2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
3 * Copyright (c) 2001-2005 McAfee, Inc.
6 * This software was developed by Robert Watson for the TrustedBSD Project.
8 * This software was developed for the FreeBSD Project in part by McAfee
9 * Research, the Security Research Division of McAfee, Inc. under
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11 * CHATS research program.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * Developed by the TrustedBSD Project.
40 * MAC Test policy - tests MAC Framework labeling by assigning object class
41 * magic numbers to each label and validates that each time an object label
42 * is passed into the policy, it has a consistent object type, catching
43 * incorrectly passed labels, labels passed after free, etc.
46 #include <sys/param.h>
49 #include <sys/kernel.h>
51 #include <sys/malloc.h>
52 #include <sys/module.h>
53 #include <sys/mount.h>
56 #include <sys/vnode.h>
59 #include <sys/socket.h>
60 #include <sys/socketvar.h>
62 #include <sys/sysctl.h>
64 #include <fs/devfs/devfs.h>
66 #include <net/bpfdesc.h>
68 #include <net/if_types.h>
69 #include <net/if_var.h>
71 #include <security/mac/mac_policy.h>
73 SYSCTL_DECL(_security_mac);
75 SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
76 "TrustedBSD mac_test policy controls");
78 #define MAGIC_BPF 0xfe1ad1b6
79 #define MAGIC_DEVFS 0x9ee79c32
80 #define MAGIC_IFNET 0xc218b120
81 #define MAGIC_INPCB 0x4440f7bb
82 #define MAGIC_IPQ 0x206188ef
83 #define MAGIC_MBUF 0xbbefa5bb
84 #define MAGIC_MOUNT 0xc7c46e47
85 #define MAGIC_SOCKET 0x9199c6cd
86 #define MAGIC_SYSV_MSG 0x8bbba61e
87 #define MAGIC_SYSV_MSQ 0xea672391
88 #define MAGIC_SYSV_SEM 0x896e8a0b
89 #define MAGIC_SYSV_SHM 0x76119ab0
90 #define MAGIC_PIPE 0xdc6c9919
91 #define MAGIC_POSIX_SEM 0x78ae980c
92 #define MAGIC_PROC 0x3b4be98f
93 #define MAGIC_CRED 0x9a5a4987
94 #define MAGIC_VNODE 0x1a67a45c
95 #define MAGIC_FREE 0x849ba1fd
97 #define SLOT(x) mac_label_get((x), test_slot)
98 #define SLOT_SET(x, v) mac_label_set((x), test_slot, (v))
100 static int test_slot;
101 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
102 &test_slot, 0, "Slot allocated by framework");
104 SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0,
105 "TrustedBSD mac_test counters controls");
107 #define COUNTER_DECL(variable) \
108 static int counter_##variable; \
109 SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable, \
110 CTLFLAG_RD, &counter_##variable, 0, #variable)
112 #define COUNTER_INC(variable) atomic_add_int(&counter_##variable, 1)
115 #define DEBUGGER(func, string) kdb_enter((string))
117 #define DEBUGGER(func, string) printf("mac_test: %s: %s\n", (func), (string))
120 #define LABEL_CHECK(label, magic) do { \
121 if (label != NULL) { \
122 KASSERT(SLOT(label) == magic || SLOT(label) == 0, \
123 ("%s: bad %s label", __func__, #magic)); \
127 #define LABEL_DESTROY(label, magic) do { \
128 if (SLOT(label) == magic || SLOT(label) == 0) { \
129 SLOT_SET(label, MAGIC_FREE); \
130 } else if (SLOT(label) == MAGIC_FREE) { \
131 DEBUGGER("%s: dup destroy", __func__); \
133 DEBUGGER("%s: corrupted label", __func__); \
137 #define LABEL_INIT(label, magic) do { \
138 SLOT_SET(label, magic); \
141 #define LABEL_NOTFREE(label) do { \
142 KASSERT(SLOT(label) != MAGIC_FREE, \
143 ("%s: destroyed label", __func__)); \
149 COUNTER_DECL(init_bpfdesc_label);
151 mac_test_init_bpfdesc_label(struct label *label)
154 LABEL_INIT(label, MAGIC_BPF);
155 COUNTER_INC(init_bpfdesc_label);
158 COUNTER_DECL(init_cred_label);
160 mac_test_init_cred_label(struct label *label)
163 LABEL_INIT(label, MAGIC_CRED);
164 COUNTER_INC(init_cred_label);
167 COUNTER_DECL(init_devfs_label);
169 mac_test_init_devfs_label(struct label *label)
172 LABEL_INIT(label, MAGIC_DEVFS);
173 COUNTER_INC(init_devfs_label);
176 COUNTER_DECL(init_ifnet_label);
178 mac_test_init_ifnet_label(struct label *label)
181 LABEL_INIT(label, MAGIC_IFNET);
182 COUNTER_INC(init_ifnet_label);
185 COUNTER_DECL(init_inpcb_label);
187 mac_test_init_inpcb_label(struct label *label, int flag)
191 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
192 "mac_test_init_inpcb_label() at %s:%d", __FILE__,
195 LABEL_INIT(label, MAGIC_INPCB);
196 COUNTER_INC(init_inpcb_label);
200 COUNTER_DECL(init_sysv_msg_label);
202 mac_test_init_sysv_msgmsg_label(struct label *label)
204 LABEL_INIT(label, MAGIC_SYSV_MSG);
205 COUNTER_INC(init_sysv_msg_label);
208 COUNTER_DECL(init_sysv_msq_label);
210 mac_test_init_sysv_msgqueue_label(struct label *label)
212 LABEL_INIT(label, MAGIC_SYSV_MSQ);
213 COUNTER_INC(init_sysv_msq_label);
216 COUNTER_DECL(init_sysv_sem_label);
218 mac_test_init_sysv_sem_label(struct label *label)
220 LABEL_INIT(label, MAGIC_SYSV_SEM);
221 COUNTER_INC(init_sysv_sem_label);
224 COUNTER_DECL(init_sysv_shm_label);
226 mac_test_init_sysv_shm_label(struct label *label)
228 LABEL_INIT(label, MAGIC_SYSV_SHM);
229 COUNTER_INC(init_sysv_shm_label);
232 COUNTER_DECL(init_ipq_label);
234 mac_test_init_ipq_label(struct label *label, int flag)
238 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
239 "mac_test_init_ipq_label() at %s:%d", __FILE__,
242 LABEL_INIT(label, MAGIC_IPQ);
243 COUNTER_INC(init_ipq_label);
247 COUNTER_DECL(init_mbuf_label);
249 mac_test_init_mbuf_label(struct label *label, int flag)
253 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
254 "mac_test_init_mbuf_label() at %s:%d", __FILE__,
257 LABEL_INIT(label, MAGIC_MBUF);
258 COUNTER_INC(init_mbuf_label);
262 COUNTER_DECL(init_mount_label);
264 mac_test_init_mount_label(struct label *label)
267 LABEL_INIT(label, MAGIC_MOUNT);
268 COUNTER_INC(init_mount_label);
271 COUNTER_DECL(init_socket_label);
273 mac_test_init_socket_label(struct label *label, int flag)
277 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
278 "mac_test_init_socket_label() at %s:%d", __FILE__,
281 LABEL_INIT(label, MAGIC_SOCKET);
282 COUNTER_INC(init_socket_label);
286 COUNTER_DECL(init_socket_peer_label);
