Consistently name functions for mac_<policy> as <policy>_whatever rather

than mac_<policy>_whatever, as this shortens the names and makes the code
a bit easier to read.

When dealing with label structures, name variables 'mb', 'ml', 'mm rather
than the longer 'mac_biba', 'mac_lomac', and 'mac_mls', likewise making
the code a little easier to read.

Obtained from:	TrustedBSD Project

sys/security/mac_bsdextended/mac_bsdextended.c

@@ -65,17 +65,17 @@
 #include <security/mac/mac_policy.h>
 #include <security/mac_bsdextended/mac_bsdextended.h>
 
-static struct mtx mac_bsdextended_mtx;
+static struct mtx ugidfw_mtx;
 
 SYSCTL_DECL(_security_mac);
 
 SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
     "TrustedBSD extended BSD MAC policy controls");
 
-static int	mac_bsdextended_enabled = 1;
+static int	ugidfw_enabled = 1;
 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW,
-    &mac_bsdextended_enabled, 0, "Enforce extended BSD policy");
-TUNABLE_INT("security.mac.bsdextended.enabled", &mac_bsdextended_enabled);
+    &ugidfw_enabled, 0, "Enforce extended BSD policy");
+TUNABLE_INT("security.mac.bsdextended.enabled", &ugidfw_enabled);
 
 MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule");
 
@@ -96,23 +96,22 @@ SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD,
  * This is just used for logging purposes, eventually we would like to log
  * much more then failed requests.
  */
-static int mac_bsdextended_logging;
+static int ugidfw_logging;
 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW,
-    &mac_bsdextended_logging, 0, "Log failed authorization requests");
+    &ugidfw_logging, 0, "Log failed authorization requests");
 
 /*
  * This tunable is here for compatibility.  It will allow the user to switch
  * between the new mode (first rule matches) and the old functionality (all
  * rules match).
  */
-static int
-mac_bsdextended_firstmatch_enabled;
+static int ugidfw_firstmatch_enabled;
 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
-    CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1,
+    CTLFLAG_RW, &ugidfw_firstmatch_enabled, 1,
     "Disable/enable match first rule functionality");
 
 static int
-mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule)
+ugidfw_rule_valid(struct mac_bsdextended_rule *rule)
 {
 
 	if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
@@ -156,7 +155,7 @@ sysctl_rule(SYSCTL_HANDLER_ARGS)
 		    sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK | M_ZERO);
 	}
 
-	mtx_lock(&mac_bsdextended_mtx);
+	mtx_lock(&ugidfw_mtx);
 	if (req->oldptr) {
 		if (index < 0 || index > rule_slots + 1) {
 			error = ENOENT;
@@ -178,7 +177,7 @@ sysctl_rule(SYSCTL_HANDLER_ARGS)
 		rule_count--;
 		rules[index] = NULL;
 	} else if (req->newptr) {
-		error = mac_bsdextended_rule_valid(&temprule);
+		error = ugidfw_rule_valid(&temprule);
 		if (error)
 			goto out;
 		if (rules[index] == NULL) {
@@ -192,7 +191,7 @@ sysctl_rule(SYSCTL_HANDLER_ARGS)
 			*rules[index] = temprule;
 	}
 out:
-	mtx_unlock(&mac_bsdextended_mtx);
+	mtx_unlock(&ugidfw_mtx);
 	if (ruleptr != NULL)
 		FREE(ruleptr, M_MACBSDEXTENDED);
 	if (req->oldptr && error == 0)
@@ -204,21 +203,21 @@ SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules, CTLFLAG_RW,
     sysctl_rule, "BSD extended MAC rules");
 
 static void
-mac_bsdextended_init(struct mac_policy_conf *mpc)
+ugidfw_init(struct mac_policy_conf *mpc)
 {
 
-	mtx_init(&mac_bsdextended_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
+	mtx_init(&ugidfw_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
 }
 
 static void
-mac_bsdextended_destroy(struct mac_policy_conf *mpc)
+ugidfw_destroy(struct mac_policy_conf *mpc)
 {
 
-	mtx_destroy(&mac_bsdextended_mtx);
+	mtx_destroy(&ugidfw_mtx);
 }
 
 static int
-mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
+ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
     struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
 {
 	int match;
@@ -227,7 +226,7 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
 	/*
 	 * Is there a subject match?
 	 */
-	mtx_assert(&mac_bsdextended_mtx, MA_OWNED);
+	mtx_assert(&ugidfw_mtx, MA_OWNED);
 	if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) {
 		match =  ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max &&
 		    cred->cr_uid >= rule->mbr_subject.mbs_uid_min) ||
@@ -375,7 +374,7 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
 	 * Is the access permitted?
 	 */
 	if ((rule->mbr_mode & acc_mode) != acc_mode) {
-		if (mac_bsdextended_logging)
+		if (ugidfw_logging)
 			log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
 			    " on %d:%d failed. \n", cred->cr_ruid,
 			    cred->cr_rgid, acc_mode, vap->va_uid,
@@ -387,14 +386,14 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
 	 * If the rule matched, permits access, and first match is enabled,
 	 * return success.
 	 */
-	if (mac_bsdextended_firstmatch_enabled)
+	if (ugidfw_firstmatch_enabled)
 		return (EJUSTRETURN);
 	else
 		return (0);
 }
 
