Cross Reference: /freebsd-10.3-release/sys/security/mac_test/mac_test.c

Deleted Added

sdiff udiff text old ( 113534 ) new ( 116701 )

full compact

mac_test.c (113534)	mac_test.c (116701)
1/- 2 Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by Network 9 * Associates Laboratories, the Security Research Division of Network 10 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 11 * as part of the DARPA CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 *	1/- 2 Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by Network 9 * Associates Laboratories, the Security Research Division of Network 10 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 11 * as part of the DARPA CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 *
34 * $FreeBSD: head/sys/security/mac_test/mac_test.c 113534 2003-04-15 21:20:34Z rwatson $	34 * $FreeBSD: head/sys/security/mac_test/mac_test.c 116701 2003-06-23 01:26:34Z rwatson $
35 / 36 37/ 38 * Developed by the TrustedBSD Project. 39 * Generic mandatory access module that does nothing. 40 / 41 42#include <sys/types.h> 43#include <sys/param.h> 44#include <sys/acl.h> 45#include <sys/conf.h> 46#include <sys/extattr.h> 47#include <sys/kernel.h> 48#include <sys/mac.h> 49#include <sys/malloc.h> 50#include <sys/mount.h> 51#include <sys/proc.h> 52#include <sys/systm.h> 53#include <sys/sysproto.h> 54#include <sys/sysent.h> 55#include <sys/vnode.h> 56#include <sys/file.h> 57#include <sys/socket.h> 58#include <sys/socketvar.h> 59#include <sys/sysctl.h> 60 61#include <fs/devfs/devfs.h> 62 63#include <net/bpfdesc.h> 64#include <net/if.h> 65#include <net/if_types.h> 66#include <net/if_var.h> 67 68#include <vm/vm.h> 69 70#include <sys/mac_policy.h> 71 72SYSCTL_DECL(_security_mac); 73 74SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, 75 "TrustedBSD mac_test policy controls"); 76 77static int mac_test_enabled = 1; 78SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW, 79 &mac_test_enabled, 0, "Enforce test policy"); 80 81#define BPFMAGIC 0xfe1ad1b6 82#define DEVFSMAGIC 0x9ee79c32 83#define IFNETMAGIC 0xc218b120 84#define IPQMAGIC 0x206188ef 85#define MBUFMAGIC 0xbbefa5bb 86#define MOUNTMAGIC 0xc7c46e47 87#define SOCKETMAGIC 0x9199c6cd 88#define PIPEMAGIC 0xdc6c9919 89#define PROCMAGIC 0x3b4be98f 90#define CREDMAGIC 0x9a5a4987 91#define VNODEMAGIC 0x1a67a45c 92#define EXMAGIC 0x849ba1fd 93 94#define SLOT(x) LABEL_TO_SLOT((x), test_slot).l_long 95static int test_slot; 96SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 97 &test_slot, 0, "Slot allocated by framework"); 98 99static int init_count_bpfdesc; 100SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD, 101* &init_count_bpfdesc, 0, "bpfdesc init calls"); 102static int init_count_cred; 103SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD, 104 &init_count_cred, 0, "cred init calls"); 105static int init_count_devfsdirent; 106SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD, 107 &init_count_devfsdirent, 0, "devfsdirent init calls"); 108static int init_count_ifnet; 109SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD, 110 &init_count_ifnet, 0, "ifnet init calls"); 111static int init_count_ipq; 112SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD, 113 &init_count_ipq, 0, "ipq init calls"); 114static int init_count_mbuf; 115SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD, 116 &init_count_mbuf, 0, "mbuf init calls"); 117static int init_count_mount; 118SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD, 119 &init_count_mount, 0, "mount init calls"); 120static int init_count_mount_fslabel; 121SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD, 122 &init_count_mount_fslabel, 0, "mount_fslabel init calls"); 123static int init_count_socket; 124SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD, 125 &init_count_socket, 0, "socket init calls"); 126static int init_count_socket_peerlabel; 127SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel, 128 CTLFLAG_RD, &init_count_socket_peerlabel, 0, 129 "socket_peerlabel init calls"); 130static int init_count_pipe; 131SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD, 132 &init_count_pipe, 0, "pipe init calls"); 133static int init_count_proc; 134SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD, 135 &init_count_proc, 0, "proc init calls"); 136static int init_count_vnode; 137SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD, 138 &init_count_vnode, 0, "vnode init calls"); 139 140static int destroy_count_bpfdesc; 141SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD, 142 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls"); 143static int destroy_count_cred; 144SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD, 145 &destroy_count_cred, 0, "cred destroy calls"); 146static int destroy_count_devfsdirent; 147SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD, 148 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls"); 149static int destroy_count_ifnet; 150SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD, 151 &destroy_count_ifnet, 0, "ifnet destroy calls"); 152static int destroy_count_ipq; 153SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD, 154 &destroy_count_ipq, 0, "ipq destroy calls"); 155static int destroy_count_mbuf; 156SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD, 157 &destroy_count_mbuf, 0, "mbuf destroy calls"); 158static int destroy_count_mount; 159SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD, 160 &destroy_count_mount, 0, "mount destroy calls"); 161static int destroy_count_mount_fslabel; 162SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel, 163 CTLFLAG_RD, &destroy_count_mount_fslabel, 0, 164 "mount_fslabel destroy calls"); 165static int destroy_count_socket; 166SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD, 167 &destroy_count_socket, 0, "socket destroy calls"); 168static int destroy_count_socket_peerlabel; 169SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel, 170 CTLFLAG_RD, &destroy_count_socket_peerlabel, 0, 171 "socket_peerlabel destroy calls"); 172static int destroy_count_pipe; 173SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD, 174 &destroy_count_pipe, 0, "pipe destroy calls"); 175static int destroy_count_proc; 176SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD, 177 &destroy_count_proc, 0, "proc destroy calls"); 178static int destroy_count_vnode; 179SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD, 180 &destroy_count_vnode, 0, "vnode destroy calls"); 181 182static int externalize_count; 183SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD, 184 &externalize_count, 0, "Subject/object externalize calls"); 185static int internalize_count; 186SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD, 187 &internalize_count, 0, "Subject/object internalize calls"); 188 189/* 190 * Policy module operations. 191 / 192static void 193mac_test_destroy(struct mac_policy_conf conf) 194{ 195 196} 197 198static void 199mac_test_init(struct mac_policy_conf conf) 200{ 201* 202} 203 204static int 205mac_test_syscall(struct thread td, int call, void arg) 206{ 207 208 return (0); 209} 210 211/* 212 * Label operations. 213 / 214static void 215mac_test_init_bpfdesc_label(struct label label) 216{ 217 218 SLOT(label) = BPFMAGIC; 219 atomic_add_int(&init_count_bpfdesc, 1); 220} 221 222static void 223mac_test_init_cred_label(struct label label) 224{ 225* 226 SLOT(label) = CREDMAGIC; 227 atomic_add_int(&init_count_cred, 1); 228} 229 230static void 231mac_test_init_devfsdirent_label(struct label label) 232{ 233* 234 SLOT(label) = DEVFSMAGIC; 235 atomic_add_int(&init_count_devfsdirent, 1); 236} 237 238static void 239mac_test_init_ifnet_label(struct label label) 240{ 241* 242 SLOT(label) = IFNETMAGIC; 243 atomic_add_int(&init_count_ifnet, 1); 244} 245 246static int 247mac_test_init_ipq_label(struct label label, int flag) 248{ 249* 250 if (flag & M_WAITOK) 251 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 252 "mac_test_init_ipq_label() at %s:%d", __FILE__, 253 __LINE__); 254 255 SLOT(label) = IPQMAGIC; 256 atomic_add_int(&init_count_ipq, 1); 257 return (0); 258} 259 260static int 261mac_test_init_mbuf_label(struct label label, int flag) 262{ 263* 264 if (flag & M_WAITOK) 265 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 266 "mac_test_init_mbuf_label() at %s:%d", __FILE__, 267 __LINE__); 268 269 SLOT(label) = MBUFMAGIC; 270 atomic_add_int(&init_count_mbuf, 1); 271 return (0); 272} 273 274static void 275mac_test_init_mount_label(struct label label) 276{ 277* 278 SLOT(label) = MOUNTMAGIC; 279 atomic_add_int(&init_count_mount, 1); 280} 281 282static void 283mac_test_init_mount_fs_label(struct label label) 284{ 285* 286 SLOT(label) = MOUNTMAGIC; 287 atomic_add_int(&init_count_mount_fslabel, 1); 288} 289 290static int 291mac_test_init_socket_label(struct label label, int flag) 292{ 293* 294 if (flag & M_WAITOK) 295 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 296 "mac_test_init_socket_label() at %s:%d", __FILE__, 297 __LINE__); 298 299 SLOT(label) = SOCKETMAGIC; 300 atomic_add_int(&init_count_socket, 1); 301 return (0); 302} 303 304static int 305mac_test_init_socket_peer_label(struct label label, int flag) 306{ 307* 308 if (flag & M_WAITOK) 309 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 310 "mac_test_init_socket_peer_label() at %s:%d", __FILE__, 311 __LINE__); 312 313 SLOT(label) = SOCKETMAGIC; 314 atomic_add_int(&init_count_socket_peerlabel, 1); 315 return (0); 316} 317 318static void 319mac_test_init_pipe_label(struct label label) 320{ 321* 322 SLOT(label) = PIPEMAGIC; 323 atomic_add_int(&init_count_pipe, 1); 324} 325 326static void 327mac_test_init_proc_label(struct label label) 328{ 329* 330 SLOT(label) = PROCMAGIC; 331 atomic_add_int(&init_count_proc, 1); 332} 333 334static void 335mac_test_init_vnode_label(struct label label) 336{ 337* 338 SLOT(label) = VNODEMAGIC; 339 atomic_add_int(&init_count_vnode, 1); 340} 341 342static void 343mac_test_destroy_bpfdesc_label(struct label label) 344{ 345* 346 if (SLOT(label) == BPFMAGIC \|\| SLOT(label) == 0) { 347 atomic_add_int(&destroy_count_bpfdesc, 1); 348 SLOT(label) = EXMAGIC; 349 } else if (SLOT(label) == EXMAGIC) { 350 Debugger("mac_test_destroy_bpfdesc: dup destroy"); 351 } else { 352 