mac_test.c (166531) mac_test.c (166533)
1/*-
1/*-
2 * Copyright (c) 1999-2002 Robert N. M. Watson
2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
3 * Copyright (c) 2001-2005 McAfee, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by McAfee
9 * Research, the Security Research Division of McAfee, Inc. under
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11 * CHATS research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
3 * Copyright (c) 2001-2005 McAfee, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by McAfee
9 * Research, the Security Research Division of McAfee, Inc. under
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11 * CHATS research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $FreeBSD: head/sys/security/mac_test/mac_test.c 166531 2007-02-06 10:59:23Z rwatson $
34 * $FreeBSD: head/sys/security/mac_test/mac_test.c 166533 2007-02-06 14:19:25Z rwatson $
35 */
36
37/*
38 * Developed by the TrustedBSD Project.
39 * Generic mandatory access module that does nothing.
40 */
41
42#include <sys/types.h>
43#include <sys/param.h>
44#include <sys/acl.h>
45#include <sys/conf.h>
46#include <sys/kdb.h>
47#include <sys/extattr.h>
48#include <sys/kernel.h>
49#include <sys/ksem.h>
50#include <sys/malloc.h>
51#include <sys/mount.h>
52#include <sys/proc.h>
53#include <sys/systm.h>
54#include <sys/sysproto.h>
55#include <sys/sysent.h>
56#include <sys/vnode.h>
57#include <sys/file.h>
58#include <sys/socket.h>
59#include <sys/socketvar.h>
60#include <sys/sx.h>
61#include <sys/sysctl.h>
62#include <sys/msg.h>
63#include <sys/sem.h>
64#include <sys/shm.h>
65
66#include <fs/devfs/devfs.h>
67
68#include <net/bpfdesc.h>
69#include <net/if.h>
70#include <net/if_types.h>
71#include <net/if_var.h>
72
73#include <vm/vm.h>
74
75#include <security/mac/mac_policy.h>
76
77SYSCTL_DECL(_security_mac);
78
79SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
80 "TrustedBSD mac_test policy controls");
81
82static int mac_test_enabled = 1;
83SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
84 &mac_test_enabled, 0, "Enforce test policy");
85
86#define BPFMAGIC 0xfe1ad1b6
87#define DEVFSMAGIC 0x9ee79c32
88#define IFNETMAGIC 0xc218b120
89#define INPCBMAGIC 0x4440f7bb
90#define IPQMAGIC 0x206188ef
91#define MBUFMAGIC 0xbbefa5bb
92#define MOUNTMAGIC 0xc7c46e47
93#define SOCKETMAGIC 0x9199c6cd
94#define SYSVIPCMSQMAGIC 0xea672391
95#define SYSVIPCMSGMAGIC 0x8bbba61e
96#define SYSVIPCSEMMAGIC 0x896e8a0b
97#define SYSVIPCSHMMAGIC 0x76119ab0
98#define PIPEMAGIC 0xdc6c9919
99#define POSIXSEMMAGIC 0x78ae980c
100#define PROCMAGIC 0x3b4be98f
101#define CREDMAGIC 0x9a5a4987
102#define VNODEMAGIC 0x1a67a45c
103#define EXMAGIC 0x849ba1fd
104
35 */
36
37/*
38 * Developed by the TrustedBSD Project.
39 * Generic mandatory access module that does nothing.
40 */
41
42#include <sys/types.h>
43#include <sys/param.h>
44#include <sys/acl.h>
45#include <sys/conf.h>
46#include <sys/kdb.h>
47#include <sys/extattr.h>
48#include <sys/kernel.h>
49#include <sys/ksem.h>
50#include <sys/malloc.h>
51#include <sys/mount.h>
52#include <sys/proc.h>
53#include <sys/systm.h>
54#include <sys/sysproto.h>
55#include <sys/sysent.h>
56#include <sys/vnode.h>
57#include <sys/file.h>
58#include <sys/socket.h>
59#include <sys/socketvar.h>
60#include <sys/sx.h>
61#include <sys/sysctl.h>
62#include <sys/msg.h>
63#include <sys/sem.h>
64#include <sys/shm.h>
65
66#include <fs/devfs/devfs.h>
67
68#include <net/bpfdesc.h>
69#include <net/if.h>
70#include <net/if_types.h>
71#include <net/if_var.h>
72
73#include <vm/vm.h>
74
75#include <security/mac/mac_policy.h>
76
77SYSCTL_DECL(_security_mac);
78
79SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
80 "TrustedBSD mac_test policy controls");
81
82static int mac_test_enabled = 1;
83SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
84 &mac_test_enabled, 0, "Enforce test policy");
85
86#define BPFMAGIC 0xfe1ad1b6
87#define DEVFSMAGIC 0x9ee79c32
88#define IFNETMAGIC 0xc218b120
89#define INPCBMAGIC 0x4440f7bb
90#define IPQMAGIC 0x206188ef
91#define MBUFMAGIC 0xbbefa5bb
92#define MOUNTMAGIC 0xc7c46e47
93#define SOCKETMAGIC 0x9199c6cd
94#define SYSVIPCMSQMAGIC 0xea672391
95#define SYSVIPCMSGMAGIC 0x8bbba61e
96#define SYSVIPCSEMMAGIC 0x896e8a0b
97#define SYSVIPCSHMMAGIC 0x76119ab0
98#define PIPEMAGIC 0xdc6c9919
99#define POSIXSEMMAGIC 0x78ae980c
100#define PROCMAGIC 0x3b4be98f
101#define CREDMAGIC 0x9a5a4987
102#define VNODEMAGIC 0x1a67a45c
103#define EXMAGIC 0x849ba1fd
104
105#define SLOT(x) LABEL_TO_SLOT((x), test_slot).l_long
105#define SLOT(x) mac_label_get((x), test_slot)
106#define SLOT_SET(x, v) mac_label_set((x), test_slot, (v))
106
107#define ASSERT_BPF_LABEL(x) KASSERT(SLOT(x) == BPFMAGIC || \
108 SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
109#define ASSERT_DEVFS_LABEL(x) KASSERT(SLOT(x) == DEVFSMAGIC || \
110 SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
111#define ASSERT_IFNET_LABEL(x) KASSERT(SLOT(x) == IFNETMAGIC || \
112 SLOT(x) == 0, ("%s: Bad IFNET label", __func__ ))
113#define ASSERT_INPCB_LABEL(x) KASSERT(SLOT(x) == INPCBMAGIC || \
114 SLOT(x) == 0, ("%s: Bad INPCB label", __func__ ))
115#define ASSERT_IPQ_LABEL(x) KASSERT(SLOT(x) == IPQMAGIC || \
116 SLOT(x) == 0, ("%s: Bad IPQ label", __func__ ))
117#define ASSERT_MBUF_LABEL(x) KASSERT(x == NULL || \
118 SLOT(x) == MBUFMAGIC || SLOT(x) == 0, \
119 ("%s: Bad MBUF label", __func__ ))
120#define ASSERT_MOUNT_LABEL(x) KASSERT(SLOT(x) == MOUNTMAGIC || \
121 SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ ))
122#define ASSERT_SOCKET_LABEL(x) KASSERT(SLOT(x) == SOCKETMAGIC || \
123 SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ ))
124#define ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC || \
125 SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__ ))
126#define ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC || \
127 SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__ ))
128#define ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC || \
129 SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__ ))
130#define ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC || \
131 SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__ ))
132#define ASSERT_PIPE_LABEL(x) KASSERT(SLOT(x) == PIPEMAGIC || \
133 SLOT(x) == 0, ("%s: Bad PIPE label", __func__ ))
134#define ASSERT_POSIX_LABEL(x) KASSERT(SLOT(x) == POSIXSEMMAGIC || \
135 SLOT(x) == 0, ("%s: Bad POSIX ksem label", __func__ ))
136#define ASSERT_PROC_LABEL(x) KASSERT(SLOT(x) == PROCMAGIC || \
137 SLOT(x) == 0, ("%s: Bad PROC label", __func__ ))
138#define ASSERT_CRED_LABEL(x) KASSERT(SLOT(x) == CREDMAGIC || \
139 SLOT(x) == 0, ("%s: Bad CRED label", __func__ ))
140#define ASSERT_VNODE_LABEL(x) KASSERT(SLOT(x) == VNODEMAGIC || \
141 SLOT(x) == 0, ("%s: Bad VNODE label", __func__ ))
142
143static int test_slot;
144SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
145 &test_slot, 0, "Slot allocated by framework");
146
147static int init_count_bpfdesc;
148SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
149 &init_count_bpfdesc, 0, "bpfdesc init calls");
150static int init_count_cred;
151SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
152 &init_count_cred, 0, "cred init calls");
153static int init_count_devfsdirent;
154SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
155 &init_count_devfsdirent, 0, "devfsdirent init calls");
156static int init_count_ifnet;
157SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
158 &init_count_ifnet, 0, "ifnet init calls");
159static int init_count_inpcb;
160SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
161 &init_count_inpcb, 0, "inpcb init calls");
162static int init_count_sysv_msg;
163SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD,
164 &init_count_sysv_msg, 0, "ipc_msg init calls");
165static int init_count_sysv_msq;
166SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD,
167 &init_count_sysv_msq, 0, "ipc_msq init calls");
168static int init_count_sysv_sem;
169SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sem, CTLFLAG_RD,
170 &init_count_sysv_sem, 0, "ipc_sema init calls");
171static int init_count_sysv_shm;
172SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD,
173 &init_count_sysv_shm, 0, "ipc_shm init calls");
174static int init_count_ipq;
175SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
176 &init_count_ipq, 0, "ipq init calls");
177static int init_count_mbuf;
178SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
179 &init_count_mbuf, 0, "mbuf init calls");
180static int init_count_mount;
181SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
182 &init_count_mount, 0, "mount init calls");
183static int init_count_mount_fslabel;
184SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
185 &init_count_mount_fslabel, 0, "mount_fslabel init calls");
186static int init_count_socket;
187SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
188 &init_count_socket, 0, "socket init calls");
189static int init_count_socket_peerlabel;
190SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
191 CTLFLAG_RD, &init_count_socket_peerlabel, 0,
192 "socket_peerlabel init calls");
193static int init_count_pipe;
194SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
195 &init_count_pipe, 0, "pipe init calls");
196static int init_count_posixsems;
197SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_posixsems, CTLFLAG_RD,
198 &init_count_posixsems, 0, "posix sems init calls");
199static int init_count_proc;
200SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
201 &init_count_proc, 0, "proc init calls");
202static int init_count_vnode;
203SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
204 &init_count_vnode, 0, "vnode init calls");
205
206static int destroy_count_bpfdesc;
207SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
208 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
209static int destroy_count_cred;
210SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
211 &destroy_count_cred, 0, "cred destroy calls");
212static int destroy_count_devfsdirent;
213SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
214 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
215static int destroy_count_ifnet;
216SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
217 &destroy_count_ifnet, 0, "ifnet destroy calls");
218static int destroy_count_inpcb;
219SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
220 &destroy_count_inpcb, 0, "inpcb destroy calls");
221static int destroy_count_sysv_msg;
222SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD,
223 &destroy_count_sysv_msg, 0, "ipc_msg destroy calls");
224static int destroy_count_sysv_msq;
225SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD,
226 &destroy_count_sysv_msq, 0, "ipc_msq destroy calls");
227static int destroy_count_sysv_sem;
228SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sem, CTLFLAG_RD,
229 &destroy_count_sysv_sem, 0, "ipc_sema destroy calls");
230static int destroy_count_sysv_shm;
231SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD,
232 &destroy_count_sysv_shm, 0, "ipc_shm destroy calls");
233static int destroy_count_ipq;
234SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
235 &destroy_count_ipq, 0, "ipq destroy calls");
236static int destroy_count_mbuf;
237SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
238 &destroy_count_mbuf, 0, "mbuf destroy calls");
239static int destroy_count_mount;
240SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
241 &destroy_count_mount, 0, "mount destroy calls");
242static int destroy_count_mount_fslabel;
243SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
244 CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
245 "mount_fslabel destroy calls");
246static int destroy_count_socket;
247SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
248 &destroy_count_socket, 0, "socket destroy calls");
249static int destroy_count_socket_peerlabel;
250SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
251 CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
252 "socket_peerlabel destroy calls");
253static int destroy_count_pipe;
254SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
255 &destroy_count_pipe, 0, "pipe destroy calls");
256static int destroy_count_posixsems;
257SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_posixsems, CTLFLAG_RD,
258 &destroy_count_posixsems, 0, "posix sems destroy calls");
259static int destroy_count_proc;
260SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
261 &destroy_count_proc, 0, "proc destroy calls");
262static int destroy_count_vnode;
263SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
264 &destroy_count_vnode, 0, "vnode destroy calls");
265
266static int externalize_count;
267SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
268 &externalize_count, 0, "Subject/object externalize calls");
269static int internalize_count;
270SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
271 &internalize_count, 0, "Subject/object internalize calls");
272
273#ifdef KDB
274#define DEBUGGER(x) kdb_enter(x)
275#else
276#define DEBUGGER(x) printf("mac_test: %s\n", (x))
277#endif
278
279/*
280 * Policy module operations.
281 */
282static void
283mac_test_destroy(struct mac_policy_conf *conf)
284{
285
286}
287
288static void
289mac_test_init(struct mac_policy_conf *conf)
290{
291
292}
293
294static int
295mac_test_syscall(struct thread *td, int call, void *arg)
296{
297
298 return (0);
299}
300
301/*
302 * Label operations.
303 */
304static void
305mac_test_init_bpfdesc_label(struct label *label)
306{
307
107
108#define ASSERT_BPF_LABEL(x) KASSERT(SLOT(x) == BPFMAGIC || \
109 SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
110#define ASSERT_DEVFS_LABEL(x) KASSERT(SLOT(x) == DEVFSMAGIC || \
111 SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
112#define ASSERT_IFNET_LABEL(x) KASSERT(SLOT(x) == IFNETMAGIC || \
113 SLOT(x) == 0, ("%s: Bad IFNET label", __func__ ))
114#define ASSERT_INPCB_LABEL(x) KASSERT(SLOT(x) == INPCBMAGIC || \
115 SLOT(x) == 0, ("%s: Bad INPCB label", __func__ ))
116#define ASSERT_IPQ_LABEL(x) KASSERT(SLOT(x) == IPQMAGIC || \
117 SLOT(x) == 0, ("%s: Bad IPQ label", __func__ ))
118#define ASSERT_MBUF_LABEL(x) KASSERT(x == NULL || \
119 SLOT(x) == MBUFMAGIC || SLOT(x) == 0, \
120 ("%s: Bad MBUF label", __func__ ))
121#define ASSERT_MOUNT_LABEL(x) KASSERT(SLOT(x) == MOUNTMAGIC || \
122 SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ ))
123#define ASSERT_SOCKET_LABEL(x) KASSERT(SLOT(x) == SOCKETMAGIC || \
124 SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ ))
125#define ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC || \
126 SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__ ))
127#define ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC || \
128 SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__ ))
129#define ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC || \
130 SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__ ))
131#define ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC || \
132 SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__ ))
133#define ASSERT_PIPE_LABEL(x) KASSERT(SLOT(x) == PIPEMAGIC || \
134 SLOT(x) == 0, ("%s: Bad PIPE label", __func__ ))
135#define ASSERT_POSIX_LABEL(x) KASSERT(SLOT(x) == POSIXSEMMAGIC || \
136 SLOT(x) == 0, ("%s: Bad POSIX ksem label", __func__ ))
137#define ASSERT_PROC_LABEL(x) KASSERT(SLOT(x) == PROCMAGIC || \
138 SLOT(x) == 0, ("%s: Bad PROC label", __func__ ))
139#define ASSERT_CRED_LABEL(x) KASSERT(SLOT(x) == CREDMAGIC || \
140 SLOT(x) == 0, ("%s: Bad CRED label", __func__ ))
141#define ASSERT_VNODE_LABEL(x) KASSERT(SLOT(x) == VNODEMAGIC || \
142 SLOT(x) == 0, ("%s: Bad VNODE label", __func__ ))
143
144static int test_slot;
145SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
146 &test_slot, 0, "Slot allocated by framework");
147
148static int init_count_bpfdesc;
149SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
150 &init_count_bpfdesc, 0, "bpfdesc init calls");
151static int init_count_cred;
152SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
153 &init_count_cred, 0, "cred init calls");
154static int init_count_devfsdirent;
155SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
156 &init_count_devfsdirent, 0, "devfsdirent init calls");
157static int init_count_ifnet;
158SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
159 &init_count_ifnet, 0, "ifnet init calls");
160static int init_count_inpcb;
161SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
162 &init_count_inpcb, 0, "inpcb init calls");
163static int init_count_sysv_msg;
164SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD,
165 &init_count_sysv_msg, 0, "ipc_msg init calls");
166static int init_count_sysv_msq;
167SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD,
168 &init_count_sysv_msq, 0, "ipc_msq init calls");
169static int init_count_sysv_sem;
170SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sem, CTLFLAG_RD,
171 &init_count_sysv_sem, 0, "ipc_sema init calls");
172static int init_count_sysv_shm;
173SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD,
174 &init_count_sysv_shm, 0, "ipc_shm init calls");
175static int init_count_ipq;
176SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
177 &init_count_ipq, 0, "ipq init calls");
178static int init_count_mbuf;
179SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
180 &init_count_mbuf, 0, "mbuf init calls");
181static int init_count_mount;
182SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
183 &init_count_mount, 0, "mount init calls");
184static int init_count_mount_fslabel;
185SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
186 &init_count_mount_fslabel, 0, "mount_fslabel init calls");
187static int init_count_socket;
188SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
189 &init_count_socket, 0, "socket init calls");
190static int init_count_socket_peerlabel;
191SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
192 CTLFLAG_RD, &init_count_socket_peerlabel, 0,
193 "socket_peerlabel init calls");
194static int init_count_pipe;
195SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
196 &init_count_pipe, 0, "pipe init calls");
197static int init_count_posixsems;
198SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_posixsems, CTLFLAG_RD,
199 &init_count_posixsems, 0, "posix sems init calls");
200static int init_count_proc;
201SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
202 &init_count_proc, 0, "proc init calls");
203static int init_count_vnode;
204SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
205 &init_count_vnode, 0, "vnode init calls");
206
207static int destroy_count_bpfdesc;
208SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
209 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
210static int destroy_count_cred;
211SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
212 &destroy_count_cred, 0, "cred destroy calls");
213static int destroy_count_devfsdirent;
214SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
215 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
216static int destroy_count_ifnet;
217SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
218 &destroy_count_ifnet, 0, "ifnet destroy calls");
219static int destroy_count_inpcb;
220SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
221 &destroy_count_inpcb, 0, "inpcb destroy calls");
222static int destroy_count_sysv_msg;
223SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD,
224 &destroy_count_sysv_msg, 0, "ipc_msg destroy calls");
225static int destroy_count_sysv_msq;
226SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD,
227 &destroy_count_sysv_msq, 0, "ipc_msq destroy calls");
228static int destroy_count_sysv_sem;
229SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sem, CTLFLAG_RD,
230 &destroy_count_sysv_sem, 0, "ipc_sema destroy calls");
231static int destroy_count_sysv_shm;
232SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD,
233 &destroy_count_sysv_shm, 0, "ipc_shm destroy calls");
234static int destroy_count_ipq;
235SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
236 &destroy_count_ipq, 0, "ipq destroy calls");
237static int destroy_count_mbuf;
238SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
239 &destroy_count_mbuf, 0, "mbuf destroy calls");
240static int destroy_count_mount;
241SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
242 &destroy_count_mount, 0, "mount destroy calls");
243static int destroy_count_mount_fslabel;
244SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
245 CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
246 "mount_fslabel destroy calls");
247static int destroy_count_socket;
248SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
249 &destroy_count_socket, 0, "socket destroy calls");
250static int destroy_count_socket_peerlabel;
251SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
252 CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
253 "socket_peerlabel destroy calls");
254static int destroy_count_pipe;
255SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
256 &destroy_count_pipe, 0, "pipe destroy calls");
257static int destroy_count_posixsems;
258SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_posixsems, CTLFLAG_RD,
259 &destroy_count_posixsems, 0, "posix sems destroy calls");
260static int destroy_count_proc;
261SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
262 &destroy_count_proc, 0, "proc destroy calls");
263static int destroy_count_vnode;
264SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
265 &destroy_count_vnode, 0, "vnode destroy calls");
266
267static int externalize_count;
268SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
269 &externalize_count, 0, "Subject/object externalize calls");
270static int internalize_count;
271SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
272 &internalize_count, 0, "Subject/object internalize calls");
273
274#ifdef KDB
275#define DEBUGGER(x) kdb_enter(x)
276#else
277#define DEBUGGER(x) printf("mac_test: %s\n", (x))
278#endif
279
280/*
281 * Policy module operations.
