diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 89f74a65c803..aeef59017d18 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -1,534 +1,527 @@
 /*-
  * Copyright (c) 1999-2002, 2006, 2009, 2019 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
  * Copyright (c) 2006 nCircle Network Security, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2009 Apple, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
  * TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by Network
  * Associates Laboratories, the Security Research Division of Network
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
  * This software was developed by Robert N. M. Watson for the TrustedBSD
  * Project under contract to nCircle Network Security, Inc.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
  * This software was developed at the University of Cambridge Computer
  * Laboratory with support from a grant from Google, Inc. 
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 #ifndef _SECURITY_MAC_MAC_INTERNAL_H_
 #define	_SECURITY_MAC_MAC_INTERNAL_H_
 
 #ifndef _KERNEL
 #error "no user-serviceable parts inside"
 #endif
 
 #include <sys/lock.h>
 #include <sys/rmlock.h>
 
-/*
- * MAC Framework sysctl namespace.
- */
-#ifdef SYSCTL_DECL
-SYSCTL_DECL(_security_mac);
-#endif /* SYSCTL_DECL */
-
 /*
  * MAC Framework SDT DTrace probe namespace, macros for declaring entry
  * point probes, macros for invoking them.
  */
 #ifdef SDT_PROVIDER_DECLARE
 SDT_PROVIDER_DECLARE(mac);		/* MAC Framework-level events. */
 SDT_PROVIDER_DECLARE(mac_framework);	/* Entry points to MAC. */
 
 #define	MAC_CHECK_PROBE_DEFINE4(name, arg0, arg1, arg2, arg3)		\
 	SDT_PROBE_DEFINE5(mac_framework, , name, mac__check__err,	\
 	    "int", arg0, arg1, arg2, arg3);				\
 	SDT_PROBE_DEFINE5(mac_framework, , name, mac__check__ok,	\
 	    "int", arg0, arg1, arg2, arg3);
 
 #define	MAC_CHECK_PROBE_DEFINE3(name, arg0, arg1, arg2)			\
 	SDT_PROBE_DEFINE4(mac_framework, , name, mac__check__err,	\
 	    "int", arg0, arg1, arg2);					\
 	SDT_PROBE_DEFINE4(mac_framework, , name, mac__check__ok,	\
 	    "int", arg0, arg1, arg2);
 
 #define	MAC_CHECK_PROBE_DEFINE2(name, arg0, arg1)			\
 	SDT_PROBE_DEFINE3(mac_framework, , name, mac__check__err,	\
 	    "int", arg0, arg1);						\
 	SDT_PROBE_DEFINE3(mac_framework, , name, mac__check__ok,	\
 	    "int", arg0, arg1);
 
 #define	MAC_CHECK_PROBE_DEFINE1(name, arg0)				\
 	SDT_PROBE_DEFINE2(mac_framework, , name, mac__check__err,	\
 	    "int", arg0);						\
 	SDT_PROBE_DEFINE2(mac_framework, , name, mac__check__ok,	\
 	    "int", arg0);
 
 #define	MAC_CHECK_PROBE4(name, error, arg0, arg1, arg2, arg3)	do {	\
 	if (SDT_PROBES_ENABLED()) {					\
 		if (error) {						\
 			SDT_PROBE5(mac_framework, , name, mac__check__err,\
 			    error, arg0, arg1, arg2, arg3);		\
 		} else {						\
 			SDT_PROBE5(mac_framework, , name, mac__check__ok,\
 			    0, arg0, arg1, arg2, arg3);			\
 		}							\
 	}								\
 } while (0)
 
 #define	MAC_CHECK_PROBE3(name, error, arg0, arg1, arg2)			\
 	MAC_CHECK_PROBE4(name, error, arg0, arg1, arg2, 0)
 #define	MAC_CHECK_PROBE2(name, error, arg0, arg1)			\
 	MAC_CHECK_PROBE3(name, error, arg0, arg1, 0)
 #define	MAC_CHECK_PROBE1(name, error, arg0)				\
 	MAC_CHECK_PROBE2(name, error, arg0, 0)
 #endif
 
 #define	MAC_GRANT_PROBE_DEFINE2(name, arg0, arg1)			\
 	SDT_PROBE_DEFINE3(mac_framework, , name, mac__grant__err,	\
 	    "int", arg0, arg1);						\
 	SDT_PROBE_DEFINE3(mac_framework, , name, mac__grant__ok,	\
 	    "int", arg0, arg1);
 
 #define	MAC_GRANT_PROBE2(name, error, arg0, arg1)	do {		\
 	if (SDT_PROBES_ENABLED()) {					\
 		if (error) {						\
 			SDT_PROBE3(mac_framework, , name, mac__grant__err,\
 			    error, arg0, arg1);				\
 		} else {						\
 			SDT_PROBE3(mac_framework, , name, mac__grant__ok,\
 			    error, arg0, arg1);				\
 		}							\
 	}								\
 } while (0)
 
 /*
  * MAC Framework global types and typedefs.
  */
 LIST_HEAD(mac_policy_list_head, mac_policy_conf);
 #ifdef MALLOC_DECLARE
 MALLOC_DECLARE(M_MACTEMP);
 #endif
 
 /*
  * MAC labels -- in-kernel storage format.
  *
  * In general, struct label pointers are embedded in kernel data structures
  * representing objects that may be labeled (and protected).  Struct label is
  * opaque to both kernel services that invoke the MAC Framework and MAC
  * policy modules.  In particular, we do not wish to encode the layout of the
  * label structure into any ABIs.  Historically, the slot array contained
  * unions of {long, void} but now contains uintptr_t.
  */
 #define	MAC_MAX_SLOTS	4
 #define	MAC_FLAG_INITIALIZED	0x0000001	/* Is initialized for use. */
 struct label {
 	int		l_flags;
 	intptr_t	l_perpolicy[MAC_MAX_SLOTS];
 };
 
 /*
  * Flags for mac_labeled, a bitmask of object types need across the union of
  * all policies currently registered with the MAC Framework, used to key
  * whether or not labels are allocated and constructors for the type are
  * invoked.
  */
 #define	MPC_OBJECT_CRED			0x0000000000000001
 #define	MPC_OBJECT_PROC			0x0000000000000002
 #define	MPC_OBJECT_VNODE		0x0000000000000004
 #define	MPC_OBJECT_INPCB		0x0000000000000008
 #define	MPC_OBJECT_SOCKET		0x0000000000000010
 #define	MPC_OBJECT_DEVFS		0x0000000000000020
 #define	MPC_OBJECT_MBUF			0x0000000000000040
 #define	MPC_OBJECT_IPQ			0x0000000000000080
 #define	MPC_OBJECT_IFNET		0x0000000000000100
 #define	MPC_OBJECT_BPFDESC		0x0000000000000200
 #define	MPC_OBJECT_PIPE			0x0000000000000400
 #define	MPC_OBJECT_MOUNT		0x0000000000000800
 #define	MPC_OBJECT_POSIXSEM		0x0000000000001000
 #define	MPC_OBJECT_POSIXSHM		0x0000000000002000
 #define	MPC_OBJECT_SYSVMSG		0x0000000000004000
 #define	MPC_OBJECT_SYSVMSQ		0x0000000000008000
 #define	MPC_OBJECT_SYSVSEM		0x0000000000010000
 #define	MPC_OBJECT_SYSVSHM		0x0000000000020000
 #define	MPC_OBJECT_SYNCACHE		0x0000000000040000
 #define	MPC_OBJECT_IP6Q			0x0000000000080000
 
 /*
  * MAC Framework global variables.
  */
 extern struct mac_policy_list_head	mac_policy_list;
 extern struct mac_policy_list_head	mac_static_policy_list;
 extern u_int				mac_policy_count;
 extern uint64_t				mac_labeled;
 extern struct mtx			mac_ifnet_mtx;
 
 /*
  * MAC Framework infrastructure functions.
  */
 int	mac_error_select(int error1, int error2);
 
 void	mac_policy_slock_nosleep(struct rm_priotracker *tracker);
 void	mac_policy_slock_sleep(void);
 void	mac_policy_sunlock_nosleep(struct rm_priotracker *tracker);
 void	mac_policy_sunlock_sleep(void);
 
 struct label	*mac_labelzone_alloc(int flags);
 void		 mac_labelzone_free(struct label *label);
 void		 mac_labelzone_init(void);
 
 void	mac_init_label(struct label *label);
 void	mac_destroy_label(struct label *label);
 int	mac_check_structmac_consistent(const struct mac *mac);
 int	mac_allocate_slot(void);
 
 /*
  * Lock ifnets to protect labels only if ifnet labels are in use.
  */
 #define MAC_IFNET_LOCK(ifp, locked)	do {				\
 	if (mac_labeled & MPC_OBJECT_IFNET) {				\
 		mtx_lock(&mac_ifnet_mtx);				\
 		locked = 1;						\
 	} else {							\
 		locked = 0;						\
 	}								\
 } while (0)
 
 #define MAC_IFNET_UNLOCK(ifp, locked)	do {				\
 	if (locked) {							\
 		mtx_unlock(&mac_ifnet_mtx);				\
 		locked = 0;						\
 	}								\
 } while (0)
 
 /*
  * MAC Framework per-object type functions.  It's not yet clear how the
  * namespaces, etc, should work for these, so for now, sort by object type.
  */
 struct label	*mac_cred_label_alloc(void);
 void		 mac_cred_label_free(struct label *label);
 struct label	*mac_pipe_label_alloc(void);
 void		 mac_pipe_label_free(struct label *label);
 struct label	*mac_socket_label_alloc(int flag);
 void		 mac_socket_label_free(struct label *label);
 void		 mac_socketpeer_label_free(struct label *label);
 struct label	*mac_vnode_label_alloc(void);
 void		 mac_vnode_label_free(struct label *label);
 
 int	mac_cred_check_relabel(struct ucred *cred, struct label *newlabel);
 int	mac_cred_externalize_label(struct label *label, char *elements,
 	    char *outbuf, size_t outbuflen);
 int	mac_cred_internalize_label(struct label *label, char *string);
 void	mac_cred_relabel(struct ucred *cred, struct label *newlabel);
 
 struct label	*mac_mbuf_to_label(struct mbuf *m);
 
 void	mac_pipe_copy_label(struct label *src, struct label *dest);
 int	mac_pipe_externalize_label(struct label *label, char *elements,
 	    char *outbuf, size_t outbuflen);
 int	mac_pipe_internalize_label(struct label *label, char *string);
 
 int	mac_socket_label_set(struct ucred *cred, struct socket *so,
 	    struct label *label);
 void	mac_socket_copy_label(struct label *src, struct label *dest);
 int	mac_socket_externalize_label(struct label *label, char *elements,
 	    char *outbuf, size_t outbuflen);
 int	mac_socket_internalize_label(struct label *label, char *string);
 
 int	mac_vnode_externalize_label(struct label *label, char *elements,
 	    char *outbuf, size_t outbuflen);
 int	mac_vnode_internalize_label(struct label *label, char *string);
 void	mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
 	    int *prot);
 int	vn_setlabel(struct vnode *vp, struct label *intlabel,
 	    struct ucred *cred);
 
 /*
  * MAC Framework composition macros invoke all registered MAC policies for a
  * specific entry point.  They come in two forms: one which permits policies
  * to sleep/block, and another that does not.
  *
  * MAC_POLICY_CHECK performs the designated check by walking the policy
  * module list and checking with each as to how it feels about the request.
  * Note that it returns its value via 'error' in the scope of the caller.
  */
 #define	MAC_POLICY_CHECK(check, args...) do {				\
 	struct mac_policy_conf *mpc;					\
 									\
 	error = 0;							\
 	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
 		if (mpc->mpc_ops->mpo_ ## check != NULL)		\
 			error = mac_error_select(			\
 			    mpc->mpc_ops->mpo_ ## check (args),		\
 			    error);					\
 	}								\
 	if (!LIST_EMPTY(&mac_policy_list)) {				\
 		mac_policy_slock_sleep();				\
 		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
 			if (mpc->mpc_ops->mpo_ ## check != NULL)	\
 				error = mac_error_select(		\
 				    mpc->mpc_ops->mpo_ ## check (args),	\
 				    error);				\
 		}							\
 		mac_policy_sunlock_sleep();				\
 	}								\
 } while (0)
 
 #define	MAC_POLICY_CHECK_NOSLEEP(check, args...) do {			\
 	struct mac_policy_conf *mpc;					\
 									\
 	error = 0;							\
 	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
 		if (mpc->mpc_ops->mpo_ ## check != NULL)		\
 			error = mac_error_select(			\
 			    mpc->mpc_ops->mpo_ ## check (args),		\
 			    error);					\
 	}								\
 	if (!LIST_EMPTY(&mac_policy_list)) {				\
 		struct rm_priotracker tracker;				\
 									\
 		mac_policy_slock_nosleep(&tracker);			\
 		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
 			if (mpc->mpc_ops->mpo_ ## check != NULL)	\
 				error = mac_error_select(		\
 				    mpc->mpc_ops->mpo_ ## check (args),	\
 				    error);				\
 		}							\
 		mac_policy_sunlock_nosleep(&tracker);			\
 	}								\
 } while (0)
 
 /*
  * MAC_POLICY_GRANT performs the designated check by walking the policy
  * module list and checking with each as to how it feels about the request.
  * Unlike MAC_POLICY_CHECK, it grants if any policies return '0', and
  * otherwise returns EPERM.  Note that it returns its value via 'error' in
  * the scope of the caller.
  */
 #define	MAC_POLICY_GRANT_NOSLEEP(check, args...) do {			\
 	struct mac_policy_conf *mpc;					\
 									\
 	error = EPERM;							\
 	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
 		if (mpc->mpc_ops->mpo_ ## check != NULL) {		\
 			if (mpc->mpc_ops->mpo_ ## check(args) == 0)	\
 				error = 0;				\
 		}							\
 	}								\
 	if (!LIST_EMPTY(&mac_policy_list)) {				\
 		struct rm_priotracker tracker;				\
 									\
 		mac_policy_slock_nosleep(&tracker);			\
 		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
 			if (mpc->mpc_ops->mpo_ ## check != NULL) {	\
 				if (mpc->mpc_ops->mpo_ ## check (args)	\
 				    == 0)				\
 					error = 0;			\
 			}						\
 		}							\
 		mac_policy_sunlock_nosleep(&tracker);			\
 	}								\
 } while (0)
 
 /*
  * MAC_POLICY_BOOLEAN performs the designated boolean composition by walking
  * the module list, invoking each instance of the operation, and combining
  * the results using the passed C operator.  Note that it returns its value
  * via 'result' in the scope of the caller, which should be initialized by
  * the caller in a meaningful way to get a meaningful result.
  */
 #define	MAC_POLICY_BOOLEAN(operation, composition, args...) do {	\
 	struct mac_policy_conf *mpc;					\
 									\
 	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
 		if (mpc->mpc_ops->mpo_ ## operation != NULL)		\
 			result = result composition			\
 			    mpc->mpc_ops->mpo_ ## operation (args);	\
 	}								\
 	if (!LIST_EMPTY(&mac_policy_list)) {				\
 		mac_policy_slock_sleep();				\
 		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
 			if (mpc->mpc_ops->mpo_ ## operation != NULL)	\
 				result = result composition		\
 				    mpc->mpc_ops->mpo_ ## operation	\
 				    (args);				\
 		}							\
 		mac_policy_sunlock_sleep();				\
 	}								\
 } while (0)
 
 #define	MAC_POLICY_BOOLEAN_NOSLEEP(operation, composition, args...) do {\
 	struct mac_policy_conf *mpc;					\
 									\
 	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
 		if (mpc->mpc_ops->mpo_ ## operation != NULL)		\
 			result = result composition			\
 			    mpc->mpc_ops->mpo_ ## operation (args);	\
 	}								\
 	if (!LIST_EMPTY(&mac_policy_list)) {				\
 		struct rm_priotracker tracker;				\
 									\
 		mac_policy_slock_nosleep(&tracker);			\
 		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
 			if (mpc->mpc_ops->mpo_ ## operation != NULL)	\
 				result = result composition		\
 				    mpc->mpc_ops->mpo_ ## operation	\
 				    (args);				\
 		}							\
 		mac_policy_sunlock_nosleep(&tracker);			\
 	}								\
 } while (0)
 
 /*
  * MAC_POLICY_EXTERNALIZE queries each policy to see if it can generate an
  * externalized version of a label element by name.  Policies declare whether
  * they have matched a particular element name, parsed from the string by
  * MAC_POLICY_EXTERNALIZE, and an error is returned if any element is matched
  * by no policy.
  */
 #define	MAC_POLICY_EXTERNALIZE(type, label, elementlist, outbuf, 	\
     outbuflen) do {							\
 	int claimed, first, ignorenotfound, savedlen;			\
 	char *element_name, *element_temp;				\
 	struct sbuf sb;							\
 									\
 	error = 0;							\
 	first = 1;							\
 	sbuf_new(&sb, outbuf, outbuflen, SBUF_FIXEDLEN);		\
 	element_temp = elementlist;					\
 	while ((element_name = strsep(&element_temp, ",")) != NULL) {	\
 		if (element_name[0] == '?') {				\
 			element_name++;					\
 			ignorenotfound = 1;				\
 		 } else							\
 			ignorenotfound = 0;				\
 		savedlen = sbuf_len(&sb);				\
 		if (first)						\
 			error = sbuf_printf(&sb, "%s/", element_name);	\
 		else							\
 			error = sbuf_printf(&sb, ",%s/", element_name);	\
 		if (error == -1) {					\
 			error = EINVAL;	/* XXX: E2BIG? */		\
 			break;						\
 		}							\
 		claimed = 0;						\
 		MAC_POLICY_CHECK(type ## _externalize_label, label,	\
 		    element_name, &sb, &claimed);			\
 		if (error)						\
 			break;						\
 		if (claimed == 0 && ignorenotfound) {			\
 			/* Revert last label name. */			\
 			sbuf_setpos(&sb, savedlen);			\
 		} else if (claimed != 1) {				\
 			error = EINVAL;	/* XXX: ENOLABEL? */		\
 			break;						\
 		} else {						\
 			first = 0;					\
 		}							\
 	}								\
 	sbuf_finish(&sb);						\
 } while (0)
 
 /*
  * MAC_POLICY_INTERNALIZE presents parsed element names and data to each
  * policy to see if any is willing to claim it and internalize the label
  * data.  If no policies match, an error is returned.
  */
 #define	MAC_POLICY_INTERNALIZE(type, label, instring) do {		\
 	char *element, *element_name, *element_data;			\
 	int claimed;							\
 									\
 	error = 0;							\
 	element = instring;						\
 	while ((element_name = strsep(&element, ",")) != NULL) {	\
 		element_data = element_name;				\
 		element_name = strsep(&element_data, "/");		\
 		if (element_data == NULL) {				\
 			error = EINVAL;					\
 			break;						\
 		}							\
 		claimed = 0;						\
 		MAC_POLICY_CHECK(type ## _internalize_label, label,	\
 		    element_name, element_data, &claimed);		\
 		if (error)						\
 			break;						\
 		if (claimed != 1) {					\
 			/* XXXMAC: Another error here? */		\
 			error = EINVAL;					\
 			break;						\
 		}							\
 	}								\
 } while (0)
 
 /*
  * MAC_POLICY_PERFORM performs the designated operation by walking the policy
  * module list and invoking that operation for each policy.
  */
 #define	MAC_POLICY_PERFORM(operation, args...) do {			\
 	struct mac_policy_conf *mpc;					\
 									\
 	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
 		if (mpc->mpc_ops->mpo_ ## operation != NULL)		\
 			mpc->mpc_ops->mpo_ ## operation (args);		\
 	}								\
 	if (!LIST_EMPTY(&mac_policy_list)) {				\
 		mac_policy_slock_sleep();				\
 		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
 			if (mpc->mpc_ops->mpo_ ## operation != NULL)	\
 				mpc->mpc_ops->mpo_ ## operation (args);	\
 		}							\
 		mac_policy_sunlock_sleep();				\
 	}								\
 } while (0)
 
 #define	MAC_POLICY_PERFORM_NOSLEEP(operation, args...) do {		\
 	struct mac_policy_conf *mpc;					\
 									\
 	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
 		if (mpc->mpc_ops->mpo_ ## operation != NULL)		\
 			mpc->mpc_ops->mpo_ ## operation (args);		\
 	}								\
 	if (!LIST_EMPTY(&mac_policy_list)) {				\
 		struct rm_priotracker tracker;				\
 									\
 		mac_policy_slock_nosleep(&tracker);			\
 		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
 			if (mpc->mpc_ops->mpo_ ## operation != NULL)	\
 				mpc->mpc_ops->mpo_ ## operation (args);	\
 		}							\
 		mac_policy_sunlock_nosleep(&tracker);			\
 	}								\
 } while (0)
 
 #endif /* !_SECURITY_MAC_MAC_INTERNAL_H_ */
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index cf101bc4414e..084684e57497 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -1,1067 +1,1082 @@
 /*-
  * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by Network
  * Associates Laboratories, the Security Research Division of Network
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract 
  * N66001-04-C-6019 ("SEFOS").
  *
  * This software was developed at the University of Cambridge Computer
  * Laboratory with support from a grant from Google, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 /*
  * Kernel interface for MAC policy modules.
  */
 #ifndef _SECURITY_MAC_MAC_POLICY_H_
 #define	_SECURITY_MAC_MAC_POLICY_H_
 
 #ifndef _KERNEL
 #error "no user-serviceable parts inside"
 #endif
 
 /*-
  * Pluggable access control policy definition structure.
  *
  * List of operations that are performed as part of the implementation of a
  * MAC policy.  Policy implementors declare operations with a mac_policy_ops
  * structure, and using the MAC_POLICY_SET() macro.  If an entry point is not
  * declared, then then the policy will be ignored during evaluation of that
  * event or check.
  *
  * Operations are sorted first by general class of operation, then
  * alphabetically.
  */
 #include <sys/acl.h>	/* XXX acl_type_t */
 #include <sys/types.h>	/* XXX accmode_t */
 
 #include <ddb/ddb.h>	/* XXX db_expr_t */
 
 struct acl;
 struct auditinfo;
 struct auditinfo_addr;
 struct bpf_d;
 struct cdev;
 struct componentname;
 struct db_command;
 struct devfs_dirent;
 struct ifnet;
 struct image_params;
 struct inpcb;
 struct ip6q;
 struct ipq;
 struct kdb_dbbe;
 struct ksem;
 struct label;
 struct mac_policy_conf;
 struct mbuf;
 struct mount;
 struct msg;
 struct msqid_kernel;
 struct pipepair;
 struct proc;
 struct sbuf;
 struct semid_kernel;
 struct shmfd;
 struct shmid_kernel;
 struct sockaddr;
 struct socket;
 struct sysctl_oid;
 struct sysctl_req;
 struct thread;
 struct ucred;
 struct vattr;
 struct vnode;
 
 struct in_addr;
 struct in6_addr;
 
 /*
  * Policy module operations.
  */
 typedef void	(*mpo_destroy_t)(struct mac_policy_conf *mpc);
 typedef void	(*mpo_init_t)(struct mac_policy_conf *mpc);
 
 /*
  * General policy-directed security system call so that policies may
  * implement new services without reserving explicit system call numbers.
  */
 typedef int	(*mpo_syscall_t)(struct thread *td, int call, void *arg);
 
 /*
  * Place-holder function pointers for ABI-compatibility purposes.
  */
 typedef void	(*mpo_placeholder_t)(void);
 
 /*
  * Operations sorted alphabetically by primary object type and then method.
  */
 typedef	int	(*mpo_bpfdesc_check_receive_t)(struct bpf_d *d,
 		    struct label *dlabel, struct ifnet *ifp,
 		    struct label *ifplabel);
 typedef void	(*mpo_bpfdesc_create_t)(struct ucred *cred,
 		    struct bpf_d *d, struct label *dlabel);
 typedef void	(*mpo_bpfdesc_create_mbuf_t)(struct bpf_d *d,
 		    struct label *dlabel, struct mbuf *m,
 		    struct label *mlabel);
 typedef void	(*mpo_bpfdesc_destroy_label_t)(struct label *label);
 typedef void	(*mpo_bpfdesc_init_label_t)(struct label *label);
 
 typedef void	(*mpo_cred_associate_nfsd_t)(struct ucred *cred);
 typedef int	(*mpo_cred_check_relabel_t)(struct ucred *cred,
 		    struct label *newlabel);
 typedef int	(*mpo_cred_check_setaudit_t)(struct ucred *cred,
 		    struct auditinfo *ai);
 typedef int	(*mpo_cred_check_setaudit_addr_t)(struct ucred *cred,
 		    struct auditinfo_addr *aia);
 typedef int	(*mpo_cred_check_setauid_t)(struct ucred *cred, uid_t auid);
 typedef int	(*mpo_cred_check_setegid_t)(struct ucred *cred, gid_t egid);
 typedef int	(*mpo_cred_check_seteuid_t)(struct ucred *cred, uid_t euid);
 typedef int	(*mpo_cred_check_setgid_t)(struct ucred *cred, gid_t gid);
 typedef int	(*mpo_cred_check_setgroups_t)(struct ucred *cred, int ngroups,
 		    gid_t *gidset);
 typedef int	(*mpo_cred_check_setregid_t)(struct ucred *cred, gid_t rgid,
 		    gid_t egid);
 typedef int	(*mpo_cred_check_setresgid_t)(struct ucred *cred, gid_t rgid,
 		    gid_t egid, gid_t sgid);
 typedef int	(*mpo_cred_check_setresuid_t)(struct ucred *cred, uid_t ruid,
 		    uid_t euid, uid_t suid);
 typedef int	(*mpo_cred_check_setreuid_t)(struct ucred *cred, uid_t ruid,
 		    uid_t euid);
 typedef int	(*mpo_cred_check_setuid_t)(struct ucred *cred, uid_t uid);
 typedef int	(*mpo_cred_check_visible_t)(struct ucred *cr1,
 		    struct ucred *cr2);
 typedef void	(*mpo_cred_copy_label_t)(struct label *src,
 		    struct label *dest);
 typedef void	(*mpo_cred_create_init_t)(struct ucred *cred);
 typedef void	(*mpo_cred_create_swapper_t)(struct ucred *cred);
 typedef void	(*mpo_cred_destroy_label_t)(struct label *label);
 typedef int	(*mpo_cred_externalize_label_t)(struct label *label,
 		    char *element_name, struct sbuf *sb, int *claimed);
 typedef void	(*mpo_cred_init_label_t)(struct label *label);
 typedef int	(*mpo_cred_internalize_label_t)(struct label *label,
 		    char *element_name, char *element_data, int *claimed);
 typedef void	(*mpo_cred_relabel_t)(struct ucred *cred,
 		    struct label *newlabel);
 
 typedef int	(*mpo_ddb_command_register_t)(struct db_command_table *table,
 		    struct db_command *cmd);
 typedef int	(*mpo_ddb_command_exec_t)(struct db_command *cmd,
 		    db_expr_t addr, bool have_addr, db_expr_t count,
 		    char *modif);
 
 typedef void	(*mpo_devfs_create_device_t)(struct ucred *cred,
 		    struct mount *mp, struct cdev *dev,
 		    struct devfs_dirent *de, struct label *delabel);
 typedef void	(*mpo_devfs_create_directory_t)(struct mount *mp,
 		    char *dirname, int dirnamelen, struct devfs_dirent *de,
 		    struct label *delabel);
 typedef void	(*mpo_devfs_create_symlink_t)(struct ucred *cred,
 		    struct mount *mp, struct devfs_dirent *dd,
 		    struct label *ddlabel, struct devfs_dirent *de,
 		    struct label *delabel);
 typedef void	(*mpo_devfs_destroy_label_t)(struct label *label);
 typedef void	(*mpo_devfs_init_label_t)(struct label *label);
 typedef void	(*mpo_devfs_update_t)(struct mount *mp,
 		    struct devfs_dirent *de, struct label *delabel,
 		    struct vnode *vp, struct label *vplabel);
 typedef void	(*mpo_devfs_vnode_associate_t)(struct mount *mp,
 		    struct label *mplabel, struct devfs_dirent *de,
 		    struct label *delabel, struct vnode *vp,
 		    struct label *vplabel);
 
 typedef int	(*mpo_ifnet_check_relabel_t)(struct ucred *cred,
 		    struct ifnet *ifp, struct label *ifplabel,
 		    struct label *newlabel);
 typedef int	(*mpo_ifnet_check_transmit_t)(struct ifnet *ifp,
 		    struct label *ifplabel, struct mbuf *m,
 		    struct label *mlabel);
 typedef void	(*mpo_ifnet_copy_label_t)(struct label *src,
 		    struct label *dest);
 typedef void	(*mpo_ifnet_create_t)(struct ifnet *ifp,
 		    struct label *ifplabel);
 typedef void	(*mpo_ifnet_create_mbuf_t)(struct ifnet *ifp,
 		    struct label *ifplabel, struct mbuf *m,
 		    struct label *mlabel);
 typedef void	(*mpo_ifnet_destroy_label_t)(struct label *label);
 typedef int	(*mpo_ifnet_externalize_label_t)(struct label *label,
 		    char *element_name, struct sbuf *sb, int *claimed);
 typedef void	(*mpo_ifnet_init_label_t)(struct label *label);
 typedef int	(*mpo_ifnet_internalize_label_t)(struct label *label,
 		    char *element_name, char *element_data, int *claimed);
 typedef void	(*mpo_ifnet_relabel_t)(struct ucred *cred, struct ifnet *ifp,
 		    struct label *ifplabel, struct label *newlabel);
 
 typedef int	(*mpo_inpcb_check_deliver_t)(struct inpcb *inp,
 		    struct label *inplabel, struct mbuf *m,
 		    struct label *mlabel);
 typedef int	(*mpo_inpcb_check_visible_t)(struct ucred *cred,
 		    struct inpcb *inp, struct label *inplabel);
 typedef void	(*mpo_inpcb_create_t)(struct socket *so,
 		    struct label *solabel, struct inpcb *inp,
 		    struct label *inplabel);
 typedef void	(*mpo_inpcb_create_mbuf_t)(struct inpcb *inp,
 		    struct label *inplabel, struct mbuf *m,
 		    struct label *mlabel);
 typedef void	(*mpo_inpcb_destroy_label_t)(struct label *label);
 typedef int	(*mpo_inpcb_init_label_t)(struct label *label, int flag);
 typedef void	(*mpo_inpcb_sosetlabel_t)(struct socket *so,
 		    struct label *label, struct inpcb *inp,
 		    struct label *inplabel);
 
 typedef void	(*mpo_ip6q_create_t)(struct mbuf *m, struct label *mlabel,
 		    struct ip6q *q6, struct label *q6label);
 typedef void	(*mpo_ip6q_destroy_label_t)(struct label *label);
 typedef int	(*mpo_ip6q_init_label_t)(struct label *label, int flag);
 typedef int	(*mpo_ip6q_match_t)(struct mbuf *m, struct label *mlabel,
 		    struct ip6q *q6, struct label *q6label);
 typedef void	(*mpo_ip6q_reassemble)(struct ip6q *q6, struct label *q6label,
 		    struct mbuf *m, struct label *mlabel);
 typedef void	(*mpo_ip6q_update_t)(struct mbuf *m, struct label *mlabel,
 		    struct ip6q *q6, struct label *q6label);
 
 /* Policy ops checking IPv4 and IPv6 address for ipacl. */
 typedef int	(*mpo_ip4_check_jail_t)(struct ucred *cred,
 		    const struct in_addr *ia, struct ifnet *ifp);
 typedef int	(*mpo_ip6_check_jail_t)(struct ucred *cred,
 		    const struct in6_addr *ia6, struct ifnet *ifp);
 
 typedef void	(*mpo_ipq_create_t)(struct mbuf *m, struct label *mlabel,
 		    struct ipq *q, struct label *qlabel);
 typedef void	(*mpo_ipq_destroy_label_t)(struct label *label);
 typedef int	(*mpo_ipq_init_label_t)(struct label *label, int flag);
 typedef int	(*mpo_ipq_match_t)(struct mbuf *m, struct label *mlabel,
 		    struct ipq *q, struct label *qlabel);
 typedef void	(*mpo_ipq_reassemble)(struct ipq *q, struct label *qlabel,
 		    struct mbuf *m, struct label *mlabel);
 typedef void	(*mpo_ipq_update_t)(struct mbuf *m, struct label *mlabel,
 		    struct ipq *q, struct label *qlabel);
 
 typedef int	(*mpo_kdb_check_backend_t)(struct kdb_dbbe *be);
 
 typedef int	(*mpo_kenv_check_dump_t)(struct ucred *cred);
 typedef int	(*mpo_kenv_check_get_t)(struct ucred *cred, char *name);
 typedef int	(*mpo_kenv_check_set_t)(struct ucred *cred, char *name,
 		    char *value);
 typedef int	(*mpo_kenv_check_unset_t)(struct ucred *cred, char *name);
 
 typedef int	(*mpo_kld_check_load_t)(struct ucred *cred, struct vnode *vp,
 		    struct label *vplabel);
 typedef int	(*mpo_kld_check_stat_t)(struct ucred *cred);
 
 typedef void	(*mpo_mbuf_copy_label_t)(struct label *src,
 		    struct label *dest);
 typedef void	(*mpo_mbuf_destroy_label_t)(struct label *label);
 typedef int	(*mpo_mbuf_init_label_t)(struct label *label, int flag);
 
 typedef int	(*mpo_mount_check_stat_t)(struct ucred *cred,
 		    struct mount *mp, struct label *mplabel);
 typedef void	(*mpo_mount_create_t)(struct ucred *cred, struct mount *mp,
 		    struct label *mplabel);
 typedef void	(*mpo_mount_destroy_label_t)(struct label *label);
 typedef void	(*mpo_mount_init_label_t)(struct label *label);
 
 typedef void	(*mpo_netinet_arp_send_t)(struct ifnet *ifp,
 		    struct label *ifplabel, struct mbuf *m,
 		    struct label *mlabel);
 typedef void	(*mpo_netinet_firewall_reply_t)(struct mbuf *mrecv,
 		    struct label *mrecvlabel, struct mbuf *msend,
 		    struct label *msendlabel);
 typedef	void	(*mpo_netinet_firewall_send_t)(struct mbuf *m,
 		    struct label *mlabel);
 typedef void	(*mpo_netinet_fragment_t)(struct mbuf *m,
 		    struct label *mlabel, struct mbuf *frag,
 		    struct label *fraglabel);
 typedef void	(*mpo_netinet_icmp_reply_t)(struct mbuf *mrecv,
 		    struct label *mrecvlabel, struct mbuf *msend,
 		    struct label *msendlabel);
 typedef void	(*mpo_netinet_icmp_replyinplace_t)(struct mbuf *m,
 		    struct label *mlabel);
 typedef void	(*mpo_netinet_igmp_send_t)(struct ifnet *ifp,
 		    struct label *ifplabel, struct mbuf *m,
 		    struct label *mlabel);
 typedef void	(*mpo_netinet_tcp_reply_t)(struct mbuf *m,
 		    struct label *mlabel);
 
 typedef void	(*mpo_netinet6_nd6_send_t)(struct ifnet *ifp,
 		    struct label *ifplabel, struct mbuf *m,
 		    struct label *mlabel);
 
 typedef int	(*mpo_pipe_check_ioctl_t)(struct ucred *cred,
 		    struct pipepair *pp, struct label *pplabel,
 		    unsigned long cmd, void *data);
 typedef int	(*mpo_pipe_check_poll_t)(struct ucred *cred,
 		    struct pipepair *pp, struct label *pplabel);
 typedef int	(*mpo_pipe_check_read_t)(struct ucred *cred,
 		    struct pipepair *pp, struct label *pplabel);
 typedef int	(*mpo_pipe_check_relabel_t)(struct ucred *cred,
 		    struct pipepair *pp, struct label *pplabel,
 		    struct label *newlabel);
 typedef int	(*mpo_pipe_check_stat_t)(struct ucred *cred,
 		    struct pipepair *pp, struct label *pplabel);
 typedef int	(*mpo_pipe_check_write_t)(struct ucred *cred,
 		    struct pipepair *pp, struct label *pplabel);
 typedef void	(*mpo_pipe_copy_label_t)(struct label *src,
 		    struct label *dest);
 typedef void	(*mpo_pipe_create_t)(struct ucred *cred, struct pipepair *pp,
 		    struct label *pplabel);
 typedef void	(*mpo_pipe_destroy_label_t)(struct label *label);
 typedef int	(*mpo_pipe_externalize_label_t)(struct label *label,
 		    char *element_name, struct sbuf *sb, int *claimed);
 typedef void	(*mpo_pipe_init_label_t)(struct label *label);
 typedef int	(*mpo_pipe_internalize_label_t)(struct label *label,
 		    char *element_name, char *element_data, int *claimed);
 typedef void	(*mpo_pipe_relabel_t)(struct ucred *cred, struct pipepair *pp,
 		    struct label *oldlabel, struct label *newlabel);
 
 typedef int	(*mpo_posixsem_check_getvalue_t)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct ksem *ks,
 		    struct label *kslabel);
 typedef int	(*mpo_posixsem_check_open_t)(struct ucred *cred,
 		    struct ksem *ks, struct label *kslabel);
 typedef int	(*mpo_posixsem_check_post_t)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct ksem *ks,
 		    struct label *kslabel);
 typedef int	(*mpo_posixsem_check_setmode_t)(struct ucred *cred,
 		    struct ksem *ks, struct label *shmlabel,
 		    mode_t mode);
 typedef int	(*mpo_posixsem_check_setowner_t)(struct ucred *cred,
 		    struct ksem *ks, struct label *shmlabel,
 		    uid_t uid, gid_t gid);
 typedef int	(*mpo_posixsem_check_stat_t)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct ksem *ks,
 		    struct label *kslabel);
 typedef int	(*mpo_posixsem_check_unlink_t)(struct ucred *cred,
 		    struct ksem *ks, struct label *kslabel);
 typedef int	(*mpo_posixsem_check_wait_t)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct ksem *ks,
 		    struct label *kslabel);
 typedef void	(*mpo_posixsem_create_t)(struct ucred *cred,
 		    struct ksem *ks, struct label *kslabel);
 typedef void    (*mpo_posixsem_destroy_label_t)(struct label *label);
 typedef void    (*mpo_posixsem_init_label_t)(struct label *label);
 
 typedef int	(*mpo_posixshm_check_create_t)(struct ucred *cred,
 		    const char *path);
 typedef int	(*mpo_posixshm_check_mmap_t)(struct ucred *cred,
 		    struct shmfd *shmfd, struct label *shmlabel, int prot,
 		    int flags);
 typedef int	(*mpo_posixshm_check_open_t)(struct ucred *cred,
 		    struct shmfd *shmfd, struct label *shmlabel,
 		    accmode_t accmode);
 typedef int	(*mpo_posixshm_check_read_t)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct shmfd *shmfd,
 		    struct label *shmlabel);
 typedef int	(*mpo_posixshm_check_setmode_t)(struct ucred *cred,
 		    struct shmfd *shmfd, struct label *shmlabel,
 		    mode_t mode);
 typedef int	(*mpo_posixshm_check_setowner_t)(struct ucred *cred,
 		    struct shmfd *shmfd, struct label *shmlabel,
 		    uid_t uid, gid_t gid);
 typedef int	(*mpo_posixshm_check_stat_t)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct shmfd *shmfd,
 		    struct label *shmlabel);
 typedef int	(*mpo_posixshm_check_truncate_t)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct shmfd *shmfd,
 		    struct label *shmlabel);
 typedef int	(*mpo_posixshm_check_unlink_t)(struct ucred *cred,
 		    struct shmfd *shmfd, struct label *shmlabel);
 typedef int	(*mpo_posixshm_check_write_t)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct shmfd *shmfd,
 		    struct label *shmlabel);
 typedef void	(*mpo_posixshm_create_t)(struct ucred *cred,
 		    struct shmfd *shmfd, struct label *shmlabel);
 typedef void	(*mpo_posixshm_destroy_label_t)(struct label *label);
 typedef void	(*mpo_posixshm_init_label_t)(struct label *label);
 
 typedef int	(*mpo_priv_check_t)(struct ucred *cred, int priv);
 typedef int	(*mpo_priv_grant_t)(struct ucred *cred, int priv);
 
 typedef int	(*mpo_proc_check_debug_t)(struct ucred *cred,
 		    struct proc *p);
 typedef int	(*mpo_proc_check_sched_t)(struct ucred *cred,
 		    struct proc *p);
 typedef int	(*mpo_proc_check_signal_t)(struct ucred *cred,
 		    struct proc *proc, int signum);
 typedef int	(*mpo_proc_check_wait_t)(struct ucred *cred,
 		    struct proc *proc);
 typedef void	(*mpo_proc_destroy_label_t)(struct label *label);
 typedef void	(*mpo_proc_init_label_t)(struct label *label);
 
 typedef int	(*mpo_socket_check_accept_t)(struct ucred *cred,
 		    struct socket *so, struct label *solabel);
 typedef int	(*mpo_socket_check_bind_t)(struct ucred *cred,
 		    struct socket *so, struct label *solabel,
 		    struct sockaddr *sa);
 typedef int	(*mpo_socket_check_connect_t)(struct ucred *cred,
 		    struct socket *so, struct label *solabel,
 		    struct sockaddr *sa);
 typedef int	(*mpo_socket_check_create_t)(struct ucred *cred, int domain,
 		    int type, int protocol);
 typedef int	(*mpo_socket_check_deliver_t)(struct socket *so,
 		    struct label *solabel, struct mbuf *m,
 		    struct label *mlabel);
 typedef int	(*mpo_socket_check_listen_t)(struct ucred *cred,
 		    struct socket *so, struct label *solabel);
 typedef int	(*mpo_socket_check_poll_t)(struct ucred *cred,
 		    struct socket *so, struct label *solabel);
 typedef int	(*mpo_socket_check_receive_t)(struct ucred *cred,
 		    struct socket *so, struct label *solabel);
 typedef int	(*mpo_socket_check_relabel_t)(struct ucred *cred,
 		    struct socket *so, struct label *solabel,
 		    struct label *newlabel);
 typedef int	(*mpo_socket_check_send_t)(struct ucred *cred,
 		    struct socket *so, struct label *solabel);
 typedef int	(*mpo_socket_check_stat_t)(struct ucred *cred,
 		    struct socket *so, struct label *solabel);
 typedef int	(*mpo_socket_check_visible_t)(struct ucred *cred,
 		    struct socket *so, struct label *solabel);
 typedef void	(*mpo_socket_copy_label_t)(struct label *src,
 		    struct label *dest);
 typedef void	(*mpo_socket_create_t)(struct ucred *cred, struct socket *so,
 		    struct label *solabel);
 typedef void	(*mpo_socket_create_mbuf_t)(struct socket *so,
 		    struct label *solabel, struct mbuf *m,
 		    struct label *mlabel);
 typedef void	(*mpo_socket_destroy_label_t)(struct label *label);
 typedef int	(*mpo_socket_externalize_label_t)(struct label *label,
 		    char *element_name, struct sbuf *sb, int *claimed);
 typedef int	(*mpo_socket_init_label_t)(struct label *label, int flag);
 typedef int	(*mpo_socket_internalize_label_t)(struct label *label,
 		    char *element_name, char *element_data, int *claimed);
 typedef void	(*mpo_socket_newconn_t)(struct socket *oldso,
 		    struct label *oldsolabel, struct socket *newso,
 		    struct label *newsolabel);
 typedef void	(*mpo_socket_relabel_t)(struct ucred *cred, struct socket *so,
 		    struct label *oldlabel, struct label *newlabel);
 
 typedef void	(*mpo_socketpeer_destroy_label_t)(struct label *label);
 typedef int	(*mpo_socketpeer_externalize_label_t)(struct label *label,
 		    char *element_name, struct sbuf *sb, int *claimed);
 typedef int	(*mpo_socketpeer_init_label_t)(struct label *label,
 		    int flag);
 typedef void	(*mpo_socketpeer_set_from_mbuf_t)(struct mbuf *m,
 		    struct label *mlabel, struct socket *so,
 		    struct label *sopeerlabel);
 typedef void	(*mpo_socketpeer_set_from_socket_t)(struct socket *oldso,
 		    struct label *oldsolabel, struct socket *newso,
 		    struct label *newsopeerlabel);
 
 typedef void	(*mpo_syncache_create_t)(struct label *label,
 		    struct inpcb *inp);
 typedef void	(*mpo_syncache_create_mbuf_t)(struct label *sc_label,
 		    struct mbuf *m, struct label *mlabel);
 typedef void	(*mpo_syncache_destroy_label_t)(struct label *label);
 typedef int	(*mpo_syncache_init_label_t)(struct label *label, int flag);
 
 typedef int	(*mpo_system_check_acct_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel);
 typedef int	(*mpo_system_check_audit_t)(struct ucred *cred, void *record,
 		    int length);
 typedef int	(*mpo_system_check_auditctl_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel);
 typedef int	(*mpo_system_check_auditon_t)(struct ucred *cred, int cmd);
 typedef int	(*mpo_system_check_reboot_t)(struct ucred *cred, int howto);
 typedef int	(*mpo_system_check_swapon_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel);
 typedef int	(*mpo_system_check_swapoff_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel);
 typedef int	(*mpo_system_check_sysctl_t)(struct ucred *cred,
 		    struct sysctl_oid *oidp, void *arg1, int arg2,
 		    struct sysctl_req *req);
 
 typedef void	(*mpo_sysvmsg_cleanup_t)(struct label *msglabel);
 typedef void	(*mpo_sysvmsg_create_t)(struct ucred *cred,
 		    struct msqid_kernel *msqkptr, struct label *msqlabel,
 		    struct msg *msgptr, struct label *msglabel);
 typedef void	(*mpo_sysvmsg_destroy_label_t)(struct label *label);
 typedef void	(*mpo_sysvmsg_init_label_t)(struct label *label);
 
 typedef int	(*mpo_sysvmsq_check_msgmsq_t)(struct ucred *cred,
 		    struct msg *msgptr, struct label *msglabel,
 		    struct msqid_kernel *msqkptr, struct label *msqklabel);
 typedef int	(*mpo_sysvmsq_check_msgrcv_t)(struct ucred *cred,
 		    struct msg *msgptr, struct label *msglabel);
 typedef int	(*mpo_sysvmsq_check_msgrmid_t)(struct ucred *cred,
 		    struct msg *msgptr, struct label *msglabel);
 typedef int	(*mpo_sysvmsq_check_msqget_t)(struct ucred *cred,
 		    struct msqid_kernel *msqkptr, struct label *msqklabel);
 typedef int	(*mpo_sysvmsq_check_msqctl_t)(struct ucred *cred,
 		    struct msqid_kernel *msqkptr, struct label *msqklabel,
 		    int cmd);
 typedef int	(*mpo_sysvmsq_check_msqrcv_t)(struct ucred *cred,
 		    struct msqid_kernel *msqkptr, struct label *msqklabel);
 typedef int	(*mpo_sysvmsq_check_msqsnd_t)(struct ucred *cred,
 		    struct msqid_kernel *msqkptr, struct label *msqklabel);
 typedef void	(*mpo_sysvmsq_cleanup_t)(struct label *msqlabel);
 typedef void	(*mpo_sysvmsq_create_t)(struct ucred *cred,
 		    struct msqid_kernel *msqkptr, struct label *msqlabel);
 typedef void	(*mpo_sysvmsq_destroy_label_t)(struct label *label);
 typedef void	(*mpo_sysvmsq_init_label_t)(struct label *label);
 
 typedef int	(*mpo_sysvsem_check_semctl_t)(struct ucred *cred,
 		    struct semid_kernel *semakptr, struct label *semaklabel,
 		    int cmd);
 typedef int	(*mpo_sysvsem_check_semget_t)(struct ucred *cred,
 		    struct semid_kernel *semakptr, struct label *semaklabel);
 typedef int	(*mpo_sysvsem_check_semop_t)(struct ucred *cred,
 		    struct semid_kernel *semakptr, struct label *semaklabel,
 		    size_t accesstype);
 typedef void	(*mpo_sysvsem_cleanup_t)(struct label *semalabel);
 typedef void	(*mpo_sysvsem_create_t)(struct ucred *cred,
 		    struct semid_kernel *semakptr, struct label *semalabel);
 typedef void	(*mpo_sysvsem_destroy_label_t)(struct label *label);
 typedef void	(*mpo_sysvsem_init_label_t)(struct label *label);
 
 typedef int	(*mpo_sysvshm_check_shmat_t)(struct ucred *cred,
 		    struct shmid_kernel *shmsegptr,
 		    struct label *shmseglabel, int shmflg);
 typedef int	(*mpo_sysvshm_check_shmctl_t)(struct ucred *cred,
 		    struct shmid_kernel *shmsegptr,
 		    struct label *shmseglabel, int cmd);
 typedef int	(*mpo_sysvshm_check_shmdt_t)(struct ucred *cred,
 		    struct shmid_kernel *shmsegptr,
 		    struct label *shmseglabel);
 typedef int	(*mpo_sysvshm_check_shmget_t)(struct ucred *cred,
 		    struct shmid_kernel *shmsegptr,
 		    struct label *shmseglabel, int shmflg);
 typedef void	(*mpo_sysvshm_cleanup_t)(struct label *shmlabel);
 typedef void	(*mpo_sysvshm_create_t)(struct ucred *cred,
 		    struct shmid_kernel *shmsegptr, struct label *shmlabel);
 typedef void	(*mpo_sysvshm_destroy_label_t)(struct label *label);
 typedef void	(*mpo_sysvshm_init_label_t)(struct label *label);
 
 typedef void	(*mpo_thread_userret_t)(struct thread *thread);
 
 typedef int	(*mpo_vnode_associate_extattr_t)(struct mount *mp,
 		    struct label *mplabel, struct vnode *vp,
 		    struct label *vplabel);
 typedef void	(*mpo_vnode_associate_singlelabel_t)(struct mount *mp,
 		    struct label *mplabel, struct vnode *vp,
 		    struct label *vplabel);
 typedef int	(*mpo_vnode_check_access_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel,
 		    accmode_t accmode);
 typedef int	(*mpo_vnode_check_chdir_t)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dvplabel);
 typedef int	(*mpo_vnode_check_chroot_t)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dvplabel);
 typedef int	(*mpo_vnode_check_create_t)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dvplabel,
 		    struct componentname *cnp, struct vattr *vap);
 typedef int	(*mpo_vnode_check_deleteacl_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel,
 		    acl_type_t type);
 typedef int	(*mpo_vnode_check_deleteextattr_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel,
 		    int attrnamespace, const char *name);
 typedef int	(*mpo_vnode_check_exec_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel,
 		    struct image_params *imgp, struct label *execlabel);
 typedef int	(*mpo_vnode_check_getacl_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel,
 		    acl_type_t type);
 typedef int	(*mpo_vnode_check_getextattr_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel,
 		    int attrnamespace, const char *name);
 typedef int	(*mpo_vnode_check_link_t)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dvplabel,
 		    struct vnode *vp, struct label *vplabel,
 		    struct componentname *cnp);
 typedef int	(*mpo_vnode_check_listextattr_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel,
 		    int attrnamespace);
 typedef int	(*mpo_vnode_check_lookup_t)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dvplabel,
 		    struct componentname *cnp);
 typedef int	(*mpo_vnode_check_mmap_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *label, int prot,
 		    int flags);
 typedef void	(*mpo_vnode_check_mmap_downgrade_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel, int *prot);
 typedef int	(*mpo_vnode_check_mprotect_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel, int prot);
 typedef int	(*mpo_vnode_check_open_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel,
 		    accmode_t accmode);
 typedef int	(*mpo_vnode_check_poll_t)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct vnode *vp,
 		    struct label *vplabel);
 typedef int	(*mpo_vnode_check_read_t)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct vnode *vp,
 		    struct label *vplabel);
 typedef int	(*mpo_vnode_check_readdir_t)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dvplabel);
 typedef int	(*mpo_vnode_check_readlink_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel);
 typedef int	(*mpo_vnode_check_relabel_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel,
 		    struct label *newlabel);
 typedef int	(*mpo_vnode_check_rename_from_t)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dvplabel,
 		    struct vnode *vp, struct label *vplabel,
 		    struct componentname *cnp);
 typedef int	(*mpo_vnode_check_rename_to_t)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dvplabel,
 		    struct vnode *vp, struct label *vplabel, int samedir,
 		    struct componentname *cnp);
 typedef int	(*mpo_vnode_check_revoke_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel);
 typedef int	(*mpo_vnode_check_setacl_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel, acl_type_t type,
 		    struct acl *acl);
 typedef int	(*mpo_vnode_check_setextattr_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel,
 		    int attrnamespace, const char *name);
 typedef int	(*mpo_vnode_check_setflags_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel, u_long flags);
 typedef int	(*mpo_vnode_check_setmode_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel, mode_t mode);
 typedef int	(*mpo_vnode_check_setowner_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel, uid_t uid,
 		    gid_t gid);
 typedef int	(*mpo_vnode_check_setutimes_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel,
 		    struct timespec atime, struct timespec mtime);
 typedef int	(*mpo_vnode_check_stat_t)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct vnode *vp,
 		    struct label *vplabel);
 typedef int	(*mpo_vnode_check_unlink_t)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dvplabel,
 		    struct vnode *vp, struct label *vplabel,
 		    struct componentname *cnp);
 typedef int	(*mpo_vnode_check_write_t)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct vnode *vp,
 		    struct label *vplabel);
 typedef void	(*mpo_vnode_copy_label_t)(struct label *src,
 		    struct label *dest);
 typedef int	(*mpo_vnode_create_extattr_t)(struct ucred *cred,
 		    struct mount *mp, struct label *mplabel,
 		    struct vnode *dvp, struct label *dvplabel,
 		    struct vnode *vp, struct label *vplabel,
 		    struct componentname *cnp);
 typedef void	(*mpo_vnode_destroy_label_t)(struct label *label);
 typedef void	(*mpo_vnode_execve_transition_t)(struct ucred *old,
 		    struct ucred *new, struct vnode *vp,
 		    struct label *vplabel, struct label *interpvplabel,
 		    struct image_params *imgp, struct label *execlabel);
 typedef int	(*mpo_vnode_execve_will_transition_t)(struct ucred *old,
 		    struct vnode *vp, struct label *vplabel,
 		    struct label *interpvplabel, struct image_params *imgp,
 		    struct label *execlabel);
 typedef int	(*mpo_vnode_externalize_label_t)(struct label *label,
 		    char *element_name, struct sbuf *sb, int *claimed);
 typedef void	(*mpo_vnode_init_label_t)(struct label *label);
 typedef int	(*mpo_vnode_internalize_label_t)(struct label *label,
 		    char *element_name, char *element_data, int *claimed);
 typedef void	(*mpo_vnode_relabel_t)(struct ucred *cred, struct vnode *vp,
 		    struct label *vplabel, struct label *label);
 typedef int	(*mpo_vnode_setlabel_extattr_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel,
 		    struct label *intlabel);
 
 struct mac_policy_ops {
 	/*
 	 * Policy module operations.
 	 */
 	mpo_destroy_t				mpo_destroy;
 	mpo_init_t				mpo_init;
 
 	/*
 	 * General policy-directed security system call so that policies may
 	 * implement new services without reserving explicit system call
 	 * numbers.
 	 */
 	mpo_syscall_t				mpo_syscall;
 