Debugger("mac_test_destroy_bpfdesc: corrupted label"); 353 } 354} 355 356static void 357mac_test_destroy_cred_label(struct label label) 358{ 359* 360 if (SLOT(label) == CREDMAGIC \|\| SLOT(label) == 0) { 361 atomic_add_int(&destroy_count_cred, 1); 362 SLOT(label) = EXMAGIC; 363 } else if (SLOT(label) == EXMAGIC) { 364 Debugger("mac_test_destroy_cred: dup destroy"); 365 } else { 366 Debugger("mac_test_destroy_cred: corrupted label"); 367 } 368} 369 370static void 371mac_test_destroy_devfsdirent_label(struct label label) 372{ 373* 374 if (SLOT(label) == DEVFSMAGIC \|\| SLOT(label) == 0) { 375 atomic_add_int(&destroy_count_devfsdirent, 1); 376 SLOT(label) = EXMAGIC; 377 } else if (SLOT(label) == EXMAGIC) { 378 Debugger("mac_test_destroy_devfsdirent: dup destroy"); 379 } else { 380 Debugger("mac_test_destroy_devfsdirent: corrupted label"); 381 } 382} 383 384static void 385mac_test_destroy_ifnet_label(struct label label) 386{ 387* 388 if (SLOT(label) == IFNETMAGIC \|\| SLOT(label) == 0) { 389 atomic_add_int(&destroy_count_ifnet, 1); 390 SLOT(label) = EXMAGIC; 391 } else if (SLOT(label) == EXMAGIC) { 392 Debugger("mac_test_destroy_ifnet: dup destroy"); 393 } else { 394 Debugger("mac_test_destroy_ifnet: corrupted label"); 395 } 396} 397 398static void 399mac_test_destroy_ipq_label(struct label label) 400{ 401* 402 if (SLOT(label) == IPQMAGIC \|\| SLOT(label) == 0) { 403 atomic_add_int(&destroy_count_ipq, 1); 404 SLOT(label) = EXMAGIC; 405 } else if (SLOT(label) == EXMAGIC) { 406 Debugger("mac_test_destroy_ipq: dup destroy"); 407 } else { 408 Debugger("mac_test_destroy_ipq: corrupted label"); 409 } 410} 411 412static void 413mac_test_destroy_mbuf_label(struct label label) 414{ 415* 416 /* 417 * If we're loaded dynamically, there may be mbufs in flight that 418 * didn't have label storage allocated for them. Handle this 419 * gracefully. 420 / 421* if (label == NULL) 422 return; 423 424 if (SLOT(label) == MBUFMAGIC \|\| SLOT(label) == 0) { 425 atomic_add_int(&destroy_count_mbuf, 1); 426 SLOT(label) = EXMAGIC; 427 } else if (SLOT(label) == EXMAGIC) { 428 Debugger("mac_test_destroy_mbuf: dup destroy"); 429 } else { 430 Debugger("mac_test_destroy_mbuf: corrupted label"); 431 } 432} 433 434static void 435mac_test_destroy_mount_label(struct label label) 436{ 437* 438 if ((SLOT(label) == MOUNTMAGIC \|\| SLOT(label) == 0)) { 439 atomic_add_int(&destroy_count_mount, 1); 440 SLOT(label) = EXMAGIC; 441 } else if (SLOT(label) == EXMAGIC) { 442 Debugger("mac_test_destroy_mount: dup destroy"); 443 } else { 444 Debugger("mac_test_destroy_mount: corrupted label"); 445 } 446} 447 448static void 449mac_test_destroy_mount_fs_label(struct label label) 450{ 451* 452 if ((SLOT(label) == MOUNTMAGIC \|\| SLOT(label) == 0)) { 453 atomic_add_int(&destroy_count_mount_fslabel, 1); 454 SLOT(label) = EXMAGIC; 455 } else if (SLOT(label) == EXMAGIC) { 456 Debugger("mac_test_destroy_mount_fslabel: dup destroy"); 457 } else { 458 Debugger("mac_test_destroy_mount_fslabel: corrupted label"); 459 } 460} 461 462static void 463mac_test_destroy_socket_label(struct label label) 464{ 465* 466 if ((SLOT(label) == SOCKETMAGIC \|\| SLOT(label) == 0)) { 467 atomic_add_int(&destroy_count_socket, 1); 468 SLOT(label) = EXMAGIC; 469 } else if (SLOT(label) == EXMAGIC) { 470 Debugger("mac_test_destroy_socket: dup destroy"); 471 } else { 472 Debugger("mac_test_destroy_socket: corrupted label"); 473 } 474} 475 476static void 477mac_test_destroy_socket_peer_label(struct label label) 478{ 479* 480 if ((SLOT(label) == SOCKETMAGIC \|\| SLOT(label) == 0)) { 481 atomic_add_int(&destroy_count_socket_peerlabel, 1); 482 SLOT(label) = EXMAGIC; 483 } else if (SLOT(label) == EXMAGIC) { 484 Debugger("mac_test_destroy_socket_peerlabel: dup destroy"); 485 } else { 486 Debugger("mac_test_destroy_socket_peerlabel: corrupted label"); 487 } 488} 489 490static void 491mac_test_destroy_pipe_label(struct label label) 492{ 493* 494 if ((SLOT(label) == PIPEMAGIC \|\| SLOT(label) == 0)) { 495 atomic_add_int(&destroy_count_pipe, 1); 496 SLOT(label) = EXMAGIC; 497 } else if (SLOT(label) == EXMAGIC) { 498 Debugger("mac_test_destroy_pipe: dup destroy"); 499 } else { 500 Debugger("mac_test_destroy_pipe: corrupted label"); 501 } 502} 503 504static void 505mac_test_destroy_proc_label(struct label label) 506{ 507* 508 if ((SLOT(label) == PROCMAGIC \|\| SLOT(label) == 0)) { 509 atomic_add_int(&destroy_count_proc, 1); 510 SLOT(label) = EXMAGIC; 511 } else if (SLOT(label) == EXMAGIC) { 512 Debugger("mac_test_destroy_proc: dup destroy"); 513 } else { 514 Debugger("mac_test_destroy_proc: corrupted label"); 515 } 516} 517 518static void 519mac_test_destroy_vnode_label(struct label label) 520{ 521* 522 if (SLOT(label) == VNODEMAGIC \|\| SLOT(label) == 0) { 523 atomic_add_int(&destroy_count_vnode, 1); 524 SLOT(label) = EXMAGIC; 525 } else if (SLOT(label) == EXMAGIC) { 526 Debugger("mac_test_destroy_vnode: dup destroy"); 527 } else { 528 Debugger("mac_test_destroy_vnode: corrupted label"); 529 } 530} 531 532static int 533mac_test_externalize_label(struct label label, char element_name,	35 / 36 37/ 38 * Developed by the TrustedBSD Project. 39 * Generic mandatory access module that does nothing. 40 / 41 42#include <sys/types.h> 43#include <sys/param.h> 44#include <sys/acl.h> 45#include <sys/conf.h> 46#include <sys/extattr.h> 47#include <sys/kernel.h> 48#include <sys/mac.h> 49#include <sys/malloc.h> 50#include <sys/mount.h> 51#include <sys/proc.h> 52#include <sys/systm.h> 53#include <sys/sysproto.h> 54#include <sys/sysent.h> 55#include <sys/vnode.h> 56#include <sys/file.h> 57#include <sys/socket.h> 58#include <sys/socketvar.h> 59#include <sys/sysctl.h> 60 61#include <fs/devfs/devfs.h> 62 63#include <net/bpfdesc.h> 64#include <net/if.h> 65#include <net/if_types.h> 66#include <net/if_var.h> 67 68#include <vm/vm.h> 69 70#include <sys/mac_policy.h> 71 72SYSCTL_DECL(_security_mac); 73 74SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, 75 "TrustedBSD mac_test policy controls"); 76 77static int mac_test_enabled = 1; 78SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW, 79 &mac_test_enabled, 0, "Enforce test policy"); 80 81#define BPFMAGIC 0xfe1ad1b6 82#define DEVFSMAGIC 0x9ee79c32 83#define IFNETMAGIC 0xc218b120 84#define IPQMAGIC 0x206188ef 85#define MBUFMAGIC 0xbbefa5bb 86#define MOUNTMAGIC 0xc7c46e47 87#define SOCKETMAGIC 0x9199c6cd 88#define PIPEMAGIC 0xdc6c9919 89#define PROCMAGIC 0x3b4be98f 90#define CREDMAGIC 0x9a5a4987 91#define VNODEMAGIC 0x1a67a45c 92#define EXMAGIC 0x849ba1fd 93 94#define SLOT(x) LABEL_TO_SLOT((x), test_slot).l_long 95static int test_slot; 96SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 97 &test_slot, 0, "Slot allocated by framework"); 98 99static int init_count_bpfdesc; 100SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD, 101* &init_count_bpfdesc, 0, "bpfdesc init calls"); 102static int init_count_cred; 103SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD, 104 &init_count_cred, 0, "cred init calls"); 105static int init_count_devfsdirent; 106SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD, 107 &init_count_devfsdirent, 0, "devfsdirent init calls"); 108static int init_count_ifnet; 109SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD, 110 &init_count_ifnet, 0, "ifnet init calls"); 111static int init_count_ipq; 112SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD, 113 &init_count_ipq, 0, "ipq init calls"); 114static int init_count_mbuf; 115SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD, 116 &init_count_mbuf, 0, "mbuf init calls"); 117static int init_count_mount; 118SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD, 119 &init_count_mount, 0, "mount init calls"); 120static int init_count_mount_fslabel; 121SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD, 122 &init_count_mount_fslabel, 0, "mount_fslabel init calls"); 123static int init_count_socket; 124SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD, 125 &init_count_socket, 0, "socket init calls"); 126static int init_count_socket_peerlabel; 127SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel, 128 CTLFLAG_RD, &init_count_socket_peerlabel, 0, 129 "socket_peerlabel init calls"); 130static int init_count_pipe; 131SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD, 132 &init_count_pipe, 0, "pipe init calls"); 133static int init_count_proc; 134SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD, 135 &init_count_proc, 0, "proc init calls"); 136static int init_count_vnode; 137SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD, 138 &init_count_vnode, 0, "vnode init calls"); 139 140static int destroy_count_bpfdesc; 141SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD, 142 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls"); 143static int destroy_count_cred; 144SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD, 145 &destroy_count_cred, 0, "cred destroy calls"); 146static int destroy_count_devfsdirent; 147SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD, 148 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls"); 149static int destroy_count_ifnet; 150SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD, 151 &destroy_count_ifnet, 0, "ifnet destroy calls"); 152static int destroy_count_ipq; 153SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD, 154 &destroy_count_ipq, 0, "ipq destroy calls"); 155static int destroy_count_mbuf; 156SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD, 157 &destroy_count_mbuf, 0, "mbuf destroy calls"); 158static int destroy_count_mount; 159SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD, 160 &destroy_count_mount, 0, "mount destroy calls"); 161static int destroy_count_mount_fslabel; 162SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel, 163 CTLFLAG_RD, &destroy_count_mount_fslabel, 0, 164 "mount_fslabel destroy calls"); 165static int destroy_count_socket; 166SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD, 167 &destroy_count_socket, 0, "socket destroy calls"); 168static int destroy_count_socket_peerlabel; 169SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel, 170 CTLFLAG_RD, &destroy_count_socket_peerlabel, 0, 171 "socket_peerlabel destroy calls"); 172static int destroy_count_pipe; 173SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD, 174 &destroy_count_pipe, 0, "pipe destroy calls"); 175static int destroy_count_proc; 176SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD, 177 &destroy_count_proc, 0, "proc destroy calls"); 178static int destroy_count_vnode; 179SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD, 180 &destroy_count_vnode, 0, "vnode destroy calls"); 181 182static int externalize_count; 183SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD, 184 &externalize_count, 0, "Subject/object externalize calls"); 185static int internalize_count; 186SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD, 187 &internalize_count, 0, "Subject/object internalize calls"); 188 189/* 190 * Policy module operations. 191 / 192static void 193mac_test_destroy(struct mac_policy_conf conf) 194{ 195 196} 197 198static void 199mac_test_init(struct mac_policy_conf conf) 200{ 201* 202} 203 204static int 205mac_test_syscall(struct thread td, int call, void arg) 206{ 207 208 return (0); 209} 210 211/* 212 * Label operations. 213 / 214static void 215mac_test_init_bpfdesc_label(struct label label) 216{ 217 218 SLOT(label) = BPFMAGIC; 219 atomic_add_int(&init_count_bpfdesc, 1); 220} 221 222static void 223mac_test_init_cred_label(struct label label) 224{ 225* 226 SLOT(label) = CREDMAGIC; 227 atomic_add_int(&init_count_cred, 1); 228} 229 230static void 231mac_test_init_devfsdirent_label(struct label label) 232{ 233* 234 SLOT(label) = DEVFSMAGIC; 235 atomic_add_int(&init_count_devfsdirent, 1); 236} 237 238static void 239mac_test_init_ifnet_label(struct label label) 240{ 241* 242 SLOT(label) = IFNETMAGIC; 243 atomic_add_int(&init_count_ifnet, 1); 244} 245 246static int 247mac_test_init_ipq_label(struct label label, int flag) 248{ 249* 250 if (flag & M_WAITOK) 251 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 252 "mac_test_init_ipq_label() at %s:%d", __FILE__, 253 __LINE__); 254 255 SLOT(label) = IPQMAGIC; 256 atomic_add_int(&init_count_ipq, 1); 257 return (0); 258} 259 260static int 261mac_test_init_mbuf_label(struct label label, int flag) 262{ 263* 264 if (flag & M_WAITOK) 265 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 266 "mac_test_init_mbuf_label() at %s:%d", __FILE__, 267 __LINE__); 268 269 SLOT(label) = MBUFMAGIC; 270 atomic_add_int(&init_count_mbuf, 1); 271 return (0); 272} 273 274static void 275mac_test_init_mount_label(struct label label) 276{ 277* 278 SLOT(label) = MOUNTMAGIC; 279 atomic_add_int(&init_count_mount, 1); 280} 281 282static void 283mac_test_init_mount_fs_label(struct label label) 284{ 285* 286 SLOT(label) = MOUNTMAGIC; 287 atomic_add_int(&init_count_mount_fslabel, 1); 288} 289 290static int 291mac_test_init_socket_label(struct label label, int flag) 292{ 293* 294 if (flag & M_WAITOK) 295 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 296 "mac_test_init_socket_label() at %s:%d", __FILE__, 297 __LINE__); 298 299 SLOT(label) = SOCKETMAGIC; 300 atomic_add_int(&init_count_socket, 1); 301 return (0); 302} 303 304static int 305mac_test_init_socket_peer_label(struct label label, int flag) 306{ 307* 308 if (flag & M_WAITOK) 309 WITNESS_WARN(WARN_GIANTOK \| WARN_SLEEPOK, NULL, 310 "mac_test_init_socket_peer_label() at %s:%d", __FILE__, 311 __LINE__); 312 313 SLOT(label) = SOCKETMAGIC; 314 atomic_add_int(&init_count_socket_peerlabel, 1); 315 return (0); 316} 317 318static void 319mac_test_init_pipe_label(struct label label) 320{ 321* 322 SLOT(label) = PIPEMAGIC; 323 atomic_add_int(&init_count_pipe, 1); 324} 325 326static void 327mac_test_init_proc_label(struct label label) 328{ 329* 330 SLOT(label) = PROCMAGIC; 331 atomic_add_int(&init_count_proc, 1); 332} 333 334static void 335mac_test_init_vnode_label(struct label label) 336{ 337* 338 SLOT(label) = VNODEMAGIC; 339 atomic_add_int(&init_count_vnode, 1); 340} 341 342static void 343mac_test_destroy_bpfdesc_label(struct label label) 344{ 345* 346 if (SLOT(label) == BPFMAGIC \|\| SLOT(label) == 0) { 347 atomic_add_int(&destroy_count_bpfdesc, 1); 348 SLOT(label) = EXMAGIC; 349 } else if (SLOT(label) == EXMAGIC) { 350 Debugger("mac_test_destroy_bpfdesc: dup destroy"); 351 } else { 352 Debugger("mac_test_destroy_bpfdesc: corrupted label"); 353 } 354} 355 356static void 357mac_test_destroy_cred_label(struct label label) 358{ 359* 360 if (SLOT(label) == CREDMAGIC \|\| SLOT(label) == 0) { 361 atomic_add_int(&destroy_count_cred, 1); 362 SLOT(label) = EXMAGIC; 363 } else if (SLOT(label) == EXMAGIC) { 364 Debugger("mac_test_destroy_cred: dup destroy"); 365 } else { 366 Debugger("mac_test_destroy_cred: corrupted label"); 367 } 368} 369 370static void 371mac_test_destroy_devfsdirent_label(struct label label) 372{ 373* 374 if (SLOT(label) == DEVFSMAGIC \|\| SLOT(label) == 0) { 375 atomic_add_int(&destroy_count_devfsdirent, 1); 376 SLOT(label) = EXMAGIC; 377 } else if (SLOT(label) == EXMAGIC) { 378 Debugger("mac_test_destroy_devfsdirent: dup destroy"); 379 } else { 380 Debugger("mac_test_destroy_devfsdirent: corrupted label"); 381 } 382} 383 384static void 385mac_test_destroy_ifnet_label(struct label label) 386{ 387* 388 if (SLOT(label) == IFNETMAGIC \|\| SLOT(label) == 0) { 389 atomic_add_int(&destroy_count_ifnet, 1); 390 SLOT(label) = EXMAGIC; 391 } else if (SLOT(label) == EXMAGIC) { 392 Debugger("mac_test_destroy_ifnet: dup destroy"); 393 } else { 394 Debugger("mac_test_destroy_ifnet: corrupted label"); 395 } 396} 397 398static void 399mac_test_destroy_ipq_label(struct label label) 400{ 401* 402 if (SLOT(label) == IPQMAGIC \|\| SLOT(label) == 0) { 403 atomic_add_int(&destroy_count_ipq, 1); 404 SLOT(label) = EXMAGIC; 405 } else if (SLOT(label) == EXMAGIC) { 406 Debugger("mac_test_destroy_ipq: dup destroy"); 407 } else { 408 Debugger("mac_test_destroy_ipq: corrupted label"); 409 } 410} 411 412static void 413mac_test_destroy_mbuf_label(struct label label) 414{ 415* 416 /* 417 * If we're loaded dynamically, there may be mbufs in flight that 418 * didn't have label storage allocated for them. Handle this 419 * gracefully. 420 / 421* if (label == NULL) 422 return; 423 424 if (SLOT(label) == MBUFMAGIC \|\| SLOT(label) == 0) { 425 atomic_add_int(&destroy_count_mbuf, 1); 426 SLOT(label) = EXMAGIC; 427 } else if (SLOT(label) == EXMAGIC) { 428 Debugger("mac_test_destroy_mbuf: dup destroy"); 429 } else { 430 Debugger("mac_test_destroy_mbuf: corrupted label"); 431 } 432} 433 434static void 435mac_test_destroy_mount_label(struct label label) 436{ 437* 438 if ((SLOT(label) == MOUNTMAGIC \|\| SLOT(label) == 0)) { 439 atomic_add_int(&destroy_count_mount, 1); 440 SLOT(label) = EXMAGIC; 441 } else if (SLOT(label) == EXMAGIC) { 442 Debugger("mac_test_destroy_mount: dup destroy"); 443 } else { 444 Debugger("mac_test_destroy_mount: corrupted label"); 445 } 446} 447 448static void 449mac_test_destroy_mount_fs_label(struct label label) 450{ 451* 452 if ((SLOT(label) == MOUNTMAGIC \|\| SLOT(label) == 0)) { 453 atomic_add_int(&destroy_count_mount_fslabel, 1); 454 SLOT(label) = EXMAGIC; 455 } else if (SLOT(label) == EXMAGIC) { 456 Debugger("mac_test_destroy_mount_fslabel: dup destroy"); 457 } else { 458 Debugger("mac_test_destroy_mount_fslabel: corrupted label"); 459 } 460} 461 462static void 463mac_test_destroy_socket_label(struct label label) 464{ 465* 466 if ((SLOT(label) == SOCKETMAGIC \|\| SLOT(label) == 0)) { 467 atomic_add_int(&destroy_count_socket, 1); 468 SLOT(label) = EXMAGIC; 469 } else if (SLOT(label) == EXMAGIC) { 470 Debugger("mac_test_destroy_socket: dup destroy"); 471 } else { 472 Debugger("mac_test_destroy_socket: corrupted label"); 473 } 474} 475 476static void 477mac_test_destroy_socket_peer_label(struct label label) 478{ 479* 480 if ((SLOT(label) == SOCKETMAGIC \|\| SLOT(label) == 0)) { 481 atomic_add_int(&destroy_count_socket_peerlabel, 1); 482 SLOT(label) = EXMAGIC; 483 } else if (SLOT(label) == EXMAGIC) { 484 Debugger("mac_test_destroy_socket_peerlabel: dup destroy"); 485 } else { 486 Debugger("mac_test_destroy_socket_peerlabel: corrupted label"); 487 } 488} 489 490static void 491mac_test_destroy_pipe_label(struct label label) 492{ 493* 494 if ((SLOT(label) == PIPEMAGIC \|\| SLOT(label) == 0)) { 495 atomic_add_int(&destroy_count_pipe, 1); 496 SLOT(label) = EXMAGIC; 497 } else if (SLOT(label) == EXMAGIC) { 498 Debugger("mac_test_destroy_pipe: dup destroy"); 499 } else { 500 Debugger("mac_test_destroy_pipe: corrupted label"); 501 } 502} 503 504static void 505mac_test_destroy_proc_label(struct label label) 506{ 507* 508 if ((SLOT(label) == PROCMAGIC \|\| SLOT(label) == 0)) { 509 atomic_add_int(&destroy_count_proc, 1); 510 SLOT(label) = EXMAGIC; 511 } else if (SLOT(label) == EXMAGIC) { 512 Debugger("mac_test_destroy_proc: dup destroy"); 513 } else { 514 Debugger("mac_test_destroy_proc: corrupted label"); 515 } 516} 517 518static void 519mac_test_destroy_vnode_label(struct label label) 520{ 521* 522 if (SLOT(label) == VNODEMAGIC \|\| SLOT(label) == 0) { 523 atomic_add_int(&destroy_count_vnode, 1); 524 SLOT(label) = EXMAGIC; 525 } else if (SLOT(label) == EXMAGIC) { 526 Debugger("mac_test_destroy_vnode: dup destroy"); 527 } else { 528 Debugger("mac_test_destroy_vnode: corrupted label"); 529 } 530} 531 532static int 533mac_test_externalize_label(struct label label, char element_name,
534 char element_data, size_t size, size_t len, int *claimed)	534 struct sbuf sb, int claimed)
