sdiff udiff text old ( 166531 ) new ( 166533 )
1/*-
2 * Copyright (c) 1999-2002 Robert N. M. Watson
3 * Copyright (c) 2001-2005 McAfee, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by McAfee
9 * Research, the Security Research Division of McAfee, Inc. under
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11 * CHATS research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $FreeBSD: head/sys/security/mac_test/mac_test.c 166531 2007-02-06 10:59:23Z rwatson $
35 */
36
37/*
38 * Developed by the TrustedBSD Project.
39 * Generic mandatory access module that does nothing.
40 */
41
42#include <sys/types.h>
43#include <sys/param.h>
44#include <sys/acl.h>
45#include <sys/conf.h>
46#include <sys/kdb.h>
47#include <sys/extattr.h>
48#include <sys/kernel.h>
49#include <sys/ksem.h>
50#include <sys/malloc.h>
51#include <sys/mount.h>
52#include <sys/proc.h>
53#include <sys/systm.h>
54#include <sys/sysproto.h>
55#include <sys/sysent.h>
56#include <sys/vnode.h>
57#include <sys/file.h>
58#include <sys/socket.h>
59#include <sys/socketvar.h>
60#include <sys/sx.h>
61#include <sys/sysctl.h>
62#include <sys/msg.h>
63#include <sys/sem.h>
64#include <sys/shm.h>
65
66#include <fs/devfs/devfs.h>
67
68#include <net/bpfdesc.h>
69#include <net/if.h>
70#include <net/if_types.h>
71#include <net/if_var.h>
72
73#include <vm/vm.h>
74
75#include <security/mac/mac_policy.h>
76
77SYSCTL_DECL(_security_mac);
78
79SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
80 "TrustedBSD mac_test policy controls");
81
82static int mac_test_enabled = 1;
83SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
84 &mac_test_enabled, 0, "Enforce test policy");
85
86#define BPFMAGIC 0xfe1ad1b6
87#define DEVFSMAGIC 0x9ee79c32
88#define IFNETMAGIC 0xc218b120
89#define INPCBMAGIC 0x4440f7bb
90#define IPQMAGIC 0x206188ef
91#define MBUFMAGIC 0xbbefa5bb
92#define MOUNTMAGIC 0xc7c46e47
93#define SOCKETMAGIC 0x9199c6cd
94#define SYSVIPCMSQMAGIC 0xea672391
95#define SYSVIPCMSGMAGIC 0x8bbba61e
96#define SYSVIPCSEMMAGIC 0x896e8a0b
97#define SYSVIPCSHMMAGIC 0x76119ab0
98#define PIPEMAGIC 0xdc6c9919
99#define POSIXSEMMAGIC 0x78ae980c
100#define PROCMAGIC 0x3b4be98f
101#define CREDMAGIC 0x9a5a4987
102#define VNODEMAGIC 0x1a67a45c
103#define EXMAGIC 0x849ba1fd
104
105#define SLOT(x) LABEL_TO_SLOT((x), test_slot).l_long
106
107#define ASSERT_BPF_LABEL(x) KASSERT(SLOT(x) == BPFMAGIC || \
108 SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
109#define ASSERT_DEVFS_LABEL(x) KASSERT(SLOT(x) == DEVFSMAGIC || \
110 SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
111#define ASSERT_IFNET_LABEL(x) KASSERT(SLOT(x) == IFNETMAGIC || \
112 SLOT(x) == 0, ("%s: Bad IFNET label", __func__ ))
113#define ASSERT_INPCB_LABEL(x) KASSERT(SLOT(x) == INPCBMAGIC || \
114 SLOT(x) == 0, ("%s: Bad INPCB label", __func__ ))
115#define ASSERT_IPQ_LABEL(x) KASSERT(SLOT(x) == IPQMAGIC || \
116 SLOT(x) == 0, ("%s: Bad IPQ label", __func__ ))
117#define ASSERT_MBUF_LABEL(x) KASSERT(x == NULL || \
118 SLOT(x) == MBUFMAGIC || SLOT(x) == 0, \
119 ("%s: Bad MBUF label", __func__ ))
120#define ASSERT_MOUNT_LABEL(x) KASSERT(SLOT(x) == MOUNTMAGIC || \
121 SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ ))
122#define ASSERT_SOCKET_LABEL(x) KASSERT(SLOT(x) == SOCKETMAGIC || \
123 SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ ))
124#define ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC || \
125 SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__ ))
126#define ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC || \
127 SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__ ))
128#define ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC || \
129 SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__ ))
130#define ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC || \
131 SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__ ))
132#define ASSERT_PIPE_LABEL(x) KASSERT(SLOT(x) == PIPEMAGIC || \
133 SLOT(x) == 0, ("%s: Bad PIPE label", __func__ ))
134#define ASSERT_POSIX_LABEL(x) KASSERT(SLOT(x) == POSIXSEMMAGIC || \
135 SLOT(x) == 0, ("%s: Bad POSIX ksem label", __func__ ))
136#define ASSERT_PROC_LABEL(x) KASSERT(SLOT(x) == PROCMAGIC || \
137 SLOT(x) == 0, ("%s: Bad PROC label", __func__ ))
138#define ASSERT_CRED_LABEL(x) KASSERT(SLOT(x) == CREDMAGIC || \
139 SLOT(x) == 0, ("%s: Bad CRED label", __func__ ))
140#define ASSERT_VNODE_LABEL(x) KASSERT(SLOT(x) == VNODEMAGIC || \
141 SLOT(x) == 0, ("%s: Bad VNODE label", __func__ ))
142
143static int test_slot;
144SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
145 &test_slot, 0, "Slot allocated by framework");
146
147static int init_count_bpfdesc;
148SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
149 &init_count_bpfdesc, 0, "bpfdesc init calls");
150static int init_count_cred;
151SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
152 &init_count_cred, 0, "cred init calls");
153static int init_count_devfsdirent;
154SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
155 &init_count_devfsdirent, 0, "devfsdirent init calls");
156static int init_count_ifnet;
157SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
158 &init_count_ifnet, 0, "ifnet init calls");
159static int init_count_inpcb;
160SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
161 &init_count_inpcb, 0, "inpcb init calls");
162static int init_count_sysv_msg;
163SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD,
164 &init_count_sysv_msg, 0, "ipc_msg init calls");
165static int init_count_sysv_msq;
166SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD,
167 &init_count_sysv_msq, 0, "ipc_msq init calls");
168static int init_count_sysv_sem;
169SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sem, CTLFLAG_RD,
170 &init_count_sysv_sem, 0, "ipc_sema init calls");
171static int init_count_sysv_shm;
172SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD,
173 &init_count_sysv_shm, 0, "ipc_shm init calls");
174static int init_count_ipq;
175SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
176 &init_count_ipq, 0, "ipq init calls");
177static int init_count_mbuf;
178SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
179 &init_count_mbuf, 0, "mbuf init calls");
180static int init_count_mount;
181SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
182 &init_count_mount, 0, "mount init calls");
183static int init_count_mount_fslabel;
184SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
185 &init_count_mount_fslabel, 0, "mount_fslabel init calls");
186static int init_count_socket;
187SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
188 &init_count_socket, 0, "socket init calls");
189static int init_count_socket_peerlabel;
190SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
191 CTLFLAG_RD, &init_count_socket_peerlabel, 0,
192 "socket_peerlabel init calls");
193static int init_count_pipe;
194SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
195 &init_count_pipe, 0, "pipe init calls");
196static int init_count_posixsems;
197SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_posixsems, CTLFLAG_RD,
198 &init_count_posixsems, 0, "posix sems init calls");
199static int init_count_proc;
200SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
201 &init_count_proc, 0, "proc init calls");
202static int init_count_vnode;
203SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
204 &init_count_vnode, 0, "vnode init calls");
205
206static int destroy_count_bpfdesc;
207SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
208 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
209static int destroy_count_cred;
210SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
211 &destroy_count_cred, 0, "cred destroy calls");
212static int destroy_count_devfsdirent;
213SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
214 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
215static int destroy_count_ifnet;
216SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
217 &destroy_count_ifnet, 0, "ifnet destroy calls");
218static int destroy_count_inpcb;
219SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
220 &destroy_count_inpcb, 0, "inpcb destroy calls");
221static int destroy_count_sysv_msg;
222SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD,
223 &destroy_count_sysv_msg, 0, "ipc_msg destroy calls");
224static int destroy_count_sysv_msq;
225SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD,
226 &destroy_count_sysv_msq, 0, "ipc_msq destroy calls");
227static int destroy_count_sysv_sem;
228SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sem, CTLFLAG_RD,
229 &destroy_count_sysv_sem, 0, "ipc_sema destroy calls");
230static int destroy_count_sysv_shm;
231SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD,
232 &destroy_count_sysv_shm, 0, "ipc_shm destroy calls");
233static int destroy_count_ipq;
234SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
235 &destroy_count_ipq, 0, "ipq destroy calls");
236static int destroy_count_mbuf;
237SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
238 &destroy_count_mbuf, 0, "mbuf destroy calls");
239static int destroy_count_mount;
240SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
241 &destroy_count_mount, 0, "mount destroy calls");
242static int destroy_count_mount_fslabel;
243SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
244 CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
245 "mount_fslabel destroy calls");
246static int destroy_count_socket;
247SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
248 &destroy_count_socket, 0, "socket destroy calls");
249static int destroy_count_socket_peerlabel;
250SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
251 CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
252 "socket_peerlabel destroy calls");
253static int destroy_count_pipe;
254SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
255 &destroy_count_pipe, 0, "pipe destroy calls");
256static int destroy_count_posixsems;
257SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_posixsems, CTLFLAG_RD,
258 &destroy_count_posixsems, 0, "posix sems destroy calls");
259static int destroy_count_proc;
260SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
261 &destroy_count_proc, 0, "proc destroy calls");
262static int destroy_count_vnode;
263SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
264 &destroy_count_vnode, 0, "vnode destroy calls");
265
266static int externalize_count;
267SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
268 &externalize_count, 0, "Subject/object externalize calls");
269static int internalize_count;
270SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
271 &internalize_count, 0, "Subject/object internalize calls");
272
273#ifdef KDB
274#define DEBUGGER(x) kdb_enter(x)
275#else
276#define DEBUGGER(x) printf("mac_test: %s\n", (x))
277#endif
278
279/*
280 * Policy module operations.
