1 /*-
2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
3 * Copyright (c) 2001-2005 McAfee, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by McAfee
9 * Research, the Security Research Division of McAfee, Inc. under
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11 * CHATS research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $FreeBSD$
35 */
36
37 /*
38 * Developed by the TrustedBSD Project.
39 *
40 * MAC Test policy - tests MAC Framework labeling by assigning object class
41 * magic numbers to each label and validates that each time an object label
42 * is passed into the policy, it has a consistent object type, catching
43 * incorrectly passed labels, labels passed after free, etc.
44 */
45
46 #include <sys/param.h>
47 #include <sys/acl.h>
48 #include <sys/kdb.h>
49 #include <sys/kernel.h>
50 #include <sys/ksem.h>
51 #include <sys/malloc.h>
52 #include <sys/module.h>
53 #include <sys/mount.h>
54 #include <sys/msg.h>
55 #include <sys/proc.h>
56 #include <sys/vnode.h>
57 #include <sys/sem.h>
58 #include <sys/shm.h>
59 #include <sys/socket.h>
60 #include <sys/socketvar.h>
61 #include <sys/sx.h>
62 #include <sys/sysctl.h>
63
64 #include <fs/devfs/devfs.h>
65
66 #include <net/bpfdesc.h>
67 #include <net/if.h>
68 #include <net/if_types.h>
69 #include <net/if_var.h>
70
71 #include <security/mac/mac_policy.h>
72
73 SYSCTL_DECL(_security_mac);
74
75 SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
76 "TrustedBSD mac_test policy controls");
77
78 #define MAGIC_BPF 0xfe1ad1b6
79 #define MAGIC_DEVFS 0x9ee79c32
80 #define MAGIC_IFNET 0xc218b120
81 #define MAGIC_INPCB 0x4440f7bb
82 #define MAGIC_IPQ 0x206188ef
83 #define MAGIC_MBUF 0xbbefa5bb
84 #define MAGIC_MOUNT 0xc7c46e47
85 #define MAGIC_SOCKET 0x9199c6cd
86 #define MAGIC_SYSV_MSG 0x8bbba61e
87 #define MAGIC_SYSV_MSQ 0xea672391
88 #define MAGIC_SYSV_SEM 0x896e8a0b
89 #define MAGIC_SYSV_SHM 0x76119ab0
90 #define MAGIC_PIPE 0xdc6c9919
91 #define MAGIC_POSIX_SEM 0x78ae980c
92 #define MAGIC_PROC 0x3b4be98f
93 #define MAGIC_CRED 0x9a5a4987
94 #define MAGIC_VNODE 0x1a67a45c
95 #define MAGIC_FREE 0x849ba1fd
96
97 #define SLOT(x) mac_label_get((x), test_slot)
98 #define SLOT_SET(x, v) mac_label_set((x), test_slot, (v))
99
100 static int test_slot;
101 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
102 &test_slot, 0, "Slot allocated by framework");
103
104 SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0,
105 "TrustedBSD mac_test counters controls");
106
107 #define COUNTER_DECL(variable) \
108 static int counter_##variable; \
109 SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable, \
110 CTLFLAG_RD, &counter_##variable, 0, #variable)
111
112 #define COUNTER_INC(variable) atomic_add_int(&counter_##variable, 1)
113
114 #ifdef KDB
115 #define DEBUGGER(func, string) kdb_enter((string))
116 #else
117 #define DEBUGGER(func, string) printf("mac_test: %s: %s\n", (func), (string))
118 #endif
119
120 #define LABEL_CHECK(label, magic) do { \
121 if (label != NULL) { \
122 KASSERT(SLOT(label) == magic || SLOT(label) == 0, \
123 ("%s: bad %s label", __func__, #magic)); \
124 } \
125 } while (0)
126
127 #define LABEL_DESTROY(label, magic) do { \
128 if (SLOT(label) == magic || SLOT(label) == 0) { \
129 SLOT_SET(label, MAGIC_FREE); \
130 } else if (SLOT(label) == MAGIC_FREE) { \
131 DEBUGGER("%s: dup destroy", __func__); \
132 } else { \
133 DEBUGGER("%s: corrupted label", __func__); \
134 } \
135 } while (0)
136
137 #define LABEL_INIT(label, magic) do { \
138 SLOT_SET(label, magic); \
139 } while (0)
140
141 #define LABEL_NOTFREE(label) do { \
142 KASSERT(SLOT(label) != MAGIC_FREE, \
143 ("%s: destroyed label", __func__)); \
144 } while (0)
145
146 /*
147 * Label operations.
148 */
149 COUNTER_DECL(init_bpfdesc_label);
150 static void
151 mac_test_init_bpfdesc_label(struct label *label)
152 {
153
154 LABEL_INIT(label, MAGIC_BPF);
155 COUNTER_INC(init_bpfdesc_label);
156 }
157
158 COUNTER_DECL(init_cred_label);
159 static void
160 mac_test_init_cred_label(struct label *label)
161 {
162
163 LABEL_INIT(label, MAGIC_CRED);
164 COUNTER_INC(init_cred_label);
165 }
166
167 COUNTER_DECL(init_devfs_label);
168 static void
169 mac_test_init_devfs_label(struct label *label)
170 {
171
172 LABEL_INIT(label, MAGIC_DEVFS);
173 COUNTER_INC(init_devfs_label);
174 }
175
176 COUNTER_DECL(init_ifnet_label);
177 static void
178 mac_test_init_ifnet_label(struct label *label)
179 {
180
181 LABEL_INIT(label, MAGIC_IFNET);
182 COUNTER_INC(init_ifnet_label);
183 }
184
185 COUNTER_DECL(init_inpcb_label);
186 static int
187 mac_test_init_inpcb_label(struct label *label, int flag)
188 {
189
190 if (flag & M_WAITOK)
191 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
192 "mac_test_init_inpcb_label() at %s:%d", __FILE__,
193 __LINE__);
194
195 LABEL_INIT(label, MAGIC_INPCB);
196 COUNTER_INC(init_inpcb_label);
197 return (0);
198 }
199
200 COUNTER_DECL(init_sysv_msg_label);
201 static void
202 mac_test_init_sysv_msgmsg_label(struct label *label)
203 {
204 LABEL_INIT(label, MAGIC_SYSV_MSG);
205 COUNTER_INC(init_sysv_msg_label);
206 }
207
208 COUNTER_DECL(init_sysv_msq_label);
209 static void
210 mac_test_init_sysv_msgqueue_label(struct label *label)
211 {
212 LABEL_INIT(label, MAGIC_SYSV_MSQ);
213 COUNTER_INC(init_sysv_msq_label);
214 }
215
216 COUNTER_DECL(init_sysv_sem_label);
217 static void
218 mac_test_init_sysv_sem_label(struct label *label)
219 {
220 LABEL_INIT(label, MAGIC_SYSV_SEM);
221 COUNTER_INC(init_sysv_sem_label);
222 }
223
224 COUNTER_DECL(init_sysv_shm_label);
225 static void
226 mac_test_init_sysv_shm_label(struct label *label)
227 {
228 LABEL_INIT(label, MAGIC_SYSV_SHM);
229 COUNTER_INC(init_sysv_shm_label);
230 }
231
232 COUNTER_DECL(init_ipq_label);
233 static int
234 mac_test_init_ipq_label(struct label *label, int flag)
235 {
236
237 if (flag & M_WAITOK)
238 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
239 "mac_test_init_ipq_label() at %s:%d", __FILE__,
240 __LINE__);
241
242 LABEL_INIT(label, MAGIC_IPQ);
243 COUNTER_INC(init_ipq_label);
244 return (0);
245 }
246
247 COUNTER_DECL(init_mbuf_label);
248 static int
249 mac_test_init_mbuf_label(struct label *label, int flag)
250 {
251
252 if (flag & M_WAITOK)
253 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
254 "mac_test_init_mbuf_label() at %s:%d", __FILE__,
255 __LINE__);
256
257 LABEL_INIT(label, MAGIC_MBUF);
258 COUNTER_INC(init_mbuf_label);
259 return (0);
260 }
261
262 COUNTER_DECL(init_mount_label);
263 static void
264 mac_test_init_mount_label(struct label *label)
265 {
266
267 LABEL_INIT(label, MAGIC_MOUNT);
268 COUNTER_INC(init_mount_label);
269 }
270
271 COUNTER_DECL(init_socket_label);
272 static int
273 mac_test_init_socket_label(struct label *label, int flag)
274 {
275
276 if (flag & M_WAITOK)
277 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
278 "mac_test_init_socket_label() at %s:%d", __FILE__,
279 __LINE__);
280
281 LABEL_INIT(label, MAGIC_SOCKET);
282 COUNTER_INC(init_socket_label);
283 return (0);
284 }
285
286 COUNTER_DECL(init_socket_peer_label);
287 static int
288 mac_test_init_socket_peer_label(struct label *label, int flag)
289 {
290
