Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

Add __FBSDID() tags.

MFC after: 3 days

Remove unused variables and function declarations. Add missing headers.

Staticize label_default_head to prevent it from leaking out of mac.c.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Remove debugging printf that crept into the last commit.

/etc/mac.conf is implicitly read and parsed when the MAC configuration
is accessed for the first time as a result of an application looking
up label configuration information. Previously, the check and read
were kicked off by mac_prepare_(typename)() functions; since
mac_prepare_type() may now be directly employed by a user process,
push the check and initialization into that function.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Return (-1) not (ENOENT) for mac_prepare_type(), and set errno to
ENOENT instead.

Reported by: "Kenneth D. Merry" <ken@kdm.org>
Submitted by: Bryan Liesner <bleez@comcast.net>

Make the elements argument to mac_prepare() be const.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

As new objects begin to support new labels, start to generalize
the default label support in /etc/mac.conf. Rather than maintain
each default label type in an explicit global variable in mac.c,
keep a list of defaults loaded from the configuration file.
Generalize the parsing so that we support both the older:

default_file_labels foo
default_ifnet_labels foo
default_process_labels foo

And also a new:

default_labels file foo
default_labels ifnet foo
default_labels process foo

We now accept arbitrary object classes in the first argument. If
the same object is specified more than once, we discard the
earlier definition in favor of the later one.

Add a new API, mac_prepare_type(), which accepts a mac_t to
prepare, as well as an object name in the second argument, which
will pull a default label set for the object out of the
configuration loaded by mac_init_internal(). This permits the libc
to adapt to new objects known about by applications but not by libc
at compile-time.

Also liberalize the error handling a bit: if we're using implicit
initialization (i.e., the application didn't explicitly initialize
the MAC code), ignore syntax errors and only use valid lines. In
the future, we may want to add explicit warnings and do this a
bit more consistently.

While here, add support for a MAC_CONFFILE environmental variable,
which may be used to specify an alternative mac.conf configuration
file if the application isn't running with modified privilege
(issetugid()).

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Whack 28 unused variables.

License update authorized by NAI: remove clause 3.

Do not include <sys/syslimits.h> directly; it is not intended for general
consumption.

Place mac_prepare() with the other mac_prepare*() functions.

Reflect MAC kernel/user API changes into the libc MAC implementation.
This removes a lot of complexity, since we basically just reserve
space on a retrieval of a label, and pass around strings. Two new
elements: (1) consumers of the API must now declare what label
elements they are interested in retrieving, or (2) rely on the default
provided in a new configuration file, mac.conf.

Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories