38c38
< * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 172930 2007-10-24 19:04:04Z rwatson $
---
> * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 172955 2007-10-25 11:31:11Z rwatson $
96c96
< static int mac_mls_label_size = sizeof(struct mac_mls);
---
> static int mls_label_size = sizeof(struct mac_mls);
98c98
< &mac_mls_label_size, 0, "Size of struct mac_mls");
---
> &mls_label_size, 0, "Size of struct mac_mls");
100,103c100,103
< static int mac_mls_enabled = 1;
< SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RW,
< &mac_mls_enabled, 0, "Enforce MAC/MLS policy");
< TUNABLE_INT("security.mac.mls.enabled", &mac_mls_enabled);
---
> static int mls_enabled = 1;
> SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RW, &mls_enabled, 0,
> "Enforce MAC/MLS policy");
> TUNABLE_INT("security.mac.mls.enabled", &mls_enabled);
123,125c123,125
< static int mac_mls_slot;
< #define SLOT(l) ((struct mac_mls *)mac_label_get((l), mac_mls_slot))
< #define SLOT_SET(l, val) mac_label_set((l), mac_mls_slot, (uintptr_t)(val))
---
> static int mls_slot;
> #define SLOT(l) ((struct mac_mls *)mac_label_get((l), mls_slot))
> #define SLOT_SET(l, val) mac_label_set((l), mls_slot, (uintptr_t)(val))
147c147
< mls_free(struct mac_mls *mac_mls)
---
> mls_free(struct mac_mls *mm)
150,151c150,151
< if (mac_mls != NULL)
< uma_zfree(zone_mls, mac_mls);
---
> if (mm != NULL)
> uma_zfree(zone_mls, mm);
157c157
< mls_atmostflags(struct mac_mls *mac_mls, int flags)
---
> mls_atmostflags(struct mac_mls *mm, int flags)
160c160
< if ((mac_mls->mm_flags & flags) != mac_mls->mm_flags)
---
> if ((mm->mm_flags & flags) != mm->mm_flags)
166,167c166
< mac_mls_dominate_element(struct mac_mls_element *a,
< struct mac_mls_element *b)
---
> mls_dominate_element(struct mac_mls_element *a, struct mac_mls_element *b)
187c186
< panic("mac_mls_dominate_element: b->mme_type invalid");
---
> panic("mls_dominate_element: b->mme_type invalid");
208c207
< panic("mac_mls_dominate_element: b->mme_type invalid");
---
> panic("mls_dominate_element: b->mme_type invalid");
212c211
< panic("mac_mls_dominate_element: a->mme_type invalid");
---
> panic("mls_dominate_element: a->mme_type invalid");
219c218
< mac_mls_range_in_range(struct mac_mls *rangea, struct mac_mls *rangeb)
---
> mls_range_in_range(struct mac_mls *rangea, struct mac_mls *rangeb)
222c221
< return (mac_mls_dominate_element(&rangeb->mm_rangehigh,
---
> return (mls_dominate_element(&rangeb->mm_rangehigh,
224c223
< mac_mls_dominate_element(&rangea->mm_rangelow,
---
> mls_dominate_element(&rangea->mm_rangelow,
229c228
< mac_mls_effective_in_range(struct mac_mls *effective, struct mac_mls *range)
---
> mls_effective_in_range(struct mac_mls *effective, struct mac_mls *range)
233c232
< ("mac_mls_effective_in_range: a not effective"));
---
> ("mls_effective_in_range: a not effective"));
235c234
< ("mac_mls_effective_in_range: b not range"));
---
> ("mls_effective_in_range: b not range"));
237c236
< return (mac_mls_dominate_element(&range->mm_rangehigh,
---
> return (mls_dominate_element(&range->mm_rangehigh,
239c238
< mac_mls_dominate_element(&effective->mm_effective,
---
> mls_dominate_element(&effective->mm_effective,
246c245
< mac_mls_dominate_effective(struct mac_mls *a, struct mac_mls *b)
---
> mls_dominate_effective(struct mac_mls *a, struct mac_mls *b)
249c248
< ("mac_mls_dominate_effective: a not effective"));
---
> ("mls_dominate_effective: a not effective"));
251c250
< ("mac_mls_dominate_effective: b not effective"));
---
> ("mls_dominate_effective: b not effective"));
253c252
< return (mac_mls_dominate_element(&a->mm_effective, &b->mm_effective));
---
> return (mls_dominate_element(&a->mm_effective, &b->mm_effective));
257c256
< mac_mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b)
---
> mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b)
268c267
< mac_mls_equal_effective(struct mac_mls *a, struct mac_mls *b)
---
> mls_equal_effective(struct mac_mls *a, struct mac_mls *b)
272c271
< ("mac_mls_equal_effective: a not effective"));
---
> ("mls_equal_effective: a not effective"));
274c273
< ("mac_mls_equal_effective: b not effective"));
---
> ("mls_equal_effective: b not effective"));
276c275
< return (mac_mls_equal_element(&a->mm_effective, &b->mm_effective));
---
> return (mls_equal_element(&a->mm_effective, &b->mm_effective));
280c279
< mac_mls_contains_equal(struct mac_mls *mac_mls)
---
> mls_contains_equal(struct mac_mls *mm)
283,284c282,283
< if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE)
< if (mac_mls->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL)
---
> if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE)
> if (mm->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL)
287,288c286,287
< if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) {
< if (mac_mls->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL)
---
> if (mm->mm_flags & MAC_MLS_FLAG_RANGE) {
> if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL)
290c289
< if (mac_mls->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL)
---
> if (mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL)
298c297
< mac_mls_subject_privileged(struct mac_mls *mac_mls)
---
> mls_subject_privileged(struct mac_mls *mm)
301,303c300,301
< KASSERT((mac_mls->mm_flags & MAC_MLS_FLAGS_BOTH) ==
< MAC_MLS_FLAGS_BOTH,
< ("mac_mls_subject_privileged: subject doesn't have both labels"));
---
> KASSERT((mm->mm_flags & MAC_MLS_FLAGS_BOTH) == MAC_MLS_FLAGS_BOTH,
> ("mls_subject_privileged: subject doesn't have both labels"));
306c304
< if (mac_mls->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL)
---
> if (mm->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL)
310,311c308,309
< if (mac_mls->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL ||
< mac_mls->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL)
---
> if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL ||
> mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL)
315,316c313,314
< if (mac_mls->mm_rangelow.mme_type == MAC_MLS_TYPE_LOW &&
< mac_mls->mm_rangehigh.mme_type == MAC_MLS_TYPE_HIGH)
---
> if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_LOW &&
> mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_HIGH)
324c322
< mac_mls_valid(struct mac_mls *mac_mls)
---
> mls_valid(struct mac_mls *mm)
327,328c325,326
< if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
< switch (mac_mls->mm_effective.mme_type) {
---
> if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
> switch (mm->mm_effective.mme_type) {
335c333
< if (mac_mls->mm_effective.mme_level != 0 ||
---
> if (mm->mm_effective.mme_level != 0 ||
337c335
< mac_mls->mm_effective.mme_compartments))
---
> mm->mm_effective.mme_compartments))
345c343
< if (mac_mls->mm_effective.mme_type != MAC_MLS_TYPE_UNDEF)
---
> if (mm->mm_effective.mme_type != MAC_MLS_TYPE_UNDEF)
349,350c347,348
< if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) {
< switch (mac_mls->mm_rangelow.mme_type) {
---
> if (mm->mm_flags & MAC_MLS_FLAG_RANGE) {
> switch (mm->mm_rangelow.mme_type) {
357c355
< if (mac_mls->mm_rangelow.mme_level != 0 ||
---
> if (mm->mm_rangelow.mme_level != 0 ||
359c357
< mac_mls->mm_rangelow.mme_compartments))
---
> mm->mm_rangelow.mme_compartments))
367c365
< switch (mac_mls->mm_rangehigh.mme_type) {
---
> switch (mm->mm_rangehigh.mme_type) {
374c372
< if (mac_mls->mm_rangehigh.mme_level != 0 ||
---
> if (mm->mm_rangehigh.mme_level != 0 ||
376c374
< mac_mls->mm_rangehigh.mme_compartments))
---
> mm->mm_rangehigh.mme_compartments))
383,384c381,382
< if (!mac_mls_dominate_element(&mac_mls->mm_rangehigh,
< &mac_mls->mm_rangelow))
---
> if (!mls_dominate_element(&mm->mm_rangehigh,
> &mm->mm_rangelow))
387,388c385,386
< if (mac_mls->mm_rangelow.mme_type != MAC_MLS_TYPE_UNDEF ||
< mac_mls->mm_rangehigh.mme_type != MAC_MLS_TYPE_UNDEF)
---
> if (mm->mm_rangelow.mme_type != MAC_MLS_TYPE_UNDEF ||
> mm->mm_rangehigh.mme_type != MAC_MLS_TYPE_UNDEF)
396,398c394,396
< mac_mls_set_range(struct mac_mls *mac_mls, u_short typelow,
< u_short levellow, u_char *compartmentslow, u_short typehigh,
< u_short levelhigh, u_char *compartmentshigh)
---
> mls_set_range(struct mac_mls *mm, u_short typelow, u_short levellow,
> u_char *compartmentslow, u_short typehigh, u_short levelhigh,
> u_char *compartmentshigh)
401,402c399,400
< mac_mls->mm_rangelow.mme_type = typelow;
< mac_mls->mm_rangelow.mme_level = levellow;
---
> mm->mm_rangelow.mme_type = typelow;
> mm->mm_rangelow.mme_level = levellow;
404c402
< memcpy(mac_mls->mm_rangelow.mme_compartments,
---
> memcpy(mm->mm_rangelow.mme_compartments,
406,408c404,406
< sizeof(mac_mls->mm_rangelow.mme_compartments));
< mac_mls->mm_rangehigh.mme_type = typehigh;
< mac_mls->mm_rangehigh.mme_level = levelhigh;
---
> sizeof(mm->mm_rangelow.mme_compartments));
> mm->mm_rangehigh.mme_type = typehigh;
> mm->mm_rangehigh.mme_level = levelhigh;
410c408
< memcpy(mac_mls->mm_rangehigh.mme_compartments,
---
> memcpy(mm->mm_rangehigh.mme_compartments,
412,413c410,411
< sizeof(mac_mls->mm_rangehigh.mme_compartments));
< mac_mls->mm_flags |= MAC_MLS_FLAG_RANGE;
---
> sizeof(mm->mm_rangehigh.mme_compartments));
> mm->mm_flags |= MAC_MLS_FLAG_RANGE;
417c415
< mac_mls_set_effective(struct mac_mls *mac_mls, u_short type, u_short level,
---
> mls_set_effective(struct mac_mls *mm, u_short type, u_short level,
421,422c419,420
< mac_mls->mm_effective.mme_type = type;
< mac_mls->mm_effective.mme_level = level;
---
> mm->mm_effective.mme_type = type;
> mm->mm_effective.mme_level = level;
424,426c422,424
< memcpy(mac_mls->mm_effective.mme_compartments, compartments,
< sizeof(mac_mls->mm_effective.mme_compartments));
< mac_mls->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
---
> memcpy(mm->mm_effective.mme_compartments, compartments,
> sizeof(mm->mm_effective.mme_compartments));
> mm->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
430c428
< mac_mls_copy_range(struct mac_mls *labelfrom, struct mac_mls *labelto)
---
> mls_copy_range(struct mac_mls *labelfrom, struct mac_mls *labelto)
434c432
< ("mac_mls_copy_range: labelfrom not range"));
---
> ("mls_copy_range: labelfrom not range"));
442c440
< mac_mls_copy_effective(struct mac_mls *labelfrom, struct mac_mls *labelto)
---
> mls_copy_effective(struct mac_mls *labelfrom, struct mac_mls *labelto)
446c444
< ("mac_mls_copy_effective: labelfrom not effective"));
---
> ("mls_copy_effective: labelfrom not effective"));
453c451
< mac_mls_copy(struct mac_mls *source, struct mac_mls *dest)
---
> mls_copy(struct mac_mls *source, struct mac_mls *dest)
457c455
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
459c457
< mac_mls_copy_range(source, dest);
---
> mls_copy_range(source, dest);
466c464
< mac_mls_init(struct mac_policy_conf *conf)
---
> mls_init(struct mac_policy_conf *conf)
477c475
< mac_mls_init_label(struct label *label)
---
> mls_init_label(struct label *label)
484c482
< mac_mls_init_label_waitcheck(struct label *label, int flag)
---
> mls_init_label_waitcheck(struct label *label, int flag)
495c493
< mac_mls_destroy_label(struct label *label)
---
> mls_destroy_label(struct label *label)
503,505c501,503
< * mac_mls_element_to_string() accepts an sbuf and MLS element. It
< * converts the MLS element to a string and stores the result in the
< * sbuf; if there isn't space in the sbuf, -1 is returned.
---
> * mls_element_to_string() accepts an sbuf and MLS element. It converts the
> * MLS element to a string and stores the result in the sbuf; if there isn't
> * space in the sbuf, -1 is returned.
508c506
< mac_mls_element_to_string(struct sbuf *sb, struct mac_mls_element *element)
---
> mls_element_to_string(struct sbuf *sb, struct mac_mls_element *element)
544c542
< panic("mac_mls_element_to_string: invalid type (%d)",
---
> panic("mls_element_to_string: invalid type (%d)",
550,554c548,552
< * mac_mls_to_string() converts an MLS label to a string, and places
< * the results in the passed sbuf. It returns 0 on success, or EINVAL
< * if there isn't room in the sbuf. Note: the sbuf will be modified
< * even in a failure case, so the caller may need to revert the sbuf
< * by restoring the offset if that's undesired.
---
> * mls_to_string() converts an MLS label to a string, and places the results
> * in the passed sbuf. It returns 0 on success, or EINVAL if there isn't
> * room in the sbuf. Note: the sbuf will be modified even in a failure case,
> * so the caller may need to revert the sbuf by restoring the offset if
> * that's undesired.
557c555
< mac_mls_to_string(struct sbuf *sb, struct mac_mls *mac_mls)
---
> mls_to_string(struct sbuf *sb, struct mac_mls *mm)
560,562c558,559
< if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
< if (mac_mls_element_to_string(sb, &mac_mls->mm_effective)
< == -1)
---
> if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
> if (mls_element_to_string(sb, &mm->mm_effective) == -1)
566c563
< if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) {
---
> if (mm->mm_flags & MAC_MLS_FLAG_RANGE) {
570,571c567
< if (mac_mls_element_to_string(sb, &mac_mls->mm_rangelow)
< == -1)
---
> if (mls_element_to_string(sb, &mm->mm_rangelow) == -1)
577,578c573
< if (mac_mls_element_to_string(sb, &mac_mls->mm_rangehigh)
< == -1)
---
> if (mls_element_to_string(sb, &mm->mm_rangehigh) == -1)
589c584
< mac_mls_externalize_label(struct label *label, char *element_name,
---
> mls_externalize_label(struct label *label, char *element_name,
592c587
< struct mac_mls *mac_mls;
---
> struct mac_mls *mm;
599c594
< mac_mls = SLOT(label);
---
> mm = SLOT(label);
601c596
< return (mac_mls_to_string(sb, mac_mls));
---
> return (mls_to_string(sb, mm));
605c600
< mac_mls_parse_element(struct mac_mls_element *element, char *string)
---
> mls_parse_element(struct mac_mls_element *element, char *string)
610,611c605
< if (strcmp(string, "high") == 0 ||
< strcmp(string, "hi") == 0) {
---
> if (strcmp(string, "high") == 0 || strcmp(string, "hi") == 0) {
614,615c608
< } else if (strcmp(string, "low") == 0 ||
< strcmp(string, "lo") == 0) {
---
> } else if (strcmp(string, "low") == 0 || strcmp(string, "lo") == 0) {
637,639c630,631
< * Optional compartment piece of the element. If none
< * are included, we assume that the label has no
< * compartments.
---
> * Optional compartment piece of the element. If none are
> * included, we assume that the label has no compartments.
660,661c652,653
< * Note: destructively consumes the string, make a local copy before
< * calling if that's a problem.
---
> * Note: destructively consumes the string, make a local copy before calling
> * if that's a problem.
664c656
< mac_mls_parse(struct mac_mls *mac_mls, char *string)
---
> mls_parse(struct mac_mls *mm, char *string)
689c681
< ("mac_mls_parse: range mismatch"));
---
> ("mls_parse: range mismatch"));
691c683
< bzero(mac_mls, sizeof(*mac_mls));
---
> bzero(mm, sizeof(*mm));
693c685
< error = mac_mls_parse_element(&mac_mls->mm_effective, effective);
---
> error = mls_parse_element(&mm->mm_effective, effective);
696c688
< mac_mls->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
---
> mm->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
700c692
< error = mac_mls_parse_element(&mac_mls->mm_rangelow,
---
> error = mls_parse_element(&mm->mm_rangelow,
704c696
< error = mac_mls_parse_element(&mac_mls->mm_rangehigh,
---
> error = mls_parse_element(&mm->mm_rangehigh,
708c700
< mac_mls->mm_flags |= MAC_MLS_FLAG_RANGE;
---
> mm->mm_flags |= MAC_MLS_FLAG_RANGE;
711c703
< error = mac_mls_valid(mac_mls);
---
> error = mls_valid(mm);
719c711
< mac_mls_internalize_label(struct label *label, char *element_name,
---
> mls_internalize_label(struct label *label, char *element_name,
722c714
< struct mac_mls *mac_mls, mac_mls_temp;
---
> struct mac_mls *mm, mm_temp;
730c722
< error = mac_mls_parse(&mac_mls_temp, element_data);
---
> error = mls_parse(&mm_temp, element_data);
734,735c726,727
< mac_mls = SLOT(label);
< *mac_mls = mac_mls_temp;
---
> mm = SLOT(label);
> *mm = mm_temp;
741c733
< mac_mls_copy_label(struct label *src, struct label *dest)
---
> mls_copy_label(struct label *src, struct label *dest)
748,749c740,741
< * Labeling event operations: file system objects, and things that look
< * a lot like file system objects.
