condate vop_read { types "%X struct vnode *;%Y struct ucred *" from "entry" to "%_ = VOP_READ(%X, %_, %_, %Y)" avoid +"%w = mac_vnode_check_read (%_, %Y, %X);%w == 0" or -"%w = mac_vnode_check_read (%_, %Y, %X);%w != 0" } warning("must call mac_vnode_check_read to read vnode"); condate vop_poll { types "%X struct vnode *" from "entry" to "%_ = VOP_POLL(%X, %_, %_, %_)" avoid +"%w = mac_vnode_check_poll (%_, %_, %X);%w == 0" or -"%w = mac_vnode_check_poll (%_, %_, %X);%w != 0" } warning("must call mac_vnode_check_poll to poll vnode"); condate vop_write { types "%X struct vnode *;%Y struct ucred *" from "entry" to "%_ = VOP_WRITE(%X, %_, %_, %Y)" avoid +"%w = mac_vnode_check_write (%_, %Y, %X);%w == 0" or -"%w = mac_vnode_check_write (%_, %Y, %X);%w != 0" } warning("must call mac_vnode_check_write to write vnode"); condate vop_create { types "%X struct vnode *" from "entry" to "%_ = VOP_CREATE(%X, %_, %_, %_)" avoid +"%w = mac_vnode_check_create (%_, %X, %_, %_);%w == 0" } warning("must call mac_vnode_check_create to create vnode"); condate vop_readdir { types "%X struct vnode *;%Y struct ucred *" from "entry" to "%_ = VOP_READDIR(%X, %_, %_, %_, %_, %_)" avoid +"%w = mac_vnode_check_readdir(%_, %X);%w == 0" or -"%w = mac_vnode_check_readdir(%_, %X);%w != 0" }warning("must call mac_vnode_check_readdir to read director"); condate vop_readlink { types "%X struct vnode *;%Y struct ucred *" from "entry" to "%_ = VOP_READLINK(%X, %_, %Y)" avoid +"%w = mac_vnode_check_readlink(%Y, %X);%w == 0" or -"%w = mac_vnode_check_readlink(%Y, %X);%w != 0" }warning("must call mac_vnode_check_readlink to read link"); condate vop_lookup { types "%X struct vnode *;%Y struct componentname *" from "entry" to "%_ = VOP_LOOKUP(%X, %_, %Y)" avoid +"%w = mac_vnode_check_lookup(%X, %_, %Y);%w == 0" or -"%w = mac_vnode_check_lookup(%X, %_, %Y);%w != 0" }warning("must call mac_vnode_check_lookup to do lookup"); condate inpcb_destory { types "%X struct inpcb *" from "entry" to "uma_zfree(%_, %X)" avoid "mac_inpcb_destroy(%X)" or +"%w = mac_inpcb_init (%X, %_);%w != 0" } warning("must call mac_inpcb_destory to destroy inpcb"); condate vop_setattr { types "%X struct vnode *;%Y struct ucred *" from "entry" to "%_ = VOP_SETATTR(%X, %_, %Y, %_)" avoid +"%w = mac_vnode_check_write(%Y, %_, %X);%w == 0" or -"%w = mac_vnode_check_write(%Y, %_, %X);%w != 0" or +"%w = mac_vnode_check_setflags(%Y, %X, %_);%w == 0" or -"%w = mac_vnode_check_setflags(%Y, %X, %_);%w != 0" or +"%w = mac_vnode_check_setmode(%Y, %X, %_);%w == 0" or -"%w = mac_vnode_check_setmode(%Y, %X, %_);%w != 0" or +"%w = mac_vnode_check_setowner(%Y, %X, %_, %_);%w == 0" or -"%w = mac_vnode_check_setowner(%Y, %X, %_, %_);%w != 0" or +"%w = mac_vnode_check_write(%_, %Y, %X);%w == 0" or -"%w = mac_vnode_check_write(%_, %Y, %X);%w != 0" or +"%w = mac_vnode_check_setutimes(%Y, %X, %_, %_);%w == 0" or -"%w = mac_vnode_check_setutimes(%Y, %X, %_, %_);%w != 0" }warning("must call mac_ to setattr"); condate vop_open { types "%X struct vnode *;%Y struct ucred *" from "entry" to "%_ = VOP_OPEN(%X, %_, %Y, %_, %_)" avoid +"%w = mac_vnode_check_open(%Y, %X, %_);%w == 0" or -"%w = mac_vnode_check_open(%Y, %X, %_);%w != 0" or +"%w = mac_vnode_check_exec(%Y, %X, %_);%w == 0" or -"%w = mac_vnode_check_exec(%Y, %X, %_);%w != 0" } warning("must call mac_vnode_check_open check VOP_OPEN"); condate vfs_statfs { types "%X struct mount" from "entry" to "%_ = VFS_STATFS(%X, %_, %_)" avoid +"%w = mac_mount_check_stat(%Y, %X, %_);%w == 0" or -"%w = mac_mount_check_stat(%Y, %X, %_);%w != 0" } warning("must call mac_mount_check_stat to check statfs"); condate change_root { types "%X struct vnode *;%Y struct thread *" from "entry" to "%_ = change_root(%X, %Y)" avoid +"%w = mac_vnode_check_chroot(%Y->td_ucred, %X);%w == 0" or -"%w = mac_vnode_check_chroot(%Y->td_ucred, %X);%w != 0" } warning("must call mac_vnode_check_chroot check change root"); condate change_dir_check { from "entry" to "%_->fd_cdir = %Z" or "%_ = change_root(%Z, %_)" avoid +"%w = change_dir (%Z, %_);%w == 0" or -"%w = change_dir (%Z, %_);%w != 0" } warning("must call change_dir to check change cur dir"); condate change_dir { functions "change_dir" fromappearatleastonce from +"%X = mac_vnode_check_chdir(%_, %_);%X != 0" or -"%X = mac_vnode_check_chdir(%_, %_);%X == 0" to "return %X" avoid "%X = %_" } warning("must call mac_vnode_check_chdir to check change_dir"); condate vop_setextattr { types "%X struct vnode *;%Y struct ucred *" from "entry" to "%_ = VOP_SETEXTATTR(%X, %_, %_, %_, %Y, %_)" avoid +"%w = mac_vnode_check_setextattr (%Y, %X, %_, %_, %_);%w == 0" or -"%w = mac_vnode_check_setextattr (%Y, %X, %_, %_, %_);%w != 0" } warning("must call mac_vnode_check_setextattr to set extattr"); condate vop_getextattr { types "%X struct vnode *;%Y struct ucred *" from "entry" to "%_ = VOP_GETEXTATTR(%X, %_, %_, %_, %_, %Y, %_)" avoid +"%w = mac_vnode_check_getextattr (%Y, %X, %_, %_, %_);%w == 0" or -"%w = mac_vnode_check_getextattr (%Y, %X, %_, %_, %_);%w != 0" } warning("must call mac_vnode_check_getextattr to get extattr"); condate vop_mknod { types "%X struct vnode *" from "entry" to "%_ = VOP_MKNOD(%X, %_, %_, %_)" avoid +"%w = mac_vnode_check_create(%_, %X, %_, %_);%w == 0" or -"%w = mac_vnode_check_create(%_, %X, %_, %_);%w != 0" } warning("must call mac_vnode_check_create to mknod"); condate vop_link { types "%X struct vnode *; %Y struct vnode *; %Z struct componentname *" from "entry" to "%_ = VOP_LINK(%X, %Y, %Z)" avoid +"%w = mac_vnode_check_link(%_, %X, %Y, %Z);%w == 0" or -"%w = mac_vnode_check_link(%_, %X, %Y, %Z);%w != 0" } warning("must call mac_vnode_check_link to link"); condate vop_symlink { types "%X struct vnode *; %Y struct componentname *;%Z struct vattr *" from "entry" to "%_ = VOP_SYMLINK(%X, %_, %Y, %Z, %_)" avoid +"%w = mac_vnode_check_create(%_, %X, %Y, %Z);%w == 0" or -"%w = mac_vnode_check_create(%_, %X, %Y, %Z);%w != 0" } warning("must call mac_vnode_check_create to create symlink"); condate vop_unlink{ types "%X struct vnode *;%Y struct vnode *;%Z struct componentname *" from "entry" to "%_ = VOP_REMOVE(%X, %Y, %Z)" avoid +"%w = mac_vnode_check_unlink(%_, %X, %Y, %Z);%w == 0" or -"%w = mac_vnode_check_unlink(%_, %X, %Y, %Z);%w != 0" } warning("must call mac_vnode_check_unlink to remove vnode"); condate vop_readlink{ types "%X struct vnode *;%Y struct ucred *" from "entry" to "%_ = VOP_READLINK(%X, %_, %Y)" avoid +"%w = mac_vnode_check_readlink(%Y, %X);%w == 0" or -"%w = mac_vnode_check_readlink(%Y, %X);%w != 0" } warning("must call mac_vnode_check_readlink to read link"); condate vop_rename1{ types "%X struct vnode *;%Y struct vnode *;%Z struct componentname *;%W struct componentname *;%U struct vnode *;%V struct vnode *" from "entry" to "%_ = VOP_RENAME(%X, %Y, %Z, %U, %V, %W)" avoid +"%w = mac_vnode_check_rename_from(%_, %X, %Y, %Z);%w == 0" or -"%w = mac_vnode_check_rename_from(%_, %X, %Y, %Z);%w != 0" } warning("must call mac_vnode_check_rename_from to rename"); condate vop_rename2{ types "%X struct vnode *;%Y struct vnode *;%Z struct componentname *;%W struct componentname *;%U struct vnode *;%V struct vnode *" from "entry" to "%_ = VOP_RENAME(%X, %Y, %Z, %U, %V, %W)" avoid +"%w = mac_vnode_check_rename_to(%_, %_, %_, %_, %_);%w == 0" or -"%w = mac_vnode_check_rename_to(%_, %_, %_, %_, %_);%w != 0" } warning("must call mac_vnode_check_rename_to to rename"); condate vop_mkdir { types "%X struct vnode *;%Y struct componentname *;%Z struct vattr *" from "entry" to "%_ = VOP_MKDIR(%X, %_, %Y, %Z)" avoid +"%w = mac_vnode_check_create(%_, %X, %Y, %Z);%w == 0" or -"%w = mac_vnode_check_create(%_, %X, %Y, %Z);%w != 0" } warning("must call mac_vnode_check_create to mkdir"); condate vop_rmdir { types "%X struct vnode *;%Y struct componentname *" from "entry" to "%_ = VOP_RMDIR(%_, %_, %Y)" avoid +"%w = mac_vnode_check_unlink(%_, %_, %_, %Y);%w == 0" or -"%w = mac_vnode_check_unlink(%_, %_, %_, %Y);%w != 0" } warning("must call mac_vnode_check_unlink to rmdir"); condate vop_revoke { types "%X struct vnode *" from "entry" to "%_ = VOP_REVOKE(%X, %_)" avoid +"%w = mac_vnode_check_revoke(%_, %X);%w == 0" or -"%w = mac_vnode_check_revoke(%_, %X);%w != 0" } warning("must call mac_vnode_check_revoke to revoke vnode"); condate inpcb_check_deliver { types "%X struct mbuf *" from "entry" to "tcp_do_segment(%X, %_, %_, %_, %_, %_)" avoid +"%w = mac_inpcb_check_deliver(%_, %X);%w == 0" or -"%w = mac_inpcb_check_deliver(%_, %X);%w != 0" } warning("must call mac_inpcb_check_deliver before deliver the mbuf to inpcb"); condate inpcb_check_deliver1 { types "%X struct mbuf *;%Y struct socket *;%Z struct inpcb *" from "entry" to "%_ = sbappendaddr_locked (&%Y->so_rcv, %_, %X, %_)" match "%Y = %Z->inp_socket" avoid +"%w = mac_inpcb_check_deliver(%Z, %X);%w == 0" or -"%w = mac_inpcb_check_deliver(%Z, %X);%w != 0" } warning("must call mac_inpcb_check_deliver before deliver the mbuf to inpcb"); condate socketpeer_set_from_mbuf { from "%X = sonewconn(%_, %_)" to "return %_" avoid +"%X == 0B" or "mac_socketpeer_set_from_mbuf(%_, %X)" } warning("must call mac_socketpeer_set_from_mbuf to set socket peer label"); condate mbuf_create { types "%X struct mbuf *" from "%X = m_gethdr(%_, %_)" or "%X = m_getcl(%_, %_, %_)" to "ip_output(%X, %_, %_, %_, %_, %_)" or "ip6_output(%X, %_, %_, %_, %_, %_)" or "if_output(%_, %X, %_, %_)" or "%_ = ip_output(%X, %_, %_, %_, %_, %_)" or "%_ = ip6_output(%X, %_, %_, %_, %_, %_, %_)" or "icmp_reflect(%X)" avoid "mac_netinet_firewall_reply(%_, %X)" or "mac_netinet_firewall_send(%X)" or "mac_netinet_icmp_reply(%_,%X)" or "mac_syncache_create_mbuf(%_, %X)" or "mac_inpcb_create_mbuf(%_, %X)" or "mac_netinet_arp_send(%_, %X)" }warning("uninitialized mbuf send"); condate soreceive { types "%X struct socket *" from "entry" to "soreceive(%X, %_, %_, %_, %_, %_)" or "%_ = soreceive(%X, %_, %_, %_, %_, %_)" or "%_ = sctp_sorecvmsg (%X, %_, %_, %_, %_, %_, %_, %_)" avoid +"%w = mac_socket_check_receive(%_, %X);%w == 0" or -"%w = mac_socket_check_receive(%_, %X);%w != 0" }warning("need mac_socket_check_receive to check soreceive"); condate sosend { types "%X struct socket *" from "entry" to "%_ = sosend(%X, %_, %_, %_, %_, %_, %_)" or "%_ = pru_send (%X, %_, %_, %_, %_, %_)" or "%_ = sctp_lower_sosend (%X, %_, %_, %_, %_, %_, %_, %_, %_)" avoid +"%w = mac_socket_check_send(%_, %X);%w == 0" or -"%w = mac_socket_check_send(%_, %X);%w != 0" }warning("need mac_socket_check_send to check sosend"); condate soconnect { types "%X struct socket *;%Y struct sockaddr *;%Z struct thread *" from "entry" to "%_ = soconnect(%X, %Y, %Z)" avoid +"%w = mac_socket_check_connect(%Z->td_ucred, %X, %Y);%w == 0" or -"%w = mac_socket_check_connect(%Z->td_ucred, %X, %Y);%w != 0" }warning("need mac_socket_check_connect to check soconnect"); condate socreate { types "%X struct ucred *;%Y int;%Z int;%W int" from "entry" to "%_ = socreate(%W, %_, %Z, %Y, %X, %_)" avoid +"%w = mac_socket_check_create(%X, %W, %Z, %Y);%w == 0" or -"%w = mac_socket_check_create(%X, %W, %Z, %Y);%w != 0" }warning("need mac_socket_check_create to check socreate"); condate sobind { types "%X struct socket *;%Y struct sockaddr *;%Z struct thread *" from "entry" to "%_ = sobind(%X, %Y, %Z)" avoid +"%w = mac_socket_check_bind(%Z->td_ucred, %X, %Y);%w == 0" or -"%w = mac_socket_check_bind(%Z->td_ucred, %X, %Y);%w != 0" }warning("need mac_socket_check_bind to check bind"); condate solisten { types "%X struct socket *;%Y struct thread *" from "entry" to "%_ = solisten(%X, %_, %Y)" avoid +"%w = mac_socket_check_listen(%Y->td_ucred, %X);%w == 0" or -"%w = mac_socket_check_listen(%Y->td_ucred, %X);%w != 0" }warning("need mac_socket_check_listen to check solisten"); condate accept { from "entry" to "%_ = soaccept(%_, %_)" avoid +"%w = mac_socket_check_accept(%_, %_);%w == 0" or -"%w = mac_socket_check_accept(%_, %_);%w != 0" }warning("need mac_socket_check_accept to check soaccept"); condate nd6_output { types "%X struct mbuf *;%Y struct ifnet *" functions "nd6_output" from "entry" avoid "mac_netinet6_nd6_send(%Y, %X)" to "%_ = if_output(%Y, %X, %_, %_)" }warning("need mac_netinet6_nd6_send to check nd6_output"); condate proc_destroy { types "%X struct proc *" from "mac_proc_init(%X)" avoid "mac_proc_destroy(%X)" to "uma_zfree(%_, %X)" }warning("need to call mac_proc_destroy to destroy proc label"); condate newproc_alloc { types "%X struct proc *" from "%X = uma_zalloc(%_, %_)" to "%_ = %X" or "return %X" avoid "mac_proc_init(%X)" }warning("need to call mac_proc_init to initialize the newly created proc"); condate proc0_init { functions "proc0_init" types "%X struct proc *" from "%X = &proc0" to "return" avoid "mac_proc_create_swapper(%X->p_ucred)" or "mac_proc_create_swapper(proc0.p_ucred)" }warning("need to call mac_proc_create_swapper