1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by Network
9 * Associates Laboratories, the Security Research Division of Network
10 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
11 * as part of the DARPA CHATS research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $FreeBSD: head/sys/security/mac_test/mac_test.c 122875 2003-11-18 00:39:07Z rwatson $
34 * $FreeBSD: head/sys/security/mac_test/mac_test.c 123173 2003-12-06 21:48:03Z rwatson $
35 */
36
37/*
38 * Developed by the TrustedBSD Project.
39 * Generic mandatory access module that does nothing.
40 */
41
42#include <sys/types.h>
43#include <sys/param.h>
44#include <sys/acl.h>
45#include <sys/conf.h>
46#include <sys/extattr.h>
47#include <sys/kernel.h>
48#include <sys/mac.h>
49#include <sys/malloc.h>
50#include <sys/mount.h>
51#include <sys/proc.h>
52#include <sys/systm.h>
53#include <sys/sysproto.h>
54#include <sys/sysent.h>
55#include <sys/vnode.h>
56#include <sys/file.h>
57#include <sys/socket.h>
58#include <sys/socketvar.h>
59#include <sys/sysctl.h>
60
61#include <fs/devfs/devfs.h>
62
63#include <net/bpfdesc.h>
64#include <net/if.h>
65#include <net/if_types.h>
66#include <net/if_var.h>
67
68#include <vm/vm.h>
69
70#include <sys/mac_policy.h>
71
72SYSCTL_DECL(_security_mac);
73
74SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
75 "TrustedBSD mac_test policy controls");
76
77static int mac_test_enabled = 1;
78SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
79 &mac_test_enabled, 0, "Enforce test policy");
80
81#define BPFMAGIC 0xfe1ad1b6
82#define DEVFSMAGIC 0x9ee79c32
83#define IFNETMAGIC 0xc218b120
84#define INPCBMAGIC 0x4440f7bb
85#define IPQMAGIC 0x206188ef
86#define MBUFMAGIC 0xbbefa5bb
87#define MOUNTMAGIC 0xc7c46e47
88#define SOCKETMAGIC 0x9199c6cd
89#define PIPEMAGIC 0xdc6c9919
90#define PROCMAGIC 0x3b4be98f
91#define CREDMAGIC 0x9a5a4987
92#define VNODEMAGIC 0x1a67a45c
93#define EXMAGIC 0x849ba1fd
94
95#define SLOT(x) LABEL_TO_SLOT((x), test_slot).l_long
96
97#define ASSERT_BPF_LABEL(x) KASSERT(SLOT(x) == BPFMAGIC || \
98 SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
99#define ASSERT_DEVFS_LABEL(x) KASSERT(SLOT(x) == DEVFSMAGIC || \
100 SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
101#define ASSERT_IFNET_LABEL(x) KASSERT(SLOT(x) == IFNETMAGIC || \
102 SLOT(x) == 0, ("%s: Bad IFNET label", __func__ ))
103#define ASSERT_INPCB_LABEL(x) KASSERT(SLOT(x) == INPCBMAGIC || \
104 SLOT(x) == 0, ("%s: Bad INPCB label", __func__ ))
105#define ASSERT_IPQ_LABEL(x) KASSERT(SLOT(x) == IPQMAGIC || \
106 SLOT(x) == 0, ("%s: Bad IPQ label", __func__ ))
107#define ASSERT_MBUF_LABEL(x) KASSERT(SLOT(x) == MBUFMAGIC || \
108 SLOT(x) == 0, ("%s: Bad MBUF label", __func__ ))
109#define ASSERT_MOUNT_LABEL(x) KASSERT(SLOT(x) == MOUNTMAGIC || \
110 SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ ))
111#define ASSERT_SOCKET_LABEL(x) KASSERT(SLOT(x) == SOCKETMAGIC || \
112 SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ ))
113#define ASSERT_PIPE_LABEL(x) KASSERT(SLOT(x) == PIPEMAGIC || \
114 SLOT(x) == 0, ("%s: Bad PIPE label", __func__ ))
115#define ASSERT_PROC_LABEL(x) KASSERT(SLOT(x) == PROCMAGIC || \
116 SLOT(x) == 0, ("%s: Bad PROC label", __func__ ))
117#define ASSERT_CRED_LABEL(x) KASSERT(SLOT(x) == CREDMAGIC || \
118 SLOT(x) == 0, ("%s: Bad CRED label", __func__ ))
119#define ASSERT_VNODE_LABEL(x) KASSERT(SLOT(x) == VNODEMAGIC || \
120 SLOT(x) == 0, ("%s: Bad VNODE label", __func__ ))
121
122static int test_slot;
123SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
124 &test_slot, 0, "Slot allocated by framework");
125
126static int init_count_bpfdesc;
127SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
128 &init_count_bpfdesc, 0, "bpfdesc init calls");
129static int init_count_cred;
130SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
131 &init_count_cred, 0, "cred init calls");
132static int init_count_devfsdirent;
133SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
134 &init_count_devfsdirent, 0, "devfsdirent init calls");
135static int init_count_ifnet;
136SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
137 &init_count_ifnet, 0, "ifnet init calls");
138static int init_count_inpcb;
139SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
140 &init_count_inpcb, 0, "inpcb init calls");
141static int init_count_ipq;
142SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
143 &init_count_ipq, 0, "ipq init calls");
144static int init_count_mbuf;
145SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
146 &init_count_mbuf, 0, "mbuf init calls");
147static int init_count_mount;
148SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
149 &init_count_mount, 0, "mount init calls");
150static int init_count_mount_fslabel;
151SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
152 &init_count_mount_fslabel, 0, "mount_fslabel init calls");
153static int init_count_socket;
154SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
155 &init_count_socket, 0, "socket init calls");
156static int init_count_socket_peerlabel;
157SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
158 CTLFLAG_RD, &init_count_socket_peerlabel, 0,
159 "socket_peerlabel init calls");
160static int init_count_pipe;
161SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
162 &init_count_pipe, 0, "pipe init calls");
163static int init_count_proc;
164SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
165 &init_count_proc, 0, "proc init calls");
166static int init_count_vnode;
167SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
168 &init_count_vnode, 0, "vnode init calls");
169
170static int destroy_count_bpfdesc;
171SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
172 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
173static int destroy_count_cred;
174SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
175 &destroy_count_cred, 0, "cred destroy calls");
176static int destroy_count_devfsdirent;
177SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
178 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
179static int destroy_count_ifnet;
180SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
181 &destroy_count_ifnet, 0, "ifnet destroy calls");
182static int destroy_count_inpcb;
183SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
184 &destroy_count_inpcb, 0, "inpcb destroy calls");
185static int destroy_count_ipq;
186SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
187 &destroy_count_ipq, 0, "ipq destroy calls");
188static int destroy_count_mbuf;
189SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
190 &destroy_count_mbuf, 0, "mbuf destroy calls");
191static int destroy_count_mount;
192SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
193 &destroy_count_mount, 0, "mount destroy calls");
194static int destroy_count_mount_fslabel;
195SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
196 CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
197 "mount_fslabel destroy calls");
198static int destroy_count_socket;
199SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
200 &destroy_count_socket, 0, "socket destroy calls");
201static int destroy_count_socket_peerlabel;
202SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
203 CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
204 "socket_peerlabel destroy calls");
205static int destroy_count_pipe;
206SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
207 &destroy_count_pipe, 0, "pipe destroy calls");
208static int destroy_count_proc;
209SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
210 &destroy_count_proc, 0, "proc destroy calls");
211static int destroy_count_vnode;
212SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
213 &destroy_count_vnode, 0, "vnode destroy calls");
214
215static int externalize_count;
216SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
217 &externalize_count, 0, "Subject/object externalize calls");
218static int internalize_count;
219SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
220 &internalize_count, 0, "Subject/object internalize calls");
221
222/*
223 * Policy module operations.
224 */
225static void
226mac_test_destroy(struct mac_policy_conf *conf)
227{
228
229}
230
231static void
232mac_test_init(struct mac_policy_conf *conf)
233{
234
235}
236
237static int
238mac_test_syscall(struct thread *td, int call, void *arg)
239{
240
241 return (0);
242}
243
244/*
245 * Label operations.
246 */
247static void
248mac_test_init_bpfdesc_label(struct label *label)
249{
250
251 SLOT(label) = BPFMAGIC;
252 atomic_add_int(&init_count_bpfdesc, 1);
253}
254
255static void
256mac_test_init_cred_label(struct label *label)
257{
258
259 SLOT(label) = CREDMAGIC;
260 atomic_add_int(&init_count_cred, 1);
261}
262
263static void
264mac_test_init_devfsdirent_label(struct label *label)
265{
266
267 SLOT(label) = DEVFSMAGIC;
268 atomic_add_int(&init_count_devfsdirent, 1);
269}
270
271static void
272mac_test_init_ifnet_label(struct label *label)
273{
274
275 SLOT(label) = IFNETMAGIC;
276 atomic_add_int(&init_count_ifnet, 1);
277}
278
279static int
280mac_test_init_inpcb_label(struct label *label, int flag)
281{
282
283 if (flag & M_WAITOK)
284 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
285 "mac_test_init_inpcb_label() at %s:%d", __FILE__,
286 __LINE__);
287
288 SLOT(label) = INPCBMAGIC;
289 atomic_add_int(&init_count_inpcb, 1);
290 return (0);
291}
292
293static int
294mac_test_init_ipq_label(struct label *label, int flag)
295{
296
297 if (flag & M_WAITOK)
298 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
299 "mac_test_init_ipq_label() at %s:%d", __FILE__,
300 __LINE__);
301
302 SLOT(label) = IPQMAGIC;
303 atomic_add_int(&init_count_ipq, 1);
304 return (0);
305}
306
307static int
308mac_test_init_mbuf_label(struct label *label, int flag)
309{
310
311 if (flag & M_WAITOK)
312 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
313 "mac_test_init_mbuf_label() at %s:%d", __FILE__,
314 __LINE__);
315
316 SLOT(label) = MBUFMAGIC;
317 atomic_add_int(&init_count_mbuf, 1);
318 return (0);
319}
320
321static void
322mac_test_init_mount_label(struct label *label)
323{
324
325 SLOT(label) = MOUNTMAGIC;
326 atomic_add_int(&init_count_mount, 1);
327}
328
329static void
330mac_test_init_mount_fs_label(struct label *label)
331{
332
333 SLOT(label) = MOUNTMAGIC;
334 atomic_add_int(&init_count_mount_fslabel, 1);
335}
336
337static int
338mac_test_init_socket_label(struct label *label, int flag)
339{
340
341 if (flag & M_WAITOK)
342 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
343 "mac_test_init_socket_label() at %s:%d", __FILE__,
344 __LINE__);
345
346 SLOT(label) = SOCKETMAGIC;
347 atomic_add_int(&init_count_socket, 1);
348 return (0);
349}
350
351static int
352mac_test_init_socket_peer_label(struct label *label, int flag)
353{
354
355 if (flag & M_WAITOK)
356 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
357 "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
358 __LINE__);
359
360 SLOT(label) = SOCKETMAGIC;
361 atomic_add_int(&init_count_socket_peerlabel, 1);
362 return (0);
363}
364
365static void
366mac_test_init_pipe_label(struct label *label)
367{
368
369 SLOT(label) = PIPEMAGIC;
370 atomic_add_int(&init_count_pipe, 1);
371}
372
373static void
374mac_test_init_proc_label(struct label *label)
375{
376
377 SLOT(label) = PROCMAGIC;
378 atomic_add_int(&init_count_proc, 1);
379}
380
381static void
382mac_test_init_vnode_label(struct label *label)
383{
384
385 SLOT(label) = VNODEMAGIC;
386 atomic_add_int(&init_count_vnode, 1);
387}
388
389static void
390mac_test_destroy_bpfdesc_label(struct label *label)
391{
392
393 if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
394 atomic_add_int(&destroy_count_bpfdesc, 1);
395 SLOT(label) = EXMAGIC;
396 } else if (SLOT(label) == EXMAGIC) {
397 Debugger("mac_test_destroy_bpfdesc: dup destroy");
398 } else {
399 Debugger("mac_test_destroy_bpfdesc: corrupted label");
400 }
401}
402
403static void
404mac_test_destroy_cred_label(struct label *label)
405{
406
407 if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
408 atomic_add_int(&destroy_count_cred, 1);
409 SLOT(label) = EXMAGIC;
410 } else if (SLOT(label) == EXMAGIC) {
411 Debugger("mac_test_destroy_cred: dup destroy");
412 } else {
413 Debugger("mac_test_destroy_cred: corrupted label");
414 }
415}
416
417static void
418mac_test_destroy_devfsdirent_label(struct label *label)
419{
420
421 if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
422 atomic_add_int(&destroy_count_devfsdirent, 1);
423 SLOT(label) = EXMAGIC;
424 } else if (SLOT(label) == EXMAGIC) {
425 Debugger("mac_test_destroy_devfsdirent: dup destroy");
426 } else {
427 Debugger("mac_test_destroy_devfsdirent: corrupted label");
428 }
429}
430
431static void
432mac_test_destroy_ifnet_label(struct label *label)
433{
434
435 if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
436 atomic_add_int(&destroy_count_ifnet, 1);
437 SLOT(label) = EXMAGIC;
438 } else if (SLOT(label) == EXMAGIC) {
439 Debugger("mac_test_destroy_ifnet: dup destroy");
440 } else {
441 Debugger("mac_test_destroy_ifnet: corrupted label");
442 }
443}
444
445static void
446mac_test_destroy_inpcb_label(struct label *label)
447{
448
449 if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) {
450 atomic_add_int(&destroy_count_inpcb, 1);
451 SLOT(label) = EXMAGIC;
452 } else if (SLOT(label) == EXMAGIC) {
453 Debugger("mac_test_destroy_inpcb: dup destroy");
454 } else {
455 Debugger("mac_test_destroy_inpcb: corrupted label");
456 }
457}
458
459static void
460mac_test_destroy_ipq_label(struct label *label)
461{
462
463 if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
464 atomic_add_int(&destroy_count_ipq, 1);
465 SLOT(label) = EXMAGIC;
466 } else if (SLOT(label) == EXMAGIC) {
467 Debugger("mac_test_destroy_ipq: dup destroy");
468 } else {
469 Debugger("mac_test_destroy_ipq: corrupted label");
470 }
471}
472
473static void
474mac_test_destroy_mbuf_label(struct label *label)
475{
476
477 /*
478 * If we're loaded dynamically, there may be mbufs in flight that
479 * didn't have label storage allocated for them. Handle this
480 * gracefully.