288 mac_test_init_socket_peer_label(struct label *label, int flag)
292 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
293 "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
296 LABEL_INIT(label, MAGIC_SOCKET);
297 COUNTER_INC(init_socket_peer_label);
301 COUNTER_DECL(init_pipe_label);
303 mac_test_init_pipe_label(struct label *label)
306 LABEL_INIT(label, MAGIC_PIPE);
307 COUNTER_INC(init_pipe_label);
310 COUNTER_DECL(init_posix_sem_label);
312 mac_test_init_posix_sem_label(struct label *label)
315 LABEL_INIT(label, MAGIC_POSIX_SEM);
316 COUNTER_INC(init_posix_sem_label);
319 COUNTER_DECL(init_proc_label);
321 mac_test_init_proc_label(struct label *label)
324 LABEL_INIT(label, MAGIC_PROC);
325 COUNTER_INC(init_proc_label);
328 COUNTER_DECL(init_vnode_label);
330 mac_test_init_vnode_label(struct label *label)
333 LABEL_INIT(label, MAGIC_VNODE);
334 COUNTER_INC(init_vnode_label);
337 COUNTER_DECL(destroy_bpfdesc_label);
339 mac_test_destroy_bpfdesc_label(struct label *label)
342 LABEL_DESTROY(label, MAGIC_BPF);
343 COUNTER_INC(destroy_bpfdesc_label);
346 COUNTER_DECL(destroy_cred_label);
348 mac_test_destroy_cred_label(struct label *label)
351 LABEL_DESTROY(label, MAGIC_CRED);
352 COUNTER_INC(destroy_cred_label);
355 COUNTER_DECL(destroy_devfs_label);
357 mac_test_destroy_devfs_label(struct label *label)
360 LABEL_DESTROY(label, MAGIC_DEVFS);
361 COUNTER_INC(destroy_devfs_label);
364 COUNTER_DECL(destroy_ifnet_label);
366 mac_test_destroy_ifnet_label(struct label *label)
369 LABEL_DESTROY(label, MAGIC_IFNET);
370 COUNTER_INC(destroy_ifnet_label);
373 COUNTER_DECL(destroy_inpcb_label);
375 mac_test_destroy_inpcb_label(struct label *label)
378 LABEL_DESTROY(label, MAGIC_INPCB);
379 COUNTER_INC(destroy_inpcb_label);
382 COUNTER_DECL(destroy_sysv_msg_label);
384 mac_test_destroy_sysv_msgmsg_label(struct label *label)
387 LABEL_DESTROY(label, MAGIC_SYSV_MSG);
388 COUNTER_INC(destroy_sysv_msg_label);
391 COUNTER_DECL(destroy_sysv_msq_label);
393 mac_test_destroy_sysv_msgqueue_label(struct label *label)
396 LABEL_DESTROY(label, MAGIC_SYSV_MSQ);
397 COUNTER_INC(destroy_sysv_msq_label);
400 COUNTER_DECL(destroy_sysv_sem_label);
402 mac_test_destroy_sysv_sem_label(struct label *label)
405 LABEL_DESTROY(label, MAGIC_SYSV_SEM);
406 COUNTER_INC(destroy_sysv_sem_label);
409 COUNTER_DECL(destroy_sysv_shm_label);
411 mac_test_destroy_sysv_shm_label(struct label *label)
414 LABEL_DESTROY(label, MAGIC_SYSV_SHM);
415 COUNTER_INC(destroy_sysv_shm_label);
418 COUNTER_DECL(destroy_ipq_label);
420 mac_test_destroy_ipq_label(struct label *label)
423 LABEL_DESTROY(label, MAGIC_IPQ);
424 COUNTER_INC(destroy_ipq_label);
427 COUNTER_DECL(destroy_mbuf_label);
429 mac_test_destroy_mbuf_label(struct label *label)
433 * If we're loaded dynamically, there may be mbufs in flight that
434 * didn't have label storage allocated for them. Handle this
440 LABEL_DESTROY(label, MAGIC_MBUF);
441 COUNTER_INC(destroy_mbuf_label);
444 COUNTER_DECL(destroy_mount_label);
446 mac_test_destroy_mount_label(struct label *label)
449 LABEL_DESTROY(label, MAGIC_MOUNT);
450 COUNTER_INC(destroy_mount_label);
453 COUNTER_DECL(destroy_socket_label);
455 mac_test_destroy_socket_label(struct label *label)
458 LABEL_DESTROY(label, MAGIC_SOCKET);
459 COUNTER_INC(destroy_socket_label);
462 COUNTER_DECL(destroy_socket_peer_label);
464 mac_test_destroy_socket_peer_label(struct label *label)
467 LABEL_DESTROY(label, MAGIC_SOCKET);
468 COUNTER_INC(destroy_socket_peer_label);
471 COUNTER_DECL(destroy_pipe_label);
473 mac_test_destroy_pipe_label(struct label *label)
476 LABEL_DESTROY(label, MAGIC_PIPE);
477 COUNTER_INC(destroy_pipe_label);
480 COUNTER_DECL(destroy_posix_sem_label);
482 mac_test_destroy_posix_sem_label(struct label *label)
485 LABEL_DESTROY(label, MAGIC_POSIX_SEM);
486 COUNTER_INC(destroy_posix_sem_label);
489 COUNTER_DECL(destroy_proc_label);
491 mac_test_destroy_proc_label(struct label *label)
494 LABEL_DESTROY(label, MAGIC_PROC);
495 COUNTER_INC(destroy_proc_label);
498 COUNTER_DECL(destroy_vnode_label);
500 mac_test_destroy_vnode_label(struct label *label)
503 LABEL_DESTROY(label, MAGIC_VNODE);
504 COUNTER_INC(destroy_vnode_label);
507 COUNTER_DECL(copy_cred_label);
509 mac_test_copy_cred_label(struct label *src, struct label *dest)
512 LABEL_CHECK(src, MAGIC_CRED);
513 LABEL_CHECK(dest, MAGIC_CRED);
514 COUNTER_INC(copy_cred_label);
517 COUNTER_DECL(copy_ifnet_label);
519 mac_test_copy_ifnet_label(struct label *src, struct label *dest)
522 LABEL_CHECK(src, MAGIC_IFNET);
523 LABEL_CHECK(dest, MAGIC_IFNET);
524 COUNTER_INC(copy_ifnet_label);
527 COUNTER_DECL(copy_mbuf_label);
529 mac_test_copy_mbuf_label(struct label *src, struct label *dest)
532 LABEL_CHECK(src, MAGIC_MBUF);
533 LABEL_CHECK(dest, MAGIC_MBUF);
534 COUNTER_INC(copy_mbuf_label);
537 COUNTER_DECL(copy_pipe_label);
539 mac_test_copy_pipe_label(struct label *src, struct label *dest)
542 LABEL_CHECK(src, MAGIC_PIPE);
543 LABEL_CHECK(dest, MAGIC_PIPE);
544 COUNTER_INC(copy_pipe_label);
547 COUNTER_DECL(copy_socket_label);
549 mac_test_copy_socket_label(struct label *src, struct label *dest)
552 LABEL_CHECK(src, MAGIC_SOCKET);
553 LABEL_CHECK(dest, MAGIC_SOCKET);
554 COUNTER_INC(copy_socket_label);
557 COUNTER_DECL(copy_vnode_label);
559 mac_test_copy_vnode_label(struct label *src, struct label *dest)
562 LABEL_CHECK(src, MAGIC_VNODE);
563 LABEL_CHECK(dest, MAGIC_VNODE);
564 COUNTER_INC(copy_vnode_label);
567 COUNTER_DECL(externalize_label);
569 mac_test_externalize_label(struct label *label, char *element_name,
570 struct sbuf *sb, int *claimed)
573 LABEL_NOTFREE(label);
574 COUNTER_INC(externalize_label);
579 COUNTER_DECL(internalize_label);
581 mac_test_internalize_label(struct label *label, char *element_name,
582 char *element_data, int *claimed)
585 LABEL_NOTFREE(label);
586 COUNTER_INC(internalize_label);
592 * Labeling event operations: file system objects, and things that look
593 * a lot like file system objects.
