mac_test.c revision 106788
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by Network 9 * Associates Laboratories, the Security Research Division of Network 10 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 11 * as part of the DARPA CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $FreeBSD: head/sys/security/mac_test/mac_test.c 106788 2002-11-12 04:20:36Z rwatson $ 35 */ 36 37/* 38 * Developed by the TrustedBSD Project. 
 * Generic mandatory access module that does nothing.
 *
 * This is a test fixture for the MAC framework rather than a real policy:
 * the access-control hooks all permit, the labeling hooks do nothing, and
 * the only state kept is a per-type magic value in each label plus call
 * counters exported via sysctl.  Its purpose is to catch label lifecycle
 * bugs in the framework (missing init, double destroy, wrong label type).
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

/* security.mac.test: every knob and counter of this policy hangs here. */
SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
    "TrustedBSD mac_test policy controls");

/*
 * security.mac.test.enabled.  Exported as a writable knob, but none of the
 * hooks visible in this file read it: every access-control check returns 0
 * whatever its value, so toggling it changes nothing.  Do not rely on this
 * module for enforcement.
 */
static int mac_test_enabled = 0;
SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_test_enabled, 0, "Enforce test policy");

/*
 * Per-object-type magic values.  Each init hook stores the value for its
 * type in this policy's label slot and the matching destroy hook checks
 * it, so a label that is destroyed through the wrong hook, destroyed twice
 * (slot already EXMAGIC) or clobbered by a stray write is caught.
 *
 * Two pairs share a value: mount labels and mount fs labels both use
 * MOUNTMAGIC, socket labels and socket peer labels both use SOCKETMAGIC.
 * A mix-up inside either pair is therefore invisible to the magic check
 * and would only show up as a skew between the pair's counters.
 */
#define	BPFMAGIC	0xfe1ad1b6
#define	DEVFSMAGIC	0x9ee79c32
#define	IFNETMAGIC	0xc218b120
#define	IPQMAGIC	0x206188ef
#define	MBUFMAGIC	0xbbefa5bb
#define	MOUNTMAGIC	0xc7c46e47
#define	SOCKETMAGIC	0x9199c6cd
#define	PIPEMAGIC	0xdc6c9919
#define	CREDMAGIC	0x9a5a4987
#define	VNODEMAGIC	0x1a67a45c
/* Written by the destroy hooks in place of the type magic: "already dead". */
#define	EXMAGIC		0x849ba1fd

/*
 * This policy's slot in a label, accessed as the slot's l_long member via
 * the slot index the framework assigned at registration (test_slot, exported
 * read-only as security.mac.test.slot).
 */
#define	SLOT(x)	LABEL_TO_SLOT((x), test_slot).l_long
static int test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
    &test_slot, 0, "Slot allocated by framework");

/*
 * Call counters, one per label type and direction, bumped with
 * atomic_add_int by the init/destroy hooks and exported read-only.  For a
 * given type, init minus destroy is intended to track the number of live
 * labels; a difference that goes negative or grows without bound points at
 * a lifecycle bug in the framework.  They are plain ints and wrap after
 * roughly 2^31 events.
 */
static int init_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
    &init_count_bpfdesc, 0, "bpfdesc init calls");
static int init_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
    &init_count_cred, 0, "cred init calls");
static int init_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
    &init_count_devfsdirent, 0, "devfsdirent init calls");
static int init_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
    &init_count_ifnet, 0, "ifnet init calls");
static int init_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
    &init_count_ipq, 0, "ipq init calls");
static int init_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
    &init_count_mbuf, 0, "mbuf init calls");
static int init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
    &init_count_mount, 0, "mount init calls");
static int init_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
    &init_count_mount_fslabel, 0, "mount_fslabel init calls");
static int init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
    &init_count_socket, 0, "socket init calls");
static int init_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
    CTLFLAG_RD, &init_count_socket_peerlabel, 0,
    "socket_peerlabel init calls");
static int init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
    &init_count_pipe, 0, "pipe init calls");
static int init_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
    &init_count_vnode, 0, "vnode init calls");

static int destroy_count_bpfdesc;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
    &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
static int destroy_count_cred;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
    &destroy_count_cred, 0, "cred destroy calls");
static int destroy_count_devfsdirent;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
    &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
static int destroy_count_ifnet;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
    &destroy_count_ifnet, 0, "ifnet destroy calls");
static int destroy_count_ipq;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
    &destroy_count_ipq, 0, "ipq destroy calls");
static int destroy_count_mbuf;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
    &destroy_count_mbuf, 0, "mbuf destroy calls");
static int destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
    &destroy_count_mount, 0, "mount destroy calls");
static int destroy_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
    CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
    "mount_fslabel destroy calls");
static int destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
    &destroy_count_socket, 0, "socket destroy calls");
static int destroy_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
    CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
    "socket_peerlabel destroy calls");
static int destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
    &destroy_count_pipe, 0, "pipe destroy calls");
static int destroy_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
    &destroy_count_vnode, 0, "vnode destroy calls");

/*
 * Externalize/internalize are counted only; the hooks neither claim the
 * element nor touch its data, so they are not broken down by object type.
 */
static int externalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
    &externalize_count, 0, "Subject/object externalize calls");
static int internalize_count;
SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
    &internalize_count, 0, "Subject/object internalize calls");

/*
 * Policy module operations.
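 */

/* Module teardown: nothing to release. */
static void
mac_test_destroy(struct mac_policy_conf *conf)
{

}

/* Module setup: nothing to prepare. */
static void
mac_test_init(struct mac_policy_conf *conf)
{

}

/*
 * Policy-specific system call.  No calls are defined, so any (call, arg)
 * pair that reaches us from userland is accepted and ignored.
 */
static int
mac_test_syscall(struct thread *td, int call, void *arg)
{

	return (0);
}

/*
 * Label operations.
 *
 * Each init hook stamps this policy's slot with the magic value for the
 * object type and counts the call; each destroy hook verifies the stamp
 * through mac_test_destroy_label() below.  The hooks that take a flag
 * (presumably an allocation wait flag) allocate nothing and so always
 * succeed.
 */
static void
mac_test_init_bpfdesc_label(struct label *label)
{

	SLOT(label) = BPFMAGIC;
	atomic_add_int(&init_count_bpfdesc, 1);
}

static void
mac_test_init_cred_label(struct label *label)
{

	SLOT(label) = CREDMAGIC;
	atomic_add_int(&init_count_cred, 1);
}

static void
mac_test_init_devfsdirent_label(struct label *label)
{

	SLOT(label) = DEVFSMAGIC;
	atomic_add_int(&init_count_devfsdirent, 1);
}

static void
mac_test_init_ifnet_label(struct label *label)
{

	SLOT(label) = IFNETMAGIC;
	atomic_add_int(&init_count_ifnet, 1);
}

static void
mac_test_init_ipq_label(struct label *label)
{

	SLOT(label) = IPQMAGIC;
	atomic_add_int(&init_count_ipq, 1);
}

static int
mac_test_init_mbuf_label(struct label *label, int flag)
{

	SLOT(label) = MBUFMAGIC;
	atomic_add_int(&init_count_mbuf, 1);
	return (0);
}

static void
mac_test_init_mount_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount, 1);
}

/*
 * Shares MOUNTMAGIC with the mount label, so the destroy-time check cannot
 * tell the two apart; only the separate counters can.
 */
static void
mac_test_init_mount_fs_label(struct label *label)
{

	SLOT(label) = MOUNTMAGIC;
	atomic_add_int(&init_count_mount_fslabel, 1);
}

static int
mac_test_init_socket_label(struct label *label, int flag)
{

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket, 1);
	return (0);
}

/* Shares SOCKETMAGIC with the socket label; same caveat as mount_fs. */
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{

	SLOT(label) = SOCKETMAGIC;
	atomic_add_int(&init_count_socket_peerlabel, 1);
	return (0);
}

static void
mac_test_init_pipe_label(struct label *label)
{

	SLOT(label) = PIPEMAGIC;
	atomic_add_int(&init_count_pipe, 1);
}

static void
mac_test_init_vnode_label(struct label *label)
{

	SLOT(label) = VNODEMAGIC;
	atomic_add_int(&init_count_vnode, 1);
}

/*
 * Common body of the destroy hooks.
 *
 * A label may be destroyed if its slot holds the magic for its type, or is
 * still 0 (never stamped by this policy, e.g. allocated before the module
 * was loaded); it is then counted and poisoned with EXMAGIC so that a
 * second destroy is detected.  Any other value is a lifecycle bug in the
 * framework: the label is left untouched for inspection and we stop in the
 * debugger with dupmsg (slot already EXMAGIC) or corruptmsg (anything
 * else).  Note that accepting 0 means a label that was never initialised
 * is silently counted as a destroy.
 */
static void
mac_test_destroy_label(struct label *label, long magic, int *counter,
    const char *dupmsg, const char *corruptmsg)
{
	long slot;

	slot = SLOT(label);
	if (slot == magic || slot == 0) {
		atomic_add_int(counter, 1);
		SLOT(label) = EXMAGIC;
	} else if (slot == EXMAGIC)
		Debugger(dupmsg);
	else
		Debugger(corruptmsg);
}

static void
mac_test_destroy_bpfdesc_label(struct label *label)
{

	mac_test_destroy_label(label, BPFMAGIC, &destroy_count_bpfdesc,
	    "mac_test_destroy_bpfdesc: dup destroy",
	    "mac_test_destroy_bpfdesc: corrupted label");
}

static void
mac_test_destroy_cred_label(struct label *label)
{

	mac_test_destroy_label(label, CREDMAGIC, &destroy_count_cred,
	    "mac_test_destroy_cred: dup destroy",
	    "mac_test_destroy_cred: corrupted label");
}

static void
mac_test_destroy_devfsdirent_label(struct label *label)
{

	mac_test_destroy_label(label, DEVFSMAGIC, &destroy_count_devfsdirent,
	    "mac_test_destroy_devfsdirent: dup destroy",
	    "mac_test_destroy_devfsdirent: corrupted label");
}

static void
mac_test_destroy_ifnet_label(struct label *label)
{

	mac_test_destroy_label(label, IFNETMAGIC, &destroy_count_ifnet,
	    "mac_test_destroy_ifnet: dup destroy",
	    "mac_test_destroy_ifnet: corrupted label");
}

static void
mac_test_destroy_ipq_label(struct label *label)
{

	mac_test_destroy_label(label, IPQMAGIC, &destroy_count_ipq,
	    "mac_test_destroy_ipq: dup destroy",
	    "mac_test_destroy_ipq: corrupted label");
}

static void
mac_test_destroy_mbuf_label(struct label *label)
{

	mac_test_destroy_label(label, MBUFMAGIC, &destroy_count_mbuf,
	    "mac_test_destroy_mbuf: dup destroy",
	    "mac_test_destroy_mbuf: corrupted label");
}

static void
mac_test_destroy_mount_label(struct label *label)
{

	mac_test_destroy_label(label, MOUNTMAGIC, &destroy_count_mount,
	    "mac_test_destroy_mount: dup destroy",
	    "mac_test_destroy_mount: corrupted label");
}

static void
mac_test_destroy_mount_fs_label(struct label *label)
{

	mac_test_destroy_label(label, MOUNTMAGIC, &destroy_count_mount_fslabel,
	    "mac_test_destroy_mount_fslabel: dup destroy",
	    "mac_test_destroy_mount_fslabel: corrupted label");
}

static void
mac_test_destroy_socket_label(struct label *label)
{

	mac_test_destroy_label(label, SOCKETMAGIC, &destroy_count_socket,
	    "mac_test_destroy_socket: dup destroy",
	    "mac_test_destroy_socket: corrupted label");
}

static void
mac_test_destroy_socket_peer_label(struct label *label)
{

	mac_test_destroy_label(label, SOCKETMAGIC,
	    &destroy_count_socket_peerlabel,
	    "mac_test_destroy_socket_peerlabel: dup destroy",
	    "mac_test_destroy_socket_peerlabel: corrupted label");
}

static void
mac_test_destroy_pipe_label(struct label *label)
{

	mac_test_destroy_label(label, PIPEMAGIC, &destroy_count_pipe,
	    "mac_test_destroy_pipe: dup destroy",
	    "mac_test_destroy_pipe: corrupted label");
}

static void
mac_test_destroy_vnode_label(struct label *label)
{

	mac_test_destroy_label(label, VNODEMAGIC, &destroy_count_vnode,
	    "mac_test_destroy_vnode: dup destroy",
	    "mac_test_destroy_vnode: corrupted label");
}

/*
 * Label text conversion.  Both hooks only count the call: *claimed is left
 * alone and element_data is neither read nor written, so this policy
 * contributes no element to a label string and accepts none.
 */
static int
mac_test_externalize_label(struct label *label, char *element_name,
    char *element_data, size_t size, size_t *len, int *claimed)
{

	atomic_add_int(&externalize_count, 1);

	return (0);
}

static int
mac_test_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{

	atomic_add_int(&internalize_count, 1);

	return (0);
}

/*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.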
 */

/*
 * All labeling hooks in this file are no-ops: the label arguments are
 * neither read nor written, and the hooks that return a status always
 * report success so the framework proceeds as if no policy were loaded.
 */
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{

}

/* Reports success without consulting any extended attribute. */
static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{

	return (0);
}

static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{

}

static void
mac_test_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
    struct label *label)
{

}

static void
mac_test_create_devfs_directory(char *dirname, int dirnamelen,
    struct devfs_dirent *devfs_dirent, struct label *label)
{

}

static void
mac_test_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
    struct label *ddlabel, struct devfs_dirent *de, struct label *delabel)
{

}

/* Reports success without writing any extended attribute. */
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{

	return (0);
}

static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

}

static void
mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

}

static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{

}

/* Reports success without persisting anything. */
static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{

	return (0);
}

static void
mac_test_update_devfsdirent(struct devfs_dirent *devfs_dirent,
    struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
{

}

/*
 * Labeling event operations: IPC object.
 */
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

}

static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

}

static void
mac_test_create_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

}

static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{

}

static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

}

static void
mac_test_relabel_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, struct label *newlabel)
{

}

/*
 * The peer label is not copied from the mbuf or socket label here, which
 * is what keeps the shared SOCKETMAGIC stamp in a peer label intact.
 */
static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{

}

/*
 * Labeling event operations: network objects.
 */
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

}

static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

}

static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

}

static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

}

static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

}

static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

}

static void
mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

}

static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

}

static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

}

static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

}

static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

}

static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

}

/*
 * Always returns 1 for any fragment/queue pair, i.e. this policy never
 * vetoes reassembly (assumes 1 is the framework's "matches" value).
 */
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	return (1);
}

static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

}

static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

}

/*
 * Labeling event operations: processes.
 */
static void
mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{

}

static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *filelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

}

/* Returns 0: this policy never requests a credential transition on exec. */
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *filelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	return (0);
}

static void
mac_test_create_proc0(struct ucred *cred)
{

}

static void
mac_test_create_proc1(struct ucred *cred)
{

}

static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{

}

/*
 * Access control checks.
 *
 * Every check below returns 0 (no objection) without looking at the
 * credential, the object or its label, and none of them consults
 * mac_test_enabled.  Loading this module therefore never denies anything;
 * it only exercises the framework's hook plumbing.
 */
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnetlabel)
{

	return (0);
}

static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	return (0);
}

static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	return (0);
}

static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	return (0);
}

static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	return (0);
}

static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	return (0);
}

/* cmd and data come straight from the ioctl caller and are not inspected. */
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	return (0);
}

static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	return (0);
}

static int
mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	return (0);
}

static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, struct label *newlabel)
{

	return (0);
}

static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	return (0);
}

static int
mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	return (0);
}

static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	return (0);
}

static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	return (0);
}

static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	return (0);
}

static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	return (0);
}

static int
mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	return (0);
}

static int
mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	return (0);
}

static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	return (0);
}

static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	return (0);
}

static int
mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	return (0);
}

static int
mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	return (0);
}

static int
mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	return (0);
}

static int
mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	return (0);
}

static int
mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	return (0);
}

static int
mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	return (0);
}

static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	return (0);
}

static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	return (0);
}

static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	return (0);
}

static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	return (0);
}

static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	return (0);
}

static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	return (0);
}

static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	return (0);
}

static int
mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	return (0);
}

static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	return (0);
}

/*
 * poll/read take two credentials (the active one and the one the file was
 * opened with); neither is examined here.
 */
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	return (0);
}

static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	return (0);
}

static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	return (0);
}

static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	return (0);
}

static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	return (0);
}

static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	return (0);
}

static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	return (0);
}

static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	return (0);
}

static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	return (0);
}

static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	return (0);
}

static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	return (0);
}

static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	return (0);
}

static int
mac_test_check_vnode_setowner(struct ucred
*cred, struct vnode *vp, 1177 struct label *label, uid_t uid, gid_t gid) 1178{ 1179 1180 return (0); 1181} 1182 1183static int 1184mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 1185 struct label *label, struct timespec atime, struct timespec mtime) 1186{ 1187 1188 return (0); 1189} 1190 1191static int 1192mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, 1193 struct vnode *vp, struct label *label) 1194{ 1195 1196 return (0); 1197} 1198 1199static int 1200mac_test_check_vnode_write(struct ucred *active_cred, 1201 struct ucred *file_cred, struct vnode *vp, struct label *label) 1202{ 1203 1204 return (0); 1205} 1206 1207static struct mac_policy_ops mac_test_ops = 1208{ 1209 .mpo_destroy = mac_test_destroy, 1210 .mpo_init = mac_test_init, 1211 .mpo_syscall = mac_test_syscall, 1212 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label, 1213 .mpo_init_cred_label = mac_test_init_cred_label, 1214 .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label, 1215 .mpo_init_ifnet_label = mac_test_init_ifnet_label, 1216 .mpo_init_ipq_label = mac_test_init_ipq_label, 1217 .mpo_init_mbuf_label = mac_test_init_mbuf_label, 1218 .mpo_init_mount_label = mac_test_init_mount_label, 1219 .mpo_init_mount_fs_label = mac_test_init_mount_fs_label, 1220 .mpo_init_pipe_label = mac_test_init_pipe_label, 1221 .mpo_init_socket_label = mac_test_init_socket_label, 1222 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label, 1223 .mpo_init_vnode_label = mac_test_init_vnode_label, 1224 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label, 1225 .mpo_destroy_cred_label = mac_test_destroy_cred_label, 1226 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label, 1227 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label, 1228 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, 1229 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, 1230 .mpo_destroy_mount_label = mac_test_destroy_mount_label, 1231 
.mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label, 1232 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, 1233 .mpo_destroy_socket_label = mac_test_destroy_socket_label, 1234 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, 1235 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, 1236 .mpo_externalize_cred_label = mac_test_externalize_label, 1237 .mpo_externalize_ifnet_label = mac_test_externalize_label, 1238 .mpo_externalize_pipe_label = mac_test_externalize_label, 1239 .mpo_externalize_socket_label = mac_test_externalize_label, 1240 .mpo_externalize_socket_peer_label = mac_test_externalize_label, 1241 .mpo_externalize_vnode_label = mac_test_externalize_label, 1242 .mpo_internalize_cred_label = mac_test_internalize_label, 1243 .mpo_internalize_ifnet_label = mac_test_internalize_label, 1244 .mpo_internalize_pipe_label = mac_test_internalize_label, 1245 .mpo_internalize_socket_label = mac_test_internalize_label, 1246 .mpo_internalize_vnode_label = mac_test_internalize_label, 1247 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, 1248 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, 1249 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, 1250 .mpo_create_devfs_device = mac_test_create_devfs_device, 1251 .mpo_create_devfs_directory = mac_test_create_devfs_directory, 1252 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, 1253 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, 1254 .mpo_create_mount = mac_test_create_mount, 1255 .mpo_create_root_mount = mac_test_create_root_mount, 1256 .mpo_relabel_vnode = mac_test_relabel_vnode, 1257 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, 1258 .mpo_update_devfsdirent = mac_test_update_devfsdirent, 1259 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, 1260 .mpo_create_pipe = mac_test_create_pipe, 1261 .mpo_create_socket = mac_test_create_socket, 1262 .mpo_create_socket_from_socket = 
mac_test_create_socket_from_socket, 1263 .mpo_relabel_pipe = mac_test_relabel_pipe, 1264 .mpo_relabel_socket = mac_test_relabel_socket, 1265 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, 1266 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, 1267 .mpo_create_bpfdesc = mac_test_create_bpfdesc, 1268 .mpo_create_ifnet = mac_test_create_ifnet, 1269 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, 1270 .mpo_create_fragment = mac_test_create_fragment, 1271 .mpo_create_ipq = mac_test_create_ipq, 1272 .mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf, 1273 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer, 1274 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, 1275 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, 1276 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, 1277 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, 1278 .mpo_fragment_match = mac_test_fragment_match, 1279 .mpo_relabel_ifnet = mac_test_relabel_ifnet, 1280 .mpo_update_ipq = mac_test_update_ipq, 1281 .mpo_create_cred = mac_test_create_cred, 1282 .mpo_execve_transition = mac_test_execve_transition, 1283 .mpo_execve_will_transition = mac_test_execve_will_transition, 1284 .mpo_create_proc0 = mac_test_create_proc0, 1285 .mpo_create_proc1 = mac_test_create_proc1, 1286 .mpo_relabel_cred = mac_test_relabel_cred, 1287 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, 1288 .mpo_check_cred_relabel = mac_test_check_cred_relabel, 1289 .mpo_check_cred_visible = mac_test_check_cred_visible, 1290 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, 1291 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, 1292 .mpo_check_mount_stat = mac_test_check_mount_stat, 1293 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, 1294 .mpo_check_pipe_poll = mac_test_check_pipe_poll, 1295 .mpo_check_pipe_read = mac_test_check_pipe_read, 1296 .mpo_check_pipe_relabel = 
mac_test_check_pipe_relabel, 1297 .mpo_check_pipe_stat = mac_test_check_pipe_stat, 1298 .mpo_check_pipe_write = mac_test_check_pipe_write, 1299 .mpo_check_proc_debug = mac_test_check_proc_debug, 1300 .mpo_check_proc_sched = mac_test_check_proc_sched, 1301 .mpo_check_proc_signal = mac_test_check_proc_signal, 1302 .mpo_check_socket_bind = mac_test_check_socket_bind, 1303 .mpo_check_socket_connect = mac_test_check_socket_connect, 1304 .mpo_check_socket_deliver = mac_test_check_socket_deliver, 1305 .mpo_check_socket_listen = mac_test_check_socket_listen, 1306 .mpo_check_socket_relabel = mac_test_check_socket_relabel, 1307 .mpo_check_socket_visible = mac_test_check_socket_visible, 1308 .mpo_check_vnode_access = mac_test_check_vnode_access, 1309 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, 1310 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, 1311 .mpo_check_vnode_create = mac_test_check_vnode_create, 1312 .mpo_check_vnode_delete = mac_test_check_vnode_delete, 1313 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, 1314 .mpo_check_vnode_exec = mac_test_check_vnode_exec, 1315 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, 1316 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, 1317 .mpo_check_vnode_link = mac_test_check_vnode_link, 1318 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, 1319 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, 1320 .mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect, 1321 .mpo_check_vnode_open = mac_test_check_vnode_open, 1322 .mpo_check_vnode_poll = mac_test_check_vnode_poll, 1323 .mpo_check_vnode_read = mac_test_check_vnode_read, 1324 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, 1325 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, 1326 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, 1327 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, 1328 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, 1329 .mpo_check_vnode_revoke = 
mac_test_check_vnode_revoke, 1330 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, 1331 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, 1332 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, 1333 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, 1334 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, 1335 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, 1336 .mpo_check_vnode_stat = mac_test_check_vnode_stat, 1337 .mpo_check_vnode_write = mac_test_check_vnode_write, 1338}; 1339 1340MAC_POLICY_SET(&mac_test_ops, trustedbsd_mac_test, "TrustedBSD MAC/Test", 1341 MPC_LOADTIME_FLAG_UNLOADOK, &test_slot); 1342