Index: sys/kern/uipc_socket.c =================================================================== --- sys/kern/uipc_socket.c +++ sys/kern/uipc_socket.c @@ -3085,7 +3085,7 @@ so, &extmac); if (error) goto bad; - error = sooptcopyout(sopt, &extmac, sizeof extmac); + /* Don't copy out extmac, it is unchanged. */ #else error = EOPNOTSUPP; #endif @@ -3101,7 +3101,7 @@ sopt->sopt_td->td_ucred, so, &extmac); if (error) goto bad; - error = sooptcopyout(sopt, &extmac, sizeof extmac); + /* Don't copy out extmac, it is unchanged. */ #else error = EOPNOTSUPP; #endif Index: sys/security/mac/mac_framework.h =================================================================== --- sys/security/mac/mac_framework.h +++ sys/security/mac/mac_framework.h @@ -295,11 +295,11 @@ int mac_socket_init(struct socket *, int); void mac_socket_newconn(struct socket *oldso, struct socket *newso); int mac_getsockopt_label(struct ucred *cred, struct socket *so, - struct mac *extmac); + const struct mac *extmac); int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, - struct mac *extmac); + const struct mac *extmac); int mac_setsockopt_label(struct ucred *cred, struct socket *so, - struct mac *extmac); + const struct mac *extmac); void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so); void mac_socketpeer_set_from_socket(struct socket *oldso, Index: sys/security/mac/mac_framework.c =================================================================== --- sys/security/mac/mac_framework.c +++ sys/security/mac/mac_framework.c @@ -583,7 +583,7 @@ } int -mac_check_structmac_consistent(struct mac *mac) +mac_check_structmac_consistent(const struct mac *mac) { /* Require that labels have a non-zero length. */ Index: sys/security/mac/mac_internal.h =================================================================== --- sys/security/mac/mac_internal.h +++ sys/security/mac/mac_internal.h @@ -209,7 +209,7 @@ void mac_init_label(struct label *label); void mac_destroy_label(struct label *label); -int mac_check_structmac_consistent(struct mac *mac); +int mac_check_structmac_consistent(const struct mac *mac); int mac_allocate_slot(void); #define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx) Index: sys/security/mac/mac_socket.c =================================================================== --- sys/security/mac/mac_socket.c +++ sys/security/mac/mac_socket.c @@ -523,7 +523,8 @@ } int -mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac) +mac_setsockopt_label(struct ucred *cred, struct socket *so, + const struct mac *mac) { struct label *intlabel; char *buffer; @@ -556,7 +557,8 @@ } int -mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac) +mac_getsockopt_label(struct ucred *cred, struct socket *so, + const struct mac *mac) { char *buffer, *elements; struct label *intlabel; @@ -595,7 +597,7 @@ int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, - struct mac *mac) + const struct mac *mac) { char *elements, *buffer; struct label *intlabel;