595 COUNTER_DECL(associate_vnode_devfs);
597 mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
598 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
599 struct label *vplabel)
602 LABEL_CHECK(mplabel, MAGIC_MOUNT);
603 LABEL_CHECK(delabel, MAGIC_DEVFS);
604 LABEL_CHECK(vplabel, MAGIC_VNODE);
605 COUNTER_INC(associate_vnode_devfs);
608 COUNTER_DECL(associate_vnode_extattr);
610 mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
611 struct vnode *vp, struct label *vplabel)
614 LABEL_CHECK(mplabel, MAGIC_MOUNT);
615 LABEL_CHECK(vplabel, MAGIC_VNODE);
616 COUNTER_INC(associate_vnode_extattr);
621 COUNTER_DECL(associate_vnode_singlelabel);
623 mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel,
624 struct vnode *vp, struct label *vplabel)
627 LABEL_CHECK(mplabel, MAGIC_MOUNT);
628 LABEL_CHECK(vplabel, MAGIC_VNODE);
629 COUNTER_INC(associate_vnode_singlelabel);
632 COUNTER_DECL(create_devfs_device);
634 mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
635 struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
639 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
640 LABEL_CHECK(delabel, MAGIC_DEVFS);
641 COUNTER_INC(create_devfs_device);
644 COUNTER_DECL(create_devfs_directory);
646 mac_test_create_devfs_directory(struct mount *mp, char *dirname,
647 int dirnamelen, struct devfs_dirent *de, struct label *delabel)
650 LABEL_CHECK(delabel, MAGIC_DEVFS);
651 COUNTER_INC(create_devfs_directory);
654 COUNTER_DECL(create_devfs_symlink);
656 mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
657 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
658 struct label *delabel)
661 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
662 LABEL_CHECK(ddlabel, MAGIC_DEVFS);
663 LABEL_CHECK(delabel, MAGIC_DEVFS);
664 COUNTER_INC(create_devfs_symlink);
667 COUNTER_DECL(create_vnode_extattr);
669 mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
670 struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
671 struct vnode *vp, struct label *vplabel, struct componentname *cnp)
674 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
675 LABEL_CHECK(mplabel, MAGIC_MOUNT);
676 LABEL_CHECK(dvplabel, MAGIC_VNODE);
677 COUNTER_INC(create_vnode_extattr);
682 COUNTER_DECL(create_mount);
684 mac_test_create_mount(struct ucred *cred, struct mount *mp,
685 struct label *mplabel)
688 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
689 LABEL_CHECK(mplabel, MAGIC_MOUNT);
690 COUNTER_INC(create_mount);
693 COUNTER_DECL(relabel_vnode);
695 mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
696 struct label *vplabel, struct label *label)
699 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
700 LABEL_CHECK(vplabel, MAGIC_VNODE);
701 LABEL_CHECK(label, MAGIC_VNODE);
702 COUNTER_INC(relabel_vnode);
705 COUNTER_DECL(setlabel_vnode_extattr);
707 mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
708 struct label *vplabel, struct label *intlabel)
711 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
712 LABEL_CHECK(vplabel, MAGIC_VNODE);
713 LABEL_CHECK(intlabel, MAGIC_VNODE);
714 COUNTER_INC(setlabel_vnode_extattr);
719 COUNTER_DECL(update_devfs);
721 mac_test_update_devfs(struct mount *mp, struct devfs_dirent *devfs_dirent,
722 struct label *direntlabel, struct vnode *vp, struct label *vplabel)
725 LABEL_CHECK(direntlabel, MAGIC_DEVFS);
726 LABEL_CHECK(vplabel, MAGIC_VNODE);
727 COUNTER_INC(update_devfs);
731 * Labeling event operations: IPC object.
733 COUNTER_DECL(create_mbuf_from_socket);
735 mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
736 struct mbuf *m, struct label *mbuflabel)
739 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
740 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
741 COUNTER_INC(create_mbuf_from_socket);
744 COUNTER_DECL(create_socket);
746 mac_test_create_socket(struct ucred *cred, struct socket *socket,
747 struct label *socketlabel)
750 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
751 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
752 COUNTER_INC(create_socket);
755 COUNTER_DECL(create_pipe);
757 mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
758 struct label *pipelabel)
761 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
762 LABEL_CHECK(pipelabel, MAGIC_PIPE);
763 COUNTER_INC(create_pipe);
766 COUNTER_DECL(create_posix_sem);
768 mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem,
769 struct label *posixlabel)
772 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
773 LABEL_CHECK(posixlabel, MAGIC_POSIX_SEM);
774 COUNTER_INC(create_posix_sem);
777 COUNTER_DECL(create_socket_from_socket);
779 mac_test_create_socket_from_socket(struct socket *oldsocket,
780 struct label *oldsocketlabel, struct socket *newsocket,
781 struct label *newsocketlabel)
784 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
785 LABEL_CHECK(newsocketlabel, MAGIC_SOCKET);
786 COUNTER_INC(create_socket_from_socket);
789 COUNTER_DECL(relabel_socket);
791 mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
792 struct label *socketlabel, struct label *newlabel)
795 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
796 LABEL_CHECK(newlabel, MAGIC_SOCKET);
797 COUNTER_INC(relabel_socket);
800 COUNTER_DECL(relabel_pipe);
802 mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
803 struct label *pipelabel, struct label *newlabel)
806 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
807 LABEL_CHECK(pipelabel, MAGIC_PIPE);
808 LABEL_CHECK(newlabel, MAGIC_PIPE);
809 COUNTER_INC(relabel_pipe);
812 COUNTER_DECL(set_socket_peer_from_mbuf);
814 mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
815 struct socket *socket, struct label *socketpeerlabel)
818 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
819 LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET);
820 COUNTER_INC(set_socket_peer_from_mbuf);
824 * Labeling event operations: network objects.
826 COUNTER_DECL(set_socket_peer_from_socket);
828 mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
829 struct label *oldsocketlabel, struct socket *newsocket,
830 struct label *newsocketpeerlabel)
833 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
834 LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET);
835 COUNTER_INC(set_socket_peer_from_socket);
838 COUNTER_DECL(create_bpfdesc);
840 mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
841 struct label *bpflabel)
844 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
845 LABEL_CHECK(bpflabel, MAGIC_BPF);
846 COUNTER_INC(create_bpfdesc);
849 COUNTER_DECL(create_datagram_from_ipq);
851 mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
852 struct mbuf *datagram, struct label *datagramlabel)
855 LABEL_CHECK(ipqlabel, MAGIC_IPQ);
856 LABEL_CHECK(datagramlabel, MAGIC_MBUF);
857 COUNTER_INC(create_datagram_from_ipq);
860 COUNTER_DECL(create_fragment);
862 mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
863 struct mbuf *fragment, struct label *fragmentlabel)
866 LABEL_CHECK(datagramlabel, MAGIC_MBUF);
867 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
868 COUNTER_INC(create_fragment);
871 COUNTER_DECL(create_ifnet);
873 mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
876 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
877 COUNTER_INC(create_ifnet);
880 COUNTER_DECL(create_inpcb_from_socket);
882 mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
