diff --git a/sbin/ddb/ddb.8 b/sbin/ddb/ddb.8
--- a/sbin/ddb/ddb.8
+++ b/sbin/ddb/ddb.8
@@ -150,6 +150,7 @@
 manual pages.
 .Sh SEE ALSO
 .Xr ddb 4 ,
+.Xr mac_ddb 4 ,
 .Xr textdump 4 ,
 .Xr sysctl 8
 .Sh HISTORY
diff --git a/share/man/man4/ddb.4 b/share/man/man4/ddb.4
--- a/share/man/man4/ddb.4
+++ b/share/man/man4/ddb.4
@@ -1602,6 +1602,7 @@
 .Xr kgdb 1 ,
 .Xr acpi 4 ,
 .Xr CAM 4 ,
+.Xr mac_ddb 4 ,
 .Xr mac_test 4 ,
 .Xr netgraph 4 ,
 .Xr textdump 4 ,
diff --git a/share/man/man4/mac.4 b/share/man/man4/mac.4
--- a/share/man/man4/mac.4
+++ b/share/man/man4/mac.4
@@ -30,7 +30,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd May 20, 2021
+.Dd June 29, 2022
 .Dt MAC 4
 .Os
 .Sh NAME
@@ -51,10 +51,11 @@
 .Pp
 Currently, the following MAC policy modules are shipped with
 .Fx :
-.Bl -column ".Xr mac_seeotheruids 4" "low-watermark mac policy" ".Em Labeling" "boot only"
+.Bl -column ".Xr mac_seeotheruids 4" "ddb(4) interface restrictions" ".Em Labeling" "boot only"
 .It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time"
 .It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only
 .It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time
+.It Xr mac_ddb 4 Ta "ddb(4) interface restrictions" Ta no Ta any time
 .It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time
 .It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only
 .It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only
@@ -201,6 +202,7 @@
 .Xr mac 3 ,
 .Xr mac_biba 4 ,
 .Xr mac_bsdextended 4 ,
+.Xr mac_ddb 4 ,
 .Xr mac_ifoff 4 ,
 .Xr mac_lomac 4 ,
 .Xr mac_mls 4 ,
diff --git a/share/man/man4/mac_bsdextended.4 b/share/man/man4/mac_bsdextended.4
--- a/share/man/man4/mac_bsdextended.4
+++ b/share/man/man4/mac_bsdextended.4
@@ -117,6 +117,7 @@
 .Xr syslog 3 ,
 .Xr mac 4 ,
 .Xr mac_biba 4 ,
+.Xr mac_ddb 4 ,
 .Xr mac_ifoff 4 ,
 .Xr mac_lomac 4 ,
 .Xr mac_mls 4 ,
diff --git a/share/man/man4/mac_stub.4 b/share/man/man4/mac_ddb.4
copy from share/man/man4/mac_stub.4
copy to share/man/man4/mac_ddb.4
--- a/share/man/man4/mac_stub.4
+++ b/share/man/man4/mac_ddb.4
@@ -1,11 +1,7 @@
-.\" Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
-.\" All rights reserved.
+.\" Copyright (c) 2022 Klara Systems
 .\"
-.\" This software was developed for the FreeBSD Project by Chris Costello
-.\" at Safeport Network Services and Network Associates Laboratories, the
-.\" Security Research Division of Network Associates, Inc. under
-.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
-.\" DARPA CHATS research program.
+.\" This software was developed by Mitchell Horne <mhorne@FreeBSD.org>
+.\" under sponsorship from Juniper Networks and Klara Systems.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -28,24 +24,22 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $FreeBSD$
-.\"
-.Dd July 25, 2015
-.Dt MAC_STUB 4
+.Dd June 29, 2022
+.Dt MAC_DDB 4
 .Os
 .Sh NAME
-.Nm mac_stub
-.Nd "MAC policy stub module"
+.Nm mac_ddb
+.Nd "Restricted kernel debugger interface policy"
 .Sh SYNOPSIS
-To compile the stub policy
+To compile the ddb policy
 into your kernel, place the following lines in your kernel
 configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
-.Cd "options MAC_STUB"
+.Cd "options MAC_DDB"
 .Ed
 .Pp
-Alternately, to load the stub module at boot time, place the following line
+Alternately, to load the ddb module at boot time, place the following line
 in your kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
@@ -54,23 +48,46 @@
 and in
 .Xr loader.conf 5 :
 .Bd -literal -offset indent
-mac_stub_load="YES"
+mac_ddb_load="YES"
 .Ed
 .Sh DESCRIPTION
 The
 .Nm
-policy module implements a stub MAC policy that has no effect on
-access control in the system.
