEL(proc->p_ucred->cr_label); 1705 1706 return (0); 1707} 1708 1709static int 1710mac_test_check_proc_setuid(struct ucred cred, uid_t uid) 1711{ 1712* 1713 ASSERT_CRED_LABEL(cred->cr_label); 1714 1715 return (0); 1716} 1717 1718static int 1719mac_test_check_proc_seteuid(struct ucred cred, uid_t euid) 1720{ 1721* 1722 ASSERT_CRED_LABEL(cred->cr_label); 1723 1724 return (0); 1725} 1726 1727static int 1728mac_test_check_proc_setgid(struct ucred cred, gid_t gid) 1729{ 1730* 1731 ASSERT_CRED_LABEL(cred->cr_label); 1732 1733 return (0); 1734} 1735 1736static int 1737mac_test_check_proc_setegid(struct ucred cred, gid_t egid) 1738{ 1739* 1740 ASSERT_CRED_LABEL(cred->cr_label); 1741 1742 return (0); 1743} 1744 1745static int 1746mac_test_check_proc_setgroups(struct ucred cred, int ngroups, 1747* gid_t gidset) 1748{ 1749* 1750 ASSERT_CRED_LABEL(cred->cr_label); 1751 1752 return (0); 1753} 1754 1755static int 1756mac_test_check_proc_setreuid(struct ucred cred, uid_t ruid, uid_t euid) 1757{ 1758* 1759 ASSERT_CRED_LABEL(cred->cr_label); 1760 1761 return (0); 1762} 1763 1764static int 1765mac_test_check_proc_setregid(struct ucred cred, gid_t rgid, gid_t egid) 1766{ 1767* 1768 ASSERT_CRED_LABEL(cred->cr_label); 1769 1770 return (0); 1771} 1772 1773static int 1774mac_test_check_proc_setresuid(struct ucred cred, uid_t ruid, uid_t euid, 1775* uid_t suid) 1776{ 1777 1778 ASSERT_CRED_LABEL(cred->cr_label); 1779 1780 return (0); 1781} 1782 1783static int 1784mac_test_check_proc_setresgid(struct ucred cred, gid_t rgid, gid_t egid, 1785* gid_t sgid) 1786{ 1787 1788 ASSERT_CRED_LABEL(cred->cr_label); 1789 1790 return (0); 1791} 1792 1793static int
	1794mac_test_check_proc_wait(struct ucred cred, struct proc proc) 1795{ 1796 1797 ASSERT_CRED_LABEL(cred->cr_label); 1798 ASSERT_CRED_LABEL(proc->p_ucred->cr_label); 1799 1800 return (0); 1801} 1802 1803static int
1794mac_test_check_socket_accept(struct ucred cred, struct socket socket, 1795 struct label socketlabel) 1796{ 1797* 1798 ASSERT_CRED_LABEL(cred->cr_label); 1799 ASSERT_SOCKET_LABEL(socketlabel); 1800 1801 return (0); 1802} 1803 1804static int 1805mac_test_check_socket_bind(struct ucred cred, struct socket socket, 1806 struct label socketlabel, struct sockaddr sockaddr) 1807{ 1808 1809 ASSERT_CRED_LABEL(cred->cr_label); 1810 ASSERT_SOCKET_LABEL(socketlabel); 1811 1812 return (0); 1813} 1814 1815static int 1816mac_test_check_socket_connect(struct ucred cred, struct socket socket, 1817 struct label socketlabel, struct sockaddr sockaddr) 1818{ 1819 1820 ASSERT_CRED_LABEL(cred->cr_label); 1821 ASSERT_SOCKET_LABEL(socketlabel); 1822 1823 return (0); 1824} 1825 1826static int 1827mac_test_check_socket_deliver(struct socket socket, struct label socketlabel, 1828 struct mbuf m, struct label mbuflabel) 1829{ 1830 1831 ASSERT_SOCKET_LABEL(socketlabel); 1832 ASSERT_MBUF_LABEL(mbuflabel); 1833 1834 return (0); 1835} 1836 1837static int 1838mac_test_check_socket_listen(struct ucred cred, struct socket socket, 1839 struct label socketlabel) 1840{ 1841* 1842 ASSERT_CRED_LABEL(cred->cr_label); 1843 ASSERT_SOCKET_LABEL(socketlabel); 1844 1845 return (0); 1846} 1847 1848static int 1849mac_test_check_socket_poll(struct ucred cred, struct socket socket, 1850 struct label socketlabel) 1851{ 1852* 1853 ASSERT_CRED_LABEL(cred->cr_label); 1854 ASSERT_SOCKET_LABEL(socketlabel); 1855 1856 return (0); 1857} 1858 1859static int 1860mac_test_check_socket_receive(struct ucred cred, struct socket socket, 1861 struct label socketlabel) 1862{ 1863* 1864 ASSERT_CRED_LABEL(cred->cr_label); 1865 ASSERT_SOCKET_LABEL(socketlabel); 1866 1867 return (0); 1868} 1869 1870static int 1871mac_test_check_socket_relabel(struct ucred cred, struct socket socket, 1872 struct label socketlabel, struct label newlabel) 1873{ 1874 1875 ASSERT_CRED_LABEL(cred->cr_label); 1876 ASSERT_SOCKET_LABEL(socketlabel); 1877 ASSERT_SOCKET_LABEL(newlabel); 1878 1879 return (0); 1880} 1881 1882static int 1883mac_test_check_socket_send(struct ucred cred, struct socket socket, 1884 struct label socketlabel) 1885{ 1886* 1887 ASSERT_CRED_LABEL(cred->cr_label); 1888 ASSERT_SOCKET_LABEL(socketlabel); 1889 1890 return (0); 1891} 1892 1893static int 1894mac_test_check_socket_stat(struct ucred cred, struct socket socket, 1895 struct label socketlabel) 1896{ 1897* 1898 ASSERT_CRED_LABEL(cred->cr_label); 1899 ASSERT_SOCKET_LABEL(socketlabel); 1900 1901 return (0); 1902} 1903 1904static int 1905mac_test_check_socket_visible(struct ucred cred, struct socket socket, 1906 struct label socketlabel) 1907{ 1908* 1909 ASSERT_CRED_LABEL(cred->cr_label); 1910 ASSERT_SOCKET_LABEL(socketlabel); 1911 1912 return (0); 1913} 1914 1915static int 1916mac_test_check_sysarch_ioperm(struct ucred cred) 1917{ 1918* 1919 ASSERT_CRED_LABEL(cred->cr_label); 1920 1921 return (0); 1922} 1923 1924static int 1925mac_test_check_system_acct(struct ucred cred, struct vnode vp, 1926 struct label label) 1927{ 1928* 1929 ASSERT_CRED_LABEL(cred->cr_label); 1930 1931 return (0); 1932} 1933 1934static int 1935mac_test_check_system_reboot(struct ucred cred, int how) 1936{ 1937* 1938 ASSERT_CRED_LABEL(cred->cr_label); 1939 1940 return (0); 1941} 1942 1943static int 1944mac_test_check_system_settime(struct ucred cred) 1945{ 1946* 1947 ASSERT_CRED_LABEL(cred->cr_label); 1948 1949 return (0); 1950} 1951 1952static int 1953mac_test_check_system_swapon(struct ucred cred, struct vnode vp, 1954 struct label label) 1955{ 1956* 1957 ASSERT_CRED_LABEL(cred->cr_label); 1958 ASSERT_VNODE_LABEL(label); 1959 1960 return (0); 1961} 1962 1963static int 1964mac_test_check_system_swapoff(struct ucred cred, struct vnode vp, 1965 struct label label) 1966{ 1967* 1968 ASSERT_CRED_LABEL(cred->cr_label); 1969 ASSERT_VNODE_LABEL(label); 1970 1971 return (0); 1972} 1973 1974static int 1975mac_test_check_system_sysctl(struct ucred cred, struct sysctl_oid oidp, 1976 void arg1, int arg2, struct sysctl_req req) 1977{ 1978 1979 ASSERT_CRED_LABEL(cred->cr_label); 1980 1981 return (0); 1982} 1983 1984static int 1985mac_test_check_vnode_access(struct ucred cred, struct vnode vp, 1986 struct label label, int acc_mode) 1987{ 1988* 1989 ASSERT_CRED_LABEL(cred->cr_label); 1990 ASSERT_VNODE_LABEL(label); 1991 1992 return (0); 1993} 1994 1995static int 1996mac_test_check_vnode_chdir(struct ucred cred, struct vnode dvp, 1997 struct label dlabel) 1998{ 1999* 2000 ASSERT_CRED_LABEL(cred->cr_label); 2001 ASSERT_VNODE_LABEL(dlabel); 2002 2003 return (0); 2004} 2005 2006static int 