291 if (flag & M_WAITOK)
292 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
293 "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
294 __LINE__);
295
296 LABEL_INIT(label, MAGIC_SOCKET);
297 COUNTER_INC(init_socket_peer_label);
298 return (0);
299 }
300
301 COUNTER_DECL(init_pipe_label);
302 static void
303 mac_test_init_pipe_label(struct label *label)
304 {
305
306 LABEL_INIT(label, MAGIC_PIPE);
307 COUNTER_INC(init_pipe_label);
308 }
309
310 COUNTER_DECL(init_posix_sem_label);
311 static void
312 mac_test_init_posix_sem_label(struct label *label)
313 {
314
315 LABEL_INIT(label, MAGIC_POSIX_SEM);
316 COUNTER_INC(init_posix_sem_label);
317 }
318
319 COUNTER_DECL(init_proc_label);
320 static void
321 mac_test_init_proc_label(struct label *label)
322 {
323
324 LABEL_INIT(label, MAGIC_PROC);
325 COUNTER_INC(init_proc_label);
326 }
327
328 COUNTER_DECL(init_vnode_label);
329 static void
330 mac_test_init_vnode_label(struct label *label)
331 {
332
333 LABEL_INIT(label, MAGIC_VNODE);
334 COUNTER_INC(init_vnode_label);
335 }
336
337 COUNTER_DECL(destroy_bpfdesc_label);
338 static void
339 mac_test_destroy_bpfdesc_label(struct label *label)
340 {
341
342 LABEL_DESTROY(label, MAGIC_BPF);
343 COUNTER_INC(destroy_bpfdesc_label);
344 }
345
346 COUNTER_DECL(destroy_cred_label);
347 static void
348 mac_test_destroy_cred_label(struct label *label)
349 {
350
351 LABEL_DESTROY(label, MAGIC_CRED);
352 COUNTER_INC(destroy_cred_label);
353 }
354
355 COUNTER_DECL(destroy_devfs_label);
356 static void
357 mac_test_destroy_devfs_label(struct label *label)
358 {
359
360 LABEL_DESTROY(label, MAGIC_DEVFS);
361 COUNTER_INC(destroy_devfs_label);
362 }
363
364 COUNTER_DECL(destroy_ifnet_label);
365 static void
366 mac_test_destroy_ifnet_label(struct label *label)
367 {
368
369 LABEL_DESTROY(label, MAGIC_IFNET);
370 COUNTER_INC(destroy_ifnet_label);
371 }
372
373 COUNTER_DECL(destroy_inpcb_label);
374 static void
375 mac_test_destroy_inpcb_label(struct label *label)
376 {
377
378 LABEL_DESTROY(label, MAGIC_INPCB);
379 COUNTER_INC(destroy_inpcb_label);
380 }
381
382 COUNTER_DECL(destroy_sysv_msg_label);
383 static void
384 mac_test_destroy_sysv_msgmsg_label(struct label *label)
385 {
386
387 LABEL_DESTROY(label, MAGIC_SYSV_MSG);
388 COUNTER_INC(destroy_sysv_msg_label);
389 }
390
391 COUNTER_DECL(destroy_sysv_msq_label);
392 static void
393 mac_test_destroy_sysv_msgqueue_label(struct label *label)
394 {
395
396 LABEL_DESTROY(label, MAGIC_SYSV_MSQ);
397 COUNTER_INC(destroy_sysv_msq_label);
398 }
399
400 COUNTER_DECL(destroy_sysv_sem_label);
401 static void
402 mac_test_destroy_sysv_sem_label(struct label *label)
403 {
404
405 LABEL_DESTROY(label, MAGIC_SYSV_SEM);
406 COUNTER_INC(destroy_sysv_sem_label);
407 }
408
409 COUNTER_DECL(destroy_sysv_shm_label);
410 static void
411 mac_test_destroy_sysv_shm_label(struct label *label)
412 {
413
414 LABEL_DESTROY(label, MAGIC_SYSV_SHM);
415 COUNTER_INC(destroy_sysv_shm_label);
416 }
417
418 COUNTER_DECL(destroy_ipq_label);
419 static void
420 mac_test_destroy_ipq_label(struct label *label)
421 {
422
423 LABEL_DESTROY(label, MAGIC_IPQ);
424 COUNTER_INC(destroy_ipq_label);
425 }
426
427 COUNTER_DECL(destroy_mbuf_label);
428 static void
429 mac_test_destroy_mbuf_label(struct label *label)
430 {
431
432 /*
433 * If we're loaded dynamically, there may be mbufs in flight that
434 * didn't have label storage allocated for them. Handle this
435 * gracefully.
436 */
437 if (label == NULL)
438 return;
439
440 LABEL_DESTROY(label, MAGIC_MBUF);
441 COUNTER_INC(destroy_mbuf_label);
442 }
443
444 COUNTER_DECL(destroy_mount_label);
445 static void
446 mac_test_destroy_mount_label(struct label *label)
447 {
448
449 LABEL_DESTROY(label, MAGIC_MOUNT);
450 COUNTER_INC(destroy_mount_label);
451 }
452
453 COUNTER_DECL(destroy_socket_label);
454 static void
455 mac_test_destroy_socket_label(struct label *label)
456 {
457
458 LABEL_DESTROY(label, MAGIC_SOCKET);
459 COUNTER_INC(destroy_socket_label);
460 }
461
462 COUNTER_DECL(destroy_socket_peer_label);
463 static void
464 mac_test_destroy_socket_peer_label(struct label *label)
465 {
466
467 LABEL_DESTROY(label, MAGIC_SOCKET);
468 COUNTER_INC(destroy_socket_peer_label);
469 }
470
471 COUNTER_DECL(destroy_pipe_label);
472 static void
473 mac_test_destroy_pipe_label(struct label *label)
474 {
475
476 LABEL_DESTROY(label, MAGIC_PIPE);
477 COUNTER_INC(destroy_pipe_label);
478 }
479
480 COUNTER_DECL(destroy_posix_sem_label);
481 static void
482 mac_test_destroy_posix_sem_label(struct label *label)
483 {
484
485 LABEL_DESTROY(label, MAGIC_POSIX_SEM);
486 COUNTER_INC(destroy_posix_sem_label);
487 }
488
489 COUNTER_DECL(destroy_proc_label);
490 static void
491 mac_test_destroy_proc_label(struct label *label)
492 {
493
494 LABEL_DESTROY(label, MAGIC_PROC);
495 COUNTER_INC(destroy_proc_label);
496 }
497
498 COUNTER_DECL(destroy_vnode_label);
499 static void
500 mac_test_destroy_vnode_label(struct label *label)
501 {
502
503 LABEL_DESTROY(label, MAGIC_VNODE);
504 COUNTER_INC(destroy_vnode_label);
505 }
506
507 COUNTER_DECL(copy_cred_label);
508 static void
509 mac_test_copy_cred_label(struct label *src, struct label *dest)
510 {
511
512 LABEL_CHECK(src, MAGIC_CRED);
513 LABEL_CHECK(dest, MAGIC_CRED);
514 COUNTER_INC(copy_cred_label);
515 }
516
517 COUNTER_DECL(copy_ifnet_label);
518 static void
519 mac_test_copy_ifnet_label(struct label *src, struct label *dest)
520 {
521
522 LABEL_CHECK(src, MAGIC_IFNET);
523 LABEL_CHECK(dest, MAGIC_IFNET);
524 COUNTER_INC(copy_ifnet_label);
525 }
526
527 COUNTER_DECL(copy_mbuf_label);
528 static void
529 mac_test_copy_mbuf_label(struct label *src, struct label *dest)
530 {
531
532 LABEL_CHECK(src, MAGIC_MBUF);
533 LABEL_CHECK(dest, MAGIC_MBUF);
534 COUNTER_INC(copy_mbuf_label);
535 }
536
537 COUNTER_DECL(copy_pipe_label);
538 static void
539 mac_test_copy_pipe_label(struct label *src, struct label *dest)
540 {
541
542 LABEL_CHECK(src, MAGIC_PIPE);
543 LABEL_CHECK(dest, MAGIC_PIPE);
544 COUNTER_INC(copy_pipe_label);
545 }
546
547 COUNTER_DECL(copy_socket_label);
548 static void
549 mac_test_copy_socket_label(struct label *src, struct label *dest)
550 {
551
552 LABEL_CHECK(src, MAGIC_SOCKET);
553 LABEL_CHECK(dest, MAGIC_SOCKET);
554 COUNTER_INC(copy_socket_label);
555 }
556
557 COUNTER_DECL(copy_vnode_label);
558 static void
559 mac_test_copy_vnode_label(struct label *src, struct label *dest)
560 {
561
562 LABEL_CHECK(src, MAGIC_VNODE);
563 LABEL_CHECK(dest, MAGIC_VNODE);
564 COUNTER_INC(copy_vnode_label);
565 }
566
567 COUNTER_DECL(externalize_label);
568 static int
569 mac_test_externalize_label(struct label *label, char *element_name,
570 struct sbuf *sb, int *claimed)
571 {
572
573 LABEL_NOTFREE(label);
574 COUNTER_INC(externalize_label);
575
576 return (0);
577 }
578
579 COUNTER_DECL(internalize_label);
580 static int
581 mac_test_internalize_label(struct label *label, char *element_name,
582 char *element_data, int *claimed)
583 {
584
585 LABEL_NOTFREE(label);
586 COUNTER_INC(internalize_label);
587
588 return (0);
589 }
590
591 /*
592 * Labeling event operations: file system objects, and things that look
593 * a lot like file system objects.