---
> * Labeling event operations: file system objects, and things that look a lot
> * like file system objects.
752c744
< mac_mls_devfs_create_device(struct ucred *cred, struct mount *mp,
---
> mls_devfs_create_device(struct ucred *cred, struct mount *mp,
755c747
< struct mac_mls *mac_mls;
---
> struct mac_mls *mm;
758c750
< mac_mls = SLOT(delabel);
---
> mm = SLOT(delabel);
773c765
< mac_mls_set_effective(mac_mls, mls_type, 0, NULL);
---
> mls_set_effective(mm, mls_type, 0, NULL);
777,778c769,770
< mac_mls_devfs_create_directory(struct mount *mp, char *dirname,
< int dirnamelen, struct devfs_dirent *de, struct label *delabel)
---
> mls_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
> struct devfs_dirent *de, struct label *delabel)
780c772
< struct mac_mls *mac_mls;
---
> struct mac_mls *mm;
782,783c774,775
< mac_mls = SLOT(delabel);
< mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
---
> mm = SLOT(delabel);
> mls_set_effective(mm, MAC_MLS_TYPE_LOW, 0, NULL);
787c779
< mac_mls_devfs_create_symlink(struct ucred *cred, struct mount *mp,
---
> mls_devfs_create_symlink(struct ucred *cred, struct mount *mp,
796c788
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
800,801c792
< mac_mls_mount_create(struct ucred *cred, struct mount *mp,
< struct label *mplabel)
---
> mls_mount_create(struct ucred *cred, struct mount *mp, struct label *mplabel)
807c798,799
< mac_mls_copy_effective(source, dest);
---
>
> mls_copy_effective(source, dest);
811c803
< mac_mls_vnode_relabel(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_relabel(struct ucred *cred, struct vnode *vp,
819c811
< mac_mls_copy(source, dest);
---
> mls_copy(source, dest);
823c815
< mac_mls_devfs_update(struct mount *mp, struct devfs_dirent *de,
---
> mls_devfs_update(struct mount *mp, struct devfs_dirent *de,
831c823
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
835c827
< mac_mls_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
---
> mls_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
844c836
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
848c840
< mac_mls_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
---
> mls_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
851c843
< struct mac_mls temp, *source, *dest;
---
> struct mac_mls mm_temp, *source, *dest;
857,858c849,850
< buflen = sizeof(temp);
< bzero(&temp, buflen);
---
> buflen = sizeof(mm_temp);
> bzero(&mm_temp, buflen);
861c853
< MAC_MLS_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
---
> MAC_MLS_EXTATTR_NAME, &buflen, (char *) &mm_temp, curthread);
864c856
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
869,871c861,862
< if (buflen != sizeof(temp)) {
< printf("mac_mls_vnode_associate_extattr: bad size %d\n",
< buflen);
---
> if (buflen != sizeof(mm_temp)) {
> printf("mls_vnode_associate_extattr: bad size %d\n", buflen);
874,875c865,866
< if (mac_mls_valid(&temp) != 0) {
< printf("mac_mls_vnode_associate_extattr: invalid\n");
---
> if (mls_valid(&mm_temp) != 0) {
> printf("mls_vnode_associate_extattr: invalid\n");
878,879c869,871
< if ((temp.mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_EFFECTIVE) {
< printf("mac_mls_associated_vnode_extattr: not effective\n");
---
> if ((mm_temp.mm_flags & MAC_MLS_FLAGS_BOTH) !=
> MAC_MLS_FLAG_EFFECTIVE) {
> printf("mls_associated_vnode_extattr: not effective\n");
883c875
< mac_mls_copy_effective(&temp, dest);
---
> mls_copy_effective(&mm_temp, dest);
888,889c880,881
< mac_mls_vnode_associate_singlelabel(struct mount *mp,
< struct label *mplabel, struct vnode *vp, struct label *vplabel)
---
> mls_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
> struct vnode *vp, struct label *vplabel)
896c888
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
900c892
< mac_mls_vnode_create_extattr(struct ucred *cred, struct mount *mp,
---
> mls_vnode_create_extattr(struct ucred *cred, struct mount *mp,
904c896
< struct mac_mls *source, *dest, temp;
---
> struct mac_mls *source, *dest, mm_temp;
908,909c900,901
< buflen = sizeof(temp);
< bzero(&temp, buflen);
---
> buflen = sizeof(mm_temp);
> bzero(&mm_temp, buflen);
913c905
< mac_mls_copy_effective(source, &temp);
---
> mls_copy_effective(source, &mm_temp);
916c908
< MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread);
---
> MAC_MLS_EXTATTR_NAME, buflen, (char *) &mm_temp, curthread);
918c910
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
923c915
< mac_mls_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
926c918
< struct mac_mls *source, temp;
---
> struct mac_mls *source, mm_temp;
930,931c922,923
< buflen = sizeof(temp);
< bzero(&temp, buflen);
---
> buflen = sizeof(mm_temp);
> bzero(&mm_temp, buflen);
937c929
< mac_mls_copy_effective(source, &temp);
---
> mls_copy_effective(source, &mm_temp);
940c932
< MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread);
---
> MAC_MLS_EXTATTR_NAME, buflen, (char *) &mm_temp, curthread);
948,949c940,941
< mac_mls_inpcb_create(struct socket *so, struct label *solabel,
< struct inpcb *inp, struct label *inplabel)
---
> mls_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp,
> struct label *inplabel)
956c948
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
960c952
< mac_mls_socket_create_mbuf(struct socket *so, struct label *solabel,
---
> mls_socket_create_mbuf(struct socket *so, struct label *solabel,
968c960
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
972c964
< mac_mls_socket_create(struct ucred *cred, struct socket *so,
---
> mls_socket_create(struct ucred *cred, struct socket *so,
980c972
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
984c976
< mac_mls_pipe_create(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_create(struct ucred *cred, struct pipepair *pp,
992c984
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
996c988
< mac_mls_posixsem_create(struct ucred *cred, struct ksem *ks,
---
> mls_posixsem_create(struct ucred *cred, struct ksem *ks,
1004c996
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1008c1000
< mac_mls_socket_newconn(struct socket *oldso, struct label *oldsolabel,
---
> mls_socket_newconn(struct socket *oldso, struct label *oldsolabel,
1016c1008
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1020c1012
< mac_mls_socket_relabel(struct ucred *cred, struct socket *so,
---
> mls_socket_relabel(struct ucred *cred, struct socket *so,
1028c1020
< mac_mls_copy(source, dest);
---
> mls_copy(source, dest);
1032c1024
< mac_mls_pipe_relabel(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1040c1032
< mac_mls_copy(source, dest);
---
> mls_copy(source, dest);
1044c1036
< mac_mls_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
---
> mls_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
1052c1044
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1059c1051
< mac_mls_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
---
> mls_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
1068c1060
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1072c1064
< mac_mls_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
---
> mls_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
1080c1072
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1084c1076
< mac_mls_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
---
> mls_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
1092c1084
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1096c1088
< mac_mls_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
---
> mls_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
1104c1096
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1111c1103
< mac_mls_socketpeer_set_from_socket(struct socket *oldso,
---
> mls_socketpeer_set_from_socket(struct socket *oldso,
1120c1112
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1124,1125c1116
< mac_mls_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
< struct label *dlabel)
---
> mls_bpfdesc_create(struct ucred *cred, struct bpf_d *d, struct label *dlabel)
1132c1123
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1136c1127
< mac_mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
---
> mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
1148,1149c1139,1140
< mac_mls_set_effective(dest, type, 0, NULL);
< mac_mls_set_range(dest, type, 0, NULL, type, 0, NULL);
---
> mls_set_effective(dest, type, 0, NULL);
> mls_set_range(dest, type, 0, NULL, type, 0, NULL);
1153c1144
< mac_mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
---
> mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
1161c1152
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1165,1166c1156,1157
< mac_mls_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
< struct mbuf *m, struct label *mlabel)
---
> mls_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m,
> struct label *mlabel)
1174c1165
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1178,1179c1169,1170
< mac_mls_netinet_fragment(struct mbuf *m, struct label *mlabel,
< struct mbuf *frag, struct label *fraglabel)
---
> mls_netinet_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag,
> struct label *fraglabel)
1186c1177
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1190c1181
< mac_mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
---
> mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
1198c1189
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1202c1193
< mac_mls_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
---
> mls_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
1209c1200
< mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
---
> mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
1213c1204
< mac_mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
---
> mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
1221c1212
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1225c1216
< mac_mls_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
---
> mls_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
1233c1224
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1237c1228
< mac_mls_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
---
> mls_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
1246c1237
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1250c1241
< mac_mls_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
---
> mls_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
1258c1249
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1262c1253
< mac_mls_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
---
> mls_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
1270c1261
< return (mac_mls_equal_effective(a, b));
---
> return (mls_equal_effective(a, b));
1274c1265
< mac_mls_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
---
> mls_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
1282c1273
< mac_mls_copy(source, dest);
---
> mls_copy(source, dest);
1286c1277
< mac_mls_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
---
> mls_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
1294c1285
< mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
---
> mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1302c1293
< mac_mls_copy(source, dest);
---
> mls_copy(source, dest);
1306c1297
< mac_mls_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel)
---
> mls_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel)
1313c1304
< mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
---
> mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
1317c1308
< mac_mls_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
---
> mls_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
1323c1314,1315
< mac_mls_copy_effective(source, dest);
---
>
> mls_copy_effective(source, dest);
1327c1319
< mac_mls_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
---
> mls_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
1334c1326,1327
< mac_mls_copy_effective(source, dest);
---
>
> mls_copy_effective(source, dest);
1341c1334
< mac_mls_proc_create_swapper(struct ucred *cred)
---
> mls_proc_create_swapper(struct ucred *cred)
1347,1349c1340,1342
< mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
< mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH,
< 0, NULL);
---
> mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
> mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
> NULL);
1353c1346
< mac_mls_proc_create_init(struct ucred *cred)
---
> mls_proc_create_init(struct ucred *cred)
1359,1361c1352,1354
< mac_mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
< mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH,
< 0, NULL);
---
> mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
> mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
> NULL);
1365c1358
< mac_mls_cred_relabel(struct ucred *cred, struct label *newlabel)
---
> mls_cred_relabel(struct ucred *cred, struct label *newlabel)
1372c1365
< mac_mls_copy(source, dest);
---
> mls_copy(source, dest);
1379c1372
< mac_mls_sysvmsg_cleanup(struct label *msglabel)
---
> mls_sysvmsg_cleanup(struct label *msglabel)
1386c1379
< mac_mls_sysvmsq_cleanup(struct label *msqlabel)
---
> mls_sysvmsq_cleanup(struct label *msqlabel)
1393c1386
< mac_mls_sysvsem_cleanup(struct label *semalabel)
---
> mls_sysvsem_cleanup(struct label *semalabel)
1400c1393
< mac_mls_sysvshm_cleanup(struct label *shmlabel)
---
> mls_sysvshm_cleanup(struct label *shmlabel)
1410c1403
< mac_mls_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
---
> mls_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
1415c1408
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1421c1414
< if (mac_mls_equal_effective(a, b))
---
> if (mls_equal_effective(a, b))
1427c1420
< mac_mls_cred_check_relabel(struct ucred *cred, struct label *newlabel)
---
> mls_cred_check_relabel(struct ucred *cred, struct label *newlabel)
1436,1437c1429,1430
< * If there is an MLS label update for the credential, it may be
< * an update of effective, range, or both.
---
> * If there is an MLS label update for the credential, it may be an
> * update of effective, range, or both.
1448,1450c1441,1443
< * If the change request modifies both the MLS label effective
< * and range, check that the new effective will be in the
< * new range.
---
> * If the change request modifies both the MLS label
> * effective and range, check that the new effective will be
> * in the new range.
1453,1454c1446
< MAC_MLS_FLAGS_BOTH &&
< !mac_mls_effective_in_range(new, new))
---
> MAC_MLS_FLAGS_BOTH && !mls_effective_in_range(new, new))
1458,1459c1450,1451
< * To change the MLS effective label on a credential, the
< * new effective label must be in the current range.
---
> * To change the MLS effective label on a credential, the new
> * effective label must be in the current range.
1462c1454
< !mac_mls_effective_in_range(new, subj))
---
> !mls_effective_in_range(new, subj))
1466,1467c1458,1459
< * To change the MLS range label on a credential, the
< * new range must be in the current range.
---
> * To change the MLS range label on a credential, the new
> * range must be in the current range.
1470c1462
< !mac_mls_range_in_range(new, subj))
---
> !mls_range_in_range(new, subj))
1474,1476c1466,1467
< * To have EQUAL in any component of the new credential
< * MLS label, the subject must already have EQUAL in
< * their label.
---
> * To have EQUAL in any component of the new credential MLS
> * label, the subject must already have EQUAL in their label.
1478,1479c1469,1470
< if (mac_mls_contains_equal(new)) {
< error = mac_mls_subject_privileged(subj);
---
> if (mls_contains_equal(new)) {
> error = mls_subject_privileged(subj);
1489c1480
< mac_mls_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
---
> mls_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
1493c1484
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1500c1491
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1507c1498
< mac_mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
---
> mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
1517,1518c1508,1509
< * If there is an MLS label update for the interface, it may
< * be an update of effective, range, or both.
---
> * If there is an MLS label update for the interface, it may be an
> * update of effective, range, or both.
1527c1518
< error = mac_mls_subject_privileged(subj);
---
> error = mls_subject_privileged(subj);
1533c1524
< mac_mls_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
---
> mls_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
1538c1529
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1544c1535
< return (mac_mls_effective_in_range(p, i) ? 0 : EACCES);
---
> return (mls_effective_in_range(p, i) ? 0 : EACCES);
1548c1539
< mac_mls_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
---
> mls_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
1553c1544
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1559c1550
< return (mac_mls_equal_effective(p, i) ? 0 : EACCES);
---
> return (mls_equal_effective(p, i) ? 0 : EACCES);
1563c1554
< mac_mls_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
---
> mls_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
1568c1559
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1574c1565
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1581c1572
< mac_mls_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
---
> mls_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
1586c1577
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1592c1583
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1599,1600c1590,1591
< mac_mls_sysvmsq_check_msqget(struct ucred *cred,
< struct msqid_kernel *msqkptr, struct label *msqklabel)
---
> mls_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
> struct label *msqklabel)
1604c1595
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1610c1601
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1617,1618c1608,1609
< mac_mls_sysvmsq_check_msqsnd(struct ucred *cred,
< struct msqid_kernel *msqkptr, struct label *msqklabel)
---
> mls_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
> struct label *msqklabel)
1622c1613
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1628c1619
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1635,1636c1626,1627
< mac_mls_sysvmsq_check_msqrcv(struct ucred *cred,
< struct msqid_kernel *msqkptr, struct label *msqklabel)
---
> mls_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
> struct label *msqklabel)
1640c1631
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1646c1637
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1653,1654c1644,1645
< mac_mls_sysvmsq_check_msqctl(struct ucred *cred,
< struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd)
---
> mls_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
> struct label *msqklabel, int cmd)
1658c1649
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1667c1658
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1672c1663
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1684,1685c1675,1676
< mac_mls_sysvsem_check_semctl(struct ucred *cred,
< struct semid_kernel *semakptr, struct label *semaklabel, int cmd)
---
> mls_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
> struct label *semaklabel, int cmd)
1689c1680
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1700c1691
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1710c1701
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1722,1723c1713,1714
< mac_mls_sysvsem_check_semget(struct ucred *cred,
< struct semid_kernel *semakptr, struct label *semaklabel)
---
> mls_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
> struct label *semaklabel)
1727c1718
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1733c1724
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1740,1742c1731,1732
< mac_mls_sysvsem_check_semop(struct ucred *cred,
< struct semid_kernel *semakptr, struct label *semaklabel,
< size_t accesstype)
---
> mls_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
> struct label *semaklabel, size_t accesstype)
1746c1736
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1753c1743
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1757c1747
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1764,1765c1754,1755
< mac_mls_sysvshm_check_shmat(struct ucred *cred,
< struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
---
> mls_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
> struct label *shmseglabel, int shmflg)
1769c1759
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1775c1765,1768
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
> return (EACCES);
> if ((shmflg & SHM_RDONLY) == 0) {
> if (!mls_dominate_effective(obj, subj))
1777,1779c1770
< if ((shmflg & SHM_RDONLY) == 0)
< if (!mac_mls_dominate_effective(obj, subj))
< return (EACCES);
---
> }
1785,1786c1776,1777
< mac_mls_sysvshm_check_shmctl(struct ucred *cred,
< struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd)
---
> mls_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
> struct label *shmseglabel, int cmd)
1790c1781
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1799c1790
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1805c1796
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1817,1818c1808,1809
< mac_mls_sysvshm_check_shmget(struct ucred *cred,
< struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
---
> mls_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
> struct label *shmseglabel, int shmflg)
1822c1813
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1828c1819
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1835c1826
< mac_mls_mount_check_stat(struct ucred *cred, struct mount *mp,
---
> mls_mount_check_stat(struct ucred *cred, struct mount *mp,
1840c1831
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1846c1837
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1853c1844
< mac_mls_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
1857c1848
< if(!mac_mls_enabled)
---
> if (!mls_enabled)
1866c1857
< mac_mls_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
1871c1862
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1877c1868
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1884c1875
< mac_mls_pipe_check_read(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_check_read(struct ucred *cred, struct pipepair *pp,
1889c1880
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1895c1886
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1902c1893
< mac_mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
1913,1914c1904,1905
< * If there is an MLS label update for a pipe, it must be a
< * effective update.
