Cross Reference: /freebsd-11.0-release/sys/security/mac_test/mac

Deleted Added

sdiff udiff text old ( 101934 ) new ( 102112 )

full compact

mac_test.c (101934)	mac_test.c (102112)
1/- 2 Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, 9 * the Security Research Division of Network Associates, Inc. under 10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 11 * CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The names of the authors may not be used to endorse or promote 22 * products derived from this software without specific prior written 23 * permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 *	1/- 2 Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, 9 * the Security Research Division of Network Associates, Inc. under 10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 11 * CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The names of the authors may not be used to endorse or promote 22 * products derived from this software without specific prior written 23 * permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 *
37 * $FreeBSD: head/sys/security/mac_test/mac_test.c 101934 2002-08-15 18:51:27Z rwatson $	37 * $FreeBSD: head/sys/security/mac_test/mac_test.c 102112 2002-08-19 16:43:25Z rwatson $
38 / 39 40/ 41 * Developed by the TrustedBSD Project. 42 * Generic mandatory access module that does nothing. 43 / 44 45#include <sys/types.h> 46#include <sys/param.h> 47#include <sys/acl.h> 48#include <sys/conf.h> 49#include <sys/kernel.h> 50#include <sys/mac.h> 51#include <sys/mount.h> 52#include <sys/proc.h> 53#include <sys/systm.h> 54#include <sys/sysproto.h> 55#include <sys/sysent.h> 56#include <sys/vnode.h> 57#include <sys/file.h> 58#include <sys/socket.h> 59#include <sys/socketvar.h> 60#include <sys/sysctl.h> 61 62#include <fs/devfs/devfs.h> 63 64#include <net/bpfdesc.h> 65#include <net/if.h> 66#include <net/if_types.h> 67#include <net/if_var.h> 68 69#include <vm/vm.h> 70 71#include <sys/mac_policy.h> 72 73SYSCTL_DECL(_security_mac); 74 75SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, 76 "TrustedBSD mac_test policy controls"); 77 78static int mac_test_enabled = 0; 79SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW, 80 &mac_test_enabled, 0, "Enforce test policy"); 81 82#define BPFMAGIC 0xfe1ad1b6 83#define DEVFSMAGIC 0x9ee79c32 84#define IFNETMAGIC 0xc218b120 85#define IPQMAGIC 0x206188ef 86#define MBUFMAGIC 0xbbefa5bb 87#define MOUNTMAGIC 0xc7c46e47 88#define SOCKETMAGIC 0x9199c6cd 89#define PIPEMAGIC 0xdc6c9919 90#define CREDMAGIC 0x9a5a4987 91#define TEMPMAGIC 0x70336678 92#define VNODEMAGIC 0x1a67a45c 93#define EXMAGIC 0x849ba1fd 94 95#define SLOT(x) LABEL_TO_SLOT((x), test_slot).l_long 96static int test_slot; 97SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 98 &test_slot, 0, "Slot allocated by framework"); 99 100static int init_count_bpfdesc; 101SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD, 102* &init_count_bpfdesc, 0, "bpfdesc init calls"); 103static int init_count_cred; 104SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD, 105 &init_count_cred, 0, "cred init calls"); 106static int init_count_devfsdirent; 107SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD, 108 &init_count_devfsdirent, 0, "devfsdirent init calls"); 109static int init_count_ifnet; 110SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD, 111 &init_count_ifnet, 0, "ifnet init calls"); 112static int init_count_ipq; 113SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD, 114 &init_count_ipq, 0, "ipq init calls"); 115static int init_count_mbuf; 116SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD, 117 &init_count_mbuf, 0, "mbuf init calls"); 118static int init_count_mount; 119SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD, 120 &init_count_mount, 0, "mount init calls"); 121static int init_count_socket; 122SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD, 123 &init_count_socket, 0, "socket init calls"); 124static int init_count_pipe; 125SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD, 126 &init_count_pipe, 0, "pipe init calls"); 127static int init_count_temp; 128SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_temp, CTLFLAG_RD, 129 &init_count_temp, 0, "temp init calls"); 130static int init_count_vnode; 131SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD, 132 &init_count_vnode, 0, "vnode init calls"); 133 134static int destroy_count_bpfdesc; 135SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD, 136 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls"); 137static int destroy_count_cred; 138SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD, 139 &destroy_count_cred, 0, "cred destroy calls"); 140static int destroy_count_devfsdirent; 141SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD, 142 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls"); 143static int destroy_count_ifnet; 144SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD, 145 &destroy_count_ifnet, 0, "ifnet destroy calls"); 146static int destroy_count_ipq; 147SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD, 148 &destroy_count_ipq, 0, "ipq destroy calls"); 149static int destroy_count_mbuf; 150SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD, 151 &destroy_count_mbuf, 0, "mbuf destroy calls"); 152static int destroy_count_mount; 153SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD, 154 &destroy_count_mount, 0, "mount destroy calls"); 155static int destroy_count_socket; 156SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD, 157 &destroy_count_socket, 0, "socket destroy calls"); 158static int destroy_count_pipe; 159SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD, 160 &destroy_count_pipe, 0, "pipe destroy calls"); 161static int destroy_count_temp; 162SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_temp, CTLFLAG_RD, 163 &destroy_count_temp, 0, "temp destroy calls"); 164static int destroy_count_vnode; 165SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD, 166 &destroy_count_vnode, 0, "vnode destroy calls"); 167 168static int externalize_count; 169SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD, 170 &externalize_count, 0, "Subject/object externalize calls"); 171static int internalize_count; 172SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD, 173 &internalize_count, 0, "Subject/object internalize calls"); 174 175/* 176 * Policy module operations. 177 / 178static void 179mac_test_destroy(struct mac_policy_conf conf) 180{ 181 182} 183 184static void 185mac_test_init(struct mac_policy_conf conf) 186{ 187* 188} 189 190/* 191 * Label operations. 192 / 193static void 194mac_test_init_bpfdesc(struct bpf_d bpf_d, struct label label) 195{ 196* 197 SLOT(label) = BPFMAGIC; 198 atomic_add_int(&init_count_bpfdesc, 1); 199} 200 201static void 202mac_test_init_cred(struct ucred ucred, struct label label) 203{ 204 205 SLOT(label) = CREDMAGIC; 206 atomic_add_int(&init_count_cred, 1); 207} 208 209static void 210mac_test_init_devfsdirent(struct devfs_dirent devfs_dirent, 211* struct label label) 212{ 213* 214 SLOT(label) = DEVFSMAGIC; 215 atomic_add_int(&init_count_devfsdirent, 1); 216} 217 218static void 219mac_test_init_ifnet(struct ifnet ifnet, struct label label) 220{ 221 222 SLOT(label) = IFNETMAGIC; 223 atomic_add_int(&init_count_ifnet, 1); 224} 225 226static void 227mac_test_init_ipq(struct ipq ipq, struct label label) 228{ 229 230 SLOT(label) = IPQMAGIC; 231 atomic_add_int(&init_count_ipq, 1); 232} 233 234static int 235mac_test_init_mbuf(struct mbuf mbuf, int how, struct label label) 236{ 237 238 SLOT(label) = MBUFMAGIC; 239 atomic_add_int(&init_count_mbuf, 1); 240 return (0); 241} 242 243static void 244mac_test_init_mount(struct mount mount, struct label mntlabel, 245 struct label fslabel) 246{ 247* 248 SLOT(mntlabel) = MOUNTMAGIC; 249 SLOT(fslabel) = MOUNTMAGIC; 250 atomic_add_int(&init_count_mount, 1); 251} 252 253static void 254mac_test_init_socket(struct socket socket, struct label label, 255 struct label peerlabel) 256{ 257* 258 SLOT(label) = SOCKETMAGIC; 259 SLOT(peerlabel) = SOCKETMAGIC; 260 atomic_add_int(&init_count_socket, 1); 261} 262 263static void 264mac_test_init_pipe(struct pipe pipe, struct label label) 265{ 266 267 SLOT(label) = PIPEMAGIC; 268 atomic_add_int(&init_count_pipe, 1); 269} 270 271static void 272mac_test_init_temp(struct label label) 273{ 274* 275 SLOT(label) = TEMPMAGIC; 276 atomic_add_int(&init_count_temp, 1); 277} 278 279static void 280mac_test_init_vnode(struct vnode vp, struct label label) 281{ 282 283 SLOT(label) = VNODEMAGIC; 284 atomic_add_int(&init_count_vnode, 