481 */
482 if (label == NULL)
483 return;
484
485 if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
486 atomic_add_int(&destroy_count_mbuf, 1);
487 SLOT(label) = EXMAGIC;
488 } else if (SLOT(label) == EXMAGIC) {
489 Debugger("mac_test_destroy_mbuf: dup destroy");
490 } else {
491 Debugger("mac_test_destroy_mbuf: corrupted label");
492 }
493}
494
495static void
496mac_test_destroy_mount_label(struct label *label)
497{
498
499 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
500 atomic_add_int(&destroy_count_mount, 1);
501 SLOT(label) = EXMAGIC;
502 } else if (SLOT(label) == EXMAGIC) {
503 Debugger("mac_test_destroy_mount: dup destroy");
504 } else {
505 Debugger("mac_test_destroy_mount: corrupted label");
506 }
507}
508
509static void
510mac_test_destroy_mount_fs_label(struct label *label)
511{
512
513 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
514 atomic_add_int(&destroy_count_mount_fslabel, 1);
515 SLOT(label) = EXMAGIC;
516 } else if (SLOT(label) == EXMAGIC) {
517 Debugger("mac_test_destroy_mount_fslabel: dup destroy");
518 } else {
519 Debugger("mac_test_destroy_mount_fslabel: corrupted label");
520 }
521}
522
523static void
524mac_test_destroy_socket_label(struct label *label)
525{
526
527 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
528 atomic_add_int(&destroy_count_socket, 1);
529 SLOT(label) = EXMAGIC;
530 } else if (SLOT(label) == EXMAGIC) {
531 Debugger("mac_test_destroy_socket: dup destroy");
532 } else {
533 Debugger("mac_test_destroy_socket: corrupted label");
534 }
535}
536
537static void
538mac_test_destroy_socket_peer_label(struct label *label)
539{
540
541 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
542 atomic_add_int(&destroy_count_socket_peerlabel, 1);
543 SLOT(label) = EXMAGIC;
544 } else if (SLOT(label) == EXMAGIC) {
545 Debugger("mac_test_destroy_socket_peerlabel: dup destroy");
546 } else {
547 Debugger("mac_test_destroy_socket_peerlabel: corrupted label");
548 }
549}
550
551static void
552mac_test_destroy_pipe_label(struct label *label)
553{
554
555 if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) {
556 atomic_add_int(&destroy_count_pipe, 1);
557 SLOT(label) = EXMAGIC;
558 } else if (SLOT(label) == EXMAGIC) {
559 Debugger("mac_test_destroy_pipe: dup destroy");
560 } else {
561 Debugger("mac_test_destroy_pipe: corrupted label");
562 }
563}
564
565static void
566mac_test_destroy_proc_label(struct label *label)
567{
568
569 if ((SLOT(label) == PROCMAGIC || SLOT(label) == 0)) {
570 atomic_add_int(&destroy_count_proc, 1);
571 SLOT(label) = EXMAGIC;
572 } else if (SLOT(label) == EXMAGIC) {
573 Debugger("mac_test_destroy_proc: dup destroy");
574 } else {
575 Debugger("mac_test_destroy_proc: corrupted label");
576 }
577}
578
579static void
580mac_test_destroy_vnode_label(struct label *label)
581{
582
583 if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
584 atomic_add_int(&destroy_count_vnode, 1);
585 SLOT(label) = EXMAGIC;
586 } else if (SLOT(label) == EXMAGIC) {
587 Debugger("mac_test_destroy_vnode: dup destroy");
588 } else {
589 Debugger("mac_test_destroy_vnode: corrupted label");
590 }
591}
592
593static void
594mac_test_copy_cred_label(struct label *src, struct label *dest)
595{
596
597 ASSERT_CRED_LABEL(src);
598 ASSERT_CRED_LABEL(dest);
599}
600
601static void
602mac_test_copy_mbuf_label(struct label *src, struct label *dest)
603{
604
605 ASSERT_MBUF_LABEL(src);
606 ASSERT_MBUF_LABEL(dest);
607}
608
609static void
610mac_test_copy_pipe_label(struct label *src, struct label *dest)
611{
612
613 ASSERT_PIPE_LABEL(src);
614 ASSERT_PIPE_LABEL(dest);
615}
616
617static void
618mac_test_copy_socket_label(struct label *src, struct label *dest)
619{
620
621 ASSERT_SOCKET_LABEL(src);
622 ASSERT_SOCKET_LABEL(dest);
623}
624
625static void
626mac_test_copy_vnode_label(struct label *src, struct label *dest)
627{
628
629 ASSERT_VNODE_LABEL(src);
630 ASSERT_VNODE_LABEL(dest);
631}
632
633static int
634mac_test_externalize_label(struct label *label, char *element_name,
635 struct sbuf *sb, int *claimed)
636{
637
638 atomic_add_int(&externalize_count, 1);
639
640 KASSERT(SLOT(label) != EXMAGIC,
641 ("mac_test_externalize_label: destroyed label"));
642
643 return (0);
644}
645
646static int
647mac_test_internalize_label(struct label *label, char *element_name,
648 char *element_data, int *claimed)
649{
650
651 atomic_add_int(&internalize_count, 1);
652
653 KASSERT(SLOT(label) != EXMAGIC,
654 ("mac_test_internalize_label: destroyed label"));
655
656 return (0);
657}
658
659/*
660 * Labeling event operations: file system objects, and things that look
661 * a lot like file system objects.
