Merge first in a series of TrustedBSD MAC Framework KPI changes

from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:

  mac_<object>_<method/action>
  mac_<object>_check_<method/action>

The previous naming scheme was inconsistent and mostly
reversed from the new scheme.  Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier.  Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods.  Also simplify, slightly,
some entry point names.

All MAC policy modules will need to be recompiled, and modules
not updates as part of this commit will need to be modified to
conform to the new KPI.

Sponsored by:	SPARTA (original patches against Mac OS X)
Obtained from:	TrustedBSD Project, Apple Computer

sys/compat/linux/linux_file.c

@@ -467,7 +467,7 @@ again:
 	/*
 	 * Do directory search MAC check using non-cached credentials.
 	 */
-	if ((error = mac_check_vnode_readdir(td->td_ucred, vp)))
+	if ((error = mac_vnode_check_readdir(td->td_ucred, vp)))
 		goto out;
 #endif /* MAC */
 	if ((error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, &ncookies,

sys/compat/linux/linux_getcwd.c

@@ -170,7 +170,7 @@ linux_getcwd_scandir(lvpp, uvpp, bpp, bufp, td)
 	 * On successful return, *uvpp will be locked
 	 */
 #ifdef MAC
-	error = mac_check_vnode_lookup(td->td_ucred, lvp, &cn);
+	error = mac_vnode_check_lookup(td->td_ucred, lvp, &cn);
 	if (error == 0)
 #endif
 		error = VOP_LOOKUP(lvp, uvpp, &cn);
@@ -216,7 +216,7 @@ unionread:
 		eofflag = 0;
 
 #ifdef MAC
-		error = mac_check_vnode_readdir(td->td_ucred, uvp);
+		error = mac_vnode_check_readdir(td->td_ucred, uvp);
 		if (error == 0)
 #endif /* MAC */
 			error = VOP_READDIR(uvp, &uio, td->td_ucred, &eofflag,

sys/compat/linux/linux_misc.c

@@ -301,7 +301,7 @@ linux_uselib(struct thread *td, struct linux_uselib_args *args)
 	 * than vn_open().
 	 */
 #ifdef MAC
-	error = mac_check_vnode_open(td->td_ucred, vp, FREAD);
+	error = mac_vnode_check_open(td->td_ucred, vp, FREAD);
 	if (error)
 		goto cleanup;
 #endif

sys/compat/svr4/svr4_fcntl.c

@@ -271,7 +271,7 @@ fd_revoke(td, fd)
 
 #ifdef MAC
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
-	error = mac_check_vnode_revoke(td->td_ucred, vp);
+	error = mac_vnode_check_revoke(td->td_ucred, vp);
 	VOP_UNLOCK(vp, 0, td);
 	if (error)
 		goto out;

sys/compat/svr4/svr4_misc.c

@@ -296,7 +296,7 @@ again:
 	}
 
 #ifdef MAC
-	error = mac_check_vnode_readdir(td->td_ucred, vp);
+	error = mac_vnode_check_readdir(td->td_ucred, vp);
 	if (error)
 		goto out;
 #endif
@@ -461,7 +461,7 @@ again:
 	auio.uio_offset = off;
 
 #ifdef MAC
-	error = mac_check_vnode_readdir(td->td_ucred, vp);
+	error = mac_vnode_check_readdir(td->td_ucred, vp);
 	if (error)
 		goto out;
 #endif
@@ -625,7 +625,7 @@ svr4_sys_fchroot(td, uap)
 	if (error)
 		goto fail;
 #ifdef MAC
-	error = mac_check_vnode_chroot(td->td_ucred, vp);
+	error = mac_vnode_check_chroot(td->td_ucred, vp);
 	if (error)
 		goto fail;
 #endif

sys/contrib/pf/net/pf.c

@@ -1818,9 +1818,9 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
 #ifdef __FreeBSD__
 #ifdef MAC
 	if (replyto)
-		mac_create_mbuf_netlayer(replyto, m);
+		mac_mbuf_create_netlayer(replyto, m);
 	else
-		mac_create_mbuf_from_firewall(m);
+		mac_mbuf_create_from_firewall(m);
 #else
 	(void)replyto;
 #endif

sys/fs/devfs/devfs_devs.c

@@ -182,7 +182,7 @@ devfs_newdirent(char *name, int namelen)
 	de->de_links = 1;
 	de->de_holdcnt = 1;
 #ifdef MAC
-	mac_init_devfs(de);
+	mac_devfs_init(de);
 #endif
 	return (de);
 }
@@ -226,7 +226,7 @@ devfs_vmkdir(struct devfs_mount *dmp, char *name, int namelen, struct devfs_dire
 	}
 
 #ifdef MAC
-	mac_create_devfs_directory(dmp->dm_mount, name, namelen, dd);
+	mac_devfs_create_directory(dmp->dm_mount, name, namelen, dd);
 #endif
 	return (dd);
 }
@@ -274,7 +274,7 @@ devfs_delete(struct devfs_mount *dm, struct devfs_dirent *de, int vp_locked)
 		de->de_symlink = NULL;
 	}
 #ifdef MAC
-	mac_destroy_devfs(de);
+	mac_devfs_destroy(de);
 #endif
 	if (de->de_inode > DEVFS_ROOTINO) {
 		free_unr(devfs_inos, de->de_inode);
@@ -452,7 +452,7 @@ devfs_populate_loop(struct devfs_mount *dm, int cleanup)
 		de->de_inode = cdp->cdp_inode;
 		de->de_cdp = cdp;
 #ifdef MAC
-		mac_create_devfs_device(cdp->cdp_c.si_cred, dm->dm_mount,
+		mac_devfs_create_device(cdp->cdp_c.si_cred, dm->dm_mount,
 		    &cdp->cdp_c, de);
 #endif
 		de->de_dir = dd;

sys/fs/devfs/devfs_vnops.c

@@ -262,7 +262,7 @@ devfs_allocv(struct devfs_dirent *de, struct mount *mp, struct vnode **vpp, stru
 		return (ENOENT);
 	}
 #ifdef MAC
-	mac_associate_vnode_devfs(mp, de, vp);
+	mac_devfs_vnode_associate(mp, de, vp);
 #endif
 	sx_xunlock(&dmp->dm_lock);
 	*vpp = vp;
@@ -1233,8 +1233,8 @@ devfs_setlabel(struct vop_setlabel_args *ap)
 	vp = ap->a_vp;
 	de = vp->v_data;
 
-	mac_relabel_vnode(ap->a_cred, vp, ap->a_label);
-	mac_update_devfs(vp->v_mount, de, vp);
+	mac_vnode_relabel(ap->a_cred, vp, ap->a_label);
+	mac_devfs_update(vp->v_mount, de, vp);
 
 	return (0);
 }
@@ -1275,7 +1275,7 @@ devfs_symlink(struct vop_symlink_args *ap)
 	bcopy(ap->a_target, de->de_symlink, i);
 	sx_xlock(&dmp->dm_lock);
 #ifdef MAC
-	mac_create_devfs_symlink(ap->a_cnp->cn_cred, dmp->dm_mount, dd, de);
+	mac_devfs_create_symlink(ap->a_cnp->cn_cred, dmp->dm_mount, dd, de);
 #endif
 	TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list);
 	return (devfs_allocv(de, ap->a_dvp->v_mount, ap->a_vpp, td));

sys/fs/unionfs/union_subr.c

@@ -966,7 +966,7 @@ unionfs_check_rmdir(struct vnode *vp, struct ucred *cred, struct thread *td)
 
 	/* open vnode */
 #ifdef MAC
-	if ((error = mac_check_vnode_open(cred, vp, VEXEC|VREAD)) != 0)
+	if ((error = mac_vnode_check_open(cred, vp, VEXEC|VREAD)) != 0)
 		return (error);
 #endif
 	if ((error = VOP_ACCESS(vp, VEXEC|VREAD, cred, td)) != 0)
@@ -980,7 +980,7 @@ unionfs_check_rmdir(struct vnode *vp, struct ucred *cred, struct thread *td)
 	uio.uio_offset = 0;
 
 #ifdef MAC
-	error = mac_check_vnode_readdir(td->td_ucred, lvp);
+	error = mac_vnode_check_readdir(td->td_ucred, lvp);
 #endif
 	while (!error && !eofflag) {
 		iov.iov_base = buf;

sys/i386/ibcs2/ibcs2_misc.c

@@ -374,7 +374,7 @@ again:
 	}
 
 #ifdef MAC
-	error = mac_check_vnode_readdir(td->td_ucred, vp);
+	error = mac_vnode_check_readdir(td->td_ucred, vp);
 	if (error)
 		goto out;
 #endif
@@ -536,7 +536,7 @@ again:
 	}
 
 #ifdef MAC
-	error = mac_check_vnode_readdir(td->td_ucred, vp);
+	error = mac_vnode_check_readdir(td->td_ucred, vp);
 	if (error)
 		goto out;
 #endif

sys/kern/init_main.c

@@ -448,7 +448,7 @@ proc0_init(void *dummy __unused)
 	audit_cred_kproc0(p->p_ucred);
 #endif
 #ifdef MAC
-	mac_create_proc0(p->p_ucred);
+	mac_proc_create_swapper(p->p_ucred);
 #endif
 	td->td_ucred = crhold(p->p_ucred);
 
@@ -714,7 +714,7 @@ create_init(const void *udata __unused)
 	oldcred = initproc->p_ucred;
 	crcopy(newcred, oldcred);
 #ifdef MAC
-	mac_create_proc1(newcred);
+	mac_proc_create_init(newcred);
 #endif
 #ifdef AUDIT
 	audit_cred_proc1(newcred);

sys/kern/kern_acct.c

@@ -218,7 +218,7 @@ acct(struct thread *td, struct acct_args *uap)
 		vfslocked = NDHASGIANT(&nd);
 		NDFREE(&nd, NDF_ONLY_PNBUF);
 #ifdef MAC
-		error = mac_check_system_acct(td->td_ucred, nd.ni_vp);
+		error = mac_system_check_acct(td->td_ucred, nd.ni_vp);
 		if (error) {
 			VOP_UNLOCK(nd.ni_vp, 0, td);
 			vn_close(nd.ni_vp, flags, td->td_ucred, td);
@@ -235,7 +235,7 @@ acct(struct thread *td, struct acct_args *uap)
 		VFS_UNLOCK_GIANT(vfslocked);
 #ifdef MAC
 	} else {
-		error = mac_check_system_acct(td->td_ucred, NULL);
+		error = mac_system_check_acct(td->td_ucred, NULL);
 		if (error)
 			return (error);
 #endif

sys/kern/kern_alq.c

@@ -300,7 +300,7 @@ alq_doio(struct alq *alq)
 	 * XXX: VOP_WRITE error checks are ignored.
 	 */
 #ifdef MAC
-	if (mac_check_vnode_write(alq->aq_cred, NOCRED, vp) == 0)
+	if (mac_vnode_check_write(alq->aq_cred, NOCRED, vp) == 0)
 #endif
 		VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, alq->aq_cred);
 	VOP_UNLOCK(vp, 0, td);