 static int
-mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
+ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
     int acc_mode)
 {
 	int error, i;
@@ -412,341 +411,340 @@ mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
 		acc_mode &= ~MBI_APPEND;
 		acc_mode |= MBI_WRITE;
 	}
-	mtx_lock(&mac_bsdextended_mtx);
+	mtx_lock(&ugidfw_mtx);
 	for (i = 0; i < rule_slots; i++) {
 		if (rules[i] == NULL)
 			continue;
-		error = mac_bsdextended_rulecheck(rules[i], cred,
+		error = ugidfw_rulecheck(rules[i], cred,
 		    vp, vap, acc_mode);
 		if (error == EJUSTRETURN)
 			break;
 		if (error) {
-			mtx_unlock(&mac_bsdextended_mtx);
+			mtx_unlock(&ugidfw_mtx);
 			return (error);
 		}
 	}
-	mtx_unlock(&mac_bsdextended_mtx);
+	mtx_unlock(&ugidfw_mtx);
 	return (0);
 }
 
 static int
-mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
+ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
 {
 	int error;
 	struct vattr vap;
 
-	if (!mac_bsdextended_enabled)
+	if (!ugidfw_enabled)
 		return (0);
 	error = VOP_GETATTR(vp, &vap, cred, curthread);
 	if (error)
 		return (error);
-	return (mac_bsdextended_check(cred, vp, &vap, acc_mode));
+	return (ugidfw_check(cred, vp, &vap, acc_mode));
 }
 
 static int
-mac_bsdextended_system_check_acct(struct ucred *cred, struct vnode *vp,
+ugidfw_system_check_acct(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
 }
 
 static int
-mac_bsdextended_system_check_auditctl(struct ucred *cred, struct vnode *vp,
+ugidfw_system_check_auditctl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
 }
 
 static int
-mac_bsdextended_system_check_swapoff(struct ucred *cred, struct vnode *vp,
+ugidfw_system_check_swapoff(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
 }
 
 static int
-mac_bsdextended_system_check_swapon(struct ucred *cred, struct vnode *vp,
+ugidfw_system_check_swapon(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
 }
 
 static int
-mac_bsdextended_vnode_check_access(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_access(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int acc_mode)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, acc_mode));
+	return (ugidfw_check_vp(cred, vp, acc_mode));
 }
 
 static int
-mac_bsdextended_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
+ugidfw_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 
-	return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
+	return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
 }
 
 static int
-mac_bsdextended_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
+ugidfw_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 
-	return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
+	return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
 }
 
 static int
-mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
+ugidfw_check_create_vnode(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
 {
 
-	return (mac_bsdextended_check_vp(cred, dvp, MBI_WRITE));
+	return (ugidfw_check_vp(cred, dvp, MBI_WRITE));
 }
 
 static int
-mac_bsdextended_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
 }
 
 static int
-mac_bsdextended_vnode_check_deleteextattr(struct ucred *cred,
-    struct vnode *vp, struct label *vplabel, int attrnamespace,
-    const char *name)
+ugidfw_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, int attrnamespace, const char *name)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
 }
 
 static int
-mac_bsdextended_vnode_check_exec(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_exec(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct image_params *imgp,
     struct label *execlabel)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_READ|MBI_EXEC));
+	return (ugidfw_check_vp(cred, vp, MBI_READ|MBI_EXEC));
 }
 
 static int
-mac_bsdextended_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_STAT));
+	return (ugidfw_check_vp(cred, vp, MBI_STAT));
 }
 
 static int
-mac_bsdextended_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name,
     struct uio *uio)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
+	return (ugidfw_check_vp(cred, vp, MBI_READ));
 }
 
 static int
-mac_bsdextended_vnode_check_link(struct ucred *cred, struct vnode *dvp,
+ugidfw_vnode_check_link(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *label,
     struct componentname *cnp)
 {
 	int error;
 
-	error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
+	error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
 	if (error)
 		return (error);
-	error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE);
+	error = ugidfw_check_vp(cred, vp, MBI_WRITE);
 	if (error)
 		return (error);
 	return (0);
 }
 
 static int
-mac_bsdextended_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
+	return (ugidfw_check_vp(cred, vp, MBI_READ));
 }
 
 static int
-mac_bsdextended_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
+ugidfw_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp)
 {
 
-	return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
+	return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
 }
 
 static int
-mac_bsdextended_vnode_check_open(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_open(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int acc_mode)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, acc_mode));
+	return (ugidfw_check_vp(cred, vp, acc_mode));
 }
 
 static int
-mac_bsdextended_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
+ugidfw_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 
-	return (mac_bsdextended_check_vp(cred, dvp, MBI_READ));
+	return (ugidfw_check_vp(cred, dvp, MBI_READ));
 }
 
 static int
-mac_bsdextended_vnode_check_readdlink(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_readdlink(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
+	return (ugidfw_check_vp(cred, vp, MBI_READ));
 }
 
 static int
-mac_bsdextended_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
+ugidfw_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 	int error;
 