662 */
663static void
664mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
665 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
666 struct label *vlabel)
667{
668
669 ASSERT_MOUNT_LABEL(fslabel);
670 ASSERT_DEVFS_LABEL(delabel);
671 ASSERT_VNODE_LABEL(vlabel);
672}
673
674static int
675mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
676 struct vnode *vp, struct label *vlabel)
677{
678
679 ASSERT_MOUNT_LABEL(fslabel);
680 ASSERT_VNODE_LABEL(vlabel);
681 return (0);
682}
683
684static void
685mac_test_associate_vnode_singlelabel(struct mount *mp,
686 struct label *fslabel, struct vnode *vp, struct label *vlabel)
687{
688
689 ASSERT_MOUNT_LABEL(fslabel);
690 ASSERT_VNODE_LABEL(vlabel);
691}
692
693static void
694mac_test_create_devfs_device(struct mount *mp, dev_t dev,
695 struct devfs_dirent *devfs_dirent, struct label *label)
696{
697
698 ASSERT_DEVFS_LABEL(label);
699}
700
701static void
702mac_test_create_devfs_directory(struct mount *mp, char *dirname,
703 int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
704{
705
706 ASSERT_DEVFS_LABEL(label);
707}
708
709static void
710mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
711 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
712 struct label *delabel)
713{
714
715 ASSERT_CRED_LABEL(cred->cr_label);
716 ASSERT_DEVFS_LABEL(ddlabel);
717 ASSERT_DEVFS_LABEL(delabel);
718}
719
720static int
721mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
722 struct label *fslabel, struct vnode *dvp, struct label *dlabel,
723 struct vnode *vp, struct label *vlabel, struct componentname *cnp)
724{
725
726 ASSERT_CRED_LABEL(cred->cr_label);
727 ASSERT_MOUNT_LABEL(fslabel);
728 ASSERT_VNODE_LABEL(dlabel);
729
730 return (0);
731}
732
733static void
734mac_test_create_mount(struct ucred *cred, struct mount *mp,
735 struct label *mntlabel, struct label *fslabel)
736{
737
738 ASSERT_CRED_LABEL(cred->cr_label);
739 ASSERT_MOUNT_LABEL(mntlabel);
740 ASSERT_MOUNT_LABEL(fslabel);
741}
742
743static void
744mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
745 struct label *mntlabel, struct label *fslabel)
746{
747
748 ASSERT_CRED_LABEL(cred->cr_label);
749 ASSERT_MOUNT_LABEL(mntlabel);
750 ASSERT_MOUNT_LABEL(fslabel);
751}
752
753static void
754mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
755 struct label *vnodelabel, struct label *label)
756{
757
758 ASSERT_CRED_LABEL(cred->cr_label);
759 ASSERT_VNODE_LABEL(vnodelabel);
760 ASSERT_VNODE_LABEL(label);
761}
762
763static int
764mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
765 struct label *vlabel, struct label *intlabel)
766{
767
768 ASSERT_CRED_LABEL(cred->cr_label);
769 ASSERT_VNODE_LABEL(vlabel);
770 ASSERT_VNODE_LABEL(intlabel);
771 return (0);
772}
773
774static void
775mac_test_update_devfsdirent(struct mount *mp,
776 struct devfs_dirent *devfs_dirent, struct label *direntlabel,
777 struct vnode *vp, struct label *vnodelabel)
778{
779
780 ASSERT_DEVFS_LABEL(direntlabel);
781 ASSERT_VNODE_LABEL(vnodelabel);
782}
783
784/*
785 * Labeling event operations: IPC object.
786 */
787static void
788mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
789 struct mbuf *m, struct label *mbuflabel)
790{
791
792 ASSERT_SOCKET_LABEL(socketlabel);
793 ASSERT_MBUF_LABEL(mbuflabel);
794}
795
796static void
797mac_test_create_socket(struct ucred *cred, struct socket *socket,
798 struct label *socketlabel)
799{
800
801 ASSERT_CRED_LABEL(cred->cr_label);
802 ASSERT_SOCKET_LABEL(socketlabel);
803}
804
805static void
806mac_test_create_pipe(struct ucred *cred, struct pipe *pipe,
807 struct label *pipelabel)
808{
809
810 ASSERT_CRED_LABEL(cred->cr_label);
811 ASSERT_PIPE_LABEL(pipelabel);
812}
813
814static void
815mac_test_create_socket_from_socket(struct socket *oldsocket,
816 struct label *oldsocketlabel, struct socket *newsocket,
817 struct label *newsocketlabel)
818{
819
820 ASSERT_SOCKET_LABEL(oldsocketlabel);
821 ASSERT_SOCKET_LABEL(newsocketlabel);
822}
823
824static void
825mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
826 struct label *socketlabel, struct label *newlabel)
827{
828
829 ASSERT_CRED_LABEL(cred->cr_label);
830 ASSERT_SOCKET_LABEL(newlabel);
831}
832
833static void
834mac_test_relabel_pipe(struct ucred *cred, struct pipe *pipe,
835 struct label *pipelabel, struct label *newlabel)
836{
837
838 ASSERT_CRED_LABEL(cred->cr_label);
839 ASSERT_PIPE_LABEL(pipelabel);
840 ASSERT_PIPE_LABEL(newlabel);
841}
842
843static void
844mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
845 struct socket *socket, struct label *socketpeerlabel)
846{
847
848 ASSERT_MBUF_LABEL(mbuflabel);
849 ASSERT_SOCKET_LABEL(socketpeerlabel);
850}
851
852/*
853 * Labeling event operations: network objects.
854 */
855static void
856mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
857 struct label *oldsocketlabel, struct socket *newsocket,
858 struct label *newsocketpeerlabel)
859{
860
861 ASSERT_SOCKET_LABEL(oldsocketlabel);
862 ASSERT_SOCKET_LABEL(newsocketpeerlabel);
863}
864
865static void
866mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
867 struct label *bpflabel)
868{
869
870 ASSERT_CRED_LABEL(cred->cr_label);
871 ASSERT_BPF_LABEL(bpflabel);
872}
873
874static void
875mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
876 struct mbuf *datagram, struct label *datagramlabel)
877{
878
879 ASSERT_IPQ_LABEL(ipqlabel);
880 ASSERT_MBUF_LABEL(datagramlabel);
881}
882
883static void
884mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
885 struct mbuf *fragment, struct label *fragmentlabel)
886{
887
888 ASSERT_MBUF_LABEL(datagramlabel);
889 ASSERT_MBUF_LABEL(fragmentlabel);
890}
891
892static void
893mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
894{
895
896 ASSERT_IFNET_LABEL(ifnetlabel);
897}
898
899static void
900mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
901 struct inpcb *inp, struct label *inplabel)
902{
903
904 ASSERT_SOCKET_LABEL(solabel);
905 ASSERT_INPCB_LABEL(inplabel);
906}
907
908static void
909mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
910 struct ipq *ipq, struct label *ipqlabel)
911{
912
913 ASSERT_MBUF_LABEL(fragmentlabel);
914 ASSERT_IPQ_LABEL(ipqlabel);
915}
916
917static void
918mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
919 struct label *oldmbuflabel, struct mbuf *newmbuf,
920 struct label *newmbuflabel)
921{
922
923 ASSERT_MBUF_LABEL(oldmbuflabel);
924 ASSERT_MBUF_LABEL(newmbuflabel);
925}
926
927static void
928mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
929 struct mbuf *mbuf, struct label *mbuflabel)
930{
931
932 ASSERT_IFNET_LABEL(ifnetlabel);
933 ASSERT_MBUF_LABEL(mbuflabel);
934}
935
936static void
937mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
938 struct mbuf *mbuf, struct label *mbuflabel)
939{
940
941 ASSERT_BPF_LABEL(bpflabel);
942 ASSERT_MBUF_LABEL(mbuflabel);
943}
944
945static void
946mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
947 struct mbuf *m, struct label *mbuflabel)
948{
949
950 ASSERT_IFNET_LABEL(ifnetlabel);
951 ASSERT_MBUF_LABEL(mbuflabel);
952}
953
954static void
955mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
956 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
957 struct mbuf *newmbuf, struct label *newmbuflabel)
958{
959
960 ASSERT_MBUF_LABEL(oldmbuflabel);
961 ASSERT_IFNET_LABEL(ifnetlabel);
962 ASSERT_MBUF_LABEL(newmbuflabel);
963}
964
965static void
966mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
967 struct label *oldmbuflabel, struct mbuf *newmbuf,
968 struct label *newmbuflabel)
969{
970
971 ASSERT_MBUF_LABEL(oldmbuflabel);
972 ASSERT_MBUF_LABEL(newmbuflabel);
973}
974
975static int
976mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
977 struct ipq *ipq, struct label *ipqlabel)
978{
979
980 ASSERT_MBUF_LABEL(fragmentlabel);
981 ASSERT_IPQ_LABEL(ipqlabel);
982
983 return (1);
984}
985
986static void
987mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
988{
989
990 ASSERT_MBUF_LABEL(mlabel);
991}
992
993static void
994mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
995{
996
997 ASSERT_MBUF_LABEL(mlabel);
998}
999
1000static void
1001mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1002 struct label *ifnetlabel, struct label *newlabel)
1003{
1004
1005 ASSERT_CRED_LABEL(cred->cr_label);
1006 ASSERT_IFNET_LABEL(ifnetlabel);
1007 ASSERT_IFNET_LABEL(newlabel);
1008}
1009
1010static void
1011mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1012 struct ipq *ipq, struct label *ipqlabel)
1013{
1014
1015 ASSERT_MBUF_LABEL(fragmentlabel);
1016 ASSERT_IPQ_LABEL(ipqlabel);
1017}
1018
1019static void
1020mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1021 struct inpcb *inp, struct label *inplabel)
1022{
1023
1024 ASSERT_SOCKET_LABEL(solabel);
1025 ASSERT_INPCB_LABEL(inplabel);
1026}
1027
1028/*
1029 * Labeling event operations: processes.