sys/kern/kern_environment.c

@@ -95,7 +95,7 @@ kenv(td, uap)
 	error = 0;
 	if (uap->what == KENV_DUMP) {
 #ifdef MAC
-		error = mac_check_kenv_dump(td->td_ucred);
+		error = mac_kenv_check_dump(td->td_ucred);
 		if (error)
 			return (error);
 #endif
@@ -148,7 +148,7 @@ kenv(td, uap)
 	switch (uap->what) {
 	case KENV_GET:
 #ifdef MAC
-		error = mac_check_kenv_get(td->td_ucred, name);
+		error = mac_kenv_check_get(td->td_ucred, name);
 		if (error)
 			goto done;
 #endif
@@ -181,7 +181,7 @@ kenv(td, uap)
 			goto done;
 		}
 #ifdef MAC
-		error = mac_check_kenv_set(td->td_ucred, name, value);
+		error = mac_kenv_check_set(td->td_ucred, name, value);
 		if (error == 0)
 #endif
 			setenv(name, value);
@@ -189,7 +189,7 @@ kenv(td, uap)
 		break;
 	case KENV_UNSET:
 #ifdef MAC
-		error = mac_check_kenv_unset(td->td_ucred, name);
+		error = mac_kenv_check_unset(td->td_ucred, name);
 		if (error)
 			goto done;
 #endif

sys/kern/kern_exec.c

@@ -439,7 +439,7 @@ interpret:
 		NDFREE(ndp, NDF_ONLY_PNBUF);
 #ifdef MAC
 		interplabel = mac_vnode_label_alloc();
-		mac_copy_vnode_label(ndp->ni_vp->v_label, interplabel);
+		mac_vnode_copy_label(ndp->ni_vp->v_label, interplabel);
 #endif
 		vput(ndp->ni_vp);
 		vm_object_deallocate(imgp->object);
@@ -550,7 +550,7 @@ interpret:
 	credential_changing |= (attr.va_mode & VSGID) && oldcred->cr_gid !=
 	    attr.va_gid;
 #ifdef MAC
-	will_transition = mac_execve_will_transition(oldcred, imgp->vp,
+	will_transition = mac_vnode_execve_will_transition(oldcred, imgp->vp,
 	    interplabel, imgp);
 	credential_changing |= will_transition;
 #endif
@@ -604,7 +604,7 @@ interpret:
 			change_egid(newcred, attr.va_gid);
 #ifdef MAC
 		if (will_transition) {
-			mac_execve_transition(oldcred, newcred, imgp->vp,
+			mac_vnode_execve_transition(oldcred, newcred, imgp->vp,
 			    interplabel, imgp);
 		}
 #endif
@@ -1191,7 +1191,7 @@ exec_check_permissions(imgp)
 		return (error);
 
 #ifdef MAC
-	error = mac_check_vnode_exec(td->td_ucred, imgp->vp, imgp);
+	error = mac_vnode_check_exec(td->td_ucred, imgp->vp, imgp);
 	if (error)
 		return (error);
 #endif

sys/kern/kern_exit.c

@@ -791,7 +791,7 @@ loop:
 			 */
 			vm_waitproc(p);
 #ifdef MAC
-			mac_destroy_proc(p);
+			mac_proc_destroy(p);
 #endif
 			KASSERT(FIRST_THREAD_IN_PROC(p),
 			    ("kern_wait: no residual thread!"));

sys/kern/kern_fork.c

@@ -285,7 +285,7 @@ fork1(td, flags, pages, procp)
 	/* Allocate new proc. */
 	newproc = uma_zalloc(proc_zone, M_WAITOK);
 #ifdef MAC
-	mac_init_proc(newproc);
+	mac_proc_init(newproc);
 #endif
 	knlist_init(&newproc->p_klist, &newproc->p_mtx, NULL, NULL, NULL);
 	STAILQ_INIT(&newproc->p_ktr);
@@ -752,7 +752,7 @@ fail:
 		    td->td_ucred->cr_ruid);
 	sx_xunlock(&allproc_lock);
 #ifdef MAC
-	mac_destroy_proc(newproc);
+	mac_proc_destroy(newproc);
 #endif
 	uma_zfree(proc_zone, newproc);
 	if (p1->p_flag & P_HADTHREADS) {

sys/kern/kern_jail.c

@@ -258,7 +258,7 @@ jail_attach(struct thread *td, struct jail_attach_args *uap)
 	if ((error = change_dir(pr->pr_root, td)) != 0)
 		goto e_unlock;
 #ifdef MAC
-	if ((error = mac_check_vnode_chroot(td->td_ucred, pr->pr_root)))
+	if ((error = mac_vnode_check_chroot(td->td_ucred, pr->pr_root)))
 		goto e_unlock;
 #endif
 	VOP_UNLOCK(pr->pr_root, 0, td);

sys/kern/kern_ktrace.c

@@ -927,7 +927,7 @@ ktr_writerequest(struct thread *td, struct ktr_request *req)
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 	(void)VOP_LEASE(vp, td, cred, LEASE_WRITE);
 #ifdef MAC
-	error = mac_check_vnode_write(cred, NOCRED, vp);
+	error = mac_vnode_check_write(cred, NOCRED, vp);
 	if (error == 0)
 #endif
 		error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);

sys/kern/kern_linker.c

@@ -995,7 +995,7 @@ kldfind(struct thread *td, struct kldfind_args *uap)
 	int error;
 
 #ifdef MAC
-	error = mac_check_kld_stat(td->td_ucred);
+	error = mac_kld_check_stat(td->td_ucred);
 	if (error)
 		return (error);
 #endif
@@ -1026,7 +1026,7 @@ kldnext(struct thread *td, struct kldnext_args *uap)
 	int error = 0;
 
 #ifdef MAC
-	error = mac_check_kld_stat(td->td_ucred);
+	error = mac_kld_check_stat(td->td_ucred);
 	if (error)
 		return (error);
 #endif
@@ -1076,7 +1076,7 @@ kldstat(struct thread *td, struct kldstat_args *uap)
 		return (EINVAL);
 
 #ifdef MAC
-	error = mac_check_kld_stat(td->td_ucred);
+	error = mac_kld_check_stat(td->td_ucred);
 	if (error)
 		return (error);
 #endif
@@ -1119,7 +1119,7 @@ kldfirstmod(struct thread *td, struct kldfirstmod_args *uap)
 	int error = 0;
 