1); 285} 286 287static void 288mac_test_destroy_bpfdesc(struct bpf_d bpf_d, struct label label) 289{ 290 291 if (SLOT(label) == BPFMAGIC \|\| SLOT(label) == 0) { 292 atomic_add_int(&destroy_count_bpfdesc, 1); 293 SLOT(label) = EXMAGIC; 294 } else if (SLOT(label) == EXMAGIC) { 295 Debugger("mac_test_destroy_bpfdesc: dup destroy"); 296 } else { 297 Debugger("mac_test_destroy_bpfdesc: corrupted label"); 298 } 299} 300 301static void 302mac_test_destroy_cred(struct ucred ucred, struct label label) 303{ 304 305 if (SLOT(label) == CREDMAGIC \|\| SLOT(label) == 0) { 306 atomic_add_int(&destroy_count_cred, 1); 307 SLOT(label) = EXMAGIC; 308 } else if (SLOT(label) == EXMAGIC) { 309 Debugger("mac_test_destroy_cred: dup destroy"); 310 } else { 311 Debugger("mac_test_destroy_cred: corrupted label"); 312 } 313} 314 315static void 316mac_test_destroy_devfsdirent(struct devfs_dirent devfs_dirent, 317* struct label label) 318{ 319* 320 if (SLOT(label) == DEVFSMAGIC \|\| SLOT(label) == 0) { 321 atomic_add_int(&destroy_count_devfsdirent, 1); 322 SLOT(label) = EXMAGIC; 323 } else if (SLOT(label) == EXMAGIC) { 324 Debugger("mac_test_destroy_devfsdirent: dup destroy"); 325 } else { 326 Debugger("mac_test_destroy_devfsdirent: corrupted label"); 327 } 328} 329 330static void 331mac_test_destroy_ifnet(struct ifnet ifnet, struct label label) 332{ 333 334 if (SLOT(label) == IFNETMAGIC \|\| SLOT(label) == 0) { 335 atomic_add_int(&destroy_count_ifnet, 1); 336 SLOT(label) = EXMAGIC; 337 } else if (SLOT(label) == EXMAGIC) { 338 Debugger("mac_test_destroy_ifnet: dup destroy"); 339 } else { 340 Debugger("mac_test_destroy_ifnet: corrupted label"); 341 } 342} 343 344static void 345mac_test_destroy_ipq(struct ipq ipq, struct label label) 346{ 347 348 if (SLOT(label) == IPQMAGIC \|\| SLOT(label) == 0) { 349 atomic_add_int(&destroy_count_ipq, 1); 350 SLOT(label) = EXMAGIC; 351 } else if (SLOT(label) == EXMAGIC) { 352 Debugger("mac_test_destroy_ipq: dup destroy"); 353 } else { 354 Debugger("mac_test_destroy_ipq: corrupted label"); 355 } 356} 357 358static void 359mac_test_destroy_mbuf(struct mbuf mbuf, struct label label) 360{ 361 362 if (SLOT(label) == MBUFMAGIC \|\| SLOT(label) == 0) { 363 atomic_add_int(&destroy_count_mbuf, 1); 364 SLOT(label) = EXMAGIC; 365 } else if (SLOT(label) == EXMAGIC) { 366 Debugger("mac_test_destroy_mbuf: dup destroy"); 367 } else { 368 Debugger("mac_test_destroy_mbuf: corrupted label"); 369 } 370} 371 372static void 373mac_test_destroy_mount(struct mount mount, struct label mntlabel, 374 struct label fslabel) 375{ 376* 377 if ((SLOT(mntlabel) == MOUNTMAGIC \|\| SLOT(mntlabel) == 0) && 378 (SLOT(fslabel) == MOUNTMAGIC \|\| SLOT(fslabel) == 0)) { 379 atomic_add_int(&destroy_count_mount, 1); 380 SLOT(mntlabel) = EXMAGIC; 381 SLOT(fslabel) = EXMAGIC; 382 } else if (SLOT(mntlabel) == EXMAGIC \|\| SLOT(fslabel) == EXMAGIC) { 383 Debugger("mac_test_destroy_mount: dup destroy"); 384 } else { 385 Debugger("mac_test_destroy_mount: corrupted label"); 386 } 387} 388 389static void 390mac_test_destroy_socket(struct socket socket, struct label label, 391 struct label peerlabel) 392{ 393* 394 if ((SLOT(label) == SOCKETMAGIC \|\| SLOT(label) == 0) && 395 (SLOT(peerlabel) == SOCKETMAGIC \|\| SLOT(peerlabel) == 0)) { 396 atomic_add_int(&destroy_count_socket, 1); 397 SLOT(label) = EXMAGIC; 398 SLOT(peerlabel) = EXMAGIC; 399 } else if (SLOT(label) == EXMAGIC \|\| SLOT(peerlabel) == EXMAGIC) { 400 Debugger("mac_test_destroy_socket: dup destroy"); 401 } else { 402 Debugger("mac_test_destroy_socket: corrupted label"); 403 } 404} 405static void 406mac_test_destroy_pipe(struct pipe pipe, struct label label) 407{ 408 409 if ((SLOT(label) == PIPEMAGIC \|\| SLOT(label) == 0)) { 410 atomic_add_int(&destroy_count_pipe, 1); 411 SLOT(label) = EXMAGIC; 412 } else if (SLOT(label) == EXMAGIC) { 413 Debugger("mac_test_destroy_pipe: dup destroy"); 414 } else { 415 Debugger("mac_test_destroy_pipe: corrupted label"); 416 } 417} 418 419static void 420mac_test_destroy_temp(struct label label) 421{ 422* 423 if (SLOT(label) == TEMPMAGIC \|\| SLOT(label) == 0) { 424 atomic_add_int(&destroy_count_temp, 1); 425 SLOT(label) = EXMAGIC; 426 } else if (SLOT(label) == EXMAGIC) { 427 Debugger("mac_test_destroy_temp: dup destroy"); 428 } else { 429 Debugger("mac_test_destroy_temp: corrupted label"); 430 } 431} 432 433static void 434mac_test_destroy_vnode(struct vnode vp, struct label label) 435{ 436 437 if (SLOT(label) == VNODEMAGIC \|\| SLOT(label) == 0) { 438 atomic_add_int(&destroy_count_vnode, 1); 439 SLOT(label) = EXMAGIC; 440 } else if (SLOT(label) == EXMAGIC) { 441 Debugger("mac_test_destroy_vnode: dup destroy"); 442 } else { 443 Debugger("mac_test_destroy_vnode: corrupted label"); 444 } 445} 446 447static int 448mac_test_externalize(struct label label, struct mac extmac) 449{ 450 451 atomic_add_int(&externalize_count, 1); 452 453 return (0); 454} 455 456static int 457mac_test_internalize(struct label label, struct mac extmac) 458{ 459 460 atomic_add_int(&internalize_count, 1); 461 462 return (0); 463} 464 465/* 466 * Labeling event operations: file system objects, and things that look 467 * a lot like file system objects. 468 / 469static void 470mac_test_create_devfs_device(dev_t dev, struct devfs_dirent devfs_dirent, 471 struct label label) 472{ 473* 474} 475 476static void 477mac_test_create_devfs_directory(char dirname, int dirnamelen, 478* struct devfs_dirent devfs_dirent, struct label label) 479{ 480 481} 482 483static void 484mac_test_create_devfs_vnode(struct devfs_dirent devfs_dirent, 485* struct label direntlabel, struct vnode vp, struct label vnodelabel) 486{ 487* 488} 489 490static void 491mac_test_create_vnode(struct ucred cred, struct vnode parent, 492 struct label parentlabel, struct vnode child, struct label childlabel) 493{ 494* 495} 496 497static void 498mac_test_create_mount(struct ucred cred, struct mount mp, 499 struct label mntlabel, struct label fslabel) 500{ 501 502} 503 504static void 505mac_test_create_root_mount(struct ucred cred, struct mount mp, 506 struct label mntlabel, struct label fslabel) 507{ 508 509} 510 511static void 512mac_test_relabel_vnode(struct ucred cred, struct vnode vp, 513 struct label vnodelabel, struct label label) 514{ 515 516} 517 518static void 519mac_test_update_devfsdirent(struct devfs_dirent devfs_dirent, 520* struct vnode vp) 521{ 522* 523} 524 525static void 526mac_test_update_procfsvnode(struct vnode vp, struct label vnodelabel, 527 struct ucred cred) 528{ 529* 530} 531 532static int 533mac_test_update_vnode_from_externalized(struct vnode vp, 534* struct label vnodelabel, struct mac extmac) 535{ 536 537 return (0); 538} 539 540static void 541mac_test_update_vnode_from_mount(struct vnode vp, struct label vnodelabel, 542 struct mount mp, struct label fslabel) 543{ 544 545} 546 547/* 548 * Labeling event operations: IPC object. 549 / 550static void 551mac_test_create_mbuf_from_socket(struct socket so, struct label socketlabel, 552* struct mbuf m, struct label mbuflabel) 553{ 554 555} 556 557static void 558mac_test_create_socket(struct ucred cred, struct socket socket, 559 struct label socketlabel) 560{ 561* 562} 563 564static void 565mac_test_create_pipe(struct ucred cred, struct pipe pipe, 566 struct label pipelabel) 567{ 568* 569} 570 571static void 572mac_test_create_socket_from_socket(struct socket oldsocket, 573* struct label oldsocketlabel, struct socket newsocket, 574 struct label newsocketlabel) 575{ 576* 577} 578 579static void 580mac_test_relabel_socket(struct ucred cred, struct socket socket, 581 struct label socketlabel, struct label newlabel) 582{ 583 584} 585 586static void 587mac_test_relabel_pipe(struct ucred cred, struct pipe pipe, 588 struct label pipelabel, struct label newlabel) 589{ 590 591} 592 593static void 594mac_test_set_socket_peer_from_mbuf(struct mbuf mbuf, struct label mbuflabel, 595 struct socket socket, struct label socketpeerlabel) 596{ 597 598} 599 600/* 601 * Labeling event operations: network objects. 