authorrwatson <rwatson@FreeBSD.org>2003-08-21 17:28:45 +0000
committerrwatson <rwatson@FreeBSD.org>2003-08-21 17:28:45 +0000
commite7de110897b52634874b85b17815357cc4c4a12c (patch)
treec3c950af785aa7a88298e76a08908ce04813a835 /sys/security/mac_test
parent424518a7fefc942dfd85ad913f4ddf12caa27c1b (diff)
Retrofit of mac_test regression and consistency test module for MAC
Framework labels: - Re-work the label state assertions to use a set of central ASSERT_type_LABEL() assertions. - Test to make sure labels passed to externalize/internalize calls haven't been destroyed. - For access control checks, assert the condition of all labels passed in. - For life cycle events, assert the condition of all labels passed in. - Add new entry point implementations for new MAC Framework entry points: mac_test_reflect_mbuf_icmp(), mac_test_reflect_mbuf_tcp(), mac_test_check_vnode_deleteextattr(), mac_test_check_vnode_listextattr(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security/mac_test')
-rw-r--r--sys/security/mac_test/mac_test.c380
1 files changed, 379 insertions, 1 deletions
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 02a8de7..61d91c0 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1,6 +1,6 @@
/*-
* Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
- * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -92,6 +92,30 @@ SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
#define EXMAGIC 0x849ba1fd
#define SLOT(x) LABEL_TO_SLOT((x), test_slot).l_long
+
+#define ASSERT_BPF_LABEL(x) KASSERT(SLOT(x) == BPFMAGIC || \
+ SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
+#define ASSERT_DEVFS_LABEL(x) KASSERT(SLOT(x) == DEVFSMAGIC || \
+ SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
+#define ASSERT_IFNET_LABEL(x) KASSERT(SLOT(x) == IFNETMAGIC || \
+ SLOT(x) == 0, ("%s: Bad IFNET label", __func__ ))
+#define ASSERT_IPQ_LABEL(x) KASSERT(SLOT(x) == IPQMAGIC || \
+ SLOT(x) == 0, ("%s: Bad IPQ label", __func__ ))
+#define ASSERT_MBUF_LABEL(x) KASSERT(SLOT(x) == MBUFMAGIC || \
+ SLOT(x) == 0, ("%s: Bad MBUF label", __func__ ))
+#define ASSERT_MOUNT_LABEL(x) KASSERT(SLOT(x) == MOUNTMAGIC || \
+ SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ ))
+#define ASSERT_SOCKET_LABEL(x) KASSERT(SLOT(x) == SOCKETMAGIC || \
+ SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ ))
+#define ASSERT_PIPE_LABEL(x) KASSERT(SLOT(x) == PIPEMAGIC || \
+ SLOT(x) == 0, ("%s: Bad PIPE label", __func__ ))
+#define ASSERT_PROC_LABEL(x) KASSERT(SLOT(x) == PROCMAGIC || \
+ SLOT(x) == 0, ("%s: Bad PROC label", __func__ ))
+#define ASSERT_CRED_LABEL(x) KASSERT(SLOT(x) == CREDMAGIC || \
+ SLOT(x) == 0, ("%s: Bad CRED label", __func__ ))
+#define ASSERT_VNODE_LABEL(x) KASSERT(SLOT(x) == VNODEMAGIC || \
+ SLOT(x) == 0, ("%s: Bad VNODE label", __func__ ))
+
static int test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
&test_slot, 0, "Slot allocated by framework");
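Review bot: The new ASSERT_*_LABEL macros accept `SLOT(x) == 0` alongside the type's magic value, so a label this policy never initialised passes every assertion and only an EXMAGIC (destroyed) or wrong-type slot is caught; a comment above the block saying why zero is tolerated would keep a later maintainer from tightening it, e.g. `/* A slot of 0 is accepted: presumably a label created before this policy was loaded -- confirm against the framework. */`. Each macro also evaluates `x` twice and, like any KASSERT, compiles to nothing on a kernel built without INVARIANTS, so the consistency checks this commit introduces are silent on such kernels; that caveat is worth a line in the same comment.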
@@ -536,6 +560,9 @@ mac_test_externalize_label(struct label *label, char *element_name,
atomic_add_int(&externalize_count, 1);
+ KASSERT(SLOT(label) != EXMAGIC,
+ ("mac_test_externalize_label: destroyed label"));
+
return (0);
}
@@ -546,6 +573,9 @@ mac_test_internalize_label(struct label *label, char *element_name,
atomic_add_int(&internalize_count, 1);
+ KASSERT(SLOT(label) != EXMAGIC,
+ ("mac_test_internalize_label: destroyed label"));
+
return (0);
}
@@ -559,6 +589,9 @@ mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
struct label *vlabel)
{
+ ASSERT_MOUNT_LABEL(fslabel);
+ ASSERT_DEVFS_LABEL(delabel);
+ ASSERT_VNODE_LABEL(vlabel);
}
static int
@@ -566,6 +599,8 @@ mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
struct vnode *vp, struct label *vlabel)
{
+ ASSERT_MOUNT_LABEL(fslabel);
+ ASSERT_VNODE_LABEL(vlabel);
return (0);
}
@@ -574,6 +609,8 @@ mac_test_associate_vnode_singlelabel(struct mount *mp,
struct label *fslabel, struct vnode *vp, struct label *vlabel)
{
+ ASSERT_MOUNT_LABEL(fslabel);
+ ASSERT_VNODE_LABEL(vlabel);
}
static void
@@ -581,6 +618,7 @@ mac_test_create_devfs_device(struct mount *mp, dev_t dev,
struct devfs_dirent *devfs_dirent, struct label *label)
{
+ ASSERT_DEVFS_LABEL(label);
}
static void
@@ -588,6 +626,7 @@ mac_test_create_devfs_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{
+ ASSERT_DEVFS_LABEL(label);
}
static void
@@ -596,6 +635,9 @@ mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct label *delabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_DEVFS_LABEL(ddlabel);
+ ASSERT_DEVFS_LABEL(delabel);
}
static int
@@ -604,6 +646,10 @@ mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_MOUNT_LABEL(fslabel);
+ ASSERT_VNODE_LABEL(dlabel);
+
return (0);
}
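Review bot: `mac_test_create_vnode_extattr` also receives `vlabel` for the vnode being created, visible in the parameter line at the top of the hunk, but only `cred`, `fslabel` and `dlabel` are asserted. Given the commit's stated aim of asserting every label passed to life-cycle events, add `ASSERT_VNODE_LABEL(vlabel);` after the `dlabel` check. The function's parameter list begins above the hunk.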
@@ -612,6 +658,9 @@ mac_test_create_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_MOUNT_LABEL(mntlabel);
+ ASSERT_MOUNT_LABEL(fslabel);
}
static void
@@ -619,6 +668,9 @@ mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_MOUNT_LABEL(mntlabel);
+ ASSERT_MOUNT_LABEL(fslabel);
}
static void
@@ -626,6 +678,9 @@ mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, struct label *label)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(vnodelabel);
+ ASSERT_VNODE_LABEL(label);
}
static int
@@ -633,6 +688,9 @@ mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
struct label *vlabel, struct label *intlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(vlabel);
+ ASSERT_VNODE_LABEL(intlabel);
return (0);
}
@@ -642,6 +700,8 @@ mac_test_update_devfsdirent(struct mount *mp,
struct vnode *vp, struct label *vnodelabel)
{
+ ASSERT_DEVFS_LABEL(direntlabel);
+ ASSERT_VNODE_LABEL(vnodelabel);
}
/*
@@ -652,6 +712,8 @@ mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
+ ASSERT_SOCKET_LABEL(socketlabel);
+ ASSERT_MBUF_LABEL(mbuflabel);
}
static void
@@ -659,6 +721,8 @@ mac_test_create_socket(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_SOCKET_LABEL(socketlabel);
}
static void
@@ -666,6 +730,8 @@ mac_test_create_pipe(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_PIPE_LABEL(pipelabel);
}
static void
@@ -674,6 +740,8 @@ mac_test_create_socket_from_socket(struct socket *oldsocket,
struct label *newsocketlabel)
{
+ ASSERT_SOCKET_LABEL(oldsocketlabel);
+ ASSERT_SOCKET_LABEL(newsocketlabel);
}
static void
@@ -681,6 +749,8 @@ mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_SOCKET_LABEL(newlabel);
}
static void
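Review bot: `mac_test_relabel_socket` asserts the credential and `newlabel` but not the existing `socketlabel`, unlike `mac_test_relabel_pipe` immediately below, which asserts both the old and the new label. Add `ASSERT_SOCKET_LABEL(socketlabel);` between the two existing assertions so the socket relabel path matches the pipe one. The function's signature starts above the hunk.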
@@ -688,6 +758,9 @@ mac_test_relabel_pipe(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, struct label *newlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_PIPE_LABEL(pipelabel);
+ ASSERT_PIPE_LABEL(newlabel);
}
static void
@@ -695,6 +768,8 @@ mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
struct socket *socket, struct label *socketpeerlabel)
{
+ ASSERT_MBUF_LABEL(mbuflabel);
+ ASSERT_SOCKET_LABEL(socketpeerlabel);
}
/*
@@ -706,6 +781,8 @@ mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
struct label *newsocketpeerlabel)
{
+ ASSERT_SOCKET_LABEL(oldsocketlabel);
+ ASSERT_SOCKET_LABEL(newsocketpeerlabel);
}
static void
@@ -713,6 +790,8 @@ mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
struct label *bpflabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_BPF_LABEL(bpflabel);
}
static void
@@ -720,6 +799,8 @@ mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *datagram, struct label *datagramlabel)
{
+ ASSERT_IPQ_LABEL(ipqlabel);
+ ASSERT_MBUF_LABEL(datagramlabel);
}
static void
@@ -727,12 +808,15 @@ mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
struct mbuf *fragment, struct label *fragmentlabel)
{
+ ASSERT_MBUF_LABEL(datagramlabel);
+ ASSERT_MBUF_LABEL(fragmentlabel);
}
static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{
+ ASSERT_IFNET_LABEL(ifnetlabel);
}
static void
@@ -740,6 +824,8 @@ mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
struct ipq *ipq, struct label *ipqlabel)
{
+ ASSERT_MBUF_LABEL(fragmentlabel);
+ ASSERT_IPQ_LABEL(ipqlabel);
}
static void
@@ -748,6 +834,8 @@ mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
struct label *newmbuflabel)
{
+ ASSERT_MBUF_LABEL(oldmbuflabel);
+ ASSERT_MBUF_LABEL(newmbuflabel);
}
static void
@@ -755,6 +843,8 @@ mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *mbuf, struct label *mbuflabel)
{
+ ASSERT_IFNET_LABEL(ifnetlabel);
+ ASSERT_MBUF_LABEL(mbuflabel);
}
static void
@@ -762,6 +852,8 @@ mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
struct mbuf *mbuf, struct label *mbuflabel)
{
+ ASSERT_BPF_LABEL(bpflabel);
+ ASSERT_MBUF_LABEL(mbuflabel);
}
static void
@@ -769,6 +861,8 @@ mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *m, struct label *mbuflabel)
{
+ ASSERT_IFNET_LABEL(ifnetlabel);
+ ASSERT_MBUF_LABEL(mbuflabel);
}
static void
@@ -777,6 +871,9 @@ mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
struct mbuf *newmbuf, struct label *newmbuflabel)
{
+ ASSERT_MBUF_LABEL(oldmbuflabel);
+ ASSERT_IFNET_LABEL(ifnetlabel);
+ ASSERT_MBUF_LABEL(newmbuflabel);
}
static void
@@ -785,6 +882,8 @@ mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
struct label *newmbuflabel)
{
+ ASSERT_MBUF_LABEL(oldmbuflabel);
+ ASSERT_MBUF_LABEL(newmbuflabel);
}
static int
@@ -792,14 +891,34 @@ mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
struct ipq *ipq, struct label *ipqlabel)
{
+ ASSERT_MBUF_LABEL(fragmentlabel);
+ ASSERT_IPQ_LABEL(ipqlabel);
+
return (1);
}
static void
+mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
+{
+
+ ASSERT_MBUF_LABEL(mlabel);
+}
+
+static void
+mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
+{
+
+ ASSERT_MBUF_LABEL(mlabel);
+}
+
+static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_IFNET_LABEL(ifnetlabel);
+ ASSERT_IFNET_LABEL(newlabel);
}
static void
@@ -807,6 +926,8 @@ mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
struct ipq *ipq, struct label *ipqlabel)
{
+ ASSERT_MBUF_LABEL(fragmentlabel);
+ ASSERT_IPQ_LABEL(ipqlabel);
}
/*
@@ -816,6 +937,8 @@ static void
mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
+ ASSERT_CRED_LABEL(&cred_parent->cr_label);
+ ASSERT_CRED_LABEL(&cred_child->cr_label);
}
static void
@@ -825,6 +948,13 @@ mac_test_execve_transition(struct ucred *old, struct ucred *new,
struct label *execlabel)
{
+ ASSERT_CRED_LABEL(&old->cr_label);
+ ASSERT_CRED_LABEL(&new->cr_label);
+ ASSERT_VNODE_LABEL(filelabel);
+ ASSERT_VNODE_LABEL(interpvnodelabel);
+ if (execlabel != NULL) {
+ ASSERT_CRED_LABEL(execlabel);
+ }
}
static int
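Review bot: `mac_test_execve_transition` asserts `interpvnodelabel` unconditionally, whereas the sibling `mac_test_execve_will_transition` added in the next hunk only does so inside `if (interpvnodelabel != NULL)`. The ASSERT macros dereference their argument through `SLOT()`, so if the framework passes NULL when there is no interpreter, as the sibling assumes, this is a NULL dereference rather than a failed assertion. Guard it the same way: `if (interpvnodelabel != NULL) { ASSERT_VNODE_LABEL(interpvnodelabel); }`. The parameter list starts above the hunk.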
@@ -833,6 +963,15 @@ mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
struct image_params *imgp, struct label *execlabel)
{
+ ASSERT_CRED_LABEL(&old->cr_label);
+ ASSERT_VNODE_LABEL(filelabel);
+ if (interpvnodelabel != NULL) {
+ ASSERT_VNODE_LABEL(interpvnodelabel);
+ }
+ if (execlabel != NULL) {
+ ASSERT_CRED_LABEL(execlabel);
+ }
+
return (0);
}
@@ -840,24 +979,30 @@ static void
mac_test_create_proc0(struct ucred *cred)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
}
static void
mac_test_create_proc1(struct ucred *cred)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
}
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(newlabel);
}
static void
mac_test_thread_userret(struct thread *td)
{
+ printf("mac_test_thread_userret(process = %d)\n",
+ curthread->td_proc->p_pid);
}
/*
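Review bot: `mac_test_relabel_cred` checks its `newlabel` with `ASSERT_VNODE_LABEL`, but the label being applied to a credential carries CREDMAGIC, and `mac_test_check_cred_relabel` added later in this commit checks the same argument with `ASSERT_CRED_LABEL(newlabel)`; on an INVARIANTS kernel the first credential relabel will panic with "Bad VNODE label". Change it to `ASSERT_CRED_LABEL(newlabel);`. Separately, the `printf` added to `mac_test_thread_userret` runs on every return to user mode for every thread, which will flood the console as soon as the module is loaded; if it is intended instrumentation it should sit behind a sysctl, and it could use the `td` argument instead of `curthread`.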
@@ -868,6 +1013,9 @@ mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
struct ifnet *ifnet, struct label *ifnetlabel)
{
+ ASSERT_BPF_LABEL(bpflabel);
+ ASSERT_IFNET_LABEL(ifnetlabel);
+
return (0);
}
@@ -875,6 +1023,9 @@ static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(newlabel);
+
return (0);
}
@@ -882,6 +1033,9 @@ static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
+ ASSERT_CRED_LABEL(&u1->cr_label);
+ ASSERT_CRED_LABEL(&u2->cr_label);
+
return (0);
}
@@ -890,6 +1044,9 @@ mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_IFNET_LABEL(ifnetlabel);
+ ASSERT_IFNET_LABEL(newlabel);
return (0);
}
@@ -898,6 +1055,9 @@ mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *m, struct label *mbuflabel)
{
+ ASSERT_IFNET_LABEL(ifnetlabel);
+ ASSERT_MBUF_LABEL(mbuflabel);
+
return (0);
}
@@ -905,6 +1065,8 @@ static int
mac_test_check_kenv_dump(struct ucred *cred)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+
return (0);
}
@@ -912,6 +1074,8 @@ static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+
return (0);
}
@@ -919,6 +1083,8 @@ static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+
return (0);
}
@@ -926,6 +1092,8 @@ static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+
return (0);
}
@@ -934,6 +1102,9 @@ mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
struct label *label)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -941,6 +1112,8 @@ static int
mac_test_check_kld_stat(struct ucred *cred)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+
return (0);
}
@@ -948,6 +1121,8 @@ static int
mac_test_check_kld_unload(struct ucred *cred)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+
return (0);
}
@@ -956,6 +1131,9 @@ mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
struct label *mntlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_MOUNT_LABEL(mntlabel);
+
return (0);
}
@@ -964,6 +1142,9 @@ mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_PIPE_LABEL(pipelabel);
+
return (0);
}
@@ -972,6 +1153,9 @@ mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_PIPE_LABEL(pipelabel);
+
return (0);
}
@@ -980,6 +1164,9 @@ mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_PIPE_LABEL(pipelabel);
+
return (0);
}
@@ -988,6 +1175,10 @@ mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, struct label *newlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_PIPE_LABEL(pipelabel);
+ ASSERT_PIPE_LABEL(newlabel);
+
return (0);
}
@@ -996,6 +1187,9 @@ mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_PIPE_LABEL(pipelabel);
+
return (0);
}
@@ -1004,6 +1198,9 @@ mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_PIPE_LABEL(pipelabel);
+
return (0);
}
@@ -1011,6 +1208,9 @@ static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(&proc->p_ucred->cr_label);
+
return (0);
}
@@ -1018,6 +1218,9 @@ static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(&proc->p_ucred->cr_label);
+
return (0);
}
@@ -1025,6 +1228,9 @@ static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(&proc->p_ucred->cr_label);
+
return (0);
}
@@ -1033,6 +1239,9 @@ mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_SOCKET_LABEL(socketlabel);
+
return (0);
}
@@ -1041,6 +1250,9 @@ mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_SOCKET_LABEL(socketlabel);
+
return (0);
}
@@ -1049,6 +1261,9 @@ mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
+ ASSERT_SOCKET_LABEL(socketlabel);
+ ASSERT_MBUF_LABEL(mbuflabel);
+
return (0);
}
@@ -1057,6 +1272,9 @@ mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_SOCKET_LABEL(socketlabel);
+
return (0);
}
@@ -1065,6 +1283,9 @@ mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_SOCKET_LABEL(socketlabel);
+
return (0);
}
@@ -1073,6 +1294,10 @@ mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_SOCKET_LABEL(socketlabel);
+ ASSERT_SOCKET_LABEL(newlabel);
+
return (0);
}
@@ -1080,6 +1305,8 @@ static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+
return (0);
}
@@ -1088,6 +1315,8 @@ mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
struct label *label)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+
return (0);
}
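Review bot: `mac_test_check_system_acct` receives a vnode `label` but asserts only the credential, while the neighbouring `mac_test_check_system_swapon` and `_swapoff` assert both. If this is because accounting can be turned off with a NULL vnode, the intent should be visible as a guarded check rather than an omission, `if (vp != NULL) { ASSERT_VNODE_LABEL(label); }`, the pattern `mac_test_check_vnode_rename_to` uses later in this commit. The parameter list starts above the hunk.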
@@ -1095,6 +1324,8 @@ static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+
return (0);
}
@@ -1102,6 +1333,8 @@ static int
mac_test_check_system_settime(struct ucred *cred)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+
return (0);
}
@@ -1110,6 +1343,9 @@ mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
struct label *label)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1118,6 +1354,9 @@ mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
struct label *label)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1126,6 +1365,8 @@ mac_test_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+
return (0);
}
@@ -1134,6 +1375,9 @@ mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
struct label *label, int acc_mode)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1142,6 +1386,9 @@ mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(dlabel);
+
return (0);
}
@@ -1150,6 +1397,9 @@ mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(dlabel);
+
return (0);
}
@@ -1158,6 +1408,9 @@ mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(dlabel);
+
return (0);
}
@@ -1167,6 +1420,10 @@ mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(dlabel);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1175,6 +1432,20 @@ mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *label, acl_type_t type)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
+ return (0);
+}
+
+static int
+mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+ struct label *label, int attrnamespace, const char *name)
+{
+
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1184,6 +1455,12 @@ mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
struct label *execlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+ if (execlabel != NULL) {
+ ASSERT_CRED_LABEL(execlabel);
+ }
+
return (0);
}
@@ -1192,6 +1469,9 @@ mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
struct label *label, acl_type_t type)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1200,6 +1480,9 @@ mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
struct label *label, int attrnamespace, const char *name, struct uio *uio)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1209,6 +1492,21 @@ mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(dlabel);
+ ASSERT_VNODE_LABEL(label);
+
+ return (0);
+}
+
+static int
+mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+ struct label *label, int attrnamespace)
+{
+
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1217,6 +1515,9 @@ mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(dlabel);
+
return (0);
}
@@ -1225,6 +1526,9 @@ mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
struct label *label, int prot)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1233,6 +1537,9 @@ mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
struct label *label, int prot)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1241,6 +1548,9 @@ mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
struct label *filelabel, int acc_mode)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(filelabel);
+
return (0);
}
@@ -1249,6 +1559,10 @@ mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
+ ASSERT_CRED_LABEL(&active_cred->cr_label);
+ ASSERT_CRED_LABEL(&file_cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
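Review bot: `mac_test_check_vnode_poll` asserts `file_cred->cr_label` unconditionally, whereas `mac_test_check_vnode_read`, `_stat` and `_write` in this commit wrap the identical check in `if (file_cred != NULL)`. The macro expands to a dereference, so a NULL `file_cred` here faults instead of asserting. Either guard it the same way, `if (file_cred != NULL) { ASSERT_CRED_LABEL(&file_cred->cr_label); }`, or add a comment explaining why poll can never be invoked with a NULL file credential. The parameter list starts above the hunk.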
@@ -1257,6 +1571,12 @@ mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
+ ASSERT_CRED_LABEL(&active_cred->cr_label);
+ if (file_cred != NULL) {
+ ASSERT_CRED_LABEL(&file_cred->cr_label);
+ }
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1265,6 +1585,9 @@ mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(dlabel);
+
return (0);
}
@@ -1273,6 +1596,9 @@ mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(vnodelabel);
+
return (0);
}
@@ -1281,6 +1607,10 @@ mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, struct label *newlabel)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(vnodelabel);
+ ASSERT_VNODE_LABEL(newlabel);
+
return (0);
}
@@ -1290,6 +1620,10 @@ mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(dlabel);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1299,6 +1633,13 @@ mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(dlabel);
+
+ if (vp != NULL) {
+ ASSERT_VNODE_LABEL(label);
+ }
+
return (0);
}
@@ -1307,6 +1648,9 @@ mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
struct label *label)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1315,6 +1659,9 @@ mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
struct label *label, acl_type_t type, struct acl *acl)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1323,6 +1670,9 @@ mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
struct label *label, int attrnamespace, const char *name, struct uio *uio)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1331,6 +1681,9 @@ mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
struct label *label, u_long flags)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1339,6 +1692,9 @@ mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t mode)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1347,6 +1703,9 @@ mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
struct label *label, uid_t uid, gid_t gid)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1355,6 +1714,9 @@ mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
struct label *label, struct timespec atime, struct timespec mtime)
{
+ ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1363,6 +1725,12 @@ mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
+ ASSERT_CRED_LABEL(&active_cred->cr_label);
+ if (file_cred != NULL) {
+ ASSERT_CRED_LABEL(&file_cred->cr_label);
+ }
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1371,6 +1739,12 @@ mac_test_check_vnode_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *label)
{
+ ASSERT_CRED_LABEL(&active_cred->cr_label);
+ if (file_cred != NULL) {
+ ASSERT_CRED_LABEL(&file_cred->cr_label);
+ }
+ ASSERT_VNODE_LABEL(label);
+
return (0);
}
@@ -1448,6 +1822,8 @@ static struct mac_policy_ops mac_test_ops =
.mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
.mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
.mpo_fragment_match = mac_test_fragment_match,
+ .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
+ .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_tcp,
.mpo_relabel_ifnet = mac_test_relabel_ifnet,
.mpo_update_ipq = mac_test_update_ipq,
.mpo_create_cred = mac_test_create_cred,
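Review bot: The second added initializer, `.mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_tcp,`, assigns the same member as the line before it, so the TCP handler silently overrides the ICMP hook and `mpo_reflect_mbuf_tcp` is never registered (leaving `mac_test_reflect_mbuf_tcp` effectively unused). It should read `.mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,`. Because both handlers currently just assert an MBUF label the observable behaviour is the same today, but the TCP entry point is not being exercised at all, which defeats the purpose of adding it.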
@@ -1498,10 +1874,12 @@ static struct mac_policy_ops mac_test_ops =
.mpo_check_vnode_create = mac_test_check_vnode_create,
.mpo_check_vnode_delete = mac_test_check_vnode_delete,
.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
+ .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
.mpo_check_vnode_exec = mac_test_check_vnode_exec,
.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
.mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
.mpo_check_vnode_link = mac_test_check_vnode_link,
+ .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
.mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
.mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
.mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect,