2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
3 * Copyright (c) 2001-2005 McAfee, Inc.
6 * This software was developed by Robert Watson for the TrustedBSD Project.
8 * This software was developed for the FreeBSD Project in part by McAfee
9 * Research, the Security Research Division of McAfee, Inc. under
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11 * CHATS research program.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * Developed by the TrustedBSD Project.
40 * MAC Test policy - tests MAC Framework labeling by assigning object class
41 * magic numbers to each label and validates that each time an object label
42 * is passed into the policy, it has a consistent object type, catching
43 * incorrectly passed labels, labels passed after free, etc.
46 #include <sys/param.h>
49 #include <sys/kernel.h>
51 #include <sys/malloc.h>
52 #include <sys/module.h>
53 #include <sys/mount.h>
56 #include <sys/vnode.h>
59 #include <sys/socket.h>
60 #include <sys/socketvar.h>
62 #include <sys/sysctl.h>
64 #include <fs/devfs/devfs.h>
66 #include <net/bpfdesc.h>
68 #include <net/if_types.h>
69 #include <net/if_var.h>
71 #include <security/mac/mac_policy.h>
73 SYSCTL_DECL(_security_mac);
75 SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
76 "TrustedBSD mac_test policy controls");
78 #define MAGIC_BPF 0xfe1ad1b6
79 #define MAGIC_DEVFS 0x9ee79c32
80 #define MAGIC_IFNET 0xc218b120
81 #define MAGIC_INPCB 0x4440f7bb
82 #define MAGIC_IPQ 0x206188ef
83 #define MAGIC_MBUF 0xbbefa5bb
84 #define MAGIC_MOUNT 0xc7c46e47
85 #define MAGIC_SOCKET 0x9199c6cd
86 #define MAGIC_SYSV_MSG 0x8bbba61e
87 #define MAGIC_SYSV_MSQ 0xea672391
88 #define MAGIC_SYSV_SEM 0x896e8a0b
89 #define MAGIC_SYSV_SHM 0x76119ab0
90 #define MAGIC_PIPE 0xdc6c9919
91 #define MAGIC_POSIX_SEM 0x78ae980c
92 #define MAGIC_PROC 0x3b4be98f
93 #define MAGIC_CRED 0x9a5a4987
94 #define MAGIC_VNODE 0x1a67a45c
95 #define MAGIC_FREE 0x849ba1fd
97 #define SLOT(x) mac_label_get((x), test_slot)
98 #define SLOT_SET(x, v) mac_label_set((x), test_slot, (v))
100 static int test_slot;
101 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
102 &test_slot, 0, "Slot allocated by framework");
104 SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0,
105 "TrustedBSD mac_test counters controls");
107 #define COUNTER_DECL(variable) \
108 static int counter_##variable; \
109 SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable, \
110 CTLFLAG_RD, &counter_##variable, 0, #variable)
112 #define COUNTER_INC(variable) atomic_add_int(&counter_##variable, 1)
115 #define DEBUGGER(func, string) kdb_enter_why(KDB_WHY_MAC, (string))
117 #define DEBUGGER(func, string) printf("mac_test: %s: %s\n", (func), (string))
120 #define LABEL_CHECK(label, magic) do { \
121 if (label != NULL) { \
122 KASSERT(SLOT(label) == magic || SLOT(label) == 0, \
123 ("%s: bad %s label", __func__, #magic)); \
127 #define LABEL_DESTROY(label, magic) do { \
128 if (SLOT(label) == magic || SLOT(label) == 0) { \
129 SLOT_SET(label, MAGIC_FREE); \
130 } else if (SLOT(label) == MAGIC_FREE) { \
131 DEBUGGER("%s: dup destroy", __func__); \
133 DEBUGGER("%s: corrupted label", __func__); \
137 #define LABEL_INIT(label, magic) do { \
138 SLOT_SET(label, magic); \
141 #define LABEL_NOTFREE(label) do { \
142 KASSERT(SLOT(label) != MAGIC_FREE, \
143 ("%s: destroyed label", __func__)); \
149 COUNTER_DECL(init_bpfdesc_label);
151 test_init_bpfdesc_label(struct label *label)
154 LABEL_INIT(label, MAGIC_BPF);
155 COUNTER_INC(init_bpfdesc_label);
158 COUNTER_DECL(init_cred_label);
160 test_init_cred_label(struct label *label)
163 LABEL_INIT(label, MAGIC_CRED);
164 COUNTER_INC(init_cred_label);
167 COUNTER_DECL(init_devfs_label);
169 test_init_devfs_label(struct label *label)
172 LABEL_INIT(label, MAGIC_DEVFS);
173 COUNTER_INC(init_devfs_label);
176 COUNTER_DECL(init_ifnet_label);
178 test_init_ifnet_label(struct label *label)
181 LABEL_INIT(label, MAGIC_IFNET);
182 COUNTER_INC(init_ifnet_label);
185 COUNTER_DECL(init_inpcb_label);
187 test_init_inpcb_label(struct label *label, int flag)
191 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
192 "test_init_inpcb_label() at %s:%d", __FILE__, __LINE__);
194 LABEL_INIT(label, MAGIC_INPCB);
195 COUNTER_INC(init_inpcb_label);
199 COUNTER_DECL(init_sysv_msg_label);
201 test_init_sysv_msgmsg_label(struct label *label)
203 LABEL_INIT(label, MAGIC_SYSV_MSG);
204 COUNTER_INC(init_sysv_msg_label);
207 COUNTER_DECL(init_sysv_msq_label);
209 test_init_sysv_msgqueue_label(struct label *label)
211 LABEL_INIT(label, MAGIC_SYSV_MSQ);
212 COUNTER_INC(init_sysv_msq_label);
215 COUNTER_DECL(init_sysv_sem_label);
217 test_init_sysv_sem_label(struct label *label)
219 LABEL_INIT(label, MAGIC_SYSV_SEM);
220 COUNTER_INC(init_sysv_sem_label);
223 COUNTER_DECL(init_sysv_shm_label);
225 test_init_sysv_shm_label(struct label *label)
227 LABEL_INIT(label, MAGIC_SYSV_SHM);
228 COUNTER_INC(init_sysv_shm_label);
231 COUNTER_DECL(init_ipq_label);
233 test_init_ipq_label(struct label *label, int flag)
237 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
238 "test_init_ipq_label() at %s:%d", __FILE__, __LINE__);
240 LABEL_INIT(label, MAGIC_IPQ);
241 COUNTER_INC(init_ipq_label);
245 COUNTER_DECL(init_mbuf_label);
247 test_init_mbuf_label(struct label *label, int flag)
251 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
252 "test_init_mbuf_label() at %s:%d", __FILE__, __LINE__);
254 LABEL_INIT(label, MAGIC_MBUF);
255 COUNTER_INC(init_mbuf_label);
259 COUNTER_DECL(init_mount_label);
261 test_init_mount_label(struct label *label)
264 LABEL_INIT(label, MAGIC_MOUNT);
265 COUNTER_INC(init_mount_label);
268 COUNTER_DECL(init_socket_label);
270 test_init_socket_label(struct label *label, int flag)
274 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
275 "test_init_socket_label() at %s:%d", __FILE__, __LINE__);
277 LABEL_INIT(label, MAGIC_SOCKET);
278 COUNTER_INC(init_socket_label);
282 COUNTER_DECL(init_socket_peer_label);
284 test_init_socket_peer_label(struct label *label, int flag)
288 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
289 "test_init_socket_peer_label() at %s:%d", __FILE__,
292 LABEL_INIT(label, MAGIC_SOCKET);
293 COUNTER_INC(init_socket_peer_label);
297 COUNTER_DECL(init_pipe_label);
299 test_init_pipe_label(struct label *label)
302 LABEL_INIT(label, MAGIC_PIPE);
303 COUNTER_INC(init_pipe_label);
306 COUNTER_DECL(init_posix_sem_label);
308 test_init_posix_sem_label(struct label *label)
311 LABEL_INIT(label, MAGIC_POSIX_SEM);
312 COUNTER_INC(init_posix_sem_label);
315 COUNTER_DECL(init_proc_label);
317 test_init_proc_label(struct label *label)
320 LABEL_INIT(label, MAGIC_PROC);
321 COUNTER_INC(init_proc_label);
324 COUNTER_DECL(init_vnode_label);
326 test_init_vnode_label(struct label *label)
329 LABEL_INIT(label, MAGIC_VNODE);
330 COUNTER_INC(init_vnode_label);
333 COUNTER_DECL(destroy_bpfdesc_label);
335 test_destroy_bpfdesc_label(struct label *label)
338 LABEL_DESTROY(label, MAGIC_BPF);
339 COUNTER_INC(destroy_bpfdesc_label);
342 COUNTER_DECL(destroy_cred_label);
344 test_destroy_cred_label(struct label *label)
347 LABEL_DESTROY(label, MAGIC_CRED);
348 COUNTER_INC(destroy_cred_label);
351 COUNTER_DECL(destroy_devfs_label);
353 test_destroy_devfs_label(struct label *label)
356 LABEL_DESTROY(label, MAGIC_DEVFS);
357 COUNTER_INC(destroy_devfs_label);
360 COUNTER_DECL(destroy_ifnet_label);
362 test_destroy_ifnet_label(struct label *label)
365 LABEL_DESTROY(label, MAGIC_IFNET);
366 COUNTER_INC(destroy_ifnet_label);
369 COUNTER_DECL(destroy_inpcb_label);
371 test_destroy_inpcb_label(struct label *label)
374 LABEL_DESTROY(label, MAGIC_INPCB);