281 */
282static void
283mac_test_destroy(struct mac_policy_conf *conf)
284{
285
286}
287
288static void
289mac_test_init(struct mac_policy_conf *conf)
290{
291
292}
293
294static int
295mac_test_syscall(struct thread *td, int call, void *arg)
296{
297
298 return (0);
299}
300
301/*
302 * Label operations.
303 */
304static void
305mac_test_init_bpfdesc_label(struct label *label)
306{
307
308 SLOT(label) = BPFMAGIC;
309 atomic_add_int(&init_count_bpfdesc, 1);
310}
311
312static void
313mac_test_init_cred_label(struct label *label)
314{
315
316 SLOT(label) = CREDMAGIC;
317 atomic_add_int(&init_count_cred, 1);
318}
319
320static void
321mac_test_init_devfsdirent_label(struct label *label)
322{
323
324 SLOT(label) = DEVFSMAGIC;
325 atomic_add_int(&init_count_devfsdirent, 1);
326}
327
328static void
329mac_test_init_ifnet_label(struct label *label)
330{
331
332 SLOT(label) = IFNETMAGIC;
333 atomic_add_int(&init_count_ifnet, 1);
334}
335
336static int
337mac_test_init_inpcb_label(struct label *label, int flag)
338{
339
340 if (flag & M_WAITOK)
341 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
342 "mac_test_init_inpcb_label() at %s:%d", __FILE__,
343 __LINE__);
344
345 SLOT(label) = INPCBMAGIC;
346 atomic_add_int(&init_count_inpcb, 1);
347 return (0);
348}
349
350static void
351mac_test_init_sysv_msgmsg_label(struct label *label)
352{
353 SLOT(label) = SYSVIPCMSGMAGIC;
354 atomic_add_int(&init_count_sysv_msg, 1);
355}
356
357static void
358mac_test_init_sysv_msgqueue_label(struct label *label)
359{
360 SLOT(label) = SYSVIPCMSQMAGIC;
361 atomic_add_int(&init_count_sysv_msq, 1);
362}
363
364static void
365mac_test_init_sysv_sem_label(struct label *label)
366{
367 SLOT(label) = SYSVIPCSEMMAGIC;
368 atomic_add_int(&init_count_sysv_sem, 1);
369}
370
371static void
372mac_test_init_sysv_shm_label(struct label *label)
373{
374 SLOT(label) = SYSVIPCSHMMAGIC;
375 atomic_add_int(&init_count_sysv_shm, 1);
376}
377
378static int
379mac_test_init_ipq_label(struct label *label, int flag)
380{
381
382 if (flag & M_WAITOK)
383 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
384 "mac_test_init_ipq_label() at %s:%d", __FILE__,
385 __LINE__);
386
387 SLOT(label) = IPQMAGIC;
388 atomic_add_int(&init_count_ipq, 1);
389 return (0);
390}
391
392static int
393mac_test_init_mbuf_label(struct label *label, int flag)
394{
395
396 if (flag & M_WAITOK)
397 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
398 "mac_test_init_mbuf_label() at %s:%d", __FILE__,
399 __LINE__);
400
401 SLOT(label) = MBUFMAGIC;
402 atomic_add_int(&init_count_mbuf, 1);
403 return (0);
404}
405
406static void
407mac_test_init_mount_label(struct label *label)
408{
409
410 SLOT(label) = MOUNTMAGIC;
411 atomic_add_int(&init_count_mount, 1);
412}
413
414static void
415mac_test_init_mount_fs_label(struct label *label)
416{
417
418 SLOT(label) = MOUNTMAGIC;
419 atomic_add_int(&init_count_mount_fslabel, 1);
420}
421
422static int
423mac_test_init_socket_label(struct label *label, int flag)
424{
425
426 if (flag & M_WAITOK)
427 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
428 "mac_test_init_socket_label() at %s:%d", __FILE__,
429 __LINE__);
430
431 SLOT(label) = SOCKETMAGIC;
432 atomic_add_int(&init_count_socket, 1);
433 return (0);
434}
435
436static int
437mac_test_init_socket_peer_label(struct label *label, int flag)
438{
439
440 if (flag & M_WAITOK)
441 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
442 "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
443 __LINE__);
444
445 SLOT(label) = SOCKETMAGIC;
446 atomic_add_int(&init_count_socket_peerlabel, 1);
447 return (0);
448}
449
450static void
451mac_test_init_pipe_label(struct label *label)
452{
453
454 SLOT(label) = PIPEMAGIC;
455 atomic_add_int(&init_count_pipe, 1);
456}
457
458static void
459mac_test_init_posix_sem_label(struct label *label)
460{
461
462 SLOT(label) = POSIXSEMMAGIC;
463 atomic_add_int(&init_count_posixsems, 1);
464}
465
466static void
467mac_test_init_proc_label(struct label *label)
468{
469
470 SLOT(label) = PROCMAGIC;
471 atomic_add_int(&init_count_proc, 1);
472}
473
474static void
475mac_test_init_vnode_label(struct label *label)
476{
477
478 SLOT(label) = VNODEMAGIC;
479 atomic_add_int(&init_count_vnode, 1);
480}
481
482static void
483mac_test_destroy_bpfdesc_label(struct label *label)
484{
485
486 if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
487 atomic_add_int(&destroy_count_bpfdesc, 1);
488 SLOT(label) = EXMAGIC;
489 } else if (SLOT(label) == EXMAGIC) {
490 DEBUGGER("mac_test_destroy_bpfdesc: dup destroy");
491 } else {
492 DEBUGGER("mac_test_destroy_bpfdesc: corrupted label");
493 }
494}
495
496static void
497mac_test_destroy_cred_label(struct label *label)
498{
499
500 if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
501 atomic_add_int(&destroy_count_cred, 1);
502 SLOT(label) = EXMAGIC;
503 } else if (SLOT(label) == EXMAGIC) {
504 DEBUGGER("mac_test_destroy_cred: dup destroy");
505 } else {
506 DEBUGGER("mac_test_destroy_cred: corrupted label");
507 }
508}
509
510static void
511mac_test_destroy_devfsdirent_label(struct label *label)
512{
513
514 if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
515 atomic_add_int(&destroy_count_devfsdirent, 1);
516 SLOT(label) = EXMAGIC;
517 } else if (SLOT(label) == EXMAGIC) {
518 DEBUGGER("mac_test_destroy_devfsdirent: dup destroy");
519 } else {
520 DEBUGGER("mac_test_destroy_devfsdirent: corrupted label");
521 }
522}
523
524static void
525mac_test_destroy_ifnet_label(struct label *label)
526{
527
528 if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
529 atomic_add_int(&destroy_count_ifnet, 1);
530 SLOT(label) = EXMAGIC;
531 } else if (SLOT(label) == EXMAGIC) {
532 DEBUGGER("mac_test_destroy_ifnet: dup destroy");
533 } else {
534 DEBUGGER("mac_test_destroy_ifnet: corrupted label");
535 }
536}
537
538static void
539mac_test_destroy_inpcb_label(struct label *label)
540{
541
542 if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) {
543 atomic_add_int(&destroy_count_inpcb, 1);
544 SLOT(label) = EXMAGIC;
545 } else if (SLOT(label) == EXMAGIC) {
546 DEBUGGER("mac_test_destroy_inpcb: dup destroy");
547 } else {
548 DEBUGGER("mac_test_destroy_inpcb: corrupted label");
549 }
550}
551
552static void
553mac_test_destroy_sysv_msgmsg_label(struct label *label)
554{
555
556 if (SLOT(label) == SYSVIPCMSGMAGIC || SLOT(label) == 0) {
557 atomic_add_int(&destroy_count_sysv_msg, 1);
558 SLOT(label) = EXMAGIC;
559 } else if (SLOT(label) == EXMAGIC) {
560 DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy");
561 } else {
562 DEBUGGER(
563 "mac_test_destroy_sysv_msgmsg_label: corrupted label");
564 }
565}
566
567static void
568mac_test_destroy_sysv_msgqueue_label(struct label *label)
569{
570
571 if (SLOT(label) == SYSVIPCMSQMAGIC || SLOT(label) == 0) {
572 atomic_add_int(&destroy_count_sysv_msq, 1);
573 SLOT(label) = EXMAGIC;
574 } else if (SLOT(label) == EXMAGIC) {
575 DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy");
576 } else {
577 DEBUGGER(
578 "mac_test_destroy_sysv_msgqueue_label: corrupted label");
579 }
580}
581
582static void
583mac_test_destroy_sysv_sem_label(struct label *label)
584{
585
586 if (SLOT(label) == SYSVIPCSEMMAGIC || SLOT(label) == 0) {
587 atomic_add_int(&destroy_count_sysv_sem, 1);
588 SLOT(label) = EXMAGIC;
589 } else if (SLOT(label) == EXMAGIC) {
590 DEBUGGER("mac_test_destroy_sysv_sem_label: dup destroy");
591 } else {
592 DEBUGGER("mac_test_destroy_sysv_sem_label: corrupted label");
593 }
594}
595
596static void
597mac_test_destroy_sysv_shm_label(struct label *label)
598{
599
600 if (SLOT(label) == SYSVIPCSHMMAGIC || SLOT(label) == 0) {
601 atomic_add_int(&destroy_count_sysv_shm, 1);
602 SLOT(label) = EXMAGIC;
603 } else if (SLOT(label) == EXMAGIC) {
604 DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy");
605 } else {
606 DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label");
607 }
608}
609
610static void
611mac_test_destroy_ipq_label(struct label *label)
612{
613
614 if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
615 atomic_add_int(&destroy_count_ipq, 1);
616 SLOT(label) = EXMAGIC;
617 } else if (SLOT(label) == EXMAGIC) {
618 DEBUGGER("mac_test_destroy_ipq: dup destroy");
619 } else {
620 DEBUGGER("mac_test_destroy_ipq: corrupted label");
621 }
622}
623
624static void
625mac_test_destroy_mbuf_label(struct label *label)
626{
627
628 /*
629 * If we're loaded dynamically, there may be mbufs in flight that
630 * didn't have label storage allocated for them. Handle this
631 * gracefully.