 	/*
 	 * Label operations.  Initialize label storage, destroy label
 	 * storage, recycle for re-use without init/destroy, copy a label to
 	 * initialized storage, and externalize/internalize from/to
 	 * initialized storage.
 	 */
 	mpo_bpfdesc_check_receive_t		mpo_bpfdesc_check_receive;
 	mpo_bpfdesc_create_t			mpo_bpfdesc_create;
 	mpo_bpfdesc_create_mbuf_t		mpo_bpfdesc_create_mbuf;
 	mpo_bpfdesc_destroy_label_t		mpo_bpfdesc_destroy_label;
 	mpo_bpfdesc_init_label_t		mpo_bpfdesc_init_label;
 
 	mpo_cred_associate_nfsd_t		mpo_cred_associate_nfsd;
 	mpo_cred_check_relabel_t		mpo_cred_check_relabel;
 	mpo_cred_check_setaudit_t		mpo_cred_check_setaudit;
 	mpo_cred_check_setaudit_addr_t		mpo_cred_check_setaudit_addr;
 	mpo_cred_check_setauid_t		mpo_cred_check_setauid;
 	mpo_cred_check_setuid_t			mpo_cred_check_setuid;
 	mpo_cred_check_seteuid_t		mpo_cred_check_seteuid;
 	mpo_cred_check_setgid_t			mpo_cred_check_setgid;
 	mpo_cred_check_setegid_t		mpo_cred_check_setegid;
 	mpo_cred_check_setgroups_t		mpo_cred_check_setgroups;
 	mpo_cred_check_setreuid_t		mpo_cred_check_setreuid;
 	mpo_cred_check_setregid_t		mpo_cred_check_setregid;
 	mpo_cred_check_setresuid_t		mpo_cred_check_setresuid;
 	mpo_cred_check_setresgid_t		mpo_cred_check_setresgid;
 	mpo_cred_check_visible_t		mpo_cred_check_visible;
 	mpo_cred_copy_label_t			mpo_cred_copy_label;
 	mpo_cred_create_swapper_t		mpo_cred_create_swapper;
 	mpo_cred_create_init_t			mpo_cred_create_init;
 	mpo_cred_destroy_label_t		mpo_cred_destroy_label;
 	mpo_cred_externalize_label_t		mpo_cred_externalize_label;
 	mpo_cred_init_label_t			mpo_cred_init_label;
 	mpo_cred_internalize_label_t		mpo_cred_internalize_label;
 	mpo_cred_relabel_t			mpo_cred_relabel;
 
 	mpo_ddb_command_register_t		mpo_ddb_command_register;
 	mpo_ddb_command_exec_t			mpo_ddb_command_exec;
 
 	mpo_devfs_create_device_t		mpo_devfs_create_device;
 	mpo_devfs_create_directory_t		mpo_devfs_create_directory;
 	mpo_devfs_create_symlink_t		mpo_devfs_create_symlink;
 	mpo_devfs_destroy_label_t		mpo_devfs_destroy_label;
 	mpo_devfs_init_label_t			mpo_devfs_init_label;
 	mpo_devfs_update_t			mpo_devfs_update;
 	mpo_devfs_vnode_associate_t		mpo_devfs_vnode_associate;
 
 	mpo_ifnet_check_relabel_t		mpo_ifnet_check_relabel;
 	mpo_ifnet_check_transmit_t		mpo_ifnet_check_transmit;
 	mpo_ifnet_copy_label_t			mpo_ifnet_copy_label;
 	mpo_ifnet_create_t			mpo_ifnet_create;
 	mpo_ifnet_create_mbuf_t			mpo_ifnet_create_mbuf;
 	mpo_ifnet_destroy_label_t		mpo_ifnet_destroy_label;
 	mpo_ifnet_externalize_label_t		mpo_ifnet_externalize_label;
 	mpo_ifnet_init_label_t			mpo_ifnet_init_label;
 	mpo_ifnet_internalize_label_t		mpo_ifnet_internalize_label;
 	mpo_ifnet_relabel_t			mpo_ifnet_relabel;
 
 	mpo_inpcb_check_deliver_t		mpo_inpcb_check_deliver;
 	mpo_inpcb_check_visible_t		mpo_inpcb_check_visible;
 	mpo_inpcb_create_t			mpo_inpcb_create;
 	mpo_inpcb_create_mbuf_t			mpo_inpcb_create_mbuf;
 	mpo_inpcb_destroy_label_t		mpo_inpcb_destroy_label;
 	mpo_inpcb_init_label_t			mpo_inpcb_init_label;
 	mpo_inpcb_sosetlabel_t			mpo_inpcb_sosetlabel;
 
 	mpo_ip4_check_jail_t			mpo_ip4_check_jail;
 	mpo_ip6_check_jail_t			mpo_ip6_check_jail;
 
 	mpo_ip6q_create_t			mpo_ip6q_create;
 	mpo_ip6q_destroy_label_t		mpo_ip6q_destroy_label;
 	mpo_ip6q_init_label_t			mpo_ip6q_init_label;
 	mpo_ip6q_match_t			mpo_ip6q_match;
 	mpo_ip6q_reassemble			mpo_ip6q_reassemble;
 	mpo_ip6q_update_t			mpo_ip6q_update;
 
 	mpo_ipq_create_t			mpo_ipq_create;
 	mpo_ipq_destroy_label_t			mpo_ipq_destroy_label;
 	mpo_ipq_init_label_t			mpo_ipq_init_label;
 	mpo_ipq_match_t				mpo_ipq_match;
 	mpo_ipq_reassemble			mpo_ipq_reassemble;
 	mpo_ipq_update_t			mpo_ipq_update;
 
 	mpo_kdb_check_backend_t			mpo_kdb_check_backend;
 
 	mpo_kenv_check_dump_t			mpo_kenv_check_dump;
 	mpo_kenv_check_get_t			mpo_kenv_check_get;
 	mpo_kenv_check_set_t			mpo_kenv_check_set;
 	mpo_kenv_check_unset_t			mpo_kenv_check_unset;
 
 	mpo_kld_check_load_t			mpo_kld_check_load;
 	mpo_kld_check_stat_t			mpo_kld_check_stat;
 
 	mpo_mbuf_copy_label_t			mpo_mbuf_copy_label;
 	mpo_mbuf_destroy_label_t		mpo_mbuf_destroy_label;
 	mpo_mbuf_init_label_t			mpo_mbuf_init_label;
 
 	mpo_mount_check_stat_t			mpo_mount_check_stat;
 	mpo_mount_create_t			mpo_mount_create;
 	mpo_mount_destroy_label_t		mpo_mount_destroy_label;
 	mpo_mount_init_label_t			mpo_mount_init_label;
 
 	mpo_netinet_arp_send_t			mpo_netinet_arp_send;
 	mpo_netinet_firewall_reply_t		mpo_netinet_firewall_reply;
 	mpo_netinet_firewall_send_t		mpo_netinet_firewall_send;
 	mpo_netinet_fragment_t			mpo_netinet_fragment;
 	mpo_netinet_icmp_reply_t		mpo_netinet_icmp_reply;
 	mpo_netinet_icmp_replyinplace_t		mpo_netinet_icmp_replyinplace;
 	mpo_netinet_igmp_send_t			mpo_netinet_igmp_send;
 	mpo_netinet_tcp_reply_t			mpo_netinet_tcp_reply;
 
 	mpo_netinet6_nd6_send_t			mpo_netinet6_nd6_send;
 
 	mpo_pipe_check_ioctl_t			mpo_pipe_check_ioctl;
 	mpo_pipe_check_poll_t			mpo_pipe_check_poll;
 	mpo_pipe_check_read_t			mpo_pipe_check_read;
 	mpo_pipe_check_relabel_t		mpo_pipe_check_relabel;
 	mpo_pipe_check_stat_t			mpo_pipe_check_stat;
 	mpo_pipe_check_write_t			mpo_pipe_check_write;
 	mpo_pipe_copy_label_t			mpo_pipe_copy_label;
 	mpo_pipe_create_t			mpo_pipe_create;
 	mpo_pipe_destroy_label_t		mpo_pipe_destroy_label;
 	mpo_pipe_externalize_label_t		mpo_pipe_externalize_label;
 	mpo_pipe_init_label_t			mpo_pipe_init_label;
 	mpo_pipe_internalize_label_t		mpo_pipe_internalize_label;
 	mpo_pipe_relabel_t			mpo_pipe_relabel;
 
 	mpo_posixsem_check_getvalue_t		mpo_posixsem_check_getvalue;
 	mpo_posixsem_check_open_t		mpo_posixsem_check_open;
 	mpo_posixsem_check_post_t		mpo_posixsem_check_post;
 	mpo_posixsem_check_setmode_t		mpo_posixsem_check_setmode;
 	mpo_posixsem_check_setowner_t		mpo_posixsem_check_setowner;
 	mpo_posixsem_check_stat_t		mpo_posixsem_check_stat;
 	mpo_posixsem_check_unlink_t		mpo_posixsem_check_unlink;
 	mpo_posixsem_check_wait_t		mpo_posixsem_check_wait;
 	mpo_posixsem_create_t			mpo_posixsem_create;
 	mpo_posixsem_destroy_label_t		mpo_posixsem_destroy_label;
 	mpo_posixsem_init_label_t		mpo_posixsem_init_label;
 
 	mpo_posixshm_check_create_t		mpo_posixshm_check_create;
 	mpo_posixshm_check_mmap_t		mpo_posixshm_check_mmap;
 	mpo_posixshm_check_open_t		mpo_posixshm_check_open;
 	mpo_posixshm_check_read_t		mpo_posixshm_check_read;
 	mpo_posixshm_check_setmode_t		mpo_posixshm_check_setmode;
 	mpo_posixshm_check_setowner_t		mpo_posixshm_check_setowner;
 	mpo_posixshm_check_stat_t		mpo_posixshm_check_stat;
 	mpo_posixshm_check_truncate_t		mpo_posixshm_check_truncate;
 	mpo_posixshm_check_unlink_t		mpo_posixshm_check_unlink;
 	mpo_posixshm_check_write_t		mpo_posixshm_check_write;
 	mpo_posixshm_create_t			mpo_posixshm_create;
 	mpo_posixshm_destroy_label_t		mpo_posixshm_destroy_label;
 	mpo_posixshm_init_label_t		mpo_posixshm_init_label;
 
 	mpo_priv_check_t			mpo_priv_check;
 	mpo_priv_grant_t			mpo_priv_grant;
 
 	mpo_proc_check_debug_t			mpo_proc_check_debug;
 	mpo_proc_check_sched_t			mpo_proc_check_sched;
 	mpo_proc_check_signal_t			mpo_proc_check_signal;
 	mpo_proc_check_wait_t			mpo_proc_check_wait;
 	mpo_proc_destroy_label_t		mpo_proc_destroy_label;
 	mpo_proc_init_label_t			mpo_proc_init_label;
 
 	mpo_socket_check_accept_t		mpo_socket_check_accept;
 	mpo_socket_check_bind_t			mpo_socket_check_bind;
 	mpo_socket_check_connect_t		mpo_socket_check_connect;
 	mpo_socket_check_create_t		mpo_socket_check_create;
 	mpo_socket_check_deliver_t		mpo_socket_check_deliver;
 	mpo_socket_check_listen_t		mpo_socket_check_listen;
 	mpo_socket_check_poll_t			mpo_socket_check_poll;
 	mpo_socket_check_receive_t		mpo_socket_check_receive;
 	mpo_socket_check_relabel_t		mpo_socket_check_relabel;
 	mpo_socket_check_send_t			mpo_socket_check_send;
 	mpo_socket_check_stat_t			mpo_socket_check_stat;
 	mpo_socket_check_visible_t		mpo_socket_check_visible;
 	mpo_socket_copy_label_t			mpo_socket_copy_label;
 	mpo_socket_create_t			mpo_socket_create;
 	mpo_socket_create_mbuf_t		mpo_socket_create_mbuf;
 	mpo_socket_destroy_label_t		mpo_socket_destroy_label;
 	mpo_socket_externalize_label_t		mpo_socket_externalize_label;
 	mpo_socket_init_label_t			mpo_socket_init_label;
 	mpo_socket_internalize_label_t		mpo_socket_internalize_label;
 	mpo_socket_newconn_t			mpo_socket_newconn;
 	mpo_socket_relabel_t			mpo_socket_relabel;
 
 	mpo_socketpeer_destroy_label_t		mpo_socketpeer_destroy_label;
 	mpo_socketpeer_externalize_label_t	mpo_socketpeer_externalize_label;
 	mpo_socketpeer_init_label_t		mpo_socketpeer_init_label;
 	mpo_socketpeer_set_from_mbuf_t		mpo_socketpeer_set_from_mbuf;
 	mpo_socketpeer_set_from_socket_t	mpo_socketpeer_set_from_socket;
 
 	mpo_syncache_init_label_t		mpo_syncache_init_label;
 	mpo_syncache_destroy_label_t		mpo_syncache_destroy_label;
 	mpo_syncache_create_t			mpo_syncache_create;
 	mpo_syncache_create_mbuf_t		mpo_syncache_create_mbuf;
 
 	mpo_system_check_acct_t			mpo_system_check_acct;
 	mpo_system_check_audit_t		mpo_system_check_audit;
 	mpo_system_check_auditctl_t		mpo_system_check_auditctl;
 	mpo_system_check_auditon_t		mpo_system_check_auditon;
 	mpo_system_check_reboot_t		mpo_system_check_reboot;
 	mpo_system_check_swapon_t		mpo_system_check_swapon;
 	mpo_system_check_swapoff_t		mpo_system_check_swapoff;
 	mpo_system_check_sysctl_t		mpo_system_check_sysctl;
 
 	mpo_sysvmsg_cleanup_t			mpo_sysvmsg_cleanup;
 	mpo_sysvmsg_create_t			mpo_sysvmsg_create;
 	mpo_sysvmsg_destroy_label_t		mpo_sysvmsg_destroy_label;
 	mpo_sysvmsg_init_label_t		mpo_sysvmsg_init_label;
 
 	mpo_sysvmsq_check_msgmsq_t		mpo_sysvmsq_check_msgmsq;
 	mpo_sysvmsq_check_msgrcv_t		mpo_sysvmsq_check_msgrcv;
 	mpo_sysvmsq_check_msgrmid_t		mpo_sysvmsq_check_msgrmid;
 	mpo_sysvmsq_check_msqctl_t		mpo_sysvmsq_check_msqctl;
 	mpo_sysvmsq_check_msqget_t		mpo_sysvmsq_check_msqget;
 	mpo_sysvmsq_check_msqrcv_t		mpo_sysvmsq_check_msqrcv;
 	mpo_sysvmsq_check_msqsnd_t		mpo_sysvmsq_check_msqsnd;
 	mpo_sysvmsq_cleanup_t			mpo_sysvmsq_cleanup;
 	mpo_sysvmsq_create_t			mpo_sysvmsq_create;
 	mpo_sysvmsq_destroy_label_t		mpo_sysvmsq_destroy_label;
 	mpo_sysvmsq_init_label_t		mpo_sysvmsq_init_label;
 
 	mpo_sysvsem_check_semctl_t		mpo_sysvsem_check_semctl;
 	mpo_sysvsem_check_semget_t		mpo_sysvsem_check_semget;
 	mpo_sysvsem_check_semop_t		mpo_sysvsem_check_semop;
 	mpo_sysvsem_cleanup_t			mpo_sysvsem_cleanup;
 	mpo_sysvsem_create_t			mpo_sysvsem_create;
 	mpo_sysvsem_destroy_label_t		mpo_sysvsem_destroy_label;
 	mpo_sysvsem_init_label_t		mpo_sysvsem_init_label;
 
 	mpo_sysvshm_check_shmat_t		mpo_sysvshm_check_shmat;
 	mpo_sysvshm_check_shmctl_t		mpo_sysvshm_check_shmctl;
 	mpo_sysvshm_check_shmdt_t		mpo_sysvshm_check_shmdt;
 	mpo_sysvshm_check_shmget_t		mpo_sysvshm_check_shmget;
 	mpo_sysvshm_cleanup_t			mpo_sysvshm_cleanup;
 	mpo_sysvshm_create_t			mpo_sysvshm_create;
 	mpo_sysvshm_destroy_label_t		mpo_sysvshm_destroy_label;
 	mpo_sysvshm_init_label_t		mpo_sysvshm_init_label;
 
 	mpo_thread_userret_t			mpo_thread_userret;
 
 	mpo_vnode_check_access_t		mpo_vnode_check_access;
 	mpo_vnode_check_chdir_t			mpo_vnode_check_chdir;
 	mpo_vnode_check_chroot_t		mpo_vnode_check_chroot;
 	mpo_vnode_check_create_t		mpo_vnode_check_create;
 	mpo_vnode_check_deleteacl_t		mpo_vnode_check_deleteacl;
 	mpo_vnode_check_deleteextattr_t		mpo_vnode_check_deleteextattr;
 	mpo_vnode_check_exec_t			mpo_vnode_check_exec;
 	mpo_vnode_check_getacl_t		mpo_vnode_check_getacl;
 	mpo_vnode_check_getextattr_t		mpo_vnode_check_getextattr;
 	mpo_vnode_check_link_t			mpo_vnode_check_link;
 	mpo_vnode_check_listextattr_t		mpo_vnode_check_listextattr;
 	mpo_vnode_check_lookup_t		mpo_vnode_check_lookup;
 	mpo_vnode_check_mmap_t			mpo_vnode_check_mmap;
 	mpo_vnode_check_mmap_downgrade_t	mpo_vnode_check_mmap_downgrade;
 	mpo_vnode_check_mprotect_t		mpo_vnode_check_mprotect;
 	mpo_vnode_check_open_t			mpo_vnode_check_open;
 	mpo_vnode_check_poll_t			mpo_vnode_check_poll;
 	mpo_vnode_check_read_t			mpo_vnode_check_read;
 	mpo_vnode_check_readdir_t		mpo_vnode_check_readdir;
 	mpo_vnode_check_readlink_t		mpo_vnode_check_readlink;
 	mpo_vnode_check_relabel_t		mpo_vnode_check_relabel;
 	mpo_vnode_check_rename_from_t		mpo_vnode_check_rename_from;
 	mpo_vnode_check_rename_to_t		mpo_vnode_check_rename_to;
 	mpo_vnode_check_revoke_t		mpo_vnode_check_revoke;
 	mpo_vnode_check_setacl_t		mpo_vnode_check_setacl;
 	mpo_vnode_check_setextattr_t		mpo_vnode_check_setextattr;
 	mpo_vnode_check_setflags_t		mpo_vnode_check_setflags;
 	mpo_vnode_check_setmode_t		mpo_vnode_check_setmode;
 	mpo_vnode_check_setowner_t		mpo_vnode_check_setowner;
 	mpo_vnode_check_setutimes_t		mpo_vnode_check_setutimes;
 	mpo_vnode_check_stat_t			mpo_vnode_check_stat;
 	mpo_vnode_check_unlink_t		mpo_vnode_check_unlink;
 	mpo_vnode_check_write_t			mpo_vnode_check_write;
 	mpo_vnode_associate_extattr_t		mpo_vnode_associate_extattr;
 	mpo_vnode_associate_singlelabel_t	mpo_vnode_associate_singlelabel;
 	mpo_vnode_destroy_label_t		mpo_vnode_destroy_label;
 	mpo_vnode_copy_label_t			mpo_vnode_copy_label;
 	mpo_vnode_create_extattr_t		mpo_vnode_create_extattr;
 	mpo_vnode_execve_transition_t		mpo_vnode_execve_transition;
 	mpo_vnode_execve_will_transition_t	mpo_vnode_execve_will_transition;
 	mpo_vnode_externalize_label_t		mpo_vnode_externalize_label;
 	mpo_vnode_init_label_t			mpo_vnode_init_label;
 	mpo_vnode_internalize_label_t		mpo_vnode_internalize_label;
 	mpo_vnode_relabel_t			mpo_vnode_relabel;
 	mpo_vnode_setlabel_extattr_t		mpo_vnode_setlabel_extattr;
 };
 
 /*
  * struct mac_policy_conf is the registration structure for policies, and is
  * provided to the MAC Framework using MAC_POLICY_SET() to invoke a SYSINIT
  * to register the policy.  In general, the fields are immutable, with the
  * exception of the "security field", run-time flags, and policy list entry,
  * which are managed by the MAC Framework.  Be careful when modifying this
  * structure, as its layout is statically compiled into all policies.
  */
 struct mac_policy_conf {
 	char				*mpc_name;	/* policy name */
 	char				*mpc_fullname;	/* policy full name */
 	struct mac_policy_ops		*mpc_ops;	/* policy operations */
 	int				 mpc_loadtime_flags;	/* flags */
 	int				*mpc_field_off; /* security field */
 	int				 mpc_runtime_flags; /* flags */
 	int				 _mpc_spare1;	/* Spare. */
 	uint64_t			 _mpc_spare2;	/* Spare. */
 	uint64_t			 _mpc_spare3;	/* Spare. */
 	void				*_mpc_spare4;	/* Spare. */
 	LIST_ENTRY(mac_policy_conf)	 mpc_list;	/* global list */
 };
 
 /* Flags for the mpc_loadtime_flags field. */
 #define	MPC_LOADTIME_FLAG_NOTLATE	0x00000001
 #define	MPC_LOADTIME_FLAG_UNLOADOK	0x00000002
 
 /* Flags for the mpc_runtime_flags field. */
 #define	MPC_RUNTIME_FLAG_REGISTERED	0x00000001
 
 /*-
  * The TrustedBSD MAC Framework has a major version number, MAC_VERSION,
  * which defines the ABI of the Framework present in the kernel (and depended
  * on by policy modules compiled against that kernel).  Currently,
  * MAC_POLICY_SET() requires that the kernel and module ABI version numbers
  * exactly match.  The following major versions have been defined to date:
  *
  *   MAC version             FreeBSD versions
  *   1                       5.x
  *   2                       6.x
  *   3                       7.x
  *   4                       8.x
  *   5                       14.x
  */
 #define	MAC_VERSION	5
 
 #define	MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
 	static struct mac_policy_conf mpname##_mac_policy_conf = {	\
 		.mpc_name = #mpname,					\
 		.mpc_fullname = mpfullname,				\
 		.mpc_ops = mpops,					\
 		.mpc_loadtime_flags = mpflags,				\
 		.mpc_field_off = privdata_wanted,			\
 	};								\
 	static moduledata_t mpname##_mod = {				\
 		#mpname,						\
 		mac_policy_modevent,					\
 		&mpname##_mac_policy_conf				\
 	};								\
 	MODULE_DEPEND(mpname, kernel_mac_support, MAC_VERSION,		\
 	    MAC_VERSION, MAC_VERSION);					\
 	DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY,		\
 	    SI_ORDER_MIDDLE)
 
 int	mac_policy_modevent(module_t mod, int type, void *data);
 
 /*
  * Policy interface to map a struct label pointer to per-policy data.
  * Typically, policies wrap this in their own accessor macro that casts a
  * uintptr_t to a policy-specific data type.
  */
 intptr_t	mac_label_get(struct label *l, int slot);
 void		mac_label_set(struct label *l, int slot, intptr_t v);
 
+/*
+ * Common MAC Framework's sysctl and jail parameters' sysctl nodes' declarations.
+ *
+ * Headers <sys/jail.h> and <sys/sysctl.h> normally have to be included before
+ * this header as style(9) hints to.  If they weren't, just forego the
+ * corresponding declarations, assuming they are not needed.
+ */
+#ifdef SYSCTL_DECL
+SYSCTL_DECL(_security_mac);
+#endif
+
+#ifdef SYSCTL_JAIL_PARAM_DECL
+SYSCTL_JAIL_PARAM_DECL(mac);
+#endif
+
 #endif /* !_SECURITY_MAC_MAC_POLICY_H_ */
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 5d66e2fd4b9b..e991e05311df 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1,3798 +1,3796 @@
 /*-
  * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by McAfee
  * Research, the Security Research Division of McAfee, Inc. under
  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
  * CHATS research program.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
  * This software was developed at the University of Cambridge Computer
  * Laboratory with support from a grant from Google, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 /*
  * Developed by the TrustedBSD Project.
  *
  * Biba fixed label mandatory integrity policy.
  */
 
 #include <sys/param.h>
 #include <sys/conf.h>
 #include <sys/extattr.h>
 #include <sys/kernel.h>
 #include <sys/ksem.h>
 #include <sys/malloc.h>
 #include <sys/mman.h>
 #include <sys/mount.h>
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/sbuf.h>
 #include <sys/systm.h>
 #include <sys/sysproto.h>
 #include <sys/sysent.h>
 #include <sys/systm.h>
 #include <sys/vnode.h>
 #include <sys/file.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/pipe.h>
 #include <sys/sx.h>
 #include <sys/sysctl.h>
 #include <sys/msg.h>
 #include <sys/sem.h>
 #include <sys/shm.h>
 
 #include <fs/devfs/devfs.h>
 
 #include <net/bpfdesc.h>
 #include <net/if.h>
 #include <net/if_types.h>
 #include <net/if_var.h>
 
 #include <netinet/in.h>
 #include <netinet/in_pcb.h>
 #include <netinet/ip_var.h>
 
 #include <vm/uma.h>
 #include <vm/vm.h>
 
 #include <security/mac/mac_policy.h>
 #include <security/mac_biba/mac_biba.h>
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, biba,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "TrustedBSD mac_biba policy controls");
 
 static int	biba_label_size = sizeof(struct mac_biba);
 SYSCTL_INT(_security_mac_biba, OID_AUTO, label_size, CTLFLAG_RD,
     &biba_label_size, 0, "Size of struct mac_biba");
 
 static int	biba_enabled = 1;
 SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RWTUN, &biba_enabled,
     0, "Enforce MAC/Biba policy");
 
 static int	destroyed_not_inited;
 SYSCTL_INT(_security_mac_biba, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
     &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
 
 static int	trust_all_interfaces = 0;
 SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RDTUN,
     &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/Biba");
 
 static char	trusted_interfaces[128];
 SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RDTUN,
     trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba");
 
 static int	max_compartments = MAC_BIBA_MAX_COMPARTMENTS;
 SYSCTL_INT(_security_mac_biba, OID_AUTO, max_compartments, CTLFLAG_RD,
     &max_compartments, 0, "Maximum supported compartments");
 
 static int	ptys_equal = 0;
 SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RWTUN, &ptys_equal,
     0, "Label pty devices as biba/equal on create");
 
 static int	interfaces_equal = 1;
 SYSCTL_INT(_security_mac_biba, OID_AUTO, interfaces_equal, CTLFLAG_RWTUN,
     &interfaces_equal, 0, "Label network interfaces as biba/equal on create");
 
 static int	revocation_enabled = 0;
 SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RWTUN,
     &revocation_enabled, 0, "Revoke access to objects on relabel");
 
 static int	biba_slot;
 #define	SLOT(l)	((struct mac_biba *)mac_label_get((l), biba_slot))
 #define	SLOT_SET(l, val) mac_label_set((l), biba_slot, (uintptr_t)(val))
 
 static uma_zone_t	zone_biba;
 
 static __inline int
 biba_bit_set_empty(u_char *set) {
 	int i;
 
 	for (i = 0; i < MAC_BIBA_MAX_COMPARTMENTS >> 3; i++)
 		if (set[i] != 0)
 			return (0);
 	return (1);
 }
 
 static struct mac_biba *
 biba_alloc(int flag)
 {
 
 	return (uma_zalloc(zone_biba, flag | M_ZERO));
 }
 
 static void
 biba_free(struct mac_biba *mb)
 {
 
 	if (mb != NULL)
 		uma_zfree(zone_biba, mb);
 	else
 		atomic_add_int(&destroyed_not_inited, 1);
 }
 
 static int
 biba_atmostflags(struct mac_biba *mb, int flags)
 {
 
 	if ((mb->mb_flags & flags) != mb->mb_flags)
 		return (EINVAL);
 	return (0);
 }
 
 static int
 biba_dominate_element(struct mac_biba_element *a, struct mac_biba_element *b)
 {
 	int bit;
 
 	switch (a->mbe_type) {
 	case MAC_BIBA_TYPE_EQUAL:
 	case MAC_BIBA_TYPE_HIGH:
 		return (1);
 
 	case MAC_BIBA_TYPE_LOW:
 		switch (b->mbe_type) {
 		case MAC_BIBA_TYPE_GRADE:
 		case MAC_BIBA_TYPE_HIGH:
 			return (0);
 
 		case MAC_BIBA_TYPE_EQUAL:
 		case MAC_BIBA_TYPE_LOW:
 			return (1);
 
 		default:
 			panic("biba_dominate_element: b->mbe_type invalid");
 		}
 
 	case MAC_BIBA_TYPE_GRADE:
 		switch (b->mbe_type) {
 		case MAC_BIBA_TYPE_EQUAL:
 		case MAC_BIBA_TYPE_LOW:
 			return (1);
 
 		case MAC_BIBA_TYPE_HIGH:
 			return (0);
 
 		case MAC_BIBA_TYPE_GRADE:
 			for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++)
 				if (!MAC_BIBA_BIT_TEST(bit,
 				    a->mbe_compartments) &&
 				    MAC_BIBA_BIT_TEST(bit, b->mbe_compartments))
 					return (0);
 			return (a->mbe_grade >= b->mbe_grade);
 
 		default:
 			panic("biba_dominate_element: b->mbe_type invalid");
 		}
 
 	default:
 		panic("biba_dominate_element: a->mbe_type invalid");
 	}
 
 	return (0);
 }
 
 static int
 biba_subject_dominate_high(struct mac_biba *mb)
 {
 	struct mac_biba_element *element;
 
 	KASSERT((mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
 	    ("biba_effective_in_range: mb not effective"));
 	element = &mb->mb_effective;
 
 	return (element->mbe_type == MAC_BIBA_TYPE_EQUAL ||
 	    element->mbe_type == MAC_BIBA_TYPE_HIGH);
 }
 
 static int
 biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb)
 {
 
 	return (biba_dominate_element(&rangeb->mb_rangehigh,
 	    &rangea->mb_rangehigh) &&
 	    biba_dominate_element(&rangea->mb_rangelow,
 	    &rangeb->mb_rangelow));
 }
 
 static int
 biba_effective_in_range(struct mac_biba *effective, struct mac_biba *range)
 {
 
 	KASSERT((effective->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
 	    ("biba_effective_in_range: a not effective"));
 	KASSERT((range->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
 	    ("biba_effective_in_range: b not range"));
 
 	return (biba_dominate_element(&range->mb_rangehigh,
 	    &effective->mb_effective) &&
 	    biba_dominate_element(&effective->mb_effective,
 	    &range->mb_rangelow));
 
 	return (1);
 }
 
 static int
 biba_dominate_effective(struct mac_biba *a, struct mac_biba *b)
 {
 	KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
 	    ("biba_dominate_effective: a not effective"));
 	KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
 	    ("biba_dominate_effective: b not effective"));
 
 	return (biba_dominate_element(&a->mb_effective, &b->mb_effective));
 }
 
 static int
 biba_equal_element(struct mac_biba_element *a, struct mac_biba_element *b)
 {
 
 	if (a->mbe_type == MAC_BIBA_TYPE_EQUAL ||
 	    b->mbe_type == MAC_BIBA_TYPE_EQUAL)
 		return (1);
 
 	return (a->mbe_type == b->mbe_type && a->mbe_grade == b->mbe_grade);
 }
 
 static int
 biba_equal_effective(struct mac_biba *a, struct mac_biba *b)
 {
 
 	KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
 	    ("biba_equal_effective: a not effective"));
 	KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
 	    ("biba_equal_effective: b not effective"));
 
 	return (biba_equal_element(&a->mb_effective, &b->mb_effective));
 }
 
 static int
 biba_contains_equal(struct mac_biba *mb)
 {
 
 	if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
 		if (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL)
 			return (1);
 	}
 
 	if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
 		if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL)
 			return (1);
 		if (mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
 			return (1);
 	}
 
 	return (0);
 }
 
 static int
 biba_subject_privileged(struct mac_biba *mb)
 {
 
 	KASSERT((mb->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAGS_BOTH,
 	    ("biba_subject_privileged: subject doesn't have both labels"));
 
 	/* If the effective is EQUAL, it's ok. */
 	if (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL)
 		return (0);
 
 	/* If either range endpoint is EQUAL, it's ok. */
 	if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL ||
 	    mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
 		return (0);
 
 	/* If the range is low-high, it's ok. */
 	if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW &&
 	    mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH)
 		return (0);
 
 	/* It's not ok. */
 	return (EPERM);
 }
 
 static int
 biba_high_effective(struct mac_biba *mb)
 {
 
 	KASSERT((mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
 	    ("biba_equal_effective: mb not effective"));
 
 	return (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_HIGH);
 }
 
 static int
 biba_valid(struct mac_biba *mb)
 {
 
 	if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
 		switch (mb->mb_effective.mbe_type) {
 		case MAC_BIBA_TYPE_GRADE:
 			break;
 
 		case MAC_BIBA_TYPE_EQUAL:
 		case MAC_BIBA_TYPE_HIGH:
 		case MAC_BIBA_TYPE_LOW:
 			if (mb->mb_effective.mbe_grade != 0 ||
 			    !MAC_BIBA_BIT_SET_EMPTY(
 			    mb->mb_effective.mbe_compartments))
 				return (EINVAL);
 			break;
 
 		default:
 			return (EINVAL);
 		}
 	} else {
 		if (mb->mb_effective.mbe_type != MAC_BIBA_TYPE_UNDEF)
 			return (EINVAL);
 	}
 
 	if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
 		switch (mb->mb_rangelow.mbe_type) {
 		case MAC_BIBA_TYPE_GRADE:
 			break;
 
 		case MAC_BIBA_TYPE_EQUAL:
 		case MAC_BIBA_TYPE_HIGH:
 		case MAC_BIBA_TYPE_LOW:
 			if (mb->mb_rangelow.mbe_grade != 0 ||
 			    !MAC_BIBA_BIT_SET_EMPTY(
 			    mb->mb_rangelow.mbe_compartments))
 				return (EINVAL);
 			break;
 
 		default:
 			return (EINVAL);
 		}
 
 		switch (mb->mb_rangehigh.mbe_type) {
 		case MAC_BIBA_TYPE_GRADE:
 			break;
 
 		case MAC_BIBA_TYPE_EQUAL:
 		case MAC_BIBA_TYPE_HIGH:
 		case MAC_BIBA_TYPE_LOW:
 			if (mb->mb_rangehigh.mbe_grade != 0 ||
 			    !MAC_BIBA_BIT_SET_EMPTY(
 			    mb->mb_rangehigh.mbe_compartments))
 				return (EINVAL);
 			break;
 
 		default:
 			return (EINVAL);
 		}
 		if (!biba_dominate_element(&mb->mb_rangehigh,
 		    &mb->mb_rangelow))
 			return (EINVAL);
 	} else {
 		if (mb->mb_rangelow.mbe_type != MAC_BIBA_TYPE_UNDEF ||
 		    mb->mb_rangehigh.mbe_type != MAC_BIBA_TYPE_UNDEF)
 			return (EINVAL);
 	}
 
 	return (0);
 }
 
 static void
 biba_set_range(struct mac_biba *mb, u_short typelow, u_short gradelow,
     u_char *compartmentslow, u_short typehigh, u_short gradehigh,
     u_char *compartmentshigh)
 {
 
 	mb->mb_rangelow.mbe_type = typelow;
 	mb->mb_rangelow.mbe_grade = gradelow;
 	if (compartmentslow != NULL)
 		memcpy(mb->mb_rangelow.mbe_compartments, compartmentslow,
 		    sizeof(mb->mb_rangelow.mbe_compartments));
 	mb->mb_rangehigh.mbe_type = typehigh;
 	mb->mb_rangehigh.mbe_grade = gradehigh;
 	if (compartmentshigh != NULL)
 		memcpy(mb->mb_rangehigh.mbe_compartments, compartmentshigh,
 		    sizeof(mb->mb_rangehigh.mbe_compartments));
 	mb->mb_flags |= MAC_BIBA_FLAG_RANGE;
 }
 
 static void
 biba_set_effective(struct mac_biba *mb, u_short type, u_short grade,
     u_char *compartments)
 {
 
 	mb->mb_effective.mbe_type = type;
 	mb->mb_effective.mbe_grade = grade;
 	if (compartments != NULL)
 		memcpy(mb->mb_effective.mbe_compartments, compartments,
 		    sizeof(mb->mb_effective.mbe_compartments));
 	mb->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
 }
 
 static void
 biba_copy_range(struct mac_biba *labelfrom, struct mac_biba *labelto)
 {
 
 	KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
 	    ("biba_copy_range: labelfrom not range"));
 
 	labelto->mb_rangelow = labelfrom->mb_rangelow;
 	labelto->mb_rangehigh = labelfrom->mb_rangehigh;
 	labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
 }
 
 static void
 biba_copy_effective(struct mac_biba *labelfrom, struct mac_biba *labelto)
 {
 
 	KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0,
 	    ("biba_copy_effective: labelfrom not effective"));
 
 	labelto->mb_effective = labelfrom->mb_effective;
 	labelto->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
 }
 
 static void
 biba_copy(struct mac_biba *source, struct mac_biba *dest)
 {
 
 	if (source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE)
 		biba_copy_effective(source, dest);
 	if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
 		biba_copy_range(source, dest);
 }
 
 /*
  * Policy module operations.
  */
 static void
 biba_init(struct mac_policy_conf *conf)
 {
 
 	zone_biba = uma_zcreate("mac_biba", sizeof(struct mac_biba), NULL,
 	    NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
 }
 
 /*
  * Label operations.
  */
 static void
 biba_init_label(struct label *label)
 {
 
 	SLOT_SET(label, biba_alloc(M_WAITOK));
 }
 
 static int
 biba_init_label_waitcheck(struct label *label, int flag)
 {
 
 	SLOT_SET(label, biba_alloc(flag));
 	if (SLOT(label) == NULL)
 		return (ENOMEM);
 
 	return (0);
 }
 
 static void
 biba_destroy_label(struct label *label)
 {
 
 	biba_free(SLOT(label));
 	SLOT_SET(label, NULL);
 }
 
 /*
  * biba_element_to_string() accepts an sbuf and Biba element.  It converts
  * the Biba element to a string and stores the result in the sbuf; if there
  * isn't space in the sbuf, -1 is returned.
  */
 static int
 biba_element_to_string(struct sbuf *sb, struct mac_biba_element *element)
 {
 	int i, first;
 
 	switch (element->mbe_type) {
 	case MAC_BIBA_TYPE_HIGH:
 		return (sbuf_printf(sb, "high"));
 
 	case MAC_BIBA_TYPE_LOW:
 		return (sbuf_printf(sb, "low"));
 
 	case MAC_BIBA_TYPE_EQUAL:
 		return (sbuf_printf(sb, "equal"));
 
 	case MAC_BIBA_TYPE_GRADE:
 		if (sbuf_printf(sb, "%d", element->mbe_grade) == -1)
 			return (-1);
 
 		first = 1;
 		for (i = 1; i <= MAC_BIBA_MAX_COMPARTMENTS; i++) {
 			if (MAC_BIBA_BIT_TEST(i, element->mbe_compartments)) {
 				if (first) {
 					if (sbuf_putc(sb, ':') == -1)
 						return (-1);
 					if (sbuf_printf(sb, "%d", i) == -1)
 						return (-1);
 					first = 0;
 				} else {
 					if (sbuf_printf(sb, "+%d", i) == -1)
 						return (-1);
 				}
 			}
 		}
 		return (0);
 
 	default:
 		panic("biba_element_to_string: invalid type (%d)",
 		    element->mbe_type);
 	}
 }
 
 /*
  * biba_to_string() converts a Biba label to a string, and places the results
  * in the passed sbuf.  It returns 0 on success, or EINVAL if there isn't
  * room in the sbuf.  Note: the sbuf will be modified even in a failure case,
  * so the caller may need to revert the sbuf by restoring the offset if
  * that's undesired.
  */
 static int
 biba_to_string(struct sbuf *sb, struct mac_biba *mb)
 {
 
 	if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
 		if (biba_element_to_string(sb, &mb->mb_effective) == -1)
 			return (EINVAL);
 	}
 
 	if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) {
 		if (sbuf_putc(sb, '(') == -1)
 			return (EINVAL);
 
 		if (biba_element_to_string(sb, &mb->mb_rangelow) == -1)
 			return (EINVAL);
 
 		if (sbuf_putc(sb, '-') == -1)
 			return (EINVAL);
 
 		if (biba_element_to_string(sb, &mb->mb_rangehigh) == -1)
 			return (EINVAL);
 
 		if (sbuf_putc(sb, ')') == -1)
 			return (EINVAL);
 	}
 
 	return (0);
 }
 
 static int
 biba_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
 {
 	struct mac_biba *mb;
 
 	if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
 		return (0);
 
 	(*claimed)++;
 
 	mb = SLOT(label);
 	return (biba_to_string(sb, mb));
 }
 
 static int
 biba_parse_element(struct mac_biba_element *element, char *string)
 {
 	char *compartment, *end, *grade;
 	int value;
 
 	if (strcmp(string, "high") == 0 || strcmp(string, "hi") == 0) {
 		element->mbe_type = MAC_BIBA_TYPE_HIGH;
 		element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
 	} else if (strcmp(string, "low") == 0 || strcmp(string, "lo") == 0) {
 		element->mbe_type = MAC_BIBA_TYPE_LOW;
 		element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
 	} else if (strcmp(string, "equal") == 0 ||
 	    strcmp(string, "eq") == 0) {
 		element->mbe_type = MAC_BIBA_TYPE_EQUAL;
 		element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
 	} else {
 		element->mbe_type = MAC_BIBA_TYPE_GRADE;
 
 		/*
 		 * Numeric grade piece of the element.
 		 */
 		grade = strsep(&string, ":");
 		value = strtol(grade, &end, 10);
 		if (end == grade || *end != '\0')
 			return (EINVAL);
 		if (value < 0 || value > 65535)
 			return (EINVAL);
 		element->mbe_grade = value;
 
 		/*
 		 * Optional compartment piece of the element.  If none are
 		 * included, we assume that the label has no compartments.
 		 */
 		if (string == NULL)
 			return (0);
 		if (*string == '\0')
 			return (0);
 
 		while ((compartment = strsep(&string, "+")) != NULL) {
 			value = strtol(compartment, &end, 10);
 			if (compartment == end || *end != '\0')
 				return (EINVAL);
 			if (value < 1 || value > MAC_BIBA_MAX_COMPARTMENTS)
 				return (EINVAL);
 			MAC_BIBA_BIT_SET(value, element->mbe_compartments);
 		}
 	}
 
 	return (0);
 }
 
 /*
  * Note: destructively consumes the string, make a local copy before calling
  * if that's a problem.
  */
 static int
 biba_parse(struct mac_biba *mb, char *string)
 {
 	char *rangehigh, *rangelow, *effective;
 	int error;
 
 	effective = strsep(&string, "(");
 	if (*effective == '\0')
 		effective = NULL;
 
 	if (string != NULL) {
 		rangelow = strsep(&string, "-");
 		if (string == NULL)
 			return (EINVAL);
 		rangehigh = strsep(&string, ")");
 		if (string == NULL)
 			return (EINVAL);
 		if (*string != '\0')
 			return (EINVAL);
 	} else {
 		rangelow = NULL;
 		rangehigh = NULL;
 	}
 
 	KASSERT((rangelow != NULL && rangehigh != NULL) ||
 	    (rangelow == NULL && rangehigh == NULL),
 	    ("biba_parse: range mismatch"));
 
 	bzero(mb, sizeof(*mb));
 	if (effective != NULL) {
 		error = biba_parse_element(&mb->mb_effective, effective);
 		if (error)
 			return (error);
 		mb->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE;
 	}
 
 	if (rangelow != NULL) {
 		error = biba_parse_element(&mb->mb_rangelow, rangelow);
 		if (error)
 			return (error);
 		error = biba_parse_element(&mb->mb_rangehigh, rangehigh);
 		if (error)
 			return (error);
 		mb->mb_flags |= MAC_BIBA_FLAG_RANGE;
 	}
 
 	error = biba_valid(mb);
 	if (error)
 		return (error);
 
 	return (0);
 }
 
 static int
 biba_internalize_label(struct label *label, char *element_name,
     char *element_data, int *claimed)
 {
 	struct mac_biba *mb, mb_temp;
 	int error;
 
 	if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
 		return (0);
 
 	(*claimed)++;
 
 	error = biba_parse(&mb_temp, element_data);
 	if (error)
 		return (error);
 
 	mb = SLOT(label);
 	*mb = mb_temp;
 
 	return (0);
 }
 
 static void
 biba_copy_label(struct label *src, struct label *dest)
 {
 
 	*SLOT(dest) = *SLOT(src);
 }
 
 /*
  * Object-specific entry point implementations are sorted alphabetically by
  * object type name and then by operation.
  */
 static int
 biba_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
     struct ifnet *ifp, struct label *ifplabel)
 {
 	struct mac_biba *a, *b;
 
 	if (!biba_enabled)
 		return (0);
 
 	a = SLOT(dlabel);
 	b = SLOT(ifplabel);
 
 	if (biba_equal_effective(a, b))
 		return (0);
 	return (EACCES);
 }
 
 static void
 biba_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
     struct label *dlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(dlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(dlabel);
 	dest = SLOT(mlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_cred_associate_nfsd(struct ucred *cred)
 {
 	struct mac_biba *label;
 
 	label = SLOT(cred->cr_label);
 	biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
 	biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
 	    0, NULL);
 }
 
 static int
 biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct mac_biba *subj, *new;
 	int error;
 
 	subj = SLOT(cred->cr_label);
 	new = SLOT(newlabel);
 
 	/*
 	 * If there is a Biba label update for the credential, it may
 	 * be an update of the effective, range, or both.
 	 */
 	error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
 	if (error)
 		return (error);
 
 	/*
 	 * If the Biba label is to be changed, authorize as appropriate.
 	 */
 	if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
 		/*
 		 * If the change request modifies both the Biba label
 		 * effective and range, check that the new effective will be
 		 * in the new range.
 		 */
 		if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
 		    MAC_BIBA_FLAGS_BOTH &&
 		    !biba_effective_in_range(new, new))
 			return (EINVAL);
 
 		/*
 		 * To change the Biba effective label on a credential, the
 		 * new effective label must be in the current range.
 		 */
 		if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE &&
 		    !biba_effective_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the Biba range on a credential, the new range
 		 * label must be in the current range.
 		 */
 		if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
 		    !biba_range_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To have EQUAL in any component of the new credential Biba
 		 * label, the subject must already have EQUAL in their label.
 		 */
 		if (biba_contains_equal(new)) {
 			error = biba_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 	}
 
 	return (0);
 }
 
 static int
 biba_cred_check_visible(struct ucred *u1, struct ucred *u2)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(u1->cr_label);
 	obj = SLOT(u2->cr_label);
 
 	/* XXX: range */
 	if (!biba_dominate_effective(obj, subj))
 		return (ESRCH);
 
 	return (0);
 }
 
 static void
 biba_cred_create_init(struct ucred *cred)
 {
 	struct mac_biba *dest;
 
 	dest = SLOT(cred->cr_label);
 
 	biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
 	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
 	    0, NULL);
 }
 
 static void
 biba_cred_create_swapper(struct ucred *cred)
 {
 	struct mac_biba *dest;
 
 	dest = SLOT(cred->cr_label);
 
 	biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
 	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
 	    0, NULL);
 }
 
 static void
 biba_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(newlabel);
 	dest = SLOT(cred->cr_label);
 
 	biba_copy(source, dest);
 }
 
 static void
 biba_devfs_create_device(struct ucred *cred, struct mount *mp,
     struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
 {
 	struct mac_biba *mb;
 	const char *dn;
 	int biba_type;
 
 	mb = SLOT(delabel);
 	dn = devtoname(dev);
 	if (strcmp(dn, "null") == 0 ||
 	    strcmp(dn, "zero") == 0 ||
 	    strcmp(dn, "random") == 0 ||
 	    strncmp(dn, "fd/", strlen("fd/")) == 0)
 		biba_type = MAC_BIBA_TYPE_EQUAL;
 	else if (ptys_equal &&
 	    (strncmp(dn, "ttyp", strlen("ttyp")) == 0 ||
 	    strncmp(dn, "pts/", strlen("pts/")) == 0 ||
 	    strncmp(dn, "ptyp", strlen("ptyp")) == 0))
 		biba_type = MAC_BIBA_TYPE_EQUAL;
 	else
 		biba_type = MAC_BIBA_TYPE_HIGH;
 	biba_set_effective(mb, biba_type, 0, NULL);
 }
 
 static void
 biba_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
     struct devfs_dirent *de, struct label *delabel)
 {
 	struct mac_biba *mb;
 
 	mb = SLOT(delabel);
 
 	biba_set_effective(mb, MAC_BIBA_TYPE_HIGH, 0, NULL);
 }
 
 static void
 biba_devfs_create_symlink(struct ucred *cred, struct mount *mp,
     struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
     struct label *delabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(delabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_devfs_update(struct mount *mp, struct devfs_dirent *de,
     struct label *delabel, struct vnode *vp, struct label *vplabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(vplabel);
 	dest = SLOT(delabel);
 
 	biba_copy(source, dest);
 }
 
 static void
 biba_devfs_vnode_associate(struct mount *mp, struct label *mntlabel,
     struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(delabel);
 	dest = SLOT(vplabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static int
 biba_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
     struct label *ifplabel, struct label *newlabel)
 {
 	struct mac_biba *subj, *new;
 	int error;
 
 	subj = SLOT(cred->cr_label);
 	new = SLOT(newlabel);
 
 	/*
 	 * If there is a Biba label update for the interface, it may be an
 	 * update of the effective, range, or both.
 	 */
 	error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
 	if (error)
 		return (error);
 
 	/*
 	 * Relabling network interfaces requires Biba privilege.
 	 */
 	error = biba_subject_privileged(subj);
 	if (error)
 		return (error);
 
 	return (0);
 }
 
 static int
 biba_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *p, *i;
 
 	if (!biba_enabled)
 		return (0);
 
 	p = SLOT(mlabel);
 	i = SLOT(ifplabel);
 
 	return (biba_effective_in_range(p, i) ? 0 : EACCES);
 }
 
 static void
 biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 {
 	char tifname[IFNAMSIZ], *p, *q;
 	char tiflist[sizeof(trusted_interfaces)];
 	struct mac_biba *dest;
 	int len, type;
 
 	dest = SLOT(ifplabel);
 
 	if (if_gettype(ifp) == IFT_LOOP || interfaces_equal != 0) {
 		type = MAC_BIBA_TYPE_EQUAL;
 		goto set;
 	}
 
 	if (trust_all_interfaces) {
 		type = MAC_BIBA_TYPE_HIGH;
 		goto set;
 	}
 
 	type = MAC_BIBA_TYPE_LOW;
 
 	if (trusted_interfaces[0] == '\0' ||
 	    !strvalid(trusted_interfaces, sizeof(trusted_interfaces)))
 		goto set;
 
 	bzero(tiflist, sizeof(tiflist));
 	for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++)
 		if(*p != ' ' && *p != '\t')
 			*q = *p;
 
 	for (p = q = tiflist;; p++) {
 		if (*p == ',' || *p == '\0') {
 			len = p - q;
 			if (len < IFNAMSIZ) {
 				bzero(tifname, sizeof(tifname));
 				bcopy(q, tifname, len);
 				if (strcmp(tifname, if_name(ifp)) == 0) {
 					type = MAC_BIBA_TYPE_HIGH;
 					break;
 				}
 			} else {
 				*p = '\0';
 				printf("mac_biba warning: interface name "
 				    "\"%s\" is too long (must be < %d)\n",
 				    q, IFNAMSIZ);
 			}
 			if (*p == '\0')
 				break;
 			q = p + 1;
 		}
 	}
 set:
 	biba_set_effective(dest, type, 0, NULL);
 	biba_set_range(dest, type, 0, NULL, type, 0, NULL);
 }
 
 static void
 biba_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(ifplabel);
 	dest = SLOT(mlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
     struct label *ifplabel, struct label *newlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(newlabel);
 	dest = SLOT(ifplabel);
 
 	biba_copy(source, dest);
 }
 
 static int
 biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *p, *i;
 
 	if (!biba_enabled)
 		return (0);
 
 	p = SLOT(mlabel);
 	i = SLOT(inplabel);
 
 	return (biba_equal_effective(p, i) ? 0 : EACCES);
 }
 
 static int
 biba_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
     struct label *inplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(inplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (ENOENT);
 
 	return (0);
 }
 
 static void
 biba_inpcb_create(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(solabel);
 	dest = SLOT(inplabel);
 
 	SOCK_LOCK(so);
 	biba_copy_effective(source, dest);
 	SOCK_UNLOCK(so);
 }
 
 static void
 biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(inplabel);
 	dest = SLOT(mlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
 {
 	struct mac_biba *source, *dest;
 
 	SOCK_LOCK_ASSERT(so);
 
 	source = SLOT(solabel);
 	dest = SLOT(inplabel);
 
 	biba_copy(source, dest);
 }
 
 static void
 biba_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(mlabel);
 	dest = SLOT(q6label);
 
 	biba_copy_effective(source, dest);
 }
 
 static int
 biba_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 	struct mac_biba *a, *b;
 
 	a = SLOT(q6label);
 	b = SLOT(mlabel);
 
 	return (biba_equal_effective(a, b));
 }
 
 static void
 biba_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
     struct label *mlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(q6label);
 	dest = SLOT(mlabel);
 
 	/* Just use the head, since we require them all to match. */
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 
 	/* NOOP: we only accept matching labels, so no need to update */
 }
 
 static void
 biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(mlabel);
 	dest = SLOT(qlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static int
 biba_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 	struct mac_biba *a, *b;
 
 	a = SLOT(qlabel);
 	b = SLOT(mlabel);
 
 	return (biba_equal_effective(a, b));
 }
 
 static void
 biba_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m,
     struct label *mlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(qlabel);
 	dest = SLOT(mlabel);
 
 	/* Just use the head, since we require them all to match. */
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 
 	/* NOOP: we only accept matching labels, so no need to update */
 }
 
 static int
 biba_kld_check_load(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
 	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 
 	error = biba_subject_privileged(subj);
 	if (error)
 		return (error);
 
 	obj = SLOT(vplabel);
 	if (!biba_high_effective(obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_mount_check_stat(struct ucred *cred, struct mount *mp,
     struct label *mplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(mplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 biba_mount_create(struct ucred *cred, struct mount *mp,
     struct label *mplabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(mplabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *dest;
 
 	dest = SLOT(mlabel);
 
 	biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
 }
 
 static void
 biba_netinet_firewall_reply(struct mbuf *mrecv, struct label *mrecvlabel,
     struct mbuf *msend, struct label *msendlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(mrecvlabel);
 	dest = SLOT(msendlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *dest;
 
 	dest = SLOT(mlabel);
 
 	/* XXX: where is the label for the firewall really coming from? */
 	biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
 }
 
 static void
 biba_netinet_fragment(struct mbuf *m, struct label *mlabel,
     struct mbuf *frag, struct label *fraglabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(mlabel);
 	dest = SLOT(fraglabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
     struct mbuf *msend, struct label *msendlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(mrecvlabel);
 	dest = SLOT(msendlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *dest;
 
 	dest = SLOT(mlabel);
 
 	biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
 }
 
 static void
 biba_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *dest;
 
 	dest = SLOT(mlabel);
 
 	biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
 }
 
 static int
 biba_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
 {
 
 	if(!biba_enabled)
 		return (0);
 
 	/* XXX: This will be implemented soon... */
 
 	return (0);
 }
 
 static int
 biba_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_pipe_check_read(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, struct label *newlabel)
 {
 	struct mac_biba *subj, *obj, *new;
 	int error;
 
 	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	/*
 	 * If there is a Biba label update for a pipe, it must be a effective
 	 * update.
 	 */
 	error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
 	if (error)
 		return (error);
 
 	/*
 	 * To perform a relabel of a pipe (Biba label or not), Biba must
 	 * authorize the relabel.
 	 */
 	if (!biba_effective_in_range(obj, subj))
 		return (EPERM);
 
 	/*
 	 * If the Biba label is to be changed, authorize as appropriate.
 	 */
 	if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
 		/*
 		 * To change the Biba label on a pipe, the new pipe label
 		 * must be in the subject range.
 		 */
 		if (!biba_effective_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the Biba label on a pipe to be EQUAL, the
 		 * subject must have appropriate privilege.
 		 */
 		if (biba_contains_equal(new)) {
 			error = biba_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 	}
 
 	return (0);
 }
 
 static int
 biba_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_pipe_check_write(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 biba_pipe_create(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(pplabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_pipe_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, struct label *newlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(newlabel);
 	dest = SLOT(pplabel);
 
 	biba_copy(source, dest);
 }
 
 static int
 biba_posixsem_check_openunlink(struct ucred *cred, struct ksem *ks,
     struct label *kslabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(kslabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
     struct label *kslabel, mode_t mode)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(kslabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
     struct label *kslabel, uid_t uid, gid_t gid)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(kslabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(kslabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_posixsem_check_rdonly(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(kslabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 biba_posixsem_create(struct ucred *cred, struct ksem *ks,
     struct label *kslabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(kslabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static int
 biba_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, int prot, int flags)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
 		if (!biba_dominate_effective(obj, subj))
 			return (EACCES);
 	}
 	if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
 		if (!biba_dominate_effective(subj, obj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 biba_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, accmode_t accmode)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
 		if (!biba_dominate_effective(obj, subj))
 			return (EACCES);
 	}
 	if (accmode & VMODIFY_PERMS) {
 		if (!biba_dominate_effective(subj, obj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 biba_posixshm_check_read(struct ucred *active_cred, struct ucred *file_cred,
     struct shmfd *vp, struct label *shmlabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, mode_t mode)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, uid_t uid, gid_t gid)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
     struct shmfd *shmfd, struct label *shmlabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_posixshm_check_truncate(struct ucred *active_cred,
     struct ucred *file_cred, struct shmfd *shmfd, struct label *shmlabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
     
 	return (0);
 }
 
 static int
 biba_posixshm_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct shmfd *vp, struct label *shmlabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 biba_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(shmlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 /*
  * Some system privileges are allowed regardless of integrity grade; others
  * are allowed only when running with privilege with respect to the Biba
  * policy as they might otherwise allow bypassing of the integrity policy.
  */
 static int
 biba_priv_check(struct ucred *cred, int priv)
 {
 	struct mac_biba *subj;
 	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	/*
 	 * Exempt only specific privileges from the Biba integrity policy.
 	 */
 	switch (priv) {
 	case PRIV_KTRACE:
 	case PRIV_MSGBUF:
 
 	/*
 	 * Allow processes to manipulate basic process audit properties, and
 	 * to submit audit records.
 	 */
 	case PRIV_AUDIT_GETAUDIT:
 	case PRIV_AUDIT_SETAUDIT:
 	case PRIV_AUDIT_SUBMIT:
 
 	/*
 	 * Allow processes to manipulate their regular UNIX credentials.
 	 */
 	case PRIV_CRED_SETUID:
 	case PRIV_CRED_SETEUID:
 	case PRIV_CRED_SETGID:
 	case PRIV_CRED_SETEGID:
 	case PRIV_CRED_SETGROUPS:
 	case PRIV_CRED_SETREUID:
 	case PRIV_CRED_SETREGID:
 	case PRIV_CRED_SETRESUID:
 	case PRIV_CRED_SETRESGID:
 
 	/*
 	 * Allow processes to perform system monitoring.
 	 */
 	case PRIV_SEEOTHERGIDS:
 	case PRIV_SEEOTHERUIDS:
 	case PRIV_SEEJAILPROC:
 		break;
 
 	/*
 	 * Allow access to general process debugging facilities.  We
 	 * separately control debugging based on MAC label.
 	 */
 	case PRIV_DEBUG_DIFFCRED:
 	case PRIV_DEBUG_SUGID:
 	case PRIV_DEBUG_UNPRIV:
 
 	/*
 	 * Allow manipulating jails.
 	 */
 	case PRIV_JAIL_ATTACH:
 
 	/*
 	 * Allow privilege with respect to the Partition policy, but not the
 	 * Privs policy.
 	 */
 	case PRIV_MAC_PARTITION:
 
 	/*
 	 * Allow privilege with respect to process resource limits and login
 	 * context.
 	 */
 	case PRIV_PROC_LIMIT:
 	case PRIV_PROC_SETLOGIN:
 	case PRIV_PROC_SETRLIMIT:
 
 	/*
 	 * Allow System V and POSIX IPC privileges.
 	 */
 	case PRIV_IPC_READ:
 	case PRIV_IPC_WRITE:
 	case PRIV_IPC_ADMIN:
 	case PRIV_IPC_MSGSIZE:
 	case PRIV_MQ_ADMIN:
 
 	/*
 	 * Allow certain scheduler manipulations -- possibly this should be
 	 * controlled by more fine-grained policy, as potentially low
 	 * integrity processes can deny CPU to higher integrity ones.
 	 */
 	case PRIV_SCHED_DIFFCRED:
 	case PRIV_SCHED_SETPRIORITY:
 	case PRIV_SCHED_RTPRIO:
 	case PRIV_SCHED_SETPOLICY:
 	case PRIV_SCHED_SET:
 	case PRIV_SCHED_SETPARAM:
 	case PRIV_SCHED_IDPRIO:
 
 	/*
 	 * More IPC privileges.
 	 */
 	case PRIV_SEM_WRITE:
 
 	/*
 	 * Allow signaling privileges subject to integrity policy.
 	 */
 	case PRIV_SIGNAL_DIFFCRED:
 	case PRIV_SIGNAL_SUGID:
 
 	/*
 	 * Allow access to only limited sysctls from lower integrity levels;
 	 * piggy-back on the Jail definition.
 	 */
 	case PRIV_SYSCTL_WRITEJAIL:
 
 	/*
 	 * Allow TTY-based privileges, subject to general device access using
 	 * labels on TTY device nodes, but not console privilege.
 	 */
 	case PRIV_TTY_DRAINWAIT:
 	case PRIV_TTY_DTRWAIT:
 	case PRIV_TTY_EXCLUSIVE:
 	case PRIV_TTY_STI:
 	case PRIV_TTY_SETA:
 
 	/*
 	 * Grant most VFS privileges, as almost all are in practice bounded
 	 * by more specific checks using labels.
 	 */
 	case PRIV_VFS_READ:
 	case PRIV_VFS_WRITE:
 	case PRIV_VFS_ADMIN:
 	case PRIV_VFS_EXEC:
 	case PRIV_VFS_LOOKUP:
 	case PRIV_VFS_CHFLAGS_DEV:
 	case PRIV_VFS_CHOWN:
 	case PRIV_VFS_CHROOT:
 	case PRIV_VFS_RETAINSUGID:
 	case PRIV_VFS_EXCEEDQUOTA:
 	case PRIV_VFS_FCHROOT:
 	case PRIV_VFS_FHOPEN:
 	case PRIV_VFS_FHSTATFS:
 	case PRIV_VFS_GENERATION:
 	case PRIV_VFS_GETFH:
 	case PRIV_VFS_GETQUOTA:
 	case PRIV_VFS_LINK:
 	case PRIV_VFS_MOUNT:
 	case PRIV_VFS_MOUNT_OWNER:
 	case PRIV_VFS_MOUNT_PERM:
 	case PRIV_VFS_MOUNT_SUIDDIR:
 	case PRIV_VFS_MOUNT_NONUSER:
 	case PRIV_VFS_SETGID:
 	case PRIV_VFS_STICKYFILE:
 	case PRIV_VFS_SYSFLAGS:
 	case PRIV_VFS_UNMOUNT:
 
 	/*
 	 * Allow VM privileges; it would be nice if these were subject to
 	 * resource limits.
 	 */
 	case PRIV_VM_MADV_PROTECT:
 	case PRIV_VM_MLOCK:
 	case PRIV_VM_MUNLOCK:
 	case PRIV_VM_SWAP_NOQUOTA:
 	case PRIV_VM_SWAP_NORLIMIT:
 
 	/*
 	 * Allow some but not all network privileges.  In general, dont allow
 	 * reconfiguring the network stack, just normal use.
 	 */
 	case PRIV_NETINET_RESERVEDPORT:
 	case PRIV_NETINET_RAW:
 	case PRIV_NETINET_REUSEPORT:
 		break;
 
 	/*
 	 * All remaining system privileges are allow only if the process
 	 * holds privilege with respect to the Biba policy.
 	 */
 	default:
 		subj = SLOT(cred->cr_label);
 		error = biba_subject_privileged(subj);
 		if (error)
 			return (error);
 	}
 	return (0);
 }
 
 static int
 biba_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(p->p_ucred->cr_label);
 
 	/* XXX: range checks */
 	if (!biba_dominate_effective(obj, subj))
 		return (ESRCH);
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(p->p_ucred->cr_label);
 
 	/* XXX: range checks */
 	if (!biba_dominate_effective(obj, subj))
 		return (ESRCH);
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(p->p_ucred->cr_label);
 
 	/* XXX: range checks */
 	if (!biba_dominate_effective(obj, subj))
 		return (ESRCH);
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_socket_check_deliver(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *p, *s;
 	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	p = SLOT(mlabel);
 	s = SLOT(solabel);
 
 	SOCK_LOCK(so);
 	error = biba_equal_effective(p, s) ? 0 : EACCES;
 	SOCK_UNLOCK(so);
 	return (error);
 }
 
 static int
 biba_socket_check_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
 	struct mac_biba *subj, *obj, *new;
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
 	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(solabel);
 
 	/*
 	 * If there is a Biba label update for the socket, it may be an
 	 * update of effective.
 	 */
 	error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
 	if (error)
 		return (error);
 
 	/*
 	 * To relabel a socket, the old socket effective must be in the
 	 * subject range.
 	 */
 	if (!biba_effective_in_range(obj, subj))
 		return (EPERM);
 
 	/*
 	 * If the Biba label is to be changed, authorize as appropriate.
 	 */
 	if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
 		/*
 		 * To relabel a socket, the new socket effective must be in
 		 * the subject range.
 		 */
 		if (!biba_effective_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the Biba label on the socket to contain EQUAL,
 		 * the subject must have appropriate privilege.
 		 */
 		if (biba_contains_equal(new)) {
 			error = biba_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 	}
 
 	return (0);
 }
 
 static int
 biba_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(solabel);
 
 	SOCK_LOCK(so);
 	if (!biba_dominate_effective(obj, subj)) {
 		SOCK_UNLOCK(so);
 		return (ENOENT);
 	}
 	SOCK_UNLOCK(so);
 
 	return (0);
 }
 
 static void
 biba_socket_create(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(solabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_socket_create_mbuf(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(solabel);
 	dest = SLOT(mlabel);
 
 	SOCK_LOCK(so);
 	biba_copy_effective(source, dest);
 	SOCK_UNLOCK(so);
 }
 
 static void
 biba_socket_newconn(struct socket *oldso, struct label *oldsolabel,
     struct socket *newso, struct label *newsolabel)
 {
 	struct mac_biba source, *dest;
 
 	SOCK_LOCK(oldso);
 	source = *SLOT(oldsolabel);
 	SOCK_UNLOCK(oldso);
 
 	dest = SLOT(newsolabel);
 
 	SOCK_LOCK(newso);
 	biba_copy_effective(&source, dest);
 	SOCK_UNLOCK(newso);
 }
 
 static void
 biba_socket_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
 	struct mac_biba *source, *dest;
 
 	SOCK_LOCK_ASSERT(so);
 
 	source = SLOT(newlabel);
 	dest = SLOT(solabel);
 
 	biba_copy(source, dest);
 }
 
 static void
 biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
     struct socket *so, struct label *sopeerlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(mlabel);
 	dest = SLOT(sopeerlabel);
 
 	SOCK_LOCK(so);
 	biba_copy_effective(source, dest);
 	SOCK_UNLOCK(so);
 }
 
 static void
 biba_socketpeer_set_from_socket(struct socket *oldso,
     struct label *oldsolabel, struct socket *newso,
     struct label *newsopeerlabel)
 {
 	struct mac_biba source, *dest;
 
 	SOCK_LOCK(oldso);
 	source = *SLOT(oldsolabel);
 	SOCK_UNLOCK(oldso);
 	dest = SLOT(newsopeerlabel);
 
 	SOCK_LOCK(newso);
 	biba_copy_effective(&source, dest);
 	SOCK_UNLOCK(newso);
 }
 
 static void
 biba_syncache_create(struct label *label, struct inpcb *inp)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(inp->inp_label);
 	dest = SLOT(label);
 	biba_copy_effective(source, dest);
 }
 
 static void
 biba_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
     struct label *mlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(sc_label);
 	dest = SLOT(mlabel);
 	biba_copy_effective(source, dest);
 }
 
 static int
 biba_system_check_acct(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
 	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 
 	error = biba_subject_privileged(subj);
 	if (error)
 		return (error);
 
 	if (vplabel == NULL)
 		return (0);
 
 	obj = SLOT(vplabel);
 	if (!biba_high_effective(obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_system_check_auditctl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
 	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 
 	error = biba_subject_privileged(subj);
 	if (error)
 		return (error);
 
 	if (vplabel == NULL)
 		return (0);
 
 	obj = SLOT(vplabel);
 	if (!biba_high_effective(obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_system_check_auditon(struct ucred *cred, int cmd)
 {
 	struct mac_biba *subj;
 	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 
 	error = biba_subject_privileged(subj);
 	if (error)
 		return (error);
 
 	return (0);
 }
 
 static int
 biba_system_check_swapoff(struct ucred *cred, struct vnode *vp,
     struct label *label)
 {
 	struct mac_biba *subj;
 	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 
 	error = biba_subject_privileged(subj);
 	if (error)
 		return (error);
 
 	return (0);
 }
 
 static int
 biba_system_check_swapon(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
 	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	error = biba_subject_privileged(subj);
 	if (error)
 		return (error);
 
 	if (!biba_high_effective(obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
     void *arg1, int arg2, struct sysctl_req *req)
 {
 	struct mac_biba *subj;
 	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 
 	/*
 	 * Treat sysctl variables without CTLFLAG_ANYBODY flag as biba/high,
 	 * but also require privilege to change them.
 	 */
 	if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) {
 		if (!biba_subject_dominate_high(subj))
 			return (EACCES);
 
 		error = biba_subject_privileged(subj);
 		if (error)
 			return (error);
 	}
 
 	return (0);
 }
 
 static void
 biba_sysvmsg_cleanup(struct label *msglabel)
 {
 
 	bzero(SLOT(msglabel), sizeof(struct mac_biba));
 }
 
 static void
 biba_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
 {
 	struct mac_biba *source, *dest;
 
 	/* Ignore the msgq label */
 	source = SLOT(cred->cr_label);
 	dest = SLOT(msglabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static int
 biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msglabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msglabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqklabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msqklabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqklabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msqklabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqklabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msqklabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqklabel, int cmd)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msqklabel);
 
 	switch(cmd) {
 	case IPC_RMID:
 	case IPC_SET:
 		if (!biba_dominate_effective(subj, obj))
 			return (EACCES);
 		break;
 
 	case IPC_STAT:
 		if (!biba_dominate_effective(obj, subj))
 			return (EACCES);
 		break;
 
 	default:
 		return (EACCES);
 	}
 
 	return (0);
 }
 
 static void
 biba_sysvmsq_cleanup(struct label *msqlabel)
 {
 
 	bzero(SLOT(msqlabel), sizeof(struct mac_biba));
 }
 
 static void
 biba_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(msqlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static int
 biba_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semaklabel, int cmd)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(semaklabel);
 
 	switch(cmd) {
 	case IPC_RMID:
 	case IPC_SET:
 	case SETVAL:
 	case SETALL:
 		if (!biba_dominate_effective(subj, obj))
 			return (EACCES);
 		break;
 
 	case IPC_STAT:
 	case GETVAL:
 	case GETPID:
 	case GETNCNT:
 	case GETZCNT:
 	case GETALL:
 		if (!biba_dominate_effective(obj, subj))
 			return (EACCES);
 		break;
 
 	default:
 		return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 biba_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semaklabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(semaklabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semaklabel, size_t accesstype)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(semaklabel);
 
 	if (accesstype & SEM_R)
 		if (!biba_dominate_effective(obj, subj))
 			return (EACCES);
 
 	if (accesstype & SEM_A)
 		if (!biba_dominate_effective(subj, obj))
 			return (EACCES);
 
 	return (0);
 }
 
 static void
 biba_sysvsem_cleanup(struct label *semalabel)
 {
 
 	bzero(SLOT(semalabel), sizeof(struct mac_biba));
 }
 
 static void
 biba_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semalabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(semalabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static int
 biba_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmseglabel, int shmflg)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmseglabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 	if ((shmflg & SHM_RDONLY) == 0) {
 		if (!biba_dominate_effective(subj, obj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 biba_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmseglabel, int cmd)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmseglabel);
 
 	switch(cmd) {
 	case IPC_RMID:
 	case IPC_SET:
 		if (!biba_dominate_effective(subj, obj))
 			return (EACCES);
 		break;
 
 	case IPC_STAT:
 	case SHM_STAT:
 		if (!biba_dominate_effective(obj, subj))
 			return (EACCES);
 		break;
 
 	default:
 		return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 biba_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmseglabel, int shmflg)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmseglabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 biba_sysvshm_cleanup(struct label *shmlabel)
 {
 
 	bzero(SLOT(shmlabel), sizeof(struct mac_biba));
 }
 
 static void
 biba_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(shmlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static int
 biba_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_biba mb_temp, *source, *dest;
 	int buflen, error;
 
 	source = SLOT(mplabel);
 	dest = SLOT(vplabel);
 
 	buflen = sizeof(mb_temp);
 	bzero(&mb_temp, buflen);
 
 	error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
 	    MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &mb_temp, curthread);
 	if (error == ENOATTR || error == EOPNOTSUPP) {
 		/* Fall back to the mntlabel. */
 		biba_copy_effective(source, dest);
 		return (0);
 	} else if (error)
 		return (error);
 
 	if (buflen != sizeof(mb_temp)) {
 		printf("biba_vnode_associate_extattr: bad size %d\n",
 		    buflen);
 		return (EPERM);
 	}
 	if (biba_valid(&mb_temp) != 0) {
 		printf("biba_vnode_associate_extattr: invalid\n");
 		return (EPERM);
 	}
 	if ((mb_temp.mb_flags & MAC_BIBA_FLAGS_BOTH) !=
 	    MAC_BIBA_FLAG_EFFECTIVE) {
 		printf("biba_vnode_associate_extattr: not effective\n");
 		return (EPERM);
 	}
 
 	biba_copy_effective(&mb_temp, dest);
 	return (0);
 }
 
 static void
 biba_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(mplabel);
 	dest = SLOT(vplabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static int
 biba_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_create(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_exec(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct image_params *imgp,
     struct label *execlabel)
 {
 	struct mac_biba *subj, *obj, *exec;
 	int error;
 
 	if (execlabel != NULL) {
 		/*
 		 * We currently don't permit labels to be changed at
 		 * exec-time as part of Biba, so disallow non-NULL Biba label
 		 * elements in the execlabel.
 		 */
 		exec = SLOT(execlabel);
 		error = biba_atmostflags(exec, 0);
 		if (error)
 			return (error);
 	}
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_link(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int prot, int flags)
 {
 	struct mac_biba *subj, *obj;
 
