1
/*-
2
 * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
3
 * Copyright (c) 2001-2005 McAfee, Inc.
4
 * Copyright (c) 2006 SPARTA, Inc.
5
 * Copyright (c) 2008 Apple Inc.
6
 * All rights reserved.
7
 *
8
 * This software was developed by Robert Watson for the TrustedBSD Project.
9
 *
10
 * This software was developed for the FreeBSD Project in part by McAfee
11
 * Research, the Security Research Division of McAfee, Inc. under
12
 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
13
 * CHATS research program.
14
 *
15
 * This software was enhanced by SPARTA ISSO under SPAWAR contract
16
 * N66001-04-C-6019 ("SEFOS").
17
 *
18
 * This software was developed at the University of Cambridge Computer
19
 * Laboratory with support from a grant from Google, Inc.
20
 *
21
 * Redistribution and use in source and binary forms, with or without
22
 * modification, are permitted provided that the following conditions
23
 * are met:
24
 * 1. Redistributions of source code must retain the above copyright
25
 *    notice, this list of conditions and the following disclaimer.
26
 * 2. Redistributions in binary form must reproduce the above copyright
27
 *    notice, this list of conditions and the following disclaimer in the
28
 *    documentation and/or other materials provided with the distribution.
29
 *
30
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
31
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
32
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
34
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
35
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
36
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
37
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
38
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
39
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40
 * SUCH DAMAGE.
41
 */
42

43
/*
44
 * Developed by the TrustedBSD Project.
45
 *
46
 * MAC Test policy - tests MAC Framework labeling by assigning object class
47
 * magic numbers to each label and validates that each time an object label
48
 * is passed into the policy, it has a consistent object type, catching
49
 * incorrectly passed labels, labels passed after free, etc.
50
 */
51

52
#include <sys/param.h>
53
#include <sys/acl.h>
54
#include <sys/kdb.h>
55
#include <sys/kernel.h>
56
#include <sys/ksem.h>
57
#include <sys/malloc.h>
58
#include <sys/module.h>
59
#include <sys/mount.h>
60
#include <sys/msg.h>
61
#include <sys/proc.h>
62
#include <sys/vnode.h>
63
#include <sys/sem.h>
64
#include <sys/shm.h>
65
#include <sys/socket.h>
66
#include <sys/socketvar.h>
67
#include <sys/sx.h>
68
#include <sys/sysctl.h>
69

70
#include <ddb/ddb.h>
71

72
#include <fs/devfs/devfs.h>
73

74
#include <net/bpfdesc.h>
75
#include <net/if.h>
76
#include <net/if_types.h>
77
#include <net/if_var.h>
78

79
#include <security/mac/mac_policy.h>
80

81
static SYSCTL_NODE(_security_mac, OID_AUTO, test,
82
    CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
83
    "TrustedBSD mac_test policy controls");
84

85
#define	MAGIC_BPF	0xfe1ad1b6
86
#define	MAGIC_DEVFS	0x9ee79c32
87
#define	MAGIC_IFNET	0xc218b120
88
#define	MAGIC_INPCB	0x4440f7bb
89
#define	MAGIC_IP6Q	0x0870e1b7
90
#define	MAGIC_IPQ	0x206188ef
91
#define	MAGIC_MBUF	0xbbefa5bb
92
#define	MAGIC_MOUNT	0xc7c46e47
93
#define	MAGIC_SOCKET	0x9199c6cd
94
#define	MAGIC_SYNCACHE	0x7fb838a8
95
#define	MAGIC_SYSV_MSG	0x8bbba61e
96
#define	MAGIC_SYSV_MSQ	0xea672391
97
#define	MAGIC_SYSV_SEM	0x896e8a0b
98
#define	MAGIC_SYSV_SHM	0x76119ab0
99
#define	MAGIC_PIPE	0xdc6c9919
100
#define	MAGIC_POSIX_SEM	0x78ae980c
101
#define	MAGIC_POSIX_SHM	0x4e853fc9
102
#define	MAGIC_PROC	0x3b4be98f
103
#define	MAGIC_CRED	0x9a5a4987
104
#define	MAGIC_VNODE	0x1a67a45c
105
#define	MAGIC_FREE	0x849ba1fd
106

107
#define	SLOT(x)	mac_label_get((x), test_slot)
108
#define	SLOT_SET(x, v)	mac_label_set((x), test_slot, (v))
109

110
static int	test_slot;
111
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
112
    &test_slot, 0, "Slot allocated by framework");
113

114
static SYSCTL_NODE(_security_mac_test, OID_AUTO, counter,
115
    CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
116
    "TrustedBSD mac_test counters controls");
117

118
#define	COUNTER_DECL(variable)						\
119
	static int counter_##variable;					\
120
	SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable,	\
121
	CTLFLAG_RD, &counter_##variable, 0, #variable)
122

123
#define	COUNTER_INC(variable)	atomic_add_int(&counter_##variable, 1)
124

125
#ifdef KDB
126
#define	DEBUGGER(func, string)	kdb_enter(KDB_WHY_MAC, (string))
127
#else
128
#define	DEBUGGER(func, string)	printf("mac_test: %s: %s\n", (func), (string))
129
#endif
130

131
#define	LABEL_CHECK(label, magic) do {					\
132
	if (label != NULL) {						\
133
		KASSERT(SLOT(label) == magic ||	SLOT(label) == 0,	\
134
		    ("%s: bad %s label", __func__, #magic));		\
135
	}								\
136
} while (0)
137

138
#define	LABEL_DESTROY(label, magic) do {				\
139
	if (SLOT(label) == magic || SLOT(label) == 0) {			\
140
		SLOT_SET(label, MAGIC_FREE);				\
141
	} else if (SLOT(label) == MAGIC_FREE) {				\
142
		DEBUGGER("%s: dup destroy", __func__);			\
143
	} else {							\
144
		DEBUGGER("%s: corrupted label", __func__);		\
145
	}								\
146
} while (0)
147

148
#define	LABEL_INIT(label, magic) do {					\
149
	SLOT_SET(label, magic);						\
150
} while (0)
151

152
#define	LABEL_NOTFREE(label) do {					\
153
	KASSERT(SLOT(label) != MAGIC_FREE,				\
154
	    ("%s: destroyed label", __func__));				\
155
} while (0)
156

157
/*
158
 * Object-specific entry point implementations are sorted alphabetically by
159
 * object type name and then by operation.
160
 */
161
COUNTER_DECL(bpfdesc_check_receive);
162
static int
163
test_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
164
    struct ifnet *ifp, struct label *ifplabel)
165
{
166

167
	LABEL_CHECK(dlabel, MAGIC_BPF);
168
	LABEL_CHECK(ifplabel, MAGIC_IFNET);
169
	COUNTER_INC(bpfdesc_check_receive);
170

171
	return (0);
172
}
173

174
COUNTER_DECL(bpfdesc_create);
175
static void
176
test_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
177
    struct label *dlabel)
178
{
179

180
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
181
	LABEL_CHECK(dlabel, MAGIC_BPF);
182
	COUNTER_INC(bpfdesc_create);
183
}
184

185
COUNTER_DECL(bpfdesc_create_mbuf);
186
static void
187
test_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
188
    struct mbuf *m, struct label *mlabel)
189
{
190

191
	LABEL_CHECK(dlabel, MAGIC_BPF);
192
	LABEL_CHECK(mlabel, MAGIC_MBUF);
193
	COUNTER_INC(bpfdesc_create_mbuf);
194
}
195

196
COUNTER_DECL(bpfdesc_destroy_label);
197
static void
198
test_bpfdesc_destroy_label(struct label *label)
199
{
200

201
	LABEL_DESTROY(label, MAGIC_BPF);
202
	COUNTER_INC(bpfdesc_destroy_label);
203
}
204

205
COUNTER_DECL(bpfdesc_init_label);
206
static void
207
test_bpfdesc_init_label(struct label *label)
208
{
209

210
	LABEL_INIT(label, MAGIC_BPF);
211
	COUNTER_INC(bpfdesc_init_label);
212
}
213

214
COUNTER_DECL(cred_check_relabel);
215
static int
216
test_cred_check_relabel(struct ucred *cred, struct label *newlabel)
217
{
218

219
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
220
	LABEL_CHECK(newlabel, MAGIC_CRED);
221
	COUNTER_INC(cred_check_relabel);
222

223
	return (0);
224
}
225

226
COUNTER_DECL(cred_check_setaudit);
227
static int
228
test_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
229
{
230

231
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
232
	COUNTER_INC(cred_check_setaudit);
233

234
	return (0);
235
}
236

237
COUNTER_DECL(cred_check_setaudit_addr);
238
static int
239
test_cred_check_setaudit_addr(struct ucred *cred,
240
    struct auditinfo_addr *aia)
241
{
242

243
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
244
	COUNTER_INC(cred_check_setaudit_addr);
245

246
	return (0);
247
}
248

249
COUNTER_DECL(cred_check_setauid);
250
static int
251
test_cred_check_setauid(struct ucred *cred, uid_t auid)
252
{
253

254
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
255
	COUNTER_INC(cred_check_setauid);
256

257
	return (0);
258
}
259

260
COUNTER_DECL(cred_setcred_enter);
261
static void
262
test_cred_setcred_enter(void)
263
{
264
	COUNTER_INC(cred_setcred_enter);
265
}
266

267
COUNTER_DECL(cred_check_setcred);
268
static int
269
test_cred_check_setcred(u_int flags, const struct ucred *old_cred,
270
    struct ucred *new_cred)
271
{
272
	LABEL_CHECK(old_cred->cr_label, MAGIC_CRED);
273
	LABEL_CHECK(new_cred->cr_label, MAGIC_CRED);
274
	COUNTER_INC(cred_check_setcred);
275

276
	return (0);
277
}
278

279
COUNTER_DECL(cred_setcred_exit);
280
static void
281
test_cred_setcred_exit(void)
282
{
283
	COUNTER_INC(cred_setcred_exit);
284
}
285

286
COUNTER_DECL(cred_check_setegid);
287
static int
288
test_cred_check_setegid(struct ucred *cred, gid_t egid)
289
{
290

291
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
292
	COUNTER_INC(cred_check_setegid);
293

294
	return (0);
295
}
296

297
COUNTER_DECL(proc_check_euid);
298
static int
299
test_cred_check_seteuid(struct ucred *cred, uid_t euid)
300
{
301

302
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
303
	COUNTER_INC(proc_check_euid);
304

305
	return (0);
306
}
307

308
COUNTER_DECL(cred_check_setregid);
309
static int
310
test_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
311
{
312

313
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
314
	COUNTER_INC(cred_check_setregid);
315

316
	return (0);
317
}
318

319
COUNTER_DECL(cred_check_setreuid);
320
static int
321
test_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
322
{
323

324
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
325
	COUNTER_INC(cred_check_setreuid);
326

327
	return (0);
328
}
329

330
COUNTER_DECL(cred_check_setgid);
331
static int
332
test_cred_check_setgid(struct ucred *cred, gid_t gid)
333
{
334

335
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
336
	COUNTER_INC(cred_check_setgid);
337

338
	return (0);
339
}
340

341
COUNTER_DECL(cred_check_setgroups);
342
static int
343
test_cred_check_setgroups(struct ucred *cred, int ngroups,
344
	gid_t *gidset)
345
{
346

347
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
348
	COUNTER_INC(cred_check_setgroups);
349

350
	return (0);
351
}
352

353
COUNTER_DECL(cred_check_setresgid);
354
static int
355
test_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
356
	gid_t sgid)
357
{
358

359
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
360
	COUNTER_INC(cred_check_setresgid);
361

362
	return (0);
363
}
364

365
COUNTER_DECL(cred_check_setresuid);
366
static int
367
test_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
368
	uid_t suid)
369
{
370

371
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
372
	COUNTER_INC(cred_check_setresuid);
373

374
	return (0);
375
}
376

377
COUNTER_DECL(cred_check_setuid);
378
static int
379
test_cred_check_setuid(struct ucred *cred, uid_t uid)
380
{
381

382
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
383
	COUNTER_INC(cred_check_setuid);
384

385
	return (0);
386
}
387

388
COUNTER_DECL(cred_check_visible);
389
static int
390
test_cred_check_visible(struct ucred *u1, struct ucred *u2)
391
{
392

393
	LABEL_CHECK(u1->cr_label, MAGIC_CRED);
394
	LABEL_CHECK(u2->cr_label, MAGIC_CRED);
395
	COUNTER_INC(cred_check_visible);
396

397
	return (0);
398
}
399

400
COUNTER_DECL(cred_copy_label);
401
static void
402
test_cred_copy_label(struct label *src, struct label *dest)
403
{
404

405
	LABEL_CHECK(src, MAGIC_CRED);
406
	LABEL_CHECK(dest, MAGIC_CRED);
407
	COUNTER_INC(cred_copy_label);
408
}
409

410
COUNTER_DECL(cred_create_init);
411
static void
412
test_cred_create_init(struct ucred *cred)
413
{
414

415
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
416
	COUNTER_INC(cred_create_init);
417
}
418

419
COUNTER_DECL(cred_create_swapper);
420
static void
421
test_cred_create_swapper(struct ucred *cred)
422
{
423

424
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
425
	COUNTER_INC(cred_create_swapper);
426
}
427

428
COUNTER_DECL(cred_destroy_label);
429
static void
430
test_cred_destroy_label(struct label *label)
431
{
432

433
	LABEL_DESTROY(label, MAGIC_CRED);
434
	COUNTER_INC(cred_destroy_label);
435
}
436

437
COUNTER_DECL(cred_externalize_label);
438
static int
439
test_cred_externalize_label(struct label *label, char *element_name,
440
    struct sbuf *sb, int *claimed)
441
{
442