-Unlike
-.Xr mac_none 4 ,
-each MAC entry point is defined as a
-.Dq no-op ,
-so the policy module will be entered for each event, but no change
-in system behavior should result.
+policy module implements a MAC policy which restricts the set of commands that
+can be used at the
+.Xr ddb 4
+command prompt.
+The subset of permitted commands is limited to those which do not read or write
+to arbitrary memory locations.
+This is done to deter the possible extraction of system secrets while still
+allowing enough debugger functionality to diagnose a kernel panic.
+For example, the
+.Ic trace
+or
+.Ic show registers
+commands are allowed by this policy, but
+.Ic show Cm buffer Ar addr
+is not.
+.Pp
+All debugger commands that are declared with the
+.Va DB_CMD_MEMSAFE
+flag are allowed by
+.Nm .
+The policy provides validation functions to conditionally allow some additional
+commands, based on the user provided arguments.
+.Pp
+When loaded, the
+.Nm
+policy also ensures that only the
+.Xr ddb 4
+debugger backend may be executed;
+.Xr gdb 4
+may not.
 .Ss Label Format
 No labels are defined for
 .Nm .
 .Sh SEE ALSO
+.Xr ddb 4 ,
 .Xr mac 4 ,
 .Xr mac_biba 4 ,
 .Xr mac_bsdextended 4 ,
@@ -83,23 +100,6 @@
 .Xr mac_seeotheruids 4 ,
 .Xr mac_test 4 ,
 .Xr mac 9
-.Sh HISTORY
-The
-.Nm
-policy module first appeared in
-.Fx 5.1
-and was developed by the
-.Tn TrustedBSD
-Project.
-.Sh AUTHORS
-This software was contributed to the
-.Fx
-Project by Network Associates Labs,
-the Security Research Division of Network Associates
-Inc.
-under DARPA/SPAWAR contract N66001-01-C-8035
-.Pq Dq CBOSS ,
-as part of the DARPA CHATS research program.
 .Sh BUGS
 While the MAC Framework design is intended to support the containment of
 the root user, not all attack channels are currently protected by entry
diff --git a/share/man/man4/mac_lomac.4 b/share/man/man4/mac_lomac.4
--- a/share/man/man4/mac_lomac.4
+++ b/share/man/man4/mac_lomac.4
@@ -194,6 +194,7 @@
 .Xr mac 4 ,
 .Xr mac_biba 4 ,
 .Xr mac_bsdextended 4 ,
+.Xr mac_ddb 4 ,
 .Xr mac_ifoff 4 ,
 .Xr mac_mls 4 ,
 .Xr mac_none 4 ,
diff --git a/share/man/man4/mac_mls.4 b/share/man/man4/mac_mls.4
--- a/share/man/man4/mac_mls.4
+++ b/share/man/man4/mac_mls.4
@@ -210,6 +210,7 @@
 .Xr mac 4 ,
 .Xr mac_biba 4 ,
 .Xr mac_bsdextended 4 ,
+.Xr mac_ddb 4 ,
 .Xr mac_ifoff 4 ,
 .Xr mac_lomac 4 ,
 .Xr mac_none 4 ,
diff --git a/share/man/man4/mac_none.4 b/share/man/man4/mac_none.4
--- a/share/man/man4/mac_none.4
+++ b/share/man/man4/mac_none.4
@@ -71,6 +71,7 @@
 .Xr mac 4 ,
 .Xr mac_biba 4 ,
 .Xr mac_bsdextended 4 ,
+.Xr mac_ddb 4 ,
 .Xr mac_ifoff 4 ,
 .Xr mac_lomac 4 ,
 .Xr mac_mls 4 ,
diff --git a/share/man/man4/mac_partition.4 b/share/man/man4/mac_partition.4
--- a/share/man/man4/mac_partition.4
+++ b/share/man/man4/mac_partition.4
@@ -91,6 +91,7 @@
 .Xr mac 4 ,
 .Xr mac_biba 4 ,
 .Xr mac_bsdextended 4 ,