632 */
633 if (label == NULL)
634 return;
635
636 if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
637 atomic_add_int(&destroy_count_mbuf, 1);
638 SLOT(label) = EXMAGIC;
639 } else if (SLOT(label) == EXMAGIC) {
640 DEBUGGER("mac_test_destroy_mbuf: dup destroy");
641 } else {
642 DEBUGGER("mac_test_destroy_mbuf: corrupted label");
643 }
644}
645
646static void
647mac_test_destroy_mount_label(struct label *label)
648{
649
650 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
651 atomic_add_int(&destroy_count_mount, 1);
652 SLOT(label) = EXMAGIC;
653 } else if (SLOT(label) == EXMAGIC) {
654 DEBUGGER("mac_test_destroy_mount: dup destroy");
655 } else {
656 DEBUGGER("mac_test_destroy_mount: corrupted label");
657 }
658}
659
660static void
661mac_test_destroy_mount_fs_label(struct label *label)
662{
663
664 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
665 atomic_add_int(&destroy_count_mount_fslabel, 1);
666 SLOT(label) = EXMAGIC;
667 } else if (SLOT(label) == EXMAGIC) {
668 DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy");
669 } else {
670 DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label");
671 }
672}
673
674static void
675mac_test_destroy_socket_label(struct label *label)
676{
677
678 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
679 atomic_add_int(&destroy_count_socket, 1);
680 SLOT(label) = EXMAGIC;
681 } else if (SLOT(label) == EXMAGIC) {
682 DEBUGGER("mac_test_destroy_socket: dup destroy");
683 } else {
684 DEBUGGER("mac_test_destroy_socket: corrupted label");
685 }
686}
687
688static void
689mac_test_destroy_socket_peer_label(struct label *label)
690{
691
692 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
693 atomic_add_int(&destroy_count_socket_peerlabel, 1);
694 SLOT(label) = EXMAGIC;
695 } else if (SLOT(label) == EXMAGIC) {
696 DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy");
697 } else {
698 DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label");
699 }
700}
701
702static void
703mac_test_destroy_pipe_label(struct label *label)
704{
705
706 if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) {
707 atomic_add_int(&destroy_count_pipe, 1);
708 SLOT(label) = EXMAGIC;
709 } else if (SLOT(label) == EXMAGIC) {
710 DEBUGGER("mac_test_destroy_pipe: dup destroy");
711 } else {
712 DEBUGGER("mac_test_destroy_pipe: corrupted label");
713 }
714}
715
716static void
717mac_test_destroy_posix_sem_label(struct label *label)
718{
719
720 if ((SLOT(label) == POSIXSEMMAGIC || SLOT(label) == 0)) {
721 atomic_add_int(&destroy_count_posixsems, 1);
722 SLOT(label) = EXMAGIC;
723 } else if (SLOT(label) == EXMAGIC) {
724 DEBUGGER("mac_test_destroy_posix_sem: dup destroy");
725 } else {
726 DEBUGGER("mac_test_destroy_posix_sem: corrupted label");
727 }
728}
729
730static void
731mac_test_destroy_proc_label(struct label *label)
732{
733
734 if ((SLOT(label) == PROCMAGIC || SLOT(label) == 0)) {
735 atomic_add_int(&destroy_count_proc, 1);
736 SLOT(label) = EXMAGIC;
737 } else if (SLOT(label) == EXMAGIC) {
738 DEBUGGER("mac_test_destroy_proc: dup destroy");
739 } else {
740 DEBUGGER("mac_test_destroy_proc: corrupted label");
741 }
742}
743
744static void
745mac_test_destroy_vnode_label(struct label *label)
746{
747
748 if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
749 atomic_add_int(&destroy_count_vnode, 1);
750 SLOT(label) = EXMAGIC;
751 } else if (SLOT(label) == EXMAGIC) {
752 DEBUGGER("mac_test_destroy_vnode: dup destroy");
753 } else {
754 DEBUGGER("mac_test_destroy_vnode: corrupted label");
755 }
756}
757
758static void
759mac_test_copy_cred_label(struct label *src, struct label *dest)
760{
761
762 ASSERT_CRED_LABEL(src);
763 ASSERT_CRED_LABEL(dest);
764}
765
766static void
767mac_test_copy_ifnet_label(struct label *src, struct label *dest)
768{
769
770 ASSERT_IFNET_LABEL(src);
771 ASSERT_IFNET_LABEL(dest);
772}
773
774static void
775mac_test_copy_mbuf_label(struct label *src, struct label *dest)
776{
777
778 ASSERT_MBUF_LABEL(src);
779 ASSERT_MBUF_LABEL(dest);
780}
781
782static void
783mac_test_copy_pipe_label(struct label *src, struct label *dest)
784{
785
786 ASSERT_PIPE_LABEL(src);
787 ASSERT_PIPE_LABEL(dest);
788}
789
790static void
791mac_test_copy_socket_label(struct label *src, struct label *dest)
792{
793
794 ASSERT_SOCKET_LABEL(src);
795 ASSERT_SOCKET_LABEL(dest);
796}
797
798static void
799mac_test_copy_vnode_label(struct label *src, struct label *dest)
800{
801
802 ASSERT_VNODE_LABEL(src);
803 ASSERT_VNODE_LABEL(dest);
804}
805
806static int
807mac_test_externalize_label(struct label *label, char *element_name,
808 struct sbuf *sb, int *claimed)
809{
810
811 atomic_add_int(&externalize_count, 1);
812
813 KASSERT(SLOT(label) != EXMAGIC,
814 ("mac_test_externalize_label: destroyed label"));
815
816 return (0);
817}
818
819static int
820mac_test_internalize_label(struct label *label, char *element_name,
821 char *element_data, int *claimed)
822{
823
824 atomic_add_int(&internalize_count, 1);
825
826 KASSERT(SLOT(label) != EXMAGIC,
827 ("mac_test_internalize_label: destroyed label"));
828
829 return (0);
830}
831
832/*
833 * Labeling event operations: file system objects, and things that look
834 * a lot like file system objects.