443
	LABEL_CHECK(label, MAGIC_CRED);
444
	COUNTER_INC(cred_externalize_label);
445

446
	return (0);
447
}
448

449
COUNTER_DECL(cred_init_label);
450
static void
451
test_cred_init_label(struct label *label)
452
{
453

454
	LABEL_INIT(label, MAGIC_CRED);
455
	COUNTER_INC(cred_init_label);
456
}
457

458
COUNTER_DECL(cred_internalize_label);
459
static int
460
test_cred_internalize_label(struct label *label, char *element_name,
461
    char *element_data, int *claimed)
462
{
463

464
	LABEL_CHECK(label, MAGIC_CRED);
465
	COUNTER_INC(cred_internalize_label);
466

467
	return (0);
468
}
469

470
COUNTER_DECL(cred_relabel);
471
static void
472
test_cred_relabel(struct ucred *cred, struct label *newlabel)
473
{
474

475
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
476
	LABEL_CHECK(newlabel, MAGIC_CRED);
477
	COUNTER_INC(cred_relabel);
478
}
479

480
COUNTER_DECL(ddb_command_exec);
481
static int
482
test_ddb_command_exec(struct db_command *cmd, db_expr_t addr, bool have_addr,
483
    db_expr_t count, char *modif)
484
{
485

486
	COUNTER_INC(ddb_command_exec);
487

488
	return (0);
489
}
490

491
COUNTER_DECL(ddb_command_register);
492
static int
493
test_ddb_command_register(struct db_command_table *table,
494
    struct db_command *cmd)
495
{
496

497
	COUNTER_INC(ddb_command_register);
498

499
	return (0);
500
}
501

502
COUNTER_DECL(devfs_create_device);
503
static void
504
test_devfs_create_device(struct ucred *cred, struct mount *mp,
505
    struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
506
{
507

508
	if (cred != NULL)
509
		LABEL_CHECK(cred->cr_label, MAGIC_CRED);
510
	LABEL_CHECK(delabel, MAGIC_DEVFS);
511
	COUNTER_INC(devfs_create_device);
512
}
513

514
COUNTER_DECL(devfs_create_directory);
515
static void
516
test_devfs_create_directory(struct mount *mp, char *dirname,
517
    int dirnamelen, struct devfs_dirent *de, struct label *delabel)
518
{
519

520
	LABEL_CHECK(delabel, MAGIC_DEVFS);
521
	COUNTER_INC(devfs_create_directory);
522
}
523

524
COUNTER_DECL(devfs_create_symlink);
525
static void
526
test_devfs_create_symlink(struct ucred *cred, struct mount *mp,
527
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
528
    struct label *delabel)
529
{
530

531
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
532
	LABEL_CHECK(ddlabel, MAGIC_DEVFS);
533
	LABEL_CHECK(delabel, MAGIC_DEVFS);
534
	COUNTER_INC(devfs_create_symlink);
535
}
536

537
COUNTER_DECL(devfs_destroy_label);
538
static void
539
test_devfs_destroy_label(struct label *label)
540
{
541

542
	LABEL_DESTROY(label, MAGIC_DEVFS);
543
	COUNTER_INC(devfs_destroy_label);
544
}
545

546
COUNTER_DECL(devfs_init_label);
547
static void
548
test_devfs_init_label(struct label *label)
549
{
550

551
	LABEL_INIT(label, MAGIC_DEVFS);
552
	COUNTER_INC(devfs_init_label);
553
}
554

555
COUNTER_DECL(devfs_update);
556
static void
557
test_devfs_update(struct mount *mp, struct devfs_dirent *devfs_dirent,
558
    struct label *direntlabel, struct vnode *vp, struct label *vplabel)
559
{
560

561
	LABEL_CHECK(direntlabel, MAGIC_DEVFS);
562
	LABEL_CHECK(vplabel, MAGIC_VNODE);
563
	COUNTER_INC(devfs_update);
564
}
565

566
COUNTER_DECL(devfs_vnode_associate);
567
static void
568
test_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
569
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
570
    struct label *vplabel)
571
{
572

573
	LABEL_CHECK(mplabel, MAGIC_MOUNT);
574
	LABEL_CHECK(delabel, MAGIC_DEVFS);
575
	LABEL_CHECK(vplabel, MAGIC_VNODE);
576
	COUNTER_INC(devfs_vnode_associate);
577
}
578

579
COUNTER_DECL(ifnet_check_relabel);
580
static int
581
test_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
582
    struct label *ifplabel, struct label *newlabel)
583
{
584

585
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
586
	LABEL_CHECK(ifplabel, MAGIC_IFNET);
587
	LABEL_CHECK(newlabel, MAGIC_IFNET);
588
	COUNTER_INC(ifnet_check_relabel);
589

590
	return (0);
591
}
592

593
COUNTER_DECL(ifnet_check_transmit);
594
static int
595
test_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
596
    struct mbuf *m, struct label *mlabel)
597
{
598

599
	LABEL_CHECK(ifplabel, MAGIC_IFNET);
600
	LABEL_CHECK(mlabel, MAGIC_MBUF);
601
	COUNTER_INC(ifnet_check_transmit);
602

603
	return (0);
604
}
605

606
COUNTER_DECL(ifnet_copy_label);
607
static void
608
test_ifnet_copy_label(struct label *src, struct label *dest)
609
{
610

611
	LABEL_CHECK(src, MAGIC_IFNET);
612
	LABEL_CHECK(dest, MAGIC_IFNET);
613
	COUNTER_INC(ifnet_copy_label);
614
}
615

616
COUNTER_DECL(ifnet_create);
617
static void
618
test_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
619
{
620

621
	LABEL_CHECK(ifplabel, MAGIC_IFNET);
622
	COUNTER_INC(ifnet_create);
623
}
624

625
COUNTER_DECL(ifnet_create_mbuf);
626
static void
627
test_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
628
    struct mbuf *m, struct label *mlabel)
629
{
630

631
	LABEL_CHECK(ifplabel, MAGIC_IFNET);
632
	LABEL_CHECK(mlabel, MAGIC_MBUF);
633
	COUNTER_INC(ifnet_create_mbuf);
634
}
635

636
COUNTER_DECL(ifnet_destroy_label);
637
static void
638
test_ifnet_destroy_label(struct label *label)
639
{
640

641
	LABEL_DESTROY(label, MAGIC_IFNET);
642
	COUNTER_INC(ifnet_destroy_label);
643
}
644

645
COUNTER_DECL(ifnet_externalize_label);
646
static int
647
test_ifnet_externalize_label(struct label *label, char *element_name,
648
    struct sbuf *sb, int *claimed)
649
{
650

651
	LABEL_CHECK(label, MAGIC_IFNET);
652
	COUNTER_INC(ifnet_externalize_label);
653

654
	return (0);
655
}
656

657
COUNTER_DECL(ifnet_init_label);
658
static void
659
test_ifnet_init_label(struct label *label)
660
{
661

662
	LABEL_INIT(label, MAGIC_IFNET);
663
	COUNTER_INC(ifnet_init_label);
664
}
665

666
COUNTER_DECL(ifnet_internalize_label);
667
static int
668
test_ifnet_internalize_label(struct label *label, char *element_name,
669
    char *element_data, int *claimed)
670
{
671

672
	LABEL_CHECK(label, MAGIC_IFNET);
673
	COUNTER_INC(ifnet_internalize_label);
674

675
	return (0);
676
}
677

678
COUNTER_DECL(ifnet_relabel);
679
static void
680
test_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
681
    struct label *ifplabel, struct label *newlabel)
682
{
683

684
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
685
	LABEL_CHECK(ifplabel, MAGIC_IFNET);
686
	LABEL_CHECK(newlabel, MAGIC_IFNET);
687
	COUNTER_INC(ifnet_relabel);
688
}
689

690
COUNTER_DECL(inpcb_check_deliver);
691
static int
692
test_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
693
    struct mbuf *m, struct label *mlabel)
694
{
695

696
	LABEL_CHECK(inplabel, MAGIC_INPCB);
697
	LABEL_CHECK(mlabel, MAGIC_MBUF);
698
	COUNTER_INC(inpcb_check_deliver);
699

700
	return (0);
701
}
702

703
COUNTER_DECL(inpcb_check_visible);
704
static int
705
test_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
706
    struct label *inplabel)
707
{
708

709
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
710
	LABEL_CHECK(inplabel, MAGIC_INPCB);
711
	COUNTER_INC(inpcb_check_visible);
712

713
	return (0);
714
}
715

716
COUNTER_DECL(inpcb_create);
717
static void
718
test_inpcb_create(struct socket *so, struct label *solabel,
719
    struct inpcb *inp, struct label *inplabel)
720
{
721

722
	SOCK_LOCK(so);
723
	LABEL_CHECK(solabel, MAGIC_SOCKET);
724
	SOCK_UNLOCK(so);
725
	LABEL_CHECK(inplabel, MAGIC_INPCB);
726
	COUNTER_INC(inpcb_create);
727
}
728

729
COUNTER_DECL(inpcb_create_mbuf);
730
static void
731
test_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
732
    struct mbuf *m, struct label *mlabel)
733
{
734

735
	LABEL_CHECK(inplabel, MAGIC_INPCB);
736
	LABEL_CHECK(mlabel, MAGIC_MBUF);
737
	COUNTER_INC(inpcb_create_mbuf);
738
}
739

740
COUNTER_DECL(inpcb_destroy_label);
741
static void
742
test_inpcb_destroy_label(struct label *label)
743
{
744

745
	LABEL_DESTROY(label, MAGIC_INPCB);
746
	COUNTER_INC(inpcb_destroy_label);
747
}
748

749
COUNTER_DECL(inpcb_init_label);
750
static int
751
test_inpcb_init_label(struct label *label, int flag)
752
{
753

754
	if (flag & M_WAITOK)
755
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
756
		    "test_inpcb_init_label() at %s:%d", __FILE__,
757
		    __LINE__);
758

759
	LABEL_INIT(label, MAGIC_INPCB);
760
	COUNTER_INC(inpcb_init_label);
761
	return (0);
762
}
763

764
COUNTER_DECL(inpcb_sosetlabel);
765
static void
766
test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
767
    struct inpcb *inp, struct label *inplabel)
768
{
769

770
	SOCK_LOCK_ASSERT(so);
771

772
	LABEL_CHECK(solabel, MAGIC_SOCKET);
773
	LABEL_CHECK(inplabel, MAGIC_INPCB);
774
	COUNTER_INC(inpcb_sosetlabel);
775
}
776

777
COUNTER_DECL(ip6q_create);
778
static void
779
test_ip6q_create(struct mbuf *fragment, struct label *fragmentlabel,
780
    struct ip6q *q6, struct label *q6label)
781
{
782

783
	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
784
	LABEL_CHECK(q6label, MAGIC_IP6Q);
785
	COUNTER_INC(ip6q_create);
786
}
787

788
COUNTER_DECL(ip6q_destroy_label);
789
static void
790
test_ip6q_destroy_label(struct label *label)
791
{
792

793
	LABEL_DESTROY(label, MAGIC_IP6Q);
794
	COUNTER_INC(ip6q_destroy_label);
795
}
796

797
COUNTER_DECL(ip6q_init_label);
798
static int
799
test_ip6q_init_label(struct label *label, int flag)
800
{
801

802
	if (flag & M_WAITOK)
803
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
804
		    "test_ip6q_init_label() at %s:%d", __FILE__,
805
		    __LINE__);
806

807
	LABEL_INIT(label, MAGIC_IP6Q);
808
	COUNTER_INC(ip6q_init_label);
809
	return (0);
810
}
811

812
COUNTER_DECL(ip6q_match);
813
static int
814
test_ip6q_match(struct mbuf *fragment, struct label *fragmentlabel,
815
    struct ip6q *q6, struct label *q6label)
816
{
817

818
	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
819
	LABEL_CHECK(q6label, MAGIC_IP6Q);
820
	COUNTER_INC(ip6q_match);
821

822
	return (1);
823
}
824

825
COUNTER_DECL(ip6q_reassemble);
826
static void
827
test_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
828
   struct label *mlabel)
829
{
830

831
	LABEL_CHECK(q6label, MAGIC_IP6Q);
832
	LABEL_CHECK(mlabel, MAGIC_MBUF);
833
	COUNTER_INC(ip6q_reassemble);
834
}
835

836
COUNTER_DECL(ip6q_update);
837
static void
838
test_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
839
    struct label *q6label)
840
{
841

842
	LABEL_CHECK(mlabel, MAGIC_MBUF);
843
	LABEL_CHECK(q6label, MAGIC_IP6Q);
844
	COUNTER_INC(ip6q_update);
845
}
846

847
COUNTER_DECL(ipq_create);
848
static void
849
test_ipq_create(struct mbuf *fragment, struct label *fragmentlabel,
850
    struct ipq *q, struct label *qlabel)
851
{
852

853
	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
854
	LABEL_CHECK(qlabel, MAGIC_IPQ);
855
	COUNTER_INC(ipq_create);
856
}
857

858
COUNTER_DECL(ipq_destroy_label);
859
static void
860
test_ipq_destroy_label(struct label *label)
861
{
862

863
	LABEL_DESTROY(label, MAGIC_IPQ);
864
	COUNTER_INC(ipq_destroy_label);
865
}
866

867
COUNTER_DECL(ipq_init_label);
868
static int
869
test_ipq_init_label(struct label *label, int flag)
870
{
871

872
	if (flag & M_WAITOK)
873
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
874
		    "test_ipq_init_label() at %s:%d", __FILE__,
875
		    __LINE__);
876