 	/*
 	 * Rely on the use of open()-time protections to handle
 	 * non-revocation cases.
 	 */
 	if (!biba_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
 		if (!biba_dominate_effective(obj, subj))
 			return (EACCES);
 	}
 	if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
 		if (!biba_dominate_effective(subj, obj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 biba_vnode_check_open(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, accmode_t accmode)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	/* XXX privilege override for admin? */
 	if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
 		if (!biba_dominate_effective(obj, subj))
 			return (EACCES);
 	}
 	if (accmode & VMODIFY_PERMS) {
 		if (!biba_dominate_effective(subj, obj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 biba_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *newlabel)
 {
 	struct mac_biba *old, *new, *subj;
 	int error;
 
 	old = SLOT(vplabel);
 	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
 
 	/*
 	 * If there is a Biba label update for the vnode, it must be a
 	 * effective label.
 	 */
 	error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
 	if (error)
 		return (error);
 
 	/*
 	 * To perform a relabel of the vnode (Biba label or not), Biba must
 	 * authorize the relabel.
 	 */
 	if (!biba_effective_in_range(old, subj))
 		return (EPERM);
 
 	/*
 	 * If the Biba label is to be changed, authorize as appropriate.
 	 */
 	if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
 		/*
 		 * To change the Biba label on a vnode, the new vnode label
 		 * must be in the subject range.
 		 */
 		if (!biba_effective_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the Biba label on the vnode to be EQUAL, the
 		 * subject must have appropriate privilege.
 		 */
 		if (biba_contains_equal(new)) {
 			error = biba_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 	}
 
 	return (0);
 }
 
 static int
 biba_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     int samedir, struct componentname *cnp)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	if (vp != NULL) {
 		obj = SLOT(vplabel);
 
 		if (!biba_dominate_effective(subj, obj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 biba_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type, struct acl *acl)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	/* XXX: protect the MAC EA in a special way? */
 
 	return (0);
 }
 
 static int
 biba_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, u_long flags)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, mode_t mode)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, uid_t uid, gid_t gid)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct timespec atime, struct timespec mtime)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_check_write(struct ucred *active_cred,
     struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 biba_vnode_create_extattr(struct ucred *cred, struct mount *mp,
     struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
     struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
 	struct mac_biba *source, *dest, mb_temp;
 	size_t buflen;
 	int error;
 
 	buflen = sizeof(mb_temp);
 	bzero(&mb_temp, buflen);
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(vplabel);
 	biba_copy_effective(source, &mb_temp);
 
 	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
 	    MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread);
 	if (error == 0)
 		biba_copy_effective(source, dest);
 	return (error);
 }
 
 static void
 biba_vnode_relabel(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *newlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(newlabel);
 	dest = SLOT(vplabel);
 
 	biba_copy(source, dest);
 }
 
 static int
 biba_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *intlabel)
 {
 	struct mac_biba *source, mb_temp;
 	size_t buflen;
 	int error;
 
 	buflen = sizeof(mb_temp);
 	bzero(&mb_temp, buflen);
 
 	source = SLOT(intlabel);
 	if ((source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) == 0)
 		return (0);
 
 	biba_copy_effective(source, &mb_temp);
 
 	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
 	    MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread);
 	return (error);
 }
 
 static struct mac_policy_ops mac_biba_ops =
 {
 	.mpo_init = biba_init,
 
 	.mpo_bpfdesc_check_receive = biba_bpfdesc_check_receive,
 	.mpo_bpfdesc_create = biba_bpfdesc_create,
 	.mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf,
 	.mpo_bpfdesc_destroy_label = biba_destroy_label,
 	.mpo_bpfdesc_init_label = biba_init_label,
 
 	.mpo_cred_associate_nfsd = biba_cred_associate_nfsd,
 	.mpo_cred_check_relabel = biba_cred_check_relabel,
 	.mpo_cred_check_visible = biba_cred_check_visible,
 	.mpo_cred_copy_label = biba_copy_label,
 	.mpo_cred_create_init = biba_cred_create_init,
 	.mpo_cred_create_swapper = biba_cred_create_swapper,
 	.mpo_cred_destroy_label = biba_destroy_label,
 	.mpo_cred_externalize_label = biba_externalize_label,
 	.mpo_cred_init_label = biba_init_label,
 	.mpo_cred_internalize_label = biba_internalize_label,
 	.mpo_cred_relabel = biba_cred_relabel,
 
 	.mpo_devfs_create_device = biba_devfs_create_device,
 	.mpo_devfs_create_directory = biba_devfs_create_directory,
 	.mpo_devfs_create_symlink = biba_devfs_create_symlink,
 	.mpo_devfs_destroy_label = biba_destroy_label,
 	.mpo_devfs_init_label = biba_init_label,
 	.mpo_devfs_update = biba_devfs_update,
 	.mpo_devfs_vnode_associate = biba_devfs_vnode_associate,
 
 	.mpo_ifnet_check_relabel = biba_ifnet_check_relabel,
 	.mpo_ifnet_check_transmit = biba_ifnet_check_transmit,
 	.mpo_ifnet_copy_label = biba_copy_label,
 	.mpo_ifnet_create = biba_ifnet_create,
 	.mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf,
 	.mpo_ifnet_destroy_label = biba_destroy_label,
 	.mpo_ifnet_externalize_label = biba_externalize_label,
 	.mpo_ifnet_init_label = biba_init_label,
 	.mpo_ifnet_internalize_label = biba_internalize_label,
 	.mpo_ifnet_relabel = biba_ifnet_relabel,
 
 	.mpo_inpcb_check_deliver = biba_inpcb_check_deliver,
 	.mpo_inpcb_check_visible = biba_inpcb_check_visible,
 	.mpo_inpcb_create = biba_inpcb_create,
 	.mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf,
 	.mpo_inpcb_destroy_label = biba_destroy_label,
 	.mpo_inpcb_init_label = biba_init_label_waitcheck,
 	.mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel,
 
 	.mpo_ip6q_create = biba_ip6q_create,
 	.mpo_ip6q_destroy_label = biba_destroy_label,
 	.mpo_ip6q_init_label = biba_init_label_waitcheck,
 	.mpo_ip6q_match = biba_ip6q_match,
 	.mpo_ip6q_reassemble = biba_ip6q_reassemble,
 	.mpo_ip6q_update = biba_ip6q_update,
 
 	.mpo_ipq_create = biba_ipq_create,
 	.mpo_ipq_destroy_label = biba_destroy_label,
 	.mpo_ipq_init_label = biba_init_label_waitcheck,
 	.mpo_ipq_match = biba_ipq_match,
 	.mpo_ipq_reassemble = biba_ipq_reassemble,
 	.mpo_ipq_update = biba_ipq_update,
 
 	.mpo_kld_check_load = biba_kld_check_load,
 
 	.mpo_mbuf_copy_label = biba_copy_label,
 	.mpo_mbuf_destroy_label = biba_destroy_label,
 	.mpo_mbuf_init_label = biba_init_label_waitcheck,
 
 	.mpo_mount_check_stat = biba_mount_check_stat,
 	.mpo_mount_create = biba_mount_create,
 	.mpo_mount_destroy_label = biba_destroy_label,
 	.mpo_mount_init_label = biba_init_label,
 
 	.mpo_netinet_arp_send = biba_netinet_arp_send,
 	.mpo_netinet_firewall_reply = biba_netinet_firewall_reply,
 	.mpo_netinet_firewall_send = biba_netinet_firewall_send,
 	.mpo_netinet_fragment = biba_netinet_fragment,
 	.mpo_netinet_icmp_reply = biba_netinet_icmp_reply,
 	.mpo_netinet_igmp_send = biba_netinet_igmp_send,
 
 	.mpo_netinet6_nd6_send = biba_netinet6_nd6_send,
 
 	.mpo_pipe_check_ioctl = biba_pipe_check_ioctl,
 	.mpo_pipe_check_poll = biba_pipe_check_poll,
 	.mpo_pipe_check_read = biba_pipe_check_read,
 	.mpo_pipe_check_relabel = biba_pipe_check_relabel,
 	.mpo_pipe_check_stat = biba_pipe_check_stat,
 	.mpo_pipe_check_write = biba_pipe_check_write,
 	.mpo_pipe_copy_label = biba_copy_label,
 	.mpo_pipe_create = biba_pipe_create,
 	.mpo_pipe_destroy_label = biba_destroy_label,
 	.mpo_pipe_externalize_label = biba_externalize_label,
 	.mpo_pipe_init_label = biba_init_label,
 	.mpo_pipe_internalize_label = biba_internalize_label,
 	.mpo_pipe_relabel = biba_pipe_relabel,
 
 	.mpo_posixsem_check_getvalue = biba_posixsem_check_rdonly,
 	.mpo_posixsem_check_open = biba_posixsem_check_openunlink,
 	.mpo_posixsem_check_post = biba_posixsem_check_write,
 	.mpo_posixsem_check_setmode = biba_posixsem_check_setmode,
 	.mpo_posixsem_check_setowner = biba_posixsem_check_setowner,
 	.mpo_posixsem_check_stat = biba_posixsem_check_rdonly,
 	.mpo_posixsem_check_unlink = biba_posixsem_check_openunlink,
 	.mpo_posixsem_check_wait = biba_posixsem_check_write,
 	.mpo_posixsem_create = biba_posixsem_create,
 	.mpo_posixsem_destroy_label = biba_destroy_label,
 	.mpo_posixsem_init_label = biba_init_label,
 
 	.mpo_posixshm_check_mmap = biba_posixshm_check_mmap,
 	.mpo_posixshm_check_open = biba_posixshm_check_open,
 	.mpo_posixshm_check_read = biba_posixshm_check_read,
 	.mpo_posixshm_check_setmode = biba_posixshm_check_setmode,
 	.mpo_posixshm_check_setowner = biba_posixshm_check_setowner,
 	.mpo_posixshm_check_stat = biba_posixshm_check_stat,
 	.mpo_posixshm_check_truncate = biba_posixshm_check_truncate,
 	.mpo_posixshm_check_unlink = biba_posixshm_check_unlink,
 	.mpo_posixshm_check_write = biba_posixshm_check_write,
 	.mpo_posixshm_create = biba_posixshm_create,
 	.mpo_posixshm_destroy_label = biba_destroy_label,
 	.mpo_posixshm_init_label = biba_init_label,
 
 	.mpo_priv_check = biba_priv_check,
 
 	.mpo_proc_check_debug = biba_proc_check_debug,
 	.mpo_proc_check_sched = biba_proc_check_sched,
 	.mpo_proc_check_signal = biba_proc_check_signal,
 
 	.mpo_socket_check_deliver = biba_socket_check_deliver,
 	.mpo_socket_check_relabel = biba_socket_check_relabel,
 	.mpo_socket_check_visible = biba_socket_check_visible,
 	.mpo_socket_copy_label = biba_copy_label,
 	.mpo_socket_create = biba_socket_create,
 	.mpo_socket_create_mbuf = biba_socket_create_mbuf,
 	.mpo_socket_destroy_label = biba_destroy_label,
 	.mpo_socket_externalize_label = biba_externalize_label,
 	.mpo_socket_init_label = biba_init_label_waitcheck,
 	.mpo_socket_internalize_label = biba_internalize_label,
 	.mpo_socket_newconn = biba_socket_newconn,
 	.mpo_socket_relabel = biba_socket_relabel,
 
 	.mpo_socketpeer_destroy_label = biba_destroy_label,
 	.mpo_socketpeer_externalize_label = biba_externalize_label,
 	.mpo_socketpeer_init_label = biba_init_label_waitcheck,
 	.mpo_socketpeer_set_from_mbuf = biba_socketpeer_set_from_mbuf,
 	.mpo_socketpeer_set_from_socket = biba_socketpeer_set_from_socket,
 
 	.mpo_syncache_create = biba_syncache_create,
 	.mpo_syncache_create_mbuf = biba_syncache_create_mbuf,
 	.mpo_syncache_destroy_label = biba_destroy_label,
 	.mpo_syncache_init_label = biba_init_label_waitcheck,
 
 	.mpo_system_check_acct = biba_system_check_acct,
 	.mpo_system_check_auditctl = biba_system_check_auditctl,
 	.mpo_system_check_auditon = biba_system_check_auditon,
 	.mpo_system_check_swapoff = biba_system_check_swapoff,
 	.mpo_system_check_swapon = biba_system_check_swapon,
 	.mpo_system_check_sysctl = biba_system_check_sysctl,
 
 	.mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup,
 	.mpo_sysvmsg_create = biba_sysvmsg_create,
 	.mpo_sysvmsg_destroy_label = biba_destroy_label,
 	.mpo_sysvmsg_init_label = biba_init_label,
 
 	.mpo_sysvmsq_check_msgrcv = biba_sysvmsq_check_msgrcv,
 	.mpo_sysvmsq_check_msgrmid = biba_sysvmsq_check_msgrmid,
 	.mpo_sysvmsq_check_msqget = biba_sysvmsq_check_msqget,
 	.mpo_sysvmsq_check_msqsnd = biba_sysvmsq_check_msqsnd,
 	.mpo_sysvmsq_check_msqrcv = biba_sysvmsq_check_msqrcv,
 	.mpo_sysvmsq_check_msqctl = biba_sysvmsq_check_msqctl,
 	.mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup,
 	.mpo_sysvmsq_create = biba_sysvmsq_create,
 	.mpo_sysvmsq_destroy_label = biba_destroy_label,
 	.mpo_sysvmsq_init_label = biba_init_label,
 
 	.mpo_sysvsem_check_semctl = biba_sysvsem_check_semctl,
 	.mpo_sysvsem_check_semget = biba_sysvsem_check_semget,
 	.mpo_sysvsem_check_semop = biba_sysvsem_check_semop,
 	.mpo_sysvsem_cleanup = biba_sysvsem_cleanup,
 	.mpo_sysvsem_create = biba_sysvsem_create,
 	.mpo_sysvsem_destroy_label = biba_destroy_label,
 	.mpo_sysvsem_init_label = biba_init_label,
 
 	.mpo_sysvshm_check_shmat = biba_sysvshm_check_shmat,
 	.mpo_sysvshm_check_shmctl = biba_sysvshm_check_shmctl,
 	.mpo_sysvshm_check_shmget = biba_sysvshm_check_shmget,
 	.mpo_sysvshm_cleanup = biba_sysvshm_cleanup,
 	.mpo_sysvshm_create = biba_sysvshm_create,
 	.mpo_sysvshm_destroy_label = biba_destroy_label,
 	.mpo_sysvshm_init_label = biba_init_label,
 
 	.mpo_vnode_associate_extattr = biba_vnode_associate_extattr,
 	.mpo_vnode_associate_singlelabel = biba_vnode_associate_singlelabel,
 	.mpo_vnode_check_access = biba_vnode_check_open,
 	.mpo_vnode_check_chdir = biba_vnode_check_chdir,
 	.mpo_vnode_check_chroot = biba_vnode_check_chroot,
 	.mpo_vnode_check_create = biba_vnode_check_create,
 	.mpo_vnode_check_deleteacl = biba_vnode_check_deleteacl,
 	.mpo_vnode_check_deleteextattr = biba_vnode_check_deleteextattr,
 	.mpo_vnode_check_exec = biba_vnode_check_exec,
 	.mpo_vnode_check_getacl = biba_vnode_check_getacl,
 	.mpo_vnode_check_getextattr = biba_vnode_check_getextattr,
 	.mpo_vnode_check_link = biba_vnode_check_link,
 	.mpo_vnode_check_listextattr = biba_vnode_check_listextattr,
 	.mpo_vnode_check_lookup = biba_vnode_check_lookup,
 	.mpo_vnode_check_mmap = biba_vnode_check_mmap,
 	.mpo_vnode_check_open = biba_vnode_check_open,
 	.mpo_vnode_check_poll = biba_vnode_check_poll,
 	.mpo_vnode_check_read = biba_vnode_check_read,
 	.mpo_vnode_check_readdir = biba_vnode_check_readdir,
 	.mpo_vnode_check_readlink = biba_vnode_check_readlink,
 	.mpo_vnode_check_relabel = biba_vnode_check_relabel,
 	.mpo_vnode_check_rename_from = biba_vnode_check_rename_from,
 	.mpo_vnode_check_rename_to = biba_vnode_check_rename_to,
 	.mpo_vnode_check_revoke = biba_vnode_check_revoke,
 	.mpo_vnode_check_setacl = biba_vnode_check_setacl,
 	.mpo_vnode_check_setextattr = biba_vnode_check_setextattr,
 	.mpo_vnode_check_setflags = biba_vnode_check_setflags,
 	.mpo_vnode_check_setmode = biba_vnode_check_setmode,
 	.mpo_vnode_check_setowner = biba_vnode_check_setowner,
 	.mpo_vnode_check_setutimes = biba_vnode_check_setutimes,
 	.mpo_vnode_check_stat = biba_vnode_check_stat,
 	.mpo_vnode_check_unlink = biba_vnode_check_unlink,
 	.mpo_vnode_check_write = biba_vnode_check_write,
 	.mpo_vnode_create_extattr = biba_vnode_create_extattr,
 	.mpo_vnode_copy_label = biba_copy_label,
 	.mpo_vnode_destroy_label = biba_destroy_label,
 	.mpo_vnode_externalize_label = biba_externalize_label,
 	.mpo_vnode_init_label = biba_init_label,
 	.mpo_vnode_internalize_label = biba_internalize_label,
 	.mpo_vnode_relabel = biba_vnode_relabel,
 	.mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr,
 };
 
 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
     MPC_LOADTIME_FLAG_NOTLATE, &biba_slot);
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index 95efc537735a..8a6549214380 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -1,523 +1,521 @@
 /*-
  * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005 Tom Rhodes
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  * It was later enhanced by Tom Rhodes for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by Network
  * Associates Laboratories, the Security Research Division of Network
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 /*
  * Developed by the TrustedBSD Project.
  *
  * "BSD Extended" MAC policy, allowing the administrator to impose mandatory
  * firewall-like rules regarding users and file system objects.
  */
 
 #include <sys/param.h>
 #include <sys/acl.h>
 #include <sys/kernel.h>
 #include <sys/jail.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
 #include <sys/module.h>
 #include <sys/mount.h>
 #include <sys/mutex.h>
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/systm.h>
 #include <sys/vnode.h>
 #include <sys/sysctl.h>
 #include <sys/syslog.h>
 #include <sys/stat.h>
 
 #include <security/mac/mac_policy.h>
 #include <security/mac_bsdextended/mac_bsdextended.h>
 #include <security/mac_bsdextended/ugidfw_internal.h>
 
 static struct mtx ugidfw_mtx;
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "TrustedBSD extended BSD MAC policy controls");
 
 static int	ugidfw_enabled = 1;
 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RWTUN,
     &ugidfw_enabled, 0, "Enforce extended BSD policy");
 
 static MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended",
     "BSD Extended MAC rule");
 
 #define	MAC_BSDEXTENDED_MAXRULES	250
 static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
 static int rule_count = 0;
 static int rule_slots = 0;
 static int rule_version = MB_VERSION;
 
 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
     &rule_count, 0, "Number of defined rules");
 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
     &rule_slots, 0, "Number of used rule slots");
 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD,
     &rule_version, 0, "Version number for API");
 
 /*
  * This is just used for logging purposes, eventually we would like to log
  * much more then failed requests.
  */
 static int ugidfw_logging;
 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW,
     &ugidfw_logging, 0, "Log failed authorization requests");
 
 /*
  * This tunable is here for compatibility.  It will allow the user to switch
  * between the new mode (first rule matches) and the old functionality (all
  * rules match).
  */
 static int ugidfw_firstmatch_enabled;
 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
     CTLFLAG_RW, &ugidfw_firstmatch_enabled, 1,
     "Disable/enable match first rule functionality");
 
 static int
 ugidfw_rule_valid(struct mac_bsdextended_rule *rule)
 {
 
 	if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
 		return (EINVAL);
 	if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
 		return (EINVAL);
 	if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
 		return (EINVAL);
 	if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
 		return (EINVAL);
 	if (((rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) != 0) &&
 	    (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE)
 		return (EINVAL);
 	if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM)
 		return (EINVAL);
 	return (0);
 }
 
 static int
 sysctl_rule(SYSCTL_HANDLER_ARGS)
 {
 	struct mac_bsdextended_rule temprule, *ruleptr;
 	u_int namelen;
 	int error, index, *name;
 
 	error = 0;
 	name = (int *)arg1;
 	namelen = arg2;
 	if (namelen != 1)
 		return (EINVAL);
 	index = name[0];
         if (index >= MAC_BSDEXTENDED_MAXRULES)
 		return (ENOENT);
 
 	ruleptr = NULL;
 	if (req->newptr && req->newlen != 0) {
 		error = SYSCTL_IN(req, &temprule, sizeof(temprule));
 		if (error)
 			return (error);
 		ruleptr = malloc(sizeof(*ruleptr), M_MACBSDEXTENDED,
 		    M_WAITOK | M_ZERO);
 	}
 
 	mtx_lock(&ugidfw_mtx);
 	if (req->oldptr) {
 		if (index < 0 || index > rule_slots + 1) {
 			error = ENOENT;
 			goto out;
 		}
 		if (rules[index] == NULL) {
 			error = ENOENT;
 			goto out;
 		}
 		temprule = *rules[index];
 	}
 	if (req->newptr && req->newlen == 0) {
 		KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
 		ruleptr = rules[index];
 		if (ruleptr == NULL) {
 			error = ENOENT;
 			goto out;
 		}
 		rule_count--;
 		rules[index] = NULL;
 	} else if (req->newptr) {
 		error = ugidfw_rule_valid(&temprule);
 		if (error)
 			goto out;
 		if (rules[index] == NULL) {
 			*ruleptr = temprule;
 			rules[index] = ruleptr;
 			ruleptr = NULL;
 			if (index + 1 > rule_slots)
 				rule_slots = index + 1;
 			rule_count++;
 		} else
 			*rules[index] = temprule;
 	}
 out:
 	mtx_unlock(&ugidfw_mtx);
 	if (ruleptr != NULL)
 		free(ruleptr, M_MACBSDEXTENDED);
 	if (req->oldptr && error == 0)
 		error = SYSCTL_OUT(req, &temprule, sizeof(temprule));
 	return (error);
 }
 
 static SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules,
     CTLFLAG_MPSAFE | CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules");
 
 static void
 ugidfw_init(struct mac_policy_conf *mpc)
 {
 
 	mtx_init(&ugidfw_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
 }
 
 static void
 ugidfw_destroy(struct mac_policy_conf *mpc)
 {
 	int i;
 
 	for (i = 0; i < MAC_BSDEXTENDED_MAXRULES; i++) {
 		if (rules[i] != NULL)
 			free(rules[i], M_MACBSDEXTENDED);
 	}
 	mtx_destroy(&ugidfw_mtx);
 }
 
 static int
 ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
     struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
 {
 	int mac_granted, match, priv_granted;
 	int i;
 
 	/*
 	 * Is there a subject match?
 	 */
 	mtx_assert(&ugidfw_mtx, MA_OWNED);
 	if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) {
 		match =  ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max &&
 		    cred->cr_uid >= rule->mbr_subject.mbs_uid_min) ||
 		    (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max &&
 		    cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) ||
 		    (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max &&
 		    cred->cr_svuid >= rule->mbr_subject.mbs_uid_min));
 		if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED)
 			match = !match;
 		if (!match)
 			return (0);
 	}
 
 	if (rule->mbr_subject.mbs_flags & MBS_GID_DEFINED) {
 		match = ((cred->cr_rgid <= rule->mbr_subject.mbs_gid_max &&
 		    cred->cr_rgid >= rule->mbr_subject.mbs_gid_min) ||
 		    (cred->cr_svgid <= rule->mbr_subject.mbs_gid_max &&
 		    cred->cr_svgid >= rule->mbr_subject.mbs_gid_min));
 		if (!match) {
 			for (i = 0; i < cred->cr_ngroups; i++) {
 				if (cred->cr_groups[i]
 				    <= rule->mbr_subject.mbs_gid_max &&
 				    cred->cr_groups[i]
 				    >= rule->mbr_subject.mbs_gid_min) {
 					match = 1;
 					break;
 				}
 			}
 		}
 		if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED)
 			match = !match;
 		if (!match)
 			return (0);
 	}
 
 	if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
 		match =
 		    (cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison);
 		if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)
 			match = !match;
 		if (!match)
 			return (0);
 	}
 
 	/*
 	 * Is there an object match?
 	 */
 	if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
 		match = (vap->va_uid <= rule->mbr_object.mbo_uid_max &&
 		    vap->va_uid >= rule->mbr_object.mbo_uid_min);
 		if (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)
 			match = !match;
 		if (!match)
 			return (0);
 	}
 
 	if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
 		match = (vap->va_gid <= rule->mbr_object.mbo_gid_max &&
 		    vap->va_gid >= rule->mbr_object.mbo_gid_min);
 		if (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)
 			match = !match;
 		if (!match)
 			return (0);
 	}
 
 	if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
 		match = (fsidcmp(&vp->v_mount->mnt_stat.f_fsid,
 		    &rule->mbr_object.mbo_fsid) == 0);
 		if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)
 			match = !match;
 		if (!match)
 			return (0);
 	}
 
 	if (rule->mbr_object.mbo_flags & MBO_SUID) {
 		match = (vap->va_mode & S_ISUID);
 		if (rule->mbr_object.mbo_neg & MBO_SUID)
 			match = !match;
 		if (!match)
 			return (0);
 	}
 
 	if (rule->mbr_object.mbo_flags & MBO_SGID) {
 		match = (vap->va_mode & S_ISGID);
 		if (rule->mbr_object.mbo_neg & MBO_SGID)
 			match = !match;
 		if (!match)
 			return (0);
 	}
 
 	if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
 		match = (vap->va_uid == cred->cr_uid ||
 		    vap->va_uid == cred->cr_ruid ||
 		    vap->va_uid == cred->cr_svuid);
 		if (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)
 			match = !match;
 		if (!match)
 			return (0);
 	}
 
 	if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
 		match = (groupmember(vap->va_gid, cred) ||
 		    vap->va_gid == cred->cr_rgid ||
 		    vap->va_gid == cred->cr_svgid);
 		if (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)
 			match = !match;
 		if (!match)
 			return (0);
 	}
 
 	if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
 		switch (vap->va_type) {
 		case VREG:
 			match = (rule->mbr_object.mbo_type & MBO_TYPE_REG);
 			break;
 		case VDIR:
 			match = (rule->mbr_object.mbo_type & MBO_TYPE_DIR);
 			break;
 		case VBLK:
 			match = (rule->mbr_object.mbo_type & MBO_TYPE_BLK);
 			break;
 		case VCHR:
 			match = (rule->mbr_object.mbo_type & MBO_TYPE_CHR);
 			break;
 		case VLNK:
 			match = (rule->mbr_object.mbo_type & MBO_TYPE_LNK);
 			break;
 		case VSOCK:
 			match = (rule->mbr_object.mbo_type & MBO_TYPE_SOCK);
 			break;
 		case VFIFO:
 			match = (rule->mbr_object.mbo_type & MBO_TYPE_FIFO);
 			break;
 		default:
 			match = 0;
 		}
 		if (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)
 			match = !match;
 		if (!match)
 			return (0);
 	}
 
 	/*
 	 * MBI_APPEND should not be here as it should get converted to
 	 * MBI_WRITE.
 	 */
 	priv_granted = 0;
 	mac_granted = rule->mbr_mode;
 	if ((acc_mode & MBI_ADMIN) && (mac_granted & MBI_ADMIN) == 0 &&
 	    priv_check_cred(cred, PRIV_VFS_ADMIN) == 0)
 		priv_granted |= MBI_ADMIN;
 	if ((acc_mode & MBI_EXEC) && (mac_granted & MBI_EXEC) == 0 &&
 	    priv_check_cred(cred, (vap->va_type == VDIR) ? PRIV_VFS_LOOKUP : PRIV_VFS_EXEC) == 0)
 		priv_granted |= MBI_EXEC;
 	if ((acc_mode & MBI_READ) && (mac_granted & MBI_READ) == 0 &&
 	    priv_check_cred(cred, PRIV_VFS_READ) == 0)
 		priv_granted |= MBI_READ;
 	if ((acc_mode & MBI_STAT) && (mac_granted & MBI_STAT) == 0 &&
 	    priv_check_cred(cred, PRIV_VFS_STAT) == 0)
 		priv_granted |= MBI_STAT;
 	if ((acc_mode & MBI_WRITE) && (mac_granted & MBI_WRITE) == 0 &&
 	    priv_check_cred(cred, PRIV_VFS_WRITE) == 0)
 		priv_granted |= MBI_WRITE;
 	/*
 	 * Is the access permitted?
 	 */
 	if (((mac_granted | priv_granted) & acc_mode) != acc_mode) {
 		if (ugidfw_logging)
 			log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
 			    " on %d:%d failed. \n", cred->cr_ruid,
 			    cred->cr_rgid, acc_mode, vap->va_uid,
 			    vap->va_gid);
 		return (EACCES);
 	}
 
 	/*
 	 * If the rule matched, permits access, and first match is enabled,
 	 * return success.
 	 */
 	if (ugidfw_firstmatch_enabled)
 		return (EJUSTRETURN);
 	else
 		return (0);
 }
 
 int
 ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
     int acc_mode)
 {
 	int error, i;
 
 	/*
 	 * Since we do not separately handle append, map append to write.
 	 */
 	if (acc_mode & MBI_APPEND) {
 		acc_mode &= ~MBI_APPEND;
 		acc_mode |= MBI_WRITE;
 	}
 	mtx_lock(&ugidfw_mtx);
 	for (i = 0; i < rule_slots; i++) {
 		if (rules[i] == NULL)
 			continue;
 		error = ugidfw_rulecheck(rules[i], cred,
 		    vp, vap, acc_mode);
 		if (error == EJUSTRETURN)
 			break;
 		if (error) {
 			mtx_unlock(&ugidfw_mtx);
 			return (error);
 		}
 	}
 	mtx_unlock(&ugidfw_mtx);
 	return (0);
 }
 
 int
 ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
 {
 	int error;
 	struct vattr vap;
 
 	if (!ugidfw_enabled)
 		return (0);
 	error = VOP_GETATTR(vp, &vap, cred);
 	if (error)
 		return (error);
 	return (ugidfw_check(cred, vp, &vap, acc_mode));
 }
 
 int
 ugidfw_accmode2mbi(accmode_t accmode)
 {
 	int mbi;
 
 	mbi = 0;
 	if (accmode & VEXEC)
 		mbi |= MBI_EXEC;
 	if (accmode & VWRITE)
 		mbi |= MBI_WRITE;
 	if (accmode & VREAD)
 		mbi |= MBI_READ;
 	if (accmode & VADMIN_PERMS)
 		mbi |= MBI_ADMIN;
 	if (accmode & VSTAT_PERMS)
 		mbi |= MBI_STAT;
 	if (accmode & VAPPEND)
 		mbi |= MBI_APPEND;
 	return (mbi);
 }
 
 static struct mac_policy_ops ugidfw_ops =
 {
 	.mpo_destroy = ugidfw_destroy,
 	.mpo_init = ugidfw_init,
 	.mpo_system_check_acct = ugidfw_system_check_acct,
 	.mpo_system_check_auditctl = ugidfw_system_check_auditctl,
 	.mpo_system_check_swapon = ugidfw_system_check_swapon,
 	.mpo_vnode_check_access = ugidfw_vnode_check_access,
 	.mpo_vnode_check_chdir = ugidfw_vnode_check_chdir,
 	.mpo_vnode_check_chroot = ugidfw_vnode_check_chroot,
 	.mpo_vnode_check_create = ugidfw_check_create_vnode,
 	.mpo_vnode_check_deleteacl = ugidfw_vnode_check_deleteacl,
 	.mpo_vnode_check_deleteextattr = ugidfw_vnode_check_deleteextattr,
 	.mpo_vnode_check_exec = ugidfw_vnode_check_exec,
 	.mpo_vnode_check_getacl = ugidfw_vnode_check_getacl,
 	.mpo_vnode_check_getextattr = ugidfw_vnode_check_getextattr,
 	.mpo_vnode_check_link = ugidfw_vnode_check_link,
 	.mpo_vnode_check_listextattr = ugidfw_vnode_check_listextattr,
 	.mpo_vnode_check_lookup = ugidfw_vnode_check_lookup,
 	.mpo_vnode_check_open = ugidfw_vnode_check_open,
 	.mpo_vnode_check_readdir = ugidfw_vnode_check_readdir,
 	.mpo_vnode_check_readlink = ugidfw_vnode_check_readdlink,
 	.mpo_vnode_check_rename_from = ugidfw_vnode_check_rename_from,
 	.mpo_vnode_check_rename_to = ugidfw_vnode_check_rename_to,
 	.mpo_vnode_check_revoke = ugidfw_vnode_check_revoke,
 	.mpo_vnode_check_setacl = ugidfw_check_setacl_vnode,
 	.mpo_vnode_check_setextattr = ugidfw_vnode_check_setextattr,
 	.mpo_vnode_check_setflags = ugidfw_vnode_check_setflags,
 	.mpo_vnode_check_setmode = ugidfw_vnode_check_setmode,
 	.mpo_vnode_check_setowner = ugidfw_vnode_check_setowner,
 	.mpo_vnode_check_setutimes = ugidfw_vnode_check_setutimes,
 	.mpo_vnode_check_stat = ugidfw_vnode_check_stat,
 	.mpo_vnode_check_unlink = ugidfw_vnode_check_unlink,
 };
 
 MAC_POLICY_SET(&ugidfw_ops, mac_bsdextended, "TrustedBSD MAC/BSD Extended",
     MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_grantbylabel/mac_grantbylabel.c b/sys/security/mac_grantbylabel/mac_grantbylabel.c
index 4d14577820eb..af080e8e34e0 100644
--- a/sys/security/mac_grantbylabel/mac_grantbylabel.c
+++ b/sys/security/mac_grantbylabel/mac_grantbylabel.c
@@ -1,508 +1,507 @@
 /*-
  * SPDX-License-Identifier: BSD-2-Clause
  *
  * Copyright (c) 2018-2023, Juniper Networks, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 #include <sys/cdefs.h>
 
 #include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/capsicum.h>
 #include <sys/proc.h>
 #include <sys/vnode.h>
 #include <sys/kernel.h>
 #include <sys/module.h>
 #include <sys/mac.h>
 #include <sys/namei.h>
 #include <sys/priv.h>
 #include <sys/imgact.h>
 #include <sys/sysctl.h>
 #include <sys/syslog.h>
 #include <security/mac/mac_policy.h>
 
 #include "mac_grantbylabel.h"
 #include <security/mac_veriexec/mac_veriexec_internal.h>
 
 #define MAC_GRANTBYLABEL_FULLNAME   "MAC/grantbylabel"
 
-SYSCTL_DECL(_security_mac);
 SYSCTL_NODE(_security_mac, OID_AUTO, grantbylabel, CTLFLAG_RW, 0,
     "MAC/grantbylabel policy controls");
 
 #ifdef MAC_DEBUG
 static int mac_grantbylabel_debug;
 
 SYSCTL_INT(_security_mac_grantbylabel, OID_AUTO, debug, CTLFLAG_RW,
     &mac_grantbylabel_debug, 0, "Debug mac_grantbylabel");
 
 #define GRANTBYLABEL_DEBUG(n, x) if (mac_grantbylabel_debug >= (n)) printf x
 
 #define	MAC_GRANTBYLABEL_DBG(_lvl, _fmt, ...)				\
 	do {								\
 		GRANTBYLABEL_DEBUG((_lvl), (MAC_GRANTBYLABEL_FULLNAME ": " \
 			_fmt "\n", ##__VA_ARGS__));			\
 	} while(0)
 #else
 #define	MAC_GRANTBYLABEL_DBG(_lvl, _fmt, ...)
 #endif
 
 
 /* label token prefix */
 #define GBL_PREFIX "gbl/"
 
 static int mac_grantbylabel_slot;
 
 #define	SLOT(l) \
 	mac_label_get((l), mac_grantbylabel_slot)
 #define	SLOT_SET(l, v) \
 	mac_label_set((l), mac_grantbylabel_slot, (v))
 
 
 /**
  * @brief parse label into bitmask
  *
  * We are only interested in tokens prefixed by GBL_PREFIX ("gbl/").
  *
  * @return 32bit mask
  */
 static gbl_label_t
 gbl_parse_label(const char *label)
 {
 	gbl_label_t gbl;
 	char *cp;
 
 	if (!(label && *label))
 		return GBL_EMPTY;
 	gbl = 0;
 	for (cp = strstr(label, GBL_PREFIX); cp; cp = strstr(cp, GBL_PREFIX)) {
 		/* check we didn't find "fugbl/" */
 		if (cp > label && cp[-1] != ',') {
 			cp += sizeof(GBL_PREFIX);
 			continue;
 		}
 		cp += sizeof(GBL_PREFIX) - 1;
 		switch (*cp) {
 		case 'b':
 			if (strncmp(cp, "bind", 4) == 0)
 				gbl |= GBL_BIND;
 			break;
 		case 'd':
 			if (strncmp(cp, "daemon", 6) == 0)
 				gbl |= (GBL_BIND|GBL_IPC|GBL_NET|GBL_PROC|
 				    GBL_SYSCTL|GBL_VACCESS);
 			break;
 		case 'i':
 			if (strncmp(cp, "ipc", 3) == 0)
 				gbl |= GBL_IPC;
 			break;
 		case 'k':
 			if (strncmp(cp, "kmem", 4) == 0)
 				gbl |= GBL_KMEM;
 			break;
 		case 'n':
 			if (strncmp(cp, "net", 3) == 0)
 				gbl |= GBL_NET;
 			break;
 		case 'p':
 			if (strncmp(cp, "proc", 4) == 0)
 				gbl |= GBL_PROC;
 			break;
 		case 'r':
 			if (strncmp(cp, "rtsock", 6) == 0)
 				gbl |= GBL_RTSOCK;
 			break;
 		case 's':
 			if (strncmp(cp, "sysctl", 6) == 0)
 				gbl |= GBL_SYSCTL;
 			break;
 		case 'v':
 			if (strncmp(cp, "vaccess", 7) == 0)
 				gbl |= GBL_VACCESS;
 			else if (strncmp(cp, "veriexec", 8) == 0)
 				gbl |= GBL_VERIEXEC;
 			break;
 		default:		/* ignore unknown? */
 			MAC_GRANTBYLABEL_DBG(1,
 			    "ignoring unknown token at %s/%s",
 			    GBL_PREFIX, cp);
 			break;
 		}
 	}
 
 	return gbl;
 }
 
 
 /**
  * @brief get the v_label for a vnode
  *
  * Lookup the label if not already set in v_label
  *
  * @return 32bit mask or 0 on error
  */
 static gbl_label_t
 gbl_get_vlabel(struct vnode *vp, struct ucred *cred)
 {
 	struct vattr va;
 	const char *label;
 	gbl_label_t gbl;
 	int error;
 
 	gbl = SLOT(vp->v_label);
 	if (gbl == 0) {
 		error = VOP_GETATTR(vp, &va, cred);
 		if (error == 0) {
 			label = mac_veriexec_metadata_get_file_label(va.va_fsid,
 			    va.va_fileid, va.va_gen, FALSE);
 			if (label) {
 				MAC_GRANTBYLABEL_DBG(1,
 				    "label=%s dev=%ju, file %ju.%lu",
 				    label,
 				    (uintmax_t)va.va_fsid,
 				    (uintmax_t)va.va_fileid,
 				    va.va_gen);
 				gbl = gbl_parse_label(label);
 			} else {
 				gbl = GBL_EMPTY;
 				MAC_GRANTBYLABEL_DBG(2, "no label dev=%ju, file %ju.%lu",
 				    (uintmax_t)va.va_fsid,
 				    (uintmax_t)va.va_fileid,
 				    va.va_gen);
 			}
 		}
 	}
 	return gbl;
 }
 
 
 /**
  * @brief grant priv if warranted
  *
  * If the cred is root, we have nothing to do.
  * Otherwise see if the current process has a label
  * that grants it the requested priv.
  */
 static int
 mac_grantbylabel_priv_grant(struct ucred *cred, int priv)
 {
 	gbl_label_t label;
 	int rc;
 
 	rc = EPERM;			/* default response */
 
 	if ((curproc->p_flag & (P_KPROC|P_SYSTEM)))
 		return rc;		/* not interested */
 
 	switch (priv) {
 	case PRIV_PROC_MEM_WRITE:
 	case PRIV_KMEM_READ:
 	case PRIV_KMEM_WRITE:
 		break;
 	case PRIV_VERIEXEC_DIRECT:
 	case PRIV_VERIEXEC_NOVERIFY:
 		/* XXX might want to skip in FIPS mode */
 		break;
 	default:
 		if (cred->cr_uid == 0)
 			return rc;	/* not interested */
 		break;
 	}
 
 	label = (gbl_label_t)(SLOT(curproc->p_textvp->v_label) |
 	    SLOT(curproc->p_label));
 
 	/*
 	 * We look at the extra privs granted
 	 * via process label.
 	 */
 	switch (priv) {
 	case PRIV_IPC_READ:
 	case PRIV_IPC_WRITE:
 		if (label & GBL_IPC)
 			rc = 0;
 		break;
 	case PRIV_PROC_MEM_WRITE:
 	case PRIV_KMEM_READ:
 	case PRIV_KMEM_WRITE:
 		if (label & GBL_KMEM)
 			rc = 0;
 		break;
 	case PRIV_NETINET_BINDANY:
 	case PRIV_NETINET_RESERVEDPORT:	/* socket bind low port */
 	case PRIV_NETINET_REUSEPORT:
 		if (label & GBL_BIND)
 			rc = 0;
 		break;
 	case PRIV_NETINET_ADDRCTRL6:
 	case PRIV_NET_LAGG:
 	case PRIV_NET_SETIFFIB:
 	case PRIV_NET_SETIFVNET:
 	case PRIV_NETINET_SETHDROPTS:
 	case PRIV_NET_VXLAN:
 	case PRIV_NETINET_GETCRED:
 	case PRIV_NETINET_IPSEC:
 	case PRIV_NETINET_RAW:
 		if (label & GBL_NET)
 			rc = 0;
 		break;
 	case PRIV_NETINET_MROUTE:
 	case PRIV_NET_ROUTE:
 		if (label & GBL_RTSOCK)
 			rc = 0;
 		break;
 	case PRIV_PROC_LIMIT:
 	case PRIV_PROC_SETRLIMIT:
 		if (label & GBL_PROC)
 			rc = 0;
 		break;
 	case PRIV_SYSCTL_WRITE:
 		if (label & GBL_SYSCTL)
 			rc = 0;
 		break;
 	case PRIV_VFS_READ:
 	case PRIV_VFS_WRITE:
 		if (label & GBL_KMEM)
 			rc = 0;
 		/* FALLTHROUGH */
 	case PRIV_VFS_ADMIN:
 	case PRIV_VFS_BLOCKRESERVE:
 	case PRIV_VFS_CHOWN:
 	case PRIV_VFS_EXEC:	/* vaccess file and accmode & VEXEC */
 	case PRIV_VFS_GENERATION:
 	case PRIV_VFS_LOOKUP:	/* vaccess DIR */
 		if (label & GBL_VACCESS)
 			rc = 0;
 		break;
 	case PRIV_VERIEXEC_DIRECT:
 		/*
 		 * We are here because we are attempting to direct exec
 		 * something with the 'indirect' flag set.
 		 * We need to check parent label for this one.
 		 */
 		PROC_LOCK(curproc);
 		label = (gbl_label_t)SLOT(curproc->p_pptr->p_textvp->v_label);
 		if (label & GBL_VERIEXEC) {
 			rc = 0;
 			/*
 			 * Of course the only reason to be running an
 			 * interpreter this way is to bypass O_VERIFY
 			 * so we can run unsigned script.
 			 * We set GBL_VERIEXEC on p_label for
 			 * PRIV_VERIEXEC_NOVERIFY below
 			 */
 			SLOT_SET(curproc->p_label, GBL_VERIEXEC);
 		}
 		PROC_UNLOCK(curproc);
 		break;
 	case PRIV_VERIEXEC_NOVERIFY:
 		/* we look at p_label! see above */
 		label = (gbl_label_t)SLOT(curproc->p_label);
 		if (label & GBL_VERIEXEC)
 			rc = 0;
 		break;
 	default:
 		break;
 	}
 	MAC_GRANTBYLABEL_DBG(rc ? 1 : 2,
 	    "pid=%d priv=%d, label=%#o rc=%d",
 	    curproc->p_pid, priv, label, rc);
 
 	return rc;
 }
 
 
 /*
  * If proc->p_textvp does not yet have a label,
  * fetch file info from mac_veriexec
  * and set label (if any) else set.
  * If there is no label set it to GBL_EMPTY.
  */
 static int
 mac_grantbylabel_proc_check_resource(struct ucred *cred,
     struct proc *proc)
 {
 	gbl_label_t gbl;
 
 	if (!SLOT(proc->p_textvp->v_label)) {
 		gbl = gbl_get_vlabel(proc->p_textvp, cred);
 		if (gbl == 0)
 			gbl = GBL_EMPTY;
 		SLOT_SET(proc->p_textvp->v_label, gbl);
 	}
 	return 0;
 }
 
 static int
 mac_grantbylabel_syscall(struct thread *td, int call, void *arg)
 {
 	cap_rights_t rights;
 	struct mac_grantbylabel_fetch_gbl_args gbl_args;
 	struct file *fp;
 	struct proc *proc;
 	int error;
 	int proc_locked;
 
 	switch (call) {
 	case MAC_GRANTBYLABEL_FETCH_GBL:
 	case MAC_GRANTBYLABEL_FETCH_PID_GBL:
 		error = copyin(arg, &gbl_args, sizeof(gbl_args));
 		if (error)
 			return error;
 		gbl_args.gbl = 0;
 		break;
 	default:
 		return EOPNOTSUPP;
 		break;
 	}
 	proc_locked = 0;
 	switch (call) {
 	case MAC_GRANTBYLABEL_FETCH_GBL:
 		error = getvnode(td, gbl_args.u.fd,
 		    cap_rights_init(&rights), &fp);
 		if (error)
 			return (error);
 
 		if (fp->f_type != DTYPE_VNODE) {
 		       error = EINVAL;
 		       goto cleanup_file;
 		}
 
 		vn_lock(fp->f_vnode, LK_SHARED | LK_RETRY);
 		gbl_args.gbl = gbl_get_vlabel(fp->f_vnode, td->td_ucred);
 		if (gbl_args.gbl == 0)
 			error = EOPNOTSUPP;
 		else
 			error = 0;
 		VOP_UNLOCK(fp->f_vnode);
 cleanup_file:
 		fdrop(fp, td);
 		break;
 	case MAC_GRANTBYLABEL_FETCH_PID_GBL:
 		error = 0;
 		if (gbl_args.u.pid == 0
 		    || gbl_args.u.pid == curproc->p_pid) {
 			proc = curproc;
 		} else {
 			proc = pfind(gbl_args.u.pid);
 			if (proc == NULL)
 				return (EINVAL);
 			proc_locked = 1;
 		}
 		gbl_args.gbl = (SLOT(proc->p_textvp->v_label) |
 		    SLOT(proc->p_label));
 		if (proc_locked)
 			PROC_UNLOCK(proc);
 		break;
 	}
 	if (error == 0) {
 		error = copyout(&gbl_args, arg, sizeof(gbl_args));
 	}
 	return error;
 }
 
 
 static void
 mac_grantbylabel_proc_init_label(struct label *label)
 {
 
 	SLOT_SET(label, 0);		/* not yet set! */
 }
 
 static void
 mac_grantbylabel_vnode_init_label(struct label *label)
 {
 
 	SLOT_SET(label, 0);		/* not yet set! */
 }
 
 /**
  * @brief set v_label if needed
  */
 static int
 mac_grantbylabel_vnode_check_exec(struct ucred *cred __unused,
     struct vnode *vp __unused, struct label *label __unused,
     struct image_params *imgp, struct label *execlabel __unused)
 {
 	gbl_label_t gbl;
 
 	gbl = SLOT(vp->v_label);
 	if (gbl == 0) {
 		gbl = gbl_get_vlabel(vp, cred);
 		if (gbl == 0)
 			gbl = GBL_EMPTY;
 		MAC_GRANTBYLABEL_DBG(1, "vnode_check_exec label=%#o", gbl);
 		SLOT_SET(vp->v_label, gbl);
 	}
 	return 0;
 }
 
 static void
 mac_grantbylabel_copy_label(struct label *src, struct label *dest)
 {
 	SLOT_SET(dest, SLOT(src));
 }
 
 /**
  * @brief if interpreting copy script v_label to proc p_label
  */
 static int
 mac_grantbylabel_vnode_execve_will_transition(struct ucred *old,
     struct vnode *vp, struct label *vplabel,
     struct label *interpvplabel, struct image_params *imgp,
     struct label *execlabel)
 {
 	gbl_label_t gbl;
 
 	if (imgp->interpreted) {
 		gbl = SLOT(interpvplabel);
 		if (gbl) {
 			SLOT_SET(imgp->proc->p_label, gbl);
 		}
 		MAC_GRANTBYLABEL_DBG(1, "execve_will_transition label=%#o", gbl);
 	}
 	return 0;
 }
 
 
 static struct mac_policy_ops mac_grantbylabel_ops =
 {
 	.mpo_proc_check_resource = mac_grantbylabel_proc_check_resource,
 	.mpo_priv_grant = mac_grantbylabel_priv_grant,
 	.mpo_syscall = mac_grantbylabel_syscall,
 	.mpo_proc_init_label = mac_grantbylabel_proc_init_label,
 	.mpo_vnode_check_exec = mac_grantbylabel_vnode_check_exec,
 	.mpo_vnode_copy_label = mac_grantbylabel_copy_label,
 	.mpo_vnode_execve_will_transition = mac_grantbylabel_vnode_execve_will_transition,
 	.mpo_vnode_init_label = mac_grantbylabel_vnode_init_label,
 };
 
 MAC_POLICY_SET(&mac_grantbylabel_ops, mac_grantbylabel,
     MAC_GRANTBYLABEL_FULLNAME,
     MPC_LOADTIME_FLAG_NOTLATE, &mac_grantbylabel_slot);
 MODULE_VERSION(mac_grantbylabel, 1);
 MODULE_DEPEND(mac_grantbylabel, mac_veriexec, MAC_VERIEXEC_VERSION,
     MAC_VERIEXEC_VERSION, MAC_VERIEXEC_VERSION);
diff --git a/sys/security/mac_ifoff/mac_ifoff.c b/sys/security/mac_ifoff/mac_ifoff.c
index d84b9c85a5be..cffe93b4d9a9 100644
--- a/sys/security/mac_ifoff/mac_ifoff.c
+++ b/sys/security/mac_ifoff/mac_ifoff.c
@@ -1,171 +1,169 @@
 /*-
  * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001-2002 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by Network
  * Associates Laboratories, the Security Research Division of Network
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 /*
  * Developed by the TrustedBSD Project.
  *
  * Limit access to interfaces until they are specifically administratively
  * enabled.  Prevents protocol stack-driven packet leakage in unsafe
  * environments.
  */
 
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/module.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/sysctl.h>
 
 #include <net/if.h>
 #include <net/if_var.h>
 #include <net/if_types.h>
 #include <net/bpfdesc.h>
 
 #include <security/mac/mac_policy.h>
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, ifoff,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "TrustedBSD mac_ifoff policy controls");
 
 static int	ifoff_enabled = 1;
 SYSCTL_INT(_security_mac_ifoff, OID_AUTO, enabled, CTLFLAG_RWTUN,
     &ifoff_enabled, 0, "Enforce ifoff policy");
 
 static int	ifoff_lo_enabled = 1;
 SYSCTL_INT(_security_mac_ifoff, OID_AUTO, lo_enabled, CTLFLAG_RWTUN,
     &ifoff_lo_enabled, 0, "Enable loopback interfaces");
 
 static int	ifoff_other_enabled = 0;
 SYSCTL_INT(_security_mac_ifoff, OID_AUTO, other_enabled, CTLFLAG_RWTUN,
     &ifoff_other_enabled, 0, "Enable other interfaces");
 
 static int	ifoff_bpfrecv_enabled = 0;
 SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RWTUN,
     &ifoff_bpfrecv_enabled, 0, "Enable BPF reception even when interface "
     "is disabled");
 
 static int
 ifnet_check_outgoing(struct ifnet *ifp)
 {
 
 	if (!ifoff_enabled)
 		return (0);
 
 	if (ifoff_lo_enabled && if_gettype(ifp) == IFT_LOOP)
 		return (0);
 
 	if (ifoff_other_enabled && if_gettype(ifp) != IFT_LOOP)
 		return (0);
 
 	return (EPERM);
 }
 
 static int
 ifnet_check_incoming(struct ifnet *ifp, int viabpf)
 {
 	if (!ifoff_enabled)
 		return (0);
 
 	if (ifoff_lo_enabled && if_gettype(ifp) == IFT_LOOP)
 		return (0);
 
 	if (ifoff_other_enabled && if_gettype(ifp) != IFT_LOOP)
 		return (0);
 
 	if (viabpf && ifoff_bpfrecv_enabled)
 		return (0);
 
 	return (EPERM);
 }
 
 /*
  * Object-specific entry point implementations are sorted alphabetically by
  * object type and then by operation.
  */
 static int
 ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
     struct ifnet *ifp, struct label *ifplabel)
 {
 
 	return (ifnet_check_incoming(ifp, 1));
 }
 
 static int
 ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	return (ifnet_check_outgoing(ifp));
 }
 
 static int
 ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	M_ASSERTPKTHDR(m);
 	if (m->m_pkthdr.rcvif != NULL)
 		return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0));
 
 	return (0);
 }
 
 static int
 ifoff_socket_check_deliver(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	M_ASSERTPKTHDR(m);
 	if (m->m_pkthdr.rcvif != NULL)
 		return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0));
 
 	return (0);
 }
 
 static struct mac_policy_ops ifoff_ops =
 {
 	.mpo_bpfdesc_check_receive = ifoff_bpfdesc_check_receive,
 	.mpo_ifnet_check_transmit = ifoff_ifnet_check_transmit,
 	.mpo_inpcb_check_deliver = ifoff_inpcb_check_deliver,
 	.mpo_socket_check_deliver = ifoff_socket_check_deliver,
 };
 
 MAC_POLICY_SET(&ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff",
     MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_ipacl/mac_ipacl.c b/sys/security/mac_ipacl/mac_ipacl.c
index bed77e7866f2..eed3eddace89 100644
--- a/sys/security/mac_ipacl/mac_ipacl.c
+++ b/sys/security/mac_ipacl/mac_ipacl.c
@@ -1,451 +1,449 @@
 /*-
  * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2019, 2023 Shivank Garg <shivank@FreeBSD.org>
  *
  * This software was developed for the FreeBSD Project by Network
  * Associates Laboratories, the Security Research Division of Network
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
  * This code was developed as a Google Summer of Code 2019 project
  * under the guidance of Bjoern A. Zeeb.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 /*
  * The IP address access control policy module - mac_ipacl allows the root of
  * the host to limit the VNET jail's privileges of setting IPv4 and IPv6
  * addresses via sysctl(8) interface. So, the host can define rules for jails
  * and their interfaces about IP addresses.
  * sysctl(8) is to be used to modify the rules string in following format-
  * "jail_id,allow,interface,address_family,IP_addr/prefix_length[@jail_id,...]"
  */
 
 #include "opt_inet.h"
 #include "opt_inet6.h"
 
 #include <sys/param.h>
 #include <sys/module.h>
 #include <sys/errno.h>
 #include <sys/kernel.h>
 #include <sys/mutex.h>
 #include <sys/priv.h>
 #include <sys/queue.h>
 #include <sys/socket.h>
 #include <sys/sysctl.h>
 #include <sys/systm.h>
 #include <sys/types.h>
 #include <sys/ucred.h>
 #include <sys/jail.h>
 
 #include <net/if.h>
 #include <net/if_var.h>
 
 #include <netinet/in.h>
 #include <netinet6/scope6_var.h>
 
 #include <security/mac/mac_policy.h>
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, ipacl, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "TrustedBSD mac_ipacl policy controls");
 
 #ifdef INET
 static int ipacl_ipv4 = 1;
 SYSCTL_INT(_security_mac_ipacl, OID_AUTO, ipv4, CTLFLAG_RWTUN,
     &ipacl_ipv4, 0, "Enforce mac_ipacl for IPv4 addresses");
 #endif
 
 #ifdef INET6
 static int ipacl_ipv6 = 1;
 SYSCTL_INT(_security_mac_ipacl, OID_AUTO, ipv6, CTLFLAG_RWTUN,
     &ipacl_ipv6, 0, "Enforce mac_ipacl for IPv6 addresses");
 #endif
 
 static MALLOC_DEFINE(M_IPACL, "ipacl_rule", "Rules for mac_ipacl");
 
 #define	MAC_RULE_STRING_LEN	1024
 
 struct ipacl_addr {
 	union {
 #ifdef INET
 		struct in_addr	ipv4;
 #endif
 #ifdef INET6
 		struct in6_addr	ipv6;
 #endif
 		u_int8_t	addr8[16];
 		u_int16_t	addr16[8];
 		u_int32_t	addr32[4];
 	} ipa; /* 128 bit address*/
 #ifdef INET
 #define v4	ipa.ipv4
 #endif
 #ifdef INET6
 #define v6	ipa.ipv6
 #endif
 #define addr8	ipa.addr8
 #define addr16	ipa.addr16
 #define addr32	ipa.addr32
 };
 
 struct ip_rule {
 	int			jid;
 	bool			allow;
 	bool			subnet_apply; /* Apply rule on whole subnet. */
 	char			if_name[IFNAMSIZ];
 	int			af; /* Address family. */
 	struct	ipacl_addr	addr;
 	struct	ipacl_addr	mask;
 	TAILQ_ENTRY(ip_rule)	r_entries;
 };
 
 static struct mtx			rule_mtx;
 static TAILQ_HEAD(rulehead, ip_rule)	rule_head;
 static char				rule_string[MAC_RULE_STRING_LEN];
 
 static void
 destroy_rules(struct rulehead *head)
 {
 	struct ip_rule *rule;
 
 	while ((rule = TAILQ_FIRST(head)) != NULL) {
 		TAILQ_REMOVE(head, rule, r_entries);
 		free(rule, M_IPACL);
 	}
 }
 
 static void
 ipacl_init(struct mac_policy_conf *conf)
 {
 	mtx_init(&rule_mtx, "rule_mtx", NULL, MTX_DEF);
 	TAILQ_INIT(&rule_head);
 }
 
 static void
 ipacl_destroy(struct mac_policy_conf *conf)
 {
 	mtx_destroy(&rule_mtx);
 	destroy_rules(&rule_head);
 }
 
 /*
  * Note: parsing routines are destructive on the passed string.
  */
 static int
 parse_rule_element(char *element, struct ip_rule *rule)
 {
 	char *tok, *p;
 	int prefix;
 #ifdef INET6
 	int i;
 #endif
 
 	/* Should we support a jail wildcard? */
 	tok = strsep(&element, ",");
 	if (tok == NULL)
 		return (EINVAL);
 	rule->jid = strtol(tok, &p, 10);
 	if (*p != '\0')
 		return (EINVAL);
 	tok = strsep(&element, ",");
 	if (tok == NULL)
 		return (EINVAL);
 	rule->allow = strtol(tok, &p, 10);
 	if (*p != '\0')
 		return (EINVAL);
 	tok = strsep(&element, ",");
 	if (strlen(tok) + 1 > IFNAMSIZ)
 		return (EINVAL);
 	/* Empty interface name is wildcard to all interfaces. */
 	strlcpy(rule->if_name, tok, strlen(tok) + 1);
 	tok = strsep(&element, ",");
 	if (tok == NULL)
 		return (EINVAL);
 	rule->af = (strcmp(tok, "AF_INET") == 0) ? AF_INET :
 	    (strcmp(tok, "AF_INET6") == 0) ? AF_INET6 : -1;
 	if (rule->af == -1)
 		return (EINVAL);
 	tok = strsep(&element, "/");
 	if (tok == NULL)
 		return (EINVAL);
 	if (inet_pton(rule->af, tok, rule->addr.addr32) != 1)
 		return (EINVAL);
 	tok = element;
 	if (tok == NULL)
 		return (EINVAL);
 	prefix = strtol(tok, &p, 10);
 	if (*p != '\0')
 		return (EINVAL);
 	/* Value -1 for prefix make policy applicable to individual IP only. */
 	if (prefix == -1)
 		rule->subnet_apply = false;
 	else {
 		rule->subnet_apply = true;
 		switch (rule->af) {
 #ifdef INET
 		case AF_INET:
 			if (prefix < 0 || prefix > 32)
 				return (EINVAL);
 
 			if (prefix == 0)
 				rule->mask.addr32[0] = htonl(0);
 			else
 				rule->mask.addr32[0] =
 				    htonl(~((1 << (32 - prefix)) - 1));
 			rule->addr.addr32[0] &= rule->mask.addr32[0];
 			break;
 #endif
 #ifdef INET6
 		case AF_INET6:
 			if (prefix < 0 || prefix > 128)
 				return (EINVAL);
 
 			for (i = 0; prefix > 0; prefix -= 8, i++)
 				rule->mask.addr8[i] = prefix >= 8 ? 0xFF :
 				    (u_int8_t)((0xFFU << (8 - prefix)) & 0xFFU);
 			for (i = 0; i < 16; i++)
 				rule->addr.addr8[i] &= rule->mask.addr8[i];
 			break;
 #endif
 		}
 	}
 	return (0);
 }
 