375 COUNTER_INC(destroy_inpcb_label);
378 COUNTER_DECL(destroy_sysv_msg_label);
380 test_destroy_sysv_msgmsg_label(struct label *label)
383 LABEL_DESTROY(label, MAGIC_SYSV_MSG);
384 COUNTER_INC(destroy_sysv_msg_label);
387 COUNTER_DECL(destroy_sysv_msq_label);
389 test_destroy_sysv_msgqueue_label(struct label *label)
392 LABEL_DESTROY(label, MAGIC_SYSV_MSQ);
393 COUNTER_INC(destroy_sysv_msq_label);
396 COUNTER_DECL(destroy_sysv_sem_label);
398 test_destroy_sysv_sem_label(struct label *label)
401 LABEL_DESTROY(label, MAGIC_SYSV_SEM);
402 COUNTER_INC(destroy_sysv_sem_label);
405 COUNTER_DECL(destroy_sysv_shm_label);
407 test_destroy_sysv_shm_label(struct label *label)
410 LABEL_DESTROY(label, MAGIC_SYSV_SHM);
411 COUNTER_INC(destroy_sysv_shm_label);
414 COUNTER_DECL(destroy_ipq_label);
416 test_destroy_ipq_label(struct label *label)
419 LABEL_DESTROY(label, MAGIC_IPQ);
420 COUNTER_INC(destroy_ipq_label);
423 COUNTER_DECL(destroy_mbuf_label);
425 test_destroy_mbuf_label(struct label *label)
429 * If we're loaded dynamically, there may be mbufs in flight that
430 * didn't have label storage allocated for them. Handle this
436 LABEL_DESTROY(label, MAGIC_MBUF);
437 COUNTER_INC(destroy_mbuf_label);
440 COUNTER_DECL(destroy_mount_label);
442 test_destroy_mount_label(struct label *label)
445 LABEL_DESTROY(label, MAGIC_MOUNT);
446 COUNTER_INC(destroy_mount_label);
449 COUNTER_DECL(destroy_socket_label);
451 test_destroy_socket_label(struct label *label)
454 LABEL_DESTROY(label, MAGIC_SOCKET);
455 COUNTER_INC(destroy_socket_label);
458 COUNTER_DECL(destroy_socket_peer_label);
460 test_destroy_socket_peer_label(struct label *label)
463 LABEL_DESTROY(label, MAGIC_SOCKET);
464 COUNTER_INC(destroy_socket_peer_label);
467 COUNTER_DECL(destroy_pipe_label);
469 test_destroy_pipe_label(struct label *label)
472 LABEL_DESTROY(label, MAGIC_PIPE);
473 COUNTER_INC(destroy_pipe_label);
476 COUNTER_DECL(destroy_posix_sem_label);
478 test_destroy_posix_sem_label(struct label *label)
481 LABEL_DESTROY(label, MAGIC_POSIX_SEM);
482 COUNTER_INC(destroy_posix_sem_label);
485 COUNTER_DECL(destroy_proc_label);
487 test_destroy_proc_label(struct label *label)
490 LABEL_DESTROY(label, MAGIC_PROC);
491 COUNTER_INC(destroy_proc_label);
494 COUNTER_DECL(destroy_vnode_label);
496 test_destroy_vnode_label(struct label *label)
499 LABEL_DESTROY(label, MAGIC_VNODE);
500 COUNTER_INC(destroy_vnode_label);
503 COUNTER_DECL(copy_cred_label);
505 test_copy_cred_label(struct label *src, struct label *dest)
508 LABEL_CHECK(src, MAGIC_CRED);
509 LABEL_CHECK(dest, MAGIC_CRED);
510 COUNTER_INC(copy_cred_label);
513 COUNTER_DECL(copy_ifnet_label);
515 test_copy_ifnet_label(struct label *src, struct label *dest)
518 LABEL_CHECK(src, MAGIC_IFNET);
519 LABEL_CHECK(dest, MAGIC_IFNET);
520 COUNTER_INC(copy_ifnet_label);
523 COUNTER_DECL(copy_mbuf_label);
525 test_copy_mbuf_label(struct label *src, struct label *dest)
528 LABEL_CHECK(src, MAGIC_MBUF);
529 LABEL_CHECK(dest, MAGIC_MBUF);
530 COUNTER_INC(copy_mbuf_label);
533 COUNTER_DECL(copy_pipe_label);
535 test_copy_pipe_label(struct label *src, struct label *dest)
538 LABEL_CHECK(src, MAGIC_PIPE);
539 LABEL_CHECK(dest, MAGIC_PIPE);
540 COUNTER_INC(copy_pipe_label);
543 COUNTER_DECL(copy_socket_label);
545 test_copy_socket_label(struct label *src, struct label *dest)
548 LABEL_CHECK(src, MAGIC_SOCKET);
549 LABEL_CHECK(dest, MAGIC_SOCKET);
550 COUNTER_INC(copy_socket_label);
553 COUNTER_DECL(copy_vnode_label);
555 test_copy_vnode_label(struct label *src, struct label *dest)
558 LABEL_CHECK(src, MAGIC_VNODE);
559 LABEL_CHECK(dest, MAGIC_VNODE);
560 COUNTER_INC(copy_vnode_label);
563 COUNTER_DECL(externalize_label);
565 test_externalize_label(struct label *label, char *element_name,
566 struct sbuf *sb, int *claimed)
569 LABEL_NOTFREE(label);
570 COUNTER_INC(externalize_label);
575 COUNTER_DECL(internalize_label);
577 test_internalize_label(struct label *label, char *element_name,
578 char *element_data, int *claimed)
581 LABEL_NOTFREE(label);
582 COUNTER_INC(internalize_label);
588 * Labeling event operations: file system objects, and things that look a lot
589 * like file system objects.
591 COUNTER_DECL(associate_vnode_devfs);
593 test_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
594 struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
595 struct label *vplabel)
598 LABEL_CHECK(mplabel, MAGIC_MOUNT);
599 LABEL_CHECK(delabel, MAGIC_DEVFS);
600 LABEL_CHECK(vplabel, MAGIC_VNODE);
601 COUNTER_INC(associate_vnode_devfs);
604 COUNTER_DECL(associate_vnode_extattr);
606 test_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
607 struct vnode *vp, struct label *vplabel)
610 LABEL_CHECK(mplabel, MAGIC_MOUNT);
611 LABEL_CHECK(vplabel, MAGIC_VNODE);
612 COUNTER_INC(associate_vnode_extattr);
617 COUNTER_DECL(associate_vnode_singlelabel);
619 test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel,
620 struct vnode *vp, struct label *vplabel)
623 LABEL_CHECK(mplabel, MAGIC_MOUNT);
624 LABEL_CHECK(vplabel, MAGIC_VNODE);
625 COUNTER_INC(associate_vnode_singlelabel);
628 COUNTER_DECL(create_devfs_device);
630 test_create_devfs_device(struct ucred *cred, struct mount *mp,
631 struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
635 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
636 LABEL_CHECK(delabel, MAGIC_DEVFS);
637 COUNTER_INC(create_devfs_device);
640 COUNTER_DECL(create_devfs_directory);
642 test_create_devfs_directory(struct mount *mp, char *dirname,
643 int dirnamelen, struct devfs_dirent *de, struct label *delabel)
646 LABEL_CHECK(delabel, MAGIC_DEVFS);
647 COUNTER_INC(create_devfs_directory);
650 COUNTER_DECL(create_devfs_symlink);
652 test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
653 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
654 struct label *delabel)
657 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
658 LABEL_CHECK(ddlabel, MAGIC_DEVFS);
659 LABEL_CHECK(delabel, MAGIC_DEVFS);
660 COUNTER_INC(create_devfs_symlink);
663 COUNTER_DECL(create_vnode_extattr);
665 test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
666 struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
667 struct vnode *vp, struct label *vplabel, struct componentname *cnp)
670 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
671 LABEL_CHECK(mplabel, MAGIC_MOUNT);
672 LABEL_CHECK(dvplabel, MAGIC_VNODE);
673 COUNTER_INC(create_vnode_extattr);
678 COUNTER_DECL(create_mount);
680 test_create_mount(struct ucred *cred, struct mount *mp,
681 struct label *mplabel)
684 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
685 LABEL_CHECK(mplabel, MAGIC_MOUNT);
686 COUNTER_INC(create_mount);
689 COUNTER_DECL(relabel_vnode);
691 test_relabel_vnode(struct ucred *cred, struct vnode *vp,
692 struct label *vplabel, struct label *label)
695 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
696 LABEL_CHECK(vplabel, MAGIC_VNODE);
697 LABEL_CHECK(label, MAGIC_VNODE);
698 COUNTER_INC(relabel_vnode);
701 COUNTER_DECL(setlabel_vnode_extattr);
703 test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
704 struct label *vplabel, struct label *intlabel)
707 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
708 LABEL_CHECK(vplabel, MAGIC_VNODE);
709 LABEL_CHECK(intlabel, MAGIC_VNODE);
710 COUNTER_INC(setlabel_vnode_extattr);
715 COUNTER_DECL(update_devfs);
717 test_update_devfs(struct mount *mp, struct devfs_dirent *devfs_dirent,
718 struct label *direntlabel, struct vnode *vp, struct label *vplabel)
721 LABEL_CHECK(direntlabel, MAGIC_DEVFS);
722 LABEL_CHECK(vplabel, MAGIC_VNODE);
723 COUNTER_INC(update_devfs);
727 * Labeling event operations: IPC object.