602 / 603static void 604mac_test_set_socket_peer_from_socket(struct socket oldsocket, 605 struct label oldsocketlabel, struct socket newsocket, 606 struct label newsocketpeerlabel) 607{ 608* 609} 610 611static void 612mac_test_create_bpfdesc(struct ucred cred, struct bpf_d bpf_d, 613 struct label bpflabel) 614{ 615* 616} 617 618static void 619mac_test_create_datagram_from_ipq(struct ipq ipq, struct label ipqlabel, 620 struct mbuf datagram, struct label datagramlabel) 621{ 622 623} 624 625static void 626mac_test_create_fragment(struct mbuf datagram, struct label datagramlabel, 627 struct mbuf fragment, struct label fragmentlabel) 628{ 629 630} 631 632static void 633mac_test_create_ifnet(struct ifnet ifnet, struct label ifnetlabel) 634{ 635 636} 637 638static void 639mac_test_create_ipq(struct mbuf fragment, struct label fragmentlabel, 640 struct ipq ipq, struct label ipqlabel) 641{ 642 643} 644 645static void 646mac_test_create_mbuf_from_mbuf(struct mbuf oldmbuf, 647* struct label oldmbuflabel, struct mbuf newmbuf, 648 struct label newmbuflabel) 649{ 650* 651} 652 653static void 654mac_test_create_mbuf_linklayer(struct ifnet ifnet, struct label ifnetlabel, 655 struct mbuf mbuf, struct label mbuflabel) 656{ 657 658} 659 660static void 661mac_test_create_mbuf_from_bpfdesc(struct bpf_d bpf_d, struct label bpflabel, 662 struct mbuf mbuf, struct label mbuflabel) 663{ 664 665} 666 667static void 668mac_test_create_mbuf_from_ifnet(struct ifnet ifnet, struct label ifnetlabel, 669 struct mbuf m, struct label mbuflabel) 670{ 671 672} 673 674static void 675mac_test_create_mbuf_multicast_encap(struct mbuf oldmbuf, 676* struct label oldmbuflabel, struct ifnet ifnet, struct label ifnetlabel, 677* struct mbuf newmbuf, struct label newmbuflabel) 678{ 679 680} 681 682static void 683mac_test_create_mbuf_netlayer(struct mbuf oldmbuf, 684* struct label oldmbuflabel, struct mbuf newmbuf, 685 struct label newmbuflabel) 686{ 687* 688} 689 690static int 691mac_test_fragment_match(struct mbuf fragment, struct label fragmentlabel, 692 struct ipq ipq, struct label ipqlabel) 693{ 694 695 return (1); 696} 697 698static void 699mac_test_relabel_ifnet(struct ucred cred, struct ifnet ifnet, 700 struct label ifnetlabel, struct label newlabel) 701{ 702 703} 704 705static void 706mac_test_update_ipq(struct mbuf fragment, struct label fragmentlabel, 707 struct ipq ipq, struct label ipqlabel) 708{ 709 710} 711 712/* 713 * Labeling event operations: processes. 714 / 715static void 716mac_test_create_cred(struct ucred cred_parent, struct ucred cred_child) 717{ 718* 719} 720 721static void 722mac_test_execve_transition(struct ucred old, struct ucred new, 723 struct vnode vp, struct label filelabel) 724{ 725 726} 727 728static int 729mac_test_execve_will_transition(struct ucred old, struct vnode vp, 730 struct label filelabel) 731{ 732* 733 return (0); 734} 735 736static void 737mac_test_create_proc0(struct ucred cred) 738{ 739* 740} 741 742static void 743mac_test_create_proc1(struct ucred cred) 744{ 745* 746} 747 748static void 749mac_test_relabel_cred(struct ucred cred, struct label newlabel) 750{ 751 752} 753 754/* 755 * Access control checks. 756 / 757static int 758mac_test_check_bpfdesc_receive(struct bpf_d bpf_d, struct label bpflabel, 759* struct ifnet ifnet, struct label ifnetlabel) 760{ 761 762 return (0); 763} 764 765static int 766mac_test_check_cred_relabel(struct ucred cred, struct label newlabel) 767{ 768 769 return (0); 770} 771 772static int 773mac_test_check_cred_visible(struct ucred u1, struct ucred u2) 774{ 775 776 return (0); 777} 778 779static int 780mac_test_check_ifnet_relabel(struct ucred cred, struct ifnet ifnet, 781 struct label ifnetlabel, struct label newlabel) 782{ 783 784 return (0); 785} 786 787static int 788mac_test_check_ifnet_transmit(struct ifnet ifnet, struct label ifnetlabel, 789 struct mbuf m, struct label mbuflabel) 790{ 791 792 return (0); 793} 794 795static int 796mac_test_check_mount_stat(struct ucred cred, struct mount mp, 797 struct label mntlabel) 798{ 799* 800 return (0); 801} 802 803static int 804mac_test_check_pipe_ioctl(struct ucred cred, struct pipe pipe, 805 struct label pipelabel, unsigned long cmd, void / caddr_t / data) 806{ 807 808 return (0); 809} 810 811static int 812mac_test_check_pipe_op(struct ucred cred, struct pipe pipe, 813 struct label pipelabel, int op) 814{ 815* 816 return (0); 817} 818 819static int 820mac_test_check_pipe_relabel(struct ucred cred, struct pipe pipe, 821 struct label pipelabel, struct label newlabel) 822{ 823 824 return (0); 825} 826 827static int 828mac_test_check_proc_debug(struct ucred cred, struct proc proc) 829{ 830 831 return (0); 832} 833 834static int 835mac_test_check_proc_sched(struct ucred cred, struct proc proc) 836{ 837 838 return (0); 839} 840 841static int 842mac_test_check_proc_signal(struct ucred cred, struct proc proc) 843{ 844 845 return (0); 846} 847 848static int 849mac_test_check_socket_bind(struct ucred cred, struct socket socket, 850 struct label socketlabel, struct sockaddr sockaddr) 851{ 852 853 return (0); 854} 855 856static int 857mac_test_check_socket_connect(struct ucred cred, struct socket socket, 858 struct label socketlabel, struct sockaddr sockaddr) 859{ 860 861 return (0); 862} 863 864static int 865mac_test_check_socket_deliver(struct socket socket, struct label socketlabel, 866 struct mbuf m, struct label mbuflabel) 867{ 868 869 return (0); 870} 871 872static int 873mac_test_check_socket_listen(struct ucred cred, struct socket socket, 874 struct label socketlabel, struct sockaddr sockaddr) 875{ 876 877 return (0); 878} 879 880static int 881mac_test_check_socket_visible(struct ucred cred, struct socket socket, 882 struct label socketlabel) 883{ 884* 885 return (0); 886} 887 888static int 889mac_test_check_socket_relabel(struct ucred cred, struct socket socket, 890 struct label socketlabel, struct label newlabel) 891{ 892 893 return (0); 894} 895 896static int 897mac_test_check_vnode_access(struct ucred cred, struct vnode vp, 898 struct label label, mode_t flags) 899{ 900* 901 return (0); 902} 903 904static int 905mac_test_check_vnode_chdir(struct ucred cred, struct vnode dvp, 906 struct label dlabel) 907{ 908* 909 return (0); 910} 911 912static int 913mac_test_check_vnode_chroot(struct ucred cred, struct vnode dvp, 914 struct label dlabel) 915{ 916* 917 return (0); 918} 919 920static int 921mac_test_check_vnode_create(struct ucred cred, struct vnode dvp, 922 struct label dlabel, struct componentname cnp, struct vattr vap) 923{ 924* 925 return (0); 926} 927 928static int 929mac_test_check_vnode_delete(struct ucred cred, struct vnode dvp, 930 struct label dlabel, struct vnode vp, struct label label, 931* struct componentname cnp) 932{ 933* 934 return (0); 935} 936 937static int 938mac_test_check_vnode_deleteacl(struct ucred cred, struct vnode vp, 939 struct label label, acl_type_t type) 940{ 941* 942 return (0); 943} 944 945static int 946mac_test_check_vnode_exec(struct ucred cred, struct vnode vp, 947 struct label label) 948{ 949* 950 return (0); 951} 952 953static int 954mac_test_check_vnode_getacl(struct ucred cred, struct vnode vp, 955 struct label label, acl_type_t type) 956{ 957* 958 return (0); 959} 960 961static int 962mac_test_check_vnode_getextattr(struct ucred cred, struct vnode vp, 963 struct label label, int attrnamespace, const char name, struct uio uio) 964{ 965* 966 return (0); 967} 968 969static int 970mac_test_check_vnode_lookup(struct ucred cred, struct vnode dvp, 971 struct label dlabel, struct componentname cnp) 972{ 973 974 return (0); 975} 976 977static int 978mac_test_check_vnode_open(struct ucred cred, struct vnode vp, 979 struct label filelabel, mode_t acc_mode) 980{ 981* 982 return (0); 983} 984 985static int	38 / 39 40/ 41 * Developed by the TrustedBSD Project. 42 * Generic mandatory access module that does nothing. 43 / 44 45#include <sys/types.h> 46#include <sys/param.h> 47#include <sys/acl.h> 48#include <sys/conf.h> 49#include <sys/kernel.h> 50#include <sys/mac.h> 51#include <sys/mount.h> 52#include <sys/proc.h> 53#include <sys/systm.h> 54#include <sys/sysproto.h> 55#include <sys/sysent.h> 56#include <sys/vnode.h> 57#include <sys/file.h> 58#include <sys/socket.h> 59#include <sys/socketvar.h> 60#include <sys/sysctl.h> 61 62#include <fs/devfs/devfs.h> 63 64#include <net/bpfdesc.h> 65#include <net/if.h> 66#include <net/if_types.h> 67#include <net/if_var.h> 68 69#include <vm/vm.h> 70 71#include <sys/mac_policy.h> 72 73SYSCTL_DECL(_security_mac); 74 75SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0, 76 "TrustedBSD mac_test policy controls"); 77 78static int mac_test_enabled = 0; 79SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW, 80 &mac_test_enabled, 0, "Enforce test policy"); 81 82#define BPFMAGIC 0xfe1ad1b6 83#define DEVFSMAGIC 0x9ee79c32 84#define IFNETMAGIC 0xc218b120 85#define IPQMAGIC 0x206188ef 86#define MBUFMAGIC 0xbbefa5bb 87#define MOUNTMAGIC 0xc7c46e47 88#define SOCKETMAGIC 0x9199c6cd 89#define PIPEMAGIC 0xdc6c9919 90#define CREDMAGIC 0x9a5a4987 91#define TEMPMAGIC 0x70336678 92#define VNODEMAGIC 0x1a67a45c 93#define EXMAGIC 0x849ba1fd 94 95#define SLOT(x) LABEL_TO_SLOT((x), test_slot).l_long 