883 struct inpcb *inp, struct label *inplabel)
886 LABEL_CHECK(solabel, MAGIC_SOCKET);
887 LABEL_CHECK(inplabel, MAGIC_INPCB);
888 COUNTER_INC(create_inpcb_from_socket);
891 COUNTER_DECL(create_sysv_msgmsg);
893 mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
894 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
897 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
898 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
899 COUNTER_INC(create_sysv_msgmsg);
902 COUNTER_DECL(create_sysv_msgqueue);
904 mac_test_create_sysv_msgqueue(struct ucred *cred,
905 struct msqid_kernel *msqkptr, struct label *msqlabel)
908 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
909 COUNTER_INC(create_sysv_msgqueue);
912 COUNTER_DECL(create_sysv_sem);
914 mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
915 struct label *semalabel)
918 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
919 COUNTER_INC(create_sysv_sem);
922 COUNTER_DECL(create_sysv_shm);
924 mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
925 struct label *shmlabel)
928 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
929 COUNTER_INC(create_sysv_shm);
932 COUNTER_DECL(create_ipq);
934 mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
935 struct ipq *ipq, struct label *ipqlabel)
938 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
939 LABEL_CHECK(ipqlabel, MAGIC_IPQ);
940 COUNTER_INC(create_ipq);
943 COUNTER_DECL(create_mbuf_from_inpcb);
945 mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
946 struct mbuf *m, struct label *mlabel)
949 LABEL_CHECK(inplabel, MAGIC_INPCB);
950 LABEL_CHECK(mlabel, MAGIC_MBUF);
951 COUNTER_INC(create_mbuf_from_inpcb);
954 COUNTER_DECL(create_mbuf_linklayer);
956 mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
957 struct mbuf *mbuf, struct label *mbuflabel)
960 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
961 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
962 COUNTER_INC(create_mbuf_linklayer);
965 COUNTER_DECL(create_mbuf_from_bpfdesc);
967 mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
968 struct mbuf *mbuf, struct label *mbuflabel)
971 LABEL_CHECK(bpflabel, MAGIC_BPF);
972 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
973 COUNTER_INC(create_mbuf_from_bpfdesc);
976 COUNTER_DECL(create_mbuf_from_ifnet);
978 mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
979 struct mbuf *m, struct label *mbuflabel)
982 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
983 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
984 COUNTER_INC(create_mbuf_from_ifnet);
987 COUNTER_DECL(create_mbuf_multicast_encap);
989 mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
990 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
991 struct mbuf *newmbuf, struct label *newmbuflabel)
994 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
995 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
996 LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
997 COUNTER_INC(create_mbuf_multicast_encap);
1000 COUNTER_DECL(create_mbuf_netlayer);
1002 mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
1003 struct label *oldmbuflabel, struct mbuf *newmbuf,
1004 struct label *newmbuflabel)
1007 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
1008 LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
1009 COUNTER_INC(create_mbuf_netlayer);
1012 COUNTER_DECL(fragment_match);
1014 mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
1015 struct ipq *ipq, struct label *ipqlabel)
1018 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
1019 LABEL_CHECK(ipqlabel, MAGIC_IPQ);
1020 COUNTER_INC(fragment_match);
1025 COUNTER_DECL(reflect_mbuf_icmp);
1027 mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
1030 LABEL_CHECK(mlabel, MAGIC_MBUF);
1031 COUNTER_INC(reflect_mbuf_icmp);
1034 COUNTER_DECL(reflect_mbuf_tcp);
1036 mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
1039 LABEL_CHECK(mlabel, MAGIC_MBUF);
1040 COUNTER_INC(reflect_mbuf_tcp);
1043 COUNTER_DECL(relabel_ifnet);
1045 mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1046 struct label *ifnetlabel, struct label *newlabel)
1049 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1050 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1051 LABEL_CHECK(newlabel, MAGIC_IFNET);
1052 COUNTER_INC(relabel_ifnet);
1055 COUNTER_DECL(update_ipq);
1057 mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1058 struct ipq *ipq, struct label *ipqlabel)
1061 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
1062 LABEL_CHECK(ipqlabel, MAGIC_IPQ);
1063 COUNTER_INC(update_ipq);
1066 COUNTER_DECL(inpcb_sosetlabel);
1068 mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1069 struct inpcb *inp, struct label *inplabel)
1072 LABEL_CHECK(solabel, MAGIC_SOCKET);
1073 LABEL_CHECK(inplabel, MAGIC_INPCB);
1074 COUNTER_INC(inpcb_sosetlabel);
1078 * Labeling event operations: processes.
1080 COUNTER_DECL(execve_transition);
1082 mac_test_execve_transition(struct ucred *old, struct ucred *new,
1083 struct vnode *vp, struct label *filelabel,
1084 struct label *interpvplabel, struct image_params *imgp,
1085 struct label *execlabel)
1088 LABEL_CHECK(old->cr_label, MAGIC_CRED);
1089 LABEL_CHECK(new->cr_label, MAGIC_CRED);
1090 LABEL_CHECK(filelabel, MAGIC_VNODE);
1091 LABEL_CHECK(interpvplabel, MAGIC_VNODE);
1092 LABEL_CHECK(execlabel, MAGIC_CRED);
1093 COUNTER_INC(execve_transition);
1096 COUNTER_DECL(execve_will_transition);
1098 mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
1099 struct label *filelabel, struct label *interpvplabel,
1100 struct image_params *imgp, struct label *execlabel)
1103 LABEL_CHECK(old->cr_label, MAGIC_CRED);
1104 LABEL_CHECK(filelabel, MAGIC_VNODE);
1105 LABEL_CHECK(interpvplabel, MAGIC_VNODE);
1106 LABEL_CHECK(execlabel, MAGIC_CRED);
1107 COUNTER_INC(execve_will_transition);
1112 COUNTER_DECL(create_proc0);
1114 mac_test_create_proc0(struct ucred *cred)
1117 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1118 COUNTER_INC(create_proc0);
1121 COUNTER_DECL(create_proc1);
1123 mac_test_create_proc1(struct ucred *cred)
1126 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1127 COUNTER_INC(create_proc1);
1130 COUNTER_DECL(relabel_cred);
1132 mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
1135 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1136 LABEL_CHECK(newlabel, MAGIC_CRED);
1137 COUNTER_INC(relabel_cred);
1140 COUNTER_DECL(thread_userret);
1142 mac_test_thread_userret(struct thread *td)
1145 COUNTER_INC(thread_userret);
1149 * Label cleanup/flush operations
1151 COUNTER_DECL(cleanup_sysv_msgmsg);
1153 mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
1156 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1157 COUNTER_INC(cleanup_sysv_msgmsg);
1160 COUNTER_DECL(cleanup_sysv_msgqueue);
1162 mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
1165 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
1166 COUNTER_INC(cleanup_sysv_msgqueue);
1169 COUNTER_DECL(cleanup_sysv_sem);
1171 mac_test_cleanup_sysv_sem(struct label *semalabel)
1174 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
1175 COUNTER_INC(cleanup_sysv_sem);
1178 COUNTER_DECL(cleanup_sysv_shm);
1180 mac_test_cleanup_sysv_shm(struct label *shmlabel)
1183 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
1184 COUNTER_INC(cleanup_sysv_shm);
1188 * Access control checks.
