Rename three MAC entry points from _proc_ to _cred_ to reflect the fact

that they operate directly on credentials: mac_proc_create_swapper(),
mac_proc_create_init(), and mac_proc_associate_nfsd().  Update policies.

Obtained from:	TrustedBSD Project

sys/kern/init_main.c

@@ -456,7 +456,7 @@ proc0_init(void *dummy __unused)
 	audit_cred_kproc0(p->p_ucred);
 #endif
 #ifdef MAC
-	mac_proc_create_swapper(p->p_ucred);
+	mac_cred_create_swapper(p->p_ucred);
 #endif
 	td->td_ucred = crhold(p->p_ucred);
 
@@ -736,7 +736,7 @@ create_init(const void *udata __unused)
 	oldcred = initproc->p_ucred;
 	crcopy(newcred, oldcred);
 #ifdef MAC
-	mac_proc_create_init(newcred);
+	mac_cred_create_init(newcred);
 #endif
 #ifdef AUDIT
 	audit_cred_proc1(newcred);

sys/nfsserver/nfs_srvsock.c

@@ -360,7 +360,7 @@ nfs_getreq(struct nfsrv_descript *nd, struct nfsd *nfsd, int has_header)
 		nd->nd_cr->cr_groups[0] = nd->nd_cr->cr_rgid =
 		    nd->nd_cr->cr_svgid = fxdr_unsigned(gid_t, *tl++);
 #ifdef MAC
-		mac_proc_associate_nfsd(nd->nd_cr);
+		mac_cred_associate_nfsd(nd->nd_cr);
 #endif
 		len = fxdr_unsigned(int, *tl);
 		if (len < 0 || len > RPCAUTH_UNIXGIDS) {

sys/security/mac/mac_framework.h

@@ -103,8 +103,11 @@ void	mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);
 void	mac_bpfdesc_destroy(struct bpf_d *);
 void	mac_bpfdesc_init(struct bpf_d *);
 
+void	mac_cred_associate_nfsd(struct ucred *cred);
 int	mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
 void	mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
+void	mac_cred_create_init(struct ucred *cred);
+void	mac_cred_create_swapper(struct ucred *cred);
 void	mac_cred_destroy(struct ucred *);
 void	mac_cred_init(struct ucred *);
 
@@ -227,7 +230,6 @@ void	mac_posixshm_init(struct shmfd *);
 int	mac_priv_check(struct ucred *cred, int priv);
 int	mac_priv_grant(struct ucred *cred, int priv);
 
-void	mac_proc_associate_nfsd(struct ucred *cred);
 int	mac_proc_check_debug(struct ucred *cred, struct proc *p);
 int	mac_proc_check_sched(struct ucred *cred, struct proc *p);
 int	mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
@@ -255,8 +257,6 @@ int	mac_proc_check_setuid(struct proc *p,  struct ucred *cred,
 int	mac_proc_check_signal(struct ucred *cred, struct proc *p,
 	    int signum);
 int	mac_proc_check_wait(struct ucred *cred, struct proc *p);
-void	mac_proc_create_init(struct ucred *cred);
-void	mac_proc_create_swapper(struct ucred *cred);
 void	mac_proc_destroy(struct proc *);
 void	mac_proc_init(struct proc *);
 int	mac_execve_enter(struct image_params *imgp, struct mac *mac_p);

sys/security/mac/mac_policy.h

@@ -128,12 +128,15 @@ typedef void	(*mpo_bpfdesc_create_mbuf_t)(struct bpf_d *d,
 typedef void	(*mpo_bpfdesc_destroy_label_t)(struct label *label);
 typedef void	(*mpo_bpfdesc_init_label_t)(struct label *label);
 