877
	LABEL_INIT(label, MAGIC_IPQ);
878
	COUNTER_INC(ipq_init_label);
879
	return (0);
880
}
881

882
COUNTER_DECL(ipq_match);
883
static int
884
test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel,
885
    struct ipq *q, struct label *qlabel)
886
{
887

888
	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
889
	LABEL_CHECK(qlabel, MAGIC_IPQ);
890
	COUNTER_INC(ipq_match);
891

892
	return (1);
893
}
894

895
COUNTER_DECL(ipq_reassemble);
896
static void
897
test_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m,
898
   struct label *mlabel)
899
{
900

901
	LABEL_CHECK(qlabel, MAGIC_IPQ);
902
	LABEL_CHECK(mlabel, MAGIC_MBUF);
903
	COUNTER_INC(ipq_reassemble);
904
}
905

906
COUNTER_DECL(ipq_update);
907
static void
908
test_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q,
909
    struct label *qlabel)
910
{
911

912
	LABEL_CHECK(mlabel, MAGIC_MBUF);
913
	LABEL_CHECK(qlabel, MAGIC_IPQ);
914
	COUNTER_INC(ipq_update);
915
}
916

917
COUNTER_DECL(kdb_backend_check);
918
static int
919
test_kdb_check_backend(struct kdb_dbbe *be)
920
{
921

922
	COUNTER_INC(kdb_backend_check);
923

924
	return (0);
925
}
926

927
COUNTER_DECL(kenv_check_dump);
928
static int
929
test_kenv_check_dump(struct ucred *cred)
930
{
931

932
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
933
	COUNTER_INC(kenv_check_dump);
934

935
	return (0);
936
}
937

938
COUNTER_DECL(kenv_check_get);
939
static int
940
test_kenv_check_get(struct ucred *cred, char *name)
941
{
942

943
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
944
	COUNTER_INC(kenv_check_get);
945

946
	return (0);
947
}
948

949
COUNTER_DECL(kenv_check_set);
950
static int
951
test_kenv_check_set(struct ucred *cred, char *name, char *value)
952
{
953

954
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
955
	COUNTER_INC(kenv_check_set);
956

957
	return (0);
958
}
959

960
COUNTER_DECL(kenv_check_unset);
961
static int
962
test_kenv_check_unset(struct ucred *cred, char *name)
963
{
964

965
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
966
	COUNTER_INC(kenv_check_unset);
967

968
	return (0);
969
}
970

971
COUNTER_DECL(kld_check_load);
972
static int
973
test_kld_check_load(struct ucred *cred, struct vnode *vp,
974
    struct label *label)
975
{
976

977
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
978
	LABEL_CHECK(label, MAGIC_VNODE);
979
	COUNTER_INC(kld_check_load);
980

981
	return (0);
982
}
983

984
COUNTER_DECL(kld_check_stat);
985
static int
986
test_kld_check_stat(struct ucred *cred)
987
{
988

989
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
990
	COUNTER_INC(kld_check_stat);
991

992
	return (0);
993
}
994

995
COUNTER_DECL(mbuf_copy_label);
996
static void
997
test_mbuf_copy_label(struct label *src, struct label *dest)
998
{
999

1000
	LABEL_CHECK(src, MAGIC_MBUF);
1001
	LABEL_CHECK(dest, MAGIC_MBUF);
1002
	COUNTER_INC(mbuf_copy_label);
1003
}
1004

1005
COUNTER_DECL(mbuf_destroy_label);
1006
static void
1007
test_mbuf_destroy_label(struct label *label)
1008
{
1009

1010
	/*
1011
	 * If we're loaded dynamically, there may be mbufs in flight that
1012
	 * didn't have label storage allocated for them.  Handle this
1013
	 * gracefully.
1014
	 */
1015
	if (label == NULL)
1016
		return;
1017

1018
	LABEL_DESTROY(label, MAGIC_MBUF);
1019
	COUNTER_INC(mbuf_destroy_label);
1020
}
1021

1022
COUNTER_DECL(mbuf_init_label);
1023
static int
1024
test_mbuf_init_label(struct label *label, int flag)
1025
{
1026

1027
	if (flag & M_WAITOK)
1028
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
1029
		    "test_mbuf_init_label() at %s:%d", __FILE__,
1030
		    __LINE__);
1031

1032
	LABEL_INIT(label, MAGIC_MBUF);
1033
	COUNTER_INC(mbuf_init_label);
1034
	return (0);
1035
}
1036

1037
COUNTER_DECL(mount_check_stat);
1038
static int
1039
test_mount_check_stat(struct ucred *cred, struct mount *mp,
1040
    struct label *mplabel)
1041
{
1042

1043
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1044
	LABEL_CHECK(mplabel, MAGIC_MOUNT);
1045
	COUNTER_INC(mount_check_stat);
1046

1047
	return (0);
1048
}
1049

1050
COUNTER_DECL(mount_create);
1051
static void
1052
test_mount_create(struct ucred *cred, struct mount *mp,
1053
    struct label *mplabel)
1054
{
1055

1056
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1057
	LABEL_CHECK(mplabel, MAGIC_MOUNT);
1058
	COUNTER_INC(mount_create);
1059
}
1060

1061
COUNTER_DECL(mount_destroy_label);
1062
static void
1063
test_mount_destroy_label(struct label *label)
1064
{
1065

1066
	LABEL_DESTROY(label, MAGIC_MOUNT);
1067
	COUNTER_INC(mount_destroy_label);
1068
}
1069

1070
COUNTER_DECL(mount_init_label);
1071
static void
1072
test_mount_init_label(struct label *label)
1073
{
1074

1075
	LABEL_INIT(label, MAGIC_MOUNT);
1076
	COUNTER_INC(mount_init_label);
1077
}
1078

1079
COUNTER_DECL(netinet_arp_send);
1080
static void
1081
test_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
1082
    struct mbuf *m, struct label *mlabel)
1083
{
1084

1085
	LABEL_CHECK(ifplabel, MAGIC_IFNET);
1086
	LABEL_CHECK(mlabel, MAGIC_MBUF);
1087
	COUNTER_INC(netinet_arp_send);
1088
}
1089

1090
COUNTER_DECL(netinet_fragment);
1091
static void
1092
test_netinet_fragment(struct mbuf *m, struct label *mlabel,
1093
    struct mbuf *frag, struct label *fraglabel)
1094
{
1095

1096
	LABEL_CHECK(mlabel, MAGIC_MBUF);
1097
	LABEL_CHECK(fraglabel, MAGIC_MBUF);
1098
	COUNTER_INC(netinet_fragment);
1099
}
1100

1101
COUNTER_DECL(netinet_icmp_reply);
1102
static void
1103
test_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
1104
    struct mbuf *msend, struct label *msendlabel)
1105
{
1106

1107
	LABEL_CHECK(mrecvlabel, MAGIC_MBUF);
1108
	LABEL_CHECK(msendlabel, MAGIC_MBUF);
1109
	COUNTER_INC(netinet_icmp_reply);
1110
}
1111

1112
COUNTER_DECL(netinet_icmp_replyinplace);
1113
static void
1114
test_netinet_icmp_replyinplace(struct mbuf *m, struct label *mlabel)
1115
{
1116

1117
	LABEL_CHECK(mlabel, MAGIC_MBUF);
1118
	COUNTER_INC(netinet_icmp_replyinplace);
1119
}
1120

1121
COUNTER_DECL(netinet_igmp_send);
1122
static void
1123
test_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
1124
    struct mbuf *m, struct label *mlabel)
1125
{
1126

1127
	LABEL_CHECK(ifplabel, MAGIC_IFNET);
1128
	LABEL_CHECK(mlabel, MAGIC_MBUF);
1129
	COUNTER_INC(netinet_igmp_send);
1130
}
1131

1132
COUNTER_DECL(netinet_tcp_reply);
1133
static void
1134
test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
1135
{
1136

1137
	LABEL_CHECK(mlabel, MAGIC_MBUF);
1138
	COUNTER_INC(netinet_tcp_reply);
1139
}
1140

1141
COUNTER_DECL(netinet6_nd6_send);
1142
static void
1143
test_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
1144
    struct mbuf *m, struct label *mlabel)
1145
{
1146

1147
	LABEL_CHECK(ifplabel, MAGIC_IFNET);
1148
	LABEL_CHECK(mlabel, MAGIC_MBUF);
1149
	COUNTER_INC(netinet6_nd6_send);
1150
}
1151

1152
COUNTER_DECL(pipe_check_ioctl);
1153
static int
1154
test_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
1155
    struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
1156
{
1157

1158
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1159
	LABEL_CHECK(pplabel, MAGIC_PIPE);
1160
	COUNTER_INC(pipe_check_ioctl);
1161

1162
	return (0);
1163
}
1164

1165
COUNTER_DECL(pipe_check_poll);
1166
static int
1167
test_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
1168
    struct label *pplabel)
1169
{
1170

1171
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1172
	LABEL_CHECK(pplabel, MAGIC_PIPE);
1173
	COUNTER_INC(pipe_check_poll);
1174

1175
	return (0);
1176
}
1177

1178
COUNTER_DECL(pipe_check_read);
1179
static int
1180
test_pipe_check_read(struct ucred *cred, struct pipepair *pp,
1181
    struct label *pplabel)
1182
{
1183

1184
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1185
	LABEL_CHECK(pplabel, MAGIC_PIPE);
1186
	COUNTER_INC(pipe_check_read);
1187

1188
	return (0);
1189
}
1190

1191
COUNTER_DECL(pipe_check_relabel);
1192
static int
1193
test_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
1194
    struct label *pplabel, struct label *newlabel)
1195
{
1196

1197
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1198
	LABEL_CHECK(pplabel, MAGIC_PIPE);
1199
	LABEL_CHECK(newlabel, MAGIC_PIPE);
1200
	COUNTER_INC(pipe_check_relabel);
1201

1202
	return (0);
1203
}
1204

1205
COUNTER_DECL(pipe_check_stat);
1206
static int
1207
test_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
1208
    struct label *pplabel)
1209
{
1210

1211
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1212
	LABEL_CHECK(pplabel, MAGIC_PIPE);
1213
	COUNTER_INC(pipe_check_stat);
1214

1215
	return (0);
1216
}
1217

1218
COUNTER_DECL(pipe_check_write);
1219
static int
1220
test_pipe_check_write(struct ucred *cred, struct pipepair *pp,
1221
    struct label *pplabel)
1222
{
1223

1224
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1225
	LABEL_CHECK(pplabel, MAGIC_PIPE);
1226
	COUNTER_INC(pipe_check_write);
1227

1228
	return (0);
1229
}
1230

1231
COUNTER_DECL(pipe_copy_label);
1232
static void
1233
test_pipe_copy_label(struct label *src, struct label *dest)
1234
{
1235

1236
	LABEL_CHECK(src, MAGIC_PIPE);
1237
	LABEL_CHECK(dest, MAGIC_PIPE);
1238
	COUNTER_INC(pipe_copy_label);
1239
}
1240

1241
COUNTER_DECL(pipe_create);
1242
static void
1243
test_pipe_create(struct ucred *cred, struct pipepair *pp,
1244
   struct label *pplabel)
1245
{
1246

1247
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1248
	LABEL_CHECK(pplabel, MAGIC_PIPE);
1249
	COUNTER_INC(pipe_create);
1250
}
1251

1252
COUNTER_DECL(pipe_destroy_label);
1253
static void
1254
test_pipe_destroy_label(struct label *label)
1255
{
1256

1257
	LABEL_DESTROY(label, MAGIC_PIPE);
1258
	COUNTER_INC(pipe_destroy_label);
1259
}
1260

1261
COUNTER_DECL(pipe_externalize_label);
1262
static int
1263
test_pipe_externalize_label(struct label *label, char *element_name,
1264
    struct sbuf *sb, int *claimed)
1265
{
1266

1267
	LABEL_CHECK(label, MAGIC_PIPE);
1268
	COUNTER_INC(pipe_externalize_label);
1269

1270
	return (0);
1271
}
1272

1273
COUNTER_DECL(pipe_init_label);
1274
static void
1275
test_pipe_init_label(struct label *label)
1276
{
1277

1278
	LABEL_INIT(label, MAGIC_PIPE);
1279
	COUNTER_INC(pipe_init_label);
1280
}
1281

1282
COUNTER_DECL(pipe_internalize_label);
1283
static int
1284
test_pipe_internalize_label(struct label *label, char *element_name,
1285
    char *element_data, int *claimed)
1286
{
1287

1288
	LABEL_CHECK(label, MAGIC_PIPE);
1289
	COUNTER_INC(pipe_internalize_label);
1290

1291
	return (0);
1292
}
1293

1294
COUNTER_DECL(pipe_relabel);
1295
static void
1296
test_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1297
    struct label *pplabel, struct label *newlabel)
1298
{
1299

1300
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1301
	LABEL_CHECK(pplabel, MAGIC_PIPE);
1302
	LABEL_CHECK(newlabel, MAGIC_PIPE);
1303
	COUNTER_INC(pipe_relabel);
1304
}
1305

1306
COUNTER_DECL(posixsem_check_getvalue);
1307
static int
1308
test_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred,
1309
    struct ksem *ks, struct label *kslabel)
1310
{
1311

1312
	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
1313
	LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
1314
	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
1315
	COUNTER_INC(posixsem_check_getvalue);
1316

1317
	return (0);
1318
}
1319

1320
COUNTER_DECL(posixsem_check_open);
1321
static int
1322
test_posixsem_check_open(struct ucred *cred, struct ksem *ks,
1323
    struct label *kslabel)
1324
{
1325

1326
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1327
	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
1328
	COUNTER_INC(posixsem_check_open);
1329