282 */
283static void
284mac_test_destroy(struct mac_policy_conf *conf)
285{
286
287}
288
289static void
290mac_test_init(struct mac_policy_conf *conf)
291{
292
293}
294
295static int
296mac_test_syscall(struct thread *td, int call, void *arg)
297{
298
299 return (0);
300}
301
302/*
303 * Label operations.
304 */
305static void
306mac_test_init_bpfdesc_label(struct label *label)
307{
308
308 SLOT(label) = BPFMAGIC;
309 SLOT_SET(label, BPFMAGIC);
309 atomic_add_int(&init_count_bpfdesc, 1);
310}
311
312static void
313mac_test_init_cred_label(struct label *label)
314{
315
310 atomic_add_int(&init_count_bpfdesc, 1);
311}
312
313static void
314mac_test_init_cred_label(struct label *label)
315{
316
316 SLOT(label) = CREDMAGIC;
317 SLOT_SET(label, CREDMAGIC);
317 atomic_add_int(&init_count_cred, 1);
318}
319
320static void
321mac_test_init_devfsdirent_label(struct label *label)
322{
323
318 atomic_add_int(&init_count_cred, 1);
319}
320
321static void
322mac_test_init_devfsdirent_label(struct label *label)
323{
324
324 SLOT(label) = DEVFSMAGIC;
325 SLOT_SET(label, DEVFSMAGIC);
325 atomic_add_int(&init_count_devfsdirent, 1);
326}
327
328static void
329mac_test_init_ifnet_label(struct label *label)
330{
331
326 atomic_add_int(&init_count_devfsdirent, 1);
327}
328
329static void
330mac_test_init_ifnet_label(struct label *label)
331{
332
332 SLOT(label) = IFNETMAGIC;
333 SLOT_SET(label, IFNETMAGIC);
333 atomic_add_int(&init_count_ifnet, 1);
334}
335
336static int
337mac_test_init_inpcb_label(struct label *label, int flag)
338{
339
340 if (flag & M_WAITOK)
341 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
342 "mac_test_init_inpcb_label() at %s:%d", __FILE__,
343 __LINE__);
344
334 atomic_add_int(&init_count_ifnet, 1);
335}
336
337static int
338mac_test_init_inpcb_label(struct label *label, int flag)
339{
340
341 if (flag & M_WAITOK)
342 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
343 "mac_test_init_inpcb_label() at %s:%d", __FILE__,
344 __LINE__);
345
345 SLOT(label) = INPCBMAGIC;
346 SLOT_SET(label, INPCBMAGIC);
346 atomic_add_int(&init_count_inpcb, 1);
347 return (0);
348}
349
350static void
351mac_test_init_sysv_msgmsg_label(struct label *label)
352{
347 atomic_add_int(&init_count_inpcb, 1);
348 return (0);
349}
350
351static void
352mac_test_init_sysv_msgmsg_label(struct label *label)
353{
353 SLOT(label) = SYSVIPCMSGMAGIC;
354 SLOT_SET(label, SYSVIPCMSGMAGIC);
354 atomic_add_int(&init_count_sysv_msg, 1);
355}
356
357static void
358mac_test_init_sysv_msgqueue_label(struct label *label)
359{
355 atomic_add_int(&init_count_sysv_msg, 1);
356}
357
358static void
359mac_test_init_sysv_msgqueue_label(struct label *label)
360{
360 SLOT(label) = SYSVIPCMSQMAGIC;
361 SLOT_SET(label, SYSVIPCMSQMAGIC);
361 atomic_add_int(&init_count_sysv_msq, 1);
362}
363
364static void
365mac_test_init_sysv_sem_label(struct label *label)
366{
362 atomic_add_int(&init_count_sysv_msq, 1);
363}
364
365static void
366mac_test_init_sysv_sem_label(struct label *label)
367{
367 SLOT(label) = SYSVIPCSEMMAGIC;
368 SLOT_SET(label, SYSVIPCSEMMAGIC);
368 atomic_add_int(&init_count_sysv_sem, 1);
369}
370
371static void
372mac_test_init_sysv_shm_label(struct label *label)
373{
369 atomic_add_int(&init_count_sysv_sem, 1);
370}
371
372static void
373mac_test_init_sysv_shm_label(struct label *label)
374{
374 SLOT(label) = SYSVIPCSHMMAGIC;
375 SLOT_SET(label, SYSVIPCSHMMAGIC);
375 atomic_add_int(&init_count_sysv_shm, 1);
376}
377
378static int
379mac_test_init_ipq_label(struct label *label, int flag)
380{
381
382 if (flag & M_WAITOK)
383 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
384 "mac_test_init_ipq_label() at %s:%d", __FILE__,
385 __LINE__);
386
376 atomic_add_int(&init_count_sysv_shm, 1);
377}
378
379static int
380mac_test_init_ipq_label(struct label *label, int flag)
381{
382
383 if (flag & M_WAITOK)
384 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
385 "mac_test_init_ipq_label() at %s:%d", __FILE__,
386 __LINE__);
387
387 SLOT(label) = IPQMAGIC;
388 SLOT_SET(label, IPQMAGIC);
388 atomic_add_int(&init_count_ipq, 1);
389 return (0);
390}
391
392static int
393mac_test_init_mbuf_label(struct label *label, int flag)
394{
395
396 if (flag & M_WAITOK)
397 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
398 "mac_test_init_mbuf_label() at %s:%d", __FILE__,
399 __LINE__);
400
389 atomic_add_int(&init_count_ipq, 1);
390 return (0);
391}
392
393static int
394mac_test_init_mbuf_label(struct label *label, int flag)
395{
396
397 if (flag & M_WAITOK)
398 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
399 "mac_test_init_mbuf_label() at %s:%d", __FILE__,
400 __LINE__);
401
401 SLOT(label) = MBUFMAGIC;
402 SLOT_SET(label, MBUFMAGIC);
402 atomic_add_int(&init_count_mbuf, 1);
403 return (0);
404}
405
406static void
407mac_test_init_mount_label(struct label *label)
408{
409
403 atomic_add_int(&init_count_mbuf, 1);
404 return (0);
405}
406
407static void
408mac_test_init_mount_label(struct label *label)
409{
410
410 SLOT(label) = MOUNTMAGIC;
411 SLOT_SET(label, MOUNTMAGIC);
411 atomic_add_int(&init_count_mount, 1);
412}
413
414static void
415mac_test_init_mount_fs_label(struct label *label)
416{
417
412 atomic_add_int(&init_count_mount, 1);
413}
414
415static void
416mac_test_init_mount_fs_label(struct label *label)
417{
418
418 SLOT(label) = MOUNTMAGIC;
419 SLOT_SET(label, MOUNTMAGIC);
419 atomic_add_int(&init_count_mount_fslabel, 1);
420}
421
422static int
423mac_test_init_socket_label(struct label *label, int flag)
424{
425
426 if (flag & M_WAITOK)
427 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
428 "mac_test_init_socket_label() at %s:%d", __FILE__,
429 __LINE__);
430
420 atomic_add_int(&init_count_mount_fslabel, 1);
421}
422
423static int
424mac_test_init_socket_label(struct label *label, int flag)
425{
426
427 if (flag & M_WAITOK)
428 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
429 "mac_test_init_socket_label() at %s:%d", __FILE__,
430 __LINE__);
431
431 SLOT(label) = SOCKETMAGIC;
432 SLOT_SET(label, SOCKETMAGIC);
432 atomic_add_int(&init_count_socket, 1);
433 return (0);
434}
435
436static int
437mac_test_init_socket_peer_label(struct label *label, int flag)
438{
439
440 if (flag & M_WAITOK)
441 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
442 "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
443 __LINE__);
444
433 atomic_add_int(&init_count_socket, 1);
434 return (0);
435}
436
437static int
438mac_test_init_socket_peer_label(struct label *label, int flag)
439{
440
441 if (flag & M_WAITOK)
442 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
443 "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
444 __LINE__);
445
445 SLOT(label) = SOCKETMAGIC;
446 SLOT_SET(label, SOCKETMAGIC);
446 atomic_add_int(&init_count_socket_peerlabel, 1);
447 return (0);
448}
449
450static void
451mac_test_init_pipe_label(struct label *label)
452{
453
447 atomic_add_int(&init_count_socket_peerlabel, 1);
448 return (0);
449}
450
451static void
452mac_test_init_pipe_label(struct label *label)
453{
454
454 SLOT(label) = PIPEMAGIC;
455 SLOT_SET(label, PIPEMAGIC);
455 atomic_add_int(&init_count_pipe, 1);
456}
457
458static void
459mac_test_init_posix_sem_label(struct label *label)
460{
461
456 atomic_add_int(&init_count_pipe, 1);
457}
458
459static void
460mac_test_init_posix_sem_label(struct label *label)
461{
462
462 SLOT(label) = POSIXSEMMAGIC;
463 SLOT_SET(label, POSIXSEMMAGIC);
463 atomic_add_int(&init_count_posixsems, 1);
464}
465
466static void
467mac_test_init_proc_label(struct label *label)
468{
469
464 atomic_add_int(&init_count_posixsems, 1);
465}
466
467static void
468mac_test_init_proc_label(struct label *label)
469{
470
470 SLOT(label) = PROCMAGIC;
471 SLOT_SET(label, PROCMAGIC);
471 atomic_add_int(&init_count_proc, 1);
472}
473
474static void
475mac_test_init_vnode_label(struct label *label)
476{
477
472 atomic_add_int(&init_count_proc, 1);
473}
474
475static void
476mac_test_init_vnode_label(struct label *label)
477{
478
478 SLOT(label) = VNODEMAGIC;
479 SLOT_SET(label, VNODEMAGIC);
479 atomic_add_int(&init_count_vnode, 1);
480}
481
482static void
483mac_test_destroy_bpfdesc_label(struct label *label)
484{
485
486 if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
487 atomic_add_int(&destroy_count_bpfdesc, 1);
480 atomic_add_int(&init_count_vnode, 1);
481}
482
483static void
484mac_test_destroy_bpfdesc_label(struct label *label)
485{
486
487 if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
488 atomic_add_int(&destroy_count_bpfdesc, 1);
488 SLOT(label) = EXMAGIC;
489 SLOT_SET(label, EXMAGIC);
489 } else if (SLOT(label) == EXMAGIC) {
490 DEBUGGER("mac_test_destroy_bpfdesc: dup destroy");
491 } else {
492 DEBUGGER("mac_test_destroy_bpfdesc: corrupted label");
493 }
494}
495
496static void
497mac_test_destroy_cred_label(struct label *label)
498{
499
500 if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
501 atomic_add_int(&destroy_count_cred, 1);
490 } else if (SLOT(label) == EXMAGIC) {
491 DEBUGGER("mac_test_destroy_bpfdesc: dup destroy");
492 } else {
493 DEBUGGER("mac_test_destroy_bpfdesc: corrupted label");
494 }
495}
496
497static void
498mac_test_destroy_cred_label(struct label *label)
499{
500
501 if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
502 atomic_add_int(&destroy_count_cred, 1);
502 SLOT(label) = EXMAGIC;
503 SLOT_SET(label, EXMAGIC);
503 } else if (SLOT(label) == EXMAGIC) {
504 DEBUGGER("mac_test_destroy_cred: dup destroy");
505 } else {
506 DEBUGGER("mac_test_destroy_cred: corrupted label");
507 }
508}
509
510static void
511mac_test_destroy_devfsdirent_label(struct label *label)
512{
513
514 if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
515 atomic_add_int(&destroy_count_devfsdirent, 1);
504 } else if (SLOT(label) == EXMAGIC) {
505 DEBUGGER("mac_test_destroy_cred: dup destroy");
506 } else {
507 DEBUGGER("mac_test_destroy_cred: corrupted label");
508 }
509}
510
511static void
512mac_test_destroy_devfsdirent_label(struct label *label)
513{
514
515 if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
516 atomic_add_int(&destroy_count_devfsdirent, 1);
516 SLOT(label) = EXMAGIC;
517 SLOT_SET(label, EXMAGIC);
517 } else if (SLOT(label) == EXMAGIC) {
518 DEBUGGER("mac_test_destroy_devfsdirent: dup destroy");
519 } else {
520 DEBUGGER("mac_test_destroy_devfsdirent: corrupted label");
521 }
522}
523
524static void
525mac_test_destroy_ifnet_label(struct label *label)
526{
527
528 if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
529 atomic_add_int(&destroy_count_ifnet, 1);
518 } else if (SLOT(label) == EXMAGIC) {
519 DEBUGGER("mac_test_destroy_devfsdirent: dup destroy");
520 } else {
521 DEBUGGER("mac_test_destroy_devfsdirent: corrupted label");
522 }
523}
524
525static void
526mac_test_destroy_ifnet_label(struct label *label)
527{
528
529 if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
530 atomic_add_int(&destroy_count_ifnet, 1);
530 SLOT(label) = EXMAGIC;
531 SLOT_SET(label, EXMAGIC);
531 } else if (SLOT(label) == EXMAGIC) {
532 DEBUGGER("mac_test_destroy_ifnet: dup destroy");
533 } else {
534 DEBUGGER("mac_test_destroy_ifnet: corrupted label");
535 }
536}
537
538static void
539mac_test_destroy_inpcb_label(struct label *label)
540{
541
542 if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) {
543 atomic_add_int(&destroy_count_inpcb, 1);
532 } else if (SLOT(label) == EXMAGIC) {
533 DEBUGGER("mac_test_destroy_ifnet: dup destroy");
534 } else {
535 DEBUGGER("mac_test_destroy_ifnet: corrupted label");
536 }
537}
538
539static void
540mac_test_destroy_inpcb_label(struct label *label)
541{
542
543 if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) {
544 atomic_add_int(&destroy_count_inpcb, 1);
544 SLOT(label) = EXMAGIC;
545 SLOT_SET(label, EXMAGIC);
545 } else if (SLOT(label) == EXMAGIC) {
546 DEBUGGER("mac_test_destroy_inpcb: dup destroy");
547 } else {
548 DEBUGGER("mac_test_destroy_inpcb: corrupted label");
549 }
550}
551
552static void
553mac_test_destroy_sysv_msgmsg_label(struct label *label)
554{
555
556 if (SLOT(label) == SYSVIPCMSGMAGIC || SLOT(label) == 0) {
557 atomic_add_int(&destroy_count_sysv_msg, 1);
546 } else if (SLOT(label) == EXMAGIC) {
547 DEBUGGER("mac_test_destroy_inpcb: dup destroy");
548 } else {
549 DEBUGGER("mac_test_destroy_inpcb: corrupted label");
550 }
551}
552
553static void
554mac_test_destroy_sysv_msgmsg_label(struct label *label)
555{
556
557 if (SLOT(label) == SYSVIPCMSGMAGIC || SLOT(label) == 0) {
558 atomic_add_int(&destroy_count_sysv_msg, 1);
558 SLOT(label) = EXMAGIC;
559 SLOT_SET(label, EXMAGIC);
559 } else if (SLOT(label) == EXMAGIC) {
560 DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy");
561 } else {
562 DEBUGGER(
563 "mac_test_destroy_sysv_msgmsg_label: corrupted label");
564 }
565}
566
567static void
568mac_test_destroy_sysv_msgqueue_label(struct label *label)
569{
570
571 if (SLOT(label) == SYSVIPCMSQMAGIC || SLOT(label) == 0) {
572 atomic_add_int(&destroy_count_sysv_msq, 1);
560 } else if (SLOT(label) == EXMAGIC) {
561 DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy");
562 } else {
563 DEBUGGER(
564 "mac_test_destroy_sysv_msgmsg_label: corrupted label");
565 }
566}
567
568static void
569mac_test_destroy_sysv_msgqueue_label(struct label *label)
570{
571
572 if (SLOT(label) == SYSVIPCMSQMAGIC || SLOT(label) == 0) {
573 atomic_add_int(&destroy_count_sysv_msq, 1);
573 SLOT(label) = EXMAGIC;
574 SLOT_SET(label, EXMAGIC);
574 } else if (SLOT(label) == EXMAGIC) {
575 DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy");
576 } else {
577 DEBUGGER(
578 "mac_test_destroy_sysv_msgqueue_label: corrupted label");
579 }
580}
581
582static void
583mac_test_destroy_sysv_sem_label(struct label *label)
584{
585
586 if (SLOT(label) == SYSVIPCSEMMAGIC || SLOT(label) == 0) {
587 atomic_add_int(&destroy_count_sysv_sem, 1);
575 } else if (SLOT(label) == EXMAGIC) {
576 DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy");
577 } else {
578 DEBUGGER(
579 "mac_test_destroy_sysv_msgqueue_label: corrupted label");
580 }
581}
582
583static void
584mac_test_destroy_sysv_sem_label(struct label *label)
585{
586
587 if (SLOT(label) == SYSVIPCSEMMAGIC || SLOT(label) == 0) {
588 atomic_add_int(&destroy_count_sysv_sem, 1);
588 SLOT(label) = EXMAGIC;
589 SLOT_SET(label, EXMAGIC);
589 } else if (SLOT(label) == EXMAGIC) {
590 DEBUGGER("mac_test_destroy_sysv_sem_label: dup destroy");
591 } else {
592 DEBUGGER("mac_test_destroy_sysv_sem_label: corrupted label");
593 }
594}
595
596static void
597mac_test_destroy_sysv_shm_label(struct label *label)
598{
599
600 if (SLOT(label) == SYSVIPCSHMMAGIC || SLOT(label) == 0) {
601 atomic_add_int(&destroy_count_sysv_shm, 1);
590 } else if (SLOT(label) == EXMAGIC) {
591 DEBUGGER("mac_test_destroy_sysv_sem_label: dup destroy");
592 } else {
593 DEBUGGER("mac_test_destroy_sysv_sem_label: corrupted label");
594 }
595}
596
597static void
598mac_test_destroy_sysv_shm_label(struct label *label)
599{
600
601 if (SLOT(label) == SYSVIPCSHMMAGIC || SLOT(label) == 0) {
602 atomic_add_int(&destroy_count_sysv_shm, 1);
602 SLOT(label) = EXMAGIC;
603 SLOT_SET(label, EXMAGIC);
603 } else if (SLOT(label) == EXMAGIC) {
604 DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy");
605 } else {
606 DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label");
607 }
608}
609
610static void
611mac_test_destroy_ipq_label(struct label *label)
612{
613
614 if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
615 atomic_add_int(&destroy_count_ipq, 1);
604 } else if (SLOT(label) == EXMAGIC) {
605 DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy");
606 } else {
607 DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label");
608 }
609}
610
611static void
612mac_test_destroy_ipq_label(struct label *label)
613{
614
615 if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
616 atomic_add_int(&destroy_count_ipq, 1);
616 SLOT(label) = EXMAGIC;
617 SLOT_SET(label, EXMAGIC);
617 } else if (SLOT(label) == EXMAGIC) {
618 DEBUGGER("mac_test_destroy_ipq: dup destroy");
619 } else {
620 DEBUGGER("mac_test_destroy_ipq: corrupted label");
621 }
622}
623
624static void
625mac_test_destroy_mbuf_label(struct label *label)
626{
627
628 /*
629 * If we're loaded dynamically, there may be mbufs in flight that
630 * didn't have label storage allocated for them. Handle this
631 * gracefully.