+typedef void	(*mpo_cred_associate_nfsd_t)(struct ucred *cred);
 typedef int	(*mpo_cred_check_relabel_t)(struct ucred *cred,
 		    struct label *newlabel);
 typedef int	(*mpo_cred_check_visible_t)(struct ucred *cr1,
 		    struct ucred *cr2);
 typedef void	(*mpo_cred_copy_label_t)(struct label *src,
 		    struct label *dest);
+typedef void	(*mpo_cred_create_init_t)(struct ucred *cred);
+typedef void	(*mpo_cred_create_swapper_t)(struct ucred *cred);
 typedef void	(*mpo_cred_destroy_label_t)(struct label *label);
 typedef int	(*mpo_cred_externalize_label_t)(struct label *label,
 		    char *element_name, struct sbuf *sb, int *claimed);
@@ -345,7 +348,6 @@ typedef void	(*mpo_posixshm_init_label_t)(struct label *label);
 typedef int	(*mpo_priv_check_t)(struct ucred *cred, int priv);
 typedef int	(*mpo_priv_grant_t)(struct ucred *cred, int priv);
 
-typedef void	(*mpo_proc_associate_nfsd_t)(struct ucred *cred);
 typedef int	(*mpo_proc_check_debug_t)(struct ucred *cred,
 		    struct proc *p);
 typedef int	(*mpo_proc_check_sched_t)(struct ucred *cred,
@@ -373,8 +375,6 @@ typedef int	(*mpo_proc_check_signal_t)(struct ucred *cred,
 		    struct proc *proc, int signum);
 typedef int	(*mpo_proc_check_wait_t)(struct ucred *cred,
 		    struct proc *proc);
-typedef void	(*mpo_proc_create_init_t)(struct ucred *cred);
-typedef void	(*mpo_proc_create_swapper_t)(struct ucred *cred);
 typedef void	(*mpo_proc_destroy_label_t)(struct label *label);
 typedef void	(*mpo_proc_init_label_t)(struct label *label);
 
@@ -674,9 +674,12 @@ struct mac_policy_ops {
 	mpo_bpfdesc_destroy_label_t		mpo_bpfdesc_destroy_label;
 	mpo_bpfdesc_init_label_t		mpo_bpfdesc_init_label;
 
+	mpo_cred_associate_nfsd_t		mpo_cred_associate_nfsd;
 	mpo_cred_check_relabel_t		mpo_cred_check_relabel;
 	mpo_cred_check_visible_t		mpo_cred_check_visible;
 	mpo_cred_copy_label_t			mpo_cred_copy_label;
+	mpo_cred_create_swapper_t		mpo_cred_create_swapper;
+	mpo_cred_create_init_t			mpo_cred_create_init;
 	mpo_cred_destroy_label_t		mpo_cred_destroy_label;
 	mpo_cred_externalize_label_t		mpo_cred_externalize_label;
 	mpo_cred_init_label_t			mpo_cred_init_label;
@@ -790,7 +793,6 @@ struct mac_policy_ops {
 	mpo_priv_check_t			mpo_priv_check;
 	mpo_priv_grant_t			mpo_priv_grant;
 
-	mpo_proc_associate_nfsd_t		mpo_proc_associate_nfsd;
 	mpo_proc_check_debug_t			mpo_proc_check_debug;
 	mpo_proc_check_sched_t			mpo_proc_check_sched;
 	mpo_proc_check_setaudit_t		mpo_proc_check_setaudit;
@@ -807,8 +809,6 @@ struct mac_policy_ops {
 	mpo_proc_check_setresgid_t		mpo_proc_check_setresgid;
 	mpo_proc_check_signal_t			mpo_proc_check_signal;
 	mpo_proc_check_wait_t			mpo_proc_check_wait;
-	mpo_proc_create_swapper_t		mpo_proc_create_swapper;
-	mpo_proc_create_init_t			mpo_proc_create_init;
 	mpo_proc_destroy_label_t		mpo_proc_destroy_label;
 	mpo_proc_init_label_t			mpo_proc_init_label;
 

sys/security/mac/mac_process.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2008 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
  * Copyright (c) 2005 Samy Al Bahra
@@ -160,6 +160,44 @@ mac_proc_destroy(struct proc *p)
 	}
 }
 