+.Xr mac_ddb 4 ,
 .Xr mac_ifoff 4 ,
 .Xr mac_lomac 4 ,
 .Xr mac_mls 4 ,
diff --git a/share/man/man4/mac_portacl.4 b/share/man/man4/mac_portacl.4
--- a/share/man/man4/mac_portacl.4
+++ b/share/man/man4/mac_portacl.4
@@ -194,6 +194,7 @@
 .Xr ip 4 ,
 .Xr mac_biba 4 ,
 .Xr mac_bsdextended 4 ,
+.Xr mac_ddb 4 ,
 .Xr mac_ifoff 4 ,
 .Xr mac_mls 4 ,
 .Xr mac_none 4 ,
diff --git a/share/man/man4/mac_seeotheruids.4 b/share/man/man4/mac_seeotheruids.4
--- a/share/man/man4/mac_seeotheruids.4
+++ b/share/man/man4/mac_seeotheruids.4
@@ -90,6 +90,7 @@
 .Xr mac 4 ,
 .Xr mac_biba 4 ,
 .Xr mac_bsdextended 4 ,
+.Xr mac_ddb 4 ,
 .Xr mac_ifoff 4 ,
 .Xr mac_lomac 4 ,
 .Xr mac_mls 4 ,
diff --git a/share/man/man4/mac_stub.4 b/share/man/man4/mac_stub.4
--- a/share/man/man4/mac_stub.4
+++ b/share/man/man4/mac_stub.4
@@ -74,6 +74,7 @@
 .Xr mac 4 ,
 .Xr mac_biba 4 ,
 .Xr mac_bsdextended 4 ,
+.Xr mac_ddb 4 ,
 .Xr mac_ifoff 4 ,
 .Xr mac_lomac 4 ,
 .Xr mac_mls 4 ,
diff --git a/share/man/man4/mac_test.4 b/share/man/man4/mac_test.4
--- a/share/man/man4/mac_test.4
+++ b/share/man/man4/mac_test.4
@@ -76,6 +76,7 @@
 .Xr mac 4 ,
 .Xr mac_biba 4 ,
 .Xr mac_bsdextended 4 ,
+.Xr mac_ddb 4 ,
 .Xr mac_ifoff 4 ,
 .Xr mac_lomac 4 ,
 .Xr mac_mls 4 ,
diff --git a/share/man/man9/mac.9 b/share/man/man9/mac.9
--- a/share/man/man9/mac.9
+++ b/share/man/man9/mac.9
@@ -152,6 +152,7 @@
 .Xr posix1e 3 ,
 .Xr mac_biba 4 ,
 .Xr mac_bsdextended 4 ,
+.Xr mac_ddb 4 ,
 .Xr mac_ifoff 4 ,
 .Xr mac_lomac 4 ,
 .Xr mac_mls 4 ,
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -1235,6 +1235,7 @@
 options 	MAC
 options 	MAC_BIBA
 options 	MAC_BSDEXTENDED
+options 	MAC_DDB
 options 	MAC_IFOFF
 options 	MAC_LOMAC
 options 	MAC_MLS
diff --git a/sys/conf/files b/sys/conf/files
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -5137,6 +5137,7 @@
 security/mac/mac_sysv_shm.c	optional mac
 security/mac/mac_vfs.c		optional mac
 security/mac_biba/mac_biba.c	optional mac_biba
+security/mac_ddb/mac_ddb.c	optional mac_ddb
 security/mac_bsdextended/mac_bsdextended.c	optional mac_bsdextended
 security/mac_bsdextended/ugidfw_system.c	optional mac_bsdextended
 security/mac_bsdextended/ugidfw_vnode.c		optional mac_bsdextended
diff --git a/sys/conf/options b/sys/conf/options
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -156,6 +156,7 @@
 MAC		opt_global.h
 MAC_BIBA	opt_dontuse.h
 MAC_BSDEXTENDED	opt_dontuse.h
+MAC_DDB		opt_dontuse.h
 MAC_IFOFF	opt_dontuse.h
 MAC_LOMAC	opt_dontuse.h
 MAC_MLS		opt_dontuse.h
diff --git a/sys/ddb/ddb.h b/sys/ddb/ddb.h
--- a/sys/ddb/ddb.h
+++ b/sys/ddb/ddb.h
@@ -99,6 +99,7 @@
 extern struct db_command_table db_cmd_table;
 extern struct db_command_table db_show_table;
 extern struct db_command_table db_show_all_table;
+extern struct db_command_table db_show_active_table;
 
 /*
  * Type signature for a function implementing a ddb command.