-	error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
+	error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
 	if (error)
 		return (error);
-	return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
 }
 
 static int
-mac_bsdextended_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
+ugidfw_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     int samedir, struct componentname *cnp)
 {
 	int error;
 
-	error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
+	error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
 	if (error)
 		return (error);
 	if (vp != NULL)
-		error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE);
+		error = ugidfw_check_vp(cred, vp, MBI_WRITE);
 	return (error);
 }
 
 static int
-mac_bsdextended_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
 }
 
 static int
-mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
+ugidfw_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type, struct acl *acl)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
 }
 
 static int
-mac_bsdextended_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name,
     struct uio *uio)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
 }
 
 static int
-mac_bsdextended_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, u_long flags)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
 }
 
 static int
-mac_bsdextended_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, mode_t mode)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
 }
 
 static int
-mac_bsdextended_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, uid_t uid, gid_t gid)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
 }
 
 static int
-mac_bsdextended_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
+ugidfw_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct timespec atime, struct timespec utime)
 {
 
-	return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
 }
 
 static int
-mac_bsdextended_vnode_check_stat(struct ucred *active_cred,
+ugidfw_vnode_check_stat(struct ucred *active_cred,
     struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
 {
 
-	return (mac_bsdextended_check_vp(active_cred, vp, MBI_STAT));
+	return (ugidfw_check_vp(active_cred, vp, MBI_STAT));
 }
 
 static int
-mac_bsdextended_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
+ugidfw_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
 	int error;
 
-	error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
+	error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
 	if (error)
 		return (error);
-	return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
 }
 
-static struct mac_policy_ops mac_bsdextended_ops =
+static struct mac_policy_ops ugidfw_ops =
 {
-	.mpo_destroy = mac_bsdextended_destroy,
-	.mpo_init = mac_bsdextended_init,
-	.mpo_system_check_acct = mac_bsdextended_system_check_acct,
-	.mpo_system_check_auditctl = mac_bsdextended_system_check_auditctl,
-	.mpo_system_check_swapoff = mac_bsdextended_system_check_swapoff,
-	.mpo_system_check_swapon = mac_bsdextended_system_check_swapon,
-	.mpo_vnode_check_access = mac_bsdextended_vnode_check_access,
-	.mpo_vnode_check_chdir = mac_bsdextended_vnode_check_chdir,
-	.mpo_vnode_check_chroot = mac_bsdextended_vnode_check_chroot,
-	.mpo_vnode_check_create = mac_bsdextended_check_create_vnode,
-	.mpo_vnode_check_deleteacl = mac_bsdextended_vnode_check_deleteacl,
-	.mpo_vnode_check_deleteextattr = mac_bsdextended_vnode_check_deleteextattr,
-	.mpo_vnode_check_exec = mac_bsdextended_vnode_check_exec,
-	.mpo_vnode_check_getacl = mac_bsdextended_vnode_check_getacl,
-	.mpo_vnode_check_getextattr = mac_bsdextended_vnode_check_getextattr,
-	.mpo_vnode_check_link = mac_bsdextended_vnode_check_link,
-	.mpo_vnode_check_listextattr = mac_bsdextended_vnode_check_listextattr,
-	.mpo_vnode_check_lookup = mac_bsdextended_vnode_check_lookup,
-	.mpo_vnode_check_open = mac_bsdextended_vnode_check_open,
-	.mpo_vnode_check_readdir = mac_bsdextended_vnode_check_readdir,
-	.mpo_vnode_check_readlink = mac_bsdextended_vnode_check_readdlink,
-	.mpo_vnode_check_rename_from = mac_bsdextended_vnode_check_rename_from,
-	.mpo_vnode_check_rename_to = mac_bsdextended_vnode_check_rename_to,
-	.mpo_vnode_check_revoke = mac_bsdextended_vnode_check_revoke,
-	.mpo_vnode_check_setacl = mac_bsdextended_check_setacl_vnode,
-	.mpo_vnode_check_setextattr = mac_bsdextended_vnode_check_setextattr,
-	.mpo_vnode_check_setflags = mac_bsdextended_vnode_check_setflags,
-	.mpo_vnode_check_setmode = mac_bsdextended_vnode_check_setmode,
-	.mpo_vnode_check_setowner = mac_bsdextended_vnode_check_setowner,
-	.mpo_vnode_check_setutimes = mac_bsdextended_vnode_check_setutimes,
-	.mpo_vnode_check_stat = mac_bsdextended_vnode_check_stat,
-	.mpo_vnode_check_unlink = mac_bsdextended_vnode_check_unlink,
+	.mpo_destroy = ugidfw_destroy,
+	.mpo_init = ugidfw_init,
+	.mpo_system_check_acct = ugidfw_system_check_acct,
+	.mpo_system_check_auditctl = ugidfw_system_check_auditctl,
+	.mpo_system_check_swapoff = ugidfw_system_check_swapoff,
+	.mpo_system_check_swapon = ugidfw_system_check_swapon,
+	.mpo_vnode_check_access = ugidfw_vnode_check_access,
+	.mpo_vnode_check_chdir = ugidfw_vnode_check_chdir,
+	.mpo_vnode_check_chroot = ugidfw_vnode_check_chroot,
+	.mpo_vnode_check_create = ugidfw_check_create_vnode,
+	.mpo_vnode_check_deleteacl = ugidfw_vnode_check_deleteacl,
+	.mpo_vnode_check_deleteextattr = ugidfw_vnode_check_deleteextattr,
+	.mpo_vnode_check_exec = ugidfw_vnode_check_exec,
+	.mpo_vnode_check_getacl = ugidfw_vnode_check_getacl,
+	.mpo_vnode_check_getextattr = ugidfw_vnode_check_getextattr,
+	.mpo_vnode_check_link = ugidfw_vnode_check_link,
+	.mpo_vnode_check_listextattr = ugidfw_vnode_check_listextattr,
+	.mpo_vnode_check_lookup = ugidfw_vnode_check_lookup,
+	.mpo_vnode_check_open = ugidfw_vnode_check_open,
+	.mpo_vnode_check_readdir = ugidfw_vnode_check_readdir,
+	.mpo_vnode_check_readlink = ugidfw_vnode_check_readdlink,
+	.mpo_vnode_check_rename_from = ugidfw_vnode_check_rename_from,
+	.mpo_vnode_check_rename_to = ugidfw_vnode_check_rename_to,
+	.mpo_vnode_check_revoke = ugidfw_vnode_check_revoke,
+	.mpo_vnode_check_setacl = ugidfw_check_setacl_vnode,
+	.mpo_vnode_check_setextattr = ugidfw_vnode_check_setextattr,
+	.mpo_vnode_check_setflags = ugidfw_vnode_check_setflags,
+	.mpo_vnode_check_setmode = ugidfw_vnode_check_setmode,
+	.mpo_vnode_check_setowner = ugidfw_vnode_check_setowner,
+	.mpo_vnode_check_setutimes = ugidfw_vnode_check_setutimes,
+	.mpo_vnode_check_stat = ugidfw_vnode_check_stat,
+	.mpo_vnode_check_unlink = ugidfw_vnode_check_unlink,
 };
 
-MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended,
-    "TrustedBSD MAC/BSD Extended", MPC_LOADTIME_FLAG_UNLOADOK, NULL);
+MAC_POLICY_SET(&ugidfw_ops, mac_bsdextended, "TrustedBSD MAC/BSD Extended",
+    MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_ifoff/mac_ifoff.c

@@ -40,6 +40,7 @@
 
 /*
  * Developed by the TrustedBSD Project.
+ *
  * Limit access to interfaces until they are specifically administratively
  * enabled.  Prevents protocol stack-driven packet leakage in unsafe
  * environments.
@@ -61,38 +62,38 @@ SYSCTL_DECL(_security_mac);
 SYSCTL_NODE(_security_mac, OID_AUTO, ifoff, CTLFLAG_RW, 0,
     "TrustedBSD mac_ifoff policy controls");
 
-static int	mac_ifoff_enabled = 1;
+static int	ifoff_enabled = 1;
 SYSCTL_INT(_security_mac_ifoff, OID_AUTO, enabled, CTLFLAG_RW,
-    &mac_ifoff_enabled, 0, "Enforce ifoff policy");
-TUNABLE_INT("security.mac.ifoff.enabled", &mac_ifoff_enabled);
+    &ifoff_enabled, 0, "Enforce ifoff policy");
+TUNABLE_INT("security.mac.ifoff.enabled", &ifoff_enabled);
 
-static int	mac_ifoff_lo_enabled = 1;
+static int	ifoff_lo_enabled = 1;
 SYSCTL_INT(_security_mac_ifoff, OID_AUTO, lo_enabled, CTLFLAG_RW,
-    &mac_ifoff_lo_enabled, 0, "Enable loopback interfaces");
-TUNABLE_INT("security.mac.ifoff.lo_enabled", &mac_ifoff_lo_enabled);
+    &ifoff_lo_enabled, 0, "Enable loopback interfaces");
+TUNABLE_INT("security.mac.ifoff.lo_enabled", &ifoff_lo_enabled);
 
-static int	mac_ifoff_other_enabled = 0;
+static int	ifoff_other_enabled = 0;
 SYSCTL_INT(_security_mac_ifoff, OID_AUTO, other_enabled, CTLFLAG_RW,
-    &mac_ifoff_other_enabled, 0, "Enable other interfaces");
-TUNABLE_INT("security.mac.ifoff.other_enabled", &mac_ifoff_other_enabled);
+    &ifoff_other_enabled, 0, "Enable other interfaces");
+TUNABLE_INT("security.mac.ifoff.other_enabled", &ifoff_other_enabled);
 