+/*
+ * When a thread becomes an NFS server daemon, its credential may need to be
+ * updated to reflect this so that policies can recognize when file system
+ * operations originate from the network.
+ *
+ * At some point, it would be desirable if the credential used for each NFS
+ * RPC could be set based on the RPC context (i.e., source system, etc) to
+ * provide more fine-grained access control.
+ */
+void
+mac_cred_associate_nfsd(struct ucred *cred)
+{
+
+	MAC_PERFORM(cred_associate_nfsd, cred);
+}
+
+/*
+ * Initialize MAC label for the first kernel process, from which other kernel
+ * processes and threads are spawned.
+ */
+void
+mac_cred_create_swapper(struct ucred *cred)
+{
+
+	MAC_PERFORM(cred_create_swapper, cred);
+}
+
+/*
+ * Initialize MAC label for the first userland process, from which other
+ * userland processes and threads are spawned.
+ */
+void
+mac_cred_create_init(struct ucred *cred)
+{
+
+	MAC_PERFORM(cred_create_init, cred);
+}
+
 int
 mac_cred_externalize_label(struct label *label, char *elements,
     char *outbuf, size_t outbuflen)
@@ -181,44 +219,6 @@ mac_cred_internalize_label(struct label *label, char *string)
 	return (error);
 }
 
-/*
- * Initialize MAC label for the first kernel process, from which other kernel
- * processes and threads are spawned.
- */
-void
-mac_proc_create_swapper(struct ucred *cred)
-{
-
-	MAC_PERFORM(proc_create_swapper, cred);
-}
-
-/*
- * Initialize MAC label for the first userland process, from which other
- * userland processes and threads are spawned.
- */
-void
-mac_proc_create_init(struct ucred *cred)
-{
-
-	MAC_PERFORM(proc_create_init, cred);
-}
-
-/*
- * When a thread becomes an NFS server daemon, its credential may need to be
- * updated to reflect this so that policies can recognize when file system
- * operations originate from the network.
- *
- * At some point, it would be desirable if the credential used for each NFS
- * RPC could be set based on the RPC context (i.e., source system, etc) to
- * provide more fine-grained access control.
- */
-void
-mac_proc_associate_nfsd(struct ucred *cred)
-{
-
-	MAC_PERFORM(proc_associate_nfsd, cred);
-}
-
 void
 mac_thread_userret(struct thread *td)
 {

sys/security/mac_biba/mac_biba.c

@@ -815,6 +815,17 @@ biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
 	biba_copy_effective(source, dest);
 }
 
+static void
+biba_cred_associate_nfsd(struct ucred *cred)
+{
+	struct mac_biba *label;
+
+	label = SLOT(cred->cr_label);
+	biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
+	biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+	    0, NULL);
+}
+
 static int
 biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -894,6 +905,30 @@ biba_cred_check_visible(struct ucred *u1, struct ucred *u2)
 	return (0);
 }
 
+static void
+biba_cred_create_init(struct ucred *cred)
+{
+	struct mac_biba *dest;
+
+	dest = SLOT(cred->cr_label);
+
+	biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
+	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+	    0, NULL);
+}
+
+static void
+biba_cred_create_swapper(struct ucred *cred)
+{
+	struct mac_biba *dest;
+
+	dest = SLOT(cred->cr_label);
+
+	biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+	    0, NULL);
+}
+
 static void
 biba_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -1818,17 +1853,6 @@ biba_priv_check(struct ucred *cred, int priv)
 	return (0);
 }
 
-static void
-biba_proc_associate_nfsd(struct ucred *cred)
-{
-	struct mac_biba *label;
-
-	label = SLOT(cred->cr_label);
-	biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
-	biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
-	    0, NULL);
-}
-
 static int
 biba_proc_check_debug(struct ucred *cred, struct proc *p)
 {
@@ -1904,30 +1928,6 @@ biba_socket_check_deliver(struct socket *so, struct label *solabel,
 	return (biba_equal_effective(p, s) ? 0 : EACCES);
 }
 