835 */
836static void
837mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
838 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
839 struct label *vlabel)
840{
841
842 ASSERT_MOUNT_LABEL(fslabel);
843 ASSERT_DEVFS_LABEL(delabel);
844 ASSERT_VNODE_LABEL(vlabel);
845}
846
847static int
848mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
849 struct vnode *vp, struct label *vlabel)
850{
851
852 ASSERT_MOUNT_LABEL(fslabel);
853 ASSERT_VNODE_LABEL(vlabel);
854 return (0);
855}
856
857static void
858mac_test_associate_vnode_singlelabel(struct mount *mp,
859 struct label *fslabel, struct vnode *vp, struct label *vlabel)
860{
861
862 ASSERT_MOUNT_LABEL(fslabel);
863 ASSERT_VNODE_LABEL(vlabel);
864}
865
866static void
867mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
868 struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
869{
870
871 if (cred != NULL) {
872 ASSERT_CRED_LABEL(cred->cr_label);
873 }
874 ASSERT_DEVFS_LABEL(label);
875}
876
877static void
878mac_test_create_devfs_directory(struct mount *mp, char *dirname,
879 int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
880{
881
882 ASSERT_DEVFS_LABEL(label);
883}
884
885static void
886mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
887 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
888 struct label *delabel)
889{
890
891 ASSERT_CRED_LABEL(cred->cr_label);
892 ASSERT_DEVFS_LABEL(ddlabel);
893 ASSERT_DEVFS_LABEL(delabel);
894}
895
896static int
897mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
898 struct label *fslabel, struct vnode *dvp, struct label *dlabel,
899 struct vnode *vp, struct label *vlabel, struct componentname *cnp)
900{
901
902 ASSERT_CRED_LABEL(cred->cr_label);
903 ASSERT_MOUNT_LABEL(fslabel);
904 ASSERT_VNODE_LABEL(dlabel);
905
906 return (0);
907}
908
909static void
910mac_test_create_mount(struct ucred *cred, struct mount *mp,
911 struct label *mntlabel, struct label *fslabel)
912{
913
914 ASSERT_CRED_LABEL(cred->cr_label);
915 ASSERT_MOUNT_LABEL(mntlabel);
916 ASSERT_MOUNT_LABEL(fslabel);
917}
918
919static void
920mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
921 struct label *vnodelabel, struct label *label)
922{
923
924 ASSERT_CRED_LABEL(cred->cr_label);
925 ASSERT_VNODE_LABEL(vnodelabel);
926 ASSERT_VNODE_LABEL(label);
927}
928
929static int
930mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
931 struct label *vlabel, struct label *intlabel)
932{
933
934 ASSERT_CRED_LABEL(cred->cr_label);
935 ASSERT_VNODE_LABEL(vlabel);
936 ASSERT_VNODE_LABEL(intlabel);
937 return (0);
938}
939
940static void
941mac_test_update_devfsdirent(struct mount *mp,
942 struct devfs_dirent *devfs_dirent, struct label *direntlabel,
943 struct vnode *vp, struct label *vnodelabel)
944{
945
946 ASSERT_DEVFS_LABEL(direntlabel);
947 ASSERT_VNODE_LABEL(vnodelabel);
948}
949
950/*
951 * Labeling event operations: IPC object.
952 */
953static void
954mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
955 struct mbuf *m, struct label *mbuflabel)
956{
957
958 ASSERT_SOCKET_LABEL(socketlabel);
959 ASSERT_MBUF_LABEL(mbuflabel);
960}
961
962static void
963mac_test_create_socket(struct ucred *cred, struct socket *socket,
964 struct label *socketlabel)
965{
966
967 ASSERT_CRED_LABEL(cred->cr_label);
968 ASSERT_SOCKET_LABEL(socketlabel);
969}
970
971static void
972mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
973 struct label *pipelabel)
974{
975
976 ASSERT_CRED_LABEL(cred->cr_label);
977 ASSERT_PIPE_LABEL(pipelabel);
978}
979
980static void
981mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem,
982 struct label *posixlabel)
983{
984
985 ASSERT_CRED_LABEL(cred->cr_label);
986 ASSERT_POSIX_LABEL(posixlabel);
987}
988
989static void
990mac_test_create_socket_from_socket(struct socket *oldsocket,
991 struct label *oldsocketlabel, struct socket *newsocket,
992 struct label *newsocketlabel)
993{
994
995 ASSERT_SOCKET_LABEL(oldsocketlabel);
996 ASSERT_SOCKET_LABEL(newsocketlabel);
997}
998
999static void
1000mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
1001 struct label *socketlabel, struct label *newlabel)
1002{
1003
1004 ASSERT_CRED_LABEL(cred->cr_label);
1005 ASSERT_SOCKET_LABEL(newlabel);
1006}
1007
1008static void
1009mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
1010 struct label *pipelabel, struct label *newlabel)
1011{
1012
1013 ASSERT_CRED_LABEL(cred->cr_label);
1014 ASSERT_PIPE_LABEL(pipelabel);
1015 ASSERT_PIPE_LABEL(newlabel);
1016}
1017
1018static void
1019mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
1020 struct socket *socket, struct label *socketpeerlabel)
1021{
1022
1023 ASSERT_MBUF_LABEL(mbuflabel);
1024 ASSERT_SOCKET_LABEL(socketpeerlabel);
1025}
1026
1027/*
1028 * Labeling event operations: network objects.
1029 */
1030static void
1031mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
1032 struct label *oldsocketlabel, struct socket *newsocket,
1033 struct label *newsocketpeerlabel)
1034{
1035
1036 ASSERT_SOCKET_LABEL(oldsocketlabel);
1037 ASSERT_SOCKET_LABEL(newsocketpeerlabel);
1038}
1039
1040static void
1041mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
1042 struct label *bpflabel)
1043{
1044
1045 ASSERT_CRED_LABEL(cred->cr_label);
1046 ASSERT_BPF_LABEL(bpflabel);
1047}
1048
1049static void
1050mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
1051 struct mbuf *datagram, struct label *datagramlabel)
1052{
1053
1054 ASSERT_IPQ_LABEL(ipqlabel);
1055 ASSERT_MBUF_LABEL(datagramlabel);
1056}
1057
1058static void
1059mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
1060 struct mbuf *fragment, struct label *fragmentlabel)
1061{
1062
1063 ASSERT_MBUF_LABEL(datagramlabel);
1064 ASSERT_MBUF_LABEL(fragmentlabel);
1065}
1066
1067static void
1068mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
1069{
1070
1071 ASSERT_IFNET_LABEL(ifnetlabel);
1072}
1073
1074static void
1075mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
1076 struct inpcb *inp, struct label *inplabel)
1077{
1078
1079 ASSERT_SOCKET_LABEL(solabel);
1080 ASSERT_INPCB_LABEL(inplabel);
1081}
1082
1083static void
1084mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
1085 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
1086{
1087
1088 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1089 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
1090}
1091
1092static void
1093mac_test_create_sysv_msgqueue(struct ucred *cred,
1094 struct msqid_kernel *msqkptr, struct label *msqlabel)
1095{
1096
1097 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
1098}
1099
1100static void
1101mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
1102 struct label *semalabel)
1103{
1104
1105 ASSERT_SYSVIPCSEM_LABEL(semalabel);
1106}
1107
1108static void
1109mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
1110 struct label *shmlabel)
1111{
1112
1113 ASSERT_SYSVIPCSHM_LABEL(shmlabel);
1114}
1115
1116static void
1117mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1118 struct ipq *ipq, struct label *ipqlabel)
1119{
1120
1121 ASSERT_MBUF_LABEL(fragmentlabel);
1122 ASSERT_IPQ_LABEL(ipqlabel);
1123}
1124
1125static void
1126mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
1127 struct mbuf *m, struct label *mlabel)
1128{
1129
1130 ASSERT_INPCB_LABEL(inplabel);
1131 ASSERT_MBUF_LABEL(mlabel);
1132}
1133
1134static void
1135mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
1136 struct mbuf *mbuf, struct label *mbuflabel)
1137{
1138
1139 ASSERT_IFNET_LABEL(ifnetlabel);
1140 ASSERT_MBUF_LABEL(mbuflabel);
1141}
1142
1143static void
1144mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
1145 struct mbuf *mbuf, struct label *mbuflabel)
1146{
1147
1148 ASSERT_BPF_LABEL(bpflabel);
1149 ASSERT_MBUF_LABEL(mbuflabel);
1150}
1151
1152static void
1153mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
1154 struct mbuf *m, struct label *mbuflabel)
1155{
1156
1157 ASSERT_IFNET_LABEL(ifnetlabel);
1158 ASSERT_MBUF_LABEL(mbuflabel);
1159}
1160
1161static void
1162mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
1163 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
1164 struct mbuf *newmbuf, struct label *newmbuflabel)
1165{
1166
1167 ASSERT_MBUF_LABEL(oldmbuflabel);
1168 ASSERT_IFNET_LABEL(ifnetlabel);
1169 ASSERT_MBUF_LABEL(newmbuflabel);
1170}
1171
1172static void
1173mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
1174 struct label *oldmbuflabel, struct mbuf *newmbuf,
1175 struct label *newmbuflabel)
1176{
1177
1178 ASSERT_MBUF_LABEL(oldmbuflabel);
1179 ASSERT_MBUF_LABEL(newmbuflabel);
1180}
1181
1182static int
1183mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
1184 struct ipq *ipq, struct label *ipqlabel)
1185{
1186
1187 ASSERT_MBUF_LABEL(fragmentlabel);
1188 ASSERT_IPQ_LABEL(ipqlabel);
1189
1190 return (1);
1191}
1192
1193static void
1194mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
1195{
1196
1197 ASSERT_MBUF_LABEL(mlabel);
1198}
1199
1200static void
1201mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
1202{
1203
1204 ASSERT_MBUF_LABEL(mlabel);
1205}
1206
1207static void
1208mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1209 struct label *ifnetlabel, struct label *newlabel)
1210{
1211
1212 ASSERT_CRED_LABEL(cred->cr_label);
1213 ASSERT_IFNET_LABEL(ifnetlabel);
1214 ASSERT_IFNET_LABEL(newlabel);
1215}
1216
1217static void
1218mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1219 struct ipq *ipq, struct label *ipqlabel)
1220{
1221
1222 ASSERT_MBUF_LABEL(fragmentlabel);
1223 ASSERT_IPQ_LABEL(ipqlabel);
1224}
1225
1226static void
1227mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1228 struct inpcb *inp, struct label *inplabel)
1229{
1230
1231 ASSERT_SOCKET_LABEL(solabel);
1232 ASSERT_INPCB_LABEL(inplabel);
1233}
1234
1235/*
1236 * Labeling event operations: processes.