96static int test_slot; 97SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD, 98 &test_slot, 0, "Slot allocated by framework"); 99 100static int init_count_bpfdesc; 101SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD, 102* &init_count_bpfdesc, 0, "bpfdesc init calls"); 103static int init_count_cred; 104SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD, 105 &init_count_cred, 0, "cred init calls"); 106static int init_count_devfsdirent; 107SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD, 108 &init_count_devfsdirent, 0, "devfsdirent init calls"); 109static int init_count_ifnet; 110SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD, 111 &init_count_ifnet, 0, "ifnet init calls"); 112static int init_count_ipq; 113SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD, 114 &init_count_ipq, 0, "ipq init calls"); 115static int init_count_mbuf; 116SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD, 117 &init_count_mbuf, 0, "mbuf init calls"); 118static int init_count_mount; 119SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD, 120 &init_count_mount, 0, "mount init calls"); 121static int init_count_socket; 122SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD, 123 &init_count_socket, 0, "socket init calls"); 124static int init_count_pipe; 125SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD, 126 &init_count_pipe, 0, "pipe init calls"); 127static int init_count_temp; 128SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_temp, CTLFLAG_RD, 129 &init_count_temp, 0, "temp init calls"); 130static int init_count_vnode; 131SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD, 132 &init_count_vnode, 0, "vnode init calls"); 133 134static int destroy_count_bpfdesc; 135SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD, 136 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls"); 137static int destroy_count_cred; 138SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD, 139 &destroy_count_cred, 0, "cred destroy calls"); 140static int destroy_count_devfsdirent; 141SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD, 142 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls"); 143static int destroy_count_ifnet; 144SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD, 145 &destroy_count_ifnet, 0, "ifnet destroy calls"); 146static int destroy_count_ipq; 147SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD, 148 &destroy_count_ipq, 0, "ipq destroy calls"); 149static int destroy_count_mbuf; 150SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD, 151 &destroy_count_mbuf, 0, "mbuf destroy calls"); 152static int destroy_count_mount; 153SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD, 154 &destroy_count_mount, 0, "mount destroy calls"); 155static int destroy_count_socket; 156SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD, 157 &destroy_count_socket, 0, "socket destroy calls"); 158static int destroy_count_pipe; 159SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD, 160 &destroy_count_pipe, 0, "pipe destroy calls"); 161static int destroy_count_temp; 162SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_temp, CTLFLAG_RD, 163 &destroy_count_temp, 0, "temp destroy calls"); 164static int destroy_count_vnode; 165SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD, 166 &destroy_count_vnode, 0, "vnode destroy calls"); 167 168static int externalize_count; 169SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD, 170 &externalize_count, 0, "Subject/object externalize calls"); 171static int internalize_count; 172SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD, 173 &internalize_count, 0, "Subject/object internalize calls"); 174 175/* 176 * Policy module operations. 177 / 178static void 179mac_test_destroy(struct mac_policy_conf conf) 180{ 181 182} 183 184static void 185mac_test_init(struct mac_policy_conf conf) 186{ 187* 188} 189 190/* 191 * Label operations. 192 / 193static void 194mac_test_init_bpfdesc(struct bpf_d bpf_d, struct label label) 195{ 196* 197 SLOT(label) = BPFMAGIC; 198 atomic_add_int(&init_count_bpfdesc, 1); 199} 200 201static void 202mac_test_init_cred(struct ucred ucred, struct label label) 203{ 204 205 SLOT(label) = CREDMAGIC; 206 atomic_add_int(&init_count_cred, 1); 207} 208 209static void 210mac_test_init_devfsdirent(struct devfs_dirent devfs_dirent, 211* struct label label) 212{ 213* 214 SLOT(label) = DEVFSMAGIC; 215 atomic_add_int(&init_count_devfsdirent, 1); 216} 217 218static void 219mac_test_init_ifnet(struct ifnet ifnet, struct label label) 220{ 221 222 SLOT(label) = IFNETMAGIC; 223 atomic_add_int(&init_count_ifnet, 1); 224} 225 226static void 227mac_test_init_ipq(struct ipq ipq, struct label label) 228{ 229 230 SLOT(label) = IPQMAGIC; 231 atomic_add_int(&init_count_ipq, 1); 232} 233 234static int 235mac_test_init_mbuf(struct mbuf mbuf, int how, struct label label) 236{ 237 238 SLOT(label) = MBUFMAGIC; 239 atomic_add_int(&init_count_mbuf, 1); 240 return (0); 241} 242 243static void 244mac_test_init_mount(struct mount mount, struct label mntlabel, 245 struct label fslabel) 246{ 247* 248 SLOT(mntlabel) = MOUNTMAGIC; 249 SLOT(fslabel) = MOUNTMAGIC; 250 atomic_add_int(&init_count_mount, 1); 251} 252 253static void 254mac_test_init_socket(struct socket socket, struct label label, 255 struct label peerlabel) 256{ 257* 258 SLOT(label) = SOCKETMAGIC; 259 SLOT(peerlabel) = SOCKETMAGIC; 260 atomic_add_int(&init_count_socket, 1); 261} 262 263static void 264mac_test_init_pipe(struct pipe pipe, struct label label) 265{ 266 267 SLOT(label) = PIPEMAGIC; 268 atomic_add_int(&init_count_pipe, 1); 269} 270 271static void 272mac_test_init_temp(struct label label) 273{ 274* 275 SLOT(label) = TEMPMAGIC; 276 atomic_add_int(&init_count_temp, 1); 277} 278 279static void 280mac_test_init_vnode(struct vnode vp, struct label label) 281{ 282 283 SLOT(label) = VNODEMAGIC; 284 atomic_add_int(&init_count_vnode, 1); 285} 286 287static void 288mac_test_destroy_bpfdesc(struct bpf_d bpf_d, struct label label) 289{ 290 291 if (SLOT(label) == BPFMAGIC \|\| SLOT(label) == 0) { 292 atomic_add_int(&destroy_count_bpfdesc, 1); 293 SLOT(label) = EXMAGIC; 294 } else if (SLOT(label) == EXMAGIC) { 295 Debugger("mac_test_destroy_bpfdesc: dup destroy"); 296 } else { 297 Debugger("mac_test_destroy_bpfdesc: corrupted label"); 298 } 299} 300 301static void 302mac_test_destroy_cred(struct ucred ucred, struct label label) 303{ 304 305 if (SLOT(label) == CREDMAGIC \|\| SLOT(label) == 0) { 306 atomic_add_int(&destroy_count_cred, 1); 307 SLOT(label) = EXMAGIC; 308 } else if (SLOT(label) == EXMAGIC) { 309 Debugger("mac_test_destroy_cred: dup destroy"); 310 } else { 311 Debugger("mac_test_destroy_cred: corrupted label"); 312 } 313} 314 315static void 316mac_test_destroy_devfsdirent(struct devfs_dirent devfs_dirent, 317* struct label label) 318{ 319* 320 if (SLOT(label) == DEVFSMAGIC \|\| SLOT(label) == 0) { 321 atomic_add_int(&destroy_count_devfsdirent, 1); 322 SLOT(label) = EXMAGIC; 323 } else if (SLOT(label) == EXMAGIC) { 324 Debugger("mac_test_destroy_devfsdirent: dup destroy"); 325 } else { 326 Debugger("mac_test_destroy_devfsdirent: corrupted label"); 327 } 328} 329 330static void 331mac_test_destroy_ifnet(struct ifnet ifnet, struct label label) 332{ 333 334 if (SLOT(label) == IFNETMAGIC \|\| SLOT(label) == 0) { 335 atomic_add_int(&destroy_count_ifnet, 1); 336 SLOT(label) = EXMAGIC; 337 } else if (SLOT(label) == EXMAGIC) { 338 Debugger("mac_test_destroy_ifnet: dup destroy"); 339 } else { 340 Debugger("mac_test_destroy_ifnet: corrupted label"); 341 } 342} 343 344static void 345mac_test_destroy_ipq(struct ipq ipq, struct label label) 346{ 347 348 if (SLOT(label) == IPQMAGIC \|\| SLOT(label) == 0) { 349 atomic_add_int(&destroy_count_ipq, 1); 350 SLOT(label) = EXMAGIC; 351 } else if (SLOT(label) == EXMAGIC) { 352 Debugger("mac_test_destroy_ipq: dup destroy"); 353 } else { 354 Debugger("mac_test_destroy_ipq: corrupted label"); 355 } 356} 357 358static void 359mac_test_destroy_mbuf(struct mbuf mbuf, struct label label) 360{ 361 362 if (SLOT(label) == MBUFMAGIC \|\| SLOT(label) == 0) { 363 atomic_add_int(&destroy_count_mbuf, 1); 364 SLOT(label) = EXMAGIC; 365 } else if (SLOT(label) == EXMAGIC) { 366 Debugger("mac_test_destroy_mbuf: dup destroy"); 367 } else { 368 Debugger("mac_test_destroy_mbuf: corrupted label"); 369 } 370} 371 372static void 373mac_test_destroy_mount(struct mount mount, struct label mntlabel, 374 struct label fslabel) 375{ 376* 377 if ((SLOT(mntlabel) == MOUNTMAGIC \|\| SLOT(mntlabel) == 0) && 378 (SLOT(fslabel) == MOUNTMAGIC \|\| SLOT(fslabel) == 