-static void
-biba_proc_create_init(struct ucred *cred)
-{
-	struct mac_biba *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
-	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
-	    0, NULL);
-}
-
-static void
-biba_proc_create_swapper(struct ucred *cred)
-{
-	struct mac_biba *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
-	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
-	    0, NULL);
-}
-
 static int
 biba_socket_check_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
@@ -3334,9 +3334,12 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_bpfdesc_destroy_label = biba_destroy_label,
 	.mpo_bpfdesc_init_label = biba_init_label,
 
+	.mpo_cred_associate_nfsd = biba_cred_associate_nfsd,
 	.mpo_cred_check_relabel = biba_cred_check_relabel,
 	.mpo_cred_check_visible = biba_cred_check_visible,
 	.mpo_cred_copy_label = biba_copy_label,
+	.mpo_cred_create_init = biba_cred_create_init,
+	.mpo_cred_create_swapper = biba_cred_create_swapper,
 	.mpo_cred_destroy_label = biba_destroy_label,
 	.mpo_cred_externalize_label = biba_externalize_label,
 	.mpo_cred_init_label = biba_init_label,
@@ -3432,12 +3435,9 @@ static struct mac_policy_ops mac_biba_ops =
 
 	.mpo_priv_check = biba_priv_check,
 
-	.mpo_proc_associate_nfsd = biba_proc_associate_nfsd,
 	.mpo_proc_check_debug = biba_proc_check_debug,
 	.mpo_proc_check_sched = biba_proc_check_sched,
 	.mpo_proc_check_signal = biba_proc_check_signal,
-	.mpo_proc_create_init = biba_proc_create_init,
-	.mpo_proc_create_swapper = biba_proc_create_swapper,
 
 	.mpo_socket_check_deliver = biba_socket_check_deliver,
 	.mpo_socket_check_relabel = biba_socket_check_relabel,

sys/security/mac_lomac/mac_lomac.c

@@ -993,6 +993,29 @@ lomac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 
 	return (0);
 }
+
+static void
+lomac_cred_create_init(struct ucred *cred)
+{
+	struct mac_lomac *dest;
+
+	dest = SLOT(cred->cr_label);
+
+	lomac_set_single(dest, MAC_LOMAC_TYPE_HIGH, 0);
+	lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
+}
+
+static void
+lomac_cred_create_swapper(struct ucred *cred)
+{
+	struct mac_lomac *dest;
+
+	dest = SLOT(cred->cr_label);
+
+	lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
+	lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
+}
+
 static void
 lomac_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -1884,28 +1907,6 @@ lomac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 	return (0);
 }
 
-static void
-lomac_proc_create_init(struct ucred *cred)
-{
-	struct mac_lomac *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	lomac_set_single(dest, MAC_LOMAC_TYPE_HIGH, 0);
-	lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
-}
-
-static void
-lomac_proc_create_swapper(struct ucred *cred)
-{
-	struct mac_lomac *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
-	lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
-}
-
 static void
 lomac_proc_destroy_label(struct label *label)
 {
@@ -2894,6 +2895,8 @@ static struct mac_policy_ops lomac_ops =
 	.mpo_cred_check_relabel = lomac_cred_check_relabel,
 	.mpo_cred_check_visible = lomac_cred_check_visible,
 	.mpo_cred_copy_label = lomac_copy_label,
+	.mpo_cred_create_swapper = lomac_cred_create_swapper,
+	.mpo_cred_create_init = lomac_cred_create_init,
 	.mpo_cred_destroy_label = lomac_destroy_label,
 	.mpo_cred_externalize_label = lomac_externalize_label,
 	.mpo_cred_init_label = lomac_init_label,
@@ -2983,8 +2986,6 @@ static struct mac_policy_ops lomac_ops =
 	.mpo_proc_check_debug = lomac_proc_check_debug,
 	.mpo_proc_check_sched = lomac_proc_check_sched,
 	.mpo_proc_check_signal = lomac_proc_check_signal,
-	.mpo_proc_create_swapper = lomac_proc_create_swapper,
-	.mpo_proc_create_init = lomac_proc_create_init,
 	.mpo_proc_destroy_label = lomac_proc_destroy_label,
 	.mpo_proc_init_label = lomac_proc_init_label,
 

sys/security/mac_mls/mac_mls.c

@@ -776,6 +776,17 @@ mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
 	mls_copy_effective(source, dest);
 }
 