1237 */
1238static void
1239mac_test_execve_transition(struct ucred *old, struct ucred *new,
1240 struct vnode *vp, struct label *filelabel,
1241 struct label *interpvnodelabel, struct image_params *imgp,
1242 struct label *execlabel)
1243{
1244
1245 ASSERT_CRED_LABEL(old->cr_label);
1246 ASSERT_CRED_LABEL(new->cr_label);
1247 ASSERT_VNODE_LABEL(filelabel);
1248 if (interpvnodelabel != NULL) {
1249 ASSERT_VNODE_LABEL(interpvnodelabel);
1250 }
1251 if (execlabel != NULL) {
1252 ASSERT_CRED_LABEL(execlabel);
1253 }
1254}
1255
1256static int
1257mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
1258 struct label *filelabel, struct label *interpvnodelabel,
1259 struct image_params *imgp, struct label *execlabel)
1260{
1261
1262 ASSERT_CRED_LABEL(old->cr_label);
1263 ASSERT_VNODE_LABEL(filelabel);
1264 if (interpvnodelabel != NULL) {
1265 ASSERT_VNODE_LABEL(interpvnodelabel);
1266 }
1267 if (execlabel != NULL) {
1268 ASSERT_CRED_LABEL(execlabel);
1269 }
1270
1271 return (0);
1272}
1273
1274static void
1275mac_test_create_proc0(struct ucred *cred)
1276{
1277
1278 ASSERT_CRED_LABEL(cred->cr_label);
1279}
1280
1281static void
1282mac_test_create_proc1(struct ucred *cred)
1283{
1284
1285 ASSERT_CRED_LABEL(cred->cr_label);
1286}
1287
1288static void
1289mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
1290{
1291
1292 ASSERT_CRED_LABEL(cred->cr_label);
1293 ASSERT_CRED_LABEL(newlabel);
1294}
1295
1296static void
1297mac_test_thread_userret(struct thread *td)
1298{
1299
1300 printf("mac_test_thread_userret(process = %d)\n",
1301 curthread->td_proc->p_pid);
1302}
1303
1304/*
1305 * Label cleanup/flush operations
1306 */
1307static void
1308mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
1309{
1310
1311 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1312}
1313
1314static void
1315mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
1316{
1317
1318 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
1319}
1320
1321static void
1322mac_test_cleanup_sysv_sem(struct label *semalabel)
1323{
1324
1325 ASSERT_SYSVIPCSEM_LABEL(semalabel);
1326}
1327
1328static void
1329mac_test_cleanup_sysv_shm(struct label *shmlabel)
1330{
1331
1332 ASSERT_SYSVIPCSHM_LABEL(shmlabel);
1333}
1334
1335/*
1336 * Access control checks.
1337 */
1338static int
1339mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1340 struct ifnet *ifnet, struct label *ifnetlabel)
1341{
1342
1343 ASSERT_BPF_LABEL(bpflabel);
1344 ASSERT_IFNET_LABEL(ifnetlabel);
1345
1346 return (0);
1347}
1348
1349static int
1350mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1351{
1352
1353 ASSERT_CRED_LABEL(cred->cr_label);
1354 ASSERT_CRED_LABEL(newlabel);
1355
1356 return (0);
1357}
1358
1359static int
1360mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
1361{
1362
1363 ASSERT_CRED_LABEL(u1->cr_label);
1364 ASSERT_CRED_LABEL(u2->cr_label);
1365
1366 return (0);
1367}
1368
1369static int
1370mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1371 struct label *ifnetlabel, struct label *newlabel)
1372{
1373
1374 ASSERT_CRED_LABEL(cred->cr_label);
1375 ASSERT_IFNET_LABEL(ifnetlabel);
1376 ASSERT_IFNET_LABEL(newlabel);
1377 return (0);
1378}
1379
1380static int
1381mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1382 struct mbuf *m, struct label *mbuflabel)
1383{
1384
1385 ASSERT_IFNET_LABEL(ifnetlabel);
1386 ASSERT_MBUF_LABEL(mbuflabel);
1387
1388 return (0);
1389}
1390
1391static int
1392mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
1393 struct mbuf *m, struct label *mlabel)
1394{
1395
1396 ASSERT_INPCB_LABEL(inplabel);
1397 ASSERT_MBUF_LABEL(mlabel);
1398
1399 return (0);
1400}
1401
1402static int
1403mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
1404 struct label *msglabel, struct msqid_kernel *msqkptr,
1405 struct label *msqklabel)
1406{
1407
1408 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1409 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1410 ASSERT_CRED_LABEL(cred->cr_label);
1411
1412 return (0);
1413}
1414
1415static int
1416mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
1417 struct label *msglabel)
1418{
1419
1420 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1421 ASSERT_CRED_LABEL(cred->cr_label);
1422
1423 return (0);
1424}
1425
1426
1427static int
1428mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
1429 struct label *msglabel)
1430{
1431
1432 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1433 ASSERT_CRED_LABEL(cred->cr_label);
1434
1435 return (0);
1436}
1437
1438static int
1439mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
1440 struct label *msqklabel)
1441{
1442
1443 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1444 ASSERT_CRED_LABEL(cred->cr_label);
1445
1446 return (0);
1447}
1448
1449static int
1450mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
1451 struct label *msqklabel)
1452{
1453
1454 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1455 ASSERT_CRED_LABEL(cred->cr_label);
1456
1457 return (0);
1458}
1459
1460static int
1461mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
1462 struct label *msqklabel)
1463{
1464
1465 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1466 ASSERT_CRED_LABEL(cred->cr_label);
1467
1468 return (0);
1469}
1470
1471static int
1472mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
1473 struct label *msqklabel, int cmd)
1474{
1475
1476 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1477 ASSERT_CRED_LABEL(cred->cr_label);
1478
1479 return (0);
1480}
1481
1482static int
1483mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
1484 struct label *semaklabel, int cmd)
1485{
1486
1487 ASSERT_CRED_LABEL(cred->cr_label);
1488 ASSERT_SYSVIPCSEM_LABEL(semaklabel);
1489
1490 return (0);
1491}
1492
1493static int
1494mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
1495 struct label *semaklabel)
1496{
1497
1498 ASSERT_CRED_LABEL(cred->cr_label);
1499 ASSERT_SYSVIPCSEM_LABEL(semaklabel);
1500
1501 return (0);
1502}
1503
1504static int
1505mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
1506 struct label *semaklabel, size_t accesstype)
1507{
1508
1509 ASSERT_CRED_LABEL(cred->cr_label);
1510 ASSERT_SYSVIPCSEM_LABEL(semaklabel);
1511
1512 return (0);
1513}
1514
1515static int
1516mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
1517 struct label *shmseglabel, int shmflg)
1518{
1519
1520 ASSERT_CRED_LABEL(cred->cr_label);
1521 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1522
1523 return (0);
1524}
1525
1526static int
1527mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
1528 struct label *shmseglabel, int cmd)
1529{
1530
1531 ASSERT_CRED_LABEL(cred->cr_label);
1532 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1533
1534 return (0);
1535}
1536
1537static int
1538mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
1539 struct label *shmseglabel)
1540{
1541
1542 ASSERT_CRED_LABEL(cred->cr_label);
1543 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1544
1545 return (0);
1546}
1547
1548static int
1549mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
1550 struct label *shmseglabel, int shmflg)
1551{
1552
1553 ASSERT_CRED_LABEL(cred->cr_label);
1554 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1555
1556 return (0);
1557}
1558
1559static int
1560mac_test_check_kenv_dump(struct ucred *cred)
1561{
1562
1563 ASSERT_CRED_LABEL(cred->cr_label);
1564
1565 return (0);
1566}
1567
1568static int
1569mac_test_check_kenv_get(struct ucred *cred, char *name)
1570{
1571
1572 ASSERT_CRED_LABEL(cred->cr_label);
1573
1574 return (0);
1575}
1576
1577static int
1578mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
1579{
1580
1581 ASSERT_CRED_LABEL(cred->cr_label);
1582
1583 return (0);
1584}
1585
1586static int
1587mac_test_check_kenv_unset(struct ucred *cred, char *name)
1588{
1589
1590 ASSERT_CRED_LABEL(cred->cr_label);
1591
1592 return (0);
1593}
1594
1595static int
1596mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
1597 struct label *label)
1598{
1599
1600 ASSERT_CRED_LABEL(cred->cr_label);
1601 ASSERT_VNODE_LABEL(label);
1602
1603 return (0);
1604}
1605
1606static int
1607mac_test_check_kld_stat(struct ucred *cred)
1608{
1609
1610 ASSERT_CRED_LABEL(cred->cr_label);
1611
1612 return (0);
1613}
1614
1615static int
1616mac_test_check_kld_unload(struct ucred *cred)
1617{
1618
1619 ASSERT_CRED_LABEL(cred->cr_label);
1620
1621 return (0);
1622}
1623
1624static int
1625mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
1626 struct label *mntlabel)
1627{
1628
1629 ASSERT_CRED_LABEL(cred->cr_label);
1630 ASSERT_MOUNT_LABEL(mntlabel);
1631
1632 return (0);
1633}
1634
1635static int
1636mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
1637 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1638{
1639
1640 ASSERT_CRED_LABEL(cred->cr_label);
1641 ASSERT_PIPE_LABEL(pipelabel);
1642
1643 return (0);
1644}
1645
1646static int
1647mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
1648 struct label *pipelabel)
1649{
1650
1651 ASSERT_CRED_LABEL(cred->cr_label);
1652 ASSERT_PIPE_LABEL(pipelabel);
1653
1654 return (0);
1655}
1656
1657static int
1658mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
1659 struct label *pipelabel)
1660{
1661
1662 ASSERT_CRED_LABEL(cred->cr_label);
1663 ASSERT_PIPE_LABEL(pipelabel);
1664
1665 return (0);
1666}
1667
1668static int