1330
	return (0);
1331
}
1332

1333
COUNTER_DECL(posixsem_check_post);
1334
static int
1335
test_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred,
1336
    struct ksem *ks, struct label *kslabel)
1337
{
1338

1339
	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
1340
	LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
1341
	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
1342
	COUNTER_INC(posixsem_check_post);
1343

1344
	return (0);
1345
}
1346

1347
COUNTER_DECL(posixsem_check_setmode);
1348
static int
1349
test_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
1350
    struct label *kslabel, mode_t mode)
1351
{
1352

1353
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1354
	LABEL_CHECK(kslabel, MAGIC_POSIX_SHM);
1355
	COUNTER_INC(posixsem_check_setmode);
1356
	return (0);
1357
}
1358

1359
COUNTER_DECL(posixsem_check_setowner);
1360
static int
1361
test_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
1362
    struct label *kslabel, uid_t uid, gid_t gid)
1363
{
1364

1365
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1366
	LABEL_CHECK(kslabel, MAGIC_POSIX_SHM);
1367
	COUNTER_INC(posixsem_check_setowner);
1368
	return (0);
1369
}
1370

1371
COUNTER_DECL(posixsem_check_stat);
1372
static int
1373
test_posixsem_check_stat(struct ucred *active_cred,
1374
    struct ucred *file_cred, struct ksem *ks, struct label *kslabel)
1375
{
1376

1377
	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
1378
	LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
1379
	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
1380
	COUNTER_INC(posixsem_check_stat);
1381
	return (0);
1382
}
1383

1384
COUNTER_DECL(posixsem_check_unlink);
1385
static int
1386
test_posixsem_check_unlink(struct ucred *cred, struct ksem *ks,
1387
    struct label *kslabel)
1388
{
1389

1390
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1391
	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
1392
	COUNTER_INC(posixsem_check_unlink);
1393

1394
	return (0);
1395
}
1396

1397
COUNTER_DECL(posixsem_check_wait);
1398
static int
1399
test_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred,
1400
    struct ksem *ks, struct label *kslabel)
1401
{
1402

1403
	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
1404
	LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
1405
	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
1406
	COUNTER_INC(posixsem_check_wait);
1407

1408
	return (0);
1409
}
1410

1411
COUNTER_DECL(posixsem_create);
1412
static void
1413
test_posixsem_create(struct ucred *cred, struct ksem *ks,
1414
   struct label *kslabel)
1415
{
1416

1417
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1418
	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
1419
	COUNTER_INC(posixsem_create);
1420
}
1421

1422
COUNTER_DECL(posixsem_destroy_label);
1423
static void
1424
test_posixsem_destroy_label(struct label *label)
1425
{
1426

1427
	LABEL_DESTROY(label, MAGIC_POSIX_SEM);
1428
	COUNTER_INC(posixsem_destroy_label);
1429
}
1430

1431
COUNTER_DECL(posixsem_init_label);
1432
static void
1433
test_posixsem_init_label(struct label *label)
1434
{
1435

1436
	LABEL_INIT(label, MAGIC_POSIX_SEM);
1437
	COUNTER_INC(posixsem_init_label);
1438
}
1439

1440
COUNTER_DECL(posixshm_check_create);
1441
static int
1442
test_posixshm_check_create(struct ucred *cred, const char *path)
1443
{
1444

1445
	COUNTER_INC(posixshm_check_create);
1446
	return (0);
1447
}
1448

1449
COUNTER_DECL(posixshm_check_mmap);
1450
static int
1451
test_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
1452
    struct label *shmfdlabel, int prot, int flags)
1453
{
1454

1455
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1456
	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
1457
	COUNTER_INC(posixshm_check_mmap);
1458
	return (0);
1459
}
1460

1461
COUNTER_DECL(posixshm_check_open);
1462
static int
1463
test_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
1464
    struct label *shmfdlabel, accmode_t accmode)
1465
{
1466

1467
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1468
	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
1469
	COUNTER_INC(posixshm_check_open);
1470
	return (0);
1471
}
1472

1473
COUNTER_DECL(posixshm_check_read);
1474
static int
1475
test_posixshm_check_read(struct ucred *active_cred,
1476
    struct ucred *file_cred, struct shmfd *shm, struct label *shmlabel)
1477
{
1478

1479
	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
1480
	if (file_cred != NULL)
1481
		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
1482
	LABEL_CHECK(shmlabel, MAGIC_POSIX_SHM);
1483
	COUNTER_INC(posixshm_check_read);
1484

1485
	return (0);
1486
}
1487

1488
COUNTER_DECL(posixshm_check_setmode);
1489
static int
1490
test_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
1491
    struct label *shmfdlabel, mode_t mode)
1492
{
1493

1494
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1495
	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
1496
	COUNTER_INC(posixshm_check_setmode);
1497
	return (0);
1498
}
1499

1500
COUNTER_DECL(posixshm_check_setowner);
1501
static int
1502
test_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
1503
    struct label *shmfdlabel, uid_t uid, gid_t gid)
1504
{
1505

1506
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1507
	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
1508
	COUNTER_INC(posixshm_check_setowner);
1509
	return (0);
1510
}
1511

1512
COUNTER_DECL(posixshm_check_stat);
1513
static int
1514
test_posixshm_check_stat(struct ucred *active_cred,
1515
    struct ucred *file_cred, struct shmfd *shmfd, struct label *shmfdlabel)
1516
{
1517

1518
	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
1519
	LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
1520
	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
1521
	COUNTER_INC(posixshm_check_stat);
1522
	return (0);
1523
}
1524

1525
COUNTER_DECL(posixshm_check_truncate);
1526
static int
1527
test_posixshm_check_truncate(struct ucred *active_cred,
1528
    struct ucred *file_cred, struct shmfd *shmfd, struct label *shmfdlabel)
1529
{
1530

1531
	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
1532
	LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
1533
	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
1534
	COUNTER_INC(posixshm_check_truncate);
1535
	return (0);
1536
}
1537

1538
COUNTER_DECL(posixshm_check_unlink);
1539
static int
1540
test_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
1541
    struct label *shmfdlabel)
1542
{
1543

1544
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1545
	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
1546
	COUNTER_INC(posixshm_check_unlink);
1547
	return (0);
1548
}
1549

1550
COUNTER_DECL(posixshm_check_write);
1551
static int
1552
test_posixshm_check_write(struct ucred *active_cred,
1553
    struct ucred *file_cred, struct shmfd *shm, struct label *shmlabel)
1554
{
1555

1556
	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
1557
	if (file_cred != NULL)
1558
		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
1559
	LABEL_CHECK(shmlabel, MAGIC_POSIX_SHM);
1560
	COUNTER_INC(posixshm_check_write);
1561

1562
	return (0);
1563
}
1564

1565
COUNTER_DECL(posixshm_create);
1566
static void
1567
test_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
1568
   struct label *shmfdlabel)
1569
{
1570

1571
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1572
	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
1573
	COUNTER_INC(posixshm_create);
1574
}
1575

1576
COUNTER_DECL(posixshm_destroy_label);
1577
static void
1578
test_posixshm_destroy_label(struct label *label)
1579
{
1580

1581
	LABEL_DESTROY(label, MAGIC_POSIX_SHM);
1582
	COUNTER_INC(posixshm_destroy_label);
1583
}
1584

1585
COUNTER_DECL(posixshm_init_label);
1586
static void
1587
test_posixshm_init_label(struct label *label)
1588
{
1589

1590
	LABEL_INIT(label, MAGIC_POSIX_SHM);
1591
	COUNTER_INC(posixshm_init_label);
1592
}
1593

1594
COUNTER_DECL(proc_check_debug);
1595
static int
1596
test_proc_check_debug(struct ucred *cred, struct proc *p)
1597
{
1598

1599
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1600
	LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1601
	COUNTER_INC(proc_check_debug);
1602

1603
	return (0);
1604
}
1605

1606
COUNTER_DECL(proc_check_sched);
1607
static int
1608
test_proc_check_sched(struct ucred *cred, struct proc *p)
1609
{
1610

1611
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1612
	LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1613
	COUNTER_INC(proc_check_sched);
1614

1615
	return (0);
1616
}
1617

1618
COUNTER_DECL(proc_check_signal);
1619
static int
1620
test_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
1621
{
1622

1623
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1624
	LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1625
	COUNTER_INC(proc_check_signal);
1626

1627
	return (0);
1628
}
1629

1630
COUNTER_DECL(proc_check_wait);
1631
static int
1632
test_proc_check_wait(struct ucred *cred, struct proc *p)
1633
{
1634

1635
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1636
	LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
1637
	COUNTER_INC(proc_check_wait);
1638

1639
	return (0);
1640
}
1641

1642
COUNTER_DECL(proc_destroy_label);
1643
static void
1644
test_proc_destroy_label(struct label *label)
1645
{
1646

1647
	LABEL_DESTROY(label, MAGIC_PROC);
1648
	COUNTER_INC(proc_destroy_label);
1649
}
1650

1651
COUNTER_DECL(proc_init_label);
1652
static void
1653
test_proc_init_label(struct label *label)
1654
{
1655

1656
	LABEL_INIT(label, MAGIC_PROC);
1657
	COUNTER_INC(proc_init_label);
1658
}
1659

1660
COUNTER_DECL(socket_check_accept);
1661
static int
1662
test_socket_check_accept(struct ucred *cred, struct socket *so,
1663
    struct label *solabel)
1664
{
1665

1666
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1667
	SOCK_LOCK(so);
1668
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1669
	SOCK_UNLOCK(so);
1670
	COUNTER_INC(socket_check_accept);
1671

1672
	return (0);
1673
}
1674

1675
COUNTER_DECL(socket_check_bind);
1676
static int
1677
test_socket_check_bind(struct ucred *cred, struct socket *so,
1678
    struct label *solabel, struct sockaddr *sa)
1679
{
1680

1681
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1682
	SOCK_LOCK(so);
1683
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1684
	SOCK_UNLOCK(so);
1685
	COUNTER_INC(socket_check_bind);
1686

1687
	return (0);
1688
}
1689

1690
COUNTER_DECL(socket_check_connect);
1691
static int
1692
test_socket_check_connect(struct ucred *cred, struct socket *so,
1693
    struct label *solabel, struct sockaddr *sa)
1694
{
1695

1696
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1697
	SOCK_LOCK(so);
1698
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1699
	SOCK_UNLOCK(so);
1700
	COUNTER_INC(socket_check_connect);
1701

1702
	return (0);
1703
}
1704

1705
COUNTER_DECL(socket_check_deliver);
1706
static int
1707
test_socket_check_deliver(struct socket *so, struct label *solabel,
1708
    struct mbuf *m, struct label *mlabel)
1709
{
1710

1711
	SOCK_LOCK(so);
1712
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1713
	SOCK_UNLOCK(so);
1714
	LABEL_CHECK(mlabel, MAGIC_MBUF);
1715
	COUNTER_INC(socket_check_deliver);
1716

1717
	return (0);
1718
}
1719

1720
COUNTER_DECL(socket_check_listen);
1721
static int
1722
test_socket_check_listen(struct ucred *cred, struct socket *so,
1723
    struct label *solabel)
1724
{
1725

1726
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1727
	SOCK_LOCK(so);
1728
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1729
	SOCK_UNLOCK(so);
1730
	COUNTER_INC(socket_check_listen);
1731

1732
	return (0);
1733
}
1734

1735
COUNTER_DECL(socket_check_poll);
1736
static int
1737
test_socket_check_poll(struct ucred *cred, struct socket *so,
1738
    struct label *solabel)
1739
{
1740

1741
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1742
	SOCK_LOCK(so);
1743
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1744
	SOCK_UNLOCK(so);
1745
	COUNTER_INC(socket_check_poll);
1746

1747
	return (0);
1748
}
1749

1750
COUNTER_DECL(socket_check_receive);
1751
static int
1752
test_socket_check_receive(struct ucred *cred, struct socket *so,
1753
    struct label *solabel)
1754
{
1755

1756
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1757
	SOCK_LOCK(so);
1758
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1759
	SOCK_UNLOCK(so);
1760
	COUNTER_INC(socket_check_receive);
1761

1762
	return (0);
1763
}
1764

1765
COUNTER_DECL(socket_check_relabel);
1766
static int
1767
test_socket_check_relabel(struct ucred *cred, struct socket *so,
1768
    struct label *solabel, struct label *newlabel)
1769
{
1770

1771
	SOCK_LOCK_ASSERT(so);
1772

1773
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1774
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1775
	LABEL_CHECK(newlabel, MAGIC_SOCKET);
1776
	COUNTER_INC(socket_check_relabel);
1777

1778
	return (0);
1779
}
1780

1781
COUNTER_DECL(socket_check_send);
1782
static int
1783
test_socket_check_send(struct ucred *cred, struct socket *so,
1784
    struct label *solabel)
1785
{
1786

1787
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1788
	SOCK_LOCK(so);
1789
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1790
	SOCK_UNLOCK(so);
1791
	COUNTER_INC(socket_check_send);
1792

1793
	return (0);
1794
}
1795

1796
COUNTER_DECL(socket_check_stat);
1797
static int
1798
test_socket_check_stat(struct ucred *cred, struct socket *so,
1799
    struct label *solabel)
1800
{
1801

1802
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1803
	SOCK_LOCK(so);
1804
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1805
	SOCK_UNLOCK(so);
1806
	COUNTER_INC(socket_check_stat);
1807

1808
	return (0);
1809
}
1810

1811
COUNTER_DECL(socket_check_visible);
1812
static int
1813
test_socket_check_visible(struct ucred *cred, struct socket *so,
1814
    struct label *solabel)
1815
{
1816