 /*
  * Format of Rule- jid,allow,interface_name,addr_family,ip_addr/subnet_mask
  * Example: sysctl security.mac.ipacl.rules=1,1,epair0b,AF_INET,192.0.2.2/24
  */
 static int
 parse_rules(char *string, struct rulehead *head)
 {
 	struct ip_rule *new;
 	char *element;
 	int error;
 
 	error = 0;
 	while ((element = strsep(&string, "@")) != NULL) {
 		if (strlen(element) == 0)
 			continue;
 
 		new = malloc(sizeof(*new), M_IPACL, M_ZERO | M_WAITOK);
 		error = parse_rule_element(element, new);
 		if (error != 0) {
 			free(new, M_IPACL);
 			goto out;
 		}
 		TAILQ_INSERT_TAIL(head, new, r_entries);
 	}
 out:
 	if (error != 0)
 		destroy_rules(head);
 	return (error);
 }
 
 static int
 sysctl_rules(SYSCTL_HANDLER_ARGS)
 {
 	char *string, *copy_string, *new_string;
 	struct rulehead head, save_head;
 	int error;
 
 	new_string = NULL;
 	if (req->newptr != NULL) {
 		new_string = malloc(MAC_RULE_STRING_LEN, M_IPACL,
 		    M_WAITOK | M_ZERO);
 		mtx_lock(&rule_mtx);
 		strcpy(new_string, rule_string);
 		mtx_unlock(&rule_mtx);
 		string = new_string;
 	} else
 		string = rule_string;
 
 	error = sysctl_handle_string(oidp, string, MAC_RULE_STRING_LEN, req);
 	if (error)
 		goto out;
 
 	if (req->newptr != NULL) {
 		copy_string = strdup(string, M_IPACL);
 		TAILQ_INIT(&head);
 		error = parse_rules(copy_string, &head);
 		free(copy_string, M_IPACL);
 		if (error)
 			goto out;
 
 		TAILQ_INIT(&save_head);
 		mtx_lock(&rule_mtx);
 		TAILQ_CONCAT(&save_head, &rule_head, r_entries);
 		TAILQ_CONCAT(&rule_head, &head, r_entries);
 		strcpy(rule_string, string);
 		mtx_unlock(&rule_mtx);
 		destroy_rules(&save_head);
 	}
 out:
 	if (new_string != NULL)
 		free(new_string, M_IPACL);
 	return (error);
 }
 SYSCTL_PROC(_security_mac_ipacl, OID_AUTO, rules,
     CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     0, sysctl_rules, "A", "IP ACL Rules");
 
 static int
 rules_check(struct ucred *cred,
     struct ipacl_addr *ip_addr, if_t ifp)
 {
 	struct ip_rule *rule;
 	int error;
 #ifdef INET6
 	int i;
 	bool same_subnet;
 #endif
 
 	error = EPERM;
 
 	mtx_lock(&rule_mtx);
 
 	/*
 	 * In the case where multiple rules are applicable to an IP address or
 	 * a set of IP addresses, the rule that is defined later in the list
 	 * determines the outcome, disregarding any previous rule for that IP
 	 * address.
 	 * Walk the policy rules list in reverse order until rule applicable
 	 * to the requested IP address is found.
 	 */
 	TAILQ_FOREACH_REVERSE(rule, &rule_head, rulehead, r_entries) {
 		/* Skip if current rule applies to different jail. */
 		if (cred->cr_prison->pr_id != rule->jid)
 			continue;
 
 		if (strcmp(rule->if_name, "\0") &&
 		    strcmp(rule->if_name, if_name(ifp)))
 			continue;
 
 		switch (rule->af) {
 #ifdef INET
 		case AF_INET:
 			if (rule->subnet_apply) {
 				if (rule->addr.v4.s_addr !=
 				    (ip_addr->v4.s_addr & rule->mask.v4.s_addr))
 					continue;
 			} else
 				if (ip_addr->v4.s_addr != rule->addr.v4.s_addr)
 					continue;
 			break;
 #endif
 #ifdef INET6
 		case AF_INET6:
 			if (rule->subnet_apply) {
 				same_subnet = true;
 				for (i = 0; i < 16; i++)
 					if (rule->addr.v6.s6_addr[i] !=
 					    (ip_addr->v6.s6_addr[i] &
 					    rule->mask.v6.s6_addr[i])) {
 						same_subnet = false;
 						break;
 					}
 				if (!same_subnet)
 					continue;
 			} else
 				if (bcmp(&rule->addr, ip_addr,
 				    sizeof(*ip_addr)))
 					continue;
 			break;
 #endif
 		}
 
 		if (rule->allow)
 			error = 0;
 		break;
 	}
 
 	mtx_unlock(&rule_mtx);
 
 	return (error);
 }
 
 /*
  * Feature request: Can we make this sysctl policy apply to jails by default,
  * but also allow it to be changed to apply to the base system?
  */
 #ifdef INET
 static int
 ipacl_ip4_check_jail(struct ucred *cred,
     const struct in_addr *ia, if_t ifp)
 {
 	struct ipacl_addr ip4_addr;
 
 	ip4_addr.v4 = *ia;
 
 	if (!jailed(cred))
 		return (0);
 
 	/* Checks with the policy only when it is enforced for ipv4. */
 	if (ipacl_ipv4)
 		return rules_check(cred, &ip4_addr, ifp);
 
 	return (0);
 }
 #endif
 
 #ifdef INET6
 static int
 ipacl_ip6_check_jail(struct ucred *cred,
     const struct in6_addr *ia6, if_t ifp)
 {
 	struct ipacl_addr ip6_addr;
 
 	ip6_addr.v6 = *ia6; /* Make copy to not alter the original. */
 	in6_clearscope(&ip6_addr.v6); /* Clear the scope id. */
 
 	if (!jailed(cred))
 		return (0);
 
 	/* Checks with the policy when it is enforced for ipv6. */
 	if (ipacl_ipv6)
 		return rules_check(cred, &ip6_addr, ifp);
 
 	return (0);
 }
 #endif
 
 static struct mac_policy_ops ipacl_ops =
 {
 	.mpo_init = ipacl_init,
 	.mpo_destroy = ipacl_destroy,
 #ifdef INET
 	.mpo_ip4_check_jail = ipacl_ip4_check_jail,
 #endif
 #ifdef INET6
 	.mpo_ip6_check_jail = ipacl_ip6_check_jail,
 #endif
 };
 
 MAC_POLICY_SET(&ipacl_ops, mac_ipacl, "TrustedBSD MAC/ipacl",
     MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index aa9abf458721..23acc7b7a592 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1,3070 +1,3068 @@
 /*-
  * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by NAI Labs,
  * the Security Research Division of Network Associates, Inc. under
  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
  * CHATS research program.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 /*
  * Developed by the TrustedBSD Project.
  *
  * Low-watermark floating label mandatory integrity policy.
  */
 
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/acl.h>
 #include <sys/conf.h>
 #include <sys/extattr.h>
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/mman.h>
 #include <sys/mount.h>
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/sbuf.h>
 #include <sys/systm.h>
 #include <sys/sysproto.h>
 #include <sys/sysent.h>
 #include <sys/systm.h>
 #include <sys/vnode.h>
 #include <sys/file.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sx.h>
 #include <sys/pipe.h>
 #include <sys/sysctl.h>
 #include <sys/syslog.h>
 
 #include <fs/devfs/devfs.h>
 
 #include <net/bpfdesc.h>
 #include <net/if.h>
 #include <net/if_types.h>
 #include <net/if_var.h>
 
 #include <netinet/in.h>
 #include <netinet/in_pcb.h>
 #include <netinet/ip_var.h>
 
 #include <vm/vm.h>
 
 #include <security/mac/mac_policy.h>
 #include <security/mac/mac_framework.h>
 #include <security/mac_lomac/mac_lomac.h>
 
 struct mac_lomac_proc {
 	struct mac_lomac mac_lomac;
 	struct mtx mtx;
 };
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, lomac,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "TrustedBSD mac_lomac policy controls");
 
 static int	lomac_label_size = sizeof(struct mac_lomac);
 SYSCTL_INT(_security_mac_lomac, OID_AUTO, label_size, CTLFLAG_RD,
     &lomac_label_size, 0, "Size of struct mac_lomac");
 
 static int	lomac_enabled = 1;
 SYSCTL_INT(_security_mac_lomac, OID_AUTO, enabled, CTLFLAG_RWTUN,
     &lomac_enabled, 0, "Enforce MAC/LOMAC policy");
 
 static int	destroyed_not_inited;
 SYSCTL_INT(_security_mac_lomac, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
     &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
 
 static int	trust_all_interfaces = 0;
 SYSCTL_INT(_security_mac_lomac, OID_AUTO, trust_all_interfaces, CTLFLAG_RDTUN,
     &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/LOMAC");
 
 static char	trusted_interfaces[128];
 SYSCTL_STRING(_security_mac_lomac, OID_AUTO, trusted_interfaces, CTLFLAG_RDTUN,
     trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/LOMAC");
 
 static int	ptys_equal = 0;
 SYSCTL_INT(_security_mac_lomac, OID_AUTO, ptys_equal, CTLFLAG_RWTUN,
     &ptys_equal, 0, "Label pty devices as lomac/equal on create");
 
 static int	revocation_enabled = 1;
 SYSCTL_INT(_security_mac_lomac, OID_AUTO, revocation_enabled, CTLFLAG_RWTUN,
     &revocation_enabled, 0, "Revoke access to objects on relabel");
 
 static int	lomac_slot;
 #define	SLOT(l)	((struct mac_lomac *)mac_label_get((l), lomac_slot))
 #define	SLOT_SET(l, val) mac_label_set((l), lomac_slot, (uintptr_t)(val))
 #define	PSLOT(l) ((struct mac_lomac_proc *)				\
     mac_label_get((l), lomac_slot))
 #define	PSLOT_SET(l, val) mac_label_set((l), lomac_slot, (uintptr_t)(val))
 
 static MALLOC_DEFINE(M_LOMAC, "mac_lomac_label", "MAC/LOMAC labels");
 
 static struct mac_lomac *
 lomac_alloc(int flag)
 {
 	struct mac_lomac *ml;
 
 	ml = malloc(sizeof(*ml), M_LOMAC, M_ZERO | flag);
 
 	return (ml);
 }
 
 static void
 lomac_free(struct mac_lomac *ml)
 {
 
 	if (ml != NULL)
 		free(ml, M_LOMAC);
 	else
 		atomic_add_int(&destroyed_not_inited, 1);
 }
 
 static int
 lomac_atmostflags(struct mac_lomac *ml, int flags)
 {
 
 	if ((ml->ml_flags & flags) != ml->ml_flags)
 		return (EINVAL);
 	return (0);
 }
 
 static int
 lomac_dominate_element(struct mac_lomac_element *a,
     struct mac_lomac_element *b)
 {
 
 	switch (a->mle_type) {
 	case MAC_LOMAC_TYPE_EQUAL:
 	case MAC_LOMAC_TYPE_HIGH:
 		return (1);
 
 	case MAC_LOMAC_TYPE_LOW:
 		switch (b->mle_type) {
 		case MAC_LOMAC_TYPE_GRADE:
 		case MAC_LOMAC_TYPE_HIGH:
 			return (0);
 
 		case MAC_LOMAC_TYPE_EQUAL:
 		case MAC_LOMAC_TYPE_LOW:
 			return (1);
 
 		default:
 			panic("lomac_dominate_element: b->mle_type invalid");
 		}
 
 	case MAC_LOMAC_TYPE_GRADE:
 		switch (b->mle_type) {
 		case MAC_LOMAC_TYPE_EQUAL:
 		case MAC_LOMAC_TYPE_LOW:
 			return (1);
 
 		case MAC_LOMAC_TYPE_HIGH:
 			return (0);
 
 		case MAC_LOMAC_TYPE_GRADE:
 			return (a->mle_grade >= b->mle_grade);
 
 		default:
 			panic("lomac_dominate_element: b->mle_type invalid");
 		}
 
 	default:
 		panic("lomac_dominate_element: a->mle_type invalid");
 	}
 }
 
 static int
 lomac_range_in_range(struct mac_lomac *rangea, struct mac_lomac *rangeb)
 {
 
 	return (lomac_dominate_element(&rangeb->ml_rangehigh,
 	    &rangea->ml_rangehigh) &&
 	    lomac_dominate_element(&rangea->ml_rangelow,
 	    &rangeb->ml_rangelow));
 }
 
 static int
 lomac_single_in_range(struct mac_lomac *single, struct mac_lomac *range)
 {
 
 	KASSERT((single->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
 	    ("lomac_single_in_range: a not single"));
 	KASSERT((range->ml_flags & MAC_LOMAC_FLAG_RANGE) != 0,
 	    ("lomac_single_in_range: b not range"));
 
 	return (lomac_dominate_element(&range->ml_rangehigh,
 	    &single->ml_single) && lomac_dominate_element(&single->ml_single,
 	    &range->ml_rangelow));
 }
 
 static int
 lomac_auxsingle_in_range(struct mac_lomac *single, struct mac_lomac *range)
 {
 
 	KASSERT((single->ml_flags & MAC_LOMAC_FLAG_AUX) != 0,
 	    ("lomac_single_in_range: a not auxsingle"));
 	KASSERT((range->ml_flags & MAC_LOMAC_FLAG_RANGE) != 0,
 	    ("lomac_single_in_range: b not range"));
 
 	return (lomac_dominate_element(&range->ml_rangehigh,
 	    &single->ml_auxsingle) &&
 	    lomac_dominate_element(&single->ml_auxsingle,
 	    &range->ml_rangelow));
 }
 
 static int
 lomac_dominate_single(struct mac_lomac *a, struct mac_lomac *b)
 {
 	KASSERT((a->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
 	    ("lomac_dominate_single: a not single"));
 	KASSERT((b->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
 	    ("lomac_dominate_single: b not single"));
 
 	return (lomac_dominate_element(&a->ml_single, &b->ml_single));
 }
 
 static int
 lomac_subject_dominate(struct mac_lomac *a, struct mac_lomac *b)
 {
 	KASSERT((~a->ml_flags &
 	    (MAC_LOMAC_FLAG_SINGLE | MAC_LOMAC_FLAG_RANGE)) == 0,
 	    ("lomac_dominate_single: a not subject"));
 	KASSERT((b->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
 	    ("lomac_dominate_single: b not single"));
 
 	return (lomac_dominate_element(&a->ml_rangehigh, &b->ml_single));
 }
 
 static int
 lomac_equal_element(struct mac_lomac_element *a, struct mac_lomac_element *b)
 {
 
 	if (a->mle_type == MAC_LOMAC_TYPE_EQUAL ||
 	    b->mle_type == MAC_LOMAC_TYPE_EQUAL)
 		return (1);
 
 	return (a->mle_type == b->mle_type && a->mle_grade == b->mle_grade);
 }
 
 static int
 lomac_equal_single(struct mac_lomac *a, struct mac_lomac *b)
 {
 
 	KASSERT((a->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
 	    ("lomac_equal_single: a not single"));
 	KASSERT((b->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
 	    ("lomac_equal_single: b not single"));
 
 	return (lomac_equal_element(&a->ml_single, &b->ml_single));
 }
 
 static int
 lomac_contains_equal(struct mac_lomac *ml)
 {
 
 	if (ml->ml_flags & MAC_LOMAC_FLAG_SINGLE)
 		if (ml->ml_single.mle_type == MAC_LOMAC_TYPE_EQUAL)
 			return (1);
 	if (ml->ml_flags & MAC_LOMAC_FLAG_AUX)
 		if (ml->ml_auxsingle.mle_type == MAC_LOMAC_TYPE_EQUAL)
 			return (1);
 
 	if (ml->ml_flags & MAC_LOMAC_FLAG_RANGE) {
 		if (ml->ml_rangelow.mle_type == MAC_LOMAC_TYPE_EQUAL)
 			return (1);
 		if (ml->ml_rangehigh.mle_type == MAC_LOMAC_TYPE_EQUAL)
 			return (1);
 	}
 
 	return (0);
 }
 
 static int
 lomac_subject_privileged(struct mac_lomac *ml)
 {
 
 	KASSERT((ml->ml_flags & MAC_LOMAC_FLAGS_BOTH) ==
 	    MAC_LOMAC_FLAGS_BOTH,
 	    ("lomac_subject_privileged: subject doesn't have both labels"));
 
 	/* If the single is EQUAL, it's ok. */
 	if (ml->ml_single.mle_type == MAC_LOMAC_TYPE_EQUAL)
 		return (0);
 
 	/* If either range endpoint is EQUAL, it's ok. */
 	if (ml->ml_rangelow.mle_type == MAC_LOMAC_TYPE_EQUAL ||
 	    ml->ml_rangehigh.mle_type == MAC_LOMAC_TYPE_EQUAL)
 		return (0);
 
 	/* If the range is low-high, it's ok. */
 	if (ml->ml_rangelow.mle_type == MAC_LOMAC_TYPE_LOW &&
 	    ml->ml_rangehigh.mle_type == MAC_LOMAC_TYPE_HIGH)
 		return (0);
 
 	/* It's not ok. */
 	return (EPERM);
 }
 
 static int
 lomac_high_single(struct mac_lomac *ml)
 {
 
 	KASSERT((ml->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
 	    ("lomac_high_single: mac_lomac not single"));
 
 	return (ml->ml_single.mle_type == MAC_LOMAC_TYPE_HIGH);
 }
 
 static int
 lomac_valid(struct mac_lomac *ml)
 {
 
 	if (ml->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
 		switch (ml->ml_single.mle_type) {
 		case MAC_LOMAC_TYPE_GRADE:
 		case MAC_LOMAC_TYPE_EQUAL:
 		case MAC_LOMAC_TYPE_HIGH:
 		case MAC_LOMAC_TYPE_LOW:
 			break;
 
 		default:
 			return (EINVAL);
 		}
 	} else {
 		if (ml->ml_single.mle_type != MAC_LOMAC_TYPE_UNDEF)
 			return (EINVAL);
 	}
 
 	if (ml->ml_flags & MAC_LOMAC_FLAG_AUX) {
 		switch (ml->ml_auxsingle.mle_type) {
 		case MAC_LOMAC_TYPE_GRADE:
 		case MAC_LOMAC_TYPE_EQUAL:
 		case MAC_LOMAC_TYPE_HIGH:
 		case MAC_LOMAC_TYPE_LOW:
 			break;
 
 		default:
 			return (EINVAL);
 		}
 	} else {
 		if (ml->ml_auxsingle.mle_type != MAC_LOMAC_TYPE_UNDEF)
 			return (EINVAL);
 	}
 
 	if (ml->ml_flags & MAC_LOMAC_FLAG_RANGE) {
 		switch (ml->ml_rangelow.mle_type) {
 		case MAC_LOMAC_TYPE_GRADE:
 		case MAC_LOMAC_TYPE_EQUAL:
 		case MAC_LOMAC_TYPE_HIGH:
 		case MAC_LOMAC_TYPE_LOW:
 			break;
 
 		default:
 			return (EINVAL);
 		}
 
 		switch (ml->ml_rangehigh.mle_type) {
 		case MAC_LOMAC_TYPE_GRADE:
 		case MAC_LOMAC_TYPE_EQUAL:
 		case MAC_LOMAC_TYPE_HIGH:
 		case MAC_LOMAC_TYPE_LOW:
 			break;
 
 		default:
 			return (EINVAL);
 		}
 		if (!lomac_dominate_element(&ml->ml_rangehigh,
 		    &ml->ml_rangelow))
 			return (EINVAL);
 	} else {
 		if (ml->ml_rangelow.mle_type != MAC_LOMAC_TYPE_UNDEF ||
 		    ml->ml_rangehigh.mle_type != MAC_LOMAC_TYPE_UNDEF)
 			return (EINVAL);
 	}
 
 	return (0);
 }
 
 static void
 lomac_set_range(struct mac_lomac *ml, u_short typelow, u_short gradelow,
     u_short typehigh, u_short gradehigh)
 {
 
 	ml->ml_rangelow.mle_type = typelow;
 	ml->ml_rangelow.mle_grade = gradelow;
 	ml->ml_rangehigh.mle_type = typehigh;
 	ml->ml_rangehigh.mle_grade = gradehigh;
 	ml->ml_flags |= MAC_LOMAC_FLAG_RANGE;
 }
 
 static void
 lomac_set_single(struct mac_lomac *ml, u_short type, u_short grade)
 {
 
 	ml->ml_single.mle_type = type;
 	ml->ml_single.mle_grade = grade;
 	ml->ml_flags |= MAC_LOMAC_FLAG_SINGLE;
 }
 
 static void
 lomac_copy_range(struct mac_lomac *labelfrom, struct mac_lomac *labelto)
 {
 
 	KASSERT((labelfrom->ml_flags & MAC_LOMAC_FLAG_RANGE) != 0,
 	    ("lomac_copy_range: labelfrom not range"));
 
 	labelto->ml_rangelow = labelfrom->ml_rangelow;
 	labelto->ml_rangehigh = labelfrom->ml_rangehigh;
 	labelto->ml_flags |= MAC_LOMAC_FLAG_RANGE;
 }
 
 static void
 lomac_copy_single(struct mac_lomac *labelfrom, struct mac_lomac *labelto)
 {
 
 	KASSERT((labelfrom->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
 	    ("lomac_copy_single: labelfrom not single"));
 
 	labelto->ml_single = labelfrom->ml_single;
 	labelto->ml_flags |= MAC_LOMAC_FLAG_SINGLE;
 }
 
 static void
 lomac_copy_auxsingle(struct mac_lomac *labelfrom, struct mac_lomac *labelto)
 {
 
 	KASSERT((labelfrom->ml_flags & MAC_LOMAC_FLAG_AUX) != 0,
 	    ("lomac_copy_auxsingle: labelfrom not auxsingle"));
 
 	labelto->ml_auxsingle = labelfrom->ml_auxsingle;
 	labelto->ml_flags |= MAC_LOMAC_FLAG_AUX;
 }
 
 static void
 lomac_copy(struct mac_lomac *source, struct mac_lomac *dest)
 {
 
 	if (source->ml_flags & MAC_LOMAC_FLAG_SINGLE)
 		lomac_copy_single(source, dest);
 	if (source->ml_flags & MAC_LOMAC_FLAG_AUX)
 		lomac_copy_auxsingle(source, dest);
 	if (source->ml_flags & MAC_LOMAC_FLAG_RANGE)
 		lomac_copy_range(source, dest);
 }
 
 static int	lomac_to_string(struct sbuf *sb, struct mac_lomac *ml);
 
 static int
 maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel,
     const char *actionname, const char *objname, struct vnode *vp)
 {
 	struct sbuf subjlabel_sb, subjtext_sb, objlabel_sb;
 	char *subjlabeltext, *objlabeltext, *subjtext;
 	struct mac_lomac cached_subjlabel;
 	struct mac_lomac_proc *subj;
 	struct vattr va;
 	struct proc *p;
 	pid_t pgid;
 
 	subj = PSLOT(curthread->td_proc->p_label);
 
 	p = curthread->td_proc;
 	mtx_lock(&subj->mtx);
         if (subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) {
 		/*
 		 * Check to see if the pending demotion would be more or less
 		 * severe than this one, and keep the more severe.  This can
 		 * only happen for a multi-threaded application.
 		 */
 		if (lomac_dominate_single(objlabel, &subj->mac_lomac)) {
 			mtx_unlock(&subj->mtx);
 			return (0);
 		}
 	}
 	bzero(&subj->mac_lomac, sizeof(subj->mac_lomac));
 	/*
 	 * Always demote the single label.
 	 */
 	lomac_copy_single(objlabel, &subj->mac_lomac);
 	/*
 	 * Start with the original range, then minimize each side of the
 	 * range to the point of not dominating the object.  The high side
 	 * will always be demoted, of course.
 	 */
 	lomac_copy_range(subjlabel, &subj->mac_lomac);
 	if (!lomac_dominate_element(&objlabel->ml_single,
 	    &subj->mac_lomac.ml_rangelow))
 		subj->mac_lomac.ml_rangelow = objlabel->ml_single;
 	subj->mac_lomac.ml_rangehigh = objlabel->ml_single;
 	subj->mac_lomac.ml_flags |= MAC_LOMAC_FLAG_UPDATE;
 	ast_sched(curthread, TDA_MAC);
 
 	/*
 	 * Avoid memory allocation while holding a mutex; cache the label.
 	 */
 	lomac_copy_single(&subj->mac_lomac, &cached_subjlabel);
 	mtx_unlock(&subj->mtx);
 
 	sbuf_new(&subjlabel_sb, NULL, 0, SBUF_AUTOEXTEND);
 	lomac_to_string(&subjlabel_sb, subjlabel);
 	sbuf_finish(&subjlabel_sb);
 	subjlabeltext = sbuf_data(&subjlabel_sb);
 
 	sbuf_new(&subjtext_sb, NULL, 0, SBUF_AUTOEXTEND);
 	lomac_to_string(&subjtext_sb, &subj->mac_lomac);
 	sbuf_finish(&subjtext_sb);
 	subjtext = sbuf_data(&subjtext_sb);
 
 	sbuf_new(&objlabel_sb, NULL, 0, SBUF_AUTOEXTEND);
 	lomac_to_string(&objlabel_sb, objlabel);
 	sbuf_finish(&objlabel_sb);
 	objlabeltext = sbuf_data(&objlabel_sb);
 
 	pgid = p->p_pgrp->pg_id;		/* XXX could be stale? */
 	if (vp != NULL && VOP_GETATTR(vp, &va, curthread->td_ucred) == 0) {
 		log(LOG_INFO, "LOMAC: level-%s subject p%dg%du%d:%s demoted to"
 		    " level %s after %s a level-%s %s (inode=%ju, "
 		    "mountpount=%s)\n",
 		    subjlabeltext, p->p_pid, pgid, curthread->td_ucred->cr_uid,
 		    p->p_comm, subjtext, actionname, objlabeltext, objname,
 		    (uintmax_t)va.va_fileid, vp->v_mount->mnt_stat.f_mntonname);
 	} else {
 		log(LOG_INFO, "LOMAC: level-%s subject p%dg%du%d:%s demoted to"
 		    " level %s after %s a level-%s %s\n",
 		    subjlabeltext, p->p_pid, pgid, curthread->td_ucred->cr_uid,
 		    p->p_comm, subjtext, actionname, objlabeltext, objname);
 	}
 
 	sbuf_delete(&subjlabel_sb);
 	sbuf_delete(&subjtext_sb);
 	sbuf_delete(&objlabel_sb);
 		
 	return (0);
 }
 
 /*
  * Relabel "to" to "from" only if "from" is a valid label (contains at least
  * a single), as for a relabel operation which may or may not involve a
  * relevant label.
  */
 static void
 try_relabel(struct mac_lomac *from, struct mac_lomac *to)
 {
 
 	if (from->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
 		bzero(to, sizeof(*to));
 		lomac_copy(from, to);
 	}
 }
 
 static void
 ast_mac(struct thread *td, int tda __unused)
 {
 	mac_thread_userret(td);
 }
 
 /*
  * Policy module operations.
  */
 static void
 lomac_init(struct mac_policy_conf *conf __unused)
 {
 	ast_register(TDA_MAC, ASTR_ASTF_REQUIRED, 0, ast_mac);
 }
 
 static void
 lomac_fini(struct mac_policy_conf *conf __unused)
 {
 	ast_deregister(TDA_MAC);
 }
 
 /*
  * Label operations.
  */
 static void
 lomac_init_label(struct label *label)
 {
 
 	SLOT_SET(label, lomac_alloc(M_WAITOK));
 }
 
 static int
 lomac_init_label_waitcheck(struct label *label, int flag)
 {
 
 	SLOT_SET(label, lomac_alloc(flag));
 	if (SLOT(label) == NULL)
 		return (ENOMEM);
 
 	return (0);
 }
 
 static void
 lomac_destroy_label(struct label *label)
 {
 
 	lomac_free(SLOT(label));
 	SLOT_SET(label, NULL);
 }
 
 static int
 lomac_element_to_string(struct sbuf *sb, struct mac_lomac_element *element)
 {
 
 	switch (element->mle_type) {
 	case MAC_LOMAC_TYPE_HIGH:
 		return (sbuf_printf(sb, "high"));
 
 	case MAC_LOMAC_TYPE_LOW:
 		return (sbuf_printf(sb, "low"));
 
 	case MAC_LOMAC_TYPE_EQUAL:
 		return (sbuf_printf(sb, "equal"));
 
 	case MAC_LOMAC_TYPE_GRADE:
 		return (sbuf_printf(sb, "%d", element->mle_grade));
 
 	default:
 		panic("lomac_element_to_string: invalid type (%d)",
 		    element->mle_type);
 	}
 }
 
 static int
 lomac_to_string(struct sbuf *sb, struct mac_lomac *ml)
 {
 
 	if (ml->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
 		if (lomac_element_to_string(sb, &ml->ml_single) == -1)
 			return (EINVAL);
 	}
 
 	if (ml->ml_flags & MAC_LOMAC_FLAG_AUX) {
 		if (sbuf_putc(sb, '[') == -1)
 			return (EINVAL);
 
 		if (lomac_element_to_string(sb, &ml->ml_auxsingle) == -1)
 			return (EINVAL);
 
 		if (sbuf_putc(sb, ']') == -1)
 			return (EINVAL);
 	}
 
 	if (ml->ml_flags & MAC_LOMAC_FLAG_RANGE) {
 		if (sbuf_putc(sb, '(') == -1)
 			return (EINVAL);
 
 		if (lomac_element_to_string(sb, &ml->ml_rangelow) == -1)
 			return (EINVAL);
 
 		if (sbuf_putc(sb, '-') == -1)
 			return (EINVAL);
 
 		if (lomac_element_to_string(sb, &ml->ml_rangehigh) == -1)
 			return (EINVAL);
 
 		if (sbuf_putc(sb, ')') == -1)
 			return (EINVAL);
 	}
 
 	return (0);
 }
 
 static int
 lomac_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
 {
 	struct mac_lomac *ml;
 
 	if (strcmp(MAC_LOMAC_LABEL_NAME, element_name) != 0)
 		return (0);
 
 	(*claimed)++;
 
 	ml = SLOT(label);
 
 	return (lomac_to_string(sb, ml));
 }
 
 static int
 lomac_parse_element(struct mac_lomac_element *element, char *string)
 {
 
 	if (strcmp(string, "high") == 0 || strcmp(string, "hi") == 0) {
 		element->mle_type = MAC_LOMAC_TYPE_HIGH;
 		element->mle_grade = MAC_LOMAC_TYPE_UNDEF;
 	} else if (strcmp(string, "low") == 0 || strcmp(string, "lo") == 0) {
 		element->mle_type = MAC_LOMAC_TYPE_LOW;
 		element->mle_grade = MAC_LOMAC_TYPE_UNDEF;
 	} else if (strcmp(string, "equal") == 0 ||
 	    strcmp(string, "eq") == 0) {
 		element->mle_type = MAC_LOMAC_TYPE_EQUAL;
 		element->mle_grade = MAC_LOMAC_TYPE_UNDEF;
 	} else {
 		char *p0, *p1;
 		int d;
 
 		p0 = string;
 		d = strtol(p0, &p1, 10);
 
 		if (d < 0 || d > 65535)
 			return (EINVAL);
 		element->mle_type = MAC_LOMAC_TYPE_GRADE;
 		element->mle_grade = d;
 
 		if (p1 == p0 || *p1 != '\0')
 			return (EINVAL);
 	}
 
 	return (0);
 }
 
 /*
  * Note: destructively consumes the string, make a local copy before calling
  * if that's a problem.
  */
 static int
 lomac_parse(struct mac_lomac *ml, char *string)
 {
 	char *range, *rangeend, *rangehigh, *rangelow, *single, *auxsingle,
 	    *auxsingleend;
 	int error;
 
 	/* Do we have a range? */
 	single = string;
 	range = strchr(string, '(');
 	if (range == single)
 		single = NULL;
 	auxsingle = strchr(string, '[');
 	if (auxsingle == single)
 		single = NULL;
 	if (range != NULL && auxsingle != NULL)
 		return (EINVAL);
 	rangelow = rangehigh = NULL;
 	if (range != NULL) {
 		/* Nul terminate the end of the single string. */
 		*range = '\0';
 		range++;
 		rangelow = range;
 		rangehigh = strchr(rangelow, '-');
 		if (rangehigh == NULL)
 			return (EINVAL);
 		rangehigh++;
 		if (*rangelow == '\0' || *rangehigh == '\0')
 			return (EINVAL);
 		rangeend = strchr(rangehigh, ')');
 		if (rangeend == NULL)
 			return (EINVAL);
 		if (*(rangeend + 1) != '\0')
 			return (EINVAL);
 		/* Nul terminate the ends of the ranges. */
 		*(rangehigh - 1) = '\0';
 		*rangeend = '\0';
 	}
 	KASSERT((rangelow != NULL && rangehigh != NULL) ||
 	    (rangelow == NULL && rangehigh == NULL),
 	    ("lomac_internalize_label: range mismatch"));
 	if (auxsingle != NULL) {
 		/* Nul terminate the end of the single string. */
 		*auxsingle = '\0';
 		auxsingle++;
 		auxsingleend = strchr(auxsingle, ']');
 		if (auxsingleend == NULL)
 			return (EINVAL);
 		if (*(auxsingleend + 1) != '\0')
 			return (EINVAL);
 		/* Nul terminate the end of the auxsingle. */
 		*auxsingleend = '\0';
 	}
 
 	bzero(ml, sizeof(*ml));
 	if (single != NULL) {
 		error = lomac_parse_element(&ml->ml_single, single);
 		if (error)
 			return (error);
 		ml->ml_flags |= MAC_LOMAC_FLAG_SINGLE;
 	}
 
 	if (auxsingle != NULL) {
 		error = lomac_parse_element(&ml->ml_auxsingle, auxsingle);
 		if (error)
 			return (error);
 		ml->ml_flags |= MAC_LOMAC_FLAG_AUX;
 	}
 
 	if (rangelow != NULL) {
 		error = lomac_parse_element(&ml->ml_rangelow, rangelow);
 		if (error)
 			return (error);
 		error = lomac_parse_element(&ml->ml_rangehigh, rangehigh);
 		if (error)
 			return (error);
 		ml->ml_flags |= MAC_LOMAC_FLAG_RANGE;
 	}
 
 	error = lomac_valid(ml);
 	if (error)
 		return (error);
 
 	return (0);
 }
 
 static int
 lomac_internalize_label(struct label *label, char *element_name,
     char *element_data, int *claimed)
 {
 	struct mac_lomac *ml, ml_temp;
 	int error;
 
 	if (strcmp(MAC_LOMAC_LABEL_NAME, element_name) != 0)
 		return (0);
 
 	(*claimed)++;
 
 	error = lomac_parse(&ml_temp, element_data);
 	if (error)
 		return (error);
 
 	ml = SLOT(label);
 	*ml = ml_temp;
 
 	return (0);
 }
 
 static void
 lomac_copy_label(struct label *src, struct label *dest)
 {
 
 	*SLOT(dest) = *SLOT(src);
 }
 
 /*
  * Object-specific entry point implementations are sorted alphabetically by
  * object type name and then by operation.
  */
 static int
 lomac_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
     struct ifnet *ifp, struct label *ifplabel)
 {
 	struct mac_lomac *a, *b;
 
 	if (!lomac_enabled)
 		return (0);
 
 	a = SLOT(dlabel);
 	b = SLOT(ifplabel);
 
 	if (lomac_equal_single(a, b))
 		return (0);
 	return (EACCES);
 }
 
 static void
 lomac_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
     struct label *dlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(dlabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(dlabel);
 	dest = SLOT(mlabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static int
 lomac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct mac_lomac *subj, *new;
 	int error;
 
 	subj = SLOT(cred->cr_label);
 	new = SLOT(newlabel);
 
 	/*
 	 * If there is a LOMAC label update for the credential, it may be an
 	 * update of the single, range, or both.
 	 */
 	error = lomac_atmostflags(new, MAC_LOMAC_FLAGS_BOTH);
 	if (error)
 		return (error);
 
 	/*
 	 * If the LOMAC label is to be changed, authorize as appropriate.
 	 */
 	if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) {
 		/*
 		 * Fill in the missing parts from the previous label.
 		 */
 		if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
 			lomac_copy_single(subj, new);
 		if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0)
 			lomac_copy_range(subj, new);
 
 		/*
 		 * To change the LOMAC range on a credential, the new range
 		 * label must be in the current range.
 		 */
 		if (!lomac_range_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the LOMAC single label on a credential, the new
 		 * single label must be in the new range.  Implicitly from
 		 * the previous check, the new single is in the old range.
 		 */
 		if (!lomac_single_in_range(new, new))
 			return (EPERM);
 
 		/*
 		 * To have EQUAL in any component of the new credential LOMAC
 		 * label, the subject must already have EQUAL in their label.
 		 */
 		if (lomac_contains_equal(new)) {
 			error = lomac_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 
 		/*
 		 * XXXMAC: Additional consistency tests regarding the single
 		 * and range of the new label might be performed here.
 		 */
 	}
 
 	return (0);
 }
 
 static int
 lomac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cr1->cr_label);
 	obj = SLOT(cr2->cr_label);
 
 	/* XXX: range */
 	if (!lomac_dominate_single(obj, subj))
 		return (ESRCH);
 
 	return (0);
 }
 
 static void
 lomac_cred_create_init(struct ucred *cred)
 {
 	struct mac_lomac *dest;
 
 	dest = SLOT(cred->cr_label);
 
 	lomac_set_single(dest, MAC_LOMAC_TYPE_HIGH, 0);
 	lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
 }
 
 static void
 lomac_cred_create_swapper(struct ucred *cred)
 {
 	struct mac_lomac *dest;
 
 	dest = SLOT(cred->cr_label);
 
 	lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
 	lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
 }
 
 static void
 lomac_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(newlabel);
 	dest = SLOT(cred->cr_label);
 
 	try_relabel(source, dest);
 }
 
 static void
 lomac_devfs_create_device(struct ucred *cred, struct mount *mp,
     struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
 {
 	struct mac_lomac *ml;
 	const char *dn;
 	int lomac_type;
 
 	ml = SLOT(delabel);
 	dn = devtoname(dev);
 	if (strcmp(dn, "null") == 0 ||
 	    strcmp(dn, "zero") == 0 ||
 	    strcmp(dn, "random") == 0 ||
 	    strncmp(dn, "fd/", strlen("fd/")) == 0 ||
 	    strncmp(dn, "ttyv", strlen("ttyv")) == 0)
 		lomac_type = MAC_LOMAC_TYPE_EQUAL;
 	else if (ptys_equal &&
 	    (strncmp(dn, "ttyp", strlen("ttyp")) == 0 ||
 	    strncmp(dn, "pts/", strlen("pts/")) == 0 ||
 	    strncmp(dn, "ptyp", strlen("ptyp")) == 0))
 		lomac_type = MAC_LOMAC_TYPE_EQUAL;
 	else
 		lomac_type = MAC_LOMAC_TYPE_HIGH;
 	lomac_set_single(ml, lomac_type, 0);
 }
 
 static void
 lomac_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
     struct devfs_dirent *de, struct label *delabel)
 {
 	struct mac_lomac *ml;
 
 	ml = SLOT(delabel);
 	lomac_set_single(ml, MAC_LOMAC_TYPE_HIGH, 0);
 }
 
 static void
 lomac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
     struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
     struct label *delabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(delabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_devfs_update(struct mount *mp, struct devfs_dirent *de,
     struct label *delabel, struct vnode *vp, struct label *vplabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(vplabel);
 	dest = SLOT(delabel);
 
 	lomac_copy(source, dest);
 }
 
 static void
 lomac_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
     struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(delabel);
 	dest = SLOT(vplabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static int
 lomac_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
     struct label *ifplabel, struct label *newlabel)
 {
 	struct mac_lomac *subj, *new;
 	int error;
 
 	subj = SLOT(cred->cr_label);
 	new = SLOT(newlabel);
 
 	/*
 	 * If there is a LOMAC label update for the interface, it may be an
 	 * update of the single, range, or both.
 	 */
 	error = lomac_atmostflags(new, MAC_LOMAC_FLAGS_BOTH);
 	if (error)
 		return (error);
 
 	/*
 	 * Relabling network interfaces requires LOMAC privilege.
 	 */
 	error = lomac_subject_privileged(subj);
 	if (error)
 		return (error);
 
 	/*
 	 * If the LOMAC label is to be changed, authorize as appropriate.
 	 */
 	if (new->ml_flags & MAC_LOMAC_FLAGS_BOTH) {
 		/*
 		 * Fill in the missing parts from the previous label.
 		 */
 		if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
 			lomac_copy_single(subj, new);
 		if ((new->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0)
 			lomac_copy_range(subj, new);
 
 		/*
 		 * Rely on the traditional superuser status for the LOMAC
 		 * interface relabel requirements.  XXXMAC: This will go
 		 * away.
 		 *
 		 * XXXRW: This is also redundant to a higher layer check.
 		 */
 		error = priv_check_cred(cred, PRIV_NET_SETIFMAC);
 		if (error)
 			return (EPERM);
 
 		/*
 		 * XXXMAC: Additional consistency tests regarding the single
 		 * and the range of the new label might be performed here.
 		 */
 	}
 
 	return (0);
 }
 
 static int
 lomac_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *p, *i;
 
 	if (!lomac_enabled)
 		return (0);
 
 	p = SLOT(mlabel);
 	i = SLOT(ifplabel);
 
 	return (lomac_single_in_range(p, i) ? 0 : EACCES);
 }
 
 static void
 lomac_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 {
 	char tifname[IFNAMSIZ], *p, *q;
 	char tiflist[sizeof(trusted_interfaces)];
 	struct mac_lomac *dest;
 	int len, grade;
 
 	dest = SLOT(ifplabel);
 
 	if (if_gettype(ifp) == IFT_LOOP) {
 		grade = MAC_LOMAC_TYPE_EQUAL;
 		goto set;
 	}
 
 	if (trust_all_interfaces) {
 		grade = MAC_LOMAC_TYPE_HIGH;
 		goto set;
 	}
 
 	grade = MAC_LOMAC_TYPE_LOW;
 
 	if (trusted_interfaces[0] == '\0' ||
 	    !strvalid(trusted_interfaces, sizeof(trusted_interfaces)))
 		goto set;
 
 	bzero(tiflist, sizeof(tiflist));
 	for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++)
 		if(*p != ' ' && *p != '\t')
 			*q = *p;
 
 	for (p = q = tiflist;; p++) {
 		if (*p == ',' || *p == '\0') {
 			len = p - q;
 			if (len < IFNAMSIZ) {
 				bzero(tifname, sizeof(tifname));
 				bcopy(q, tifname, len);
 				if (strcmp(tifname, if_name(ifp)) == 0) {
 					grade = MAC_LOMAC_TYPE_HIGH;
 					break;
 				}
 			}
 			else {
 				*p = '\0';
 				printf("MAC/LOMAC warning: interface name "
 				    "\"%s\" is too long (must be < %d)\n",
 				    q, IFNAMSIZ);
 			}
 			if (*p == '\0')
 				break;
 			q = p + 1;
 		}
 	}
 set:
 	lomac_set_single(dest, grade, 0);
 	lomac_set_range(dest, grade, 0, grade, 0);
 }
 
 static void
 lomac_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(ifplabel);
 	dest = SLOT(mlabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
     struct label *ifplabel, struct label *newlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(newlabel);
 	dest = SLOT(ifplabel);
 
 	try_relabel(source, dest);
 }
 
 static int
 lomac_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *p, *i;
 
 	if (!lomac_enabled)
 		return (0);
 
 	p = SLOT(mlabel);
 	i = SLOT(inplabel);
 
 	return (lomac_equal_single(p, i) ? 0 : EACCES);
 }
 
 static int
 lomac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
     struct label *inplabel)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(inplabel);
 
 	if (!lomac_dominate_single(obj, subj))
 		return (ENOENT);
 
 	return (0);
 }
 
 static void
 lomac_inpcb_create(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(solabel);
 	dest = SLOT(inplabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(inplabel);
 	dest = SLOT(mlabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
 {
 	struct mac_lomac *source, *dest;
 
 	SOCK_LOCK_ASSERT(so);
 
 	source = SLOT(solabel);
 	dest = SLOT(inplabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(mlabel);
 	dest = SLOT(q6label);
 
 	lomac_copy_single(source, dest);
 }
 
 static int
 lomac_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 	struct mac_lomac *a, *b;
 
 	a = SLOT(q6label);
 	b = SLOT(mlabel);
 
 	return (lomac_equal_single(a, b));
 }
 
 static void
 lomac_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
     struct label *mlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(q6label);
 	dest = SLOT(mlabel);
 
 	/* Just use the head, since we require them all to match. */
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 
 	/* NOOP: we only accept matching labels, so no need to update */
 }
 
 static void
 lomac_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(mlabel);
 	dest = SLOT(qlabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static int
 lomac_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 	struct mac_lomac *a, *b;
 
 	a = SLOT(qlabel);
 	b = SLOT(mlabel);
 
 	return (lomac_equal_single(a, b));
 }
 
 static void
 lomac_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m,
     struct label *mlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(qlabel);
 	dest = SLOT(mlabel);
 
 	/* Just use the head, since we require them all to match. */
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 
 	/* NOOP: we only accept matching labels, so no need to update */
 }
 
 static int
 lomac_kld_check_load(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (lomac_subject_privileged(subj))
 		return (EPERM);
 
 	if (!lomac_high_single(obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 lomac_mount_create(struct ucred *cred, struct mount *mp,
     struct label *mplabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(mplabel);
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *dest;
 
 	dest = SLOT(mlabel);
 
 	lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
 }
 
 static void
 lomac_netinet_firewall_reply(struct mbuf *mrecv, struct label *mrecvlabel,
     struct mbuf *msend, struct label *msendlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(mrecvlabel);
 	dest = SLOT(msendlabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *dest;
 
 	dest = SLOT(mlabel);
 
 	/* XXX: where is the label for the firewall really coming from? */
 	lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
 }
 
 static void
 lomac_netinet_fragment(struct mbuf *m, struct label *mlabel,
     struct mbuf *frag, struct label *fraglabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(mlabel);
 	dest = SLOT(fraglabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
     struct mbuf *msend, struct label *msendlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(mrecvlabel);
 	dest = SLOT(msendlabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *dest;
 
 	dest = SLOT(mlabel);
 
 	lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
 }
 
 static void
 lomac_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *dest;
 
 	dest = SLOT(mlabel);
 
 	lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
 }
 
 static int
 lomac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
 {
 
 	if (!lomac_enabled)
 		return (0);
 
 	/* XXX: This will be implemented soon... */
 
 	return (0);
 }
 
 static int
 lomac_pipe_check_read(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	if (!lomac_dominate_single(obj, subj))
 		return (maybe_demote(subj, obj, "reading", "pipe", NULL));
 
 	return (0);
 }
 
 static int
 lomac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, struct label *newlabel)
 {
 	struct mac_lomac *subj, *obj, *new;
 	int error;
 
 	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	/*
 	 * If there is a LOMAC label update for a pipe, it must be a single
 	 * update.
 	 */
 	error = lomac_atmostflags(new, MAC_LOMAC_FLAG_SINGLE);
 	if (error)
 		return (error);
 
 	/*
 	 * To perform a relabel of a pipe (LOMAC label or not), LOMAC must
 	 * authorize the relabel.
 	 */
 	if (!lomac_single_in_range(obj, subj))
 		return (EPERM);
 
 	/*
 	 * If the LOMAC label is to be changed, authorize as appropriate.
 	 */
 	if (new->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
 		/*
 		 * To change the LOMAC label on a pipe, the new pipe label
 		 * must be in the subject range.
 		 */
 		if (!lomac_single_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the LOMAC label on a pipe to be EQUAL, the
 		 * subject must have appropriate privilege.
 		 */
 		if (lomac_contains_equal(new)) {
 			error = lomac_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 	}
 
 	return (0);
 }
 
 static int
 lomac_pipe_check_write(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 lomac_pipe_create(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(pplabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, struct label *newlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(newlabel);
 	dest = SLOT(pplabel);
 
 	try_relabel(source, dest);
 }
 
 /*
  * Some system privileges are allowed regardless of integrity grade; others
  * are allowed only when running with privilege with respect to the LOMAC 
  * policy as they might otherwise allow bypassing of the integrity policy.
  */
 static int
 lomac_priv_check(struct ucred *cred, int priv)
 {
 	struct mac_lomac *subj;
 	int error;
 
 	if (!lomac_enabled)
 		return (0);
 
 	/*
 	 * Exempt only specific privileges from the LOMAC integrity policy.
 	 */
 	switch (priv) {
 	case PRIV_KTRACE:
 	case PRIV_MSGBUF:
 
 	/*
 	 * Allow processes to manipulate basic process audit properties, and
 	 * to submit audit records.
 	 */
 	case PRIV_AUDIT_GETAUDIT:
 	case PRIV_AUDIT_SETAUDIT:
 	case PRIV_AUDIT_SUBMIT:
 
 	/*
 	 * Allow processes to manipulate their regular UNIX credentials.
 	 */
 	case PRIV_CRED_SETUID:
 	case PRIV_CRED_SETEUID:
 	case PRIV_CRED_SETGID:
 	case PRIV_CRED_SETEGID:
 	case PRIV_CRED_SETGROUPS:
 	case PRIV_CRED_SETREUID:
 	case PRIV_CRED_SETREGID:
 	case PRIV_CRED_SETRESUID:
 	case PRIV_CRED_SETRESGID:
 
 	/*
 	 * Allow processes to perform system monitoring.
 	 */
 	case PRIV_SEEOTHERGIDS:
 	case PRIV_SEEOTHERUIDS:
 	case PRIV_SEEJAILPROC:
 		break;
 
 	/*
 	 * Allow access to general process debugging facilities.  We
 	 * separately control debugging based on MAC label.
 	 */
 	case PRIV_DEBUG_DIFFCRED:
 	case PRIV_DEBUG_SUGID:
 	case PRIV_DEBUG_UNPRIV:
 
 	/*
 	 * Allow manipulating jails.
 	 */
 	case PRIV_JAIL_ATTACH:
 
 	/*
 	 * Allow privilege with respect to the Partition policy, but not the
 	 * Privs policy.
 	 */
 	case PRIV_MAC_PARTITION:
 
 	/*
 	 * Allow privilege with respect to process resource limits and login
 	 * context.
 	 */
 	case PRIV_PROC_LIMIT:
 	case PRIV_PROC_SETLOGIN:
 	case PRIV_PROC_SETRLIMIT:
 
 	/*
 	 * Allow System V and POSIX IPC privileges.
 	 */
 	case PRIV_IPC_READ:
 	case PRIV_IPC_WRITE:
 	case PRIV_IPC_ADMIN:
 	case PRIV_IPC_MSGSIZE:
 	case PRIV_MQ_ADMIN:
 
 	/*
 	 * Allow certain scheduler manipulations -- possibly this should be
 	 * controlled by more fine-grained policy, as potentially low
 	 * integrity processes can deny CPU to higher integrity ones.
 	 */
 	case PRIV_SCHED_DIFFCRED:
 	case PRIV_SCHED_SETPRIORITY:
 	case PRIV_SCHED_RTPRIO:
 	case PRIV_SCHED_SETPOLICY:
 	case PRIV_SCHED_SET:
 	case PRIV_SCHED_SETPARAM:
 	case PRIV_SCHED_IDPRIO:
 
 	/*
 	 * More IPC privileges.
 	 */
 	case PRIV_SEM_WRITE:
 
 	/*
 	 * Allow signaling privileges subject to integrity policy.
 	 */
 	case PRIV_SIGNAL_DIFFCRED:
 	case PRIV_SIGNAL_SUGID:
 
 	/*
 	 * Allow access to only limited sysctls from lower integrity levels;
 	 * piggy-back on the Jail definition.
 	 */
 	case PRIV_SYSCTL_WRITEJAIL:
 
 	/*
 	 * Allow TTY-based privileges, subject to general device access using
 	 * labels on TTY device nodes, but not console privilege.
 	 */
 	case PRIV_TTY_DRAINWAIT:
 	case PRIV_TTY_DTRWAIT:
 	case PRIV_TTY_EXCLUSIVE:
 	case PRIV_TTY_STI:
 	case PRIV_TTY_SETA:
 
 	/*
 	 * Grant most VFS privileges, as almost all are in practice bounded
 	 * by more specific checks using labels.
 	 */
 	case PRIV_VFS_READ:
 	case PRIV_VFS_WRITE:
 	case PRIV_VFS_ADMIN:
 	case PRIV_VFS_EXEC:
 	case PRIV_VFS_LOOKUP:
 	case PRIV_VFS_CHFLAGS_DEV:
 	case PRIV_VFS_CHOWN:
 	case PRIV_VFS_CHROOT:
 	case PRIV_VFS_RETAINSUGID:
 	case PRIV_VFS_EXCEEDQUOTA:
 	case PRIV_VFS_FCHROOT:
 	case PRIV_VFS_FHOPEN:
 	case PRIV_VFS_FHSTATFS:
 	case PRIV_VFS_GENERATION:
 	case PRIV_VFS_GETFH:
 	case PRIV_VFS_GETQUOTA:
 	case PRIV_VFS_LINK:
 	case PRIV_VFS_MOUNT:
 	case PRIV_VFS_MOUNT_OWNER:
 	case PRIV_VFS_MOUNT_PERM:
 	case PRIV_VFS_MOUNT_SUIDDIR:
 	case PRIV_VFS_MOUNT_NONUSER:
 	case PRIV_VFS_SETGID:
 	case PRIV_VFS_STICKYFILE:
 	case PRIV_VFS_SYSFLAGS:
 	case PRIV_VFS_UNMOUNT:
 
 	/*
 	 * Allow VM privileges; it would be nice if these were subject to
 	 * resource limits.
 	 */
 	case PRIV_VM_MADV_PROTECT:
 	case PRIV_VM_MLOCK:
 	case PRIV_VM_MUNLOCK:
 	case PRIV_VM_SWAP_NOQUOTA:
 	case PRIV_VM_SWAP_NORLIMIT:
 
 	/*
 	 * Allow some but not all network privileges.  In general, dont allow
 	 * reconfiguring the network stack, just normal use.
 	 */
 	case PRIV_NETINET_RESERVEDPORT:
 	case PRIV_NETINET_RAW:
 	case PRIV_NETINET_REUSEPORT:
 		break;
 
 	/*
 	 * All remaining system privileges are allow only if the process
 	 * holds privilege with respect to the LOMAC policy.
 	 */
 	default:
 		subj = SLOT(cred->cr_label);
 		error = lomac_subject_privileged(subj);
 		if (error)
 			return (error);
 	}
 	return (0);
 }
 
 static int
 lomac_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(p->p_ucred->cr_label);
 
 	/* XXX: range checks */
 	if (!lomac_dominate_single(obj, subj))
 		return (ESRCH);
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(p->p_ucred->cr_label);
 
 	/* XXX: range checks */
 	if (!lomac_dominate_single(obj, subj))
 		return (ESRCH);
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(p->p_ucred->cr_label);
 
 	/* XXX: range checks */
 	if (!lomac_dominate_single(obj, subj))
 		return (ESRCH);
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 lomac_proc_destroy_label(struct label *label)
 {
 
 	mtx_destroy(&PSLOT(label)->mtx);
 	free(PSLOT(label), M_LOMAC);
 	PSLOT_SET(label, NULL);
 }
 
 static void
 lomac_proc_init_label(struct label *label)
 {
 
 	PSLOT_SET(label, malloc(sizeof(struct mac_lomac_proc), M_LOMAC,
 	    M_ZERO | M_WAITOK));
 	mtx_init(&PSLOT(label)->mtx, "MAC/Lomac proc lock", NULL, MTX_DEF);
 }
 
 static int
 lomac_socket_check_deliver(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *p, *s;
 	int error;
 
 	if (!lomac_enabled)
 		return (0);
 
 	p = SLOT(mlabel);
 	s = SLOT(solabel);
 
 	SOCK_LOCK(so);
 	error = lomac_equal_single(p, s) ? 0 : EACCES;
 	SOCK_UNLOCK(so);
 	return (error);
 }
 
 static int
 lomac_socket_check_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
 	struct mac_lomac *subj, *obj, *new;
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
 	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(solabel);
 
 	/*
 	 * If there is a LOMAC label update for the socket, it may be an
 	 * update of single.
 	 */
 	error = lomac_atmostflags(new, MAC_LOMAC_FLAG_SINGLE);
 	if (error)
 		return (error);
 
 	/*
 	 * To relabel a socket, the old socket single must be in the subject
 	 * range.
 	 */
 	if (!lomac_single_in_range(obj, subj))
 		return (EPERM);
 
 	/*
 	 * If the LOMAC label is to be changed, authorize as appropriate.
 	 */
 	if (new->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
 		/*
 		 * To relabel a socket, the new socket single must be in the
 		 * subject range.
 		 */
 		if (!lomac_single_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the LOMAC label on the socket to contain EQUAL,
 		 * the subject must have appropriate privilege.
 		 */
 		if (lomac_contains_equal(new)) {
 			error = lomac_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 	}
 
 	return (0);
 }
 
 static int
 lomac_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(solabel);
 
 	SOCK_LOCK(so);
 	if (!lomac_dominate_single(obj, subj)) {
 		SOCK_UNLOCK(so);
 		return (ENOENT);
 	}
 	SOCK_UNLOCK(so);
 
 	return (0);
 }
 
 static void
 lomac_socket_create(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(solabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static void
 lomac_socket_create_mbuf(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(solabel);
 	dest = SLOT(mlabel);
 
 	SOCK_LOCK(so);
 	lomac_copy_single(source, dest);
 	SOCK_UNLOCK(so);
 }
 
 static void
 lomac_socket_newconn(struct socket *oldso, struct label *oldsolabel,
     struct socket *newso, struct label *newsolabel)
 {
 	struct mac_lomac source, *dest;
 
 	SOCK_LOCK(oldso);
 	source = *SLOT(oldsolabel);
 	SOCK_UNLOCK(oldso);
 
 	dest = SLOT(newsolabel);
 
 	SOCK_LOCK(newso);
 	lomac_copy_single(&source, dest);
 	SOCK_UNLOCK(newso);
 }
 
 static void
 lomac_socket_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	SOCK_LOCK_ASSERT(so);
 
 	source = SLOT(newlabel);
 	dest = SLOT(solabel);
 
 	try_relabel(source, dest);
 }
 
 static void
 lomac_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
     struct socket *so, struct label *sopeerlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(mlabel);
 	dest = SLOT(sopeerlabel);
 
 	SOCK_LOCK(so);
 	lomac_copy_single(source, dest);
 	SOCK_UNLOCK(so);
 }
 
 static void
 lomac_socketpeer_set_from_socket(struct socket *oldso,
     struct label *oldsolabel, struct socket *newso,
     struct label *newsopeerlabel)
 {
 	struct mac_lomac source, *dest;
 
 	SOCK_LOCK(oldso);
 	source = *SLOT(oldsolabel);
 	SOCK_UNLOCK(oldso);
 
 	dest = SLOT(newsopeerlabel);
 
 	SOCK_LOCK(newso);
 	lomac_copy_single(&source, dest);
 	SOCK_UNLOCK(newso);
 }
 
 static void
 lomac_syncache_create(struct label *label, struct inpcb *inp)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(inp->inp_label);
 	dest = SLOT(label);
 	lomac_copy(source, dest);
 }
 
 static void
 lomac_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
     struct label *mlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(sc_label);
 	dest = SLOT(mlabel);
 	lomac_copy(source, dest);
 }
 
 static int
 lomac_system_check_acct(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (lomac_subject_privileged(subj))
 		return (EPERM);
 
 	if (!lomac_high_single(obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_system_check_auditctl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (lomac_subject_privileged(subj))
 		return (EPERM);
 
 	if (!lomac_high_single(obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_system_check_swapoff(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *subj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 
 	if (lomac_subject_privileged(subj))
 		return (EPERM);
 
 	return (0);
 }
 
 static int
 lomac_system_check_swapon(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (lomac_subject_privileged(subj))
 		return (EPERM);
 
 	if (!lomac_high_single(obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
     void *arg1, int arg2, struct sysctl_req *req)
 {
 	struct mac_lomac *subj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 
 	/*
 	 * Treat sysctl variables without CTLFLAG_ANYBODY flag as lomac/high,
 	 * but also require privilege to change them.
 	 */
 	if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) {
 #ifdef notdef
 		if (!lomac_subject_dominate_high(subj))
 			return (EACCES);
 #endif
 
 		if (lomac_subject_privileged(subj))
 			return (EPERM);
 	}
 
 	return (0);
 }
 
 static void
 lomac_thread_userret(struct thread *td)
 {
 	struct proc *p = td->td_proc;
 	struct mac_lomac_proc *subj = PSLOT(p->p_label);
 	struct ucred *newcred, *oldcred;
 	int dodrop;
 
 	mtx_lock(&subj->mtx);
 	if (subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) {
 		dodrop = 0;
 		mtx_unlock(&subj->mtx);
 		newcred = crget();
 		PROC_LOCK(p);
 		mtx_lock(&subj->mtx);
 		/*
 		 * Check if we lost the race while allocating the cred.
 		 */
 		if ((subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) == 0) {
 			crfree(newcred);
 			goto out;
 		}
 		oldcred = p->p_ucred;
 		crcopy(newcred, oldcred);
 		crhold(newcred);
 		lomac_copy(&subj->mac_lomac, SLOT(newcred->cr_label));
 		proc_set_cred(p, newcred);
 		crfree(oldcred);
 		dodrop = 1;
 	out:
 		mtx_unlock(&subj->mtx);
 		PROC_UNLOCK(p);
 		if (dodrop)
 			mac_proc_vm_revoke(curthread);
 	} else {
 		mtx_unlock(&subj->mtx);
 	}
 }
 
 static int
 lomac_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_lomac ml_temp, *source, *dest;
 	int buflen, error;
 
 	source = SLOT(mplabel);
 	dest = SLOT(vplabel);
 
 	buflen = sizeof(ml_temp);
 	bzero(&ml_temp, buflen);
 
 	error = vn_extattr_get(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE,
 	    MAC_LOMAC_EXTATTR_NAME, &buflen, (char *)&ml_temp, curthread);
 	if (error == ENOATTR || error == EOPNOTSUPP) {
 		/* Fall back to the mntlabel. */
 		lomac_copy_single(source, dest);
 		return (0);
 	} else if (error)
 		return (error);
 
 	if (buflen != sizeof(ml_temp)) {
 		if (buflen != sizeof(ml_temp) - sizeof(ml_temp.ml_auxsingle)) {
 			printf("lomac_vnode_associate_extattr: bad size %d\n",
 			    buflen);
 			return (EPERM);
 		}
 		bzero(&ml_temp.ml_auxsingle, sizeof(ml_temp.ml_auxsingle));
 		buflen = sizeof(ml_temp);
 		(void)vn_extattr_set(vp, IO_NODELOCKED,
 		    MAC_LOMAC_EXTATTR_NAMESPACE, MAC_LOMAC_EXTATTR_NAME,
 		    buflen, (char *)&ml_temp, curthread);
 	}
 	if (lomac_valid(&ml_temp) != 0) {
 		printf("lomac_vnode_associate_extattr: invalid\n");
 		return (EPERM);
 	}
 	if ((ml_temp.ml_flags & MAC_LOMAC_FLAGS_BOTH) !=
 	    MAC_LOMAC_FLAG_SINGLE) {
 		printf("lomac_vnode_associate_extattr: not single\n");
 		return (EPERM);
 	}
 
 	lomac_copy_single(&ml_temp, dest);
 	return (0);
 }
 
 static void
 lomac_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(mplabel);
 	dest = SLOT(vplabel);
 
 	lomac_copy_single(source, dest);
 }
 
 static int
 lomac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 	if (obj->ml_flags & MAC_LOMAC_FLAG_AUX &&
 	    !lomac_dominate_element(&subj->ml_single, &obj->ml_auxsingle))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int prot, int flags)
 {
 	struct mac_lomac *subj, *obj;
 
 	/*
 	 * Rely on the use of open()-time protections to handle
 	 * non-revocation cases.
 	 */
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
 		if (!lomac_subject_dominate(subj, obj))
 			return (EACCES);
 	}
 	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
 		if (!lomac_dominate_single(obj, subj))
 			return (maybe_demote(subj, obj, "mapping", "file", vp));
 	}
 
 	return (0);
 }
 
 static void
 lomac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, /* XXX vm_prot_t */ int *prot)
 {
 	struct mac_lomac *subj, *obj;
 