594 */
595 COUNTER_DECL(associate_vnode_devfs);
596 static void
597 mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
598 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
599 struct label *vplabel)
600 {
601
602 LABEL_CHECK(mplabel, MAGIC_MOUNT);
603 LABEL_CHECK(delabel, MAGIC_DEVFS);
604 LABEL_CHECK(vplabel, MAGIC_VNODE);
605 COUNTER_INC(associate_vnode_devfs);
606 }
607
608 COUNTER_DECL(associate_vnode_extattr);
609 static int
610 mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
611 struct vnode *vp, struct label *vplabel)
612 {
613
614 LABEL_CHECK(mplabel, MAGIC_MOUNT);
615 LABEL_CHECK(vplabel, MAGIC_VNODE);
616 COUNTER_INC(associate_vnode_extattr);
617
618 return (0);
619 }
620
621 COUNTER_DECL(associate_vnode_singlelabel);
622 static void
623 mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel,
624 struct vnode *vp, struct label *vplabel)
625 {
626
627 LABEL_CHECK(mplabel, MAGIC_MOUNT);
628 LABEL_CHECK(vplabel, MAGIC_VNODE);
629 COUNTER_INC(associate_vnode_singlelabel);
630 }
631
632 COUNTER_DECL(create_devfs_device);
633 static void
634 mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
635 struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
636 {
637
638 if (cred != NULL)
639 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
640 LABEL_CHECK(delabel, MAGIC_DEVFS);
641 COUNTER_INC(create_devfs_device);
642 }
643
644 COUNTER_DECL(create_devfs_directory);
645 static void
646 mac_test_create_devfs_directory(struct mount *mp, char *dirname,
647 int dirnamelen, struct devfs_dirent *de, struct label *delabel)
648 {
649
650 LABEL_CHECK(delabel, MAGIC_DEVFS);
651 COUNTER_INC(create_devfs_directory);
652 }
653
654 COUNTER_DECL(create_devfs_symlink);
655 static void
656 mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
657 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
658 struct label *delabel)
659 {
660
661 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
662 LABEL_CHECK(ddlabel, MAGIC_DEVFS);
663 LABEL_CHECK(delabel, MAGIC_DEVFS);
664 COUNTER_INC(create_devfs_symlink);
665 }
666
667 COUNTER_DECL(create_vnode_extattr);
668 static int
669 mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
670 struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
671 struct vnode *vp, struct label *vplabel, struct componentname *cnp)
672 {
673
674 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
675 LABEL_CHECK(mplabel, MAGIC_MOUNT);
676 LABEL_CHECK(dvplabel, MAGIC_VNODE);
677 COUNTER_INC(create_vnode_extattr);
678
679 return (0);
680 }
681
682 COUNTER_DECL(create_mount);
683 static void
684 mac_test_create_mount(struct ucred *cred, struct mount *mp,
685 struct label *mplabel)
686 {
687
688 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
689 LABEL_CHECK(mplabel, MAGIC_MOUNT);
690 COUNTER_INC(create_mount);
691 }
692
693 COUNTER_DECL(relabel_vnode);
694 static void
695 mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
696 struct label *vplabel, struct label *label)
697 {
698
699 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
700 LABEL_CHECK(vplabel, MAGIC_VNODE);
701 LABEL_CHECK(label, MAGIC_VNODE);
702 COUNTER_INC(relabel_vnode);
703 }
704
705 COUNTER_DECL(setlabel_vnode_extattr);
706 static int
707 mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
708 struct label *vplabel, struct label *intlabel)
709 {
710
711 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
712 LABEL_CHECK(vplabel, MAGIC_VNODE);
713 LABEL_CHECK(intlabel, MAGIC_VNODE);
714 COUNTER_INC(setlabel_vnode_extattr);
715
716 return (0);
717 }
718
719 COUNTER_DECL(update_devfs);
720 static void
721 mac_test_update_devfs(struct mount *mp, struct devfs_dirent *devfs_dirent,
722 struct label *direntlabel, struct vnode *vp, struct label *vplabel)
723 {
724
725 LABEL_CHECK(direntlabel, MAGIC_DEVFS);
726 LABEL_CHECK(vplabel, MAGIC_VNODE);
727 COUNTER_INC(update_devfs);
728 }
729
730 /*
731 * Labeling event operations: IPC object.
732 */
733 COUNTER_DECL(create_mbuf_from_socket);
734 static void
735 mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
736 struct mbuf *m, struct label *mbuflabel)
737 {
738
739 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
740 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
741 COUNTER_INC(create_mbuf_from_socket);
742 }
743
744 COUNTER_DECL(create_socket);
745 static void
746 mac_test_create_socket(struct ucred *cred, struct socket *socket,
747 struct label *socketlabel)
748 {
749
750 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
751 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
752 COUNTER_INC(create_socket);
753 }
754
755 COUNTER_DECL(create_pipe);
756 static void
757 mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
758 struct label *pipelabel)
759 {
760
761 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
762 LABEL_CHECK(pipelabel, MAGIC_PIPE);
763 COUNTER_INC(create_pipe);
764 }
765
766 COUNTER_DECL(create_posix_sem);
767 static void
768 mac_test_create_posix_sem(struct ucred *cred, struct ksem *ks,
769 struct label *kslabel)
770 {
771
772 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
773 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
774 COUNTER_INC(create_posix_sem);
775 }
776
777 COUNTER_DECL(create_socket_from_socket);
778 static void
779 mac_test_create_socket_from_socket(struct socket *oldsocket,
780 struct label *oldsocketlabel, struct socket *newsocket,
781 struct label *newsocketlabel)
782 {
783
784 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
785 LABEL_CHECK(newsocketlabel, MAGIC_SOCKET);
786 COUNTER_INC(create_socket_from_socket);
787 }
788
789 COUNTER_DECL(relabel_socket);
790 static void
791 mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
792 struct label *socketlabel, struct label *newlabel)
793 {
794
795 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
796 LABEL_CHECK(newlabel, MAGIC_SOCKET);
797 COUNTER_INC(relabel_socket);
798 }
799
800 COUNTER_DECL(relabel_pipe);
801 static void
802 mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
803 struct label *pipelabel, struct label *newlabel)
804 {
805
806 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
807 LABEL_CHECK(pipelabel, MAGIC_PIPE);
808 LABEL_CHECK(newlabel, MAGIC_PIPE);
809 COUNTER_INC(relabel_pipe);
810 }
811
812 COUNTER_DECL(set_socket_peer_from_mbuf);
813 static void
814 mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
815 struct socket *socket, struct label *socketpeerlabel)
816 {
817
818 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
819 LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET);
820 COUNTER_INC(set_socket_peer_from_mbuf);
821 }
822
823 /*
824 * Labeling event operations: network objects.
825 */
826 COUNTER_DECL(set_socket_peer_from_socket);
827 static void
828 mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
829 struct label *oldsocketlabel, struct socket *newsocket,
830 struct label *newsocketpeerlabel)
831 {
832
833 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
834 LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET);
835 COUNTER_INC(set_socket_peer_from_socket);
836 }
837
838 COUNTER_DECL(create_bpfdesc);
839 static void
840 mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
841 struct label *bpflabel)
842 {
843
844 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
845 LABEL_CHECK(bpflabel, MAGIC_BPF);
846 COUNTER_INC(create_bpfdesc);
847 }
848
849 COUNTER_DECL(create_datagram_from_ipq);
850 static void
851 mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
852 struct mbuf *datagram, struct label *datagramlabel)
853 {
854
855 LABEL_CHECK(ipqlabel, MAGIC_IPQ);
856 LABEL_CHECK(datagramlabel, MAGIC_MBUF);
857 COUNTER_INC(create_datagram_from_ipq);
858 }
859
860 COUNTER_DECL(create_fragment);
861 static void
862 mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
863 struct mbuf *fragment, struct label *fragmentlabel)
864 {
865
866 LABEL_CHECK(datagramlabel, MAGIC_MBUF);
867 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
868 COUNTER_INC(create_fragment);
869 }
870
871 COUNTER_DECL(create_ifnet);
872 static void
873 mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
874 {
875
876 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
877 COUNTER_INC(create_ifnet);
878 }
879
880 COUNTER_DECL(create_inpcb_from_socket);
881 static void
882 mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
883 struct inpcb *inp, struct label *inplabel)
884 {
885
886 LABEL_CHECK(solabel, MAGIC_SOCKET);
887 LABEL_CHECK(inplabel, MAGIC_INPCB);
888 COUNTER_INC(create_inpcb_from_socket);
889 }
890
891 COUNTER_DECL(create_sysv_msgmsg);
892 static void
893 mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
894 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
895 {
896
897 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
898 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
899 COUNTER_INC(create_sysv_msgmsg);
900 }
901
902 COUNTER_DECL(create_sysv_msgqueue);
903 static void
904 mac_test_create_sysv_msgqueue(struct ucred *cred,
905 struct msqid_kernel *msqkptr, struct label *msqlabel)
906 {
907
908 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
909 COUNTER_INC(create_sysv_msgqueue);
910 }
911
912 COUNTER_DECL(create_sysv_sem);
913 static void
914 mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
915 struct label *semalabel)
916 {
917
918 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
919 COUNTER_INC(create_sysv_sem);
920 }
921
922 COUNTER_DECL(create_sysv_shm);
923 static void
924 mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
925 struct label *shmlabel)
926 {
927
928 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
929 COUNTER_INC(create_sysv_shm);
930 }
931
932 COUNTER_DECL(create_ipq);
933 static void
934 mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
935 struct ipq *ipq, struct label *ipqlabel)
936 {
937
938 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
939 LABEL_CHECK(ipqlabel, MAGIC_IPQ);
940 COUNTER_INC(create_ipq);
941 }
942
943 COUNTER_DECL(create_mbuf_from_inpcb);
944 static void
945 mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
946 struct mbuf *m, struct label *mlabel)
947 {
948
949 LABEL_CHECK(inplabel, MAGIC_INPCB);
950 LABEL_CHECK(mlabel, MAGIC_MBUF);
951 COUNTER_INC(create_mbuf_from_inpcb);
952 }
953
954 COUNTER_DECL(create_mbuf_linklayer);
955 static void
956 mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
957 struct mbuf *mbuf, struct label *mbuflabel)
958 {
959
960 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
961 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