to create the proc0"); condate create_init { functions "create_init" types "%X struct ucred *" from "%X = crget()" to "initproc->p_ucred = %X" avoid "mac_proc_create_init(%X)" }warning("need to call mac_proc_create_init to create the init"); condate cred_init { types "%X struct ucred *;%Y struct ucred *" from "%X = malloc (%_, %_, %_)" to "return %X" or "return" avoid "mac_cred_init(%X)" }warning("must call mac_cred_init to init cred"); condate cred_destory { types "%X struct ucred *" from "entry" to "free(%X, %_)" avoid "mac_cred_destroy(%X)" }warning("must call mac_cred_destroy before free the cred"); condate thread_userret { types "%X struct thread *;%Y int" functions "ast" from "entry" to "userret(%_, %_)" or "return" avoid "mac_thread_userret (%_)" or -"(flags & 1073741824) != 0" }warning("must call mac_thread_userret before userret "); condate change_crcopy { functions "crcopy(%X, %Y)" types "%X struct ucred *; %Y struct ucred *" from "entry" to "return" avoid "mac_cred_copy(%Y, %X)" } warning("must call mac_cred_copy to copy cred"); condate execve_enter{ from "entry" to "exec_setregs(%_, %_, %_, %_)" or "%_->p_sysent->sv_setregs(%_, %_, %_, %_)" avoid +"%w = mac_execve_enter(%_, %_);%w == 0" or -"%w = mac_execve_enter(%_, %_);%w != 0" }warning("must call mac_execve_enter to check do_execve"); condate will_transition { from "entry" to "exec_setregs(%_, %_, %_, %_)" or "%_->p_sysent->sv_setregs(%_, %_, %_, %_)" avoid "will_transition = mac_vnode_execve_will_transition(%_, %_, %_, %_)" }warning("must call mac_vnode_execve_will_transition in do_execve"); condate execve_transition { from "entry" to "exec_setregs(%_, %_, %_, %_)" or "%_->p_sysent->sv_setregs(%_, %_, %_, %_)" avoid +"(credential_changing | %_) == 0" or +"(%_->mnt_flag & 8) != 0" or +"(%_->p_flag & 2048) != 0" or +"will_transtion == 0" or -"will_transition != 0" or "mac_vnode_execve_transition(%_, %_, %_, %_, %_)" } warning("must call mac_vnode_execve_transition to check execve transition"); condate execve_exit { types "%X struct image_params *" from "%_ = mac_execve_enter(%X, %_)" avoid "mac_execve_exit(%X)" to "return %X" or "return" } warning("must call mac_execve_exit at the end of the do_execve"); condate proc_check_wait { functions "p_canwait(%Y, %Z)" types "%Y struct thread *;%Z struct proc *" fromappearatleastonce from +"%X = mac_proc_check_wait(%Y->td_ucred, %Z);%X != 0" or -"%X = mac_proc_check_wait(%Y->td_ucred, %Z);%X == 0" or "%X = mac_proc_check_wait(%_, %Z)" to "return %X" avoid "%X = %_" } warning("must call mac_proc_check_wait to check wait"); condate change_ruid { from "entry" types "%X struct ucred *; %Y struct proc *" to "change_ruid(%X, %_)" follow "%Y->p_ucred = %X" avoid +"%W = mac_proc_check_setresuid(%Y, %_, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setresuid(%Y, %_, %_, %_, %_);%W != 0" or +"%W = mac_proc_check_setreuid(%Y, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setreuid(%Y, %_, %_, %_);%W != 0" or +"%W = mac_proc_check_setuid(%Y, %_, %_);%W == 0" or -"%W = mac_proc_check_setuid(%Y, %_, %_);%W != 0" } warning("must call something to check set real uid"); condate change_euid { from "entry" types "%X struct ucred *; %Y struct proc *" to "change_euid(%X, %_)" follow "%Y->p_ucred = %X" avoid +"%W = mac_proc_check_setresuid(%Y, %_, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setresuid(%Y, %_, %_, %_, %_);%W != 0" or +"%W = mac_proc_check_setreuid(%Y, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setreuid(%Y, %_, %_, %_);%W != 0" or +"%W = mac_proc_check_setuid(%Y, %_, %_);%W == 0" or -"%W = mac_proc_check_setuid(%Y, %_, %_);%W != 0" or +"%W = mac_proc_check_seteuid(%Y, %_, %_);%W == 0" or -"%W = mac_proc_check_seteuid(%Y, %_, %_);%W != 0" } warning("must call something to check effective uid"); condate change_svuid { from "entry" types "%X struct ucred *; %Y struct proc *" to "change_svuid(%X, %_)" follow "%Y->p_ucred = %X" avoid +"%W = mac_proc_check_setuid(%Y, %_, %_);%W == 0" or -"%W = mac_proc_check_setuid(%Y, %_, %_);%W != 0" or +"%W = mac_proc_check_setresuid(%Y, %_, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setresuid(%Y, %_, %_, %_, %_);%W != 0" or +"%W = mac_proc_check_setreuid(%Y, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setreuid(%Y, %_, %_, %_);%W != 0" } warning("must call something to check set saved user uid"); condate change_rgid { from "entry" types "%X struct ucred *; %Y struct proc *" to "change_rgid(%X, %_)" follow "%Y->p_ucred = %X" avoid +"%W = mac_proc_check_setgid(%Y, %_, %_);%W == 0" or -"%W = mac_proc_check_setgid(%Y, %_, %_);%W != 0" or +"%W = mac_proc_check_setregid(%Y, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setregid(%Y, %_, %_, %_);%W != 0" or +"%W = mac_proc_check_setresgid(%Y, %_, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setresgid(%Y, %_, %_, %_, %_);%W != 0" } warning("must call something to check set real gid"); condate change_egid { from "entry" types "%X struct ucred *; %Y struct proc *" to "change_egid(%X, %_)" follow "%Y->p_ucred = %X" avoid +"%W = mac_proc_check_setgid(%Y, %_, %_);%W == 0" or -"%W = mac_proc_check_setgid(%Y, %_, %_);%W != 0" or +"%W = mac_proc_check_setregid(%Y, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setregid(%Y, %_, %_, %_);%W != 0" or +"%W = mac_proc_check_setresgid(%Y, %_, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setresgid(%Y, %_, %_, %_, %_);%W != 0" or +"%W = mac_proc_check_setegid(%Y, %_, %_);%W == 0" or -"%W = mac_proc_check_setegid(%Y, %_, %_);%W != 0" } warning("must call something to check set effective gid"); condate change_svgid { from "entry" types "%X struct ucred *; %Y struct proc *" to "change_svgid(%X, %_)" follow "%Y->p_ucred = %X" avoid +"%W = mac_proc_check_setgid(%Y, %_, %_);%W == 0" or -"%W = mac_proc_check_setgid(%Y, %_, %_);%W != 0" or +"%W = mac_proc_check_setregid(%Y, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setregid(%Y, %_, %_, %_);%W != 0" or +"%W = mac_proc_check_setresgid(%Y, %_, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setresgid(%Y, %_, %_, %_, %_);%W != 0" } warning("must call something to check set real gid"); condate setgroups { from "entry" types "%X struct ucred *; %Y struct proc *" to "%X->cr_ngroups = %_" avoid +"%W = mac_proc_check_setgroups(%Y, %_, %_, %_);%W == 0" or -"%W = mac_proc_check_setgroups(%Y, %_, %_, %_);%W != 0" follow "%Y->p_ucred = %X" } warning("must call mac_proc_check_setgroups to set groups"); condate cr_cansee { functions "cr_cansee(%Y, %Z)" types "%Y struct ucred *;%Z struct ucred *" fromappearatleastonce from +"%X = mac_cred_check_visible(%Y, %Z);%X != 0" or -"%X = mac_cred_check_visible(%Y, %Z);%X == 0" to "return %X" avoid "%X = %_" } warning("must call mac_cred_check_visible to see other thread"); condate cr_cansignal { functions "cr_cansignal(%Y, %Z, %W)" types "%Y struct ucred *;%Z struct proc *;%W int" fromappearatleastonce from +"%X = mac_proc_check_signal(%Y, %Z, %W);%X != 0" or -"%X = mac_proc_check_signal(%Y, %Z, %W);%X == 0" to "return %X" avoid "%X = %_" } warning("must call mac_proc_check_signal to see other thread"); condate cr_cansignal1 { functions "cr_cansignal(%Y, %Z, %W)" types "%Y struct ucred *;%Z struct proc *;%W int" fromappearatleastonce from "entry" to "%_ = mac_proc_check_signal(%Y, %Z, %W)" avoid "%Y = %_" or "%Z = %_" or "%W = %_" } warning("call mac_cred_check_signal's argument should not change"); condate p_cansignal { functions "p_cansignal(%Y, %Z, %W)" types "%Y struct thread *;%Z struct proc *;%W int;%X int" fromappearatleastonce from "%_ = cr_cansignal(%_, %_, %_)" to "return %_" } warning("must call cr_cansignal to check p_cansignal"); condate p_cansched { functions "p_cansched(%Y, %Z)" types "%Y struct thread *;%Z struct proc *" fromappearatleastonce from +"%X = mac_proc_check_sched(%Y->td_ucred, %Z);%X != 0" or -"%X = mac_proc_check_sched(%Y->td_ucred, %Z);%X == 0" to "return %X" avoid "%X = %_" } warning("must call mac_proc_check_sched to sched other proc"); condate p_cansched1 { functions "p_cansched(%Y, %Z)" types "%Y struct thread *;%Z struct proc *" fromappearatleastonce from "entry" to "%_ = mac_proc_check_sched(%Y->td_ucred, %Z)" avoid "%Y = %_" or "%Z = %_" } warning("call mac_proc_check_sched's argument should not change"); condate p_candebug { functions "p_candebug(%Y, %Z)" types "%Y struct thread *;%Z struct proc *" fromappearatleastonce from +"%X = mac_proc_check_debug(%Y->td_ucred, %Z);%X != 0" or -"%X = mac_proc_check_debug(%Y->td_ucred, %Z);%X == 0" to "return %X" avoid "%X = %_" } warning("must call mac_proc_check_debug to debug other proc"); condate p_candebug1 { functions "p_candebug(%Y, %Z)" types "%Y struct thread *;%Z struct proc *" fromappearatleastonce from "entry" to "%_ = mac_proc_check_debug(%Y->td_ucred, %Z)" avoid "%Y = %_" or "%Z = %_" } warning("must call mac_proc_check_debug's argument should not change"); condate cred_free{ types "%X struct ucred *" from "entry" to "free(%X, %_)" avoid "mac_cred_destroy(%X)" }warning("must call mac_cred_destroy to free the ucred"); condate crcopy { types "%X struct ucred *;%Y struct ucred *" functions "crcopy(%X, %Y)" fromappearatleastonce from "mac_cred_copy(%Y, %X)" to "return" } warning("crcopy must call mac_cred_copy to copy the ucred"); condate crget{ types "%X struct ucred *" from "%X = malloc (%_, &M_CRED, %_)" to "return %X" avoid "mac_cred_init(%X)" }warning("must call mac_cred_init to init the ucred"); condate cr_canseesocket{ types "%X struct ucred *;%Y struct socket *" functions "cr_canseesocket(%X, %Y)" fromappearatleastonce from +"%W = mac_socket_check_visible(%X, %Y);%W != 0" or -"%W = mac_socket_check_visible(%X, %Y);%W == 0" to "return %W" avoid "%X = %_" }warning("must call mac_socket_check_visible in cr_canseesocket"); condate mac_cred_check_relabel{ types "%Z struct ucred *;%X struct ucred *;%Y struct label *;%W struct thread *;%V struct proc *" from "%Z = %V->p_ucred" to "mac_cred_relabel(%X, %Y)" follow "%V->p_ucred = %X" avoid +"%K = mac_cred_check_relabel(%Z, %Y);%K == 0" or -"%K = mac_cred_check_relabel(%Z, %Y);%K != 0" }warning("must call mac_cred_check_relabel to relabel the cred"); condate ipq_init { types "%X struct ipq *" from +"%X = uma_zalloc(%_, %_);%X != 0B" or -"%X = uma_zalloc(%_, %_);%X == 0B" avoid "%_ = mac_ipq_init(%X, %_)" to "return" or "return %_" }warning("must call mac_ipq_init to init the ipq"); condate mac_ipq_create { types "%X struct ipq *" from +"%T = mac_ipq_init(%X, %_);%T == 0" or -"%T = mac_ipq_init(%X, %_);%T != 0" to "return" or "return %_" avoid "mac_ipq_create(%_, %X)" }warning("must call mac_ipq_create to create the ipq"); condate ipq_destroy { types "%X struct ipq *" from -"%T = mac_ipq_init(%X, %_); %T != 0" to "uma_zfree(%_, %X)" avoid "mac_ipq_destroy(%X)" }warning("must call mac_ipq_destroy before free a ipq"); condate ifnet_init { types "%X struct ifnet *" functions "if_attach(%X)" from "entry" avoid "mac_ifnet_init(%_)" or +"%_->if_index == 0" or +"%_->ife_ifnet != %X" or "panic(%_, %_)" to "return" } warning("must call mac_ifnet_init to init the ifnet"); condate ifnet_check_transmit { types "%X struct ifnet *;%Y struct mbuf *" fromappearatleastonce functions "ether_output(%X, %Y, %_, %_)" or "pppoutput(%X, %Y, %_, %_)" or "firewire_output(%X, %Y, %_, %_)" or "atm_output(%X, %Y, %_, %_)" or "fddi_output(%X, %Y, %_, %_)" or "iso88025_output(%X, %Y, %_, %_)" or "stf_output(%X, %Y, %_, %_)" or "tunoutput(%X, %Y, %_, %_)" from +"%W = mac_ifnet_check_transmit(%_, %_);%W != 0" or -"%W = mac_ifnet_check_transmit(%_, %_);%W == 0" to "return %W" avoid "%W = %_" }warning("require mac_ifnet_check_transmit to check the mbuf transmit"); condate bpfdesc_check_receive { types "%X struct bpf_d *" from "entry" to "catchpacket(%X, %_, %_, %_, %_, %_)" avoid +"%K = mac_bpfdesc_check_receive(%X, %_);%K == 0" or -"%K = mac_bpfdesc_check_receive(%X, %_);%K != 0" }warning("must call mac_bpfdesc_check_receive to catchpacket"); condate mac_ifnet_create_mbuf { from "entry" types "%X struct mbuf *" to "netisr_dispatch(%_, %X)" or "ether_demux(%_, %X)" avoid "mac_ifnet_create_mbuf(%_, %X)" }warning("must call mac_ifnet_create_mbuf before the mbuf is in from ifnet"); condate bpf_movein { types "%X struct mbuf *" from "%_ = bpf_movein(%_, %_, %_, &%X, %_, %_, %_)" to "%_ = if_output(%_, %X, %_, %_)" avoid "mac_bpfdesc_create_mbuf(%_, %X)" }warning("must call mac_bpfdesc_create_mbuf to setup the mbuf"); condate bpf_create{ types "%X struct bpf_d *" from "%X = malloc (%_, %_, %_)" to "return %_" avoid "mac_bpfdesc_create(%_, %X)" }warning("must call mac_bpfdesc_create after bpf_d creating"); condate bpf_create1{ types "%X struct bpf_d *" from "%X = malloc (%_, %_, %_)" to "return %_" avoid "mac_bpfdesc_init(%X)" }warning("must call mac_bpfdesc_init after bpf_d creating");