1817
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1818
	SOCK_LOCK(so);
1819
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1820
	SOCK_UNLOCK(so);
1821
	COUNTER_INC(socket_check_visible);
1822

1823
	return (0);
1824
}
1825

1826
COUNTER_DECL(socket_copy_label);
1827
static void
1828
test_socket_copy_label(struct label *src, struct label *dest)
1829
{
1830

1831
	LABEL_CHECK(src, MAGIC_SOCKET);
1832
	LABEL_CHECK(dest, MAGIC_SOCKET);
1833
	COUNTER_INC(socket_copy_label);
1834
}
1835

1836
COUNTER_DECL(socket_create);
1837
static void
1838
test_socket_create(struct ucred *cred, struct socket *so,
1839
    struct label *solabel)
1840
{
1841

1842
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1843
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1844
	COUNTER_INC(socket_create);
1845
}
1846

1847
COUNTER_DECL(socket_create_mbuf);
1848
static void
1849
test_socket_create_mbuf(struct socket *so, struct label *solabel,
1850
    struct mbuf *m, struct label *mlabel)
1851
{
1852

1853
	SOCK_LOCK(so);
1854
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1855
	SOCK_UNLOCK(so);
1856
	LABEL_CHECK(mlabel, MAGIC_MBUF);
1857
	COUNTER_INC(socket_create_mbuf);
1858
}
1859

1860
COUNTER_DECL(socket_destroy_label);
1861
static void
1862
test_socket_destroy_label(struct label *label)
1863
{
1864

1865
	LABEL_DESTROY(label, MAGIC_SOCKET);
1866
	COUNTER_INC(socket_destroy_label);
1867
}
1868

1869
COUNTER_DECL(socket_externalize_label);
1870
static int
1871
test_socket_externalize_label(struct label *label, char *element_name,
1872
    struct sbuf *sb, int *claimed)
1873
{
1874

1875
	LABEL_CHECK(label, MAGIC_SOCKET);
1876
	COUNTER_INC(socket_externalize_label);
1877

1878
	return (0);
1879
}
1880

1881
COUNTER_DECL(socket_init_label);
1882
static int
1883
test_socket_init_label(struct label *label, int flag)
1884
{
1885

1886
	if (flag & M_WAITOK)
1887
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
1888
		    "test_socket_init_label() at %s:%d", __FILE__,
1889
		    __LINE__);
1890

1891
	LABEL_INIT(label, MAGIC_SOCKET);
1892
	COUNTER_INC(socket_init_label);
1893
	return (0);
1894
}
1895

1896
COUNTER_DECL(socket_internalize_label);
1897
static int
1898
test_socket_internalize_label(struct label *label, char *element_name,
1899
    char *element_data, int *claimed)
1900
{
1901

1902
	LABEL_CHECK(label, MAGIC_SOCKET);
1903
	COUNTER_INC(socket_internalize_label);
1904

1905
	return (0);
1906
}
1907

1908
COUNTER_DECL(socket_newconn);
1909
static void
1910
test_socket_newconn(struct socket *oldso, struct label *oldsolabel,
1911
    struct socket *newso, struct label *newsolabel)
1912
{
1913

1914
	SOCK_LOCK(oldso);
1915
	LABEL_CHECK(oldsolabel, MAGIC_SOCKET);
1916
	SOCK_UNLOCK(oldso);
1917
	SOCK_LOCK(newso);
1918
	LABEL_CHECK(newsolabel, MAGIC_SOCKET);
1919
	SOCK_UNLOCK(newso);
1920
	COUNTER_INC(socket_newconn);
1921
}
1922

1923
COUNTER_DECL(socket_relabel);
1924
static void
1925
test_socket_relabel(struct ucred *cred, struct socket *so,
1926
    struct label *solabel, struct label *newlabel)
1927
{
1928

1929
	SOCK_LOCK_ASSERT(so);
1930

1931
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
1932
	LABEL_CHECK(solabel, MAGIC_SOCKET);
1933
	LABEL_CHECK(newlabel, MAGIC_SOCKET);
1934
	COUNTER_INC(socket_relabel);
1935
}
1936

1937
COUNTER_DECL(socketpeer_destroy_label);
1938
static void
1939
test_socketpeer_destroy_label(struct label *label)
1940
{
1941

1942
	LABEL_DESTROY(label, MAGIC_SOCKET);
1943
	COUNTER_INC(socketpeer_destroy_label);
1944
}
1945

1946
COUNTER_DECL(socketpeer_externalize_label);
1947
static int
1948
test_socketpeer_externalize_label(struct label *label, char *element_name,
1949
    struct sbuf *sb, int *claimed)
1950
{
1951

1952
	LABEL_CHECK(label, MAGIC_SOCKET);
1953
	COUNTER_INC(socketpeer_externalize_label);
1954

1955
	return (0);
1956
}
1957

1958
COUNTER_DECL(socketpeer_init_label);
1959
static int
1960
test_socketpeer_init_label(struct label *label, int flag)
1961
{
1962

1963
	if (flag & M_WAITOK)
1964
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
1965
		    "test_socketpeer_init_label() at %s:%d", __FILE__,
1966
		    __LINE__);
1967

1968
	LABEL_INIT(label, MAGIC_SOCKET);
1969
	COUNTER_INC(socketpeer_init_label);
1970
	return (0);
1971
}
1972

1973
COUNTER_DECL(socketpeer_set_from_mbuf);
1974
static void
1975
test_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
1976
    struct socket *so, struct label *sopeerlabel)
1977
{
1978

1979
	LABEL_CHECK(mlabel, MAGIC_MBUF);
1980
	SOCK_LOCK(so);
1981
	LABEL_CHECK(sopeerlabel, MAGIC_SOCKET);
1982
	SOCK_UNLOCK(so);
1983
	COUNTER_INC(socketpeer_set_from_mbuf);
1984
}
1985

1986
COUNTER_DECL(socketpeer_set_from_socket);
1987
static void
1988
test_socketpeer_set_from_socket(struct socket *oldso,
1989
    struct label *oldsolabel, struct socket *newso,
1990
    struct label *newsopeerlabel)
1991
{
1992

1993
	SOCK_LOCK(oldso);
1994
	LABEL_CHECK(oldsolabel, MAGIC_SOCKET);
1995
	SOCK_UNLOCK(oldso);
1996
	SOCK_LOCK(newso);
1997
	LABEL_CHECK(newsopeerlabel, MAGIC_SOCKET);
1998
	SOCK_UNLOCK(newso);
1999
	COUNTER_INC(socketpeer_set_from_socket);
2000
}
2001

2002
COUNTER_DECL(syncache_create);
2003
static void
2004
test_syncache_create(struct label *label, struct inpcb *inp)
2005
{
2006

2007
	LABEL_CHECK(label, MAGIC_SYNCACHE);
2008
	COUNTER_INC(syncache_create);
2009
}
2010

2011
COUNTER_DECL(syncache_create_mbuf);
2012
static void
2013
test_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
2014
    struct label *mlabel)
2015
{
2016

2017
	LABEL_CHECK(sc_label, MAGIC_SYNCACHE);
2018
	LABEL_CHECK(mlabel, MAGIC_MBUF);
2019
	COUNTER_INC(syncache_create_mbuf);
2020
}
2021

2022
COUNTER_DECL(syncache_destroy_label);
2023
static void
2024
test_syncache_destroy_label(struct label *label)
2025
{
2026

2027
	LABEL_DESTROY(label, MAGIC_SYNCACHE);
2028
	COUNTER_INC(syncache_destroy_label);
2029
}
2030

2031
COUNTER_DECL(syncache_init_label);
2032
static int
2033
test_syncache_init_label(struct label *label, int flag)
2034
{
2035

2036
	if (flag & M_WAITOK)
2037
		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
2038
		    "test_syncache_init_label() at %s:%d", __FILE__,
2039
		    __LINE__);
2040
	LABEL_INIT(label, MAGIC_SYNCACHE);
2041
	COUNTER_INC(syncache_init_label);
2042
	return (0);
2043
}
2044

2045
COUNTER_DECL(system_check_acct);
2046
static int
2047
test_system_check_acct(struct ucred *cred, struct vnode *vp,
2048
    struct label *vplabel)
2049
{
2050

2051
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2052
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2053
	COUNTER_INC(system_check_acct);
2054

2055
	return (0);
2056
}
2057

2058
COUNTER_DECL(system_check_audit);
2059
static int
2060
test_system_check_audit(struct ucred *cred, void *record, int length)
2061
{
2062

2063
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2064
	COUNTER_INC(system_check_audit);
2065

2066
	return (0);
2067
}
2068

2069
COUNTER_DECL(system_check_auditctl);
2070
static int
2071
test_system_check_auditctl(struct ucred *cred, struct vnode *vp,
2072
    struct label *vplabel)
2073
{
2074

2075
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2076
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2077
	COUNTER_INC(system_check_auditctl);
2078

2079
	return (0);
2080
}
2081

2082
COUNTER_DECL(system_check_auditon);
2083
static int
2084
test_system_check_auditon(struct ucred *cred, int cmd)
2085
{
2086

2087
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2088
	COUNTER_INC(system_check_auditon);
2089

2090
	return (0);
2091
}
2092

2093
COUNTER_DECL(system_check_reboot);
2094
static int
2095
test_system_check_reboot(struct ucred *cred, int how)
2096
{
2097

2098
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2099
	COUNTER_INC(system_check_reboot);
2100

2101
	return (0);
2102
}
2103

2104
COUNTER_DECL(system_check_swapoff);
2105
static int
2106
test_system_check_swapoff(struct ucred *cred, struct vnode *vp,
2107
    struct label *vplabel)
2108
{
2109

2110
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2111
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2112
	COUNTER_INC(system_check_swapoff);
2113

2114
	return (0);
2115
}
2116

2117
COUNTER_DECL(system_check_swapon);
2118
static int
2119
test_system_check_swapon(struct ucred *cred, struct vnode *vp,
2120
    struct label *vplabel)
2121
{
2122

2123
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2124
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2125
	COUNTER_INC(system_check_swapon);
2126

2127
	return (0);
2128
}
2129

2130
COUNTER_DECL(system_check_sysctl);
2131
static int
2132
test_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
2133
    void *arg1, int arg2, struct sysctl_req *req)
2134
{
2135

2136
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2137
	COUNTER_INC(system_check_sysctl);
2138

2139
	return (0);
2140
}
2141

2142
COUNTER_DECL(sysvmsg_cleanup);
2143
static void
2144
test_sysvmsg_cleanup(struct label *msglabel)
2145
{
2146

2147
	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
2148
	COUNTER_INC(sysvmsg_cleanup);
2149
}
2150

2151
COUNTER_DECL(sysvmsg_create);
2152
static void
2153
test_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
2154
    struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
2155
{
2156

2157
	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
2158
	LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
2159
	COUNTER_INC(sysvmsg_create);
2160
}
2161

2162
COUNTER_DECL(sysvmsg_destroy_label);
2163
static void
2164
test_sysvmsg_destroy_label(struct label *label)
2165
{
2166

2167
	LABEL_DESTROY(label, MAGIC_SYSV_MSG);
2168
	COUNTER_INC(sysvmsg_destroy_label);
2169
}
2170

2171
COUNTER_DECL(sysvmsg_init_label);
2172
static void
2173
test_sysvmsg_init_label(struct label *label)
2174
{
2175
	LABEL_INIT(label, MAGIC_SYSV_MSG);
2176
	COUNTER_INC(sysvmsg_init_label);
2177
}
2178

2179
COUNTER_DECL(sysvmsq_check_msgmsq);
2180
static int
2181
test_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
2182
    struct label *msglabel, struct msqid_kernel *msqkptr,
2183
    struct label *msqklabel)
2184
{
2185

2186
	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
2187
	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
2188
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2189
	COUNTER_INC(sysvmsq_check_msgmsq);
2190

2191
  	return (0);
2192
}
2193

2194
COUNTER_DECL(sysvmsq_check_msgrcv);
2195
static int
2196
test_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
2197
    struct label *msglabel)
2198
{
2199

2200
	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
2201
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2202
	COUNTER_INC(sysvmsq_check_msgrcv);
2203

2204
	return (0);
2205
}
2206

2207
COUNTER_DECL(sysvmsq_check_msgrmid);
2208
static int
2209
test_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
2210
    struct label *msglabel)
2211
{
2212

2213
	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
2214
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2215
	COUNTER_INC(sysvmsq_check_msgrmid);
2216

2217
	return (0);
2218
}
2219

2220
COUNTER_DECL(sysvmsq_check_msqget);
2221
static int
2222
test_sysvmsq_check_msqget(struct ucred *cred,
2223
    struct msqid_kernel *msqkptr, struct label *msqklabel)
2224
{
2225

2226
	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
2227
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2228
	COUNTER_INC(sysvmsq_check_msqget);
2229

2230
	return (0);
2231
}
2232

2233
COUNTER_DECL(sysvmsq_check_msqsnd);
2234
static int
2235
test_sysvmsq_check_msqsnd(struct ucred *cred,
2236
    struct msqid_kernel *msqkptr, struct label *msqklabel)
2237
{
2238

2239
	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
2240
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2241
	COUNTER_INC(sysvmsq_check_msqsnd);
2242

2243
	return (0);
2244
}
2245

2246
COUNTER_DECL(sysvmsq_check_msqrcv);
2247
static int
2248
test_sysvmsq_check_msqrcv(struct ucred *cred,
2249
    struct msqid_kernel *msqkptr, struct label *msqklabel)
2250
{
2251

2252
	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
2253
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2254
	COUNTER_INC(sysvmsq_check_msqrcv);
2255