 	/*
 	 * Rely on the use of open()-time protections to handle
 	 * non-revocation cases.
 	 */
 	if (!lomac_enabled || !revocation_enabled)
 		return;
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		*prot &= ~VM_PROT_WRITE;
 }
 
 static int
 lomac_vnode_check_open(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, accmode_t accmode)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	/* XXX privilege override for admin? */
 	if (accmode & VMODIFY_PERMS) {
 		if (!lomac_subject_dominate(subj, obj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!lomac_dominate_single(obj, subj))
 		return (maybe_demote(subj, obj, "reading", "file", vp));
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *newlabel)
 {
 	struct mac_lomac *old, *new, *subj;
 	int error;
 
 	old = SLOT(vplabel);
 	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
 
 	/*
 	 * If there is a LOMAC label update for the vnode, it must be a
 	 * single label, with an optional explicit auxiliary single.
 	 */
 	error = lomac_atmostflags(new,
 	    MAC_LOMAC_FLAG_SINGLE | MAC_LOMAC_FLAG_AUX);
 	if (error)
 		return (error);
 
 	/*
 	 * To perform a relabel of the vnode (LOMAC label or not), LOMAC must
 	 * authorize the relabel.
 	 */
 	if (!lomac_single_in_range(old, subj))
 		return (EPERM);
 
 	/*
 	 * If the LOMAC label is to be changed, authorize as appropriate.
 	 */
 	if (new->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
 		/*
 		 * To change the LOMAC label on a vnode, the new vnode label
 		 * must be in the subject range.
 		 */
 		if (!lomac_single_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the LOMAC label on the vnode to be EQUAL, the
 		 * subject must have appropriate privilege.
 		 */
 		if (lomac_contains_equal(new)) {
 			error = lomac_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 	}
 	if (new->ml_flags & MAC_LOMAC_FLAG_AUX) {
 		/*
 		 * Fill in the missing parts from the previous label.
 		 */
 		if ((new->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
 			lomac_copy_single(subj, new);
 
 		/*
 		 * To change the auxiliary LOMAC label on a vnode, the new
 		 * vnode label must be in the subject range.
 		 */
 		if (!lomac_auxsingle_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the auxiliary LOMAC label on the vnode to be
 		 * EQUAL, the subject must have appropriate privilege.
 		 */
 		if (lomac_contains_equal(new)) {
 			error = lomac_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 	}
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     int samedir, struct componentname *cnp)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	if (vp != NULL) {
 		obj = SLOT(vplabel);
 
 		if (!lomac_subject_dominate(subj, obj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type, struct acl *acl)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	/* XXX: protect the MAC EA in a special way? */
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, u_long flags)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, mode_t mode)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, uid_t uid, gid_t gid)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct timespec atime, struct timespec mtime)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_vnode_check_write(struct ucred *active_cred,
     struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
 
 	if (!lomac_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!lomac_subject_dominate(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 lomac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
     struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
     struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
 	struct mac_lomac *source, *dest, *dir, temp;
 	size_t buflen;
 	int error;
 
 	buflen = sizeof(temp);
 	bzero(&temp, buflen);
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(vplabel);
 	dir = SLOT(dvplabel);
 	if (dir->ml_flags & MAC_LOMAC_FLAG_AUX) {
 		lomac_copy_auxsingle(dir, &temp);
 		lomac_set_single(&temp, dir->ml_auxsingle.mle_type,
 		    dir->ml_auxsingle.mle_grade);
 	} else {
 		lomac_copy_single(source, &temp);
 	}
 
 	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE,
 	    MAC_LOMAC_EXTATTR_NAME, buflen, (char *)&temp, curthread);
 	if (error == 0)
 		lomac_copy(&temp, dest);
 	return (error);
 }
 
 static void
 lomac_vnode_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *vplabel, struct label *interpvplabel,
     struct image_params *imgp, struct label *execlabel)
 {
 	struct mac_lomac *source, *dest, *obj, *robj;
 
 	source = SLOT(old->cr_label);
 	dest = SLOT(new->cr_label);
 	obj = SLOT(vplabel);
 	robj = interpvplabel != NULL ? SLOT(interpvplabel) : obj;
 
 	lomac_copy(source, dest);
 	/*
 	 * If there's an auxiliary label on the real object, respect it and
 	 * assume that this level should be assumed immediately if a higher
 	 * level is currently in place.
 	 */
 	if (robj->ml_flags & MAC_LOMAC_FLAG_AUX &&
 	    !lomac_dominate_element(&robj->ml_auxsingle, &dest->ml_single)
 	    && lomac_auxsingle_in_range(robj, dest))
 		lomac_set_single(dest, robj->ml_auxsingle.mle_type,
 		    robj->ml_auxsingle.mle_grade);
 	/*
 	 * Restructuring to use the execve transitioning mechanism instead of
 	 * the normal demotion mechanism here would be difficult, so just
 	 * copy the label over and perform standard demotion.  This is also
 	 * non-optimal because it will result in the intermediate label "new"
 	 * being created and immediately recycled.
 	 */
 	if (lomac_enabled && revocation_enabled &&
 	    !lomac_dominate_single(obj, source))
 		(void)maybe_demote(source, obj, "executing", "file", vp);
 }
 
 static int
 lomac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
     struct label *vplabel, struct label *interpvplabel,
     struct image_params *imgp, struct label *execlabel)
 {
 	struct mac_lomac *subj, *obj, *robj;
 
 	if (!lomac_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(old->cr_label);
 	obj = SLOT(vplabel);
 	robj = interpvplabel != NULL ? SLOT(interpvplabel) : obj;
 
 	return ((robj->ml_flags & MAC_LOMAC_FLAG_AUX &&
 	    !lomac_dominate_element(&robj->ml_auxsingle, &subj->ml_single)
 	    && lomac_auxsingle_in_range(robj, subj)) ||
 	    !lomac_dominate_single(obj, subj));
 }
 
 static void
 lomac_vnode_relabel(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *newlabel)
 {
 	struct mac_lomac *source, *dest;
 
 	source = SLOT(newlabel);
 	dest = SLOT(vplabel);
 
 	try_relabel(source, dest);
 }
 
 static int
 lomac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *intlabel)
 {
 	struct mac_lomac *source, temp;
 	size_t buflen;
 	int error;
 
 	buflen = sizeof(temp);
 	bzero(&temp, buflen);
 
 	source = SLOT(intlabel);
 	if ((source->ml_flags & MAC_LOMAC_FLAG_SINGLE) == 0)
 		return (0);
 
 	lomac_copy_single(source, &temp);
 	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE,
 	    MAC_LOMAC_EXTATTR_NAME, buflen, (char *)&temp, curthread);
 	return (error);
 }
 
 static struct mac_policy_ops lomac_ops =
 {
 	.mpo_init = lomac_init,
 	.mpo_destroy = lomac_fini,
 
 	.mpo_bpfdesc_check_receive = lomac_bpfdesc_check_receive,
 	.mpo_bpfdesc_create = lomac_bpfdesc_create,
 	.mpo_bpfdesc_create_mbuf = lomac_bpfdesc_create_mbuf,
 	.mpo_bpfdesc_destroy_label = lomac_destroy_label,
 	.mpo_bpfdesc_init_label = lomac_init_label,
 
 	.mpo_cred_check_relabel = lomac_cred_check_relabel,
 	.mpo_cred_check_visible = lomac_cred_check_visible,
 	.mpo_cred_copy_label = lomac_copy_label,
 	.mpo_cred_create_swapper = lomac_cred_create_swapper,
 	.mpo_cred_create_init = lomac_cred_create_init,
 	.mpo_cred_destroy_label = lomac_destroy_label,
 	.mpo_cred_externalize_label = lomac_externalize_label,
 	.mpo_cred_init_label = lomac_init_label,
 	.mpo_cred_internalize_label = lomac_internalize_label,
 	.mpo_cred_relabel = lomac_cred_relabel,
 
 	.mpo_devfs_create_device = lomac_devfs_create_device,
 	.mpo_devfs_create_directory = lomac_devfs_create_directory,
 	.mpo_devfs_create_symlink = lomac_devfs_create_symlink,
 	.mpo_devfs_destroy_label = lomac_destroy_label,
 	.mpo_devfs_init_label = lomac_init_label,
 	.mpo_devfs_update = lomac_devfs_update,
 	.mpo_devfs_vnode_associate = lomac_devfs_vnode_associate,
 
 	.mpo_ifnet_check_relabel = lomac_ifnet_check_relabel,
 	.mpo_ifnet_check_transmit = lomac_ifnet_check_transmit,
 	.mpo_ifnet_copy_label = lomac_copy_label,
 	.mpo_ifnet_create = lomac_ifnet_create,
 	.mpo_ifnet_create_mbuf = lomac_ifnet_create_mbuf,
 	.mpo_ifnet_destroy_label = lomac_destroy_label,
 	.mpo_ifnet_externalize_label = lomac_externalize_label,
 	.mpo_ifnet_init_label = lomac_init_label,
 	.mpo_ifnet_internalize_label = lomac_internalize_label,
 	.mpo_ifnet_relabel = lomac_ifnet_relabel,
 
 	.mpo_syncache_create = lomac_syncache_create,
 	.mpo_syncache_destroy_label = lomac_destroy_label,
 	.mpo_syncache_init_label = lomac_init_label_waitcheck,
 
 	.mpo_inpcb_check_deliver = lomac_inpcb_check_deliver,
 	.mpo_inpcb_check_visible = lomac_inpcb_check_visible,
 	.mpo_inpcb_create = lomac_inpcb_create,
 	.mpo_inpcb_create_mbuf = lomac_inpcb_create_mbuf,
 	.mpo_inpcb_destroy_label = lomac_destroy_label,
 	.mpo_inpcb_init_label = lomac_init_label_waitcheck,
 	.mpo_inpcb_sosetlabel = lomac_inpcb_sosetlabel,
 
 	.mpo_ip6q_create = lomac_ip6q_create,
 	.mpo_ip6q_destroy_label = lomac_destroy_label,
 	.mpo_ip6q_init_label = lomac_init_label_waitcheck,
 	.mpo_ip6q_match = lomac_ip6q_match,
 	.mpo_ip6q_reassemble = lomac_ip6q_reassemble,
 	.mpo_ip6q_update = lomac_ip6q_update,
 
 	.mpo_ipq_create = lomac_ipq_create,
 	.mpo_ipq_destroy_label = lomac_destroy_label,
 	.mpo_ipq_init_label = lomac_init_label_waitcheck,
 	.mpo_ipq_match = lomac_ipq_match,
 	.mpo_ipq_reassemble = lomac_ipq_reassemble,
 	.mpo_ipq_update = lomac_ipq_update,
 
 	.mpo_kld_check_load = lomac_kld_check_load,
 
 	.mpo_mbuf_copy_label = lomac_copy_label,
 	.mpo_mbuf_destroy_label = lomac_destroy_label,
 	.mpo_mbuf_init_label = lomac_init_label_waitcheck,
 
 	.mpo_mount_create = lomac_mount_create,
 	.mpo_mount_destroy_label = lomac_destroy_label,
 	.mpo_mount_init_label = lomac_init_label,
 
 	.mpo_netinet_arp_send = lomac_netinet_arp_send,
 	.mpo_netinet_firewall_reply = lomac_netinet_firewall_reply,
 	.mpo_netinet_firewall_send = lomac_netinet_firewall_send,
 	.mpo_netinet_fragment = lomac_netinet_fragment,
 	.mpo_netinet_icmp_reply = lomac_netinet_icmp_reply,
 	.mpo_netinet_igmp_send = lomac_netinet_igmp_send,
 
 	.mpo_netinet6_nd6_send = lomac_netinet6_nd6_send,
 
 	.mpo_pipe_check_ioctl = lomac_pipe_check_ioctl,
 	.mpo_pipe_check_read = lomac_pipe_check_read,
 	.mpo_pipe_check_relabel = lomac_pipe_check_relabel,
 	.mpo_pipe_check_write = lomac_pipe_check_write,
 	.mpo_pipe_copy_label = lomac_copy_label,
 	.mpo_pipe_create = lomac_pipe_create,
 	.mpo_pipe_destroy_label = lomac_destroy_label,
 	.mpo_pipe_externalize_label = lomac_externalize_label,
 	.mpo_pipe_init_label = lomac_init_label,
 	.mpo_pipe_internalize_label = lomac_internalize_label,
 	.mpo_pipe_relabel = lomac_pipe_relabel,
 
 	.mpo_priv_check = lomac_priv_check,
 
 	.mpo_proc_check_debug = lomac_proc_check_debug,
 	.mpo_proc_check_sched = lomac_proc_check_sched,
 	.mpo_proc_check_signal = lomac_proc_check_signal,
 	.mpo_proc_destroy_label = lomac_proc_destroy_label,
 	.mpo_proc_init_label = lomac_proc_init_label,
 
 	.mpo_socket_check_deliver = lomac_socket_check_deliver,
 	.mpo_socket_check_relabel = lomac_socket_check_relabel,
 	.mpo_socket_check_visible = lomac_socket_check_visible,
 	.mpo_socket_copy_label = lomac_copy_label,
 	.mpo_socket_create = lomac_socket_create,
 	.mpo_socket_create_mbuf = lomac_socket_create_mbuf,
 	.mpo_socket_destroy_label = lomac_destroy_label,
 	.mpo_socket_externalize_label = lomac_externalize_label,
 	.mpo_socket_init_label = lomac_init_label_waitcheck,
 	.mpo_socket_internalize_label = lomac_internalize_label,
 	.mpo_socket_newconn = lomac_socket_newconn,
 	.mpo_socket_relabel = lomac_socket_relabel,
 
 	.mpo_socketpeer_destroy_label = lomac_destroy_label,
 	.mpo_socketpeer_externalize_label = lomac_externalize_label,
 	.mpo_socketpeer_init_label = lomac_init_label_waitcheck,
 	.mpo_socketpeer_set_from_mbuf = lomac_socketpeer_set_from_mbuf,
 	.mpo_socketpeer_set_from_socket = lomac_socketpeer_set_from_socket,
 
 	.mpo_syncache_create_mbuf = lomac_syncache_create_mbuf,
 
 	.mpo_system_check_acct = lomac_system_check_acct,
 	.mpo_system_check_auditctl = lomac_system_check_auditctl,
 	.mpo_system_check_swapoff = lomac_system_check_swapoff,
 	.mpo_system_check_swapon = lomac_system_check_swapon,
 	.mpo_system_check_sysctl = lomac_system_check_sysctl,
 
 	.mpo_thread_userret = lomac_thread_userret,
 
 	.mpo_vnode_associate_extattr = lomac_vnode_associate_extattr,
 	.mpo_vnode_associate_singlelabel = lomac_vnode_associate_singlelabel,
 	.mpo_vnode_check_access = lomac_vnode_check_open,
 	.mpo_vnode_check_create = lomac_vnode_check_create,
 	.mpo_vnode_check_deleteacl = lomac_vnode_check_deleteacl,
 	.mpo_vnode_check_link = lomac_vnode_check_link,
 	.mpo_vnode_check_mmap = lomac_vnode_check_mmap,
 	.mpo_vnode_check_mmap_downgrade = lomac_vnode_check_mmap_downgrade,
 	.mpo_vnode_check_open = lomac_vnode_check_open,
 	.mpo_vnode_check_read = lomac_vnode_check_read,
 	.mpo_vnode_check_relabel = lomac_vnode_check_relabel,
 	.mpo_vnode_check_rename_from = lomac_vnode_check_rename_from,
 	.mpo_vnode_check_rename_to = lomac_vnode_check_rename_to,
 	.mpo_vnode_check_revoke = lomac_vnode_check_revoke,
 	.mpo_vnode_check_setacl = lomac_vnode_check_setacl,
 	.mpo_vnode_check_setextattr = lomac_vnode_check_setextattr,
 	.mpo_vnode_check_setflags = lomac_vnode_check_setflags,
 	.mpo_vnode_check_setmode = lomac_vnode_check_setmode,
 	.mpo_vnode_check_setowner = lomac_vnode_check_setowner,
 	.mpo_vnode_check_setutimes = lomac_vnode_check_setutimes,
 	.mpo_vnode_check_unlink = lomac_vnode_check_unlink,
 	.mpo_vnode_check_write = lomac_vnode_check_write,
 	.mpo_vnode_copy_label = lomac_copy_label,
 	.mpo_vnode_create_extattr = lomac_vnode_create_extattr,
 	.mpo_vnode_destroy_label = lomac_destroy_label,
 	.mpo_vnode_execve_transition = lomac_vnode_execve_transition,
 	.mpo_vnode_execve_will_transition = lomac_vnode_execve_will_transition,
 	.mpo_vnode_externalize_label = lomac_externalize_label,
 	.mpo_vnode_init_label = lomac_init_label,
 	.mpo_vnode_internalize_label = lomac_internalize_label,
 	.mpo_vnode_relabel = lomac_vnode_relabel,
 	.mpo_vnode_setlabel_extattr = lomac_vnode_setlabel_extattr,
 };
 
 MAC_POLICY_SET(&lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC",
     MPC_LOADTIME_FLAG_NOTLATE, &lomac_slot);
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index a22b504c3362..54a32b6d564d 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1,3421 +1,3419 @@
 /*-
  * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by McAfee
  * Research, the Security Research Division of McAfee, Inc. under
  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
  * CHATS research program.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
  * This software was developed at the University of Cambridge Computer
  * Laboratory with support from a grant from Google, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 /*
  * Developed by the TrustedBSD Project.
  *
  * MLS fixed label mandatory confidentiality policy.
  */
 
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/acl.h>
 #include <sys/conf.h>
 #include <sys/extattr.h>
 #include <sys/kernel.h>
 #include <sys/ksem.h>
 #include <sys/mman.h>
 #include <sys/malloc.h>
 #include <sys/mount.h>
 #include <sys/proc.h>
 #include <sys/sbuf.h>
 #include <sys/systm.h>
 #include <sys/sysproto.h>
 #include <sys/sysent.h>
 #include <sys/systm.h>
 #include <sys/vnode.h>
 #include <sys/file.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/pipe.h>
 #include <sys/sx.h>
 #include <sys/sysctl.h>
 #include <sys/msg.h>
 #include <sys/sem.h>
 #include <sys/shm.h>
 
 #include <fs/devfs/devfs.h>
 
 #include <net/bpfdesc.h>
 #include <net/if.h>
 #include <net/if_types.h>
 #include <net/if_var.h>
 
 #include <netinet/in.h>
 #include <netinet/in_pcb.h>
 #include <netinet/ip_var.h>
 
 #include <vm/uma.h>
 #include <vm/vm.h>
 
 #include <security/mac/mac_policy.h>
 #include <security/mac_mls/mac_mls.h>
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, mls,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "TrustedBSD mac_mls policy controls");
 
 static int	mls_label_size = sizeof(struct mac_mls);
 SYSCTL_INT(_security_mac_mls, OID_AUTO, label_size, CTLFLAG_RD,
     &mls_label_size, 0, "Size of struct mac_mls");
 
 static int	mls_enabled = 1;
 SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RWTUN, &mls_enabled, 0,
     "Enforce MAC/MLS policy");
 
 static int	destroyed_not_inited;
 SYSCTL_INT(_security_mac_mls, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
     &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
 
 static int	ptys_equal = 0;
 SYSCTL_INT(_security_mac_mls, OID_AUTO, ptys_equal, CTLFLAG_RWTUN,
     &ptys_equal, 0, "Label pty devices as mls/equal on create");
 
 static int	revocation_enabled = 0;
 SYSCTL_INT(_security_mac_mls, OID_AUTO, revocation_enabled, CTLFLAG_RWTUN,
     &revocation_enabled, 0, "Revoke access to objects on relabel");
 
 static int	max_compartments = MAC_MLS_MAX_COMPARTMENTS;
 SYSCTL_INT(_security_mac_mls, OID_AUTO, max_compartments, CTLFLAG_RD,
     &max_compartments, 0, "Maximum compartments the policy supports");
 
 static int	mls_slot;
 #define	SLOT(l)	((struct mac_mls *)mac_label_get((l), mls_slot))
 #define	SLOT_SET(l, val) mac_label_set((l), mls_slot, (uintptr_t)(val))
 
 static uma_zone_t	zone_mls;
 
 static __inline int
 mls_bit_set_empty(u_char *set) {
 	int i;
 
 	for (i = 0; i < MAC_MLS_MAX_COMPARTMENTS >> 3; i++)
 		if (set[i] != 0)
 			return (0);
 	return (1);
 }
 
 static struct mac_mls *
 mls_alloc(int flag)
 {
 
 	return (uma_zalloc(zone_mls, flag | M_ZERO));
 }
 
 static void
 mls_free(struct mac_mls *mm)
 {
 
 	if (mm != NULL)
 		uma_zfree(zone_mls, mm);
 	else
 		atomic_add_int(&destroyed_not_inited, 1);
 }
 
 static int
 mls_atmostflags(struct mac_mls *mm, int flags)
 {
 
 	if ((mm->mm_flags & flags) != mm->mm_flags)
 		return (EINVAL);
 	return (0);
 }
 
 static int
 mls_dominate_element(struct mac_mls_element *a, struct mac_mls_element *b)
 {
 	int bit;
 
 	switch (a->mme_type) {
 	case MAC_MLS_TYPE_EQUAL:
 	case MAC_MLS_TYPE_HIGH:
 		return (1);
 
 	case MAC_MLS_TYPE_LOW:
 		switch (b->mme_type) {
 		case MAC_MLS_TYPE_LEVEL:
 		case MAC_MLS_TYPE_HIGH:
 			return (0);
 
 		case MAC_MLS_TYPE_EQUAL:
 		case MAC_MLS_TYPE_LOW:
 			return (1);
 
 		default:
 			panic("mls_dominate_element: b->mme_type invalid");
 		}
 
 	case MAC_MLS_TYPE_LEVEL:
 		switch (b->mme_type) {
 		case MAC_MLS_TYPE_EQUAL:
 		case MAC_MLS_TYPE_LOW:
 			return (1);
 
 		case MAC_MLS_TYPE_HIGH:
 			return (0);
 
 		case MAC_MLS_TYPE_LEVEL:
 			for (bit = 1; bit <= MAC_MLS_MAX_COMPARTMENTS; bit++)
 				if (!MAC_MLS_BIT_TEST(bit,
 				    a->mme_compartments) &&
 				    MAC_MLS_BIT_TEST(bit, b->mme_compartments))
 					return (0);
 			return (a->mme_level >= b->mme_level);
 
 		default:
 			panic("mls_dominate_element: b->mme_type invalid");
 		}
 
 	default:
 		panic("mls_dominate_element: a->mme_type invalid");
 	}
 
 	return (0);
 }
 
 static int
 mls_range_in_range(struct mac_mls *rangea, struct mac_mls *rangeb)
 {
 
 	return (mls_dominate_element(&rangeb->mm_rangehigh,
 	    &rangea->mm_rangehigh) &&
 	    mls_dominate_element(&rangea->mm_rangelow,
 	    &rangeb->mm_rangelow));
 }
 
 static int
 mls_effective_in_range(struct mac_mls *effective, struct mac_mls *range)
 {
 
 	KASSERT((effective->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0,
 	    ("mls_effective_in_range: a not effective"));
 	KASSERT((range->mm_flags & MAC_MLS_FLAG_RANGE) != 0,
 	    ("mls_effective_in_range: b not range"));
 
 	return (mls_dominate_element(&range->mm_rangehigh,
 	    &effective->mm_effective) &&
 	    mls_dominate_element(&effective->mm_effective,
 	    &range->mm_rangelow));
 
 	return (1);
 }
 
 static int
 mls_dominate_effective(struct mac_mls *a, struct mac_mls *b)
 {
 	KASSERT((a->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0,
 	    ("mls_dominate_effective: a not effective"));
 	KASSERT((b->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0,
 	    ("mls_dominate_effective: b not effective"));
 
 	return (mls_dominate_element(&a->mm_effective, &b->mm_effective));
 }
 
 static int
 mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b)
 {
 
 	if (a->mme_type == MAC_MLS_TYPE_EQUAL ||
 	    b->mme_type == MAC_MLS_TYPE_EQUAL)
 		return (1);
 
 	return (a->mme_type == b->mme_type && a->mme_level == b->mme_level);
 }
 
 static int
 mls_equal_effective(struct mac_mls *a, struct mac_mls *b)
 {
 
 	KASSERT((a->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0,
 	    ("mls_equal_effective: a not effective"));
 	KASSERT((b->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0,
 	    ("mls_equal_effective: b not effective"));
 
 	return (mls_equal_element(&a->mm_effective, &b->mm_effective));
 }
 
 static int
 mls_contains_equal(struct mac_mls *mm)
 {
 
 	if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE)
 		if (mm->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL)
 			return (1);
 
 	if (mm->mm_flags & MAC_MLS_FLAG_RANGE) {
 		if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL)
 			return (1);
 		if (mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL)
 			return (1);
 	}
 
 	return (0);
 }
 
 static int
 mls_subject_privileged(struct mac_mls *mm)
 {
 
 	KASSERT((mm->mm_flags & MAC_MLS_FLAGS_BOTH) == MAC_MLS_FLAGS_BOTH,
 	    ("mls_subject_privileged: subject doesn't have both labels"));
 
 	/* If the effective is EQUAL, it's ok. */
 	if (mm->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL)
 		return (0);
 
 	/* If either range endpoint is EQUAL, it's ok. */
 	if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL ||
 	    mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL)
 		return (0);
 
 	/* If the range is low-high, it's ok. */
 	if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_LOW &&
 	    mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_HIGH)
 		return (0);
 
 	/* It's not ok. */
 	return (EPERM);
 }
 
 static int
 mls_valid(struct mac_mls *mm)
 {
 
 	if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
 		switch (mm->mm_effective.mme_type) {
 		case MAC_MLS_TYPE_LEVEL:
 			break;
 
 		case MAC_MLS_TYPE_EQUAL:
 		case MAC_MLS_TYPE_HIGH:
 		case MAC_MLS_TYPE_LOW:
 			if (mm->mm_effective.mme_level != 0 ||
 			    !MAC_MLS_BIT_SET_EMPTY(
 			    mm->mm_effective.mme_compartments))
 				return (EINVAL);
 			break;
 
 		default:
 			return (EINVAL);
 		}
 	} else {
 		if (mm->mm_effective.mme_type != MAC_MLS_TYPE_UNDEF)
 			return (EINVAL);
 	}
 
 	if (mm->mm_flags & MAC_MLS_FLAG_RANGE) {
 		switch (mm->mm_rangelow.mme_type) {
 		case MAC_MLS_TYPE_LEVEL:
 			break;
 
 		case MAC_MLS_TYPE_EQUAL:
 		case MAC_MLS_TYPE_HIGH:
 		case MAC_MLS_TYPE_LOW:
 			if (mm->mm_rangelow.mme_level != 0 ||
 			    !MAC_MLS_BIT_SET_EMPTY(
 			    mm->mm_rangelow.mme_compartments))
 				return (EINVAL);
 			break;
 
 		default:
 			return (EINVAL);
 		}
 
 		switch (mm->mm_rangehigh.mme_type) {
 		case MAC_MLS_TYPE_LEVEL:
 			break;
 
 		case MAC_MLS_TYPE_EQUAL:
 		case MAC_MLS_TYPE_HIGH:
 		case MAC_MLS_TYPE_LOW:
 			if (mm->mm_rangehigh.mme_level != 0 ||
 			    !MAC_MLS_BIT_SET_EMPTY(
 			    mm->mm_rangehigh.mme_compartments))
 				return (EINVAL);
 			break;
 
 		default:
 			return (EINVAL);
 		}
 		if (!mls_dominate_element(&mm->mm_rangehigh,
 		    &mm->mm_rangelow))
 			return (EINVAL);
 	} else {
 		if (mm->mm_rangelow.mme_type != MAC_MLS_TYPE_UNDEF ||
 		    mm->mm_rangehigh.mme_type != MAC_MLS_TYPE_UNDEF)
 			return (EINVAL);
 	}
 
 	return (0);
 }
 
 static void
 mls_set_range(struct mac_mls *mm, u_short typelow, u_short levellow,
     u_char *compartmentslow, u_short typehigh, u_short levelhigh,
     u_char *compartmentshigh)
 {
 
 	mm->mm_rangelow.mme_type = typelow;
 	mm->mm_rangelow.mme_level = levellow;
 	if (compartmentslow != NULL)
 		memcpy(mm->mm_rangelow.mme_compartments, compartmentslow,
 		    sizeof(mm->mm_rangelow.mme_compartments));
 	mm->mm_rangehigh.mme_type = typehigh;
 	mm->mm_rangehigh.mme_level = levelhigh;
 	if (compartmentshigh != NULL)
 		memcpy(mm->mm_rangehigh.mme_compartments, compartmentshigh,
 		    sizeof(mm->mm_rangehigh.mme_compartments));
 	mm->mm_flags |= MAC_MLS_FLAG_RANGE;
 }
 
 static void
 mls_set_effective(struct mac_mls *mm, u_short type, u_short level,
     u_char *compartments)
 {
 
 	mm->mm_effective.mme_type = type;
 	mm->mm_effective.mme_level = level;
 	if (compartments != NULL)
 		memcpy(mm->mm_effective.mme_compartments, compartments,
 		    sizeof(mm->mm_effective.mme_compartments));
 	mm->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
 }
 
 static void
 mls_copy_range(struct mac_mls *labelfrom, struct mac_mls *labelto)
 {
 
 	KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_RANGE) != 0,
 	    ("mls_copy_range: labelfrom not range"));
 
 	labelto->mm_rangelow = labelfrom->mm_rangelow;
 	labelto->mm_rangehigh = labelfrom->mm_rangehigh;
 	labelto->mm_flags |= MAC_MLS_FLAG_RANGE;
 }
 
 static void
 mls_copy_effective(struct mac_mls *labelfrom, struct mac_mls *labelto)
 {
 
 	KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0,
 	    ("mls_copy_effective: labelfrom not effective"));
 
 	labelto->mm_effective = labelfrom->mm_effective;
 	labelto->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
 }
 
 static void
 mls_copy(struct mac_mls *source, struct mac_mls *dest)
 {
 
 	if (source->mm_flags & MAC_MLS_FLAG_EFFECTIVE)
 		mls_copy_effective(source, dest);
 	if (source->mm_flags & MAC_MLS_FLAG_RANGE)
 		mls_copy_range(source, dest);
 }
 
 /*
  * Policy module operations.
  */
 static void
 mls_init(struct mac_policy_conf *conf)
 {
 
 	zone_mls = uma_zcreate("mac_mls", sizeof(struct mac_mls), NULL,
 	    NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
 }
 
 /*
  * Label operations.
  */
 static void
 mls_init_label(struct label *label)
 {
 
 	SLOT_SET(label, mls_alloc(M_WAITOK));
 }
 
 static int
 mls_init_label_waitcheck(struct label *label, int flag)
 {
 
 	SLOT_SET(label, mls_alloc(flag));
 	if (SLOT(label) == NULL)
 		return (ENOMEM);
 
 	return (0);
 }
 
 static void
 mls_destroy_label(struct label *label)
 {
 
 	mls_free(SLOT(label));
 	SLOT_SET(label, NULL);
 }
 
 /*
  * mls_element_to_string() accepts an sbuf and MLS element.  It converts the
  * MLS element to a string and stores the result in the sbuf; if there isn't
  * space in the sbuf, -1 is returned.
  */
 static int
 mls_element_to_string(struct sbuf *sb, struct mac_mls_element *element)
 {
 	int i, first;
 
 	switch (element->mme_type) {
 	case MAC_MLS_TYPE_HIGH:
 		return (sbuf_printf(sb, "high"));
 
 	case MAC_MLS_TYPE_LOW:
 		return (sbuf_printf(sb, "low"));
 
 	case MAC_MLS_TYPE_EQUAL:
 		return (sbuf_printf(sb, "equal"));
 
 	case MAC_MLS_TYPE_LEVEL:
 		if (sbuf_printf(sb, "%d", element->mme_level) == -1)
 			return (-1);
 
 		first = 1;
 		for (i = 1; i <= MAC_MLS_MAX_COMPARTMENTS; i++) {
 			if (MAC_MLS_BIT_TEST(i, element->mme_compartments)) {
 				if (first) {
 					if (sbuf_putc(sb, ':') == -1)
 						return (-1);
 					if (sbuf_printf(sb, "%d", i) == -1)
 						return (-1);
 					first = 0;
 				} else {
 					if (sbuf_printf(sb, "+%d", i) == -1)
 						return (-1);
 				}
 			}
 		}
 		return (0);
 
 	default:
 		panic("mls_element_to_string: invalid type (%d)",
 		    element->mme_type);
 	}
 }
 
 /*
  * mls_to_string() converts an MLS label to a string, and places the results
  * in the passed sbuf.  It returns 0 on success, or EINVAL if there isn't
  * room in the sbuf.  Note: the sbuf will be modified even in a failure case,
  * so the caller may need to revert the sbuf by restoring the offset if
  * that's undesired.
  */
 static int
 mls_to_string(struct sbuf *sb, struct mac_mls *mm)
 {
 
 	if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
 		if (mls_element_to_string(sb, &mm->mm_effective) == -1)
 			return (EINVAL);
 	}
 
 	if (mm->mm_flags & MAC_MLS_FLAG_RANGE) {
 		if (sbuf_putc(sb, '(') == -1)
 			return (EINVAL);
 
 		if (mls_element_to_string(sb, &mm->mm_rangelow) == -1)
 			return (EINVAL);
 
 		if (sbuf_putc(sb, '-') == -1)
 			return (EINVAL);
 
 		if (mls_element_to_string(sb, &mm->mm_rangehigh) == -1)
 			return (EINVAL);
 
 		if (sbuf_putc(sb, ')') == -1)
 			return (EINVAL);
 	}
 
 	return (0);
 }
 
 static int
 mls_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
 {
 	struct mac_mls *mm;
 
 	if (strcmp(MAC_MLS_LABEL_NAME, element_name) != 0)
 		return (0);
 
 	(*claimed)++;
 
 	mm = SLOT(label);
 
 	return (mls_to_string(sb, mm));
 }
 
 static int
 mls_parse_element(struct mac_mls_element *element, char *string)
 {
 	char *compartment, *end, *level;
 	int value;
 
 	if (strcmp(string, "high") == 0 || strcmp(string, "hi") == 0) {
 		element->mme_type = MAC_MLS_TYPE_HIGH;
 		element->mme_level = MAC_MLS_TYPE_UNDEF;
 	} else if (strcmp(string, "low") == 0 || strcmp(string, "lo") == 0) {
 		element->mme_type = MAC_MLS_TYPE_LOW;
 		element->mme_level = MAC_MLS_TYPE_UNDEF;
 	} else if (strcmp(string, "equal") == 0 ||
 	    strcmp(string, "eq") == 0) {
 		element->mme_type = MAC_MLS_TYPE_EQUAL;
 		element->mme_level = MAC_MLS_TYPE_UNDEF;
 	} else {
 		element->mme_type = MAC_MLS_TYPE_LEVEL;
 
 		/*
 		 * Numeric level piece of the element.
 		 */
 		level = strsep(&string, ":");
 		value = strtol(level, &end, 10);
 		if (end == level || *end != '\0')
 			return (EINVAL);
 		if (value < 0 || value > 65535)
 			return (EINVAL);
 		element->mme_level = value;
 
 		/*
 		 * Optional compartment piece of the element.  If none are
 		 * included, we assume that the label has no compartments.
 		 */
 		if (string == NULL)
 			return (0);
 		if (*string == '\0')
 			return (0);
 
 		while ((compartment = strsep(&string, "+")) != NULL) {
 			value = strtol(compartment, &end, 10);
 			if (compartment == end || *end != '\0')
 				return (EINVAL);
 			if (value < 1 || value > MAC_MLS_MAX_COMPARTMENTS)
 				return (EINVAL);
 			MAC_MLS_BIT_SET(value, element->mme_compartments);
 		}
 	}
 
 	return (0);
 }
 
 /*
  * Note: destructively consumes the string, make a local copy before calling
  * if that's a problem.
  */
 static int
 mls_parse(struct mac_mls *mm, char *string)
 {
 	char *rangehigh, *rangelow, *effective;
 	int error;
 
 	effective = strsep(&string, "(");
 	if (*effective == '\0')
 		effective = NULL;
 
 	if (string != NULL) {
 		rangelow = strsep(&string, "-");
 		if (string == NULL)
 			return (EINVAL);
 		rangehigh = strsep(&string, ")");
 		if (string == NULL)
 			return (EINVAL);
 		if (*string != '\0')
 			return (EINVAL);
 	} else {
 		rangelow = NULL;
 		rangehigh = NULL;
 	}
 
 	KASSERT((rangelow != NULL && rangehigh != NULL) ||
 	    (rangelow == NULL && rangehigh == NULL),
 	    ("mls_parse: range mismatch"));
 
 	bzero(mm, sizeof(*mm));
 	if (effective != NULL) {
 		error = mls_parse_element(&mm->mm_effective, effective);
 		if (error)
 			return (error);
 		mm->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
 	}
 
 	if (rangelow != NULL) {
 		error = mls_parse_element(&mm->mm_rangelow, rangelow);
 		if (error)
 			return (error);
 		error = mls_parse_element(&mm->mm_rangehigh, rangehigh);
 		if (error)
 			return (error);
 		mm->mm_flags |= MAC_MLS_FLAG_RANGE;
 	}
 
 	error = mls_valid(mm);
 	if (error)
 		return (error);
 
 	return (0);
 }
 
 static int
 mls_internalize_label(struct label *label, char *element_name,
     char *element_data, int *claimed)
 {
 	struct mac_mls *mm, mm_temp;
 	int error;
 
 	if (strcmp(MAC_MLS_LABEL_NAME, element_name) != 0)
 		return (0);
 
 	(*claimed)++;
 
 	error = mls_parse(&mm_temp, element_data);
 	if (error)
 		return (error);
 
 	mm = SLOT(label);
 	*mm = mm_temp;
 
 	return (0);
 }
 
 static void
 mls_copy_label(struct label *src, struct label *dest)
 {
 
 	*SLOT(dest) = *SLOT(src);
 }
 
 /*
  * Object-specific entry point implementations are sorted alphabetically by
  * object type name and then by operation.
  */
 static int
 mls_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
      struct ifnet *ifp, struct label *ifplabel)
 {
 	struct mac_mls *a, *b;
 
 	if (!mls_enabled)
 		return (0);
 
 	a = SLOT(dlabel);
 	b = SLOT(ifplabel);
 
 	if (mls_equal_effective(a, b))
 		return (0);
 	return (EACCES);
 }
 
 static void
 mls_bpfdesc_create(struct ucred *cred, struct bpf_d *d, struct label *dlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(dlabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(dlabel);
 	dest = SLOT(mlabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_cred_associate_nfsd(struct ucred *cred) 
 {
 	struct mac_mls *label;
 
 	label = SLOT(cred->cr_label);
 	mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
 	mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
 	    NULL);
 }
 
 static int
 mls_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct mac_mls *subj, *new;
 	int error;
 
 	subj = SLOT(cred->cr_label);
 	new = SLOT(newlabel);
 
 	/*
 	 * If there is an MLS label update for the credential, it may be an
 	 * update of effective, range, or both.
 	 */
 	error = mls_atmostflags(new, MAC_MLS_FLAGS_BOTH);
 	if (error)
 		return (error);
 
 	/*
 	 * If the MLS label is to be changed, authorize as appropriate.
 	 */
 	if (new->mm_flags & MAC_MLS_FLAGS_BOTH) {
 		/*
 		 * If the change request modifies both the MLS label
 		 * effective and range, check that the new effective will be
 		 * in the new range.
 		 */
 		if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) ==
 		    MAC_MLS_FLAGS_BOTH && !mls_effective_in_range(new, new))
 			return (EINVAL);
 
 		/*
 		 * To change the MLS effective label on a credential, the new
 		 * effective label must be in the current range.
 		 */
 		if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE &&
 		    !mls_effective_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the MLS range label on a credential, the new
 		 * range must be in the current range.
 		 */
 		if (new->mm_flags & MAC_MLS_FLAG_RANGE &&
 		    !mls_range_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To have EQUAL in any component of the new credential MLS
 		 * label, the subject must already have EQUAL in their label.
 		 */
 		if (mls_contains_equal(new)) {
 			error = mls_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 	}
 
 	return (0);
 }
 
 static int
 mls_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cr1->cr_label);
 	obj = SLOT(cr2->cr_label);
 
 	/* XXX: range */
 	if (!mls_dominate_effective(subj, obj))
 		return (ESRCH);
 
 	return (0);
 }
 
 static void
 mls_cred_create_init(struct ucred *cred)
 {
 	struct mac_mls *dest;
 
 	dest = SLOT(cred->cr_label);
 
 	mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
 	mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
 	    NULL);
 }
 
 static void
 mls_cred_create_swapper(struct ucred *cred)
 {
 	struct mac_mls *dest;
 
 	dest = SLOT(cred->cr_label);
 
 	mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
 	mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
 	    NULL);
 }
 
 static void
 mls_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(newlabel);
 	dest = SLOT(cred->cr_label);
 
 	mls_copy(source, dest);
 }
 
 static void
 mls_devfs_create_device(struct ucred *cred, struct mount *mp,
     struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
 {
 	struct mac_mls *mm;
 	const char *dn;
 	int mls_type;
 
 	mm = SLOT(delabel);
 	dn = devtoname(dev);
 	if (strcmp(dn, "null") == 0 ||
 	    strcmp(dn, "zero") == 0 ||
 	    strcmp(dn, "random") == 0 ||
 	    strncmp(dn, "fd/", strlen("fd/")) == 0)
 		mls_type = MAC_MLS_TYPE_EQUAL;
 	else if (strcmp(dn, "kmem") == 0 ||
 	    strcmp(dn, "mem") == 0)
 		mls_type = MAC_MLS_TYPE_HIGH;
 	else if (ptys_equal &&
 	    (strncmp(dn, "ttyp", strlen("ttyp")) == 0 ||
 	    strncmp(dn, "pts/", strlen("pts/")) == 0 ||
 	    strncmp(dn, "ptyp", strlen("ptyp")) == 0))
 		mls_type = MAC_MLS_TYPE_EQUAL;
 	else
 		mls_type = MAC_MLS_TYPE_LOW;
 	mls_set_effective(mm, mls_type, 0, NULL);
 }
 
 static void
 mls_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
     struct devfs_dirent *de, struct label *delabel)
 {
 	struct mac_mls *mm;
 
 	mm = SLOT(delabel);
 	mls_set_effective(mm, MAC_MLS_TYPE_LOW, 0, NULL);
 }
 
 static void
 mls_devfs_create_symlink(struct ucred *cred, struct mount *mp,
     struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
     struct label *delabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(delabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_devfs_update(struct mount *mp, struct devfs_dirent *de,
     struct label *delabel, struct vnode *vp, struct label *vplabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(vplabel);
 	dest = SLOT(delabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
     struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(delabel);
 	dest = SLOT(vplabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static int
 mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
     struct label *ifplabel, struct label *newlabel)
 {
 	struct mac_mls *subj, *new;
 	int error;
 
 	subj = SLOT(cred->cr_label);
 	new = SLOT(newlabel);
 
 	/*
 	 * If there is an MLS label update for the interface, it may be an
 	 * update of effective, range, or both.
 	 */
 	error = mls_atmostflags(new, MAC_MLS_FLAGS_BOTH);
 	if (error)
 		return (error);
 
 	/*
 	 * Relabeling network interfaces requires MLS privilege.
 	 */
 	return (mls_subject_privileged(subj));
 }
 
 static int
 mls_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *p, *i;
 
 	if (!mls_enabled)
 		return (0);
 
 	p = SLOT(mlabel);
 	i = SLOT(ifplabel);
 
 	return (mls_effective_in_range(p, i) ? 0 : EACCES);
 }
 
 static void
 mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 {
 	struct mac_mls *dest;
 	int type;
 
 	dest = SLOT(ifplabel);
 
 	if (if_gettype(ifp) == IFT_LOOP)
 		type = MAC_MLS_TYPE_EQUAL;
 	else
 		type = MAC_MLS_TYPE_LOW;
 
 	mls_set_effective(dest, type, 0, NULL);
 	mls_set_range(dest, type, 0, NULL, type, 0, NULL);
 }
 
 static void
 mls_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(ifplabel);
 	dest = SLOT(mlabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
     struct label *ifplabel, struct label *newlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(newlabel);
 	dest = SLOT(ifplabel);
 
 	mls_copy(source, dest);
 }
 
 static int
 mls_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *p, *i;
 
 	if (!mls_enabled)
 		return (0);
 
 	p = SLOT(mlabel);
 	i = SLOT(inplabel);
 
 	return (mls_equal_effective(p, i) ? 0 : EACCES);
 }
 
 static int
 mls_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
     struct label *inplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(inplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (ENOENT);
 
 	return (0);
 }
 
 static void
 mls_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp,
     struct label *inplabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(solabel);
 	dest = SLOT(inplabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(inplabel);
 	dest = SLOT(mlabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
 {
 	struct mac_mls *source, *dest;
 
 	SOCK_LOCK_ASSERT(so);
 
 	source = SLOT(solabel);
 	dest = SLOT(inplabel);
 
 	mls_copy(source, dest);
 }
 
 static void
 mls_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(mlabel);
 	dest = SLOT(q6label);
 
 	mls_copy_effective(source, dest);
 }
 
 static int
 mls_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 	struct mac_mls *a, *b;
 
 	a = SLOT(q6label);
 	b = SLOT(mlabel);
 
 	return (mls_equal_effective(a, b));
 }
 
 static void
 mls_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
     struct label *mlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(q6label);
 	dest = SLOT(mlabel);
 
 	/* Just use the head, since we require them all to match. */
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 
 	/* NOOP: we only accept matching labels, so no need to update */
 }
 
 static void
 mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(mlabel);
 	dest = SLOT(qlabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static int
 mls_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 	struct mac_mls *a, *b;
 
 	a = SLOT(qlabel);
 	b = SLOT(mlabel);
 
 	return (mls_equal_effective(a, b));
 }
 
 static void
 mls_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m,
     struct label *mlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(qlabel);
 	dest = SLOT(mlabel);
 
 	/* Just use the head, since we require them all to match. */
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 
 	/* NOOP: we only accept matching labels, so no need to update */
 }
 
 static int
 mls_mount_check_stat(struct ucred *cred, struct mount *mp,
     struct label *mntlabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(mntlabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 mls_mount_create(struct ucred *cred, struct mount *mp, struct label *mplabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(mplabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *dest;
 
 	dest = SLOT(mlabel);
 
 	mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
 }
 
 static void
 mls_netinet_firewall_reply(struct mbuf *mrecv, struct label *mrecvlabel,
     struct mbuf *msend, struct label *msendlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(mrecvlabel);
 	dest = SLOT(msendlabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *dest;
 
 	dest = SLOT(mlabel);
 
 	/* XXX: where is the label for the firewall really coming from? */
 	mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
 }
 
 static void
 mls_netinet_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag,
     struct label *fraglabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(mlabel);
 	dest = SLOT(fraglabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
     struct mbuf *msend, struct label *msendlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(mrecvlabel);
 	dest = SLOT(msendlabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *dest;
 
 	dest = SLOT(mlabel);
 
 	mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
 }
 
 static void
 mls_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *dest;
 
 	dest = SLOT(mlabel);
 
 	mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
 }
 
 static int
 mls_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
 {
 
 	if (!mls_enabled)
 		return (0);
 
 	/* XXX: This will be implemented soon... */
 
 	return (0);
 }
 
 static int
 mls_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_pipe_check_read(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, struct label *newlabel)
 {
 	struct mac_mls *subj, *obj, *new;
 	int error;
 
 	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	/*
 	 * If there is an MLS label update for a pipe, it must be a effective
 	 * update.
 	 */
 	error = mls_atmostflags(new, MAC_MLS_FLAG_EFFECTIVE);
 	if (error)
 		return (error);
 
 	/*
 	 * To perform a relabel of a pipe (MLS label or not), MLS must
 	 * authorize the relabel.
 	 */
 	if (!mls_effective_in_range(obj, subj))
 		return (EPERM);
 
 	/*
 	 * If the MLS label is to be changed, authorize as appropriate.
 	 */
 	if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
 		/*
 		 * To change the MLS label on a pipe, the new pipe label must
 		 * be in the subject range.
 		 */
 		if (!mls_effective_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the MLS label on a pipe to be EQUAL, the subject
 		 * must have appropriate privilege.
 		 */
 		if (mls_contains_equal(new)) {
 			error = mls_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 	}
 
 	return (0);
 }
 
 static int
 mls_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_pipe_check_write(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(pplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 mls_pipe_create(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(pplabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_pipe_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, struct label *newlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(newlabel);
 	dest = SLOT(pplabel);
 
 	mls_copy(source, dest);
 }
 
 static int
 mls_posixsem_check_openunlink(struct ucred *cred, struct ksem *ks,
     struct label *kslabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(kslabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_posixsem_check_rdonly(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(kslabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
     struct label *shmlabel, mode_t mode)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
     struct label *shmlabel, uid_t uid, gid_t gid)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(kslabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 mls_posixsem_create(struct ucred *cred, struct ksem *ks,
     struct label *kslabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(kslabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static int
 mls_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, int prot, int flags)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
 		if (!mls_dominate_effective(subj, obj))
 			return (EACCES);
 	}
 	if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
 		if (!mls_dominate_effective(obj, subj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 mls_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, accmode_t accmode)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
 		if (!mls_dominate_effective(subj, obj))
 			return (EACCES);
 	}
 	if (accmode & VMODIFY_PERMS) {
 		if (!mls_dominate_effective(obj, subj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 mls_posixshm_check_read(struct ucred *active_cred, struct ucred *file_cred,
     struct shmfd *shm, struct label *shmlabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, mode_t mode)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, uid_t uid, gid_t gid)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
     struct shmfd *shmfd, struct label *shmlabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_posixshm_check_truncate(struct ucred *active_cred,
     struct ucred *file_cred, struct shmfd *shmfd, struct label *shmlabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
     
 	return (0);
 }
 
 static int
 mls_posixshm_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct shmfd *shm, struct label *shmlabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(shmlabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 mls_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(shmlabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static int
 mls_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(p->p_ucred->cr_label);
 
 	/* XXX: range checks */
 	if (!mls_dominate_effective(subj, obj))
 		return (ESRCH);
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(p->p_ucred->cr_label);
 
 	/* XXX: range checks */
 	if (!mls_dominate_effective(subj, obj))
 		return (ESRCH);
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(p->p_ucred->cr_label);
 
 	/* XXX: range checks */
 	if (!mls_dominate_effective(subj, obj))
 		return (ESRCH);
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_socket_check_deliver(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *p, *s;
 	int error;
 
 	if (!mls_enabled)
 		return (0);
 
 	p = SLOT(mlabel);
 	s = SLOT(solabel);
 
 	SOCK_LOCK(so);
 	error = mls_equal_effective(p, s) ? 0 : EACCES;
 	SOCK_UNLOCK(so);
 
 	return (error);
 }
 
 static int
 mls_socket_check_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
 	struct mac_mls *subj, *obj, *new;
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
 	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(solabel);
 
 	/*
 	 * If there is an MLS label update for the socket, it may be an
 	 * update of effective.
 	 */
 	error = mls_atmostflags(new, MAC_MLS_FLAG_EFFECTIVE);
 	if (error)
 		return (error);
 
 	/*
 	 * To relabel a socket, the old socket effective must be in the
 	 * subject range.
 	 */
 	if (!mls_effective_in_range(obj, subj))
 		return (EPERM);
 
 	/*
 	 * If the MLS label is to be changed, authorize as appropriate.
 	 */
 	if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
 		/*
 		 * To relabel a socket, the new socket effective must be in
 		 * the subject range.
 		 */
 		if (!mls_effective_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the MLS label on the socket to contain EQUAL,
 		 * the subject must have appropriate privilege.
 		 */
 		if (mls_contains_equal(new)) {
 			error = mls_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 	}
 
 	return (0);
 }
 
 static int
 mls_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(solabel);
 
 	SOCK_LOCK(so);
 	if (!mls_dominate_effective(subj, obj)) {
 		SOCK_UNLOCK(so);
 		return (ENOENT);
 	}
 	SOCK_UNLOCK(so);
 
 	return (0);
 }
 
 static void
 mls_socket_create(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(solabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_socket_create_mbuf(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(solabel);
 	dest = SLOT(mlabel);
 
 	SOCK_LOCK(so);
 	mls_copy_effective(source, dest);
 	SOCK_UNLOCK(so);
 }
 
 static void
 mls_socket_newconn(struct socket *oldso, struct label *oldsolabel,
     struct socket *newso, struct label *newsolabel)
 {
 	struct mac_mls source, *dest;
 
 	SOCK_LOCK(oldso);
 	source = *SLOT(oldsolabel);
 	SOCK_UNLOCK(oldso);
 
 	dest = SLOT(newsolabel);
 
 	SOCK_LOCK(newso);
 	mls_copy_effective(&source, dest);
 	SOCK_UNLOCK(newso);
 }
 
 static void
 mls_socket_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
 	struct mac_mls *source, *dest;
 
 	SOCK_LOCK_ASSERT(so);
 
 	source = SLOT(newlabel);
 	dest = SLOT(solabel);
 
 	mls_copy(source, dest);
 }
 
 static void
 mls_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
     struct socket *so, struct label *sopeerlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(mlabel);
 	dest = SLOT(sopeerlabel);
 
 	SOCK_LOCK(so);
 	mls_copy_effective(source, dest);
 	SOCK_UNLOCK(so);
 }
 
 static void
 mls_socketpeer_set_from_socket(struct socket *oldso,
     struct label *oldsolabel, struct socket *newso,
     struct label *newsopeerlabel)
 {
 	struct mac_mls source, *dest;
 
 	SOCK_LOCK(oldso);
 	source = *SLOT(oldsolabel);
 	SOCK_UNLOCK(oldso);
 
 	dest = SLOT(newsopeerlabel);
 
 	SOCK_LOCK(newso);
 	mls_copy_effective(&source, dest);
 	SOCK_UNLOCK(newso);
 }
 
 static void
 mls_syncache_create(struct label *label, struct inpcb *inp)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(inp->inp_label);
 	dest = SLOT(label);
 
 	mls_copy_effective(source, dest);
 }
 
 static void
 mls_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
     struct label *mlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(sc_label);
 	dest = SLOT(mlabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static int
 mls_system_check_acct(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	if (vplabel == NULL)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj) ||
 	    !mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_system_check_auditctl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj) ||
 	    !mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_system_check_swapon(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj) ||
 	    !mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 mls_sysvmsg_cleanup(struct label *msglabel)
 {
 
 	bzero(SLOT(msglabel), sizeof(struct mac_mls));
 }
 
 static void
 mls_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
 {
 	struct mac_mls *source, *dest;
 
 	/* Ignore the msgq label. */
 	source = SLOT(cred->cr_label);
 	dest = SLOT(msglabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static int
 mls_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msglabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msglabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqklabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msqklabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqklabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msqklabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqklabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msqklabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqklabel, int cmd)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(msqklabel);
 
 	switch(cmd) {
 	case IPC_RMID:
 	case IPC_SET:
 		if (!mls_dominate_effective(obj, subj))
 			return (EACCES);
 		break;
 
 	case IPC_STAT:
 		if (!mls_dominate_effective(subj, obj))
 			return (EACCES);
 		break;
 
 	default:
 		return (EACCES);
 	}
 
 	return (0);
 }
 
 static void
 mls_sysvmsq_cleanup(struct label *msqlabel)
 {
 
 	bzero(SLOT(msqlabel), sizeof(struct mac_mls));
 }
 
 static void
 mls_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(msqlabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static int
 mls_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semaklabel, int cmd)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(semaklabel);
 
 	switch(cmd) {
 	case IPC_RMID:
 	case IPC_SET:
 	case SETVAL:
 	case SETALL:
 		if (!mls_dominate_effective(obj, subj))
 			return (EACCES);
 		break;
 
 	case IPC_STAT:
 	case GETVAL:
 	case GETPID:
 	case GETNCNT:
 	case GETZCNT:
 	case GETALL:
 		if (!mls_dominate_effective(subj, obj))
 			return (EACCES);
 		break;
 
 	default:
 		return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 mls_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semaklabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(semaklabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semaklabel, size_t accesstype)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(semaklabel);
 
 	if( accesstype & SEM_R )
 		if (!mls_dominate_effective(subj, obj))
 			return (EACCES);
 
 	if( accesstype & SEM_A )
 		if (!mls_dominate_effective(obj, subj))
 			return (EACCES);
 
 	return (0);
 }
 
 static void
 mls_sysvsem_cleanup(struct label *semalabel)
 {
 
 	bzero(SLOT(semalabel), sizeof(struct mac_mls));
 }
 
 static void
 mls_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semalabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(semalabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static int
 mls_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmseglabel, int shmflg)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmseglabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 	if ((shmflg & SHM_RDONLY) == 0) {
 		if (!mls_dominate_effective(obj, subj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 mls_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmseglabel, int cmd)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmseglabel);
 
 	switch(cmd) {
 	case IPC_RMID:
 	case IPC_SET:
 		if (!mls_dominate_effective(obj, subj))
 			return (EACCES);
 		break;
 
 	case IPC_STAT:
 	case SHM_STAT:
 		if (!mls_dominate_effective(subj, obj))
 			return (EACCES);
 		break;
 
 	default:
 		return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 mls_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmseglabel, int shmflg)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(shmseglabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static void
 mls_sysvshm_cleanup(struct label *shmlabel)
 {
 
 	bzero(SLOT(shmlabel), sizeof(struct mac_mls));
 }
 
 static void
 mls_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmlabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(shmlabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static int
 mls_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_mls mm_temp, *source, *dest;
 	int buflen, error;
 
 	source = SLOT(mplabel);
 	dest = SLOT(vplabel);
 
 	buflen = sizeof(mm_temp);
 	bzero(&mm_temp, buflen);
 
 	error = vn_extattr_get(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
 	    MAC_MLS_EXTATTR_NAME, &buflen, (char *) &mm_temp, curthread);
 	if (error == ENOATTR || error == EOPNOTSUPP) {
 		/* Fall back to the mntlabel. */
 		mls_copy_effective(source, dest);
 		return (0);
 	} else if (error)
 		return (error);
 
 	if (buflen != sizeof(mm_temp)) {
 		printf("mls_vnode_associate_extattr: bad size %d\n", buflen);
 		return (EPERM);
 	}
 	if (mls_valid(&mm_temp) != 0) {
 		printf("mls_vnode_associate_extattr: invalid\n");
 		return (EPERM);
 	}
 	if ((mm_temp.mm_flags & MAC_MLS_FLAGS_BOTH) !=
 	    MAC_MLS_FLAG_EFFECTIVE) {
 		printf("mls_associated_vnode_extattr: not effective\n");
 		return (EPERM);
 	}
 
 	mls_copy_effective(&mm_temp, dest);
 	return (0);
 }
 
 static void
 mls_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(mplabel);
 	dest = SLOT(vplabel);
 
 	mls_copy_effective(source, dest);
 }
 
 static int
 mls_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_create(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_exec(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct image_params *imgp,
     struct label *execlabel)
 {
 	struct mac_mls *subj, *obj, *exec;
 	int error;
 
 	if (execlabel != NULL) {
 		/*
 		 * We currently don't permit labels to be changed at
 		 * exec-time as part of MLS, so disallow non-NULL MLS label
 		 * elements in the execlabel.
 		 */
 		exec = SLOT(execlabel);
 		error = mls_atmostflags(exec, 0);
 		if (error)
 			return (error);
 	}
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_link(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	obj = SLOT(vplabel);
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace)
 {
 
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int prot, int flags)
 {
 	struct mac_mls *subj, *obj;
 
 	/*
 	 * Rely on the use of open()-time protections to handle
 	 * non-revocation cases.
 	 */
 	if (!mls_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
 		if (!mls_dominate_effective(subj, obj))
 			return (EACCES);
 	}
 	if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
 		if (!mls_dominate_effective(obj, subj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 mls_vnode_check_open(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, accmode_t accmode)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	/* XXX privilege override for admin? */
 	if (accmode & (VREAD | VEXEC | VSTAT_PERMS)) {
 		if (!mls_dominate_effective(subj, obj))
 			return (EACCES);
 	}
 	if (accmode & VMODIFY_PERMS) {
 		if (!mls_dominate_effective(obj, subj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 mls_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *newlabel)
 {
 	struct mac_mls *old, *new, *subj;
 	int error;
 
 	old = SLOT(vplabel);
 	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
 
 	/*
 	 * If there is an MLS label update for the vnode, it must be a
 	 * effective label.
 	 */
 	error = mls_atmostflags(new, MAC_MLS_FLAG_EFFECTIVE);
 	if (error)
 		return (error);
 
 	/*
 	 * To perform a relabel of the vnode (MLS label or not), MLS must
 	 * authorize the relabel.
 	 */
 	if (!mls_effective_in_range(old, subj))
 		return (EPERM);
 
 	/*
 	 * If the MLS label is to be changed, authorize as appropriate.
 	 */
 	if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
 		/*
 		 * To change the MLS label on a vnode, the new vnode label
 		 * must be in the subject range.
 		 */
 		if (!mls_effective_in_range(new, subj))
 			return (EPERM);
 
 		/*
 		 * To change the MLS label on the vnode to be EQUAL, the
 		 * subject must have appropriate privilege.
 		 */
 		if (mls_contains_equal(new)) {
 			error = mls_subject_privileged(subj);
 			if (error)
 				return (error);
 		}
 	}
 
 	return (0);
 }
 
 static int
 mls_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     int samedir, struct componentname *cnp)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	if (vp != NULL) {
 		obj = SLOT(vplabel);
 
 		if (!mls_dominate_effective(obj, subj))
 			return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
 mls_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type, struct acl *acl)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	/* XXX: protect the MAC EA in a special way? */
 
 	return (0);
 }
 
 static int
 mls_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, u_long flags)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, mode_t mode)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, uid_t uid, gid_t gid)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct timespec atime, struct timespec mtime)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(dvplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mls_enabled || !revocation_enabled)
 		return (0);
 
 	subj = SLOT(active_cred->cr_label);
 	obj = SLOT(vplabel);
 
 	if (!mls_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
 mls_vnode_create_extattr(struct ucred *cred, struct mount *mp,
     struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
     struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
 	struct mac_mls *source, *dest, mm_temp;
 	size_t buflen;
 	int error;
 
 	buflen = sizeof(mm_temp);
 	bzero(&mm_temp, buflen);
 
 	source = SLOT(cred->cr_label);
 	dest = SLOT(vplabel);
 	mls_copy_effective(source, &mm_temp);
 
 	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
 	    MAC_MLS_EXTATTR_NAME, buflen, (char *) &mm_temp, curthread);
 	if (error == 0)
 		mls_copy_effective(source, dest);
 	return (error);
 }
 
 static void
 mls_vnode_relabel(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *label)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(label);
 	dest = SLOT(vplabel);
 
 	mls_copy(source, dest);
 }
 
 static int
 mls_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *intlabel)
 {
 	struct mac_mls *source, mm_temp;
 	size_t buflen;
 	int error;
 
 	buflen = sizeof(mm_temp);
 	bzero(&mm_temp, buflen);
 
 	source = SLOT(intlabel);
 	if ((source->mm_flags & MAC_MLS_FLAG_EFFECTIVE) == 0)
 		return (0);
 
 	mls_copy_effective(source, &mm_temp);
 
 	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
 	    MAC_MLS_EXTATTR_NAME, buflen, (char *) &mm_temp, curthread);
 	return (error);
 }
 
 static struct mac_policy_ops mls_ops =
 {
 	.mpo_init = mls_init,
 
 	.mpo_bpfdesc_check_receive = mls_bpfdesc_check_receive,
 	.mpo_bpfdesc_create = mls_bpfdesc_create,
 	.mpo_bpfdesc_create_mbuf = mls_bpfdesc_create_mbuf,
 	.mpo_bpfdesc_destroy_label = mls_destroy_label,
 	.mpo_bpfdesc_init_label = mls_init_label,
 