1030 */
1031static void
1024mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
1025{
1026
1027 ASSERT_CRED_LABEL(cred_parent->cr_label);
1028 ASSERT_CRED_LABEL(cred_child->cr_label);
1029}
1030
1031static void
1032mac_test_execve_transition(struct ucred *old, struct ucred *new,
1033 struct vnode *vp, struct label *filelabel,
1034 struct label *interpvnodelabel, struct image_params *imgp,
1035 struct label *execlabel)
1036{
1037
1038 ASSERT_CRED_LABEL(old->cr_label);
1039 ASSERT_CRED_LABEL(new->cr_label);
1040 ASSERT_VNODE_LABEL(filelabel);
1041 ASSERT_VNODE_LABEL(interpvnodelabel);
1042 if (execlabel != NULL) {
1043 ASSERT_CRED_LABEL(execlabel);
1044 }
1045}
1046
1047static int
1048mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
1049 struct label *filelabel, struct label *interpvnodelabel,
1050 struct image_params *imgp, struct label *execlabel)
1051{
1052
1053 ASSERT_CRED_LABEL(old->cr_label);
1054 ASSERT_VNODE_LABEL(filelabel);
1055 if (interpvnodelabel != NULL) {
1056 ASSERT_VNODE_LABEL(interpvnodelabel);
1057 }
1058 if (execlabel != NULL) {
1059 ASSERT_CRED_LABEL(execlabel);
1060 }
1061
1062 return (0);
1063}
1064
1065static void
1066mac_test_create_proc0(struct ucred *cred)
1067{
1068
1069 ASSERT_CRED_LABEL(cred->cr_label);
1070}
1071
1072static void
1073mac_test_create_proc1(struct ucred *cred)
1074{
1075
1076 ASSERT_CRED_LABEL(cred->cr_label);
1077}
1078
1079static void
1080mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
1081{
1082
1083 ASSERT_CRED_LABEL(cred->cr_label);
1084 ASSERT_CRED_LABEL(newlabel);
1085}
1086
1087static void
1088mac_test_thread_userret(struct thread *td)
1089{
1090
1091 printf("mac_test_thread_userret(process = %d)\n",
1092 curthread->td_proc->p_pid);
1093}
1094
1095/*
1096 * Access control checks.
1097 */
1098static int
1099mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1100 struct ifnet *ifnet, struct label *ifnetlabel)
1101{
1102
1103 ASSERT_BPF_LABEL(bpflabel);
1104 ASSERT_IFNET_LABEL(ifnetlabel);
1105
1106 return (0);
1107}
1108
1109static int
1110mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1111{
1112
1113 ASSERT_CRED_LABEL(cred->cr_label);
1114 ASSERT_CRED_LABEL(newlabel);
1115
1116 return (0);
1117}
1118
1119static int
1120mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
1121{
1122
1123 ASSERT_CRED_LABEL(u1->cr_label);
1124 ASSERT_CRED_LABEL(u2->cr_label);
1125
1126 return (0);
1127}
1128
1129static int
1130mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1131 struct label *ifnetlabel, struct label *newlabel)
1132{
1133
1134 ASSERT_CRED_LABEL(cred->cr_label);
1135 ASSERT_IFNET_LABEL(ifnetlabel);
1136 ASSERT_IFNET_LABEL(newlabel);
1137 return (0);
1138}
1139
1140static int
1141mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1142 struct mbuf *m, struct label *mbuflabel)
1143{
1144
1145 ASSERT_IFNET_LABEL(ifnetlabel);
1146 ASSERT_MBUF_LABEL(mbuflabel);
1147
1148 return (0);
1149}
1150
1151static int
1152mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
1153 struct mbuf *m, struct label *mlabel)
1154{
1155
1156 ASSERT_INPCB_LABEL(inplabel);
1157 ASSERT_MBUF_LABEL(mlabel);
1158
1159 return (0);
1160}
1161
1162static int
1163mac_test_check_kenv_dump(struct ucred *cred)
1164{
1165
1166 ASSERT_CRED_LABEL(cred->cr_label);
1167
1168 return (0);
1169}
1170
1171static int
1172mac_test_check_kenv_get(struct ucred *cred, char *name)
1173{
1174
1175 ASSERT_CRED_LABEL(cred->cr_label);
1176
1177 return (0);
1178}
1179
1180static int
1181mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
1182{
1183
1184 ASSERT_CRED_LABEL(cred->cr_label);
1185
1186 return (0);
1187}
1188
1189static int
1190mac_test_check_kenv_unset(struct ucred *cred, char *name)
1191{
1192
1193 ASSERT_CRED_LABEL(cred->cr_label);
1194
1195 return (0);
1196}
1197
1198static int
1199mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
1200 struct label *label)
1201{
1202
1203 ASSERT_CRED_LABEL(cred->cr_label);
1204 ASSERT_VNODE_LABEL(label);
1205
1206 return (0);
1207}
1208
1209static int
1210mac_test_check_kld_stat(struct ucred *cred)
1211{
1212
1213 ASSERT_CRED_LABEL(cred->cr_label);
1214
1215 return (0);
1216}
1217
1218static int
1219mac_test_check_kld_unload(struct ucred *cred)
1220{
1221
1222 ASSERT_CRED_LABEL(cred->cr_label);
1223
1224 return (0);
1225}
1226
1227static int
1228mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
1229 struct label *mntlabel)
1230{
1231
1232 ASSERT_CRED_LABEL(cred->cr_label);
1233 ASSERT_MOUNT_LABEL(mntlabel);
1234
1235 return (0);
1236}
1237
1238static int
1239mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
1240 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1241{
1242
1243 ASSERT_CRED_LABEL(cred->cr_label);
1244 ASSERT_PIPE_LABEL(pipelabel);
1245
1246 return (0);
1247}
1248
1249static int
1250mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
1251 struct label *pipelabel)
1252{
1253
1254 ASSERT_CRED_LABEL(cred->cr_label);
1255 ASSERT_PIPE_LABEL(pipelabel);
1256
1257 return (0);
1258}
1259
1260static int
1261mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe,
1262 struct label *pipelabel)
1263{
1264
1265 ASSERT_CRED_LABEL(cred->cr_label);
1266 ASSERT_PIPE_LABEL(pipelabel);
1267
1268 return (0);
1269}
1270
1271static int
1272mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
1273 struct label *pipelabel, struct label *newlabel)
1274{
1275
1276 ASSERT_CRED_LABEL(cred->cr_label);
1277 ASSERT_PIPE_LABEL(pipelabel);
1278 ASSERT_PIPE_LABEL(newlabel);
1279
1280 return (0);
1281}
1282
1283static int
1284mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
1285 struct label *pipelabel)
1286{
1287
1288 ASSERT_CRED_LABEL(cred->cr_label);
1289 ASSERT_PIPE_LABEL(pipelabel);
1290
1291 return (0);
1292}
1293
1294static int
1295mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe,
1296 struct label *pipelabel)
1297{
1298
1299 ASSERT_CRED_LABEL(cred->cr_label);
1300 ASSERT_PIPE_LABEL(pipelabel);
1301
1302 return (0);
1303}
1304
1305static int
1306mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
1307{
1308
1309 ASSERT_CRED_LABEL(cred->cr_label);
1310 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1311
1312 return (0);
1313}
1314
1315static int
1316mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
1317{
1318
1319 ASSERT_CRED_LABEL(cred->cr_label);
1320 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1321
1322 return (0);
1323}
1324
1325static int
1326mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
1327{
1328
1329 ASSERT_CRED_LABEL(cred->cr_label);
1330 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1331
1332 return (0);
1333}
1334
1335static int
1336mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
1337 struct label *socketlabel, struct sockaddr *sockaddr)
1338{
1339
1340 ASSERT_CRED_LABEL(cred->cr_label);
1341 ASSERT_SOCKET_LABEL(socketlabel);