---
> * If there is an MLS label update for a pipe, it must be a effective
> * update.
1924c1915
< if (!mac_mls_effective_in_range(obj, subj))
---
> if (!mls_effective_in_range(obj, subj))
1932,1933c1923,1924
< * To change the MLS label on a pipe, the new pipe label
< * must be in the subject range.
---
> * To change the MLS label on a pipe, the new pipe label must
> * be in the subject range.
1935c1926
< if (!mac_mls_effective_in_range(new, subj))
---
> if (!mls_effective_in_range(new, subj))
1939,1940c1930,1931
< * To change the MLS label on a pipe to be EQUAL, the
< * subject must have appropriate privilege.
---
> * To change the MLS label on a pipe to be EQUAL, the subject
> * must have appropriate privilege.
1942,1943c1933,1934
< if (mac_mls_contains_equal(new)) {
< error = mac_mls_subject_privileged(subj);
---
> if (mls_contains_equal(new)) {
> error = mls_subject_privileged(subj);
1953c1944
< mac_mls_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
1958c1949
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1964c1955
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1971c1962
< mac_mls_pipe_check_write(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_check_write(struct ucred *cred, struct pipepair *pp,
1976c1967
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1982c1973
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1989c1980
< mac_mls_posixsem_check_write(struct ucred *cred, struct ksem *ks,
---
> mls_posixsem_check_write(struct ucred *cred, struct ksem *ks,
1994c1985
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2000c1991
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2007c1998
< mac_mls_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
---
> mls_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
2012c2003
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2018c2009
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2025c2016
< mac_mls_proc_check_debug(struct ucred *cred, struct proc *p)
---
> mls_proc_check_debug(struct ucred *cred, struct proc *p)
2029c2020
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2036c2027
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2038c2029
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2045c2036
< mac_mls_proc_check_sched(struct ucred *cred, struct proc *p)
---
> mls_proc_check_sched(struct ucred *cred, struct proc *p)
2049c2040
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2056c2047
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2058c2049
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2065c2056
< mac_mls_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
---
> mls_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
2069c2060
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2076c2067
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2078c2069
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2085c2076
< mac_mls_socket_check_deliver(struct socket *so, struct label *solabel,
---
> mls_socket_check_deliver(struct socket *so, struct label *solabel,
2090c2081
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2096c2087
< return (mac_mls_equal_effective(p, s) ? 0 : EACCES);
---
> return (mls_equal_effective(p, s) ? 0 : EACCES);
2100c2091
< mac_mls_socket_check_relabel(struct ucred *cred, struct socket *so,
---
> mls_socket_check_relabel(struct ucred *cred, struct socket *so,
2111,2112c2102,2103
< * If there is an MLS label update for the socket, it may be
< * an update of effective.
---
> * If there is an MLS label update for the socket, it may be an
> * update of effective.
2119,2120c2110,2111
< * To relabel a socket, the old socket effective must be in the subject
< * range.
---
> * To relabel a socket, the old socket effective must be in the
> * subject range.
2122c2113
< if (!mac_mls_effective_in_range(obj, subj))
---
> if (!mls_effective_in_range(obj, subj))
2133c2124
< if (!mac_mls_effective_in_range(new, subj))
---
> if (!mls_effective_in_range(new, subj))
2140,2141c2131,2132
< if (mac_mls_contains_equal(new)) {
< error = mac_mls_subject_privileged(subj);
---
> if (mls_contains_equal(new)) {
> error = mls_subject_privileged(subj);
2151c2142
< mac_mls_socket_check_visible(struct ucred *cred, struct socket *so,
---
> mls_socket_check_visible(struct ucred *cred, struct socket *so,
2156c2147
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2162c2153
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2169c2160
< mac_mls_system_check_acct(struct ucred *cred, struct vnode *vp,
---
> mls_system_check_acct(struct ucred *cred, struct vnode *vp,
2174c2165
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2180,2181c2171,2172
< if (!mac_mls_dominate_effective(obj, subj) ||
< !mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(obj, subj) ||
> !mls_dominate_effective(subj, obj))
2188c2179
< mac_mls_system_check_auditctl(struct ucred *cred, struct vnode *vp,
---
> mls_system_check_auditctl(struct ucred *cred, struct vnode *vp,
2193c2184
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2199,2200c2190,2191
< if (!mac_mls_dominate_effective(obj, subj) ||
< !mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(obj, subj) ||
> !mls_dominate_effective(subj, obj))
2207c2198
< mac_mls_system_check_swapon(struct ucred *cred, struct vnode *vp,
---
> mls_system_check_swapon(struct ucred *cred, struct vnode *vp,
2212c2203
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2218,2219c2209,2210
< if (!mac_mls_dominate_effective(obj, subj) ||
< !mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(obj, subj) ||
> !mls_dominate_effective(subj, obj))
2226c2217
< mac_mls_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
2231c2222
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2237c2228
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2244c2235
< mac_mls_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
2249c2240
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2255c2246
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2262c2253
< mac_mls_vnode_check_create(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_create(struct ucred *cred, struct vnode *dvp,
2267c2258
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2273c2264
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2280c2271
< mac_mls_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
2285c2276
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2291c2282
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2298c2289
< mac_mls_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
2303c2294
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2309c2300
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2316c2307
< mac_mls_vnode_check_exec(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_exec(struct ucred *cred, struct vnode *vp,
2326,2327c2317,2318
< * exec-time as part of MLS, so disallow non-NULL
< * MLS label elements in the execlabel.
---
> * exec-time as part of MLS, so disallow non-NULL MLS label
> * elements in the execlabel.
2335c2326
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2341c2332
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2348c2339
< mac_mls_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
2353c2344
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2359c2350
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2366c2357
< mac_mls_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
2372c2363
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2378c2369
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2385c2376
< mac_mls_vnode_check_link(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_link(struct ucred *cred, struct vnode *dvp,
2391c2382
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2397c2388
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2401c2392
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2408c2399
< mac_mls_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
2414c2405
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2420c2411
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2427c2418
< mac_mls_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
2432c2423
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2438c2429
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2445c2436
< mac_mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
2454c2445
< if (!mac_mls_enabled || !revocation_enabled)
---
> if (!mls_enabled || !revocation_enabled)
2461c2452
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2465c2456
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2473c2464
< mac_mls_vnode_check_open(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_open(struct ucred *cred, struct vnode *vp,
2478c2469
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2486c2477
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2490c2481
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2498c2489
< mac_mls_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
---
> mls_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
2503c2494
< if (!mac_mls_enabled || !revocation_enabled)
---
> if (!mls_enabled || !revocation_enabled)
2509c2500
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2516c2507
< mac_mls_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
---
> mls_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
2521c2512
< if (!mac_mls_enabled || !revocation_enabled)
---
> if (!mls_enabled || !revocation_enabled)
2527c2518
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2534c2525
< mac_mls_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
2539c2530
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2545c2536
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2552c2543
< mac_mls_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
2557c2548
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2563c2554
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2570c2561
< mac_mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
2592c2583
< if (!mac_mls_effective_in_range(old, subj))
---
> if (!mls_effective_in_range(old, subj))
2603c2594
< if (!mac_mls_effective_in_range(new, subj))
---
> if (!mls_effective_in_range(new, subj))
2607,2608c2598,2599
< * To change the MLS label on the vnode to be EQUAL,
< * the subject must have appropriate privilege.
---
> * To change the MLS label on the vnode to be EQUAL, the
> * subject must have appropriate privilege.
2610,2611c2601,2602
< if (mac_mls_contains_equal(new)) {
< error = mac_mls_subject_privileged(subj);
---
> if (mls_contains_equal(new)) {
> error = mls_subject_privileged(subj);
2621c2612
< mac_mls_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
2627c2618
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2633c2624
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2638c2629
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2645c2636
< mac_mls_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
2651c2642
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2657c2648
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2663c2654
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2671c2662
< mac_mls_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
2676c2667
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2682c2673
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2689c2680
< mac_mls_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
2694c2685
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2700c2691
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2707c2698
< mac_mls_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
2713c2704
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2719c2710
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2728c2719
< mac_mls_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
2733c2724
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2739c2730
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2746c2737
< mac_mls_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
2751c2742
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2757c2748
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2764c2755
< mac_mls_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
2769c2760
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2775c2766
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2782c2773
< mac_mls_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
2787c2778
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2793c2784
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2800c2791
< mac_mls_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
---
> mls_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
2805c2796
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2811c2802
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2818c2809
< mac_mls_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
2824c2815
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2830c2821
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2835c2826
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2842c2833
< mac_mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
---
> mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
2847c2838
< if (!mac_mls_enabled || !revocation_enabled)
---
> if (!mls_enabled || !revocation_enabled)
2853c2844
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2860c2851
< mac_mls_associate_nfsd_label(struct ucred *cred)
---
> mls_associate_nfsd_label(struct ucred *cred)
2865,2867c2856,2858
< mac_mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
< mac_mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL,
< MAC_MLS_TYPE_HIGH, 0, NULL);
---
> mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
> mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
> NULL);
2870c2861
< static struct mac_policy_ops mac_mls_ops =
---
> static struct mac_policy_ops mls_ops =
2872,3047c2863,3038
< .mpo_init = mac_mls_init,
< .mpo_bpfdesc_init_label = mac_mls_init_label,
< .mpo_cred_init_label = mac_mls_init_label,
< .mpo_devfs_init_label = mac_mls_init_label,
< .mpo_ifnet_init_label = mac_mls_init_label,
< .mpo_inpcb_init_label = mac_mls_init_label_waitcheck,
< .mpo_init_syncache_label = mac_mls_init_label_waitcheck,
< .mpo_sysvmsg_init_label = mac_mls_init_label,
< .mpo_sysvmsq_init_label = mac_mls_init_label,
< .mpo_sysvsem_init_label = mac_mls_init_label,
< .mpo_sysvshm_init_label = mac_mls_init_label,
< .mpo_ipq_init_label = mac_mls_init_label_waitcheck,
< .mpo_mbuf_init_label = mac_mls_init_label_waitcheck,
< .mpo_mount_init_label = mac_mls_init_label,
< .mpo_pipe_init_label = mac_mls_init_label,
< .mpo_posixsem_init_label = mac_mls_init_label,
< .mpo_socket_init_label = mac_mls_init_label_waitcheck,
< .mpo_socketpeer_init_label = mac_mls_init_label_waitcheck,
< .mpo_vnode_init_label = mac_mls_init_label,
< .mpo_bpfdesc_destroy_label = mac_mls_destroy_label,
< .mpo_cred_destroy_label = mac_mls_destroy_label,
< .mpo_devfs_destroy_label = mac_mls_destroy_label,
< .mpo_ifnet_destroy_label = mac_mls_destroy_label,
< .mpo_inpcb_destroy_label = mac_mls_destroy_label,
< .mpo_destroy_syncache_label = mac_mls_destroy_label,
< .mpo_sysvmsg_destroy_label = mac_mls_destroy_label,
< .mpo_sysvmsq_destroy_label = mac_mls_destroy_label,
< .mpo_sysvsem_destroy_label = mac_mls_destroy_label,
< .mpo_sysvshm_destroy_label = mac_mls_destroy_label,
< .mpo_ipq_destroy_label = mac_mls_destroy_label,
< .mpo_mbuf_destroy_label = mac_mls_destroy_label,
< .mpo_mount_destroy_label = mac_mls_destroy_label,
< .mpo_pipe_destroy_label = mac_mls_destroy_label,
< .mpo_posixsem_destroy_label = mac_mls_destroy_label,
< .mpo_socket_destroy_label = mac_mls_destroy_label,
< .mpo_socketpeer_destroy_label = mac_mls_destroy_label,
< .mpo_vnode_destroy_label = mac_mls_destroy_label,
< .mpo_cred_copy_label = mac_mls_copy_label,
< .mpo_ifnet_copy_label = mac_mls_copy_label,
< .mpo_mbuf_copy_label = mac_mls_copy_label,
< .mpo_pipe_copy_label = mac_mls_copy_label,
< .mpo_socket_copy_label = mac_mls_copy_label,
< .mpo_vnode_copy_label = mac_mls_copy_label,
< .mpo_cred_externalize_label = mac_mls_externalize_label,
< .mpo_ifnet_externalize_label = mac_mls_externalize_label,
< .mpo_pipe_externalize_label = mac_mls_externalize_label,
< .mpo_socket_externalize_label = mac_mls_externalize_label,
< .mpo_socketpeer_externalize_label = mac_mls_externalize_label,