962 COUNTER_INC(create_mbuf_linklayer);
963 }
964
965 COUNTER_DECL(create_mbuf_from_bpfdesc);
966 static void
967 mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
968 struct mbuf *mbuf, struct label *mbuflabel)
969 {
970
971 LABEL_CHECK(bpflabel, MAGIC_BPF);
972 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
973 COUNTER_INC(create_mbuf_from_bpfdesc);
974 }
975
976 COUNTER_DECL(create_mbuf_from_ifnet);
977 static void
978 mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
979 struct mbuf *m, struct label *mbuflabel)
980 {
981
982 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
983 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
984 COUNTER_INC(create_mbuf_from_ifnet);
985 }
986
987 COUNTER_DECL(create_mbuf_multicast_encap);
988 static void
989 mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
990 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
991 struct mbuf *newmbuf, struct label *newmbuflabel)
992 {
993
994 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
995 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
996 LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
997 COUNTER_INC(create_mbuf_multicast_encap);
998 }
999
1000 COUNTER_DECL(create_mbuf_netlayer);
1001 static void
1002 mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
1003 struct label *oldmbuflabel, struct mbuf *newmbuf,
1004 struct label *newmbuflabel)
1005 {
1006
1007 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
1008 LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
1009 COUNTER_INC(create_mbuf_netlayer);
1010 }
1011
1012 COUNTER_DECL(fragment_match);
1013 static int
1014 mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
1015 struct ipq *ipq, struct label *ipqlabel)
1016 {
1017
1018 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
1019 LABEL_CHECK(ipqlabel, MAGIC_IPQ);
1020 COUNTER_INC(fragment_match);
1021
1022 return (1);
1023 }
1024
1025 COUNTER_DECL(reflect_mbuf_icmp);
1026 static void
1027 mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
1028 {
1029
1030 LABEL_CHECK(mlabel, MAGIC_MBUF);
1031 COUNTER_INC(reflect_mbuf_icmp);
1032 }
1033
1034 COUNTER_DECL(reflect_mbuf_tcp);
1035 static void
1036 mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
1037 {
1038
1039 LABEL_CHECK(mlabel, MAGIC_MBUF);
1040 COUNTER_INC(reflect_mbuf_tcp);
1041 }
1042
1043 COUNTER_DECL(relabel_ifnet);
1044 static void
1045 mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1046 struct label *ifnetlabel, struct label *newlabel)
1047 {
1048
1049 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1050 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1051 LABEL_CHECK(newlabel, MAGIC_IFNET);
1052 COUNTER_INC(relabel_ifnet);
1053 }
1054
1055 COUNTER_DECL(update_ipq);
1056 static void
1057 mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1058 struct ipq *ipq, struct label *ipqlabel)
1059 {
1060
1061 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
1062 LABEL_CHECK(ipqlabel, MAGIC_IPQ);
1063 COUNTER_INC(update_ipq);
1064 }
1065
1066 COUNTER_DECL(inpcb_sosetlabel);
1067 static void
1068 mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1069 struct inpcb *inp, struct label *inplabel)
1070 {
1071
1072 LABEL_CHECK(solabel, MAGIC_SOCKET);
1073 LABEL_CHECK(inplabel, MAGIC_INPCB);
1074 COUNTER_INC(inpcb_sosetlabel);
1075 }
1076
1077 /*
1078 * Labeling event operations: processes.
1079 */
1080 COUNTER_DECL(execve_transition);
1081 static void
1082 mac_test_execve_transition(struct ucred *old, struct ucred *new,
1083 struct vnode *vp, struct label *filelabel,
1084 struct label *interpvplabel, struct image_params *imgp,
1085 struct label *execlabel)
1086 {
1087
1088 LABEL_CHECK(old->cr_label, MAGIC_CRED);
1089 LABEL_CHECK(new->cr_label, MAGIC_CRED);
1090 LABEL_CHECK(filelabel, MAGIC_VNODE);
1091 LABEL_CHECK(interpvplabel, MAGIC_VNODE);
1092 LABEL_CHECK(execlabel, MAGIC_CRED);
1093 COUNTER_INC(execve_transition);
1094 }
1095
1096 COUNTER_DECL(execve_will_transition);
1097 static int
1098 mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
1099 struct label *filelabel, struct label *interpvplabel,
1100 struct image_params *imgp, struct label *execlabel)
1101 {
1102
1103 LABEL_CHECK(old->cr_label, MAGIC_CRED);
1104 LABEL_CHECK(filelabel, MAGIC_VNODE);
1105 LABEL_CHECK(interpvplabel, MAGIC_VNODE);
1106 LABEL_CHECK(execlabel, MAGIC_CRED);
1107 COUNTER_INC(execve_will_transition);
1108
1109 return (0);
1110 }
1111
1112 COUNTER_DECL(create_proc0);
1113 static void
1114 mac_test_create_proc0(struct ucred *cred)
1115 {
1116
1117 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1118 COUNTER_INC(create_proc0);
1119 }
1120
1121 COUNTER_DECL(create_proc1);
1122 static void
1123 mac_test_create_proc1(struct ucred *cred)
1124 {
1125
1126 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1127 COUNTER_INC(create_proc1);
1128 }
1129
1130 COUNTER_DECL(relabel_cred);
1131 static void
1132 mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
1133 {
1134
1135 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1136 LABEL_CHECK(newlabel, MAGIC_CRED);
1137 COUNTER_INC(relabel_cred);
1138 }
1139
1140 COUNTER_DECL(thread_userret);
1141 static void
1142 mac_test_thread_userret(struct thread *td)
1143 {
1144
1145 COUNTER_INC(thread_userret);
1146 }
1147
1148 /*
1149 * Label cleanup/flush operations
1150 */
1151 COUNTER_DECL(cleanup_sysv_msgmsg);
1152 static void
1153 mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
1154 {
1155
1156 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1157 COUNTER_INC(cleanup_sysv_msgmsg);
1158 }
1159
1160 COUNTER_DECL(cleanup_sysv_msgqueue);
1161 static void
1162 mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
1163 {
1164
1165 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
1166 COUNTER_INC(cleanup_sysv_msgqueue);
1167 }
1168
1169 COUNTER_DECL(cleanup_sysv_sem);
1170 static void
1171 mac_test_cleanup_sysv_sem(struct label *semalabel)
1172 {
1173
1174 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
1175 COUNTER_INC(cleanup_sysv_sem);
1176 }
1177
1178 COUNTER_DECL(cleanup_sysv_shm);
1179 static void
1180 mac_test_cleanup_sysv_shm(struct label *shmlabel)
1181 {
1182
1183 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
1184 COUNTER_INC(cleanup_sysv_shm);
1185 }
1186
1187 /*
1188 * Access control checks.
1189 */
1190 COUNTER_DECL(check_bpfdesc_receive);
1191 static int
1192 mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1193 struct ifnet *ifnet, struct label *ifnetlabel)
1194 {
1195
1196 LABEL_CHECK(bpflabel, MAGIC_BPF);
1197 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1198 COUNTER_INC(check_bpfdesc_receive);
1199
1200 return (0);
1201 }
1202
1203 COUNTER_DECL(check_cred_relabel);
1204 static int
1205 mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1206 {
1207
1208 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1209 LABEL_CHECK(newlabel, MAGIC_CRED);
1210 COUNTER_INC(check_cred_relabel);
1211
1212 return (0);
1213 }
1214
1215 COUNTER_DECL(check_cred_visible);
1216 static int
1217 mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
1218 {
1219
1220 LABEL_CHECK(u1->cr_label, MAGIC_CRED);
1221 LABEL_CHECK(u2->cr_label, MAGIC_CRED);
1222 COUNTER_INC(check_cred_visible);
1223
1224 return (0);
1225 }
1226
1227 COUNTER_DECL(check_ifnet_relabel);
1228 static int
1229 mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1230 struct label *ifnetlabel, struct label *newlabel)
1231 {
1232
1233 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1234 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1235 LABEL_CHECK(newlabel, MAGIC_IFNET);
1236 COUNTER_INC(check_ifnet_relabel);
1237
1238 return (0);
1239 }
1240
1241 COUNTER_DECL(check_ifnet_transmit);
1242 static int
1243 mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1244 struct mbuf *m, struct label *mbuflabel)
1245 {
1246
1247 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1248 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
1249 COUNTER_INC(check_ifnet_transmit);
1250
1251 return (0);
1252 }
1253
1254 COUNTER_DECL(check_inpcb_deliver);
1255 static int
1256 mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
1257 struct mbuf *m, struct label *mlabel)
1258 {
1259
1260 LABEL_CHECK(inplabel, MAGIC_INPCB);
1261 LABEL_CHECK(mlabel, MAGIC_MBUF);
1262 COUNTER_INC(check_inpcb_deliver);
1263
1264 return (0);
1265 }
1266
1267 COUNTER_DECL(check_sysv_msgmsq);
1268 static int
1269 mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
1270 struct label *msglabel, struct msqid_kernel *msqkptr,
1271 struct label *msqklabel)
1272 {
1273
1274 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1275 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1276 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1277 COUNTER_INC(check_sysv_msgmsq);
1278
1279 return (0);
1280 }
1281
1282 COUNTER_DECL(check_sysv_msgrcv);
1283 static int
1284 mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
1285 struct label *msglabel)
1286 {
1287
1288 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1289 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1290 COUNTER_INC(check_sysv_msgrcv);
1291
1292 return (0);
1293 }
1294
1295 COUNTER_DECL(check_sysv_msgrmid);
1296 static int
1297 mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
1298 struct label *msglabel)
1299 {
1300
1301 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1302 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1303 COUNTER_INC(check_sysv_msgrmid);
1304
1305 return (0);
1306 }
1307
1308 COUNTER_DECL(check_sysv_msqget);
1309 static int
1310 mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
1311 struct label *msqklabel)
1312 {
1313
1314 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1315 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1316 COUNTER_INC(check_sysv_msqget);
1317
1318 return (0);
1319 }
1320
1321 COUNTER_DECL(check_sysv_msqsnd);
1322 static int
1323 mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
1324 struct label *msqklabel)
1325 {
1326
1327 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1328 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1329 COUNTER_INC(check_sysv_msqsnd);
1330
1331 return (0);
1332 }
1333
1334 COUNTER_DECL(check_sysv_msqrcv);
1335 static int
1336 mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
1337 struct label *msqklabel)
1338 {
1339
1340 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1341 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1342 COUNTER_INC(check_sysv_msqrcv);
1343
1344 return (0);
1345 }
1346
1347 COUNTER_DECL(check_sysv_msqctl);