632 */
633 if (label == NULL)
634 return;
635
636 if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
637 atomic_add_int(&destroy_count_mbuf, 1);
618 } else if (SLOT(label) == EXMAGIC) {
619 DEBUGGER("mac_test_destroy_ipq: dup destroy");
620 } else {
621 DEBUGGER("mac_test_destroy_ipq: corrupted label");
622 }
623}
624
625static void
626mac_test_destroy_mbuf_label(struct label *label)
627{
628
629 /*
630 * If we're loaded dynamically, there may be mbufs in flight that
631 * didn't have label storage allocated for them. Handle this
632 * gracefully.
633 */
634 if (label == NULL)
635 return;
636
637 if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
638 atomic_add_int(&destroy_count_mbuf, 1);
638 SLOT(label) = EXMAGIC;
639 SLOT_SET(label, EXMAGIC);
639 } else if (SLOT(label) == EXMAGIC) {
640 DEBUGGER("mac_test_destroy_mbuf: dup destroy");
641 } else {
642 DEBUGGER("mac_test_destroy_mbuf: corrupted label");
643 }
644}
645
646static void
647mac_test_destroy_mount_label(struct label *label)
648{
649
650 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
651 atomic_add_int(&destroy_count_mount, 1);
640 } else if (SLOT(label) == EXMAGIC) {
641 DEBUGGER("mac_test_destroy_mbuf: dup destroy");
642 } else {
643 DEBUGGER("mac_test_destroy_mbuf: corrupted label");
644 }
645}
646
647static void
648mac_test_destroy_mount_label(struct label *label)
649{
650
651 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
652 atomic_add_int(&destroy_count_mount, 1);
652 SLOT(label) = EXMAGIC;
653 SLOT_SET(label, EXMAGIC);
653 } else if (SLOT(label) == EXMAGIC) {
654 DEBUGGER("mac_test_destroy_mount: dup destroy");
655 } else {
656 DEBUGGER("mac_test_destroy_mount: corrupted label");
657 }
658}
659
660static void
661mac_test_destroy_mount_fs_label(struct label *label)
662{
663
664 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
665 atomic_add_int(&destroy_count_mount_fslabel, 1);
654 } else if (SLOT(label) == EXMAGIC) {
655 DEBUGGER("mac_test_destroy_mount: dup destroy");
656 } else {
657 DEBUGGER("mac_test_destroy_mount: corrupted label");
658 }
659}
660
661static void
662mac_test_destroy_mount_fs_label(struct label *label)
663{
664
665 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
666 atomic_add_int(&destroy_count_mount_fslabel, 1);
666 SLOT(label) = EXMAGIC;
667 SLOT_SET(label, EXMAGIC);
667 } else if (SLOT(label) == EXMAGIC) {
668 DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy");
669 } else {
670 DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label");
671 }
672}
673
674static void
675mac_test_destroy_socket_label(struct label *label)
676{
677
678 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
679 atomic_add_int(&destroy_count_socket, 1);
668 } else if (SLOT(label) == EXMAGIC) {
669 DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy");
670 } else {
671 DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label");
672 }
673}
674
675static void
676mac_test_destroy_socket_label(struct label *label)
677{
678
679 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
680 atomic_add_int(&destroy_count_socket, 1);
680 SLOT(label) = EXMAGIC;
681 SLOT_SET(label, EXMAGIC);
681 } else if (SLOT(label) == EXMAGIC) {
682 DEBUGGER("mac_test_destroy_socket: dup destroy");
683 } else {
684 DEBUGGER("mac_test_destroy_socket: corrupted label");
685 }
686}
687
688static void
689mac_test_destroy_socket_peer_label(struct label *label)
690{
691
692 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
693 atomic_add_int(&destroy_count_socket_peerlabel, 1);
682 } else if (SLOT(label) == EXMAGIC) {
683 DEBUGGER("mac_test_destroy_socket: dup destroy");
684 } else {
685 DEBUGGER("mac_test_destroy_socket: corrupted label");
686 }
687}
688
689static void
690mac_test_destroy_socket_peer_label(struct label *label)
691{
692
693 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
694 atomic_add_int(&destroy_count_socket_peerlabel, 1);
694 SLOT(label) = EXMAGIC;
695 SLOT_SET(label, EXMAGIC);
695 } else if (SLOT(label) == EXMAGIC) {
696 DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy");
697 } else {
698 DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label");
699 }
700}
701
702static void
703mac_test_destroy_pipe_label(struct label *label)
704{
705
706 if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) {
707 atomic_add_int(&destroy_count_pipe, 1);
696 } else if (SLOT(label) == EXMAGIC) {
697 DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy");
698 } else {
699 DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label");
700 }
701}
702
703static void
704mac_test_destroy_pipe_label(struct label *label)
705{
706
707 if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) {
708 atomic_add_int(&destroy_count_pipe, 1);
708 SLOT(label) = EXMAGIC;
709 SLOT_SET(label, EXMAGIC);
709 } else if (SLOT(label) == EXMAGIC) {
710 DEBUGGER("mac_test_destroy_pipe: dup destroy");
711 } else {
712 DEBUGGER("mac_test_destroy_pipe: corrupted label");
713 }
714}
715
716static void
717mac_test_destroy_posix_sem_label(struct label *label)
718{
719
720 if ((SLOT(label) == POSIXSEMMAGIC || SLOT(label) == 0)) {
721 atomic_add_int(&destroy_count_posixsems, 1);
710 } else if (SLOT(label) == EXMAGIC) {
711 DEBUGGER("mac_test_destroy_pipe: dup destroy");
712 } else {
713 DEBUGGER("mac_test_destroy_pipe: corrupted label");
714 }
715}
716
717static void
718mac_test_destroy_posix_sem_label(struct label *label)
719{
720
721 if ((SLOT(label) == POSIXSEMMAGIC || SLOT(label) == 0)) {
722 atomic_add_int(&destroy_count_posixsems, 1);
722 SLOT(label) = EXMAGIC;
723 SLOT_SET(label, EXMAGIC);
723 } else if (SLOT(label) == EXMAGIC) {
724 DEBUGGER("mac_test_destroy_posix_sem: dup destroy");
725 } else {
726 DEBUGGER("mac_test_destroy_posix_sem: corrupted label");
727 }
728}
729
730static void
731mac_test_destroy_proc_label(struct label *label)
732{
733
734 if ((SLOT(label) == PROCMAGIC || SLOT(label) == 0)) {
735 atomic_add_int(&destroy_count_proc, 1);
724 } else if (SLOT(label) == EXMAGIC) {
725 DEBUGGER("mac_test_destroy_posix_sem: dup destroy");
726 } else {
727 DEBUGGER("mac_test_destroy_posix_sem: corrupted label");
728 }
729}
730
731static void
732mac_test_destroy_proc_label(struct label *label)
733{
734
735 if ((SLOT(label) == PROCMAGIC || SLOT(label) == 0)) {
736 atomic_add_int(&destroy_count_proc, 1);
736 SLOT(label) = EXMAGIC;
737 SLOT_SET(label, EXMAGIC);
737 } else if (SLOT(label) == EXMAGIC) {
738 DEBUGGER("mac_test_destroy_proc: dup destroy");
739 } else {
740 DEBUGGER("mac_test_destroy_proc: corrupted label");
741 }
742}
743
744static void
745mac_test_destroy_vnode_label(struct label *label)
746{
747
748 if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
749 atomic_add_int(&destroy_count_vnode, 1);
738 } else if (SLOT(label) == EXMAGIC) {
739 DEBUGGER("mac_test_destroy_proc: dup destroy");
740 } else {
741 DEBUGGER("mac_test_destroy_proc: corrupted label");
742 }
743}
744
745static void
746mac_test_destroy_vnode_label(struct label *label)
747{
748
749 if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
750 atomic_add_int(&destroy_count_vnode, 1);
750 SLOT(label) = EXMAGIC;
751 SLOT_SET(label, EXMAGIC);
751 } else if (SLOT(label) == EXMAGIC) {
752 DEBUGGER("mac_test_destroy_vnode: dup destroy");
753 } else {
754 DEBUGGER("mac_test_destroy_vnode: corrupted label");
755 }
756}
757
758static void
759mac_test_copy_cred_label(struct label *src, struct label *dest)
760{
761
762 ASSERT_CRED_LABEL(src);
763 ASSERT_CRED_LABEL(dest);
764}
765
766static void
767mac_test_copy_ifnet_label(struct label *src, struct label *dest)
768{
769
770 ASSERT_IFNET_LABEL(src);
771 ASSERT_IFNET_LABEL(dest);
772}
773
774static void
775mac_test_copy_mbuf_label(struct label *src, struct label *dest)
776{
777
778 ASSERT_MBUF_LABEL(src);
779 ASSERT_MBUF_LABEL(dest);
780}
781
782static void
783mac_test_copy_pipe_label(struct label *src, struct label *dest)
784{
785
786 ASSERT_PIPE_LABEL(src);
787 ASSERT_PIPE_LABEL(dest);
788}
789
790static void
791mac_test_copy_socket_label(struct label *src, struct label *dest)
792{
793
794 ASSERT_SOCKET_LABEL(src);
795 ASSERT_SOCKET_LABEL(dest);
796}
797
798static void
799mac_test_copy_vnode_label(struct label *src, struct label *dest)
800{
801
802 ASSERT_VNODE_LABEL(src);
803 ASSERT_VNODE_LABEL(dest);
804}
805
806static int
807mac_test_externalize_label(struct label *label, char *element_name,
808 struct sbuf *sb, int *claimed)
809{
810
811 atomic_add_int(&externalize_count, 1);
812
813 KASSERT(SLOT(label) != EXMAGIC,
814 ("mac_test_externalize_label: destroyed label"));
815
816 return (0);
817}
818
819static int
820mac_test_internalize_label(struct label *label, char *element_name,
821 char *element_data, int *claimed)
822{
823
824 atomic_add_int(&internalize_count, 1);
825
826 KASSERT(SLOT(label) != EXMAGIC,
827 ("mac_test_internalize_label: destroyed label"));
828
829 return (0);
830}
831
832/*
833 * Labeling event operations: file system objects, and things that look
834 * a lot like file system objects.
835 */
836static void
837mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
838 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
839 struct label *vlabel)
840{
841
842 ASSERT_MOUNT_LABEL(fslabel);
843 ASSERT_DEVFS_LABEL(delabel);
844 ASSERT_VNODE_LABEL(vlabel);
845}
846
847static int
848mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
849 struct vnode *vp, struct label *vlabel)
850{
851
852 ASSERT_MOUNT_LABEL(fslabel);
853 ASSERT_VNODE_LABEL(vlabel);
854 return (0);
855}
856
857static void
858mac_test_associate_vnode_singlelabel(struct mount *mp,
859 struct label *fslabel, struct vnode *vp, struct label *vlabel)
860{
861
862 ASSERT_MOUNT_LABEL(fslabel);
863 ASSERT_VNODE_LABEL(vlabel);
864}
865
866static void
867mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
868 struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
869{
870
871 if (cred != NULL) {
872 ASSERT_CRED_LABEL(cred->cr_label);
873 }
874 ASSERT_DEVFS_LABEL(label);
875}
876
877static void
878mac_test_create_devfs_directory(struct mount *mp, char *dirname,
879 int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
880{
881
882 ASSERT_DEVFS_LABEL(label);
883}
884
885static void
886mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
887 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
888 struct label *delabel)
889{
890
891 ASSERT_CRED_LABEL(cred->cr_label);
892 ASSERT_DEVFS_LABEL(ddlabel);
893 ASSERT_DEVFS_LABEL(delabel);
894}
895
896static int
897mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
898 struct label *fslabel, struct vnode *dvp, struct label *dlabel,
899 struct vnode *vp, struct label *vlabel, struct componentname *cnp)
900{
901
902 ASSERT_CRED_LABEL(cred->cr_label);
903 ASSERT_MOUNT_LABEL(fslabel);
904 ASSERT_VNODE_LABEL(dlabel);
905
906 return (0);
907}
908
909static void
910mac_test_create_mount(struct ucred *cred, struct mount *mp,
911 struct label *mntlabel, struct label *fslabel)
912{
913
914 ASSERT_CRED_LABEL(cred->cr_label);
915 ASSERT_MOUNT_LABEL(mntlabel);
916 ASSERT_MOUNT_LABEL(fslabel);
917}
918
919static void
920mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
921 struct label *vnodelabel, struct label *label)
922{
923
924 ASSERT_CRED_LABEL(cred->cr_label);
925 ASSERT_VNODE_LABEL(vnodelabel);
926 ASSERT_VNODE_LABEL(label);
927}
928
929static int
930mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
931 struct label *vlabel, struct label *intlabel)
932{
933
934 ASSERT_CRED_LABEL(cred->cr_label);
935 ASSERT_VNODE_LABEL(vlabel);
936 ASSERT_VNODE_LABEL(intlabel);
937 return (0);
938}
939
940static void
941mac_test_update_devfsdirent(struct mount *mp,
942 struct devfs_dirent *devfs_dirent, struct label *direntlabel,
943 struct vnode *vp, struct label *vnodelabel)
944{
945
946 ASSERT_DEVFS_LABEL(direntlabel);
947 ASSERT_VNODE_LABEL(vnodelabel);
948}
949
950/*
951 * Labeling event operations: IPC object.
952 */
953static void
954mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
955 struct mbuf *m, struct label *mbuflabel)
956{
957
958 ASSERT_SOCKET_LABEL(socketlabel);
959 ASSERT_MBUF_LABEL(mbuflabel);
960}
961
962static void
963mac_test_create_socket(struct ucred *cred, struct socket *socket,
964 struct label *socketlabel)
965{
966
967 ASSERT_CRED_LABEL(cred->cr_label);
968 ASSERT_SOCKET_LABEL(socketlabel);
969}
970
971static void
972mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
973 struct label *pipelabel)
974{
975
976 ASSERT_CRED_LABEL(cred->cr_label);
977 ASSERT_PIPE_LABEL(pipelabel);
978}
979
980static void
981mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem,
982 struct label *posixlabel)
983{
984
985 ASSERT_CRED_LABEL(cred->cr_label);
986 ASSERT_POSIX_LABEL(posixlabel);
987}
988
989static void
990mac_test_create_socket_from_socket(struct socket *oldsocket,
991 struct label *oldsocketlabel, struct socket *newsocket,
992 struct label *newsocketlabel)
993{
994
995 ASSERT_SOCKET_LABEL(oldsocketlabel);
996 ASSERT_SOCKET_LABEL(newsocketlabel);
997}
998
999static void
1000mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
1001 struct label *socketlabel, struct label *newlabel)
1002{
1003
1004 ASSERT_CRED_LABEL(cred->cr_label);
1005 ASSERT_SOCKET_LABEL(newlabel);
1006}
1007
1008static void
1009mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
1010 struct label *pipelabel, struct label *newlabel)
1011{
1012
1013 ASSERT_CRED_LABEL(cred->cr_label);
1014 ASSERT_PIPE_LABEL(pipelabel);
1015 ASSERT_PIPE_LABEL(newlabel);
1016}
1017
1018static void
1019mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
1020 struct socket *socket, struct label *socketpeerlabel)
1021{
1022
1023 ASSERT_MBUF_LABEL(mbuflabel);
1024 ASSERT_SOCKET_LABEL(socketpeerlabel);
1025}
1026
1027/*
1028 * Labeling event operations: network objects.