0)) { 379 atomic_add_int(&destroy_count_mount, 1); 380 SLOT(mntlabel) = EXMAGIC; 381 SLOT(fslabel) = EXMAGIC; 382 } else if (SLOT(mntlabel) == EXMAGIC \|\| SLOT(fslabel) == EXMAGIC) { 383 Debugger("mac_test_destroy_mount: dup destroy"); 384 } else { 385 Debugger("mac_test_destroy_mount: corrupted label"); 386 } 387} 388 389static void 390mac_test_destroy_socket(struct socket socket, struct label label, 391 struct label peerlabel) 392{ 393* 394 if ((SLOT(label) == SOCKETMAGIC \|\| SLOT(label) == 0) && 395 (SLOT(peerlabel) == SOCKETMAGIC \|\| SLOT(peerlabel) == 0)) { 396 atomic_add_int(&destroy_count_socket, 1); 397 SLOT(label) = EXMAGIC; 398 SLOT(peerlabel) = EXMAGIC; 399 } else if (SLOT(label) == EXMAGIC \|\| SLOT(peerlabel) == EXMAGIC) { 400 Debugger("mac_test_destroy_socket: dup destroy"); 401 } else { 402 Debugger("mac_test_destroy_socket: corrupted label"); 403 } 404} 405static void 406mac_test_destroy_pipe(struct pipe pipe, struct label label) 407{ 408 409 if ((SLOT(label) == PIPEMAGIC \|\| SLOT(label) == 0)) { 410 atomic_add_int(&destroy_count_pipe, 1); 411 SLOT(label) = EXMAGIC; 412 } else if (SLOT(label) == EXMAGIC) { 413 Debugger("mac_test_destroy_pipe: dup destroy"); 414 } else { 415 Debugger("mac_test_destroy_pipe: corrupted label"); 416 } 417} 418 419static void 420mac_test_destroy_temp(struct label label) 421{ 422* 423 if (SLOT(label) == TEMPMAGIC \|\| SLOT(label) == 0) { 424 atomic_add_int(&destroy_count_temp, 1); 425 SLOT(label) = EXMAGIC; 426 } else if (SLOT(label) == EXMAGIC) { 427 Debugger("mac_test_destroy_temp: dup destroy"); 428 } else { 429 Debugger("mac_test_destroy_temp: corrupted label"); 430 } 431} 432 433static void 434mac_test_destroy_vnode(struct vnode vp, struct label label) 435{ 436 437 if (SLOT(label) == VNODEMAGIC \|\| SLOT(label) == 0) { 438 atomic_add_int(&destroy_count_vnode, 1); 439 SLOT(label) = EXMAGIC; 440 } else if (SLOT(label) == EXMAGIC) { 441 Debugger("mac_test_destroy_vnode: dup destroy"); 442 } else { 443 Debugger("mac_test_destroy_vnode: corrupted label"); 444 } 445} 446 447static int 448mac_test_externalize(struct label label, struct mac extmac) 449{ 450 451 atomic_add_int(&externalize_count, 1); 452 453 return (0); 454} 455 456static int 457mac_test_internalize(struct label label, struct mac extmac) 458{ 459 460 atomic_add_int(&internalize_count, 1); 461 462 return (0); 463} 464 465/* 466 * Labeling event operations: file system objects, and things that look 467 * a lot like file system objects. 468 / 469static void 470mac_test_create_devfs_device(dev_t dev, struct devfs_dirent devfs_dirent, 471 struct label label) 472{ 473* 474} 475 476static void 477mac_test_create_devfs_directory(char dirname, int dirnamelen, 478* struct devfs_dirent devfs_dirent, struct label label) 479{ 480 481} 482 483static void 484mac_test_create_devfs_vnode(struct devfs_dirent devfs_dirent, 485* struct label direntlabel, struct vnode vp, struct label vnodelabel) 486{ 487* 488} 489 490static void 491mac_test_create_vnode(struct ucred cred, struct vnode parent, 492 struct label parentlabel, struct vnode child, struct label childlabel) 493{ 494* 495} 496 497static void 498mac_test_create_mount(struct ucred cred, struct mount mp, 499 struct label mntlabel, struct label fslabel) 500{ 501 502} 503 504static void 505mac_test_create_root_mount(struct ucred cred, struct mount mp, 506 struct label mntlabel, struct label fslabel) 507{ 508 509} 510 511static void 512mac_test_relabel_vnode(struct ucred cred, struct vnode vp, 513 struct label vnodelabel, struct label label) 514{ 515 516} 517 518static void 519mac_test_update_devfsdirent(struct devfs_dirent devfs_dirent, 520* struct vnode vp) 521{ 522* 523} 524 525static void 526mac_test_update_procfsvnode(struct vnode vp, struct label vnodelabel, 527 struct ucred cred) 528{ 529* 530} 531 532static int 533mac_test_update_vnode_from_externalized(struct vnode vp, 534* struct label vnodelabel, struct mac extmac) 535{ 536 537 return (0); 538} 539 540static void 541mac_test_update_vnode_from_mount(struct vnode vp, struct label vnodelabel, 542 struct mount mp, struct label fslabel) 543{ 544 545} 546 547/* 548 * Labeling event operations: IPC object. 549 / 550static void 551mac_test_create_mbuf_from_socket(struct socket so, struct label socketlabel, 552* struct mbuf m, struct label mbuflabel) 553{ 554 555} 556 557static void 558mac_test_create_socket(struct ucred cred, struct socket socket, 559 struct label socketlabel) 560{ 561* 562} 563 564static void 565mac_test_create_pipe(struct ucred cred, struct pipe pipe, 566 struct label pipelabel) 567{ 568* 569} 570 571static void 572mac_test_create_socket_from_socket(struct socket oldsocket, 573* struct label oldsocketlabel, struct socket newsocket, 574 struct label newsocketlabel) 575{ 576* 577} 578 579static void 580mac_test_relabel_socket(struct ucred cred, struct socket socket, 581 struct label socketlabel, struct label newlabel) 582{ 583 584} 585 586static void 587mac_test_relabel_pipe(struct ucred cred, struct pipe pipe, 588 struct label pipelabel, struct label newlabel) 589{ 590 591} 592 593static void 594mac_test_set_socket_peer_from_mbuf(struct mbuf mbuf, struct label mbuflabel, 595 struct socket socket, struct label socketpeerlabel) 596{ 597 598} 599 600/* 601 * Labeling event operations: network objects. 602 / 603static void 604mac_test_set_socket_peer_from_socket(struct socket oldsocket, 605 struct label oldsocketlabel, struct socket newsocket, 606 struct label newsocketpeerlabel) 607{ 608* 609} 610 611static void 612mac_test_create_bpfdesc(struct ucred cred, struct bpf_d bpf_d, 613 struct label bpflabel) 614{ 615* 616} 617 618static void 619mac_test_create_datagram_from_ipq(struct ipq ipq, struct label ipqlabel, 620 struct mbuf datagram, struct label datagramlabel) 621{ 622 623} 624 625static void 626mac_test_create_fragment(struct mbuf datagram, struct label datagramlabel, 627 struct mbuf fragment, struct label fragmentlabel) 628{ 629 630} 631 632static void 633mac_test_create_ifnet(struct ifnet ifnet, struct label ifnetlabel) 634{ 635 636} 637 638static void 639mac_test_create_ipq(struct mbuf fragment, struct label fragmentlabel, 640 struct ipq ipq, struct label ipqlabel) 641{ 642 643} 644 645static void 646mac_test_create_mbuf_from_mbuf(struct mbuf oldmbuf, 647* struct label oldmbuflabel, struct mbuf newmbuf, 648 struct label newmbuflabel) 649{ 650* 651} 652 653static void 654mac_test_create_mbuf_linklayer(struct ifnet ifnet, struct label ifnetlabel, 655 struct mbuf mbuf, struct label mbuflabel) 656{ 657 658} 659 660static void 661mac_test_create_mbuf_from_bpfdesc(struct bpf_d bpf_d, struct label bpflabel, 662 struct mbuf mbuf, struct label mbuflabel) 663{ 664 665} 666 667static void 668mac_test_create_mbuf_from_ifnet(struct ifnet ifnet, struct label ifnetlabel, 669 struct mbuf m, struct label mbuflabel) 670{ 671 672} 673 674static void 675mac_test_create_mbuf_multicast_encap(struct mbuf oldmbuf, 676* struct label oldmbuflabel, struct ifnet ifnet, struct label ifnetlabel, 677* struct mbuf newmbuf, struct label newmbuflabel) 678{ 679 680} 681 682static void 683mac_test_create_mbuf_netlayer(struct mbuf oldmbuf, 684* struct label oldmbuflabel, struct mbuf newmbuf, 685 struct label newmbuflabel) 686{ 687* 688} 689 690static int 691mac_test_fragment_match(struct mbuf fragment, struct label fragmentlabel, 692 struct ipq ipq, struct label ipqlabel) 693{ 694 695 return (1); 696} 697 698static void 699mac_test_relabel_ifnet(struct ucred cred, struct ifnet ifnet, 700 struct label ifnetlabel, struct label newlabel) 701{ 702 703} 704 705static void 706mac_test_update_ipq(struct mbuf fragment, struct label fragmentlabel, 707 struct ipq ipq, struct label ipqlabel) 708{ 709 710} 711 712/* 713 * Labeling event operations: processes. 714 / 715static void 716mac_test_create_cred(struct ucred cred_parent, struct ucred cred_child) 717{ 718* 719} 720 721static void 722mac_test_execve_transition(struct ucred old, struct ucred new, 723 struct vnode vp, struct label filelabel) 724{ 725 726} 727 728static int 729mac_test_execve_will_transition(struct ucred old, struct vnode vp, 730 struct label filelabel) 731{ 732* 733 return (0); 734} 735 736static void 737mac_test_create_proc0(struct ucred cred) 738{ 739* 740} 741 742static void 743mac_test_create_proc1(struct ucred cred) 744{ 745* 746} 747 748static void 749mac_test_relabel_cred(struct ucred cred, struct label newlabel) 750{ 751 752} 753 754/* 755 * Access control checks. 