-static int	mac_ifoff_bpfrecv_enabled = 0;
+static int	ifoff_bpfrecv_enabled = 0;
 SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW,
-    &mac_ifoff_bpfrecv_enabled, 0, "Enable BPF reception even when interface "
+    &ifoff_bpfrecv_enabled, 0, "Enable BPF reception even when interface "
     "is disabled");
-TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled);
+TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &ifoff_bpfrecv_enabled);
 
 static int
 ifnet_check_outgoing(struct ifnet *ifp)
 {
 
-	if (!mac_ifoff_enabled)
+	if (!ifoff_enabled)
 		return (0);
 
-	if (mac_ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
+	if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
 		return (0);
 
-	if (mac_ifoff_other_enabled && ifp->if_type != IFT_LOOP)
+	if (ifoff_other_enabled && ifp->if_type != IFT_LOOP)
 		return (0);
 
 	return (EPERM);
@@ -101,23 +102,23 @@ ifnet_check_outgoing(struct ifnet *ifp)
 static int
 ifnet_check_incoming(struct ifnet *ifp, int viabpf)
 {
-	if (!mac_ifoff_enabled)
+	if (!ifoff_enabled)
 		return (0);
 
-	if (mac_ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
+	if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
 		return (0);
 
-	if (mac_ifoff_other_enabled && ifp->if_type != IFT_LOOP)
+	if (ifoff_other_enabled && ifp->if_type != IFT_LOOP)
 		return (0);
 
-	if (viabpf && mac_ifoff_bpfrecv_enabled)
+	if (viabpf && ifoff_bpfrecv_enabled)
 		return (0);
 
 	return (EPERM);
 }
 
 static int
-mac_ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
+ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
     struct ifnet *ifp, struct label *ifplabel)
 {
 
@@ -125,7 +126,7 @@ mac_ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
 }
 
 static int
-mac_ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
+ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
@@ -133,7 +134,7 @@ mac_ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
 }
 
 static int
-mac_ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
+ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
@@ -145,7 +146,7 @@ mac_ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
 }
 
 static int
-mac_ifoff_socket_check_deliver(struct socket *so, struct label *solabel,
+ifoff_socket_check_deliver(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 
@@ -156,13 +157,13 @@ mac_ifoff_socket_check_deliver(struct socket *so, struct label *solabel,
 	return (0);
 }
 
-static struct mac_policy_ops mac_ifoff_ops =
+static struct mac_policy_ops ifoff_ops =
 {
-	.mpo_bpfdesc_check_receive = mac_ifoff_bpfdesc_check_receive,
-	.mpo_ifnet_check_transmit = mac_ifoff_ifnet_check_transmit,
-	.mpo_inpcb_check_deliver = mac_ifoff_inpcb_check_deliver,
-	.mpo_socket_check_deliver = mac_ifoff_socket_check_deliver,
+	.mpo_bpfdesc_check_receive = ifoff_bpfdesc_check_receive,
+	.mpo_ifnet_check_transmit = ifoff_ifnet_check_transmit,
+	.mpo_inpcb_check_deliver = ifoff_inpcb_check_deliver,
+	.mpo_socket_check_deliver = ifoff_socket_check_deliver,
 };
 
-MAC_POLICY_SET(&mac_ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff",
+MAC_POLICY_SET(&ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff",
     MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_none/mac_none.c

@@ -48,9 +48,9 @@
 
 #include <security/mac/mac_policy.h>
 
-static struct mac_policy_ops mac_none_ops =
+static struct mac_policy_ops none_ops =
 {
 };
 
-MAC_POLICY_SET(&mac_none_ops, mac_none, "TrustedBSD MAC/None",
+MAC_POLICY_SET(&none_ops, mac_none, "TrustedBSD MAC/None",
     MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_partition/mac_partition.c

@@ -40,6 +40,7 @@
 
 /*
  * Developed by the TrustedBSD Project.
+ *
  * Experiment with a partition-like model.
  */
 
@@ -69,28 +70,28 @@ static int	partition_slot;
 #define	SLOT_SET(l, v)	mac_label_set((l), partition_slot, (v))
 
 static void
-mac_partition_init_label(struct label *label)
+partition_init_label(struct label *label)
 {
 
 	SLOT_SET(label, 0);
 }
 
 static void
-mac_partition_destroy_label(struct label *label)
+partition_destroy_label(struct label *label)
 {
 
 	SLOT_SET(label, 0);
 }
 
 static void
-mac_partition_copy_label(struct label *src, struct label *dest)
+partition_copy_label(struct label *src, struct label *dest)
 {
 
 	SLOT_SET(dest, SLOT(src));
 }
 
 static int
-mac_partition_externalize_label(struct label *label, char *element_name,
+partition_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
 {
 
@@ -106,7 +107,7 @@ mac_partition_externalize_label(struct label *label, char *element_name,
 }
 
 static int
-mac_partition_internalize_label(struct label *label, char *element_name,
+partition_internalize_label(struct label *label, char *element_name,
     char *element_data, int *claimed)
 {
 