1029 */
1030static void
1031mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
1032 struct label *oldsocketlabel, struct socket *newsocket,
1033 struct label *newsocketpeerlabel)
1034{
1035
1036 ASSERT_SOCKET_LABEL(oldsocketlabel);
1037 ASSERT_SOCKET_LABEL(newsocketpeerlabel);
1038}
1039
1040static void
1041mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
1042 struct label *bpflabel)
1043{
1044
1045 ASSERT_CRED_LABEL(cred->cr_label);
1046 ASSERT_BPF_LABEL(bpflabel);
1047}
1048
1049static void
1050mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
1051 struct mbuf *datagram, struct label *datagramlabel)
1052{
1053
1054 ASSERT_IPQ_LABEL(ipqlabel);
1055 ASSERT_MBUF_LABEL(datagramlabel);
1056}
1057
1058static void
1059mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
1060 struct mbuf *fragment, struct label *fragmentlabel)
1061{
1062
1063 ASSERT_MBUF_LABEL(datagramlabel);
1064 ASSERT_MBUF_LABEL(fragmentlabel);
1065}
1066
1067static void
1068mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
1069{
1070
1071 ASSERT_IFNET_LABEL(ifnetlabel);
1072}
1073
1074static void
1075mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
1076 struct inpcb *inp, struct label *inplabel)
1077{
1078
1079 ASSERT_SOCKET_LABEL(solabel);
1080 ASSERT_INPCB_LABEL(inplabel);
1081}
1082
1083static void
1084mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
1085 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
1086{
1087
1088 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1089 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
1090}
1091
1092static void
1093mac_test_create_sysv_msgqueue(struct ucred *cred,
1094 struct msqid_kernel *msqkptr, struct label *msqlabel)
1095{
1096
1097 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
1098}
1099
1100static void
1101mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
1102 struct label *semalabel)
1103{
1104
1105 ASSERT_SYSVIPCSEM_LABEL(semalabel);
1106}
1107
1108static void
1109mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
1110 struct label *shmlabel)
1111{
1112
1113 ASSERT_SYSVIPCSHM_LABEL(shmlabel);
1114}
1115
1116static void
1117mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1118 struct ipq *ipq, struct label *ipqlabel)
1119{
1120
1121 ASSERT_MBUF_LABEL(fragmentlabel);
1122 ASSERT_IPQ_LABEL(ipqlabel);
1123}
1124
1125static void
1126mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
1127 struct mbuf *m, struct label *mlabel)
1128{
1129
1130 ASSERT_INPCB_LABEL(inplabel);
1131 ASSERT_MBUF_LABEL(mlabel);
1132}
1133
1134static void
1135mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
1136 struct mbuf *mbuf, struct label *mbuflabel)
1137{
1138
1139 ASSERT_IFNET_LABEL(ifnetlabel);
1140 ASSERT_MBUF_LABEL(mbuflabel);
1141}
1142
1143static void
1144mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
1145 struct mbuf *mbuf, struct label *mbuflabel)
1146{
1147
1148 ASSERT_BPF_LABEL(bpflabel);
1149 ASSERT_MBUF_LABEL(mbuflabel);
1150}
1151
1152static void
1153mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
1154 struct mbuf *m, struct label *mbuflabel)
1155{
1156
1157 ASSERT_IFNET_LABEL(ifnetlabel);
1158 ASSERT_MBUF_LABEL(mbuflabel);
1159}
1160
1161static void
1162mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
1163 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
1164 struct mbuf *newmbuf, struct label *newmbuflabel)
1165{
1166
1167 ASSERT_MBUF_LABEL(oldmbuflabel);
1168 ASSERT_IFNET_LABEL(ifnetlabel);
1169 ASSERT_MBUF_LABEL(newmbuflabel);
1170}
1171
1172static void
1173mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
1174 struct label *oldmbuflabel, struct mbuf *newmbuf,
1175 struct label *newmbuflabel)
1176{
1177
1178 ASSERT_MBUF_LABEL(oldmbuflabel);
1179 ASSERT_MBUF_LABEL(newmbuflabel);
1180}
1181
1182static int
1183mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
1184 struct ipq *ipq, struct label *ipqlabel)
1185{
1186
1187 ASSERT_MBUF_LABEL(fragmentlabel);
1188 ASSERT_IPQ_LABEL(ipqlabel);
1189
1190 return (1);
1191}
1192
1193static void
1194mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
1195{
1196
1197 ASSERT_MBUF_LABEL(mlabel);
1198}
1199
1200static void
1201mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
1202{
1203
1204 ASSERT_MBUF_LABEL(mlabel);
1205}
1206
1207static void
1208mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1209 struct label *ifnetlabel, struct label *newlabel)
1210{
1211
1212 ASSERT_CRED_LABEL(cred->cr_label);
1213 ASSERT_IFNET_LABEL(ifnetlabel);
1214 ASSERT_IFNET_LABEL(newlabel);
1215}
1216
1217static void
1218mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1219 struct ipq *ipq, struct label *ipqlabel)
1220{
1221
1222 ASSERT_MBUF_LABEL(fragmentlabel);
1223 ASSERT_IPQ_LABEL(ipqlabel);
1224}
1225
1226static void
1227mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1228 struct inpcb *inp, struct label *inplabel)
1229{
1230
1231 ASSERT_SOCKET_LABEL(solabel);
1232 ASSERT_INPCB_LABEL(inplabel);
1233}
1234
1235/*
1236 * Labeling event operations: processes.
1237 */
1238static void
1239mac_test_execve_transition(struct ucred *old, struct ucred *new,
1240 struct vnode *vp, struct label *filelabel,
1241 struct label *interpvnodelabel, struct image_params *imgp,
1242 struct label *execlabel)
1243{
1244
1245 ASSERT_CRED_LABEL(old->cr_label);
1246 ASSERT_CRED_LABEL(new->cr_label);
1247 ASSERT_VNODE_LABEL(filelabel);
1248 if (interpvnodelabel != NULL) {
1249 ASSERT_VNODE_LABEL(interpvnodelabel);
1250 }
1251 if (execlabel != NULL) {
1252 ASSERT_CRED_LABEL(execlabel);
1253 }
1254}
1255
1256static int
1257mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
1258 struct label *filelabel, struct label *interpvnodelabel,
1259 struct image_params *imgp, struct label *execlabel)
1260{
1261
1262 ASSERT_CRED_LABEL(old->cr_label);
1263 ASSERT_VNODE_LABEL(filelabel);
1264 if (interpvnodelabel != NULL) {
1265 ASSERT_VNODE_LABEL(interpvnodelabel);
1266 }
1267 if (execlabel != NULL) {
1268 ASSERT_CRED_LABEL(execlabel);
1269 }
1270
1271 return (0);
1272}
1273
1274static void
1275mac_test_create_proc0(struct ucred *cred)
1276{
1277
1278 ASSERT_CRED_LABEL(cred->cr_label);
1279}
1280
1281static void
1282mac_test_create_proc1(struct ucred *cred)
1283{
1284
1285 ASSERT_CRED_LABEL(cred->cr_label);
1286}
1287
1288static void
1289mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
1290{
1291
1292 ASSERT_CRED_LABEL(cred->cr_label);
1293 ASSERT_CRED_LABEL(newlabel);
1294}
1295
1296static void
1297mac_test_thread_userret(struct thread *td)
1298{
1299
1300 printf("mac_test_thread_userret(process = %d)\n",
1301 curthread->td_proc->p_pid);
1302}
1303
1304/*
1305 * Label cleanup/flush operations
1306 */
1307static void
1308mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
1309{
1310
1311 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1312}
1313
1314static void
1315mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
1316{
1317
1318 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
1319}
1320
1321static void
1322mac_test_cleanup_sysv_sem(struct label *semalabel)
1323{
1324
1325 ASSERT_SYSVIPCSEM_LABEL(semalabel);
1326}
1327
1328static void
1329mac_test_cleanup_sysv_shm(struct label *shmlabel)
1330{
1331
1332 ASSERT_SYSVIPCSHM_LABEL(shmlabel);
1333}
1334
1335/*
1336 * Access control checks.
1337 */
1338static int
1339mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1340 struct ifnet *ifnet, struct label *ifnetlabel)
1341{
1342
1343 ASSERT_BPF_LABEL(bpflabel);
1344 ASSERT_IFNET_LABEL(ifnetlabel);
1345
1346 return (0);
1347}
1348
1349static int
1350mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1351{
1352
1353 ASSERT_CRED_LABEL(cred->cr_label);
1354 ASSERT_CRED_LABEL(newlabel);
1355
1356 return (0);
1357}
1358
1359static int
1360mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
1361{
1362
1363 ASSERT_CRED_LABEL(u1->cr_label);
1364 ASSERT_CRED_LABEL(u2->cr_label);
1365
1366 return (0);
1367}
1368
1369static int
1370mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1371 struct label *ifnetlabel, struct label *newlabel)
1372{
1373
1374 ASSERT_CRED_LABEL(cred->cr_label);
1375 ASSERT_IFNET_LABEL(ifnetlabel);
1376 ASSERT_IFNET_LABEL(newlabel);
1377 return (0);
1378}
1379
1380static int
1381mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1382 struct mbuf *m, struct label *mbuflabel)
1383{
1384
1385 ASSERT_IFNET_LABEL(ifnetlabel);
1386 ASSERT_MBUF_LABEL(mbuflabel);
1387
1388 return (0);
1389}
1390
1391static int
1392mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
1393 struct mbuf *m, struct label *mlabel)
1394{
1395
1396 ASSERT_INPCB_LABEL(inplabel);
1397 ASSERT_MBUF_LABEL(mlabel);
1398
1399 return (0);
1400}
1401
1402static int
1403mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
1404 struct label *msglabel, struct msqid_kernel *msqkptr,
1405 struct label *msqklabel)
1406{
1407
1408 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1409 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1410 ASSERT_CRED_LABEL(cred->cr_label);
1411
1412 return (0);
1413}
1414
1415static int
1416mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
1417 struct label *msglabel)
1418{
1419
1420 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1421 ASSERT_CRED_LABEL(cred->cr_label);
1422
1423 return (0);
1424}
1425
1426
1427static int
1428mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
1429 struct label *msglabel)
1430{
1431
1432 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1433 ASSERT_CRED_LABEL(cred->cr_label);
1434
1435 return (0);
1436}
1437
1438static int
1439mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
1440 struct label *msqklabel)
1441{
1442
1443 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1444 ASSERT_CRED_LABEL(cred->cr_label);
1445
1446 return (0);
1447}
1448
1449static int
1450mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
1451 struct label *msqklabel)
1452{
1453
1454 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1455 ASSERT_CRED_LABEL(cred->cr_label);
1456
1457 return (0);
1458}
1459
1460static int
1461mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
1462 struct label *msqklabel)
1463{
1464
1465 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1466 ASSERT_CRED_LABEL(cred->cr_label);
1467
1468 return (0);
1469}
1470
1471static int
1472mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
1473 struct label *msqklabel, int cmd)
1474{
1475
1476 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1477 ASSERT_CRED_LABEL(cred->cr_label);
1478
1479 return (0);
1480}
1481
1482static int
1483mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
1484 struct label *semaklabel, int cmd)
1485{
1486
1487 ASSERT_CRED_LABEL(cred->cr_label);
1488 ASSERT_SYSVIPCSEM_LABEL(semaklabel);
1489
1490 return (0);
1491}
1492
1493static int
1494mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
1495 struct label *semaklabel)
1496{
1497
1498 ASSERT_CRED_LABEL(cred->cr_label);
1499 ASSERT_SYSVIPCSEM_LABEL(semaklabel);
1500
1501 return (0);
1502}
1503
1504static int
1505mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
1506 struct label *semaklabel, size_t accesstype)
1507{
1508
1509 ASSERT_CRED_LABEL(cred->cr_label);
1510 ASSERT_SYSVIPCSEM_LABEL(semaklabel);
1511
1512 return (0);
1513}
1514
1515static int
1516mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
1517 struct label *shmseglabel, int shmflg)
1518{
1519
1520 ASSERT_CRED_LABEL(cred->cr_label);
1521 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1522
1523 return (0);
1524}
1525
1526static int
1527mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
1528 struct label *shmseglabel, int cmd)
1529{
1530
1531 ASSERT_CRED_LABEL(cred->cr_label);
1532 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1533
1534 return (0);
1535}
1536
1537static int
1538mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
1539 struct label *shmseglabel)
1540{
1541
1542 ASSERT_CRED_LABEL(cred->cr_label);
1543 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1544
1545 return (0);
1546}
1547
1548static int
1549mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
1550 struct label *shmseglabel, int shmflg)
1551{
1552
1553 ASSERT_CRED_LABEL(cred->cr_label);
1554 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1555
1556 return (0);
1557}
1558
1559static int
1560mac_test_check_kenv_dump(struct ucred *cred)
1561{
1562
1563 ASSERT_CRED_LABEL(cred->cr_label);
1564
1565 return (0);
1566}
1567
1568static int
1569mac_test_check_kenv_get(struct ucred *cred, char *name)
1570{
1571
1572 ASSERT_CRED_LABEL(cred->cr_label);
1573
1574 return (0);
1575}
1576
1577static int
1578mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
1579{
1580
1581 ASSERT_CRED_LABEL(cred->cr_label);
1582
1583 return (0);
1584}
1585
1586static int
1587mac_test_check_kenv_unset(struct ucred *cred, char *name)
1588{
1589
1590 ASSERT_CRED_LABEL(cred->cr_label);
1591
1592 return (0);
1593}
1594
1595static int
1596mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
1597 struct label *label)
1598{
1599
1600 ASSERT_CRED_LABEL(cred->cr_label);
1601 ASSERT_VNODE_LABEL(label);
1602
1603 return (0);
1604}
1605
1606static int
1607mac_test_check_kld_stat(struct ucred *cred)
1608{
1609
1610 ASSERT_CRED_LABEL(cred->cr_label);
1611
1612 return (0);
1613}
1614
1615static int
1616mac_test_check_kld_unload(struct ucred *cred)
1617{
1618
1619 ASSERT_CRED_LABEL(cred->cr_label);
1620
1621 return (0);
1622}
1623
1624static int
1625mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
1626 struct label *mntlabel)
1627{
1628
1629 ASSERT_CRED_LABEL(cred->cr_label);
1630 ASSERT_MOUNT_LABEL(mntlabel);
1631
1632 return (0);
1633}
1634
1635static int
1636mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
1637 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1638{
1639
1640 ASSERT_CRED_LABEL(cred->cr_label);
1641 ASSERT_PIPE_LABEL(pipelabel);
1642
1643 return (0);
1644}
1645
1646static int
1647mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
1648 struct label *pipelabel)
1649{
1650
1651 ASSERT_CRED_LABEL(cred->cr_label);
1652 ASSERT_PIPE_LABEL(pipelabel);
1653
1654 return (0);
1655}
1656
1657static int
1658mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
1659 struct label *pipelabel)
1660{
1661
1662 ASSERT_CRED_LABEL(cred->cr_label);
1663 ASSERT_PIPE_LABEL(pipelabel);
1664
1665 return (0);
1666}
1667
1668static int
1669mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1670 struct label *pipelabel, struct label *newlabel)
1671{
1672
1673 ASSERT_CRED_LABEL(cred->cr_label);
1674 ASSERT_PIPE_LABEL(pipelabel);
1675 ASSERT_PIPE_LABEL(newlabel);
1676
1677 return (0);
1678}
1679
1680static int
1681mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
1682 struct label *pipelabel)
1683{
1684
1685 ASSERT_CRED_LABEL(cred->cr_label);
1686 ASSERT_PIPE_LABEL(pipelabel);
1687
1688 return (0);
1689}
1690
1691static int
1692mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
1693 struct label *pipelabel)
1694{
1695
1696 ASSERT_CRED_LABEL(cred->cr_label);
1697 ASSERT_PIPE_LABEL(pipelabel);
1698
1699 return (0);
1700}
1701
1702static int
1703mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr,
1704 struct label *ks_label)
1705{
1706
1707 ASSERT_CRED_LABEL(cred->cr_label);
1708 ASSERT_POSIX_LABEL(ks_label);
1709
1710 return (0);
1711}
1712
1713static int
1714mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
1715{
1716
1717 ASSERT_CRED_LABEL(cred->cr_label);
1718 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1719
1720 return (0);
1721}
1722
1723static int
1724mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
1725{
1726
1727 ASSERT_CRED_LABEL(cred->cr_label);
1728 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1729
1730 return (0);
1731}
1732
1733static int
1734mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
1735{
1736
1737 ASSERT_CRED_LABEL(cred->cr_label);
1738 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1739
1740 return (0);
1741}
1742
1743static int
1744mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
1745{
1746
1747 ASSERT_CRED_LABEL(cred->cr_label);
1748
1749 return (0);
1750}
1751
1752static int
1753mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
1754{
1755
1756 ASSERT_CRED_LABEL(cred->cr_label);
1757
1758 return (0);
1759}
1760
1761static int
1762mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
1763{
1764
1765 ASSERT_CRED_LABEL(cred->cr_label);
1766
1767 return (0);
1768}
1769
1770static int
1771mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
1772{
1773
1774 ASSERT_CRED_LABEL(cred->cr_label);
1775
1776 return (0);
1777}
1778
1779static int
1780mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
1781 gid_t *gidset)
1782{
1783
1784 ASSERT_CRED_LABEL(cred->cr_label);
1785
1786 return (0);
1787}
1788
1789static int
1790mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
1791{
1792
1793 ASSERT_CRED_LABEL(cred->cr_label);
1794
1795 return (0);
1796}
1797
1798static int
1799mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
1800{
1801
1802 ASSERT_CRED_LABEL(cred->cr_label);
1803
1804 return (0);
1805}
1806
1807static int
1808mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
1809 uid_t suid)
1810{
1811
1812 ASSERT_CRED_LABEL(cred->cr_label);
1813
1814 return (0);
1815}
1816
1817static int
1818mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
1819 gid_t sgid)
1820{
1821
1822 ASSERT_CRED_LABEL(cred->cr_label);
1823
1824 return (0);
1825}
1826
1827static int
1828mac_test_check_proc_wait(struct ucred *cred, struct proc *proc)
1829{
1830
1831 ASSERT_CRED_LABEL(cred->cr_label);
1832 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1833
1834 return (0);
1835}
1836
1837static int
1838mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
1839 struct label *socketlabel)
1840{
1841
1842 ASSERT_CRED_LABEL(cred->cr_label);
1843 ASSERT_SOCKET_LABEL(socketlabel);
1844
1845 return (0);
1846}
1847
1848static int
1849mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
1850 struct label *socketlabel, struct sockaddr *sockaddr)
1851{
1852