2007mac_test_check_vnode_chroot(struct ucred cred, struct vnode dvp, 2008 struct label dlabel) 2009{ 2010* 2011 ASSERT_CRED_LABEL(cred->cr_label); 2012 ASSERT_VNODE_LABEL(dlabel); 2013 2014 return (0); 2015} 2016 2017static int 2018mac_test_check_vnode_create(struct ucred cred, struct vnode dvp, 2019 struct label dlabel, struct componentname cnp, struct vattr vap) 2020{ 2021* 2022 ASSERT_CRED_LABEL(cred->cr_label); 2023 ASSERT_VNODE_LABEL(dlabel); 2024 2025 return (0); 2026} 2027 2028static int 2029mac_test_check_vnode_delete(struct ucred cred, struct vnode dvp, 2030 struct label dlabel, struct vnode vp, struct label label, 2031* struct componentname cnp) 2032{ 2033* 2034 ASSERT_CRED_LABEL(cred->cr_label); 2035 ASSERT_VNODE_LABEL(dlabel); 2036 ASSERT_VNODE_LABEL(label); 2037 2038 return (0); 2039} 2040 2041static int 2042mac_test_check_vnode_deleteacl(struct ucred cred, struct vnode vp, 2043 struct label label, acl_type_t type) 2044{ 2045* 2046 ASSERT_CRED_LABEL(cred->cr_label); 2047 ASSERT_VNODE_LABEL(label); 2048 2049 return (0); 2050} 2051 2052static int 2053mac_test_check_vnode_deleteextattr(struct ucred cred, struct vnode vp, 2054 struct label label, int attrnamespace, const char name) 2055{ 2056 2057 ASSERT_CRED_LABEL(cred->cr_label); 2058 ASSERT_VNODE_LABEL(label); 2059 2060 return (0); 2061} 2062 2063static int 2064mac_test_check_vnode_exec(struct ucred cred, struct vnode vp, 2065 struct label label, struct image_params imgp, 2066 struct label execlabel) 2067{ 2068* 2069 ASSERT_CRED_LABEL(cred->cr_label); 2070 ASSERT_VNODE_LABEL(label); 2071 if (execlabel != NULL) { 2072 ASSERT_CRED_LABEL(execlabel); 2073 } 2074 2075 return (0); 2076} 2077 2078static int 2079mac_test_check_vnode_getacl(struct ucred cred, struct vnode vp, 2080 struct label label, acl_type_t type) 2081{ 2082* 2083 ASSERT_CRED_LABEL(cred->cr_label); 2084 ASSERT_VNODE_LABEL(label); 2085 2086 return (0); 2087} 2088 2089static int 2090mac_test_check_vnode_getextattr(struct ucred cred, struct vnode vp, 2091 struct label label, int attrnamespace, const char name, struct uio uio) 2092{ 2093* 2094 ASSERT_CRED_LABEL(cred->cr_label); 2095 ASSERT_VNODE_LABEL(label); 2096 2097 return (0); 2098} 2099 2100static int 2101mac_test_check_vnode_link(struct ucred cred, struct vnode dvp, 2102 struct label dlabel, struct vnode vp, struct label label, 2103* struct componentname cnp) 2104{ 2105* 2106 ASSERT_CRED_LABEL(cred->cr_label); 2107 ASSERT_VNODE_LABEL(dlabel); 2108 ASSERT_VNODE_LABEL(label); 2109 2110 return (0); 2111} 2112 2113static int 2114mac_test_check_vnode_listextattr(struct ucred cred, struct vnode vp, 2115 struct label label, int attrnamespace) 2116{ 2117* 2118 ASSERT_CRED_LABEL(cred->cr_label); 2119 ASSERT_VNODE_LABEL(label); 2120 2121 return (0); 2122} 2123 2124static int 2125mac_test_check_vnode_lookup(struct ucred cred, struct vnode dvp, 2126 struct label dlabel, struct componentname cnp) 2127{ 2128 2129 ASSERT_CRED_LABEL(cred->cr_label); 2130 ASSERT_VNODE_LABEL(dlabel); 2131 2132 return (0); 2133} 2134 2135static int 2136mac_test_check_vnode_mmap(struct ucred cred, struct vnode vp, 2137 struct label label, int prot, int flags) 2138{ 2139* 2140 ASSERT_CRED_LABEL(cred->cr_label); 2141 ASSERT_VNODE_LABEL(label); 2142 2143 return (0); 2144} 2145 2146static int 2147mac_test_check_vnode_open(struct ucred cred, struct vnode vp, 2148 struct label filelabel, int acc_mode) 2149{ 2150* 2151 ASSERT_CRED_LABEL(cred->cr_label); 2152 ASSERT_VNODE_LABEL(filelabel); 2153 2154 return (0); 2155} 2156 2157static int 2158mac_test_check_vnode_poll(struct ucred active_cred, struct ucred file_cred, 2159 struct vnode vp, struct label label) 2160{ 2161 2162 ASSERT_CRED_LABEL(active_cred->cr_label); 2163 ASSERT_CRED_LABEL(file_cred->cr_label); 2164 ASSERT_VNODE_LABEL(label); 2165 2166 return (0); 2167} 2168 2169static int 2170mac_test_check_vnode_read(struct ucred active_cred, struct ucred file_cred, 2171 struct vnode vp, struct label label) 2172{ 2173 2174 ASSERT_CRED_LABEL(active_cred->cr_label); 2175 if (file_cred != NULL) { 2176 ASSERT_CRED_LABEL(file_cred->cr_label); 2177 } 2178 ASSERT_VNODE_LABEL(label); 2179 2180 return (0); 2181} 2182 2183static int 2184mac_test_check_vnode_readdir(struct ucred cred, struct vnode dvp, 2185 struct label dlabel) 2186{ 2187* 2188 ASSERT_CRED_LABEL(cred->cr_label); 2189 ASSERT_VNODE_LABEL(dlabel); 2190 2191 return (0); 2192} 2193 2194static int 2195mac_test_check_vnode_readlink(struct ucred cred, struct vnode vp, 2196 struct label vnodelabel) 2197{ 2198* 2199 ASSERT_CRED_LABEL(cred->cr_label); 2200 ASSERT_VNODE_LABEL(vnodelabel); 2201 2202 return (0); 2203} 2204 2205static int 2206mac_test_check_vnode_relabel(struct ucred cred, struct vnode vp, 2207 struct label vnodelabel, struct label newlabel) 2208{ 2209 2210 ASSERT_CRED_LABEL(cred->cr_label); 2211 ASSERT_VNODE_LABEL(vnodelabel); 2212 ASSERT_VNODE_LABEL(newlabel); 2213 2214 return (0); 2215} 2216 2217static int 2218mac_test_check_vnode_rename_from(struct ucred cred, struct vnode dvp, 2219 struct label dlabel, struct vnode vp, struct label label, 2220* struct componentname cnp) 2221{ 2222* 2223 ASSERT_CRED_LABEL(cred->cr_label); 2224 ASSERT_VNODE_LABEL(dlabel); 2225 ASSERT_VNODE_LABEL(label); 2226 2227 return (0); 2228} 2229 2230static int 2231mac_test_check_vnode_rename_to(struct ucred cred, struct vnode dvp, 2232 struct label dlabel, struct vnode vp, struct label label, int samedir, 2233* struct componentname cnp) 2234{ 2235* 2236 ASSERT_CRED_LABEL(cred->cr_label); 2237 ASSERT_VNODE_LABEL(dlabel); 2238 2239 if (vp != NULL) { 2240 ASSERT_VNODE_LABEL(label); 2241 } 2242 2243 return (0); 2244} 2245 2246static int 2247mac_test_check_vnode_revoke(struct ucred cred, struct vnode vp, 2248 struct label label) 2249{ 2250* 2251 ASSERT_CRED_LABEL(cred->cr_label); 2252 ASSERT_VNODE_LABEL(label); 2253 2254 return (0); 2255} 2256 2257static int 2258mac_test_check_vnode_setacl(struct ucred cred, struct vnode vp, 2259 struct label label, acl_type_t type, struct acl acl) 2260{ 2261 2262 ASSERT_CRED_LABEL(cred->cr_label); 2263 ASSERT_VNODE_LABEL(label); 2264 2265 return (0); 2266} 2267 2268static int 2269mac_test_check_vnode_setextattr(struct ucred cred, struct vnode vp, 2270 struct label label, int attrnamespace, const char name, struct uio uio) 2271{ 2272* 2273 ASSERT_CRED_LABEL(cred->cr_label); 2274 ASSERT_VNODE_LABEL(label); 2275 2276 return (0); 2277} 2278 2279static int 2280mac_test_check_vnode_setflags(struct ucred cred, struct vnode