< .mpo_vnode_externalize_label = mac_mls_externalize_label,
< .mpo_cred_internalize_label = mac_mls_internalize_label,
< .mpo_ifnet_internalize_label = mac_mls_internalize_label,
< .mpo_pipe_internalize_label = mac_mls_internalize_label,
< .mpo_socket_internalize_label = mac_mls_internalize_label,
< .mpo_vnode_internalize_label = mac_mls_internalize_label,
< .mpo_devfs_create_device = mac_mls_devfs_create_device,
< .mpo_devfs_create_directory = mac_mls_devfs_create_directory,
< .mpo_devfs_create_symlink = mac_mls_devfs_create_symlink,
< .mpo_mount_create = mac_mls_mount_create,
< .mpo_vnode_relabel = mac_mls_vnode_relabel,
< .mpo_devfs_update = mac_mls_devfs_update,
< .mpo_devfs_vnode_associate = mac_mls_devfs_vnode_associate,
< .mpo_vnode_associate_extattr = mac_mls_vnode_associate_extattr,
< .mpo_vnode_associate_singlelabel = mac_mls_vnode_associate_singlelabel,
< .mpo_vnode_create_extattr = mac_mls_vnode_create_extattr,
< .mpo_vnode_setlabel_extattr = mac_mls_vnode_setlabel_extattr,
< .mpo_socket_create_mbuf = mac_mls_socket_create_mbuf,
< .mpo_create_mbuf_from_syncache = mac_mls_create_mbuf_from_syncache,
< .mpo_pipe_create = mac_mls_pipe_create,
< .mpo_posixsem_create = mac_mls_posixsem_create,
< .mpo_socket_create = mac_mls_socket_create,
< .mpo_socket_newconn = mac_mls_socket_newconn,
< .mpo_pipe_relabel = mac_mls_pipe_relabel,
< .mpo_socket_relabel = mac_mls_socket_relabel,
< .mpo_socketpeer_set_from_mbuf = mac_mls_socketpeer_set_from_mbuf,
< .mpo_socketpeer_set_from_socket = mac_mls_socketpeer_set_from_socket,
< .mpo_bpfdesc_create = mac_mls_bpfdesc_create,
< .mpo_ipq_reassemble = mac_mls_ipq_reassemble,
< .mpo_netinet_fragment = mac_mls_netinet_fragment,
< .mpo_ifnet_create = mac_mls_ifnet_create,
< .mpo_inpcb_create = mac_mls_inpcb_create,
< .mpo_init_syncache_from_inpcb = mac_mls_init_syncache_from_inpcb,
< .mpo_ipq_create = mac_mls_ipq_create,
< .mpo_sysvmsg_create = mac_mls_sysvmsg_create,
< .mpo_sysvmsq_create = mac_mls_sysvmsq_create,
< .mpo_sysvsem_create = mac_mls_sysvsem_create,
< .mpo_sysvshm_create = mac_mls_sysvshm_create,
< .mpo_inpcb_create_mbuf = mac_mls_inpcb_create_mbuf,
< .mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
< .mpo_bpfdesc_create_mbuf = mac_mls_bpfdesc_create_mbuf,
< .mpo_ifnet_create_mbuf = mac_mls_ifnet_create_mbuf,
< .mpo_mbuf_create_multicast_encap = mac_mls_mbuf_create_multicast_encap,
< .mpo_mbuf_create_netlayer = mac_mls_mbuf_create_netlayer,
< .mpo_ipq_match = mac_mls_ipq_match,
< .mpo_ifnet_relabel = mac_mls_ifnet_relabel,
< .mpo_ipq_update = mac_mls_ipq_update,
< .mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel,
< .mpo_proc_create_swapper = mac_mls_proc_create_swapper,
< .mpo_proc_create_init = mac_mls_proc_create_init,
< .mpo_cred_relabel = mac_mls_cred_relabel,
< .mpo_sysvmsg_cleanup = mac_mls_sysvmsg_cleanup,
< .mpo_sysvmsq_cleanup = mac_mls_sysvmsq_cleanup,
< .mpo_sysvsem_cleanup = mac_mls_sysvsem_cleanup,
< .mpo_sysvshm_cleanup = mac_mls_sysvshm_cleanup,
< .mpo_bpfdesc_check_receive = mac_mls_bpfdesc_check_receive,
< .mpo_cred_check_relabel = mac_mls_cred_check_relabel,
< .mpo_cred_check_visible = mac_mls_cred_check_visible,
< .mpo_ifnet_check_relabel = mac_mls_ifnet_check_relabel,
< .mpo_ifnet_check_transmit = mac_mls_ifnet_check_transmit,
< .mpo_inpcb_check_deliver = mac_mls_inpcb_check_deliver,
< .mpo_sysvmsq_check_msgrcv = mac_mls_sysvmsq_check_msgrcv,
< .mpo_sysvmsq_check_msgrmid = mac_mls_sysvmsq_check_msgrmid,
< .mpo_sysvmsq_check_msqget = mac_mls_sysvmsq_check_msqget,
< .mpo_sysvmsq_check_msqsnd = mac_mls_sysvmsq_check_msqsnd,
< .mpo_sysvmsq_check_msqrcv = mac_mls_sysvmsq_check_msqrcv,
< .mpo_sysvmsq_check_msqctl = mac_mls_sysvmsq_check_msqctl,
< .mpo_sysvsem_check_semctl = mac_mls_sysvsem_check_semctl,
< .mpo_sysvsem_check_semget = mac_mls_sysvsem_check_semget,
< .mpo_sysvsem_check_semop = mac_mls_sysvsem_check_semop,
< .mpo_sysvshm_check_shmat = mac_mls_sysvshm_check_shmat,
< .mpo_sysvshm_check_shmctl = mac_mls_sysvshm_check_shmctl,
< .mpo_sysvshm_check_shmget = mac_mls_sysvshm_check_shmget,
< .mpo_mount_check_stat = mac_mls_mount_check_stat,
< .mpo_pipe_check_ioctl = mac_mls_pipe_check_ioctl,
< .mpo_pipe_check_poll = mac_mls_pipe_check_poll,
< .mpo_pipe_check_read = mac_mls_pipe_check_read,
< .mpo_pipe_check_relabel = mac_mls_pipe_check_relabel,
< .mpo_pipe_check_stat = mac_mls_pipe_check_stat,
< .mpo_pipe_check_write = mac_mls_pipe_check_write,
< .mpo_posixsem_check_destroy = mac_mls_posixsem_check_write,
< .mpo_posixsem_check_getvalue = mac_mls_posixsem_check_rdonly,
< .mpo_posixsem_check_open = mac_mls_posixsem_check_write,
< .mpo_posixsem_check_post = mac_mls_posixsem_check_write,
< .mpo_posixsem_check_unlink = mac_mls_posixsem_check_write,
< .mpo_posixsem_check_wait = mac_mls_posixsem_check_write,
< .mpo_proc_check_debug = mac_mls_proc_check_debug,
< .mpo_proc_check_sched = mac_mls_proc_check_sched,
< .mpo_proc_check_signal = mac_mls_proc_check_signal,
< .mpo_socket_check_deliver = mac_mls_socket_check_deliver,
< .mpo_socket_check_relabel = mac_mls_socket_check_relabel,
< .mpo_socket_check_visible = mac_mls_socket_check_visible,
< .mpo_system_check_acct = mac_mls_system_check_acct,
< .mpo_system_check_auditctl = mac_mls_system_check_auditctl,
< .mpo_system_check_swapon = mac_mls_system_check_swapon,
< .mpo_vnode_check_access = mac_mls_vnode_check_open,
< .mpo_vnode_check_chdir = mac_mls_vnode_check_chdir,
< .mpo_vnode_check_chroot = mac_mls_vnode_check_chroot,
< .mpo_vnode_check_create = mac_mls_vnode_check_create,
< .mpo_vnode_check_deleteacl = mac_mls_vnode_check_deleteacl,
< .mpo_vnode_check_deleteextattr = mac_mls_vnode_check_deleteextattr,
< .mpo_vnode_check_exec = mac_mls_vnode_check_exec,
< .mpo_vnode_check_getacl = mac_mls_vnode_check_getacl,
< .mpo_vnode_check_getextattr = mac_mls_vnode_check_getextattr,
< .mpo_vnode_check_link = mac_mls_vnode_check_link,
< .mpo_vnode_check_listextattr = mac_mls_vnode_check_listextattr,
< .mpo_vnode_check_lookup = mac_mls_vnode_check_lookup,
< .mpo_vnode_check_mmap = mac_mls_vnode_check_mmap,
< .mpo_vnode_check_open = mac_mls_vnode_check_open,
< .mpo_vnode_check_poll = mac_mls_vnode_check_poll,
< .mpo_vnode_check_read = mac_mls_vnode_check_read,
< .mpo_vnode_check_readdir = mac_mls_vnode_check_readdir,
< .mpo_vnode_check_readlink = mac_mls_vnode_check_readlink,
< .mpo_vnode_check_relabel = mac_mls_vnode_check_relabel,
< .mpo_vnode_check_rename_from = mac_mls_vnode_check_rename_from,
< .mpo_vnode_check_rename_to = mac_mls_vnode_check_rename_to,
< .mpo_vnode_check_revoke = mac_mls_vnode_check_revoke,
< .mpo_vnode_check_setacl = mac_mls_vnode_check_setacl,
< .mpo_vnode_check_setextattr = mac_mls_vnode_check_setextattr,
< .mpo_vnode_check_setflags = mac_mls_vnode_check_setflags,
< .mpo_vnode_check_setmode = mac_mls_vnode_check_setmode,
< .mpo_vnode_check_setowner = mac_mls_vnode_check_setowner,
< .mpo_vnode_check_setutimes = mac_mls_vnode_check_setutimes,
< .mpo_vnode_check_stat = mac_mls_vnode_check_stat,
< .mpo_vnode_check_unlink = mac_mls_vnode_check_unlink,
< .mpo_vnode_check_write = mac_mls_vnode_check_write,
< .mpo_associate_nfsd_label = mac_mls_associate_nfsd_label,
< .mpo_mbuf_create_from_firewall = mac_mls_mbuf_create_from_firewall,
---
> .mpo_init = mls_init,
> .mpo_bpfdesc_init_label = mls_init_label,
> .mpo_cred_init_label = mls_init_label,
> .mpo_devfs_init_label = mls_init_label,
> .mpo_ifnet_init_label = mls_init_label,
> .mpo_inpcb_init_label = mls_init_label_waitcheck,
> .mpo_init_syncache_label = mls_init_label_waitcheck,
> .mpo_sysvmsg_init_label = mls_init_label,
> .mpo_sysvmsq_init_label = mls_init_label,
> .mpo_sysvsem_init_label = mls_init_label,
> .mpo_sysvshm_init_label = mls_init_label,
> .mpo_ipq_init_label = mls_init_label_waitcheck,
> .mpo_mbuf_init_label = mls_init_label_waitcheck,
> .mpo_mount_init_label = mls_init_label,
> .mpo_pipe_init_label = mls_init_label,
> .mpo_posixsem_init_label = mls_init_label,
> .mpo_socket_init_label = mls_init_label_waitcheck,
> .mpo_socketpeer_init_label = mls_init_label_waitcheck,
> .mpo_vnode_init_label = mls_init_label,
> .mpo_bpfdesc_destroy_label = mls_destroy_label,
> .mpo_cred_destroy_label = mls_destroy_label,
> .mpo_devfs_destroy_label = mls_destroy_label,
> .mpo_ifnet_destroy_label = mls_destroy_label,
> .mpo_inpcb_destroy_label = mls_destroy_label,
> .mpo_destroy_syncache_label = mls_destroy_label,
> .mpo_sysvmsg_destroy_label = mls_destroy_label,
> .mpo_sysvmsq_destroy_label = mls_destroy_label,
> .mpo_sysvsem_destroy_label = mls_destroy_label,
> .mpo_sysvshm_destroy_label = mls_destroy_label,
> .mpo_ipq_destroy_label = mls_destroy_label,
> .mpo_mbuf_destroy_label = mls_destroy_label,
> .mpo_mount_destroy_label = mls_destroy_label,
> .mpo_pipe_destroy_label = mls_destroy_label,
> .mpo_posixsem_destroy_label = mls_destroy_label,
> .mpo_socket_destroy_label = mls_destroy_label,
> .mpo_socketpeer_destroy_label = mls_destroy_label,
> .mpo_vnode_destroy_label = mls_destroy_label,
> .mpo_cred_copy_label = mls_copy_label,
> .mpo_ifnet_copy_label = mls_copy_label,
> .mpo_mbuf_copy_label = mls_copy_label,
> .mpo_pipe_copy_label = mls_copy_label,
> .mpo_socket_copy_label = mls_copy_label,
> .mpo_vnode_copy_label = mls_copy_label,
> .mpo_cred_externalize_label = mls_externalize_label,
> .mpo_ifnet_externalize_label = mls_externalize_label,
> .mpo_pipe_externalize_label = mls_externalize_label,
> .mpo_socket_externalize_label = mls_externalize_label,
> .mpo_socketpeer_externalize_label = mls_externalize_label,
> .mpo_vnode_externalize_label = mls_externalize_label,
> .mpo_cred_internalize_label = mls_internalize_label,
> .mpo_ifnet_internalize_label = mls_internalize_label,
> .mpo_pipe_internalize_label = mls_internalize_label,
> .mpo_socket_internalize_label = mls_internalize_label,
> .mpo_vnode_internalize_label = mls_internalize_label,
> .mpo_devfs_create_device = mls_devfs_create_device,
> .mpo_devfs_create_directory = mls_devfs_create_directory,
> .mpo_devfs_create_symlink = mls_devfs_create_symlink,
> .mpo_mount_create = mls_mount_create,
> .mpo_vnode_relabel = mls_vnode_relabel,
> .mpo_devfs_update = mls_devfs_update,
> .mpo_devfs_vnode_associate = mls_devfs_vnode_associate,
> .mpo_vnode_associate_extattr = mls_vnode_associate_extattr,
> .mpo_vnode_associate_singlelabel = mls_vnode_associate_singlelabel,
> .mpo_vnode_create_extattr = mls_vnode_create_extattr,
> .mpo_vnode_setlabel_extattr = mls_vnode_setlabel_extattr,
> .mpo_socket_create_mbuf = mls_socket_create_mbuf,
> .mpo_create_mbuf_from_syncache = mls_create_mbuf_from_syncache,
> .mpo_pipe_create = mls_pipe_create,
> .mpo_posixsem_create = mls_posixsem_create,
> .mpo_socket_create = mls_socket_create,
> .mpo_socket_newconn = mls_socket_newconn,
> .mpo_pipe_relabel = mls_pipe_relabel,
> .mpo_socket_relabel = mls_socket_relabel,
> .mpo_socketpeer_set_from_mbuf = mls_socketpeer_set_from_mbuf,
> .mpo_socketpeer_set_from_socket = mls_socketpeer_set_from_socket,
> .mpo_bpfdesc_create = mls_bpfdesc_create,
> .mpo_ipq_reassemble = mls_ipq_reassemble,
> .mpo_netinet_fragment = mls_netinet_fragment,
> .mpo_ifnet_create = mls_ifnet_create,
> .mpo_inpcb_create = mls_inpcb_create,
> .mpo_init_syncache_from_inpcb = mls_init_syncache_from_inpcb,
> .mpo_ipq_create = mls_ipq_create,
> .mpo_sysvmsg_create = mls_sysvmsg_create,
> .mpo_sysvmsq_create = mls_sysvmsq_create,
> .mpo_sysvsem_create = mls_sysvsem_create,
> .mpo_sysvshm_create = mls_sysvshm_create,
> .mpo_inpcb_create_mbuf = mls_inpcb_create_mbuf,
> .mpo_create_mbuf_linklayer = mls_create_mbuf_linklayer,
> .mpo_bpfdesc_create_mbuf = mls_bpfdesc_create_mbuf,
> .mpo_ifnet_create_mbuf = mls_ifnet_create_mbuf,
> .mpo_mbuf_create_multicast_encap = mls_mbuf_create_multicast_encap,
> .mpo_mbuf_create_netlayer = mls_mbuf_create_netlayer,
> .mpo_ipq_match = mls_ipq_match,
> .mpo_ifnet_relabel = mls_ifnet_relabel,
> .mpo_ipq_update = mls_ipq_update,
> .mpo_inpcb_sosetlabel = mls_inpcb_sosetlabel,
> .mpo_proc_create_swapper = mls_proc_create_swapper,
> .mpo_proc_create_init = mls_proc_create_init,
> .mpo_cred_relabel = mls_cred_relabel,
> .mpo_sysvmsg_cleanup = mls_sysvmsg_cleanup,
> .mpo_sysvmsq_cleanup = mls_sysvmsq_cleanup,
> .mpo_sysvsem_cleanup = mls_sysvsem_cleanup,
> .mpo_sysvshm_cleanup = mls_sysvshm_cleanup,
> .mpo_bpfdesc_check_receive = mls_bpfdesc_check_receive,
> .mpo_cred_check_relabel = mls_cred_check_relabel,
> .mpo_cred_check_visible = mls_cred_check_visible,
> .mpo_ifnet_check_relabel = mls_ifnet_check_relabel,
> .mpo_ifnet_check_transmit = mls_ifnet_check_transmit,
> .mpo_inpcb_check_deliver = mls_inpcb_check_deliver,
> .mpo_sysvmsq_check_msgrcv = mls_sysvmsq_check_msgrcv,
> .mpo_sysvmsq_check_msgrmid = mls_sysvmsq_check_msgrmid,
> .mpo_sysvmsq_check_msqget = mls_sysvmsq_check_msqget,
> .mpo_sysvmsq_check_msqsnd = mls_sysvmsq_check_msqsnd,
> .mpo_sysvmsq_check_msqrcv = mls_sysvmsq_check_msqrcv,
> .mpo_sysvmsq_check_msqctl = mls_sysvmsq_check_msqctl,
> .mpo_sysvsem_check_semctl = mls_sysvsem_check_semctl,
> .mpo_sysvsem_check_semget = mls_sysvsem_check_semget,
> .mpo_sysvsem_check_semop = mls_sysvsem_check_semop,
> .mpo_sysvshm_check_shmat = mls_sysvshm_check_shmat,
> .mpo_sysvshm_check_shmctl = mls_sysvshm_check_shmctl,
> .mpo_sysvshm_check_shmget = mls_sysvshm_check_shmget,
> .mpo_mount_check_stat = mls_mount_check_stat,
> .mpo_pipe_check_ioctl = mls_pipe_check_ioctl,
> .mpo_pipe_check_poll = mls_pipe_check_poll,
> .mpo_pipe_check_read = mls_pipe_check_read,
> .mpo_pipe_check_relabel = mls_pipe_check_relabel,
> .mpo_pipe_check_stat = mls_pipe_check_stat,
> .mpo_pipe_check_write = mls_pipe_check_write,
> .mpo_posixsem_check_destroy = mls_posixsem_check_write,
> .mpo_posixsem_check_getvalue = mls_posixsem_check_rdonly,
> .mpo_posixsem_check_open = mls_posixsem_check_write,
> .mpo_posixsem_check_post = mls_posixsem_check_write,
> .mpo_posixsem_check_unlink = mls_posixsem_check_write,
> .mpo_posixsem_check_wait = mls_posixsem_check_write,
> .mpo_proc_check_debug = mls_proc_check_debug,
> .mpo_proc_check_sched = mls_proc_check_sched,
> .mpo_proc_check_signal = mls_proc_check_signal,
> .mpo_socket_check_deliver = mls_socket_check_deliver,
> .mpo_socket_check_relabel = mls_socket_check_relabel,
> .mpo_socket_check_visible = mls_socket_check_visible,
> .mpo_system_check_acct = mls_system_check_acct,
> .mpo_system_check_auditctl = mls_system_check_auditctl,
> .mpo_system_check_swapon = mls_system_check_swapon,
> .mpo_vnode_check_access = mls_vnode_check_open,
> .mpo_vnode_check_chdir = mls_vnode_check_chdir,
> .mpo_vnode_check_chroot = mls_vnode_check_chroot,
> .mpo_vnode_check_create = mls_vnode_check_create,
> .mpo_vnode_check_deleteacl = mls_vnode_check_deleteacl,
> .mpo_vnode_check_deleteextattr = mls_vnode_check_deleteextattr,
> .mpo_vnode_check_exec = mls_vnode_check_exec,
> .mpo_vnode_check_getacl = mls_vnode_check_getacl,
> .mpo_vnode_check_getextattr = mls_vnode_check_getextattr,
> .mpo_vnode_check_link = mls_vnode_check_link,
> .mpo_vnode_check_listextattr = mls_vnode_check_listextattr,
> .mpo_vnode_check_lookup = mls_vnode_check_lookup,
> .mpo_vnode_check_mmap = mls_vnode_check_mmap,
> .mpo_vnode_check_open = mls_vnode_check_open,
> .mpo_vnode_check_poll = mls_vnode_check_poll,
> .mpo_vnode_check_read = mls_vnode_check_read,
> .mpo_vnode_check_readdir = mls_vnode_check_readdir,
> .mpo_vnode_check_readlink = mls_vnode_check_readlink,
> .mpo_vnode_check_relabel = mls_vnode_check_relabel,
> .mpo_vnode_check_rename_from = mls_vnode_check_rename_from,
> .mpo_vnode_check_rename_to = mls_vnode_check_rename_to,
> .mpo_vnode_check_revoke = mls_vnode_check_revoke,
> .mpo_vnode_check_setacl = mls_vnode_check_setacl,
> .mpo_vnode_check_setextattr = mls_vnode_check_setextattr,
> .mpo_vnode_check_setflags = mls_vnode_check_setflags,
> .mpo_vnode_check_setmode = mls_vnode_check_setmode,
> .mpo_vnode_check_setowner = mls_vnode_check_setowner,
> .mpo_vnode_check_setutimes = mls_vnode_check_setutimes,
> .mpo_vnode_check_stat = mls_vnode_check_stat,
> .mpo_vnode_check_unlink = mls_vnode_check_unlink,
> .mpo_vnode_check_write = mls_vnode_check_write,
> .mpo_associate_nfsd_label = mls_associate_nfsd_label,
> .mpo_mbuf_create_from_firewall = mls_mbuf_create_from_firewall,
3050,3051c3041,3042
< MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS",
< MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &mac_mls_slot);
---