1853 ASSERT_CRED_LABEL(cred->cr_label);
1854 ASSERT_SOCKET_LABEL(socketlabel);
1855
1856 return (0);
1857}
1858
1859static int
1860mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
1861 struct label *socketlabel, struct sockaddr *sockaddr)
1862{
1863
1864 ASSERT_CRED_LABEL(cred->cr_label);
1865 ASSERT_SOCKET_LABEL(socketlabel);
1866
1867 return (0);
1868}
1869
1870static int
1871mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
1872 struct mbuf *m, struct label *mbuflabel)
1873{
1874
1875 ASSERT_SOCKET_LABEL(socketlabel);
1876 ASSERT_MBUF_LABEL(mbuflabel);
1877
1878 return (0);
1879}
1880
1881static int
1882mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
1883 struct label *socketlabel)
1884{
1885
1886 ASSERT_CRED_LABEL(cred->cr_label);
1887 ASSERT_SOCKET_LABEL(socketlabel);
1888
1889 return (0);
1890}
1891
1892static int
1893mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
1894 struct label *socketlabel)
1895{
1896
1897 ASSERT_CRED_LABEL(cred->cr_label);
1898 ASSERT_SOCKET_LABEL(socketlabel);
1899
1900 return (0);
1901}
1902
1903static int
1904mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
1905 struct label *socketlabel)
1906{
1907
1908 ASSERT_CRED_LABEL(cred->cr_label);
1909 ASSERT_SOCKET_LABEL(socketlabel);
1910
1911 return (0);
1912}
1913
1914static int
1915mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
1916 struct label *socketlabel, struct label *newlabel)
1917{
1918
1919 ASSERT_CRED_LABEL(cred->cr_label);
1920 ASSERT_SOCKET_LABEL(socketlabel);
1921 ASSERT_SOCKET_LABEL(newlabel);
1922
1923 return (0);
1924}
1925
1926static int
1927mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
1928 struct label *socketlabel)
1929{
1930
1931 ASSERT_CRED_LABEL(cred->cr_label);
1932 ASSERT_SOCKET_LABEL(socketlabel);
1933
1934 return (0);
1935}
1936
1937static int
1938mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
1939 struct label *socketlabel)
1940{
1941
1942 ASSERT_CRED_LABEL(cred->cr_label);
1943 ASSERT_SOCKET_LABEL(socketlabel);
1944
1945 return (0);
1946}
1947
1948static int
1949mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
1950 struct label *socketlabel)
1951{
1952
1953 ASSERT_CRED_LABEL(cred->cr_label);
1954 ASSERT_SOCKET_LABEL(socketlabel);
1955
1956 return (0);
1957}
1958
1959static int
1960mac_test_check_sysarch_ioperm(struct ucred *cred)
1961{
1962
1963 ASSERT_CRED_LABEL(cred->cr_label);
1964
1965 return (0);
1966}
1967
1968static int
1969mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
1970 struct label *label)
1971{
1972
1973 ASSERT_CRED_LABEL(cred->cr_label);
1974
1975 return (0);
1976}
1977
1978static int
1979mac_test_check_system_reboot(struct ucred *cred, int how)
1980{
1981
1982 ASSERT_CRED_LABEL(cred->cr_label);
1983
1984 return (0);
1985}
1986
1987static int
1988mac_test_check_system_settime(struct ucred *cred)
1989{
1990
1991 ASSERT_CRED_LABEL(cred->cr_label);
1992
1993 return (0);
1994}
1995
1996static int
1997mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
1998 struct label *label)
1999{
2000
2001 ASSERT_CRED_LABEL(cred->cr_label);
2002 ASSERT_VNODE_LABEL(label);
2003
2004 return (0);
2005}
2006
2007static int
2008mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
2009 struct label *label)
2010{
2011
2012 ASSERT_CRED_LABEL(cred->cr_label);
2013 ASSERT_VNODE_LABEL(label);
2014
2015 return (0);
2016}
2017
2018static int
2019mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2020 void *arg1, int arg2, struct sysctl_req *req)
2021{
2022
2023 ASSERT_CRED_LABEL(cred->cr_label);
2024
2025 return (0);
2026}
2027
2028static int
2029mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
2030 struct label *label, int acc_mode)
2031{
2032
2033 ASSERT_CRED_LABEL(cred->cr_label);
2034 ASSERT_VNODE_LABEL(label);
2035
2036 return (0);
2037}
2038
2039static int
2040mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
2041 struct label *dlabel)
2042{
2043
2044 ASSERT_CRED_LABEL(cred->cr_label);
2045 ASSERT_VNODE_LABEL(dlabel);
2046
2047 return (0);
2048}
2049
2050static int
2051mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
2052 struct label *dlabel)
2053{
2054
2055 ASSERT_CRED_LABEL(cred->cr_label);
2056 ASSERT_VNODE_LABEL(dlabel);
2057
2058 return (0);
2059}
2060
2061static int
2062mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
2063 struct label *dlabel, struct componentname *cnp, struct vattr *vap)
2064{
2065
2066 ASSERT_CRED_LABEL(cred->cr_label);
2067 ASSERT_VNODE_LABEL(dlabel);
2068
2069 return (0);
2070}
2071
2072static int
2073mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
2074 struct label *dlabel, struct vnode *vp, struct label *label,
2075 struct componentname *cnp)
2076{
2077
2078 ASSERT_CRED_LABEL(cred->cr_label);
2079 ASSERT_VNODE_LABEL(dlabel);
2080 ASSERT_VNODE_LABEL(label);
2081
2082 return (0);
2083}
2084
2085static int
2086mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
2087 struct label *label, acl_type_t type)
2088{
2089
2090 ASSERT_CRED_LABEL(cred->cr_label);
2091 ASSERT_VNODE_LABEL(label);
2092
2093 return (0);
2094}
2095
2096static int
2097mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
2098 struct label *label, int attrnamespace, const char *name)
2099{
2100
2101 ASSERT_CRED_LABEL(cred->cr_label);
2102 ASSERT_VNODE_LABEL(label);
2103
2104 return (0);
2105}
2106
2107static int
2108mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
2109 struct label *label, struct image_params *imgp,
2110 struct label *execlabel)
2111{
2112
2113 ASSERT_CRED_LABEL(cred->cr_label);
2114 ASSERT_VNODE_LABEL(label);
2115 if (execlabel != NULL) {
2116 ASSERT_CRED_LABEL(execlabel);
2117 }
2118
2119 return (0);
2120}
2121
2122static int
2123mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
2124 struct label *label, acl_type_t type)
2125{
2126
2127 ASSERT_CRED_LABEL(cred->cr_label);
2128 ASSERT_VNODE_LABEL(label);
2129
2130 return (0);
2131}
2132
2133static int
2134mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
2135 struct label *label, int attrnamespace, const char *name, struct uio *uio)
2136{
2137
2138 ASSERT_CRED_LABEL(cred->cr_label);
2139 ASSERT_VNODE_LABEL(label);
2140
2141 return (0);
2142}
2143
2144static int
2145mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
2146 struct label *dlabel, struct vnode *vp, struct label *label,
2147 struct componentname *cnp)
2148{
2149
2150 ASSERT_CRED_LABEL(cred->cr_label);
2151 ASSERT_VNODE_LABEL(dlabel);
2152 ASSERT_VNODE_LABEL(label);
2153
2154 return (0);
2155}
2156
2157static int
2158mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
2159 struct label *label, int attrnamespace)
2160{
2161
2162 ASSERT_CRED_LABEL(cred->cr_label);
2163 ASSERT_VNODE_LABEL(label);
2164
2165 return (0);
2166}
2167
2168static int
2169mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
2170 struct label *dlabel, struct componentname *cnp)
2171{
2172
2173 ASSERT_CRED_LABEL(cred->cr_label);
2174 ASSERT_VNODE_LABEL(dlabel);
2175
2176 return (0);
2177}
2178
2179static int
2180mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
2181 struct label *label, int prot, int flags)
2182{
2183
2184 ASSERT_CRED_LABEL(cred->cr_label);
2185 ASSERT_VNODE_LABEL(label);
2186
2187 return (0);
2188}
2189
2190static int
2191mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
2192 struct label *filelabel, int acc_mode)
2193{
2194
2195 ASSERT_CRED_LABEL(cred->cr_label);
2196 ASSERT_VNODE_LABEL(filelabel);
2197
2198 return (0);
2199}
2200
2201static int
2202mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
2203 struct vnode *vp, struct label *label)
2204{
2205
2206 ASSERT_CRED_LABEL(active_cred->cr_label);
2207 ASSERT_CRED_LABEL(file_cred->cr_label);
2208 ASSERT_VNODE_LABEL(label);
2209
2210 return (0);
2211}
2212
2213static int
2214mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2215 struct vnode *vp, struct label *label)
2216{
2217
2218 ASSERT_CRED_LABEL(active_cred->cr_label);
2219 if (file_cred != NULL) {
2220 ASSERT_CRED_LABEL(file_cred->cr_label);
2221 }
2222 ASSERT_VNODE_LABEL(label);
2223
2224 return (0);
2225}
2226
2227static int
2228mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
2229 struct label *dlabel)
2230{
2231
2232 ASSERT_CRED_LABEL(cred->cr_label);
2233 ASSERT_VNODE_LABEL(dlabel);
2234
2235 return (0);
2236}
2237
2238static int
2239mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
2240 struct label *vnodelabel)
2241{
2242
2243 ASSERT_CRED_LABEL(cred->cr_label);
2244 ASSERT_VNODE_LABEL(vnodelabel);
2245
2246 return (0);
2247}
2248
2249static int
2250mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2251 struct label *vnodelabel, struct label *newlabel)
2252{
2253
2254 ASSERT_CRED_LABEL(cred->cr_label);
2255 ASSERT_VNODE_LABEL(vnodelabel);
2256 ASSERT_VNODE_LABEL(newlabel);
2257
2258 return (0);
2259}
2260
2261static int
2262mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2263 struct label *dlabel, struct vnode *vp, struct label *label,
2264 struct componentname *cnp)
2265{
2266
2267 ASSERT_CRED_LABEL(cred->cr_label);
2268 ASSERT_VNODE_LABEL(dlabel);
2269 ASSERT_VNODE_LABEL(label);
2270
2271 return (0);
2272}
2273
2274static int
2275mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2276 struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
2277 struct componentname *cnp)
2278{
2279
2280 ASSERT_CRED_LABEL(cred->cr_label);
2281 ASSERT_VNODE_LABEL(dlabel);
2282
2283 if (vp != NULL) {
2284 ASSERT_VNODE_LABEL(label);
2285 }
2286
2287 return (0);
2288}
2289
2290static int
2291mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
2292 struct label *label)
2293{
2294
2295 ASSERT_CRED_LABEL(cred->cr_label);
2296 ASSERT_VNODE_LABEL(label);
2297
2298 return (0);
2299}
2300
2301static int
2302mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
2303 struct label *label, acl_type_t type, struct acl *acl)
2304{
2305
2306 ASSERT_CRED_LABEL(cred->cr_label);
2307 ASSERT_VNODE_LABEL(label);
2308
2309 return (0);
2310}
2311
2312static int
2313mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2314 struct label *label, int attrnamespace, const char *name, struct uio *uio)
2315{
2316
2317 ASSERT_CRED_LABEL(cred->cr_label);
2318 ASSERT_VNODE_LABEL(label);
2319
2320 return (0);
2321}
2322
2323static int
2324mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
2325 struct label *label, u_long flags)
2326{
2327
2328 ASSERT_CRED_LABEL(cred->cr_label);
2329 ASSERT_VNODE_LABEL(label);
2330
2331 return (0);
2332}
2333
2334static int
2335mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
2336 struct label *label, mode_t mode)
2337{
2338
2339 ASSERT_CRED_LABEL(cred->cr_label);
2340 ASSERT_VNODE_LABEL(label);
2341
2342 return (0);
2343}
2344
2345static int
2346mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
2347 struct label *label, uid_t uid, gid_t gid)
2348{
2349
2350 ASSERT_CRED_LABEL(cred->cr_label);
2351 ASSERT_VNODE_LABEL(label);
2352
2353 return (0);
2354}
2355
2356static int
2357mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2358 struct label *label, struct timespec atime, struct timespec mtime)
2359{
2360
2361 ASSERT_CRED_LABEL(cred->cr_label);
2362 ASSERT_VNODE_LABEL(label);
2363
2364 return (0);
2365}
2366
2367static int
2368mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2369 struct vnode *vp, struct label *label)
2370{
2371
2372 ASSERT_CRED_LABEL(active_cred->cr_label);
2373 if (file_cred != NULL) {
2374 ASSERT_CRED_LABEL(file_cred->cr_label);
2375 }
2376 ASSERT_VNODE_LABEL(label);
2377
2378 return (0);
2379}
2380
2381static int
2382mac_test_check_vnode_write(struct ucred *active_cred,
2383 struct ucred *file_cred, struct vnode *vp, struct label *label)
2384{
2385
2386 ASSERT_CRED_LABEL(active_cred->cr_label);
2387 if (file_cred != NULL) {
2388 ASSERT_CRED_LABEL(file_cred->cr_label);
2389 }
2390 ASSERT_VNODE_LABEL(label);
2391
2392 return (0);
2393}
2394
2395static struct mac_policy_ops mac_test_ops =
2396{
2397 .mpo_destroy = mac_test_destroy,
2398 .mpo_init = mac_test_init,
2399 .mpo_syscall = mac_test_syscall,
2400 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
2401 .mpo_init_cred_label = mac_test_init_cred_label,
2402 .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
2403 .mpo_init_ifnet_label = mac_test_init_ifnet_label,
2404 .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
2405 .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
2406 .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
2407 .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
2408 .mpo_init_inpcb_label = mac_test_init_inpcb_label,
2409 .mpo_init_ipq_label = mac_test_init_ipq_label,
2410 .mpo_init_mbuf_label = mac_test_init_mbuf_label,
2411 .mpo_init_mount_label = mac_test_init_mount_label,
2412 .mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
2413 .mpo_init_pipe_label = mac_test_init_pipe_label,
2414 .mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
2415 .mpo_init_proc_label = mac_test_init_proc_label,
2416 .mpo_init_socket_label = mac_test_init_socket_label,
2417 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
2418 .mpo_init_vnode_label = mac_test_init_vnode_label,
2419 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
2420 .mpo_destroy_cred_label = mac_test_destroy_cred_label,
2421 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
2422 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
2423 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
2424 .mpo_destroy_sysv_msgqueue_label =
2425 mac_test_destroy_sysv_msgqueue_label,
2426 .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label,
2427 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label,
2428 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
2429 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
2430 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
2431 .mpo_destroy_mount_label = mac_test_destroy_mount_label,
2432 .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
2433 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
2434 .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
2435 .mpo_destroy_proc_label = mac_test_destroy_proc_label,
2436 .mpo_destroy_socket_label = mac_test_destroy_socket_label,
2437 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
2438 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
2439 .mpo_copy_cred_label = mac_test_copy_cred_label,
2440 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
2441 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
2442 .mpo_copy_pipe_label = mac_test_copy_pipe_label,
2443 .mpo_copy_socket_label = mac_test_copy_socket_label,
2444 .mpo_copy_vnode_label = mac_test_copy_vnode_label,
2445 .mpo_externalize_cred_label = mac_test_externalize_label,
2446 .mpo_externalize_ifnet_label = mac_test_externalize_label,
2447 .mpo_externalize_pipe_label = mac_test_externalize_label,
2448 .mpo_externalize_socket_label = mac_test_externalize_label,
2449 .mpo_externalize_socket_peer_label = mac_test_externalize_label,
2450 .mpo_externalize_vnode_label = mac_test_externalize_label,
2451 .mpo_internalize_cred_label = mac_test_internalize_label,
2452 .mpo_internalize_ifnet_label = mac_test_internalize_label,
2453 .mpo_internalize_pipe_label = mac_test_internalize_label,
2454 .mpo_internalize_socket_label = mac_test_internalize_label,
2455 .mpo_internalize_vnode_label = mac_test_internalize_label,
2456 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
2457 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
2458 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
2459 .mpo_create_devfs_device = mac_test_create_devfs_device,
2460 .mpo_create_devfs_directory = mac_test_create_devfs_directory,
2461 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
2462 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
2463 .mpo_create_mount = mac_test_create_mount,
2464 .mpo_relabel_vnode = mac_test_relabel_vnode,
2465 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
2466 .mpo_update_devfsdirent = mac_test_update_devfsdirent,
2467 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
2468 .mpo_create_pipe = mac_test_create_pipe,
2469 .mpo_create_posix_sem = mac_test_create_posix_sem,
2470 .mpo_create_socket = mac_test_create_socket,
2471 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
2472 .mpo_relabel_pipe = mac_test_relabel_pipe,
2473 .mpo_relabel_socket = mac_test_relabel_socket,
2474 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
2475 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
2476 .mpo_create_bpfdesc = mac_test_create_bpfdesc,
2477 .mpo_create_ifnet = mac_test_create_ifnet,
2478 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
2479 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg,
2480 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue,
2481 .mpo_create_sysv_sem = mac_test_create_sysv_sem,
2482 .mpo_create_sysv_shm = mac_test_create_sysv_shm,
2483 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
2484 .mpo_create_fragment = mac_test_create_fragment,
2485 .mpo_create_ipq = mac_test_create_ipq,
2486 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
2487 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
2488 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
2489 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
2490 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
2491 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
2492 .mpo_fragment_match = mac_test_fragment_match,
2493 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
2494 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
2495 .mpo_relabel_ifnet = mac_test_relabel_ifnet,
2496 .mpo_update_ipq = mac_test_update_ipq,
2497 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
2498 .mpo_execve_transition = mac_test_execve_transition,
2499 .mpo_execve_will_transition = mac_test_execve_will_transition,
2500 .mpo_create_proc0 = mac_test_create_proc0,
2501 .mpo_create_proc1 = mac_test_create_proc1,
2502 .mpo_relabel_cred = mac_test_relabel_cred,
2503 .mpo_thread_userret = mac_test_thread_userret,