1342
1343 return (0);
1344}
1345
1346static int
1347mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
1348 struct label *socketlabel, struct sockaddr *sockaddr)
1349{
1350
1351 ASSERT_CRED_LABEL(cred->cr_label);
1352 ASSERT_SOCKET_LABEL(socketlabel);
1353
1354 return (0);
1355}
1356
1357static int
1358mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
1359 struct mbuf *m, struct label *mbuflabel)
1360{
1361
1362 ASSERT_SOCKET_LABEL(socketlabel);
1363 ASSERT_MBUF_LABEL(mbuflabel);
1364
1365 return (0);
1366}
1367
1368static int
1369mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
1370 struct label *socketlabel)
1371{
1372
1373 ASSERT_CRED_LABEL(cred->cr_label);
1374 ASSERT_SOCKET_LABEL(socketlabel);
1375
1376 return (0);
1377}
1378
1379static int
1380mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
1381 struct label *socketlabel)
1382{
1383
1384 ASSERT_CRED_LABEL(cred->cr_label);
1385 ASSERT_SOCKET_LABEL(socketlabel);
1386
1387 return (0);
1388}
1389
1390static int
1391mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
1392 struct label *socketlabel, struct label *newlabel)
1393{
1394
1395 ASSERT_CRED_LABEL(cred->cr_label);
1396 ASSERT_SOCKET_LABEL(socketlabel);
1397 ASSERT_SOCKET_LABEL(newlabel);
1398
1399 return (0);
1400}
1401
1402static int
1403mac_test_check_sysarch_ioperm(struct ucred *cred)
1404{
1405
1406 ASSERT_CRED_LABEL(cred->cr_label);
1407
1408 return (0);
1409}
1410
1411static int
1412mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
1413 struct label *label)
1414{
1415
1416 ASSERT_CRED_LABEL(cred->cr_label);
1417
1418 return (0);
1419}
1420
1421static int
1422mac_test_check_system_reboot(struct ucred *cred, int how)
1423{
1424
1425 ASSERT_CRED_LABEL(cred->cr_label);
1426
1427 return (0);
1428}
1429
1430static int
1431mac_test_check_system_settime(struct ucred *cred)
1432{
1433
1434 ASSERT_CRED_LABEL(cred->cr_label);
1435
1436 return (0);
1437}
1438
1439static int
1440mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
1441 struct label *label)
1442{
1443
1444 ASSERT_CRED_LABEL(cred->cr_label);
1445 ASSERT_VNODE_LABEL(label);
1446
1447 return (0);
1448}
1449
1450static int
1451mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
1452 struct label *label)
1453{
1454
1455 ASSERT_CRED_LABEL(cred->cr_label);
1456 ASSERT_VNODE_LABEL(label);
1457
1458 return (0);
1459}
1460
1461static int
1462mac_test_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
1463 void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
1464{
1465
1466 ASSERT_CRED_LABEL(cred->cr_label);
1467
1468 return (0);
1469}
1470
1471static int
1472mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
1473 struct label *label, int acc_mode)
1474{
1475
1476 ASSERT_CRED_LABEL(cred->cr_label);
1477 ASSERT_VNODE_LABEL(label);
1478
1479 return (0);
1480}
1481
1482static int
1483mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
1484 struct label *dlabel)
1485{
1486
1487 ASSERT_CRED_LABEL(cred->cr_label);
1488 ASSERT_VNODE_LABEL(dlabel);
1489
1490 return (0);
1491}
1492
1493static int
1494mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
1495 struct label *dlabel)
1496{
1497
1498 ASSERT_CRED_LABEL(cred->cr_label);
1499 ASSERT_VNODE_LABEL(dlabel);
1500
1501 return (0);
1502}
1503
1504static int
1505mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
1506 struct label *dlabel, struct componentname *cnp, struct vattr *vap)
1507{
1508
1509 ASSERT_CRED_LABEL(cred->cr_label);
1510 ASSERT_VNODE_LABEL(dlabel);
1511
1512 return (0);
1513}
1514
1515static int
1516mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
1517 struct label *dlabel, struct vnode *vp, struct label *label,
1518 struct componentname *cnp)
1519{
1520
1521 ASSERT_CRED_LABEL(cred->cr_label);
1522 ASSERT_VNODE_LABEL(dlabel);
1523 ASSERT_VNODE_LABEL(label);
1524
1525 return (0);
1526}
1527
1528static int
1529mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
1530 struct label *label, acl_type_t type)
1531{
1532
1533 ASSERT_CRED_LABEL(cred->cr_label);
1534 ASSERT_VNODE_LABEL(label);
1535
1536 return (0);
1537}
1538
1539static int
1540mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
1541 struct label *label, int attrnamespace, const char *name)
1542{
1543
1544 ASSERT_CRED_LABEL(cred->cr_label);
1545 ASSERT_VNODE_LABEL(label);
1546
1547 return (0);
1548}
1549
1550static int
1551mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
1552 struct label *label, struct image_params *imgp,
1553 struct label *execlabel)
1554{
1555
1556 ASSERT_CRED_LABEL(cred->cr_label);
1557 ASSERT_VNODE_LABEL(label);
1558 if (execlabel != NULL) {
1559 ASSERT_CRED_LABEL(execlabel);
1560 }
1561
1562 return (0);
1563}
1564
1565static int
1566mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
1567 struct label *label, acl_type_t type)
1568{
1569
1570 ASSERT_CRED_LABEL(cred->cr_label);
1571 ASSERT_VNODE_LABEL(label);
1572
1573 return (0);
1574}
1575
1576static int
1577mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
1578 struct label *label, int attrnamespace, const char *name, struct uio *uio)
1579{
1580
1581 ASSERT_CRED_LABEL(cred->cr_label);
1582 ASSERT_VNODE_LABEL(label);
1583
1584 return (0);
1585}
1586
1587static int
1588mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
1589 struct label *dlabel, struct vnode *vp, struct label *label,
1590 struct componentname *cnp)
1591{
1592
1593 ASSERT_CRED_LABEL(cred->cr_label);
1594 ASSERT_VNODE_LABEL(dlabel);
1595 ASSERT_VNODE_LABEL(label);
1596
1597 return (0);
1598}
1599
1600static int
1601mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
1602 struct label *label, int attrnamespace)
1603{
1604
1605 ASSERT_CRED_LABEL(cred->cr_label);
1606 ASSERT_VNODE_LABEL(label);
1607
1608 return (0);
1609}
1610
1611static int
1612mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
1613 struct label *dlabel, struct componentname *cnp)
1614{
1615
1616 ASSERT_CRED_LABEL(cred->cr_label);
1617 ASSERT_VNODE_LABEL(dlabel);
1618
1619 return (0);
1620}
1621
1622static int
1623mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
1624 struct label *label, int prot)
1625{
1626
1627 ASSERT_CRED_LABEL(cred->cr_label);
1628 ASSERT_VNODE_LABEL(label);
1629
1630 return (0);
1631}
1632
1633static int
1634mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
1635 struct label *label, int prot)
1636{
1637
1638 ASSERT_CRED_LABEL(cred->cr_label);
1639 ASSERT_VNODE_LABEL(label);
1640
1641 return (0);
1642}
1643
1644static int
1645mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
1646 struct label *filelabel, int acc_mode)
1647{
1648
1649 ASSERT_CRED_LABEL(cred->cr_label);
1650 ASSERT_VNODE_LABEL(filelabel);
1651
1652 return (0);
1653}
1654
1655static int
1656mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
1657 struct vnode *vp, struct label *label)
1658{
1659