vp, 2281 struct label label, u_long flags) 2282{ 2283* 2284 ASSERT_CRED_LABEL(cred->cr_label); 2285 ASSERT_VNODE_LABEL(label); 2286 2287 return (0); 2288} 2289 2290static int 2291mac_test_check_vnode_setmode(struct ucred cred, struct vnode vp, 2292 struct label label, mode_t mode) 2293{ 2294* 2295 ASSERT_CRED_LABEL(cred->cr_label); 2296 ASSERT_VNODE_LABEL(label); 2297 2298 return (0); 2299} 2300 2301static int 2302mac_test_check_vnode_setowner(struct ucred cred, struct vnode vp, 2303 struct label label, uid_t uid, gid_t gid) 2304{ 2305* 2306 ASSERT_CRED_LABEL(cred->cr_label); 2307 ASSERT_VNODE_LABEL(label); 2308 2309 return (0); 2310} 2311 2312static int 2313mac_test_check_vnode_setutimes(struct ucred cred, struct vnode vp, 2314 struct label label, struct timespec atime, struct timespec mtime) 2315{ 2316* 2317 ASSERT_CRED_LABEL(cred->cr_label); 2318 ASSERT_VNODE_LABEL(label); 2319 2320 return (0); 2321} 2322 2323static int 2324mac_test_check_vnode_stat(struct ucred active_cred, struct ucred file_cred, 2325 struct vnode vp, struct label label) 2326{ 2327 2328 ASSERT_CRED_LABEL(active_cred->cr_label); 2329 if (file_cred != NULL) { 2330 ASSERT_CRED_LABEL(file_cred->cr_label); 2331 } 2332 ASSERT_VNODE_LABEL(label); 2333 2334 return (0); 2335} 2336 2337static int 2338mac_test_check_vnode_write(struct ucred active_cred, 2339* struct ucred file_cred, struct vnode vp, struct label label) 2340{ 2341* 2342 ASSERT_CRED_LABEL(active_cred->cr_label); 2343 if (file_cred != NULL) { 2344 ASSERT_CRED_LABEL(file_cred->cr_label); 2345 } 2346 ASSERT_VNODE_LABEL(label); 2347 2348 return (0); 2349} 2350 2351static struct mac_policy_ops mac_test_ops = 2352{ 2353 .mpo_destroy = mac_test_destroy, 2354 .mpo_init = mac_test_init, 2355 .mpo_syscall = mac_test_syscall, 2356 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label, 2357 .mpo_init_cred_label = mac_test_init_cred_label, 2358 .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label, 2359 .mpo_init_ifnet_label = mac_test_init_ifnet_label, 2360 .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label, 2361 .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label, 2362 .mpo_init_sysv_sema_label = mac_test_init_sysv_sema_label, 2363 .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label, 2364 .mpo_init_inpcb_label = mac_test_init_inpcb_label, 2365 .mpo_init_ipq_label = mac_test_init_ipq_label, 2366 .mpo_init_mbuf_label = mac_test_init_mbuf_label, 2367 .mpo_init_mount_label = mac_test_init_mount_label, 2368 .mpo_init_mount_fs_label = mac_test_init_mount_fs_label, 2369 .mpo_init_pipe_label = mac_test_init_pipe_label, 2370 .mpo_init_proc_label = mac_test_init_proc_label, 2371 .mpo_init_socket_label = mac_test_init_socket_label, 2372 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label, 2373 .mpo_init_vnode_label = mac_test_init_vnode_label, 2374 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label, 2375 .mpo_destroy_cred_label = mac_test_destroy_cred_label, 2376 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label, 2377 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label, 2378 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label, 2379 .mpo_destroy_sysv_msgqueue_label = 2380 mac_test_destroy_sysv_msgqueue_label, 2381 .mpo_destroy_sysv_sema_label = mac_test_destroy_sysv_sema_label, 2382 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label, 2383 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label, 2384 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 2385 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 2386 .mpo_destroy_mount_label = mac_test_destroy_mount_label, 2387 .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label, 2388 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, 2389 .mpo_destroy_proc_label = mac_test_destroy_proc_label, 2390 .mpo_destroy_socket_label = mac_test_destroy_socket_label, 2391 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 2392 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 2393 .mpo_copy_cred_label = mac_test_copy_cred_label, 2394 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label, 2395 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label, 2396 .mpo_copy_pipe_label = mac_test_copy_pipe_label, 2397 .mpo_copy_socket_label = mac_test_copy_socket_label, 2398 .mpo_copy_vnode_label = mac_test_copy_vnode_label, 2399 .mpo_externalize_cred_label = mac_test_externalize_label, 2400 .mpo_externalize_ifnet_label = mac_test_externalize_label, 2401 .mpo_externalize_pipe_label = mac_test_externalize_label, 2402 .mpo_externalize_socket_label = mac_test_externalize_label, 2403 .mpo_externalize_socket_peer_label = mac_test_externalize_label, 2404 .mpo_externalize_vnode_label = mac_test_externalize_label, 2405 .mpo_internalize_cred_label = mac_test_internalize_label, 2406 .mpo_internalize_ifnet_label = mac_test_internalize_label, 2407 .mpo_internalize_pipe_label = mac_test_internalize_label, 2408 .mpo_internalize_socket_label = mac_test_internalize_label, 2409 .mpo_internalize_vnode_label = mac_test_internalize_label, 2410 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 2411 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 2412 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 2413 .mpo_create_devfs_device = mac_test_create_devfs_device, 2414 .mpo_create_devfs_directory = mac_test_create_devfs_directory, 2415 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 2416 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 2417 .mpo_create_mount = mac_test_create_mount, 2418 .mpo_create_root_mount = mac_test_create_root_mount, 2419 .mpo_relabel_vnode = mac_test_relabel_vnode, 2420 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, 2421 .mpo_update_devfsdirent = mac_test_update_devfsdirent, 2422 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 2423 .mpo_create_pipe = mac_test_create_pipe, 2424 .mpo_create_socket = mac_test_create_socket, 2425 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, 2426 .mpo_relabel_pipe = mac_test_relabel_pipe, 2427 .mpo_relabel_socket = mac_test_relabel_socket, 2428 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 2429 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 2430 .mpo_create_bpfdesc = mac_test_create_bpfdesc, 2431 .mpo_create_ifnet = mac_test_create_ifnet, 2432 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket, 2433 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg, 2434 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue, 