729 COUNTER_DECL(create_mbuf_from_socket);
731 test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
732 struct mbuf *m, struct label *mbuflabel)
735 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
736 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
737 COUNTER_INC(create_mbuf_from_socket);
740 COUNTER_DECL(create_socket);
742 test_create_socket(struct ucred *cred, struct socket *socket,
743 struct label *socketlabel)
746 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
747 LABEL_CHECK(socketlabel, MAGIC_SOCKET);
748 COUNTER_INC(create_socket);
751 COUNTER_DECL(create_pipe);
753 test_create_pipe(struct ucred *cred, struct pipepair *pp,
754 struct label *pipelabel)
757 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
758 LABEL_CHECK(pipelabel, MAGIC_PIPE);
759 COUNTER_INC(create_pipe);
762 COUNTER_DECL(create_posix_sem);
764 test_create_posix_sem(struct ucred *cred, struct ksem *ks,
765 struct label *kslabel)
768 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
769 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
770 COUNTER_INC(create_posix_sem);
773 COUNTER_DECL(create_socket_from_socket);
775 test_create_socket_from_socket(struct socket *oldsocket,
776 struct label *oldsocketlabel, struct socket *newsocket,
777 struct label *newsocketlabel)
780 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
781 LABEL_CHECK(newsocketlabel, MAGIC_SOCKET);
782 COUNTER_INC(create_socket_from_socket);
785 COUNTER_DECL(relabel_socket);
787 test_relabel_socket(struct ucred *cred, struct socket *socket,
788 struct label *socketlabel, struct label *newlabel)
791 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
792 LABEL_CHECK(newlabel, MAGIC_SOCKET);
793 COUNTER_INC(relabel_socket);
796 COUNTER_DECL(relabel_pipe);
798 test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
799 struct label *pipelabel, struct label *newlabel)
802 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
803 LABEL_CHECK(pipelabel, MAGIC_PIPE);
804 LABEL_CHECK(newlabel, MAGIC_PIPE);
805 COUNTER_INC(relabel_pipe);
808 COUNTER_DECL(set_socket_peer_from_mbuf);
810 test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
811 struct socket *socket, struct label *socketpeerlabel)
814 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
815 LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET);
816 COUNTER_INC(set_socket_peer_from_mbuf);
820 * Labeling event operations: network objects.
822 COUNTER_DECL(set_socket_peer_from_socket);
824 test_set_socket_peer_from_socket(struct socket *oldsocket,
825 struct label *oldsocketlabel, struct socket *newsocket,
826 struct label *newsocketpeerlabel)
829 LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
830 LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET);
831 COUNTER_INC(set_socket_peer_from_socket);
834 COUNTER_DECL(create_bpfdesc);
836 test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
837 struct label *bpflabel)
840 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
841 LABEL_CHECK(bpflabel, MAGIC_BPF);
842 COUNTER_INC(create_bpfdesc);
845 COUNTER_DECL(create_datagram_from_ipq);
847 test_create_datagram_from_ipq(struct ipq *q, struct label *qlabel,
848 struct mbuf *datagram, struct label *datagramlabel)
851 LABEL_CHECK(qlabel, MAGIC_IPQ);
852 LABEL_CHECK(datagramlabel, MAGIC_MBUF);
853 COUNTER_INC(create_datagram_from_ipq);
856 COUNTER_DECL(create_fragment);
858 test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
859 struct mbuf *fragment, struct label *fragmentlabel)
862 LABEL_CHECK(datagramlabel, MAGIC_MBUF);
863 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
864 COUNTER_INC(create_fragment);
867 COUNTER_DECL(create_ifnet);
869 test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
872 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
873 COUNTER_INC(create_ifnet);
876 COUNTER_DECL(create_inpcb_from_socket);
878 test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
879 struct inpcb *inp, struct label *inplabel)
882 LABEL_CHECK(solabel, MAGIC_SOCKET);
883 LABEL_CHECK(inplabel, MAGIC_INPCB);
884 COUNTER_INC(create_inpcb_from_socket);
887 COUNTER_DECL(create_sysv_msgmsg);
889 test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
890 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
893 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
894 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
895 COUNTER_INC(create_sysv_msgmsg);
898 COUNTER_DECL(create_sysv_msgqueue);
900 test_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr,
901 struct label *msqlabel)
904 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
905 COUNTER_INC(create_sysv_msgqueue);
908 COUNTER_DECL(create_sysv_sem);
910 test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
911 struct label *semalabel)
914 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
915 COUNTER_INC(create_sysv_sem);
918 COUNTER_DECL(create_sysv_shm);
920 test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
921 struct label *shmlabel)
924 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
925 COUNTER_INC(create_sysv_shm);
928 COUNTER_DECL(create_ipq);
930 test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
931 struct ipq *q, struct label *qlabel)
934 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
935 LABEL_CHECK(qlabel, MAGIC_IPQ);
936 COUNTER_INC(create_ipq);
939 COUNTER_DECL(create_mbuf_from_inpcb);
941 test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
942 struct mbuf *m, struct label *mlabel)
945 LABEL_CHECK(inplabel, MAGIC_INPCB);
946 LABEL_CHECK(mlabel, MAGIC_MBUF);
947 COUNTER_INC(create_mbuf_from_inpcb);
950 COUNTER_DECL(create_mbuf_linklayer);
952 test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
953 struct mbuf *mbuf, struct label *mbuflabel)
956 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
957 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
958 COUNTER_INC(create_mbuf_linklayer);
961 COUNTER_DECL(create_mbuf_from_bpfdesc);
963 test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
964 struct mbuf *mbuf, struct label *mbuflabel)
967 LABEL_CHECK(bpflabel, MAGIC_BPF);
968 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
969 COUNTER_INC(create_mbuf_from_bpfdesc);
972 COUNTER_DECL(create_mbuf_from_ifnet);
974 test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
975 struct mbuf *m, struct label *mbuflabel)
978 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
979 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
980 COUNTER_INC(create_mbuf_from_ifnet);
983 COUNTER_DECL(create_mbuf_multicast_encap);
985 test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
986 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
987 struct mbuf *newmbuf, struct label *newmbuflabel)
990 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
991 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
992 LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
993 COUNTER_INC(create_mbuf_multicast_encap);
996 COUNTER_DECL(create_mbuf_netlayer);
998 test_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel,
999 struct mbuf *newmbuf, struct label *newmbuflabel)
1002 LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
1003 LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
1004 COUNTER_INC(create_mbuf_netlayer);
1007 COUNTER_DECL(fragment_match);
1009 test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
1010 struct ipq *q, struct label *qlabel)
1013 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
1014 LABEL_CHECK(qlabel, MAGIC_IPQ);
1015 COUNTER_INC(fragment_match);
1020 COUNTER_DECL(reflect_mbuf_icmp);
1022 test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
1025 LABEL_CHECK(mlabel, MAGIC_MBUF);
1026 COUNTER_INC(reflect_mbuf_icmp);
1029 COUNTER_DECL(reflect_mbuf_tcp);
1031 test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
1034 LABEL_CHECK(mlabel, MAGIC_MBUF);
1035 COUNTER_INC(reflect_mbuf_tcp);
1038 COUNTER_DECL(relabel_ifnet);
1040 test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1041 struct label *ifnetlabel, struct label *newlabel)
1044 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1045 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1046 LABEL_CHECK(newlabel, MAGIC_IFNET);
1047 COUNTER_INC(relabel_ifnet);
1050 COUNTER_DECL(update_ipq);
1052 test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1053 struct ipq *q, struct label *qlabel)
1056 LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
1057 LABEL_CHECK(qlabel, MAGIC_IPQ);
1058 COUNTER_INC(update_ipq);
1061 COUNTER_DECL(inpcb_sosetlabel);
1063 test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1064 struct inpcb *inp, struct label *inplabel)
1067 LABEL_CHECK(solabel, MAGIC_SOCKET);
1068 LABEL_CHECK(inplabel, MAGIC_INPCB);
1069 COUNTER_INC(inpcb_sosetlabel);
1073 * Labeling event operations: processes.