756 / 757static int 758mac_test_check_bpfdesc_receive(struct bpf_d bpf_d, struct label bpflabel, 759* struct ifnet ifnet, struct label ifnetlabel) 760{ 761 762 return (0); 763} 764 765static int 766mac_test_check_cred_relabel(struct ucred cred, struct label newlabel) 767{ 768 769 return (0); 770} 771 772static int 773mac_test_check_cred_visible(struct ucred u1, struct ucred u2) 774{ 775 776 return (0); 777} 778 779static int 780mac_test_check_ifnet_relabel(struct ucred cred, struct ifnet ifnet, 781 struct label ifnetlabel, struct label newlabel) 782{ 783 784 return (0); 785} 786 787static int 788mac_test_check_ifnet_transmit(struct ifnet ifnet, struct label ifnetlabel, 789 struct mbuf m, struct label mbuflabel) 790{ 791 792 return (0); 793} 794 795static int 796mac_test_check_mount_stat(struct ucred cred, struct mount mp, 797 struct label mntlabel) 798{ 799* 800 return (0); 801} 802 803static int 804mac_test_check_pipe_ioctl(struct ucred cred, struct pipe pipe, 805 struct label pipelabel, unsigned long cmd, void / caddr_t / data) 806{ 807 808 return (0); 809} 810 811static int 812mac_test_check_pipe_op(struct ucred cred, struct pipe pipe, 813 struct label pipelabel, int op) 814{ 815* 816 return (0); 817} 818 819static int 820mac_test_check_pipe_relabel(struct ucred cred, struct pipe pipe, 821 struct label pipelabel, struct label newlabel) 822{ 823 824 return (0); 825} 826 827static int 828mac_test_check_proc_debug(struct ucred cred, struct proc proc) 829{ 830 831 return (0); 832} 833 834static int 835mac_test_check_proc_sched(struct ucred cred, struct proc proc) 836{ 837 838 return (0); 839} 840 841static int 842mac_test_check_proc_signal(struct ucred cred, struct proc proc) 843{ 844 845 return (0); 846} 847 848static int 849mac_test_check_socket_bind(struct ucred cred, struct socket socket, 850 struct label socketlabel, struct sockaddr sockaddr) 851{ 852 853 return (0); 854} 855 856static int 857mac_test_check_socket_connect(struct ucred cred, struct socket socket, 858 struct label socketlabel, struct sockaddr sockaddr) 859{ 860 861 return (0); 862} 863 864static int 865mac_test_check_socket_deliver(struct socket socket, struct label socketlabel, 866 struct mbuf m, struct label mbuflabel) 867{ 868 869 return (0); 870} 871 872static int 873mac_test_check_socket_listen(struct ucred cred, struct socket socket, 874 struct label socketlabel, struct sockaddr sockaddr) 875{ 876 877 return (0); 878} 879 880static int 881mac_test_check_socket_visible(struct ucred cred, struct socket socket, 882 struct label socketlabel) 883{ 884* 885 return (0); 886} 887 888static int 889mac_test_check_socket_relabel(struct ucred cred, struct socket socket, 890 struct label socketlabel, struct label newlabel) 891{ 892 893 return (0); 894} 895 896static int 897mac_test_check_vnode_access(struct ucred cred, struct vnode vp, 898 struct label label, mode_t flags) 899{ 900* 901 return (0); 902} 903 904static int 905mac_test_check_vnode_chdir(struct ucred cred, struct vnode dvp, 906 struct label dlabel) 907{ 908* 909 return (0); 910} 911 912static int 913mac_test_check_vnode_chroot(struct ucred cred, struct vnode dvp, 914 struct label dlabel) 915{ 916* 917 return (0); 918} 919 920static int 921mac_test_check_vnode_create(struct ucred cred, struct vnode dvp, 922 struct label dlabel, struct componentname cnp, struct vattr vap) 923{ 924* 925 return (0); 926} 927 928static int 929mac_test_check_vnode_delete(struct ucred cred, struct vnode dvp, 930 struct label dlabel, struct vnode vp, struct label label, 931* struct componentname cnp) 932{ 933* 934 return (0); 935} 936 937static int 938mac_test_check_vnode_deleteacl(struct ucred cred, struct vnode vp, 939 struct label label, acl_type_t type) 940{ 941* 942 return (0); 943} 944 945static int 946mac_test_check_vnode_exec(struct ucred cred, struct vnode vp, 947 struct label label) 948{ 949* 950 return (0); 951} 952 953static int 954mac_test_check_vnode_getacl(struct ucred cred, struct vnode vp, 955 struct label label, acl_type_t type) 956{ 957* 958 return (0); 959} 960 961static int 962mac_test_check_vnode_getextattr(struct ucred cred, struct vnode vp, 963 struct label label, int attrnamespace, const char name, struct uio uio) 964{ 965* 966 return (0); 967} 968 969static int 970mac_test_check_vnode_lookup(struct ucred cred, struct vnode dvp, 971 struct label dlabel, struct componentname cnp) 972{ 973 974 return (0); 975} 976 977static int 978mac_test_check_vnode_open(struct ucred cred, struct vnode vp, 979 struct label filelabel, mode_t acc_mode) 980{ 981* 982 return (0); 983} 984 985static int
	986mac_test_check_vnode_poll(struct ucred cred, struct vnode vp, 987 struct label label) 988{ 989* 990 return (0); 991} 992 993static int 994mac_test_check_vnode_read(struct ucred cred, struct vnode vp, 995 struct label label) 996{ 997* 998 return (0); 999} 1000 1001static int
986mac_test_check_vnode_readdir(struct ucred cred, struct vnode dvp, 987 struct label dlabel) 988{ 989* 990 return (0); 991} 992 993static int 994mac_test_check_vnode_readlink(struct ucred cred, struct vnode vp, 995 struct label vnodelabel) 996{ 997* 998 return (0); 999} 1000 1001static int 1002mac_test_check_vnode_relabel(struct ucred cred, struct vnode vp, 1003 struct label vnodelabel, struct label newlabel) 1004{ 1005 1006 return (0); 1007} 1008 1009static int 1010mac_test_check_vnode_rename_from(struct ucred cred, struct vnode dvp, 1011 struct label dlabel, struct vnode vp, struct label label, 1012* struct componentname cnp) 1013{ 1014* 1015 return (0); 1016} 1017 1018static int 1019mac_test_check_vnode_rename_to(struct ucred cred, struct vnode dvp, 1020 struct label dlabel, struct vnode vp, struct label label, int samedir, 1021* struct componentname cnp) 1022{ 1023* 1024 return (0); 1025} 1026 1027static int 1028mac_test_check_vnode_revoke(struct ucred cred, struct vnode vp, 1029 struct label label) 1030{ 1031* 1032 return (0); 1033} 1034 1035static int 1036mac_test_check_vnode_setacl(struct ucred cred, struct vnode vp, 1037 struct label label, acl_type_t type, struct acl acl) 1038{ 1039 1040 return (0); 1041} 1042 1043static int 1044mac_test_check_vnode_setextattr(struct ucred cred, struct vnode vp, 1045 struct label label, int attrnamespace, const char name, struct uio uio) 1046{ 1047* 1048 return (0); 1049} 1050 1051static int 1052mac_test_check_vnode_setflags(struct ucred cred, struct vnode vp, 1053 struct label label, u_long flags) 1054{ 1055* 1056 return (0); 1057} 1058 1059static int 1060mac_test_check_vnode_setmode(struct ucred cred, struct vnode vp, 1061 struct label label, mode_t mode) 1062{ 1063* 1064 return (0); 1065} 1066 1067static int 1068mac_test_check_vnode_setowner(struct ucred cred, struct vnode vp, 1069 struct label label, uid_t uid, gid_t gid) 1070{ 1071* 1072 return (0); 1073} 1074 1075static int 1076mac_test_check_vnode_setutimes(struct ucred cred, struct vnode vp, 1077 struct label label, struct timespec atime, struct timespec mtime) 1078{ 1079* 1080 return (0); 1081} 1082 1083static int 1084mac_test_check_vnode_stat(struct ucred cred, struct vnode vp, 1085 struct label label) 1086{ 1087* 1088 return (0); 1089} 1090	1002mac_test_check_vnode_readdir(struct ucred cred, struct vnode dvp, 1003 struct label dlabel) 1004{ 1005* 1006 return (0); 1007} 1008 1009static int 1010mac_test_check_vnode_readlink(struct ucred cred, struct vnode vp, 1011 struct label vnodelabel) 1012{ 1013* 1014 return (0); 1015} 1016 1017static int 1018mac_test_check_vnode_relabel(struct ucred cred, struct vnode vp, 1019 struct label vnodelabel, struct label newlabel) 1020{ 1021 1022 return (0); 1023} 1024 1025static int 1026mac_test_check_vnode_rename_from(struct ucred cred, struct vnode dvp, 1027 struct label dlabel, struct vnode vp, struct label label, 1028* struct componentname cnp) 1029{ 1030* 1031 return (0); 1032} 1033 1034static int 1035mac_test_check_vnode_rename_to(struct ucred cred, struct vnode dvp, 1036 struct label dlabel, struct vnode vp, struct label label, int samedir, 1037* struct componentname cnp) 1038{ 1039* 1040 return (0); 1041} 1042 1043static int 1044mac_test_check_vnode_revoke(struct ucred cred, struct vnode vp, 1045 struct label label) 1046{ 1047* 1048 return (0); 1049} 1050 1051static int 1052mac_test_check_vnode_setacl(struct ucred cred, struct vnode vp, 1053 struct label label, acl_type_t type, struct acl acl) 1054{ 1055 1056 return (0); 1057} 1058 1059static int 1060mac_test_check_vnode_setextattr(struct ucred cred, struct vnode vp, 1061 struct label label, int attrnamespace, const char name, struct uio uio) 1062{ 1063* 1064 return (0); 1065} 1066 1067static int 1068mac_test_check_vnode_setflags(struct ucred cred, struct vnode vp, 1069 struct label label, u_long flags) 1070{ 1071* 1072 return (0); 1073} 1074 1075static int 1076mac_test_check_vnode_setmode(struct ucred cred, struct vnode vp, 1077 struct label label, mode_t mode) 1078{ 1079* 1080 return (0); 1081} 1082 1083static int 1084mac_test_check_vnode_setowner(struct ucred cred, struct vnode vp, 1085 struct label label, uid_t uid, gid_t gid) 1086{ 1087* 1088 return (0); 1089} 1090 1091static int 1092mac_test_check_vnode_setutimes(struct ucred cred, struct vnode vp, 1093 struct label label, struct timespec atime, struct timespec mtime) 1094{ 1095* 1096 return (0); 1097} 1098 1099static int 1100mac_test_check_vnode_stat(struct ucred cred, struct vnode vp, 1101 struct label label) 1102{ 1103* 1104 return (0); 1105} 1106