1190 COUNTER_DECL(check_bpfdesc_receive);
1192 mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1193 struct ifnet *ifnet, struct label *ifnetlabel)
1196 LABEL_CHECK(bpflabel, MAGIC_BPF);
1197 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1198 COUNTER_INC(check_bpfdesc_receive);
1203 COUNTER_DECL(check_cred_relabel);
1205 mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1208 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1209 LABEL_CHECK(newlabel, MAGIC_CRED);
1210 COUNTER_INC(check_cred_relabel);
1215 COUNTER_DECL(check_cred_visible);
1217 mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
1220 LABEL_CHECK(u1->cr_label, MAGIC_CRED);
1221 LABEL_CHECK(u2->cr_label, MAGIC_CRED);
1222 COUNTER_INC(check_cred_visible);
1227 COUNTER_DECL(check_ifnet_relabel);
1229 mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1230 struct label *ifnetlabel, struct label *newlabel)
1233 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1234 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1235 LABEL_CHECK(newlabel, MAGIC_IFNET);
1236 COUNTER_INC(check_ifnet_relabel);
1241 COUNTER_DECL(check_ifnet_transmit);
1243 mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1244 struct mbuf *m, struct label *mbuflabel)
1247 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1248 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
1249 COUNTER_INC(check_ifnet_transmit);
1254 COUNTER_DECL(check_inpcb_deliver);
1256 mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
1257 struct mbuf *m, struct label *mlabel)
1260 LABEL_CHECK(inplabel, MAGIC_INPCB);
1261 LABEL_CHECK(mlabel, MAGIC_MBUF);
1262 COUNTER_INC(check_inpcb_deliver);
1267 COUNTER_DECL(check_sysv_msgmsq);
1269 mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
1270 struct label *msglabel, struct msqid_kernel *msqkptr,
1271 struct label *msqklabel)
1274 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1275 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1276 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1277 COUNTER_INC(check_sysv_msgmsq);
1282 COUNTER_DECL(check_sysv_msgrcv);
1284 mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
1285 struct label *msglabel)
1288 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1289 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1290 COUNTER_INC(check_sysv_msgrcv);
1295 COUNTER_DECL(check_sysv_msgrmid);
1297 mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
1298 struct label *msglabel)
1301 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1302 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1303 COUNTER_INC(check_sysv_msgrmid);
1308 COUNTER_DECL(check_sysv_msqget);
1310 mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
1311 struct label *msqklabel)
1314 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1315 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1316 COUNTER_INC(check_sysv_msqget);
1321 COUNTER_DECL(check_sysv_msqsnd);
1323 mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
1324 struct label *msqklabel)
1327 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1328 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1329 COUNTER_INC(check_sysv_msqsnd);
1334 COUNTER_DECL(check_sysv_msqrcv);
1336 mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
1337 struct label *msqklabel)
1340 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1341 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1342 COUNTER_INC(check_sysv_msqrcv);
1347 COUNTER_DECL(check_sysv_msqctl);
1349 mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
1350 struct label *msqklabel, int cmd)
1353 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1354 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1355 COUNTER_INC(check_sysv_msqctl);
1360 COUNTER_DECL(check_sysv_semctl);
1362 mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
1363 struct label *semaklabel, int cmd)
1366 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1367 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1368 COUNTER_INC(check_sysv_semctl);
1373 COUNTER_DECL(check_sysv_semget);
1375 mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
1376 struct label *semaklabel)
1379 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1380 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1381 COUNTER_INC(check_sysv_semget);
1386 COUNTER_DECL(check_sysv_semop);
1388 mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
1389 struct label *semaklabel, size_t accesstype)
1392 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1393 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1394 COUNTER_INC(check_sysv_semop);
1399 COUNTER_DECL(check_sysv_shmat);
1401 mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
1402 struct label *shmseglabel, int shmflg)
1405 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1406 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1407 COUNTER_INC(check_sysv_shmat);
1412 COUNTER_DECL(check_sysv_shmctl);
1414 mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
1415 struct label *shmseglabel, int cmd)
1418 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1419 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1420 COUNTER_INC(check_sysv_shmctl);
1425 COUNTER_DECL(check_sysv_shmdt);
1427 mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
1428 struct label *shmseglabel)
1431 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1432 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1433 COUNTER_INC(check_sysv_shmdt);
1438 COUNTER_DECL(check_sysv_shmget);
1440 mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
1441 struct label *shmseglabel, int shmflg)
1444 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1445 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1446 COUNTER_INC(check_sysv_shmget);
1451 COUNTER_DECL(check_kenv_dump);
1453 mac_test_check_kenv_dump(struct ucred *cred)
1456 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1457 COUNTER_INC(check_kenv_dump);
1462 COUNTER_DECL(check_kenv_get);
1464 mac_test_check_kenv_get(struct ucred *cred, char *name)
1467 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1468 COUNTER_INC(check_kenv_get);
1473 COUNTER_DECL(check_kenv_set);
1475 mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
1478 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1479 COUNTER_INC(check_kenv_set);
1484 COUNTER_DECL(check_kenv_unset);
1486 mac_test_check_kenv_unset(struct ucred *cred, char *name)
1489 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1490 COUNTER_INC(check_kenv_unset);
1495 COUNTER_DECL(check_kld_load);
1497 mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
1498 struct label *label)
1501 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1502 LABEL_CHECK(label, MAGIC_VNODE);
1503 COUNTER_INC(check_kld_load);
1508 COUNTER_DECL(check_kld_stat);
1510 mac_test_check_kld_stat(struct ucred *cred)
1513 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1514 COUNTER_INC(check_kld_stat);
1519 COUNTER_DECL(check_mount_stat);
1521 mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
1522 struct label *mplabel)
1525 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1526 LABEL_CHECK(mplabel, MAGIC_MOUNT);
1527 COUNTER_INC(check_mount_stat);
1532 COUNTER_DECL(check_pipe_ioctl);
1534 mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
1535 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1538 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1539 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1540 COUNTER_INC(check_pipe_ioctl);
1545 COUNTER_DECL(check_pipe_poll);
1547 mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
1548 struct label *pipelabel)
1551 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1552 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1553 COUNTER_INC(check_pipe_poll);
1558 COUNTER_DECL(check_pipe_read);
1560 mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
1561 struct label *pipelabel)
1564 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1565 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1566 COUNTER_INC(check_pipe_read);
1571 COUNTER_DECL(check_pipe_relabel);
1573 mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1574 struct label *pipelabel, struct label *newlabel)
1577 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1578 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1579 LABEL_CHECK(newlabel, MAGIC_PIPE);
1580 COUNTER_INC(check_pipe_relabel);
1585 COUNTER_DECL(check_pipe_stat);
1587 mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
1588 struct label *pipelabel)
1591 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1592 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1593 COUNTER_INC(check_pipe_stat);
1598 COUNTER_DECL(check_pipe_write);
1600 mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
1601 struct label *pipelabel)
1604 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1605 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1606 COUNTER_INC(check_pipe_write);
1611 COUNTER_DECL(check_posix_sem);
1613 mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr,
1614 struct label *ks_label)
1617 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1618 LABEL_CHECK(ks_label, MAGIC_POSIX_SEM);
1619 COUNTER_INC(check_posix_sem);
1624 COUNTER_DECL(check_proc_debug);
1626 mac_test_check_proc_debug(struct ucred *cred, struct proc *p)
1629 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1630 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1631 COUNTER_INC(check_proc_debug);
1636 COUNTER_DECL(check_proc_sched);
1638 mac_test_check_proc_sched(struct ucred *cred, struct proc *p)
1641 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1642 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1643 COUNTER_INC(check_proc_sched);
1648 COUNTER_DECL(check_proc_signal);
1650 mac_test_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