2504 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg,
2505 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue,
2506 .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem,
2507 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm,
2508 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
2509 .mpo_check_cred_relabel = mac_test_check_cred_relabel,
2510 .mpo_check_cred_visible = mac_test_check_cred_visible,
2511 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
2512 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
2513 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
2514 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq,
2515 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv,
2516 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid,
2517 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget,
2518 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd,
2519 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv,
2520 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl,
2521 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl,
2522 .mpo_check_sysv_semget = mac_test_check_sysv_semget,
2523 .mpo_check_sysv_semop = mac_test_check_sysv_semop,
2524 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat,
2525 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl,
2526 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt,
2527 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget,
2528 .mpo_check_kenv_dump = mac_test_check_kenv_dump,
2529 .mpo_check_kenv_get = mac_test_check_kenv_get,
2530 .mpo_check_kenv_set = mac_test_check_kenv_set,
2531 .mpo_check_kenv_unset = mac_test_check_kenv_unset,
2532 .mpo_check_kld_load = mac_test_check_kld_load,
2533 .mpo_check_kld_stat = mac_test_check_kld_stat,
2534 .mpo_check_kld_unload = mac_test_check_kld_unload,
2535 .mpo_check_mount_stat = mac_test_check_mount_stat,
2536 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
2537 .mpo_check_pipe_poll = mac_test_check_pipe_poll,
2538 .mpo_check_pipe_read = mac_test_check_pipe_read,
2539 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
2540 .mpo_check_pipe_stat = mac_test_check_pipe_stat,
2541 .mpo_check_pipe_write = mac_test_check_pipe_write,
2542 .mpo_check_posix_sem_destroy = mac_test_check_posix_sem,
2543 .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem,
2544 .mpo_check_posix_sem_open = mac_test_check_posix_sem,
2545 .mpo_check_posix_sem_post = mac_test_check_posix_sem,
2546 .mpo_check_posix_sem_unlink = mac_test_check_posix_sem,
2547 .mpo_check_posix_sem_wait = mac_test_check_posix_sem,
2548 .mpo_check_proc_debug = mac_test_check_proc_debug,
2549 .mpo_check_proc_sched = mac_test_check_proc_sched,
2550 .mpo_check_proc_setuid = mac_test_check_proc_setuid,
2551 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
2552 .mpo_check_proc_setgid = mac_test_check_proc_setgid,
2553 .mpo_check_proc_setegid = mac_test_check_proc_setegid,
2554 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
2555 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
2556 .mpo_check_proc_setregid = mac_test_check_proc_setregid,
2557 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
2558 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
2559 .mpo_check_proc_signal = mac_test_check_proc_signal,
2560 .mpo_check_proc_wait = mac_test_check_proc_wait,
2561 .mpo_check_socket_accept = mac_test_check_socket_accept,
2562 .mpo_check_socket_bind = mac_test_check_socket_bind,
2563 .mpo_check_socket_connect = mac_test_check_socket_connect,
2564 .mpo_check_socket_deliver = mac_test_check_socket_deliver,
2565 .mpo_check_socket_listen = mac_test_check_socket_listen,
2566 .mpo_check_socket_poll = mac_test_check_socket_poll,
2567 .mpo_check_socket_receive = mac_test_check_socket_receive,
2568 .mpo_check_socket_relabel = mac_test_check_socket_relabel,
2569 .mpo_check_socket_send = mac_test_check_socket_send,
2570 .mpo_check_socket_stat = mac_test_check_socket_stat,
2571 .mpo_check_socket_visible = mac_test_check_socket_visible,
2572 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
2573 .mpo_check_system_acct = mac_test_check_system_acct,
2574 .mpo_check_system_reboot = mac_test_check_system_reboot,
2575 .mpo_check_system_settime = mac_test_check_system_settime,
2576 .mpo_check_system_swapon = mac_test_check_system_swapon,
2577 .mpo_check_system_swapoff = mac_test_check_system_swapoff,
2578 .mpo_check_system_sysctl = mac_test_check_system_sysctl,
2579 .mpo_check_vnode_access = mac_test_check_vnode_access,
2580 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
2581 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
2582 .mpo_check_vnode_create = mac_test_check_vnode_create,
2583 .mpo_check_vnode_delete = mac_test_check_vnode_delete,
2584 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
2585 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
2586 .mpo_check_vnode_exec = mac_test_check_vnode_exec,
2587 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
2588 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
2589 .mpo_check_vnode_link = mac_test_check_vnode_link,
2590 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
2591 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
2592 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
2593 .mpo_check_vnode_open = mac_test_check_vnode_open,
2594 .mpo_check_vnode_poll = mac_test_check_vnode_poll,
2595 .mpo_check_vnode_read = mac_test_check_vnode_read,
2596 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
2597 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
2598 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
2599 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
2600 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
2601 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
2602 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
2603 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
2604 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
2605 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
2606 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
2607 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
2608 .mpo_check_vnode_stat = mac_test_check_vnode_stat,
2609 .mpo_check_vnode_write = mac_test_check_vnode_write,
2610};
2611
2612MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
2613 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);
752 } else if (SLOT(label) == EXMAGIC) {
753 DEBUGGER("mac_test_destroy_vnode: dup destroy");
754 } else {
755 DEBUGGER("mac_test_destroy_vnode: corrupted label");
756 }
757}
758
759static void
760mac_test_copy_cred_label(struct label *src, struct label *dest)
761{
762
763 ASSERT_CRED_LABEL(src);
764 ASSERT_CRED_LABEL(dest);
765}
766
767static void
768mac_test_copy_ifnet_label(struct label *src, struct label *dest)
769{
770
771 ASSERT_IFNET_LABEL(src);
772 ASSERT_IFNET_LABEL(dest);
773}
774
775static void
776mac_test_copy_mbuf_label(struct label *src, struct label *dest)
777{
778
779 ASSERT_MBUF_LABEL(src);
780 ASSERT_MBUF_LABEL(dest);
781}
782
783static void
784mac_test_copy_pipe_label(struct label *src, struct label *dest)
785{
786
787 ASSERT_PIPE_LABEL(src);
788 ASSERT_PIPE_LABEL(dest);
789}
790
791static void
792mac_test_copy_socket_label(struct label *src, struct label *dest)
793{
794
795 ASSERT_SOCKET_LABEL(src);
796 ASSERT_SOCKET_LABEL(dest);
797}
798
799static void
800mac_test_copy_vnode_label(struct label *src, struct label *dest)
801{
802
803 ASSERT_VNODE_LABEL(src);
804 ASSERT_VNODE_LABEL(dest);
805}
806
807static int
808mac_test_externalize_label(struct label *label, char *element_name,
809 struct sbuf *sb, int *claimed)
810{
811
812 atomic_add_int(&externalize_count, 1);
813
814 KASSERT(SLOT(label) != EXMAGIC,
815 ("mac_test_externalize_label: destroyed label"));
816
817 return (0);
818}
819
820static int
821mac_test_internalize_label(struct label *label, char *element_name,
822 char *element_data, int *claimed)
823{
824
825 atomic_add_int(&internalize_count, 1);
826
827 KASSERT(SLOT(label) != EXMAGIC,
828 ("mac_test_internalize_label: destroyed label"));
829
830 return (0);
831}
832
833/*
834 * Labeling event operations: file system objects, and things that look
835 * a lot like file system objects.
836 */
837static void
838mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
839 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
840 struct label *vlabel)
841{
842
843 ASSERT_MOUNT_LABEL(fslabel);
844 ASSERT_DEVFS_LABEL(delabel);
845 ASSERT_VNODE_LABEL(vlabel);
846}
847
848static int
849mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
850 struct vnode *vp, struct label *vlabel)
851{
852
853 ASSERT_MOUNT_LABEL(fslabel);
854 ASSERT_VNODE_LABEL(vlabel);
855 return (0);
856}
857
858static void
859mac_test_associate_vnode_singlelabel(struct mount *mp,
860 struct label *fslabel, struct vnode *vp, struct label *vlabel)
861{
862
863 ASSERT_MOUNT_LABEL(fslabel);
864 ASSERT_VNODE_LABEL(vlabel);
865}
866
867static void
868mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
869 struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
870{
871
872 if (cred != NULL) {
873 ASSERT_CRED_LABEL(cred->cr_label);
874 }
875 ASSERT_DEVFS_LABEL(label);
876}
877
878static void
879mac_test_create_devfs_directory(struct mount *mp, char *dirname,
880 int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
881{
882
883 ASSERT_DEVFS_LABEL(label);
884}
885
886static void
887mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
888 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
889 struct label *delabel)
890{
891
892 ASSERT_CRED_LABEL(cred->cr_label);
893 ASSERT_DEVFS_LABEL(ddlabel);
894 ASSERT_DEVFS_LABEL(delabel);
895}
896
897static int
898mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
899 struct label *fslabel, struct vnode *dvp, struct label *dlabel,
900 struct vnode *vp, struct label *vlabel, struct componentname *cnp)
901{
902
903 ASSERT_CRED_LABEL(cred->cr_label);
904 ASSERT_MOUNT_LABEL(fslabel);
905 ASSERT_VNODE_LABEL(dlabel);
906
907 return (0);
908}
909
910static void
911mac_test_create_mount(struct ucred *cred, struct mount *mp,
912 struct label *mntlabel, struct label *fslabel)
913{
914
915 ASSERT_CRED_LABEL(cred->cr_label);
916 ASSERT_MOUNT_LABEL(mntlabel);
917 ASSERT_MOUNT_LABEL(fslabel);
918}
919
920static void
921mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
922 struct label *vnodelabel, struct label *label)
923{
924
925 ASSERT_CRED_LABEL(cred->cr_label);
926 ASSERT_VNODE_LABEL(vnodelabel);
927 ASSERT_VNODE_LABEL(label);
928}
929
930static int
931mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
932 struct label *vlabel, struct label *intlabel)
933{
934
935 ASSERT_CRED_LABEL(cred->cr_label);
936 ASSERT_VNODE_LABEL(vlabel);
937 ASSERT_VNODE_LABEL(intlabel);
938 return (0);
939}
940
941static void
942mac_test_update_devfsdirent(struct mount *mp,
943 struct devfs_dirent *devfs_dirent, struct label *direntlabel,
944 struct vnode *vp, struct label *vnodelabel)
945{
946
947 ASSERT_DEVFS_LABEL(direntlabel);
948 ASSERT_VNODE_LABEL(vnodelabel);
949}
950
951/*
952 * Labeling event operations: IPC object.
953 */
954static void
955mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
956 struct mbuf *m, struct label *mbuflabel)
957{
958
959 ASSERT_SOCKET_LABEL(socketlabel);
960 ASSERT_MBUF_LABEL(mbuflabel);
961}
962
963static void
964mac_test_create_socket(struct ucred *cred, struct socket *socket,
965 struct label *socketlabel)
966{
967
968 ASSERT_CRED_LABEL(cred->cr_label);
969 ASSERT_SOCKET_LABEL(socketlabel);
970}
971
972static void
973mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
974 struct label *pipelabel)
975{
976
977 ASSERT_CRED_LABEL(cred->cr_label);
978 ASSERT_PIPE_LABEL(pipelabel);
979}
980
981static void
982mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem,
983 struct label *posixlabel)
984{
985
986 ASSERT_CRED_LABEL(cred->cr_label);
987 ASSERT_POSIX_LABEL(posixlabel);
988}
989
990static void
991mac_test_create_socket_from_socket(struct socket *oldsocket,
992 struct label *oldsocketlabel, struct socket *newsocket,
993 struct label *newsocketlabel)
994{
995
996 ASSERT_SOCKET_LABEL(oldsocketlabel);
997 ASSERT_SOCKET_LABEL(newsocketlabel);
998}
999
1000static void
1001mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
1002 struct label *socketlabel, struct label *newlabel)
1003{
1004
1005 ASSERT_CRED_LABEL(cred->cr_label);
1006 ASSERT_SOCKET_LABEL(newlabel);
1007}
1008
1009static void
1010mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
1011 struct label *pipelabel, struct label *newlabel)
1012{
1013
1014 ASSERT_CRED_LABEL(cred->cr_label);
1015 ASSERT_PIPE_LABEL(pipelabel);
1016 ASSERT_PIPE_LABEL(newlabel);
1017}
1018
1019static void
1020mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
1021 struct socket *socket, struct label *socketpeerlabel)
1022{
1023
1024 ASSERT_MBUF_LABEL(mbuflabel);
1025 ASSERT_SOCKET_LABEL(socketpeerlabel);
1026}
1027
1028/*
1029 * Labeling event operations: network objects.
1030 */
1031static void
1032mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
1033 struct label *oldsocketlabel, struct socket *newsocket,
1034 struct label *newsocketpeerlabel)
1035{
1036
1037 ASSERT_SOCKET_LABEL(oldsocketlabel);
1038 ASSERT_SOCKET_LABEL(newsocketpeerlabel);
1039}
1040
1041static void
1042mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
1043 struct label *bpflabel)
1044{
1045
1046 ASSERT_CRED_LABEL(cred->cr_label);
1047 ASSERT_BPF_LABEL(bpflabel);
1048}
1049
1050static void
1051mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
1052 struct mbuf *datagram, struct label *datagramlabel)
1053{
1054
1055 ASSERT_IPQ_LABEL(ipqlabel);
1056 ASSERT_MBUF_LABEL(datagramlabel);
1057}
1058
1059static void
1060mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
1061 struct mbuf *fragment, struct label *fragmentlabel)
1062{
1063
1064 ASSERT_MBUF_LABEL(datagramlabel);
1065 ASSERT_MBUF_LABEL(fragmentlabel);
1066}
1067
1068static void
1069mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
1070{
1071
1072 ASSERT_IFNET_LABEL(ifnetlabel);
1073}
1074
1075static void
1076mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
1077 struct inpcb *inp, struct label *inplabel)
1078{
1079
1080 ASSERT_SOCKET_LABEL(solabel);
1081 ASSERT_INPCB_LABEL(inplabel);
1082}
1083
1084static void
1085mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
1086 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
1087{
1088
1089 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1090 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
1091}
1092
1093static void
1094mac_test_create_sysv_msgqueue(struct ucred *cred,
1095 struct msqid_kernel *msqkptr, struct label *msqlabel)
1096{
1097
1098 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
1099}
1100
1101static void
1102mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
1103 struct label *semalabel)
1104{
1105
1106 ASSERT_SYSVIPCSEM_LABEL(semalabel);
1107}
1108
1109static void
1110mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
1111 struct label *shmlabel)
1112{
1113
1114 ASSERT_SYSVIPCSHM_LABEL(shmlabel);
1115}
1116
1117static void
1118mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1119 struct ipq *ipq, struct label *ipqlabel)
1120{
1121
1122 ASSERT_MBUF_LABEL(fragmentlabel);
1123 ASSERT_IPQ_LABEL(ipqlabel);
1124}
1125
1126static void
1127mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
1128 struct mbuf *m, struct label *mlabel)
1129{
1130
1131 ASSERT_INPCB_LABEL(inplabel);
1132 ASSERT_MBUF_LABEL(mlabel);
1133}
1134
1135static void
1136mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
1137 struct mbuf *mbuf, struct label *mbuflabel)
1138{
1139
1140 ASSERT_IFNET_LABEL(ifnetlabel);
1141 ASSERT_MBUF_LABEL(mbuflabel);
1142}
1143
1144static void
1145mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
1146 struct mbuf *mbuf, struct label *mbuflabel)
1147{
1148
1149 ASSERT_BPF_LABEL(bpflabel);
1150 ASSERT_MBUF_LABEL(mbuflabel);
1151}
1152
1153static void
1154mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
1155 struct mbuf *m, struct label *mbuflabel)
1156{
1157
1158 ASSERT_IFNET_LABEL(ifnetlabel);
1159 ASSERT_MBUF_LABEL(mbuflabel);
1160}
1161
1162static void
1163mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
1164 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
1165 struct mbuf *newmbuf, struct label *newmbuflabel)
1166{
1167
1168 ASSERT_MBUF_LABEL(oldmbuflabel);
1169 ASSERT_IFNET_LABEL(ifnetlabel);
1170 ASSERT_MBUF_LABEL(newmbuflabel);
1171}
1172
1173static void
1174mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
1175 struct label *oldmbuflabel, struct mbuf *newmbuf,
1176 struct label *newmbuflabel)
1177{
1178
1179 ASSERT_MBUF_LABEL(oldmbuflabel);
1180 ASSERT_MBUF_LABEL(newmbuflabel);
1181}
1182
1183static int
1184mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
1185 struct ipq *ipq, struct label *ipqlabel)
1186{
1187
1188 ASSERT_MBUF_LABEL(fragmentlabel);
1189 ASSERT_IPQ_LABEL(ipqlabel);
1190
1191 return (1);
1192}
1193
1194static void
1195mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
1196{
1197
1198 ASSERT_MBUF_LABEL(mlabel);
1199}
1200
1201static void
1202mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
1203{
1204
1205 ASSERT_MBUF_LABEL(mlabel);
1206}
1207
1208static void
1209mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1210 struct label *ifnetlabel, struct label *newlabel)
1211{
1212
1213 ASSERT_CRED_LABEL(cred->cr_label);
1214 ASSERT_IFNET_LABEL(ifnetlabel);
1215 ASSERT_IFNET_LABEL(newlabel);
1216}
1217
1218static void
1219mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1220 struct ipq *ipq, struct label *ipqlabel)
1221{
1222
1223 ASSERT_MBUF_LABEL(fragmentlabel);
1224 ASSERT_IPQ_LABEL(ipqlabel);
1225}
1226
1227static void
1228mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1229 struct inpcb *inp, struct label *inplabel)
1230{
1231
1232 ASSERT_SOCKET_LABEL(solabel);
1233 ASSERT_INPCB_LABEL(inplabel);
1234}
1235
1236/*
1237 * Labeling event operations: processes.