1075 COUNTER_DECL(execve_transition);
1077 test_execve_transition(struct ucred *old, struct ucred *new,
1078 struct vnode *vp, struct label *filelabel, struct label *interpvplabel,
1079 struct image_params *imgp, struct label *execlabel)
1082 LABEL_CHECK(old->cr_label, MAGIC_CRED);
1083 LABEL_CHECK(new->cr_label, MAGIC_CRED);
1084 LABEL_CHECK(filelabel, MAGIC_VNODE);
1085 LABEL_CHECK(interpvplabel, MAGIC_VNODE);
1086 LABEL_CHECK(execlabel, MAGIC_CRED);
1087 COUNTER_INC(execve_transition);
1090 COUNTER_DECL(execve_will_transition);
1092 test_execve_will_transition(struct ucred *old, struct vnode *vp,
1093 struct label *filelabel, struct label *interpvplabel,
1094 struct image_params *imgp, struct label *execlabel)
1097 LABEL_CHECK(old->cr_label, MAGIC_CRED);
1098 LABEL_CHECK(filelabel, MAGIC_VNODE);
1099 LABEL_CHECK(interpvplabel, MAGIC_VNODE);
1100 LABEL_CHECK(execlabel, MAGIC_CRED);
1101 COUNTER_INC(execve_will_transition);
1106 COUNTER_DECL(create_proc0);
1108 test_create_proc0(struct ucred *cred)
1111 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1112 COUNTER_INC(create_proc0);
1115 COUNTER_DECL(create_proc1);
1117 test_create_proc1(struct ucred *cred)
1120 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1121 COUNTER_INC(create_proc1);
1124 COUNTER_DECL(relabel_cred);
1126 test_relabel_cred(struct ucred *cred, struct label *newlabel)
1129 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1130 LABEL_CHECK(newlabel, MAGIC_CRED);
1131 COUNTER_INC(relabel_cred);
1134 COUNTER_DECL(thread_userret);
1136 test_thread_userret(struct thread *td)
1139 COUNTER_INC(thread_userret);
1143 * Label cleanup/flush operations
1145 COUNTER_DECL(cleanup_sysv_msgmsg);
1147 test_cleanup_sysv_msgmsg(struct label *msglabel)
1150 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1151 COUNTER_INC(cleanup_sysv_msgmsg);
1154 COUNTER_DECL(cleanup_sysv_msgqueue);
1156 test_cleanup_sysv_msgqueue(struct label *msqlabel)
1159 LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
1160 COUNTER_INC(cleanup_sysv_msgqueue);
1163 COUNTER_DECL(cleanup_sysv_sem);
1165 test_cleanup_sysv_sem(struct label *semalabel)
1168 LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
1169 COUNTER_INC(cleanup_sysv_sem);
1172 COUNTER_DECL(cleanup_sysv_shm);
1174 test_cleanup_sysv_shm(struct label *shmlabel)
1177 LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
1178 COUNTER_INC(cleanup_sysv_shm);
1182 * Access control checks.
1184 COUNTER_DECL(check_bpfdesc_receive);
1186 test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1187 struct ifnet *ifnet, struct label *ifnetlabel)
1190 LABEL_CHECK(bpflabel, MAGIC_BPF);
1191 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1192 COUNTER_INC(check_bpfdesc_receive);
1197 COUNTER_DECL(check_cred_relabel);
1199 test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1202 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1203 LABEL_CHECK(newlabel, MAGIC_CRED);
1204 COUNTER_INC(check_cred_relabel);
1209 COUNTER_DECL(check_cred_visible);
1211 test_check_cred_visible(struct ucred *u1, struct ucred *u2)
1214 LABEL_CHECK(u1->cr_label, MAGIC_CRED);
1215 LABEL_CHECK(u2->cr_label, MAGIC_CRED);
1216 COUNTER_INC(check_cred_visible);
1221 COUNTER_DECL(check_ifnet_relabel);
1223 test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1224 struct label *ifnetlabel, struct label *newlabel)
1227 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1228 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1229 LABEL_CHECK(newlabel, MAGIC_IFNET);
1230 COUNTER_INC(check_ifnet_relabel);
1235 COUNTER_DECL(check_ifnet_transmit);
1237 test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1238 struct mbuf *m, struct label *mbuflabel)
1241 LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
1242 LABEL_CHECK(mbuflabel, MAGIC_MBUF);
1243 COUNTER_INC(check_ifnet_transmit);
1248 COUNTER_DECL(check_inpcb_deliver);
1250 test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
1251 struct mbuf *m, struct label *mlabel)
1254 LABEL_CHECK(inplabel, MAGIC_INPCB);
1255 LABEL_CHECK(mlabel, MAGIC_MBUF);
1256 COUNTER_INC(check_inpcb_deliver);
1261 COUNTER_DECL(check_inpcb_visible);
1263 test_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
1264 struct label *inplabel)
1267 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1268 LABEL_CHECK(inplabel, MAGIC_INPCB);
1269 COUNTER_INC(check_inpcb_visible);
1274 COUNTER_DECL(check_sysv_msgmsq);
1276 test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
1277 struct label *msglabel, struct msqid_kernel *msqkptr,
1278 struct label *msqklabel)
1281 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1282 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1283 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1284 COUNTER_INC(check_sysv_msgmsq);
1289 COUNTER_DECL(check_sysv_msgrcv);
1291 test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
1292 struct label *msglabel)
1295 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1296 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1297 COUNTER_INC(check_sysv_msgrcv);
1302 COUNTER_DECL(check_sysv_msgrmid);
1304 test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
1305 struct label *msglabel)
1308 LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
1309 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1310 COUNTER_INC(check_sysv_msgrmid);
1315 COUNTER_DECL(check_sysv_msqget);
1317 test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
1318 struct label *msqklabel)
1321 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1322 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1323 COUNTER_INC(check_sysv_msqget);
1328 COUNTER_DECL(check_sysv_msqsnd);
1330 test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
1331 struct label *msqklabel)
1334 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1335 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1336 COUNTER_INC(check_sysv_msqsnd);
1341 COUNTER_DECL(check_sysv_msqrcv);
1343 test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
1344 struct label *msqklabel)
1347 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1348 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1349 COUNTER_INC(check_sysv_msqrcv);
1354 COUNTER_DECL(check_sysv_msqctl);
1356 test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
1357 struct label *msqklabel, int cmd)
1360 LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
1361 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1362 COUNTER_INC(check_sysv_msqctl);
1367 COUNTER_DECL(check_sysv_semctl);
1369 test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
1370 struct label *semaklabel, int cmd)
1373 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1374 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1375 COUNTER_INC(check_sysv_semctl);
1380 COUNTER_DECL(check_sysv_semget);
1382 test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
1383 struct label *semaklabel)
1386 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1387 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1388 COUNTER_INC(check_sysv_semget);
1393 COUNTER_DECL(check_sysv_semop);
1395 test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
1396 struct label *semaklabel, size_t accesstype)
1399 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1400 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
1401 COUNTER_INC(check_sysv_semop);
1406 COUNTER_DECL(check_sysv_shmat);
1408 test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
1409 struct label *shmseglabel, int shmflg)
1412 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1413 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1414 COUNTER_INC(check_sysv_shmat);
1419 COUNTER_DECL(check_sysv_shmctl);
1421 test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
1422 struct label *shmseglabel, int cmd)
1425 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1426 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1427 COUNTER_INC(check_sysv_shmctl);
1432 COUNTER_DECL(check_sysv_shmdt);
1434 test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
1435 struct label *shmseglabel)
1438 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1439 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1440 COUNTER_INC(check_sysv_shmdt);
1445 COUNTER_DECL(check_sysv_shmget);
1447 test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
1448 struct label *shmseglabel, int shmflg)
1451 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1452 LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
