Index: sys/kern/uipc_socket.c
===================================================================
--- sys/kern/uipc_socket.c
+++ sys/kern/uipc_socket.c
@@ -3085,7 +3085,7 @@
 			    so, &extmac);
 			if (error)
 				goto bad;
-			error = sooptcopyout(sopt, &extmac, sizeof extmac);
+			/* Don't copy out extmac, it is unchanged. */
 #else
 			error = EOPNOTSUPP;
 #endif
@@ -3101,7 +3101,7 @@
 			    sopt->sopt_td->td_ucred, so, &extmac);
 			if (error)
 				goto bad;
-			error = sooptcopyout(sopt, &extmac, sizeof extmac);
+			/* Don't copy out extmac, it is unchanged. */
 #else
 			error = EOPNOTSUPP;
 #endif
Index: sys/security/mac/mac_framework.h
===================================================================
--- sys/security/mac/mac_framework.h
+++ sys/security/mac/mac_framework.h
@@ -295,11 +295,11 @@
 int	mac_socket_init(struct socket *, int);
 void	mac_socket_newconn(struct socket *oldso, struct socket *newso);
 int	mac_getsockopt_label(struct ucred *cred, struct socket *so,
-	    struct mac *extmac);
+	    const struct mac *extmac);
 int	mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
-	    struct mac *extmac);
+	    const struct mac *extmac);
 int	mac_setsockopt_label(struct ucred *cred, struct socket *so,
-	    struct mac *extmac);
+	    const struct mac *extmac);
 
 void	mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
 void	mac_socketpeer_set_from_socket(struct socket *oldso,
Index: sys/security/mac/mac_framework.c
===================================================================
--- sys/security/mac/mac_framework.c
+++ sys/security/mac/mac_framework.c
@@ -583,7 +583,7 @@
 }
 
 int
-mac_check_structmac_consistent(struct mac *mac)
+mac_check_structmac_consistent(const struct mac *mac)
 {
 
 	/* Require that labels have a non-zero length. */
Index: sys/security/mac/mac_internal.h
===================================================================
--- sys/security/mac/mac_internal.h
+++ sys/security/mac/mac_internal.h
@@ -209,7 +209,7 @@
 
 void	mac_init_label(struct label *label);
 void	mac_destroy_label(struct label *label);
-int	mac_check_structmac_consistent(struct mac *mac);
+int	mac_check_structmac_consistent(const struct mac *mac);
 int	mac_allocate_slot(void);
 
 #define MAC_IFNET_LOCK(ifp)	mtx_lock(&mac_ifnet_mtx)
Index: sys/security/mac/mac_socket.c
===================================================================
--- sys/security/mac/mac_socket.c
+++ sys/security/mac/mac_socket.c
@@ -523,7 +523,8 @@
 }
 
 int
-mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
+mac_setsockopt_label(struct ucred *cred, struct socket *so,
+    const struct mac *mac)
 {
 	struct label *intlabel;
 	char *buffer;
@@ -556,7 +557,8 @@
 }
 
 int
-mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
+mac_getsockopt_label(struct ucred *cred, struct socket *so,
+    const struct mac *mac)
 {
 	char *buffer, *elements;
 	struct label *intlabel;
@@ -595,7 +597,7 @@
 
 int
 mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
-    struct mac *mac)
+    const struct mac *mac)
 {
 	char *elements, *buffer;
 	struct label *intlabel;