	1107static int 1108mac_test_check_vnode_write(struct ucred cred, struct vnode vp, 1109 struct label label) 1110{ 1111* 1112 return (0); 1113} 1114
1091static struct mac_policy_op_entry mac_test_ops[] = 1092{ 1093 { MAC_DESTROY, 1094 (macop_t)mac_test_destroy }, 1095 { MAC_INIT, 1096 (macop_t)mac_test_init }, 1097 { MAC_INIT_BPFDESC, 1098 (macop_t)mac_test_init_bpfdesc }, 1099 { MAC_INIT_CRED, 1100 (macop_t)mac_test_init_cred }, 1101 { MAC_INIT_DEVFSDIRENT, 1102 (macop_t)mac_test_init_devfsdirent }, 1103 { MAC_INIT_IFNET, 1104 (macop_t)mac_test_init_ifnet }, 1105 { MAC_INIT_IPQ, 1106 (macop_t)mac_test_init_ipq }, 1107 { MAC_INIT_MBUF, 1108 (macop_t)mac_test_init_mbuf }, 1109 { MAC_INIT_MOUNT, 1110 (macop_t)mac_test_init_mount }, 1111 { MAC_INIT_PIPE, 1112 (macop_t)mac_test_init_pipe }, 1113 { MAC_INIT_SOCKET, 1114 (macop_t)mac_test_init_socket }, 1115 { MAC_INIT_TEMP, 1116 (macop_t)mac_test_init_temp }, 1117 { MAC_INIT_VNODE, 1118 (macop_t)mac_test_init_vnode }, 1119 { MAC_DESTROY_BPFDESC, 1120 (macop_t)mac_test_destroy_bpfdesc }, 1121 { MAC_DESTROY_CRED, 1122 (macop_t)mac_test_destroy_cred }, 1123 { MAC_DESTROY_DEVFSDIRENT, 1124 (macop_t)mac_test_destroy_devfsdirent }, 1125 { MAC_DESTROY_IFNET, 1126 (macop_t)mac_test_destroy_ifnet }, 1127 { MAC_DESTROY_IPQ, 1128 (macop_t)mac_test_destroy_ipq }, 1129 { MAC_DESTROY_MBUF, 1130 (macop_t)mac_test_destroy_mbuf }, 1131 { MAC_DESTROY_MOUNT, 1132 (macop_t)mac_test_destroy_mount }, 1133 { MAC_DESTROY_PIPE, 1134 (macop_t)mac_test_destroy_pipe }, 1135 { MAC_DESTROY_SOCKET, 1136 (macop_t)mac_test_destroy_socket }, 1137 { MAC_DESTROY_TEMP, 1138 (macop_t)mac_test_destroy_temp }, 1139 { MAC_DESTROY_VNODE, 1140 (macop_t)mac_test_destroy_vnode }, 1141 { MAC_EXTERNALIZE, 1142 (macop_t)mac_test_externalize }, 1143 { MAC_INTERNALIZE, 1144 (macop_t)mac_test_internalize }, 1145 { MAC_CREATE_DEVFS_DEVICE, 1146 (macop_t)mac_test_create_devfs_device }, 1147 { MAC_CREATE_DEVFS_DIRECTORY, 1148 (macop_t)mac_test_create_devfs_directory }, 1149 { MAC_CREATE_DEVFS_VNODE, 1150 (macop_t)mac_test_create_devfs_vnode }, 1151 { MAC_CREATE_VNODE, 1152 (macop_t)mac_test_create_vnode }, 1153 { MAC_CREATE_MOUNT, 1154 (macop_t)mac_test_create_mount }, 1155 { MAC_CREATE_ROOT_MOUNT, 1156 (macop_t)mac_test_create_root_mount }, 1157 { MAC_RELABEL_VNODE, 1158 (macop_t)mac_test_relabel_vnode }, 1159 { MAC_UPDATE_DEVFSDIRENT, 1160 (macop_t)mac_test_update_devfsdirent }, 1161 { MAC_UPDATE_PROCFSVNODE, 1162 (macop_t)mac_test_update_procfsvnode }, 1163 { MAC_UPDATE_VNODE_FROM_EXTERNALIZED, 1164 (macop_t)mac_test_update_vnode_from_externalized }, 1165 { MAC_UPDATE_VNODE_FROM_MOUNT, 1166 (macop_t)mac_test_update_vnode_from_mount }, 1167 { MAC_CREATE_MBUF_FROM_SOCKET, 1168 (macop_t)mac_test_create_mbuf_from_socket }, 1169 { MAC_CREATE_PIPE, 1170 (macop_t)mac_test_create_pipe }, 1171 { MAC_CREATE_SOCKET, 1172 (macop_t)mac_test_create_socket }, 1173 { MAC_CREATE_SOCKET_FROM_SOCKET, 1174 (macop_t)mac_test_create_socket_from_socket }, 1175 { MAC_RELABEL_PIPE, 1176 (macop_t)mac_test_relabel_pipe }, 1177 { MAC_RELABEL_SOCKET, 1178 (macop_t)mac_test_relabel_socket }, 1179 { MAC_SET_SOCKET_PEER_FROM_MBUF, 1180 (macop_t)mac_test_set_socket_peer_from_mbuf }, 1181 { MAC_SET_SOCKET_PEER_FROM_SOCKET, 1182 (macop_t)mac_test_set_socket_peer_from_socket }, 1183 { MAC_CREATE_BPFDESC, 1184 (macop_t)mac_test_create_bpfdesc }, 1185 { MAC_CREATE_IFNET, 1186 (macop_t)mac_test_create_ifnet }, 1187 { MAC_CREATE_DATAGRAM_FROM_IPQ, 1188 (macop_t)mac_test_create_datagram_from_ipq }, 1189 { MAC_CREATE_FRAGMENT, 1190 (macop_t)mac_test_create_fragment }, 1191 { MAC_CREATE_IPQ, 1192 (macop_t)mac_test_create_ipq }, 1193 { MAC_CREATE_MBUF_FROM_MBUF, 1194 (macop_t)mac_test_create_mbuf_from_mbuf }, 1195 { MAC_CREATE_MBUF_LINKLAYER, 1196 (macop_t)mac_test_create_mbuf_linklayer }, 1197 { MAC_CREATE_MBUF_FROM_BPFDESC, 1198 (macop_t)mac_test_create_mbuf_from_bpfdesc }, 1199 { MAC_CREATE_MBUF_FROM_IFNET, 1200 (macop_t)mac_test_create_mbuf_from_ifnet }, 1201 { MAC_CREATE_MBUF_MULTICAST_ENCAP, 1202 (macop_t)mac_test_create_mbuf_multicast_encap }, 1203 { MAC_CREATE_MBUF_NETLAYER, 1204 (macop_t)mac_test_create_mbuf_netlayer }, 1205 { MAC_FRAGMENT_MATCH, 1206 (macop_t)mac_test_fragment_match }, 1207 { MAC_RELABEL_IFNET, 1208 (macop_t)mac_test_relabel_ifnet }, 1209 { MAC_UPDATE_IPQ, 1210 (macop_t)mac_test_update_ipq }, 1211 { MAC_CREATE_CRED, 1212 (macop_t)mac_test_create_cred }, 1213 { MAC_EXECVE_TRANSITION, 1214 (macop_t)mac_test_execve_transition }, 1215 { MAC_EXECVE_WILL_TRANSITION, 1216 (macop_t)mac_test_execve_will_transition }, 1217 { MAC_CREATE_PROC0, 1218 (macop_t)mac_test_create_proc0 }, 1219 { MAC_CREATE_PROC1, 1220 (macop_t)mac_test_create_proc1 }, 1221 { MAC_RELABEL_CRED, 1222 (macop_t)mac_test_relabel_cred }, 1223 { MAC_CHECK_BPFDESC_RECEIVE, 1224 (macop_t)mac_test_check_bpfdesc_receive }, 1225 { MAC_CHECK_CRED_RELABEL, 1226 (macop_t)mac_test_check_cred_relabel }, 1227 { MAC_CHECK_CRED_VISIBLE, 1228 (macop_t)mac_test_check_cred_visible }, 1229 { MAC_CHECK_IFNET_RELABEL, 1230 (macop_t)mac_test_check_ifnet_relabel }, 1231 { MAC_CHECK_IFNET_TRANSMIT, 1232 (macop_t)mac_test_check_ifnet_transmit }, 1233 { MAC_CHECK_MOUNT_STAT, 1234 (macop_t)mac_test_check_mount_stat }, 1235 { MAC_CHECK_PIPE_IOCTL, 1236 (macop_t)mac_test_check_pipe_ioctl }, 1237 { MAC_CHECK_PIPE_OP, 1238 (macop_t)mac_test_check_pipe_op }, 1239 { MAC_CHECK_PIPE_RELABEL, 1240 (macop_t)mac_test_check_pipe_relabel }, 1241 { MAC_CHECK_PROC_DEBUG, 1242 (macop_t)mac_test_check_proc_debug }, 1243 { MAC_CHECK_PROC_SCHED, 1244 (macop_t)mac_test_check_proc_sched }, 1245 { MAC_CHECK_PROC_SIGNAL, 1246 (macop_t)mac_test_check_proc_signal }, 1247 { MAC_CHECK_SOCKET_BIND, 1248 (macop_t)mac_test_check_socket_bind }, 1249 { MAC_CHECK_SOCKET_CONNECT, 1250 (macop_t)mac_test_check_socket_connect }, 1251 { MAC_CHECK_SOCKET_DELIVER, 1252 (macop_t)mac_test_check_socket_deliver }, 1253 { MAC_CHECK_SOCKET_LISTEN, 1254 (macop_t)mac_test_check_socket_listen }, 1255 { MAC_CHECK_SOCKET_RELABEL, 1256 (macop_t)mac_test_check_socket_relabel }, 1257 { MAC_CHECK_SOCKET_VISIBLE, 1258 (macop_t)mac_test_check_socket_visible }, 1259 { MAC_CHECK_VNODE_ACCESS, 1260 (macop_t)mac_test_check_vnode_access }, 1261 { MAC_CHECK_VNODE_CHDIR, 1262 (macop_t)mac_test_check_vnode_chdir }, 1263 { MAC_CHECK_VNODE_CHROOT, 1264 (macop_t)mac_test_check_vnode_chroot }, 1265 { MAC_CHECK_VNODE_CREATE, 1266 (macop_t)mac_test_check_vnode_create }, 1267 { MAC_CHECK_VNODE_DELETE, 1268 (macop_t)mac_test_check_vnode_delete }, 1269 { MAC_CHECK_VNODE_DELETEACL, 1270 (macop_t)mac_test_check_vnode_deleteacl }, 1271 { MAC_CHECK_VNODE_EXEC, 1272 (macop_t)mac_test_check_vnode_exec }, 1273 { MAC_CHECK_VNODE_GETACL, 1274 (macop_t)mac_test_check_vnode_getacl }, 1275 { MAC_CHECK_VNODE_GETEXTATTR, 1276 (macop_t)mac_test_check_vnode_getextattr }, 1277 { MAC_CHECK_VNODE_LOOKUP, 1278 (macop_t)mac_test_check_vnode_lookup }, 1279 { MAC_CHECK_VNODE_OPEN, 1280 (macop_t)mac_test_check_vnode_open },	1115static struct mac_policy_op_entry mac_test_ops[] = 1116{ 1117 { MAC_DESTROY, 1118 (macop_t)mac_test_destroy }, 1119 { MAC_INIT, 1120 (macop_t)mac_test_init }, 1121 { MAC_INIT_BPFDESC, 1122 (macop_t)mac_test_init_bpfdesc }, 1123 { MAC_INIT_CRED, 1124 (macop_t)mac_test_init_cred }, 1125 { MAC_INIT_DEVFSDIRENT, 1126 (macop_t)mac_test_init_devfsdirent }, 1127 { MAC_INIT_IFNET, 1128 (macop_t)mac_test_init_ifnet }, 1129 { MAC_INIT_IPQ, 1130 (macop_t)mac_test_init_ipq }, 1131 { MAC_INIT_MBUF, 1132 (macop_t)mac_test_init_mbuf }, 1133 { MAC_INIT_MOUNT, 1134 (macop_t)mac_test_init_mount }, 1135 { MAC_INIT_PIPE, 1136 (macop_t)mac_test_init_pipe }, 1137 { MAC_INIT_SOCKET, 1138 (macop_t)mac_test_init_socket }, 1139 { MAC_INIT_TEMP, 1140 (macop_t)mac_test_init_temp }, 1141 { MAC_INIT_VNODE, 1142 (macop_t)mac_test_init_vnode }, 1143 { MAC_DESTROY_BPFDESC, 