diff --git a/sys/modules/Makefile b/sys/modules/Makefile
--- a/sys/modules/Makefile
+++ b/sys/modules/Makefile
@@ -219,6 +219,7 @@
 	lpt \
 	${_mac_biba} \
 	${_mac_bsdextended} \
+	${_mac_ddb} \
 	${_mac_ifoff} \
 	${_mac_lomac} \
 	${_mac_mls} \
@@ -546,6 +547,9 @@
 .if ${KERN_OPTS:MMAC} || defined(ALL_MODULES)
 _mac_biba=	mac_biba
 _mac_bsdextended= mac_bsdextended
+.if ${KERN_OPTS:MDDB} || defined(ALL_MODULES)
+_mac_ddb=	mac_ddb
+.endif
 _mac_ifoff=	mac_ifoff
 _mac_lomac=	mac_lomac
 _mac_mls=	mac_mls
diff --git a/sys/modules/mac_ddb/Makefile b/sys/modules/mac_ddb/Makefile
new file mode 100644
--- /dev/null
+++ b/sys/modules/mac_ddb/Makefile
@@ -0,0 +1,6 @@
+.PATH: ${SRCTOP}/sys/security/mac_ddb
+
+KMOD=	mac_ddb
+SRCS=	mac_ddb.c
+
+.include <bsd.kmod.mk>
diff --git a/sys/security/mac_ddb/mac_ddb.c b/sys/security/mac_ddb/mac_ddb.c
new file mode 100644
--- /dev/null
+++ b/sys/security/mac_ddb/mac_ddb.c
@@ -0,0 +1,266 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2021-2022 Klara Systems
+ *
+ * This software was developed by Mitchell Horne <mhorne@FreeBSD.org>
+ * under sponsorship from Juniper Networks and Klara Systems.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/param.h>
+#include <sys/kdb.h>
+#include <sys/module.h>
+#include <sys/proc.h>
+#include <sys/sysctl.h>
+
+#include <ddb/ddb.h>
+#include <ddb/db_command.h>
+
+#include <security/mac/mac_policy.h>
+
+/*
+ * This module provides a limited interface to the ddb(4) kernel debugger. The
+ * intent is to allow execution of useful debugging commands while disallowing
+ * the execution of commands which may be used to inspect/modify arbitrary
+ * system memory.
+ *
+ * Commands which are deterministic in their output or effect and that have
+ * been flagged with DB_CMD_MEMSAFE in their definition will be allowed.
+ *
+ * Other commands are valid within this context so long as there is some
+ * constraint placed on their input arguments. This applies to most 'show'
+ * commands which accept an arbitrary address. If the provided address can be
+ * validated as a real instance of the object (e.g. the 'show proc' address
+ * points to a real struct proc in the process list), then the command may be
+ * executed. This module defines several validation functions which are used to
+ * conditionally allow or block the execution of some commands. For these
+ * commands we define and apply the DB_CMD_VALIDATE flag.
+ *
+ * Any other commands not flagged with DM_CMD_MEMSAFE or DB_CMD_VALIDATE are
+ * considered unsafe for execution.
+ */
+
+#define	DB_CMD_VALIDATE		DB_MAC1
+
+typedef int db_validation_fn_t(db_expr_t addr, bool have_addr, db_expr_t count,
+    char *modif);
+
+static db_validation_fn_t	db_thread_valid;
+
+struct cmd_list_item {
+	const char *name;
+	db_validation_fn_t *validate_fn;
+};
+
+/* List of top-level ddb(4) commands which are allowed by this policy. */
+static const struct cmd_list_item command_list[] = {
+	{ "thread",	db_thread_valid },
+};
+
+/* List of ddb(4) 'show' commands which are allowed by this policy. */
+static const struct cmd_list_item show_command_list[] = {
+	{ "thread",	db_thread_valid },
+};
+
+static int
+db_thread_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif)
+{
+	struct thread *thr;
+	lwpid_t tid;
+
+	/* Default will show the current proc. */
+	if (!have_addr)
+		return (0);
+
+	/* Validate the provided addr OR tid against the thread list. */
+	tid = db_hex2dec(addr);
+	for (thr = kdb_thr_first(); thr != NULL; thr = kdb_thr_next(thr)) {
+		if ((void *)thr == (void *)addr || tid == thr->td_tid)
+			return (0);
+	}
+
+	return (EACCES);
+}
+
+static int
+command_match(struct db_command *cmd, struct cmd_list_item item)
+{
+	db_validation_fn_t *vfn;
+	int n;
+
+	n = strcmp(cmd->name, item.name);