1348 static int
1349 mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
1350 struct label *msqklabel, int cmd)
1351 {
1352
1353 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1354 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1355 COUNTER_INC(check_sysv_msqctl);
1356
1357 return (0);
1358 }
1359
1360 COUNTER_DECL(check_sysv_semctl);
1361 static int
1362 mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
1363 struct label *semaklabel, int cmd)
1364 {
1365
1366 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1367 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1368 COUNTER_INC(check_sysv_semctl);
1369
1370 return (0);
1371 }
1372
1373 COUNTER_DECL(check_sysv_semget);
1374 static int
1375 mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
1376 struct label *semaklabel)
1377 {
1378
1379 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1380 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1381 COUNTER_INC(check_sysv_semget);
1382
1383 return (0);
1384 }
1385
1386 COUNTER_DECL(check_sysv_semop);
1387 static int
1388 mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
1389 struct label *semaklabel, size_t accesstype)
1390 {
1391
1392 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1393 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1394 COUNTER_INC(check_sysv_semop);
1395
1396 return (0);
1397 }
1398
1399 COUNTER_DECL(check_sysv_shmat);
1400 static int
1401 mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
1402 struct label *shmseglabel, int shmflg)
1403 {
1404
1405 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1406 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1407 COUNTER_INC(check_sysv_shmat);
1408
1409 return (0);
1410 }
1411
1412 COUNTER_DECL(check_sysv_shmctl);
1413 static int
1414 mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
1415 struct label *shmseglabel, int cmd)
1416 {
1417
1418 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1419 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1420 COUNTER_INC(check_sysv_shmctl);
1421
1422 return (0);
1423 }
1424
1425 COUNTER_DECL(check_sysv_shmdt);
1426 static int
1427 mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
1428 struct label *shmseglabel)
1429 {
1430
1431 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1432 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1433 COUNTER_INC(check_sysv_shmdt);
1434
1435 return (0);
1436 }
1437
1438 COUNTER_DECL(check_sysv_shmget);
1439 static int
1440 mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
1441 struct label *shmseglabel, int shmflg)
1442 {
1443
1444 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1445 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1446 COUNTER_INC(check_sysv_shmget);
1447
1448 return (0);
1449 }
1450
1451 COUNTER_DECL(check_kenv_dump);
1452 static int
1453 mac_test_check_kenv_dump(struct ucred *cred)
1454 {
1455
1456 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1457 COUNTER_INC(check_kenv_dump);
1458
1459 return (0);
1460 }
1461
1462 COUNTER_DECL(check_kenv_get);
1463 static int
1464 mac_test_check_kenv_get(struct ucred *cred, char *name)
1465 {
1466
1467 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1468 COUNTER_INC(check_kenv_get);
1469
1470 return (0);
1471 }
1472
1473 COUNTER_DECL(check_kenv_set);
1474 static int
1475 mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
1476 {
1477
1478 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1479 COUNTER_INC(check_kenv_set);
1480
1481 return (0);
1482 }
1483
1484 COUNTER_DECL(check_kenv_unset);
1485 static int
1486 mac_test_check_kenv_unset(struct ucred *cred, char *name)
1487 {
1488
1489 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1490 COUNTER_INC(check_kenv_unset);
1491
1492 return (0);
1493 }
1494
1495 COUNTER_DECL(check_kld_load);
1496 static int
1497 mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
1498 struct label *label)
1499 {
1500
1501 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1502 LABEL_CHECK(label, MAGIC_VNODE);
1503 COUNTER_INC(check_kld_load);
1504
1505 return (0);
1506 }
1507
1508 COUNTER_DECL(check_kld_stat);
1509 static int
1510 mac_test_check_kld_stat(struct ucred *cred)
1511 {
1512
1513 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1514 COUNTER_INC(check_kld_stat);
1515
1516 return (0);
1517 }
1518
1519 COUNTER_DECL(check_mount_stat);
1520 static int
1521 mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
1522 struct label *mplabel)
1523 {
1524
1525 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1526 LABEL_CHECK(mplabel, MAGIC_MOUNT);
1527 COUNTER_INC(check_mount_stat);
1528
1529 return (0);
1530 }
1531
1532 COUNTER_DECL(check_pipe_ioctl);
1533 static int
1534 mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
1535 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1536 {
1537
1538 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1539 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1540 COUNTER_INC(check_pipe_ioctl);
1541
1542 return (0);
1543 }
1544
1545 COUNTER_DECL(check_pipe_poll);
1546 static int
1547 mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
1548 struct label *pipelabel)
1549 {
1550
1551 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1552 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1553 COUNTER_INC(check_pipe_poll);
1554
1555 return (0);
1556 }
1557
1558 COUNTER_DECL(check_pipe_read);
1559 static int
1560 mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
1561 struct label *pipelabel)
1562 {
1563
1564 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1565 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1566 COUNTER_INC(check_pipe_read);
1567
1568 return (0);
1569 }
1570
1571 COUNTER_DECL(check_pipe_relabel);
1572 static int
1573 mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1574 struct label *pipelabel, struct label *newlabel)
1575 {
1576
1577 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1578 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1579 LABEL_CHECK(newlabel, MAGIC_PIPE);
1580 COUNTER_INC(check_pipe_relabel);
1581
1582 return (0);
1583 }
1584
1585 COUNTER_DECL(check_pipe_stat);
1586 static int
1587 mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
1588 struct label *pipelabel)
1589 {
1590
1591 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1592 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1593 COUNTER_INC(check_pipe_stat);
1594
1595 return (0);
1596 }
1597
1598 COUNTER_DECL(check_pipe_write);
1599 static int
1600 mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
1601 struct label *pipelabel)
1602 {
1603
1604 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1605 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1606 COUNTER_INC(check_pipe_write);
1607
1608 return (0);
1609 }
1610
1611 COUNTER_DECL(check_posix_sem);
1612 static int
1613 mac_test_check_posix_sem(struct ucred *cred, struct ksem *ks,
1614 struct label *kslabel)
1615 {
1616
1617 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1618 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
1619 COUNTER_INC(check_posix_sem);
1620
1621 return (0);
1622 }
1623
1624 COUNTER_DECL(check_proc_debug);
1625 static int
1626 mac_test_check_proc_debug(struct ucred *cred, struct proc *p)
1627 {
1628
1629 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1630 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1631 COUNTER_INC(check_proc_debug);
1632
1633 return (0);
1634 }
1635
1636 COUNTER_DECL(check_proc_sched);
1637 static int
1638 mac_test_check_proc_sched(struct ucred *cred, struct proc *p)
1639 {
1640
1641 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1642 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1643 COUNTER_INC(check_proc_sched);
1644
1645 return (0);
1646 }
1647
1648 COUNTER_DECL(check_proc_signal);
1649 static int
1650 mac_test_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
1651 {
1652
1653 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1654 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1655 COUNTER_INC(check_proc_signal);
1656
1657 return (0);
1658 }
1659
1660 COUNTER_DECL(check_proc_setaudit);
1661 static int
1662 mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
1663 {
1664
1665 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1666 COUNTER_INC(check_proc_setaudit);
1667
1668 return (0);
1669 }
1670
1671 COUNTER_DECL(check_proc_setaudit_addr);
1672 static int
1673 mac_test_check_proc_setaudit_addr(struct ucred *cred,
1674 struct auditinfo_addr *aia)
1675 {
1676
1677 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1678 COUNTER_INC(check_proc_setaudit_addr);
1679
1680 return (0);
1681 }
1682
1683 COUNTER_DECL(check_proc_setauid);
1684 static int
1685 mac_test_check_proc_setauid(struct ucred *cred, uid_t auid)
1686 {
1687
1688 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1689 COUNTER_INC(check_proc_setauid);
1690
1691 return (0);
1692 }
1693
1694 COUNTER_DECL(check_proc_setuid);
1695 static int
1696 mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
1697 {
1698
1699 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1700 COUNTER_INC(check_proc_setuid);
1701
1702 return (0);
1703 }
1704
1705 COUNTER_DECL(check_proc_euid);
1706 static int
1707 mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
1708 {
1709
1710 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1711 COUNTER_INC(check_proc_euid);
1712
1713 return (0);
1714 }
1715
1716 COUNTER_DECL(check_proc_setgid);
1717 static int
1718 mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
1719 {
1720
1721 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1722 COUNTER_INC(check_proc_setgid);
1723
1724 return (0);
1725 }
1726
1727 COUNTER_DECL(check_proc_setegid);
1728 static int
1729 mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
1730 {
1731
1732 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1733 COUNTER_INC(check_proc_setegid);
1734
1735 return (0);
1736 }
1737
1738 COUNTER_DECL(check_proc_setgroups);
1739 static int
1740 mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
1741 gid_t *gidset)
1742 {
1743
1744 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1745 COUNTER_INC(check_proc_setgroups);
1746
1747 return (0);
1748 }
1749
1750 COUNTER_DECL(check_proc_setreuid);
1751 static int
1752 mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
1753 {
1754
1755 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1756 COUNTER_INC(check_proc_setreuid);
1757
1758 return (0);
1759 }
1760
1761 COUNTER_DECL(check_proc_setregid);
1762 static int