1144 (macop_t)mac_test_destroy_bpfdesc }, 1145 { MAC_DESTROY_CRED, 1146 (macop_t)mac_test_destroy_cred }, 1147 { MAC_DESTROY_DEVFSDIRENT, 1148 (macop_t)mac_test_destroy_devfsdirent }, 1149 { MAC_DESTROY_IFNET, 1150 (macop_t)mac_test_destroy_ifnet }, 1151 { MAC_DESTROY_IPQ, 1152 (macop_t)mac_test_destroy_ipq }, 1153 { MAC_DESTROY_MBUF, 1154 (macop_t)mac_test_destroy_mbuf }, 1155 { MAC_DESTROY_MOUNT, 1156 (macop_t)mac_test_destroy_mount }, 1157 { MAC_DESTROY_PIPE, 1158 (macop_t)mac_test_destroy_pipe }, 1159 { MAC_DESTROY_SOCKET, 1160 (macop_t)mac_test_destroy_socket }, 1161 { MAC_DESTROY_TEMP, 1162 (macop_t)mac_test_destroy_temp }, 1163 { MAC_DESTROY_VNODE, 1164 (macop_t)mac_test_destroy_vnode }, 1165 { MAC_EXTERNALIZE, 1166 (macop_t)mac_test_externalize }, 1167 { MAC_INTERNALIZE, 1168 (macop_t)mac_test_internalize }, 1169 { MAC_CREATE_DEVFS_DEVICE, 1170 (macop_t)mac_test_create_devfs_device }, 1171 { MAC_CREATE_DEVFS_DIRECTORY, 1172 (macop_t)mac_test_create_devfs_directory }, 1173 { MAC_CREATE_DEVFS_VNODE, 1174 (macop_t)mac_test_create_devfs_vnode }, 1175 { MAC_CREATE_VNODE, 1176 (macop_t)mac_test_create_vnode }, 1177 { MAC_CREATE_MOUNT, 1178 (macop_t)mac_test_create_mount }, 1179 { MAC_CREATE_ROOT_MOUNT, 1180 (macop_t)mac_test_create_root_mount }, 1181 { MAC_RELABEL_VNODE, 1182 (macop_t)mac_test_relabel_vnode }, 1183 { MAC_UPDATE_DEVFSDIRENT, 1184 (macop_t)mac_test_update_devfsdirent }, 1185 { MAC_UPDATE_PROCFSVNODE, 1186 (macop_t)mac_test_update_procfsvnode }, 1187 { MAC_UPDATE_VNODE_FROM_EXTERNALIZED, 1188 (macop_t)mac_test_update_vnode_from_externalized }, 1189 { MAC_UPDATE_VNODE_FROM_MOUNT, 1190 (macop_t)mac_test_update_vnode_from_mount }, 1191 { MAC_CREATE_MBUF_FROM_SOCKET, 1192 (macop_t)mac_test_create_mbuf_from_socket }, 1193 { MAC_CREATE_PIPE, 1194 (macop_t)mac_test_create_pipe }, 1195 { MAC_CREATE_SOCKET, 1196 (macop_t)mac_test_create_socket }, 1197 { MAC_CREATE_SOCKET_FROM_SOCKET, 1198 (macop_t)mac_test_create_socket_from_socket }, 1199 { MAC_RELABEL_PIPE, 1200 (macop_t)mac_test_relabel_pipe }, 1201 { MAC_RELABEL_SOCKET, 1202 (macop_t)mac_test_relabel_socket }, 1203 { MAC_SET_SOCKET_PEER_FROM_MBUF, 1204 (macop_t)mac_test_set_socket_peer_from_mbuf }, 1205 { MAC_SET_SOCKET_PEER_FROM_SOCKET, 1206 (macop_t)mac_test_set_socket_peer_from_socket }, 1207 { MAC_CREATE_BPFDESC, 1208 (macop_t)mac_test_create_bpfdesc }, 1209 { MAC_CREATE_IFNET, 1210 (macop_t)mac_test_create_ifnet }, 1211 { MAC_CREATE_DATAGRAM_FROM_IPQ, 1212 (macop_t)mac_test_create_datagram_from_ipq }, 1213 { MAC_CREATE_FRAGMENT, 1214 (macop_t)mac_test_create_fragment }, 1215 { MAC_CREATE_IPQ, 1216 (macop_t)mac_test_create_ipq }, 1217 { MAC_CREATE_MBUF_FROM_MBUF, 1218 (macop_t)mac_test_create_mbuf_from_mbuf }, 1219 { MAC_CREATE_MBUF_LINKLAYER, 1220 (macop_t)mac_test_create_mbuf_linklayer }, 1221 { MAC_CREATE_MBUF_FROM_BPFDESC, 1222 (macop_t)mac_test_create_mbuf_from_bpfdesc }, 1223 { MAC_CREATE_MBUF_FROM_IFNET, 1224 (macop_t)mac_test_create_mbuf_from_ifnet }, 1225 { MAC_CREATE_MBUF_MULTICAST_ENCAP, 1226 (macop_t)mac_test_create_mbuf_multicast_encap }, 1227 { MAC_CREATE_MBUF_NETLAYER, 1228 (macop_t)mac_test_create_mbuf_netlayer }, 1229 { MAC_FRAGMENT_MATCH, 1230 (macop_t)mac_test_fragment_match }, 1231 { MAC_RELABEL_IFNET, 1232 (macop_t)mac_test_relabel_ifnet }, 1233 { MAC_UPDATE_IPQ, 1234 (macop_t)mac_test_update_ipq }, 1235 { MAC_CREATE_CRED, 1236 (macop_t)mac_test_create_cred }, 1237 { MAC_EXECVE_TRANSITION, 1238 (macop_t)mac_test_execve_transition }, 1239 { MAC_EXECVE_WILL_TRANSITION, 1240 (macop_t)mac_test_execve_will_transition }, 1241 { MAC_CREATE_PROC0, 1242 (macop_t)mac_test_create_proc0 }, 1243 { MAC_CREATE_PROC1, 1244 (macop_t)mac_test_create_proc1 }, 1245 { MAC_RELABEL_CRED, 1246 (macop_t)mac_test_relabel_cred }, 1247 { MAC_CHECK_BPFDESC_RECEIVE, 1248 (macop_t)mac_test_check_bpfdesc_receive }, 1249 { MAC_CHECK_CRED_RELABEL, 1250 (macop_t)mac_test_check_cred_relabel }, 1251 { MAC_CHECK_CRED_VISIBLE, 1252 (macop_t)mac_test_check_cred_visible }, 1253 { MAC_CHECK_IFNET_RELABEL, 1254 (macop_t)mac_test_check_ifnet_relabel }, 1255 { MAC_CHECK_IFNET_TRANSMIT, 1256 (macop_t)mac_test_check_ifnet_transmit }, 1257 { MAC_CHECK_MOUNT_STAT, 1258 (macop_t)mac_test_check_mount_stat }, 1259 { MAC_CHECK_PIPE_IOCTL, 1260 (macop_t)mac_test_check_pipe_ioctl }, 1261 { MAC_CHECK_PIPE_OP, 1262 (macop_t)mac_test_check_pipe_op }, 1263 { MAC_CHECK_PIPE_RELABEL, 1264 (macop_t)mac_test_check_pipe_relabel }, 1265 { MAC_CHECK_PROC_DEBUG, 1266 (macop_t)mac_test_check_proc_debug }, 1267 { MAC_CHECK_PROC_SCHED, 1268 (macop_t)mac_test_check_proc_sched }, 1269 { MAC_CHECK_PROC_SIGNAL, 1270 (macop_t)mac_test_check_proc_signal }, 1271 { MAC_CHECK_SOCKET_BIND, 1272 (macop_t)mac_test_check_socket_bind }, 1273 { MAC_CHECK_SOCKET_CONNECT, 1274 (macop_t)mac_test_check_socket_connect }, 1275 { MAC_CHECK_SOCKET_DELIVER, 1276 (macop_t)mac_test_check_socket_deliver }, 1277 { MAC_CHECK_SOCKET_LISTEN, 1278 (macop_t)mac_test_check_socket_listen }, 1279 { MAC_CHECK_SOCKET_RELABEL, 1280 (macop_t)mac_test_check_socket_relabel }, 1281 { MAC_CHECK_SOCKET_VISIBLE, 1282 (macop_t)mac_test_check_socket_visible }, 1283 { MAC_CHECK_VNODE_ACCESS, 1284 (macop_t)mac_test_check_vnode_access }, 1285 { MAC_CHECK_VNODE_CHDIR, 1286 (macop_t)mac_test_check_vnode_chdir }, 1287 { MAC_CHECK_VNODE_CHROOT, 1288 (macop_t)mac_test_check_vnode_chroot }, 1289 { MAC_CHECK_VNODE_CREATE, 1290 (macop_t)mac_test_check_vnode_create }, 1291 { MAC_CHECK_VNODE_DELETE, 1292 (macop_t)mac_test_check_vnode_delete }, 1293 { MAC_CHECK_VNODE_DELETEACL, 1294 (macop_t)mac_test_check_vnode_deleteacl }, 1295 { MAC_CHECK_VNODE_EXEC, 1296 (macop_t)mac_test_check_vnode_exec }, 1297 { MAC_CHECK_VNODE_GETACL, 1298 (macop_t)mac_test_check_vnode_getacl }, 1299 { MAC_CHECK_VNODE_GETEXTATTR, 1300 (macop_t)mac_test_check_vnode_getextattr }, 1301 { MAC_CHECK_VNODE_LOOKUP, 1302 (macop_t)mac_test_check_vnode_lookup }, 1303 { MAC_CHECK_VNODE_OPEN, 1304 (macop_t)mac_test_check_vnode_open },
	1305 { MAC_CHECK_VNODE_POLL, 1306 (macop_t)mac_test_check_vnode_poll }, 1307 { MAC_CHECK_VNODE_READ, 1308 (macop_t)mac_test_check_vnode_read },
1281 { MAC_CHECK_VNODE_READDIR, 1282 (macop_t)mac_test_check_vnode_readdir }, 1283 { MAC_CHECK_VNODE_READLINK, 1284 (macop_t)mac_test_check_vnode_readlink }, 1285 { MAC_CHECK_VNODE_RELABEL, 1286 (macop_t)mac_test_check_vnode_relabel }, 1287 { MAC_CHECK_VNODE_RENAME_FROM, 1288 (macop_t)mac_test_check_vnode_rename_from }, 1289 { MAC_CHECK_VNODE_RENAME_TO, 1290 (macop_t)mac_test_check_vnode_rename_to }, 1291 { MAC_CHECK_VNODE_REVOKE, 1292 (macop_t)mac_test_check_vnode_revoke }, 1293 { MAC_CHECK_VNODE_SETACL, 1294 (macop_t)mac_test_check_vnode_setacl }, 1295 { MAC_CHECK_VNODE_SETEXTATTR, 1296 (macop_t)mac_test_check_vnode_setextattr }, 1297 { MAC_CHECK_VNODE_SETFLAGS, 1298 (macop_t)mac_test_check_vnode_setflags }, 1299 { MAC_CHECK_VNODE_SETMODE, 1300 (macop_t)mac_test_check_vnode_setmode }, 1301 { MAC_CHECK_VNODE_SETOWNER, 1302 (macop_t)mac_test_check_vnode_setowner }, 1303 { MAC_CHECK_VNODE_SETUTIMES, 1304 (macop_t)mac_test_check_vnode_setutimes }, 1305 { MAC_CHECK_VNODE_STAT, 1306 (macop_t)mac_test_check_vnode_stat },	1309 { MAC_CHECK_VNODE_READDIR, 1310 (macop_t)mac_test_check_vnode_readdir }, 1311 { MAC_CHECK_VNODE_READLINK, 1312 (macop_t)mac_test_check_vnode_readlink }, 1313 { MAC_CHECK_VNODE_RELABEL, 1314 (macop_t)mac_test_check_vnode_relabel }, 1315 { MAC_CHECK_VNODE_RENAME_FROM, 1316 (macop_t)mac_test_check_vnode_rename_from }, 1317 { MAC_CHECK_VNODE_RENAME_TO, 1318 (macop_t)mac_test_check_vnode_rename_to }, 1319 { MAC_CHECK_VNODE_REVOKE, 1320 (macop_t)mac_test_check_vnode_revoke }, 1321 { MAC_CHECK_VNODE_SETACL, 1322 (macop_t)mac_test_check_vnode_setacl }, 1323 { MAC_CHECK_VNODE_SETEXTATTR, 1324 (macop_t)mac_test_check_vnode_setextattr }, 1325 { MAC_CHECK_VNODE_SETFLAGS, 1326 (macop_t)mac_test_check_vnode_setflags }, 1327 { MAC_CHECK_VNODE_SETMODE, 1328 (macop_t)mac_test_check_vnode_setmode }, 1329 { MAC_CHECK_VNODE_SETOWNER, 1330 (macop_t)mac_test_check_vnode_setowner }, 1331 { MAC_CHECK_VNODE_SETUTIMES, 1332 (macop_t)mac_test_check_vnode_setutimes }, 1333 { MAC_CHECK_VNODE_STAT, 1334 (macop_t)mac_test_check_vnode_stat },
	1335 { MAC_CHECK_VNODE_WRITE, 1336 (macop_t)mac_test_check_vnode_write },
1307 { MAC_OP_LAST, NULL } 1308}; 1309 1310MAC_POLICY_SET(mac_test_ops, trustedbsd_mac_test, "TrustedBSD MAC/Test", 1311 MPC_LOADTIME_FLAG_UNLOADOK, &test_slot);	1337 { MAC_OP_LAST, NULL } 1338}; 1339 1340MAC_POLICY_SET(mac_test_ops, trustedbsd_mac_test, "TrustedBSD MAC/Test", 1341 MPC_LOADTIME_FLAG_UNLOADOK, &test_slot);