1660 ASSERT_CRED_LABEL(active_cred->cr_label);
1661 ASSERT_CRED_LABEL(file_cred->cr_label);
1662 ASSERT_VNODE_LABEL(label);
1663
1664 return (0);
1665}
1666
1667static int
1668mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
1669 struct vnode *vp, struct label *label)
1670{
1671
1672 ASSERT_CRED_LABEL(active_cred->cr_label);
1673 if (file_cred != NULL) {
1674 ASSERT_CRED_LABEL(file_cred->cr_label);
1675 }
1676 ASSERT_VNODE_LABEL(label);
1677
1678 return (0);
1679}
1680
1681static int
1682mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
1683 struct label *dlabel)
1684{
1685
1686 ASSERT_CRED_LABEL(cred->cr_label);
1687 ASSERT_VNODE_LABEL(dlabel);
1688
1689 return (0);
1690}
1691
1692static int
1693mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
1694 struct label *vnodelabel)
1695{
1696
1697 ASSERT_CRED_LABEL(cred->cr_label);
1698 ASSERT_VNODE_LABEL(vnodelabel);
1699
1700 return (0);
1701}
1702
1703static int
1704mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
1705 struct label *vnodelabel, struct label *newlabel)
1706{
1707
1708 ASSERT_CRED_LABEL(cred->cr_label);
1709 ASSERT_VNODE_LABEL(vnodelabel);
1710 ASSERT_VNODE_LABEL(newlabel);
1711
1712 return (0);
1713}
1714
1715static int
1716mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
1717 struct label *dlabel, struct vnode *vp, struct label *label,
1718 struct componentname *cnp)
1719{
1720
1721 ASSERT_CRED_LABEL(cred->cr_label);
1722 ASSERT_VNODE_LABEL(dlabel);
1723 ASSERT_VNODE_LABEL(label);
1724
1725 return (0);
1726}
1727
1728static int
1729mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
1730 struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
1731 struct componentname *cnp)
1732{
1733
1734 ASSERT_CRED_LABEL(cred->cr_label);
1735 ASSERT_VNODE_LABEL(dlabel);
1736
1737 if (vp != NULL) {
1738 ASSERT_VNODE_LABEL(label);
1739 }
1740
1741 return (0);
1742}
1743
1744static int
1745mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
1746 struct label *label)
1747{
1748
1749 ASSERT_CRED_LABEL(cred->cr_label);
1750 ASSERT_VNODE_LABEL(label);
1751
1752 return (0);
1753}
1754
1755static int
1756mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
1757 struct label *label, acl_type_t type, struct acl *acl)
1758{
1759
1760 ASSERT_CRED_LABEL(cred->cr_label);
1761 ASSERT_VNODE_LABEL(label);
1762
1763 return (0);
1764}
1765
1766static int
1767mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
1768 struct label *label, int attrnamespace, const char *name, struct uio *uio)
1769{
1770
1771 ASSERT_CRED_LABEL(cred->cr_label);
1772 ASSERT_VNODE_LABEL(label);
1773
1774 return (0);
1775}
1776
1777static int
1778mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
1779 struct label *label, u_long flags)
1780{
1781
1782 ASSERT_CRED_LABEL(cred->cr_label);
1783 ASSERT_VNODE_LABEL(label);
1784
1785 return (0);
1786}
1787
1788static int
1789mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
1790 struct label *label, mode_t mode)
1791{
1792
1793 ASSERT_CRED_LABEL(cred->cr_label);
1794 ASSERT_VNODE_LABEL(label);
1795
1796 return (0);
1797}
1798
1799static int
1800mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
1801 struct label *label, uid_t uid, gid_t gid)
1802{
1803
1804 ASSERT_CRED_LABEL(cred->cr_label);
1805 ASSERT_VNODE_LABEL(label);
1806
1807 return (0);
1808}
1809
1810static int
1811mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
1812 struct label *label, struct timespec atime, struct timespec mtime)
1813{
1814
1815 ASSERT_CRED_LABEL(cred->cr_label);
1816 ASSERT_VNODE_LABEL(label);
1817
1818 return (0);
1819}
1820
1821static int
1822mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
1823 struct vnode *vp, struct label *label)
1824{
1825
1826 ASSERT_CRED_LABEL(active_cred->cr_label);
1827 if (file_cred != NULL) {
1828 ASSERT_CRED_LABEL(file_cred->cr_label);
1829 }
1830 ASSERT_VNODE_LABEL(label);
1831
1832 return (0);
1833}
1834
1835static int
1836mac_test_check_vnode_write(struct ucred *active_cred,
1837 struct ucred *file_cred, struct vnode *vp, struct label *label)
1838{
1839
1840 ASSERT_CRED_LABEL(active_cred->cr_label);
1841 if (file_cred != NULL) {
1842 ASSERT_CRED_LABEL(file_cred->cr_label);
1843 }
1844 ASSERT_VNODE_LABEL(label);
1845
1846 return (0);
1847}
1848
1849static struct mac_policy_ops mac_test_ops =
1850{
1851 .mpo_destroy = mac_test_destroy,
1852 .mpo_init = mac_test_init,
1853 .mpo_syscall = mac_test_syscall,
1854 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
1855 .mpo_init_cred_label = mac_test_init_cred_label,
1856 .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
1857 .mpo_init_ifnet_label = mac_test_init_ifnet_label,
1858 .mpo_init_inpcb_label = mac_test_init_inpcb_label,
1859 .mpo_init_ipq_label = mac_test_init_ipq_label,
1860 .mpo_init_mbuf_label = mac_test_init_mbuf_label,
1861 .mpo_init_mount_label = mac_test_init_mount_label,
1862 .mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
1863 .mpo_init_pipe_label = mac_test_init_pipe_label,
1864 .mpo_init_proc_label = mac_test_init_proc_label,
1865 .mpo_init_socket_label = mac_test_init_socket_label,
1866 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
1867 .mpo_init_vnode_label = mac_test_init_vnode_label,
1868 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
1869 .mpo_destroy_cred_label = mac_test_destroy_cred_label,
1870 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
1871 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
1872 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
1873 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
1874 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
1875 .mpo_destroy_mount_label = mac_test_destroy_mount_label,
1876 .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
1877 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
1878 .mpo_destroy_proc_label = mac_test_destroy_proc_label,
1879 .mpo_destroy_socket_label = mac_test_destroy_socket_label,
1880 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
1881 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
1882 .mpo_copy_cred_label = mac_test_copy_cred_label,
1883 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
1884 .mpo_copy_pipe_label = mac_test_copy_pipe_label,
1885 .mpo_copy_socket_label = mac_test_copy_socket_label,
1886 .mpo_copy_vnode_label = mac_test_copy_vnode_label,
1887 .mpo_externalize_cred_label = mac_test_externalize_label,
1888 .mpo_externalize_ifnet_label = mac_test_externalize_label,
1889 .mpo_externalize_pipe_label = mac_test_externalize_label,
1890 .mpo_externalize_socket_label = mac_test_externalize_label,
1891 .mpo_externalize_socket_peer_label = mac_test_externalize_label,
1892 .mpo_externalize_vnode_label = mac_test_externalize_label,
1893 .mpo_internalize_cred_label = mac_test_internalize_label,
1894 .mpo_internalize_ifnet_label = mac_test_internalize_label,