> MAC_POLICY_SET(&mls_ops, mac_mls, "TrustedBSD MAC/MLS",
> MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &mls_slot);
< * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 172930 2007-10-24 19:04:04Z rwatson $
---
> * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 172955 2007-10-25 11:31:11Z rwatson $
96c96
< static int mac_mls_label_size = sizeof(struct mac_mls);
---
> static int mls_label_size = sizeof(struct mac_mls);
98c98
< &mac_mls_label_size, 0, "Size of struct mac_mls");
---
> &mls_label_size, 0, "Size of struct mac_mls");
100,103c100,103
< static int mac_mls_enabled = 1;
< SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RW,
< &mac_mls_enabled, 0, "Enforce MAC/MLS policy");
< TUNABLE_INT("security.mac.mls.enabled", &mac_mls_enabled);
---
> static int mls_enabled = 1;
> SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RW, &mls_enabled, 0,
> "Enforce MAC/MLS policy");
> TUNABLE_INT("security.mac.mls.enabled", &mls_enabled);
123,125c123,125
< static int mac_mls_slot;
< #define SLOT(l) ((struct mac_mls *)mac_label_get((l), mac_mls_slot))
< #define SLOT_SET(l, val) mac_label_set((l), mac_mls_slot, (uintptr_t)(val))
---
> static int mls_slot;
> #define SLOT(l) ((struct mac_mls *)mac_label_get((l), mls_slot))
> #define SLOT_SET(l, val) mac_label_set((l), mls_slot, (uintptr_t)(val))
147c147
< mls_free(struct mac_mls *mac_mls)
---
> mls_free(struct mac_mls *mm)
150,151c150,151
< if (mac_mls != NULL)
< uma_zfree(zone_mls, mac_mls);
---
> if (mm != NULL)
> uma_zfree(zone_mls, mm);
157c157
< mls_atmostflags(struct mac_mls *mac_mls, int flags)
---
> mls_atmostflags(struct mac_mls *mm, int flags)
160c160
< if ((mac_mls->mm_flags & flags) != mac_mls->mm_flags)
---
> if ((mm->mm_flags & flags) != mm->mm_flags)
166,167c166
< mac_mls_dominate_element(struct mac_mls_element *a,
< struct mac_mls_element *b)
---
> mls_dominate_element(struct mac_mls_element *a, struct mac_mls_element *b)
187c186
< panic("mac_mls_dominate_element: b->mme_type invalid");
---
> panic("mls_dominate_element: b->mme_type invalid");
208c207
< panic("mac_mls_dominate_element: b->mme_type invalid");
---
> panic("mls_dominate_element: b->mme_type invalid");
212c211
< panic("mac_mls_dominate_element: a->mme_type invalid");
---
> panic("mls_dominate_element: a->mme_type invalid");
219c218
< mac_mls_range_in_range(struct mac_mls *rangea, struct mac_mls *rangeb)
---
> mls_range_in_range(struct mac_mls *rangea, struct mac_mls *rangeb)
222c221
< return (mac_mls_dominate_element(&rangeb->mm_rangehigh,
---
> return (mls_dominate_element(&rangeb->mm_rangehigh,
224c223
< mac_mls_dominate_element(&rangea->mm_rangelow,
---
> mls_dominate_element(&rangea->mm_rangelow,
229c228
< mac_mls_effective_in_range(struct mac_mls *effective, struct mac_mls *range)
---
> mls_effective_in_range(struct mac_mls *effective, struct mac_mls *range)
233c232
< ("mac_mls_effective_in_range: a not effective"));
---
> ("mls_effective_in_range: a not effective"));
235c234
< ("mac_mls_effective_in_range: b not range"));
---
> ("mls_effective_in_range: b not range"));
237c236
< return (mac_mls_dominate_element(&range->mm_rangehigh,
---
> return (mls_dominate_element(&range->mm_rangehigh,
239c238
< mac_mls_dominate_element(&effective->mm_effective,
---
> mls_dominate_element(&effective->mm_effective,
246c245
< mac_mls_dominate_effective(struct mac_mls *a, struct mac_mls *b)
---
> mls_dominate_effective(struct mac_mls *a, struct mac_mls *b)
249c248
< ("mac_mls_dominate_effective: a not effective"));
---
> ("mls_dominate_effective: a not effective"));
251c250
< ("mac_mls_dominate_effective: b not effective"));
---
> ("mls_dominate_effective: b not effective"));
253c252
< return (mac_mls_dominate_element(&a->mm_effective, &b->mm_effective));
---
> return (mls_dominate_element(&a->mm_effective, &b->mm_effective));
257c256
< mac_mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b)
---
> mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b)
268c267
< mac_mls_equal_effective(struct mac_mls *a, struct mac_mls *b)
---
> mls_equal_effective(struct mac_mls *a, struct mac_mls *b)
272c271
< ("mac_mls_equal_effective: a not effective"));
---
> ("mls_equal_effective: a not effective"));
274c273
< ("mac_mls_equal_effective: b not effective"));
---
> ("mls_equal_effective: b not effective"));
276c275
< return (mac_mls_equal_element(&a->mm_effective, &b->mm_effective));
---
> return (mls_equal_element(&a->mm_effective, &b->mm_effective));
280c279
< mac_mls_contains_equal(struct mac_mls *mac_mls)
---
> mls_contains_equal(struct mac_mls *mm)
283,284c282,283
< if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE)
< if (mac_mls->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL)
---
> if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE)
> if (mm->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL)
287,288c286,287
< if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) {
< if (mac_mls->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL)
---
> if (mm->mm_flags & MAC_MLS_FLAG_RANGE) {
> if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL)
290c289
< if (mac_mls->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL)
---
> if (mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL)
298c297
< mac_mls_subject_privileged(struct mac_mls *mac_mls)
---
> mls_subject_privileged(struct mac_mls *mm)
301,303c300,301
< KASSERT((mac_mls->mm_flags & MAC_MLS_FLAGS_BOTH) ==
< MAC_MLS_FLAGS_BOTH,
< ("mac_mls_subject_privileged: subject doesn't have both labels"));
---
> KASSERT((mm->mm_flags & MAC_MLS_FLAGS_BOTH) == MAC_MLS_FLAGS_BOTH,
> ("mls_subject_privileged: subject doesn't have both labels"));
306c304
< if (mac_mls->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL)
---
> if (mm->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL)
310,311c308,309
< if (mac_mls->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL ||
< mac_mls->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL)
---
> if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL ||
> mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL)
315,316c313,314
< if (mac_mls->mm_rangelow.mme_type == MAC_MLS_TYPE_LOW &&
< mac_mls->mm_rangehigh.mme_type == MAC_MLS_TYPE_HIGH)
---
> if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_LOW &&
> mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_HIGH)
324c322
< mac_mls_valid(struct mac_mls *mac_mls)
---
> mls_valid(struct mac_mls *mm)
327,328c325,326
< if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
< switch (mac_mls->mm_effective.mme_type) {
---
> if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
> switch (mm->mm_effective.mme_type) {
335c333
< if (mac_mls->mm_effective.mme_level != 0 ||
---
> if (mm->mm_effective.mme_level != 0 ||
337c335
< mac_mls->mm_effective.mme_compartments))
---
> mm->mm_effective.mme_compartments))
345c343
< if (mac_mls->mm_effective.mme_type != MAC_MLS_TYPE_UNDEF)
---
> if (mm->mm_effective.mme_type != MAC_MLS_TYPE_UNDEF)
349,350c347,348
< if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) {
< switch (mac_mls->mm_rangelow.mme_type) {
---
> if (mm->mm_flags & MAC_MLS_FLAG_RANGE) {
> switch (mm->mm_rangelow.mme_type) {
357c355
< if (mac_mls->mm_rangelow.mme_level != 0 ||
---
> if (mm->mm_rangelow.mme_level != 0 ||
359c357
< mac_mls->mm_rangelow.mme_compartments))
---
> mm->mm_rangelow.mme_compartments))
367c365
< switch (mac_mls->mm_rangehigh.mme_type) {
---
> switch (mm->mm_rangehigh.mme_type) {
374c372
< if (mac_mls->mm_rangehigh.mme_level != 0 ||
---
> if (mm->mm_rangehigh.mme_level != 0 ||
376c374
< mac_mls->mm_rangehigh.mme_compartments))
---
> mm->mm_rangehigh.mme_compartments))
383,384c381,382
< if (!mac_mls_dominate_element(&mac_mls->mm_rangehigh,
< &mac_mls->mm_rangelow))
---
> if (!mls_dominate_element(&mm->mm_rangehigh,
> &mm->mm_rangelow))
387,388c385,386
< if (mac_mls->mm_rangelow.mme_type != MAC_MLS_TYPE_UNDEF ||
< mac_mls->mm_rangehigh.mme_type != MAC_MLS_TYPE_UNDEF)
---
> if (mm->mm_rangelow.mme_type != MAC_MLS_TYPE_UNDEF ||
> mm->mm_rangehigh.mme_type != MAC_MLS_TYPE_UNDEF)
396,398c394,396
< mac_mls_set_range(struct mac_mls *mac_mls, u_short typelow,
< u_short levellow, u_char *compartmentslow, u_short typehigh,
< u_short levelhigh, u_char *compartmentshigh)
---
> mls_set_range(struct mac_mls *mm, u_short typelow, u_short levellow,
> u_char *compartmentslow, u_short typehigh, u_short levelhigh,
> u_char *compartmentshigh)
401,402c399,400
< mac_mls->mm_rangelow.mme_type = typelow;
< mac_mls->mm_rangelow.mme_level = levellow;
---
> mm->mm_rangelow.mme_type = typelow;
> mm->mm_rangelow.mme_level = levellow;
404c402
< memcpy(mac_mls->mm_rangelow.mme_compartments,
---
> memcpy(mm->mm_rangelow.mme_compartments,
406,408c404,406
< sizeof(mac_mls->mm_rangelow.mme_compartments));
< mac_mls->mm_rangehigh.mme_type = typehigh;
< mac_mls->mm_rangehigh.mme_level = levelhigh;
---
> sizeof(mm->mm_rangelow.mme_compartments));
> mm->mm_rangehigh.mme_type = typehigh;
> mm->mm_rangehigh.mme_level = levelhigh;
410c408
< memcpy(mac_mls->mm_rangehigh.mme_compartments,
---
> memcpy(mm->mm_rangehigh.mme_compartments,
412,413c410,411
< sizeof(mac_mls->mm_rangehigh.mme_compartments));
< mac_mls->mm_flags |= MAC_MLS_FLAG_RANGE;
---
> sizeof(mm->mm_rangehigh.mme_compartments));
> mm->mm_flags |= MAC_MLS_FLAG_RANGE;
417c415
< mac_mls_set_effective(struct mac_mls *mac_mls, u_short type, u_short level,
---
> mls_set_effective(struct mac_mls *mm, u_short type, u_short level,
421,422c419,420
< mac_mls->mm_effective.mme_type = type;
< mac_mls->mm_effective.mme_level = level;
---
> mm->mm_effective.mme_type = type;
> mm->mm_effective.mme_level = level;
424,426c422,424
< memcpy(mac_mls->mm_effective.mme_compartments, compartments,
< sizeof(mac_mls->mm_effective.mme_compartments));
< mac_mls->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
---
> memcpy(mm->mm_effective.mme_compartments, compartments,
> sizeof(mm->mm_effective.mme_compartments));
> mm->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
430c428
< mac_mls_copy_range(struct mac_mls *labelfrom, struct mac_mls *labelto)
---
> mls_copy_range(struct mac_mls *labelfrom, struct mac_mls *labelto)
434c432
< ("mac_mls_copy_range: labelfrom not range"));
---
> ("mls_copy_range: labelfrom not range"));
442c440
< mac_mls_copy_effective(struct mac_mls *labelfrom, struct mac_mls *labelto)
---
> mls_copy_effective(struct mac_mls *labelfrom, struct mac_mls *labelto)
446c444
< ("mac_mls_copy_effective: labelfrom not effective"));
---
> ("mls_copy_effective: labelfrom not effective"));
453c451
< mac_mls_copy(struct mac_mls *source, struct mac_mls *dest)
---
> mls_copy(struct mac_mls *source, struct mac_mls *dest)
457c455
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
459c457
< mac_mls_copy_range(source, dest);
---
> mls_copy_range(source, dest);
466c464
< mac_mls_init(struct mac_policy_conf *conf)
---
> mls_init(struct mac_policy_conf *conf)
477c475
< mac_mls_init_label(struct label *label)
---
> mls_init_label(struct label *label)
484c482
< mac_mls_init_label_waitcheck(struct label *label, int flag)
---
> mls_init_label_waitcheck(struct label *label, int flag)
495c493
< mac_mls_destroy_label(struct label *label)
---
> mls_destroy_label(struct label *label)
503,505c501,503
< * mac_mls_element_to_string() accepts an sbuf and MLS element. It
< * converts the MLS element to a string and stores the result in the
< * sbuf; if there isn't space in the sbuf, -1 is returned.
---
> * mls_element_to_string() accepts an sbuf and MLS element. It converts the
> * MLS element to a string and stores the result in the sbuf; if there isn't
> * space in the sbuf, -1 is returned.
508c506
< mac_mls_element_to_string(struct sbuf *sb, struct mac_mls_element *element)
---
> mls_element_to_string(struct sbuf *sb, struct mac_mls_element *element)
544c542
< panic("mac_mls_element_to_string: invalid type (%d)",
---
> panic("mls_element_to_string: invalid type (%d)",
550,554c548,552
< * mac_mls_to_string() converts an MLS label to a string, and places
< * the results in the passed sbuf. It returns 0 on success, or EINVAL
< * if there isn't room in the sbuf. Note: the sbuf will be modified
< * even in a failure case, so the caller may need to revert the sbuf
< * by restoring the offset if that's undesired.
---
> * mls_to_string() converts an MLS label to a string, and places the results
> * in the passed sbuf. It returns 0 on success, or EINVAL if there isn't
> * room in the sbuf. Note: the sbuf will be modified even in a failure case,
> * so the caller may need to revert the sbuf by restoring the offset if
> * that's undesired.
557c555
< mac_mls_to_string(struct sbuf *sb, struct mac_mls *mac_mls)
---
> mls_to_string(struct sbuf *sb, struct mac_mls *mm)
560,562c558,559
< if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
< if (mac_mls_element_to_string(sb, &mac_mls->mm_effective)
< == -1)
---
> if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE) {
> if (mls_element_to_string(sb, &mm->mm_effective) == -1)
566c563
< if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) {
---
> if (mm->mm_flags & MAC_MLS_FLAG_RANGE) {
570,571c567
< if (mac_mls_element_to_string(sb, &mac_mls->mm_rangelow)
< == -1)
---
> if (mls_element_to_string(sb, &mm->mm_rangelow) == -1)
577,578c573
< if (mac_mls_element_to_string(sb, &mac_mls->mm_rangehigh)
< == -1)
---
> if (mls_element_to_string(sb, &mm->mm_rangehigh) == -1)
589c584
< mac_mls_externalize_label(struct label *label, char *element_name,
---
> mls_externalize_label(struct label *label, char *element_name,
592c587
< struct mac_mls *mac_mls;
---
> struct mac_mls *mm;
599c594
< mac_mls = SLOT(label);
---
> mm = SLOT(label);
601c596
< return (mac_mls_to_string(sb, mac_mls));
---
> return (mls_to_string(sb, mm));
605c600
< mac_mls_parse_element(struct mac_mls_element *element, char *string)
---
> mls_parse_element(struct mac_mls_element *element, char *string)
610,611c605
< if (strcmp(string, "high") == 0 ||
< strcmp(string, "hi") == 0) {
---
> if (strcmp(string, "high") == 0 || strcmp(string, "hi") == 0) {
614,615c608
< } else if (strcmp(string, "low") == 0 ||
< strcmp(string, "lo") == 0) {
---
> } else if (strcmp(string, "low") == 0 || strcmp(string, "lo") == 0) {
637,639c630,631
< * Optional compartment piece of the element. If none
< * are included, we assume that the label has no
< * compartments.
---
> * Optional compartment piece of the element. If none are
> * included, we assume that the label has no compartments.
660,661c652,653
< * Note: destructively consumes the string, make a local copy before
< * calling if that's a problem.
---
> * Note: destructively consumes the string, make a local copy before calling
> * if that's a problem.
664c656
< mac_mls_parse(struct mac_mls *mac_mls, char *string)
---
> mls_parse(struct mac_mls *mm, char *string)
689c681
< ("mac_mls_parse: range mismatch"));
---
> ("mls_parse: range mismatch"));
691c683
< bzero(mac_mls, sizeof(*mac_mls));
---
> bzero(mm, sizeof(*mm));
693c685
< error = mac_mls_parse_element(&mac_mls->mm_effective, effective);
---
> error = mls_parse_element(&mm->mm_effective, effective);
696c688
< mac_mls->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
---
> mm->mm_flags |= MAC_MLS_FLAG_EFFECTIVE;
700c692
< error = mac_mls_parse_element(&mac_mls->mm_rangelow,
---
> error = mls_parse_element(&mm->mm_rangelow,
704c696
< error = mac_mls_parse_element(&mac_mls->mm_rangehigh,
---
> error = mls_parse_element(&mm->mm_rangehigh,
708c700
< mac_mls->mm_flags |= MAC_MLS_FLAG_RANGE;
---
> mm->mm_flags |= MAC_MLS_FLAG_RANGE;
711c703
< error = mac_mls_valid(mac_mls);
---
> error = mls_valid(mm);
719c711
< mac_mls_internalize_label(struct label *label, char *element_name,
---
> mls_internalize_label(struct label *label, char *element_name,
722c714
< struct mac_mls *mac_mls, mac_mls_temp;
---
> struct mac_mls *mm, mm_temp;
730c722
< error = mac_mls_parse(&mac_mls_temp, element_data);
---
> error = mls_parse(&mm_temp, element_data);
734,735c726,727
< mac_mls = SLOT(label);
< *mac_mls = mac_mls_temp;
---
> mm = SLOT(label);
> *mm = mm_temp;
741c733
< mac_mls_copy_label(struct label *src, struct label *dest)
---
> mls_copy_label(struct label *src, struct label *dest)
748,749c740,741
< * Labeling event operations: file system objects, and things that look
< * a lot like file system objects.