 #ifdef MAC
-	error = mac_check_kld_stat(td->td_ucred);
+	error = mac_kld_check_stat(td->td_ucred);
 	if (error)
 		return (error);
 #endif
@@ -1151,7 +1151,7 @@ kldsym(struct thread *td, struct kldsym_args *uap)
 	int error = 0;
 
 #ifdef MAC
-	error = mac_check_kld_stat(td->td_ucred);
+	error = mac_kld_check_stat(td->td_ucred);
 	if (error)
 		return (error);
 #endif
@@ -1997,7 +1997,7 @@ sysctl_kern_function_list(SYSCTL_HANDLER_ARGS)
 	int error;
 
 #ifdef MAC
-	error = mac_check_kld_stat(req->td->td_ucred);
+	error = mac_kld_check_stat(req->td->td_ucred);
 	if (error)
 		return (error);
 #endif

sys/kern/kern_mbuf.c

@@ -323,7 +323,7 @@ mb_ctor_mbuf(void *mem, int size, void *arg, int how)
 		SLIST_INIT(&m->m_pkthdr.tags);
 #ifdef MAC
 		/* If the label init fails, fail the alloc */
-		error = mac_init_mbuf(m, how);
+		error = mac_mbuf_init(m, how);
 		if (error)
 			return (error);
 #endif
@@ -543,7 +543,7 @@ mb_ctor_pack(void *mem, int size, void *arg, int how)
 		SLIST_INIT(&m->m_pkthdr.tags);
 #ifdef MAC
 		/* If the label init fails, fail the alloc */
-		error = mac_init_mbuf(m, how);
+		error = mac_mbuf_init(m, how);
 		if (error)
 			return (error);
 #endif

sys/kern/kern_prot.c

@@ -482,7 +482,7 @@ setuid(struct thread *td, struct setuid_args *uap)
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_check_proc_setuid(p, oldcred, uid);
+	error = mac_proc_check_setuid(p, oldcred, uid);
 	if (error)
 		goto fail;
 #endif
@@ -594,7 +594,7 @@ seteuid(struct thread *td, struct seteuid_args *uap)
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_check_proc_seteuid(p, oldcred, euid);
+	error = mac_proc_check_seteuid(p, oldcred, euid);
 	if (error)
 		goto fail;
 #endif
@@ -647,7 +647,7 @@ setgid(struct thread *td, struct setgid_args *uap)
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_check_proc_setgid(p, oldcred, gid);
+	error = mac_proc_check_setgid(p, oldcred, gid);
 	if (error)
 		goto fail;
 #endif
@@ -746,7 +746,7 @@ setegid(struct thread *td, struct setegid_args *uap)
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_check_proc_setegid(p, oldcred, egid);
+	error = mac_proc_check_setegid(p, oldcred, egid);
 	if (error)
 		goto fail;
 #endif
@@ -808,7 +808,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups)
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_check_proc_setgroups(p, oldcred, ngrp, groups);
+	error = mac_proc_check_setgroups(p, oldcred, ngrp, groups);
 	if (error)
 		goto fail;
 #endif
@@ -873,7 +873,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap)
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_check_proc_setreuid(p, oldcred, ruid, euid);
+	error = mac_proc_check_setreuid(p, oldcred, ruid, euid);
 	if (error)
 		goto fail;
 #endif
@@ -938,7 +938,7 @@ setregid(register struct thread *td, struct setregid_args *uap)
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_check_proc_setregid(p, oldcred, rgid, egid);
+	error = mac_proc_check_setregid(p, oldcred, rgid, egid);
 	if (error)
 		goto fail;
 #endif
@@ -1009,7 +1009,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid);
+	error = mac_proc_check_setresuid(p, oldcred, ruid, euid, suid);
 	if (error)
 		goto fail;
 #endif
@@ -1086,7 +1086,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid);
+	error = mac_proc_check_setresgid(p, oldcred, rgid, egid, sgid);
 	if (error)
 		goto fail;
 #endif
@@ -1369,7 +1369,7 @@ cr_cansee(struct ucred *u1, struct ucred *u2)
 	if ((error = prison_check(u1, u2)))
 		return (error);
 #ifdef MAC
-	if ((error = mac_check_cred_visible(u1, u2)))
+	if ((error = mac_cred_check_visible(u1, u2)))
 		return (error);
 #endif
 	if ((error = cr_seeotheruids(u1, u2)))
@@ -1430,7 +1430,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
 	if (error)
 		return (error);
 #ifdef MAC
-	if ((error = mac_check_proc_signal(cred, proc, signum)))
+	if ((error = mac_proc_check_signal(cred, proc, signum)))
 		return (error);
 #endif
 	if ((error = cr_seeotheruids(cred, proc->p_ucred)))
@@ -1547,7 +1547,7 @@ p_cansched(struct thread *td, struct proc *p)
 	if ((error = prison_check(td->td_ucred, p->p_ucred)))
 		return (error);
 #ifdef MAC
-	if ((error = mac_check_proc_sched(td->td_ucred, p)))
+	if ((error = mac_proc_check_sched(td->td_ucred, p)))
 		return (error);
 #endif
 	if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
@@ -1604,7 +1604,7 @@ p_candebug(struct thread *td, struct proc *p)
 	if ((error = prison_check(td->td_ucred, p->p_ucred)))
 		return (error);
 #ifdef MAC
-	if ((error = mac_check_proc_debug(td->td_ucred, p)))
+	if ((error = mac_proc_check_debug(td->td_ucred, p)))
 		return (error);
 #endif
 	if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
@@ -1691,7 +1691,7 @@ cr_canseesocket(struct ucred *cred, struct socket *so)
 		return (ENOENT);
 #ifdef MAC
 	SOCK_LOCK(so);
-	error = mac_check_socket_visible(cred, so);
+	error = mac_socket_check_visible(cred, so);
 	SOCK_UNLOCK(so);
 	if (error)
 		return (error);
@@ -1723,7 +1723,7 @@ p_canwait(struct thread *td, struct proc *p)
 	if ((error = prison_check(td->td_ucred, p->p_ucred)))
 		return (error);
 #ifdef MAC
-	if ((error = mac_check_proc_wait(td->td_ucred, p)))
+	if ((error = mac_proc_check_wait(td->td_ucred, p)))
 		return (error);
 #endif
 #if 0
@@ -1749,7 +1749,7 @@ crget(void)
 	audit_cred_init(cr);
 #endif
 #ifdef MAC
-	mac_init_cred(cr);
+	mac_cred_init(cr);
 #endif
 	return (cr);
 }
@@ -1793,7 +1793,7 @@ crfree(struct ucred *cr)
 		audit_cred_destroy(cr);
 #endif
 #ifdef MAC
-		mac_destroy_cred(cr);
+		mac_cred_destroy(cr);
 #endif
 		FREE(cr, M_CRED);
 	}
@@ -1828,7 +1828,7 @@ crcopy(struct ucred *dest, struct ucred *src)
 	audit_cred_copy(src, dest);
 #endif
 #ifdef MAC
-	mac_copy_cred(src, dest);
+	mac_cred_copy(src, dest);
 #endif
 }
 