2435 .mpo_create_sysv_sema = mac_test_create_sysv_sema, 2436 .mpo_create_sysv_shm = mac_test_create_sysv_shm, 2437 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 2438 .mpo_create_fragment = mac_test_create_fragment, 2439 .mpo_create_ipq = mac_test_create_ipq, 2440 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb, 2441 .mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf, 2442 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 2443 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 2444 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 2445 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 2446 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 2447 .mpo_fragment_match = mac_test_fragment_match, 2448 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp, 2449 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp, 2450 .mpo_relabel_ifnet = mac_test_relabel_ifnet, 2451 .mpo_update_ipq = mac_test_update_ipq, 2452 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel, 2453 .mpo_execve_transition = mac_test_execve_transition, 2454 .mpo_execve_will_transition = mac_test_execve_will_transition, 2455 .mpo_create_proc0 = mac_test_create_proc0, 2456 .mpo_create_proc1 = mac_test_create_proc1, 2457 .mpo_relabel_cred = mac_test_relabel_cred, 2458 .mpo_thread_userret = mac_test_thread_userret, 2459 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg, 2460 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue, 2461 .mpo_cleanup_sysv_sema = mac_test_cleanup_sysv_sema, 2462 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm, 2463 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 2464 .mpo_check_cred_relabel = mac_test_check_cred_relabel, 2465 .mpo_check_cred_visible = mac_test_check_cred_visible, 2466 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 2467 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, 2468 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver, 2469 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq, 2470 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv, 2471 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid, 2472 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget, 2473 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd, 2474 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv, 2475 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl, 2476 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl, 2477 .mpo_check_sysv_semget = mac_test_check_sysv_semget, 2478 .mpo_check_sysv_semop = mac_test_check_sysv_semop, 2479 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat, 2480 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl, 2481 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt, 2482 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget, 2483 .mpo_check_kenv_dump = mac_test_check_kenv_dump, 2484 .mpo_check_kenv_get = mac_test_check_kenv_get, 2485 .mpo_check_kenv_set = mac_test_check_kenv_set, 2486 .mpo_check_kenv_unset = mac_test_check_kenv_unset, 2487 .mpo_check_kld_load = mac_test_check_kld_load, 2488 .mpo_check_kld_stat = mac_test_check_kld_stat, 2489 .mpo_check_kld_unload = mac_test_check_kld_unload, 2490 .mpo_check_mount_stat = mac_test_check_mount_stat, 2491 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 2492 .mpo_check_pipe_poll = mac_test_check_pipe_poll, 2493 .mpo_check_pipe_read = mac_test_check_pipe_read, 2494 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, 2495 .mpo_check_pipe_stat = mac_test_check_pipe_stat, 2496 .mpo_check_pipe_write = mac_test_check_pipe_write, 2497 .mpo_check_proc_debug = mac_test_check_proc_debug, 2498 .mpo_check_proc_sched = mac_test_check_proc_sched, 2499 .mpo_check_proc_setuid = mac_test_check_proc_setuid, 2500 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid, 2501 .mpo_check_proc_setgid = mac_test_check_proc_setgid, 2502 .mpo_check_proc_setegid = mac_test_check_proc_setegid, 2503 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups, 2504 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid, 2505 .mpo_check_proc_setregid = mac_test_check_proc_setregid, 2506 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid, 2507 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid, 2508 .mpo_check_proc_signal = mac_test_check_proc_signal,	1804mac_test_check_socket_accept(struct ucred cred, struct socket socket, 1805 struct label socketlabel) 1806{ 1807* 1808 ASSERT_CRED_LABEL(cred->cr_label); 1809 ASSERT_SOCKET_LABEL(socketlabel); 1810 1811 return (0); 1812} 1813 1814static int 1815mac_test_check_socket_bind(struct ucred cred, struct socket socket, 1816 struct label socketlabel, struct sockaddr sockaddr) 1817{ 1818 1819 ASSERT_CRED_LABEL(cred->cr_label); 1820 ASSERT_SOCKET_LABEL(socketlabel); 1821 1822 return (0); 1823} 1824 1825static int 1826mac_test_check_socket_connect(struct ucred cred, struct socket socket, 1827 struct label socketlabel, struct sockaddr sockaddr) 1828{ 1829 1830 ASSERT_CRED_LABEL(cred->cr_label); 1831 ASSERT_SOCKET_LABEL(socketlabel); 1832 1833 return (0); 1834} 1835 1836static int 1837mac_test_check_socket_deliver(struct socket socket, struct label socketlabel, 1838 struct mbuf m, struct label mbuflabel) 1839{ 1840 1841 ASSERT_SOCKET_LABEL(socketlabel); 1842 ASSERT_MBUF_LABEL(mbuflabel); 1843 1844 return (0); 1845} 1846 1847static int 1848mac_test_check_socket_listen(struct ucred cred, struct socket socket, 1849 struct label socketlabel) 1850{ 1851* 1852 ASSERT_CRED_LABEL(cred->cr_label); 1853 ASSERT_SOCKET_LABEL(socketlabel); 1854 1855 return (0); 1856} 1857 1858static int 1859mac_test_check_socket_poll(struct ucred cred, struct socket socket, 1860 struct label socketlabel) 1861{ 1862* 1863 ASSERT_CRED_LABEL(cred->cr_label); 1864 ASSERT_SOCKET_LABEL(socketlabel); 1865 1866 return (0); 1867} 1868 1869static int 1870mac_test_check_socket_receive(struct ucred cred, struct socket socket, 1871 struct label socketlabel) 1872{ 1873* 1874 ASSERT_CRED_LABEL(cred->cr_label); 1875 ASSERT_SOCKET_LABEL(socketlabel); 1876 1877 return (0); 1878} 1879 1880static int 1881mac_test_check_socket_relabel(struct ucred cred, struct socket socket, 1882 struct label socketlabel, struct label newlabel) 1883{ 1884 1885 ASSERT_CRED_LABEL(cred->cr_label); 1886 ASSERT_SOCKET_LABEL(socketlabel); 1887 ASSERT_SOCKET_LABEL(newlabel); 1888 1889 return (0); 1890} 1891 1892static int 1893mac_test_check_socket_send(struct ucred cred, struct socket socket, 1894 struct label socketlabel) 1895{ 1896* 1897 