---
> * Labeling event operations: file system objects, and things that look a lot
> * like file system objects.
752c744
< mac_mls_devfs_create_device(struct ucred *cred, struct mount *mp,
---
> mls_devfs_create_device(struct ucred *cred, struct mount *mp,
755c747
< struct mac_mls *mac_mls;
---
> struct mac_mls *mm;
758c750
< mac_mls = SLOT(delabel);
---
> mm = SLOT(delabel);
773c765
< mac_mls_set_effective(mac_mls, mls_type, 0, NULL);
---
> mls_set_effective(mm, mls_type, 0, NULL);
777,778c769,770
< mac_mls_devfs_create_directory(struct mount *mp, char *dirname,
< int dirnamelen, struct devfs_dirent *de, struct label *delabel)
---
> mls_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
> struct devfs_dirent *de, struct label *delabel)
780c772
< struct mac_mls *mac_mls;
---
> struct mac_mls *mm;
782,783c774,775
< mac_mls = SLOT(delabel);
< mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
---
> mm = SLOT(delabel);
> mls_set_effective(mm, MAC_MLS_TYPE_LOW, 0, NULL);
787c779
< mac_mls_devfs_create_symlink(struct ucred *cred, struct mount *mp,
---
> mls_devfs_create_symlink(struct ucred *cred, struct mount *mp,
796c788
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
800,801c792
< mac_mls_mount_create(struct ucred *cred, struct mount *mp,
< struct label *mplabel)
---
> mls_mount_create(struct ucred *cred, struct mount *mp, struct label *mplabel)
807c798,799
< mac_mls_copy_effective(source, dest);
---
>
> mls_copy_effective(source, dest);
811c803
< mac_mls_vnode_relabel(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_relabel(struct ucred *cred, struct vnode *vp,
819c811
< mac_mls_copy(source, dest);
---
> mls_copy(source, dest);
823c815
< mac_mls_devfs_update(struct mount *mp, struct devfs_dirent *de,
---
> mls_devfs_update(struct mount *mp, struct devfs_dirent *de,
831c823
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
835c827
< mac_mls_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
---
> mls_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
844c836
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
848c840
< mac_mls_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
---
> mls_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
851c843
< struct mac_mls temp, *source, *dest;
---
> struct mac_mls mm_temp, *source, *dest;
857,858c849,850
< buflen = sizeof(temp);
< bzero(&temp, buflen);
---
> buflen = sizeof(mm_temp);
> bzero(&mm_temp, buflen);
861c853
< MAC_MLS_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
---
> MAC_MLS_EXTATTR_NAME, &buflen, (char *) &mm_temp, curthread);
864c856
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
869,871c861,862
< if (buflen != sizeof(temp)) {
< printf("mac_mls_vnode_associate_extattr: bad size %d\n",
< buflen);
---
> if (buflen != sizeof(mm_temp)) {
> printf("mls_vnode_associate_extattr: bad size %d\n", buflen);
874,875c865,866
< if (mac_mls_valid(&temp) != 0) {
< printf("mac_mls_vnode_associate_extattr: invalid\n");
---
> if (mls_valid(&mm_temp) != 0) {
> printf("mls_vnode_associate_extattr: invalid\n");
878,879c869,871
< if ((temp.mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_EFFECTIVE) {
< printf("mac_mls_associated_vnode_extattr: not effective\n");
---
> if ((mm_temp.mm_flags & MAC_MLS_FLAGS_BOTH) !=
> MAC_MLS_FLAG_EFFECTIVE) {
> printf("mls_associated_vnode_extattr: not effective\n");
883c875
< mac_mls_copy_effective(&temp, dest);
---
> mls_copy_effective(&mm_temp, dest);
888,889c880,881
< mac_mls_vnode_associate_singlelabel(struct mount *mp,
< struct label *mplabel, struct vnode *vp, struct label *vplabel)
---
> mls_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
> struct vnode *vp, struct label *vplabel)
896c888
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
900c892
< mac_mls_vnode_create_extattr(struct ucred *cred, struct mount *mp,
---
> mls_vnode_create_extattr(struct ucred *cred, struct mount *mp,
904c896
< struct mac_mls *source, *dest, temp;
---
> struct mac_mls *source, *dest, mm_temp;
908,909c900,901
< buflen = sizeof(temp);
< bzero(&temp, buflen);
---
> buflen = sizeof(mm_temp);
> bzero(&mm_temp, buflen);
913c905
< mac_mls_copy_effective(source, &temp);
---
> mls_copy_effective(source, &mm_temp);
916c908
< MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread);
---
> MAC_MLS_EXTATTR_NAME, buflen, (char *) &mm_temp, curthread);
918c910
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
923c915
< mac_mls_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
926c918
< struct mac_mls *source, temp;
---
> struct mac_mls *source, mm_temp;
930,931c922,923
< buflen = sizeof(temp);
< bzero(&temp, buflen);
---
> buflen = sizeof(mm_temp);
> bzero(&mm_temp, buflen);
937c929
< mac_mls_copy_effective(source, &temp);
---
> mls_copy_effective(source, &mm_temp);
940c932
< MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread);
---
> MAC_MLS_EXTATTR_NAME, buflen, (char *) &mm_temp, curthread);
948,949c940,941
< mac_mls_inpcb_create(struct socket *so, struct label *solabel,
< struct inpcb *inp, struct label *inplabel)
---
> mls_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp,
> struct label *inplabel)
956c948
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
960c952
< mac_mls_socket_create_mbuf(struct socket *so, struct label *solabel,
---
> mls_socket_create_mbuf(struct socket *so, struct label *solabel,
968c960
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
972c964
< mac_mls_socket_create(struct ucred *cred, struct socket *so,
---
> mls_socket_create(struct ucred *cred, struct socket *so,
980c972
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
984c976
< mac_mls_pipe_create(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_create(struct ucred *cred, struct pipepair *pp,
992c984
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
996c988
< mac_mls_posixsem_create(struct ucred *cred, struct ksem *ks,
---
> mls_posixsem_create(struct ucred *cred, struct ksem *ks,
1004c996
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1008c1000
< mac_mls_socket_newconn(struct socket *oldso, struct label *oldsolabel,
---
> mls_socket_newconn(struct socket *oldso, struct label *oldsolabel,
1016c1008
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1020c1012
< mac_mls_socket_relabel(struct ucred *cred, struct socket *so,
---
> mls_socket_relabel(struct ucred *cred, struct socket *so,
1028c1020
< mac_mls_copy(source, dest);
---
> mls_copy(source, dest);
1032c1024
< mac_mls_pipe_relabel(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_relabel(struct ucred *cred, struct pipepair *pp,
1040c1032
< mac_mls_copy(source, dest);
---
> mls_copy(source, dest);
1044c1036
< mac_mls_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
---
> mls_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
1052c1044
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1059c1051
< mac_mls_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
---
> mls_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
1068c1060
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1072c1064
< mac_mls_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
---
> mls_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
1080c1072
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1084c1076
< mac_mls_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
---
> mls_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
1092c1084
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1096c1088
< mac_mls_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
---
> mls_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
1104c1096
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1111c1103
< mac_mls_socketpeer_set_from_socket(struct socket *oldso,
---
> mls_socketpeer_set_from_socket(struct socket *oldso,
1120c1112
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1124,1125c1116
< mac_mls_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
< struct label *dlabel)
---
> mls_bpfdesc_create(struct ucred *cred, struct bpf_d *d, struct label *dlabel)
1132c1123
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1136c1127
< mac_mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
---
> mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
1148,1149c1139,1140
< mac_mls_set_effective(dest, type, 0, NULL);
< mac_mls_set_range(dest, type, 0, NULL, type, 0, NULL);
---
> mls_set_effective(dest, type, 0, NULL);
> mls_set_range(dest, type, 0, NULL, type, 0, NULL);
1153c1144
< mac_mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
---
> mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
1161c1152
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1165,1166c1156,1157
< mac_mls_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
< struct mbuf *m, struct label *mlabel)
---
> mls_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m,
> struct label *mlabel)
1174c1165
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1178,1179c1169,1170
< mac_mls_netinet_fragment(struct mbuf *m, struct label *mlabel,
< struct mbuf *frag, struct label *fraglabel)
---
> mls_netinet_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag,
> struct label *fraglabel)
1186c1177
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1190c1181
< mac_mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
---
> mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
1198c1189
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1202c1193
< mac_mls_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
---
> mls_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
1209c1200
< mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
---
> mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
1213c1204
< mac_mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
---
> mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
1221c1212
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1225c1216
< mac_mls_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
---
> mls_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
1233c1224
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1237c1228
< mac_mls_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
---
> mls_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
1246c1237
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1250c1241
< mac_mls_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
---
> mls_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
1258c1249
< mac_mls_copy_effective(source, dest);
---
> mls_copy_effective(source, dest);
1262c1253
< mac_mls_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
---
> mls_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
1270c1261
< return (mac_mls_equal_effective(a, b));
---
> return (mls_equal_effective(a, b));
1274c1265
< mac_mls_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
---
> mls_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
1282c1273
< mac_mls_copy(source, dest);
---
> mls_copy(source, dest);
1286c1277
< mac_mls_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
---
> mls_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
1294c1285
< mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
---
> mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
1302c1293
< mac_mls_copy(source, dest);
---
> mls_copy(source, dest);
1306c1297
< mac_mls_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel)
---
> mls_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel)
1313c1304
< mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
---
> mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
1317c1308
< mac_mls_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
---
> mls_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
1323c1314,1315
< mac_mls_copy_effective(source, dest);
---
>
> mls_copy_effective(source, dest);
1327c1319
< mac_mls_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
---
> mls_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
1334c1326,1327
< mac_mls_copy_effective(source, dest);
---
>
> mls_copy_effective(source, dest);
1341c1334
< mac_mls_proc_create_swapper(struct ucred *cred)
---
> mls_proc_create_swapper(struct ucred *cred)
1347,1349c1340,1342
< mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
< mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH,
< 0, NULL);
---
> mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
> mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
> NULL);
1353c1346
< mac_mls_proc_create_init(struct ucred *cred)
---
> mls_proc_create_init(struct ucred *cred)
1359,1361c1352,1354
< mac_mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
< mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH,
< 0, NULL);
---
> mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
> mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
> NULL);
1365c1358
< mac_mls_cred_relabel(struct ucred *cred, struct label *newlabel)
---
> mls_cred_relabel(struct ucred *cred, struct label *newlabel)
1372c1365
< mac_mls_copy(source, dest);
---
> mls_copy(source, dest);
1379c1372
< mac_mls_sysvmsg_cleanup(struct label *msglabel)
---
> mls_sysvmsg_cleanup(struct label *msglabel)
1386c1379
< mac_mls_sysvmsq_cleanup(struct label *msqlabel)
---
> mls_sysvmsq_cleanup(struct label *msqlabel)
1393c1386
< mac_mls_sysvsem_cleanup(struct label *semalabel)
---
> mls_sysvsem_cleanup(struct label *semalabel)
1400c1393
< mac_mls_sysvshm_cleanup(struct label *shmlabel)
---
> mls_sysvshm_cleanup(struct label *shmlabel)
1410c1403
< mac_mls_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
---
> mls_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
1415c1408
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1421c1414
< if (mac_mls_equal_effective(a, b))
---
> if (mls_equal_effective(a, b))
1427c1420
< mac_mls_cred_check_relabel(struct ucred *cred, struct label *newlabel)
---
> mls_cred_check_relabel(struct ucred *cred, struct label *newlabel)
1436,1437c1429,1430
< * If there is an MLS label update for the credential, it may be
< * an update of effective, range, or both.
---
> * If there is an MLS label update for the credential, it may be an
> * update of effective, range, or both.
1448,1450c1441,1443
< * If the change request modifies both the MLS label effective
< * and range, check that the new effective will be in the
< * new range.
---
> * If the change request modifies both the MLS label
> * effective and range, check that the new effective will be
> * in the new range.
1453,1454c1446
< MAC_MLS_FLAGS_BOTH &&
< !mac_mls_effective_in_range(new, new))
---
> MAC_MLS_FLAGS_BOTH && !mls_effective_in_range(new, new))
1458,1459c1450,1451
< * To change the MLS effective label on a credential, the
< * new effective label must be in the current range.
---
> * To change the MLS effective label on a credential, the new
> * effective label must be in the current range.
1462c1454
< !mac_mls_effective_in_range(new, subj))
---
> !mls_effective_in_range(new, subj))
1466,1467c1458,1459
< * To change the MLS range label on a credential, the
< * new range must be in the current range.
---
> * To change the MLS range label on a credential, the new
> * range must be in the current range.
1470c1462
< !mac_mls_range_in_range(new, subj))
---
> !mls_range_in_range(new, subj))
1474,1476c1466,1467
< * To have EQUAL in any component of the new credential
< * MLS label, the subject must already have EQUAL in
< * their label.
---
> * To have EQUAL in any component of the new credential MLS
> * label, the subject must already have EQUAL in their label.
1478,1479c1469,1470
< if (mac_mls_contains_equal(new)) {
< error = mac_mls_subject_privileged(subj);
---
> if (mls_contains_equal(new)) {
> error = mls_subject_privileged(subj);
1489c1480
< mac_mls_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
---
> mls_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
1493c1484
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1500c1491
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1507c1498
< mac_mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
---
> mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
1517,1518c1508,1509
< * If there is an MLS label update for the interface, it may
< * be an update of effective, range, or both.
---
> * If there is an MLS label update for the interface, it may be an
> * update of effective, range, or both.
1527c1518
< error = mac_mls_subject_privileged(subj);
---
> error = mls_subject_privileged(subj);
1533c1524
< mac_mls_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
---
> mls_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
1538c1529
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1544c1535
< return (mac_mls_effective_in_range(p, i) ? 0 : EACCES);
---
> return (mls_effective_in_range(p, i) ? 0 : EACCES);
1548c1539
< mac_mls_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
---
> mls_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
1553c1544
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1559c1550
< return (mac_mls_equal_effective(p, i) ? 0 : EACCES);
---
> return (mls_equal_effective(p, i) ? 0 : EACCES);
1563c1554
< mac_mls_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
---
> mls_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
1568c1559
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1574c1565
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1581c1572
< mac_mls_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
---
> mls_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
1586c1577
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1592c1583
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1599,1600c1590,1591
< mac_mls_sysvmsq_check_msqget(struct ucred *cred,
< struct msqid_kernel *msqkptr, struct label *msqklabel)
---
> mls_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
> struct label *msqklabel)
1604c1595
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1610c1601
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1617,1618c1608,1609
< mac_mls_sysvmsq_check_msqsnd(struct ucred *cred,
< struct msqid_kernel *msqkptr, struct label *msqklabel)
---
> mls_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
> struct label *msqklabel)
1622c1613
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1628c1619
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1635,1636c1626,1627
< mac_mls_sysvmsq_check_msqrcv(struct ucred *cred,
< struct msqid_kernel *msqkptr, struct label *msqklabel)
---
> mls_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
> struct label *msqklabel)
1640c1631
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1646c1637
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1653,1654c1644,1645
< mac_mls_sysvmsq_check_msqctl(struct ucred *cred,
< struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd)
---
> mls_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
> struct label *msqklabel, int cmd)
1658c1649
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1667c1658
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1672c1663
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1684,1685c1675,1676
< mac_mls_sysvsem_check_semctl(struct ucred *cred,
< struct semid_kernel *semakptr, struct label *semaklabel, int cmd)
---
> mls_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
> struct label *semaklabel, int cmd)
1689c1680
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1700c1691
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1710c1701
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1722,1723c1713,1714
< mac_mls_sysvsem_check_semget(struct ucred *cred,
< struct semid_kernel *semakptr, struct label *semaklabel)
---
> mls_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
> struct label *semaklabel)
1727c1718
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1733c1724
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1740,1742c1731,1732
< mac_mls_sysvsem_check_semop(struct ucred *cred,
< struct semid_kernel *semakptr, struct label *semaklabel,
< size_t accesstype)
---
> mls_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
> struct label *semaklabel, size_t accesstype)
1746c1736
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1753c1743
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1757c1747
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1764,1765c1754,1755
< mac_mls_sysvshm_check_shmat(struct ucred *cred,
< struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
---
> mls_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
> struct label *shmseglabel, int shmflg)
1769c1759
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1775c1765,1768
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
> return (EACCES);
> if ((shmflg & SHM_RDONLY) == 0) {
> if (!mls_dominate_effective(obj, subj))
1777,1779c1770
< if ((shmflg & SHM_RDONLY) == 0)
< if (!mac_mls_dominate_effective(obj, subj))
< return (EACCES);
---
> }
1785,1786c1776,1777
< mac_mls_sysvshm_check_shmctl(struct ucred *cred,
< struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd)
---
> mls_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
> struct label *shmseglabel, int cmd)
1790c1781
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1799c1790
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1805c1796
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1817,1818c1808,1809
< mac_mls_sysvshm_check_shmget(struct ucred *cred,
< struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
---
> mls_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
> struct label *shmseglabel, int shmflg)
1822c1813
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1828c1819
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1835c1826
< mac_mls_mount_check_stat(struct ucred *cred, struct mount *mp,
---
> mls_mount_check_stat(struct ucred *cred, struct mount *mp,
1840c1831
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1846c1837
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1853c1844
< mac_mls_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
1857c1848
< if(!mac_mls_enabled)
---
> if (!mls_enabled)
1866c1857
< mac_mls_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
1871c1862
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1877c1868
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1884c1875
< mac_mls_pipe_check_read(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_check_read(struct ucred *cred, struct pipepair *pp,
1889c1880
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1895c1886
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1902c1893
< mac_mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
1913,1914c1904,1905
< * If there is an MLS label update for a pipe, it must be a
< * effective update.