+static void
+mls_cred_associate_nfsd(struct ucred *cred) 
+{
+	struct mac_mls *label;
+
+	label = SLOT(cred->cr_label);
+	mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
+	mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+	    NULL);
+}
+
 static int
 mls_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -854,6 +865,30 @@ mls_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 	return (0);
 }
 
+static void
+mls_cred_create_init(struct ucred *cred)
+{
+	struct mac_mls *dest;
+
+	dest = SLOT(cred->cr_label);
+
+	mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
+	mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+	    NULL);
+}
+
+static void
+mls_cred_create_swapper(struct ucred *cred)
+{
+	struct mac_mls *dest;
+
+	dest = SLOT(cred->cr_label);
+
+	mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+	mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+	    NULL);
+}
+
 static void
 mls_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -1523,17 +1558,6 @@ mls_posixsem_create(struct ucred *cred, struct ksem *ks,
 	mls_copy_effective(source, dest);
 }
 
-static void
-mls_proc_associate_nfsd(struct ucred *cred) 
-{
-	struct mac_mls *label;
-
-	label = SLOT(cred->cr_label);
-	mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
-	mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
-	    NULL);
-}
-
 static int
 mls_proc_check_debug(struct ucred *cred, struct proc *p)
 {
@@ -1594,30 +1618,6 @@ mls_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 	return (0);
 }
 
-static void
-mls_proc_create_init(struct ucred *cred)
-{
-	struct mac_mls *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
-	mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
-	    NULL);
-}
-
-static void
-mls_proc_create_swapper(struct ucred *cred)
-{
-	struct mac_mls *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
-	mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
-	    NULL);
-}
-
 static int
 mls_socket_check_deliver(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
@@ -2957,9 +2957,12 @@ static struct mac_policy_ops mls_ops =
 	.mpo_bpfdesc_destroy_label = mls_destroy_label,
 	.mpo_bpfdesc_init_label = mls_init_label,
 
+	.mpo_cred_associate_nfsd = mls_cred_associate_nfsd,
 	.mpo_cred_check_relabel = mls_cred_check_relabel,
 	.mpo_cred_check_visible = mls_cred_check_visible,
 	.mpo_cred_copy_label = mls_copy_label,
+	.mpo_cred_create_init = mls_cred_create_init,
+	.mpo_cred_create_swapper = mls_cred_create_swapper,
 	.mpo_cred_destroy_label = mls_destroy_label,
 	.mpo_cred_externalize_label = mls_externalize_label,
 	.mpo_cred_init_label = mls_init_label,
@@ -3051,12 +3054,9 @@ static struct mac_policy_ops mls_ops =
 	.mpo_posixsem_destroy_label = mls_destroy_label,
 	.mpo_posixsem_init_label = mls_init_label,
 
-	.mpo_proc_associate_nfsd = mls_proc_associate_nfsd,
 	.mpo_proc_check_debug = mls_proc_check_debug,
 	.mpo_proc_check_sched = mls_proc_check_sched,
 	.mpo_proc_check_signal = mls_proc_check_signal,
-	.mpo_proc_create_init = mls_proc_create_init,
-	.mpo_proc_create_swapper = mls_proc_create_swapper,
 
 	.mpo_socket_check_deliver = mls_socket_check_deliver,
 	.mpo_socket_check_relabel = mls_socket_check_relabel,

sys/security/mac_partition/mac_partition.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2002 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -154,6 +154,20 @@ partition_cred_copy_label(struct label *src, struct label *dest)
 		SLOT_SET(dest, 0);
 }
 