sys/kern/kern_shutdown.c

@@ -160,7 +160,7 @@ reboot(struct thread *td, struct reboot_args *uap)
 
 	error = 0;
 #ifdef MAC
-	error = mac_check_system_reboot(td->td_ucred, uap->opt);
+	error = mac_system_check_reboot(td->td_ucred, uap->opt);
 #endif
 	if (error == 0)
 		error = priv_check(td, PRIV_REBOOT);

sys/kern/kern_sysctl.c

@@ -1298,7 +1298,7 @@ sysctl_root(SYSCTL_HANDLER_ARGS)
 		arg2 = oid->oid_arg2;
 	}
 #ifdef MAC
-	error = mac_check_system_sysctl(req->td->td_ucred, oid, arg1, arg2,
+	error = mac_system_check_sysctl(req->td->td_ucred, oid, arg1, arg2,
 	    req);
 	if (error != 0)
 		return (error);

sys/kern/link_elf.c

@@ -572,7 +572,7 @@ link_elf_load_file(linker_class_t cls, const char* filename,
     vfslocked = NDHASGIANT(&nd);
     NDFREE(&nd, NDF_ONLY_PNBUF);
 #ifdef MAC
-    error = mac_check_kld_load(curthread->td_ucred, nd.ni_vp);
+    error = mac_kld_check_load(curthread->td_ucred, nd.ni_vp);
     if (error) {
 	firstpage = NULL;
 	goto out;

sys/kern/link_elf_obj.c

@@ -410,7 +410,7 @@ link_elf_load_file(linker_class_t cls, const char *filename,
 	vfslocked = NDHASGIANT(&nd);
 	NDFREE(&nd, NDF_ONLY_PNBUF);
 #ifdef MAC
-	error = mac_check_kld_load(td->td_ucred, nd.ni_vp);
+	error = mac_kld_check_load(td->td_ucred, nd.ni_vp);
 	if (error) {
 		goto out;
 	}

sys/kern/sys_pipe.c

@@ -323,11 +323,11 @@ pipe(td, uap)
 #ifdef MAC
 	/*
 	 * The MAC label is shared between the connected endpoints.  As a
-	 * result mac_init_pipe() and mac_create_pipe() are called once
+	 * result mac_pipe_init() and mac_pipe_create() are called once
 	 * for the pair, and not on the endpoints.
 	 */
-	mac_init_pipe(pp);
-	mac_create_pipe(td->td_ucred, pp);
+	mac_pipe_init(pp);
+	mac_pipe_create(td->td_ucred, pp);
 #endif
 	rpipe = &pp->pp_rpipe;
 	wpipe = &pp->pp_wpipe;
@@ -576,7 +576,7 @@ pipe_read(fp, uio, active_cred, flags, td)
 		goto unlocked_error;
 
 #ifdef MAC
-	error = mac_check_pipe_read(active_cred, rpipe->pipe_pair);
+	error = mac_pipe_check_read(active_cred, rpipe->pipe_pair);
 	if (error)
 		goto locked_error;
 #endif
@@ -986,7 +986,7 @@ pipe_write(fp, uio, active_cred, flags, td)
 		return (EPIPE);
 	}
 #ifdef MAC
-	error = mac_check_pipe_write(active_cred, wpipe->pipe_pair);
+	error = mac_pipe_check_write(active_cred, wpipe->pipe_pair);
 	if (error) {
 		pipeunlock(wpipe);
 		PIPE_UNLOCK(rpipe);
@@ -1252,7 +1252,7 @@ pipe_ioctl(fp, cmd, data, active_cred, td)
 	PIPE_LOCK(mpipe);
 
 #ifdef MAC
-	error = mac_check_pipe_ioctl(active_cred, mpipe->pipe_pair, cmd, data);
+	error = mac_pipe_check_ioctl(active_cred, mpipe->pipe_pair, cmd, data);
 	if (error) {
 		PIPE_UNLOCK(mpipe);
 		return (error);
@@ -1326,7 +1326,7 @@ pipe_poll(fp, events, active_cred, td)
 	wpipe = rpipe->pipe_peer;
 	PIPE_LOCK(rpipe);
 #ifdef MAC
-	error = mac_check_pipe_poll(active_cred, rpipe->pipe_pair);
+	error = mac_pipe_check_poll(active_cred, rpipe->pipe_pair);
 	if (error)
 		goto locked_error;
 #endif
@@ -1382,7 +1382,7 @@ pipe_stat(fp, ub, active_cred, td)
 	int error;
 