---
> * If there is an MLS label update for a pipe, it must be a effective
> * update.
1924c1915
< if (!mac_mls_effective_in_range(obj, subj))
---
> if (!mls_effective_in_range(obj, subj))
1932,1933c1923,1924
< * To change the MLS label on a pipe, the new pipe label
< * must be in the subject range.
---
> * To change the MLS label on a pipe, the new pipe label must
> * be in the subject range.
1935c1926
< if (!mac_mls_effective_in_range(new, subj))
---
> if (!mls_effective_in_range(new, subj))
1939,1940c1930,1931
< * To change the MLS label on a pipe to be EQUAL, the
< * subject must have appropriate privilege.
---
> * To change the MLS label on a pipe to be EQUAL, the subject
> * must have appropriate privilege.
1942,1943c1933,1934
< if (mac_mls_contains_equal(new)) {
< error = mac_mls_subject_privileged(subj);
---
> if (mls_contains_equal(new)) {
> error = mls_subject_privileged(subj);
1953c1944
< mac_mls_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
1958c1949
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1964c1955
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
1971c1962
< mac_mls_pipe_check_write(struct ucred *cred, struct pipepair *pp,
---
> mls_pipe_check_write(struct ucred *cred, struct pipepair *pp,
1976c1967
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
1982c1973
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
1989c1980
< mac_mls_posixsem_check_write(struct ucred *cred, struct ksem *ks,
---
> mls_posixsem_check_write(struct ucred *cred, struct ksem *ks,
1994c1985
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2000c1991
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2007c1998
< mac_mls_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
---
> mls_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
2012c2003
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2018c2009
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2025c2016
< mac_mls_proc_check_debug(struct ucred *cred, struct proc *p)
---
> mls_proc_check_debug(struct ucred *cred, struct proc *p)
2029c2020
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2036c2027
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2038c2029
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2045c2036
< mac_mls_proc_check_sched(struct ucred *cred, struct proc *p)
---
> mls_proc_check_sched(struct ucred *cred, struct proc *p)
2049c2040
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2056c2047
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2058c2049
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2065c2056
< mac_mls_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
---
> mls_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
2069c2060
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2076c2067
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2078c2069
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2085c2076
< mac_mls_socket_check_deliver(struct socket *so, struct label *solabel,
---
> mls_socket_check_deliver(struct socket *so, struct label *solabel,
2090c2081
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2096c2087
< return (mac_mls_equal_effective(p, s) ? 0 : EACCES);
---
> return (mls_equal_effective(p, s) ? 0 : EACCES);
2100c2091
< mac_mls_socket_check_relabel(struct ucred *cred, struct socket *so,
---
> mls_socket_check_relabel(struct ucred *cred, struct socket *so,
2111,2112c2102,2103
< * If there is an MLS label update for the socket, it may be
< * an update of effective.
---
> * If there is an MLS label update for the socket, it may be an
> * update of effective.
2119,2120c2110,2111
< * To relabel a socket, the old socket effective must be in the subject
< * range.
---
> * To relabel a socket, the old socket effective must be in the
> * subject range.
2122c2113
< if (!mac_mls_effective_in_range(obj, subj))
---
> if (!mls_effective_in_range(obj, subj))
2133c2124
< if (!mac_mls_effective_in_range(new, subj))
---
> if (!mls_effective_in_range(new, subj))
2140,2141c2131,2132
< if (mac_mls_contains_equal(new)) {
< error = mac_mls_subject_privileged(subj);
---
> if (mls_contains_equal(new)) {
> error = mls_subject_privileged(subj);
2151c2142
< mac_mls_socket_check_visible(struct ucred *cred, struct socket *so,
---
> mls_socket_check_visible(struct ucred *cred, struct socket *so,
2156c2147
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2162c2153
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2169c2160
< mac_mls_system_check_acct(struct ucred *cred, struct vnode *vp,
---
> mls_system_check_acct(struct ucred *cred, struct vnode *vp,
2174c2165
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2180,2181c2171,2172
< if (!mac_mls_dominate_effective(obj, subj) ||
< !mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(obj, subj) ||
> !mls_dominate_effective(subj, obj))
2188c2179
< mac_mls_system_check_auditctl(struct ucred *cred, struct vnode *vp,
---
> mls_system_check_auditctl(struct ucred *cred, struct vnode *vp,
2193c2184
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2199,2200c2190,2191
< if (!mac_mls_dominate_effective(obj, subj) ||
< !mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(obj, subj) ||
> !mls_dominate_effective(subj, obj))
2207c2198
< mac_mls_system_check_swapon(struct ucred *cred, struct vnode *vp,
---
> mls_system_check_swapon(struct ucred *cred, struct vnode *vp,
2212c2203
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2218,2219c2209,2210
< if (!mac_mls_dominate_effective(obj, subj) ||
< !mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(obj, subj) ||
> !mls_dominate_effective(subj, obj))
2226c2217
< mac_mls_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
2231c2222
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2237c2228
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2244c2235
< mac_mls_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
2249c2240
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2255c2246
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2262c2253
< mac_mls_vnode_check_create(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_create(struct ucred *cred, struct vnode *dvp,
2267c2258
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2273c2264
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2280c2271
< mac_mls_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
2285c2276
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2291c2282
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2298c2289
< mac_mls_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
2303c2294
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2309c2300
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2316c2307
< mac_mls_vnode_check_exec(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_exec(struct ucred *cred, struct vnode *vp,
2326,2327c2317,2318
< * exec-time as part of MLS, so disallow non-NULL
< * MLS label elements in the execlabel.
---
> * exec-time as part of MLS, so disallow non-NULL MLS label
> * elements in the execlabel.
2335c2326
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2341c2332
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2348c2339
< mac_mls_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
2353c2344
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2359c2350
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2366c2357
< mac_mls_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
2372c2363
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2378c2369
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2385c2376
< mac_mls_vnode_check_link(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_link(struct ucred *cred, struct vnode *dvp,
2391c2382
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2397c2388
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2401c2392
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2408c2399
< mac_mls_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
2414c2405
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2420c2411
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2427c2418
< mac_mls_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
2432c2423
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2438c2429
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2445c2436
< mac_mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
2454c2445
< if (!mac_mls_enabled || !revocation_enabled)
---
> if (!mls_enabled || !revocation_enabled)
2461c2452
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2465c2456
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2473c2464
< mac_mls_vnode_check_open(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_open(struct ucred *cred, struct vnode *vp,
2478c2469
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2486c2477
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2490c2481
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2498c2489
< mac_mls_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
---
> mls_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
2503c2494
< if (!mac_mls_enabled || !revocation_enabled)
---
> if (!mls_enabled || !revocation_enabled)
2509c2500
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2516c2507
< mac_mls_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
---
> mls_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
2521c2512
< if (!mac_mls_enabled || !revocation_enabled)
---
> if (!mls_enabled || !revocation_enabled)
2527c2518
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2534c2525
< mac_mls_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
2539c2530
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2545c2536
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2552c2543
< mac_mls_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
2557c2548
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2563c2554
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2570c2561
< mac_mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
2592c2583
< if (!mac_mls_effective_in_range(old, subj))
---
> if (!mls_effective_in_range(old, subj))
2603c2594
< if (!mac_mls_effective_in_range(new, subj))
---
> if (!mls_effective_in_range(new, subj))
2607,2608c2598,2599
< * To change the MLS label on the vnode to be EQUAL,
< * the subject must have appropriate privilege.
---
> * To change the MLS label on the vnode to be EQUAL, the
> * subject must have appropriate privilege.
2610,2611c2601,2602
< if (mac_mls_contains_equal(new)) {
< error = mac_mls_subject_privileged(subj);
---
> if (mls_contains_equal(new)) {
> error = mls_subject_privileged(subj);
2621c2612
< mac_mls_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
2627c2618
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2633c2624
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2638c2629
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2645c2636
< mac_mls_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
2651c2642
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2657c2648
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2663c2654
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2671c2662
< mac_mls_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
2676c2667
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2682c2673
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2689c2680
< mac_mls_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
2694c2685
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2700c2691
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2707c2698
< mac_mls_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
2713c2704
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2719c2710
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2728c2719
< mac_mls_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
2733c2724
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2739c2730
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2746c2737
< mac_mls_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
2751c2742
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2757c2748
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2764c2755
< mac_mls_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
2769c2760
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2775c2766
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2782c2773
< mac_mls_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
---
> mls_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
2787c2778
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2793c2784
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2800c2791
< mac_mls_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
---
> mls_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
2805c2796
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2811c2802
< if (!mac_mls_dominate_effective(subj, obj))
---
> if (!mls_dominate_effective(subj, obj))
2818c2809
< mac_mls_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
---
> mls_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
2824c2815
< if (!mac_mls_enabled)
---
> if (!mls_enabled)
2830c2821
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2835c2826
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2842c2833
< mac_mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
---
> mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
2847c2838
< if (!mac_mls_enabled || !revocation_enabled)
---
> if (!mls_enabled || !revocation_enabled)
2853c2844
< if (!mac_mls_dominate_effective(obj, subj))
---
> if (!mls_dominate_effective(obj, subj))
2860c2851
< mac_mls_associate_nfsd_label(struct ucred *cred)
---
> mls_associate_nfsd_label(struct ucred *cred)
2865,2867c2856,2858
< mac_mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
< mac_mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL,
< MAC_MLS_TYPE_HIGH, 0, NULL);
---
> mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
> mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
> NULL);
2870c2861
< static struct mac_policy_ops mac_mls_ops =
---
> static struct mac_policy_ops mls_ops =
2872,3047c2863,3038
< .mpo_init = mac_mls_init,
< .mpo_bpfdesc_init_label = mac_mls_init_label,
< .mpo_cred_init_label = mac_mls_init_label,
< .mpo_devfs_init_label = mac_mls_init_label,
< .mpo_ifnet_init_label = mac_mls_init_label,
< .mpo_inpcb_init_label = mac_mls_init_label_waitcheck,
< .mpo_init_syncache_label = mac_mls_init_label_waitcheck,
< .mpo_sysvmsg_init_label = mac_mls_init_label,
< .mpo_sysvmsq_init_label = mac_mls_init_label,
< .mpo_sysvsem_init_label = mac_mls_init_label,
< .mpo_sysvshm_init_label = mac_mls_init_label,
< .mpo_ipq_init_label = mac_mls_init_label_waitcheck,
< .mpo_mbuf_init_label = mac_mls_init_label_waitcheck,
< .mpo_mount_init_label = mac_mls_init_label,
< .mpo_pipe_init_label = mac_mls_init_label,
< .mpo_posixsem_init_label = mac_mls_init_label,
< .mpo_socket_init_label = mac_mls_init_label_waitcheck,
< .mpo_socketpeer_init_label = mac_mls_init_label_waitcheck,
< .mpo_vnode_init_label = mac_mls_init_label,
< .mpo_bpfdesc_destroy_label = mac_mls_destroy_label,
< .mpo_cred_destroy_label = mac_mls_destroy_label,
< .mpo_devfs_destroy_label = mac_mls_destroy_label,
< .mpo_ifnet_destroy_label = mac_mls_destroy_label,
< .mpo_inpcb_destroy_label = mac_mls_destroy_label,
< .mpo_destroy_syncache_label = mac_mls_destroy_label,
< .mpo_sysvmsg_destroy_label = mac_mls_destroy_label,
< .mpo_sysvmsq_destroy_label = mac_mls_destroy_label,
< .mpo_sysvsem_destroy_label = mac_mls_destroy_label,
< .mpo_sysvshm_destroy_label = mac_mls_destroy_label,
< .mpo_ipq_destroy_label = mac_mls_destroy_label,
< .mpo_mbuf_destroy_label = mac_mls_destroy_label,
< .mpo_mount_destroy_label = mac_mls_destroy_label,
< .mpo_pipe_destroy_label = mac_mls_destroy_label,
< .mpo_posixsem_destroy_label = mac_mls_destroy_label,
< .mpo_socket_destroy_label = mac_mls_destroy_label,
< .mpo_socketpeer_destroy_label = mac_mls_destroy_label,
< .mpo_vnode_destroy_label = mac_mls_destroy_label,
< .mpo_cred_copy_label = mac_mls_copy_label,
< .mpo_ifnet_copy_label = mac_mls_copy_label,
< .mpo_mbuf_copy_label = mac_mls_copy_label,
< .mpo_pipe_copy_label = mac_mls_copy_label,
< .mpo_socket_copy_label = mac_mls_copy_label,
< .mpo_vnode_copy_label = mac_mls_copy_label,
< .mpo_cred_externalize_label = mac_mls_externalize_label,
< .mpo_ifnet_externalize_label = mac_mls_externalize_label,
< .mpo_pipe_externalize_label = mac_mls_externalize_label,
< .mpo_socket_externalize_label = mac_mls_externalize_label,