1453 COUNTER_INC(check_sysv_shmget);
1458 COUNTER_DECL(check_kenv_dump);
1460 test_check_kenv_dump(struct ucred *cred)
1463 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1464 COUNTER_INC(check_kenv_dump);
1469 COUNTER_DECL(check_kenv_get);
1471 test_check_kenv_get(struct ucred *cred, char *name)
1474 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1475 COUNTER_INC(check_kenv_get);
1480 COUNTER_DECL(check_kenv_set);
1482 test_check_kenv_set(struct ucred *cred, char *name, char *value)
1485 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1486 COUNTER_INC(check_kenv_set);
1491 COUNTER_DECL(check_kenv_unset);
1493 test_check_kenv_unset(struct ucred *cred, char *name)
1496 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1497 COUNTER_INC(check_kenv_unset);
1502 COUNTER_DECL(check_kld_load);
1504 test_check_kld_load(struct ucred *cred, struct vnode *vp,
1505 struct label *label)
1508 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1509 LABEL_CHECK(label, MAGIC_VNODE);
1510 COUNTER_INC(check_kld_load);
1515 COUNTER_DECL(check_kld_stat);
1517 test_check_kld_stat(struct ucred *cred)
1520 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1521 COUNTER_INC(check_kld_stat);
1526 COUNTER_DECL(check_mount_stat);
1528 test_check_mount_stat(struct ucred *cred, struct mount *mp,
1529 struct label *mplabel)
1532 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1533 LABEL_CHECK(mplabel, MAGIC_MOUNT);
1534 COUNTER_INC(check_mount_stat);
1539 COUNTER_DECL(check_pipe_ioctl);
1541 test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
1542 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1545 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1546 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1547 COUNTER_INC(check_pipe_ioctl);
1552 COUNTER_DECL(check_pipe_poll);
1554 test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
1555 struct label *pipelabel)
1558 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1559 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1560 COUNTER_INC(check_pipe_poll);
1565 COUNTER_DECL(check_pipe_read);
1567 test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
1568 struct label *pipelabel)
1571 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1572 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1573 COUNTER_INC(check_pipe_read);
1578 COUNTER_DECL(check_pipe_relabel);
1580 test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1581 struct label *pipelabel, struct label *newlabel)
1584 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1585 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1586 LABEL_CHECK(newlabel, MAGIC_PIPE);
1587 COUNTER_INC(check_pipe_relabel);
1592 COUNTER_DECL(check_pipe_stat);
1594 test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
1595 struct label *pipelabel)
1598 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1599 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1600 COUNTER_INC(check_pipe_stat);
1605 COUNTER_DECL(check_pipe_write);
1607 test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
1608 struct label *pipelabel)
1611 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1612 LABEL_CHECK(pipelabel, MAGIC_PIPE);
1613 COUNTER_INC(check_pipe_write);
1618 COUNTER_DECL(check_posix_sem);
1620 test_check_posix_sem(struct ucred *cred, struct ksem *ks,
1621 struct label *kslabel)
1624 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1625 LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
1626 COUNTER_INC(check_posix_sem);
1631 COUNTER_DECL(check_proc_debug);
1633 test_check_proc_debug(struct ucred *cred, struct proc *p)
1636 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1637 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1638 COUNTER_INC(check_proc_debug);
1643 COUNTER_DECL(check_proc_sched);
1645 test_check_proc_sched(struct ucred *cred, struct proc *p)
1648 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1649 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1650 COUNTER_INC(check_proc_sched);
1655 COUNTER_DECL(check_proc_signal);
1657 test_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
1660 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1661 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1662 COUNTER_INC(check_proc_signal);
1667 COUNTER_DECL(check_proc_setaudit);
1669 test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
1672 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1673 COUNTER_INC(check_proc_setaudit);
1678 COUNTER_DECL(check_proc_setaudit_addr);
1680 test_check_proc_setaudit_addr(struct ucred *cred,
1681 struct auditinfo_addr *aia)
1684 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1685 COUNTER_INC(check_proc_setaudit_addr);
1690 COUNTER_DECL(check_proc_setauid);
1692 test_check_proc_setauid(struct ucred *cred, uid_t auid)
1695 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1696 COUNTER_INC(check_proc_setauid);
1701 COUNTER_DECL(check_proc_setuid);
1703 test_check_proc_setuid(struct ucred *cred, uid_t uid)
1706 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1707 COUNTER_INC(check_proc_setuid);
1712 COUNTER_DECL(check_proc_euid);
1714 test_check_proc_seteuid(struct ucred *cred, uid_t euid)
1717 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1718 COUNTER_INC(check_proc_euid);
1723 COUNTER_DECL(check_proc_setgid);
1725 test_check_proc_setgid(struct ucred *cred, gid_t gid)
1728 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1729 COUNTER_INC(check_proc_setgid);
1734 COUNTER_DECL(check_proc_setegid);
1736 test_check_proc_setegid(struct ucred *cred, gid_t egid)
1739 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1740 COUNTER_INC(check_proc_setegid);
1745 COUNTER_DECL(check_proc_setgroups);
1747 test_check_proc_setgroups(struct ucred *cred, int ngroups,
1751 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1752 COUNTER_INC(check_proc_setgroups);
1757 COUNTER_DECL(check_proc_setreuid);
1759 test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
1762 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1763 COUNTER_INC(check_proc_setreuid);
1768 COUNTER_DECL(check_proc_setregid);
1770 test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
1773 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1774 COUNTER_INC(check_proc_setregid);
1779 COUNTER_DECL(check_proc_setresuid);
1781 test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
1785 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1786 COUNTER_INC(check_proc_setresuid);
1791 COUNTER_DECL(check_proc_setresgid);
1793 test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
1797 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1798 COUNTER_INC(check_proc_setresgid);
1803 COUNTER_DECL(check_proc_wait);
1805 test_check_proc_wait(struct ucred *cred, struct proc *p)
1808 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1809 LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1810 COUNTER_INC(check_proc_wait);
1815 COUNTER_DECL(check_socket_accept);
1817 test_check_socket_accept(struct ucred *cred, struct socket *so,
1818 struct label *solabel)
1821 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1822 LABEL_CHECK(solabel, MAGIC_SOCKET);
1823 COUNTER_INC(check_socket_accept);
1828 COUNTER_DECL(check_socket_bind);
1830 test_check_socket_bind(struct ucred *cred, struct socket *so,
1831 struct label *solabel, struct sockaddr *sa)
1834 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1835 LABEL_CHECK(solabel, MAGIC_SOCKET);
1836 COUNTER_INC(check_socket_bind);
1841 COUNTER_DECL(check_socket_connect);
1843 test_check_socket_connect(struct ucred *cred, struct socket *so,
1844 struct label *solabel, struct sockaddr *sa)
1847 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1848 LABEL_CHECK(solabel, MAGIC_SOCKET);
1849 COUNTER_INC(check_socket_connect);
1854 COUNTER_DECL(check_socket_deliver);
1856 test_check_socket_deliver(struct socket *so, struct label *solabel,
1857 struct mbuf *m, struct label *mlabel)
1860 LABEL_CHECK(solabel, MAGIC_SOCKET);
1861 LABEL_CHECK(mlabel, MAGIC_MBUF);
1862 COUNTER_INC(check_socket_deliver);
1867 COUNTER_DECL(check_socket_listen);
1869 test_check_socket_listen(struct ucred *cred, struct socket *so,
1870 struct label *solabel)
1873 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1874 LABEL_CHECK(solabel, MAGIC_SOCKET);
1875 COUNTER_INC(check_socket_listen);
1880 COUNTER_DECL(check_socket_poll);
1882 test_check_socket_poll(struct ucred *cred, struct socket *so,
1883 struct label *solabel)