1238 */
1239static void
1240mac_test_execve_transition(struct ucred *old, struct ucred *new,
1241 struct vnode *vp, struct label *filelabel,
1242 struct label *interpvnodelabel, struct image_params *imgp,
1243 struct label *execlabel)
1244{
1245
1246 ASSERT_CRED_LABEL(old->cr_label);
1247 ASSERT_CRED_LABEL(new->cr_label);
1248 ASSERT_VNODE_LABEL(filelabel);
1249 if (interpvnodelabel != NULL) {
1250 ASSERT_VNODE_LABEL(interpvnodelabel);
1251 }
1252 if (execlabel != NULL) {
1253 ASSERT_CRED_LABEL(execlabel);
1254 }
1255}
1256
1257static int
1258mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
1259 struct label *filelabel, struct label *interpvnodelabel,
1260 struct image_params *imgp, struct label *execlabel)
1261{
1262
1263 ASSERT_CRED_LABEL(old->cr_label);
1264 ASSERT_VNODE_LABEL(filelabel);
1265 if (interpvnodelabel != NULL) {
1266 ASSERT_VNODE_LABEL(interpvnodelabel);
1267 }
1268 if (execlabel != NULL) {
1269 ASSERT_CRED_LABEL(execlabel);
1270 }
1271
1272 return (0);
1273}
1274
1275static void
1276mac_test_create_proc0(struct ucred *cred)
1277{
1278
1279 ASSERT_CRED_LABEL(cred->cr_label);
1280}
1281
1282static void
1283mac_test_create_proc1(struct ucred *cred)
1284{
1285
1286 ASSERT_CRED_LABEL(cred->cr_label);
1287}
1288
1289static void
1290mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
1291{
1292
1293 ASSERT_CRED_LABEL(cred->cr_label);
1294 ASSERT_CRED_LABEL(newlabel);
1295}
1296
1297static void
1298mac_test_thread_userret(struct thread *td)
1299{
1300
1301 printf("mac_test_thread_userret(process = %d)\n",
1302 curthread->td_proc->p_pid);
1303}
1304
1305/*
1306 * Label cleanup/flush operations
1307 */
1308static void
1309mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
1310{
1311
1312 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1313}
1314
1315static void
1316mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
1317{
1318
1319 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
1320}
1321
1322static void
1323mac_test_cleanup_sysv_sem(struct label *semalabel)
1324{
1325
1326 ASSERT_SYSVIPCSEM_LABEL(semalabel);
1327}
1328
1329static void
1330mac_test_cleanup_sysv_shm(struct label *shmlabel)
1331{
1332
1333 ASSERT_SYSVIPCSHM_LABEL(shmlabel);
1334}
1335
1336/*
1337 * Access control checks.
1338 */
1339static int
1340mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1341 struct ifnet *ifnet, struct label *ifnetlabel)
1342{
1343
1344 ASSERT_BPF_LABEL(bpflabel);
1345 ASSERT_IFNET_LABEL(ifnetlabel);
1346
1347 return (0);
1348}
1349
1350static int
1351mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1352{
1353
1354 ASSERT_CRED_LABEL(cred->cr_label);
1355 ASSERT_CRED_LABEL(newlabel);
1356
1357 return (0);
1358}
1359
1360static int
1361mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
1362{
1363
1364 ASSERT_CRED_LABEL(u1->cr_label);
1365 ASSERT_CRED_LABEL(u2->cr_label);
1366
1367 return (0);
1368}
1369
1370static int
1371mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1372 struct label *ifnetlabel, struct label *newlabel)
1373{
1374
1375 ASSERT_CRED_LABEL(cred->cr_label);
1376 ASSERT_IFNET_LABEL(ifnetlabel);
1377 ASSERT_IFNET_LABEL(newlabel);
1378 return (0);
1379}
1380
1381static int
1382mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1383 struct mbuf *m, struct label *mbuflabel)
1384{
1385
1386 ASSERT_IFNET_LABEL(ifnetlabel);
1387 ASSERT_MBUF_LABEL(mbuflabel);
1388
1389 return (0);
1390}
1391
1392static int
1393mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
1394 struct mbuf *m, struct label *mlabel)
1395{
1396
1397 ASSERT_INPCB_LABEL(inplabel);
1398 ASSERT_MBUF_LABEL(mlabel);
1399
1400 return (0);
1401}
1402
1403static int
1404mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
1405 struct label *msglabel, struct msqid_kernel *msqkptr,
1406 struct label *msqklabel)
1407{
1408
1409 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1410 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1411 ASSERT_CRED_LABEL(cred->cr_label);
1412
1413 return (0);
1414}
1415
1416static int
1417mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
1418 struct label *msglabel)
1419{
1420
1421 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1422 ASSERT_CRED_LABEL(cred->cr_label);
1423
1424 return (0);
1425}
1426
1427
1428static int
1429mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
1430 struct label *msglabel)
1431{
1432
1433 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1434 ASSERT_CRED_LABEL(cred->cr_label);
1435
1436 return (0);
1437}
1438
1439static int
1440mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
1441 struct label *msqklabel)
1442{
1443
1444 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1445 ASSERT_CRED_LABEL(cred->cr_label);
1446
1447 return (0);
1448}
1449
1450static int
1451mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
1452 struct label *msqklabel)
1453{
1454
1455 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1456 ASSERT_CRED_LABEL(cred->cr_label);
1457
1458 return (0);
1459}
1460
1461static int
1462mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
1463 struct label *msqklabel)
1464{
1465
1466 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1467 ASSERT_CRED_LABEL(cred->cr_label);
1468
1469 return (0);
1470}
1471
1472static int
1473mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
1474 struct label *msqklabel, int cmd)
1475{
1476
1477 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1478 ASSERT_CRED_LABEL(cred->cr_label);
1479
1480 return (0);
1481}
1482
1483static int
1484mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
1485 struct label *semaklabel, int cmd)
1486{
1487
1488 ASSERT_CRED_LABEL(cred->cr_label);
1489 ASSERT_SYSVIPCSEM_LABEL(semaklabel);
1490
1491 return (0);
1492}
1493
1494static int
1495mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
1496 struct label *semaklabel)
1497{
1498
1499 ASSERT_CRED_LABEL(cred->cr_label);
1500 ASSERT_SYSVIPCSEM_LABEL(semaklabel);
1501
1502 return (0);
1503}
1504
1505static int
1506mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
1507 struct label *semaklabel, size_t accesstype)
1508{
1509
1510 ASSERT_CRED_LABEL(cred->cr_label);
1511 ASSERT_SYSVIPCSEM_LABEL(semaklabel);
1512
1513 return (0);
1514}
1515
1516static int
1517mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
1518 struct label *shmseglabel, int shmflg)
1519{
1520
1521 ASSERT_CRED_LABEL(cred->cr_label);
1522 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1523
1524 return (0);
1525}
1526
1527static int
1528mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
1529 struct label *shmseglabel, int cmd)
1530{
1531
1532 ASSERT_CRED_LABEL(cred->cr_label);
1533 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1534
1535 return (0);
1536}
1537
1538static int
1539mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
1540 struct label *shmseglabel)
1541{
1542
1543 ASSERT_CRED_LABEL(cred->cr_label);
1544 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1545
1546 return (0);
1547}
1548
1549static int
1550mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
1551 struct label *shmseglabel, int shmflg)
1552{
1553
1554 ASSERT_CRED_LABEL(cred->cr_label);
1555 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1556
1557 return (0);
1558}
1559
1560static int
1561mac_test_check_kenv_dump(struct ucred *cred)
1562{
1563
1564 ASSERT_CRED_LABEL(cred->cr_label);
1565
1566 return (0);
1567}
1568
1569static int
1570mac_test_check_kenv_get(struct ucred *cred, char *name)
1571{
1572
1573 ASSERT_CRED_LABEL(cred->cr_label);
1574
1575 return (0);
1576}
1577
1578static int
1579mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
1580{
1581
1582 ASSERT_CRED_LABEL(cred->cr_label);
1583
1584 return (0);
1585}
1586
1587static int
1588mac_test_check_kenv_unset(struct ucred *cred, char *name)
1589{
1590
1591 ASSERT_CRED_LABEL(cred->cr_label);
1592
1593 return (0);
1594}
1595
1596static int
1597mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
1598 struct label *label)
1599{
1600
1601 ASSERT_CRED_LABEL(cred->cr_label);
1602 ASSERT_VNODE_LABEL(label);
1603
1604 return (0);
1605}
1606
1607static int
1608mac_test_check_kld_stat(struct ucred *cred)
1609{
1610
1611 ASSERT_CRED_LABEL(cred->cr_label);
1612
1613 return (0);
1614}
1615
1616static int
1617mac_test_check_kld_unload(struct ucred *cred)
1618{
1619
1620 ASSERT_CRED_LABEL(cred->cr_label);
1621
1622 return (0);
1623}
1624
1625static int
1626mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
1627 struct label *mntlabel)
1628{
1629
1630 ASSERT_CRED_LABEL(cred->cr_label);
1631 ASSERT_MOUNT_LABEL(mntlabel);
1632
1633 return (0);
1634}
1635
1636static int
1637mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
1638 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1639{
1640
1641 ASSERT_CRED_LABEL(cred->cr_label);
1642 ASSERT_PIPE_LABEL(pipelabel);
1643
1644 return (0);
1645}
1646
1647static int
1648mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
1649 struct label *pipelabel)
1650{
1651
1652 ASSERT_CRED_LABEL(cred->cr_label);
1653 ASSERT_PIPE_LABEL(pipelabel);
1654
1655 return (0);
1656}
1657
1658static int
1659mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
1660 struct label *pipelabel)
1661{
1662
1663 ASSERT_CRED_LABEL(cred->cr_label);
1664 ASSERT_PIPE_LABEL(pipelabel);
1665
1666 return (0);
1667}
1668
1669static int
1670mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1671 struct label *pipelabel, struct label *newlabel)
1672{
1673
1674 ASSERT_CRED_LABEL(cred->cr_label);
1675 ASSERT_PIPE_LABEL(pipelabel);
1676 ASSERT_PIPE_LABEL(newlabel);
1677
1678 return (0);
1679}
1680
1681static int
1682mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
1683 struct label *pipelabel)
1684{
1685
1686 ASSERT_CRED_LABEL(cred->cr_label);
1687 ASSERT_PIPE_LABEL(pipelabel);
1688
1689 return (0);
1690}
1691
1692static int
1693mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
1694 struct label *pipelabel)
1695{
1696
1697 ASSERT_CRED_LABEL(cred->cr_label);
1698 ASSERT_PIPE_LABEL(pipelabel);
1699
1700 return (0);
1701}
1702
1703static int
1704mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr,
1705 struct label *ks_label)
1706{
1707
1708 ASSERT_CRED_LABEL(cred->cr_label);
1709 ASSERT_POSIX_LABEL(ks_label);
1710
1711 return (0);
1712}
1713
1714static int
1715mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
1716{
1717
1718 ASSERT_CRED_LABEL(cred->cr_label);
1719 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1720
1721 return (0);
1722}
1723
1724static int
1725mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
1726{
1727
1728 ASSERT_CRED_LABEL(cred->cr_label);
1729 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1730
1731 return (0);
1732}
1733
1734static int
1735mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
1736{
1737
1738 ASSERT_CRED_LABEL(cred->cr_label);
1739 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1740
1741 return (0);
1742}
1743
1744static int
1745mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
1746{
1747
1748 ASSERT_CRED_LABEL(cred->cr_label);
1749
1750 return (0);
1751}
1752
1753static int
1754mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
1755{
1756
1757 ASSERT_CRED_LABEL(cred->cr_label);
1758
1759 return (0);
1760}
1761
1762static int
1763mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
1764{
1765
1766 ASSERT_CRED_LABEL(cred->cr_label);
1767
1768 return (0);
1769}
1770
1771static int
1772mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
1773{
1774
1775 ASSERT_CRED_LABEL(cred->cr_label);
1776
1777 return (0);
1778}
1779
1780static int
1781mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
1782 gid_t *gidset)
1783{
1784
1785 ASSERT_CRED_LABEL(cred->cr_label);
1786
1787 return (0);
1788}
1789
1790static int
1791mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
1792{
1793
1794 ASSERT_CRED_LABEL(cred->cr_label);
1795
1796 return (0);
1797}
1798
1799static int
1800mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
1801{
1802
1803 ASSERT_CRED_LABEL(cred->cr_label);
1804
1805 return (0);
1806}
1807
1808static int
1809mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
1810 uid_t suid)
1811{
1812
1813 ASSERT_CRED_LABEL(cred->cr_label);
1814
1815 return (0);
1816}
1817
1818static int
1819mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
1820 gid_t sgid)
1821{
1822
1823 ASSERT_CRED_LABEL(cred->cr_label);
1824
1825 return (0);
1826}
1827
1828static int
1829mac_test_check_proc_wait(struct ucred *cred, struct proc *proc)
1830{
1831
1832 ASSERT_CRED_LABEL(cred->cr_label);
1833 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1834
1835 return (0);
1836}
1837
1838static int
1839mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
1840 struct label *socketlabel)
1841{
1842
1843 ASSERT_CRED_LABEL(cred->cr_label);
1844 ASSERT_SOCKET_LABEL(socketlabel);
1845
1846 return (0);
1847}
1848
1849static int
1850mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
1851 struct label *socketlabel, struct sockaddr *sockaddr)
1852{
1853
1854 ASSERT_CRED_LABEL(cred->cr_label);
1855 ASSERT_SOCKET_LABEL(socketlabel);
1856
1857 return (0);
1858}
1859
1860static int
1861mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
1862 struct label *socketlabel, struct sockaddr *sockaddr)
1863{
1864
1865 ASSERT_CRED_LABEL(cred->cr_label);
1866 ASSERT_SOCKET_LABEL(socketlabel);
1867
1868 return (0);
1869}
1870
1871static int
1872mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
1873 struct mbuf *m, struct label *mbuflabel)
1874{
1875
1876 ASSERT_SOCKET_LABEL(socketlabel);
1877 ASSERT_MBUF_LABEL(mbuflabel);
1878
1879 return (0);
1880}
1881
1882static int
1883mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
1884 struct label *socketlabel)
1885{
1886
1887 ASSERT_CRED_LABEL(cred->cr_label);
1888 ASSERT_SOCKET_LABEL(socketlabel);
1889
1890 return (0);
1891}
1892
1893static int
1894mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
1895 struct label *socketlabel)
1896{
1897
1898 ASSERT_CRED_LABEL(cred->cr_label);
1899 ASSERT_SOCKET_LABEL(socketlabel);
1900
1901 return (0);
1902}
1903
1904static int
1905mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
1906 struct label *socketlabel)
1907{
1908
1909 ASSERT_CRED_LABEL(cred->cr_label);
1910 ASSERT_SOCKET_LABEL(socketlabel);
1911
1912 return (0);
1913}
1914
1915static int
1916mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
1917 struct label *socketlabel, struct label *newlabel)
1918{
1919
1920 ASSERT_CRED_LABEL(cred->cr_label);
1921 ASSERT_SOCKET_LABEL(socketlabel);
1922 ASSERT_SOCKET_LABEL(newlabel);
1923
1924 return (0);
1925}
1926
1927static int
1928mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
1929 struct label *socketlabel)
1930{
1931
1932 ASSERT_CRED_LABEL(cred->cr_label);
1933 ASSERT_SOCKET_LABEL(socketlabel);
1934
1935 return (0);
1936}
1937
1938static int
1939mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
1940 struct label *socketlabel)
1941{
1942
1943 ASSERT_CRED_LABEL(cred->cr_label);
1944 ASSERT_SOCKET_LABEL(socketlabel);
1945
1946 return (0);
1947}
1948
1949static int
1950mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
1951 struct label *socketlabel)
1952{
1953
1954 ASSERT_CRED_LABEL(cred->cr_label);
1955 ASSERT_SOCKET_LABEL(socketlabel);
1956
1957 return (0);
1958}
1959
1960static int
1961mac_test_check_sysarch_ioperm(struct ucred *cred)
1962{
1963
1964 ASSERT_CRED_LABEL(cred->cr_label);
1965
1966 return (0);
1967}
1968
1969static int
1970mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
1971 struct label *label)
1972{
1973
1974 ASSERT_CRED_LABEL(cred->cr_label);
1975
1976 return (0);
1977}
1978
1979static int
1980mac_test_check_system_reboot(struct ucred *cred, int how)
1981{
1982
1983 ASSERT_CRED_LABEL(cred->cr_label);
1984
1985 return (0);
1986}
1987
1988static int
1989mac_test_check_system_settime(struct ucred *cred)
1990{
1991
1992 ASSERT_CRED_LABEL(cred->cr_label);
1993
1994 return (0);
1995}
1996
1997static int
1998mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
1999 struct label *label)
2000{
2001
2002 ASSERT_CRED_LABEL(cred->cr_label);
2003 ASSERT_VNODE_LABEL(label);
2004
2005 return (0);
2006}
2007
2008static int
2009mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
2010 struct label *label)
2011{
2012
2013 ASSERT_CRED_LABEL(cred->cr_label);
2014 ASSERT_VNODE_LABEL(label);
2015
2016 return (0);
2017}
2018
2019static int
2020mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2021 void *arg1, int arg2, struct sysctl_req *req)
2022{
2023
2024 ASSERT_CRED_LABEL(cred->cr_label);
2025
2026 return (0);
2027}
2028
2029static int
2030mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
2031 struct label *label, int acc_mode)
2032{
2033
2034 ASSERT_CRED_LABEL(cred->cr_label);
2035 ASSERT_VNODE_LABEL(label);
2036
2037 return (0);
2038}
2039
2040static int
2041mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
2042 struct label *dlabel)
2043{
2044
2045 ASSERT_CRED_LABEL(cred->cr_label);
2046 ASSERT_VNODE_LABEL(dlabel);
2047
2048 return (0);
2049}
2050
2051static int
2052mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
2053 struct label *dlabel)
2054{
2055
2056 ASSERT_CRED_LABEL(cred->cr_label);
2057 ASSERT_VNODE_LABEL(dlabel);
2058
2059 return (0);
2060}
2061
2062static int
2063mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
2064 struct label *dlabel, struct componentname *cnp, struct vattr *vap)
2065{
2066
2067 ASSERT_CRED_LABEL(cred->cr_label);
2068 ASSERT_VNODE_LABEL(dlabel);
2069
2070 return (0);
2071}
2072
2073static int
2074mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
2075 struct label *dlabel, struct vnode *vp, struct label *label,
2076 struct componentname *cnp)
2077{
2078
2079 ASSERT_CRED_LABEL(cred->cr_label);
2080 ASSERT_VNODE_LABEL(dlabel);
2081 ASSERT_VNODE_LABEL(label);
2082
2083 return (0);
2084}
2085
2086static int
2087mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
2088 struct label *label, acl_type_t type)
2089{
2090
2091 ASSERT_CRED_LABEL(cred->cr_label);
2092 ASSERT_VNODE_LABEL(label);
2093
2094 return (0);
2095}
2096
2097static int
2098mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
2099 struct label *label, int attrnamespace, const char *name)
2100{
2101
2102 ASSERT_CRED_LABEL(cred->cr_label);
2103 ASSERT_VNODE_LABEL(label);
2104
2105 return (0);
2106}
2107
2108static int
2109mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
2110 struct label *label, struct image_params *imgp,
2111 struct label *execlabel)
2112{
2113
2114 ASSERT_CRED_LABEL(cred->cr_label);
2115 ASSERT_VNODE_LABEL(label);
2116 if (execlabel != NULL) {
2117 ASSERT_CRED_LABEL(execlabel);
2118 }
2119
2120 return (0);
2121}
2122
2123static int