1653 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1654 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1655 COUNTER_INC(check_proc_signal);
1660 COUNTER_DECL(check_proc_setaudit);
1662 mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
1665 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1666 COUNTER_INC(check_proc_setaudit);
1671 COUNTER_DECL(check_proc_setauid);
1673 mac_test_check_proc_setauid(struct ucred *cred, uid_t auid)
1676 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1677 COUNTER_INC(check_proc_setauid);
1682 COUNTER_DECL(check_proc_setuid);
1684 mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
1687 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1688 COUNTER_INC(check_proc_setuid);
1693 COUNTER_DECL(check_proc_euid);
1695 mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
1698 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1699 COUNTER_INC(check_proc_euid);
1704 COUNTER_DECL(check_proc_setgid);
1706 mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
1709 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1710 COUNTER_INC(check_proc_setgid);
1715 COUNTER_DECL(check_proc_setegid);
1717 mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
1720 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1721 COUNTER_INC(check_proc_setegid);
1726 COUNTER_DECL(check_proc_setgroups);
1728 mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
1732 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1733 COUNTER_INC(check_proc_setgroups);
1738 COUNTER_DECL(check_proc_setreuid);
1740 mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
1743 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1744 COUNTER_INC(check_proc_setreuid);
1749 COUNTER_DECL(check_proc_setregid);
1751 mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
1754 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1755 COUNTER_INC(check_proc_setregid);
1760 COUNTER_DECL(check_proc_setresuid);
1762 mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
1766 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1767 COUNTER_INC(check_proc_setresuid);
1772 COUNTER_DECL(check_proc_setresgid);
1774 mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
1778 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1779 COUNTER_INC(check_proc_setresgid);
1784 COUNTER_DECL(check_proc_wait);
1786 mac_test_check_proc_wait(struct ucred *cred, struct proc *p)
1789 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1790 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1791 COUNTER_INC(check_proc_wait);
1796 COUNTER_DECL(check_socket_accept);
1798 mac_test_check_socket_accept(struct ucred *cred, struct socket *so,
1799 struct label *solabel)
1802 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1803 LABEL_CHECK(solabel, MAGIC_SOCKET);
1804 COUNTER_INC(check_socket_accept);
1809 COUNTER_DECL(check_socket_bind);
1811 mac_test_check_socket_bind(struct ucred *cred, struct socket *so,
1812 struct label *solabel, struct sockaddr *sa)
1815 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1816 LABEL_CHECK(solabel, MAGIC_SOCKET);
1817 COUNTER_INC(check_socket_bind);
1822 COUNTER_DECL(check_socket_connect);
1824 mac_test_check_socket_connect(struct ucred *cred, struct socket *so,
1825 struct label *solabel, struct sockaddr *sa)
1828 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1829 LABEL_CHECK(solabel, MAGIC_SOCKET);
1830 COUNTER_INC(check_socket_connect);
1835 COUNTER_DECL(check_socket_deliver);
1837 mac_test_check_socket_deliver(struct socket *so, struct label *solabel,
1838 struct mbuf *m, struct label *mlabel)
1841 LABEL_CHECK(solabel, MAGIC_SOCKET);
1842 LABEL_CHECK(mlabel, MAGIC_MBUF);
1843 COUNTER_INC(check_socket_deliver);
1848 COUNTER_DECL(check_socket_listen);
1850 mac_test_check_socket_listen(struct ucred *cred, struct socket *so,
1851 struct label *solabel)
1854 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1855 LABEL_CHECK(solabel, MAGIC_SOCKET);
1856 COUNTER_INC(check_socket_listen);
1861 COUNTER_DECL(check_socket_poll);
1863 mac_test_check_socket_poll(struct ucred *cred, struct socket *so,
1864 struct label *solabel)
1867 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1868 LABEL_CHECK(solabel, MAGIC_SOCKET);
1869 COUNTER_INC(check_socket_poll);
1874 COUNTER_DECL(check_socket_receive);
1876 mac_test_check_socket_receive(struct ucred *cred, struct socket *so,
1877 struct label *solabel)
1880 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1881 LABEL_CHECK(solabel, MAGIC_SOCKET);
1882 COUNTER_INC(check_socket_receive);
1887 COUNTER_DECL(check_socket_relabel);
1889 mac_test_check_socket_relabel(struct ucred *cred, struct socket *so,
1890 struct label *solabel, struct label *newlabel)
1893 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1894 LABEL_CHECK(solabel, MAGIC_SOCKET);
1895 LABEL_CHECK(newlabel, MAGIC_SOCKET);
1896 COUNTER_INC(check_socket_relabel);
1901 COUNTER_DECL(check_socket_send);
1903 mac_test_check_socket_send(struct ucred *cred, struct socket *so,
1904 struct label *solabel)
1907 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1908 LABEL_CHECK(solabel, MAGIC_SOCKET);
1909 COUNTER_INC(check_socket_send);
1914 COUNTER_DECL(check_socket_stat);
1916 mac_test_check_socket_stat(struct ucred *cred, struct socket *so,
1917 struct label *solabel)
1920 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1921 LABEL_CHECK(solabel, MAGIC_SOCKET);
1922 COUNTER_INC(check_socket_stat);
1927 COUNTER_DECL(check_socket_visible);
1929 mac_test_check_socket_visible(struct ucred *cred, struct socket *so,
1930 struct label *solabel)
1933 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1934 LABEL_CHECK(solabel, MAGIC_SOCKET);
1935 COUNTER_INC(check_socket_visible);
1940 COUNTER_DECL(check_system_acct);
1942 mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
1943 struct label *vplabel)
1946 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1947 LABEL_CHECK(vplabel, MAGIC_VNODE);
1948 COUNTER_INC(check_system_acct);
1953 COUNTER_DECL(check_system_audit);
1955 mac_test_check_system_audit(struct ucred *cred, void *record, int length)
1958 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1959 COUNTER_INC(check_system_audit);
1964 COUNTER_DECL(check_system_auditctl);
1966 mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp,
1967 struct label *vplabel)
1970 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1971 LABEL_CHECK(vplabel, MAGIC_VNODE);
1972 COUNTER_INC(check_system_auditctl);
1977 COUNTER_DECL(check_system_auditon);
1979 mac_test_check_system_auditon(struct ucred *cred, int cmd)
1982 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1983 COUNTER_INC(check_system_auditon);
1988 COUNTER_DECL(check_system_reboot);
1990 mac_test_check_system_reboot(struct ucred *cred, int how)
1993 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1994 COUNTER_INC(check_system_reboot);
1999 COUNTER_DECL(check_system_swapoff);
2001 mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
2002 struct label *vplabel)
2005 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2006 LABEL_CHECK(vplabel, MAGIC_VNODE);
2007 COUNTER_INC(check_system_swapoff);
2012 COUNTER_DECL(check_system_swapon);
2014 mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
2015 struct label *vplabel)
2018 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2019 LABEL_CHECK(vplabel, MAGIC_VNODE);
2020 COUNTER_INC(check_system_swapon);
2025 COUNTER_DECL(check_system_sysctl);
2027 mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2028 void *arg1, int arg2, struct sysctl_req *req)
2031 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2032 COUNTER_INC(check_system_sysctl);
2037 COUNTER_DECL(check_vnode_access);
2039 mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
2040 struct label *vplabel, int acc_mode)
2043 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2044 LABEL_CHECK(vplabel, MAGIC_VNODE);
2045 COUNTER_INC(check_vnode_access);
2050 COUNTER_DECL(check_vnode_chdir);
2052 mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
2053 struct label *dvplabel)
2056 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2057 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2058 COUNTER_INC(check_vnode_chdir);
2063 COUNTER_DECL(check_vnode_chroot);
2065 mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
2066 struct label *dvplabel)
2069 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2070 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2071 COUNTER_INC(check_vnode_chroot);
2076 COUNTER_DECL(check_vnode_create);
2078 mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
2079 struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
2082 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2083 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2084 COUNTER_INC(check_vnode_create);
2089 COUNTER_DECL(check_vnode_delete);
2091 mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
2092 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2093 struct componentname *cnp)
2096 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2097 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2098 LABEL_CHECK(vplabel, MAGIC_VNODE);
2099 COUNTER_INC(check_vnode_delete);
2104 COUNTER_DECL(check_vnode_deleteacl);
2106 mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
2107 struct label *vplabel, acl_type_t type)
2110 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2111 LABEL_CHECK(vplabel, MAGIC_VNODE);
2112 COUNTER_INC(check_vnode_deleteacl);
2117 COUNTER_DECL(check_vnode_deleteextattr);
2119 mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
2120 struct label *vplabel, int attrnamespace, const char *name)
2123 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2124 LABEL_CHECK(vplabel, MAGIC_VNODE);
2125 COUNTER_INC(check_vnode_deleteextattr);
2130 COUNTER_DECL(check_vnode_exec);
2132 mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
2133 struct label *vplabel, struct image_params *imgp,
2134 struct label *execlabel)