 	.mpo_cred_associate_nfsd = mls_cred_associate_nfsd,
 	.mpo_cred_check_relabel = mls_cred_check_relabel,
 	.mpo_cred_check_visible = mls_cred_check_visible,
 	.mpo_cred_copy_label = mls_copy_label,
 	.mpo_cred_create_init = mls_cred_create_init,
 	.mpo_cred_create_swapper = mls_cred_create_swapper,
 	.mpo_cred_destroy_label = mls_destroy_label,
 	.mpo_cred_externalize_label = mls_externalize_label,
 	.mpo_cred_init_label = mls_init_label,
 	.mpo_cred_internalize_label = mls_internalize_label,
 	.mpo_cred_relabel = mls_cred_relabel,
 
 	.mpo_devfs_create_device = mls_devfs_create_device,
 	.mpo_devfs_create_directory = mls_devfs_create_directory,
 	.mpo_devfs_create_symlink = mls_devfs_create_symlink,
 	.mpo_devfs_destroy_label = mls_destroy_label,
 	.mpo_devfs_init_label = mls_init_label,
 	.mpo_devfs_update = mls_devfs_update,
 	.mpo_devfs_vnode_associate = mls_devfs_vnode_associate,
 
 	.mpo_ifnet_check_relabel = mls_ifnet_check_relabel,
 	.mpo_ifnet_check_transmit = mls_ifnet_check_transmit,
 	.mpo_ifnet_copy_label = mls_copy_label,
 	.mpo_ifnet_create = mls_ifnet_create,
 	.mpo_ifnet_create_mbuf = mls_ifnet_create_mbuf,
 	.mpo_ifnet_destroy_label = mls_destroy_label,
 	.mpo_ifnet_externalize_label = mls_externalize_label,
 	.mpo_ifnet_init_label = mls_init_label,
 	.mpo_ifnet_internalize_label = mls_internalize_label,
 	.mpo_ifnet_relabel = mls_ifnet_relabel,
 
 	.mpo_inpcb_check_deliver = mls_inpcb_check_deliver,
 	.mpo_inpcb_check_visible = mls_inpcb_check_visible,
 	.mpo_inpcb_create = mls_inpcb_create,
 	.mpo_inpcb_create_mbuf = mls_inpcb_create_mbuf,
 	.mpo_inpcb_destroy_label = mls_destroy_label,
 	.mpo_inpcb_init_label = mls_init_label_waitcheck,
 	.mpo_inpcb_sosetlabel = mls_inpcb_sosetlabel,
 
 	.mpo_ip6q_create = mls_ip6q_create,
 	.mpo_ip6q_destroy_label = mls_destroy_label,
 	.mpo_ip6q_init_label = mls_init_label_waitcheck,
 	.mpo_ip6q_match = mls_ip6q_match,
 	.mpo_ip6q_reassemble = mls_ip6q_reassemble,
 	.mpo_ip6q_update = mls_ip6q_update,
 
 	.mpo_ipq_create = mls_ipq_create,
 	.mpo_ipq_destroy_label = mls_destroy_label,
 	.mpo_ipq_init_label = mls_init_label_waitcheck,
 	.mpo_ipq_match = mls_ipq_match,
 	.mpo_ipq_reassemble = mls_ipq_reassemble,
 	.mpo_ipq_update = mls_ipq_update,
 
 	.mpo_mbuf_copy_label = mls_copy_label,
 	.mpo_mbuf_destroy_label = mls_destroy_label,
 	.mpo_mbuf_init_label = mls_init_label_waitcheck,
 
 	.mpo_mount_check_stat = mls_mount_check_stat,
 	.mpo_mount_create = mls_mount_create,
 	.mpo_mount_destroy_label = mls_destroy_label,
 	.mpo_mount_init_label = mls_init_label,
 
 	.mpo_netinet_arp_send = mls_netinet_arp_send,
 	.mpo_netinet_firewall_reply = mls_netinet_firewall_reply,
 	.mpo_netinet_firewall_send = mls_netinet_firewall_send,
 	.mpo_netinet_fragment = mls_netinet_fragment,
 	.mpo_netinet_icmp_reply = mls_netinet_icmp_reply,
 	.mpo_netinet_igmp_send = mls_netinet_igmp_send,
 
 	.mpo_netinet6_nd6_send = mls_netinet6_nd6_send,
 
 	.mpo_pipe_check_ioctl = mls_pipe_check_ioctl,
 	.mpo_pipe_check_poll = mls_pipe_check_poll,
 	.mpo_pipe_check_read = mls_pipe_check_read,
 	.mpo_pipe_check_relabel = mls_pipe_check_relabel,
 	.mpo_pipe_check_stat = mls_pipe_check_stat,
 	.mpo_pipe_check_write = mls_pipe_check_write,
 	.mpo_pipe_copy_label = mls_copy_label,
 	.mpo_pipe_create = mls_pipe_create,
 	.mpo_pipe_destroy_label = mls_destroy_label,
 	.mpo_pipe_externalize_label = mls_externalize_label,
 	.mpo_pipe_init_label = mls_init_label,
 	.mpo_pipe_internalize_label = mls_internalize_label,
 	.mpo_pipe_relabel = mls_pipe_relabel,
 
 	.mpo_posixsem_check_getvalue = mls_posixsem_check_rdonly,
 	.mpo_posixsem_check_open = mls_posixsem_check_openunlink,
 	.mpo_posixsem_check_post = mls_posixsem_check_write,
 	.mpo_posixsem_check_setmode = mls_posixsem_check_setmode,
 	.mpo_posixsem_check_setowner = mls_posixsem_check_setowner,
 	.mpo_posixsem_check_stat = mls_posixsem_check_rdonly,
 	.mpo_posixsem_check_unlink = mls_posixsem_check_openunlink,
 	.mpo_posixsem_check_wait = mls_posixsem_check_write,
 	.mpo_posixsem_create = mls_posixsem_create,
 	.mpo_posixsem_destroy_label = mls_destroy_label,
 	.mpo_posixsem_init_label = mls_init_label,
 
 	.mpo_posixshm_check_mmap = mls_posixshm_check_mmap,
 	.mpo_posixshm_check_open = mls_posixshm_check_open,
 	.mpo_posixshm_check_read = mls_posixshm_check_read,
 	.mpo_posixshm_check_setmode = mls_posixshm_check_setmode,
 	.mpo_posixshm_check_setowner = mls_posixshm_check_setowner,
 	.mpo_posixshm_check_stat = mls_posixshm_check_stat,
 	.mpo_posixshm_check_truncate = mls_posixshm_check_truncate,
 	.mpo_posixshm_check_unlink = mls_posixshm_check_unlink,
 	.mpo_posixshm_check_write = mls_posixshm_check_write,
 	.mpo_posixshm_create = mls_posixshm_create,
 	.mpo_posixshm_destroy_label = mls_destroy_label,
 	.mpo_posixshm_init_label = mls_init_label,
 
 	.mpo_proc_check_debug = mls_proc_check_debug,
 	.mpo_proc_check_sched = mls_proc_check_sched,
 	.mpo_proc_check_signal = mls_proc_check_signal,
 
 	.mpo_socket_check_deliver = mls_socket_check_deliver,
 	.mpo_socket_check_relabel = mls_socket_check_relabel,
 	.mpo_socket_check_visible = mls_socket_check_visible,
 	.mpo_socket_copy_label = mls_copy_label,
 	.mpo_socket_create = mls_socket_create,
 	.mpo_socket_create_mbuf = mls_socket_create_mbuf,
 	.mpo_socket_destroy_label = mls_destroy_label,
 	.mpo_socket_externalize_label = mls_externalize_label,
 	.mpo_socket_init_label = mls_init_label_waitcheck,
 	.mpo_socket_internalize_label = mls_internalize_label,
 	.mpo_socket_newconn = mls_socket_newconn,
 	.mpo_socket_relabel = mls_socket_relabel,
 
 	.mpo_socketpeer_destroy_label = mls_destroy_label,
 	.mpo_socketpeer_externalize_label = mls_externalize_label,
 	.mpo_socketpeer_init_label = mls_init_label_waitcheck,
 	.mpo_socketpeer_set_from_mbuf = mls_socketpeer_set_from_mbuf,
 	.mpo_socketpeer_set_from_socket = mls_socketpeer_set_from_socket,
 
 	.mpo_syncache_create = mls_syncache_create,
 	.mpo_syncache_create_mbuf = mls_syncache_create_mbuf,
 	.mpo_syncache_destroy_label = mls_destroy_label,
 	.mpo_syncache_init_label = mls_init_label_waitcheck,
 
 	.mpo_sysvmsg_cleanup = mls_sysvmsg_cleanup,
 	.mpo_sysvmsg_create = mls_sysvmsg_create,
 	.mpo_sysvmsg_destroy_label = mls_destroy_label,
 	.mpo_sysvmsg_init_label = mls_init_label,
 
 	.mpo_sysvmsq_check_msgrcv = mls_sysvmsq_check_msgrcv,
 	.mpo_sysvmsq_check_msgrmid = mls_sysvmsq_check_msgrmid,
 	.mpo_sysvmsq_check_msqget = mls_sysvmsq_check_msqget,
 	.mpo_sysvmsq_check_msqsnd = mls_sysvmsq_check_msqsnd,
 	.mpo_sysvmsq_check_msqrcv = mls_sysvmsq_check_msqrcv,
 	.mpo_sysvmsq_check_msqctl = mls_sysvmsq_check_msqctl,
 	.mpo_sysvmsq_cleanup = mls_sysvmsq_cleanup,
 	.mpo_sysvmsq_destroy_label = mls_destroy_label,
 	.mpo_sysvmsq_init_label = mls_init_label,
 	.mpo_sysvmsq_create = mls_sysvmsq_create,
 
 	.mpo_sysvsem_check_semctl = mls_sysvsem_check_semctl,
 	.mpo_sysvsem_check_semget = mls_sysvsem_check_semget,
 	.mpo_sysvsem_check_semop = mls_sysvsem_check_semop,
 	.mpo_sysvsem_cleanup = mls_sysvsem_cleanup,
 	.mpo_sysvsem_create = mls_sysvsem_create,
 	.mpo_sysvsem_destroy_label = mls_destroy_label,
 	.mpo_sysvsem_init_label = mls_init_label,
 
 	.mpo_sysvshm_check_shmat = mls_sysvshm_check_shmat,
 	.mpo_sysvshm_check_shmctl = mls_sysvshm_check_shmctl,
 	.mpo_sysvshm_check_shmget = mls_sysvshm_check_shmget,
 	.mpo_sysvshm_cleanup = mls_sysvshm_cleanup,
 	.mpo_sysvshm_create = mls_sysvshm_create,
 	.mpo_sysvshm_destroy_label = mls_destroy_label,
 	.mpo_sysvshm_init_label = mls_init_label,
 
 	.mpo_system_check_acct = mls_system_check_acct,
 	.mpo_system_check_auditctl = mls_system_check_auditctl,
 	.mpo_system_check_swapon = mls_system_check_swapon,
 
 	.mpo_vnode_associate_extattr = mls_vnode_associate_extattr,
 	.mpo_vnode_associate_singlelabel = mls_vnode_associate_singlelabel,
 	.mpo_vnode_check_access = mls_vnode_check_open,
 	.mpo_vnode_check_chdir = mls_vnode_check_chdir,
 	.mpo_vnode_check_chroot = mls_vnode_check_chroot,
 	.mpo_vnode_check_create = mls_vnode_check_create,
 	.mpo_vnode_check_deleteacl = mls_vnode_check_deleteacl,
 	.mpo_vnode_check_deleteextattr = mls_vnode_check_deleteextattr,
 	.mpo_vnode_check_exec = mls_vnode_check_exec,
 	.mpo_vnode_check_getacl = mls_vnode_check_getacl,
 	.mpo_vnode_check_getextattr = mls_vnode_check_getextattr,
 	.mpo_vnode_check_link = mls_vnode_check_link,
 	.mpo_vnode_check_listextattr = mls_vnode_check_listextattr,
 	.mpo_vnode_check_lookup = mls_vnode_check_lookup,
 	.mpo_vnode_check_mmap = mls_vnode_check_mmap,
 	.mpo_vnode_check_open = mls_vnode_check_open,
 	.mpo_vnode_check_poll = mls_vnode_check_poll,
 	.mpo_vnode_check_read = mls_vnode_check_read,
 	.mpo_vnode_check_readdir = mls_vnode_check_readdir,
 	.mpo_vnode_check_readlink = mls_vnode_check_readlink,
 	.mpo_vnode_check_relabel = mls_vnode_check_relabel,
 	.mpo_vnode_check_rename_from = mls_vnode_check_rename_from,
 	.mpo_vnode_check_rename_to = mls_vnode_check_rename_to,
 	.mpo_vnode_check_revoke = mls_vnode_check_revoke,
 	.mpo_vnode_check_setacl = mls_vnode_check_setacl,
 	.mpo_vnode_check_setextattr = mls_vnode_check_setextattr,
 	.mpo_vnode_check_setflags = mls_vnode_check_setflags,
 	.mpo_vnode_check_setmode = mls_vnode_check_setmode,
 	.mpo_vnode_check_setowner = mls_vnode_check_setowner,
 	.mpo_vnode_check_setutimes = mls_vnode_check_setutimes,
 	.mpo_vnode_check_stat = mls_vnode_check_stat,
 	.mpo_vnode_check_unlink = mls_vnode_check_unlink,
 	.mpo_vnode_check_write = mls_vnode_check_write,
 	.mpo_vnode_copy_label = mls_copy_label,
 	.mpo_vnode_create_extattr = mls_vnode_create_extattr,
 	.mpo_vnode_destroy_label = mls_destroy_label,
 	.mpo_vnode_externalize_label = mls_externalize_label,
 	.mpo_vnode_init_label = mls_init_label,
 	.mpo_vnode_internalize_label = mls_internalize_label,
 	.mpo_vnode_relabel = mls_vnode_relabel,
 	.mpo_vnode_setlabel_extattr = mls_vnode_setlabel_extattr,
 };
 
 MAC_POLICY_SET(&mls_ops, mac_mls, "TrustedBSD MAC/MLS",
     MPC_LOADTIME_FLAG_NOTLATE, &mls_slot);
diff --git a/sys/security/mac_ntpd/mac_ntpd.c b/sys/security/mac_ntpd/mac_ntpd.c
index 3125bc057be8..1aeaeb032bb8 100644
--- a/sys/security/mac_ntpd/mac_ntpd.c
+++ b/sys/security/mac_ntpd/mac_ntpd.c
@@ -1,76 +1,74 @@
 /*-
  * SPDX-License-Identifier: BSD-2-Clause
  *
  * Copyright (c) 2018 Ian Lepore <ian@FreeBSD.org>
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/module.h>
 #include <sys/priv.h>
 #include <sys/sysctl.h>
 #include <sys/ucred.h>
 
 #include <security/mac/mac_policy.h>
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, ntpd,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "mac_ntpd policy controls");
 
 static int ntpd_enabled = 1;
 SYSCTL_INT(_security_mac_ntpd, OID_AUTO, enabled, CTLFLAG_RWTUN,
     &ntpd_enabled, 0, "Enable mac_ntpd policy");
 
 static int ntpd_uid = 123;
 SYSCTL_INT(_security_mac_ntpd, OID_AUTO, uid, CTLFLAG_RWTUN,
     &ntpd_uid, 0, "User id for ntpd user");
 
 static int
 ntpd_priv_grant(struct ucred *cred, int priv)
 {
 
 	if (ntpd_enabled && cred->cr_uid == ntpd_uid) {
 		switch (priv) {
 		case PRIV_ADJTIME:
 		case PRIV_CLOCK_SETTIME:
 		case PRIV_NTP_ADJTIME:
 		case PRIV_NETINET_RESERVEDPORT:
 		case PRIV_NETINET_REUSEPORT:
 			return (0);
 		default:
 			break;
 		}
 	}
 	return (EPERM);
 }
 
 static struct mac_policy_ops ntpd_ops =
 {
 	.mpo_priv_grant = ntpd_priv_grant,
 };
 
 MAC_POLICY_SET(&ntpd_ops, mac_ntpd, "MAC/ntpd",
     MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index 2cff042cb33a..2f0189b79ace 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -1,318 +1,316 @@
 /*-
  * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2002 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by Network
  * Associates Laboratories, the Security Research Division of Network
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 /*
  * Developed by the TrustedBSD Project.
  *
  * Experiment with a partition-like model.
  */
 
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/module.h>
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/sbuf.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/systm.h>
 #include <sys/sysctl.h>
 
 #include <net/route.h>
 #include <netinet/in.h>
 #include <netinet/in_pcb.h>
 
 #include <security/mac/mac_policy.h>
 #include <security/mac_partition/mac_partition.h>
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, partition,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "TrustedBSD mac_partition policy controls");
 
 static int	partition_enabled = 1;
 SYSCTL_INT(_security_mac_partition, OID_AUTO, enabled, CTLFLAG_RW,
     &partition_enabled, 0, "Enforce partition policy");
 
 static int	partition_slot;
 #define	SLOT(l)	mac_label_get((l), partition_slot)
 #define	SLOT_SET(l, v)	mac_label_set((l), partition_slot, (v))
 
 static int
 partition_check(struct label *subject, struct label *object)
 {
 
 	if (partition_enabled == 0)
 		return (0);
 
 	if (subject == NULL)
 		return (0);
 
 	if (SLOT(subject) == 0)
 		return (0);
 
 	/*
 	 * If the object label hasn't been allocated, then it's effectively
 	 * not in a partition, and we know the subject is as it has a label
 	 * and it's not 0, so reject.
 	 */
 	if (object == NULL)
 		return (EPERM);
 
 	if (SLOT(subject) == SLOT(object))
 		return (0);
 
 	return (EPERM);
 }
 
 /*
  * Object-specific entry points are sorted alphabetically by object type name
  * and then by operation.
  */
 static int
 partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
 	int error;
 
 	error = 0;
 
 	/*
 	 * Treat "0" as a no-op request because it reflects an unset
 	 * partition label.  If we ever want to support switching back to an
 	 * unpartitioned state for a process, we'll need to differentiate the
 	 * "not in a partition" and "no partition defined during internalize"
 	 * conditions.
 	 */
 	if (SLOT(newlabel) != 0) {
 		/*
 		 * Require BSD privilege in order to change the partition.
 		 * Originally we also required that the process not be in a
 		 * partition in the first place, but this didn't interact
 		 * well with sendmail.
 		 */
 		error = priv_check_cred(cred, PRIV_MAC_PARTITION);
 	}
 
 	return (error);
 }
 
 static int
 partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 {
 	int error;
 
 	error = partition_check(cr1->cr_label, cr2->cr_label);
 
 	return (error == 0 ? 0 : ESRCH);
 }
 
 static void
 partition_cred_copy_label(struct label *src, struct label *dest)
 {
 
 	if (src != NULL && dest != NULL)
 		SLOT_SET(dest, SLOT(src));
 	else if (dest != NULL)
 		SLOT_SET(dest, 0);
 }
 
 static void
 partition_cred_create_init(struct ucred *cred)
 {
 
 	SLOT_SET(cred->cr_label, 0);
 }
 
 static void
 partition_cred_create_swapper(struct ucred *cred)
 {
 
 	SLOT_SET(cred->cr_label, 0);
 }
 
 static void
 partition_cred_destroy_label(struct label *label)
 {
 
 	SLOT_SET(label, 0);
 }
 
 static int
 partition_cred_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
 {
 
 	if (strcmp(MAC_PARTITION_LABEL_NAME, element_name) != 0)
 		return (0);
 
 	(*claimed)++;
 
 	if (label != NULL) {
 		if (sbuf_printf(sb, "%jd", (intmax_t)SLOT(label)) == -1)
 			return (EINVAL);
 	} else {
 		if (sbuf_printf(sb, "0") == -1)
 			return (EINVAL);
 	}
 	return (0);
 }
 
 static void
 partition_cred_init_label(struct label *label)
 {
 
 	SLOT_SET(label, 0);
 }
 
 static int
 partition_cred_internalize_label(struct label *label, char *element_name,
     char *element_data, int *claimed)
 {
 
 	if (strcmp(MAC_PARTITION_LABEL_NAME, element_name) != 0)
 		return (0);
 
 	(*claimed)++;
 	SLOT_SET(label, strtol(element_data, NULL, 10));
 	return (0);
 }
 
 static void
 partition_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 
 	if (newlabel != NULL && SLOT(newlabel) != 0)
 		SLOT_SET(cred->cr_label, SLOT(newlabel));
 }
 
 static int
 partition_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
     struct label *inplabel)
 {
 	int error;
 
 	error = partition_check(cred->cr_label, inp->inp_cred->cr_label);
 
 	return (error ? ENOENT : 0);
 }
 
 static int
 partition_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	int error;
 
 	error = partition_check(cred->cr_label, p->p_ucred->cr_label);
 
 	return (error ? ESRCH : 0);
 }
 
 static int
 partition_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 	int error;
 
 	error = partition_check(cred->cr_label, p->p_ucred->cr_label);
 
 	return (error ? ESRCH : 0);
 }
 
 static int
 partition_proc_check_signal(struct ucred *cred, struct proc *p,
     int signum)
 {
 	int error;
 
 	error = partition_check(cred->cr_label, p->p_ucred->cr_label);
 
 	return (error ? ESRCH : 0);
 }
 
 static int
 partition_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 	int error;
 
 	error = partition_check(cred->cr_label, so->so_cred->cr_label);
 
 	return (error ? ENOENT : 0);
 }
 
 static int
 partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct image_params *imgp,
     struct label *execlabel)
 {
 
 	if (execlabel != NULL) {
 		/*
 		 * We currently don't permit labels to be changed at
 		 * exec-time as part of the partition model, so disallow
 		 * non-NULL partition label changes in execlabel.
 		 */
 		if (SLOT(execlabel) != 0)
 			return (EINVAL);
 	}
 
 	return (0);
 }
 
 static struct mac_policy_ops partition_ops =
 {
 	.mpo_cred_check_relabel = partition_cred_check_relabel,
 	.mpo_cred_check_visible = partition_cred_check_visible,
 	.mpo_cred_copy_label = partition_cred_copy_label,
 	.mpo_cred_create_init = partition_cred_create_init,
 	.mpo_cred_create_swapper = partition_cred_create_swapper,
 	.mpo_cred_destroy_label = partition_cred_destroy_label,
 	.mpo_cred_externalize_label = partition_cred_externalize_label,
 	.mpo_cred_init_label = partition_cred_init_label,
 	.mpo_cred_internalize_label = partition_cred_internalize_label,
 	.mpo_cred_relabel = partition_cred_relabel,
 	.mpo_inpcb_check_visible = partition_inpcb_check_visible,
 	.mpo_proc_check_debug = partition_proc_check_debug,
 	.mpo_proc_check_sched = partition_proc_check_sched,
 	.mpo_proc_check_signal = partition_proc_check_signal,
 	.mpo_socket_check_visible = partition_socket_check_visible,
 	.mpo_vnode_check_exec = partition_vnode_check_exec,
 };
 
 MAC_POLICY_SET(&partition_ops, mac_partition, "TrustedBSD MAC/Partition",
     MPC_LOADTIME_FLAG_UNLOADOK, &partition_slot);
diff --git a/sys/security/mac_pimd/mac_pimd.c b/sys/security/mac_pimd/mac_pimd.c
index 19ee307c918d..a9276a73b433 100644
--- a/sys/security/mac_pimd/mac_pimd.c
+++ b/sys/security/mac_pimd/mac_pimd.c
@@ -1,73 +1,71 @@
 /*-
  * SPDX-License-Identifier: BSD-2-Clause
  *
  * Copyright (c) 2022 Semihalf, Stormshield
  * Copyright (c) 2018 Ian Lepore <ian@FreeBSD.org>
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/module.h>
 #include <sys/priv.h>
 #include <sys/sysctl.h>
 #include <sys/ucred.h>
 
 #include <security/mac/mac_policy.h>
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, pimd,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "mac_pimd policy controls");
 
 static int pimd_enabled = 0;
 SYSCTL_INT(_security_mac_pimd, OID_AUTO, enabled, CTLFLAG_RWTUN,
     &pimd_enabled, 0, "Enable mac_pimd policy");
 
 static int pimd_uid = 0;
 SYSCTL_INT(_security_mac_pimd, OID_AUTO, uid, CTLFLAG_RWTUN,
     &pimd_uid, 0, "User id for pimd user");
 
 static int
 pimd_priv_grant(struct ucred *cred, int priv)
 {
 
 	if (pimd_enabled && cred->cr_uid == pimd_uid) {
 		switch (priv) {
 		case PRIV_NETINET_MROUTE:
 			return (0);
 		default:
 			break;
 		}
 	}
 	return (EPERM);
 }
 
 static struct mac_policy_ops pimd_ops =
 {
 	.mpo_priv_grant = pimd_priv_grant,
 };
 
 MAC_POLICY_SET(&pimd_ops, mac_pimd, "MAC/pimd",
     MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_portacl/mac_portacl.c b/sys/security/mac_portacl/mac_portacl.c
index 184ec4b4738c..b3a5e06c0e2a 100644
--- a/sys/security/mac_portacl/mac_portacl.c
+++ b/sys/security/mac_portacl/mac_portacl.c
@@ -1,491 +1,489 @@
 /*-
  * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project by Network
  * Associates Laboratories, the Security Research Division of Network
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 /*
  * Developed by the TrustedBSD Project.
  *
  * Administratively limit access to local UDP/TCP ports for binding purposes.
  * Intended to be combined with net.inet.ip.portrange.reservedhigh to allow
  * specific uids and gids to bind specific ports for specific purposes,
  * while not opening the door to any user replacing an "official" service
  * while you're restarting it.  This only affects ports explicitly bound by
  * the user process (either for listen/outgoing socket for TCP, or send/
  * receive for UDP).  This module will not limit ports bound implicitly for
  * out-going connections where the process hasn't explicitly selected a port:
  * these are automatically selected by the IP stack.
  *
  * To use this module, security.mac.enforce_socket must be enabled, and you
  * will probably want to twiddle the net.inet sysctl listed above.  Then use
  * sysctl(8) to modify the rules string:
  *
  * # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"
  *
  * This ruleset, for example, permits uid 425 to bind TCP ports 80 (http) and
  * 79 (finger).  User names and group names can't be used directly because
  * the kernel only knows about uids and gids.
  */
 
 #include <sys/param.h>
 #include <sys/domain.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
 #include <sys/module.h>
 #include <sys/mutex.h>
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/protosw.h>
 #include <sys/queue.h>
 #include <sys/systm.h>
 #include <sys/sbuf.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
 
 #include <netinet/in.h>
 #include <netinet/in_pcb.h>
 
 #include <security/mac/mac_policy.h>
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, portacl,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "TrustedBSD mac_portacl policy controls");
 
 static int	portacl_enabled = 1;
 SYSCTL_INT(_security_mac_portacl, OID_AUTO, enabled, CTLFLAG_RWTUN,
     &portacl_enabled, 0, "Enforce portacl policy");
 
 static int	portacl_suser_exempt = 1;
 SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RWTUN,
     &portacl_suser_exempt, 0, "Privilege permits binding of any port");
 
 static int	portacl_autoport_exempt = 1;
 SYSCTL_INT(_security_mac_portacl, OID_AUTO, autoport_exempt, CTLFLAG_RWTUN,
     &portacl_autoport_exempt, 0, "Allow automatic allocation through "
     "binding port 0 if not IP_PORTRANGELOW");
 
 static int	portacl_port_high = 1023;
 SYSCTL_INT(_security_mac_portacl, OID_AUTO, port_high, CTLFLAG_RWTUN,
     &portacl_port_high, 0, "Highest port to enforce for");
 
 static MALLOC_DEFINE(M_PORTACL, "portacl_rule", "Rules for mac_portacl");
 
 #define	MAC_RULE_STRING_LEN	1024
 
 #define	RULE_GID	1
 #define	RULE_UID	2
 #define	RULE_PROTO_TCP	1
 #define	RULE_PROTO_UDP	2
 struct rule {
 	id_t			r_id;
 	int			r_idtype;
 	u_int16_t		r_port;
 	int			r_protocol;
 
 	TAILQ_ENTRY(rule)	r_entries;
 };
 
 #define	GID_STRING	"gid"
 #define	TCP_STRING	"tcp"
 #define	UID_STRING	"uid"
 #define	UDP_STRING	"udp"
 
 /*
  * Text format for the rule string is that a rule consists of a
  * comma-separated list of elements.  Each element is in the form
  * idtype:id:protocol:portnumber, and constitutes granting of permission
  * for the specified binding.
  */
 
 static struct mtx			rule_mtx;
 static TAILQ_HEAD(rulehead, rule)	rule_head;
 static char				rule_string[MAC_RULE_STRING_LEN];
 
 static void
 toast_rules(struct rulehead *head)
 {
 	struct rule *rule;
 
 	while ((rule = TAILQ_FIRST(head)) != NULL) {
 		TAILQ_REMOVE(head, rule, r_entries);
 		free(rule, M_PORTACL);
 	}
 }
 
 /*
  * Note that there is an inherent race condition in the unload of modules
  * and access via sysctl.
  */
 static void
 destroy(struct mac_policy_conf *mpc)
 {
 
 	mtx_destroy(&rule_mtx);
 	toast_rules(&rule_head);
 }
 
 static void
 init(struct mac_policy_conf *mpc)
 {
 
 	mtx_init(&rule_mtx, "rule_mtx", NULL, MTX_DEF);
 	TAILQ_INIT(&rule_head);
 }
 
 /*
  * Note: parsing routines are destructive on the passed string.
  */
 static int
 parse_rule_element(char *element, struct rule **rule)
 {
 	char *idtype, *id, *protocol, *portnumber, *p;
 	struct rule *new;
 	int error;
 
 	error = 0;
 	new = malloc(sizeof(*new), M_PORTACL, M_ZERO | M_WAITOK);
 
 	idtype = strsep(&element, ":");
 	if (idtype == NULL) {
 		error = EINVAL;
 		goto out;
 	}
 	id = strsep(&element, ":");
 	if (id == NULL) {
 		error = EINVAL;
 		goto out;
 	}
 	new->r_id = strtol(id, &p, 10);
 	if (*p != '\0') {
 		error = EINVAL;
 		goto out;
 	}
 	if (strcmp(idtype, UID_STRING) == 0)
 		new->r_idtype = RULE_UID;
 	else if (strcmp(idtype, GID_STRING) == 0)
 		new->r_idtype = RULE_GID;
 	else {
 		error = EINVAL;
 		goto out;
 	}
 	protocol = strsep(&element, ":");
 	if (protocol == NULL) {
 		error = EINVAL;
 		goto out;
 	}
 	if (strcmp(protocol, TCP_STRING) == 0)
 		new->r_protocol = RULE_PROTO_TCP;
 	else if (strcmp(protocol, UDP_STRING) == 0)
 		new->r_protocol = RULE_PROTO_UDP;
 	else {
 		error = EINVAL;
 		goto out;
 	}
 	portnumber = element;
 	if (portnumber == NULL) {
 		error = EINVAL;
 		goto out;
 	}
 	new->r_port = strtol(portnumber, &p, 10);
 	if (*p != '\0') {
 		error = EINVAL;
 		goto out;
 	}
 
 out:
 	if (error != 0) {
 		free(new, M_PORTACL);
 		*rule = NULL;
 	} else
 		*rule = new;
 	return (error);
 }
 
 static int
 parse_rules(char *string, struct rulehead *head)
 {
 	struct rule *new;
 	char *element;
 	int error;
 
 	error = 0;
 	while ((element = strsep(&string, ",")) != NULL) {
 		if (strlen(element) == 0)
 			continue;
 		error = parse_rule_element(element, &new);
 		if (error)
 			goto out;
 		TAILQ_INSERT_TAIL(head, new, r_entries);
 	}
 out:
 	if (error != 0)
 		toast_rules(head);
 	return (error);
 }
 
 /*
  * rule_printf() and rules_to_string() are unused currently because they rely
  * on sbufs with auto-extension, which may sleep while holding a mutex.
  * Instead, the non-canonical user-generated rule string is returned to the
  * user when the rules are queried, which is faster anyway.
  */
 #if 0
 static void
 rule_printf(struct sbuf *sb, struct rule *rule)
 {
 	const char *idtype, *protocol;
 
 	switch(rule->r_idtype) {
 	case RULE_GID:
 		idtype = GID_STRING;
 		break;
 	case RULE_UID:
 		idtype = UID_STRING;
 		break;
 	default:
 		panic("rule_printf: unknown idtype (%d)\n", rule->r_idtype);
 	}
 
 	switch (rule->r_protocol) {
 	case RULE_PROTO_TCP:
 		protocol = TCP_STRING;
 		break;
 	case RULE_PROTO_UDP:
 		protocol = UDP_STRING;
 		break;
 	default:
 		panic("rule_printf: unknown protocol (%d)\n",
 		    rule->r_protocol);
 	}
 	sbuf_printf(sb, "%s:%jd:%s:%d", idtype, (intmax_t)rule->r_id,
 	    protocol, rule->r_port);
 }
 
 static char *
 rules_to_string(void)
 {
 	struct rule *rule;
 	struct sbuf *sb;
 	int needcomma;
 	char *temp;
 
 	sb = sbuf_new_auto();
 	needcomma = 0;
 	mtx_lock(&rule_mtx);
 	for (rule = TAILQ_FIRST(&rule_head); rule != NULL;
 	    rule = TAILQ_NEXT(rule, r_entries)) {
 		if (!needcomma)
 			needcomma = 1;
 		else
 			sbuf_printf(sb, ",");
 		rule_printf(sb, rule);
 	}
 	mtx_unlock(&rule_mtx);
 	sbuf_finish(sb);
 	temp = strdup(sbuf_data(sb), M_PORTACL);
 	sbuf_delete(sb);
 	return (temp);
 }
 #endif
 
 /*
  * Note: due to races, there is not a single serializable order
  * between parallel calls to the sysctl.
  */
 static int
 sysctl_rules(SYSCTL_HANDLER_ARGS)
 {
 	char *string, *copy_string, *new_string;
 	struct rulehead head, save_head;
 	int error;
 
 	new_string = NULL;
 	if (req->newptr != NULL) {
 		new_string = malloc(MAC_RULE_STRING_LEN, M_PORTACL,
 		    M_WAITOK | M_ZERO);
 		mtx_lock(&rule_mtx);
 		strcpy(new_string, rule_string);
 		mtx_unlock(&rule_mtx);
 		string = new_string;
 	} else
 		string = rule_string;
 
 	error = sysctl_handle_string(oidp, string, MAC_RULE_STRING_LEN, req);
 	if (error)
 		goto out;
 
 	if (req->newptr != NULL) {
 		copy_string = strdup(string, M_PORTACL);
 		TAILQ_INIT(&head);
 		error = parse_rules(copy_string, &head);
 		free(copy_string, M_PORTACL);
 		if (error)
 			goto out;
 
 		TAILQ_INIT(&save_head);
 		mtx_lock(&rule_mtx);
 		TAILQ_CONCAT(&save_head, &rule_head, r_entries);
 		TAILQ_CONCAT(&rule_head, &head, r_entries);
 		strcpy(rule_string, string);
 		mtx_unlock(&rule_mtx);
 		toast_rules(&save_head);
 	}
 out:
 	if (new_string != NULL)
 		free(new_string, M_PORTACL);
 	return (error);
 }
 
 SYSCTL_PROC(_security_mac_portacl, OID_AUTO, rules,
     CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_MPSAFE,
     0, 0, sysctl_rules, "A",
     "Rules");
 
 static int
 rules_check(struct ucred *cred, int family, int type, u_int16_t port)
 {
 	struct rule *rule;
 	int error;
 
 #if 0
 	printf("Check requested for euid %d, family %d, type %d, port %d\n",
 	    cred->cr_uid, family, type, port);
 #endif
 
 	if (port > portacl_port_high)
 		return (0);
 
 	error = EPERM;
 	mtx_lock(&rule_mtx);
 	for (rule = TAILQ_FIRST(&rule_head);
 	    rule != NULL;
 	    rule = TAILQ_NEXT(rule, r_entries)) {
 		if (type == SOCK_DGRAM && rule->r_protocol != RULE_PROTO_UDP)
 			continue;
 		if (type == SOCK_STREAM && rule->r_protocol != RULE_PROTO_TCP)
 			continue;
 		if (port != rule->r_port)
 			continue;
 		if (rule->r_idtype == RULE_UID) {
 			if (cred->cr_uid == rule->r_id) {
 				error = 0;
 				break;
 			}
 		} else if (rule->r_idtype == RULE_GID) {
 			if (cred->cr_gid == rule->r_id) {
 				error = 0;
 				break;
 			} else if (groupmember(rule->r_id, cred)) {
 				error = 0;
 				break;
 			}
 		} else
 			panic("rules_check: unknown rule type %d",
 			    rule->r_idtype);
 	}
 	mtx_unlock(&rule_mtx);
 
 	if (error != 0 && portacl_suser_exempt != 0)
 		error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT);
 
 	return (error);
 }
 
 /*
  * Note, this only limits the ability to explicitly bind a port, it
  * doesn't limit implicitly bound ports for outgoing connections where
  * the source port is left up to the IP stack to determine automatically.
  */
 static int
 socket_check_bind(struct ucred *cred, struct socket *so,
     struct label *solabel, struct sockaddr *sa)
 {
 	struct sockaddr_in *sin;
 	struct inpcb *inp;
 	int family, type;
 	u_int16_t port;
 
 	/* Only run if we are enabled. */
 	if (portacl_enabled == 0)
 		return (0);
 
 	/* Only interested in IPv4 and IPv6 sockets. */
 	if (so->so_proto->pr_domain->dom_family != PF_INET &&
 	    so->so_proto->pr_domain->dom_family != PF_INET6)
 		return (0);
 
 	/* Currently, we don't attempt to deal with SOCK_RAW, etc. */
 	if (so->so_type != SOCK_DGRAM &&
 	    so->so_type != SOCK_STREAM)
 		return (0);
 
 	/* Reject addresses we don't understand; fail closed. */
 	if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6)
 		return (EINVAL);
 
 	family = so->so_proto->pr_domain->dom_family;
 	type = so->so_type;
 	sin = (struct sockaddr_in *) sa;
 	port = ntohs(sin->sin_port);
 
 	/*
 	 * Sockets are frequently bound with a specific IP address but a port
 	 * number of '0' to request automatic port allocation.  This is often
 	 * desirable as long as IP_PORTRANGELOW isn't set, which might permit
 	 * automatic allocation of a "privileged" port.  The autoport exempt
 	 * flag exempts port 0 allocation from rule checking as long as a low
 	 * port isn't required.
 	 */
 	if (portacl_autoport_exempt && port == 0) {
 		inp = sotoinpcb(so);
 		if ((inp->inp_flags & INP_LOWPORT) == 0)
 			return (0);
 	}
 
 	return (rules_check(cred, family, type, port));
 }
 
 static struct mac_policy_ops portacl_ops =
 {
 	.mpo_destroy = destroy,
 	.mpo_init = init,
 	.mpo_socket_check_bind = socket_check_bind,
 };
 
 MAC_POLICY_SET(&portacl_ops, mac_portacl, "TrustedBSD MAC/portacl",
     MPC_LOADTIME_FLAG_UNLOADOK, NULL);
 MODULE_VERSION(mac_portacl, 1);
diff --git a/sys/security/mac_priority/mac_priority.c b/sys/security/mac_priority/mac_priority.c
index f460e5195cb9..1e5bfb5386cb 100644
--- a/sys/security/mac_priority/mac_priority.c
+++ b/sys/security/mac_priority/mac_priority.c
@@ -1,83 +1,81 @@
 /*-
  * SPDX-License-Identifier: BSD-2-Clause
  *
  * Copyright (c) 2021 Florian Walpen <dev@submerge.ch>
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 #include <sys/param.h>
 #include <sys/conf.h>
 #include <sys/kernel.h>
 #include <sys/module.h>
 #include <sys/priv.h>
 #include <sys/sysctl.h>
 #include <sys/ucred.h>
 
 #include <security/mac/mac_policy.h>
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, priority,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "mac_priority policy controls");
 
 static int realtime_enabled = 1;
 SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime, CTLFLAG_RWTUN,
     &realtime_enabled, 0,
     "Enable realtime priority scheduling for group realtime_gid");
 
 static int realtime_gid = GID_RT_PRIO;
 SYSCTL_INT(_security_mac_priority, OID_AUTO, realtime_gid, CTLFLAG_RWTUN,
     &realtime_gid, 0,
     "Group id of the realtime privilege group");
 
 static int idletime_enabled = 1;
 SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime, CTLFLAG_RWTUN,
     &idletime_enabled, 0,
     "Enable idle priority scheduling for group idletime_gid");
 
 static int idletime_gid = GID_ID_PRIO;
 SYSCTL_INT(_security_mac_priority, OID_AUTO, idletime_gid, CTLFLAG_RWTUN,
     &idletime_gid, 0,
     "Group id of the idletime privilege group");
 
 static int
 priority_priv_grant(struct ucred *cred, int priv)
 {
 	if ((priv == PRIV_SCHED_RTPRIO || priv == PRIV_SCHED_SETPOLICY) &&
 	    realtime_enabled && groupmember(realtime_gid, cred))
 		return (0);
 
 	if (priv == PRIV_SCHED_IDPRIO && idletime_enabled &&
 	    groupmember(idletime_gid, cred))
 		return (0);
 
 	return (EPERM);
 }
 
 static struct mac_policy_ops priority_ops = {
 	.mpo_priv_grant = priority_priv_grant,
 };
 
 MAC_POLICY_SET(&priority_ops, mac_priority, "MAC/priority",
     MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_seeotheruids/mac_seeotheruids.c b/sys/security/mac_seeotheruids/mac_seeotheruids.c
index 1677b092daad..9cd2e0f3c0fc 100644
--- a/sys/security/mac_seeotheruids/mac_seeotheruids.c
+++ b/sys/security/mac_seeotheruids/mac_seeotheruids.c
@@ -1,188 +1,186 @@
 /*-
  * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001-2002 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by Network
  * Associates Laboratories, the Security Research Division of Network
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 /*
  * Developed by the TrustedBSD Project.
  *
  * Prevent processes owned by a particular uid from seeing various transient
  * kernel objects associated with other uids.
  */
 
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/module.h>
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/systm.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
 
 #include <net/route.h>
 #include <netinet/in.h>
 #include <netinet/in_pcb.h>
 
 #include <security/mac/mac_policy.h>
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, seeotheruids,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "TrustedBSD mac_seeotheruids policy controls");
 
 static int	seeotheruids_enabled = 1;
 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, enabled, CTLFLAG_RW,
     &seeotheruids_enabled, 0, "Enforce seeotheruids policy");
 
 /*
  * Exception: allow credentials to be aware of other credentials with the
  * same primary gid.
  */
 static int	primarygroup_enabled = 0;
 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, primarygroup_enabled,
     CTLFLAG_RW, &primarygroup_enabled, 0, "Make an exception for credentials "
     "with the same real primary group id");
 
 /*
  * Exception: allow the root user to be aware of other credentials by virtue
  * of privilege.
  */
 static int	suser_privileged = 1;
 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, suser_privileged,
     CTLFLAG_RW, &suser_privileged, 0, "Make an exception for superuser");
 
 /*
  * Exception: allow processes with a specific gid to be exempt from the
  * policy.  One sysctl enables this functionality; the other sets the
  * exempt gid.
  */
 static int	specificgid_enabled = 0;
 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, specificgid_enabled,
     CTLFLAG_RW, &specificgid_enabled, 0, "Make an exception for credentials "
     "with a specific gid as their real primary group id or group set");
 
 static gid_t	specificgid = 0;
 SYSCTL_UINT(_security_mac_seeotheruids, OID_AUTO, specificgid, CTLFLAG_RW,
     &specificgid, 0, "Specific gid to be exempt from seeotheruids policy");
 
 static int
 seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
 {
 
 	if (!seeotheruids_enabled)
 		return (0);
 
 	if (primarygroup_enabled) {
 		if (cr1->cr_rgid == cr2->cr_rgid)
 			return (0);
 	}
 
 	if (specificgid_enabled) {
 		if (cr1->cr_rgid == specificgid ||
 		    groupmember(specificgid, cr1))
 			return (0);
 	}
 
 	if (cr1->cr_ruid == cr2->cr_ruid)
 		return (0);
 
 	if (suser_privileged) {
 		if (priv_check_cred(cr1, PRIV_SEEOTHERUIDS) == 0)
 			return (0);
 	}
 
 	return (ESRCH);
 }
 
 static int
 seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 
 	return (seeotheruids_check(cred, p->p_ucred));
 }
 
 static int
 seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 
 	return (seeotheruids_check(cred, p->p_ucred));
 }
 
 static int
 seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p,
     int signum)
 {
 
 	return (seeotheruids_check(cred, p->p_ucred));
 }
 
 static int
 seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 {
 
 	return (seeotheruids_check(cr1, cr2));
 }
 
 static int
 seeotheruids_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
     struct label *inplabel)
 {
 
 	return (seeotheruids_check(cred, inp->inp_cred));
 }
 
 static int
 seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 	return (seeotheruids_check(cred, so->so_cred));
 }
 
 static struct mac_policy_ops seeotheruids_ops =
 {
 	.mpo_proc_check_debug = seeotheruids_proc_check_debug,
 	.mpo_proc_check_sched = seeotheruids_proc_check_sched,
 	.mpo_proc_check_signal = seeotheruids_proc_check_signal,
 	.mpo_cred_check_visible = seeotheruids_cred_check_visible,
 	.mpo_inpcb_check_visible = seeotheruids_inpcb_check_visible,
 	.mpo_socket_check_visible = seeotheruids_socket_check_visible,
 };
 
 MAC_POLICY_SET(&seeotheruids_ops, mac_seeotheruids,
     "TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 9a2650ea32f4..c602c639ec95 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -1,1960 +1,1958 @@
 /*-
  * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by McAfee
  * Research, the Security Research Division of McAfee, Inc. under
  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
  * CHATS research program.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
  * This software was developed at the University of Cambridge Computer
  * Laboratory with support from a grant from Google, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 /*
  * Developed by the TrustedBSD Project.
  *
  * Stub module that implements a NOOP for most (if not all) MAC Framework
  * policy entry points.
  */
 
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/acl.h>
 #include <sys/conf.h>
 #include <sys/extattr.h>
 #include <sys/kdb.h>
 #include <sys/kernel.h>
 #include <sys/ksem.h>
 #include <sys/mount.h>
 #include <sys/proc.h>
 #include <sys/systm.h>
 #include <sys/sysproto.h>
 #include <sys/sysent.h>
 #include <sys/vnode.h>
 #include <sys/file.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/pipe.h>
 #include <sys/sx.h>
 #include <sys/sysctl.h>
 #include <sys/msg.h>
 #include <sys/sem.h>
 #include <sys/shm.h>
 
 #include <ddb/ddb.h>
 
 #include <fs/devfs/devfs.h>
 
 #include <net/bpfdesc.h>
 #include <net/if.h>
 #include <net/if_types.h>
 #include <net/if_var.h>
 
 #include <netinet/in.h>
 #include <netinet/in_pcb.h>
 #include <netinet/ip_var.h>
 
 #include <vm/vm.h>
 
 #include <security/mac/mac_policy.h>
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, stub,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "TrustedBSD mac_stub policy controls");
 
 static int	stub_enabled = 1;
 SYSCTL_INT(_security_mac_stub, OID_AUTO, enabled, CTLFLAG_RW,
     &stub_enabled, 0, "Enforce mac_stub policy");
 
 /*
  * Policy module operations.
  */
 static void
 stub_destroy(struct mac_policy_conf *conf)
 {
 
 }
 
 static void
 stub_init(struct mac_policy_conf *conf)
 {
 
 }
 
 static int
 stub_syscall(struct thread *td, int call, void *arg)
 {
 
 	return (0);
 }
 
 /*
  * Label operations.
  */
 static void
 stub_init_label(struct label *label)
 {
 
 }
 
 static int
 stub_init_label_waitcheck(struct label *label, int flag)
 {
 
 	return (0);
 }
 
 static void
 stub_destroy_label(struct label *label)
 {
 
 }
 
 static void
 stub_copy_label(struct label *src, struct label *dest)
 {
 
 }
 
 static int
 stub_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
 {
 
 	return (0);
 }
 
 static int
 stub_internalize_label(struct label *label, char *element_name,
     char *element_data, int *claimed)
 {
 
 	return (0);
 }
 
 /*
  * Object-specific entry point imeplementations are sorted alphabetically by
  * object type name and then by operation.
  */
 static int
 stub_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
     struct ifnet *ifp, struct label *ifplabel)
 {
 
         return (0);
 }
 
 static void
 stub_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
     struct label *dlabel)
 {
 
 }
 
 static void
 stub_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 }
 
 static void
 stub_cred_associate_nfsd(struct ucred *cred)
 {
 
 }
 
 static int
 stub_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_setauid(struct ucred *cred, uid_t auid)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_setegid(struct ucred *cred, gid_t egid)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_seteuid(struct ucred *cred, uid_t euid)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_setgid(struct ucred *cred, gid_t gid)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_setgroups(struct ucred *cred, int ngroups,
 	gid_t *gidset)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
 	gid_t sgid)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
 	uid_t suid)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_setuid(struct ucred *cred, uid_t uid)
 {
 
 	return (0);
 }
 
 static int
 stub_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 {
 
 	return (0);
 }
 
 static void
 stub_cred_create_init(struct ucred *cred)
 {
 
 }
 
 static void
 stub_cred_create_swapper(struct ucred *cred)
 {
 
 }
 
 static void
 stub_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 
 }
 
 static int
 stub_ddb_command_exec(struct db_command *cmd, db_expr_t addr, bool have_addr,
     db_expr_t count, char *modif)
 {
 
 	return (0);
 }
 
 static int
 stub_ddb_command_register(struct db_command_table *table,
     struct db_command *cmd)
 {
 
 	return (0);
 }
 
 static void
 stub_devfs_create_device(struct ucred *cred, struct mount *mp,
     struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
 {
 
 }
 
 static void
 stub_devfs_create_directory(struct mount *mp, char *dirname,
     int dirnamelen, struct devfs_dirent *de, struct label *delabel)
 {
 
 }
 
 static void
 stub_devfs_create_symlink(struct ucred *cred, struct mount *mp,
     struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
     struct label *delabel)
 {
 
 }
 
 static void
 stub_devfs_update(struct mount *mp, struct devfs_dirent *de,
     struct label *delabel, struct vnode *vp, struct label *vplabel)
 {
 
 }
 
 static void
 stub_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
     struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
     struct label *vplabel)
 {
 
 }
 
 static int
 stub_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
     struct label *ifplabel, struct label *newlabel)
 {
 
 	return (0);
 }
 
 static int
 stub_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	return (0);
 }
 
 static void
 stub_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 {
 
 }
 
 static void
 stub_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 }
 
 static void
 stub_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
     struct label *ifplabel, struct label *newlabel)
 {
 
 }
 
 static int
 stub_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	return (0);
 }
 
 static void
 stub_inpcb_create(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
 {
 
 }
 
 static void
 stub_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 }
 
 static void
 stub_inpcb_sosetlabel(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
 {
 
 	SOCK_LOCK_ASSERT(so);
 
 }
 
 static void
 stub_ip6q_create(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 
 }
 
 static int
 stub_ip6q_match(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 
 	return (1);
 }
 
 static void
 stub_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
     struct label *mlabel)
 {
 
 }
 
 static void
 stub_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 
 }
 
 static void
 stub_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 
 }
 
 static int
 stub_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 
 	return (1);
 }
 
 static void
 stub_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m,
     struct label *mlabel)
 {
 
 }
 
 static void
 stub_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 
 }
 
 static int
 stub_kdb_check_backend(struct kdb_dbbe *be)
 {
 
 	return (0);
 }
 
 static int
 stub_kenv_check_dump(struct ucred *cred)
 {
 
 	return (0);
 }
 
 static int
 stub_kenv_check_get(struct ucred *cred, char *name)
 {
 
 	return (0);
 }
 
 static int
 stub_kenv_check_set(struct ucred *cred, char *name, char *value)
 {
 
 	return (0);
 }
 
 static int
 stub_kenv_check_unset(struct ucred *cred, char *name)
 {
 
 	return (0);
 }
 
 static int
 stub_kld_check_load(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_kld_check_stat(struct ucred *cred)
 {
 
 	return (0);
 }
 
 static int
 stub_mount_check_stat(struct ucred *cred, struct mount *mp,
     struct label *mplabel)
 {
 
 	return (0);
 }
 
 static void
 stub_mount_create(struct ucred *cred, struct mount *mp,
     struct label *mplabel)
 {
 
 }
 
 static void
 stub_netinet_arp_send(struct ifnet *ifp, struct label *iflpabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 }
 
 static void
 stub_netinet_firewall_reply(struct mbuf *mrecv, struct label *mrecvlabel,
     struct mbuf *msend, struct label *msendlabel)
 {
 
 }
 
 static void
 stub_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
 {
 
 }
 
 static void
 stub_netinet_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag,
     struct label *fraglabel)
 {
 
 }
 
 static void
 stub_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
     struct mbuf *msend, struct label *msendlabel)
 {
 
 }
 
 static void
 stub_netinet_icmp_replyinplace(struct mbuf *m, struct label *mlabel)
 {
 
 }
 
 static void
 stub_netinet_igmp_send(struct ifnet *ifp, struct label *iflpabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 }
 
 static void
 stub_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
 {
 
 }
 
 static void
 stub_netinet6_nd6_send(struct ifnet *ifp, struct label *iflpabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 }
 
 static int
 stub_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
 {
 
 	return (0);
 }
 
 static int
 stub_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_pipe_check_read(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, struct label *newlabel)
 {
 
 	return (0);
 }
 
 static int
 stub_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_pipe_check_write(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 
 	return (0);
 }
 
 static void
 stub_pipe_create(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 
 }
 
 static void
 stub_pipe_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, struct label *newlabel)
 {
 
 }
 
 static int
 stub_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
 
 	return (0);
 }
 
 static int
 stub_posixsem_check_open(struct ucred *cred, struct ksem *ks,
     struct label *kslabel)
 {
 
 	return (0);
 }
 
 static int
 stub_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
 
 	return (0);
 }
 
 static int
 stub_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
     struct label *kslabel, mode_t mode)
 {
 
 	return (0);
 }
 
 static int
 stub_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
     struct label *kslabel, uid_t uid, gid_t gid)
 {
 
 	return (0);
 }
 
 static int
 stub_posixsem_check_stat(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
 
 	return (0);
 }
 
 static int
 stub_posixsem_check_unlink(struct ucred *cred, struct ksem *ks,
     struct label *kslabel)
 {
 
 	return (0);
 }
 
 static int
 stub_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
 
 	return (0);
 }
 
 static void
 stub_posixsem_create(struct ucred *cred, struct ksem *ks,
     struct label *kslabel)
 {
 
 }
 
 static int
 stub_posixshm_check_create(struct ucred *cred, const char *path)
 {
 
 	return (0);
 }
 
 static int
 stub_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, int prot, int flags)
 {
 
 	return (0);
 }
 
 static int
 stub_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, accmode_t accmode)
 {
 
 	return (0);
 }
 
 static int
 stub_posixshm_check_read(struct ucred *active_cred, struct ucred *file_cred,
     struct shmfd *shm, struct label *shmlabel)
 {
 
 	return (0);
 }
 
 static int
 stub_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, mode_t mode)
 {
 
 	return (0);
 }
 
 static int
 stub_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel, uid_t uid, gid_t gid)
 {
 
 	return (0);
 }
 
 static int
 stub_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
     struct shmfd *shmfd, struct label *shmlabel)
 {
 
 	return (0);
 }
 
 static int
 stub_posixshm_check_truncate(struct ucred *active_cred,
     struct ucred *file_cred, struct shmfd *shmfd, struct label *shmlabel)
 {
 
 	return (0);
 }
 
 static int
 stub_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel)
 {
 
 	return (0);
 }
 
 static int
 stub_posixshm_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct shmfd *shm, struct label *shmlabel)
 {
 
 	return (0);
 }
 
 static void
 stub_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmlabel)
 {
 
 }
 
 static int
 stub_priv_check(struct ucred *cred, int priv)
 {
 
 	return (0);
 }
 
 static int
 stub_priv_grant(struct ucred *cred, int priv)
 {
 
 	return (EPERM);
 }
 
 static int
 stub_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 
 	return (0);
 }
 
 static int
 stub_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 
 	return (0);
 }
 
 static int
 stub_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 {
 
 	return (0);
 }
 
 static int
 stub_proc_check_wait(struct ucred *cred, struct proc *p)
 {
 
 	return (0);
 }
 
 static int
 stub_socket_check_accept(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 #if 0
 	SOCK_LOCK(so);
 	SOCK_UNLOCK(so);
 #endif
 
 	return (0);
 }
 
 static int
 stub_socket_check_bind(struct ucred *cred, struct socket *so,
     struct label *solabel, struct sockaddr *sa)
 {
 
 #if 0
 	SOCK_LOCK(so);
 	SOCK_UNLOCK(so);
 #endif
 
 	return (0);
 }
 
 static int
 stub_socket_check_connect(struct ucred *cred, struct socket *so,
     struct label *solabel, struct sockaddr *sa)
 {
 
 #if 0
 	SOCK_LOCK(so);
 	SOCK_UNLOCK(so);
 #endif
 
 	return (0);
 }
 
 static int
 stub_socket_check_create(struct ucred *cred, int domain, int type, int proto)
 {
 
 	return (0);
 }
 
 static int
 stub_socket_check_deliver(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 #if 0
 	SOCK_LOCK(so);
 	SOCK_UNLOCK(so);
 #endif
 
 	return (0);
 }
 
 static int
 stub_socket_check_listen(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 #if 0
 	SOCK_LOCK(so);
 	SOCK_UNLOCK(so);
 #endif
 
 	return (0);
 }
 
 static int
 stub_socket_check_poll(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 #if 0
 	SOCK_LOCK(so);
 	SOCK_UNLOCK(so);
 #endif
 
 	return (0);
 }
 
 static int
 stub_socket_check_receive(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 #if 0
 	SOCK_LOCK(so);
 	SOCK_UNLOCK(so);
 #endif
 
 	return (0);
 }
 
 static int
 stub_socket_check_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
 
 	SOCK_LOCK_ASSERT(so);
 
 	return (0);
 }
 static int
 stub_socket_check_send(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 #if 0
 	SOCK_LOCK(so);
 	SOCK_UNLOCK(so);
 #endif
 
 	return (0);
 }
 
 static int
 stub_socket_check_stat(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 #if 0
 	SOCK_LOCK(so);
 	SOCK_UNLOCK(so);
 #endif
 
 	return (0);
 }
 
 static int
 stub_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
    struct label *inplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_socket_check_visible(struct ucred *cred, struct socket *so,
    struct label *solabel)
 {
 
 #if 0
 	SOCK_LOCK(so);
 	SOCK_UNLOCK(so);
 #endif
 
 	return (0);
 }
 
 static void
 stub_socket_create(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 }
 
 static void
 stub_socket_create_mbuf(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 #if 0
 	SOCK_LOCK(so);
 	SOCK_UNLOCK(so);
 #endif
 }
 
 static void
 stub_socket_newconn(struct socket *oldso, struct label *oldsolabel,
     struct socket *newso, struct label *newsolabel)
 {
 
 #if 0
 	SOCK_LOCK(oldso);
 	SOCK_UNLOCK(oldso);
 #endif
 #if 0
 	SOCK_LOCK(newso);
 	SOCK_UNLOCK(newso);
 #endif
 }
 
 static void
 stub_socket_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
 
 	SOCK_LOCK_ASSERT(so);
 }
 
 static void
 stub_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
     struct socket *so, struct label *sopeerlabel)
 {
 
 #if 0
 	SOCK_LOCK(so);
 	SOCK_UNLOCK(so);
 #endif
 }
 
 static void
 stub_socketpeer_set_from_socket(struct socket *oldso,
     struct label *oldsolabel, struct socket *newso,
     struct label *newsopeerlabel)
 {
 
 #if 0
 	SOCK_LOCK(oldso);
 	SOCK_UNLOCK(oldso);
 #endif
 #if 0
 	SOCK_LOCK(newso);
 	SOCK_UNLOCK(newso);
 #endif
 }
 
 static void
 stub_syncache_create(struct label *label, struct inpcb *inp)
 {
 
 }
 
 static void
 stub_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
     struct label *mlabel)
 {
 
 }
 
 static int
 stub_system_check_acct(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_system_check_audit(struct ucred *cred, void *record, int length)
 {
 
 	return (0);
 }
 
 static int
 stub_system_check_auditctl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_system_check_auditon(struct ucred *cred, int cmd)
 {
 
 	return (0);
 }
 
 static int
 stub_system_check_reboot(struct ucred *cred, int how)
 {
 
 	return (0);
 }
 
 static int
 stub_system_check_swapoff(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_system_check_swapon(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
     void *arg1, int arg2, struct sysctl_req *req)
 {
 
 	return (0);
 }
 
 static void
 stub_sysvmsg_cleanup(struct label *msglabel)
 {
 
 }
 
 static void
 stub_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
 {
 
 }
 
 static int
 stub_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel, struct msqid_kernel *msqkptr,
     struct label *msqklabel)
 {
 
 	return (0);
 }
 
 static int
 stub_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel)
 {
 
 	return (0);
 }
 
 static int
 stub_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel)
 {
 
 	return (0);
 }
 
 static int
 stub_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqklabel)
 {
 
 	return (0);
 }
 
 static int
 stub_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqklabel)
 {
 
 	return (0);
 }
 
 static int
 stub_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqklabel)
 {
 
 	return (0);
 }
 
 static int
 stub_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqklabel, int cmd)
 {
 
 	return (0);
 }
 
 static void
 stub_sysvmsq_cleanup(struct label *msqlabel)
 {
 
 }
 
 static void
 stub_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqlabel)
 {
 
 }
 
 static int
 stub_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semaklabel, int cmd)
 {
 
 	return (0);
 }
 
 static int
 stub_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semaklabel)
 {
 
 	return (0);
 }
 
 static int
 stub_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semaklabel, size_t accesstype)
 {
 
 	return (0);
 }
 
 static void
 stub_sysvsem_cleanup(struct label *semalabel)
 {
 
 }
 
 static void
 stub_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semalabel)
 {
 
 }
 
 static int
 stub_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmseglabel, int shmflg)
 {
 
 	return (0);
 }
 
 static int
 stub_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmseglabel, int cmd)
 {
 
 	return (0);
 }
 
 static int
 stub_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmseglabel)
 {
 
 	return (0);
 }
 
 static int
 stub_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmseglabel, int shmflg)
 {
 
 	return (0);
 }
 
 static void
 stub_sysvshm_cleanup(struct label *shmlabel)
 {
 
 }
 
 static void
 stub_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmalabel)
 {
 
 }
 
 static void
 stub_thread_userret(struct thread *td)
 {
 
 }
 
 static int
 stub_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
     struct vnode *vp, struct label *vplabel)
 {
 
 	return (0);
 }
 
 static void
 stub_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
     struct vnode *vp, struct label *vplabel)
 {
 
 }
 
 static int
 stub_vnode_check_access(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, accmode_t accmode)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_create(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_exec(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct image_params *imgp,
     struct label *execlabel)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_link(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int prot, int flags)
 {
 
 	return (0);
 }
 
 static void
 stub_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int *prot)
 {
 
 }
 
 static int
 stub_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int prot)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_open(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, accmode_t accmode)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_readdir(struct ucred *cred, struct vnode *vp,
     struct label *dvplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *newlabel)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     int samedir, struct componentname *cnp)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type, struct acl *acl)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, u_long flags)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, mode_t mode)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, uid_t uid, gid_t gid)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct timespec atime, struct timespec mtime)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 
 	return (0);
 }
 
 static int
 stub_vnode_create_extattr(struct ucred *cred, struct mount *mp,
     struct label *mntlabel, struct vnode *dvp, struct label *dvplabel,
     struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
 
 	return (0);
 }
 
 static void
 stub_vnode_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *vplabel, struct label *interpvplabel,
     struct image_params *imgp, struct label *execlabel)
 {
 
 }
 
 static int
 stub_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
     struct label *vplabel, struct label *interpvplabel,
     struct image_params *imgp, struct label *execlabel)
 {
 
 	return (0);
 }
 
 static void
 stub_vnode_relabel(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *label)
 {
 