2256
	return (0);
2257
}
2258

2259
COUNTER_DECL(sysvmsq_check_msqctl);
2260
static int
2261
test_sysvmsq_check_msqctl(struct ucred *cred,
2262
    struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd)
2263
{
2264

2265
	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
2266
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2267
	COUNTER_INC(sysvmsq_check_msqctl);
2268

2269
	return (0);
2270
}
2271

2272
COUNTER_DECL(sysvmsq_cleanup);
2273
static void
2274
test_sysvmsq_cleanup(struct label *msqlabel)
2275
{
2276

2277
	LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
2278
	COUNTER_INC(sysvmsq_cleanup);
2279
}
2280

2281
COUNTER_DECL(sysvmsq_create);
2282
static void
2283
test_sysvmsq_create(struct ucred *cred,
2284
    struct msqid_kernel *msqkptr, struct label *msqlabel)
2285
{
2286

2287
	LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
2288
	COUNTER_INC(sysvmsq_create);
2289
}
2290

2291
COUNTER_DECL(sysvmsq_destroy_label);
2292
static void
2293
test_sysvmsq_destroy_label(struct label *label)
2294
{
2295

2296
	LABEL_DESTROY(label, MAGIC_SYSV_MSQ);
2297
	COUNTER_INC(sysvmsq_destroy_label);
2298
}
2299

2300
COUNTER_DECL(sysvmsq_init_label);
2301
static void
2302
test_sysvmsq_init_label(struct label *label)
2303
{
2304
	LABEL_INIT(label, MAGIC_SYSV_MSQ);
2305
	COUNTER_INC(sysvmsq_init_label);
2306
}
2307

2308
COUNTER_DECL(sysvsem_check_semctl);
2309
static int
2310
test_sysvsem_check_semctl(struct ucred *cred,
2311
    struct semid_kernel *semakptr, struct label *semaklabel, int cmd)
2312
{
2313

2314
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2315
	LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
2316
	COUNTER_INC(sysvsem_check_semctl);
2317

2318
  	return (0);
2319
}
2320

2321
COUNTER_DECL(sysvsem_check_semget);
2322
static int
2323
test_sysvsem_check_semget(struct ucred *cred,
2324
    struct semid_kernel *semakptr, struct label *semaklabel)
2325
{
2326

2327
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2328
	LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
2329
	COUNTER_INC(sysvsem_check_semget);
2330

2331
	return (0);
2332
}
2333

2334
COUNTER_DECL(sysvsem_check_semop);
2335
static int
2336
test_sysvsem_check_semop(struct ucred *cred,
2337
    struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype)
2338
{
2339

2340
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2341
	LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
2342
	COUNTER_INC(sysvsem_check_semop);
2343

2344
	return (0);
2345
}
2346

2347
COUNTER_DECL(sysvsem_cleanup);
2348
static void
2349
test_sysvsem_cleanup(struct label *semalabel)
2350
{
2351

2352
	LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
2353
	COUNTER_INC(sysvsem_cleanup);
2354
}
2355

2356
COUNTER_DECL(sysvsem_create);
2357
static void
2358
test_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
2359
    struct label *semalabel)
2360
{
2361

2362
	LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
2363
	COUNTER_INC(sysvsem_create);
2364
}
2365

2366
COUNTER_DECL(sysvsem_destroy_label);
2367
static void
2368
test_sysvsem_destroy_label(struct label *label)
2369
{
2370

2371
	LABEL_DESTROY(label, MAGIC_SYSV_SEM);
2372
	COUNTER_INC(sysvsem_destroy_label);
2373
}
2374

2375
COUNTER_DECL(sysvsem_init_label);
2376
static void
2377
test_sysvsem_init_label(struct label *label)
2378
{
2379
	LABEL_INIT(label, MAGIC_SYSV_SEM);
2380
	COUNTER_INC(sysvsem_init_label);
2381
}
2382

2383
COUNTER_DECL(sysvshm_check_shmat);
2384
static int
2385
test_sysvshm_check_shmat(struct ucred *cred,
2386
    struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
2387
{
2388

2389
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2390
	LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
2391
	COUNTER_INC(sysvshm_check_shmat);
2392

2393
  	return (0);
2394
}
2395

2396
COUNTER_DECL(sysvshm_check_shmctl);
2397
static int
2398
test_sysvshm_check_shmctl(struct ucred *cred,
2399
    struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd)
2400
{
2401

2402
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2403
	LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
2404
	COUNTER_INC(sysvshm_check_shmctl);
2405

2406
  	return (0);
2407
}
2408

2409
COUNTER_DECL(sysvshm_check_shmdt);
2410
static int
2411
test_sysvshm_check_shmdt(struct ucred *cred,
2412
    struct shmid_kernel *shmsegptr, struct label *shmseglabel)
2413
{
2414

2415
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2416
	LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
2417
	COUNTER_INC(sysvshm_check_shmdt);
2418

2419
	return (0);
2420
}
2421

2422
COUNTER_DECL(sysvshm_check_shmget);
2423
static int
2424
test_sysvshm_check_shmget(struct ucred *cred,
2425
    struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
2426
{
2427

2428
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2429
	LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
2430
	COUNTER_INC(sysvshm_check_shmget);
2431

2432
	return (0);
2433
}
2434

2435
COUNTER_DECL(sysvshm_cleanup);
2436
static void
2437
test_sysvshm_cleanup(struct label *shmlabel)
2438
{
2439

2440
	LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
2441
	COUNTER_INC(sysvshm_cleanup);
2442
}
2443

2444
COUNTER_DECL(sysvshm_create);
2445
static void
2446
test_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
2447
    struct label *shmlabel)
2448
{
2449

2450
	LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
2451
	COUNTER_INC(sysvshm_create);
2452
}
2453

2454
COUNTER_DECL(sysvshm_destroy_label);
2455
static void
2456
test_sysvshm_destroy_label(struct label *label)
2457
{
2458

2459
	LABEL_DESTROY(label, MAGIC_SYSV_SHM);
2460
	COUNTER_INC(sysvshm_destroy_label);
2461
}
2462

2463
COUNTER_DECL(sysvshm_init_label);
2464
static void
2465
test_sysvshm_init_label(struct label *label)
2466
{
2467
	LABEL_INIT(label, MAGIC_SYSV_SHM);
2468
	COUNTER_INC(sysvshm_init_label);
2469
}
2470

2471
COUNTER_DECL(thread_userret);
2472
static void
2473
test_thread_userret(struct thread *td)
2474
{
2475

2476
	COUNTER_INC(thread_userret);
2477
}
2478

2479
COUNTER_DECL(vnode_associate_extattr);
2480
static int
2481
test_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
2482
    struct vnode *vp, struct label *vplabel)
2483
{
2484

2485
	LABEL_CHECK(mplabel, MAGIC_MOUNT);
2486
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2487
	COUNTER_INC(vnode_associate_extattr);
2488

2489
	return (0);
2490
}
2491

2492
COUNTER_DECL(vnode_associate_singlelabel);
2493
static void
2494
test_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
2495
    struct vnode *vp, struct label *vplabel)
2496
{
2497

2498
	LABEL_CHECK(mplabel, MAGIC_MOUNT);
2499
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2500
	COUNTER_INC(vnode_associate_singlelabel);
2501
}
2502

2503
COUNTER_DECL(vnode_check_access);
2504
static int
2505
test_vnode_check_access(struct ucred *cred, struct vnode *vp,
2506
    struct label *vplabel, accmode_t accmode)
2507
{
2508

2509
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2510
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2511
	COUNTER_INC(vnode_check_access);
2512

2513
	return (0);
2514
}
2515

2516
COUNTER_DECL(vnode_check_chdir);
2517
static int
2518
test_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
2519
    struct label *dvplabel)
2520
{
2521

2522
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2523
	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2524
	COUNTER_INC(vnode_check_chdir);
2525

2526
	return (0);
2527
}
2528

2529
COUNTER_DECL(vnode_check_chroot);
2530
static int
2531
test_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
2532
    struct label *dvplabel)
2533
{
2534

2535
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2536
	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2537
	COUNTER_INC(vnode_check_chroot);
2538

2539
	return (0);
2540
}
2541

2542
COUNTER_DECL(vnode_check_create);
2543
static int
2544
test_vnode_check_create(struct ucred *cred, struct vnode *dvp,
2545
    struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
2546
{
2547

2548
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2549
	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2550
	COUNTER_INC(vnode_check_create);
2551

2552
	return (0);
2553
}
2554

2555
COUNTER_DECL(vnode_check_deleteacl);
2556
static int
2557
test_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
2558
    struct label *vplabel, acl_type_t type)
2559
{
2560

2561
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2562
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2563
	COUNTER_INC(vnode_check_deleteacl);
2564

2565
	return (0);
2566
}
2567

2568
COUNTER_DECL(vnode_check_deleteextattr);
2569
static int
2570
test_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
2571
    struct label *vplabel, int attrnamespace, const char *name)
2572
{
2573

2574
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2575
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2576
	COUNTER_INC(vnode_check_deleteextattr);
2577

2578
	return (0);
2579
}
2580

2581
COUNTER_DECL(vnode_check_exec);
2582
static int
2583
test_vnode_check_exec(struct ucred *cred, struct vnode *vp,
2584
    struct label *vplabel, struct image_params *imgp,
2585
    struct label *execlabel)
2586
{
2587

2588
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2589
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2590
	LABEL_CHECK(execlabel, MAGIC_CRED);
2591
	COUNTER_INC(vnode_check_exec);
2592

2593
	return (0);
2594
}
2595

2596
COUNTER_DECL(vnode_check_getacl);
2597
static int
2598
test_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
2599
    struct label *vplabel, acl_type_t type)
2600
{
2601

2602
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2603
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2604
	COUNTER_INC(vnode_check_getacl);
2605

2606
	return (0);
2607
}
2608

2609
COUNTER_DECL(vnode_check_getextattr);
2610
static int
2611
test_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
2612
    struct label *vplabel, int attrnamespace, const char *name)
2613
{
2614

2615
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2616
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2617
	COUNTER_INC(vnode_check_getextattr);
2618

2619
	return (0);
2620
}
2621

2622
COUNTER_DECL(vnode_check_link);
2623
static int
2624
test_vnode_check_link(struct ucred *cred, struct vnode *dvp,
2625
    struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2626
    struct componentname *cnp)
2627
{
2628

2629
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2630
	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2631
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2632
	COUNTER_INC(vnode_check_link);
2633

2634
	return (0);
2635
}
2636

2637
COUNTER_DECL(vnode_check_listextattr);
2638
static int
2639
test_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
2640
    struct label *vplabel, int attrnamespace)
2641
{
2642

2643
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2644
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2645
	COUNTER_INC(vnode_check_listextattr);
2646

2647
	return (0);
2648
}
2649

2650
COUNTER_DECL(vnode_check_lookup);
2651
static int
2652
test_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
2653
    struct label *dvplabel, struct componentname *cnp)
2654
{
2655

2656
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2657
	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2658
	COUNTER_INC(vnode_check_lookup);
2659

2660
	return (0);
2661
}
2662

2663
COUNTER_DECL(vnode_check_mmap);
2664
static int
2665
test_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
2666
    struct label *vplabel, int prot, int flags)
2667
{
2668

2669
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2670
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2671
	COUNTER_INC(vnode_check_mmap);
2672

2673
	return (0);
2674
}
2675

2676
COUNTER_DECL(vnode_check_open);
2677
static int
2678
test_vnode_check_open(struct ucred *cred, struct vnode *vp,
2679
    struct label *vplabel, accmode_t accmode)
2680
{
2681

2682
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2683
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2684
	COUNTER_INC(vnode_check_open);
2685

2686
	return (0);
2687
}
2688

2689
COUNTER_DECL(vnode_check_poll);
2690
static int
2691
test_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
2692
    struct vnode *vp, struct label *vplabel)
2693
{
2694

2695
	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2696
	if (file_cred != NULL)
2697
		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2698
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2699
	COUNTER_INC(vnode_check_poll);
2700

2701
	return (0);
2702
}
2703

2704
COUNTER_DECL(vnode_check_read);
2705
static int
2706
test_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
2707
    struct vnode *vp, struct label *vplabel)
2708
{
2709

2710
	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2711
	if (file_cred != NULL)
2712
		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2713
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2714
	COUNTER_INC(vnode_check_read);
2715

2716
	return (0);
2717
}
2718

2719
COUNTER_DECL(vnode_check_readdir);
2720
static int
2721
test_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
2722
    struct label *dvplabel)
2723
{
2724

2725
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2726
	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2727
	COUNTER_INC(vnode_check_readdir);
2728

2729
	return (0);
2730
}
2731

2732
COUNTER_DECL(vnode_check_readlink);
2733
static int
2734
test_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
2735
    struct label *vplabel)
2736
{
2737

2738
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2739
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2740
	COUNTER_INC(vnode_check_readlink);
2741

2742
	return (0);
2743
}
2744

2745
COUNTER_DECL(vnode_check_relabel);
2746
static int
2747
test_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
2748
    struct label *vplabel, struct label *newlabel)
2749
{
2750

2751
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2752
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2753
	LABEL_CHECK(newlabel, MAGIC_VNODE);
2754
	COUNTER_INC(vnode_check_relabel);
2755

2756
	return (0);
2757
}
2758

2759
COUNTER_DECL(vnode_check_rename_from);
2760
static int
2761
test_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
2762
    struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2763
    struct componentname *cnp)
2764
{
2765

2766
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2767
	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2768
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2769
	COUNTER_INC(vnode_check_rename_from);
2770

2771
	return (0);
2772
}
2773

2774
COUNTER_DECL(vnode_check_rename_to);
2775
static int
2776
test_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
2777
    struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2778
    int samedir, struct componentname *cnp)
2779
{
2780