 	PIPE_LOCK(pipe);
-	error = mac_check_pipe_stat(active_cred, pipe->pipe_pair);
+	error = mac_pipe_check_stat(active_cred, pipe->pipe_pair);
 	PIPE_UNLOCK(pipe);
 	if (error)
 		return (error);
@@ -1511,7 +1511,7 @@ pipeclose(cpipe)
 	if (ppipe->pipe_present == 0) {
 		PIPE_UNLOCK(cpipe);
 #ifdef MAC
-		mac_destroy_pipe(pp);
+		mac_pipe_destroy(pp);
 #endif
 		uma_zfree(pipe_zone, cpipe->pipe_pair);
 	} else

sys/kern/sys_socket.c

@@ -77,7 +77,7 @@ soo_read(struct file *fp, struct uio *uio, struct ucred *active_cred,
 	int error;
 
 	SOCK_LOCK(so);
-	error = mac_check_socket_receive(active_cred, so);
+	error = mac_socket_check_receive(active_cred, so);
 	SOCK_UNLOCK(so);
 	if (error)
 		return (error);
@@ -95,7 +95,7 @@ soo_write(struct file *fp, struct uio *uio, struct ucred *active_cred,
 
 #ifdef MAC
 	SOCK_LOCK(so);
-	error = mac_check_socket_send(active_cred, so);
+	error = mac_socket_check_send(active_cred, so);
 	SOCK_UNLOCK(so);
 	if (error)
 		return (error);
@@ -208,7 +208,7 @@ soo_poll(struct file *fp, int events, struct ucred *active_cred,
 	int error;
 
 	SOCK_LOCK(so);
-	error = mac_check_socket_poll(active_cred, so);
+	error = mac_socket_check_poll(active_cred, so);
 	SOCK_UNLOCK(so);
 	if (error)
 		return (error);
@@ -229,7 +229,7 @@ soo_stat(struct file *fp, struct stat *ub, struct ucred *active_cred,
 	ub->st_mode = S_IFSOCK;
 #ifdef MAC
 	SOCK_LOCK(so);
-	error = mac_check_socket_stat(active_cred, so);
+	error = mac_socket_check_stat(active_cred, so);
 	SOCK_UNLOCK(so);
 	if (error)
 		return (error);

sys/kern/sysv_msg.c

@@ -224,7 +224,7 @@ msginit()
 			msghdrs[i-1].msg_next = &msghdrs[i];
 		msghdrs[i].msg_next = NULL;
 #ifdef MAC
-		mac_init_sysv_msgmsg(&msghdrs[i]);
+		mac_sysvmsg_init(&msghdrs[i]);
 #endif
     	}
 	free_msghdrs = &msghdrs[0];
@@ -237,7 +237,7 @@ msginit()
 		msqids[i].u.msg_perm.seq = 0;	/* reset to a known value */
 		msqids[i].u.msg_perm.mode = 0;
 #ifdef MAC
-		mac_init_sysv_msgqueue(&msqids[i]);
+		mac_sysvmsq_init(&msqids[i]);
 #endif
 	}
 	mtx_init(&msq_mtx, "msq", NULL, MTX_DEF);
@@ -269,9 +269,9 @@ msgunload()
 
 #ifdef MAC
 	for (i = 0; i < msginfo.msgtql; i++)
-		mac_destroy_sysv_msgmsg(&msghdrs[i]);
+		mac_sysvmsg_destroy(&msghdrs[i]);
 	for (msqid = 0; msqid < msginfo.msgmni; msqid++)
-		mac_destroy_sysv_msgqueue(&msqids[msqid]);
+		mac_sysvmsq_destroy(&msqids[msqid]);
 #endif
 	free(msgpool, M_MSG);
 	free(msgmaps, M_MSG);
@@ -369,7 +369,7 @@ msg_freehdr(msghdr)
 	msghdr->msg_next = free_msghdrs;
 	free_msghdrs = msghdr;
 #ifdef MAC
-	mac_cleanup_sysv_msgmsg(msghdr);
+	mac_sysvmsg_cleanup(msghdr);
 #endif
 }
 
@@ -435,7 +435,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
 		goto done2;
 	}
 #ifdef MAC
-	error = mac_check_sysv_msqctl(td->td_ucred, msqkptr, cmd);
+	error = mac_sysvmsq_check_msqctl(td->td_ucred, msqkptr, cmd);
 	if (error != 0)
 		goto done2;
 #endif
@@ -463,7 +463,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
 		 */
 		for (msghdr = msqkptr->u.msg_first; msghdr != NULL;
 		    msghdr = msghdr->msg_next) {
-			error = mac_check_sysv_msgrmid(td->td_ucred, msghdr);
+			error = mac_sysvmsq_check_msgrmid(td->td_ucred, msghdr);
 			if (error != 0)
 				goto done2;
 		}
@@ -490,7 +490,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
 		msqkptr->u.msg_qbytes = 0;	/* Mark it as free */
 
 #ifdef MAC
-		mac_cleanup_sysv_msgqueue(msqkptr);
+		mac_sysvmsq_cleanup(msqkptr);
 #endif
 
 		wakeup(msqkptr);
@@ -589,7 +589,7 @@ msgget(td, uap)
 				goto done2;
 			}
 #ifdef MAC
-			error = mac_check_sysv_msqget(cred, msqkptr);
+			error = mac_sysvmsq_check_msqget(cred, msqkptr);
 			if (error != 0)
 				goto done2;
 #endif
@@ -636,7 +636,7 @@ msgget(td, uap)
 		msqkptr->u.msg_rtime = 0;
 		msqkptr->u.msg_ctime = time_second;
 #ifdef MAC
-		mac_create_sysv_msgqueue(cred, msqkptr);
+		mac_sysvmsq_create(cred, msqkptr);
 #endif
 	} else {
 		DPRINTF(("didn't find it and wasn't asked to create it\n"));
@@ -705,7 +705,7 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
 	}
 