535{ 536 537 atomic_add_int(&externalize_count, 1); 538 539 return (0); 540} 541 542static int 543mac_test_internalize_label(struct label label, char element_name, 544 char element_data, int claimed) 545{ 546 547 atomic_add_int(&internalize_count, 1); 548 549 return (0); 550} 551 552/* 553 * Labeling event operations: file system objects, and things that look 554 * a lot like file system objects. 555 / 556static void 557mac_test_associate_vnode_devfs(struct mount mp, struct label fslabel, 558* struct devfs_dirent de, struct label delabel, struct vnode vp, 559* struct label vlabel) 560{ 561* 562} 563 564static int 565mac_test_associate_vnode_extattr(struct mount mp, struct label fslabel, 566 struct vnode vp, struct label vlabel) 567{ 568 569 return (0); 570} 571 572static void 573mac_test_associate_vnode_singlelabel(struct mount mp, 574* struct label fslabel, struct vnode vp, struct label vlabel) 575{ 576* 577} 578 579static void 580mac_test_create_devfs_device(struct mount mp, dev_t dev, 581* struct devfs_dirent devfs_dirent, struct label label) 582{ 583 584} 585 586static void 587mac_test_create_devfs_directory(struct mount mp, char dirname, 588 int dirnamelen, struct devfs_dirent devfs_dirent, struct label label) 589{ 590 591} 592 593static void 594mac_test_create_devfs_symlink(struct ucred cred, struct mount mp, 595 struct devfs_dirent dd, struct label ddlabel, struct devfs_dirent de, 596* struct label delabel) 597{ 598* 599} 600 601static int 602mac_test_create_vnode_extattr(struct ucred cred, struct mount mp, 603 struct label fslabel, struct vnode dvp, struct label dlabel, 604* struct vnode vp, struct label vlabel, struct componentname cnp) 605{ 606* 607 return (0); 608} 609 610static void 611mac_test_create_mount(struct ucred cred, struct mount mp, 612 struct label mntlabel, struct label fslabel) 613{ 614 615} 616 617static void 618mac_test_create_root_mount(struct ucred cred, struct mount mp, 619 struct label mntlabel, struct label fslabel) 620{ 621 622} 623 624static void 625mac_test_relabel_vnode(struct ucred cred, struct vnode vp, 626 struct label vnodelabel, struct label label) 627{ 628 629} 630 631static int 632mac_test_setlabel_vnode_extattr(struct ucred cred, struct vnode vp, 633 struct label vlabel, struct label intlabel) 634{ 635 636 return (0); 637} 638 639static void 640mac_test_update_devfsdirent(struct mount mp, 641* struct devfs_dirent devfs_dirent, struct label direntlabel, 642 struct vnode vp, struct label vnodelabel) 643{ 644 645} 646 647/* 648 * Labeling event operations: IPC object. 649 / 650static void 651mac_test_create_mbuf_from_socket(struct socket so, struct label socketlabel, 652* struct mbuf m, struct label mbuflabel) 653{ 654 655} 656 657static void 658mac_test_create_socket(struct ucred cred, struct socket socket, 659 struct label socketlabel) 660{ 661* 662} 663 664static void 665mac_test_create_pipe(struct ucred cred, struct pipe pipe, 666 struct label pipelabel) 667{ 668* 669} 670 671static void 672mac_test_create_socket_from_socket(struct socket oldsocket, 673* struct label oldsocketlabel, struct socket newsocket, 674 struct label newsocketlabel) 675{ 676* 677} 678 679static void 680mac_test_relabel_socket(struct ucred cred, struct socket socket, 681 struct label socketlabel, struct label newlabel) 682{ 683 684} 685 686static void 687mac_test_relabel_pipe(struct ucred cred, struct pipe pipe, 688 struct label pipelabel, struct label newlabel) 689{ 690 691} 692 693static void 694mac_test_set_socket_peer_from_mbuf(struct mbuf mbuf, struct label mbuflabel, 695 struct socket socket, struct label socketpeerlabel) 696{ 697 698} 699 700/* 701 * Labeling event operations: network objects. 702 / 703static void 704mac_test_set_socket_peer_from_socket(struct socket oldsocket, 705 struct label oldsocketlabel, struct socket newsocket, 706 struct label newsocketpeerlabel) 707{ 708* 709} 710 711static void 712mac_test_create_bpfdesc(struct ucred cred, struct bpf_d bpf_d, 713 struct label bpflabel) 714{ 715* 716} 717 718static void 719mac_test_create_datagram_from_ipq(struct ipq ipq, struct label ipqlabel, 720 struct mbuf datagram, struct label datagramlabel) 721{ 722 723} 724 725static void 726mac_test_create_fragment(struct mbuf datagram, struct label datagramlabel, 727 struct mbuf fragment, struct label fragmentlabel) 728{ 729 730} 731 732static void 733mac_test_create_ifnet(struct ifnet ifnet, struct label ifnetlabel) 734{ 735 736} 737 738static void 739mac_test_create_ipq(struct mbuf fragment, struct label fragmentlabel, 740 struct ipq ipq, struct label ipqlabel) 741{ 742 743} 744 745static void 746mac_test_create_mbuf_from_mbuf(struct mbuf oldmbuf, 747* struct label oldmbuflabel, struct mbuf newmbuf, 748 struct label newmbuflabel) 749{ 750* 751} 752 753static void 754mac_test_create_mbuf_linklayer(struct ifnet ifnet, struct label ifnetlabel, 755 struct mbuf mbuf, struct label mbuflabel) 756{ 757 758} 759 760static void 761mac_test_create_mbuf_from_bpfdesc(struct bpf_d bpf_d, struct label bpflabel, 762 struct mbuf mbuf, struct label mbuflabel) 763{ 764 765} 766 767static void 768mac_test_create_mbuf_from_ifnet(struct ifnet ifnet, struct label ifnetlabel, 769 struct mbuf m, struct label mbuflabel) 770{ 771 772} 773 774static void 775mac_test_create_mbuf_multicast_encap(struct mbuf oldmbuf, 776* struct label oldmbuflabel, struct ifnet ifnet, struct label ifnetlabel, 777* struct mbuf newmbuf, struct label newmbuflabel) 778{ 779 780} 781 782static void 783mac_test_create_mbuf_netlayer(struct mbuf oldmbuf, 784* struct label oldmbuflabel, struct mbuf newmbuf, 785 struct label newmbuflabel) 786{ 787* 788} 789 790static int 791mac_test_fragment_match(struct mbuf fragment, struct label fragmentlabel, 792 struct ipq ipq, struct label ipqlabel) 793{ 794 795 return (1); 796} 797 798static void 799mac_test_relabel_ifnet(struct ucred cred, struct ifnet ifnet, 800 struct label ifnetlabel, struct label newlabel) 801{ 802 803} 804 805static void 806mac_test_update_ipq(struct mbuf fragment, struct label fragmentlabel, 807 struct ipq ipq, struct label ipqlabel) 808{ 809 810} 811 812/* 813 * Labeling event operations: processes. 814 / 815static void 816mac_test_create_cred(struct ucred cred_parent, struct ucred cred_child) 817{ 818* 819} 820 821static void 822mac_test_execve_transition(struct ucred old, struct ucred new, 823 struct vnode vp, struct label filelabel, 824 struct label interpvnodelabel, struct image_params imgp, 825 struct label execlabel) 826{ 827* 828} 829 830static int 831mac_test_execve_will_transition(struct ucred old, struct vnode vp, 832 struct label filelabel, struct label interpvnodelabel, 833 struct image_params imgp, struct label execlabel) 834{ 835 836 return (0); 837} 838 839static void 840mac_test_create_proc0(struct ucred cred) 841{ 842* 843} 844 845static void 846mac_test_create_proc1(struct ucred cred) 847{ 848* 849} 850 851static void 852mac_test_relabel_cred(struct ucred cred, struct label newlabel) 853{ 854 855} 856 857static void 858mac_test_thread_userret(struct thread td) 859{ 860* 861} 862 863/* 864 * Access control checks. 865 / 866static int 867mac_test_check_bpfdesc_receive(struct bpf_d bpf_d, struct label bpflabel, 868* struct ifnet ifnet, struct label ifnetlabel) 869{ 870 871 return (0); 872} 873 874static int 875mac_test_check_cred_relabel(struct ucred cred, struct label newlabel) 876{ 877 878 return (0); 879} 880 881static int 882mac_test_check_cred_visible(struct ucred u1, struct ucred u2) 883{ 884 885 return (0); 886} 887 888static int 889mac_test_check_ifnet_relabel(struct ucred cred, struct ifnet ifnet, 890 struct label ifnetlabel, struct label newlabel) 891{ 892 893 return (0); 894} 895 896static int 897mac_test_check_ifnet_transmit(struct ifnet ifnet, struct label ifnetlabel, 898 struct mbuf m, struct label mbuflabel) 899{ 900 901 return (0); 902} 903 904static int 905mac_test_check_kenv_dump(struct ucred cred) 906{ 907* 908 return (0); 909} 910 911static int 912mac_test_check_kenv_get(struct ucred cred, char name) 913{ 914 915 return (0); 916} 917 918static int 919mac_test_check_kenv_set(struct ucred cred, char name, char value) 920{ 921* 922 return (0); 923} 924 925static int 926mac_test_check_kenv_unset(struct ucred cred, char name) 927{ 928 929 return (0); 930} 931 932static int 933mac_test_check_kld_load(struct ucred cred, struct vnode vp, 934 struct label label) 935{ 936* 937 return (0); 938} 939 940static int 941mac_test_check_kld_stat(struct ucred cred) 942{ 943* 944 return (0); 945} 946 947static int 948mac_test_check_kld_unload(struct ucred cred) 949{ 950* 951 return (0); 952} 953 954static int 955mac_test_check_mount_stat(struct ucred cred, struct mount mp, 956 struct label mntlabel) 957{ 958* 959 return (0); 960} 961 962static int 963mac_test_check_pipe_ioctl(struct ucred cred, struct pipe pipe, 964 struct label pipelabel, unsigned long cmd, void / caddr_t / data) 965{ 966 967 return (0); 968} 969 970static int 971mac_test_check_pipe_poll(struct ucred cred, struct pipe pipe, 972 struct label pipelabel) 973{ 974* 975 return (0); 976} 977 978static int 979mac_test_check_pipe_read(struct ucred cred, struct pipe pipe, 980 struct label pipelabel) 981{ 982* 983 return (0); 984} 985 986static int 987mac_test_check_pipe_relabel(struct ucred cred, struct pipe pipe, 988 struct label pipelabel, struct label newlabel) 989{ 990 991 return (0); 992} 993 994static int 995mac_test_check_pipe_stat(struct ucred cred, struct pipe pipe, 996 struct label pipelabel) 997{ 998* 999 return (0); 1000} 1001 1002static int 1003mac_test_check_pipe_write(struct ucred cred, struct pipe pipe, 1004 struct label pipelabel) 1005{ 1006* 1007 return (0); 1008} 1009 1010static int 1011mac_test_check_proc_debug(struct ucred cred, struct proc proc) 1012{ 1013 1014 return (0); 1015} 1016 1017static int 1018mac_test_check_proc_sched(struct ucred cred, struct proc proc) 1019{ 1020 1021 return (0); 1022} 1023 1024static int 1025mac_test_check_proc_signal(struct ucred cred, struct proc proc, int signum) 1026{ 1027 1028 return (0); 1029} 1030 1031static int 1032mac_test_check_socket_bind(struct ucred cred, struct socket socket, 1033 struct label socketlabel, struct sockaddr sockaddr) 1034{ 1035 1036 return (0); 1037} 1038 1039static int 1040mac_test_check_socket_connect(struct ucred cred, struct socket socket, 1041 struct label socketlabel, struct sockaddr sockaddr) 1042{ 1043 1044 return (0); 1045} 1046 1047static int 1048mac_test_check_socket_deliver(struct socket socket, struct label socketlabel, 1049 struct mbuf m, struct label mbuflabel) 1050{ 1051 1052 return (0); 1053} 1054 1055static int 1056mac_test_check_socket_listen(struct ucred cred, struct socket socket, 1057 struct label socketlabel) 1058{ 1059* 1060 return (0); 1061} 1062 1063static int 1064mac_test_check_socket_visible(struct ucred cred, struct socket socket, 1065 struct label socketlabel) 1066{ 1067* 1068 return (0); 1069} 1070 1071static int 1072mac_test_check_socket_relabel(struct ucred cred, struct socket socket, 1073 struct label socketlabel, struct label newlabel) 1074{ 1075 1076 return (0); 1077} 1078 1079static int 1080mac_test_check_sysarch_ioperm(struct ucred cred) 1081{ 1082* 1083 return (0); 1084} 1085 