Introduce support for Mandatory Access Control and extensible

kernel access control.

Teach mount(8) to understand the MNT_MULTILABEL flag, which is used
to determine whether a file system operates with individual per-vnode
labels, or treats the entire file system as a single object with a
single (mount) label.  The behavior here will probably evolve some
now that nmount(2) is available and can more flexibly support mount
options.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

sbin/mount/mntopts.h

@@ -57,6 +57,7 @@ struct mntopt {
 #define MOPT_NOCLUSTERW		{ "clusterw",	1, MNT_NOCLUSTERW, 0 }
 #define MOPT_SUIDDIR		{ "suiddir",	0, MNT_SUIDDIR, 0 }
 #define MOPT_SNAPSHOT		{ "snapshot",	0, MNT_SNAPSHOT, 0 }
+#define MOPT_MULTILABEL		{ "multilabel",	0, MNT_MULTILABEL, 0 }
 
 /* Control flags. */
 #define MOPT_FORCE		{ "force",	0, MNT_FORCE, 0 }
@@ -86,7 +87,8 @@ struct mntopt {
 	MOPT_RDONLY,							\
 	MOPT_UNION,							\
 	MOPT_NOCLUSTERR,						\
-	MOPT_NOCLUSTERW
+	MOPT_NOCLUSTERW,						\
+	MOPT_MULTILABEL
 
 void getmntopts(const char *, const struct mntopt *, int *, int *);
 void rmslashes(char *, char *);

sbin/mount/mount.c

@@ -107,6 +107,7 @@ static struct opt {
 	{ MNT_NOCLUSTERW,	"noclusterw" },
 	{ MNT_SUIDDIR,		"suiddir" },
 	{ MNT_SOFTDEP,		"soft-updates" },
+	{ MNT_MULTILABEL,	"multilabel" },
 	{ 0, NULL }
 };
 
@@ -762,6 +763,7 @@ flags2opts(flags)
 	if (flags & MNT_NOCLUSTERW)	res = catopt(res, "noclusterw");
 	if (flags & MNT_NOSYMFOLLOW)	res = catopt(res, "nosymfollow");
 	if (flags & MNT_SUIDDIR)	res = catopt(res, "suiddir");
+	if (flags & MNT_MULTILABEL)	res = catopt(res, "multilabel");
 
 	return res;
 }