2781
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2782
	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2783
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2784
	COUNTER_INC(vnode_check_rename_to);
2785

2786
	return (0);
2787
}
2788

2789
COUNTER_DECL(vnode_check_revoke);
2790
static int
2791
test_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
2792
    struct label *vplabel)
2793
{
2794

2795
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2796
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2797
	COUNTER_INC(vnode_check_revoke);
2798

2799
	return (0);
2800
}
2801

2802
COUNTER_DECL(vnode_check_setacl);
2803
static int
2804
test_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
2805
    struct label *vplabel, acl_type_t type, struct acl *acl)
2806
{
2807

2808
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2809
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2810
	COUNTER_INC(vnode_check_setacl);
2811

2812
	return (0);
2813
}
2814

2815
COUNTER_DECL(vnode_check_setextattr);
2816
static int
2817
test_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
2818
    struct label *vplabel, int attrnamespace, const char *name)
2819
{
2820

2821
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2822
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2823
	COUNTER_INC(vnode_check_setextattr);
2824

2825
	return (0);
2826
}
2827

2828
COUNTER_DECL(vnode_check_setflags);
2829
static int
2830
test_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
2831
    struct label *vplabel, u_long flags)
2832
{
2833

2834
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2835
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2836
	COUNTER_INC(vnode_check_setflags);
2837

2838
	return (0);
2839
}
2840

2841
COUNTER_DECL(vnode_check_setmode);
2842
static int
2843
test_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
2844
    struct label *vplabel, mode_t mode)
2845
{
2846

2847
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2848
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2849
	COUNTER_INC(vnode_check_setmode);
2850

2851
	return (0);
2852
}
2853

2854
COUNTER_DECL(vnode_check_setowner);
2855
static int
2856
test_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
2857
    struct label *vplabel, uid_t uid, gid_t gid)
2858
{
2859

2860
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2861
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2862
	COUNTER_INC(vnode_check_setowner);
2863

2864
	return (0);
2865
}
2866

2867
COUNTER_DECL(vnode_check_setutimes);
2868
static int
2869
test_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
2870
    struct label *vplabel, struct timespec atime, struct timespec mtime)
2871
{
2872

2873
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2874
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2875
	COUNTER_INC(vnode_check_setutimes);
2876

2877
	return (0);
2878
}
2879

2880
COUNTER_DECL(vnode_check_stat);
2881
static int
2882
test_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
2883
    struct vnode *vp, struct label *vplabel)
2884
{
2885

2886
	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2887
	if (file_cred != NULL)
2888
		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2889
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2890
	COUNTER_INC(vnode_check_stat);
2891

2892
	return (0);
2893
}
2894

2895
COUNTER_DECL(vnode_check_unlink);
2896
static int
2897
test_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
2898
    struct label *dvplabel, struct vnode *vp, struct label *vplabel,
2899
    struct componentname *cnp)
2900
{
2901

2902
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2903
	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2904
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2905
	COUNTER_INC(vnode_check_unlink);
2906

2907
	return (0);
2908
}
2909

2910
COUNTER_DECL(vnode_check_write);
2911
static int
2912
test_vnode_check_write(struct ucred *active_cred,
2913
    struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
2914
{
2915

2916
	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
2917
	if (file_cred != NULL)
2918
		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
2919
	LABEL_CHECK(vplabel, MAGIC_VNODE);
2920
	COUNTER_INC(vnode_check_write);
2921

2922
	return (0);
2923
}
2924

2925
COUNTER_DECL(vnode_copy_label);
2926
static void
2927
test_vnode_copy_label(struct label *src, struct label *dest)
2928
{
2929

2930
	LABEL_CHECK(src, MAGIC_VNODE);
2931
	LABEL_CHECK(dest, MAGIC_VNODE);
2932
	COUNTER_INC(vnode_copy_label);
2933
}
2934

2935
COUNTER_DECL(vnode_create_extattr);
2936
static int
2937
test_vnode_create_extattr(struct ucred *cred, struct mount *mp,
2938
    struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
2939
    struct vnode *vp, struct label *vplabel, struct componentname *cnp)
2940
{
2941

2942
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
2943
	LABEL_CHECK(mplabel, MAGIC_MOUNT);
2944
	LABEL_CHECK(dvplabel, MAGIC_VNODE);
2945
	COUNTER_INC(vnode_create_extattr);
2946

2947
	return (0);
2948
}
2949

2950
COUNTER_DECL(vnode_destroy_label);
2951
static void
2952
test_vnode_destroy_label(struct label *label)
2953
{
2954

2955
	LABEL_DESTROY(label, MAGIC_VNODE);
2956
	COUNTER_INC(vnode_destroy_label);
2957
}
2958

2959
COUNTER_DECL(vnode_execve_transition);
2960
static void
2961
test_vnode_execve_transition(struct ucred *old, struct ucred *new,
2962
    struct vnode *vp, struct label *filelabel,
2963
    struct label *interpvplabel, struct image_params *imgp,
2964
    struct label *execlabel)
2965
{
2966

2967
	LABEL_CHECK(old->cr_label, MAGIC_CRED);
2968
	LABEL_CHECK(new->cr_label, MAGIC_CRED);
2969
	LABEL_CHECK(filelabel, MAGIC_VNODE);
2970
	LABEL_CHECK(interpvplabel, MAGIC_VNODE);
2971
	LABEL_CHECK(execlabel, MAGIC_CRED);
2972
	COUNTER_INC(vnode_execve_transition);
2973
}
2974

2975
COUNTER_DECL(vnode_execve_will_transition);
2976
static int
2977
test_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
2978
    struct label *filelabel, struct label *interpvplabel,
2979
    struct image_params *imgp, struct label *execlabel)
2980
{
2981

2982
	LABEL_CHECK(old->cr_label, MAGIC_CRED);
2983
	LABEL_CHECK(filelabel, MAGIC_VNODE);
2984
	LABEL_CHECK(interpvplabel, MAGIC_VNODE);
2985
	LABEL_CHECK(execlabel, MAGIC_CRED);
2986
	COUNTER_INC(vnode_execve_will_transition);
2987

2988
	return (0);
2989
}
2990

2991
COUNTER_DECL(vnode_externalize_label);
2992
static int
2993
test_vnode_externalize_label(struct label *label, char *element_name,
2994
    struct sbuf *sb, int *claimed)
2995
{
2996

2997
	LABEL_CHECK(label, MAGIC_VNODE);
2998
	COUNTER_INC(vnode_externalize_label);
2999

3000
	return (0);
3001
}
3002

3003
COUNTER_DECL(vnode_init_label);
3004
static void
3005
test_vnode_init_label(struct label *label)
3006
{
3007

3008
	LABEL_INIT(label, MAGIC_VNODE);
3009
	COUNTER_INC(vnode_init_label);
3010
}
3011

3012
COUNTER_DECL(vnode_internalize_label);
3013
static int
3014
test_vnode_internalize_label(struct label *label, char *element_name,
3015
    char *element_data, int *claimed)
3016
{
3017

3018
	LABEL_CHECK(label, MAGIC_VNODE);
3019
	COUNTER_INC(vnode_internalize_label);
3020

3021
	return (0);
3022
}
3023

3024
COUNTER_DECL(vnode_relabel);
3025
static void
3026
test_vnode_relabel(struct ucred *cred, struct vnode *vp,
3027
    struct label *vplabel, struct label *label)
3028
{
3029

3030
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
3031
	LABEL_CHECK(vplabel, MAGIC_VNODE);
3032
	LABEL_CHECK(label, MAGIC_VNODE);
3033
	COUNTER_INC(vnode_relabel);
3034
}
3035

3036
COUNTER_DECL(vnode_setlabel_extattr);
3037
static int
3038
test_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
3039
    struct label *vplabel, struct label *intlabel)
3040
{
3041

3042
	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
3043
	LABEL_CHECK(vplabel, MAGIC_VNODE);
3044
	LABEL_CHECK(intlabel, MAGIC_VNODE);
3045
	COUNTER_INC(vnode_setlabel_extattr);
3046

3047
	return (0);
3048
}
3049

3050
static struct mac_policy_ops test_ops =
3051
{
3052
	.mpo_bpfdesc_check_receive = test_bpfdesc_check_receive,
3053
	.mpo_bpfdesc_create = test_bpfdesc_create,
3054
	.mpo_bpfdesc_create_mbuf = test_bpfdesc_create_mbuf,
3055
	.mpo_bpfdesc_destroy_label = test_bpfdesc_destroy_label,
3056
	.mpo_bpfdesc_init_label = test_bpfdesc_init_label,
3057

3058
	.mpo_cred_check_relabel = test_cred_check_relabel,
3059
	.mpo_cred_check_setaudit = test_cred_check_setaudit,
3060
	.mpo_cred_check_setaudit_addr = test_cred_check_setaudit_addr,
3061
	.mpo_cred_check_setauid = test_cred_check_setauid,
3062
	.mpo_cred_setcred_enter = test_cred_setcred_enter,
3063
	.mpo_cred_check_setcred = test_cred_check_setcred,
3064
	.mpo_cred_setcred_exit = test_cred_setcred_exit,
3065
	.mpo_cred_check_seteuid = test_cred_check_seteuid,
3066
	.mpo_cred_check_setegid = test_cred_check_setegid,
3067
	.mpo_cred_check_setgid = test_cred_check_setgid,
3068
	.mpo_cred_check_setgroups = test_cred_check_setgroups,
3069
	.mpo_cred_check_setregid = test_cred_check_setregid,
3070
	.mpo_cred_check_setresgid = test_cred_check_setresgid,
3071
	.mpo_cred_check_setresuid = test_cred_check_setresuid,
3072
	.mpo_cred_check_setreuid = test_cred_check_setreuid,
3073
	.mpo_cred_check_setuid = test_cred_check_setuid,
3074
	.mpo_cred_check_visible = test_cred_check_visible,
3075
	.mpo_cred_copy_label = test_cred_copy_label,
3076
	.mpo_cred_create_init = test_cred_create_init,
3077
	.mpo_cred_create_swapper = test_cred_create_swapper,
3078
	.mpo_cred_destroy_label = test_cred_destroy_label,
3079
	.mpo_cred_externalize_label = test_cred_externalize_label,
3080
	.mpo_cred_init_label = test_cred_init_label,
3081
	.mpo_cred_internalize_label = test_cred_internalize_label,
3082
	.mpo_cred_relabel = test_cred_relabel,
3083

3084
	.mpo_ddb_command_exec = test_ddb_command_exec,
3085
	.mpo_ddb_command_register = test_ddb_command_register,
3086

3087
	.mpo_devfs_create_device = test_devfs_create_device,
3088
	.mpo_devfs_create_directory = test_devfs_create_directory,
3089
	.mpo_devfs_create_symlink = test_devfs_create_symlink,
3090
	.mpo_devfs_destroy_label = test_devfs_destroy_label,
3091
	.mpo_devfs_init_label = test_devfs_init_label,
3092
	.mpo_devfs_update = test_devfs_update,
3093
	.mpo_devfs_vnode_associate = test_devfs_vnode_associate,
3094

3095
	.mpo_ifnet_check_relabel = test_ifnet_check_relabel,
3096
	.mpo_ifnet_check_transmit = test_ifnet_check_transmit,
3097
	.mpo_ifnet_copy_label = test_ifnet_copy_label,
3098
	.mpo_ifnet_create = test_ifnet_create,
3099
	.mpo_ifnet_create_mbuf = test_ifnet_create_mbuf,
3100
	.mpo_ifnet_destroy_label = test_ifnet_destroy_label,
3101
	.mpo_ifnet_externalize_label = test_ifnet_externalize_label,
3102
	.mpo_ifnet_init_label = test_ifnet_init_label,
3103
	.mpo_ifnet_internalize_label = test_ifnet_internalize_label,
3104
	.mpo_ifnet_relabel = test_ifnet_relabel,
3105

3106
	.mpo_syncache_destroy_label = test_syncache_destroy_label,
3107
	.mpo_syncache_init_label = test_syncache_init_label,
3108

3109
	.mpo_sysvmsg_destroy_label = test_sysvmsg_destroy_label,
3110
	.mpo_sysvmsg_init_label = test_sysvmsg_init_label,
3111

3112
	.mpo_sysvmsq_destroy_label = test_sysvmsq_destroy_label,
3113
	.mpo_sysvmsq_init_label = test_sysvmsq_init_label,
3114

3115
	.mpo_sysvsem_destroy_label = test_sysvsem_destroy_label,
3116
	.mpo_sysvsem_init_label = test_sysvsem_init_label,
3117

3118
	.mpo_sysvshm_destroy_label = test_sysvshm_destroy_label,
3119
	.mpo_sysvshm_init_label = test_sysvshm_init_label,
3120

3121
	.mpo_inpcb_check_deliver = test_inpcb_check_deliver,
3122
	.mpo_inpcb_check_visible = test_inpcb_check_visible,
3123
	.mpo_inpcb_create = test_inpcb_create,
3124
	.mpo_inpcb_create_mbuf = test_inpcb_create_mbuf,
3125
	.mpo_inpcb_destroy_label = test_inpcb_destroy_label,
3126
	.mpo_inpcb_init_label = test_inpcb_init_label,
3127
	.mpo_inpcb_sosetlabel = test_inpcb_sosetlabel,
3128

3129
	.mpo_ip6q_create = test_ip6q_create,
3130
	.mpo_ip6q_destroy_label = test_ip6q_destroy_label,
3131
	.mpo_ip6q_init_label = test_ip6q_init_label,
3132
	.mpo_ip6q_match = test_ip6q_match,
3133
	.mpo_ip6q_reassemble = test_ip6q_reassemble,
3134
	.mpo_ip6q_update = test_ip6q_update,
3135

