mac_stub.c revision 122808
1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by Network
9 * Associates Laboratories, the Security Research Division of Network
10 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
11 * as part of the DARPA CHATS research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 *    notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 *    notice, this list of conditions and the following disclaimer in the
20 *    documentation and/or other materials provided with the distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $FreeBSD: head/sys/security/mac_stub/mac_stub.c 122808 2003-11-16 18:28:58Z rwatson $
35 */
36
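/*
 * Developed by the TrustedBSD Project.
 *
 * Stub module that implements a NOOP for most (if not all) MAC Framework
 * policy entry points.  Every access control check in this file returns 0
 * without looking at its arguments, so the module never denies an operation
 * and enforces no policy of its own.
 */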
43
44#include <sys/types.h>
45#include <sys/param.h>
46#include <sys/acl.h>
47#include <sys/conf.h>
48#include <sys/extattr.h>
49#include <sys/kernel.h>
50#include <sys/mac.h>
51#include <sys/mount.h>
52#include <sys/proc.h>
53#include <sys/systm.h>
54#include <sys/sysproto.h>
55#include <sys/sysent.h>
56#include <sys/vnode.h>
57#include <sys/file.h>
58#include <sys/socket.h>
59#include <sys/socketvar.h>
60#include <sys/pipe.h>
61#include <sys/sysctl.h>
62
63#include <fs/devfs/devfs.h>
64
65#include <net/bpfdesc.h>
66#include <net/if.h>
67#include <net/if_types.h>
68#include <net/if_var.h>
69
70#include <netinet/in.h>
71#include <netinet/ip_var.h>
72
73#include <vm/vm.h>
74
75#include <sys/mac_policy.h>
76
SYSCTL_DECL(_security_mac);

/* Registers the security.mac.stub sysctl subtree for this module. */
SYSCTL_NODE(_security_mac, OID_AUTO, stub, CTLFLAG_RW, 0,
    "TrustedBSD mac_stub policy controls");

/*
 * Exported read/write as security.mac.stub.enabled, default 1.
 * NOTE(review): no entry point in this file reads stub_enabled, so toggling
 * the sysctl does not change what the module permits; the description
 * string overstates its effect.
 */
static int	stub_enabled = 1;
SYSCTL_INT(_security_mac_stub, OID_AUTO, enabled, CTLFLAG_RW,
    &stub_enabled, 0, "Enforce mac_stub policy");
85
86/*
87 * Policy module operations.
88 */
/* mpo_destroy entry point: does nothing when the policy is torn down. */
static void
stub_destroy(struct mac_policy_conf *conf)
{
}
94
/* mpo_init entry point: performs no setup when the policy is initialized. */
static void
stub_init(struct mac_policy_conf *conf)
{
}
100
/*
 * mpo_syscall entry point: accepts any call number and argument and reports
 * success; arg is never dereferenced.
 */
static int
stub_syscall(struct thread *td, int call, void *arg)
{
	return (0);
}
107
108/*
109 * Label operations.
110 */
/*
 * Generic label initializer shared by the non-failing mpo_init_*_label
 * slots; stores nothing in the label.
 */
static void
stub_init_label(struct label *label)
{
}
116
/*
 * Label initializer for the slots that may report failure (ipq, mbuf,
 * socket, socket peer).  Ignores flag and always returns 0.
 */
static int
stub_init_label_waitcheck(struct label *label, int flag)
{
	return (0);
}
123
/* Generic label destructor for every mpo_destroy_*_label slot; a no-op. */
static void
stub_destroy_label(struct label *label)
{
}
129
/* Generic mpo_copy_*_label handler: dest is left untouched. */
static void
stub_copy_label(struct label *src, struct label *dest)
{
}
135
/*
 * Generic mpo_externalize_*_label handler.  Returns 0 without writing to sb
 * or *claimed, so the stub never claims a label element.
 */
static int
stub_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{
	return (0);
}
143
/*
 * Generic mpo_internalize_*_label handler.  Returns 0 without parsing
 * element_data or writing *claimed, so no supplied element is accepted as
 * belonging to this policy.
 */
static int
stub_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{
	return (0);
}
151
152/*
153 * Labeling event operations: file system objects, and things that look
154 * a lot like file system objects.
155 */
/* mpo_associate_vnode_devfs entry point: leaves vlabel unset. */
static void
stub_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{
}
163
/*
 * mpo_associate_vnode_extattr entry point: reads no extended attribute and
 * always reports success.
 */
static int
stub_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{
	return (0);
}
171
/* mpo_associate_vnode_singlelabel entry point: a no-op. */
static void
stub_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{
}
178
/* mpo_create_devfs_device entry point: assigns no label to the new entry. */
static void
stub_create_devfs_device(struct mount *mp, dev_t dev,
    struct devfs_dirent *devfs_dirent, struct label *label)
{
}
185
/* mpo_create_devfs_directory entry point: dirname is not read; a no-op. */
static void
stub_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{
}
192
/* mpo_create_devfs_symlink entry point: a no-op. */
static void
stub_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{
}
200
/*
 * mpo_create_vnode_extattr entry point: writes no extended attribute for
 * the new vnode and always reports success.
 */
static int
stub_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
	return (0);
}
209
/* mpo_create_mount entry point: neither mount label is populated. */
static void
stub_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{
}
216
/* mpo_create_root_mount entry point: a no-op. */
static void
stub_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{
}
223
/* mpo_relabel_vnode entry point: the new label is not applied anywhere. */
static void
stub_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{
}
230
/*
 * mpo_setlabel_vnode_extattr entry point: stores nothing and always
 * reports success.
 */
static int
stub_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{
	return (0);
}
238
/* mpo_update_devfsdirent entry point: a no-op. */
static void
stub_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{
}
246
247/*
248 * Labeling event operations: IPC object.
249 */
/* mpo_create_mbuf_from_socket entry point: mbuflabel is left unset. */
static void
stub_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{
}
256
/* mpo_create_socket entry point: a no-op. */
static void
stub_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
}
263
/* mpo_create_pipe entry point: a no-op. */
static void
stub_create_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{
}
270
/* mpo_create_socket_from_socket entry point: no label is propagated. */
static void
stub_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{
}
278
/* mpo_relabel_socket entry point: newlabel is ignored. */
static void
stub_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{
}
285
/* mpo_relabel_pipe entry point: newlabel is ignored. */
static void
stub_relabel_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, struct label *newlabel)
{
}
292
/* mpo_set_socket_peer_from_mbuf entry point: the peer label is not set. */
static void
stub_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{
}
299
/* mpo_set_socket_peer_from_socket entry point: the peer label is not set. */
static void
stub_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{
}
307
308/*
309 * Labeling event operations: network objects.
310 */
/* mpo_create_bpfdesc entry point: a no-op. */
static void
stub_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{
}
317
/* mpo_create_datagram_from_ipq entry point: datagramlabel is left unset. */
static void
stub_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{
}
324
/* mpo_create_fragment entry point: fragmentlabel is left unset. */
static void
stub_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{
}
331
/* mpo_create_ifnet entry point: a no-op. */
static void
stub_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{
}
337
/* mpo_create_ipq entry point: ipqlabel is left unset. */
static void
stub_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
}
344
/* mpo_create_mbuf_from_mbuf entry point: no label is copied. */
static void
stub_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{
}
352
/* mpo_create_mbuf_linklayer entry point: a no-op. */
static void
stub_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{
}
359
/* mpo_create_mbuf_from_bpfdesc entry point: a no-op. */
static void
stub_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{
}
366
/* mpo_create_mbuf_from_ifnet entry point: a no-op. */
static void
stub_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{
}
373
/* mpo_create_mbuf_multicast_encap entry point: a no-op. */
static void
stub_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet,
    struct label *ifnetlabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{
}
381
/* mpo_create_mbuf_netlayer entry point: a no-op. */
static void
stub_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{
}
388
/*
 * mpo_fragment_match entry point.  Unlike the other int hooks in this file
 * it returns 1, not 0: every fragment is reported as matching every
 * reassembly queue, so labels never keep fragments apart.
 */
static int
stub_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
	return (1);
}
396
/* mpo_reflect_mbuf_icmp entry point: mlabel is left as it was. */
static void
stub_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{
}
402
/* mpo_reflect_mbuf_tcp entry point: mlabel is left as it was. */
static void
stub_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{
}
408
/* mpo_relabel_ifnet entry point: newlabel is ignored. */
static void
stub_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{
}
415
/* mpo_update_ipq entry point: a no-op. */
static void
stub_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{
}
422
423/*
424 * Labeling event operations: processes.
425 */
/* mpo_create_cred entry point: nothing is inherited into cred_child. */
static void
stub_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
}
431
/*
 * mpo_execve_transition entry point: the new credential is not modified,
 * so exec never changes a label under this policy.
 */
static void
stub_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *vnodelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{
}
440
/*
 * mpo_execve_will_transition entry point: always returns 0, i.e. the stub
 * never asks for a label transition on execve.
 */
static int
stub_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *vnodelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{
	return (0);
}
449
/* mpo_create_proc0 entry point: a no-op. */
static void
stub_create_proc0(struct ucred *cred)
{
}
455
/* mpo_create_proc1 entry point: a no-op. */
static void
stub_create_proc1(struct ucred *cred)
{
}
461
/* mpo_relabel_cred entry point: newlabel is ignored. */
static void
stub_relabel_cred(struct ucred *cred, struct label *newlabel)
{
}
467
/* mpo_thread_userret entry point: a no-op. */
static void
stub_thread_userret(struct thread *td)
{
}
473
474/*
475 * Access control checks.
476 */
/*
 * mpo_check_bpfdesc_receive: returns 0 unconditionally, so the stub never
 * objects to a BPF descriptor receiving from an interface.
 */
static int
stub_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnet_label)
{
	return (0);
}
484
/*
 * mpo_check_cred_relabel: returns 0 without inspecting newlabel, so any
 * credential relabel request passes this policy.
 */
static int
stub_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{
	return (0);
}
491
/* mpo_check_cred_visible: always 0; u1 and u2 are not compared. */
static int
stub_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
	return (0);
}
498
/* mpo_check_ifnet_relabel: always 0; the requested label is not examined. */
static int
stub_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{
	return (0);
}
506
/* mpo_check_ifnet_transmit: always 0; no mbuf is held back from an ifnet. */
static int
stub_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	return (0);
}
514
/* mpo_check_kenv_dump: always 0; cred is not consulted. */
static int
stub_check_kenv_dump(struct ucred *cred)
{
	return (0);
}
521
/* mpo_check_kenv_get: always 0; name is never read. */
static int
stub_check_kenv_get(struct ucred *cred, char *name)
{
	return (0);
}
528
/* mpo_check_kenv_set: always 0; neither name nor value is read. */
static int
stub_check_kenv_set(struct ucred *cred, char *name, char *value)
{
	return (0);
}
535
/* mpo_check_kenv_unset: always 0; name is never read. */
static int
stub_check_kenv_unset(struct ucred *cred, char *name)
{
	return (0);
}
542
/*
 * mpo_check_kld_load: returns 0 without looking at cred or the module
 * vnode's label, so kernel module loading is not restricted by this policy.
 */
static int
stub_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *vlabel)
{
	return (0);
}
550
/* mpo_check_kld_stat: always 0; cred is not consulted. */
static int
stub_check_kld_stat(struct ucred *cred)
{
	return (0);
}
557
/* mpo_check_kld_unload: always 0; cred is not consulted. */
static int
stub_check_kld_unload(struct ucred *cred)
{
	return (0);
}
564
/* mpo_check_mount_stat: always 0; mntlabel is not examined. */
static int
stub_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{
	return (0);
}
572
/* mpo_check_pipe_ioctl: always 0 for every cmd; data is never dereferenced. */
static int
stub_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{
	return (0);
}
580
/* mpo_check_pipe_poll: always 0; pipelabel is not examined. */
static int
stub_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{
	return (0);
}
588
/* mpo_check_pipe_read: always 0; pipelabel is not examined. */
static int
stub_check_pipe_read(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{
	return (0);
}
596
/* mpo_check_pipe_relabel: always 0; newlabel is not examined. */
static int
stub_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, struct label *newlabel)
{
	return (0);
}
604
/* mpo_check_pipe_stat: always 0; pipelabel is not examined. */
static int
stub_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{
	return (0);
}
612
/* mpo_check_pipe_write: always 0; pipelabel is not examined. */
static int
stub_check_pipe_write(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{
	return (0);
}
620
/*
 * mpo_check_proc_debug: returns 0 without comparing cred to the target
 * process, so this policy places no limit on debugging.
 */
static int
stub_check_proc_debug(struct ucred *cred, struct proc *proc)
{
	return (0);
}
627
/* mpo_check_proc_sched: always 0; cred and proc are not compared. */
static int
stub_check_proc_sched(struct ucred *cred, struct proc *proc)
{
	return (0);
}
634
/* mpo_check_proc_signal: always 0, whatever signum is. */
static int
stub_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{
	return (0);
}
641
/* mpo_check_socket_bind: always 0; sockaddr is never read. */
static int
stub_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{
	return (0);
}
649
/* mpo_check_socket_connect: always 0; sockaddr is never read. */
static int
stub_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{
	return (0);
}
657
/* mpo_check_socket_deliver: always 0; the two labels are not compared. */
static int
stub_check_socket_deliver(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{
	return (0);
}
665
/* mpo_check_socket_listen: always 0; socketlabel is not examined. */
static int
stub_check_socket_listen(struct ucred *cred, struct socket *so,
    struct label *socketlabel)
{
	return (0);
}
673
/* mpo_check_socket_relabel: always 0; newlabel is not examined. */
static int
stub_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{
	return (0);
}
681
/* mpo_check_socket_visible: always 0; socketlabel is not examined. */
static int
stub_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{
	return (0);
}
689
/* mpo_check_sysarch_ioperm: always 0; cred is not consulted. */
static int
stub_check_sysarch_ioperm(struct ucred *cred)
{
	return (0);
}
696
/* mpo_check_system_acct: always 0; vp and vlabel are not examined. */
static int
stub_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *vlabel)
{
	return (0);
}
704
/* mpo_check_system_reboot: always 0, whatever how is. */
static int
stub_check_system_reboot(struct ucred *cred, int how)
{
	return (0);
}
711
/* mpo_check_system_settime: always 0; cred is not consulted. */
static int
stub_check_system_settime(struct ucred *cred)
{
	return (0);
}
718
/* mpo_check_system_swapon: always 0; vp and label are not examined. */
static int
stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	return (0);
}
726
/* mpo_check_system_swapoff: always 0; vp and label are not examined. */
static int
stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	return (0);
}
734
/*
 * mpo_check_system_sysctl: returns 0 for reads and writes alike; the OID in
 * name[0..namelen) and the old/new buffers are never examined.
 */
static int
stub_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
    void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
{
	return (0);
}
742
/* mpo_check_vnode_access: always 0, whatever acc_mode is requested. */
static int
stub_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{
	return (0);
}
750
/* mpo_check_vnode_chdir: always 0; dlabel is not examined. */
static int
stub_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{
	return (0);
}
758
/* mpo_check_vnode_chroot: always 0; dlabel is not examined. */
static int
stub_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{
	return (0);
}
766
/* mpo_check_vnode_create: always 0; cnp and vap are never read. */
static int
stub_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{
	return (0);
}
774
/* mpo_check_vnode_delete: always 0; neither label is examined. */
static int
stub_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	return (0);
}
783
/* mpo_check_vnode_deleteacl: always 0 for every ACL type. */
static int
stub_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{
	return (0);
}
791
/*
 * mpo_check_vnode_deleteextattr: always 0; attrnamespace and name are not
 * examined.
 */
static int
stub_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{
	return (0);
}
799
/*
 * mpo_check_vnode_exec: returns 0 without examining the vnode label, the
 * image parameters or execlabel, so execution is never refused here.
 */
static int
stub_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{
	return (0);
}
808
/* mpo_check_vnode_getacl: always 0 for every ACL type. */
static int
stub_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{
	return (0);
}
816
/* mpo_check_vnode_getextattr: always 0; name and uio are never read. */
static int
stub_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name,
    struct uio *uio)
{
	return (0);
}
824
/* mpo_check_vnode_link: always 0; neither label is examined. */
static int
stub_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	return (0);
}
833
/* mpo_check_vnode_listextattr: always 0 for every attribute namespace. */
static int
stub_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{
	return (0);
}
841
/* mpo_check_vnode_lookup: always 0; dlabel and cnp are not examined. */
static int
stub_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{
	return (0);
}
849
/* mpo_check_vnode_mmap: always 0, whatever protection bits prot carries. */
static int
stub_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{
	return (0);
}
857
/* mpo_check_vnode_mprotect: always 0, whatever protection bits prot carries. */
static int
stub_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{
	return (0);
}
865
/* mpo_check_vnode_open: always 0, whatever acc_mode is requested. */
static int
stub_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{
	return (0);
}
873
/* mpo_check_vnode_poll: always 0; neither credential is consulted. */
static int
stub_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{
	return (0);
}
881
/* mpo_check_vnode_read: always 0; neither credential is consulted. */
static int
stub_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{
	return (0);
}
889
/* mpo_check_vnode_readdir: always 0; dlabel is not examined. */
static int
stub_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
    struct label *dlabel)
{
	return (0);
}
897
/* mpo_check_vnode_readlink: always 0; vnodelabel is not examined. */
static int
stub_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{
	return (0);
}
905
/* mpo_check_vnode_relabel: always 0; newlabel is not examined. */
static int
stub_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{
	return (0);
}
913
/* mpo_check_vnode_rename_from: always 0; neither label is examined. */
static int
stub_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	return (0);
}
922
/* mpo_check_vnode_rename_to: always 0, for same-directory renames or not. */
static int
stub_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    int samedir, struct componentname *cnp)
{
	return (0);
}
931
/* mpo_check_vnode_revoke: always 0; label is not examined. */
static int
stub_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	return (0);
}
939
/* mpo_check_vnode_setacl: always 0; the supplied acl is never read. */
static int
stub_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{
	return (0);
}
947
/* mpo_check_vnode_setextattr: always 0; name and uio are never read. */
static int
stub_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name,
    struct uio *uio)
{
	return (0);
}
955
/* mpo_check_vnode_setflags: always 0, whatever flags are requested. */
static int
stub_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{
	return (0);
}
963
/* mpo_check_vnode_setmode: always 0, whatever mode is requested. */
static int
stub_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{
	return (0);
}
971
/* mpo_check_vnode_setowner: always 0, whatever uid and gid are requested. */
static int
stub_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{
	return (0);
}
979
/* mpo_check_vnode_setutimes: always 0; atime and mtime are not examined. */
static int
stub_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{
	return (0);
}
987
/* mpo_check_vnode_stat: always 0; neither credential is consulted. */
static int
stub_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{
	return (0);
}
995
/* mpo_check_vnode_write: always 0; neither credential is consulted. */
static int
stub_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{
	return (0);
}
1003
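/*
 * Entry point table handed to the MAC Framework by MAC_POLICY_SET().
 *
 * The per-object init/destroy/copy/externalize/internalize slots share the
 * generic stub_*_label handlers; every other slot has its own stub.  All
 * mpo_check_* handlers return 0, so registering this table adds no access
 * restriction.  Each slot is initialized exactly once: a repeated
 * designated initializer silently overrides the earlier one and can hide a
 * mis-wired hook.
 */
static struct mac_policy_ops mac_stub_ops =
{
	/* Policy module operations. */
	.mpo_destroy = stub_destroy,
	.mpo_init = stub_init,
	.mpo_syscall = stub_syscall,

	/* Label life cycle. */
	.mpo_init_bpfdesc_label = stub_init_label,
	.mpo_init_cred_label = stub_init_label,
	.mpo_init_devfsdirent_label = stub_init_label,
	.mpo_init_ifnet_label = stub_init_label,
	.mpo_init_ipq_label = stub_init_label_waitcheck,
	.mpo_init_mbuf_label = stub_init_label_waitcheck,
	.mpo_init_mount_label = stub_init_label,
	.mpo_init_mount_fs_label = stub_init_label,
	.mpo_init_pipe_label = stub_init_label,
	.mpo_init_socket_label = stub_init_label_waitcheck,
	.mpo_init_socket_peer_label = stub_init_label_waitcheck,
	.mpo_init_vnode_label = stub_init_label,
	.mpo_destroy_bpfdesc_label = stub_destroy_label,
	.mpo_destroy_cred_label = stub_destroy_label,
	.mpo_destroy_devfsdirent_label = stub_destroy_label,
	.mpo_destroy_ifnet_label = stub_destroy_label,
	.mpo_destroy_ipq_label = stub_destroy_label,
	.mpo_destroy_mbuf_label = stub_destroy_label,
	.mpo_destroy_mount_label = stub_destroy_label,
	.mpo_destroy_mount_fs_label = stub_destroy_label,
	.mpo_destroy_pipe_label = stub_destroy_label,
	.mpo_destroy_socket_label = stub_destroy_label,
	.mpo_destroy_socket_peer_label = stub_destroy_label,
	.mpo_destroy_vnode_label = stub_destroy_label,
	.mpo_copy_mbuf_label = stub_copy_label,
	.mpo_copy_pipe_label = stub_copy_label,
	.mpo_copy_vnode_label = stub_copy_label,
	.mpo_externalize_cred_label = stub_externalize_label,
	.mpo_externalize_ifnet_label = stub_externalize_label,
	.mpo_externalize_pipe_label = stub_externalize_label,
	.mpo_externalize_socket_label = stub_externalize_label,
	.mpo_externalize_socket_peer_label = stub_externalize_label,
	.mpo_externalize_vnode_label = stub_externalize_label,
	.mpo_internalize_cred_label = stub_internalize_label,
	.mpo_internalize_ifnet_label = stub_internalize_label,
	.mpo_internalize_pipe_label = stub_internalize_label,
	.mpo_internalize_socket_label = stub_internalize_label,
	.mpo_internalize_vnode_label = stub_internalize_label,

	/* Labeling events: file system objects. */
	.mpo_associate_vnode_devfs = stub_associate_vnode_devfs,
	.mpo_associate_vnode_extattr = stub_associate_vnode_extattr,
	.mpo_associate_vnode_singlelabel = stub_associate_vnode_singlelabel,
	.mpo_create_devfs_device = stub_create_devfs_device,
	.mpo_create_devfs_directory = stub_create_devfs_directory,
	.mpo_create_devfs_symlink = stub_create_devfs_symlink,
	.mpo_create_vnode_extattr = stub_create_vnode_extattr,
	.mpo_create_mount = stub_create_mount,
	.mpo_create_root_mount = stub_create_root_mount,
	.mpo_relabel_vnode = stub_relabel_vnode,
	.mpo_setlabel_vnode_extattr = stub_setlabel_vnode_extattr,
	.mpo_update_devfsdirent = stub_update_devfsdirent,

	/* Labeling events: IPC objects. */
	.mpo_create_mbuf_from_socket = stub_create_mbuf_from_socket,
	.mpo_create_pipe = stub_create_pipe,
	.mpo_create_socket = stub_create_socket,
	.mpo_create_socket_from_socket = stub_create_socket_from_socket,
	.mpo_relabel_pipe = stub_relabel_pipe,
	.mpo_relabel_socket = stub_relabel_socket,
	.mpo_set_socket_peer_from_mbuf = stub_set_socket_peer_from_mbuf,
	.mpo_set_socket_peer_from_socket = stub_set_socket_peer_from_socket,

	/* Labeling events: network objects. */
	.mpo_create_bpfdesc = stub_create_bpfdesc,
	.mpo_create_ifnet = stub_create_ifnet,
	.mpo_create_ipq = stub_create_ipq,
	.mpo_create_datagram_from_ipq = stub_create_datagram_from_ipq,
	.mpo_create_fragment = stub_create_fragment,
	.mpo_create_mbuf_from_mbuf = stub_create_mbuf_from_mbuf,
	.mpo_create_mbuf_linklayer = stub_create_mbuf_linklayer,
	.mpo_create_mbuf_from_bpfdesc = stub_create_mbuf_from_bpfdesc,
	.mpo_create_mbuf_from_ifnet = stub_create_mbuf_from_ifnet,
	.mpo_create_mbuf_multicast_encap = stub_create_mbuf_multicast_encap,
	.mpo_create_mbuf_netlayer = stub_create_mbuf_netlayer,
	.mpo_fragment_match = stub_fragment_match,
	.mpo_reflect_mbuf_icmp = stub_reflect_mbuf_icmp,
	.mpo_reflect_mbuf_tcp = stub_reflect_mbuf_tcp,
	.mpo_relabel_ifnet = stub_relabel_ifnet,
	.mpo_update_ipq = stub_update_ipq,

	/* Labeling events: processes. */
	.mpo_create_cred = stub_create_cred,
	.mpo_execve_transition = stub_execve_transition,
	.mpo_execve_will_transition = stub_execve_will_transition,
	.mpo_create_proc0 = stub_create_proc0,
	.mpo_create_proc1 = stub_create_proc1,
	.mpo_relabel_cred = stub_relabel_cred,
	.mpo_thread_userret = stub_thread_userret,

	/* Access control checks. */
	.mpo_check_bpfdesc_receive = stub_check_bpfdesc_receive,
	.mpo_check_cred_relabel = stub_check_cred_relabel,
	.mpo_check_cred_visible = stub_check_cred_visible,
	.mpo_check_ifnet_relabel = stub_check_ifnet_relabel,
	.mpo_check_ifnet_transmit = stub_check_ifnet_transmit,
	.mpo_check_kenv_dump = stub_check_kenv_dump,
	.mpo_check_kenv_get = stub_check_kenv_get,
	.mpo_check_kenv_set = stub_check_kenv_set,
	.mpo_check_kenv_unset = stub_check_kenv_unset,
	.mpo_check_kld_load = stub_check_kld_load,
	.mpo_check_kld_stat = stub_check_kld_stat,
	.mpo_check_kld_unload = stub_check_kld_unload,
	.mpo_check_mount_stat = stub_check_mount_stat,
	.mpo_check_pipe_ioctl = stub_check_pipe_ioctl,
	.mpo_check_pipe_poll = stub_check_pipe_poll,
	.mpo_check_pipe_read = stub_check_pipe_read,
	.mpo_check_pipe_relabel = stub_check_pipe_relabel,
	.mpo_check_pipe_stat = stub_check_pipe_stat,
	.mpo_check_pipe_write = stub_check_pipe_write,
	.mpo_check_proc_debug = stub_check_proc_debug,
	.mpo_check_proc_sched = stub_check_proc_sched,
	.mpo_check_proc_signal = stub_check_proc_signal,
	.mpo_check_socket_bind = stub_check_socket_bind,
	.mpo_check_socket_connect = stub_check_socket_connect,
	.mpo_check_socket_deliver = stub_check_socket_deliver,
	.mpo_check_socket_listen = stub_check_socket_listen,
	.mpo_check_socket_relabel = stub_check_socket_relabel,
	.mpo_check_socket_visible = stub_check_socket_visible,
	.mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm,
	.mpo_check_system_acct = stub_check_system_acct,
	.mpo_check_system_reboot = stub_check_system_reboot,
	.mpo_check_system_settime = stub_check_system_settime,
	.mpo_check_system_swapon = stub_check_system_swapon,
	.mpo_check_system_swapoff = stub_check_system_swapoff,
	.mpo_check_system_sysctl = stub_check_system_sysctl,
	.mpo_check_vnode_access = stub_check_vnode_access,
	.mpo_check_vnode_chdir = stub_check_vnode_chdir,
	.mpo_check_vnode_chroot = stub_check_vnode_chroot,
	.mpo_check_vnode_create = stub_check_vnode_create,
	.mpo_check_vnode_delete = stub_check_vnode_delete,
	.mpo_check_vnode_deleteacl = stub_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = stub_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = stub_check_vnode_exec,
	.mpo_check_vnode_getacl = stub_check_vnode_getacl,
	.mpo_check_vnode_getextattr = stub_check_vnode_getextattr,
	.mpo_check_vnode_link = stub_check_vnode_link,
	.mpo_check_vnode_listextattr = stub_check_vnode_listextattr,
	.mpo_check_vnode_lookup = stub_check_vnode_lookup,
	.mpo_check_vnode_mmap = stub_check_vnode_mmap,
	.mpo_check_vnode_mprotect = stub_check_vnode_mprotect,
	.mpo_check_vnode_open = stub_check_vnode_open,
	.mpo_check_vnode_poll = stub_check_vnode_poll,
	.mpo_check_vnode_read = stub_check_vnode_read,
	.mpo_check_vnode_readdir = stub_check_vnode_readdir,
	.mpo_check_vnode_readlink = stub_check_vnode_readlink,
	.mpo_check_vnode_relabel = stub_check_vnode_relabel,
	.mpo_check_vnode_rename_from = stub_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = stub_check_vnode_rename_to,
	.mpo_check_vnode_revoke = stub_check_vnode_revoke,
	.mpo_check_vnode_setacl = stub_check_vnode_setacl,
	.mpo_check_vnode_setextattr = stub_check_vnode_setextattr,
	.mpo_check_vnode_setflags = stub_check_vnode_setflags,
	.mpo_check_vnode_setmode = stub_check_vnode_setmode,
	.mpo_check_vnode_setowner = stub_check_vnode_setowner,
	.mpo_check_vnode_setutimes = stub_check_vnode_setutimes,
	.mpo_check_vnode_stat = stub_check_vnode_stat,
	.mpo_check_vnode_write = stub_check_vnode_write,
};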
1159
/*
 * Registers the policy as "mac_stub" with the entry points in mac_stub_ops.
 * MPC_LOADTIME_FLAG_UNLOADOK marks the module as unloadable at run time.
 * NOTE(review): the final NULL looks like "no label slot requested" --
 * confirm against the MAC_POLICY_SET definition in sys/mac_policy.h.
 */
MAC_POLICY_SET(&mac_stub_ops, mac_stub, "TrustedBSD MAC/Stub",
    MPC_LOADTIME_FLAG_UNLOADOK, NULL);
1162