 #ifdef MAC
-	error = mac_check_sysv_msqsnd(td->td_ucred, msqkptr);
+	error = mac_sysvmsq_check_msqsnd(td->td_ucred, msqkptr);
 	if (error != 0)
 		goto done2;
 #endif
@@ -830,11 +830,11 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
 	msghdr->msg_type = mtype;
 #ifdef MAC
 	/*
-	 * XXXMAC: Should the mac_check_sysv_msgmsq check follow here
+	 * XXXMAC: Should the mac_sysvmsq_check_msgmsq check follow here
 	 * immediately?  Or, should it be checked just before the msg is
 	 * enqueued in the msgq (as it is done now)?
 	 */
-	mac_create_sysv_msgmsg(td->td_ucred, msqkptr, msghdr);
+	mac_sysvmsg_create(td->td_ucred, msqkptr, msghdr);
 #endif
 
 	/*
@@ -928,14 +928,14 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
 	 * Note: Since the task/thread allocates the msghdr and usually
 	 * primes it with its own MAC label, for a majority of policies, it
 	 * won't be necessary to check whether the msghdr has access
-	 * permissions to the msgq.  The mac_check_sysv_msqsnd check would
+	 * permissions to the msgq.  The mac_sysvmsq_check_msqsnd check would
 	 * suffice in that case.  However, this hook may be required where
 	 * individual policies derive a non-identical label for the msghdr
 	 * from the current thread label and may want to check the msghdr
 	 * enqueue permissions, along with read/write permissions to the
 	 * msgq.
 	 */
-	error = mac_check_sysv_msgmsq(td->td_ucred, msghdr, msqkptr);
+	error = mac_sysvmsq_check_msgmsq(td->td_ucred, msghdr, msqkptr);
 	if (error != 0) {
 		msg_freehdr(msghdr);
 		wakeup(msqkptr);
@@ -1042,7 +1042,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
 	}
 
 #ifdef MAC
-	error = mac_check_sysv_msqrcv(td->td_ucred, msqkptr);
+	error = mac_sysvmsq_check_msqrcv(td->td_ucred, msqkptr);
 	if (error != 0)
 		goto done2;
 #endif
@@ -1061,7 +1061,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
 					goto done2;
 				}
 #ifdef MAC
-				error = mac_check_sysv_msgrcv(td->td_ucred,
+				error = mac_sysvmsq_check_msgrcv(td->td_ucred,
 				    msghdr);
 				if (error != 0)
 					goto done2;
@@ -1106,7 +1106,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
 						goto done2;
 					}
 #ifdef MAC
-					error = mac_check_sysv_msgrcv(
+					error = mac_sysvmsq_check_msgrcv(
 					    td->td_ucred, msghdr);
 					if (error != 0)
 						goto done2;

sys/kern/sysv_sem.c

@@ -245,7 +245,7 @@ seminit(void)
 		sema[i].u.sem_perm.mode = 0;
 		sema[i].u.sem_perm.seq = 0;
 #ifdef MAC
-		mac_init_sysv_sem(&sema[i]);
+		mac_sysvsem_init(&sema[i]);
 #endif
 	}
 	for (i = 0; i < seminfo.semmni; i++)
@@ -271,7 +271,7 @@ semunload(void)
 	EVENTHANDLER_DEREGISTER(process_exit, semexit_tag);
 #ifdef MAC
 	for (i = 0; i < seminfo.semmni; i++)
-		mac_destroy_sysv_sem(&sema[i]);
+		mac_sysvsem_destroy(&sema[i]);
 #endif
 	free(sem, M_SEM);
 	free(sema, M_SEM);
@@ -639,7 +639,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd,
 		if ((error = ipcperm(td, &semakptr->u.sem_perm, IPC_R)))
 			goto done2;
 #ifdef MAC
-		error = mac_check_sysv_semctl(cred, semakptr, cmd);
+		error = mac_sysvsem_check_semctl(cred, semakptr, cmd);
 		if (error != 0)
 			goto done2;
 #endif
@@ -657,7 +657,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd,
 	sema_mtxp = &sema_mtx[semidx];
 	mtx_lock(sema_mtxp);
 #ifdef MAC
-	error = mac_check_sysv_semctl(cred, semakptr, cmd);
+	error = mac_sysvsem_check_semctl(cred, semakptr, cmd);
 	if (error != 0)
 		goto done2;
 #endif
@@ -683,7 +683,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd,
 		}
 		semakptr->u.sem_perm.mode = 0;
 #ifdef MAC
-		mac_cleanup_sysv_sem(semakptr);
+		mac_sysvsem_cleanup(semakptr);
 #endif
 		SEMUNDO_LOCK();
 		semundo_clear(semidx, -1);
@@ -906,7 +906,7 @@ semget(td, uap)
 				goto done2;
 			}
 #ifdef MAC
-			error = mac_check_sysv_semget(cred, &sema[semid]);
+			error = mac_sysvsem_check_semget(cred, &sema[semid]);
 			if (error != 0)
 				goto done2;
 #endif
@@ -955,7 +955,7 @@ semget(td, uap)
 		bzero(sema[semid].u.sem_base,
 		    sizeof(sema[semid].u.sem_base[0])*nsems);
 #ifdef MAC
-		mac_create_sysv_sem(cred, &sema[semid]);
+		mac_sysvsem_create(cred, &sema[semid]);
 #endif
 		DPRINTF(("sembase = %p, next = %p\n",
 		    sema[semid].u.sem_base, &sem[semtot]));
@@ -1063,7 +1063,7 @@ semop(td, uap)
 		goto done2;
 	}
 #ifdef MAC
-	error = mac_check_sysv_semop(td->td_ucred, semakptr, j);
+	error = mac_sysvsem_check_semop(td->td_ucred, semakptr, j);
 	if (error != 0)
 		goto done2;
 #endif

sys/kern/sysv_shm.c

@@ -255,7 +255,7 @@ shm_deallocate_segment(shmseg)
 	shm_nused--;
 	shmseg->u.shm_perm.mode = SHMSEG_FREE;
 #ifdef MAC
-	mac_cleanup_sysv_shm(shmseg);
+	mac_sysvshm_cleanup(shmseg);
 #endif
 }
 