1086static int 1087mac_test_check_system_acct(struct ucred cred, struct vnode vp, 1088 struct label label) 1089{ 1090* 1091 return (0); 1092} 1093 1094static int 1095mac_test_check_system_reboot(struct ucred cred, int how) 1096{ 1097* 1098 return (0); 1099} 1100 1101static int 1102mac_test_check_system_settime(struct ucred cred) 1103{ 1104* 1105 return (0); 1106} 1107 1108static int 1109mac_test_check_system_swapon(struct ucred cred, struct vnode vp, 1110 struct label label) 1111{ 1112* 1113 return (0); 1114} 1115 1116static int 1117mac_test_check_system_swapoff(struct ucred cred, struct vnode vp, 1118 struct label label) 1119{ 1120* 1121 return (0); 1122} 1123 1124static int 1125mac_test_check_system_sysctl(struct ucred cred, int name, u_int namelen, 1126 void old, size_t oldlenp, int inkernel, void new, size_t newlen) 1127{ 1128* 1129 return (0); 1130} 1131 1132static int 1133mac_test_check_vnode_access(struct ucred cred, struct vnode vp, 1134 struct label label, int acc_mode) 1135{ 1136* 1137 return (0); 1138} 1139 1140static int 1141mac_test_check_vnode_chdir(struct ucred cred, struct vnode dvp, 1142 struct label dlabel) 1143{ 1144* 1145 return (0); 1146} 1147 1148static int 1149mac_test_check_vnode_chroot(struct ucred cred, struct vnode dvp, 1150 struct label dlabel) 1151{ 1152* 1153 return (0); 1154} 1155 1156static int 1157mac_test_check_vnode_create(struct ucred cred, struct vnode dvp, 1158 struct label dlabel, struct componentname cnp, struct vattr vap) 1159{ 1160* 1161 return (0); 1162} 1163 1164static int 1165mac_test_check_vnode_delete(struct ucred cred, struct vnode dvp, 1166 struct label dlabel, struct vnode vp, struct label label, 1167* struct componentname cnp) 1168{ 1169* 1170 return (0); 1171} 1172 1173static int 1174mac_test_check_vnode_deleteacl(struct ucred cred, struct vnode vp, 1175 struct label label, acl_type_t type) 1176{ 1177* 1178 return (0); 1179} 1180 1181static int 1182mac_test_check_vnode_exec(struct ucred cred, struct vnode vp, 1183 struct label label, struct image_params imgp, 1184 struct label execlabel) 1185{ 1186* 1187 return (0); 1188} 1189 1190static int 1191mac_test_check_vnode_getacl(struct ucred cred, struct vnode vp, 1192 struct label label, acl_type_t type) 1193{ 1194* 1195 return (0); 1196} 1197 1198static int 1199mac_test_check_vnode_getextattr(struct ucred cred, struct vnode vp, 1200 struct label label, int attrnamespace, const char name, struct uio uio) 1201{ 1202* 1203 return (0); 1204} 1205 1206static int 1207mac_test_check_vnode_link(struct ucred cred, struct vnode dvp, 1208 struct label dlabel, struct vnode vp, struct label label, 1209* struct componentname cnp) 1210{ 1211* 1212 return (0); 1213} 1214 1215static int 1216mac_test_check_vnode_lookup(struct ucred cred, struct vnode dvp, 1217 struct label dlabel, struct componentname cnp) 1218{ 1219 1220 return (0); 1221} 1222 1223static int 1224mac_test_check_vnode_mmap(struct ucred cred, struct vnode vp, 1225 struct label label, int prot) 1226{ 1227* 1228 return (0); 1229} 1230 1231static int 1232mac_test_check_vnode_mprotect(struct ucred cred, struct vnode vp, 1233 struct label label, int prot) 1234{ 1235* 1236 return (0); 1237} 1238 1239static int 1240mac_test_check_vnode_open(struct ucred cred, struct vnode vp, 1241 struct label filelabel, int acc_mode) 1242{ 1243* 1244 return (0); 1245} 1246 1247static int 1248mac_test_check_vnode_poll(struct ucred active_cred, struct ucred file_cred, 1249 struct vnode vp, struct label label) 1250{ 1251 1252 return (0); 1253} 1254 1255static int 1256mac_test_check_vnode_read(struct ucred active_cred, struct ucred file_cred, 1257 struct vnode vp, struct label label) 1258{ 1259 1260 return (0); 1261} 1262 1263static int 1264mac_test_check_vnode_readdir(struct ucred cred, struct vnode dvp, 1265 struct label dlabel) 1266{ 1267* 1268 return (0); 1269} 1270 1271static int 1272mac_test_check_vnode_readlink(struct ucred cred, struct vnode vp, 1273 struct label vnodelabel) 1274{ 1275* 1276 return (0); 1277} 1278 1279static int 1280mac_test_check_vnode_relabel(struct ucred cred, struct vnode vp, 1281 struct label vnodelabel, struct label newlabel) 1282{ 1283 1284 return (0); 1285} 1286 1287static int 1288mac_test_check_vnode_rename_from(struct ucred cred, struct vnode dvp, 1289 struct label dlabel, struct vnode vp, struct label label, 1290* struct componentname cnp) 1291{ 1292* 1293 return (0); 1294} 1295 1296static int 1297mac_test_check_vnode_rename_to(struct ucred cred, struct vnode dvp, 1298 struct label dlabel, struct vnode vp, struct label label, int samedir, 1299* struct componentname cnp) 1300{ 1301* 1302 return (0); 1303} 1304 1305static int 1306mac_test_check_vnode_revoke(struct ucred cred, struct vnode vp, 1307 struct label label) 1308{ 1309* 1310 return (0); 1311} 1312 1313static int 1314mac_test_check_vnode_setacl(struct ucred cred, struct vnode vp, 1315 struct label label, acl_type_t type, struct acl acl) 1316{ 1317 1318 return (0); 1319} 1320 1321static int 1322mac_test_check_vnode_setextattr(struct ucred cred, struct vnode vp, 1323 struct label label, int attrnamespace, const char name, struct uio uio) 1324{ 1325* 1326 return (0); 1327} 1328 1329static int 1330mac_test_check_vnode_setflags(struct ucred cred, struct vnode vp, 1331 struct label label, u_long flags) 1332{ 1333* 1334 return (0); 1335} 1336 1337static int 1338mac_test_check_vnode_setmode(struct ucred cred, struct vnode vp, 1339 struct label label, mode_t mode) 1340{ 1341* 1342 return (0); 1343} 1344 1345static int 1346mac_test_check_vnode_setowner(struct ucred cred, struct vnode vp, 1347 struct label label, uid_t uid, gid_t gid) 1348{ 1349* 1350 return (0); 1351} 1352 1353static int 1354mac_test_check_vnode_setutimes(struct ucred cred, struct vnode vp, 1355 struct label label, struct timespec atime, struct timespec mtime) 1356{ 1357* 1358 return (0); 1359} 1360 1361static int 1362mac_test_check_vnode_stat(struct ucred active_cred, struct ucred file_cred, 1363 struct vnode vp, struct label label) 1364{ 1365 1366 return (0); 1367} 1368 1369static int 1370mac_test_check_vnode_write(struct ucred active_cred, 1371* struct ucred file_cred, struct vnode vp, struct label label) 1372{ 1373* 1374 return (0); 1375} 1376 1377static struct mac_policy_ops mac_test_ops = 1378{ 1379 .mpo_destroy = mac_test_destroy, 1380 .mpo_init = mac_test_init, 1381 .mpo_syscall = mac_test_syscall, 1382 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label, 1383 .mpo_init_cred_label = mac_test_init_cred_label, 1384 .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label, 1385 .mpo_init_ifnet_label = mac_test_init_ifnet_label, 1386 .mpo_init_ipq_label = mac_test_init_ipq_label, 1387 .mpo_init_mbuf_label = mac_test_init_mbuf_label, 1388 .mpo_init_mount_label = mac_test_init_mount_label, 1389 .mpo_init_mount_fs_label = mac_test_init_mount_fs_label, 1390 .mpo_init_pipe_label = mac_test_init_pipe_label, 1391 .mpo_init_proc_label = mac_test_init_proc_label, 1392 .mpo_init_socket_label = mac_test_init_socket_label, 1393 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label, 1394 .mpo_init_vnode_label = mac_test_init_vnode_label, 1395 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label, 1396 .mpo_destroy_cred_label = mac_test_destroy_cred_label, 1397 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label, 1398 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label, 1399 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 1400 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 1401 .mpo_destroy_mount_label = mac_test_destroy_mount_label, 1402 .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label, 1403 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, 1404 .mpo_destroy_proc_label = mac_test_destroy_proc_label, 1405 .mpo_destroy_socket_label = mac_test_destroy_socket_label, 1406 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 1407 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 1408 .mpo_externalize_cred_label = mac_test_externalize_label, 1409 .mpo_externalize_ifnet_label = mac_test_externalize_label, 1410 .mpo_externalize_pipe_label = mac_test_externalize_label, 1411 .mpo_externalize_socket_label = mac_test_externalize_label, 1412 .mpo_externalize_socket_peer_label = mac_test_externalize_label, 1413 .mpo_externalize_vnode_label = mac_test_externalize_label, 1414 .mpo_internalize_cred_label = mac_test_internalize_label, 1415 .mpo_internalize_ifnet_label = mac_test_internalize_label, 1416 .mpo_internalize_pipe_label = mac_test_internalize_label, 1417 .mpo_internalize_socket_label = mac_test_internalize_label, 1418 .mpo_internalize_vnode_label = mac_test_internalize_label, 1419 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 1420 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 1421 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 1422 .mpo_create_devfs_device = mac_test_create_devfs_device, 1423 .mpo_create_devfs_directory = mac_test_create_devfs_directory, 1424 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 1425 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 1426 .mpo_create_mount = mac_test_create_mount, 1427 .mpo_create_root_mount = mac_test_create_root_mount, 1428 .mpo_relabel_vnode = mac_test_relabel_vnode, 1429 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, 1430 .mpo_update_devfsdirent = mac_test_update_devfsdirent, 1431 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 1432 .mpo_create_pipe = mac_test_create_pipe, 1433 .mpo_create_socket = mac_test_create_socket, 1434 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, 1435 .mpo_relabel_pipe = mac_test_relabel_pipe, 1436 .mpo_relabel_socket = mac_test_relabel_socket, 1437 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 1438 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 1439 .mpo_create_bpfdesc = mac_test_create_bpfdesc, 1440 .mpo_create_ifnet = mac_test_create_ifnet, 1441 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 1442 .mpo_create_fragment = mac_test_create_fragment, 1443 .mpo_create_ipq = mac_test_create_ipq, 1444 .mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf, 1445 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 1446 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 1447 