2137 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2138 LABEL_CHECK(vplabel, MAGIC_VNODE);
2139 LABEL_CHECK(execlabel, MAGIC_CRED);
2140 COUNTER_INC(check_vnode_exec);
2145 COUNTER_DECL(check_vnode_getacl);
2147 mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
2148 struct label *vplabel, acl_type_t type)
2151 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2152 LABEL_CHECK(vplabel, MAGIC_VNODE);
2153 COUNTER_INC(check_vnode_getacl);
2158 COUNTER_DECL(check_vnode_getextattr);
2160 mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
2161 struct label *vplabel, int attrnamespace, const char *name,
2165 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2166 LABEL_CHECK(vplabel, MAGIC_VNODE);
2167 COUNTER_INC(check_vnode_getextattr);
2172 COUNTER_DECL(check_vnode_link);
2174 mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
2175 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2176 struct componentname *cnp)
2179 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2180 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2181 LABEL_CHECK(vplabel, MAGIC_VNODE);
2182 COUNTER_INC(check_vnode_link);
2187 COUNTER_DECL(check_vnode_listextattr);
2189 mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
2190 struct label *vplabel, int attrnamespace)
2193 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2194 LABEL_CHECK(vplabel, MAGIC_VNODE);
2195 COUNTER_INC(check_vnode_listextattr);
2200 COUNTER_DECL(check_vnode_lookup);
2202 mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
2203 struct label *dvplabel, struct componentname *cnp)
2206 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2207 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2208 COUNTER_INC(check_vnode_lookup);
2213 COUNTER_DECL(check_vnode_mmap);
2215 mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
2216 struct label *vplabel, int prot, int flags)
2219 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2220 LABEL_CHECK(vplabel, MAGIC_VNODE);
2221 COUNTER_INC(check_vnode_mmap);
2226 COUNTER_DECL(check_vnode_open);
2228 mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
2229 struct label *vplabel, int acc_mode)
2232 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2233 LABEL_CHECK(vplabel, MAGIC_VNODE);
2234 COUNTER_INC(check_vnode_open);
2239 COUNTER_DECL(check_vnode_poll);
2241 mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
2242 struct vnode *vp, struct label *vplabel)
2245 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2246 if (file_cred != NULL)
2247 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2248 LABEL_CHECK(vplabel, MAGIC_VNODE);
2249 COUNTER_INC(check_vnode_poll);
2254 COUNTER_DECL(check_vnode_read);
2256 mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2257 struct vnode *vp, struct label *vplabel)
2260 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2261 if (file_cred != NULL)
2262 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2263 LABEL_CHECK(vplabel, MAGIC_VNODE);
2264 COUNTER_INC(check_vnode_read);
2269 COUNTER_DECL(check_vnode_readdir);
2271 mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
2272 struct label *dvplabel)
2275 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2276 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2277 COUNTER_INC(check_vnode_readdir);
2282 COUNTER_DECL(check_vnode_readlink);
2284 mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
2285 struct label *vplabel)
2288 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2289 LABEL_CHECK(vplabel, MAGIC_VNODE);
2290 COUNTER_INC(check_vnode_readlink);
2295 COUNTER_DECL(check_vnode_relabel);
2297 mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2298 struct label *vplabel, struct label *newlabel)
2301 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2302 LABEL_CHECK(vplabel, MAGIC_VNODE);
2303 LABEL_CHECK(newlabel, MAGIC_VNODE);
2304 COUNTER_INC(check_vnode_relabel);
2309 COUNTER_DECL(check_vnode_rename_from);
2311 mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2312 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2313 struct componentname *cnp)
2316 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2317 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2318 LABEL_CHECK(vplabel, MAGIC_VNODE);
2319 COUNTER_INC(check_vnode_rename_from);
2324 COUNTER_DECL(check_vnode_rename_to);
2326 mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2327 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2328 int samedir, struct componentname *cnp)
2331 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2332 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2333 LABEL_CHECK(vplabel, MAGIC_VNODE);
2334 COUNTER_INC(check_vnode_rename_to);
2339 COUNTER_DECL(check_vnode_revoke);
2341 mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
2342 struct label *vplabel)
2345 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2346 LABEL_CHECK(vplabel, MAGIC_VNODE);
2347 COUNTER_INC(check_vnode_revoke);
2352 COUNTER_DECL(check_vnode_setacl);
2354 mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
2355 struct label *vplabel, acl_type_t type, struct acl *acl)
2358 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2359 LABEL_CHECK(vplabel, MAGIC_VNODE);
2360 COUNTER_INC(check_vnode_setacl);
2365 COUNTER_DECL(check_vnode_setextattr);
2367 mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2368 struct label *vplabel, int attrnamespace, const char *name,
2372 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2373 LABEL_CHECK(vplabel, MAGIC_VNODE);
2374 COUNTER_INC(check_vnode_setextattr);
2379 COUNTER_DECL(check_vnode_setflags);
2381 mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
2382 struct label *vplabel, u_long flags)
2385 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2386 LABEL_CHECK(vplabel, MAGIC_VNODE);
2387 COUNTER_INC(check_vnode_setflags);
2392 COUNTER_DECL(check_vnode_setmode);
2394 mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
2395 struct label *vplabel, mode_t mode)
2398 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2399 LABEL_CHECK(vplabel, MAGIC_VNODE);
2400 COUNTER_INC(check_vnode_setmode);
2405 COUNTER_DECL(check_vnode_setowner);
2407 mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
2408 struct label *vplabel, uid_t uid, gid_t gid)
2411 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2412 LABEL_CHECK(vplabel, MAGIC_VNODE);
2413 COUNTER_INC(check_vnode_setowner);
2418 COUNTER_DECL(check_vnode_setutimes);
2420 mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2421 struct label *vplabel, struct timespec atime, struct timespec mtime)
2424 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2425 LABEL_CHECK(vplabel, MAGIC_VNODE);
2426 COUNTER_INC(check_vnode_setutimes);
2431 COUNTER_DECL(check_vnode_stat);
2433 mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2434 struct vnode *vp, struct label *vplabel)
2437 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2438 if (file_cred != NULL)
2439 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2440 LABEL_CHECK(vplabel, MAGIC_VNODE);
2441 COUNTER_INC(check_vnode_stat);
2446 COUNTER_DECL(check_vnode_write);
2448 mac_test_check_vnode_write(struct ucred *active_cred,
2449 struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
2452 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2453 if (file_cred != NULL)
2454 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2455 LABEL_CHECK(vplabel, MAGIC_VNODE);
2456 COUNTER_INC(check_vnode_write);
2461 static struct mac_policy_ops mac_test_ops =
2463 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
2464 .mpo_init_cred_label = mac_test_init_cred_label,
2465 .mpo_init_devfs_label = mac_test_init_devfs_label,
2466 .mpo_init_ifnet_label = mac_test_init_ifnet_label,
2467 .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
2468 .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
2469 .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
2470 .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
2471 .mpo_init_inpcb_label = mac_test_init_inpcb_label,
2472 .mpo_init_ipq_label = mac_test_init_ipq_label,
2473 .mpo_init_mbuf_label = mac_test_init_mbuf_label,
2474 .mpo_init_mount_label = mac_test_init_mount_label,
2475 .mpo_init_pipe_label = mac_test_init_pipe_label,
2476 .mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
2477 .mpo_init_proc_label = mac_test_init_proc_label,
2478 .mpo_init_socket_label = mac_test_init_socket_label,
2479 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
2480 .mpo_init_vnode_label = mac_test_init_vnode_label,
2481 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
2482 .mpo_destroy_cred_label = mac_test_destroy_cred_label,
2483 .mpo_destroy_devfs_label = mac_test_destroy_devfs_label,
2484 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
2485 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
2486 .mpo_destroy_sysv_msgqueue_label =
2487 mac_test_destroy_sysv_msgqueue_label,
2488 .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label,
2489 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label,
2490 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
2491 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
2492 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
2493 .mpo_destroy_mount_label = mac_test_destroy_mount_label,
2494 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
2495 .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
2496 .mpo_destroy_proc_label = mac_test_destroy_proc_label,
2497 .mpo_destroy_socket_label = mac_test_destroy_socket_label,
2498 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
2499 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
2500 .mpo_copy_cred_label = mac_test_copy_cred_label,
2501 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
2502 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
2503 .mpo_copy_pipe_label = mac_test_copy_pipe_label,
2504 .mpo_copy_socket_label = mac_test_copy_socket_label,
2505 .mpo_copy_vnode_label = mac_test_copy_vnode_label,