ASSERT_CRED_LABEL(cred->cr_label); 1898 ASSERT_SOCKET_LABEL(socketlabel); 1899 1900 return (0); 1901} 1902 1903static int 1904mac_test_check_socket_stat(struct ucred cred, struct socket socket, 1905 struct label socketlabel) 1906{ 1907* 1908 ASSERT_CRED_LABEL(cred->cr_label); 1909 ASSERT_SOCKET_LABEL(socketlabel); 1910 1911 return (0); 1912} 1913 1914static int 1915mac_test_check_socket_visible(struct ucred cred, struct socket socket, 1916 struct label socketlabel) 1917{ 1918* 1919 ASSERT_CRED_LABEL(cred->cr_label); 1920 ASSERT_SOCKET_LABEL(socketlabel); 1921 1922 return (0); 1923} 1924 1925static int 1926mac_test_check_sysarch_ioperm(struct ucred cred) 1927{ 1928* 1929 ASSERT_CRED_LABEL(cred->cr_label); 1930 1931 return (0); 1932} 1933 1934static int 1935mac_test_check_system_acct(struct ucred cred, struct vnode vp, 1936 struct label label) 1937{ 1938* 1939 ASSERT_CRED_LABEL(cred->cr_label); 1940 1941 return (0); 1942} 1943 1944static int 1945mac_test_check_system_reboot(struct ucred cred, int how) 1946{ 1947* 1948 ASSERT_CRED_LABEL(cred->cr_label); 1949 1950 return (0); 1951} 1952 1953static int 1954mac_test_check_system_settime(struct ucred cred) 1955{ 1956* 1957 ASSERT_CRED_LABEL(cred->cr_label); 1958 1959 return (0); 1960} 1961 1962static int 1963mac_test_check_system_swapon(struct ucred cred, struct vnode vp, 1964 struct label label) 1965{ 1966* 1967 ASSERT_CRED_LABEL(cred->cr_label); 1968 ASSERT_VNODE_LABEL(label); 1969 1970 return (0); 1971} 1972 1973static int 1974mac_test_check_system_swapoff(struct ucred cred, struct vnode vp, 1975 struct label label) 1976{ 1977* 1978 ASSERT_CRED_LABEL(cred->cr_label); 1979 ASSERT_VNODE_LABEL(label); 1980 1981 return (0); 1982} 1983 1984static int 1985mac_test_check_system_sysctl(struct ucred cred, struct sysctl_oid oidp, 1986 void arg1, int arg2, struct sysctl_req req) 1987{ 1988 1989 ASSERT_CRED_LABEL(cred->cr_label); 1990 1991 return (0); 1992} 1993 1994static int 1995mac_test_check_vnode_access(struct ucred cred, struct vnode vp, 1996 struct label label, int acc_mode) 1997{ 1998* 1999 ASSERT_CRED_LABEL(cred->cr_label); 2000 ASSERT_VNODE_LABEL(label); 2001 2002 return (0); 2003} 2004 2005static int 2006mac_test_check_vnode_chdir(struct ucred cred, struct vnode dvp, 2007 struct label dlabel) 2008{ 2009* 2010 ASSERT_CRED_LABEL(cred->cr_label); 2011 ASSERT_VNODE_LABEL(dlabel); 2012 2013 return (0); 2014} 2015 2016static int 2017mac_test_check_vnode_chroot(struct ucred cred, struct vnode dvp, 2018 struct label dlabel) 2019{ 2020* 2021 ASSERT_CRED_LABEL(cred->cr_label); 2022 ASSERT_VNODE_LABEL(dlabel); 2023 2024 return (0); 2025} 2026 2027static int 2028mac_test_check_vnode_create(struct ucred cred, struct vnode dvp, 2029 struct label dlabel, struct componentname cnp, struct vattr vap) 2030{ 2031* 2032 ASSERT_CRED_LABEL(cred->cr_label); 2033 ASSERT_VNODE_LABEL(dlabel); 2034 2035 return (0); 2036} 2037 2038static int 2039mac_test_check_vnode_delete(struct ucred cred, struct vnode dvp, 2040 struct label dlabel, struct vnode vp, struct label label, 2041* struct componentname cnp) 2042{ 2043* 2044 ASSERT_CRED_LABEL(cred->cr_label); 2045 ASSERT_VNODE_LABEL(dlabel); 2046 ASSERT_VNODE_LABEL(label); 2047 2048 return (0); 2049} 2050 2051static int 2052mac_test_check_vnode_deleteacl(struct ucred cred, struct vnode vp, 2053 struct label label, acl_type_t type) 2054{ 2055* 2056 ASSERT_CRED_LABEL(cred->cr_label); 2057 ASSERT_VNODE_LABEL(label); 2058 2059 return (0); 2060} 2061 2062static int 2063mac_test_check_vnode_deleteextattr(struct ucred cred, struct vnode vp, 2064 struct label label, int attrnamespace, const char name) 2065{ 2066 2067 ASSERT_CRED_LABEL(cred->cr_label); 2068 ASSERT_VNODE_LABEL(label); 2069 2070 return (0); 2071} 2072 2073static int 2074mac_test_check_vnode_exec(struct ucred cred, struct vnode vp, 2075 struct label label, struct image_params imgp, 2076 struct label execlabel) 2077{ 2078* 2079 ASSERT_CRED_LABEL(cred->cr_label); 2080 ASSERT_VNODE_LABEL(label); 2081 if (execlabel != NULL) { 2082 ASSERT_CRED_LABEL(execlabel); 2083 } 2084 2085 return (0); 2086} 2087 2088static int 2089mac_test_check_vnode_getacl(struct ucred cred, struct vnode vp, 2090 struct label label, acl_type_t type) 2091{ 2092* 2093 ASSERT_CRED_LABEL(cred->cr_label); 2094 ASSERT_VNODE_LABEL(label); 2095 2096 return (0); 2097} 2098 2099static int 2100mac_test_check_vnode_getextattr(struct ucred cred, struct vnode vp, 2101 struct label label, int attrnamespace, const char name, struct uio uio) 2102{ 2103* 2104 ASSERT_CRED_LABEL(cred->cr_label); 2105 ASSERT_VNODE_LABEL(label); 2106 2107 return (0); 2108} 2109 2110static int 2111mac_test_check_vnode_link(struct ucred cred, struct vnode dvp, 2112 struct label dlabel, struct vnode vp, struct label label, 2113* struct componentname cnp) 2114{ 2115* 2116 ASSERT_CRED_LABEL(cred->cr_label); 2117 ASSERT_VNODE_LABEL(dlabel); 2118 ASSERT_VNODE_LABEL(label); 2119 2120 return (0); 2121} 2122 2123static int 2124mac_test_check_vnode_listextattr(struct ucred cred, struct vnode vp, 2125 struct label label, int attrnamespace) 2126{ 2127* 2128 ASSERT_CRED_LABEL(cred->cr_label); 2129 ASSERT_VNODE_LABEL(label); 2130 2131 return (0); 2132} 2133 2134static int 2135mac_test_check_vnode_lookup(struct ucred cred, struct vnode dvp, 2136 struct label dlabel, struct componentname cnp) 2137{ 2138 2139 ASSERT_CRED_LABEL(cred->cr_label); 2140 ASSERT_VNODE_LABEL(dlabel); 2141 2142 return (0); 2143} 2144 2145static int 2146mac_test_check_vnode_mmap(struct ucred cred, struct vnode vp, 2147 struct label label, int prot, int flags) 2148{ 2149* 2150 ASSERT_CRED_LABEL(cred->cr_label); 2151 ASSERT_VNODE_LABEL(label); 2152 2153 return (0); 2154} 2155 2156static int 2157mac_test_check_vnode_open(struct ucred cred, struct vnode vp, 2158 struct label filelabel, int acc_mode) 2159{ 2160* 2161 ASSERT_CRED_LABEL(cred->cr_label); 2162 ASSERT_VNODE_LABEL(filelabel); 2163 2164 return (0); 2165} 2166 2167static int 2168mac_test_check_vnode_poll(struct ucred active_cred, struct ucred file_cred, 2169 struct vnode vp, struct label label) 2170{ 2171 2172 ASSERT_CRED_LABEL(active_cred->cr_label); 2173 ASSERT_CRED_LABEL(file_cred->cr_label); 2174 ASSERT_VNODE_LABEL(label); 2175 2176 return (0); 2177} 2178 2179static int 2180mac_test_check_vnode_read(struct ucred active_cred, struct ucred file_cred, 2181 struct vnode vp, struct label label) 2182{ 2183 2184 ASSERT_CRED_LABEL(active_cred->cr_label); 2185 if (file_cred != NULL) { 2186 