@@ -119,21 +120,21 @@ mac_partition_internalize_label(struct label *label, char *element_name,
 }
 
 static void
-mac_partition_proc_create_swapper(struct ucred *cred)
+partition_proc_create_swapper(struct ucred *cred)
 {
 
 	SLOT_SET(cred->cr_label, 0);
 }
 
 static void
-mac_partition_proc_create_init(struct ucred *cred)
+partition_proc_create_init(struct ucred *cred)
 {
 
 	SLOT_SET(cred->cr_label, 0);
 }
 
 static void
-mac_partition_cred_relabel(struct ucred *cred, struct label *newlabel)
+partition_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 
 	if (SLOT(newlabel) != 0)
@@ -157,7 +158,7 @@ label_on_label(struct label *subject, struct label *object)
 }
 
 static int
-mac_partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
+partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
 	int error;
 
@@ -167,9 +168,9 @@ mac_partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 	if (SLOT(newlabel) != 0) {
 		/*
 		 * Require BSD privilege in order to change the partition.
-		 * Originally we also required that the process not be
-		 * in a partition in the first place, but this didn't
-		 * interact well with sendmail.
+		 * Originally we also required that the process not be in a
+		 * partition in the first place, but this didn't interact
+		 * well with sendmail.
 		 */
 		error = priv_check_cred(cred, PRIV_MAC_PARTITION, 0);
 	}
@@ -178,7 +179,7 @@ mac_partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 }
 
 static int
-mac_partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
+partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 {
 	int error;
 
@@ -188,7 +189,7 @@ mac_partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 }
 
 static int
-mac_partition_proc_check_debug(struct ucred *cred, struct proc *p)
+partition_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	int error;
 
@@ -198,7 +199,7 @@ mac_partition_proc_check_debug(struct ucred *cred, struct proc *p)
 }
 
 static int
-mac_partition_proc_check_sched(struct ucred *cred, struct proc *p)
+partition_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 	int error;
 
@@ -208,7 +209,7 @@ mac_partition_proc_check_sched(struct ucred *cred, struct proc *p)
 }
 
 static int
-mac_partition_proc_check_signal(struct ucred *cred, struct proc *p,
+partition_proc_check_signal(struct ucred *cred, struct proc *p,
     int signum)
 {
 	int error;
@@ -219,7 +220,7 @@ mac_partition_proc_check_signal(struct ucred *cred, struct proc *p,
 }
 
 static int
-mac_partition_socket_check_visible(struct ucred *cred, struct socket *so,
+partition_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 	int error;
@@ -230,7 +231,7 @@ mac_partition_socket_check_visible(struct ucred *cred, struct socket *so,
 }
 
 static int
-mac_partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
+partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct image_params *imgp,
     struct label *execlabel)
 {
@@ -248,24 +249,24 @@ mac_partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
 	return (0);
 }
 
-static struct mac_policy_ops mac_partition_ops =
+static struct mac_policy_ops partition_ops =
 {
-	.mpo_cred_init_label = mac_partition_init_label,
-	.mpo_cred_destroy_label = mac_partition_destroy_label,
-	.mpo_cred_copy_label = mac_partition_copy_label,
-	.mpo_cred_externalize_label = mac_partition_externalize_label,
-	.mpo_cred_internalize_label = mac_partition_internalize_label,
-	.mpo_proc_create_swapper = mac_partition_proc_create_swapper,
-	.mpo_proc_create_init = mac_partition_proc_create_init,
-	.mpo_cred_relabel = mac_partition_cred_relabel,
-	.mpo_cred_check_relabel = mac_partition_cred_check_relabel,
-	.mpo_cred_check_visible = mac_partition_cred_check_visible,
-	.mpo_proc_check_debug = mac_partition_proc_check_debug,
-	.mpo_proc_check_sched = mac_partition_proc_check_sched,
-	.mpo_proc_check_signal = mac_partition_proc_check_signal,
-	.mpo_socket_check_visible = mac_partition_socket_check_visible,
-	.mpo_vnode_check_exec = mac_partition_vnode_check_exec,
+	.mpo_cred_init_label = partition_init_label,
+	.mpo_cred_destroy_label = partition_destroy_label,
+	.mpo_cred_copy_label = partition_copy_label,
+	.mpo_cred_externalize_label = partition_externalize_label,
+	.mpo_cred_internalize_label = partition_internalize_label,
+	.mpo_proc_create_swapper = partition_proc_create_swapper,
+	.mpo_proc_create_init = partition_proc_create_init,
+	.mpo_cred_relabel = partition_cred_relabel,
+	.mpo_cred_check_relabel = partition_cred_check_relabel,
+	.mpo_cred_check_visible = partition_cred_check_visible,
+	.mpo_proc_check_debug = partition_proc_check_debug,
+	.mpo_proc_check_sched = partition_proc_check_sched,
+	.mpo_proc_check_signal = partition_proc_check_signal,
+	.mpo_socket_check_visible = partition_socket_check_visible,
+	.mpo_vnode_check_exec = partition_vnode_check_exec,
 };
 
