2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
3 * Copyright (c) 2001-2005 McAfee, Inc.
6 * This software was developed by Robert Watson for the TrustedBSD Project.
8 * This software was developed for the FreeBSD Project in part by McAfee
9 * Research, the Security Research Division of McAfee, Inc. under
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11 * CHATS research program.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * Developed by the TrustedBSD Project.
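39 * Generic mandatory access module that does nothing to restrict access; it tags each label with a per-object-type magic number and checks that tag whenever a label is handed back to it.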
42 #include <sys/types.h>
43 #include <sys/param.h>
47 #include <sys/extattr.h>
48 #include <sys/kernel.h>
50 #include <sys/malloc.h>
51 #include <sys/mount.h>
53 #include <sys/systm.h>
54 #include <sys/sysproto.h>
55 #include <sys/sysent.h>
56 #include <sys/vnode.h>
58 #include <sys/socket.h>
59 #include <sys/socketvar.h>
61 #include <sys/sysctl.h>
66 #include <fs/devfs/devfs.h>
68 #include <net/bpfdesc.h>
70 #include <net/if_types.h>
71 #include <net/if_var.h>
75 #include <security/mac/mac_policy.h>
/*
 * sysctl plumbing for this policy: a "test" node under _security_mac and an
 * integer knob "enabled" backed by mac_test_enabled (initial value 1).
 * NOTE(review): the knob is CTLFLAG_RW, so it can be changed at run time.
 * Nothing in the part of the file shown here reads mac_test_enabled --
 * confirm where (or whether) it gates the checks.
 */
77 SYSCTL_DECL(_security_mac);
79 SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
80 "TrustedBSD mac_test policy controls");
82 static int mac_test_enabled = 1;
83 SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
84 &mac_test_enabled, 0, "Enforce test policy");
/*
 * Per-object-type tag values kept in this policy's label slot.  The init
 * routines write the tag for their object type; the destroy routines
 * overwrite it with EXMAGIC, which therefore marks a label that has already
 * been destroyed.
 * These are fixed constants used as sanity tags: they catch a label of the
 * wrong type or a label reused after destroy, but a fixed, known value
 * cannot by itself resist deliberate tampering with label storage.
 */
86 #define BPFMAGIC 0xfe1ad1b6
87 #define DEVFSMAGIC 0x9ee79c32
88 #define IFNETMAGIC 0xc218b120
89 #define INPCBMAGIC 0x4440f7bb
90 #define IPQMAGIC 0x206188ef
91 #define MBUFMAGIC 0xbbefa5bb
92 #define MOUNTMAGIC 0xc7c46e47
93 #define SOCKETMAGIC 0x9199c6cd
94 #define SYSVIPCMSQMAGIC 0xea672391
95 #define SYSVIPCMSGMAGIC 0x8bbba61e
96 #define SYSVIPCSEMMAGIC 0x896e8a0b
97 #define SYSVIPCSHMMAGIC 0x76119ab0
98 #define PIPEMAGIC 0xdc6c9919
99 #define POSIXSEMMAGIC 0x78ae980c
100 #define PROCMAGIC 0x3b4be98f
101 #define CREDMAGIC 0x9a5a4987
102 #define VNODEMAGIC 0x1a67a45c
/* Tag written by every destroy routine; never written by an init routine. */
103 #define EXMAGIC 0x849ba1fd
/*
 * SLOT()/SLOT_SET() read and write this policy's per-label value through
 * mac_label_get()/mac_label_set(), indexed by test_slot.
 */
105 #define SLOT(x) mac_label_get((x), test_slot)
106 #define SLOT_SET(x, v) mac_label_set((x), test_slot, (v))
/*
 * ASSERT_<TYPE>_LABEL(x): KASSERT that the slot of label x holds either the
 * magic value for <TYPE> or 0.  A label tagged EXMAGIC (destroyed) or tagged
 * for another type fails the assertion.
 *
 * KASSERT is only compiled in on kernels built with INVARIANTS; on other
 * builds these macros check nothing, so they are a debugging aid rather
 * than a run-time guarantee.
 *
 * NOTE(review): because 0 is accepted, a label whose slot was never written
 * passes the check for every type.  The comment in
 * mac_test_destroy_mbuf_label about dynamically loaded modules suggests why
 * 0 is tolerated -- confirm that this applies to all object types.
 */
108 #define ASSERT_BPF_LABEL(x) KASSERT(SLOT(x) == BPFMAGIC || \
109 SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
110 #define ASSERT_DEVFS_LABEL(x) KASSERT(SLOT(x) == DEVFSMAGIC || \
111 SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
112 #define ASSERT_IFNET_LABEL(x) KASSERT(SLOT(x) == IFNETMAGIC || \
113 SLOT(x) == 0, ("%s: Bad IFNET label", __func__ ))
114 #define ASSERT_INPCB_LABEL(x) KASSERT(SLOT(x) == INPCBMAGIC || \
115 SLOT(x) == 0, ("%s: Bad INPCB label", __func__ ))
116 #define ASSERT_IPQ_LABEL(x) KASSERT(SLOT(x) == IPQMAGIC || \
117 SLOT(x) == 0, ("%s: Bad IPQ label", __func__ ))
/*
 * The mbuf variant also accepts a NULL label pointer.
 * NOTE(review): the argument is used unparenthesised in `x == NULL`; all
 * callers shown pass a plain identifier, but `(x) == NULL` would be safer.
 */
118 #define ASSERT_MBUF_LABEL(x) KASSERT(x == NULL || \
119 SLOT(x) == MBUFMAGIC || SLOT(x) == 0, \
120 ("%s: Bad MBUF label", __func__ ))
121 #define ASSERT_MOUNT_LABEL(x) KASSERT(SLOT(x) == MOUNTMAGIC || \
122 SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ ))
123 #define ASSERT_SOCKET_LABEL(x) KASSERT(SLOT(x) == SOCKETMAGIC || \
124 SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ ))
125 #define ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC || \
126 SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__ ))
127 #define ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC || \
128 SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__ ))
129 #define ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC || \
130 SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__ ))
131 #define ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC || \
132 SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__ ))
133 #define ASSERT_PIPE_LABEL(x) KASSERT(SLOT(x) == PIPEMAGIC || \
134 SLOT(x) == 0, ("%s: Bad PIPE label", __func__ ))
/* Checks POSIXSEMMAGIC; the macro name says POSIX, the tag says POSIXSEM. */
135 #define ASSERT_POSIX_LABEL(x) KASSERT(SLOT(x) == POSIXSEMMAGIC || \
136 SLOT(x) == 0, ("%s: Bad POSIX ksem label", __func__ ))
137 #define ASSERT_PROC_LABEL(x) KASSERT(SLOT(x) == PROCMAGIC || \
138 SLOT(x) == 0, ("%s: Bad PROC label", __func__ ))
139 #define ASSERT_CRED_LABEL(x) KASSERT(SLOT(x) == CREDMAGIC || \
140 SLOT(x) == 0, ("%s: Bad CRED label", __func__ ))
141 #define ASSERT_VNODE_LABEL(x) KASSERT(SLOT(x) == VNODEMAGIC || \
142 SLOT(x) == 0, ("%s: Bad VNODE label", __func__ ))
/*
 * Index used by SLOT()/SLOT_SET() to find this policy's value inside a
 * label.  Exported read-only; per the sysctl description the value is
 * allocated by the framework (the assignment is not visible in this part
 * of the file).
 */
144 static int test_slot;
145 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
146 &test_slot, 0, "Slot allocated by framework");
/*
 * One counter per object type, incremented by the matching label init
 * routine with atomic_add_int() and exported read-only (CTLFLAG_RD) under
 * the test sysctl node.
 * NOTE(review): presumably meant to be compared with the destroy_count_*
 * counters to spot labels that are initialised but never destroyed.  The
 * counters are plain ints and can wrap on a long-running system.
 */
148 static int init_count_bpfdesc;
149 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
150 &init_count_bpfdesc, 0, "bpfdesc init calls");
151 static int init_count_cred;
152 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
153 &init_count_cred, 0, "cred init calls");
154 static int init_count_devfsdirent;
155 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
156 &init_count_devfsdirent, 0, "devfsdirent init calls");
157 static int init_count_ifnet;
158 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
159 &init_count_ifnet, 0, "ifnet init calls");
160 static int init_count_inpcb;
161 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
162 &init_count_inpcb, 0, "inpcb init calls");
163 static int init_count_sysv_msg;
164 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD,
165 &init_count_sysv_msg, 0, "ipc_msg init calls");
166 static int init_count_sysv_msq;
167 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD,
168 &init_count_sysv_msq, 0, "ipc_msq init calls");
169 static int init_count_sysv_sem;
170 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sem, CTLFLAG_RD,
171 &init_count_sysv_sem, 0, "ipc_sema init calls");
172 static int init_count_sysv_shm;
173 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD,
174 &init_count_sysv_shm, 0, "ipc_shm init calls");
175 static int init_count_ipq;
176 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
177 &init_count_ipq, 0, "ipq init calls");
178 static int init_count_mbuf;
179 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
180 &init_count_mbuf, 0, "mbuf init calls");
181 static int init_count_mount;
182 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
183 &init_count_mount, 0, "mount init calls");
184 static int init_count_mount_fslabel;
185 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
186 &init_count_mount_fslabel, 0, "mount_fslabel init calls");
187 static int init_count_socket;
188 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
189 &init_count_socket, 0, "socket init calls");
190 static int init_count_socket_peerlabel;
191 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
192 CTLFLAG_RD, &init_count_socket_peerlabel, 0,
193 "socket_peerlabel init calls");
194 static int init_count_pipe;
195 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
196 &init_count_pipe, 0, "pipe init calls");
197 static int init_count_posixsems;
198 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_posixsems, CTLFLAG_RD,
199 &init_count_posixsems, 0, "posix sems init calls");
200 static int init_count_proc;
201 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
202 &init_count_proc, 0, "proc init calls");
203 static int init_count_vnode;
204 SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
205 &init_count_vnode, 0, "vnode init calls");
/*
 * One counter per object type, incremented by the matching label destroy
 * routine when it accepts the label (slot holds the type's magic or 0).
 * Duplicate or corrupted destroys are reported through DEBUGGER() and are
 * not counted here.  All are exported read-only (CTLFLAG_RD).
 */
207 static int destroy_count_bpfdesc;
208 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
209 &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
210 static int destroy_count_cred;
211 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
212 &destroy_count_cred, 0, "cred destroy calls");
213 static int destroy_count_devfsdirent;
214 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
215 &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
216 static int destroy_count_ifnet;
217 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
218 &destroy_count_ifnet, 0, "ifnet destroy calls");
219 static int destroy_count_inpcb;
220 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
221 &destroy_count_inpcb, 0, "inpcb destroy calls");
222 static int destroy_count_sysv_msg;
223 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD,
224 &destroy_count_sysv_msg, 0, "ipc_msg destroy calls");
225 static int destroy_count_sysv_msq;
226 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD,
227 &destroy_count_sysv_msq, 0, "ipc_msq destroy calls");
228 static int destroy_count_sysv_sem;
229 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sem, CTLFLAG_RD,
230 &destroy_count_sysv_sem, 0, "ipc_sema destroy calls");
231 static int destroy_count_sysv_shm;
232 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD,
233 &destroy_count_sysv_shm, 0, "ipc_shm destroy calls");
234 static int destroy_count_ipq;
235 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
236 &destroy_count_ipq, 0, "ipq destroy calls");
237 static int destroy_count_mbuf;
238 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
239 &destroy_count_mbuf, 0, "mbuf destroy calls");
240 static int destroy_count_mount;
241 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
242 &destroy_count_mount, 0, "mount destroy calls");
243 static int destroy_count_mount_fslabel;
244 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
245 CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
246 "mount_fslabel destroy calls");
247 static int destroy_count_socket;
248 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
249 &destroy_count_socket, 0, "socket destroy calls");
250 static int destroy_count_socket_peerlabel;
251 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
252 CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
253 "socket_peerlabel destroy calls");
254 static int destroy_count_pipe;
255 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
256 &destroy_count_pipe, 0, "pipe destroy calls");
257 static int destroy_count_posixsems;
258 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_posixsems, CTLFLAG_RD,
259 &destroy_count_posixsems, 0, "posix sems destroy calls");
260 static int destroy_count_proc;
261 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
262 &destroy_count_proc, 0, "proc destroy calls");
263 static int destroy_count_vnode;
264 SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
265 &destroy_count_vnode, 0, "vnode destroy calls");
/*
 * Call counters for the label externalize and internalize hooks, bumped by
 * mac_test_externalize_label() and mac_test_internalize_label() and
 * exported read-only.
 */
267 static int externalize_count;
268 SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
269 &externalize_count, 0, "Subject/object externalize calls");
270 static int internalize_count;
271 SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
272 &internalize_count, 0, "Subject/object internalize calls");
/*
 * DEBUGGER(x) reports a label-lifecycle error found by a destroy routine.
 * Two alternative definitions are shown: one enters the kernel debugger via
 * kdb_enter(), the other only prints the message with a "mac_test: " prefix
 * and lets execution continue.
 * NOTE(review): the conditional-compilation lines that choose between them
 * are missing from this listing -- confirm which build option selects which.
 */
275 #define DEBUGGER(x) kdb_enter(x)
277 #define DEBUGGER(x) printf("mac_test: %s\n", (x))
/*
 * Label init entry points.  Each writes the magic value for its object type
 * into the policy's slot of `label` and increments the matching init
 * counter.  (Return types and braces are not visible in this listing.)
 */
/* bpfdesc labels are tagged BPFMAGIC. */
284 mac_test_init_bpfdesc_label(struct label *label)
287 SLOT_SET(label, BPFMAGIC);
288 atomic_add_int(&init_count_bpfdesc, 1);
/* Credential labels are tagged CREDMAGIC. */
292 mac_test_init_cred_label(struct label *label)
295 SLOT_SET(label, CREDMAGIC);
296 atomic_add_int(&init_count_cred, 1);
/* devfs directory-entry labels are tagged DEVFSMAGIC. */
300 mac_test_init_devfsdirent_label(struct label *label)
303 SLOT_SET(label, DEVFSMAGIC);
304 atomic_add_int(&init_count_devfsdirent, 1);
/* ifnet labels are tagged IFNETMAGIC. */
308 mac_test_init_ifnet_label(struct label *label)
311 SLOT_SET(label, IFNETMAGIC);
312 atomic_add_int(&init_count_ifnet, 1);
/*
 * Init an inpcb label: issues a WITNESS_WARN naming this function and
 * source location, tags the slot INPCBMAGIC and counts the call.
 * NOTE(review): the lines between the signature and the WITNESS_WARN call,
 * and the end of the WITNESS_WARN argument list, are missing from this
 * listing, so how `flag` is used cannot be seen here -- confirm against the
 * full file.
 */
316 mac_test_init_inpcb_label(struct label *label, int flag)
320 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
321 "mac_test_init_inpcb_label() at %s:%d", __FILE__,
324 SLOT_SET(label, INPCBMAGIC);
325 atomic_add_int(&init_count_inpcb, 1);
/*
 * System V IPC label init entry points: message, message queue, semaphore
 * and shared-memory labels each get their own magic value and counter.
 */
330 mac_test_init_sysv_msgmsg_label(struct label *label)
332 SLOT_SET(label, SYSVIPCMSGMAGIC);
333 atomic_add_int(&init_count_sysv_msg, 1);
337 mac_test_init_sysv_msgqueue_label(struct label *label)
339 SLOT_SET(label, SYSVIPCMSQMAGIC);
340 atomic_add_int(&init_count_sysv_msq, 1);
344 mac_test_init_sysv_sem_label(struct label *label)
346 SLOT_SET(label, SYSVIPCSEMMAGIC);
347 atomic_add_int(&init_count_sysv_sem, 1);
351 mac_test_init_sysv_shm_label(struct label *label)
353 SLOT_SET(label, SYSVIPCSHMMAGIC);
354 atomic_add_int(&init_count_sysv_shm, 1);
/*
 * Init an IP reassembly queue (ipq) label and an mbuf label.  Both take a
 * `flag` argument and issue a WITNESS_WARN naming the function before
 * tagging the slot (IPQMAGIC / MBUFMAGIC) and counting the call.
 * NOTE(review): lines are missing from this listing around each
 * WITNESS_WARN, so the use of `flag` is not visible -- confirm.
 */
358 mac_test_init_ipq_label(struct label *label, int flag)
362 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
363 "mac_test_init_ipq_label() at %s:%d", __FILE__,
366 SLOT_SET(label, IPQMAGIC);
367 atomic_add_int(&init_count_ipq, 1);
372 mac_test_init_mbuf_label(struct label *label, int flag)
376 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
377 "mac_test_init_mbuf_label() at %s:%d", __FILE__,
380 SLOT_SET(label, MBUFMAGIC);
381 atomic_add_int(&init_count_mbuf, 1);
/*
 * Init a mount label and a mount fs label.  They use separate counters but
 * the same tag, MOUNTMAGIC.
 * NOTE(review): because the tag is shared, ASSERT_MOUNT_LABEL cannot tell a
 * mount label from a mount fs label, so passing one where the other is
 * expected goes undetected.
 */
386 mac_test_init_mount_label(struct label *label)
389 SLOT_SET(label, MOUNTMAGIC);
390 atomic_add_int(&init_count_mount, 1);
394 mac_test_init_mount_fs_label(struct label *label)
397 SLOT_SET(label, MOUNTMAGIC);
398 atomic_add_int(&init_count_mount_fslabel, 1);
/*
 * Init a socket label and a socket peer label.  Both issue a WITNESS_WARN
 * naming the function, tag the slot SOCKETMAGIC and bump their own counter.
 * NOTE(review): the shared SOCKETMAGIC tag means ASSERT_SOCKET_LABEL cannot
 * distinguish a socket label from a socket peer label.  Lines around each
 * WITNESS_WARN are missing from this listing, so the use of `flag` is not
 * visible -- confirm.
 */
402 mac_test_init_socket_label(struct label *label, int flag)
406 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
407 "mac_test_init_socket_label() at %s:%d", __FILE__,
410 SLOT_SET(label, SOCKETMAGIC);
411 atomic_add_int(&init_count_socket, 1);
416 mac_test_init_socket_peer_label(struct label *label, int flag)
420 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
421 "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
424 SLOT_SET(label, SOCKETMAGIC);
425 atomic_add_int(&init_count_socket_peerlabel, 1);
/*
 * Remaining label init entry points: pipe, POSIX semaphore, process and
 * vnode labels.  Each tags the slot with its type's magic value and counts
 * the call.
 */
430 mac_test_init_pipe_label(struct label *label)
433 SLOT_SET(label, PIPEMAGIC);
434 atomic_add_int(&init_count_pipe, 1);
438 mac_test_init_posix_sem_label(struct label *label)
441 SLOT_SET(label, POSIXSEMMAGIC);
442 atomic_add_int(&init_count_posixsems, 1);
446 mac_test_init_proc_label(struct label *label)
449 SLOT_SET(label, PROCMAGIC);
450 atomic_add_int(&init_count_proc, 1);
454 mac_test_init_vnode_label(struct label *label)
457 SLOT_SET(label, VNODEMAGIC);
458 atomic_add_int(&init_count_vnode, 1);
/*
 * Destroy a bpfdesc label.
 *
 * If the slot holds BPFMAGIC or 0, the destroy is counted and the slot is
 * overwritten with EXMAGIC so that any later use of the label is
 * recognisable.  A slot that already holds EXMAGIC is reported through
 * DEBUGGER() as a duplicate destroy; the second DEBUGGER() call reports a
 * corrupted label (the branch line separating the two reports is missing
 * from this listing).
 *
 * These are ordinary `if` tests rather than KASSERTs, so they do not depend
 * on the kernel being built with assertions enabled.
 */
462 mac_test_destroy_bpfdesc_label(struct label *label)
465 if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
466 atomic_add_int(&destroy_count_bpfdesc, 1);
467 SLOT_SET(label, EXMAGIC);
468 } else if (SLOT(label) == EXMAGIC) {
469 DEBUGGER("mac_test_destroy_bpfdesc: dup destroy");
471 DEBUGGER("mac_test_destroy_bpfdesc: corrupted label");
/*
 * Label destroy entry points for cred, devfsdirent, ifnet, inpcb, the four
 * System V IPC types and ipq.  All follow one pattern: a slot holding the
 * type's magic or 0 is counted and re-tagged EXMAGIC; a slot already
 * holding EXMAGIC is reported as "dup destroy"; anything else is reported
 * as "corrupted label".  The branch line between the two DEBUGGER() reports
 * is missing from this listing in every function.
 */
476 mac_test_destroy_cred_label(struct label *label)
479 if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
480 atomic_add_int(&destroy_count_cred, 1);
481 SLOT_SET(label, EXMAGIC);
482 } else if (SLOT(label) == EXMAGIC) {
483 DEBUGGER("mac_test_destroy_cred: dup destroy");
485 DEBUGGER("mac_test_destroy_cred: corrupted label");
490 mac_test_destroy_devfsdirent_label(struct label *label)
493 if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
494 atomic_add_int(&destroy_count_devfsdirent, 1);
495 SLOT_SET(label, EXMAGIC);
496 } else if (SLOT(label) == EXMAGIC) {
497 DEBUGGER("mac_test_destroy_devfsdirent: dup destroy");
499 DEBUGGER("mac_test_destroy_devfsdirent: corrupted label");
504 mac_test_destroy_ifnet_label(struct label *label)
507 if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
508 atomic_add_int(&destroy_count_ifnet, 1);
509 SLOT_SET(label, EXMAGIC);
510 } else if (SLOT(label) == EXMAGIC) {
511 DEBUGGER("mac_test_destroy_ifnet: dup destroy");
513 DEBUGGER("mac_test_destroy_ifnet: corrupted label");
518 mac_test_destroy_inpcb_label(struct label *label)
521 if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) {
522 atomic_add_int(&destroy_count_inpcb, 1);
523 SLOT_SET(label, EXMAGIC);
524 } else if (SLOT(label) == EXMAGIC) {
525 DEBUGGER("mac_test_destroy_inpcb: dup destroy");
527 DEBUGGER("mac_test_destroy_inpcb: corrupted label");
/* System V message label. */
532 mac_test_destroy_sysv_msgmsg_label(struct label *label)
535 if (SLOT(label) == SYSVIPCMSGMAGIC || SLOT(label) == 0) {
536 atomic_add_int(&destroy_count_sysv_msg, 1);
537 SLOT_SET(label, EXMAGIC);
538 } else if (SLOT(label) == EXMAGIC) {
539 DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy");
542 "mac_test_destroy_sysv_msgmsg_label: corrupted label");
/* System V message queue label. */
547 mac_test_destroy_sysv_msgqueue_label(struct label *label)
550 if (SLOT(label) == SYSVIPCMSQMAGIC || SLOT(label) == 0) {
551 atomic_add_int(&destroy_count_sysv_msq, 1);
552 SLOT_SET(label, EXMAGIC);
553 } else if (SLOT(label) == EXMAGIC) {
554 DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy");
557 "mac_test_destroy_sysv_msgqueue_label: corrupted label");
/* System V semaphore label. */
562 mac_test_destroy_sysv_sem_label(struct label *label)
565 if (SLOT(label) == SYSVIPCSEMMAGIC || SLOT(label) == 0) {
566 atomic_add_int(&destroy_count_sysv_sem, 1);
567 SLOT_SET(label, EXMAGIC);
568 } else if (SLOT(label) == EXMAGIC) {
569 DEBUGGER("mac_test_destroy_sysv_sem_label: dup destroy");
571 DEBUGGER("mac_test_destroy_sysv_sem_label: corrupted label");
/* System V shared-memory label. */
576 mac_test_destroy_sysv_shm_label(struct label *label)
579 if (SLOT(label) == SYSVIPCSHMMAGIC || SLOT(label) == 0) {
580 atomic_add_int(&destroy_count_sysv_shm, 1);
581 SLOT_SET(label, EXMAGIC);
582 } else if (SLOT(label) == EXMAGIC) {
583 DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy");
585 DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label");
/* IP reassembly queue label. */
590 mac_test_destroy_ipq_label(struct label *label)
593 if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
594 atomic_add_int(&destroy_count_ipq, 1);
595 SLOT_SET(label, EXMAGIC);
596 } else if (SLOT(label) == EXMAGIC) {
597 DEBUGGER("mac_test_destroy_ipq: dup destroy");
599 DEBUGGER("mac_test_destroy_ipq: corrupted label");
/*
 * Destroy an mbuf label: a slot holding MBUFMAGIC or 0 is counted and
 * re-tagged EXMAGIC; EXMAGIC is reported as a duplicate destroy and any
 * other value as a corrupted label.
 * NOTE(review): the original comment below is truncated in this listing and
 * the code it introduces (original lines 610-614) is missing, so the
 * special handling for mbufs without label storage cannot be seen here --
 * confirm against the full file.
 */
604 mac_test_destroy_mbuf_label(struct label *label)
608 * If we're loaded dynamically, there may be mbufs in flight that
609 * didn't have label storage allocated for them. Handle this
615 if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
616 atomic_add_int(&destroy_count_mbuf, 1);
617 SLOT_SET(label, EXMAGIC);
618 } else if (SLOT(label) == EXMAGIC) {
619 DEBUGGER("mac_test_destroy_mbuf: dup destroy");
621 DEBUGGER("mac_test_destroy_mbuf: corrupted label");
/*
 * Destroy a mount label and a mount fs label.  Both accept MOUNTMAGIC or 0,
 * bump their own counter and re-tag the slot EXMAGIC; EXMAGIC is reported
 * as a duplicate destroy, anything else as a corrupted label.
 * NOTE(review): since both label kinds carry MOUNTMAGIC, a mount label
 * handed to the fs-label destroy routine (or the reverse) is accepted and
 * only shows up as mismatched init/destroy counters.
 */
626 mac_test_destroy_mount_label(struct label *label)
629 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
630 atomic_add_int(&destroy_count_mount, 1);
631 SLOT_SET(label, EXMAGIC);
632 } else if (SLOT(label) == EXMAGIC) {
633 DEBUGGER("mac_test_destroy_mount: dup destroy");
635 DEBUGGER("mac_test_destroy_mount: corrupted label");
640 mac_test_destroy_mount_fs_label(struct label *label)
643 if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
644 atomic_add_int(&destroy_count_mount_fslabel, 1);
645 SLOT_SET(label, EXMAGIC);
646 } else if (SLOT(label) == EXMAGIC) {
647 DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy");
649 DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label");
/*
 * Destroy a socket label and a socket peer label.  Both accept SOCKETMAGIC
 * or 0, bump their own counter and re-tag the slot EXMAGIC; EXMAGIC is
 * reported as a duplicate destroy, anything else as a corrupted label.
 * NOTE(review): both kinds carry SOCKETMAGIC, so a socket label destroyed
 * through the peer-label routine (or the reverse) is not flagged here.
 */
654 mac_test_destroy_socket_label(struct label *label)
657 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
658 atomic_add_int(&destroy_count_socket, 1);
659 SLOT_SET(label, EXMAGIC);
660 } else if (SLOT(label) == EXMAGIC) {
661 DEBUGGER("mac_test_destroy_socket: dup destroy");
663 DEBUGGER("mac_test_destroy_socket: corrupted label");
668 mac_test_destroy_socket_peer_label(struct label *label)
671 if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
672 atomic_add_int(&destroy_count_socket_peerlabel, 1);
673 SLOT_SET(label, EXMAGIC);
674 } else if (SLOT(label) == EXMAGIC) {
675 DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy");
677 DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label");
/*
 * Label destroy entry points for pipe, POSIX semaphore, process and vnode
 * labels.  Each accepts its type's magic value or 0, counts the destroy and
 * re-tags the slot EXMAGIC; a slot already holding EXMAGIC is reported as
 * "dup destroy" and any other value as "corrupted label".  The branch line
 * between the two DEBUGGER() reports is missing from this listing.
 */
682 mac_test_destroy_pipe_label(struct label *label)
685 if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) {
686 atomic_add_int(&destroy_count_pipe, 1);
687 SLOT_SET(label, EXMAGIC);
688 } else if (SLOT(label) == EXMAGIC) {
689 DEBUGGER("mac_test_destroy_pipe: dup destroy");
691 DEBUGGER("mac_test_destroy_pipe: corrupted label");
696 mac_test_destroy_posix_sem_label(struct label *label)
699 if ((SLOT(label) == POSIXSEMMAGIC || SLOT(label) == 0)) {
700 atomic_add_int(&destroy_count_posixsems, 1);
701 SLOT_SET(label, EXMAGIC);
702 } else if (SLOT(label) == EXMAGIC) {
703 DEBUGGER("mac_test_destroy_posix_sem: dup destroy");
705 DEBUGGER("mac_test_destroy_posix_sem: corrupted label");
710 mac_test_destroy_proc_label(struct label *label)
713 if ((SLOT(label) == PROCMAGIC || SLOT(label) == 0)) {
714 atomic_add_int(&destroy_count_proc, 1);
715 SLOT_SET(label, EXMAGIC);
716 } else if (SLOT(label) == EXMAGIC) {
717 DEBUGGER("mac_test_destroy_proc: dup destroy");
719 DEBUGGER("mac_test_destroy_proc: corrupted label");
724 mac_test_destroy_vnode_label(struct label *label)
727 if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
728 atomic_add_int(&destroy_count_vnode, 1);
729 SLOT_SET(label, EXMAGIC);
730 } else if (SLOT(label) == EXMAGIC) {
731 DEBUGGER("mac_test_destroy_vnode: dup destroy");
733 DEBUGGER("mac_test_destroy_vnode: corrupted label");
/*
 * Label copy hooks.  In the lines shown each one only asserts that both
 * `src` and `dest` carry the tag for the expected object type (or 0); no
 * slot is written.  The mbuf variant also tolerates NULL label pointers,
 * as ASSERT_MBUF_LABEL does.
 */
738 mac_test_copy_cred_label(struct label *src, struct label *dest)
741 ASSERT_CRED_LABEL(src);
742 ASSERT_CRED_LABEL(dest);
746 mac_test_copy_ifnet_label(struct label *src, struct label *dest)
749 ASSERT_IFNET_LABEL(src);
750 ASSERT_IFNET_LABEL(dest);
754 mac_test_copy_mbuf_label(struct label *src, struct label *dest)
757 ASSERT_MBUF_LABEL(src);
758 ASSERT_MBUF_LABEL(dest);
762 mac_test_copy_pipe_label(struct label *src, struct label *dest)
765 ASSERT_PIPE_LABEL(src);
766 ASSERT_PIPE_LABEL(dest);
770 mac_test_copy_socket_label(struct label *src, struct label *dest)
773 ASSERT_SOCKET_LABEL(src);
774 ASSERT_SOCKET_LABEL(dest);
778 mac_test_copy_vnode_label(struct label *src, struct label *dest)
781 ASSERT_VNODE_LABEL(src);
782 ASSERT_VNODE_LABEL(dest);
/*
 * Externalize / internalize hooks.  Each counts the call and asserts that
 * the label has not been destroyed (slot != EXMAGIC).  The check is
 * type-agnostic: it does not verify which object type the label belongs to.
 * It is a KASSERT, so it is only active on kernels built with INVARIANTS.
 * NOTE(review): element_name, sb / element_data and claimed are not touched
 * in the lines shown; the return statement is missing from this listing.
 */
786 mac_test_externalize_label(struct label *label, char *element_name,
787 struct sbuf *sb, int *claimed)
790 atomic_add_int(&externalize_count, 1);
792 KASSERT(SLOT(label) != EXMAGIC,
793 ("mac_test_externalize_label: destroyed label"));
799 mac_test_internalize_label(struct label *label, char *element_name,
800 char *element_data, int *claimed)
803 atomic_add_int(&internalize_count, 1);
805 KASSERT(SLOT(label) != EXMAGIC,
806 ("mac_test_internalize_label: destroyed label"));
812 * Labeling event operations: file system objects, and things that look
813 * a lot like file system objects.
/*
 * vnode association hooks.  Each asserts that the labels it receives carry
 * the expected tag: mount (fslabel), devfs dirent (delabel) and vnode
 * (vlabel).  No label is modified in the lines shown.
 */
816 mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
817 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
818 struct label *vlabel)
821 ASSERT_MOUNT_LABEL(fslabel);
822 ASSERT_DEVFS_LABEL(delabel);
823 ASSERT_VNODE_LABEL(vlabel);
827 mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
828 struct vnode *vp, struct label *vlabel)
831 ASSERT_MOUNT_LABEL(fslabel);
832 ASSERT_VNODE_LABEL(vlabel);
837 mac_test_associate_vnode_singlelabel(struct mount *mp,
838 struct label *fslabel, struct vnode *vp, struct label *vlabel)
841 ASSERT_MOUNT_LABEL(fslabel);
842 ASSERT_VNODE_LABEL(vlabel);
/*
 * devfs creation hooks: assert the credential label (where a cred is
 * passed) and the devfs dirent label(s).
 * NOTE(review): in mac_test_create_devfs_device the listing skips a line
 * immediately before and after the credential assertion, so a guard on
 * `cred` may be hidden there; mac_test_create_devfs_symlink dereferences
 * cred->cr_label with no guard visible -- confirm both against the full
 * file.
 */
846 mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
847 struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
851 ASSERT_CRED_LABEL(cred->cr_label);
853 ASSERT_DEVFS_LABEL(label);
857 mac_test_create_devfs_directory(struct mount *mp, char *dirname,
858 int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
861 ASSERT_DEVFS_LABEL(label);
865 mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
866 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
867 struct label *delabel)
870 ASSERT_CRED_LABEL(cred->cr_label);
871 ASSERT_DEVFS_LABEL(ddlabel);
872 ASSERT_DEVFS_LABEL(delabel);
/*
 * vnode / mount creation and relabel hooks: assert the credential label and
 * the object labels passed in.
 * NOTE(review): in mac_test_create_vnode_extattr the new vnode's label
 * (vlabel) is not asserted in the lines shown, although dlabel and fslabel
 * are -- confirm whether that omission is intentional.
 */
876 mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
877 struct label *fslabel, struct vnode *dvp, struct label *dlabel,
878 struct vnode *vp, struct label *vlabel, struct componentname *cnp)
881 ASSERT_CRED_LABEL(cred->cr_label);
882 ASSERT_MOUNT_LABEL(fslabel);
883 ASSERT_VNODE_LABEL(dlabel);
/* Both mntlabel and fslabel are checked against the shared MOUNTMAGIC tag. */
889 mac_test_create_mount(struct ucred *cred, struct mount *mp,
890 struct label *mntlabel, struct label *fslabel)
893 ASSERT_CRED_LABEL(cred->cr_label);
894 ASSERT_MOUNT_LABEL(mntlabel);
895 ASSERT_MOUNT_LABEL(fslabel);
/* Both the vnode's current label and the new label must be vnode-tagged. */
899 mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
900 struct label *vnodelabel, struct label *label)
903 ASSERT_CRED_LABEL(cred->cr_label);
904 ASSERT_VNODE_LABEL(vnodelabel);
905 ASSERT_VNODE_LABEL(label);
909 mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
910 struct label *vlabel, struct label *intlabel)
913 ASSERT_CRED_LABEL(cred->cr_label);
914 ASSERT_VNODE_LABEL(vlabel);
915 ASSERT_VNODE_LABEL(intlabel);
920 mac_test_update_devfsdirent(struct mount *mp,
921 struct devfs_dirent *devfs_dirent, struct label *direntlabel,
922 struct vnode *vp, struct label *vnodelabel)
925 ASSERT_DEVFS_LABEL(direntlabel);
926 ASSERT_VNODE_LABEL(vnodelabel);
930 * Labeling event operations: IPC object.
/*
 * IPC labeling hooks for sockets, pipes and POSIX semaphores.  Each asserts
 * the tag of the labels it is given; hooks that take a credential also
 * assert cred->cr_label.  No label is modified in the lines shown.
 */
933 mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
934 struct mbuf *m, struct label *mbuflabel)
937 ASSERT_SOCKET_LABEL(socketlabel);
938 ASSERT_MBUF_LABEL(mbuflabel);
942 mac_test_create_socket(struct ucred *cred, struct socket *socket,
943 struct label *socketlabel)
946 ASSERT_CRED_LABEL(cred->cr_label);
947 ASSERT_SOCKET_LABEL(socketlabel);
951 mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
952 struct label *pipelabel)
955 ASSERT_CRED_LABEL(cred->cr_label);
956 ASSERT_PIPE_LABEL(pipelabel);
960 mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem,
961 struct label *posixlabel)
964 ASSERT_CRED_LABEL(cred->cr_label);
965 ASSERT_POSIX_LABEL(posixlabel);
969 mac_test_create_socket_from_socket(struct socket *oldsocket,
970 struct label *oldsocketlabel, struct socket *newsocket,
971 struct label *newsocketlabel)
974 ASSERT_SOCKET_LABEL(oldsocketlabel);
975 ASSERT_SOCKET_LABEL(newsocketlabel);
/*
 * NOTE(review): only `newlabel` is asserted in the lines shown; the socket's
 * current label (socketlabel) is not, whereas mac_test_relabel_pipe below
 * checks both the current and the new label.  Confirm whether an
 * ASSERT_SOCKET_LABEL(socketlabel) is missing.
 */
979 mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
980 struct label *socketlabel, struct label *newlabel)
983 ASSERT_CRED_LABEL(cred->cr_label);
984 ASSERT_SOCKET_LABEL(newlabel);
988 mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
989 struct label *pipelabel, struct label *newlabel)
992 ASSERT_CRED_LABEL(cred->cr_label);
993 ASSERT_PIPE_LABEL(pipelabel);
994 ASSERT_PIPE_LABEL(newlabel);
/* The peer label is checked against SOCKETMAGIC, the tag peer labels share. */
998 mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
999 struct socket *socket, struct label *socketpeerlabel)
1002 ASSERT_MBUF_LABEL(mbuflabel);
1003 ASSERT_SOCKET_LABEL(socketpeerlabel);
1007 * Labeling event operations: network objects.
/*
 * Network-object labeling hooks (first group): socket peer, bpfdesc, ipq
 * datagram/fragment, ifnet and inpcb.  Each asserts that every label it
 * receives carries the tag for its object type; nothing is written in the
 * lines shown.
 */
1010 mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
1011 struct label *oldsocketlabel, struct socket *newsocket,
1012 struct label *newsocketpeerlabel)
1015 ASSERT_SOCKET_LABEL(oldsocketlabel);
1016 ASSERT_SOCKET_LABEL(newsocketpeerlabel);
1020 mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
1021 struct label *bpflabel)
1024 ASSERT_CRED_LABEL(cred->cr_label);
1025 ASSERT_BPF_LABEL(bpflabel);
1029 mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
1030 struct mbuf *datagram, struct label *datagramlabel)
1033 ASSERT_IPQ_LABEL(ipqlabel);
1034 ASSERT_MBUF_LABEL(datagramlabel);
1038 mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
1039 struct mbuf *fragment, struct label *fragmentlabel)
1042 ASSERT_MBUF_LABEL(datagramlabel);
1043 ASSERT_MBUF_LABEL(fragmentlabel);
1047 mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
1050 ASSERT_IFNET_LABEL(ifnetlabel);
1054 mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
1055 struct inpcb *inp, struct label *inplabel)
1058 ASSERT_SOCKET_LABEL(solabel);
1059 ASSERT_INPCB_LABEL(inplabel);
/*
 * System V IPC creation hooks: assert the tag of the message, message
 * queue, semaphore or shared-memory label being created.
 * NOTE(review): each hook receives a `cred`, but cred->cr_label is not
 * asserted in the lines shown, unlike the other creation hooks in this file
 * that take a credential -- confirm whether that is intentional.
 */
1063 mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
1064 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
1067 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1068 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
1072 mac_test_create_sysv_msgqueue(struct ucred *cred,
1073 struct msqid_kernel *msqkptr, struct label *msqlabel)
1076 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
1080 mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
1081 struct label *semalabel)
1084 ASSERT_SYSVIPCSEM_LABEL(semalabel);
1088 mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
1089 struct label *shmlabel)
1092 ASSERT_SYSVIPCSHM_LABEL(shmlabel);
/*
 * mbuf and ipq labeling hooks.  Each asserts the tag of the source label
 * (ipq, inpcb, ifnet, bpfdesc or another mbuf) and of the mbuf or ipq label
 * being produced or matched.  The mbuf assertions also tolerate a NULL
 * label pointer, as ASSERT_MBUF_LABEL does.
 */
1096 mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1097 struct ipq *ipq, struct label *ipqlabel)
1100 ASSERT_MBUF_LABEL(fragmentlabel);
1101 ASSERT_IPQ_LABEL(ipqlabel);
1105 mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
1106 struct mbuf *m, struct label *mlabel)
1109 ASSERT_INPCB_LABEL(inplabel);
1110 ASSERT_MBUF_LABEL(mlabel);
1114 mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
1115 struct mbuf *mbuf, struct label *mbuflabel)
1118 ASSERT_IFNET_LABEL(ifnetlabel);
1119 ASSERT_MBUF_LABEL(mbuflabel);
1123 mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
1124 struct mbuf *mbuf, struct label *mbuflabel)
1127 ASSERT_BPF_LABEL(bpflabel);
1128 ASSERT_MBUF_LABEL(mbuflabel);
1132 mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
1133 struct mbuf *m, struct label *mbuflabel)
1136 ASSERT_IFNET_LABEL(ifnetlabel);
1137 ASSERT_MBUF_LABEL(mbuflabel);
1141 mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
1142 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
1143 struct mbuf *newmbuf, struct label *newmbuflabel)
1146 ASSERT_MBUF_LABEL(oldmbuflabel);
1147 ASSERT_IFNET_LABEL(ifnetlabel);
1148 ASSERT_MBUF_LABEL(newmbuflabel);
1152 mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
1153 struct label *oldmbuflabel, struct mbuf *newmbuf,
1154 struct label *newmbuflabel)
1157 ASSERT_MBUF_LABEL(oldmbuflabel);
1158 ASSERT_MBUF_LABEL(newmbuflabel);
/* The value returned for the match decision is not visible in this listing. */
1162 mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
1163 struct ipq *ipq, struct label *ipqlabel)
1166 ASSERT_MBUF_LABEL(fragmentlabel);
1167 ASSERT_IPQ_LABEL(ipqlabel);
/*
 * Remaining network hooks: ICMP/TCP reflection of an mbuf, ifnet relabel,
 * ipq update and inpcb/socket label propagation.  Each only asserts the tag
 * of the labels it receives in the lines shown.
 */
1173 mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
1176 ASSERT_MBUF_LABEL(mlabel);
1180 mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
1183 ASSERT_MBUF_LABEL(mlabel);
/* Checks the credential plus both the current and the new ifnet label. */
1187 mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1188 struct label *ifnetlabel, struct label *newlabel)
1191 ASSERT_CRED_LABEL(cred->cr_label);
1192 ASSERT_IFNET_LABEL(ifnetlabel);
1193 ASSERT_IFNET_LABEL(newlabel);
1197 mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1198 struct ipq *ipq, struct label *ipqlabel)
1201 ASSERT_MBUF_LABEL(fragmentlabel);
1202 ASSERT_IPQ_LABEL(ipqlabel);
1206 mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1207 struct inpcb *inp, struct label *inplabel)
1210 ASSERT_SOCKET_LABEL(solabel);
1211 ASSERT_INPCB_LABEL(inplabel);
1215 * Labeling event operations: processes.
/*
 * execve() label-transition hooks.  Both check the credential label(s) and
 * the label of the file being executed.  interpvnodelabel and execlabel are
 * optional: each is asserted only when it is non-NULL.  Note that execlabel
 * is checked with ASSERT_CRED_LABEL, i.e. it is treated as a credential
 * label, not a vnode label.
 * NOTE(review): the closing braces of the guards, the return types and any
 * return statement (including what will_transition reports) are not present
 * in this listing; the ASSERT_* macros are defined outside this excerpt.
 */
1218 mac_test_execve_transition(struct ucred *old, struct ucred *new,
1219 struct vnode *vp, struct label *filelabel,
1220 struct label *interpvnodelabel, struct image_params *imgp,
1221 struct label *execlabel)
1224 ASSERT_CRED_LABEL(old->cr_label);
1225 ASSERT_CRED_LABEL(new->cr_label);
1226 ASSERT_VNODE_LABEL(filelabel);
1227 if (interpvnodelabel != NULL) {
1228 ASSERT_VNODE_LABEL(interpvnodelabel);
1230 if (execlabel != NULL) {
1231 ASSERT_CRED_LABEL(execlabel);
1236 mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
1237 struct label *filelabel, struct label *interpvnodelabel,
1238 struct image_params *imgp, struct label *execlabel)
1241 ASSERT_CRED_LABEL(old->cr_label);
1242 ASSERT_VNODE_LABEL(filelabel);
1243 if (interpvnodelabel != NULL) {
1244 ASSERT_VNODE_LABEL(interpvnodelabel);
1246 if (execlabel != NULL) {
1247 ASSERT_CRED_LABEL(execlabel);
/*
 * Credential labeling events for the first two processes and for an
 * explicit credential relabel.  Each hook dereferences cred->cr_label, so
 * cred must be non-NULL; relabel_cred also checks the proposed new label.
 * NOTE(review): ASSERT_CRED_LABEL is defined outside this excerpt.
 */
1254 mac_test_create_proc0(struct ucred *cred)
1257 ASSERT_CRED_LABEL(cred->cr_label);
1261 mac_test_create_proc1(struct ucred *cred)
1264 ASSERT_CRED_LABEL(cred->cr_label);
1268 mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
1271 ASSERT_CRED_LABEL(cred->cr_label);
1272 ASSERT_CRED_LABEL(newlabel);
/*
 * Logs the PID of the current thread's process with printf.  The td
 * argument is not used in the visible lines; the PID is taken from
 * curthread instead.
 * NOTE(review): how often the framework invokes this hook is not visible
 * here.  If it fires on every return to user mode, the console/log volume
 * could be large on a busy system - confirm before loading this module
 * anywhere but a test machine.
 */
1276 mac_test_thread_userret(struct thread *td)
1279 printf("mac_test_thread_userret(process = %d)\n",
1280 curthread->td_proc->p_pid);
1284 * Label cleanup/flush operations
/*
 * System V IPC label cleanup hooks (message, message queue, semaphore,
 * shared memory).  In the lines shown each one only asserts the label type;
 * nothing is cleared or freed here.
 * NOTE(review): the ASSERT_SYSVIPC*_LABEL macros are defined outside this
 * excerpt.
 */
1287 mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
1290 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1294 mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
1297 ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
1301 mac_test_cleanup_sysv_sem(struct label *semalabel)
1304 ASSERT_SYSVIPCSEM_LABEL(semalabel);
1308 mac_test_cleanup_sysv_shm(struct label *shmlabel)
1311 ASSERT_SYSVIPCSHM_LABEL(shmlabel);
1315 * Access control checks.
/*
 * Access control checks for BPF delivery, credential relabel/visibility,
 * interface relabel/transmit and inpcb delivery.  The visible statements
 * only assert label types; no comparison between subject and object labels
 * is made in the lines shown.
 * NOTE(review): the return statements are not in this listing (the gutter
 * numbers skip them).  Presumably every check returns 0, i.e. allows the
 * operation, which would make this module a label-consistency test harness
 * and not an enforcement policy - confirm against the full file.
 */
1318 mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1319 struct ifnet *ifnet, struct label *ifnetlabel)
1322 ASSERT_BPF_LABEL(bpflabel);
1323 ASSERT_IFNET_LABEL(ifnetlabel);
1329 mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1332 ASSERT_CRED_LABEL(cred->cr_label);
1333 ASSERT_CRED_LABEL(newlabel);
/* Visibility check between two credentials; both must be non-NULL. */
1339 mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
1342 ASSERT_CRED_LABEL(u1->cr_label);
1343 ASSERT_CRED_LABEL(u2->cr_label);
1349 mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1350 struct label *ifnetlabel, struct label *newlabel)
1353 ASSERT_CRED_LABEL(cred->cr_label);
1354 ASSERT_IFNET_LABEL(ifnetlabel);
1355 ASSERT_IFNET_LABEL(newlabel);
/* The transmit and deliver checks take no credential: only object labels are involved. */
1360 mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1361 struct mbuf *m, struct label *mbuflabel)
1364 ASSERT_IFNET_LABEL(ifnetlabel);
1365 ASSERT_MBUF_LABEL(mbuflabel);
1371 mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
1372 struct mbuf *m, struct label *mlabel)
1375 ASSERT_INPCB_LABEL(inplabel);
1376 ASSERT_MBUF_LABEL(mlabel);
/*
 * System V message and message-queue access checks.  Each asserts the type
 * of the message and/or queue label it receives and of the caller's
 * credential label.  The msgptr/msqkptr objects and the cmd argument are
 * not examined in the lines shown.
 * NOTE(review): the return statements are missing from this listing;
 * presumably each check returns 0 (allow) - confirm.  The ASSERT_* macros
 * are defined outside this excerpt.
 */
1382 mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
1383 struct label *msglabel, struct msqid_kernel *msqkptr,
1384 struct label *msqklabel)
1387 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1388 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1389 ASSERT_CRED_LABEL(cred->cr_label);
1395 mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
1396 struct label *msglabel)
1399 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1400 ASSERT_CRED_LABEL(cred->cr_label);
1407 mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
1408 struct label *msglabel)
1411 ASSERT_SYSVIPCMSG_LABEL(msglabel);
1412 ASSERT_CRED_LABEL(cred->cr_label);
1418 mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
1419 struct label *msqklabel)
1422 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1423 ASSERT_CRED_LABEL(cred->cr_label);
1429 mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
1430 struct label *msqklabel)
1433 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1434 ASSERT_CRED_LABEL(cred->cr_label);
1440 mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
1441 struct label *msqklabel)
1444 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1445 ASSERT_CRED_LABEL(cred->cr_label);
1451 mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
1452 struct label *msqklabel, int cmd)
1455 ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
1456 ASSERT_CRED_LABEL(cred->cr_label);
/*
 * System V semaphore access checks (semctl, semget, semop).  Each asserts
 * the caller's credential label and the semaphore label; cmd and accesstype
 * are not examined in the lines shown.
 * NOTE(review): return statements are missing from this listing;
 * presumably each check returns 0 (allow) - confirm.
 */
1462 mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
1463 struct label *semaklabel, int cmd)
1466 ASSERT_CRED_LABEL(cred->cr_label);
1467 ASSERT_SYSVIPCSEM_LABEL(semaklabel);
1473 mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
1474 struct label *semaklabel)
1477 ASSERT_CRED_LABEL(cred->cr_label);
1478 ASSERT_SYSVIPCSEM_LABEL(semaklabel);
1484 mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
1485 struct label *semaklabel, size_t accesstype)
1488 ASSERT_CRED_LABEL(cred->cr_label);
1489 ASSERT_SYSVIPCSEM_LABEL(semaklabel);
/*
 * System V shared-memory access checks (shmat, shmctl, shmdt, shmget).
 * Each asserts the caller's credential label and the segment label; the
 * shmflg and cmd arguments are not examined in the lines shown.
 * NOTE(review): return statements are missing from this listing;
 * presumably each check returns 0 (allow) - confirm.
 */
1495 mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
1496 struct label *shmseglabel, int shmflg)
1499 ASSERT_CRED_LABEL(cred->cr_label);
1500 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1506 mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
1507 struct label *shmseglabel, int cmd)
1510 ASSERT_CRED_LABEL(cred->cr_label);
1511 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1517 mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
1518 struct label *shmseglabel)
1521 ASSERT_CRED_LABEL(cred->cr_label);
1522 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
1528 mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
1529 struct label *shmseglabel, int shmflg)
1532 ASSERT_CRED_LABEL(cred->cr_label);
1533 ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
/*
 * Kernel environment access checks (dump, get, set, unset).  Only the
 * caller's credential label is asserted; the variable name and value
 * strings are not read in the lines shown.
 * NOTE(review): return statements are missing from this listing;
 * presumably each check returns 0 (allow) - confirm.
 */
1539 mac_test_check_kenv_dump(struct ucred *cred)
1542 ASSERT_CRED_LABEL(cred->cr_label);
1548 mac_test_check_kenv_get(struct ucred *cred, char *name)
1551 ASSERT_CRED_LABEL(cred->cr_label);
1557 mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
1560 ASSERT_CRED_LABEL(cred->cr_label);
1566 mac_test_check_kenv_unset(struct ucred *cred, char *name)
1569 ASSERT_CRED_LABEL(cred->cr_label);
/*
 * Kernel module (kld) access checks.  The load check asserts both the
 * caller's credential label and the label of the module's vnode; the stat
 * and unload checks see only the credential.
 * NOTE(review): return statements are missing from this listing;
 * presumably each check returns 0 (allow) - confirm.
 */
1575 mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
1576 struct label *label)
1579 ASSERT_CRED_LABEL(cred->cr_label);
1580 ASSERT_VNODE_LABEL(label);
1586 mac_test_check_kld_stat(struct ucred *cred)
1589 ASSERT_CRED_LABEL(cred->cr_label);
1595 mac_test_check_kld_unload(struct ucred *cred)
1598 ASSERT_CRED_LABEL(cred->cr_label);
/*
 * Mount statistics access check: asserts the caller's credential label and
 * the mount label.  The mount point itself is not used in the lines shown.
 * NOTE(review): the return statement is missing from this listing.
 */
1604 mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
1605 struct label *mntlabel)
1608 ASSERT_CRED_LABEL(cred->cr_label);
1609 ASSERT_MOUNT_LABEL(mntlabel);
/*
 * Pipe access checks (ioctl, poll, read, relabel, stat, write).  Each
 * asserts the caller's credential label and the pipe label; relabel also
 * asserts the proposed new label.  The ioctl cmd/data arguments are not
 * examined in the lines shown.
 * NOTE(review): return statements are missing from this listing;
 * presumably each check returns 0 (allow) - confirm.
 */
1615 mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
1616 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1619 ASSERT_CRED_LABEL(cred->cr_label);
1620 ASSERT_PIPE_LABEL(pipelabel);
1626 mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
1627 struct label *pipelabel)
1630 ASSERT_CRED_LABEL(cred->cr_label);
1631 ASSERT_PIPE_LABEL(pipelabel);
1637 mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
1638 struct label *pipelabel)
1641 ASSERT_CRED_LABEL(cred->cr_label);
1642 ASSERT_PIPE_LABEL(pipelabel);
1648 mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1649 struct label *pipelabel, struct label *newlabel)
1652 ASSERT_CRED_LABEL(cred->cr_label);
1653 ASSERT_PIPE_LABEL(pipelabel);
1654 ASSERT_PIPE_LABEL(newlabel);
1660 mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
1661 struct label *pipelabel)
1664 ASSERT_CRED_LABEL(cred->cr_label);
1665 ASSERT_PIPE_LABEL(pipelabel);
1671 mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
1672 struct label *pipelabel)
1675 ASSERT_CRED_LABEL(cred->cr_label);
1676 ASSERT_PIPE_LABEL(pipelabel);
/*
 * Shared POSIX semaphore access check: asserts the caller's credential
 * label and the semaphore label.  The operations table in this file points
 * all six mpo_check_posix_sem_* slots (destroy, getvalue, open, post,
 * unlink, wait) at this one function, so it cannot tell the operations
 * apart.
 * NOTE(review): the return statement is missing from this listing.
 */
1682 mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr,
1683 struct label *ks_label)
1686 ASSERT_CRED_LABEL(cred->cr_label);
1687 ASSERT_POSIX_LABEL(ks_label);
/*
 * Inter-process access checks (debug, sched, signal).  Each asserts the
 * caller's credential label and the target's label, reached through
 * proc->p_ucred->cr_label; signum is not examined in the lines shown.
 * NOTE(review): assumes the caller holds whatever lock keeps proc->p_ucred
 * stable and non-NULL while it is dereferenced - TODO confirm against the
 * framework's locking contract.  Return statements are missing from this
 * listing.
 */
1693 mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
1696 ASSERT_CRED_LABEL(cred->cr_label);
1697 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1703 mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
1706 ASSERT_CRED_LABEL(cred->cr_label);
1707 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
1713 mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
1716 ASSERT_CRED_LABEL(cred->cr_label);
1717 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
/*
 * Credential-change checks (setuid/seteuid/setgid/setegid/setgroups/
 * setreuid/setregid/setresuid/setresgid).  Only the caller's credential
 * label is asserted; the requested uid/gid values are not examined in the
 * lines shown.
 * NOTE(review): the parameter lists of setgroups, setresuid and setresgid
 * continue on a line that is missing from this listing (the gutter numbers
 * skip it), as are all return statements.  Presumably each check returns 0
 * (allow) - confirm.
 */
1723 mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
1726 ASSERT_CRED_LABEL(cred->cr_label);
1732 mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
1735 ASSERT_CRED_LABEL(cred->cr_label);
1741 mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
1744 ASSERT_CRED_LABEL(cred->cr_label);
1750 mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
1753 ASSERT_CRED_LABEL(cred->cr_label);
1759 mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
1763 ASSERT_CRED_LABEL(cred->cr_label);
1769 mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
1772 ASSERT_CRED_LABEL(cred->cr_label);
1778 mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
1781 ASSERT_CRED_LABEL(cred->cr_label);
1787 mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
1791 ASSERT_CRED_LABEL(cred->cr_label);
1797 mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
1801 ASSERT_CRED_LABEL(cred->cr_label);
/*
 * wait() access check: asserts the caller's credential label and the
 * target process's label via proc->p_ucred->cr_label.
 * NOTE(review): assumes the caller keeps proc->p_ucred stable and non-NULL
 * for the duration of the call - TODO confirm.  The return statement is
 * missing from this listing.
 */
1807 mac_test_check_proc_wait(struct ucred *cred, struct proc *proc)
1810 ASSERT_CRED_LABEL(cred->cr_label);
1811 ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
/*
 * Socket access checks.  With one exception each asserts the caller's
 * credential label and the socket label; relabel additionally asserts the
 * proposed new label.  The sockaddr arguments of bind/connect are not
 * examined in the lines shown.
 * NOTE(review): return statements are missing from this listing;
 * presumably each check returns 0 (allow) - confirm.  The ASSERT_* macros
 * are defined outside this excerpt.
 */
1817 mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
1818 struct label *socketlabel)
1821 ASSERT_CRED_LABEL(cred->cr_label);
1822 ASSERT_SOCKET_LABEL(socketlabel);
1828 mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
1829 struct label *socketlabel, struct sockaddr *sockaddr)
1832 ASSERT_CRED_LABEL(cred->cr_label);
1833 ASSERT_SOCKET_LABEL(socketlabel);
1839 mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
1840 struct label *socketlabel, struct sockaddr *sockaddr)
1843 ASSERT_CRED_LABEL(cred->cr_label);
1844 ASSERT_SOCKET_LABEL(socketlabel);
/* Exception: delivery takes no credential; the socket label is paired with the mbuf label. */
1850 mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
1851 struct mbuf *m, struct label *mbuflabel)
1854 ASSERT_SOCKET_LABEL(socketlabel);
1855 ASSERT_MBUF_LABEL(mbuflabel);
1861 mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
1862 struct label *socketlabel)
1865 ASSERT_CRED_LABEL(cred->cr_label);
1866 ASSERT_SOCKET_LABEL(socketlabel);
1872 mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
1873 struct label *socketlabel)
1876 ASSERT_CRED_LABEL(cred->cr_label);
1877 ASSERT_SOCKET_LABEL(socketlabel);
1883 mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
1884 struct label *socketlabel)
1887 ASSERT_CRED_LABEL(cred->cr_label);
1888 ASSERT_SOCKET_LABEL(socketlabel);
1894 mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
1895 struct label *socketlabel, struct label *newlabel)
1898 ASSERT_CRED_LABEL(cred->cr_label);
1899 ASSERT_SOCKET_LABEL(socketlabel);
1900 ASSERT_SOCKET_LABEL(newlabel);
1906 mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
1907 struct label *socketlabel)
1910 ASSERT_CRED_LABEL(cred->cr_label);
1911 ASSERT_SOCKET_LABEL(socketlabel);
1917 mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
1918 struct label *socketlabel)
1921 ASSERT_CRED_LABEL(cred->cr_label);
1922 ASSERT_SOCKET_LABEL(socketlabel);
1928 mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
1929 struct label *socketlabel)
1932 ASSERT_CRED_LABEL(cred->cr_label);
1933 ASSERT_SOCKET_LABEL(socketlabel);
/*
 * I/O permission (sysarch ioperm) access check: only the caller's
 * credential label is asserted.
 * NOTE(review): the return statement is missing from this listing.
 */
1939 mac_test_check_sysarch_ioperm(struct ucred *cred)
1942 ASSERT_CRED_LABEL(cred->cr_label);
/*
 * System-wide privileged operation checks (accounting, reboot, settime,
 * swapon/swapoff, sysctl).  All assert the caller's credential label; the
 * 'how' argument of reboot and the sysctl oid/arg/req arguments are not
 * examined in the lines shown.
 * NOTE(review): return statements are missing from this listing;
 * presumably each check returns 0 (allow) - confirm.
 */
/*
 * NOTE(review): unlike swapon/swapoff below, the vnode label passed to the
 * accounting check is not asserted.  Presumably this is because accounting
 * can be switched off with no vnode, so vp/label may be absent - confirm
 * against the caller before adding an ASSERT_VNODE_LABEL here.
 */
1948 mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
1949 struct label *label)
1952 ASSERT_CRED_LABEL(cred->cr_label);
1958 mac_test_check_system_reboot(struct ucred *cred, int how)
1961 ASSERT_CRED_LABEL(cred->cr_label);
1967 mac_test_check_system_settime(struct ucred *cred)
1970 ASSERT_CRED_LABEL(cred->cr_label);
1976 mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
1977 struct label *label)
1980 ASSERT_CRED_LABEL(cred->cr_label);
1981 ASSERT_VNODE_LABEL(label);
1987 mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
1988 struct label *label)
1991 ASSERT_CRED_LABEL(cred->cr_label);
1992 ASSERT_VNODE_LABEL(label);
1998 mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
1999 void *arg1, int arg2, struct sysctl_req *req)
2002 ASSERT_CRED_LABEL(cred->cr_label);
/*
 * Vnode access checks, first group (access, chdir, chroot, create, delete,
 * deleteacl, deleteextattr).  Each asserts the caller's credential label
 * and the label of every vnode it is handed (directory and/or target).
 * Mode bits, component names, attribute names and ACL types are not
 * examined in the lines shown.
 * NOTE(review): return statements are missing from this listing;
 * presumably each check returns 0 (allow) - confirm.  The ASSERT_* macros
 * are defined outside this excerpt.
 */
2008 mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
2009 struct label *label, int acc_mode)
2012 ASSERT_CRED_LABEL(cred->cr_label);
2013 ASSERT_VNODE_LABEL(label);
2019 mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
2020 struct label *dlabel)
2023 ASSERT_CRED_LABEL(cred->cr_label);
2024 ASSERT_VNODE_LABEL(dlabel);
2030 mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
2031 struct label *dlabel)
2034 ASSERT_CRED_LABEL(cred->cr_label);
2035 ASSERT_VNODE_LABEL(dlabel);
/* Create: only the parent directory label exists at this point. */
2041 mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
2042 struct label *dlabel, struct componentname *cnp, struct vattr *vap)
2045 ASSERT_CRED_LABEL(cred->cr_label);
2046 ASSERT_VNODE_LABEL(dlabel);
2052 mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
2053 struct label *dlabel, struct vnode *vp, struct label *label,
2054 struct componentname *cnp)
2057 ASSERT_CRED_LABEL(cred->cr_label);
2058 ASSERT_VNODE_LABEL(dlabel);
2059 ASSERT_VNODE_LABEL(label);
2065 mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
2066 struct label *label, acl_type_t type)
2069 ASSERT_CRED_LABEL(cred->cr_label);
2070 ASSERT_VNODE_LABEL(label);
2076 mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
2077 struct label *label, int attrnamespace, const char *name)
2080 ASSERT_CRED_LABEL(cred->cr_label);
2081 ASSERT_VNODE_LABEL(label);
/*
 * Exec access check: asserts the caller's credential label and the label
 * of the vnode being executed.  execlabel is optional and is asserted, as
 * a credential label, only when non-NULL.
 * NOTE(review): the closing brace of the guard and the return statement
 * are missing from this listing.
 */
2087 mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
2088 struct label *label, struct image_params *imgp,
2089 struct label *execlabel)
2092 ASSERT_CRED_LABEL(cred->cr_label);
2093 ASSERT_VNODE_LABEL(label);
2094 if (execlabel != NULL) {
2095 ASSERT_CRED_LABEL(execlabel);
/*
 * Vnode access checks, second group (getacl, getextattr, link,
 * listextattr, lookup, mmap, open).  Each asserts the caller's credential
 * label and the label of every vnode it is handed.  ACL type, attribute
 * namespace/name, uio, mmap prot/flags and open mode are not examined in
 * the lines shown.
 * NOTE(review): return statements are missing from this listing;
 * presumably each check returns 0 (allow) - confirm.
 */
2102 mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
2103 struct label *label, acl_type_t type)
2106 ASSERT_CRED_LABEL(cred->cr_label);
2107 ASSERT_VNODE_LABEL(label);
2113 mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
2114 struct label *label, int attrnamespace, const char *name, struct uio *uio)
2117 ASSERT_CRED_LABEL(cred->cr_label);
2118 ASSERT_VNODE_LABEL(label);
2124 mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
2125 struct label *dlabel, struct vnode *vp, struct label *label,
2126 struct componentname *cnp)
2129 ASSERT_CRED_LABEL(cred->cr_label);
2130 ASSERT_VNODE_LABEL(dlabel);
2131 ASSERT_VNODE_LABEL(label);
2137 mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
2138 struct label *label, int attrnamespace)
2141 ASSERT_CRED_LABEL(cred->cr_label);
2142 ASSERT_VNODE_LABEL(label);
2148 mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
2149 struct label *dlabel, struct componentname *cnp)
2152 ASSERT_CRED_LABEL(cred->cr_label);
2153 ASSERT_VNODE_LABEL(dlabel);
2159 mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
2160 struct label *label, int prot, int flags)
2163 ASSERT_CRED_LABEL(cred->cr_label);
2164 ASSERT_VNODE_LABEL(label);
2170 mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
2171 struct label *filelabel, int acc_mode)
2174 ASSERT_CRED_LABEL(cred->cr_label);
2175 ASSERT_VNODE_LABEL(filelabel);
/*
 * Poll access check: asserts the active credential's label, the file
 * credential's label and the vnode label.
 * NOTE(review): file_cred->cr_label is read unconditionally here, whereas
 * mac_test_check_vnode_read, _stat and _write in this file guard the same
 * access with file_cred != NULL.  If a caller can pass a NULL file
 * credential to the poll hook this is a NULL dereference in kernel
 * context; confirm the caller contract or apply the same guard.
 * The return statement is missing from this listing.
 */
2181 mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
2182 struct vnode *vp, struct label *label)
2185 ASSERT_CRED_LABEL(active_cred->cr_label);
2186 ASSERT_CRED_LABEL(file_cred->cr_label);
2187 ASSERT_VNODE_LABEL(label);
/*
 * Read access check: asserts the active credential's label and the vnode
 * label.  file_cred is optional; its label is asserted only when file_cred
 * is non-NULL.
 * NOTE(review): the closing brace of the guard and the return statement
 * are missing from this listing.
 */
2193 mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2194 struct vnode *vp, struct label *label)
2197 ASSERT_CRED_LABEL(active_cred->cr_label);
2198 if (file_cred != NULL) {
2199 ASSERT_CRED_LABEL(file_cred->cr_label);
2201 ASSERT_VNODE_LABEL(label);
/*
 * Vnode access checks, third group (readdir, readlink, relabel,
 * rename_from).  Each asserts the caller's credential label and the label
 * of every vnode it is handed; relabel also asserts the proposed new
 * label.
 * NOTE(review): return statements are missing from this listing;
 * presumably each check returns 0 (allow) - confirm.
 */
2207 mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
2208 struct label *dlabel)
2211 ASSERT_CRED_LABEL(cred->cr_label);
2212 ASSERT_VNODE_LABEL(dlabel);
2218 mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
2219 struct label *vnodelabel)
2222 ASSERT_CRED_LABEL(cred->cr_label);
2223 ASSERT_VNODE_LABEL(vnodelabel);
2229 mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2230 struct label *vnodelabel, struct label *newlabel)
2233 ASSERT_CRED_LABEL(cred->cr_label);
2234 ASSERT_VNODE_LABEL(vnodelabel);
2235 ASSERT_VNODE_LABEL(newlabel);
2241 mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2242 struct label *dlabel, struct vnode *vp, struct label *label,
2243 struct componentname *cnp)
2246 ASSERT_CRED_LABEL(cred->cr_label);
2247 ASSERT_VNODE_LABEL(dlabel);
2248 ASSERT_VNODE_LABEL(label);
/*
 * Rename-destination access check: asserts the caller's credential label,
 * the destination directory label and the label of the vnode at the
 * destination.  samedir and cnp are not examined in the lines shown.
 * NOTE(review): the gutter numbers jump from 2260 to 2263, so any guard
 * around the final assert (for example a test for a missing destination
 * vnode) is not visible in this listing - check the full file before
 * assuming `label` is always dereferenced.  The return statement is
 * missing as well.
 */
2254 mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2255 struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
2256 struct componentname *cnp)
2259 ASSERT_CRED_LABEL(cred->cr_label);
2260 ASSERT_VNODE_LABEL(dlabel);
2263 ASSERT_VNODE_LABEL(label);
/*
 * Vnode access checks, fourth group (revoke, setacl, setextattr, setflags,
 * setmode, setowner, setutimes).  Each asserts the caller's credential
 * label and the vnode label.  The new ACL, attribute data, flags, mode,
 * owner ids and timestamps are not examined in the lines shown.
 * NOTE(review): return statements are missing from this listing;
 * presumably each check returns 0 (allow) - confirm.
 */
2270 mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
2271 struct label *label)
2274 ASSERT_CRED_LABEL(cred->cr_label);
2275 ASSERT_VNODE_LABEL(label);
2281 mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
2282 struct label *label, acl_type_t type, struct acl *acl)
2285 ASSERT_CRED_LABEL(cred->cr_label);
2286 ASSERT_VNODE_LABEL(label);
2292 mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2293 struct label *label, int attrnamespace, const char *name, struct uio *uio)
2296 ASSERT_CRED_LABEL(cred->cr_label);
2297 ASSERT_VNODE_LABEL(label);
2303 mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
2304 struct label *label, u_long flags)
2307 ASSERT_CRED_LABEL(cred->cr_label);
2308 ASSERT_VNODE_LABEL(label);
2314 mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
2315 struct label *label, mode_t mode)
2318 ASSERT_CRED_LABEL(cred->cr_label);
2319 ASSERT_VNODE_LABEL(label);
2325 mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
2326 struct label *label, uid_t uid, gid_t gid)
2329 ASSERT_CRED_LABEL(cred->cr_label);
2330 ASSERT_VNODE_LABEL(label);
2336 mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2337 struct label *label, struct timespec atime, struct timespec mtime)
2340 ASSERT_CRED_LABEL(cred->cr_label);
2341 ASSERT_VNODE_LABEL(label);
/*
 * Stat and write access checks.  Each asserts the active credential's
 * label and the vnode label.  file_cred is optional in both: its label is
 * asserted only when file_cred is non-NULL.
 * NOTE(review): the closing braces of the guards and the return statements
 * are missing from this listing; presumably each check returns 0 (allow) -
 * confirm.
 */
2347 mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2348 struct vnode *vp, struct label *label)
2351 ASSERT_CRED_LABEL(active_cred->cr_label);
2352 if (file_cred != NULL) {
2353 ASSERT_CRED_LABEL(file_cred->cr_label);
2355 ASSERT_VNODE_LABEL(label);
2361 mac_test_check_vnode_write(struct ucred *active_cred,
2362 struct ucred *file_cred, struct vnode *vp, struct label *label)
2365 ASSERT_CRED_LABEL(active_cred->cr_label);
2366 if (file_cred != NULL) {
2367 ASSERT_CRED_LABEL(file_cred->cr_label);
2369 ASSERT_VNODE_LABEL(label);
/*
 * Operations table handed to the MAC framework: each .mpo_* slot is bound
 * to the mac_test_* function that implements it.  Because designated
 * initializers are used, any slot not named here is zero-initialized
 * (NULL); how the framework treats a NULL hook is not shown in this
 * excerpt.
 * NOTE(review): the opening and closing braces of the initializer are
 * missing from this listing (the gutter numbers skip them).
 */
2374 static struct mac_policy_ops mac_test_ops =
/* Label allocation, one slot per labeled object type. */
2376 .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
2377 .mpo_init_cred_label = mac_test_init_cred_label,
2378 .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
2379 .mpo_init_ifnet_label = mac_test_init_ifnet_label,
2380 .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
2381 .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
2382 .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
2383 .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
2384 .mpo_init_inpcb_label = mac_test_init_inpcb_label,
2385 .mpo_init_ipq_label = mac_test_init_ipq_label,
2386 .mpo_init_mbuf_label = mac_test_init_mbuf_label,
2387 .mpo_init_mount_label = mac_test_init_mount_label,
2388 .mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
2389 .mpo_init_pipe_label = mac_test_init_pipe_label,
2390 .mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
2391 .mpo_init_proc_label = mac_test_init_proc_label,
2392 .mpo_init_socket_label = mac_test_init_socket_label,
2393 .mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
2394 .mpo_init_vnode_label = mac_test_init_vnode_label,
/* Label teardown; the set of object types mirrors the init slots above. */
2395 .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
2396 .mpo_destroy_cred_label = mac_test_destroy_cred_label,
2397 .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
2398 .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
2399 .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
2400 .mpo_destroy_sysv_msgqueue_label =
2401 mac_test_destroy_sysv_msgqueue_label,
2402 .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label,
2403 .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label,
2404 .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
2405 .mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
2406 .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
2407 .mpo_destroy_mount_label = mac_test_destroy_mount_label,
2408 .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
2409 .mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
2410 .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
2411 .mpo_destroy_proc_label = mac_test_destroy_proc_label,
2412 .mpo_destroy_socket_label = mac_test_destroy_socket_label,
2413 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
2414 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
/* Label copy. */
2415 .mpo_copy_cred_label = mac_test_copy_cred_label,
2416 .mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
2417 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
2418 .mpo_copy_pipe_label = mac_test_copy_pipe_label,
2419 .mpo_copy_socket_label = mac_test_copy_socket_label,
2420 .mpo_copy_vnode_label = mac_test_copy_vnode_label,
/*
 * Externalize/internalize: every object type shares one externalize and
 * one internalize routine.  Socket peer labels have an externalize slot
 * but no internalize slot in this table.
 */
2421 .mpo_externalize_cred_label = mac_test_externalize_label,
2422 .mpo_externalize_ifnet_label = mac_test_externalize_label,
2423 .mpo_externalize_pipe_label = mac_test_externalize_label,
2424 .mpo_externalize_socket_label = mac_test_externalize_label,
2425 .mpo_externalize_socket_peer_label = mac_test_externalize_label,
2426 .mpo_externalize_vnode_label = mac_test_externalize_label,
2427 .mpo_internalize_cred_label = mac_test_internalize_label,
2428 .mpo_internalize_ifnet_label = mac_test_internalize_label,
2429 .mpo_internalize_pipe_label = mac_test_internalize_label,
2430 .mpo_internalize_socket_label = mac_test_internalize_label,
2431 .mpo_internalize_vnode_label = mac_test_internalize_label,
/* Labeling events: vnodes, devfs and mounts. */
2432 .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
2433 .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
2434 .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
2435 .mpo_create_devfs_device = mac_test_create_devfs_device,
2436 .mpo_create_devfs_directory = mac_test_create_devfs_directory,
2437 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
2438 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
2439 .mpo_create_mount = mac_test_create_mount,
2440 .mpo_relabel_vnode = mac_test_relabel_vnode,
2441 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
2442 .mpo_update_devfsdirent = mac_test_update_devfsdirent,
/* Labeling events: sockets, pipes and POSIX semaphores. */
2443 .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
2444 .mpo_create_pipe = mac_test_create_pipe,
2445 .mpo_create_posix_sem = mac_test_create_posix_sem,
2446 .mpo_create_socket = mac_test_create_socket,
2447 .mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
2448 .mpo_relabel_pipe = mac_test_relabel_pipe,
2449 .mpo_relabel_socket = mac_test_relabel_socket,
2450 .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
2451 .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
/* Labeling events: network objects and System V IPC objects. */
2452 .mpo_create_bpfdesc = mac_test_create_bpfdesc,
2453 .mpo_create_ifnet = mac_test_create_ifnet,
2454 .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
2455 .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg,
2456 .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue,
2457 .mpo_create_sysv_sem = mac_test_create_sysv_sem,
2458 .mpo_create_sysv_shm = mac_test_create_sysv_shm,
2459 .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
2460 .mpo_create_fragment = mac_test_create_fragment,
2461 .mpo_create_ipq = mac_test_create_ipq,
2462 .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
2463 .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
2464 .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
2465 .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
2466 .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
2467 .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
2468 .mpo_fragment_match = mac_test_fragment_match,
2469 .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
2470 .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
2471 .mpo_relabel_ifnet = mac_test_relabel_ifnet,
2472 .mpo_update_ipq = mac_test_update_ipq,
2473 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
/* Labeling events: processes and credentials. */
2474 .mpo_execve_transition = mac_test_execve_transition,
2475 .mpo_execve_will_transition = mac_test_execve_will_transition,
2476 .mpo_create_proc0 = mac_test_create_proc0,
2477 .mpo_create_proc1 = mac_test_create_proc1,
2478 .mpo_relabel_cred = mac_test_relabel_cred,
2479 .mpo_thread_userret = mac_test_thread_userret,
/* Label cleanup for System V IPC objects. */
2480 .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg,
2481 .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue,
2482 .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem,
2483 .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm,
/* Access control checks. */
2484 .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
2485 .mpo_check_cred_relabel = mac_test_check_cred_relabel,
2486 .mpo_check_cred_visible = mac_test_check_cred_visible,
2487 .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
2488 .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
2489 .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
2490 .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq,
2491 .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv,
2492 .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid,
2493 .mpo_check_sysv_msqget = mac_test_check_sysv_msqget,
2494 .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd,
2495 .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv,
2496 .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl,
2497 .mpo_check_sysv_semctl = mac_test_check_sysv_semctl,
2498 .mpo_check_sysv_semget = mac_test_check_sysv_semget,
2499 .mpo_check_sysv_semop = mac_test_check_sysv_semop,
2500 .mpo_check_sysv_shmat = mac_test_check_sysv_shmat,
2501 .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl,
2502 .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt,
2503 .mpo_check_sysv_shmget = mac_test_check_sysv_shmget,
2504 .mpo_check_kenv_dump = mac_test_check_kenv_dump,
2505 .mpo_check_kenv_get = mac_test_check_kenv_get,
2506 .mpo_check_kenv_set = mac_test_check_kenv_set,
2507 .mpo_check_kenv_unset = mac_test_check_kenv_unset,
2508 .mpo_check_kld_load = mac_test_check_kld_load,
2509 .mpo_check_kld_stat = mac_test_check_kld_stat,
2510 .mpo_check_kld_unload = mac_test_check_kld_unload,
2511 .mpo_check_mount_stat = mac_test_check_mount_stat,
2512 .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
2513 .mpo_check_pipe_poll = mac_test_check_pipe_poll,
2514 .mpo_check_pipe_read = mac_test_check_pipe_read,
2515 .mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
2516 .mpo_check_pipe_stat = mac_test_check_pipe_stat,
2517 .mpo_check_pipe_write = mac_test_check_pipe_write,
/* All six POSIX semaphore checks are served by one function. */
2518 .mpo_check_posix_sem_destroy = mac_test_check_posix_sem,
2519 .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem,
2520 .mpo_check_posix_sem_open = mac_test_check_posix_sem,
2521 .mpo_check_posix_sem_post = mac_test_check_posix_sem,
2522 .mpo_check_posix_sem_unlink = mac_test_check_posix_sem,
2523 .mpo_check_posix_sem_wait = mac_test_check_posix_sem,
2524 .mpo_check_proc_debug = mac_test_check_proc_debug,
2525 .mpo_check_proc_sched = mac_test_check_proc_sched,
2526 .mpo_check_proc_setuid = mac_test_check_proc_setuid,
2527 .mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
2528 .mpo_check_proc_setgid = mac_test_check_proc_setgid,
2529 .mpo_check_proc_setegid = mac_test_check_proc_setegid,
2530 .mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
2531 .mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
2532 .mpo_check_proc_setregid = mac_test_check_proc_setregid,
2533 .mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
2534 .mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
2535 .mpo_check_proc_signal = mac_test_check_proc_signal,
2536 .mpo_check_proc_wait = mac_test_check_proc_wait,
2537 .mpo_check_socket_accept = mac_test_check_socket_accept,
2538 .mpo_check_socket_bind = mac_test_check_socket_bind,
2539 .mpo_check_socket_connect = mac_test_check_socket_connect,
2540 .mpo_check_socket_deliver = mac_test_check_socket_deliver,
2541 .mpo_check_socket_listen = mac_test_check_socket_listen,
2542 .mpo_check_socket_poll = mac_test_check_socket_poll,
2543 .mpo_check_socket_receive = mac_test_check_socket_receive,
2544 .mpo_check_socket_relabel = mac_test_check_socket_relabel,
2545 .mpo_check_socket_send = mac_test_check_socket_send,
2546 .mpo_check_socket_stat = mac_test_check_socket_stat,
2547 .mpo_check_socket_visible = mac_test_check_socket_visible,
2548 .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
2549 .mpo_check_system_acct = mac_test_check_system_acct,
2550 .mpo_check_system_reboot = mac_test_check_system_reboot,
2551 .mpo_check_system_settime = mac_test_check_system_settime,
2552 .mpo_check_system_swapon = mac_test_check_system_swapon,
2553 .mpo_check_system_swapoff = mac_test_check_system_swapoff,
2554 .mpo_check_system_sysctl = mac_test_check_system_sysctl,
2555 .mpo_check_vnode_access = mac_test_check_vnode_access,
2556 .mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
2557 .mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
2558 .mpo_check_vnode_create = mac_test_check_vnode_create,
2559 .mpo_check_vnode_delete = mac_test_check_vnode_delete,
2560 .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
2561 .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
2562 .mpo_check_vnode_exec = mac_test_check_vnode_exec,
2563 .mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
2564 .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
2565 .mpo_check_vnode_link = mac_test_check_vnode_link,
2566 .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
2567 .mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
2568 .mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
2569 .mpo_check_vnode_open = mac_test_check_vnode_open,
2570 .mpo_check_vnode_poll = mac_test_check_vnode_poll,
2571 .mpo_check_vnode_read = mac_test_check_vnode_read,
2572 .mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
2573 .mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
2574 .mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
2575 .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
2576 .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
2577 .mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
2578 .mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
2579 .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
2580 .mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
2581 .mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
2582 .mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
2583 .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
2584 .mpo_check_vnode_stat = mac_test_check_vnode_stat,
2585 .mpo_check_vnode_write = mac_test_check_vnode_write,
/*
 * Registers mac_test_ops with the MAC framework under the short name
 * mac_test and the description "TrustedBSD MAC/Test", passing &test_slot.
 * NOTE(review): MPC_LOADTIME_FLAG_UNLOADOK presumably allows the policy to
 * be unloaded at run time, MPC_LOADTIME_FLAG_LABELMBUFS presumably asks the
 * framework to attach labels to mbufs, and test_slot presumably receives
 * the label slot assigned to this policy - confirm in the MAC policy
 * header.  Run-time unload suits a test module; an enforcing policy would
 * normally not want to be removable this way.
 */
2588 MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
2589 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);