ASSERT_CRED_LABEL(file_cred->cr_label); 2187 } 2188 ASSERT_VNODE_LABEL(label); 2189 2190 return (0); 2191} 2192 2193static int 2194mac_test_check_vnode_readdir(struct ucred cred, struct vnode dvp, 2195 struct label dlabel) 2196{ 2197* 2198 ASSERT_CRED_LABEL(cred->cr_label); 2199 ASSERT_VNODE_LABEL(dlabel); 2200 2201 return (0); 2202} 2203 2204static int 2205mac_test_check_vnode_readlink(struct ucred cred, struct vnode vp, 2206 struct label vnodelabel) 2207{ 2208* 2209 ASSERT_CRED_LABEL(cred->cr_label); 2210 ASSERT_VNODE_LABEL(vnodelabel); 2211 2212 return (0); 2213} 2214 2215static int 2216mac_test_check_vnode_relabel(struct ucred cred, struct vnode vp, 2217 struct label vnodelabel, struct label newlabel) 2218{ 2219 2220 ASSERT_CRED_LABEL(cred->cr_label); 2221 ASSERT_VNODE_LABEL(vnodelabel); 2222 ASSERT_VNODE_LABEL(newlabel); 2223 2224 return (0); 2225} 2226 2227static int 2228mac_test_check_vnode_rename_from(struct ucred cred, struct vnode dvp, 2229 struct label dlabel, struct vnode vp, struct label label, 2230* struct componentname cnp) 2231{ 2232* 2233 ASSERT_CRED_LABEL(cred->cr_label); 2234 ASSERT_VNODE_LABEL(dlabel); 2235 ASSERT_VNODE_LABEL(label); 2236 2237 return (0); 2238} 2239 2240static int 2241mac_test_check_vnode_rename_to(struct ucred cred, struct vnode dvp, 2242 struct label dlabel, struct vnode vp, struct label label, int samedir, 2243* struct componentname cnp) 2244{ 2245* 2246 ASSERT_CRED_LABEL(cred->cr_label); 2247 ASSERT_VNODE_LABEL(dlabel); 2248 2249 if (vp != NULL) { 2250 ASSERT_VNODE_LABEL(label); 2251 } 2252 2253 return (0); 2254} 2255 2256static int 2257mac_test_check_vnode_revoke(struct ucred cred, struct vnode vp, 2258 struct label label) 2259{ 2260* 2261 ASSERT_CRED_LABEL(cred->cr_label); 2262 ASSERT_VNODE_LABEL(label); 2263 2264 return (0); 2265} 2266 2267static int 2268mac_test_check_vnode_setacl(struct ucred cred, struct vnode vp, 2269 struct label label, acl_type_t type, struct acl acl) 2270{ 2271 2272 ASSERT_CRED_LABEL(cred->cr_label); 2273 ASSERT_VNODE_LABEL(label); 2274 2275 return (0); 2276} 2277 2278static int 2279mac_test_check_vnode_setextattr(struct ucred cred, struct vnode vp, 2280 struct label label, int attrnamespace, const char name, struct uio uio) 2281{ 2282* 2283 ASSERT_CRED_LABEL(cred->cr_label); 2284 ASSERT_VNODE_LABEL(label); 2285 2286 return (0); 2287} 2288 2289static int 2290mac_test_check_vnode_setflags(struct ucred cred, struct vnode vp, 2291 struct label label, u_long flags) 2292{ 2293* 2294 ASSERT_CRED_LABEL(cred->cr_label); 2295 ASSERT_VNODE_LABEL(label); 2296 2297 return (0); 2298} 2299 2300static int 2301mac_test_check_vnode_setmode(struct ucred cred, struct vnode vp, 2302 struct label label, mode_t mode) 2303{ 2304* 2305 ASSERT_CRED_LABEL(cred->cr_label); 2306 ASSERT_VNODE_LABEL(label); 2307 2308 return (0); 2309} 2310 2311static int 2312mac_test_check_vnode_setowner(struct ucred cred, struct vnode vp, 2313 struct label label, uid_t uid, gid_t gid) 2314{ 2315* 2316 ASSERT_CRED_LABEL(cred->cr_label); 2317 ASSERT_VNODE_LABEL(label); 2318 2319 return (0); 2320} 2321 2322static int 2323mac_test_check_vnode_setutimes(struct ucred cred, struct vnode vp, 2324 struct label label, struct timespec atime, struct timespec mtime) 2325{ 2326* 2327 ASSERT_CRED_LABEL(cred->cr_label); 2328 ASSERT_VNODE_LABEL(label); 2329 2330 return (0); 2331} 2332 2333static int 2334mac_test_check_vnode_stat(struct ucred active_cred, struct ucred file_cred, 2335 struct vnode vp, struct label label) 2336{ 2337 2338 ASSERT_CRED_LABEL(active_cred->cr_label); 2339 if (file_cred != NULL) { 2340 ASSERT_CRED_LABEL(file_cred->cr_label); 2341 } 2342 ASSERT_VNODE_LABEL(label); 2343 2344 return (0); 2345} 2346 2347static int 2348mac_test_check_vnode_write(struct ucred active_cred, 2349* struct ucred file_cred, struct vnode vp, struct label label) 2350{ 2351* 2352 ASSERT_CRED_LABEL(active_cred->cr_label); 2353 if (file_cred != NULL) { 2354 ASSERT_CRED_LABEL(file_cred->cr_label); 2355 } 2356 ASSERT_VNODE_LABEL(label); 2357 2358 return (0); 2359} 2360 2361static struct mac_policy_ops mac_test_ops = 2362{ 2363 .mpo_destroy = mac_test_destroy, 2364 .mpo_init = mac_test_init, 2365 .mpo_syscall = mac_test_syscall, 2366 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label, 2367 .mpo_init_cred_label = mac_test_init_cred_label, 2368 .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label, 2369 .mpo_init_ifnet_label = mac_test_init_ifnet_label, 2370 .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label, 2371 .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label, 2372 .mpo_init_sysv_sema_label = mac_test_init_sysv_sema_label, 2373 .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label, 2374 .mpo_init_inpcb_label = mac_test_init_inpcb_label, 2375 .mpo_init_ipq_label = mac_test_init_ipq_label, 2376 .mpo_init_mbuf_label = mac_test_init_mbuf_label, 2377 .mpo_init_mount_label = mac_test_init_mount_label, 2378 .mpo_init_mount_fs_label = mac_test_init_mount_fs_label, 2379 .mpo_init_pipe_label = mac_test_init_pipe_label, 2380 .mpo_init_proc_label = mac_test_init_proc_label, 2381 .mpo_init_socket_label = mac_test_init_socket_label, 2382 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label, 2383 .mpo_init_vnode_label = mac_test_init_vnode_label, 2384 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label, 2385 .mpo_destroy_cred_label = mac_test_destroy_cred_label, 2386 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label, 2387 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label, 2388 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label, 2389 .mpo_destroy_sysv_msgqueue_label = 2390 mac_test_destroy_sysv_msgqueue_label, 2391 .mpo_destroy_sysv_sema_label = mac_test_destroy_sysv_sema_label, 2392 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label, 2393 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label, 2394 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 2395 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 2396 .mpo_destroy_mount_label = mac_test_destroy_mount_label, 2397 .