1763 mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
1764 {
1765
1766 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1767 COUNTER_INC(check_proc_setregid);
1768
1769 return (0);
1770 }
1771
1772 COUNTER_DECL(check_proc_setresuid);
1773 static int
1774 mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
1775 uid_t suid)
1776 {
1777
1778 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1779 COUNTER_INC(check_proc_setresuid);
1780
1781 return (0);
1782 }
1783
1784 COUNTER_DECL(check_proc_setresgid);
1785 static int
1786 mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
1787 gid_t sgid)
1788 {
1789
1790 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1791 COUNTER_INC(check_proc_setresgid);
1792
1793 return (0);
1794 }
1795
1796 COUNTER_DECL(check_proc_wait);
1797 static int
1798 mac_test_check_proc_wait(struct ucred *cred, struct proc *p)
1799 {
1800
1801 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1802 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1803 COUNTER_INC(check_proc_wait);
1804
1805 return (0);
1806 }
1807
1808 COUNTER_DECL(check_socket_accept);
1809 static int
1810 mac_test_check_socket_accept(struct ucred *cred, struct socket *so,
1811 struct label *solabel)
1812 {
1813
1814 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1815 LABEL_CHECK(solabel, MAGIC_SOCKET);
1816 COUNTER_INC(check_socket_accept);
1817
1818 return (0);
1819 }
1820
1821 COUNTER_DECL(check_socket_bind);
1822 static int
1823 mac_test_check_socket_bind(struct ucred *cred, struct socket *so,
1824 struct label *solabel, struct sockaddr *sa)
1825 {
1826
1827 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1828 LABEL_CHECK(solabel, MAGIC_SOCKET);
1829 COUNTER_INC(check_socket_bind);
1830
1831 return (0);
1832 }
1833
1834 COUNTER_DECL(check_socket_connect);
1835 static int
1836 mac_test_check_socket_connect(struct ucred *cred, struct socket *so,
1837 struct label *solabel, struct sockaddr *sa)
1838 {
1839
1840 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1841 LABEL_CHECK(solabel, MAGIC_SOCKET);
1842 COUNTER_INC(check_socket_connect);
1843
1844 return (0);
1845 }
1846
1847 COUNTER_DECL(check_socket_deliver);
1848 static int
1849 mac_test_check_socket_deliver(struct socket *so, struct label *solabel,
1850 struct mbuf *m, struct label *mlabel)
1851 {
1852
1853 LABEL_CHECK(solabel, MAGIC_SOCKET);
1854 LABEL_CHECK(mlabel, MAGIC_MBUF);
1855 COUNTER_INC(check_socket_deliver);
1856
1857 return (0);
1858 }
1859
1860 COUNTER_DECL(check_socket_listen);
1861 static int
1862 mac_test_check_socket_listen(struct ucred *cred, struct socket *so,
1863 struct label *solabel)
1864 {
1865
1866 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1867 LABEL_CHECK(solabel, MAGIC_SOCKET);
1868 COUNTER_INC(check_socket_listen);
1869
1870 return (0);
1871 }
1872
1873 COUNTER_DECL(check_socket_poll);
1874 static int
1875 mac_test_check_socket_poll(struct ucred *cred, struct socket *so,
1876 struct label *solabel)
1877 {
1878
1879 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1880 LABEL_CHECK(solabel, MAGIC_SOCKET);
1881 COUNTER_INC(check_socket_poll);
1882
1883 return (0);
1884 }
1885
1886 COUNTER_DECL(check_socket_receive);
1887 static int
1888 mac_test_check_socket_receive(struct ucred *cred, struct socket *so,
1889 struct label *solabel)
1890 {
1891
1892 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1893 LABEL_CHECK(solabel, MAGIC_SOCKET);
1894 COUNTER_INC(check_socket_receive);
1895
1896 return (0);
1897 }
1898
1899 COUNTER_DECL(check_socket_relabel);
1900 static int
1901 mac_test_check_socket_relabel(struct ucred *cred, struct socket *so,
1902 struct label *solabel, struct label *newlabel)
1903 {
1904
1905 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1906 LABEL_CHECK(solabel, MAGIC_SOCKET);
1907 LABEL_CHECK(newlabel, MAGIC_SOCKET);
1908 COUNTER_INC(check_socket_relabel);
1909
1910 return (0);
1911 }
1912
1913 COUNTER_DECL(check_socket_send);
1914 static int
1915 mac_test_check_socket_send(struct ucred *cred, struct socket *so,
1916 struct label *solabel)
1917 {
1918
1919 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1920 LABEL_CHECK(solabel, MAGIC_SOCKET);
1921 COUNTER_INC(check_socket_send);
1922
1923 return (0);
1924 }
1925
1926 COUNTER_DECL(check_socket_stat);
1927 static int
1928 mac_test_check_socket_stat(struct ucred *cred, struct socket *so,
1929 struct label *solabel)
1930 {
1931
1932 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1933 LABEL_CHECK(solabel, MAGIC_SOCKET);
1934 COUNTER_INC(check_socket_stat);
1935
1936 return (0);
1937 }
1938
1939 COUNTER_DECL(check_socket_visible);
1940 static int
1941 mac_test_check_socket_visible(struct ucred *cred, struct socket *so,
1942 struct label *solabel)
1943 {
1944
1945 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1946 LABEL_CHECK(solabel, MAGIC_SOCKET);
1947 COUNTER_INC(check_socket_visible);
1948
1949 return (0);
1950 }
1951
1952 COUNTER_DECL(check_system_acct);
1953 static int
1954 mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
1955 struct label *vplabel)
1956 {
1957
1958 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1959 LABEL_CHECK(vplabel, MAGIC_VNODE);
1960 COUNTER_INC(check_system_acct);
1961
1962 return (0);
1963 }
1964
1965 COUNTER_DECL(check_system_audit);
1966 static int
1967 mac_test_check_system_audit(struct ucred *cred, void *record, int length)
1968 {
1969
1970 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1971 COUNTER_INC(check_system_audit);
1972
1973 return (0);
1974 }
1975
1976 COUNTER_DECL(check_system_auditctl);
1977 static int
1978 mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp,
1979 struct label *vplabel)
1980 {
1981
1982 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1983 LABEL_CHECK(vplabel, MAGIC_VNODE);
1984 COUNTER_INC(check_system_auditctl);
1985
1986 return (0);
1987 }
1988
1989 COUNTER_DECL(check_system_auditon);
1990 static int
1991 mac_test_check_system_auditon(struct ucred *cred, int cmd)
1992 {
1993
1994 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1995 COUNTER_INC(check_system_auditon);
1996
1997 return (0);
1998 }
1999
2000 COUNTER_DECL(check_system_reboot);
2001 static int
2002 mac_test_check_system_reboot(struct ucred *cred, int how)
2003 {
2004
2005 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2006 COUNTER_INC(check_system_reboot);
2007
2008 return (0);
2009 }
2010
2011 COUNTER_DECL(check_system_swapoff);
2012 static int
2013 mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
2014 struct label *vplabel)
2015 {
2016
2017 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2018 LABEL_CHECK(vplabel, MAGIC_VNODE);
2019 COUNTER_INC(check_system_swapoff);
2020
2021 return (0);
2022 }
2023
2024 COUNTER_DECL(check_system_swapon);
2025 static int
2026 mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
2027 struct label *vplabel)
2028 {
2029
2030 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2031 LABEL_CHECK(vplabel, MAGIC_VNODE);
2032 COUNTER_INC(check_system_swapon);
2033
2034 return (0);
2035 }
2036
2037 COUNTER_DECL(check_system_sysctl);
2038 static int
2039 mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2040 void *arg1, int arg2, struct sysctl_req *req)
2041 {
2042
2043 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2044 COUNTER_INC(check_system_sysctl);
2045
2046 return (0);
2047 }
2048
2049 COUNTER_DECL(check_vnode_access);
2050 static int
2051 mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
2052 struct label *vplabel, int acc_mode)
2053 {
2054
2055 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2056 LABEL_CHECK(vplabel, MAGIC_VNODE);
2057 COUNTER_INC(check_vnode_access);
2058
2059 return (0);
2060 }
2061
2062 COUNTER_DECL(check_vnode_chdir);
2063 static int
2064 mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
2065 struct label *dvplabel)
2066 {
2067
2068 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2069 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2070 COUNTER_INC(check_vnode_chdir);
2071
2072 return (0);
2073 }
2074
2075 COUNTER_DECL(check_vnode_chroot);
2076 static int
2077 mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
2078 struct label *dvplabel)
2079 {
2080
2081 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2082 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2083 COUNTER_INC(check_vnode_chroot);
2084
2085 return (0);
2086 }
2087
2088 COUNTER_DECL(check_vnode_create);
2089 static int
2090 mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
2091 struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
2092 {
2093
2094 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2095 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2096 COUNTER_INC(check_vnode_create);
2097
2098 return (0);
2099 }
2100
2101 COUNTER_DECL(check_vnode_deleteacl);
2102 static int
2103 mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
2104 struct label *vplabel, acl_type_t type)
2105 {
2106
2107 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2108 LABEL_CHECK(vplabel, MAGIC_VNODE);
2109 COUNTER_INC(check_vnode_deleteacl);
2110
2111 return (0);
2112 }
2113
2114 COUNTER_DECL(check_vnode_deleteextattr);
2115 static int
2116 mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
2117 struct label *vplabel, int attrnamespace, const char *name)
2118 {
2119
2120 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2121 LABEL_CHECK(vplabel, MAGIC_VNODE);
2122 COUNTER_INC(check_vnode_deleteextattr);
2123
2124 return (0);
2125 }
2126
2127 COUNTER_DECL(check_vnode_exec);
2128 static int
2129 mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
2130 struct label *vplabel, struct image_params *imgp,
2131 struct label *execlabel)
2132 {
2133
2134 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2135 LABEL_CHECK(vplabel, MAGIC_VNODE);
2136 LABEL_CHECK(execlabel, MAGIC_CRED);
2137 COUNTER_INC(check_vnode_exec);
2138
2139 return (0);
2140 }
2141
2142 COUNTER_DECL(check_vnode_getacl);
2143 static int
2144 mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
2145 struct label *vplabel, acl_type_t type)
2146 {
2147
2148 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2149 LABEL_CHECK(vplabel, MAGIC_VNODE);
2150 COUNTER_INC(check_vnode_getacl);
2151
2152 return (0);
2153 }
2154
2155 COUNTER_DECL(check_vnode_getextattr);
2156 static int
2157 mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
2158 struct label *vplabel, int attrnamespace, const char *name,
2159 struct uio *uio)
2160 {
2161
2162 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2163 LABEL_CHECK(vplabel, MAGIC_VNODE);