+static void
+partition_cred_create_init(struct ucred *cred)
+{
+
+	SLOT_SET(cred->cr_label, 0);
+}
+
+static void
+partition_cred_create_swapper(struct ucred *cred)
+{
+
+	SLOT_SET(cred->cr_label, 0);
+}
+
 static void
 partition_cred_destroy_label(struct label *label)
 {
@@ -251,20 +265,6 @@ partition_proc_check_signal(struct ucred *cred, struct proc *p,
 	return (error ? ESRCH : 0);
 }
 
-static void
-partition_proc_create_init(struct ucred *cred)
-{
-
-	SLOT_SET(cred->cr_label, 0);
-}
-
-static void
-partition_proc_create_swapper(struct ucred *cred)
-{
-
-	SLOT_SET(cred->cr_label, 0);
-}
-
 static int
 partition_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
@@ -300,6 +300,8 @@ static struct mac_policy_ops partition_ops =
 	.mpo_cred_check_relabel = partition_cred_check_relabel,
 	.mpo_cred_check_visible = partition_cred_check_visible,
 	.mpo_cred_copy_label = partition_cred_copy_label,
+	.mpo_cred_create_init = partition_cred_create_init,
+	.mpo_cred_create_swapper = partition_cred_create_swapper,
 	.mpo_cred_destroy_label = partition_cred_destroy_label,
 	.mpo_cred_externalize_label = partition_cred_externalize_label,
 	.mpo_cred_init_label = partition_cred_init_label,
@@ -309,8 +311,6 @@ static struct mac_policy_ops partition_ops =
 	.mpo_proc_check_debug = partition_proc_check_debug,
 	.mpo_proc_check_sched = partition_proc_check_sched,
 	.mpo_proc_check_signal = partition_proc_check_signal,
-	.mpo_proc_create_init = partition_proc_create_init,
-	.mpo_proc_create_swapper = partition_proc_create_swapper,
 	.mpo_socket_check_visible = partition_socket_check_visible,
 	.mpo_vnode_check_exec = partition_vnode_check_exec,
 };

sys/security/mac_stub/mac_stub.c

@@ -185,6 +185,12 @@ stub_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
 
 }
 
+static void
+stub_cred_associate_nfsd(struct ucred *cred)
+{
+
+}
+
 static int
 stub_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -199,6 +205,18 @@ stub_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 	return (0);
 }
 
+static void
+stub_cred_create_init(struct ucred *cred)
+{
+
+}
+
+static void
+stub_cred_create_swapper(struct ucred *cred)
+{
+
+}
+
 static void
 stub_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -668,12 +686,6 @@ stub_priv_grant(struct ucred *cred, int priv)
 	return (EPERM);
 }
 
-static void
-stub_proc_associate_nfsd(struct ucred *cred)
-{
-
-}
-
 static int
 stub_proc_check_debug(struct ucred *cred, struct proc *p)
 {
@@ -789,18 +801,6 @@ stub_proc_check_wait(struct ucred *cred, struct proc *p)
 	return (0);
 }
 
-static void
-stub_proc_create_init(struct ucred *cred)
-{
-
-}
-
-static void
-stub_proc_create_swapper(struct ucred *cred)
-{
-
-}
-
 static int
 stub_socket_check_accept(struct ucred *cred, struct socket *so,
     struct label *solabel)
@@ -1539,9 +1539,12 @@ static struct mac_policy_ops stub_ops =
 	.mpo_bpfdesc_destroy_label = stub_destroy_label,
 	.mpo_bpfdesc_init_label = stub_init_label,
 