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label, 2398 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, 2399 .mpo_destroy_proc_label = mac_test_destroy_proc_label, 2400 .mpo_destroy_socket_label = mac_test_destroy_socket_label, 2401 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 2402 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 2403 .mpo_copy_cred_label = mac_test_copy_cred_label, 2404 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label, 2405 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label, 2406 .mpo_copy_pipe_label = mac_test_copy_pipe_label, 2407 .mpo_copy_socket_label = mac_test_copy_socket_label, 2408 .mpo_copy_vnode_label = mac_test_copy_vnode_label, 2409 .mpo_externalize_cred_label = mac_test_externalize_label, 2410 .mpo_externalize_ifnet_label = mac_test_externalize_label, 2411 .mpo_externalize_pipe_label = mac_test_externalize_label, 2412 .mpo_externalize_socket_label = mac_test_externalize_label, 2413 .mpo_externalize_socket_peer_label = mac_test_externalize_label, 2414 .mpo_externalize_vnode_label = mac_test_externalize_label, 2415 .mpo_internalize_cred_label = mac_test_internalize_label, 2416 .mpo_internalize_ifnet_label = mac_test_internalize_label, 2417 .mpo_internalize_pipe_label = mac_test_internalize_label, 2418 .mpo_internalize_socket_label = mac_test_internalize_label, 2419 .mpo_internalize_vnode_label = mac_test_internalize_label, 2420 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 2421 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 2422 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 2423 .mpo_create_devfs_device = mac_test_create_devfs_device, 2424 .mpo_create_devfs_directory = mac_test_create_devfs_directory, 2425 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 2426 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 2427 .mpo_create_mount = mac_test_create_mount, 2428 .mpo_create_root_mount = mac_test_create_root_mount, 2429 .mpo_relabel_vnode = mac_test_relabel_vnode, 2430 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, 2431 .mpo_update_devfsdirent = mac_test_update_devfsdirent, 2432 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 2433 .mpo_create_pipe = mac_test_create_pipe, 2434 .mpo_create_socket = mac_test_create_socket, 2435 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, 2436 .mpo_relabel_pipe = mac_test_relabel_pipe, 2437 .mpo_relabel_socket = mac_test_relabel_socket, 2438 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 2439 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 2440 .mpo_create_bpfdesc = mac_test_create_bpfdesc, 2441 .mpo_create_ifnet = mac_test_create_ifnet, 2442 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket, 2443 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg, 2444 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue, 2445 .mpo_create_sysv_sema = mac_test_create_sysv_sema, 2446 .mpo_create_sysv_shm = mac_test_create_sysv_shm, 2447 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 2448 .mpo_create_fragment = mac_test_create_fragment, 2449 .mpo_create_ipq = mac_test_create_ipq, 2450 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb, 2451 .mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf, 2452 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 2453 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 2454 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 2455 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 2456 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 2457 .mpo_fragment_match = mac_test_fragment_match, 2458 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp, 2459 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp, 2460 .mpo_relabel_ifnet = mac_test_relabel_ifnet, 2461 .mpo_update_ipq = mac_test_update_ipq, 2462 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel, 2463 .mpo_execve_transition = mac_test_execve_transition, 2464 .mpo_execve_will_transition = mac_test_execve_will_transition, 2465 .mpo_create_proc0 = mac_test_create_proc0, 2466 .mpo_create_proc1 = mac_test_create_proc1, 2467 .mpo_relabel_cred = mac_test_relabel_cred, 2468 .mpo_thread_userret = mac_test_thread_userret, 2469 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg, 2470 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue, 2471 .mpo_cleanup_sysv_sema = mac_test_cleanup_sysv_sema, 2472 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm, 2473 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 2474 .mpo_check_cred_relabel = mac_test_check_cred_relabel, 2475 .mpo_check_cred_visible = mac_test_check_cred_visible, 2476 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 2477 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, 2478 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver, 2479 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq, 2480 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv, 2481 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid, 2482 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget, 2483 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd, 2484 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv, 2485 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl, 2486 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl, 2487 .mpo_check_sysv_semget = mac_test_check_sysv_semget, 2488 .mpo_check_sysv_semop = mac_test_check_sysv_semop, 2489 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat, 2490 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl, 2491 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt, 2492 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget, 2493 .mpo_check_kenv_dump = mac_test_check_kenv_dump, 2494 .mpo_check_kenv_get = mac_test_check_kenv_get, 2495 .mpo_check_kenv_set = mac_test_check_kenv_set, 2496 .mpo_check_kenv_unset = mac_test_check_kenv_unset, 2497 .mpo_check_kld_load = mac_test_check_kld_load, 2498 .mpo_check_kld_stat = mac_test_check_kld_stat, 2499 .mpo_check_kld_unload = mac_test_check_kld_unload, 2500 .mpo_check_mount_stat = mac_test_check_mount_stat, 2501 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 2502 .mpo_check_pipe_poll = mac_test_check_pipe_poll, 2503 .mpo_check_pipe_read = mac_test_check_pipe_read, 2504 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, 2505 .mpo_check_pipe_stat = mac_test_check_pipe_stat, 2506 .mpo_check_pipe_write = mac_test_check_pipe_write, 2507 .mpo_check_proc_debug = mac_test_check_proc_debug, 2508 .mpo_check_proc_sched = mac_test_check_proc_sched, 2509 .mpo_check_proc_setuid = mac_test_check_proc_setuid, 2510 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid, 2511 .mpo_check_proc_setgid = mac_test_check_proc_setgid, 2512 .mpo_check_proc_setegid = mac_test_check_proc_setegid, 2513 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups, 2514 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid, 2515 .mpo_check_proc_setregid = mac_test_check_proc_setregid, 2516 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid, 2517 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid, 2518 .mpo_check_proc_signal = mac_test_check_proc_signal,
	2519 .mpo_check_proc_wait = mac_test_check_proc_wait,
2509 .mpo_check_socket_accept = mac_test_check_socket_accept, 2510 .mpo_check_socket_bind = mac_test_check_socket_bind, 2511 .mpo_check_socket_connect = mac_test_check_socket_connect, 2512 .mpo_check_socket_deliver = mac_test_check_socket_deliver, 2513 .mpo_check_socket_listen = mac_test_check_socket_listen, 2514 .mpo_check_socket_poll = mac_test_check_socket_poll, 2515 .mpo_check_socket_receive = mac_test_check_socket_receive, 2516 .mpo_check_socket_relabel = mac_test_check_socket_relabel, 2517 .mpo_check_socket_send = mac_test_check_socket_send, 2518 .mpo_check_socket_stat = mac_test_check_socket_stat, 2519 .mpo_check_socket_visible = mac_test_check_socket_visible, 2520 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, 2521 .mpo_check_system_acct = mac_test_check_system_acct, 2522 .mpo_check_system_reboot = mac_test_check_system_reboot, 2523 .mpo_check_system_settime = mac_test_check_system_settime, 2524 .mpo_check_system_swapon = mac_test_check_system_swapon, 2525 .mpo_check_system_swapoff = mac_test_check_system_swapoff, 2526 .mpo_check_system_sysctl = mac_test_check_system_sysctl, 2527 .mpo_check_vnode_access = mac_test_check_vnode_access, 2528 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 2529 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 2530 .mpo_check_vnode_create = mac_test_check_vnode_create, 2531 .mpo_check_vnode_delete = mac_test_check_vnode_delete, 2532 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 2533 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr, 2534 .mpo_check_vnode_exec = mac_test_check_vnode_exec, 2535 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 2536 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 2537 .mpo_check_vnode_link = mac_test_check_vnode_link, 2538 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr, 2539 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 2540 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 2541 .mpo_check_vnode_open = mac_test_check_vnode_open, 2542 .mpo_check_vnode_poll = mac_test_check_vnode_poll, 2543 .mpo_check_vnode_read = mac_test_check_vnode_read, 2544 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 2545 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, 2546 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 2547 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 2548 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, 2549 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke, 2550 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, 2551 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, 2552 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, 2553 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, 2554 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, 2555 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, 2556 .mpo_check_vnode_stat = mac_test_check_vnode_stat, 2557 .mpo_check_vnode_write = mac_test_check_vnode_write, 2558}; 2559 2560MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test", 2561 MPC_LOADTIME_FLAG_UNLOADOK \| MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);	2520 .mpo_check_socket_accept = mac_test_check_socket_accept, 2521 .mpo_check_socket_bind = mac_test_check_socket_bind, 2522 .mpo_check_socket_connect = mac_test_check_socket_connect, 2523 .mpo_check_socket_deliver = mac_test_check_socket_deliver, 2524 .mpo_check_socket_listen = mac_test_check_socket_listen, 2525 .mpo_check_socket_poll = mac_test_check_socket_poll, 2526 .mpo_check_socket_receive = mac_test_check_socket_receive, 2527 .mpo_check_socket_relabel = mac_test_check_socket_relabel, 2528 .mpo_check_socket_send = mac_test_check_socket_send, 2529 .mpo_check_socket_stat = mac_test_check_socket_stat, 2530 .mpo_check_socket_visible = mac_test_check_socket_visible, 2531 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, 2532 .mpo_check_system_acct = mac_test_check_system_acct, 2533 .mpo_check_system_reboot = mac_test_check_system_reboot, 2534 .mpo_check_system_settime = mac_test_check_system_settime, 2535 .mpo_check_system_swapon = mac_test_check_system_swapon, 2536 .mpo_check_system_swapoff = mac_test_check_system_swapoff, 2537 .mpo_check_system_sysctl = mac_test_check_system_sysctl, 2538 .mpo_check_vnode_access = mac_test_check_vnode_access, 2539 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 2540 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 2541 .mpo_check_vnode_create = mac_test_check_vnode_create, 2542 .mpo_check_vnode_delete = mac_test_check_vnode_delete, 2543 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 2544 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr, 2545 .mpo_check_vnode_exec = mac_test_check_vnode_exec, 2546 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 2547 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 2548 .mpo_check_vnode_link = mac_test_check_vnode_link, 2549 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr, 2550 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 2551 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 2552 .mpo_check_vnode_open = mac_test_check_vnode_open, 2553 .mpo_check_vnode_poll = mac_test_check_vnode_poll, 2554 .mpo_check_vnode_read = mac_test_check_vnode_read, 2555 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 2556 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, 2557 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 2558 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 2559 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, 2560 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke, 2561 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, 2562 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, 2563 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, 2564 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, 2565 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, 2566 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, 2567 .mpo_check_vnode_stat = mac_test_check_vnode_stat, 2568 .mpo_check_vnode_write = mac_test_check_vnode_write, 2569}; 2570 2571MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test", 2572 MPC_LOADTIME_FLAG_UNLOADOK \| MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);