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 1448 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 1449 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 1450 .mpo_fragment_match = mac_test_fragment_match, 1451 .mpo_relabel_ifnet = mac_test_relabel_ifnet, 1452 .mpo_update_ipq = mac_test_update_ipq, 1453 .mpo_create_cred = mac_test_create_cred, 1454 .mpo_execve_transition = mac_test_execve_transition, 1455 .mpo_execve_will_transition = mac_test_execve_will_transition, 1456 .mpo_create_proc0 = mac_test_create_proc0, 1457 .mpo_create_proc1 = mac_test_create_proc1, 1458 .mpo_relabel_cred = mac_test_relabel_cred, 1459 .mpo_thread_userret = mac_test_thread_userret, 1460 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 1461 .mpo_check_cred_relabel = mac_test_check_cred_relabel, 1462 .mpo_check_cred_visible = mac_test_check_cred_visible, 1463 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 1464 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, 1465 .mpo_check_kenv_dump = mac_test_check_kenv_dump, 1466 .mpo_check_kenv_get = mac_test_check_kenv_get, 1467 .mpo_check_kenv_set = mac_test_check_kenv_set, 1468 .mpo_check_kenv_unset = mac_test_check_kenv_unset, 1469 .mpo_check_kld_load = mac_test_check_kld_load, 1470 .mpo_check_kld_stat = mac_test_check_kld_stat, 1471 .mpo_check_kld_unload = mac_test_check_kld_unload, 1472 .mpo_check_mount_stat = mac_test_check_mount_stat, 1473 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 1474 .mpo_check_pipe_poll = mac_test_check_pipe_poll, 1475 .mpo_check_pipe_read = mac_test_check_pipe_read, 1476 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, 1477 .mpo_check_pipe_stat = mac_test_check_pipe_stat, 1478 .mpo_check_pipe_write = mac_test_check_pipe_write, 1479 .mpo_check_proc_debug = mac_test_check_proc_debug, 1480 .mpo_check_proc_sched = mac_test_check_proc_sched, 1481 .mpo_check_proc_signal = mac_test_check_proc_signal, 1482 .mpo_check_socket_bind = mac_test_check_socket_bind, 1483 .mpo_check_socket_connect = mac_test_check_socket_connect, 1484 .mpo_check_socket_deliver = mac_test_check_socket_deliver, 1485 .mpo_check_socket_listen = mac_test_check_socket_listen, 1486 .mpo_check_socket_relabel = mac_test_check_socket_relabel, 1487 .mpo_check_socket_visible = mac_test_check_socket_visible, 1488 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, 1489 .mpo_check_system_acct = mac_test_check_system_acct, 1490 .mpo_check_system_reboot = mac_test_check_system_reboot, 1491 .mpo_check_system_settime = mac_test_check_system_settime, 1492 .mpo_check_system_swapon = mac_test_check_system_swapon, 1493 .mpo_check_system_swapoff = mac_test_check_system_swapoff, 1494 .mpo_check_system_sysctl = mac_test_check_system_sysctl, 1495 .mpo_check_vnode_access = mac_test_check_vnode_access, 1496 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 1497 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 1498 .mpo_check_vnode_create = mac_test_check_vnode_create, 1499 .mpo_check_vnode_delete = mac_test_check_vnode_delete, 1500 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 1501 .mpo_check_vnode_exec = mac_test_check_vnode_exec, 1502 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 1503 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 1504 .mpo_check_vnode_link = mac_test_check_vnode_link, 1505 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 1506 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 1507 .mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect, 1508 .mpo_check_vnode_open = mac_test_check_vnode_open, 1509 .mpo_check_vnode_poll = mac_test_check_vnode_poll, 1510 .mpo_check_vnode_read = mac_test_check_vnode_read, 1511 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 1512 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, 1513 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 1514 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 1515 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, 1516 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke, 1517 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, 1518 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, 1519 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, 1520 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, 1521 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, 1522 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, 1523 .mpo_check_vnode_stat = mac_test_check_vnode_stat, 1524 .mpo_check_vnode_write = mac_test_check_vnode_write, 1525}; 1526 1527MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test", 1528 MPC_LOADTIME_FLAG_UNLOADOK \| MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);	535{ 536 537 atomic_add_int(&externalize_count, 1); 538 539 return (0); 540} 541 542static int 543mac_test_internalize_label(struct label label, char element_name, 544 char element_data, int claimed) 545{ 546 547 atomic_add_int(&internalize_count, 1); 548 549 return (0); 550} 551 552/* 553 * Labeling event operations: file system objects, and things that look 554 * a lot like file system objects. 555 / 556static void 557mac_test_associate_vnode_devfs(struct mount mp, struct label fslabel, 558* struct devfs_dirent de, struct label delabel, struct vnode vp, 559* struct label vlabel) 560{ 561* 562} 563 564static int 565mac_test_associate_vnode_extattr(struct mount mp, struct label fslabel, 566 struct vnode vp, struct label vlabel) 567{ 568 569 return (0); 570} 571 572static void 573mac_test_associate_vnode_singlelabel(struct mount mp, 574* struct label fslabel, struct vnode vp, struct label vlabel) 575{ 576* 577} 578 579static void 580mac_test_create_devfs_device(struct mount mp, dev_t dev, 581* struct devfs_dirent devfs_dirent, struct label label) 582{ 583 584} 585 586static void 587mac_test_create_devfs_directory(struct mount mp, char dirname, 588 int dirnamelen, struct devfs_dirent devfs_dirent, struct label label) 589{ 590 591} 592 593static void 594mac_test_create_devfs_symlink(struct ucred cred, struct mount mp, 595 struct devfs_dirent dd, struct label ddlabel, struct devfs_dirent de, 596* struct label delabel) 597{ 598* 599} 600 601static int 602mac_test_create_vnode_extattr(struct ucred cred, struct mount mp, 603 struct label fslabel, struct vnode dvp, struct label dlabel, 604* struct vnode vp, struct label vlabel, struct componentname cnp) 605{ 606* 607 return (0); 608} 609 610static void 611mac_test_create_mount(struct ucred cred, struct mount mp, 612 struct label mntlabel, struct label fslabel) 613{ 614 615} 616 617static void 618mac_test_create_root_mount(struct ucred cred, struct mount mp, 619 struct label mntlabel, struct label fslabel) 620{ 621 622} 623 624static void 625mac_test_relabel_vnode(struct ucred cred, struct vnode vp, 626 struct label vnodelabel, struct label label) 627{ 628 629} 630 631static int 632mac_test_setlabel_vnode_extattr(struct ucred cred, struct vnode vp, 633 struct label vlabel, struct label intlabel) 634{ 635 636 return (0); 637} 638 639static void 640mac_test_update_devfsdirent(struct mount mp, 641* struct devfs_dirent devfs_dirent, struct label direntlabel, 642 struct vnode vp, struct label vnodelabel) 643{ 644 645} 646 647/* 648 * Labeling event operations: IPC object. 649 / 650static void 651mac_test_create_mbuf_from_socket(struct socket so, struct label socketlabel, 652* struct mbuf m, struct label mbuflabel) 653{ 654 655} 656 657static void 658mac_test_create_socket(struct ucred cred, struct socket socket, 659 struct label socketlabel) 660{ 661* 662} 663 664static void 665mac_test_create_pipe(struct ucred cred, struct pipe pipe, 666 struct label pipelabel) 667{ 668* 669} 670 671static void 672mac_test_create_socket_from_socket(struct socket oldsocket, 673* struct label oldsocketlabel, struct socket newsocket, 674 struct label newsocketlabel) 675{ 676* 677} 678 679static void 680mac_test_relabel_socket(struct ucred cred, struct socket socket, 681 struct label socketlabel, struct label newlabel) 682{ 683 684} 685 686static void 687mac_test_relabel_pipe(struct ucred cred, struct pipe pipe, 688 struct label pipelabel, struct label newlabel) 689{ 690 691} 692 693static void 694mac_test_set_socket_peer_from_mbuf(struct mbuf mbuf, struct label mbuflabel, 695 struct socket socket, struct label socketpeerlabel) 696{ 697 698} 699 700/* 701 * Labeling event operations: network objects. 702 / 703static void 704mac_test_set_socket_peer_from_socket(struct socket oldsocket, 705 struct label oldsocketlabel, struct socket newsocket, 706 struct label newsocketpeerlabel) 707{ 708* 709} 710 711static void 712mac_test_create_bpfdesc(struct ucred cred, struct bpf_d bpf_d, 713 struct label bpflabel) 714{ 715* 716} 717 718static void 719mac_test_create_datagram_from_ipq(struct ipq ipq, struct label ipqlabel, 720 struct mbuf datagram, struct label datagramlabel) 721{ 722 723} 724 725static void 726mac_test_create_fragment(struct mbuf datagram, struct label datagramlabel, 727 struct mbuf fragment, struct label fragmentlabel) 728{ 729 730} 731 732static void 733mac_test_create_ifnet(struct ifnet ifnet, struct label ifnetlabel) 734{ 735 736} 737 738static void 739mac_test_create_ipq(struct mbuf fragment, struct label fragmentlabel, 740 struct ipq ipq, struct label ipqlabel) 741{ 742 743} 744 745static void 746mac_test_create_mbuf_from_mbuf(struct mbuf oldmbuf, 747* struct label oldmbuflabel, struct mbuf newmbuf, 748 struct label newmbuflabel) 749{ 750* 751} 752 753static void 754mac_test_create_mbuf_linklayer(struct ifnet ifnet, struct label ifnetlabel, 755 struct mbuf mbuf, struct label mbuflabel) 756{ 757 758} 759 760static void 761mac_test_create_mbuf_from_bpfdesc(struct bpf_d bpf_d, struct label bpflabel, 762 struct mbuf mbuf, struct label mbuflabel) 763{ 764 765} 766 767static void 768mac_test_create_mbuf_from_ifnet(struct ifnet ifnet, struct label ifnetlabel, 769 struct mbuf m, struct label mbuflabel) 770{ 771 772} 773 774static void 775mac_test_create_mbuf_multicast_encap(struct mbuf oldmbuf, 776* struct label oldmbuflabel, struct ifnet ifnet, struct label ifnetlabel, 777* struct mbuf newmbuf, struct label newmbuflabel) 778{ 779 780} 781 782static void 783mac_test_create_mbuf_netlayer(struct mbuf oldmbuf, 784* struct label oldmbuflabel, struct mbuf newmbuf, 785 struct label newmbuflabel) 786{ 787* 788} 789 790static int 791mac_test_fragment_match(struct mbuf fragment, struct label fragmentlabel, 792 struct ipq ipq, struct label ipqlabel) 793{ 794 795 return (1); 796} 797 798static void 799mac_test_relabel_ifnet(struct ucred cred, struct ifnet ifnet, 800 struct label ifnetlabel, struct label newlabel) 801{ 802 803} 804 805static void 806mac_test_update_ipq(struct mbuf fragment, struct label fragmentlabel, 807 struct ipq ipq, struct label ipqlabel) 808{ 809 810} 811 812/* 813 * Labeling event operations: processes. 