 }
 
 static int
 stub_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *intlabel)
 {
 
 	return (0);
 }
 
 /*
  * Register functions with MAC Framework policy entry points.
  */
 static struct mac_policy_ops stub_ops =
 {
 	.mpo_destroy = stub_destroy,
 	.mpo_init = stub_init,
 	.mpo_syscall = stub_syscall,
 
 	.mpo_bpfdesc_check_receive = stub_bpfdesc_check_receive,
 	.mpo_bpfdesc_create = stub_bpfdesc_create,
 	.mpo_bpfdesc_create_mbuf = stub_bpfdesc_create_mbuf,
 	.mpo_bpfdesc_destroy_label = stub_destroy_label,
 	.mpo_bpfdesc_init_label = stub_init_label,
 
 	.mpo_cred_associate_nfsd = stub_cred_associate_nfsd,
 	.mpo_cred_check_relabel = stub_cred_check_relabel,
 	.mpo_cred_check_setaudit = stub_cred_check_setaudit,
 	.mpo_cred_check_setaudit_addr = stub_cred_check_setaudit_addr,
 	.mpo_cred_check_setauid = stub_cred_check_setauid,
 	.mpo_cred_check_setegid = stub_cred_check_setegid,
 	.mpo_cred_check_seteuid = stub_cred_check_seteuid,
 	.mpo_cred_check_setgid = stub_cred_check_setgid,
 	.mpo_cred_check_setgroups = stub_cred_check_setgroups,
 	.mpo_cred_check_setregid = stub_cred_check_setregid,
 	.mpo_cred_check_setresgid = stub_cred_check_setresgid,
 	.mpo_cred_check_setresuid = stub_cred_check_setresuid,
 	.mpo_cred_check_setreuid = stub_cred_check_setreuid,
 	.mpo_cred_check_setuid = stub_cred_check_setuid,
 	.mpo_cred_check_visible = stub_cred_check_visible,
 	.mpo_cred_copy_label = stub_copy_label,
 	.mpo_cred_create_init = stub_cred_create_init,
 	.mpo_cred_create_swapper = stub_cred_create_swapper,
 	.mpo_cred_destroy_label = stub_destroy_label,
 	.mpo_cred_externalize_label = stub_externalize_label,
 	.mpo_cred_init_label = stub_init_label,
 	.mpo_cred_internalize_label = stub_internalize_label,
 	.mpo_cred_relabel= stub_cred_relabel,
 
 	.mpo_ddb_command_exec = stub_ddb_command_exec,
 	.mpo_ddb_command_register = stub_ddb_command_register,
 
 	.mpo_devfs_create_device = stub_devfs_create_device,
 	.mpo_devfs_create_directory = stub_devfs_create_directory,
 	.mpo_devfs_create_symlink = stub_devfs_create_symlink,
 	.mpo_devfs_destroy_label = stub_destroy_label,
 	.mpo_devfs_init_label = stub_init_label,
 	.mpo_devfs_update = stub_devfs_update,
 	.mpo_devfs_vnode_associate = stub_devfs_vnode_associate,
 
 	.mpo_ifnet_check_relabel = stub_ifnet_check_relabel,
 	.mpo_ifnet_check_transmit = stub_ifnet_check_transmit,
 	.mpo_ifnet_copy_label = stub_copy_label,
 	.mpo_ifnet_create = stub_ifnet_create,
 	.mpo_ifnet_create_mbuf = stub_ifnet_create_mbuf,
 	.mpo_ifnet_destroy_label = stub_destroy_label,
 	.mpo_ifnet_externalize_label = stub_externalize_label,
 	.mpo_ifnet_init_label = stub_init_label,
 	.mpo_ifnet_internalize_label = stub_internalize_label,
 	.mpo_ifnet_relabel = stub_ifnet_relabel,
 
 	.mpo_inpcb_check_deliver = stub_inpcb_check_deliver,
 	.mpo_inpcb_check_visible = stub_inpcb_check_visible,
 	.mpo_inpcb_create = stub_inpcb_create,
 	.mpo_inpcb_create_mbuf = stub_inpcb_create_mbuf,
 	.mpo_inpcb_destroy_label = stub_destroy_label,
 	.mpo_inpcb_init_label = stub_init_label_waitcheck,
 	.mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel,
 
 	.mpo_ip6q_create = stub_ip6q_create,
 	.mpo_ip6q_destroy_label = stub_destroy_label,
 	.mpo_ip6q_init_label = stub_init_label_waitcheck,
 	.mpo_ip6q_match = stub_ip6q_match,
 	.mpo_ip6q_update = stub_ip6q_update,
 	.mpo_ip6q_reassemble = stub_ip6q_reassemble,
 
 	.mpo_ipq_create = stub_ipq_create,
 	.mpo_ipq_destroy_label = stub_destroy_label,
 	.mpo_ipq_init_label = stub_init_label_waitcheck,
 	.mpo_ipq_match = stub_ipq_match,
 	.mpo_ipq_update = stub_ipq_update,
 	.mpo_ipq_reassemble = stub_ipq_reassemble,
 
 	.mpo_kdb_check_backend = stub_kdb_check_backend,
 
 	.mpo_kenv_check_dump = stub_kenv_check_dump,
 	.mpo_kenv_check_get = stub_kenv_check_get,
 	.mpo_kenv_check_set = stub_kenv_check_set,
 	.mpo_kenv_check_unset = stub_kenv_check_unset,
 
 	.mpo_kld_check_load = stub_kld_check_load,
 	.mpo_kld_check_stat = stub_kld_check_stat,
 
 	.mpo_mbuf_copy_label = stub_copy_label,
 	.mpo_mbuf_destroy_label = stub_destroy_label,
 	.mpo_mbuf_init_label = stub_init_label_waitcheck,
 
 	.mpo_mount_check_stat = stub_mount_check_stat,
 	.mpo_mount_create = stub_mount_create,
 	.mpo_mount_destroy_label = stub_destroy_label,
 	.mpo_mount_init_label = stub_init_label,
 
 	.mpo_netinet_arp_send = stub_netinet_arp_send,
 	.mpo_netinet_firewall_reply = stub_netinet_firewall_reply,
 	.mpo_netinet_firewall_send = stub_netinet_firewall_send,
 	.mpo_netinet_fragment = stub_netinet_fragment,
 	.mpo_netinet_icmp_reply = stub_netinet_icmp_reply,
 	.mpo_netinet_icmp_replyinplace = stub_netinet_icmp_replyinplace,
 	.mpo_netinet_tcp_reply = stub_netinet_tcp_reply,
 	.mpo_netinet_igmp_send = stub_netinet_igmp_send,
 
 	.mpo_netinet6_nd6_send = stub_netinet6_nd6_send,
 
 	.mpo_pipe_check_ioctl = stub_pipe_check_ioctl,
 	.mpo_pipe_check_poll = stub_pipe_check_poll,
 	.mpo_pipe_check_read = stub_pipe_check_read,
 	.mpo_pipe_check_relabel = stub_pipe_check_relabel,
 	.mpo_pipe_check_stat = stub_pipe_check_stat,
 	.mpo_pipe_check_write = stub_pipe_check_write,
 	.mpo_pipe_copy_label = stub_copy_label,
 	.mpo_pipe_create = stub_pipe_create,
 	.mpo_pipe_destroy_label = stub_destroy_label,
 	.mpo_pipe_externalize_label = stub_externalize_label,
 	.mpo_pipe_init_label = stub_init_label,
 	.mpo_pipe_internalize_label = stub_internalize_label,
 	.mpo_pipe_relabel = stub_pipe_relabel,
 
 	.mpo_posixsem_check_getvalue = stub_posixsem_check_getvalue,
 	.mpo_posixsem_check_open = stub_posixsem_check_open,
 	.mpo_posixsem_check_post = stub_posixsem_check_post,
 	.mpo_posixsem_check_setmode = stub_posixsem_check_setmode,
 	.mpo_posixsem_check_setowner = stub_posixsem_check_setowner,
 	.mpo_posixsem_check_stat = stub_posixsem_check_stat,
 	.mpo_posixsem_check_unlink = stub_posixsem_check_unlink,
 	.mpo_posixsem_check_wait = stub_posixsem_check_wait,
 	.mpo_posixsem_create = stub_posixsem_create,
 	.mpo_posixsem_destroy_label = stub_destroy_label,
 	.mpo_posixsem_init_label = stub_init_label,
 
 	.mpo_posixshm_check_create = stub_posixshm_check_create,
 	.mpo_posixshm_check_mmap = stub_posixshm_check_mmap,
 	.mpo_posixshm_check_open = stub_posixshm_check_open,
 	.mpo_posixshm_check_read = stub_posixshm_check_read,
 	.mpo_posixshm_check_setmode = stub_posixshm_check_setmode,
 	.mpo_posixshm_check_setowner = stub_posixshm_check_setowner,
 	.mpo_posixshm_check_stat = stub_posixshm_check_stat,
 	.mpo_posixshm_check_truncate = stub_posixshm_check_truncate,
 	.mpo_posixshm_check_unlink = stub_posixshm_check_unlink,
 	.mpo_posixshm_check_write = stub_posixshm_check_write,
 	.mpo_posixshm_create = stub_posixshm_create,
 	.mpo_posixshm_destroy_label = stub_destroy_label,
 	.mpo_posixshm_init_label = stub_init_label,
 
 	.mpo_priv_check = stub_priv_check,
 	.mpo_priv_grant = stub_priv_grant,
 
 	.mpo_proc_check_debug = stub_proc_check_debug,
 	.mpo_proc_check_sched = stub_proc_check_sched,
 	.mpo_proc_check_signal = stub_proc_check_signal,
 	.mpo_proc_check_wait = stub_proc_check_wait,
 
 	.mpo_socket_check_accept = stub_socket_check_accept,
 	.mpo_socket_check_bind = stub_socket_check_bind,
 	.mpo_socket_check_connect = stub_socket_check_connect,
 	.mpo_socket_check_create = stub_socket_check_create,
 	.mpo_socket_check_deliver = stub_socket_check_deliver,
 	.mpo_socket_check_listen = stub_socket_check_listen,
 	.mpo_socket_check_poll = stub_socket_check_poll,
 	.mpo_socket_check_receive = stub_socket_check_receive,
 	.mpo_socket_check_relabel = stub_socket_check_relabel,
 	.mpo_socket_check_send = stub_socket_check_send,
 	.mpo_socket_check_stat = stub_socket_check_stat,
 	.mpo_socket_check_visible = stub_socket_check_visible,
 	.mpo_socket_copy_label = stub_copy_label,
 	.mpo_socket_create = stub_socket_create,
 	.mpo_socket_create_mbuf = stub_socket_create_mbuf,
 	.mpo_socket_destroy_label = stub_destroy_label,
 	.mpo_socket_externalize_label = stub_externalize_label,
 	.mpo_socket_init_label = stub_init_label_waitcheck,
 	.mpo_socket_internalize_label = stub_internalize_label,
 	.mpo_socket_newconn = stub_socket_newconn,
 	.mpo_socket_relabel = stub_socket_relabel,
 
 	.mpo_socketpeer_destroy_label = stub_destroy_label,
 	.mpo_socketpeer_externalize_label = stub_externalize_label,
 	.mpo_socketpeer_init_label = stub_init_label_waitcheck,
 	.mpo_socketpeer_set_from_mbuf = stub_socketpeer_set_from_mbuf,
 	.mpo_socketpeer_set_from_socket = stub_socketpeer_set_from_socket,
 
 	.mpo_syncache_init_label = stub_init_label_waitcheck,
 	.mpo_syncache_destroy_label = stub_destroy_label,
 	.mpo_syncache_create = stub_syncache_create,
 	.mpo_syncache_create_mbuf= stub_syncache_create_mbuf,
 
 	.mpo_sysvmsg_cleanup = stub_sysvmsg_cleanup,
 	.mpo_sysvmsg_create = stub_sysvmsg_create,
 	.mpo_sysvmsg_destroy_label = stub_destroy_label,
 	.mpo_sysvmsg_init_label = stub_init_label,
 
 	.mpo_sysvmsq_check_msgmsq = stub_sysvmsq_check_msgmsq,
 	.mpo_sysvmsq_check_msgrcv = stub_sysvmsq_check_msgrcv,
 	.mpo_sysvmsq_check_msgrmid = stub_sysvmsq_check_msgrmid,
 	.mpo_sysvmsq_check_msqget = stub_sysvmsq_check_msqget,
 	.mpo_sysvmsq_check_msqsnd = stub_sysvmsq_check_msqsnd,
 	.mpo_sysvmsq_check_msqrcv = stub_sysvmsq_check_msqrcv,
 	.mpo_sysvmsq_check_msqctl = stub_sysvmsq_check_msqctl,
 	.mpo_sysvmsq_cleanup = stub_sysvmsq_cleanup,
 	.mpo_sysvmsq_create = stub_sysvmsq_create,
 	.mpo_sysvmsq_destroy_label = stub_destroy_label,
 	.mpo_sysvmsq_init_label = stub_init_label,
 
 	.mpo_sysvsem_check_semctl = stub_sysvsem_check_semctl,
 	.mpo_sysvsem_check_semget = stub_sysvsem_check_semget,
 	.mpo_sysvsem_check_semop = stub_sysvsem_check_semop,
 	.mpo_sysvsem_cleanup = stub_sysvsem_cleanup,
 	.mpo_sysvsem_create = stub_sysvsem_create,
 	.mpo_sysvsem_destroy_label = stub_destroy_label,
 	.mpo_sysvsem_init_label = stub_init_label,
 
 	.mpo_sysvshm_check_shmat = stub_sysvshm_check_shmat,
 	.mpo_sysvshm_check_shmctl = stub_sysvshm_check_shmctl,
 	.mpo_sysvshm_check_shmdt = stub_sysvshm_check_shmdt,
 	.mpo_sysvshm_check_shmget = stub_sysvshm_check_shmget,
 	.mpo_sysvshm_cleanup = stub_sysvshm_cleanup,
 	.mpo_sysvshm_create = stub_sysvshm_create,
 	.mpo_sysvshm_destroy_label = stub_destroy_label,
 	.mpo_sysvshm_init_label = stub_init_label,
 
 	.mpo_system_check_acct = stub_system_check_acct,
 	.mpo_system_check_audit = stub_system_check_audit,
 	.mpo_system_check_auditctl = stub_system_check_auditctl,
 	.mpo_system_check_auditon = stub_system_check_auditon,
 	.mpo_system_check_reboot = stub_system_check_reboot,
 	.mpo_system_check_swapoff = stub_system_check_swapoff,
 	.mpo_system_check_swapon = stub_system_check_swapon,
 	.mpo_system_check_sysctl = stub_system_check_sysctl,
 
 	.mpo_thread_userret = stub_thread_userret,
 
 	.mpo_vnode_associate_extattr = stub_vnode_associate_extattr,
 	.mpo_vnode_associate_singlelabel = stub_vnode_associate_singlelabel,
 	.mpo_vnode_check_access = stub_vnode_check_access,
 	.mpo_vnode_check_chdir = stub_vnode_check_chdir,
 	.mpo_vnode_check_chroot = stub_vnode_check_chroot,
 	.mpo_vnode_check_create = stub_vnode_check_create,
 	.mpo_vnode_check_deleteacl = stub_vnode_check_deleteacl,
 	.mpo_vnode_check_deleteextattr = stub_vnode_check_deleteextattr,
 	.mpo_vnode_check_exec = stub_vnode_check_exec,
 	.mpo_vnode_check_getacl = stub_vnode_check_getacl,
 	.mpo_vnode_check_getextattr = stub_vnode_check_getextattr,
 	.mpo_vnode_check_link = stub_vnode_check_link,
 	.mpo_vnode_check_listextattr = stub_vnode_check_listextattr,
 	.mpo_vnode_check_lookup = stub_vnode_check_lookup,
 	.mpo_vnode_check_mmap = stub_vnode_check_mmap,
 	.mpo_vnode_check_mmap_downgrade = stub_vnode_check_mmap_downgrade,
 	.mpo_vnode_check_mprotect = stub_vnode_check_mprotect,
 	.mpo_vnode_check_open = stub_vnode_check_open,
 	.mpo_vnode_check_poll = stub_vnode_check_poll,
 	.mpo_vnode_check_read = stub_vnode_check_read,
 	.mpo_vnode_check_readdir = stub_vnode_check_readdir,
 	.mpo_vnode_check_readlink = stub_vnode_check_readlink,
 	.mpo_vnode_check_relabel = stub_vnode_check_relabel,
 	.mpo_vnode_check_rename_from = stub_vnode_check_rename_from,
 	.mpo_vnode_check_rename_to = stub_vnode_check_rename_to,
 	.mpo_vnode_check_revoke = stub_vnode_check_revoke,
 	.mpo_vnode_check_setacl = stub_vnode_check_setacl,
 	.mpo_vnode_check_setextattr = stub_vnode_check_setextattr,
 	.mpo_vnode_check_setflags = stub_vnode_check_setflags,
 	.mpo_vnode_check_setmode = stub_vnode_check_setmode,
 	.mpo_vnode_check_setowner = stub_vnode_check_setowner,
 	.mpo_vnode_check_setutimes = stub_vnode_check_setutimes,
 	.mpo_vnode_check_stat = stub_vnode_check_stat,
 	.mpo_vnode_check_unlink = stub_vnode_check_unlink,
 	.mpo_vnode_check_write = stub_vnode_check_write,
 	.mpo_vnode_copy_label = stub_copy_label,
 	.mpo_vnode_create_extattr = stub_vnode_create_extattr,
 	.mpo_vnode_destroy_label = stub_destroy_label,
 	.mpo_vnode_execve_transition = stub_vnode_execve_transition,
 	.mpo_vnode_execve_will_transition = stub_vnode_execve_will_transition,
 	.mpo_vnode_externalize_label = stub_externalize_label,
 	.mpo_vnode_init_label = stub_init_label,
 	.mpo_vnode_internalize_label = stub_internalize_label,
 	.mpo_vnode_relabel = stub_vnode_relabel,
 	.mpo_vnode_setlabel_extattr = stub_vnode_setlabel_extattr,
 };
 
 MAC_POLICY_SET(&stub_ops, mac_stub, "TrustedBSD MAC/Stub",
     MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 267666555f22..7a6a76ce23cc 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1,3304 +1,3302 @@
 /*-
  * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by McAfee
  * Research, the Security Research Division of McAfee, Inc. under
  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
  * CHATS research program.
  *
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
  * This software was developed at the University of Cambridge Computer
  * Laboratory with support from a grant from Google, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 /*
  * Developed by the TrustedBSD Project.
  *
  * MAC Test policy - tests MAC Framework labeling by assigning object class
  * magic numbers to each label and validates that each time an object label
  * is passed into the policy, it has a consistent object type, catching
  * incorrectly passed labels, labels passed after free, etc.
  */
 
 #include <sys/param.h>
 #include <sys/acl.h>
 #include <sys/kdb.h>
 #include <sys/kernel.h>
 #include <sys/ksem.h>
 #include <sys/malloc.h>
 #include <sys/module.h>
 #include <sys/mount.h>
 #include <sys/msg.h>
 #include <sys/proc.h>
 #include <sys/vnode.h>
 #include <sys/sem.h>
 #include <sys/shm.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sx.h>
 #include <sys/sysctl.h>
 
 #include <ddb/ddb.h>
 
 #include <fs/devfs/devfs.h>
 
 #include <net/bpfdesc.h>
 #include <net/if.h>
 #include <net/if_types.h>
 #include <net/if_var.h>
 
 #include <security/mac/mac_policy.h>
 
-SYSCTL_DECL(_security_mac);
-
 static SYSCTL_NODE(_security_mac, OID_AUTO, test,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "TrustedBSD mac_test policy controls");
 
 #define	MAGIC_BPF	0xfe1ad1b6
 #define	MAGIC_DEVFS	0x9ee79c32
 #define	MAGIC_IFNET	0xc218b120
 #define	MAGIC_INPCB	0x4440f7bb
 #define	MAGIC_IP6Q	0x0870e1b7
 #define	MAGIC_IPQ	0x206188ef
 #define	MAGIC_MBUF	0xbbefa5bb
 #define	MAGIC_MOUNT	0xc7c46e47
 #define	MAGIC_SOCKET	0x9199c6cd
 #define	MAGIC_SYNCACHE	0x7fb838a8
 #define	MAGIC_SYSV_MSG	0x8bbba61e
 #define	MAGIC_SYSV_MSQ	0xea672391
 #define	MAGIC_SYSV_SEM	0x896e8a0b
 #define	MAGIC_SYSV_SHM	0x76119ab0
 #define	MAGIC_PIPE	0xdc6c9919
 #define	MAGIC_POSIX_SEM	0x78ae980c
 #define	MAGIC_POSIX_SHM	0x4e853fc9
 #define	MAGIC_PROC	0x3b4be98f
 #define	MAGIC_CRED	0x9a5a4987
 #define	MAGIC_VNODE	0x1a67a45c
 #define	MAGIC_FREE	0x849ba1fd
 
 #define	SLOT(x)	mac_label_get((x), test_slot)
 #define	SLOT_SET(x, v)	mac_label_set((x), test_slot, (v))
 
 static int	test_slot;
 SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
     &test_slot, 0, "Slot allocated by framework");
 
 static SYSCTL_NODE(_security_mac_test, OID_AUTO, counter,
     CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "TrustedBSD mac_test counters controls");
 
 #define	COUNTER_DECL(variable)						\
 	static int counter_##variable;					\
 	SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable,	\
 	CTLFLAG_RD, &counter_##variable, 0, #variable)
 
 #define	COUNTER_INC(variable)	atomic_add_int(&counter_##variable, 1)
 
 #ifdef KDB
 #define	DEBUGGER(func, string)	kdb_enter(KDB_WHY_MAC, (string))
 #else
 #define	DEBUGGER(func, string)	printf("mac_test: %s: %s\n", (func), (string))
 #endif
 
 #define	LABEL_CHECK(label, magic) do {					\
 	if (label != NULL) {						\
 		KASSERT(SLOT(label) == magic ||	SLOT(label) == 0,	\
 		    ("%s: bad %s label", __func__, #magic));		\
 	}								\
 } while (0)
 
 #define	LABEL_DESTROY(label, magic) do {				\
 	if (SLOT(label) == magic || SLOT(label) == 0) {			\
 		SLOT_SET(label, MAGIC_FREE);				\
 	} else if (SLOT(label) == MAGIC_FREE) {				\
 		DEBUGGER("%s: dup destroy", __func__);			\
 	} else {							\
 		DEBUGGER("%s: corrupted label", __func__);		\
 	}								\
 } while (0)
 
 #define	LABEL_INIT(label, magic) do {					\
 	SLOT_SET(label, magic);						\
 } while (0)
 
 #define	LABEL_NOTFREE(label) do {					\
 	KASSERT(SLOT(label) != MAGIC_FREE,				\
 	    ("%s: destroyed label", __func__));				\
 } while (0)
 
 /*
  * Object-specific entry point implementations are sorted alphabetically by
  * object type name and then by operation.
  */
 COUNTER_DECL(bpfdesc_check_receive);
 static int
 test_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
     struct ifnet *ifp, struct label *ifplabel)
 {
 
 	LABEL_CHECK(dlabel, MAGIC_BPF);
 	LABEL_CHECK(ifplabel, MAGIC_IFNET);
 	COUNTER_INC(bpfdesc_check_receive);
 
 	return (0);
 }
 
 COUNTER_DECL(bpfdesc_create);
 static void
 test_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
     struct label *dlabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(dlabel, MAGIC_BPF);
 	COUNTER_INC(bpfdesc_create);
 }
 
 COUNTER_DECL(bpfdesc_create_mbuf);
 static void
 test_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	LABEL_CHECK(dlabel, MAGIC_BPF);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(bpfdesc_create_mbuf);
 }
 
 COUNTER_DECL(bpfdesc_destroy_label);
 static void
 test_bpfdesc_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_BPF);
 	COUNTER_INC(bpfdesc_destroy_label);
 }
 
 COUNTER_DECL(bpfdesc_init_label);
 static void
 test_bpfdesc_init_label(struct label *label)
 {
 
 	LABEL_INIT(label, MAGIC_BPF);
 	COUNTER_INC(bpfdesc_init_label);
 }
 
 COUNTER_DECL(cred_check_relabel);
 static int
 test_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(newlabel, MAGIC_CRED);
 	COUNTER_INC(cred_check_relabel);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_check_setaudit);
 static int
 test_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_check_setaudit);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_check_setaudit_addr);
 static int
 test_cred_check_setaudit_addr(struct ucred *cred,
     struct auditinfo_addr *aia)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_check_setaudit_addr);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_check_setauid);
 static int
 test_cred_check_setauid(struct ucred *cred, uid_t auid)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_check_setauid);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_check_setegid);
 static int
 test_cred_check_setegid(struct ucred *cred, gid_t egid)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_check_setegid);
 
 	return (0);
 }
 
 COUNTER_DECL(proc_check_euid);
 static int
 test_cred_check_seteuid(struct ucred *cred, uid_t euid)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(proc_check_euid);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_check_setregid);
 static int
 test_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_check_setregid);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_check_setreuid);
 static int
 test_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_check_setreuid);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_check_setgid);
 static int
 test_cred_check_setgid(struct ucred *cred, gid_t gid)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_check_setgid);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_check_setgroups);
 static int
 test_cred_check_setgroups(struct ucred *cred, int ngroups,
 	gid_t *gidset)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_check_setgroups);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_check_setresgid);
 static int
 test_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
 	gid_t sgid)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_check_setresgid);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_check_setresuid);
 static int
 test_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
 	uid_t suid)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_check_setresuid);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_check_setuid);
 static int
 test_cred_check_setuid(struct ucred *cred, uid_t uid)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_check_setuid);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_check_visible);
 static int
 test_cred_check_visible(struct ucred *u1, struct ucred *u2)
 {
 
 	LABEL_CHECK(u1->cr_label, MAGIC_CRED);
 	LABEL_CHECK(u2->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_check_visible);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_copy_label);
 static void
 test_cred_copy_label(struct label *src, struct label *dest)
 {
 
 	LABEL_CHECK(src, MAGIC_CRED);
 	LABEL_CHECK(dest, MAGIC_CRED);
 	COUNTER_INC(cred_copy_label);
 }
 
 COUNTER_DECL(cred_create_init);
 static void
 test_cred_create_init(struct ucred *cred)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_create_init);
 }
 
 COUNTER_DECL(cred_create_swapper);
 static void
 test_cred_create_swapper(struct ucred *cred)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(cred_create_swapper);
 }
 
 COUNTER_DECL(cred_destroy_label);
 static void
 test_cred_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_CRED);
 	COUNTER_INC(cred_destroy_label);
 }
 
 COUNTER_DECL(cred_externalize_label);
 static int
 test_cred_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
 {
 
 	LABEL_CHECK(label, MAGIC_CRED);
 	COUNTER_INC(cred_externalize_label);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_init_label);
 static void
 test_cred_init_label(struct label *label)
 {
 
 	LABEL_INIT(label, MAGIC_CRED);
 	COUNTER_INC(cred_init_label);
 }
 
 COUNTER_DECL(cred_internalize_label);
 static int
 test_cred_internalize_label(struct label *label, char *element_name,
     char *element_data, int *claimed)
 {
 
 	LABEL_CHECK(label, MAGIC_CRED);
 	COUNTER_INC(cred_internalize_label);
 
 	return (0);
 }
 
 COUNTER_DECL(cred_relabel);
 static void
 test_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(newlabel, MAGIC_CRED);
 	COUNTER_INC(cred_relabel);
 }
 
 COUNTER_DECL(ddb_command_exec);
 static int
 test_ddb_command_exec(struct db_command *cmd, db_expr_t addr, bool have_addr,
     db_expr_t count, char *modif)
 {
 
 	COUNTER_INC(ddb_command_exec);
 
 	return (0);
 }
 
 COUNTER_DECL(ddb_command_register);
 static int
 test_ddb_command_register(struct db_command_table *table,
     struct db_command *cmd)
 {
 
 	COUNTER_INC(ddb_command_register);
 
 	return (0);
 }
 
 COUNTER_DECL(devfs_create_device);
 static void
 test_devfs_create_device(struct ucred *cred, struct mount *mp,
     struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
 {
 
 	if (cred != NULL)
 		LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(delabel, MAGIC_DEVFS);
 	COUNTER_INC(devfs_create_device);
 }
 
 COUNTER_DECL(devfs_create_directory);
 static void
 test_devfs_create_directory(struct mount *mp, char *dirname,
     int dirnamelen, struct devfs_dirent *de, struct label *delabel)
 {
 
 	LABEL_CHECK(delabel, MAGIC_DEVFS);
 	COUNTER_INC(devfs_create_directory);
 }
 
 COUNTER_DECL(devfs_create_symlink);
 static void
 test_devfs_create_symlink(struct ucred *cred, struct mount *mp,
     struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
     struct label *delabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(ddlabel, MAGIC_DEVFS);
 	LABEL_CHECK(delabel, MAGIC_DEVFS);
 	COUNTER_INC(devfs_create_symlink);
 }
 
 COUNTER_DECL(devfs_destroy_label);
 static void
 test_devfs_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_DEVFS);
 	COUNTER_INC(devfs_destroy_label);
 }
 
 COUNTER_DECL(devfs_init_label);
 static void
 test_devfs_init_label(struct label *label)
 {
 
 	LABEL_INIT(label, MAGIC_DEVFS);
 	COUNTER_INC(devfs_init_label);
 }
 
 COUNTER_DECL(devfs_update);
 static void
 test_devfs_update(struct mount *mp, struct devfs_dirent *devfs_dirent,
     struct label *direntlabel, struct vnode *vp, struct label *vplabel)
 {
 
 	LABEL_CHECK(direntlabel, MAGIC_DEVFS);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(devfs_update);
 }
 
 COUNTER_DECL(devfs_vnode_associate);
 static void
 test_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
     struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
     struct label *vplabel)
 {
 
 	LABEL_CHECK(mplabel, MAGIC_MOUNT);
 	LABEL_CHECK(delabel, MAGIC_DEVFS);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(devfs_vnode_associate);
 }
 
 COUNTER_DECL(ifnet_check_relabel);
 static int
 test_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
     struct label *ifplabel, struct label *newlabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(ifplabel, MAGIC_IFNET);
 	LABEL_CHECK(newlabel, MAGIC_IFNET);
 	COUNTER_INC(ifnet_check_relabel);
 
 	return (0);
 }
 
 COUNTER_DECL(ifnet_check_transmit);
 static int
 test_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	LABEL_CHECK(ifplabel, MAGIC_IFNET);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(ifnet_check_transmit);
 
 	return (0);
 }
 
 COUNTER_DECL(ifnet_copy_label);
 static void
 test_ifnet_copy_label(struct label *src, struct label *dest)
 {
 
 	LABEL_CHECK(src, MAGIC_IFNET);
 	LABEL_CHECK(dest, MAGIC_IFNET);
 	COUNTER_INC(ifnet_copy_label);
 }
 
 COUNTER_DECL(ifnet_create);
 static void
 test_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 {
 
 	LABEL_CHECK(ifplabel, MAGIC_IFNET);
 	COUNTER_INC(ifnet_create);
 }
 
 COUNTER_DECL(ifnet_create_mbuf);
 static void
 test_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	LABEL_CHECK(ifplabel, MAGIC_IFNET);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(ifnet_create_mbuf);
 }
 
 COUNTER_DECL(ifnet_destroy_label);
 static void
 test_ifnet_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_IFNET);
 	COUNTER_INC(ifnet_destroy_label);
 }
 
 COUNTER_DECL(ifnet_externalize_label);
 static int
 test_ifnet_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
 {
 
 	LABEL_CHECK(label, MAGIC_IFNET);
 	COUNTER_INC(ifnet_externalize_label);
 
 	return (0);
 }
 
 COUNTER_DECL(ifnet_init_label);
 static void
 test_ifnet_init_label(struct label *label)
 {
 
 	LABEL_INIT(label, MAGIC_IFNET);
 	COUNTER_INC(ifnet_init_label);
 }
 
 COUNTER_DECL(ifnet_internalize_label);
 static int
 test_ifnet_internalize_label(struct label *label, char *element_name,
     char *element_data, int *claimed)
 {
 
 	LABEL_CHECK(label, MAGIC_IFNET);
 	COUNTER_INC(ifnet_internalize_label);
 
 	return (0);
 }
 
 COUNTER_DECL(ifnet_relabel);
 static void
 test_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
     struct label *ifplabel, struct label *newlabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(ifplabel, MAGIC_IFNET);
 	LABEL_CHECK(newlabel, MAGIC_IFNET);
 	COUNTER_INC(ifnet_relabel);
 }
 
 COUNTER_DECL(inpcb_check_deliver);
 static int
 test_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	LABEL_CHECK(inplabel, MAGIC_INPCB);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(inpcb_check_deliver);
 
 	return (0);
 }
 
 COUNTER_DECL(inpcb_check_visible);
 static int
 test_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
     struct label *inplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(inplabel, MAGIC_INPCB);
 	COUNTER_INC(inpcb_check_visible);
 
 	return (0);
 }
 
 COUNTER_DECL(inpcb_create);
 static void
 test_inpcb_create(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
 {
 
 	SOCK_LOCK(so);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	LABEL_CHECK(inplabel, MAGIC_INPCB);
 	COUNTER_INC(inpcb_create);
 }
 
 COUNTER_DECL(inpcb_create_mbuf);
 static void
 test_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	LABEL_CHECK(inplabel, MAGIC_INPCB);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(inpcb_create_mbuf);
 }
 
 COUNTER_DECL(inpcb_destroy_label);
 static void
 test_inpcb_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_INPCB);
 	COUNTER_INC(inpcb_destroy_label);
 }
 
 COUNTER_DECL(inpcb_init_label);
 static int
 test_inpcb_init_label(struct label *label, int flag)
 {
 
 	if (flag & M_WAITOK)
 		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
 		    "test_inpcb_init_label() at %s:%d", __FILE__,
 		    __LINE__);
 
 	LABEL_INIT(label, MAGIC_INPCB);
 	COUNTER_INC(inpcb_init_label);
 	return (0);
 }
 
 COUNTER_DECL(inpcb_sosetlabel);
 static void
 test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
 {
 
 	SOCK_LOCK_ASSERT(so);
 
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	LABEL_CHECK(inplabel, MAGIC_INPCB);
 	COUNTER_INC(inpcb_sosetlabel);
 }
 
 COUNTER_DECL(ip6q_create);
 static void
 test_ip6q_create(struct mbuf *fragment, struct label *fragmentlabel,
     struct ip6q *q6, struct label *q6label)
 {
 
 	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
 	LABEL_CHECK(q6label, MAGIC_IP6Q);
 	COUNTER_INC(ip6q_create);
 }
 
 COUNTER_DECL(ip6q_destroy_label);
 static void
 test_ip6q_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_IP6Q);
 	COUNTER_INC(ip6q_destroy_label);
 }
 
 COUNTER_DECL(ip6q_init_label);
 static int
 test_ip6q_init_label(struct label *label, int flag)
 {
 
 	if (flag & M_WAITOK)
 		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
 		    "test_ip6q_init_label() at %s:%d", __FILE__,
 		    __LINE__);
 
 	LABEL_INIT(label, MAGIC_IP6Q);
 	COUNTER_INC(ip6q_init_label);
 	return (0);
 }
 
 COUNTER_DECL(ip6q_match);
 static int
 test_ip6q_match(struct mbuf *fragment, struct label *fragmentlabel,
     struct ip6q *q6, struct label *q6label)
 {
 
 	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
 	LABEL_CHECK(q6label, MAGIC_IP6Q);
 	COUNTER_INC(ip6q_match);
 
 	return (1);
 }
 
 COUNTER_DECL(ip6q_reassemble);
 static void
 test_ip6q_reassemble(struct ip6q *q6, struct label *q6label, struct mbuf *m,
    struct label *mlabel)
 {
 
 	LABEL_CHECK(q6label, MAGIC_IP6Q);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(ip6q_reassemble);
 }
 
 COUNTER_DECL(ip6q_update);
 static void
 test_ip6q_update(struct mbuf *m, struct label *mlabel, struct ip6q *q6,
     struct label *q6label)
 {
 
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	LABEL_CHECK(q6label, MAGIC_IP6Q);
 	COUNTER_INC(ip6q_update);
 }
 
 COUNTER_DECL(ipq_create);
 static void
 test_ipq_create(struct mbuf *fragment, struct label *fragmentlabel,
     struct ipq *q, struct label *qlabel)
 {
 
 	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
 	LABEL_CHECK(qlabel, MAGIC_IPQ);
 	COUNTER_INC(ipq_create);
 }
 
 COUNTER_DECL(ipq_destroy_label);
 static void
 test_ipq_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_IPQ);
 	COUNTER_INC(ipq_destroy_label);
 }
 
 COUNTER_DECL(ipq_init_label);
 static int
 test_ipq_init_label(struct label *label, int flag)
 {
 
 	if (flag & M_WAITOK)
 		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
 		    "test_ipq_init_label() at %s:%d", __FILE__,
 		    __LINE__);
 
 	LABEL_INIT(label, MAGIC_IPQ);
 	COUNTER_INC(ipq_init_label);
 	return (0);
 }
 
 COUNTER_DECL(ipq_match);
 static int
 test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel,
     struct ipq *q, struct label *qlabel)
 {
 
 	LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
 	LABEL_CHECK(qlabel, MAGIC_IPQ);
 	COUNTER_INC(ipq_match);
 
 	return (1);
 }
 
 COUNTER_DECL(ipq_reassemble);
 static void
 test_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m,
    struct label *mlabel)
 {
 
 	LABEL_CHECK(qlabel, MAGIC_IPQ);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(ipq_reassemble);
 }
 
 COUNTER_DECL(ipq_update);
 static void
 test_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q,
     struct label *qlabel)
 {
 
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	LABEL_CHECK(qlabel, MAGIC_IPQ);
 	COUNTER_INC(ipq_update);
 }
 
 COUNTER_DECL(kdb_backend_check);
 static int
 test_kdb_check_backend(struct kdb_dbbe *be)
 {
 
 	COUNTER_INC(kdb_backend_check);
 
 	return (0);
 }
 
 COUNTER_DECL(kenv_check_dump);
 static int
 test_kenv_check_dump(struct ucred *cred)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(kenv_check_dump);
 
 	return (0);
 }
 
 COUNTER_DECL(kenv_check_get);
 static int
 test_kenv_check_get(struct ucred *cred, char *name)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(kenv_check_get);
 
 	return (0);
 }
 
 COUNTER_DECL(kenv_check_set);
 static int
 test_kenv_check_set(struct ucred *cred, char *name, char *value)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(kenv_check_set);
 
 	return (0);
 }
 
 COUNTER_DECL(kenv_check_unset);
 static int
 test_kenv_check_unset(struct ucred *cred, char *name)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(kenv_check_unset);
 
 	return (0);
 }
 
 COUNTER_DECL(kld_check_load);
 static int
 test_kld_check_load(struct ucred *cred, struct vnode *vp,
     struct label *label)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(label, MAGIC_VNODE);
 	COUNTER_INC(kld_check_load);
 
 	return (0);
 }
 
 COUNTER_DECL(kld_check_stat);
 static int
 test_kld_check_stat(struct ucred *cred)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(kld_check_stat);
 
 	return (0);
 }
 
 COUNTER_DECL(mbuf_copy_label);
 static void
 test_mbuf_copy_label(struct label *src, struct label *dest)
 {
 
 	LABEL_CHECK(src, MAGIC_MBUF);
 	LABEL_CHECK(dest, MAGIC_MBUF);
 	COUNTER_INC(mbuf_copy_label);
 }
 
 COUNTER_DECL(mbuf_destroy_label);
 static void
 test_mbuf_destroy_label(struct label *label)
 {
 
 	/*
 	 * If we're loaded dynamically, there may be mbufs in flight that
 	 * didn't have label storage allocated for them.  Handle this
 	 * gracefully.
 	 */
 	if (label == NULL)
 		return;
 
 	LABEL_DESTROY(label, MAGIC_MBUF);
 	COUNTER_INC(mbuf_destroy_label);
 }
 
 COUNTER_DECL(mbuf_init_label);
 static int
 test_mbuf_init_label(struct label *label, int flag)
 {
 
 	if (flag & M_WAITOK)
 		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
 		    "test_mbuf_init_label() at %s:%d", __FILE__,
 		    __LINE__);
 
 	LABEL_INIT(label, MAGIC_MBUF);
 	COUNTER_INC(mbuf_init_label);
 	return (0);
 }
 
 COUNTER_DECL(mount_check_stat);
 static int
 test_mount_check_stat(struct ucred *cred, struct mount *mp,
     struct label *mplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(mplabel, MAGIC_MOUNT);
 	COUNTER_INC(mount_check_stat);
 
 	return (0);
 }
 
 COUNTER_DECL(mount_create);
 static void
 test_mount_create(struct ucred *cred, struct mount *mp,
     struct label *mplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(mplabel, MAGIC_MOUNT);
 	COUNTER_INC(mount_create);
 }
 
 COUNTER_DECL(mount_destroy_label);
 static void
 test_mount_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_MOUNT);
 	COUNTER_INC(mount_destroy_label);
 }
 
 COUNTER_DECL(mount_init_label);
 static void
 test_mount_init_label(struct label *label)
 {
 
 	LABEL_INIT(label, MAGIC_MOUNT);
 	COUNTER_INC(mount_init_label);
 }
 
 COUNTER_DECL(netinet_arp_send);
 static void
 test_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	LABEL_CHECK(ifplabel, MAGIC_IFNET);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(netinet_arp_send);
 }
 
 COUNTER_DECL(netinet_fragment);
 static void
 test_netinet_fragment(struct mbuf *m, struct label *mlabel,
     struct mbuf *frag, struct label *fraglabel)
 {
 
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	LABEL_CHECK(fraglabel, MAGIC_MBUF);
 	COUNTER_INC(netinet_fragment);
 }
 
 COUNTER_DECL(netinet_icmp_reply);
 static void
 test_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
     struct mbuf *msend, struct label *msendlabel)
 {
 
 	LABEL_CHECK(mrecvlabel, MAGIC_MBUF);
 	LABEL_CHECK(msendlabel, MAGIC_MBUF);
 	COUNTER_INC(netinet_icmp_reply);
 }
 
 COUNTER_DECL(netinet_icmp_replyinplace);
 static void
 test_netinet_icmp_replyinplace(struct mbuf *m, struct label *mlabel)
 {
 
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(netinet_icmp_replyinplace);
 }
 
 COUNTER_DECL(netinet_igmp_send);
 static void
 test_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	LABEL_CHECK(ifplabel, MAGIC_IFNET);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(netinet_igmp_send);
 }
 
 COUNTER_DECL(netinet_tcp_reply);
 static void
 test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
 {
 
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(netinet_tcp_reply);
 }
 
 COUNTER_DECL(netinet6_nd6_send);
 static void
 test_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	LABEL_CHECK(ifplabel, MAGIC_IFNET);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(netinet6_nd6_send);
 }
 
 COUNTER_DECL(pipe_check_ioctl);
 static int
 test_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(pplabel, MAGIC_PIPE);
 	COUNTER_INC(pipe_check_ioctl);
 
 	return (0);
 }
 
 COUNTER_DECL(pipe_check_poll);
 static int
 test_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(pplabel, MAGIC_PIPE);
 	COUNTER_INC(pipe_check_poll);
 
 	return (0);
 }
 
 COUNTER_DECL(pipe_check_read);
 static int
 test_pipe_check_read(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(pplabel, MAGIC_PIPE);
 	COUNTER_INC(pipe_check_read);
 
 	return (0);
 }
 
 COUNTER_DECL(pipe_check_relabel);
 static int
 test_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, struct label *newlabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(pplabel, MAGIC_PIPE);
 	LABEL_CHECK(newlabel, MAGIC_PIPE);
 	COUNTER_INC(pipe_check_relabel);
 
 	return (0);
 }
 
 COUNTER_DECL(pipe_check_stat);
 static int
 test_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(pplabel, MAGIC_PIPE);
 	COUNTER_INC(pipe_check_stat);
 
 	return (0);
 }
 
 COUNTER_DECL(pipe_check_write);
 static int
 test_pipe_check_write(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(pplabel, MAGIC_PIPE);
 	COUNTER_INC(pipe_check_write);
 
 	return (0);
 }
 
 COUNTER_DECL(pipe_copy_label);
 static void
 test_pipe_copy_label(struct label *src, struct label *dest)
 {
 
 	LABEL_CHECK(src, MAGIC_PIPE);
 	LABEL_CHECK(dest, MAGIC_PIPE);
 	COUNTER_INC(pipe_copy_label);
 }
 
 COUNTER_DECL(pipe_create);
 static void
 test_pipe_create(struct ucred *cred, struct pipepair *pp,
    struct label *pplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(pplabel, MAGIC_PIPE);
 	COUNTER_INC(pipe_create);
 }
 
 COUNTER_DECL(pipe_destroy_label);
 static void
 test_pipe_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_PIPE);
 	COUNTER_INC(pipe_destroy_label);
 }
 
 COUNTER_DECL(pipe_externalize_label);
 static int
 test_pipe_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
 {
 
 	LABEL_CHECK(label, MAGIC_PIPE);
 	COUNTER_INC(pipe_externalize_label);
 
 	return (0);
 }
 
 COUNTER_DECL(pipe_init_label);
 static void
 test_pipe_init_label(struct label *label)
 {
 
 	LABEL_INIT(label, MAGIC_PIPE);
 	COUNTER_INC(pipe_init_label);
 }
 
 COUNTER_DECL(pipe_internalize_label);
 static int
 test_pipe_internalize_label(struct label *label, char *element_name,
     char *element_data, int *claimed)
 {
 
 	LABEL_CHECK(label, MAGIC_PIPE);
 	COUNTER_INC(pipe_internalize_label);
 
 	return (0);
 }
 
 COUNTER_DECL(pipe_relabel);
 static void
 test_pipe_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, struct label *newlabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(pplabel, MAGIC_PIPE);
 	LABEL_CHECK(newlabel, MAGIC_PIPE);
 	COUNTER_INC(pipe_relabel);
 }
 
 COUNTER_DECL(posixsem_check_getvalue);
 static int
 test_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
 
 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
 	COUNTER_INC(posixsem_check_getvalue);
 
 	return (0);
 }
 
 COUNTER_DECL(posixsem_check_open);
 static int
 test_posixsem_check_open(struct ucred *cred, struct ksem *ks,
     struct label *kslabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
 	COUNTER_INC(posixsem_check_open);
 
 	return (0);
 }
 
 COUNTER_DECL(posixsem_check_post);
 static int
 test_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
 
 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
 	COUNTER_INC(posixsem_check_post);
 
 	return (0);
 }
 
 COUNTER_DECL(posixsem_check_setmode);
 static int
 test_posixsem_check_setmode(struct ucred *cred, struct ksem *ks,
     struct label *kslabel, mode_t mode)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(kslabel, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixsem_check_setmode);
 	return (0);
 }
 
 COUNTER_DECL(posixsem_check_setowner);
 static int
 test_posixsem_check_setowner(struct ucred *cred, struct ksem *ks,
     struct label *kslabel, uid_t uid, gid_t gid)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(kslabel, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixsem_check_setowner);
 	return (0);
 }
 
 COUNTER_DECL(posixsem_check_stat);
 static int
 test_posixsem_check_stat(struct ucred *active_cred,
     struct ucred *file_cred, struct ksem *ks, struct label *kslabel)
 {
 
 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
 	COUNTER_INC(posixsem_check_stat);
 	return (0);
 }
 
 COUNTER_DECL(posixsem_check_unlink);
 static int
 test_posixsem_check_unlink(struct ucred *cred, struct ksem *ks,
     struct label *kslabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
 	COUNTER_INC(posixsem_check_unlink);
 
 	return (0);
 }
 
 COUNTER_DECL(posixsem_check_wait);
 static int
 test_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred,
     struct ksem *ks, struct label *kslabel)
 {
 
 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
 	COUNTER_INC(posixsem_check_wait);
 
 	return (0);
 }
 
 COUNTER_DECL(posixsem_create);
 static void
 test_posixsem_create(struct ucred *cred, struct ksem *ks,
    struct label *kslabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
 	COUNTER_INC(posixsem_create);
 }
 
 COUNTER_DECL(posixsem_destroy_label);
 static void
 test_posixsem_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_POSIX_SEM);
 	COUNTER_INC(posixsem_destroy_label);
 }
 
 COUNTER_DECL(posixsem_init_label);
 static void
 test_posixsem_init_label(struct label *label)
 {
 
 	LABEL_INIT(label, MAGIC_POSIX_SEM);
 	COUNTER_INC(posixsem_init_label);
 }
 
 COUNTER_DECL(posixshm_check_create);
 static int
 test_posixshm_check_create(struct ucred *cred, const char *path)
 {
 
 	COUNTER_INC(posixshm_check_create);
 	return (0);
 }
 
 COUNTER_DECL(posixshm_check_mmap);
 static int
 test_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmfdlabel, int prot, int flags)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixshm_check_mmap);
 	return (0);
 }
 
 COUNTER_DECL(posixshm_check_open);
 static int
 test_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmfdlabel, accmode_t accmode)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixshm_check_open);
 	return (0);
 }
 
 COUNTER_DECL(posixshm_check_read);
 static int
 test_posixshm_check_read(struct ucred *active_cred,
     struct ucred *file_cred, struct shmfd *shm, struct label *shmlabel)
 {
 
 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 	if (file_cred != NULL)
 		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmlabel, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixshm_check_read);
 
 	return (0);
 }
 
 COUNTER_DECL(posixshm_check_setmode);
 static int
 test_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmfdlabel, mode_t mode)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixshm_check_setmode);
 	return (0);
 }
 
 COUNTER_DECL(posixshm_check_setowner);
 static int
 test_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmfdlabel, uid_t uid, gid_t gid)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixshm_check_setowner);
 	return (0);
 }
 
 COUNTER_DECL(posixshm_check_stat);
 static int
 test_posixshm_check_stat(struct ucred *active_cred,
     struct ucred *file_cred, struct shmfd *shmfd, struct label *shmfdlabel)
 {
 
 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixshm_check_stat);
 	return (0);
 }
 
 COUNTER_DECL(posixshm_check_truncate);
 static int
 test_posixshm_check_truncate(struct ucred *active_cred,
     struct ucred *file_cred, struct shmfd *shmfd, struct label *shmfdlabel)
 {
 
 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixshm_check_truncate);
 	return (0);
 }
 
 COUNTER_DECL(posixshm_check_unlink);
 static int
 test_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd,
     struct label *shmfdlabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixshm_check_unlink);
 	return (0);
 }
 
 COUNTER_DECL(posixshm_check_write);
 static int
 test_posixshm_check_write(struct ucred *active_cred,
     struct ucred *file_cred, struct shmfd *shm, struct label *shmlabel)
 {
 
 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 	if (file_cred != NULL)
 		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmlabel, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixshm_check_write);
 
 	return (0);
 }
 
 COUNTER_DECL(posixshm_create);
 static void
 test_posixshm_create(struct ucred *cred, struct shmfd *shmfd,
    struct label *shmfdlabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmfdlabel, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixshm_create);
 }
 
 COUNTER_DECL(posixshm_destroy_label);
 static void
 test_posixshm_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixshm_destroy_label);
 }
 
 COUNTER_DECL(posixshm_init_label);
 static void
 test_posixshm_init_label(struct label *label)
 {
 
 	LABEL_INIT(label, MAGIC_POSIX_SHM);
 	COUNTER_INC(posixshm_init_label);
 }
 
 COUNTER_DECL(proc_check_debug);
 static int
 test_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
 	COUNTER_INC(proc_check_debug);
 
 	return (0);
 }
 
 COUNTER_DECL(proc_check_sched);
 static int
 test_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
 	COUNTER_INC(proc_check_sched);
 
 	return (0);
 }
 
 COUNTER_DECL(proc_check_signal);
 static int
 test_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
 	COUNTER_INC(proc_check_signal);
 
 	return (0);
 }
 
 COUNTER_DECL(proc_check_wait);
 static int
 test_proc_check_wait(struct ucred *cred, struct proc *p)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
 	COUNTER_INC(proc_check_wait);
 
 	return (0);
 }
 
 COUNTER_DECL(proc_destroy_label);
 static void
 test_proc_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_PROC);
 	COUNTER_INC(proc_destroy_label);
 }
 
 COUNTER_DECL(proc_init_label);
 static void
 test_proc_init_label(struct label *label)
 {
 
 	LABEL_INIT(label, MAGIC_PROC);
 	COUNTER_INC(proc_init_label);
 }
 
 COUNTER_DECL(socket_check_accept);
 static int
 test_socket_check_accept(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	SOCK_LOCK(so);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	COUNTER_INC(socket_check_accept);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_check_bind);
 static int
 test_socket_check_bind(struct ucred *cred, struct socket *so,
     struct label *solabel, struct sockaddr *sa)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	SOCK_LOCK(so);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	COUNTER_INC(socket_check_bind);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_check_connect);
 static int
 test_socket_check_connect(struct ucred *cred, struct socket *so,
     struct label *solabel, struct sockaddr *sa)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	SOCK_LOCK(so);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	COUNTER_INC(socket_check_connect);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_check_deliver);
 static int
 test_socket_check_deliver(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	SOCK_LOCK(so);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(socket_check_deliver);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_check_listen);
 static int
 test_socket_check_listen(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	SOCK_LOCK(so);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	COUNTER_INC(socket_check_listen);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_check_poll);
 static int
 test_socket_check_poll(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	SOCK_LOCK(so);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	COUNTER_INC(socket_check_poll);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_check_receive);
 static int
 test_socket_check_receive(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	SOCK_LOCK(so);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	COUNTER_INC(socket_check_receive);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_check_relabel);
 static int
 test_socket_check_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
 
 	SOCK_LOCK_ASSERT(so);
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	LABEL_CHECK(newlabel, MAGIC_SOCKET);
 	COUNTER_INC(socket_check_relabel);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_check_send);
 static int
 test_socket_check_send(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	SOCK_LOCK(so);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	COUNTER_INC(socket_check_send);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_check_stat);
 static int
 test_socket_check_stat(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	SOCK_LOCK(so);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	COUNTER_INC(socket_check_stat);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_check_visible);
 static int
 test_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	SOCK_LOCK(so);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	COUNTER_INC(socket_check_visible);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_copy_label);
 static void
 test_socket_copy_label(struct label *src, struct label *dest)
 {
 
 	LABEL_CHECK(src, MAGIC_SOCKET);
 	LABEL_CHECK(dest, MAGIC_SOCKET);
 	COUNTER_INC(socket_copy_label);
 }
 
 COUNTER_DECL(socket_create);
 static void
 test_socket_create(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	COUNTER_INC(socket_create);
 }
 
 COUNTER_DECL(socket_create_mbuf);
 static void
 test_socket_create_mbuf(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	SOCK_LOCK(so);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(socket_create_mbuf);
 }
 
 COUNTER_DECL(socket_destroy_label);
 static void
 test_socket_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_SOCKET);
 	COUNTER_INC(socket_destroy_label);
 }
 
 COUNTER_DECL(socket_externalize_label);
 static int
 test_socket_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
 {
 
 	LABEL_CHECK(label, MAGIC_SOCKET);
 	COUNTER_INC(socket_externalize_label);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_init_label);
 static int
 test_socket_init_label(struct label *label, int flag)
 {
 
 	if (flag & M_WAITOK)
 		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
 		    "test_socket_init_label() at %s:%d", __FILE__,
 		    __LINE__);
 
 	LABEL_INIT(label, MAGIC_SOCKET);
 	COUNTER_INC(socket_init_label);
 	return (0);
 }
 
 COUNTER_DECL(socket_internalize_label);
 static int
 test_socket_internalize_label(struct label *label, char *element_name,
     char *element_data, int *claimed)
 {
 
 	LABEL_CHECK(label, MAGIC_SOCKET);
 	COUNTER_INC(socket_internalize_label);
 
 	return (0);
 }
 
 COUNTER_DECL(socket_newconn);
 static void
 test_socket_newconn(struct socket *oldso, struct label *oldsolabel,
     struct socket *newso, struct label *newsolabel)
 {
 
 	SOCK_LOCK(oldso);
 	LABEL_CHECK(oldsolabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(oldso);
 	SOCK_LOCK(newso);
 	LABEL_CHECK(newsolabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(newso);
 	COUNTER_INC(socket_newconn);
 }
 
 COUNTER_DECL(socket_relabel);
 static void
 test_socket_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
 
 	SOCK_LOCK_ASSERT(so);
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(solabel, MAGIC_SOCKET);
 	LABEL_CHECK(newlabel, MAGIC_SOCKET);
 	COUNTER_INC(socket_relabel);
 }
 
 COUNTER_DECL(socketpeer_destroy_label);
 static void
 test_socketpeer_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_SOCKET);
 	COUNTER_INC(socketpeer_destroy_label);
 }
 
 COUNTER_DECL(socketpeer_externalize_label);
 static int
 test_socketpeer_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
 {
 
 	LABEL_CHECK(label, MAGIC_SOCKET);
 	COUNTER_INC(socketpeer_externalize_label);
 
 	return (0);
 }
 
 COUNTER_DECL(socketpeer_init_label);
 static int
 test_socketpeer_init_label(struct label *label, int flag)
 {
 
 	if (flag & M_WAITOK)
 		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
 		    "test_socketpeer_init_label() at %s:%d", __FILE__,
 		    __LINE__);
 
 	LABEL_INIT(label, MAGIC_SOCKET);
 	COUNTER_INC(socketpeer_init_label);
 	return (0);
 }
 
 COUNTER_DECL(socketpeer_set_from_mbuf);
 static void
 test_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
     struct socket *so, struct label *sopeerlabel)
 {
 
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	SOCK_LOCK(so);
 	LABEL_CHECK(sopeerlabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(so);
 	COUNTER_INC(socketpeer_set_from_mbuf);
 }
 
 COUNTER_DECL(socketpeer_set_from_socket);
 static void
 test_socketpeer_set_from_socket(struct socket *oldso,
     struct label *oldsolabel, struct socket *newso,
     struct label *newsopeerlabel)
 {
 
 	SOCK_LOCK(oldso);
 	LABEL_CHECK(oldsolabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(oldso);
 	SOCK_LOCK(newso);
 	LABEL_CHECK(newsopeerlabel, MAGIC_SOCKET);
 	SOCK_UNLOCK(newso);
 	COUNTER_INC(socketpeer_set_from_socket);
 }
 
 COUNTER_DECL(syncache_create);
 static void
 test_syncache_create(struct label *label, struct inpcb *inp)
 {
 
 	LABEL_CHECK(label, MAGIC_SYNCACHE);
 	COUNTER_INC(syncache_create);
 }
 
 COUNTER_DECL(syncache_create_mbuf);
 static void
 test_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
     struct label *mlabel)
 {
 
 	LABEL_CHECK(sc_label, MAGIC_SYNCACHE);
 	LABEL_CHECK(mlabel, MAGIC_MBUF);
 	COUNTER_INC(syncache_create_mbuf);
 }
 
 COUNTER_DECL(syncache_destroy_label);
 static void
 test_syncache_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_SYNCACHE);
 	COUNTER_INC(syncache_destroy_label);
 }
 
 COUNTER_DECL(syncache_init_label);
 static int
 test_syncache_init_label(struct label *label, int flag)
 {
 
 	if (flag & M_WAITOK)
 		WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
 		    "test_syncache_init_label() at %s:%d", __FILE__,
 		    __LINE__);
 	LABEL_INIT(label, MAGIC_SYNCACHE);
 	COUNTER_INC(syncache_init_label);
 	return (0);
 }
 
 COUNTER_DECL(system_check_acct);
 static int
 test_system_check_acct(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(system_check_acct);
 
 	return (0);
 }
 
 COUNTER_DECL(system_check_audit);
 static int
 test_system_check_audit(struct ucred *cred, void *record, int length)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(system_check_audit);
 
 	return (0);
 }
 
 COUNTER_DECL(system_check_auditctl);
 static int
 test_system_check_auditctl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(system_check_auditctl);
 
 	return (0);
 }
 
 COUNTER_DECL(system_check_auditon);
 static int
 test_system_check_auditon(struct ucred *cred, int cmd)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(system_check_auditon);
 
 	return (0);
 }
 
 COUNTER_DECL(system_check_reboot);
 static int
 test_system_check_reboot(struct ucred *cred, int how)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(system_check_reboot);
 
 	return (0);
 }
 
 COUNTER_DECL(system_check_swapoff);
 static int
 test_system_check_swapoff(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(system_check_swapoff);
 
 	return (0);
 }
 
 COUNTER_DECL(system_check_swapon);
 static int
 test_system_check_swapon(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(system_check_swapon);
 
 	return (0);
 }
 
 COUNTER_DECL(system_check_sysctl);
 static int
 test_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
     void *arg1, int arg2, struct sysctl_req *req)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(system_check_sysctl);
 
 	return (0);
 }
 
 COUNTER_DECL(sysvmsg_cleanup);
 static void
 test_sysvmsg_cleanup(struct label *msglabel)
 {
 
 	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
 	COUNTER_INC(sysvmsg_cleanup);
 }
 
 COUNTER_DECL(sysvmsg_create);
 static void
 test_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
 {
 
 	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
 	LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
 	COUNTER_INC(sysvmsg_create);
 }
 
 COUNTER_DECL(sysvmsg_destroy_label);
 static void
 test_sysvmsg_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_SYSV_MSG);
 	COUNTER_INC(sysvmsg_destroy_label);
 }
 
 COUNTER_DECL(sysvmsg_init_label);
 static void
 test_sysvmsg_init_label(struct label *label)
 {
 	LABEL_INIT(label, MAGIC_SYSV_MSG);
 	COUNTER_INC(sysvmsg_init_label);
 }
 
 COUNTER_DECL(sysvmsq_check_msgmsq);
 static int
 test_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel, struct msqid_kernel *msqkptr,
     struct label *msqklabel)
 {
 
 	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
 	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(sysvmsq_check_msgmsq);
 
   	return (0);
 }
 
 COUNTER_DECL(sysvmsq_check_msgrcv);
 static int
 test_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel)
 {
 
 	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(sysvmsq_check_msgrcv);
 
 	return (0);
 }
 
 COUNTER_DECL(sysvmsq_check_msgrmid);
 static int
 test_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel)
 {
 
 	LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(sysvmsq_check_msgrmid);
 
 	return (0);
 }
 
 COUNTER_DECL(sysvmsq_check_msqget);
 static int
 test_sysvmsq_check_msqget(struct ucred *cred,
     struct msqid_kernel *msqkptr, struct label *msqklabel)
 {
 
 	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(sysvmsq_check_msqget);
 
 	return (0);
 }
 
 COUNTER_DECL(sysvmsq_check_msqsnd);
 static int
 test_sysvmsq_check_msqsnd(struct ucred *cred,
     struct msqid_kernel *msqkptr, struct label *msqklabel)
 {
 
 	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(sysvmsq_check_msqsnd);
 
 	return (0);
 }
 
 COUNTER_DECL(sysvmsq_check_msqrcv);
 static int
 test_sysvmsq_check_msqrcv(struct ucred *cred,
     struct msqid_kernel *msqkptr, struct label *msqklabel)
 {
 
 	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(sysvmsq_check_msqrcv);
 
 	return (0);
 }
 
 COUNTER_DECL(sysvmsq_check_msqctl);
 static int
 test_sysvmsq_check_msqctl(struct ucred *cred,
     struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd)
 {
 
 	LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	COUNTER_INC(sysvmsq_check_msqctl);
 
 	return (0);
 }
 
 COUNTER_DECL(sysvmsq_cleanup);
 static void
 test_sysvmsq_cleanup(struct label *msqlabel)
 {
 
 	LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
 	COUNTER_INC(sysvmsq_cleanup);
 }
 
 COUNTER_DECL(sysvmsq_create);
 static void
 test_sysvmsq_create(struct ucred *cred,
     struct msqid_kernel *msqkptr, struct label *msqlabel)
 {
 
 	LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
 	COUNTER_INC(sysvmsq_create);
 }
 
 COUNTER_DECL(sysvmsq_destroy_label);
 static void
 test_sysvmsq_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_SYSV_MSQ);
 	COUNTER_INC(sysvmsq_destroy_label);
 }
 