1669mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1670 struct label *pipelabel, struct label *newlabel)
1671{
1672
1673 ASSERT_CRED_LABEL(cred->cr_label);
1674 ASSERT_PIPE_LABEL(pipelabel);
1675 ASSERT_PIPE_LABEL(newlabel);
1676
1677 return (0);
1678}
1679
1680static int
1681mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
1682 struct label *pipelabel)
1683{
1684
1685 ASSERT_CRED_LABEL(cred->cr_label);
1686 ASSERT_PIPE_LABEL(pipelabel);
1687
1688 return (0);
1689}
1690
1691static int
1692mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
1693 struct label *pipelabel)
1694{
1695
1696 ASSERT_CRED_LABEL(cred->cr_label);
1697 ASSERT_PIPE_LABEL(pipelabel);
1698
1699 return (0);
1700}
1701
1702static int
1703mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr,
1704 struct label *ks_label)
1705{
1706
1707 ASSERT_CRED_LABEL(cred->cr_label);
1708 ASSERT_POSIX_LABEL(ks_label);
1709
1710 return (0);
1711}
1712
1713static int
1714mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
1715{
1716
1717 ASSERT_CRED_LABEL(cred->cr_label);
1718 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1719
1720 return (0);
1721}
1722
1723static int
1724mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
1725{
1726
1727 ASSERT_CRED_LABEL(cred->cr_label);
1728 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1729
1730 return (0);
1731}
1732
1733static int
1734mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
1735{
1736
1737 ASSERT_CRED_LABEL(cred->cr_label);
1738 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1739
1740 return (0);
1741}
1742
1743static int
1744mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
1745{
1746
1747 ASSERT_CRED_LABEL(cred->cr_label);
1748
1749 return (0);
1750}
1751
1752static int
1753mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
1754{
1755
1756 ASSERT_CRED_LABEL(cred->cr_label);
1757
1758 return (0);
1759}
1760
1761static int
1762mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
1763{
1764
1765 ASSERT_CRED_LABEL(cred->cr_label);
1766
1767 return (0);
1768}
1769
1770static int
1771mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
1772{
1773
1774 ASSERT_CRED_LABEL(cred->cr_label);
1775
1776 return (0);
1777}
1778
1779static int
1780mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
1781 gid_t *gidset)
1782{
1783
1784 ASSERT_CRED_LABEL(cred->cr_label);
1785
1786 return (0);
1787}
1788
1789static int
1790mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
1791{
1792
1793 ASSERT_CRED_LABEL(cred->cr_label);
1794
1795 return (0);
1796}
1797
1798static int
1799mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
1800{
1801
1802 ASSERT_CRED_LABEL(cred->cr_label);
1803
1804 return (0);
1805}
1806
1807static int
1808mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
1809 uid_t suid)
1810{
1811
1812 ASSERT_CRED_LABEL(cred->cr_label);
1813
1814 return (0);
1815}
1816
1817static int
1818mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
1819 gid_t sgid)
1820{
1821
1822 ASSERT_CRED_LABEL(cred->cr_label);
1823
1824 return (0);
1825}
1826
1827static int
1828mac_test_check_proc_wait(struct ucred *cred, struct proc *proc)
1829{
1830
1831 ASSERT_CRED_LABEL(cred->cr_label);
1832 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1833
1834 return (0);
1835}
1836
1837static int
1838mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
1839 struct label *socketlabel)
1840{
1841
1842 ASSERT_CRED_LABEL(cred->cr_label);
1843 ASSERT_SOCKET_LABEL(socketlabel);
1844
1845 return (0);
1846}
1847
1848static int
1849mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
1850 struct label *socketlabel, struct sockaddr *sockaddr)
1851{
1852
1853 ASSERT_CRED_LABEL(cred->cr_label);
1854 ASSERT_SOCKET_LABEL(socketlabel);
1855
1856 return (0);
1857}
1858
1859static int
1860mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
1861 struct label *socketlabel, struct sockaddr *sockaddr)
1862{
1863
1864 ASSERT_CRED_LABEL(cred->cr_label);
1865 ASSERT_SOCKET_LABEL(socketlabel);
1866
1867 return (0);
1868}
1869
1870static int
1871mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
1872 struct mbuf *m, struct label *mbuflabel)
1873{
1874
1875 ASSERT_SOCKET_LABEL(socketlabel);
1876 ASSERT_MBUF_LABEL(mbuflabel);
1877
1878 return (0);
1879}
1880
1881static int
1882mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
1883 struct label *socketlabel)
1884{
1885
1886 ASSERT_CRED_LABEL(cred->cr_label);
1887 ASSERT_SOCKET_LABEL(socketlabel);
1888
1889 return (0);
1890}
1891
1892static int
1893mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
1894 struct label *socketlabel)
1895{
1896
1897 ASSERT_CRED_LABEL(cred->cr_label);
1898 ASSERT_SOCKET_LABEL(socketlabel);
1899
1900 return (0);
1901}
1902
1903static int
1904mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
1905 struct label *socketlabel)
1906{
1907
1908 ASSERT_CRED_LABEL(cred->cr_label);
1909 ASSERT_SOCKET_LABEL(socketlabel);
1910
1911 return (0);
1912}
1913
1914static int
1915mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
1916 struct label *socketlabel, struct label *newlabel)
1917{
1918
1919 ASSERT_CRED_LABEL(cred->cr_label);
1920 ASSERT_SOCKET_LABEL(socketlabel);
1921 ASSERT_SOCKET_LABEL(newlabel);
1922
1923 return (0);
1924}
1925
1926static int
1927mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
1928 struct label *socketlabel)
1929{
1930
1931 ASSERT_CRED_LABEL(cred->cr_label);
1932 ASSERT_SOCKET_LABEL(socketlabel);
1933
1934 return (0);
1935}
1936
1937static int
1938mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
1939 struct label *socketlabel)
1940{
1941
1942 ASSERT_CRED_LABEL(cred->cr_label);
1943 ASSERT_SOCKET_LABEL(socketlabel);
1944
1945 return (0);
1946}
1947
1948static int
1949mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
1950 struct label *socketlabel)
1951{
1952
1953 ASSERT_CRED_LABEL(cred->cr_label);
1954 ASSERT_SOCKET_LABEL(socketlabel);
1955
1956 return (0);
1957}
1958
1959static int
1960mac_test_check_sysarch_ioperm(struct ucred *cred)
1961{
1962
1963 ASSERT_CRED_LABEL(cred->cr_label);
1964
1965 return (0);
1966}
1967
1968static int
1969mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
1970 struct label *label)
1971{
1972
1973 ASSERT_CRED_LABEL(cred->cr_label);
1974
1975 return (0);
1976}
1977
1978static int
1979mac_test_check_system_reboot(struct ucred *cred, int how)
1980{
1981
1982 ASSERT_CRED_LABEL(cred->cr_label);
1983
1984 return (0);
1985}
1986
1987static int
1988mac_test_check_system_settime(struct ucred *cred)
1989{
1990
1991 ASSERT_CRED_LABEL(cred->cr_label);
1992
1993 return (0);
1994}
1995
1996static int
1997mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
1998 struct label *label)
1999{
2000
2001 ASSERT_CRED_LABEL(cred->cr_label);
2002 ASSERT_VNODE_LABEL(label);
2003
2004 return (0);
2005}
2006
2007static int
2008mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
2009 struct label *label)
2010{
2011
2012 ASSERT_CRED_LABEL(cred->cr_label);
2013 ASSERT_VNODE_LABEL(label);
2014
2015 return (0);
2016}
2017
2018static int
2019mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2020 void *arg1, int arg2, struct sysctl_req *req)
2021{
2022
2023 ASSERT_CRED_LABEL(cred->cr_label);
2024
2025 return (0);
2026}
2027
2028static int
2029mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
2030 struct label *label, int acc_mode)
2031{
2032
2033 ASSERT_CRED_LABEL(cred->cr_label);
2034 ASSERT_VNODE_LABEL(label);
2035
2036 return (0);
2037}
2038
2039static int
2040mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
2041 struct label *dlabel)
2042{
2043
2044 ASSERT_CRED_LABEL(cred->cr_label);
2045 ASSERT_VNODE_LABEL(dlabel);
2046
2047 return (0);
2048}
2049
2050static int
2051mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
2052 struct label *dlabel)
2053{
2054
2055 ASSERT_CRED_LABEL(cred->cr_label);
2056 ASSERT_VNODE_LABEL(dlabel);
2057
2058 return (0);
2059}
2060
2061static int
2062mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
2063 struct label *dlabel, struct componentname *cnp, struct vattr *vap)
2064{
2065
2066 ASSERT_CRED_LABEL(cred->cr_label);
2067 ASSERT_VNODE_LABEL(dlabel);
2068
2069 return (0);
2070}
2071
2072static int
2073mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
2074 struct label *dlabel, struct vnode *vp, struct label *label,
2075 struct componentname *cnp)
2076{
2077
2078 ASSERT_CRED_LABEL(cred->cr_label);
2079 ASSERT_VNODE_LABEL(dlabel);
2080 ASSERT_VNODE_LABEL(label);
2081
2082 return (0);
2083}
2084
2085static int
2086mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
2087 struct label *label, acl_type_t type)
2088{
2089
2090 ASSERT_CRED_LABEL(cred->cr_label);
2091 ASSERT_VNODE_LABEL(label);
2092
2093 return (0);
2094}
2095
2096static int
2097mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
2098 struct label *label, int attrnamespace, const char *name)
2099{
2100
2101 ASSERT_CRED_LABEL(cred->cr_label);
2102 ASSERT_VNODE_LABEL(label);
2103
2104 return (0);
2105}
2106
2107static int
2108mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
2109 struct label *label, struct image_params *imgp,
2110 struct label *execlabel)
2111{
2112
2113 ASSERT_CRED_LABEL(cred->cr_label);
2114 ASSERT_VNODE_LABEL(label);
2115 if (execlabel != NULL) {
2116 ASSERT_CRED_LABEL(execlabel);
2117 }
2118
2119 return (0);
2120}
2121
2122static int