1886 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1887 LABEL_CHECK(solabel, MAGIC_SOCKET);
1888 COUNTER_INC(check_socket_poll);
1893 COUNTER_DECL(check_socket_receive);
1895 test_check_socket_receive(struct ucred *cred, struct socket *so,
1896 struct label *solabel)
1899 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1900 LABEL_CHECK(solabel, MAGIC_SOCKET);
1901 COUNTER_INC(check_socket_receive);
1906 COUNTER_DECL(check_socket_relabel);
1908 test_check_socket_relabel(struct ucred *cred, struct socket *so,
1909 struct label *solabel, struct label *newlabel)
1912 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1913 LABEL_CHECK(solabel, MAGIC_SOCKET);
1914 LABEL_CHECK(newlabel, MAGIC_SOCKET);
1915 COUNTER_INC(check_socket_relabel);
1920 COUNTER_DECL(check_socket_send);
1922 test_check_socket_send(struct ucred *cred, struct socket *so,
1923 struct label *solabel)
1926 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1927 LABEL_CHECK(solabel, MAGIC_SOCKET);
1928 COUNTER_INC(check_socket_send);
1933 COUNTER_DECL(check_socket_stat);
1935 test_check_socket_stat(struct ucred *cred, struct socket *so,
1936 struct label *solabel)
1939 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1940 LABEL_CHECK(solabel, MAGIC_SOCKET);
1941 COUNTER_INC(check_socket_stat);
1946 COUNTER_DECL(check_socket_visible);
1948 test_check_socket_visible(struct ucred *cred, struct socket *so,
1949 struct label *solabel)
1952 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1953 LABEL_CHECK(solabel, MAGIC_SOCKET);
1954 COUNTER_INC(check_socket_visible);
1959 COUNTER_DECL(check_system_acct);
1961 test_check_system_acct(struct ucred *cred, struct vnode *vp,
1962 struct label *vplabel)
1965 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1966 LABEL_CHECK(vplabel, MAGIC_VNODE);
1967 COUNTER_INC(check_system_acct);
1972 COUNTER_DECL(check_system_audit);
1974 test_check_system_audit(struct ucred *cred, void *record, int length)
1977 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1978 COUNTER_INC(check_system_audit);
1983 COUNTER_DECL(check_system_auditctl);
1985 test_check_system_auditctl(struct ucred *cred, struct vnode *vp,
1986 struct label *vplabel)
1989 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1990 LABEL_CHECK(vplabel, MAGIC_VNODE);
1991 COUNTER_INC(check_system_auditctl);
1996 COUNTER_DECL(check_system_auditon);
1998 test_check_system_auditon(struct ucred *cred, int cmd)
2001 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2002 COUNTER_INC(check_system_auditon);
2007 COUNTER_DECL(check_system_reboot);
2009 test_check_system_reboot(struct ucred *cred, int how)
2012 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2013 COUNTER_INC(check_system_reboot);
2018 COUNTER_DECL(check_system_swapoff);
2020 test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
2021 struct label *vplabel)
2024 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2025 LABEL_CHECK(vplabel, MAGIC_VNODE);
2026 COUNTER_INC(check_system_swapoff);
2031 COUNTER_DECL(check_system_swapon);
2033 test_check_system_swapon(struct ucred *cred, struct vnode *vp,
2034 struct label *vplabel)
2037 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2038 LABEL_CHECK(vplabel, MAGIC_VNODE);
2039 COUNTER_INC(check_system_swapon);
2044 COUNTER_DECL(check_system_sysctl);
2046 test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2047 void *arg1, int arg2, struct sysctl_req *req)
2050 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2051 COUNTER_INC(check_system_sysctl);
2056 COUNTER_DECL(check_vnode_access);
2058 test_check_vnode_access(struct ucred *cred, struct vnode *vp,
2059 struct label *vplabel, int acc_mode)
2062 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2063 LABEL_CHECK(vplabel, MAGIC_VNODE);
2064 COUNTER_INC(check_vnode_access);
2069 COUNTER_DECL(check_vnode_chdir);
2071 test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
2072 struct label *dvplabel)
2075 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2076 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2077 COUNTER_INC(check_vnode_chdir);
2082 COUNTER_DECL(check_vnode_chroot);
2084 test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
2085 struct label *dvplabel)
2088 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2089 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2090 COUNTER_INC(check_vnode_chroot);
2095 COUNTER_DECL(check_vnode_create);
2097 test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
2098 struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
2101 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2102 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2103 COUNTER_INC(check_vnode_create);
2108 COUNTER_DECL(check_vnode_deleteacl);
2110 test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
2111 struct label *vplabel, acl_type_t type)
2114 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2115 LABEL_CHECK(vplabel, MAGIC_VNODE);
2116 COUNTER_INC(check_vnode_deleteacl);
2121 COUNTER_DECL(check_vnode_deleteextattr);
2123 test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
2124 struct label *vplabel, int attrnamespace, const char *name)
2127 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2128 LABEL_CHECK(vplabel, MAGIC_VNODE);
2129 COUNTER_INC(check_vnode_deleteextattr);
2134 COUNTER_DECL(check_vnode_exec);
2136 test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
2137 struct label *vplabel, struct image_params *imgp,
2138 struct label *execlabel)
2141 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2142 LABEL_CHECK(vplabel, MAGIC_VNODE);
2143 LABEL_CHECK(execlabel, MAGIC_CRED);
2144 COUNTER_INC(check_vnode_exec);
2149 COUNTER_DECL(check_vnode_getacl);
2151 test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
2152 struct label *vplabel, acl_type_t type)
2155 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2156 LABEL_CHECK(vplabel, MAGIC_VNODE);
2157 COUNTER_INC(check_vnode_getacl);
2162 COUNTER_DECL(check_vnode_getextattr);
2164 test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
2165 struct label *vplabel, int attrnamespace, const char *name,
2169 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2170 LABEL_CHECK(vplabel, MAGIC_VNODE);
2171 COUNTER_INC(check_vnode_getextattr);
2176 COUNTER_DECL(check_vnode_link);
2178 test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
2179 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2180 struct componentname *cnp)
2183 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2184 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2185 LABEL_CHECK(vplabel, MAGIC_VNODE);
2186 COUNTER_INC(check_vnode_link);
2191 COUNTER_DECL(check_vnode_listextattr);
2193 test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
2194 struct label *vplabel, int attrnamespace)
2197 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2198 LABEL_CHECK(vplabel, MAGIC_VNODE);
2199 COUNTER_INC(check_vnode_listextattr);
2204 COUNTER_DECL(check_vnode_lookup);
2206 test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
2207 struct label *dvplabel, struct componentname *cnp)
2210 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2211 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2212 COUNTER_INC(check_vnode_lookup);
2217 COUNTER_DECL(check_vnode_mmap);
2219 test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
2220 struct label *vplabel, int prot, int flags)
2223 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2224 LABEL_CHECK(vplabel, MAGIC_VNODE);
2225 COUNTER_INC(check_vnode_mmap);
2230 COUNTER_DECL(check_vnode_open);
2232 test_check_vnode_open(struct ucred *cred, struct vnode *vp,
2233 struct label *vplabel, int acc_mode)
2236 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2237 LABEL_CHECK(vplabel, MAGIC_VNODE);
2238 COUNTER_INC(check_vnode_open);
2243 COUNTER_DECL(check_vnode_poll);
2245 test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
2246 struct vnode *vp, struct label *vplabel)
2249 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2250 if (file_cred != NULL)
2251 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2252 LABEL_CHECK(vplabel, MAGIC_VNODE);
2253 COUNTER_INC(check_vnode_poll);
2258 COUNTER_DECL(check_vnode_read);
2260 test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
2261 struct vnode *vp, struct label *vplabel)
2264 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2265 if (file_cred != NULL)
2266 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2267 LABEL_CHECK(vplabel, MAGIC_VNODE);