< .mpo_socketpeer_externalize_label = mac_mls_externalize_label,
< .mpo_vnode_externalize_label = mac_mls_externalize_label,
< .mpo_cred_internalize_label = mac_mls_internalize_label,
< .mpo_ifnet_internalize_label = mac_mls_internalize_label,
< .mpo_pipe_internalize_label = mac_mls_internalize_label,
< .mpo_socket_internalize_label = mac_mls_internalize_label,
< .mpo_vnode_internalize_label = mac_mls_internalize_label,
< .mpo_devfs_create_device = mac_mls_devfs_create_device,
< .mpo_devfs_create_directory = mac_mls_devfs_create_directory,
< .mpo_devfs_create_symlink = mac_mls_devfs_create_symlink,
< .mpo_mount_create = mac_mls_mount_create,
< .mpo_vnode_relabel = mac_mls_vnode_relabel,
< .mpo_devfs_update = mac_mls_devfs_update,
< .mpo_devfs_vnode_associate = mac_mls_devfs_vnode_associate,
< .mpo_vnode_associate_extattr = mac_mls_vnode_associate_extattr,
< .mpo_vnode_associate_singlelabel = mac_mls_vnode_associate_singlelabel,
< .mpo_vnode_create_extattr = mac_mls_vnode_create_extattr,
< .mpo_vnode_setlabel_extattr = mac_mls_vnode_setlabel_extattr,
< .mpo_socket_create_mbuf = mac_mls_socket_create_mbuf,
< .mpo_create_mbuf_from_syncache = mac_mls_create_mbuf_from_syncache,
< .mpo_pipe_create = mac_mls_pipe_create,
< .mpo_posixsem_create = mac_mls_posixsem_create,
< .mpo_socket_create = mac_mls_socket_create,
< .mpo_socket_newconn = mac_mls_socket_newconn,
< .mpo_pipe_relabel = mac_mls_pipe_relabel,
< .mpo_socket_relabel = mac_mls_socket_relabel,
< .mpo_socketpeer_set_from_mbuf = mac_mls_socketpeer_set_from_mbuf,
< .mpo_socketpeer_set_from_socket = mac_mls_socketpeer_set_from_socket,
< .mpo_bpfdesc_create = mac_mls_bpfdesc_create,
< .mpo_ipq_reassemble = mac_mls_ipq_reassemble,
< .mpo_netinet_fragment = mac_mls_netinet_fragment,
< .mpo_ifnet_create = mac_mls_ifnet_create,
< .mpo_inpcb_create = mac_mls_inpcb_create,
< .mpo_init_syncache_from_inpcb = mac_mls_init_syncache_from_inpcb,
< .mpo_ipq_create = mac_mls_ipq_create,
< .mpo_sysvmsg_create = mac_mls_sysvmsg_create,
< .mpo_sysvmsq_create = mac_mls_sysvmsq_create,
< .mpo_sysvsem_create = mac_mls_sysvsem_create,
< .mpo_sysvshm_create = mac_mls_sysvshm_create,
< .mpo_inpcb_create_mbuf = mac_mls_inpcb_create_mbuf,
< .mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
< .mpo_bpfdesc_create_mbuf = mac_mls_bpfdesc_create_mbuf,
< .mpo_ifnet_create_mbuf = mac_mls_ifnet_create_mbuf,
< .mpo_mbuf_create_multicast_encap = mac_mls_mbuf_create_multicast_encap,
< .mpo_mbuf_create_netlayer = mac_mls_mbuf_create_netlayer,
< .mpo_ipq_match = mac_mls_ipq_match,
< .mpo_ifnet_relabel = mac_mls_ifnet_relabel,
< .mpo_ipq_update = mac_mls_ipq_update,
< .mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel,
< .mpo_proc_create_swapper = mac_mls_proc_create_swapper,
< .mpo_proc_create_init = mac_mls_proc_create_init,
< .mpo_cred_relabel = mac_mls_cred_relabel,
< .mpo_sysvmsg_cleanup = mac_mls_sysvmsg_cleanup,
< .mpo_sysvmsq_cleanup = mac_mls_sysvmsq_cleanup,
< .mpo_sysvsem_cleanup = mac_mls_sysvsem_cleanup,
< .mpo_sysvshm_cleanup = mac_mls_sysvshm_cleanup,
< .mpo_bpfdesc_check_receive = mac_mls_bpfdesc_check_receive,
< .mpo_cred_check_relabel = mac_mls_cred_check_relabel,
< .mpo_cred_check_visible = mac_mls_cred_check_visible,
< .mpo_ifnet_check_relabel = mac_mls_ifnet_check_relabel,
< .mpo_ifnet_check_transmit = mac_mls_ifnet_check_transmit,
< .mpo_inpcb_check_deliver = mac_mls_inpcb_check_deliver,
< .mpo_sysvmsq_check_msgrcv = mac_mls_sysvmsq_check_msgrcv,
< .mpo_sysvmsq_check_msgrmid = mac_mls_sysvmsq_check_msgrmid,
< .mpo_sysvmsq_check_msqget = mac_mls_sysvmsq_check_msqget,
< .mpo_sysvmsq_check_msqsnd = mac_mls_sysvmsq_check_msqsnd,
< .mpo_sysvmsq_check_msqrcv = mac_mls_sysvmsq_check_msqrcv,
< .mpo_sysvmsq_check_msqctl = mac_mls_sysvmsq_check_msqctl,
< .mpo_sysvsem_check_semctl = mac_mls_sysvsem_check_semctl,
< .mpo_sysvsem_check_semget = mac_mls_sysvsem_check_semget,
< .mpo_sysvsem_check_semop = mac_mls_sysvsem_check_semop,
< .mpo_sysvshm_check_shmat = mac_mls_sysvshm_check_shmat,
< .mpo_sysvshm_check_shmctl = mac_mls_sysvshm_check_shmctl,
< .mpo_sysvshm_check_shmget = mac_mls_sysvshm_check_shmget,
< .mpo_mount_check_stat = mac_mls_mount_check_stat,
< .mpo_pipe_check_ioctl = mac_mls_pipe_check_ioctl,
< .mpo_pipe_check_poll = mac_mls_pipe_check_poll,
< .mpo_pipe_check_read = mac_mls_pipe_check_read,
< .mpo_pipe_check_relabel = mac_mls_pipe_check_relabel,
< .mpo_pipe_check_stat = mac_mls_pipe_check_stat,
< .mpo_pipe_check_write = mac_mls_pipe_check_write,
< .mpo_posixsem_check_destroy = mac_mls_posixsem_check_write,
< .mpo_posixsem_check_getvalue = mac_mls_posixsem_check_rdonly,
< .mpo_posixsem_check_open = mac_mls_posixsem_check_write,
< .mpo_posixsem_check_post = mac_mls_posixsem_check_write,
< .mpo_posixsem_check_unlink = mac_mls_posixsem_check_write,
< .mpo_posixsem_check_wait = mac_mls_posixsem_check_write,
< .mpo_proc_check_debug = mac_mls_proc_check_debug,
< .mpo_proc_check_sched = mac_mls_proc_check_sched,
< .mpo_proc_check_signal = mac_mls_proc_check_signal,
< .mpo_socket_check_deliver = mac_mls_socket_check_deliver,
< .mpo_socket_check_relabel = mac_mls_socket_check_relabel,
< .mpo_socket_check_visible = mac_mls_socket_check_visible,
< .mpo_system_check_acct = mac_mls_system_check_acct,
< .mpo_system_check_auditctl = mac_mls_system_check_auditctl,
< .mpo_system_check_swapon = mac_mls_system_check_swapon,
< .mpo_vnode_check_access = mac_mls_vnode_check_open,
< .mpo_vnode_check_chdir = mac_mls_vnode_check_chdir,
< .mpo_vnode_check_chroot = mac_mls_vnode_check_chroot,
< .mpo_vnode_check_create = mac_mls_vnode_check_create,
< .mpo_vnode_check_deleteacl = mac_mls_vnode_check_deleteacl,
< .mpo_vnode_check_deleteextattr = mac_mls_vnode_check_deleteextattr,
< .mpo_vnode_check_exec = mac_mls_vnode_check_exec,
< .mpo_vnode_check_getacl = mac_mls_vnode_check_getacl,
< .mpo_vnode_check_getextattr = mac_mls_vnode_check_getextattr,
< .mpo_vnode_check_link = mac_mls_vnode_check_link,
< .mpo_vnode_check_listextattr = mac_mls_vnode_check_listextattr,
< .mpo_vnode_check_lookup = mac_mls_vnode_check_lookup,
< .mpo_vnode_check_mmap = mac_mls_vnode_check_mmap,
< .mpo_vnode_check_open = mac_mls_vnode_check_open,
< .mpo_vnode_check_poll = mac_mls_vnode_check_poll,
< .mpo_vnode_check_read = mac_mls_vnode_check_read,
< .mpo_vnode_check_readdir = mac_mls_vnode_check_readdir,
< .mpo_vnode_check_readlink = mac_mls_vnode_check_readlink,
< .mpo_vnode_check_relabel = mac_mls_vnode_check_relabel,
< .mpo_vnode_check_rename_from = mac_mls_vnode_check_rename_from,
< .mpo_vnode_check_rename_to = mac_mls_vnode_check_rename_to,
< .mpo_vnode_check_revoke = mac_mls_vnode_check_revoke,
< .mpo_vnode_check_setacl = mac_mls_vnode_check_setacl,
< .mpo_vnode_check_setextattr = mac_mls_vnode_check_setextattr,
< .mpo_vnode_check_setflags = mac_mls_vnode_check_setflags,
< .mpo_vnode_check_setmode = mac_mls_vnode_check_setmode,
< .mpo_vnode_check_setowner = mac_mls_vnode_check_setowner,
< .mpo_vnode_check_setutimes = mac_mls_vnode_check_setutimes,
< .mpo_vnode_check_stat = mac_mls_vnode_check_stat,
< .mpo_vnode_check_unlink = mac_mls_vnode_check_unlink,
< .mpo_vnode_check_write = mac_mls_vnode_check_write,
< .mpo_associate_nfsd_label = mac_mls_associate_nfsd_label,
< .mpo_mbuf_create_from_firewall = mac_mls_mbuf_create_from_firewall,
---
> .mpo_init = mls_init,
> .mpo_bpfdesc_init_label = mls_init_label,
> .mpo_cred_init_label = mls_init_label,
> .mpo_devfs_init_label = mls_init_label,
> .mpo_ifnet_init_label = mls_init_label,
> .mpo_inpcb_init_label = mls_init_label_waitcheck,
> .mpo_init_syncache_label = mls_init_label_waitcheck,
> .mpo_sysvmsg_init_label = mls_init_label,
> .mpo_sysvmsq_init_label = mls_init_label,
> .mpo_sysvsem_init_label = mls_init_label,
> .mpo_sysvshm_init_label = mls_init_label,
> .mpo_ipq_init_label = mls_init_label_waitcheck,
> .mpo_mbuf_init_label = mls_init_label_waitcheck,
> .mpo_mount_init_label = mls_init_label,
> .mpo_pipe_init_label = mls_init_label,
> .mpo_posixsem_init_label = mls_init_label,
> .mpo_socket_init_label = mls_init_label_waitcheck,
> .mpo_socketpeer_init_label = mls_init_label_waitcheck,
> .mpo_vnode_init_label = mls_init_label,
> .mpo_bpfdesc_destroy_label = mls_destroy_label,
> .mpo_cred_destroy_label = mls_destroy_label,
> .mpo_devfs_destroy_label = mls_destroy_label,
> .mpo_ifnet_destroy_label = mls_destroy_label,
> .mpo_inpcb_destroy_label = mls_destroy_label,
> .mpo_destroy_syncache_label = mls_destroy_label,
> .mpo_sysvmsg_destroy_label = mls_destroy_label,
> .mpo_sysvmsq_destroy_label = mls_destroy_label,
> .mpo_sysvsem_destroy_label = mls_destroy_label,
> .mpo_sysvshm_destroy_label = mls_destroy_label,
> .mpo_ipq_destroy_label = mls_destroy_label,
> .mpo_mbuf_destroy_label = mls_destroy_label,
> .mpo_mount_destroy_label = mls_destroy_label,
> .mpo_pipe_destroy_label = mls_destroy_label,
> .mpo_posixsem_destroy_label = mls_destroy_label,
> .mpo_socket_destroy_label = mls_destroy_label,
> .mpo_socketpeer_destroy_label = mls_destroy_label,
> .mpo_vnode_destroy_label = mls_destroy_label,
> .mpo_cred_copy_label = mls_copy_label,
> .mpo_ifnet_copy_label = mls_copy_label,
> .mpo_mbuf_copy_label = mls_copy_label,
> .mpo_pipe_copy_label = mls_copy_label,
> .mpo_socket_copy_label = mls_copy_label,
> .mpo_vnode_copy_label = mls_copy_label,
> .mpo_cred_externalize_label = mls_externalize_label,
> .mpo_ifnet_externalize_label = mls_externalize_label,
> .mpo_pipe_externalize_label = mls_externalize_label,
> .mpo_socket_externalize_label = mls_externalize_label,
> .mpo_socketpeer_externalize_label = mls_externalize_label,
> .mpo_vnode_externalize_label = mls_externalize_label,
> .mpo_cred_internalize_label = mls_internalize_label,
> .mpo_ifnet_internalize_label = mls_internalize_label,
> .mpo_pipe_internalize_label = mls_internalize_label,
> .mpo_socket_internalize_label = mls_internalize_label,
> .mpo_vnode_internalize_label = mls_internalize_label,
> .mpo_devfs_create_device = mls_devfs_create_device,
> .mpo_devfs_create_directory = mls_devfs_create_directory,
> .mpo_devfs_create_symlink = mls_devfs_create_symlink,
> .mpo_mount_create = mls_mount_create,
> .mpo_vnode_relabel = mls_vnode_relabel,
> .mpo_devfs_update = mls_devfs_update,
> .mpo_devfs_vnode_associate = mls_devfs_vnode_associate,
> .mpo_vnode_associate_extattr = mls_vnode_associate_extattr,
> .mpo_vnode_associate_singlelabel = mls_vnode_associate_singlelabel,
> .mpo_vnode_create_extattr = mls_vnode_create_extattr,
> .mpo_vnode_setlabel_extattr = mls_vnode_setlabel_extattr,
> .mpo_socket_create_mbuf = mls_socket_create_mbuf,
> .mpo_create_mbuf_from_syncache = mls_create_mbuf_from_syncache,
> .mpo_pipe_create = mls_pipe_create,
> .mpo_posixsem_create = mls_posixsem_create,
> .mpo_socket_create = mls_socket_create,
> .mpo_socket_newconn = mls_socket_newconn,
> .mpo_pipe_relabel = mls_pipe_relabel,
> .mpo_socket_relabel = mls_socket_relabel,
> .mpo_socketpeer_set_from_mbuf = mls_socketpeer_set_from_mbuf,
> .mpo_socketpeer_set_from_socket = mls_socketpeer_set_from_socket,
> .mpo_bpfdesc_create = mls_bpfdesc_create,
> .mpo_ipq_reassemble = mls_ipq_reassemble,
> .mpo_netinet_fragment = mls_netinet_fragment,
> .mpo_ifnet_create = mls_ifnet_create,
> .mpo_inpcb_create = mls_inpcb_create,
> .mpo_init_syncache_from_inpcb = mls_init_syncache_from_inpcb,
> .mpo_ipq_create = mls_ipq_create,
> .mpo_sysvmsg_create = mls_sysvmsg_create,
> .mpo_sysvmsq_create = mls_sysvmsq_create,
> .mpo_sysvsem_create = mls_sysvsem_create,
> .mpo_sysvshm_create = mls_sysvshm_create,
> .mpo_inpcb_create_mbuf = mls_inpcb_create_mbuf,
> .mpo_create_mbuf_linklayer = mls_create_mbuf_linklayer,
> .mpo_bpfdesc_create_mbuf = mls_bpfdesc_create_mbuf,
> .mpo_ifnet_create_mbuf = mls_ifnet_create_mbuf,
> .mpo_mbuf_create_multicast_encap = mls_mbuf_create_multicast_encap,
> .mpo_mbuf_create_netlayer = mls_mbuf_create_netlayer,
> .mpo_ipq_match = mls_ipq_match,
> .mpo_ifnet_relabel = mls_ifnet_relabel,
> .mpo_ipq_update = mls_ipq_update,
> .mpo_inpcb_sosetlabel = mls_inpcb_sosetlabel,
> .mpo_proc_create_swapper = mls_proc_create_swapper,
> .mpo_proc_create_init = mls_proc_create_init,
> .mpo_cred_relabel = mls_cred_relabel,
> .mpo_sysvmsg_cleanup = mls_sysvmsg_cleanup,
> .mpo_sysvmsq_cleanup = mls_sysvmsq_cleanup,
> .mpo_sysvsem_cleanup = mls_sysvsem_cleanup,
> .mpo_sysvshm_cleanup = mls_sysvshm_cleanup,
> .mpo_bpfdesc_check_receive = mls_bpfdesc_check_receive,
> .mpo_cred_check_relabel = mls_cred_check_relabel,
> .mpo_cred_check_visible = mls_cred_check_visible,
> .mpo_ifnet_check_relabel = mls_ifnet_check_relabel,
> .mpo_ifnet_check_transmit = mls_ifnet_check_transmit,
> .mpo_inpcb_check_deliver = mls_inpcb_check_deliver,
> .mpo_sysvmsq_check_msgrcv = mls_sysvmsq_check_msgrcv,
> .mpo_sysvmsq_check_msgrmid = mls_sysvmsq_check_msgrmid,
> .mpo_sysvmsq_check_msqget = mls_sysvmsq_check_msqget,
> .mpo_sysvmsq_check_msqsnd = mls_sysvmsq_check_msqsnd,
> .mpo_sysvmsq_check_msqrcv = mls_sysvmsq_check_msqrcv,
> .mpo_sysvmsq_check_msqctl = mls_sysvmsq_check_msqctl,
> .mpo_sysvsem_check_semctl = mls_sysvsem_check_semctl,
> .mpo_sysvsem_check_semget = mls_sysvsem_check_semget,
> .mpo_sysvsem_check_semop = mls_sysvsem_check_semop,
> .mpo_sysvshm_check_shmat = mls_sysvshm_check_shmat,
> .mpo_sysvshm_check_shmctl = mls_sysvshm_check_shmctl,
> .mpo_sysvshm_check_shmget = mls_sysvshm_check_shmget,
> .mpo_mount_check_stat = mls_mount_check_stat,
> .mpo_pipe_check_ioctl = mls_pipe_check_ioctl,
> .mpo_pipe_check_poll = mls_pipe_check_poll,
> .mpo_pipe_check_read = mls_pipe_check_read,
> .mpo_pipe_check_relabel = mls_pipe_check_relabel,
> .mpo_pipe_check_stat = mls_pipe_check_stat,
> .mpo_pipe_check_write = mls_pipe_check_write,
> .mpo_posixsem_check_destroy = mls_posixsem_check_write,
> .mpo_posixsem_check_getvalue = mls_posixsem_check_rdonly,
> .mpo_posixsem_check_open = mls_posixsem_check_write,
> .mpo_posixsem_check_post = mls_posixsem_check_write,
> .mpo_posixsem_check_unlink = mls_posixsem_check_write,
> .mpo_posixsem_check_wait = mls_posixsem_check_write,
> .mpo_proc_check_debug = mls_proc_check_debug,
> .mpo_proc_check_sched = mls_proc_check_sched,
> .mpo_proc_check_signal = mls_proc_check_signal,
> .mpo_socket_check_deliver = mls_socket_check_deliver,
> .mpo_socket_check_relabel = mls_socket_check_relabel,
> .mpo_socket_check_visible = mls_socket_check_visible,
> .mpo_system_check_acct = mls_system_check_acct,
> .mpo_system_check_auditctl = mls_system_check_auditctl,
> .mpo_system_check_swapon = mls_system_check_swapon,
> .mpo_vnode_check_access = mls_vnode_check_open,
> .mpo_vnode_check_chdir = mls_vnode_check_chdir,
> .mpo_vnode_check_chroot = mls_vnode_check_chroot,
> .mpo_vnode_check_create = mls_vnode_check_create,
> .mpo_vnode_check_deleteacl = mls_vnode_check_deleteacl,
> .mpo_vnode_check_deleteextattr = mls_vnode_check_deleteextattr,
> .mpo_vnode_check_exec = mls_vnode_check_exec,
> .mpo_vnode_check_getacl = mls_vnode_check_getacl,
> .mpo_vnode_check_getextattr = mls_vnode_check_getextattr,
> .mpo_vnode_check_link = mls_vnode_check_link,
> .mpo_vnode_check_listextattr = mls_vnode_check_listextattr,
> .mpo_vnode_check_lookup = mls_vnode_check_lookup,
> .mpo_vnode_check_mmap = mls_vnode_check_mmap,
> .mpo_vnode_check_open = mls_vnode_check_open,
> .mpo_vnode_check_poll = mls_vnode_check_poll,
> .mpo_vnode_check_read = mls_vnode_check_read,
> .mpo_vnode_check_readdir = mls_vnode_check_readdir,
> .mpo_vnode_check_readlink = mls_vnode_check_readlink,
> .mpo_vnode_check_relabel = mls_vnode_check_relabel,
> .mpo_vnode_check_rename_from = mls_vnode_check_rename_from,
> .mpo_vnode_check_rename_to = mls_vnode_check_rename_to,
> .mpo_vnode_check_revoke = mls_vnode_check_revoke,
> .mpo_vnode_check_setacl = mls_vnode_check_setacl,
> .mpo_vnode_check_setextattr = mls_vnode_check_setextattr,
> .mpo_vnode_check_setflags = mls_vnode_check_setflags,
> .mpo_vnode_check_setmode = mls_vnode_check_setmode,
> .mpo_vnode_check_setowner = mls_vnode_check_setowner,
> .mpo_vnode_check_setutimes = mls_vnode_check_setutimes,
> .mpo_vnode_check_stat = mls_vnode_check_stat,
> .mpo_vnode_check_unlink = mls_vnode_check_unlink,
> .mpo_vnode_check_write = mls_vnode_check_write,
> .mpo_associate_nfsd_label = mls_associate_nfsd_label,
> .mpo_mbuf_create_from_firewall = mls_mbuf_create_from_firewall,
3050,3051c3041,3042
< MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS",
< MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &mac_mls_slot);
---
> MAC_POLICY_SET(&mls_ops, mac_mls, "TrustedBSD MAC/MLS",
> MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &mls_slot);