2164 COUNTER_INC(check_vnode_getextattr);
2165
2166 return (0);
2167 }
2168
2169 COUNTER_DECL(check_vnode_link);
2170 static int
2171 mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
2172 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2173 struct componentname *cnp)
2174 {
2175
2176 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2177 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2178 LABEL_CHECK(vplabel, MAGIC_VNODE);
2179 COUNTER_INC(check_vnode_link);
2180
2181 return (0);
2182 }
2183
2184 COUNTER_DECL(check_vnode_listextattr);
2185 static int
2186 mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
2187 struct label *vplabel, int attrnamespace)
2188 {
2189
2190 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2191 LABEL_CHECK(vplabel, MAGIC_VNODE);
2192 COUNTER_INC(check_vnode_listextattr);
2193
2194 return (0);
2195 }
2196
2197 COUNTER_DECL(check_vnode_lookup);
2198 static int
2199 mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
2200 struct label *dvplabel, struct componentname *cnp)
2201 {
2202
2203 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2204 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2205 COUNTER_INC(check_vnode_lookup);
2206
2207 return (0);
2208 }
2209
2210 COUNTER_DECL(check_vnode_mmap);
2211 static int
2212 mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
2213 struct label *vplabel, int prot, int flags)
2214 {
2215
2216 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2217 LABEL_CHECK(vplabel, MAGIC_VNODE);
2218 COUNTER_INC(check_vnode_mmap);
2219
2220 return (0);
2221 }
2222
2223 COUNTER_DECL(check_vnode_open);
2224 static int
2225 mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
2226 struct label *vplabel, int acc_mode)
2227 {
2228
2229 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2230 LABEL_CHECK(vplabel, MAGIC_VNODE);
2231 COUNTER_INC(check_vnode_open);
2232
2233 return (0);
2234 }
2235
2236 COUNTER_DECL(check_vnode_poll);
2237 static int
2238 mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
2239 struct vnode *vp, struct label *vplabel)
2240 {
2241
2242 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2243 if (file_cred != NULL)
2244 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2245 LABEL_CHECK(vplabel, MAGIC_VNODE);
2246 COUNTER_INC(check_vnode_poll);
2247
2248 return (0);
2249 }
2250
2251 COUNTER_DECL(check_vnode_read);
2252 static int
2253 mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2254 struct vnode *vp, struct label *vplabel)
2255 {
2256
2257 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2258 if (file_cred != NULL)
2259 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2260 LABEL_CHECK(vplabel, MAGIC_VNODE);
2261 COUNTER_INC(check_vnode_read);
2262
2263 return (0);
2264 }
2265
2266 COUNTER_DECL(check_vnode_readdir);
2267 static int
2268 mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
2269 struct label *dvplabel)
2270 {
2271
2272 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2273 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2274 COUNTER_INC(check_vnode_readdir);
2275
2276 return (0);
2277 }
2278
2279 COUNTER_DECL(check_vnode_readlink);
2280 static int
2281 mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
2282 struct label *vplabel)
2283 {
2284
2285 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2286 LABEL_CHECK(vplabel, MAGIC_VNODE);
2287 COUNTER_INC(check_vnode_readlink);
2288
2289 return (0);
2290 }
2291
2292 COUNTER_DECL(check_vnode_relabel);
2293 static int
2294 mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2295 struct label *vplabel, struct label *newlabel)
2296 {
2297
2298 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2299 LABEL_CHECK(vplabel, MAGIC_VNODE);
2300 LABEL_CHECK(newlabel, MAGIC_VNODE);
2301 COUNTER_INC(check_vnode_relabel);
2302
2303 return (0);
2304 }
2305
2306 COUNTER_DECL(check_vnode_rename_from);
2307 static int
2308 mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2309 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2310 struct componentname *cnp)
2311 {
2312
2313 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2314 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2315 LABEL_CHECK(vplabel, MAGIC_VNODE);
2316 COUNTER_INC(check_vnode_rename_from);
2317
2318 return (0);
2319 }
2320
2321 COUNTER_DECL(check_vnode_rename_to);
2322 static int
2323 mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2324 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2325 int samedir, struct componentname *cnp)
2326 {
2327
2328 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2329 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2330 LABEL_CHECK(vplabel, MAGIC_VNODE);
2331 COUNTER_INC(check_vnode_rename_to);
2332
2333 return (0);
2334 }
2335
2336 COUNTER_DECL(check_vnode_revoke);
2337 static int
2338 mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
2339 struct label *vplabel)
2340 {
2341
2342 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2343 LABEL_CHECK(vplabel, MAGIC_VNODE);
2344 COUNTER_INC(check_vnode_revoke);
2345
2346 return (0);
2347 }
2348
2349 COUNTER_DECL(check_vnode_setacl);
2350 static int
2351 mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
2352 struct label *vplabel, acl_type_t type, struct acl *acl)
2353 {
2354
2355 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2356 LABEL_CHECK(vplabel, MAGIC_VNODE);
2357 COUNTER_INC(check_vnode_setacl);
2358
2359 return (0);
2360 }
2361
2362 COUNTER_DECL(check_vnode_setextattr);
2363 static int
2364 mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2365 struct label *vplabel, int attrnamespace, const char *name,
2366 struct uio *uio)
2367 {
2368
2369 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2370 LABEL_CHECK(vplabel, MAGIC_VNODE);
2371 COUNTER_INC(check_vnode_setextattr);
2372
2373 return (0);
2374 }
2375
2376 COUNTER_DECL(check_vnode_setflags);
2377 static int
2378 mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
2379 struct label *vplabel, u_long flags)
2380 {
2381
2382 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2383 LABEL_CHECK(vplabel, MAGIC_VNODE);
2384 COUNTER_INC(check_vnode_setflags);
2385
2386 return (0);
2387 }
2388
2389 COUNTER_DECL(check_vnode_setmode);
2390 static int
2391 mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
2392 struct label *vplabel, mode_t mode)
2393 {
2394
2395 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2396 LABEL_CHECK(vplabel, MAGIC_VNODE);
2397 COUNTER_INC(check_vnode_setmode);
2398
2399 return (0);
2400 }
2401
2402 COUNTER_DECL(check_vnode_setowner);
2403 static int
2404 mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
2405 struct label *vplabel, uid_t uid, gid_t gid)
2406 {
2407
2408 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2409 LABEL_CHECK(vplabel, MAGIC_VNODE);
2410 COUNTER_INC(check_vnode_setowner);
2411
2412 return (0);
2413 }
2414
2415 COUNTER_DECL(check_vnode_setutimes);
2416 static int
2417 mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2418 struct label *vplabel, struct timespec atime, struct timespec mtime)
2419 {
2420
2421 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2422 LABEL_CHECK(vplabel, MAGIC_VNODE);
2423 COUNTER_INC(check_vnode_setutimes);
2424
2425 return (0);
2426 }
2427
2428 COUNTER_DECL(check_vnode_stat);
2429 static int
2430 mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2431 struct vnode *vp, struct label *vplabel)
2432 {
2433
2434 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2435 if (file_cred != NULL)
2436 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2437 LABEL_CHECK(vplabel, MAGIC_VNODE);
2438 COUNTER_INC(check_vnode_stat);
2439
2440 return (0);
2441 }
2442
2443 COUNTER_DECL(check_vnode_unlink);
2444 static int
2445 mac_test_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
2446 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2447 struct componentname *cnp)
2448 {
2449
2450 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2451 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2452 LABEL_CHECK(vplabel, MAGIC_VNODE);
2453 COUNTER_INC(check_vnode_unlink);
2454
2455 return (0);
2456 }
2457
2458 COUNTER_DECL(check_vnode_write);
2459 static int
2460 mac_test_check_vnode_write(struct ucred *active_cred,
2461 struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
2462 {
2463
2464 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2465 if (file_cred != NULL)
2466 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2467 LABEL_CHECK(vplabel, MAGIC_VNODE);
2468 COUNTER_INC(check_vnode_write);
2469
2470 return (0);
2471 }
2472
2473 static struct mac_policy_ops mac_test_ops =
2474 {
2475 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
2476 .mpo_init_cred_label = mac_test_init_cred_label,
2477 .mpo_init_devfs_label = mac_test_init_devfs_label,
2478 .mpo_init_ifnet_label = mac_test_init_ifnet_label,
2479 .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
2480 .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
2481 .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
2482 .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
2483 .mpo_init_inpcb_label = mac_test_init_inpcb_label,
2484 .mpo_init_ipq_label = mac_test_init_ipq_label,
2485 .mpo_init_mbuf_label = mac_test_init_mbuf_label,
2486 .mpo_init_mount_label = mac_test_init_mount_label,
2487 .mpo_init_pipe_label = mac_test_init_pipe_label,
2488 .mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
2489 .mpo_init_proc_label = mac_test_init_proc_label,
2490 .mpo_init_socket_label = mac_test_init_socket_label,
2491 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
2492 .mpo_init_vnode_label = mac_test_init_vnode_label,
2493 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
2494 .mpo_destroy_cred_label = mac_test_destroy_cred_label,
2495 .mpo_destroy_devfs_label = mac_test_destroy_devfs_label,
2496 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
2497 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
2498 .mpo_destroy_sysv_msgqueue_label =
2499 mac_test_destroy_sysv_msgqueue_label,
2500 .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label,
2501 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label,
2502 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
2503 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
2504 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
2505 .mpo_destroy_mount_label = mac_test_destroy_mount_label,
2506 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
2507 .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
2508 .mpo_destroy_proc_label = mac_test_destroy_proc_label,