1895 .mpo_internalize_pipe_label = mac_test_internalize_label,
1896 .mpo_internalize_socket_label = mac_test_internalize_label,
1897 .mpo_internalize_vnode_label = mac_test_internalize_label,
1898 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
1899 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
1900 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
1901 .mpo_create_devfs_device = mac_test_create_devfs_device,
1902 .mpo_create_devfs_directory = mac_test_create_devfs_directory,
1903 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
1904 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
1905 .mpo_create_mount = mac_test_create_mount,
1906 .mpo_create_root_mount = mac_test_create_root_mount,
1907 .mpo_relabel_vnode = mac_test_relabel_vnode,
1908 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
1909 .mpo_update_devfsdirent = mac_test_update_devfsdirent,
1910 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
1911 .mpo_create_pipe = mac_test_create_pipe,
1912 .mpo_create_socket = mac_test_create_socket,
1913 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
1914 .mpo_relabel_pipe = mac_test_relabel_pipe,
1915 .mpo_relabel_socket = mac_test_relabel_socket,
1916 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
1917 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
1918 .mpo_create_bpfdesc = mac_test_create_bpfdesc,
1919 .mpo_create_ifnet = mac_test_create_ifnet,
1920 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
1921 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
1922 .mpo_create_fragment = mac_test_create_fragment,
1923 .mpo_create_ipq = mac_test_create_ipq,
1924 .mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
1925 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
1926 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
1927 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
1928 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
1929 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
1930 .mpo_fragment_match = mac_test_fragment_match,
1931 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
1932 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
1933 .mpo_relabel_ifnet = mac_test_relabel_ifnet,
1934 .mpo_update_ipq = mac_test_update_ipq,
1935 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
1935 .mpo_create_cred = mac_test_create_cred,
1936 .mpo_execve_transition = mac_test_execve_transition,
1937 .mpo_execve_will_transition = mac_test_execve_will_transition,
1938 .mpo_create_proc0 = mac_test_create_proc0,
1939 .mpo_create_proc1 = mac_test_create_proc1,
1940 .mpo_relabel_cred = mac_test_relabel_cred,
1941 .mpo_thread_userret = mac_test_thread_userret,
1942 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
1943 .mpo_check_cred_relabel = mac_test_check_cred_relabel,
1944 .mpo_check_cred_visible = mac_test_check_cred_visible,
1945 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
1946 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
1947 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
1948 .mpo_check_kenv_dump = mac_test_check_kenv_dump,
1949 .mpo_check_kenv_get = mac_test_check_kenv_get,
1950 .mpo_check_kenv_set = mac_test_check_kenv_set,
1951 .mpo_check_kenv_unset = mac_test_check_kenv_unset,
1952 .mpo_check_kld_load = mac_test_check_kld_load,
1953 .mpo_check_kld_stat = mac_test_check_kld_stat,
1954 .mpo_check_kld_unload = mac_test_check_kld_unload,
1955 .mpo_check_mount_stat = mac_test_check_mount_stat,
1956 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
1957 .mpo_check_pipe_poll = mac_test_check_pipe_poll,
1958 .mpo_check_pipe_read = mac_test_check_pipe_read,
1959 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
1960 .mpo_check_pipe_stat = mac_test_check_pipe_stat,
1961 .mpo_check_pipe_write = mac_test_check_pipe_write,
1962 .mpo_check_proc_debug = mac_test_check_proc_debug,
1963 .mpo_check_proc_sched = mac_test_check_proc_sched,
1964 .mpo_check_proc_signal = mac_test_check_proc_signal,
1965 .mpo_check_socket_bind = mac_test_check_socket_bind,
1966 .mpo_check_socket_connect = mac_test_check_socket_connect,
1967 .mpo_check_socket_deliver = mac_test_check_socket_deliver,
1968 .mpo_check_socket_listen = mac_test_check_socket_listen,
1969 .mpo_check_socket_relabel = mac_test_check_socket_relabel,
1970 .mpo_check_socket_visible = mac_test_check_socket_visible,
1971 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
1972 .mpo_check_system_acct = mac_test_check_system_acct,
1973 .mpo_check_system_reboot = mac_test_check_system_reboot,
1974 .mpo_check_system_settime = mac_test_check_system_settime,
1975 .mpo_check_system_swapon = mac_test_check_system_swapon,
1976 .mpo_check_system_swapoff = mac_test_check_system_swapoff,
1977 .mpo_check_system_sysctl = mac_test_check_system_sysctl,
1978 .mpo_check_vnode_access = mac_test_check_vnode_access,
1979 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
1980 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
1981 .mpo_check_vnode_create = mac_test_check_vnode_create,
1982 .mpo_check_vnode_delete = mac_test_check_vnode_delete,
1983 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
1984 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
1985 .mpo_check_vnode_exec = mac_test_check_vnode_exec,
1986 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
1987 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
1988 .mpo_check_vnode_link = mac_test_check_vnode_link,
1989 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
1990 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
1991 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
1992 .mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect,
1993 .mpo_check_vnode_open = mac_test_check_vnode_open,
1994 .mpo_check_vnode_poll = mac_test_check_vnode_poll,
1995 .mpo_check_vnode_read = mac_test_check_vnode_read,
1996 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
1997 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
1998 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
1999 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
2000 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
2001 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
2002 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
2003 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
2004 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
2005 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
2006 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
2007 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
2008 .mpo_check_vnode_stat = mac_test_check_vnode_stat,
2009 .mpo_check_vnode_write = mac_test_check_vnode_write,
2010};
2011
2012MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
2013 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);