+	.mpo_cred_associate_nfsd = stub_cred_associate_nfsd,
 	.mpo_cred_check_relabel = stub_cred_check_relabel,
 	.mpo_cred_check_visible = stub_cred_check_visible,
 	.mpo_cred_copy_label = stub_copy_label,
+	.mpo_cred_create_init = stub_cred_create_init,
+	.mpo_cred_create_swapper = stub_cred_create_swapper,
 	.mpo_cred_destroy_label = stub_destroy_label,
 	.mpo_cred_externalize_label = stub_externalize_label,
 	.mpo_cred_init_label = stub_init_label,
@@ -1655,7 +1658,6 @@ static struct mac_policy_ops stub_ops =
 	.mpo_priv_check = stub_priv_check,
 	.mpo_priv_grant = stub_priv_grant,
 
-	.mpo_proc_associate_nfsd = stub_proc_associate_nfsd,
 	.mpo_proc_check_debug = stub_proc_check_debug,
 	.mpo_proc_check_sched = stub_proc_check_sched,
 	.mpo_proc_check_setaudit = stub_proc_check_setaudit,
@@ -1672,8 +1674,6 @@ static struct mac_policy_ops stub_ops =
 	.mpo_proc_check_setuid = stub_proc_check_setuid,
 	.mpo_proc_check_signal = stub_proc_check_signal,
 	.mpo_proc_check_wait = stub_proc_check_wait,
-	.mpo_proc_create_init = stub_proc_create_init,
-	.mpo_proc_create_swapper = stub_proc_create_swapper,
 
 	.mpo_socket_check_accept = stub_socket_check_accept,
 	.mpo_socket_check_bind = stub_socket_check_bind,

sys/security/mac_test/mac_test.c

@@ -242,6 +242,24 @@ test_cred_copy_label(struct label *src, struct label *dest)
 	COUNTER_INC(cred_copy_label);
 }
 
+COUNTER_DECL(cred_create_init);
+static void
+test_cred_create_init(struct ucred *cred)
+{
+
+	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+	COUNTER_INC(cred_create_init);
+}
+
+COUNTER_DECL(cred_create_swapper);
+static void
+test_cred_create_swapper(struct ucred *cred)
+{
+
+	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+	COUNTER_INC(cred_create_swapper);
+}
+
 COUNTER_DECL(cred_destroy_label);
 static void
 test_cred_destroy_label(struct label *label)
@@ -1480,24 +1498,6 @@ test_proc_check_wait(struct ucred *cred, struct proc *p)
 	return (0);
 }
 
-COUNTER_DECL(proc_create_init);
-static void
-test_proc_create_init(struct ucred *cred)
-{
-
-	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
-	COUNTER_INC(proc_create_init);
-}
-
-COUNTER_DECL(proc_create_swapper);
-static void
-test_proc_create_swapper(struct ucred *cred)
-{
-
-	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
-	COUNTER_INC(proc_create_swapper);
-}
-
 COUNTER_DECL(proc_destroy_label);
 static void
 test_proc_destroy_label(struct label *label)
@@ -2883,6 +2883,8 @@ static struct mac_policy_ops test_ops =
 	.mpo_cred_check_relabel = test_cred_check_relabel,
 	.mpo_cred_check_visible = test_cred_check_visible,
 	.mpo_cred_copy_label = test_cred_copy_label,
+	.mpo_cred_create_init = test_cred_create_init,
+	.mpo_cred_create_swapper = test_cred_create_swapper,
 	.mpo_cred_destroy_label = test_cred_destroy_label,
 	.mpo_cred_externalize_label = test_cred_externalize_label,
 	.mpo_cred_init_label = test_cred_init_label,
@@ -3022,8 +3024,6 @@ static struct mac_policy_ops test_ops =
 	.mpo_proc_check_setuid = test_proc_check_setuid,
 	.mpo_proc_check_signal = test_proc_check_signal,
 	.mpo_proc_check_wait = test_proc_check_wait,
-	.mpo_proc_create_init = test_proc_create_init,
-	.mpo_proc_create_swapper = test_proc_create_swapper,
 	.mpo_proc_destroy_label = test_proc_destroy_label,
 	.mpo_proc_init_label = test_proc_init_label,