 COUNTER_DECL(sysvmsq_init_label);
 static void
 test_sysvmsq_init_label(struct label *label)
 {
 	LABEL_INIT(label, MAGIC_SYSV_MSQ);
 	COUNTER_INC(sysvmsq_init_label);
 }
 
 COUNTER_DECL(sysvsem_check_semctl);
 static int
 test_sysvsem_check_semctl(struct ucred *cred,
     struct semid_kernel *semakptr, struct label *semaklabel, int cmd)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
 	COUNTER_INC(sysvsem_check_semctl);
 
   	return (0);
 }
 
 COUNTER_DECL(sysvsem_check_semget);
 static int
 test_sysvsem_check_semget(struct ucred *cred,
     struct semid_kernel *semakptr, struct label *semaklabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
 	COUNTER_INC(sysvsem_check_semget);
 
 	return (0);
 }
 
 COUNTER_DECL(sysvsem_check_semop);
 static int
 test_sysvsem_check_semop(struct ucred *cred,
     struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
 	COUNTER_INC(sysvsem_check_semop);
 
 	return (0);
 }
 
 COUNTER_DECL(sysvsem_cleanup);
 static void
 test_sysvsem_cleanup(struct label *semalabel)
 {
 
 	LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
 	COUNTER_INC(sysvsem_cleanup);
 }
 
 COUNTER_DECL(sysvsem_create);
 static void
 test_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
     struct label *semalabel)
 {
 
 	LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
 	COUNTER_INC(sysvsem_create);
 }
 
 COUNTER_DECL(sysvsem_destroy_label);
 static void
 test_sysvsem_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_SYSV_SEM);
 	COUNTER_INC(sysvsem_destroy_label);
 }
 
 COUNTER_DECL(sysvsem_init_label);
 static void
 test_sysvsem_init_label(struct label *label)
 {
 	LABEL_INIT(label, MAGIC_SYSV_SEM);
 	COUNTER_INC(sysvsem_init_label);
 }
 
 COUNTER_DECL(sysvshm_check_shmat);
 static int
 test_sysvshm_check_shmat(struct ucred *cred,
     struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
 	COUNTER_INC(sysvshm_check_shmat);
 
   	return (0);
 }
 
 COUNTER_DECL(sysvshm_check_shmctl);
 static int
 test_sysvshm_check_shmctl(struct ucred *cred,
     struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
 	COUNTER_INC(sysvshm_check_shmctl);
 
   	return (0);
 }
 
 COUNTER_DECL(sysvshm_check_shmdt);
 static int
 test_sysvshm_check_shmdt(struct ucred *cred,
     struct shmid_kernel *shmsegptr, struct label *shmseglabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
 	COUNTER_INC(sysvshm_check_shmdt);
 
 	return (0);
 }
 
 COUNTER_DECL(sysvshm_check_shmget);
 static int
 test_sysvshm_check_shmget(struct ucred *cred,
     struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
 	COUNTER_INC(sysvshm_check_shmget);
 
 	return (0);
 }
 
 COUNTER_DECL(sysvshm_cleanup);
 static void
 test_sysvshm_cleanup(struct label *shmlabel)
 {
 
 	LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
 	COUNTER_INC(sysvshm_cleanup);
 }
 
 COUNTER_DECL(sysvshm_create);
 static void
 test_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
     struct label *shmlabel)
 {
 
 	LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
 	COUNTER_INC(sysvshm_create);
 }
 
 COUNTER_DECL(sysvshm_destroy_label);
 static void
 test_sysvshm_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_SYSV_SHM);
 	COUNTER_INC(sysvshm_destroy_label);
 }
 
 COUNTER_DECL(sysvshm_init_label);
 static void
 test_sysvshm_init_label(struct label *label)
 {
 	LABEL_INIT(label, MAGIC_SYSV_SHM);
 	COUNTER_INC(sysvshm_init_label);
 }
 
 COUNTER_DECL(thread_userret);
 static void
 test_thread_userret(struct thread *td)
 {
 
 	COUNTER_INC(thread_userret);
 }
 
 COUNTER_DECL(vnode_associate_extattr);
 static int
 test_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
     struct vnode *vp, struct label *vplabel)
 {
 
 	LABEL_CHECK(mplabel, MAGIC_MOUNT);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_associate_extattr);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_associate_singlelabel);
 static void
 test_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
     struct vnode *vp, struct label *vplabel)
 {
 
 	LABEL_CHECK(mplabel, MAGIC_MOUNT);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_associate_singlelabel);
 }
 
 COUNTER_DECL(vnode_check_access);
 static int
 test_vnode_check_access(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, accmode_t accmode)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_access);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_chdir);
 static int
 test_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_chdir);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_chroot);
 static int
 test_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_chroot);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_create);
 static int
 test_vnode_check_create(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_create);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_deleteacl);
 static int
 test_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_deleteacl);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_deleteextattr);
 static int
 test_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_deleteextattr);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_exec);
 static int
 test_vnode_check_exec(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct image_params *imgp,
     struct label *execlabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	LABEL_CHECK(execlabel, MAGIC_CRED);
 	COUNTER_INC(vnode_check_exec);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_getacl);
 static int
 test_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_getacl);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_getextattr);
 static int
 test_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_getextattr);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_link);
 static int
 test_vnode_check_link(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_link);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_listextattr);
 static int
 test_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_listextattr);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_lookup);
 static int
 test_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_lookup);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_mmap);
 static int
 test_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int prot, int flags)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_mmap);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_open);
 static int
 test_vnode_check_open(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, accmode_t accmode)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_open);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_poll);
 static int
 test_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 
 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 	if (file_cred != NULL)
 		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_poll);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_read);
 static int
 test_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 
 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 	if (file_cred != NULL)
 		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_read);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_readdir);
 static int
 test_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_readdir);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_readlink);
 static int
 test_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_readlink);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_relabel);
 static int
 test_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *newlabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	LABEL_CHECK(newlabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_relabel);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_rename_from);
 static int
 test_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_rename_from);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_rename_to);
 static int
 test_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     int samedir, struct componentname *cnp)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_rename_to);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_revoke);
 static int
 test_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_revoke);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_setacl);
 static int
 test_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type, struct acl *acl)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_setacl);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_setextattr);
 static int
 test_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_setextattr);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_setflags);
 static int
 test_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, u_long flags)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_setflags);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_setmode);
 static int
 test_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, mode_t mode)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_setmode);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_setowner);
 static int
 test_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, uid_t uid, gid_t gid)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_setowner);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_setutimes);
 static int
 test_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct timespec atime, struct timespec mtime)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_setutimes);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_stat);
 static int
 test_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 
 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 	if (file_cred != NULL)
 		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_stat);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_unlink);
 static int
 test_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_unlink);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_check_write);
 static int
 test_vnode_check_write(struct ucred *active_cred,
     struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
 {
 
 	LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
 	if (file_cred != NULL)
 		LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_check_write);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_copy_label);
 static void
 test_vnode_copy_label(struct label *src, struct label *dest)
 {
 
 	LABEL_CHECK(src, MAGIC_VNODE);
 	LABEL_CHECK(dest, MAGIC_VNODE);
 	COUNTER_INC(vnode_copy_label);
 }
 
 COUNTER_DECL(vnode_create_extattr);
 static int
 test_vnode_create_extattr(struct ucred *cred, struct mount *mp,
     struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
     struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(mplabel, MAGIC_MOUNT);
 	LABEL_CHECK(dvplabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_create_extattr);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_destroy_label);
 static void
 test_vnode_destroy_label(struct label *label)
 {
 
 	LABEL_DESTROY(label, MAGIC_VNODE);
 	COUNTER_INC(vnode_destroy_label);
 }
 
 COUNTER_DECL(vnode_execve_transition);
 static void
 test_vnode_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *filelabel,
     struct label *interpvplabel, struct image_params *imgp,
     struct label *execlabel)
 {
 
 	LABEL_CHECK(old->cr_label, MAGIC_CRED);
 	LABEL_CHECK(new->cr_label, MAGIC_CRED);
 	LABEL_CHECK(filelabel, MAGIC_VNODE);
 	LABEL_CHECK(interpvplabel, MAGIC_VNODE);
 	LABEL_CHECK(execlabel, MAGIC_CRED);
 	COUNTER_INC(vnode_execve_transition);
 }
 
 COUNTER_DECL(vnode_execve_will_transition);
 static int
 test_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
     struct label *filelabel, struct label *interpvplabel,
     struct image_params *imgp, struct label *execlabel)
 {
 
 	LABEL_CHECK(old->cr_label, MAGIC_CRED);
 	LABEL_CHECK(filelabel, MAGIC_VNODE);
 	LABEL_CHECK(interpvplabel, MAGIC_VNODE);
 	LABEL_CHECK(execlabel, MAGIC_CRED);
 	COUNTER_INC(vnode_execve_will_transition);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_externalize_label);
 static int
 test_vnode_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
 {
 
 	LABEL_CHECK(label, MAGIC_VNODE);
 	COUNTER_INC(vnode_externalize_label);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_init_label);
 static void
 test_vnode_init_label(struct label *label)
 {
 
 	LABEL_INIT(label, MAGIC_VNODE);
 	COUNTER_INC(vnode_init_label);
 }
 
 COUNTER_DECL(vnode_internalize_label);
 static int
 test_vnode_internalize_label(struct label *label, char *element_name,
     char *element_data, int *claimed)
 {
 
 	LABEL_CHECK(label, MAGIC_VNODE);
 	COUNTER_INC(vnode_internalize_label);
 
 	return (0);
 }
 
 COUNTER_DECL(vnode_relabel);
 static void
 test_vnode_relabel(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *label)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	LABEL_CHECK(label, MAGIC_VNODE);
 	COUNTER_INC(vnode_relabel);
 }
 
 COUNTER_DECL(vnode_setlabel_extattr);
 static int
 test_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *intlabel)
 {
 
 	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 	LABEL_CHECK(vplabel, MAGIC_VNODE);
 	LABEL_CHECK(intlabel, MAGIC_VNODE);
 	COUNTER_INC(vnode_setlabel_extattr);
 
 	return (0);
 }
 
 static struct mac_policy_ops test_ops =
 {
 	.mpo_bpfdesc_check_receive = test_bpfdesc_check_receive,
 	.mpo_bpfdesc_create = test_bpfdesc_create,
 	.mpo_bpfdesc_create_mbuf = test_bpfdesc_create_mbuf,
 	.mpo_bpfdesc_destroy_label = test_bpfdesc_destroy_label,
 	.mpo_bpfdesc_init_label = test_bpfdesc_init_label,
 
 	.mpo_cred_check_relabel = test_cred_check_relabel,
 	.mpo_cred_check_setaudit = test_cred_check_setaudit,
 	.mpo_cred_check_setaudit_addr = test_cred_check_setaudit_addr,
 	.mpo_cred_check_setauid = test_cred_check_setauid,
 	.mpo_cred_check_seteuid = test_cred_check_seteuid,
 	.mpo_cred_check_setegid = test_cred_check_setegid,
 	.mpo_cred_check_setgid = test_cred_check_setgid,
 	.mpo_cred_check_setgroups = test_cred_check_setgroups,
 	.mpo_cred_check_setregid = test_cred_check_setregid,
 	.mpo_cred_check_setresgid = test_cred_check_setresgid,
 	.mpo_cred_check_setresuid = test_cred_check_setresuid,
 	.mpo_cred_check_setreuid = test_cred_check_setreuid,
 	.mpo_cred_check_setuid = test_cred_check_setuid,
 	.mpo_cred_check_visible = test_cred_check_visible,
 	.mpo_cred_copy_label = test_cred_copy_label,
 	.mpo_cred_create_init = test_cred_create_init,
 	.mpo_cred_create_swapper = test_cred_create_swapper,
 	.mpo_cred_destroy_label = test_cred_destroy_label,
 	.mpo_cred_externalize_label = test_cred_externalize_label,
 	.mpo_cred_init_label = test_cred_init_label,
 	.mpo_cred_internalize_label = test_cred_internalize_label,
 	.mpo_cred_relabel = test_cred_relabel,
 
 	.mpo_ddb_command_exec = test_ddb_command_exec,
 	.mpo_ddb_command_register = test_ddb_command_register,
 
 	.mpo_devfs_create_device = test_devfs_create_device,
 	.mpo_devfs_create_directory = test_devfs_create_directory,
 	.mpo_devfs_create_symlink = test_devfs_create_symlink,
 	.mpo_devfs_destroy_label = test_devfs_destroy_label,
 	.mpo_devfs_init_label = test_devfs_init_label,
 	.mpo_devfs_update = test_devfs_update,
 	.mpo_devfs_vnode_associate = test_devfs_vnode_associate,
 
 	.mpo_ifnet_check_relabel = test_ifnet_check_relabel,
 	.mpo_ifnet_check_transmit = test_ifnet_check_transmit,
 	.mpo_ifnet_copy_label = test_ifnet_copy_label,
 	.mpo_ifnet_create = test_ifnet_create,
 	.mpo_ifnet_create_mbuf = test_ifnet_create_mbuf,
 	.mpo_ifnet_destroy_label = test_ifnet_destroy_label,
 	.mpo_ifnet_externalize_label = test_ifnet_externalize_label,
 	.mpo_ifnet_init_label = test_ifnet_init_label,
 	.mpo_ifnet_internalize_label = test_ifnet_internalize_label,
 	.mpo_ifnet_relabel = test_ifnet_relabel,
 
 	.mpo_syncache_destroy_label = test_syncache_destroy_label,
 	.mpo_syncache_init_label = test_syncache_init_label,
 
 	.mpo_sysvmsg_destroy_label = test_sysvmsg_destroy_label,
 	.mpo_sysvmsg_init_label = test_sysvmsg_init_label,
 
 	.mpo_sysvmsq_destroy_label = test_sysvmsq_destroy_label,
 	.mpo_sysvmsq_init_label = test_sysvmsq_init_label,
 
 	.mpo_sysvsem_destroy_label = test_sysvsem_destroy_label,
 	.mpo_sysvsem_init_label = test_sysvsem_init_label,
 
 	.mpo_sysvshm_destroy_label = test_sysvshm_destroy_label,
 	.mpo_sysvshm_init_label = test_sysvshm_init_label,
 
 	.mpo_inpcb_check_deliver = test_inpcb_check_deliver,
 	.mpo_inpcb_check_visible = test_inpcb_check_visible,
 	.mpo_inpcb_create = test_inpcb_create,
 	.mpo_inpcb_create_mbuf = test_inpcb_create_mbuf,
 	.mpo_inpcb_destroy_label = test_inpcb_destroy_label,
 	.mpo_inpcb_init_label = test_inpcb_init_label,
 	.mpo_inpcb_sosetlabel = test_inpcb_sosetlabel,
 
 	.mpo_ip6q_create = test_ip6q_create,
 	.mpo_ip6q_destroy_label = test_ip6q_destroy_label,
 	.mpo_ip6q_init_label = test_ip6q_init_label,
 	.mpo_ip6q_match = test_ip6q_match,
 	.mpo_ip6q_reassemble = test_ip6q_reassemble,
 	.mpo_ip6q_update = test_ip6q_update,
 
 	.mpo_ipq_create = test_ipq_create,
 	.mpo_ipq_destroy_label = test_ipq_destroy_label,
 	.mpo_ipq_init_label = test_ipq_init_label,
 	.mpo_ipq_match = test_ipq_match,
 	.mpo_ipq_reassemble = test_ipq_reassemble,
 	.mpo_ipq_update = test_ipq_update,
 
 	.mpo_kdb_check_backend = test_kdb_check_backend,
 
 	.mpo_kenv_check_dump = test_kenv_check_dump,
 	.mpo_kenv_check_get = test_kenv_check_get,
 	.mpo_kenv_check_set = test_kenv_check_set,
 	.mpo_kenv_check_unset = test_kenv_check_unset,
 
 	.mpo_kld_check_load = test_kld_check_load,
 	.mpo_kld_check_stat = test_kld_check_stat,
 
 	.mpo_mbuf_copy_label = test_mbuf_copy_label,
 	.mpo_mbuf_destroy_label = test_mbuf_destroy_label,
 	.mpo_mbuf_init_label = test_mbuf_init_label,
 
 	.mpo_mount_check_stat = test_mount_check_stat,
 	.mpo_mount_create = test_mount_create,
 	.mpo_mount_destroy_label = test_mount_destroy_label,
 	.mpo_mount_init_label = test_mount_init_label,
 
 	.mpo_netinet_arp_send = test_netinet_arp_send,
 	.mpo_netinet_fragment = test_netinet_fragment,
 	.mpo_netinet_icmp_reply = test_netinet_icmp_reply,
 	.mpo_netinet_icmp_replyinplace = test_netinet_icmp_replyinplace,
 	.mpo_netinet_igmp_send = test_netinet_igmp_send,
 	.mpo_netinet_tcp_reply = test_netinet_tcp_reply,
 
 	.mpo_netinet6_nd6_send = test_netinet6_nd6_send,
 
 	.mpo_pipe_check_ioctl = test_pipe_check_ioctl,
 	.mpo_pipe_check_poll = test_pipe_check_poll,
 	.mpo_pipe_check_read = test_pipe_check_read,
 	.mpo_pipe_check_relabel = test_pipe_check_relabel,
 	.mpo_pipe_check_stat = test_pipe_check_stat,
 	.mpo_pipe_check_write = test_pipe_check_write,
 	.mpo_pipe_copy_label = test_pipe_copy_label,
 	.mpo_pipe_create = test_pipe_create,
 	.mpo_pipe_destroy_label = test_pipe_destroy_label,
 	.mpo_pipe_externalize_label = test_pipe_externalize_label,
 	.mpo_pipe_init_label = test_pipe_init_label,
 	.mpo_pipe_internalize_label = test_pipe_internalize_label,
 	.mpo_pipe_relabel = test_pipe_relabel,
 
 	.mpo_posixsem_check_getvalue = test_posixsem_check_getvalue,
 	.mpo_posixsem_check_open = test_posixsem_check_open,
 	.mpo_posixsem_check_post = test_posixsem_check_post,
 	.mpo_posixsem_check_setmode = test_posixsem_check_setmode,
 	.mpo_posixsem_check_setowner = test_posixsem_check_setowner,
 	.mpo_posixsem_check_stat = test_posixsem_check_stat,
 	.mpo_posixsem_check_unlink = test_posixsem_check_unlink,
 	.mpo_posixsem_check_wait = test_posixsem_check_wait,
 	.mpo_posixsem_create = test_posixsem_create,
 	.mpo_posixsem_destroy_label = test_posixsem_destroy_label,
 	.mpo_posixsem_init_label = test_posixsem_init_label,
 
 	.mpo_posixshm_check_create = test_posixshm_check_create,
 	.mpo_posixshm_check_mmap = test_posixshm_check_mmap,
 	.mpo_posixshm_check_open = test_posixshm_check_open,
 	.mpo_posixshm_check_read = test_posixshm_check_read,
 	.mpo_posixshm_check_setmode = test_posixshm_check_setmode,
 	.mpo_posixshm_check_setowner = test_posixshm_check_setowner,
 	.mpo_posixshm_check_stat = test_posixshm_check_stat,
 	.mpo_posixshm_check_truncate = test_posixshm_check_truncate,
 	.mpo_posixshm_check_unlink = test_posixshm_check_unlink,
 	.mpo_posixshm_check_write = test_posixshm_check_write,
 	.mpo_posixshm_create = test_posixshm_create,
 	.mpo_posixshm_destroy_label = test_posixshm_destroy_label,
 	.mpo_posixshm_init_label = test_posixshm_init_label,
 
 	.mpo_proc_check_debug = test_proc_check_debug,
 	.mpo_proc_check_sched = test_proc_check_sched,
 	.mpo_proc_check_signal = test_proc_check_signal,
 	.mpo_proc_check_wait = test_proc_check_wait,
 	.mpo_proc_destroy_label = test_proc_destroy_label,
 	.mpo_proc_init_label = test_proc_init_label,
 
 	.mpo_socket_check_accept = test_socket_check_accept,
 	.mpo_socket_check_bind = test_socket_check_bind,
 	.mpo_socket_check_connect = test_socket_check_connect,
 	.mpo_socket_check_deliver = test_socket_check_deliver,
 	.mpo_socket_check_listen = test_socket_check_listen,
 	.mpo_socket_check_poll = test_socket_check_poll,
 	.mpo_socket_check_receive = test_socket_check_receive,
 	.mpo_socket_check_relabel = test_socket_check_relabel,
 	.mpo_socket_check_send = test_socket_check_send,
 	.mpo_socket_check_stat = test_socket_check_stat,
 	.mpo_socket_check_visible = test_socket_check_visible,
 	.mpo_socket_copy_label = test_socket_copy_label,
 	.mpo_socket_create = test_socket_create,
 	.mpo_socket_create_mbuf = test_socket_create_mbuf,
 	.mpo_socket_destroy_label = test_socket_destroy_label,
 	.mpo_socket_externalize_label = test_socket_externalize_label,
 	.mpo_socket_init_label = test_socket_init_label,
 	.mpo_socket_internalize_label = test_socket_internalize_label,
 	.mpo_socket_newconn = test_socket_newconn,
 	.mpo_socket_relabel = test_socket_relabel,
 
 	.mpo_socketpeer_destroy_label = test_socketpeer_destroy_label,
 	.mpo_socketpeer_externalize_label = test_socketpeer_externalize_label,
 	.mpo_socketpeer_init_label = test_socketpeer_init_label,
 	.mpo_socketpeer_set_from_mbuf = test_socketpeer_set_from_mbuf,
 	.mpo_socketpeer_set_from_socket = test_socketpeer_set_from_socket,
 
 	.mpo_syncache_create = test_syncache_create,
 	.mpo_syncache_create_mbuf = test_syncache_create_mbuf,
 
 	.mpo_system_check_acct = test_system_check_acct,
 	.mpo_system_check_audit = test_system_check_audit,
 	.mpo_system_check_auditctl = test_system_check_auditctl,
 	.mpo_system_check_auditon = test_system_check_auditon,
 	.mpo_system_check_reboot = test_system_check_reboot,
 	.mpo_system_check_swapoff = test_system_check_swapoff,
 	.mpo_system_check_swapon = test_system_check_swapon,
 	.mpo_system_check_sysctl = test_system_check_sysctl,
 
 	.mpo_vnode_check_access = test_vnode_check_access,
 	.mpo_sysvmsg_cleanup = test_sysvmsg_cleanup,
 	.mpo_sysvmsg_create = test_sysvmsg_create,
 
 	.mpo_sysvmsq_check_msgmsq = test_sysvmsq_check_msgmsq,
 	.mpo_sysvmsq_check_msgrcv = test_sysvmsq_check_msgrcv,
 	.mpo_sysvmsq_check_msgrmid = test_sysvmsq_check_msgrmid,
 	.mpo_sysvmsq_check_msqget = test_sysvmsq_check_msqget,
 	.mpo_sysvmsq_check_msqsnd = test_sysvmsq_check_msqsnd,
 	.mpo_sysvmsq_check_msqrcv = test_sysvmsq_check_msqrcv,
 	.mpo_sysvmsq_check_msqctl = test_sysvmsq_check_msqctl,
 	.mpo_sysvmsq_cleanup = test_sysvmsq_cleanup,
 	.mpo_sysvmsq_create = test_sysvmsq_create,
 
 	.mpo_sysvsem_check_semctl = test_sysvsem_check_semctl,
 	.mpo_sysvsem_check_semget = test_sysvsem_check_semget,
 	.mpo_sysvsem_check_semop = test_sysvsem_check_semop,
 	.mpo_sysvsem_cleanup = test_sysvsem_cleanup,
 	.mpo_sysvsem_create = test_sysvsem_create,
 
 	.mpo_sysvshm_check_shmat = test_sysvshm_check_shmat,
 	.mpo_sysvshm_check_shmctl = test_sysvshm_check_shmctl,
 	.mpo_sysvshm_check_shmdt = test_sysvshm_check_shmdt,
 	.mpo_sysvshm_check_shmget = test_sysvshm_check_shmget,
 	.mpo_sysvshm_cleanup = test_sysvshm_cleanup,
 	.mpo_sysvshm_create = test_sysvshm_create,
 
 	.mpo_thread_userret = test_thread_userret,
 
 	.mpo_vnode_associate_extattr = test_vnode_associate_extattr,
 	.mpo_vnode_associate_singlelabel = test_vnode_associate_singlelabel,
 	.mpo_vnode_check_chdir = test_vnode_check_chdir,
 	.mpo_vnode_check_chroot = test_vnode_check_chroot,
 	.mpo_vnode_check_create = test_vnode_check_create,
 	.mpo_vnode_check_deleteacl = test_vnode_check_deleteacl,
 	.mpo_vnode_check_deleteextattr = test_vnode_check_deleteextattr,
 	.mpo_vnode_check_exec = test_vnode_check_exec,
 	.mpo_vnode_check_getacl = test_vnode_check_getacl,
 	.mpo_vnode_check_getextattr = test_vnode_check_getextattr,
 	.mpo_vnode_check_link = test_vnode_check_link,
 	.mpo_vnode_check_listextattr = test_vnode_check_listextattr,
 	.mpo_vnode_check_lookup = test_vnode_check_lookup,
 	.mpo_vnode_check_mmap = test_vnode_check_mmap,
 	.mpo_vnode_check_open = test_vnode_check_open,
 	.mpo_vnode_check_poll = test_vnode_check_poll,
 	.mpo_vnode_check_read = test_vnode_check_read,
 	.mpo_vnode_check_readdir = test_vnode_check_readdir,
 	.mpo_vnode_check_readlink = test_vnode_check_readlink,
 	.mpo_vnode_check_relabel = test_vnode_check_relabel,
 	.mpo_vnode_check_rename_from = test_vnode_check_rename_from,
 	.mpo_vnode_check_rename_to = test_vnode_check_rename_to,
 	.mpo_vnode_check_revoke = test_vnode_check_revoke,
 	.mpo_vnode_check_setacl = test_vnode_check_setacl,
 	.mpo_vnode_check_setextattr = test_vnode_check_setextattr,
 	.mpo_vnode_check_setflags = test_vnode_check_setflags,
 	.mpo_vnode_check_setmode = test_vnode_check_setmode,
 	.mpo_vnode_check_setowner = test_vnode_check_setowner,
 	.mpo_vnode_check_setutimes = test_vnode_check_setutimes,
 	.mpo_vnode_check_stat = test_vnode_check_stat,
 	.mpo_vnode_check_unlink = test_vnode_check_unlink,
 	.mpo_vnode_check_write = test_vnode_check_write,
 	.mpo_vnode_copy_label = test_vnode_copy_label,
 	.mpo_vnode_create_extattr = test_vnode_create_extattr,
 	.mpo_vnode_destroy_label = test_vnode_destroy_label,
 	.mpo_vnode_execve_transition = test_vnode_execve_transition,
 	.mpo_vnode_execve_will_transition = test_vnode_execve_will_transition,
 	.mpo_vnode_externalize_label = test_vnode_externalize_label,
 	.mpo_vnode_init_label = test_vnode_init_label,
 	.mpo_vnode_internalize_label = test_vnode_internalize_label,
 	.mpo_vnode_relabel = test_vnode_relabel,
 	.mpo_vnode_setlabel_extattr = test_vnode_setlabel_extattr,
 };
 
 MAC_POLICY_SET(&test_ops, mac_test, "TrustedBSD MAC/Test",
     MPC_LOADTIME_FLAG_UNLOADOK, &test_slot);
diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c
index 490601863197..20005ffc75b8 100644
--- a/sys/security/mac_veriexec/mac_veriexec.c
+++ b/sys/security/mac_veriexec/mac_veriexec.c
@@ -1,1187 +1,1185 @@
 /*-
  * SPDX-License-Identifier: BSD-2-Clause
  *
  * Copyright (c) 2011-2023 Juniper Networks, Inc.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 #include <sys/cdefs.h>
 
 #include "opt_capsicum.h"
 #include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/capsicum.h>
 #include <sys/eventhandler.h>
 #include <sys/fcntl.h>
 #include <sys/file.h>
 #include <sys/filedesc.h>
 #include <sys/imgact.h>
 #include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/mac.h>
 #include <sys/mount.h>
 #include <sys/namei.h>
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/sbuf.h>
 #include <sys/stat.h>
 #include <sys/sysctl.h>
 #include <sys/vnode.h>
 #ifdef COMPAT_FREEBSD32
 #include <sys/sysent.h>
 #include <sys/stdint.h>
 #include <sys/abi_compat.h>
 #endif
 #include <fs/nullfs/null.h>
 #include <security/mac/mac_framework.h>
 #include <security/mac/mac_policy.h>
 
 #include "mac_veriexec.h"
 #include "mac_veriexec_internal.h"
 
 #define	SLOT(l) \
 	mac_label_get((l), mac_veriexec_slot)
 #define	SLOT_SET(l, v) \
 	mac_label_set((l), mac_veriexec_slot, (v))
 
 #ifdef MAC_VERIEXEC_DEBUG
 #define	MAC_VERIEXEC_DBG(_lvl, _fmt, ...)				\
 	do {								\
 		VERIEXEC_DEBUG((_lvl), (MAC_VERIEXEC_FULLNAME ": " _fmt	\
 		     "\n", ##__VA_ARGS__));				\
 	} while(0)
 #else
 #define	MAC_VERIEXEC_DBG(_lvl, _fmt, ...)
 #endif
 
 static int sysctl_mac_veriexec_state(SYSCTL_HANDLER_ARGS);
 static int sysctl_mac_veriexec_db(SYSCTL_HANDLER_ARGS);
 static struct mac_policy_ops mac_veriexec_ops;
 
-SYSCTL_DECL(_security_mac);
-
 SYSCTL_NODE(_security_mac, OID_AUTO, veriexec, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
     "MAC/veriexec policy controls");
 
 int	mac_veriexec_debug;
 SYSCTL_INT(_security_mac_veriexec, OID_AUTO, debug, CTLFLAG_RW,
     &mac_veriexec_debug, 0, "Debug level");
 
 static int	mac_veriexec_state;
 SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, state,
     CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_NEEDGIANT,
     0, 0, sysctl_mac_veriexec_state, "A",
     "Verified execution subsystem state");
 
 SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, db,
     CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_SKIP | CTLFLAG_NEEDGIANT,
     0, 0, sysctl_mac_veriexec_db,
     "A", "Verified execution fingerprint database");
 
 
 static int mac_veriexec_slot;
 
 static int mac_veriexec_block_unlink;
 SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink, CTLFLAG_RDTUN,
     &mac_veriexec_block_unlink, 0, "Veriexec unlink protection");
 
 MALLOC_DEFINE(M_VERIEXEC, "veriexec", "Verified execution data");
 
 /**
  * @internal
  * @brief Handler for security.mac.veriexec.db sysctl
  *
  * Display a human-readable form of the current fingerprint database.
  */
 static int
 sysctl_mac_veriexec_db(SYSCTL_HANDLER_ARGS)
 {
 	struct sbuf sb;
 	int error;
 
 	error = sysctl_wire_old_buffer(req, 0);
 	if (error != 0)
 		return (error);
 
 	sbuf_new_for_sysctl(&sb, NULL, 1024, req);
 	mac_veriexec_metadata_print_db(&sb);
 	error = sbuf_finish(&sb);
 	sbuf_delete(&sb);
 
 	return (error);
 }
 
 /**
  * @internal
  * @brief Generate human-readable output about the current verified execution
  *        state.
  *
  * @param sbp		sbuf to write output to
  */
 static void
 mac_veriexec_print_state(struct sbuf *sbp)
 {
 
 	if (mac_veriexec_state & VERIEXEC_STATE_INACTIVE)
 		sbuf_printf(sbp, "inactive ");
 	if (mac_veriexec_state & VERIEXEC_STATE_LOADED)
 		sbuf_printf(sbp, "loaded ");
 	if (mac_veriexec_state & VERIEXEC_STATE_ACTIVE)
 		sbuf_printf(sbp, "active ");
 	if (mac_veriexec_state & VERIEXEC_STATE_ENFORCE)
 		sbuf_printf(sbp, "enforce ");
 	if (mac_veriexec_state & VERIEXEC_STATE_LOCKED)
 		sbuf_printf(sbp, "locked ");
 	if (mac_veriexec_state != 0)
 		sbuf_trim(sbp);
 }
 
 /**
  * @internal
  * @brief Handler for security.mac.veriexec.state sysctl
  *
  * Display a human-readable form of the current verified execution subsystem
  * state.
  */
 static int
 sysctl_mac_veriexec_state(SYSCTL_HANDLER_ARGS)
 {
 	struct sbuf sb;
 	int error;
 
 	sbuf_new(&sb, NULL, 128, SBUF_AUTOEXTEND);
 	mac_veriexec_print_state(&sb);
 	sbuf_finish(&sb);
 
 	error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb));
 	sbuf_delete(&sb);
 	return (error);
 }
 
 /**
  * @internal
  * @brief Event handler called when a virtual file system is mounted.
  *
  * We need to record the file system identifier in the MAC per-policy slot
  * assigned to veriexec, so we have a key to use in order to reference the
  * mount point in the meta-data store.
  *
  * @param arg		unused argument
  * @param mp		mount point that is being mounted
  * @param fsrootvp	vnode of the file system root
  * @param td		calling thread
  */
 static void
 mac_veriexec_vfs_mounted(void *arg __unused, struct mount *mp,
     struct vnode *fsrootvp, struct thread *td)
 {
 	struct vattr va;
 	int error;
 
 	error = VOP_GETATTR(fsrootvp, &va, td->td_ucred);
 	if (error)
 		return;
 
 	SLOT_SET(mp->mnt_label, va.va_fsid);
 	MAC_VERIEXEC_DBG(3, "set fsid to %ju for mount %p",
 	    (uintmax_t)va.va_fsid, mp);
 }
 
 /**
  * @internal
  * @brief Event handler called when a virtual file system is unmounted.
  *
  * If we recorded a file system identifier in the MAC per-policy slot assigned
  * to veriexec, then we need to tell the meta-data store to clean up.
  *
  * @param arg		unused argument
  * @param mp		mount point that is being unmounted
  * @param td		calling thread
  */
 static void
 mac_veriexec_vfs_unmounted(void *arg __unused, struct mount *mp,
     struct thread *td)
 {
 	dev_t fsid;
 
 	fsid = SLOT(mp->mnt_label);
 	if (fsid) {
 		MAC_VERIEXEC_DBG(3, "fsid %ju, cleaning up mount",
 		    (uintmax_t)fsid);
 		mac_veriexec_metadata_unmounted(fsid, td);
 	}
 }
 
 /**
  * @internal
  * @brief The mount point is being initialized, set the value in the MAC
  *     per-policy slot for veriexec to zero.
  *
  * @note A value of zero in this slot indicates no file system identifier
  *     is assigned.
  *
  * @param label the label that is being initialized
  */
 static void
 mac_veriexec_mount_init_label(struct label *label)
 {
 
 	SLOT_SET(label, 0);
 }
 
 /**
  * @internal
  * @brief The mount-point is being destroyed, reset the value in the MAC
  *     per-policy slot for veriexec back to zero.
  *
  * @note A value of zero in this slot indicates no file system identifier
  *     is assigned.
  *
  * @param label the label that is being destroyed
  */
 static void
 mac_veriexec_mount_destroy_label(struct label *label)
 {
 
 	SLOT_SET(label, 0);
 }
 
 /**
  * @internal
  * @brief The vnode label is being initialized, set the value in the MAC
  *     per-policy slot for veriexec to @c FINGERPRINT_INVALID
  *
  * @note @c FINGERPRINT_INVALID indicates the fingerprint is invalid.
  *
  * @param label		the label that is being initialized
  */
 static void
 mac_veriexec_vnode_init_label(struct label *label)
 {
 
 	SLOT_SET(label, FINGERPRINT_INVALID);
 }
 
 /**
  * @internal
  * @brief The vnode label is being destroyed, reset the value in the MAC
  *        per-policy slot for veriexec back to @c FINGERPRINT_INVALID
  *
  * @note @c FINGERPRINT_INVALID indicates the fingerprint is invalid.
  *
  * @param label		the label that is being destroyed
  */
 static void
 mac_veriexec_vnode_destroy_label(struct label *label)
 {
 
 	SLOT_SET(label, FINGERPRINT_INVALID);
 }
 
 /**
  * @internal
  * @brief Copy the value in the MAC per-policy slot assigned to veriexec from
  *        the @p src label to the @p dest label
  */
 static void
 mac_veriexec_copy_label(struct label *src, struct label *dest)
 {
 
 	SLOT_SET(dest, SLOT(src));
 }
 
 /**
  * @internal
  * @brief Check if the requested process can be debugged
  *
  * @param cred		credentials to use
  * @param p		process to debug
  *
  * @return 0 if debugging is allowed, otherwise an error code.
  */
 static int
 mac_veriexec_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	int error, flags;
 
 	/* If we are not enforcing veriexec, nothing for us to check */
 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
 		return (0);
 
 	error = mac_veriexec_metadata_get_executable_flags(cred, p, &flags, 0);
 	if (error != 0)
 		return (0);
 
 	error = (flags & (VERIEXEC_NOTRACE|VERIEXEC_TRUSTED)) ? EACCES : 0;
 	MAC_VERIEXEC_DBG(4, "%s flags=%#x error=%d", __func__, flags, error);
 
 	return (error);
 }
 
 /**
  * @internal
  * @brief A KLD load has been requested and needs to be validated.
  *
  * @param cred		credentials to use
  * @param vp		vnode of the KLD that has been requested
  * @param vlabel	vnode label assigned to the vnode
  *
  * @return 0 if the KLD load is allowed, otherwise an error code.
  */
 static int
 mac_veriexec_kld_check_load(struct ucred *cred, struct vnode *vp,
     struct label *vlabel)
 {
 	struct vattr va;
 	struct thread *td = curthread;
 	fingerprint_status_t status;
 	int error;
 
 	/*
 	 * If we are not actively enforcing, allow it
 	 */
 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
 		return (0);
 
 	/* Get vnode attributes */
 	error = VOP_GETATTR(vp, &va, cred);
 	if (error)
 		return (error);
 
 	/*
 	 * Fetch the fingerprint status for the vnode
 	 * (starting with files first)
 	 */
 	error = mac_veriexec_metadata_fetch_fingerprint_status(vp, &va, td,
 	    VERIEXEC_FILES_FIRST);
 	if (error && error != EAUTH)
 		return (error);
 
 	/*
 	 * By now we should have status...
 	 */
 	status = mac_veriexec_get_fingerprint_status(vp);
 	switch (status) {
 	case FINGERPRINT_FILE:
 	case FINGERPRINT_VALID:
 	case FINGERPRINT_INDIRECT:
 		if (error)
 			return (error);
 		break;
 	default:
 		/*
 		 * kldload should fail unless there is a valid fingerprint
 		 * registered.
 		 */
 		MAC_VERIEXEC_DBG(2, "fingerprint status is %d for dev %ju, "
 		    "file %ju.%ju\n", status, (uintmax_t)va.va_fsid,
 		    (uintmax_t)va.va_fileid, (uintmax_t)va.va_gen);
 		return (EAUTH);
 	}
 
 	/* Everything is good, allow the KLD to be loaded */
 	return (0);
 }
 
 /**
  * @internal
  * @brief Check privileges that veriexec needs to be concerned about.
  *
  * The following privileges are checked by this function:
  *  - PRIV_KMEM_WRITE\n
  *    Check if writes to /dev/mem and /dev/kmem are allowed\n
  *    (Only trusted processes are allowed)
  *  - PRIV_VERIEXEC_CONTROL\n
  *    Check if manipulating veriexec is allowed\n
  *    (only trusted processes are allowed)
  *
  * @param cred		credentials to use
  * @param priv		privilege to check
  *
  * @return 0 if the privilege is allowed, error code otherwise.
  */
 static int
 mac_veriexec_priv_check(struct ucred *cred, int priv)
 {
 	int error;
 
 	/* If we are not enforcing veriexec, nothing for us to check */
 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
 		return (0);
 
 	error = 0;
 	switch (priv) {
 	case PRIV_KMEM_WRITE:
 	case PRIV_PROC_MEM_WRITE:
 	case PRIV_VERIEXEC_CONTROL:
 		/*
 		 * Do not allow writing to memory or manipulating veriexec,
 		 * unless trusted
 		 */
 		if (mac_veriexec_proc_is_trusted(cred, curproc) == 0 &&
 		    mac_priv_grant(cred, priv) != 0)
 			error = EPERM;
 		MAC_VERIEXEC_DBG(4, "%s priv=%d error=%d", __func__, priv,
 		    error);
 		break;
 	default:
 		break;
 	}
 	return (error);
 }
 
 /**
  * @internal
  * @brief Check if the requested sysctl should be allowed
  *
  * @param cred         credentials to use
  * @param oidp         sysctl OID
  * @param arg1         first sysctl argument
  * @param arg2         second sysctl argument
  * @param req          sysctl request information
  *
  * @return 0 if the sysctl should be allowed, otherwise an error code.
  */
 static int
 mac_veriexec_sysctl_check(struct ucred *cred, struct sysctl_oid *oidp,
     void *arg1, int arg2, struct sysctl_req *req)
 {
 	struct sysctl_oid *oid;
 
 	/* If we are not enforcing veriexec, nothing for us to check */
 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
 		return (0);
 
 	oid = oidp;
 	if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) {
 		return (EPERM);		/* XXX call mac_veriexec_priv_check? */
 	}
 	return 0;
 }
 
 /**
  * @internal
  * @brief A program is being executed and needs to be validated.
  *
  * @param cred		credentials to use
  * @param vp		vnode of the program that is being executed
  * @param label		vnode label assigned to the vnode
  * @param imgp		parameters for the image to be executed
  * @param execlabel	optional exec label
  *
  * @return 0 if the program should be allowed to execute, otherwise an error
  *     code.
  */
 static int
 mac_veriexec_vnode_check_exec(struct ucred *cred __unused,
     struct vnode *vp __unused, struct label *label __unused,
     struct image_params *imgp, struct label *execlabel __unused)
 {
 	struct thread *td = curthread;
 	int error;
 
 	error = mac_veriexec_fingerprint_check_image(imgp, 0, td);
 	return (error);
 }
 
 /**
  * @brief Check fingerprint for the specified vnode and validate it
  *
  * @param cred		credentials to use
  * @param vp		vnode of the file
  * @param accmode	access mode to check (read, write, append, create,
  *			verify, etc.)
  *
  * @return 0 if the file validated, otherwise an error code.
  */
 static int
 mac_veriexec_check_vp(struct ucred *cred, struct vnode *vp, accmode_t accmode)
 {
 	struct vattr va;
 	struct thread *td = curthread;
 	fingerprint_status_t status;
 	int error;
 
 	/* Get vnode attributes */
 	error = VOP_GETATTR(vp, &va, cred);
 	if (error)
 		return (error);
 
 	/* Get the fingerprint status for the file */
 	error = mac_veriexec_metadata_fetch_fingerprint_status(vp, &va, td,
 	    VERIEXEC_FILES_FIRST);
 	if (error && error != EAUTH)
 		return (error);
 
 	/*
 	 * By now we should have status...
 	 */
 	status = mac_veriexec_get_fingerprint_status(vp);
 	if (accmode & VWRITE) {
 		/*
 		 * If file has a fingerprint then deny the write request,
 		 * otherwise invalidate the status so we don't keep checking
 		 * for the file having a fingerprint.
 		 */
 		switch (status) {
 		case FINGERPRINT_FILE:
 		case FINGERPRINT_VALID:
 		case FINGERPRINT_INDIRECT:
 			MAC_VERIEXEC_DBG(2,
 			    "attempted write to fingerprinted file for dev "
 			    "%ju, file %ju.%ju\n", (uintmax_t)va.va_fsid,
 			    (uintmax_t)va.va_fileid, (uintmax_t)va.va_gen);
 			return (EPERM);
 		default:
 			break;
 		}
 	}
 	if (accmode & VVERIFY) {
 		switch (status) {
 		case FINGERPRINT_FILE:
 		case FINGERPRINT_VALID:
 		case FINGERPRINT_INDIRECT:
 			if (error)
 				return (error);
 			break;
 		default:
 			/* Allow for overriding verification requirement */
 			if (mac_priv_grant(cred, PRIV_VERIEXEC_NOVERIFY) == 0)
 				return (0);
 			/*
 			 * Caller wants open to fail unless there is a valid
 			 * fingerprint registered.
 			 */
 			MAC_VERIEXEC_DBG(2, "fingerprint status is %d for dev "
 			    "%ju, file %ju.%ju\n", status,
 			    (uintmax_t)va.va_fsid, (uintmax_t)va.va_fileid,
 			    (uintmax_t)va.va_gen);
 			return (EAUTH);
 		}
 	}
 	return (0);
 }
 
 /**
  * @brief Opening a file has been requested and may need to be validated.
  *
  * @param cred		credentials to use
  * @param vp		vnode of the file to open
  * @param label		vnode label assigned to the vnode
  * @param accmode	access mode to use for opening the file (read, write,
  * 			append, create, verify, etc.)
  *
  * @return 0 if opening the file should be allowed, otherwise an error code.
  */
 static int
 mac_veriexec_vnode_check_open(struct ucred *cred, struct vnode *vp,
 	struct label *label __unused, accmode_t accmode)
 {
 	int error;
 
 	/*
 	 * Look for the file on the fingerprint lists iff it has not been seen
 	 * before.
 	 */
 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
 		return (0);
 
 	error = mac_veriexec_check_vp(cred, vp, accmode);
 	return (error);
 }
 
 /**
  * @brief Unlink on a file has been requested and may need to be validated.
  *
  * @param cred		credentials to use
  * @param dvp		parent directory for file vnode vp
  * @param dlabel	vnode label assigned to the directory vnode
  * @param vp		vnode of the file to unlink
  * @param label		vnode label assigned to the vnode
  * @param cnp		component name for vp
  *
  *
  * @return 0 if opening the file should be allowed, otherwise an error code.
  */
 static int
 mac_veriexec_vnode_check_unlink(struct ucred *cred, struct vnode *dvp __unused,
     struct label *dvplabel __unused, struct vnode *vp,
     struct label *label __unused, struct componentname *cnp __unused)
 {
 	int error;
 
 	/*
 	 * Look for the file on the fingerprint lists iff it has not been seen
 	 * before.
 	 */
 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
 		return (0);
 
 	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
 	if (error == 0) {
 		/*
 		 * The target is verified, so disallow replacement.
 		 */
 		MAC_VERIEXEC_DBG(2,
     "(UNLINK) attempted to unlink a protected file (euid: %u)", cred->cr_uid);
 
 		return (EAUTH);
 	}
 	return (0);
 }
 
 /**
  * @brief Rename the file has been requested and may need to be validated.
  *
  * @param cred		credentials to use
  * @param dvp		parent directory for file vnode vp
  * @param dlabel	vnode label assigned to the directory vnode
  * @param vp		vnode of the file to rename
  * @param label		vnode label assigned to the vnode
  * @param cnp		component name for vp
  *
  *
  * @return 0 if opening the file should be allowed, otherwise an error code.
  */
 static int
 mac_veriexec_vnode_check_rename_from(struct ucred *cred,
     struct vnode *dvp __unused, struct label *dvplabel __unused,
     struct vnode *vp, struct label *label __unused,
     struct componentname *cnp __unused)
 {
 	int error;
 
 	/*
 	 * Look for the file on the fingerprint lists iff it has not been seen
 	 * before.
 	 */
 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
 		return (0);
 
 	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
 	if (error == 0) {
 		/*
 		 * The target is verified, so disallow replacement.
 		 */
 		MAC_VERIEXEC_DBG(2,
     "(RENAME_FROM) attempted to rename a protected file (euid: %u)", cred->cr_uid);
 		return (EAUTH);
 	}
 	return (0);
 }
 
 
 /**
  * @brief Rename to file into the directory (overwrite the file name) has been
  * requested and may need to be validated.
  *
  * @param cred		credentials to use
  * @param dvp		parent directory for file vnode vp
  * @param dlabel	vnode label assigned to the directory vnode
  * @param vp		vnode of the overwritten file
  * @param label		vnode label assigned to the vnode
  * @param samedir	1 if the source and destination directories are the same
  * @param cnp		component name for vp
  *
  *
  * @return 0 if opening the file should be allowed, otherwise an error code.
  */
 	static int
 mac_veriexec_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp __unused,
     struct label *dvplabel __unused, struct vnode *vp,
     struct label *label __unused, int samedir __unused,
     struct componentname *cnp __unused)
 {
 	int error;
 	/*
 	 * If there is no existing file to overwrite, vp and label will be
 	 * NULL.
 	 */
 	if (vp == NULL)
 		return (0);
 
 	/*
 	 * Look for the file on the fingerprint lists iff it has not been seen
 	 * before.
 	 */
 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
 		return (0);
 
 	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
 	if (error == 0) {
 		/*
 		 * The target is verified, so disallow replacement.
 		 */
 		MAC_VERIEXEC_DBG(2,
     "(RENAME_TO) attempted to overwrite a protected file (euid: %u)", cred->cr_uid);
 		return (EAUTH);
 	}
 	return (0);
 }
 
 
 /**
  * @brief Check mode changes on file to ensure they should be allowed.
  *
  * We cannot allow chmod of SUID or SGID on verified files.
  *
  * @param cred		credentials to use
  * @param vp		vnode of the file to open
  * @param label		vnode label assigned to the vnode
  * @param mode		mode flags to set
  *
  * @return 0 if the mode change should be allowed, EAUTH otherwise.
  */
 static int
 mac_veriexec_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
     struct label *label __unused, mode_t mode)
 {
 	int error;
 
 	if ((mac_veriexec_state & VERIEXEC_STATE_ENFORCE) == 0)
 		return (0);
 
 	/*
 	 * Prohibit chmod of verified set-[gu]id file.
 	 */
 	error = mac_veriexec_check_vp(cred, vp, VVERIFY);
 	if (error == EAUTH)		/* target not verified */
 		return (0);
 	if (error == 0 && (mode & (S_ISUID|S_ISGID)) != 0)
 		return (EAUTH);
 
 	return (0);
 }
 
 /**
  * @internal
  * @brief Initialize the mac_veriexec MAC policy
  *
  * @param mpc		MAC policy configuration
  */
 static void
 mac_veriexec_init(struct mac_policy_conf *mpc __unused)
 {
 	/* Initialize state */
 	mac_veriexec_state = VERIEXEC_STATE_INACTIVE;
 
 	/* Initialize meta-data storage */
 	mac_veriexec_metadata_init();
 
 	/* Initialize fingerprint ops */
 	mac_veriexec_fingerprint_init();
 
 	/* Register event handlers */
 	EVENTHANDLER_REGISTER(vfs_mounted, mac_veriexec_vfs_mounted, NULL,
 	    EVENTHANDLER_PRI_FIRST);
 	EVENTHANDLER_REGISTER(vfs_unmounted, mac_veriexec_vfs_unmounted, NULL,
 	    EVENTHANDLER_PRI_LAST);
 
 	/* Check if unlink control is activated via tunable value */
 	if (!mac_veriexec_block_unlink)
 		mac_veriexec_ops.mpo_vnode_check_unlink = NULL;
 }
 
 #ifdef COMPAT_FREEBSD32
 struct mac_veriexec_syscall_params32  {
 	char fp_type[VERIEXEC_FPTYPELEN];
 	unsigned char fingerprint[MAXFINGERPRINTLEN];
 	char label[MAXLABELLEN];
 	uint32_t labellen;
 	unsigned char flags;
 };
 
 struct mac_veriexec_syscall_params_args32 {
 	union {
 		pid_t pid;
 		uint32_t filename;
 	} u;				  /* input only */
 	uint32_t params;		  /* result */
 };
 #endif
 
 /**
  * @internal
  * @brief MAC policy-specific syscall for mac_veriexec
  *
  * The following syscalls are implemented:
  *   - @c MAC_VERIEXEC_CHECK_SYSCALL
  *        Check if the file referenced by a file descriptor has a fingerprint
  *        registered in the meta-data store.
  *
  * @param td		calling thread
  * @param call		system call number
  * @param arg		arugments to the syscall
  *
  * @return 0 on success, otherwise an error code.
  */
 static int
 mac_veriexec_syscall(struct thread *td, int call, void *arg)
 {
 	struct image_params img;
 	struct nameidata nd;
 	cap_rights_t rights;
 	struct vattr va;
 	struct file *fp;
 	struct mac_veriexec_syscall_params_args pargs;
 	struct mac_veriexec_syscall_params result;
 #ifdef COMPAT_FREEBSD32
 	struct mac_veriexec_syscall_params_args32 pargs32;
 	struct mac_veriexec_syscall_params32 result32;
 #endif
 	struct mac_veriexec_file_info *ip;
 	struct proc *proc;
 	struct vnode *textvp;
 	int error, flags, proc_locked;
 
 	nd.ni_vp = NULL;
 	proc_locked = 0;
 	textvp = NULL;
 	switch (call) {
 	case MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL:
 	case MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL:
 #ifdef COMPAT_FREEBSD32
 		if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {
 			error = copyin(arg, &pargs32, sizeof(pargs32));
 			if (error)
 				return error;
 			bzero(&pargs, sizeof(pargs));
 			switch (call) {
 			case MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL:
 				CP(pargs32, pargs, u.pid);
 				break;
 			case MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL:
 				PTRIN_CP(pargs32, pargs, u.filename);
 				break;
 			}
 			PTRIN_CP(pargs32, pargs, params);
 		} else
 #endif
 		error = copyin(arg, &pargs, sizeof(pargs));
 		if (error)
 			return error;
 		break;
 	}
 
 	switch (call) {
 	case MAC_VERIEXEC_CHECK_FD_SYSCALL:
 		/* Get the vnode associated with the file descriptor passed */
 		error = getvnode(td, (uintptr_t) arg,
 		    cap_rights_init_one(&rights, CAP_READ), &fp);
 		if (error)
 			return (error);
 		if (fp->f_type != DTYPE_VNODE) {
 			MAC_VERIEXEC_DBG(3, "MAC_VERIEXEC_CHECK_SYSCALL: "
 			    "file is not vnode type (type=0x%x)",
 			    fp->f_type);
 			error = EINVAL;
 			goto cleanup_file;
 		}
 
 		/*
 		 * setup the bits of image_params that are used by
 		 * mac_veriexec_check_fingerprint().
 		 */
 		bzero(&img, sizeof(img));
 		img.proc = td->td_proc;
 		img.vp = fp->f_vnode;
 		img.attr = &va;
 
 		/*
 		 * Get vnode attributes
 		 * (need to obtain a lock on the vnode first)
 		 */
 		vn_lock(img.vp, LK_EXCLUSIVE | LK_RETRY);
 		error = VOP_GETATTR(fp->f_vnode, &va,  td->td_ucred);
 		if (error)
 			goto check_done;
 
 		MAC_VERIEXEC_DBG(2, "mac_veriexec_fingerprint_check_image: "
 		    "va_mode=%o, check_files=%d\n", va.va_mode,
 		    ((va.va_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0));
 		error = mac_veriexec_fingerprint_check_image(&img,
 		    ((va.va_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) == 0), td);
 check_done:
 		/* Release the lock we obtained earlier */
 		VOP_UNLOCK(img.vp);
 cleanup_file:
 		fdrop(fp, td);
 		break;
 	case MAC_VERIEXEC_CHECK_PATH_SYSCALL:
 		/* Look up the path to get the vnode */
 		NDINIT(&nd, LOOKUP,
 		    FOLLOW | LOCKLEAF | LOCKSHARED | AUDITVNODE1,
 		    UIO_USERSPACE, arg);
 		flags = FREAD;
 		error = vn_open(&nd, &flags, 0, NULL);
 		if (error != 0)
 			break;
 		NDFREE_PNBUF(&nd);
 
 		/* Check the fingerprint status of the vnode */
 		error = mac_veriexec_check_vp(td->td_ucred, nd.ni_vp, VVERIFY);
 		/* nd.ni_vp cleaned up below */
 		break;
 	case MAC_VERIEXEC_GET_PARAMS_PID_SYSCALL:
 		if (pargs.u.pid == 0 || pargs.u.pid == curproc->p_pid) {
 			proc = curproc;
 		} else {
 			proc = pfind(pargs.u.pid);
 			if (proc == NULL)
 				return (EINVAL);
 			proc_locked = 1;
 		}
 		textvp = proc->p_textvp;
 		/* FALLTHROUGH */
 	case MAC_VERIEXEC_GET_PARAMS_PATH_SYSCALL:
 		if (textvp == NULL) {
 			/* Look up the path to get the vnode */
 			NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNODE1,
 			    UIO_USERSPACE, pargs.u.filename);
 			flags = FREAD;
 			error = vn_open(&nd, &flags, 0, NULL);
 			if (error != 0)
 				break;
 
 			NDFREE_PNBUF(&nd);
 			textvp = nd.ni_vp;
 		}
 		error = VOP_GETATTR(textvp, &va, curproc->p_ucred);
 		if (proc_locked)
 			PROC_UNLOCK(proc);
 		if (error != 0)
 			break;
 
 		error = mac_veriexec_metadata_get_file_info(va.va_fsid,
 		    va.va_fileid, va.va_gen, NULL, &ip, FALSE);
 		if (error != 0)
 			break;
 
 #ifdef COMPAT_FREEBSD32
 		if (SV_PROC_FLAG(td->td_proc, SV_ILP32)) {
 			bzero(&result32, sizeof(result32));
 			result32.flags = ip->flags;
 			strlcpy(result32.fp_type, ip->ops->type, sizeof(result32.fp_type));
 			result.labellen = ip->labellen;
 			CP(result, result32, labellen);
 			if (ip->labellen > 0)
 				strlcpy(result32.label, ip->label, sizeof(result32.label));
 			result32.label[result.labellen] = '\0';
 			memcpy(result32.fingerprint, ip->fingerprint,
 			    ip->ops->digest_len);
 
 			error = copyout(&result32, pargs.params, sizeof(result32));
 			break;		/* yes */
 		}
 #endif
 		bzero(&result, sizeof(result));
 		result.flags = ip->flags;
 		strlcpy(result.fp_type, ip->ops->type, sizeof(result.fp_type));
 		result.labellen = ip->labellen;
 		if (ip->labellen > 0)
 			strlcpy(result.label, ip->label, sizeof(result.label));
 		result.label[result.labellen] = '\0';
 		memcpy(result.fingerprint, ip->fingerprint,
 		    ip->ops->digest_len);
 
 		error = copyout(&result, pargs.params, sizeof(result));
 		break;
 	default:
 		error = EOPNOTSUPP;
 	}
 	if (nd.ni_vp != NULL) {
 		VOP_UNLOCK(nd.ni_vp);
 		vn_close(nd.ni_vp, FREAD, td->td_ucred, td);
 	}
 	return (error);
 }
 
 static struct mac_policy_ops mac_veriexec_ops =
 {
 	.mpo_init = mac_veriexec_init,
 	.mpo_kld_check_load = mac_veriexec_kld_check_load,
 	.mpo_mount_destroy_label = mac_veriexec_mount_destroy_label,
 	.mpo_mount_init_label = mac_veriexec_mount_init_label,
 	.mpo_priv_check = mac_veriexec_priv_check,
 	.mpo_proc_check_debug = mac_veriexec_proc_check_debug,
 	.mpo_syscall = mac_veriexec_syscall,
 	.mpo_system_check_sysctl = mac_veriexec_sysctl_check,
 	.mpo_vnode_check_exec = mac_veriexec_vnode_check_exec,
 	.mpo_vnode_check_open = mac_veriexec_vnode_check_open,
 	.mpo_vnode_check_unlink = mac_veriexec_vnode_check_unlink,
 	.mpo_vnode_check_rename_to = mac_veriexec_vnode_check_rename_to,
 	.mpo_vnode_check_rename_from = mac_veriexec_vnode_check_rename_from,
 	.mpo_vnode_check_setmode = mac_veriexec_vnode_check_setmode,
 	.mpo_vnode_copy_label = mac_veriexec_copy_label,
 	.mpo_vnode_destroy_label = mac_veriexec_vnode_destroy_label,
 	.mpo_vnode_init_label = mac_veriexec_vnode_init_label,
 };
 
 MAC_POLICY_SET(&mac_veriexec_ops, mac_veriexec, MAC_VERIEXEC_FULLNAME,
     MPC_LOADTIME_FLAG_NOTLATE, &mac_veriexec_slot);
 MODULE_VERSION(mac_veriexec, MAC_VERIEXEC_VERSION);
 
 static struct vnode *
 mac_veriexec_bottom_vnode(struct vnode *vp)
 {
 	struct vnode *ldvp = NULL;
 
 	/*
 	 * XXX This code is bogus. nullfs is not the only stacking
 	 * filesystem. Less bogus code would add a VOP to reach bottom
 	 * vnode and would not make assumptions how to get there.
 	 */
 	if (vp->v_mount != NULL &&
 	    strcmp(vp->v_mount->mnt_vfc->vfc_name, "nullfs") == 0)
 		ldvp = NULLVPTOLOWERVP(vp);
 	return (ldvp);
 }
 
 /**
  * @brief Get the fingerprint status set on a vnode.
  *
  * @param vp		vnode to obtain fingerprint status from
  *
  * @return Fingerprint status assigned to the vnode.
  */
 fingerprint_status_t
 mac_veriexec_get_fingerprint_status(struct vnode *vp)
 {
 	fingerprint_status_t fps;
 	struct vnode *ldvp;
 
 	fps = SLOT(vp->v_label);
 	switch (fps) {
 	case FINGERPRINT_VALID:
 	case FINGERPRINT_INDIRECT:
 	case FINGERPRINT_FILE:
 		break;
 	default:
 		/* we may need to recurse */
 		ldvp = mac_veriexec_bottom_vnode(vp);
 		if (ldvp != NULL)
 			return mac_veriexec_get_fingerprint_status(ldvp);
 		break;
 	}
 	return fps;
 }
 
 /**
  * @brief Get the current verified execution subsystem state.
  *
  * @return Current set of verified execution subsystem state flags.
  */
 int
 mac_veriexec_get_state(void)
 {
 
 	return (mac_veriexec_state);
 }
 
 /**
  * @brief Determine if the verified execution subsystem state has specific
  *     flags set.
  *
  * @param state		mask of flags to check
  *
  * @return State flags set within the masked bits
  */
 int
 mac_veriexec_in_state(int state)
 {
 
 	return (mac_veriexec_state & state);
 }
 
 /**
  * @brief Set the fingerprint status for a vnode
  *
  * Fingerprint status is stored in the MAC per-policy slot assigned to
  * mac_veriexec.
  *
  * @param vp		vnode to store the fingerprint status on
  * @param fp_status	fingerprint status to store
  */
 void
 mac_veriexec_set_fingerprint_status(struct vnode *vp,
     fingerprint_status_t fp_status)
 {
 	struct vnode *ldvp;
 
 	/* recurse until we find the real storage */
 	ldvp = mac_veriexec_bottom_vnode(vp);
 	if (ldvp != NULL) {
 		mac_veriexec_set_fingerprint_status(ldvp, fp_status);
 		return;
 	}
 	SLOT_SET(vp->v_label, fp_status);
 }
 
 /**
  * @brief Set verified execution subsystem state flags
  *
  * @note Flags can only be added to the current state, not removed.
  *
  * @param state		state flags to add to the current state
  */
 void
 mac_veriexec_set_state(int state)
 {
 
 	mac_veriexec_state |= state;
 }
 
 /**
  * @brief Determine if the process is trusted
  *
  * @param cred		credentials to use
  * @param p		the process in question
  *
  * @return 1 if the process is trusted, otherwise 0.
  */
 int
 mac_veriexec_proc_is_trusted(struct ucred *cred, struct proc *p)
 {
 	int already_locked, error, flags;
 
 	/* Make sure we lock the process if we do not already have the lock */
 	already_locked = PROC_LOCKED(p);
 	if (!already_locked)
 		PROC_LOCK(p);
 
 	error = mac_veriexec_metadata_get_executable_flags(cred, p, &flags, 0);
 
 	/* Unlock the process if we locked it previously */
 	if (!already_locked)
 		PROC_UNLOCK(p);
 
 	/* Any errors, deny access */
 	if (error != 0)
 		return (0);
 
 	/* Check that the trusted flag is set */
 	return ((flags & VERIEXEC_TRUSTED) == VERIEXEC_TRUSTED);
 }