+	if (n != 0)
+		return (n);
+
+	/* Got an exact match. Update the command struct */
+	vfn = item.validate_fn;
+	if (vfn != NULL) {
+		cmd->flag |= DB_CMD_VALIDATE;
+		cmd->mac_priv = vfn;
+	}
+	return (0);
+}
+
+static void
+mac_ddb_init(struct mac_policy_conf *conf)
+{
+	struct db_command *cmd, *prev;
+	int i, n;
+
+	/* The command lists are sorted lexographically, as are our arrays. */
+
+	/* Register basic commands. */
+	for (i = 0, cmd = prev = NULL; i < nitems(command_list); i++) {
+		LIST_FOREACH_FROM(cmd, &db_cmd_table, next) {
+			n = command_match(cmd, command_list[i]);
+			if (n == 0) {
+				/* Got an exact match. */
+				prev = cmd;
+				break;
+			} else if (n > 0) {
+				/* Desired command is not registered. */
+				break;
+			}
+		}
+
+		/* Next search begins at the previous match. */
+		cmd = prev;
+	}
+
+	/* Register 'show' commands which require validation. */
+	for (i = 0, cmd = prev = NULL; i < nitems(show_command_list); i++) {
+		LIST_FOREACH_FROM(cmd, &db_show_table, next) {
+			n = command_match(cmd, show_command_list[i]);
+			if (n == 0) {
+				/* Got an exact match. */
+				prev = cmd;
+				break;
+			} else if (n > 0) {
+				/* Desired command is not registered. */
+				break;
+			}
+		}
+
+		/* Next search begins at the previous match. */
+		cmd = prev;
+	}
+
+#ifdef INVARIANTS
+	/* Verify the lists are sorted correctly. */
+	const char *a, *b;
+
+	for (i = 0; i < nitems(command_list) - 1; i++) {
+		a = command_list[i].name;
+		b = command_list[i + 1].name;
+		if (strcmp(a, b) > 0)
+			panic("%s: command_list[] not alphabetical: %s,%s",
+			    __func__, a, b);
+	}
+	for (i = 0; i < nitems(show_command_list) - 1; i++) {
+		a = show_command_list[i].name;
+		b = show_command_list[i + 1].name;
+		if (strcmp(a, b) > 0)
+			panic("%s: show_command_list[] not alphabetical: %s,%s",
+			    __func__, a, b);
+	}
+#endif
+}
+
+static int
+mac_ddb_command_register(struct db_command_table *table,
+    struct db_command *cmd)
+{
+	int i, n;
+
+	if ((cmd->flag & DB_CMD_MEMSAFE) != 0)
+		return (0);
+
+	/* For other commands, search the allow-lists. */
+	if (table == &db_show_table) {
+		for (i = 0; i < nitems(show_command_list); i++) {
+			n = command_match(cmd, show_command_list[i]);
+			if (n == 0)
+				/* Got an exact match. */
+				return (0);
+			else if (n > 0)
+				/* Command is not in the policy list. */
+				break;
+		}
+	} else if (table == &db_cmd_table) {
+		for (i = 0; i < nitems(command_list); i++) {
+			n = command_match(cmd, command_list[i]);
+			if (n == 0)
+				/* Got an exact match. */
+				return (0);
+			else if (n > 0)
+				/* Command is not in the policy list. */
+				break;
+		}
+	}
+
+	/* The command will not be registered. */
+	return (EACCES);
+}
+
+static int
+mac_ddb_command_exec(struct db_command *cmd, db_expr_t addr,
+    bool have_addr, db_expr_t count, char *modif)
+{
+	db_validation_fn_t *vfn = cmd->mac_priv;
+
+	/* Validate the command and args based on policy. */
+	if ((cmd->flag & DB_CMD_VALIDATE) != 0) {
+		MPASS(vfn != NULL);
+		if (vfn(addr, have_addr, count, modif) == 0)
+			return (0);
+	} else if ((cmd->flag & DB_CMD_MEMSAFE) != 0)
+		return (0);
+
+	return (EACCES);
+}
+
+static int
+mac_ddb_check_backend(struct kdb_dbbe *be)
+{
+
+	/* Only allow DDB backend to execute. */
+	if (strcmp(be->dbbe_name, "ddb") == 0)
+		return (0);
+
+	return (EACCES);
+}
+
+/*
+ * Register functions with MAC Framework policy entry points.
+ */
+static struct mac_policy_ops mac_ddb_ops =
+{
+	.mpo_init = mac_ddb_init,
+
+	.mpo_ddb_command_register = mac_ddb_command_register,
+	.mpo_ddb_command_exec = mac_ddb_command_exec,
+
+	.mpo_kdb_check_backend = mac_ddb_check_backend,
+};
+MAC_POLICY_SET(&mac_ddb_ops, mac_ddb, "MAC/DDB", 0, NULL);