2268 COUNTER_INC(check_vnode_read);
2273 COUNTER_DECL(check_vnode_readdir);
2275 test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
2276 struct label *dvplabel)
2279 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2280 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2281 COUNTER_INC(check_vnode_readdir);
2286 COUNTER_DECL(check_vnode_readlink);
2288 test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
2289 struct label *vplabel)
2292 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2293 LABEL_CHECK(vplabel, MAGIC_VNODE);
2294 COUNTER_INC(check_vnode_readlink);
2299 COUNTER_DECL(check_vnode_relabel);
2301 test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
2302 struct label *vplabel, struct label *newlabel)
2305 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2306 LABEL_CHECK(vplabel, MAGIC_VNODE);
2307 LABEL_CHECK(newlabel, MAGIC_VNODE);
2308 COUNTER_INC(check_vnode_relabel);
2313 COUNTER_DECL(check_vnode_rename_from);
2315 test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
2316 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2317 struct componentname *cnp)
2320 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2321 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2322 LABEL_CHECK(vplabel, MAGIC_VNODE);
2323 COUNTER_INC(check_vnode_rename_from);
2328 COUNTER_DECL(check_vnode_rename_to);
2330 test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
2331 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2332 int samedir, struct componentname *cnp)
2335 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2336 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2337 LABEL_CHECK(vplabel, MAGIC_VNODE);
2338 COUNTER_INC(check_vnode_rename_to);
2343 COUNTER_DECL(check_vnode_revoke);
2345 test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
2346 struct label *vplabel)
2349 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2350 LABEL_CHECK(vplabel, MAGIC_VNODE);
2351 COUNTER_INC(check_vnode_revoke);
2356 COUNTER_DECL(check_vnode_setacl);
2358 test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
2359 struct label *vplabel, acl_type_t type, struct acl *acl)
2362 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2363 LABEL_CHECK(vplabel, MAGIC_VNODE);
2364 COUNTER_INC(check_vnode_setacl);
2369 COUNTER_DECL(check_vnode_setextattr);
2371 test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
2372 struct label *vplabel, int attrnamespace, const char *name,
2376 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2377 LABEL_CHECK(vplabel, MAGIC_VNODE);
2378 COUNTER_INC(check_vnode_setextattr);
2383 COUNTER_DECL(check_vnode_setflags);
2385 test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
2386 struct label *vplabel, u_long flags)
2389 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2390 LABEL_CHECK(vplabel, MAGIC_VNODE);
2391 COUNTER_INC(check_vnode_setflags);
2396 COUNTER_DECL(check_vnode_setmode);
2398 test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
2399 struct label *vplabel, mode_t mode)
2402 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2403 LABEL_CHECK(vplabel, MAGIC_VNODE);
2404 COUNTER_INC(check_vnode_setmode);
2409 COUNTER_DECL(check_vnode_setowner);
2411 test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
2412 struct label *vplabel, uid_t uid, gid_t gid)
2415 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2416 LABEL_CHECK(vplabel, MAGIC_VNODE);
2417 COUNTER_INC(check_vnode_setowner);
2422 COUNTER_DECL(check_vnode_setutimes);
2424 test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2425 struct label *vplabel, struct timespec atime, struct timespec mtime)
2428 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2429 LABEL_CHECK(vplabel, MAGIC_VNODE);
2430 COUNTER_INC(check_vnode_setutimes);
2435 COUNTER_DECL(check_vnode_stat);
2437 test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
2438 struct vnode *vp, struct label *vplabel)
2441 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2442 if (file_cred != NULL)
2443 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2444 LABEL_CHECK(vplabel, MAGIC_VNODE);
2445 COUNTER_INC(check_vnode_stat);
2450 COUNTER_DECL(check_vnode_unlink);
2452 test_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
2453 struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2454 struct componentname *cnp)
2457 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2458 LABEL_CHECK(dvplabel, MAGIC_VNODE);
2459 LABEL_CHECK(vplabel, MAGIC_VNODE);
2460 COUNTER_INC(check_vnode_unlink);
2465 COUNTER_DECL(check_vnode_write);
2467 test_check_vnode_write(struct ucred *active_cred,
2468 struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
2471 LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2472 if (file_cred != NULL)
2473 LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2474 LABEL_CHECK(vplabel, MAGIC_VNODE);
2475 COUNTER_INC(check_vnode_write);
2480 static struct mac_policy_ops test_ops =
2482 .mpo_init_bpfdesc_label = test_init_bpfdesc_label,
2483 .mpo_init_cred_label = test_init_cred_label,
2484 .mpo_init_devfs_label = test_init_devfs_label,
2485 .mpo_init_ifnet_label = test_init_ifnet_label,
2486 .mpo_init_sysv_msgmsg_label = test_init_sysv_msgmsg_label,
2487 .mpo_init_sysv_msgqueue_label = test_init_sysv_msgqueue_label,
2488 .mpo_init_sysv_sem_label = test_init_sysv_sem_label,
2489 .mpo_init_sysv_shm_label = test_init_sysv_shm_label,
2490 .mpo_init_inpcb_label = test_init_inpcb_label,
2491 .mpo_init_ipq_label = test_init_ipq_label,
2492 .mpo_init_mbuf_label = test_init_mbuf_label,
2493 .mpo_init_mount_label = test_init_mount_label,
2494 .mpo_init_pipe_label = test_init_pipe_label,
2495 .mpo_init_posix_sem_label = test_init_posix_sem_label,
2496 .mpo_init_proc_label = test_init_proc_label,
2497 .mpo_init_socket_label = test_init_socket_label,
2498 .mpo_init_socket_peer_label = test_init_socket_peer_label,
2499 .mpo_init_vnode_label = test_init_vnode_label,
2500 .mpo_destroy_bpfdesc_label = test_destroy_bpfdesc_label,
2501 .mpo_destroy_cred_label = test_destroy_cred_label,
2502 .mpo_destroy_devfs_label = test_destroy_devfs_label,
2503 .mpo_destroy_ifnet_label = test_destroy_ifnet_label,
2504 .mpo_destroy_sysv_msgmsg_label = test_destroy_sysv_msgmsg_label,
2505 .mpo_destroy_sysv_msgqueue_label = test_destroy_sysv_msgqueue_label,
2506 .mpo_destroy_sysv_sem_label = test_destroy_sysv_sem_label,
2507 .mpo_destroy_sysv_shm_label = test_destroy_sysv_shm_label,
2508 .mpo_destroy_inpcb_label = test_destroy_inpcb_label,
2509 .mpo_destroy_ipq_label = test_destroy_ipq_label,
2510 .mpo_destroy_mbuf_label = test_destroy_mbuf_label,
2511 .mpo_destroy_mount_label = test_destroy_mount_label,
2512 .mpo_destroy_pipe_label = test_destroy_pipe_label,
2513 .mpo_destroy_posix_sem_label = test_destroy_posix_sem_label,
2514 .mpo_destroy_proc_label = test_destroy_proc_label,
2515 .mpo_destroy_socket_label = test_destroy_socket_label,
2516 .mpo_destroy_socket_peer_label = test_destroy_socket_peer_label,
2517 .mpo_destroy_vnode_label = test_destroy_vnode_label,
2518 .mpo_copy_cred_label = test_copy_cred_label,
2519 .mpo_copy_ifnet_label = test_copy_ifnet_label,
2520 .mpo_copy_mbuf_label = test_copy_mbuf_label,
2521 .mpo_copy_pipe_label = test_copy_pipe_label,
2522 .mpo_copy_socket_label = test_copy_socket_label,
2523 .mpo_copy_vnode_label = test_copy_vnode_label,
2524 .mpo_externalize_cred_label = test_externalize_label,
2525 .mpo_externalize_ifnet_label = test_externalize_label,
2526 .mpo_externalize_pipe_label = test_externalize_label,
2527 .mpo_externalize_socket_label = test_externalize_label,
2528 .mpo_externalize_socket_peer_label = test_externalize_label,
2529 .mpo_externalize_vnode_label = test_externalize_label,
2530 .mpo_internalize_cred_label = test_internalize_label,
2531 .mpo_internalize_ifnet_label = test_internalize_label,
2532 .mpo_internalize_pipe_label = test_internalize_label,
2533 .mpo_internalize_socket_label = test_internalize_label,
2534 .mpo_internalize_vnode_label = test_internalize_label,
2535 .mpo_associate_vnode_devfs = test_associate_vnode_devfs,
2536 .mpo_associate_vnode_extattr = test_associate_vnode_extattr,
2537 .mpo_associate_vnode_singlelabel = test_associate_vnode_singlelabel,
2538 .mpo_create_devfs_device = test_create_devfs_device,
2539 .mpo_create_devfs_directory = test_create_devfs_directory,
2540 .mpo_create_devfs_symlink = test_create_devfs_symlink,
2541 .mpo_create_vnode_extattr = test_create_vnode_extattr,
2542 .mpo_create_mount = test_create_mount,
2543 .mpo_relabel_vnode = test_relabel_vnode,