2509 .mpo_destroy_socket_label = mac_test_destroy_socket_label,
2510 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
2511 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
2512 .mpo_copy_cred_label = mac_test_copy_cred_label,
2513 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
2514 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
2515 .mpo_copy_pipe_label = mac_test_copy_pipe_label,
2516 .mpo_copy_socket_label = mac_test_copy_socket_label,
2517 .mpo_copy_vnode_label = mac_test_copy_vnode_label,
2518 .mpo_externalize_cred_label = mac_test_externalize_label,
2519 .mpo_externalize_ifnet_label = mac_test_externalize_label,
2520 .mpo_externalize_pipe_label = mac_test_externalize_label,
2521 .mpo_externalize_socket_label = mac_test_externalize_label,
2522 .mpo_externalize_socket_peer_label = mac_test_externalize_label,
2523 .mpo_externalize_vnode_label = mac_test_externalize_label,
2524 .mpo_internalize_cred_label = mac_test_internalize_label,
2525 .mpo_internalize_ifnet_label = mac_test_internalize_label,
2526 .mpo_internalize_pipe_label = mac_test_internalize_label,
2527 .mpo_internalize_socket_label = mac_test_internalize_label,
2528 .mpo_internalize_vnode_label = mac_test_internalize_label,
2529 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
2530 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
2531 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
2532 .mpo_create_devfs_device = mac_test_create_devfs_device,
2533 .mpo_create_devfs_directory = mac_test_create_devfs_directory,
2534 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
2535 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
2536 .mpo_create_mount = mac_test_create_mount,
2537 .mpo_relabel_vnode = mac_test_relabel_vnode,
2538 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
2539 .mpo_update_devfs = mac_test_update_devfs,
2540 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
2541 .mpo_create_pipe = mac_test_create_pipe,
2542 .mpo_create_posix_sem = mac_test_create_posix_sem,
2543 .mpo_create_socket = mac_test_create_socket,
2544 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
2545 .mpo_relabel_pipe = mac_test_relabel_pipe,
2546 .mpo_relabel_socket = mac_test_relabel_socket,
2547 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
2548 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
2549 .mpo_create_bpfdesc = mac_test_create_bpfdesc,
2550 .mpo_create_ifnet = mac_test_create_ifnet,
2551 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
2552 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg,
2553 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue,
2554 .mpo_create_sysv_sem = mac_test_create_sysv_sem,
2555 .mpo_create_sysv_shm = mac_test_create_sysv_shm,
2556 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
2557 .mpo_create_fragment = mac_test_create_fragment,
2558 .mpo_create_ipq = mac_test_create_ipq,
2559 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
2560 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
2561 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
2562 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
2563 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
2564 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
2565 .mpo_fragment_match = mac_test_fragment_match,
2566 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
2567 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
2568 .mpo_relabel_ifnet = mac_test_relabel_ifnet,
2569 .mpo_update_ipq = mac_test_update_ipq,
2570 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
2571 .mpo_execve_transition = mac_test_execve_transition,
2572 .mpo_execve_will_transition = mac_test_execve_will_transition,
2573 .mpo_create_proc0 = mac_test_create_proc0,
2574 .mpo_create_proc1 = mac_test_create_proc1,
2575 .mpo_relabel_cred = mac_test_relabel_cred,
2576 .mpo_thread_userret = mac_test_thread_userret,
2577 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg,
2578 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue,
2579 .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem,
2580 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm,
2581 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
2582 .mpo_check_cred_relabel = mac_test_check_cred_relabel,
2583 .mpo_check_cred_visible = mac_test_check_cred_visible,
2584 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
2585 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
2586 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
2587 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq,
2588 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv,
2589 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid,
2590 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget,
2591 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd,
2592 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv,
2593 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl,
2594 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl,
2595 .mpo_check_sysv_semget = mac_test_check_sysv_semget,
2596 .mpo_check_sysv_semop = mac_test_check_sysv_semop,
2597 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat,
2598 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl,
2599 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt,
2600 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget,
2601 .mpo_check_kenv_dump = mac_test_check_kenv_dump,
2602 .mpo_check_kenv_get = mac_test_check_kenv_get,
2603 .mpo_check_kenv_set = mac_test_check_kenv_set,
2604 .mpo_check_kenv_unset = mac_test_check_kenv_unset,
2605 .mpo_check_kld_load = mac_test_check_kld_load,
2606 .mpo_check_kld_stat = mac_test_check_kld_stat,
2607 .mpo_check_mount_stat = mac_test_check_mount_stat,
2608 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
2609 .mpo_check_pipe_poll = mac_test_check_pipe_poll,
2610 .mpo_check_pipe_read = mac_test_check_pipe_read,
2611 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
2612 .mpo_check_pipe_stat = mac_test_check_pipe_stat,
2613 .mpo_check_pipe_write = mac_test_check_pipe_write,
2614 .mpo_check_posix_sem_destroy = mac_test_check_posix_sem,
2615 .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem,
2616 .mpo_check_posix_sem_open = mac_test_check_posix_sem,
2617 .mpo_check_posix_sem_post = mac_test_check_posix_sem,
2618 .mpo_check_posix_sem_unlink = mac_test_check_posix_sem,
2619 .mpo_check_posix_sem_wait = mac_test_check_posix_sem,
2620 .mpo_check_proc_debug = mac_test_check_proc_debug,
2621 .mpo_check_proc_sched = mac_test_check_proc_sched,
2622 .mpo_check_proc_setaudit = mac_test_check_proc_setaudit,
2623 .mpo_check_proc_setaudit_addr = mac_test_check_proc_setaudit_addr,
2624 .mpo_check_proc_setauid = mac_test_check_proc_setauid,
2625 .mpo_check_proc_setuid = mac_test_check_proc_setuid,
2626 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
2627 .mpo_check_proc_setgid = mac_test_check_proc_setgid,
2628 .mpo_check_proc_setegid = mac_test_check_proc_setegid,
2629 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
2630 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
2631 .mpo_check_proc_setregid = mac_test_check_proc_setregid,
2632 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
2633 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
2634 .mpo_check_proc_signal = mac_test_check_proc_signal,
2635 .mpo_check_proc_wait = mac_test_check_proc_wait,
2636 .mpo_check_socket_accept = mac_test_check_socket_accept,
2637 .mpo_check_socket_bind = mac_test_check_socket_bind,
2638 .mpo_check_socket_connect = mac_test_check_socket_connect,
2639 .mpo_check_socket_deliver = mac_test_check_socket_deliver,
2640 .mpo_check_socket_listen = mac_test_check_socket_listen,
2641 .mpo_check_socket_poll = mac_test_check_socket_poll,
2642 .mpo_check_socket_receive = mac_test_check_socket_receive,
2643 .mpo_check_socket_relabel = mac_test_check_socket_relabel,
2644 .mpo_check_socket_send = mac_test_check_socket_send,
2645 .mpo_check_socket_stat = mac_test_check_socket_stat,
2646 .mpo_check_socket_visible = mac_test_check_socket_visible,
2647 .mpo_check_system_acct = mac_test_check_system_acct,
2648 .mpo_check_system_audit = mac_test_check_system_audit,
2649 .mpo_check_system_auditctl = mac_test_check_system_auditctl,
2650 .mpo_check_system_auditon = mac_test_check_system_auditon,
2651 .mpo_check_system_reboot = mac_test_check_system_reboot,
2652 .mpo_check_system_swapoff = mac_test_check_system_swapoff,
2653 .mpo_check_system_swapon = mac_test_check_system_swapon,
2654 .mpo_check_system_sysctl = mac_test_check_system_sysctl,
2655 .mpo_check_vnode_access = mac_test_check_vnode_access,
2656 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
2657 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
2658 .mpo_check_vnode_create = mac_test_check_vnode_create,
2659 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
2660 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
2661 .mpo_check_vnode_exec = mac_test_check_vnode_exec,
2662 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
2663 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
2664 .mpo_check_vnode_link = mac_test_check_vnode_link,
2665 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
2666 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
2667 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
2668 .mpo_check_vnode_open = mac_test_check_vnode_open,
2669 .mpo_check_vnode_poll = mac_test_check_vnode_poll,
2670 .mpo_check_vnode_read = mac_test_check_vnode_read,
2671 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
2672 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
2673 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
2674 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
2675 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
2676 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
2677 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
2678 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
2679 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
2680 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
2681 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
2682 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
2683 .mpo_check_vnode_stat = mac_test_check_vnode_stat,
2684 .mpo_check_vnode_unlink = mac_test_check_vnode_unlink,
2685 .mpo_check_vnode_write = mac_test_check_vnode_write,
2686 };
2687
2688 MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
2689 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);
Cache object: 7b6ae3a7c0e5a88231f3bb94aa3ba27c
|