2506 .mpo_externalize_cred_label = mac_test_externalize_label,
2507 .mpo_externalize_ifnet_label = mac_test_externalize_label,
2508 .mpo_externalize_pipe_label = mac_test_externalize_label,
2509 .mpo_externalize_socket_label = mac_test_externalize_label,
2510 .mpo_externalize_socket_peer_label = mac_test_externalize_label,
2511 .mpo_externalize_vnode_label = mac_test_externalize_label,
2512 .mpo_internalize_cred_label = mac_test_internalize_label,
2513 .mpo_internalize_ifnet_label = mac_test_internalize_label,
2514 .mpo_internalize_pipe_label = mac_test_internalize_label,
2515 .mpo_internalize_socket_label = mac_test_internalize_label,
2516 .mpo_internalize_vnode_label = mac_test_internalize_label,
2517 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
2518 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
2519 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
2520 .mpo_create_devfs_device = mac_test_create_devfs_device,
2521 .mpo_create_devfs_directory = mac_test_create_devfs_directory,
2522 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
2523 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
2524 .mpo_create_mount = mac_test_create_mount,
2525 .mpo_relabel_vnode = mac_test_relabel_vnode,
2526 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
2527 .mpo_update_devfs = mac_test_update_devfs,
2528 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
2529 .mpo_create_pipe = mac_test_create_pipe,
2530 .mpo_create_posix_sem = mac_test_create_posix_sem,
2531 .mpo_create_socket = mac_test_create_socket,
2532 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
2533 .mpo_relabel_pipe = mac_test_relabel_pipe,
2534 .mpo_relabel_socket = mac_test_relabel_socket,
2535 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
2536 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
2537 .mpo_create_bpfdesc = mac_test_create_bpfdesc,
2538 .mpo_create_ifnet = mac_test_create_ifnet,
2539 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
2540 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg,
2541 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue,
2542 .mpo_create_sysv_sem = mac_test_create_sysv_sem,
2543 .mpo_create_sysv_shm = mac_test_create_sysv_shm,
2544 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
2545 .mpo_create_fragment = mac_test_create_fragment,
2546 .mpo_create_ipq = mac_test_create_ipq,
2547 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
2548 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
2549 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
2550 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
2551 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
2552 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
2553 .mpo_fragment_match = mac_test_fragment_match,
2554 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
2555 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
2556 .mpo_relabel_ifnet = mac_test_relabel_ifnet,
2557 .mpo_update_ipq = mac_test_update_ipq,
2558 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
2559 .mpo_execve_transition = mac_test_execve_transition,
2560 .mpo_execve_will_transition = mac_test_execve_will_transition,
2561 .mpo_create_proc0 = mac_test_create_proc0,
2562 .mpo_create_proc1 = mac_test_create_proc1,
2563 .mpo_relabel_cred = mac_test_relabel_cred,
2564 .mpo_thread_userret = mac_test_thread_userret,
2565 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg,
2566 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue,
2567 .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem,
2568 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm,
2569 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
2570 .mpo_check_cred_relabel = mac_test_check_cred_relabel,
2571 .mpo_check_cred_visible = mac_test_check_cred_visible,
2572 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
2573 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
2574 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
2575 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq,
2576 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv,
2577 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid,
2578 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget,
2579 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd,
2580 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv,
2581 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl,
2582 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl,
2583 .mpo_check_sysv_semget = mac_test_check_sysv_semget,
2584 .mpo_check_sysv_semop = mac_test_check_sysv_semop,
2585 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat,
2586 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl,
2587 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt,
2588 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget,
2589 .mpo_check_kenv_dump = mac_test_check_kenv_dump,
2590 .mpo_check_kenv_get = mac_test_check_kenv_get,
2591 .mpo_check_kenv_set = mac_test_check_kenv_set,
2592 .mpo_check_kenv_unset = mac_test_check_kenv_unset,
2593 .mpo_check_kld_load = mac_test_check_kld_load,
2594 .mpo_check_kld_stat = mac_test_check_kld_stat,
2595 .mpo_check_mount_stat = mac_test_check_mount_stat,
2596 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
2597 .mpo_check_pipe_poll = mac_test_check_pipe_poll,
2598 .mpo_check_pipe_read = mac_test_check_pipe_read,
2599 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
2600 .mpo_check_pipe_stat = mac_test_check_pipe_stat,
2601 .mpo_check_pipe_write = mac_test_check_pipe_write,
2602 .mpo_check_posix_sem_destroy = mac_test_check_posix_sem,
2603 .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem,
2604 .mpo_check_posix_sem_open = mac_test_check_posix_sem,
2605 .mpo_check_posix_sem_post = mac_test_check_posix_sem,
2606 .mpo_check_posix_sem_unlink = mac_test_check_posix_sem,
2607 .mpo_check_posix_sem_wait = mac_test_check_posix_sem,
2608 .mpo_check_proc_debug = mac_test_check_proc_debug,
2609 .mpo_check_proc_sched = mac_test_check_proc_sched,
2610 .mpo_check_proc_setaudit = mac_test_check_proc_setaudit,
2611 .mpo_check_proc_setauid = mac_test_check_proc_setauid,
2612 .mpo_check_proc_setuid = mac_test_check_proc_setuid,
2613 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
2614 .mpo_check_proc_setgid = mac_test_check_proc_setgid,
2615 .mpo_check_proc_setegid = mac_test_check_proc_setegid,
2616 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
2617 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
2618 .mpo_check_proc_setregid = mac_test_check_proc_setregid,
2619 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
2620 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
2621 .mpo_check_proc_signal = mac_test_check_proc_signal,
2622 .mpo_check_proc_wait = mac_test_check_proc_wait,
2623 .mpo_check_socket_accept = mac_test_check_socket_accept,
2624 .mpo_check_socket_bind = mac_test_check_socket_bind,
2625 .mpo_check_socket_connect = mac_test_check_socket_connect,
2626 .mpo_check_socket_deliver = mac_test_check_socket_deliver,
2627 .mpo_check_socket_listen = mac_test_check_socket_listen,
2628 .mpo_check_socket_poll = mac_test_check_socket_poll,
2629 .mpo_check_socket_receive = mac_test_check_socket_receive,
2630 .mpo_check_socket_relabel = mac_test_check_socket_relabel,
2631 .mpo_check_socket_send = mac_test_check_socket_send,
2632 .mpo_check_socket_stat = mac_test_check_socket_stat,
2633 .mpo_check_socket_visible = mac_test_check_socket_visible,
2634 .mpo_check_system_acct = mac_test_check_system_acct,
2635 .mpo_check_system_audit = mac_test_check_system_audit,
2636 .mpo_check_system_auditctl = mac_test_check_system_auditctl,
2637 .mpo_check_system_auditon = mac_test_check_system_auditon,
2638 .mpo_check_system_reboot = mac_test_check_system_reboot,
2639 .mpo_check_system_swapoff = mac_test_check_system_swapoff,
2640 .mpo_check_system_swapon = mac_test_check_system_swapon,
2641 .mpo_check_system_sysctl = mac_test_check_system_sysctl,
2642 .mpo_check_vnode_access = mac_test_check_vnode_access,
2643 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
2644 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
2645 .mpo_check_vnode_create = mac_test_check_vnode_create,
2646 .mpo_check_vnode_delete = mac_test_check_vnode_delete,
2647 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
2648 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
2649 .mpo_check_vnode_exec = mac_test_check_vnode_exec,
2650 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
2651 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
2652 .mpo_check_vnode_link = mac_test_check_vnode_link,
2653 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
2654 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
2655 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
2656 .mpo_check_vnode_open = mac_test_check_vnode_open,
2657 .mpo_check_vnode_poll = mac_test_check_vnode_poll,
2658 .mpo_check_vnode_read = mac_test_check_vnode_read,
2659 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
2660 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
2661 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
2662 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
2663 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
2664 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
2665 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
2666 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
2667 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
2668 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
2669 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
2670 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
2671 .mpo_check_vnode_stat = mac_test_check_vnode_stat,
2672 .mpo_check_vnode_write = mac_test_check_vnode_write,
2675 MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
2676 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);
projects / FreeBSD / FreeBSD.git / blob