3136
	.mpo_ipq_create = test_ipq_create,
3137
	.mpo_ipq_destroy_label = test_ipq_destroy_label,
3138
	.mpo_ipq_init_label = test_ipq_init_label,
3139
	.mpo_ipq_match = test_ipq_match,
3140
	.mpo_ipq_reassemble = test_ipq_reassemble,
3141
	.mpo_ipq_update = test_ipq_update,
3142

3143
	.mpo_kdb_check_backend = test_kdb_check_backend,
3144

3145
	.mpo_kenv_check_dump = test_kenv_check_dump,
3146
	.mpo_kenv_check_get = test_kenv_check_get,
3147
	.mpo_kenv_check_set = test_kenv_check_set,
3148
	.mpo_kenv_check_unset = test_kenv_check_unset,
3149

3150
	.mpo_kld_check_load = test_kld_check_load,
3151
	.mpo_kld_check_stat = test_kld_check_stat,
3152

3153
	.mpo_mbuf_copy_label = test_mbuf_copy_label,
3154
	.mpo_mbuf_destroy_label = test_mbuf_destroy_label,
3155
	.mpo_mbuf_init_label = test_mbuf_init_label,
3156

3157
	.mpo_mount_check_stat = test_mount_check_stat,
3158
	.mpo_mount_create = test_mount_create,
3159
	.mpo_mount_destroy_label = test_mount_destroy_label,
3160
	.mpo_mount_init_label = test_mount_init_label,
3161

3162
	.mpo_netinet_arp_send = test_netinet_arp_send,
3163
	.mpo_netinet_fragment = test_netinet_fragment,
3164
	.mpo_netinet_icmp_reply = test_netinet_icmp_reply,
3165
	.mpo_netinet_icmp_replyinplace = test_netinet_icmp_replyinplace,
3166
	.mpo_netinet_igmp_send = test_netinet_igmp_send,
3167
	.mpo_netinet_tcp_reply = test_netinet_tcp_reply,
3168

3169
	.mpo_netinet6_nd6_send = test_netinet6_nd6_send,
3170

3171
	.mpo_pipe_check_ioctl = test_pipe_check_ioctl,
3172
	.mpo_pipe_check_poll = test_pipe_check_poll,
3173
	.mpo_pipe_check_read = test_pipe_check_read,
3174
	.mpo_pipe_check_relabel = test_pipe_check_relabel,
3175
	.mpo_pipe_check_stat = test_pipe_check_stat,
3176
	.mpo_pipe_check_write = test_pipe_check_write,
3177
	.mpo_pipe_copy_label = test_pipe_copy_label,
3178
	.mpo_pipe_create = test_pipe_create,
3179
	.mpo_pipe_destroy_label = test_pipe_destroy_label,
3180
	.mpo_pipe_externalize_label = test_pipe_externalize_label,
3181
	.mpo_pipe_init_label = test_pipe_init_label,
3182
	.mpo_pipe_internalize_label = test_pipe_internalize_label,
3183
	.mpo_pipe_relabel = test_pipe_relabel,
3184

3185
	.mpo_posixsem_check_getvalue = test_posixsem_check_getvalue,
3186
	.mpo_posixsem_check_open = test_posixsem_check_open,
3187
	.mpo_posixsem_check_post = test_posixsem_check_post,
3188
	.mpo_posixsem_check_setmode = test_posixsem_check_setmode,
3189
	.mpo_posixsem_check_setowner = test_posixsem_check_setowner,
3190
	.mpo_posixsem_check_stat = test_posixsem_check_stat,
3191
	.mpo_posixsem_check_unlink = test_posixsem_check_unlink,
3192
	.mpo_posixsem_check_wait = test_posixsem_check_wait,
3193
	.mpo_posixsem_create = test_posixsem_create,
3194
	.mpo_posixsem_destroy_label = test_posixsem_destroy_label,
3195
	.mpo_posixsem_init_label = test_posixsem_init_label,
3196

3197
	.mpo_posixshm_check_create = test_posixshm_check_create,
3198
	.mpo_posixshm_check_mmap = test_posixshm_check_mmap,
3199
	.mpo_posixshm_check_open = test_posixshm_check_open,
3200
	.mpo_posixshm_check_read = test_posixshm_check_read,
3201
	.mpo_posixshm_check_setmode = test_posixshm_check_setmode,
3202
	.mpo_posixshm_check_setowner = test_posixshm_check_setowner,
3203
	.mpo_posixshm_check_stat = test_posixshm_check_stat,
3204
	.mpo_posixshm_check_truncate = test_posixshm_check_truncate,
3205
	.mpo_posixshm_check_unlink = test_posixshm_check_unlink,
3206
	.mpo_posixshm_check_write = test_posixshm_check_write,
3207
	.mpo_posixshm_create = test_posixshm_create,
3208
	.mpo_posixshm_destroy_label = test_posixshm_destroy_label,
3209
	.mpo_posixshm_init_label = test_posixshm_init_label,
3210

3211
	.mpo_proc_check_debug = test_proc_check_debug,
3212
	.mpo_proc_check_sched = test_proc_check_sched,
3213
	.mpo_proc_check_signal = test_proc_check_signal,
3214
	.mpo_proc_check_wait = test_proc_check_wait,
3215
	.mpo_proc_destroy_label = test_proc_destroy_label,
3216
	.mpo_proc_init_label = test_proc_init_label,
3217

3218
	.mpo_socket_check_accept = test_socket_check_accept,
3219
	.mpo_socket_check_bind = test_socket_check_bind,
3220
	.mpo_socket_check_connect = test_socket_check_connect,
3221
	.mpo_socket_check_deliver = test_socket_check_deliver,
3222
	.mpo_socket_check_listen = test_socket_check_listen,
3223
	.mpo_socket_check_poll = test_socket_check_poll,
3224
	.mpo_socket_check_receive = test_socket_check_receive,
3225
	.mpo_socket_check_relabel = test_socket_check_relabel,
3226
	.mpo_socket_check_send = test_socket_check_send,
3227
	.mpo_socket_check_stat = test_socket_check_stat,
3228
	.mpo_socket_check_visible = test_socket_check_visible,
3229
	.mpo_socket_copy_label = test_socket_copy_label,
3230
	.mpo_socket_create = test_socket_create,
3231
	.mpo_socket_create_mbuf = test_socket_create_mbuf,
3232
	.mpo_socket_destroy_label = test_socket_destroy_label,
3233
	.mpo_socket_externalize_label = test_socket_externalize_label,
3234
	.mpo_socket_init_label = test_socket_init_label,
3235
	.mpo_socket_internalize_label = test_socket_internalize_label,
3236
	.mpo_socket_newconn = test_socket_newconn,
3237
	.mpo_socket_relabel = test_socket_relabel,
3238

3239
	.mpo_socketpeer_destroy_label = test_socketpeer_destroy_label,
3240
	.mpo_socketpeer_externalize_label = test_socketpeer_externalize_label,
3241
	.mpo_socketpeer_init_label = test_socketpeer_init_label,
3242
	.mpo_socketpeer_set_from_mbuf = test_socketpeer_set_from_mbuf,
3243
	.mpo_socketpeer_set_from_socket = test_socketpeer_set_from_socket,
3244

3245
	.mpo_syncache_create = test_syncache_create,
3246
	.mpo_syncache_create_mbuf = test_syncache_create_mbuf,
3247

3248
	.mpo_system_check_acct = test_system_check_acct,
3249
	.mpo_system_check_audit = test_system_check_audit,
3250
	.mpo_system_check_auditctl = test_system_check_auditctl,
3251
	.mpo_system_check_auditon = test_system_check_auditon,
3252
	.mpo_system_check_reboot = test_system_check_reboot,
3253
	.mpo_system_check_swapoff = test_system_check_swapoff,
3254
	.mpo_system_check_swapon = test_system_check_swapon,
3255
	.mpo_system_check_sysctl = test_system_check_sysctl,
3256

3257
	.mpo_vnode_check_access = test_vnode_check_access,
3258
	.mpo_sysvmsg_cleanup = test_sysvmsg_cleanup,
3259
	.mpo_sysvmsg_create = test_sysvmsg_create,
3260

3261
	.mpo_sysvmsq_check_msgmsq = test_sysvmsq_check_msgmsq,
3262
	.mpo_sysvmsq_check_msgrcv = test_sysvmsq_check_msgrcv,
3263
	.mpo_sysvmsq_check_msgrmid = test_sysvmsq_check_msgrmid,
3264
	.mpo_sysvmsq_check_msqget = test_sysvmsq_check_msqget,
3265
	.mpo_sysvmsq_check_msqsnd = test_sysvmsq_check_msqsnd,
3266
	.mpo_sysvmsq_check_msqrcv = test_sysvmsq_check_msqrcv,
3267
	.mpo_sysvmsq_check_msqctl = test_sysvmsq_check_msqctl,
3268
	.mpo_sysvmsq_cleanup = test_sysvmsq_cleanup,
3269
	.mpo_sysvmsq_create = test_sysvmsq_create,
3270

3271
	.mpo_sysvsem_check_semctl = test_sysvsem_check_semctl,
3272
	.mpo_sysvsem_check_semget = test_sysvsem_check_semget,
3273
	.mpo_sysvsem_check_semop = test_sysvsem_check_semop,
3274
	.mpo_sysvsem_cleanup = test_sysvsem_cleanup,
3275
	.mpo_sysvsem_create = test_sysvsem_create,
3276

3277
	.mpo_sysvshm_check_shmat = test_sysvshm_check_shmat,
3278
	.mpo_sysvshm_check_shmctl = test_sysvshm_check_shmctl,
3279
	.mpo_sysvshm_check_shmdt = test_sysvshm_check_shmdt,
3280
	.mpo_sysvshm_check_shmget = test_sysvshm_check_shmget,
3281
	.mpo_sysvshm_cleanup = test_sysvshm_cleanup,
3282
	.mpo_sysvshm_create = test_sysvshm_create,
3283

3284
	.mpo_thread_userret = test_thread_userret,
3285

3286
	.mpo_vnode_associate_extattr = test_vnode_associate_extattr,
3287
	.mpo_vnode_associate_singlelabel = test_vnode_associate_singlelabel,
3288
	.mpo_vnode_check_chdir = test_vnode_check_chdir,
3289
	.mpo_vnode_check_chroot = test_vnode_check_chroot,
3290
	.mpo_vnode_check_create = test_vnode_check_create,
3291
	.mpo_vnode_check_deleteacl = test_vnode_check_deleteacl,
3292
	.mpo_vnode_check_deleteextattr = test_vnode_check_deleteextattr,
3293
	.mpo_vnode_check_exec = test_vnode_check_exec,
3294
	.mpo_vnode_check_getacl = test_vnode_check_getacl,
3295
	.mpo_vnode_check_getextattr = test_vnode_check_getextattr,
3296
	.mpo_vnode_check_link = test_vnode_check_link,
3297
	.mpo_vnode_check_listextattr = test_vnode_check_listextattr,
3298
	.mpo_vnode_check_lookup = test_vnode_check_lookup,
3299
	.mpo_vnode_check_mmap = test_vnode_check_mmap,
3300
	.mpo_vnode_check_open = test_vnode_check_open,
3301
	.mpo_vnode_check_poll = test_vnode_check_poll,
3302
	.mpo_vnode_check_read = test_vnode_check_read,
3303
	.mpo_vnode_check_readdir = test_vnode_check_readdir,
3304
	.mpo_vnode_check_readlink = test_vnode_check_readlink,
3305
	.mpo_vnode_check_relabel = test_vnode_check_relabel,
3306
	.mpo_vnode_check_rename_from = test_vnode_check_rename_from,
3307
	.mpo_vnode_check_rename_to = test_vnode_check_rename_to,
3308
	.mpo_vnode_check_revoke = test_vnode_check_revoke,
3309
	.mpo_vnode_check_setacl = test_vnode_check_setacl,
3310
	.mpo_vnode_check_setextattr = test_vnode_check_setextattr,
3311
	.mpo_vnode_check_setflags = test_vnode_check_setflags,
3312
	.mpo_vnode_check_setmode = test_vnode_check_setmode,
3313
	.mpo_vnode_check_setowner = test_vnode_check_setowner,
3314
	.mpo_vnode_check_setutimes = test_vnode_check_setutimes,
3315
	.mpo_vnode_check_stat = test_vnode_check_stat,
3316
	.mpo_vnode_check_unlink = test_vnode_check_unlink,
3317
	.mpo_vnode_check_write = test_vnode_check_write,
3318
	.mpo_vnode_copy_label = test_vnode_copy_label,
3319
	.mpo_vnode_create_extattr = test_vnode_create_extattr,
3320
	.mpo_vnode_destroy_label = test_vnode_destroy_label,
3321
	.mpo_vnode_execve_transition = test_vnode_execve_transition,
3322
	.mpo_vnode_execve_will_transition = test_vnode_execve_will_transition,
3323
	.mpo_vnode_externalize_label = test_vnode_externalize_label,
3324
	.mpo_vnode_init_label = test_vnode_init_label,
3325
	.mpo_vnode_internalize_label = test_vnode_internalize_label,
3326
	.mpo_vnode_relabel = test_vnode_relabel,
3327
	.mpo_vnode_setlabel_extattr = test_vnode_setlabel_extattr,
3328
};
3329

3330
MAC_POLICY_SET(&test_ops, mac_test, "TrustedBSD MAC/Test",
3331
    MPC_LOADTIME_FLAG_UNLOADOK, &test_slot);
3332

3333