2123mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
2124 struct label *label, acl_type_t type)
2125{
2126
2127 ASSERT_CRED_LABEL(cred->cr_label);
2128 ASSERT_VNODE_LABEL(label);
2129
2130 return (0);
2131}
2132
2133static int
2134mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
2135 struct label *label, int attrnamespace, const char *name, struct uio *uio)
2136{
2137
2138 ASSERT_CRED_LABEL(cred->cr_label);
2139 ASSERT_VNODE_LABEL(label);
2140
2141 return (0);
2142}
2143
2144static int
2145mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
2146 struct label *dlabel, struct vnode *vp, struct label *label,
2147 struct componentname *cnp)
2148{
2149
2150 ASSERT_CRED_LABEL(cred->cr_label);
2151 ASSERT_VNODE_LABEL(dlabel);
2152 ASSERT_VNODE_LABEL(label);
2153
2154 return (0);
2155}
2156
2157static int
2158mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
2159 struct label *label, int attrnamespace)
2160{
2161
2162 ASSERT_CRED_LABEL(cred->cr_label);
2163 ASSERT_VNODE_LABEL(label);
2164
2165 return (0);
2166}
2167
2168static int
2169mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
2170 struct label *dlabel, struct componentname *cnp)
2171{
2172
2173 ASSERT_CRED_LABEL(cred->cr_label);
2174 ASSERT_VNODE_LABEL(dlabel);
2175
2176 return (0);
2177}
2178
2179static int
2180mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
2181 struct label *label, int prot, int flags)
2182{
2183
2184 ASSERT_CRED_LABEL(cred->cr_label);
2185 ASSERT_VNODE_LABEL(label);
2186
2187 return (0);
2188}
2189
2190static int
2191mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
2192 struct label *filelabel, int acc_mode)
2193{
2194
2195 ASSERT_CRED_LABEL(cred->cr_label);
2196 ASSERT_VNODE_LABEL(filelabel);
2197
2198 return (0);
2199}
2200
2201static int
2202mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
2203 struct vnode *vp, struct label *label)
2204{
2205
2206 ASSERT_CRED_LABEL(active_cred->cr_label);
2207 ASSERT_CRED_LABEL(file_cred->cr_label);
2208 ASSERT_VNODE_LABEL(label);
2209
2210 return (0);
2211}
2212
2213static int
2214mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2215 struct vnode *vp, struct label *label)
2216{
2217
2218 ASSERT_CRED_LABEL(active_cred->cr_label);
2219 if (file_cred != NULL) {
2220 ASSERT_CRED_LABEL(file_cred->cr_label);
2221 }
2222 ASSERT_VNODE_LABEL(label);
2223
2224 return (0);
2225}
2226
2227static int
2228mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
2229 struct label *dlabel)
2230{
2231
2232 ASSERT_CRED_LABEL(cred->cr_label);
2233 ASSERT_VNODE_LABEL(dlabel);
2234
2235 return (0);
2236}
2237
2238static int
2239mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
2240 struct label *vnodelabel)
2241{
2242
2243 ASSERT_CRED_LABEL(cred->cr_label);
2244 ASSERT_VNODE_LABEL(vnodelabel);
2245
2246 return (0);
2247}
2248
2249static int
2250mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2251 struct label *vnodelabel, struct label *newlabel)
2252{
2253
2254 ASSERT_CRED_LABEL(cred->cr_label);
2255 ASSERT_VNODE_LABEL(vnodelabel);
2256 ASSERT_VNODE_LABEL(newlabel);
2257
2258 return (0);
2259}
2260
2261static int
2262mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2263 struct label *dlabel, struct vnode *vp, struct label *label,
2264 struct componentname *cnp)
2265{
2266
2267 ASSERT_CRED_LABEL(cred->cr_label);
2268 ASSERT_VNODE_LABEL(dlabel);
2269 ASSERT_VNODE_LABEL(label);
2270
2271 return (0);
2272}
2273
2274static int
2275mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2276 struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
2277 struct componentname *cnp)
2278{
2279
2280 ASSERT_CRED_LABEL(cred->cr_label);
2281 ASSERT_VNODE_LABEL(dlabel);
2282
2283 if (vp != NULL) {
2284 ASSERT_VNODE_LABEL(label);
2285 }
2286
2287 return (0);
2288}
2289
2290static int
2291mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
2292 struct label *label)
2293{
2294
2295 ASSERT_CRED_LABEL(cred->cr_label);
2296 ASSERT_VNODE_LABEL(label);
2297
2298 return (0);
2299}
2300
2301static int
2302mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
2303 struct label *label, acl_type_t type, struct acl *acl)
2304{
2305
2306 ASSERT_CRED_LABEL(cred->cr_label);
2307 ASSERT_VNODE_LABEL(label);
2308
2309 return (0);
2310}
2311
2312static int
2313mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2314 struct label *label, int attrnamespace, const char *name, struct uio *uio)
2315{
2316
2317 ASSERT_CRED_LABEL(cred->cr_label);
2318 ASSERT_VNODE_LABEL(label);
2319
2320 return (0);
2321}
2322
2323static int
2324mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
2325 struct label *label, u_long flags)
2326{
2327
2328 ASSERT_CRED_LABEL(cred->cr_label);
2329 ASSERT_VNODE_LABEL(label);
2330
2331 return (0);
2332}
2333
2334static int
2335mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
2336 struct label *label, mode_t mode)
2337{
2338
2339 ASSERT_CRED_LABEL(cred->cr_label);
2340 ASSERT_VNODE_LABEL(label);
2341
2342 return (0);
2343}
2344
2345static int
2346mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
2347 struct label *label, uid_t uid, gid_t gid)
2348{
2349
2350 ASSERT_CRED_LABEL(cred->cr_label);
2351 ASSERT_VNODE_LABEL(label);
2352
2353 return (0);
2354}
2355
2356static int
2357mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2358 struct label *label, struct timespec atime, struct timespec mtime)
2359{
2360
2361 ASSERT_CRED_LABEL(cred->cr_label);
2362 ASSERT_VNODE_LABEL(label);
2363
2364 return (0);
2365}
2366
2367static int
2368mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2369 struct vnode *vp, struct label *label)
2370{
2371
2372 ASSERT_CRED_LABEL(active_cred->cr_label);
2373 if (file_cred != NULL) {
2374 ASSERT_CRED_LABEL(file_cred->cr_label);
2375 }
2376 ASSERT_VNODE_LABEL(label);
2377
2378 return (0);
2379}
2380
2381static int
2382mac_test_check_vnode_write(struct ucred *active_cred,
2383 struct ucred *file_cred, struct vnode *vp, struct label *label)
2384{
2385
2386 ASSERT_CRED_LABEL(active_cred->cr_label);
2387 if (file_cred != NULL) {
2388 ASSERT_CRED_LABEL(file_cred->cr_label);
2389 }
2390 ASSERT_VNODE_LABEL(label);
2391
2392 return (0);
2393}
2394
2395static struct mac_policy_ops mac_test_ops =
2396{
2397 .mpo_destroy = mac_test_destroy,
2398 .mpo_init = mac_test_init,
2399 .mpo_syscall = mac_test_syscall,
2400 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
2401 .mpo_init_cred_label = mac_test_init_cred_label,
2402 .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
2403 .mpo_init_ifnet_label = mac_test_init_ifnet_label,
2404 .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
2405 .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
2406 .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
2407 .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
2408 .mpo_init_inpcb_label = mac_test_init_inpcb_label,
2409 .mpo_init_ipq_label = mac_test_init_ipq_label,
2410 .mpo_init_mbuf_label = mac_test_init_mbuf_label,
2411 .mpo_init_mount_label = mac_test_init_mount_label,
2412 .mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
2413 .mpo_init_pipe_label = mac_test_init_pipe_label,
2414 .mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
2415 .mpo_init_proc_label = mac_test_init_proc_label,
2416 .mpo_init_socket_label = mac_test_init_socket_label,
2417 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
2418 .mpo_init_vnode_label = mac_test_init_vnode_label,
2419 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
2420 .mpo_destroy_cred_label = mac_test_destroy_cred_label,
2421 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
2422 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
2423 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
2424 .mpo_destroy_sysv_msgqueue_label =
2425 mac_test_destroy_sysv_msgqueue_label,
2426 .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label,
2427 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label,
2428 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
2429 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
2430 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
2431 .mpo_destroy_mount_label = mac_test_destroy_mount_label,
2432 .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
2433 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
2434 .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
2435 .mpo_destroy_proc_label = mac_test_destroy_proc_label,
2436 .mpo_destroy_socket_label = mac_test_destroy_socket_label,
2437 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
2438 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
2439 .mpo_copy_cred_label = mac_test_copy_cred_label,
2440 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
2441 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
2442 .mpo_copy_pipe_label = mac_test_copy_pipe_label,
2443 .mpo_copy_socket_label = mac_test_copy_socket_label,
2444 .mpo_copy_vnode_label = mac_test_copy_vnode_label,
2445 .mpo_externalize_cred_label = mac_test_externalize_label,
2446 .mpo_externalize_ifnet_label = mac_test_externalize_label,
2447 .mpo_externalize_pipe_label = mac_test_externalize_label,
2448 .mpo_externalize_socket_label = mac_test_externalize_label,
2449 .mpo_externalize_socket_peer_label = mac_test_externalize_label,
2450 .mpo_externalize_vnode_label = mac_test_externalize_label,
2451 .mpo_internalize_cred_label = mac_test_internalize_label,