-MAC_POLICY_SET(&mac_partition_ops, mac_partition, "TrustedBSD MAC/Partition",
+MAC_POLICY_SET(&partition_ops, mac_partition, "TrustedBSD MAC/Partition",
     MPC_LOADTIME_FLAG_UNLOADOK, &partition_slot);

sys/security/mac_portacl/mac_portacl.c

@@ -48,15 +48,15 @@
  * out-going connections where the process hasn't explicitly selected a port:
  * these are automatically selected by the IP stack.
  *
- * To use this module, security.mac.enforce_socket must be enabled, and
- * you will probably want to twiddle the net.inet sysctl listed above.
- * Then use sysctl(8) to modify the rules string:
+ * To use this module, security.mac.enforce_socket must be enabled, and you
+ * will probably want to twiddle the net.inet sysctl listed above.  Then use
+ * sysctl(8) to modify the rules string:
  *
  * # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"
  *
- * This ruleset, for example, permits uid 425 to bind TCP ports 80 (http)
- * and 79 (finger).  User names and group names can't be used directly
- * because the kernel only knows about uids and gids.
+ * This ruleset, for example, permits uid 425 to bind TCP ports 80 (http) and
+ * 79 (finger).  User names and group names can't be used directly because
+ * the kernel only knows about uids and gids.
  */
 
 #include <sys/param.h>
@@ -86,30 +86,30 @@ SYSCTL_DECL(_security_mac);
 SYSCTL_NODE(_security_mac, OID_AUTO, portacl, CTLFLAG_RW, 0,
     "TrustedBSD mac_portacl policy controls");
 
-static int	mac_portacl_enabled = 1;
+static int	portacl_enabled = 1;
 SYSCTL_INT(_security_mac_portacl, OID_AUTO, enabled, CTLFLAG_RW,
-    &mac_portacl_enabled, 0, "Enforce portacl policy");
-TUNABLE_INT("security.mac.portacl.enabled", &mac_portacl_enabled);
+    &portacl_enabled, 0, "Enforce portacl policy");
+TUNABLE_INT("security.mac.portacl.enabled", &portacl_enabled);
 
-static int	mac_portacl_suser_exempt = 1;
+static int	portacl_suser_exempt = 1;
 SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RW,
-    &mac_portacl_suser_exempt, 0, "Privilege permits binding of any port");
+    &portacl_suser_exempt, 0, "Privilege permits binding of any port");
 TUNABLE_INT("security.mac.portacl.suser_exempt",
-    &mac_portacl_suser_exempt);
+    &portacl_suser_exempt);
 
-static int	mac_portacl_autoport_exempt = 1;
+static int	portacl_autoport_exempt = 1;
 SYSCTL_INT(_security_mac_portacl, OID_AUTO, autoport_exempt, CTLFLAG_RW,
-    &mac_portacl_autoport_exempt, 0, "Allow automatic allocation through "
+    &portacl_autoport_exempt, 0, "Allow automatic allocation through "
     "binding port 0 if not IP_PORTRANGELOW");
 TUNABLE_INT("security.mac.portacl.autoport_exempt",
-    &mac_portacl_autoport_exempt);
+    &portacl_autoport_exempt);
 
-static int	mac_portacl_port_high = 1023;
+static int	portacl_port_high = 1023;
 SYSCTL_INT(_security_mac_portacl, OID_AUTO, port_high, CTLFLAG_RW,
-    &mac_portacl_port_high, 0, "Highest port to enforce for");
-TUNABLE_INT("security.mac.portacl.port_high", &mac_portacl_port_high);
+    &portacl_port_high, 0, "Highest port to enforce for");
+TUNABLE_INT("security.mac.portacl.port_high", &portacl_port_high);
 
-MALLOC_DEFINE(M_PORTACL, "mac_portacl_rule", "Rules for mac_portacl");
+MALLOC_DEFINE(M_PORTACL, "portacl_rule", "Rules for mac_portacl");
 
 #define	MAC_RULE_STRING_LEN	1024
 
@@ -389,7 +389,7 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port)
 	    cred->cr_uid, family, type, port);
 #endif
 
-	if (port > mac_portacl_port_high)
+	if (port > portacl_port_high)
 		return (0);
 
 	error = EPERM;
@@ -422,7 +422,7 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port)
 	}
 	mtx_unlock(&rule_mtx);
 
-	if (error != 0 && mac_portacl_suser_exempt != 0)
+	if (error != 0 && portacl_suser_exempt != 0)
 		error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0);
 
 	return (error);
@@ -443,7 +443,7 @@ socket_check_bind(struct ucred *cred, struct socket *so,
 	u_int16_t port;
 
 	/* Only run if we are enabled. */
-	if (mac_portacl_enabled == 0)
+	if (portacl_enabled == 0)
 		return (0);
 
 	/* Only interested in IPv4 and IPv6 sockets. */
@@ -473,7 +473,7 @@ socket_check_bind(struct ucred *cred, struct socket *so,
 	 * flag exempts port 0 allocation from rule checking as long as a low
 	 * port isn't required.
 	 */
-	if (mac_portacl_autoport_exempt && port == 0) {
+	if (portacl_autoport_exempt && port == 0) {
 		inp = sotoinpcb(so);
 		if ((inp->inp_flags & INP_LOWPORT) == 0)
 			return (0);
@@ -482,12 +482,12 @@ socket_check_bind(struct ucred *cred, struct socket *so,
 	return (rules_check(cred, family, type, port));
 }
 