814 / 815static void 816mac_test_create_cred(struct ucred cred_parent, struct ucred cred_child) 817{ 818* 819} 820 821static void 822mac_test_execve_transition(struct ucred old, struct ucred new, 823 struct vnode vp, struct label filelabel, 824 struct label interpvnodelabel, struct image_params imgp, 825 struct label execlabel) 826{ 827* 828} 829 830static int 831mac_test_execve_will_transition(struct ucred old, struct vnode vp, 832 struct label filelabel, struct label interpvnodelabel, 833 struct image_params imgp, struct label execlabel) 834{ 835 836 return (0); 837} 838 839static void 840mac_test_create_proc0(struct ucred cred) 841{ 842* 843} 844 845static void 846mac_test_create_proc1(struct ucred cred) 847{ 848* 849} 850 851static void 852mac_test_relabel_cred(struct ucred cred, struct label newlabel) 853{ 854 855} 856 857static void 858mac_test_thread_userret(struct thread td) 859{ 860* 861} 862 863/* 864 * Access control checks. 865 / 866static int 867mac_test_check_bpfdesc_receive(struct bpf_d bpf_d, struct label bpflabel, 868* struct ifnet ifnet, struct label ifnetlabel) 869{ 870 871 return (0); 872} 873 874static int 875mac_test_check_cred_relabel(struct ucred cred, struct label newlabel) 876{ 877 878 return (0); 879} 880 881static int 882mac_test_check_cred_visible(struct ucred u1, struct ucred u2) 883{ 884 885 return (0); 886} 887 888static int 889mac_test_check_ifnet_relabel(struct ucred cred, struct ifnet ifnet, 890 struct label ifnetlabel, struct label newlabel) 891{ 892 893 return (0); 894} 895 896static int 897mac_test_check_ifnet_transmit(struct ifnet ifnet, struct label ifnetlabel, 898 struct mbuf m, struct label mbuflabel) 899{ 900 901 return (0); 902} 903 904static int 905mac_test_check_kenv_dump(struct ucred cred) 906{ 907* 908 return (0); 909} 910 911static int 912mac_test_check_kenv_get(struct ucred cred, char name) 913{ 914 915 return (0); 916} 917 918static int 919mac_test_check_kenv_set(struct ucred cred, char name, char value) 920{ 921* 922 return (0); 923} 924 925static int 926mac_test_check_kenv_unset(struct ucred cred, char name) 927{ 928 929 return (0); 930} 931 932static int 933mac_test_check_kld_load(struct ucred cred, struct vnode vp, 934 struct label label) 935{ 936* 937 return (0); 938} 939 940static int 941mac_test_check_kld_stat(struct ucred cred) 942{ 943* 944 return (0); 945} 946 947static int 948mac_test_check_kld_unload(struct ucred cred) 949{ 950* 951 return (0); 952} 953 954static int 955mac_test_check_mount_stat(struct ucred cred, struct mount mp, 956 struct label mntlabel) 957{ 958* 959 return (0); 960} 961 962static int 963mac_test_check_pipe_ioctl(struct ucred cred, struct pipe pipe, 964 struct label pipelabel, unsigned long cmd, void / caddr_t / data) 965{ 966 967 return (0); 968} 969 970static int 971mac_test_check_pipe_poll(struct ucred cred, struct pipe pipe, 972 struct label pipelabel) 973{ 974* 975 return (0); 976} 977 978static int 979mac_test_check_pipe_read(struct ucred cred, struct pipe pipe, 980 struct label pipelabel) 981{ 982* 983 return (0); 984} 985 986static int 987mac_test_check_pipe_relabel(struct ucred cred, struct pipe pipe, 988 struct label pipelabel, struct label newlabel) 989{ 990 991 return (0); 992} 993 994static int 995mac_test_check_pipe_stat(struct ucred cred, struct pipe pipe, 996 struct label pipelabel) 997{ 998* 999 return (0); 1000} 1001 1002static int 1003mac_test_check_pipe_write(struct ucred cred, struct pipe pipe, 1004 struct label pipelabel) 1005{ 1006* 1007 return (0); 1008} 1009 1010static int 1011mac_test_check_proc_debug(struct ucred cred, struct proc proc) 1012{ 1013 1014 return (0); 1015} 1016 1017static int 1018mac_test_check_proc_sched(struct ucred cred, struct proc proc) 1019{ 1020 1021 return (0); 1022} 1023 1024static int 1025mac_test_check_proc_signal(struct ucred cred, struct proc proc, int signum) 1026{ 1027 1028 return (0); 1029} 1030 1031static int 1032mac_test_check_socket_bind(struct ucred cred, struct socket socket, 1033 struct label socketlabel, struct sockaddr sockaddr) 1034{ 1035 1036 return (0); 1037} 1038 1039static int 1040mac_test_check_socket_connect(struct ucred cred, struct socket socket, 1041 struct label socketlabel, struct sockaddr sockaddr) 1042{ 1043 1044 return (0); 1045} 1046 1047static int 1048mac_test_check_socket_deliver(struct socket socket, struct label socketlabel, 1049 struct mbuf m, struct label mbuflabel) 1050{ 1051 1052 return (0); 1053} 1054 1055static int 1056mac_test_check_socket_listen(struct ucred cred, struct socket socket, 1057 struct label socketlabel) 1058{ 1059* 1060 return (0); 1061} 1062 1063static int 1064mac_test_check_socket_visible(struct ucred cred, struct socket socket, 1065 struct label socketlabel) 1066{ 1067* 1068 return (0); 1069} 1070 1071static int 1072mac_test_check_socket_relabel(struct ucred cred, struct socket socket, 1073 struct label socketlabel, struct label newlabel) 1074{ 1075 1076 return (0); 1077} 1078 1079static int 1080mac_test_check_sysarch_ioperm(struct ucred cred) 1081{ 1082* 1083 return (0); 1084} 1085 1086static int 1087mac_test_check_system_acct(struct ucred cred, struct vnode vp, 1088 struct label label) 1089{ 1090* 1091 return (0); 1092} 1093 1094static int 1095mac_test_check_system_reboot(struct ucred cred, int how) 1096{ 1097* 1098 return (0); 1099} 1100 1101static int 1102mac_test_check_system_settime(struct ucred cred) 1103{ 1104* 1105 return (0); 1106} 1107 1108static int 1109mac_test_check_system_swapon(struct ucred cred, struct vnode vp, 1110 struct label label) 1111{ 1112* 1113 return (0); 1114} 1115 1116static int 1117mac_test_check_system_swapoff(struct ucred cred, struct vnode vp, 1118 struct label label) 1119{ 1120* 1121 return (0); 1122} 1123 1124static int 1125mac_test_check_system_sysctl(struct ucred cred, int name, u_int namelen, 1126 void old, size_t oldlenp, int inkernel, void new, size_t newlen) 1127{ 1128* 1129 return (0); 1130} 1131 1132static int 1133mac_test_check_vnode_access(struct ucred cred, struct vnode vp, 1134 struct label label, int acc_mode) 1135{ 1136* 1137 return (0); 1138} 1139 1140static int 1141mac_test_check_vnode_chdir(struct ucred cred, struct vnode dvp, 1142 struct label dlabel) 1143{ 1144* 1145 return (0); 1146} 1147 1148static int 1149mac_test_check_vnode_chroot(struct ucred cred, struct vnode dvp, 1150 struct label dlabel) 1151{ 1152* 1153 return (0); 1154} 1155 1156static int 1157mac_test_check_vnode_create(struct ucred cred, struct vnode dvp, 1158 struct label dlabel, struct componentname cnp, struct vattr vap) 1159{ 1160* 1161 return (0); 1162} 1163 1164static int 1165mac_test_check_vnode_delete(struct ucred cred, struct vnode dvp, 1166 struct label dlabel, struct vnode vp, struct label label, 1167* struct componentname cnp) 1168{ 1169* 1170 return (0); 1171} 1172 1173static int 1174mac_test_check_vnode_deleteacl(struct ucred cred, struct vnode vp, 1175 struct label label, acl_type_t type) 1176{ 1177* 1178 return (0); 1179} 1180 1181static int 1182mac_test_check_vnode_exec(struct ucred cred, struct vnode vp, 1183 struct label label, struct image_params imgp, 1184 struct label execlabel) 1185{ 1186* 1187 return (0); 1188} 1189 1190static int 1191mac_test_check_vnode_getacl(struct ucred cred, struct vnode vp, 1192 struct label label, acl_type_t type) 1193{ 1194* 1195 return (0); 1196} 1197 1198static int 1199mac_test_check_vnode_getextattr(struct ucred cred, struct vnode vp, 1200 struct label label, int attrnamespace, const char name, struct uio uio) 1201{ 1202* 1203 return (0); 1204} 1205 1206static int 1207mac_test_check_vnode_link(struct ucred cred, struct vnode dvp, 1208 struct label dlabel, struct vnode vp, struct label label, 1209* struct componentname cnp) 1210{ 1211* 1212 return (0); 1213} 1214 1215static int 1216mac_test_check_vnode_lookup(struct ucred cred, struct vnode dvp, 1217 struct label dlabel, struct componentname cnp) 1218{ 1219 1220 return (0); 1221} 1222 1223static int 1224mac_test_check_vnode_mmap(struct ucred cred, struct vnode vp, 1225 struct label label, int prot) 1226{ 1227* 1228 return (0); 1229} 1230 1231static int 1232mac_test_check_vnode_mprotect(struct ucred cred, struct vnode vp, 1233 struct label label, int prot) 1234{ 1235* 1236 return (0); 1237} 1238 1239static int 1240mac_test_check_vnode_open(struct ucred cred, struct vnode vp, 1241 struct label filelabel, int acc_mode) 1242{ 1243* 1244 return (0); 1245} 1246 1247static int 1248mac_test_check_vnode_poll(struct ucred active_cred, struct ucred file_cred, 1249 struct vnode vp, struct label label) 1250{ 1251 1252 return (0); 1253} 1254 1255static int 1256mac_test_check_vnode_read(struct ucred active_cred, struct ucred file_cred, 1257 struct vnode vp, struct label label) 1258{ 1259 1260 return (0); 1261} 1262 1263static int 1264mac_test_check_vnode_readdir(struct ucred cred, struct vnode dvp, 1265 struct label dlabel) 1266{ 1267* 1268 return (0); 1269} 1270 1271static int 1272mac_test_check_vnode_readlink(struct ucred cred, struct vnode vp, 1273 struct label vnodelabel) 1274{ 1275* 1276 return (0); 1277} 1278 1279static int 1280mac_test_check_vnode_relabel(struct ucred cred, struct vnode vp, 1281 struct label vnodelabel, struct label newlabel) 1282{ 1283 1284 return (0); 1285} 1286 1287static int 1288mac_test_check_vnode_rename_from(struct ucred cred, struct vnode dvp, 1289 struct label dlabel, struct vnode vp, struct label label, 1290* struct componentname cnp) 1291{ 1292* 1293 return (0); 1294} 1295 1296static int 1297mac_test_check_vnode_rename_to(struct ucred cred, struct vnode dvp, 1298 struct label dlabel, struct vnode vp, struct label label, int samedir, 1299* struct componentname cnp) 1300{ 1301* 1302 return (0); 1303} 