2544 .mpo_setlabel_vnode_extattr = test_setlabel_vnode_extattr,
2545 .mpo_update_devfs = test_update_devfs,
2546 .mpo_create_mbuf_from_socket = test_create_mbuf_from_socket,
2547 .mpo_create_pipe = test_create_pipe,
2548 .mpo_create_posix_sem = test_create_posix_sem,
2549 .mpo_create_socket = test_create_socket,
2550 .mpo_create_socket_from_socket = test_create_socket_from_socket,
2551 .mpo_relabel_pipe = test_relabel_pipe,
2552 .mpo_relabel_socket = test_relabel_socket,
2553 .mpo_set_socket_peer_from_mbuf = test_set_socket_peer_from_mbuf,
2554 .mpo_set_socket_peer_from_socket = test_set_socket_peer_from_socket,
2555 .mpo_create_bpfdesc = test_create_bpfdesc,
2556 .mpo_create_ifnet = test_create_ifnet,
2557 .mpo_create_inpcb_from_socket = test_create_inpcb_from_socket,
2558 .mpo_create_sysv_msgmsg = test_create_sysv_msgmsg,
2559 .mpo_create_sysv_msgqueue = test_create_sysv_msgqueue,
2560 .mpo_create_sysv_sem = test_create_sysv_sem,
2561 .mpo_create_sysv_shm = test_create_sysv_shm,
2562 .mpo_create_datagram_from_ipq = test_create_datagram_from_ipq,
2563 .mpo_create_fragment = test_create_fragment,
2564 .mpo_create_ipq = test_create_ipq,
2565 .mpo_create_mbuf_from_inpcb = test_create_mbuf_from_inpcb,
2566 .mpo_create_mbuf_linklayer = test_create_mbuf_linklayer,
2567 .mpo_create_mbuf_from_bpfdesc = test_create_mbuf_from_bpfdesc,
2568 .mpo_create_mbuf_from_ifnet = test_create_mbuf_from_ifnet,
2569 .mpo_create_mbuf_multicast_encap = test_create_mbuf_multicast_encap,
2570 .mpo_create_mbuf_netlayer = test_create_mbuf_netlayer,
2571 .mpo_fragment_match = test_fragment_match,
2572 .mpo_reflect_mbuf_icmp = test_reflect_mbuf_icmp,
2573 .mpo_reflect_mbuf_tcp = test_reflect_mbuf_tcp,
2574 .mpo_relabel_ifnet = test_relabel_ifnet,
2575 .mpo_update_ipq = test_update_ipq,
2576 .mpo_inpcb_sosetlabel = test_inpcb_sosetlabel,
2577 .mpo_execve_transition = test_execve_transition,
2578 .mpo_execve_will_transition = test_execve_will_transition,
2579 .mpo_create_proc0 = test_create_proc0,
2580 .mpo_create_proc1 = test_create_proc1,
2581 .mpo_relabel_cred = test_relabel_cred,
2582 .mpo_thread_userret = test_thread_userret,
2583 .mpo_cleanup_sysv_msgmsg = test_cleanup_sysv_msgmsg,
2584 .mpo_cleanup_sysv_msgqueue = test_cleanup_sysv_msgqueue,
2585 .mpo_cleanup_sysv_sem = test_cleanup_sysv_sem,
2586 .mpo_cleanup_sysv_shm = test_cleanup_sysv_shm,
2587 .mpo_check_bpfdesc_receive = test_check_bpfdesc_receive,
2588 .mpo_check_cred_relabel = test_check_cred_relabel,
2589 .mpo_check_cred_visible = test_check_cred_visible,
2590 .mpo_check_ifnet_relabel = test_check_ifnet_relabel,
2591 .mpo_check_ifnet_transmit = test_check_ifnet_transmit,
2592 .mpo_check_inpcb_deliver = test_check_inpcb_deliver,
2593 .mpo_check_inpcb_visible = test_check_inpcb_visible,
2594 .mpo_check_sysv_msgmsq = test_check_sysv_msgmsq,
2595 .mpo_check_sysv_msgrcv = test_check_sysv_msgrcv,
2596 .mpo_check_sysv_msgrmid = test_check_sysv_msgrmid,
2597 .mpo_check_sysv_msqget = test_check_sysv_msqget,
2598 .mpo_check_sysv_msqsnd = test_check_sysv_msqsnd,
2599 .mpo_check_sysv_msqrcv = test_check_sysv_msqrcv,
2600 .mpo_check_sysv_msqctl = test_check_sysv_msqctl,
2601 .mpo_check_sysv_semctl = test_check_sysv_semctl,
2602 .mpo_check_sysv_semget = test_check_sysv_semget,
2603 .mpo_check_sysv_semop = test_check_sysv_semop,
2604 .mpo_check_sysv_shmat = test_check_sysv_shmat,
2605 .mpo_check_sysv_shmctl = test_check_sysv_shmctl,
2606 .mpo_check_sysv_shmdt = test_check_sysv_shmdt,
2607 .mpo_check_sysv_shmget = test_check_sysv_shmget,
2608 .mpo_check_kenv_dump = test_check_kenv_dump,
2609 .mpo_check_kenv_get = test_check_kenv_get,
2610 .mpo_check_kenv_set = test_check_kenv_set,
2611 .mpo_check_kenv_unset = test_check_kenv_unset,
2612 .mpo_check_kld_load = test_check_kld_load,
2613 .mpo_check_kld_stat = test_check_kld_stat,
2614 .mpo_check_mount_stat = test_check_mount_stat,
2615 .mpo_check_pipe_ioctl = test_check_pipe_ioctl,
2616 .mpo_check_pipe_poll = test_check_pipe_poll,
2617 .mpo_check_pipe_read = test_check_pipe_read,
2618 .mpo_check_pipe_relabel = test_check_pipe_relabel,
2619 .mpo_check_pipe_stat = test_check_pipe_stat,
2620 .mpo_check_pipe_write = test_check_pipe_write,
2621 .mpo_check_posix_sem_destroy = test_check_posix_sem,
2622 .mpo_check_posix_sem_getvalue = test_check_posix_sem,
2623 .mpo_check_posix_sem_open = test_check_posix_sem,
2624 .mpo_check_posix_sem_post = test_check_posix_sem,
2625 .mpo_check_posix_sem_unlink = test_check_posix_sem,
2626 .mpo_check_posix_sem_wait = test_check_posix_sem,
2627 .mpo_check_proc_debug = test_check_proc_debug,
2628 .mpo_check_proc_sched = test_check_proc_sched,
2629 .mpo_check_proc_setaudit = test_check_proc_setaudit,
2630 .mpo_check_proc_setaudit_addr = test_check_proc_setaudit_addr,
2631 .mpo_check_proc_setauid = test_check_proc_setauid,
2632 .mpo_check_proc_setuid = test_check_proc_setuid,
2633 .mpo_check_proc_seteuid = test_check_proc_seteuid,
2634 .mpo_check_proc_setgid = test_check_proc_setgid,
2635 .mpo_check_proc_setegid = test_check_proc_setegid,
2636 .mpo_check_proc_setgroups = test_check_proc_setgroups,
2637 .mpo_check_proc_setreuid = test_check_proc_setreuid,
2638 .mpo_check_proc_setregid = test_check_proc_setregid,
2639 .mpo_check_proc_setresuid = test_check_proc_setresuid,
2640 .mpo_check_proc_setresgid = test_check_proc_setresgid,
2641 .mpo_check_proc_signal = test_check_proc_signal,
2642 .mpo_check_proc_wait = test_check_proc_wait,
2643 .mpo_check_socket_accept = test_check_socket_accept,
2644 .mpo_check_socket_bind = test_check_socket_bind,
2645 .mpo_check_socket_connect = test_check_socket_connect,
2646 .mpo_check_socket_deliver = test_check_socket_deliver,
2647 .mpo_check_socket_listen = test_check_socket_listen,
2648 .mpo_check_socket_poll = test_check_socket_poll,
2649 .mpo_check_socket_receive = test_check_socket_receive,
2650 .mpo_check_socket_relabel = test_check_socket_relabel,
2651 .mpo_check_socket_send = test_check_socket_send,
2652 .mpo_check_socket_stat = test_check_socket_stat,
2653 .mpo_check_socket_visible = test_check_socket_visible,
2654 .mpo_check_system_acct = test_check_system_acct,
2655 .mpo_check_system_audit = test_check_system_audit,
2656 .mpo_check_system_auditctl = test_check_system_auditctl,
2657 .mpo_check_system_auditon = test_check_system_auditon,
2658 .mpo_check_system_reboot = test_check_system_reboot,
2659 .mpo_check_system_swapoff = test_check_system_swapoff,
2660 .mpo_check_system_swapon = test_check_system_swapon,
2661 .mpo_check_system_sysctl = test_check_system_sysctl,
2662 .mpo_check_vnode_access = test_check_vnode_access,
2663 .mpo_check_vnode_chdir = test_check_vnode_chdir,
2664 .mpo_check_vnode_chroot = test_check_vnode_chroot,
2665 .mpo_check_vnode_create = test_check_vnode_create,
2666 .mpo_check_vnode_deleteacl = test_check_vnode_deleteacl,
2667 .mpo_check_vnode_deleteextattr = test_check_vnode_deleteextattr,
2668 .mpo_check_vnode_exec = test_check_vnode_exec,
2669 .mpo_check_vnode_getacl = test_check_vnode_getacl,
2670 .mpo_check_vnode_getextattr = test_check_vnode_getextattr,
2671 .mpo_check_vnode_link = test_check_vnode_link,
2672 .mpo_check_vnode_listextattr = test_check_vnode_listextattr,
2673 .mpo_check_vnode_lookup = test_check_vnode_lookup,
2674 .mpo_check_vnode_mmap = test_check_vnode_mmap,
2675 .mpo_check_vnode_open = test_check_vnode_open,
2676 .mpo_check_vnode_poll = test_check_vnode_poll,
2677 .mpo_check_vnode_read = test_check_vnode_read,
2678 .mpo_check_vnode_readdir = test_check_vnode_readdir,
2679 .mpo_check_vnode_readlink = test_check_vnode_readlink,
2680 .mpo_check_vnode_relabel = test_check_vnode_relabel,
2681 .mpo_check_vnode_rename_from = test_check_vnode_rename_from,
2682 .mpo_check_vnode_rename_to = test_check_vnode_rename_to,
2683 .mpo_check_vnode_revoke = test_check_vnode_revoke,
2684 .mpo_check_vnode_setacl = test_check_vnode_setacl,
2685 .mpo_check_vnode_setextattr = test_check_vnode_setextattr,
2686 .mpo_check_vnode_setflags = test_check_vnode_setflags,
2687 .mpo_check_vnode_setmode = test_check_vnode_setmode,
2688 .mpo_check_vnode_setowner = test_check_vnode_setowner,
2689 .mpo_check_vnode_setutimes = test_check_vnode_setutimes,
2690 .mpo_check_vnode_stat = test_check_vnode_stat,
2691 .mpo_check_vnode_unlink = test_check_vnode_unlink,
2692 .mpo_check_vnode_write = test_check_vnode_write,
2695 MAC_POLICY_SET(&test_ops, mac_test, "TrustedBSD MAC/Test",
2696 MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot);
projects / FreeBSD / releng / 7.2.git / blob