-static struct mac_policy_ops mac_portacl_ops =
+static struct mac_policy_ops portacl_ops =
 {
 	.mpo_destroy = destroy,
 	.mpo_init = init,
 	.mpo_socket_check_bind = socket_check_bind,
 };
 
-MAC_POLICY_SET(&mac_portacl_ops, trustedbsd_mac_portacl,
-    "TrustedBSD MAC/portacl", MPC_LOADTIME_FLAG_UNLOADOK, NULL);
+MAC_POLICY_SET(&portacl_ops, mac_portacl, "TrustedBSD MAC/portacl",
+    MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_seeotheruids/mac_seeotheruids.c

@@ -61,9 +61,9 @@ SYSCTL_DECL(_security_mac);
 SYSCTL_NODE(_security_mac, OID_AUTO, seeotheruids, CTLFLAG_RW, 0,
     "TrustedBSD mac_seeotheruids policy controls");
 
-static int	mac_seeotheruids_enabled = 1;
+static int	seeotheruids_enabled = 1;
 SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, enabled, CTLFLAG_RW,
-    &mac_seeotheruids_enabled, 0, "Enforce seeotheruids policy");
+    &seeotheruids_enabled, 0, "Enforce seeotheruids policy");
 
 /*
  * Exception: allow credentials to be aware of other credentials with the
@@ -97,10 +97,10 @@ SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, specificgid, CTLFLAG_RW,
     &specificgid, 0, "Specific gid to be exempt from seeotheruids policy");
 
 static int
-mac_seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
+seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
 {
 
-	if (!mac_seeotheruids_enabled)
+	if (!seeotheruids_enabled)
 		return (0);
 
 	if (primarygroup_enabled) {
@@ -126,50 +126,50 @@ mac_seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
 }
 
 static int
-mac_seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
+seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 {
 
-	return (mac_seeotheruids_check(cr1, cr2));
+	return (seeotheruids_check(cr1, cr2));
 }
 
 static int
-mac_seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p,
+seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p,
     int signum)
 {
 
-	return (mac_seeotheruids_check(cred, p->p_ucred));
+	return (seeotheruids_check(cred, p->p_ucred));
 }
 
 static int
-mac_seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p)
+seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 
-	return (mac_seeotheruids_check(cred, p->p_ucred));
+	return (seeotheruids_check(cred, p->p_ucred));
 }
 
 static int
-mac_seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p)
+seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 
-	return (mac_seeotheruids_check(cred, p->p_ucred));
+	return (seeotheruids_check(cred, p->p_ucred));
 }
 
 static int
-mac_seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
+seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
-	return (mac_seeotheruids_check(cred, so->so_cred));
+	return (seeotheruids_check(cred, so->so_cred));
 }
 
-static struct mac_policy_ops mac_seeotheruids_ops =
+static struct mac_policy_ops seeotheruids_ops =
 {
-	.mpo_cred_check_visible = mac_seeotheruids_cred_check_visible,
-	.mpo_proc_check_debug = mac_seeotheruids_proc_check_debug,
-	.mpo_proc_check_sched = mac_seeotheruids_proc_check_sched,
-	.mpo_proc_check_signal = mac_seeotheruids_proc_check_signal,
-	.mpo_socket_check_visible = mac_seeotheruids_socket_check_visible,
+	.mpo_cred_check_visible = seeotheruids_cred_check_visible,
+	.mpo_proc_check_debug = seeotheruids_proc_check_debug,
+	.mpo_proc_check_sched = seeotheruids_proc_check_sched,
+	.mpo_proc_check_signal = seeotheruids_proc_check_signal,
+	.mpo_socket_check_visible = seeotheruids_socket_check_visible,
 };
 
-MAC_POLICY_SET(&mac_seeotheruids_ops, mac_seeotheruids,
+MAC_POLICY_SET(&seeotheruids_ops, mac_seeotheruids,
     "TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_stub/mac_stub.c

@@ -1434,7 +1434,7 @@ stub_priv_grant(struct ucred *cred, int priv)
 	return (EPERM);
 }
 
-static struct mac_policy_ops mac_stub_ops =
+static struct mac_policy_ops stub_ops =
 {
 	.mpo_destroy = stub_destroy,
 	.mpo_init = stub_init,
@@ -1660,5 +1660,5 @@ static struct mac_policy_ops mac_stub_ops =
 	.mpo_create_mbuf_from_syncache = stub_create_mbuf_from_syncache,
 };
 
-MAC_POLICY_SET(&mac_stub_ops, mac_stub, "TrustedBSD MAC/Stub",
+MAC_POLICY_SET(&stub_ops, mac_stub, "TrustedBSD MAC/Stub",
     MPC_LOADTIME_FLAG_UNLOADOK, NULL);