1304 1305static int 1306mac_test_check_vnode_revoke(struct ucred cred, struct vnode vp, 1307 struct label label) 1308{ 1309* 1310 return (0); 1311} 1312 1313static int 1314mac_test_check_vnode_setacl(struct ucred cred, struct vnode vp, 1315 struct label label, acl_type_t type, struct acl acl) 1316{ 1317 1318 return (0); 1319} 1320 1321static int 1322mac_test_check_vnode_setextattr(struct ucred cred, struct vnode vp, 1323 struct label label, int attrnamespace, const char name, struct uio uio) 1324{ 1325* 1326 return (0); 1327} 1328 1329static int 1330mac_test_check_vnode_setflags(struct ucred cred, struct vnode vp, 1331 struct label label, u_long flags) 1332{ 1333* 1334 return (0); 1335} 1336 1337static int 1338mac_test_check_vnode_setmode(struct ucred cred, struct vnode vp, 1339 struct label label, mode_t mode) 1340{ 1341* 1342 return (0); 1343} 1344 1345static int 1346mac_test_check_vnode_setowner(struct ucred cred, struct vnode vp, 1347 struct label label, uid_t uid, gid_t gid) 1348{ 1349* 1350 return (0); 1351} 1352 1353static int 1354mac_test_check_vnode_setutimes(struct ucred cred, struct vnode vp, 1355 struct label label, struct timespec atime, struct timespec mtime) 1356{ 1357* 1358 return (0); 1359} 1360 1361static int 1362mac_test_check_vnode_stat(struct ucred active_cred, struct ucred file_cred, 1363 struct vnode vp, struct label label) 1364{ 1365 1366 return (0); 1367} 1368 1369static int 1370mac_test_check_vnode_write(struct ucred active_cred, 1371* struct ucred file_cred, struct vnode vp, struct label label) 1372{ 1373* 1374 return (0); 1375} 1376 1377static struct mac_policy_ops mac_test_ops = 1378{ 1379 .mpo_destroy = mac_test_destroy, 1380 .mpo_init = mac_test_init, 1381 .mpo_syscall = mac_test_syscall, 1382 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label, 1383 .mpo_init_cred_label = mac_test_init_cred_label, 1384 .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label, 1385 .mpo_init_ifnet_label = mac_test_init_ifnet_label, 1386 .mpo_init_ipq_label = mac_test_init_ipq_label, 1387 .mpo_init_mbuf_label = mac_test_init_mbuf_label, 1388 .mpo_init_mount_label = mac_test_init_mount_label, 1389 .mpo_init_mount_fs_label = mac_test_init_mount_fs_label, 1390 .mpo_init_pipe_label = mac_test_init_pipe_label, 1391 .mpo_init_proc_label = mac_test_init_proc_label, 1392 .mpo_init_socket_label = mac_test_init_socket_label, 1393 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label, 1394 .mpo_init_vnode_label = mac_test_init_vnode_label, 1395 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label, 1396 .mpo_destroy_cred_label = mac_test_destroy_cred_label, 1397 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label, 1398 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label, 1399 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 1400 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 1401 .mpo_destroy_mount_label = mac_test_destroy_mount_label, 1402 .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label, 1403 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, 1404 .mpo_destroy_proc_label = mac_test_destroy_proc_label, 1405 .mpo_destroy_socket_label = mac_test_destroy_socket_label, 1406 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 1407 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 1408 .mpo_externalize_cred_label = mac_test_externalize_label, 1409 .mpo_externalize_ifnet_label = mac_test_externalize_label, 1410 .mpo_externalize_pipe_label = mac_test_externalize_label, 1411 .mpo_externalize_socket_label = mac_test_externalize_label, 1412 .mpo_externalize_socket_peer_label = mac_test_externalize_label, 1413 .mpo_externalize_vnode_label = mac_test_externalize_label, 1414 .mpo_internalize_cred_label = mac_test_internalize_label, 1415 .mpo_internalize_ifnet_label = mac_test_internalize_label, 1416 .mpo_internalize_pipe_label = mac_test_internalize_label, 1417 .mpo_internalize_socket_label = mac_test_internalize_label, 1418 .mpo_internalize_vnode_label = mac_test_internalize_label, 1419 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 1420 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 1421 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 1422 .mpo_create_devfs_device = mac_test_create_devfs_device, 1423 .mpo_create_devfs_directory = mac_test_create_devfs_directory, 1424 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 1425 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 1426 .mpo_create_mount = mac_test_create_mount, 1427 .mpo_create_root_mount = mac_test_create_root_mount, 1428 .mpo_relabel_vnode = mac_test_relabel_vnode, 1429 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, 1430 .mpo_update_devfsdirent = mac_test_update_devfsdirent, 1431 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 1432 .mpo_create_pipe = mac_test_create_pipe, 1433 .mpo_create_socket = mac_test_create_socket, 1434 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, 1435 .mpo_relabel_pipe = mac_test_relabel_pipe, 1436 .mpo_relabel_socket = mac_test_relabel_socket, 1437 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 1438 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 1439 .mpo_create_bpfdesc = mac_test_create_bpfdesc, 1440 .mpo_create_ifnet = mac_test_create_ifnet, 1441 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 1442 .mpo_create_fragment = mac_test_create_fragment, 1443 .mpo_create_ipq = mac_test_create_ipq, 1444 .mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf, 1445 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 1446 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 1447 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 1448 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 1449 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 1450 .mpo_fragment_match = mac_test_fragment_match, 1451 .mpo_relabel_ifnet = mac_test_relabel_ifnet, 1452 .mpo_update_ipq = mac_test_update_ipq, 1453 .mpo_create_cred = mac_test_create_cred, 1454 .mpo_execve_transition = mac_test_execve_transition, 1455 .mpo_execve_will_transition = mac_test_execve_will_transition, 1456 .mpo_create_proc0 = mac_test_create_proc0, 1457 .mpo_create_proc1 = mac_test_create_proc1, 1458 .mpo_relabel_cred = mac_test_relabel_cred, 1459 .mpo_thread_userret = mac_test_thread_userret, 1460 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 1461 .mpo_check_cred_relabel = mac_test_check_cred_relabel, 1462 .mpo_check_cred_visible = mac_test_check_cred_visible, 1463 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 1464 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, 1465 .mpo_check_kenv_dump = mac_test_check_kenv_dump, 1466 .mpo_check_kenv_get = mac_test_check_kenv_get, 1467 .mpo_check_kenv_set = mac_test_check_kenv_set, 1468 .mpo_check_kenv_unset = mac_test_check_kenv_unset, 1469 .mpo_check_kld_load = mac_test_check_kld_load, 1470 .mpo_check_kld_stat = mac_test_check_kld_stat, 1471 .mpo_check_kld_unload = mac_test_check_kld_unload, 1472 .mpo_check_mount_stat = mac_test_check_mount_stat, 1473 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 1474 .mpo_check_pipe_poll = mac_test_check_pipe_poll, 1475 .mpo_check_pipe_read = mac_test_check_pipe_read, 1476 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, 1477 .mpo_check_pipe_stat = mac_test_check_pipe_stat, 1478 .mpo_check_pipe_write = mac_test_check_pipe_write, 1479 .mpo_check_proc_debug = mac_test_check_proc_debug, 1480 .mpo_check_proc_sched = mac_test_check_proc_sched, 1481 .mpo_check_proc_signal = mac_test_check_proc_signal, 1482 .mpo_check_socket_bind = mac_test_check_socket_bind, 1483 .mpo_check_socket_connect = mac_test_check_socket_connect, 1484 .mpo_check_socket_deliver = mac_test_check_socket_deliver, 1485 .mpo_check_socket_listen = mac_test_check_socket_listen, 1486 .mpo_check_socket_relabel = mac_test_check_socket_relabel, 1487 .mpo_check_socket_visible = mac_test_check_socket_visible, 1488 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, 1489 .mpo_check_system_acct = mac_test_check_system_acct, 1490 .mpo_check_system_reboot = mac_test_check_system_reboot, 1491 .mpo_check_system_settime = mac_test_check_system_settime, 1492 .mpo_check_system_swapon = mac_test_check_system_swapon, 1493 .mpo_check_system_swapoff = mac_test_check_system_swapoff, 1494 .mpo_check_system_sysctl = mac_test_check_system_sysctl, 1495 .mpo_check_vnode_access = mac_test_check_vnode_access, 1496 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 1497 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 1498 .mpo_check_vnode_create = mac_test_check_vnode_create, 1499 .mpo_check_vnode_delete = mac_test_check_vnode_delete, 1500 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 1501 .mpo_check_vnode_exec = mac_test_check_vnode_exec, 1502 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 1503 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 1504 .mpo_check_vnode_link = mac_test_check_vnode_link, 1505 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 1506 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 1507 .mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect, 1508 .mpo_check_vnode_open = mac_test_check_vnode_open, 1509 .mpo_check_vnode_poll = mac_test_check_vnode_poll, 1510 .mpo_check_vnode_read = mac_test_check_vnode_read, 1511 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 1512 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, 1513 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 1514 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 1515 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, 1516 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke, 1517 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, 1518 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, 1519 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, 1520 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, 1521 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, 1522 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, 1523 .mpo_check_vnode_stat = mac_test_check_vnode_stat, 1524 .mpo_check_vnode_write = mac_test_check_vnode_write, 1525}; 1526 1527MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test", 1528 MPC_LOADTIME_FLAG_UNLOADOK \| MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);