2452 .mpo_internalize_ifnet_label = mac_test_internalize_label,
2453 .mpo_internalize_pipe_label = mac_test_internalize_label,
2454 .mpo_internalize_socket_label = mac_test_internalize_label,
2455 .mpo_internalize_vnode_label = mac_test_internalize_label,
2456 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
2457 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
2458 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
2459 .mpo_create_devfs_device = mac_test_create_devfs_device,
2460 .mpo_create_devfs_directory = mac_test_create_devfs_directory,
2461 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
2462 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
2463 .mpo_create_mount = mac_test_create_mount,
2464 .mpo_relabel_vnode = mac_test_relabel_vnode,
2465 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
2466 .mpo_update_devfsdirent = mac_test_update_devfsdirent,
2467 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
2468 .mpo_create_pipe = mac_test_create_pipe,
2469 .mpo_create_posix_sem = mac_test_create_posix_sem,
2470 .mpo_create_socket = mac_test_create_socket,
2471 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
2472 .mpo_relabel_pipe = mac_test_relabel_pipe,
2473 .mpo_relabel_socket = mac_test_relabel_socket,
2474 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
2475 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
2476 .mpo_create_bpfdesc = mac_test_create_bpfdesc,
2477 .mpo_create_ifnet = mac_test_create_ifnet,
2478 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
2479 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg,
2480 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue,
2481 .mpo_create_sysv_sem = mac_test_create_sysv_sem,
2482 .mpo_create_sysv_shm = mac_test_create_sysv_shm,
2483 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
2484 .mpo_create_fragment = mac_test_create_fragment,
2485 .mpo_create_ipq = mac_test_create_ipq,
2486 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
2487 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
2488 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
2489 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
2490 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
2491 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
2492 .mpo_fragment_match = mac_test_fragment_match,
2493 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
2494 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
2495 .mpo_relabel_ifnet = mac_test_relabel_ifnet,
2496 .mpo_update_ipq = mac_test_update_ipq,
2497 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
2498 .mpo_execve_transition = mac_test_execve_transition,
2499 .mpo_execve_will_transition = mac_test_execve_will_transition,
2500 .mpo_create_proc0 = mac_test_create_proc0,
2501 .mpo_create_proc1 = mac_test_create_proc1,
2502 .mpo_relabel_cred = mac_test_relabel_cred,
2503 .mpo_thread_userret = mac_test_thread_userret,
2504 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg,
2505 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue,
2506 .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem,
2507 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm,
2508 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
2509 .mpo_check_cred_relabel = mac_test_check_cred_relabel,
2510 .mpo_check_cred_visible = mac_test_check_cred_visible,
2511 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
2512 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
2513 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
2514 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq,
2515 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv,
2516 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid,
2517 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget,
2518 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd,
2519 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv,
2520 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl,
2521 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl,
2522 .mpo_check_sysv_semget = mac_test_check_sysv_semget,
2523 .mpo_check_sysv_semop = mac_test_check_sysv_semop,
2524 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat,
2525 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl,
2526 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt,
2527 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget,
2528 .mpo_check_kenv_dump = mac_test_check_kenv_dump,
2529 .mpo_check_kenv_get = mac_test_check_kenv_get,
2530 .mpo_check_kenv_set = mac_test_check_kenv_set,
2531 .mpo_check_kenv_unset = mac_test_check_kenv_unset,
2532 .mpo_check_kld_load = mac_test_check_kld_load,
2533 .mpo_check_kld_stat = mac_test_check_kld_stat,
2534 .mpo_check_kld_unload = mac_test_check_kld_unload,
2535 .mpo_check_mount_stat = mac_test_check_mount_stat,
2536 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
2537 .mpo_check_pipe_poll = mac_test_check_pipe_poll,
2538 .mpo_check_pipe_read = mac_test_check_pipe_read,
2539 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
2540 .mpo_check_pipe_stat = mac_test_check_pipe_stat,
2541 .mpo_check_pipe_write = mac_test_check_pipe_write,
2542 .mpo_check_posix_sem_destroy = mac_test_check_posix_sem,
2543 .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem,
2544 .mpo_check_posix_sem_open = mac_test_check_posix_sem,
2545 .mpo_check_posix_sem_post = mac_test_check_posix_sem,
2546 .mpo_check_posix_sem_unlink = mac_test_check_posix_sem,
2547 .mpo_check_posix_sem_wait = mac_test_check_posix_sem,
2548 .mpo_check_proc_debug = mac_test_check_proc_debug,
2549 .mpo_check_proc_sched = mac_test_check_proc_sched,
2550 .mpo_check_proc_setuid = mac_test_check_proc_setuid,
2551 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
2552 .mpo_check_proc_setgid = mac_test_check_proc_setgid,
2553 .mpo_check_proc_setegid = mac_test_check_proc_setegid,
2554 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
2555 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
2556 .mpo_check_proc_setregid = mac_test_check_proc_setregid,
2557 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
2558 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
2559 .mpo_check_proc_signal = mac_test_check_proc_signal,
2560 .mpo_check_proc_wait = mac_test_check_proc_wait,
2561 .mpo_check_socket_accept = mac_test_check_socket_accept,
2562 .mpo_check_socket_bind = mac_test_check_socket_bind,
2563 .mpo_check_socket_connect = mac_test_check_socket_connect,
2564 .mpo_check_socket_deliver = mac_test_check_socket_deliver,
2565 .mpo_check_socket_listen = mac_test_check_socket_listen,
2566 .mpo_check_socket_poll = mac_test_check_socket_poll,
2567 .mpo_check_socket_receive = mac_test_check_socket_receive,
2568 .mpo_check_socket_relabel = mac_test_check_socket_relabel,
2569 .mpo_check_socket_send = mac_test_check_socket_send,
2570 .mpo_check_socket_stat = mac_test_check_socket_stat,
2571 .mpo_check_socket_visible = mac_test_check_socket_visible,
2572 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
2573 .mpo_check_system_acct = mac_test_check_system_acct,
2574 .mpo_check_system_reboot = mac_test_check_system_reboot,
2575 .mpo_check_system_settime = mac_test_check_system_settime,
2576 .mpo_check_system_swapon = mac_test_check_system_swapon,
2577 .mpo_check_system_swapoff = mac_test_check_system_swapoff,
2578 .mpo_check_system_sysctl = mac_test_check_system_sysctl,
2579 .mpo_check_vnode_access = mac_test_check_vnode_access,
2580 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
2581 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
2582 .mpo_check_vnode_create = mac_test_check_vnode_create,
2583 .mpo_check_vnode_delete = mac_test_check_vnode_delete,
2584 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
2585 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
2586 .mpo_check_vnode_exec = mac_test_check_vnode_exec,
2587 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
2588 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
2589 .mpo_check_vnode_link = mac_test_check_vnode_link,
2590 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
2591 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
2592 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
2593 .mpo_check_vnode_open = mac_test_check_vnode_open,
2594 .mpo_check_vnode_poll = mac_test_check_vnode_poll,
2595 .mpo_check_vnode_read = mac_test_check_vnode_read,
2596 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
2597 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
2598 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
2599 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
2600 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
2601 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
2602 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
2603 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
2604 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
2605 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
2606 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
2607 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
2608 .mpo_check_vnode_stat = mac_test_check_vnode_stat,
2609 .mpo_check_vnode_write = mac_test_check_vnode_write,
2610};
2611
2612MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
2613 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);