2124mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
2125 struct label *label, acl_type_t type)
2126{
2127
2128 ASSERT_CRED_LABEL(cred->cr_label);
2129 ASSERT_VNODE_LABEL(label);
2130
2131 return (0);
2132}
2133
2134static int
2135mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
2136 struct label *label, int attrnamespace, const char *name, struct uio *uio)
2137{
2138
2139 ASSERT_CRED_LABEL(cred->cr_label);
2140 ASSERT_VNODE_LABEL(label);
2141
2142 return (0);
2143}
2144
2145static int
2146mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
2147 struct label *dlabel, struct vnode *vp, struct label *label,
2148 struct componentname *cnp)
2149{
2150
2151 ASSERT_CRED_LABEL(cred->cr_label);
2152 ASSERT_VNODE_LABEL(dlabel);
2153 ASSERT_VNODE_LABEL(label);
2154
2155 return (0);
2156}
2157
2158static int
2159mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
2160 struct label *label, int attrnamespace)
2161{
2162
2163 ASSERT_CRED_LABEL(cred->cr_label);
2164 ASSERT_VNODE_LABEL(label);
2165
2166 return (0);
2167}
2168
2169static int
2170mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
2171 struct label *dlabel, struct componentname *cnp)
2172{
2173
2174 ASSERT_CRED_LABEL(cred->cr_label);
2175 ASSERT_VNODE_LABEL(dlabel);
2176
2177 return (0);
2178}
2179
2180static int
2181mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
2182 struct label *label, int prot, int flags)
2183{
2184
2185 ASSERT_CRED_LABEL(cred->cr_label);
2186 ASSERT_VNODE_LABEL(label);
2187
2188 return (0);
2189}
2190
2191static int
2192mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
2193 struct label *filelabel, int acc_mode)
2194{
2195
2196 ASSERT_CRED_LABEL(cred->cr_label);
2197 ASSERT_VNODE_LABEL(filelabel);
2198
2199 return (0);
2200}
2201
2202static int
2203mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
2204 struct vnode *vp, struct label *label)
2205{
2206
2207 ASSERT_CRED_LABEL(active_cred->cr_label);
2208 ASSERT_CRED_LABEL(file_cred->cr_label);
2209 ASSERT_VNODE_LABEL(label);
2210
2211 return (0);
2212}
2213
2214static int
2215mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2216 struct vnode *vp, struct label *label)
2217{
2218
2219 ASSERT_CRED_LABEL(active_cred->cr_label);
2220 if (file_cred != NULL) {
2221 ASSERT_CRED_LABEL(file_cred->cr_label);
2222 }
2223 ASSERT_VNODE_LABEL(label);
2224
2225 return (0);
2226}
2227
2228static int
2229mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
2230 struct label *dlabel)
2231{
2232
2233 ASSERT_CRED_LABEL(cred->cr_label);
2234 ASSERT_VNODE_LABEL(dlabel);
2235
2236 return (0);
2237}
2238
2239static int
2240mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
2241 struct label *vnodelabel)
2242{
2243
2244 ASSERT_CRED_LABEL(cred->cr_label);
2245 ASSERT_VNODE_LABEL(vnodelabel);
2246
2247 return (0);
2248}
2249
2250static int
2251mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2252 struct label *vnodelabel, struct label *newlabel)
2253{
2254
2255 ASSERT_CRED_LABEL(cred->cr_label);
2256 ASSERT_VNODE_LABEL(vnodelabel);
2257 ASSERT_VNODE_LABEL(newlabel);
2258
2259 return (0);
2260}
2261
2262static int
2263mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2264 struct label *dlabel, struct vnode *vp, struct label *label,
2265 struct componentname *cnp)
2266{
2267
2268 ASSERT_CRED_LABEL(cred->cr_label);
2269 ASSERT_VNODE_LABEL(dlabel);
2270 ASSERT_VNODE_LABEL(label);
2271
2272 return (0);
2273}
2274
2275static int
2276mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2277 struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
2278 struct componentname *cnp)
2279{
2280
2281 ASSERT_CRED_LABEL(cred->cr_label);
2282 ASSERT_VNODE_LABEL(dlabel);
2283
2284 if (vp != NULL) {
2285 ASSERT_VNODE_LABEL(label);
2286 }
2287
2288 return (0);
2289}
2290
2291static int
2292mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
2293 struct label *label)
2294{
2295
2296 ASSERT_CRED_LABEL(cred->cr_label);
2297 ASSERT_VNODE_LABEL(label);
2298
2299 return (0);
2300}
2301
2302static int
2303mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
2304 struct label *label, acl_type_t type, struct acl *acl)
2305{
2306
2307 ASSERT_CRED_LABEL(cred->cr_label);
2308 ASSERT_VNODE_LABEL(label);
2309
2310 return (0);
2311}
2312
2313static int
2314mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2315 struct label *label, int attrnamespace, const char *name, struct uio *uio)
2316{
2317
2318 ASSERT_CRED_LABEL(cred->cr_label);
2319 ASSERT_VNODE_LABEL(label);
2320
2321 return (0);
2322}
2323
2324static int
2325mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
2326 struct label *label, u_long flags)
2327{
2328
2329 ASSERT_CRED_LABEL(cred->cr_label);
2330 ASSERT_VNODE_LABEL(label);
2331
2332 return (0);
2333}
2334
2335static int
2336mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
2337 struct label *label, mode_t mode)
2338{
2339
2340 ASSERT_CRED_LABEL(cred->cr_label);
2341 ASSERT_VNODE_LABEL(label);
2342
2343 return (0);
2344}
2345
2346static int
2347mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
2348 struct label *label, uid_t uid, gid_t gid)
2349{
2350
2351 ASSERT_CRED_LABEL(cred->cr_label);
2352 ASSERT_VNODE_LABEL(label);
2353
2354 return (0);
2355}
2356
2357static int
2358mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2359 struct label *label, struct timespec atime, struct timespec mtime)
2360{
2361
2362 ASSERT_CRED_LABEL(cred->cr_label);
2363 ASSERT_VNODE_LABEL(label);
2364
2365 return (0);
2366}
2367
2368static int
2369mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2370 struct vnode *vp, struct label *label)
2371{
2372
2373 ASSERT_CRED_LABEL(active_cred->cr_label);
2374 if (file_cred != NULL) {
2375 ASSERT_CRED_LABEL(file_cred->cr_label);
2376 }
2377 ASSERT_VNODE_LABEL(label);
2378
2379 return (0);
2380}
2381
2382static int
2383mac_test_check_vnode_write(struct ucred *active_cred,
2384 struct ucred *file_cred, struct vnode *vp, struct label *label)
2385{
2386
2387 ASSERT_CRED_LABEL(active_cred->cr_label);
2388 if (file_cred != NULL) {
2389 ASSERT_CRED_LABEL(file_cred->cr_label);
2390 }
2391 ASSERT_VNODE_LABEL(label);
2392
2393 return (0);
2394}
2395
2396static struct mac_policy_ops mac_test_ops =
2397{
2398 .mpo_destroy = mac_test_destroy,
2399 .mpo_init = mac_test_init,
2400 .mpo_syscall = mac_test_syscall,
2401 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
2402 .mpo_init_cred_label = mac_test_init_cred_label,
2403 .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
2404 .mpo_init_ifnet_label = mac_test_init_ifnet_label,
2405 .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
2406 .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
2407 .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
2408 .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
2409 .mpo_init_inpcb_label = mac_test_init_inpcb_label,
2410 .mpo_init_ipq_label = mac_test_init_ipq_label,
2411 .mpo_init_mbuf_label = mac_test_init_mbuf_label,
2412 .mpo_init_mount_label = mac_test_init_mount_label,
2413 .mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
2414 .mpo_init_pipe_label = mac_test_init_pipe_label,
2415 .mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
2416 .mpo_init_proc_label = mac_test_init_proc_label,
2417 .mpo_init_socket_label = mac_test_init_socket_label,
2418 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
2419 .mpo_init_vnode_label = mac_test_init_vnode_label,
2420 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
2421 .mpo_destroy_cred_label = mac_test_destroy_cred_label,
2422 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
2423 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
2424 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
2425 .mpo_destroy_sysv_msgqueue_label =
2426 mac_test_destroy_sysv_msgqueue_label,
2427 .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label,
2428 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label,
2429 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
2430 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
2431 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
2432 .mpo_destroy_mount_label = mac_test_destroy_mount_label,
2433 .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
2434 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
2435 .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
2436 .mpo_destroy_proc_label = mac_test_destroy_proc_label,
2437 .mpo_destroy_socket_label = mac_test_destroy_socket_label,
2438 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
2439 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
2440 .mpo_copy_cred_label = mac_test_copy_cred_label,
2441 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
2442 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
2443 .mpo_copy_pipe_label = mac_test_copy_pipe_label,
2444 .mpo_copy_socket_label = mac_test_copy_socket_label,
2445 .mpo_copy_vnode_label = mac_test_copy_vnode_label,
2446 .mpo_externalize_cred_label = mac_test_externalize_label,
2447 .mpo_externalize_ifnet_label = mac_test_externalize_label,
2448 .mpo_externalize_pipe_label = mac_test_externalize_label,
2449 .mpo_externalize_socket_label = mac_test_externalize_label,
2450 .mpo_externalize_socket_peer_label = mac_test_externalize_label,
2451 .mpo_externalize_vnode_label = mac_test_externalize_label,
2452 .mpo_internalize_cred_label = mac_test_internalize_label,
2453 .mpo_internalize_ifnet_label = mac_test_internalize_label,
2454 .mpo_internalize_pipe_label = mac_test_internalize_label,
2455 .mpo_internalize_socket_label = mac_test_internalize_label,
2456 .mpo_internalize_vnode_label = mac_test_internalize_label,
2457 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
2458 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
2459 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
2460 .mpo_create_devfs_device = mac_test_create_devfs_device,
2461 .mpo_create_devfs_directory = mac_test_create_devfs_directory,
2462 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
2463 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
2464 .mpo_create_mount = mac_test_create_mount,
2465 .mpo_relabel_vnode = mac_test_relabel_vnode,
2466 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
2467 .mpo_update_devfsdirent = mac_test_update_devfsdirent,
2468 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
2469 .mpo_create_pipe = mac_test_create_pipe,
2470 .mpo_create_posix_sem = mac_test_create_posix_sem,
2471 .mpo_create_socket = mac_test_create_socket,
2472 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
2473 .mpo_relabel_pipe = mac_test_relabel_pipe,
2474 .mpo_relabel_socket = mac_test_relabel_socket,
2475 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
2476 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
2477 .mpo_create_bpfdesc = mac_test_create_bpfdesc,
2478 .mpo_create_ifnet = mac_test_create_ifnet,
2479 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
2480 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg,
2481 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue,
2482 .mpo_create_sysv_sem = mac_test_create_sysv_sem,
2483 .mpo_create_sysv_shm = mac_test_create_sysv_shm,
2484 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
2485 .mpo_create_fragment = mac_test_create_fragment,
2486 .mpo_create_ipq = mac_test_create_ipq,
2487 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
2488 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
2489 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
2490 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
2491 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
2492 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
2493 .mpo_fragment_match = mac_test_fragment_match,
2494 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
2495 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
2496 .mpo_relabel_ifnet = mac_test_relabel_ifnet,
2497 .mpo_update_ipq = mac_test_update_ipq,
2498 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
2499 .mpo_execve_transition = mac_test_execve_transition,
2500 .mpo_execve_will_transition = mac_test_execve_will_transition,
2501 .mpo_create_proc0 = mac_test_create_proc0,
2502 .mpo_create_proc1 = mac_test_create_proc1,
2503 .mpo_relabel_cred = mac_test_relabel_cred,
2504 .mpo_thread_userret = mac_test_thread_userret,
2505 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg,
2506 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue,
2507 .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem,
2508 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm,
2509 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
2510 .mpo_check_cred_relabel = mac_test_check_cred_relabel,
2511 .mpo_check_cred_visible = mac_test_check_cred_visible,
2512 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
2513 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
2514 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
2515 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq,
2516 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv,
2517 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid,
2518 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget,
2519 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd,
2520 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv,
2521 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl,
2522 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl,
2523 .mpo_check_sysv_semget = mac_test_check_sysv_semget,
2524 .mpo_check_sysv_semop = mac_test_check_sysv_semop,
2525 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat,
2526 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl,
2527 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt,
2528 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget,
2529 .mpo_check_kenv_dump = mac_test_check_kenv_dump,
2530 .mpo_check_kenv_get = mac_test_check_kenv_get,
2531 .mpo_check_kenv_set = mac_test_check_kenv_set,
2532 .mpo_check_kenv_unset = mac_test_check_kenv_unset,
2533 .mpo_check_kld_load = mac_test_check_kld_load,
2534 .mpo_check_kld_stat = mac_test_check_kld_stat,
2535 .mpo_check_kld_unload = mac_test_check_kld_unload,
2536 .mpo_check_mount_stat = mac_test_check_mount_stat,
2537 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
2538 .mpo_check_pipe_poll = mac_test_check_pipe_poll,
2539 .mpo_check_pipe_read = mac_test_check_pipe_read,
2540 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
2541 .mpo_check_pipe_stat = mac_test_check_pipe_stat,
2542 .mpo_check_pipe_write = mac_test_check_pipe_write,
2543 .mpo_check_posix_sem_destroy = mac_test_check_posix_sem,
2544 .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem,
2545 .mpo_check_posix_sem_open = mac_test_check_posix_sem,
2546 .mpo_check_posix_sem_post = mac_test_check_posix_sem,
2547 .mpo_check_posix_sem_unlink = mac_test_check_posix_sem,
2548 .mpo_check_posix_sem_wait = mac_test_check_posix_sem,
2549 .mpo_check_proc_debug = mac_test_check_proc_debug,
2550 .mpo_check_proc_sched = mac_test_check_proc_sched,
2551 .mpo_check_proc_setuid = mac_test_check_proc_setuid,
2552 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
2553 .mpo_check_proc_setgid = mac_test_check_proc_setgid,
2554 .mpo_check_proc_setegid = mac_test_check_proc_setegid,
2555 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
2556 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
2557 .mpo_check_proc_setregid = mac_test_check_proc_setregid,
2558 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
2559 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
2560 .mpo_check_proc_signal = mac_test_check_proc_signal,
2561 .mpo_check_proc_wait = mac_test_check_proc_wait,
2562 .mpo_check_socket_accept = mac_test_check_socket_accept,
2563 .mpo_check_socket_bind = mac_test_check_socket_bind,
2564 .mpo_check_socket_connect = mac_test_check_socket_connect,
2565 .mpo_check_socket_deliver = mac_test_check_socket_deliver,
2566 .mpo_check_socket_listen = mac_test_check_socket_listen,
2567 .mpo_check_socket_poll = mac_test_check_socket_poll,
2568 .mpo_check_socket_receive = mac_test_check_socket_receive,
2569 .mpo_check_socket_relabel = mac_test_check_socket_relabel,
2570 .mpo_check_socket_send = mac_test_check_socket_send,
2571 .mpo_check_socket_stat = mac_test_check_socket_stat,
2572 .mpo_check_socket_visible = mac_test_check_socket_visible,
2573 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
2574 .mpo_check_system_acct = mac_test_check_system_acct,
2575 .mpo_check_system_reboot = mac_test_check_system_reboot,
2576 .mpo_check_system_settime = mac_test_check_system_settime,
2577 .mpo_check_system_swapon = mac_test_check_system_swapon,
2578 .mpo_check_system_swapoff = mac_test_check_system_swapoff,
2579 .mpo_check_system_sysctl = mac_test_check_system_sysctl,
2580 .mpo_check_vnode_access = mac_test_check_vnode_access,
2581 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
2582 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
2583 .mpo_check_vnode_create = mac_test_check_vnode_create,
2584 .mpo_check_vnode_delete = mac_test_check_vnode_delete,
2585 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
2586 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
2587 .mpo_check_vnode_exec = mac_test_check_vnode_exec,
2588 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
2589 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
2590 .mpo_check_vnode_link = mac_test_check_vnode_link,
2591 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
2592 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
2593 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
2594 .mpo_check_vnode_open = mac_test_check_vnode_open,
2595 .mpo_check_vnode_poll = mac_test_check_vnode_poll,
2596 .mpo_check_vnode_read = mac_test_check_vnode_read,
2597 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
2598 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
2599 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
2600 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
2601 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
2602 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
2603 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
2604 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
2605 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
2606 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
2607 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
2608 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
2609 .mpo_check_vnode_stat = mac_test_check_vnode_stat,
2610 .mpo_check_vnode_write = mac_test_check_vnode_write,
2611};
2612
2613MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
2614 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);