@@ -322,7 +322,7 @@ shmdt(td, uap)
 	}
 #ifdef MAC
 	shmsegptr = &shmsegs[IPCID_TO_IX(shmmap_s->shmid)];
-	error = mac_check_sysv_shmdt(td->td_ucred, shmsegptr);
+	error = mac_sysvshm_check_shmdt(td->td_ucred, shmsegptr);
 	if (error != 0)
 		goto done2;
 #endif
@@ -377,7 +377,7 @@ kern_shmat(td, shmid, shmaddr, shmflg)
 	if (error)
 		goto done2;
 #ifdef MAC
-	error = mac_check_sysv_shmat(td->td_ucred, shmseg, shmflg);
+	error = mac_sysvshm_check_shmat(td->td_ucred, shmseg, shmflg);
 	if (error != 0)
 		goto done2;
 #endif
@@ -492,7 +492,7 @@ oshmctl(td, uap)
 		if (error)
 			goto done2;
 #ifdef MAC
-		error = mac_check_sysv_shmctl(td->td_ucred, shmseg, uap->cmd);
+		error = mac_sysvshm_check_shmctl(td->td_ucred, shmseg, uap->cmd);
 		if (error != 0)
 			goto done2;
 #endif
@@ -575,7 +575,7 @@ kern_shmctl(td, shmid, cmd, buf, bufsz)
 		goto done2;
 	}
 #ifdef MAC
-	error = mac_check_sysv_shmctl(td->td_ucred, shmseg, cmd);
+	error = mac_sysvshm_check_shmctl(td->td_ucred, shmseg, cmd);
 	if (error != 0)
 		goto done2;
 #endif
@@ -701,7 +701,7 @@ shmget_existing(td, uap, mode, segnum)
 	if ((uap->shmflg & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL))
 		return (EEXIST);
 #ifdef MAC
-	error = mac_check_sysv_shmget(td->td_ucred, shmseg, uap->shmflg);
+	error = mac_sysvshm_check_shmget(td->td_ucred, shmseg, uap->shmflg);
 	if (error != 0)
 		return (error);
 #endif
@@ -779,7 +779,7 @@ shmget_allocate_segment(td, uap, mode)
 	shmseg->u.shm_lpid = shmseg->u.shm_nattch = 0;
 	shmseg->u.shm_atime = shmseg->u.shm_dtime = 0;
 #ifdef MAC
-	mac_create_sysv_shm(cred, shmseg);
+	mac_sysvshm_create(cred, shmseg);
 #endif
 	shmseg->u.shm_ctime = time_second;
 	shm_committed += btoc(size);
@@ -911,7 +911,7 @@ shmrealloc(void)
 		shmsegs[i].u.shm_perm.mode = SHMSEG_FREE;
 		shmsegs[i].u.shm_perm.seq = 0;
 #ifdef MAC
-		mac_init_sysv_shm(&shmsegs[i]);
+		mac_sysvshm_init(&shmsegs[i]);
 #endif
 	}
 	free(shmsegs, M_SHM);
@@ -943,7 +943,7 @@ shminit()
 		shmsegs[i].u.shm_perm.mode = SHMSEG_FREE;
 		shmsegs[i].u.shm_perm.seq = 0;
 #ifdef MAC
-		mac_init_sysv_shm(&shmsegs[i]);
+		mac_sysvshm_init(&shmsegs[i]);
 #endif
 	}
 	shm_last_free = 0;
@@ -965,7 +965,7 @@ shmunload()
 
 #ifdef MAC
 	for (i = 0; i < shmalloced; i++)
-		mac_destroy_sysv_shm(&shmsegs[i]);
+		mac_sysvshm_destroy(&shmsegs[i]);
 #endif
 	free(shmsegs, M_SHM);
 	shmexit_hook = NULL;

sys/kern/uipc_mbuf2.c

@@ -309,7 +309,7 @@ m_tag_free_default(struct m_tag *t)
 {
 #ifdef MAC
 	if (t->m_tag_id == PACKET_TAG_MACLABEL)
-		mac_destroy_mbuf_tag(t);
+		mac_mbuf_tag_destroy(t);
 #endif
 	free(t, M_PACKET_TAGS);
 }
@@ -413,11 +413,11 @@ m_tag_copy(struct m_tag *t, int how)
 	 * special from the mbuf code?
 	 */
 	if (t->m_tag_id == PACKET_TAG_MACLABEL) {
-		if (mac_init_mbuf_tag(p, how) != 0) {
+		if (mac_mbuf_tag_init(p, how) != 0) {
 			m_tag_free(p);
 			return (NULL);
 		}
-		mac_copy_mbuf_tag(t, p);
+		mac_mbuf_tag_copy(t, p);
 	} else
 #endif
 		bcopy(t + 1, p + 1, t->m_tag_len); /* Copy the data */

sys/kern/uipc_sem.c

@@ -215,8 +215,8 @@ sem_create(struct thread *td, const char *name, struct ksem **ksret,
 	cv_init(&ret->ks_cv, "sem");
 	LIST_INIT(&ret->ks_users);
 #ifdef MAC
-	mac_init_posix_sem(ret);
-	mac_create_posix_sem(uc, ret);
+	mac_posixsem_init(ret);
+	mac_posixsem_create(uc, ret);
 #endif
 	if (name != NULL)
 		sem_enter(td->td_proc, ret);
@@ -381,7 +381,7 @@ kern_sem_open(struct thread *td, int dir, const char *name, int oflag,
 		}
 	} else {
 #ifdef MAC
-		error = mac_check_posix_sem_open(td->td_ucred, ks);
+		error = mac_posixsem_check_open(td->td_ucred, ks);
 		if (error)
 			goto err_open;
 #endif
@@ -540,7 +540,7 @@ kern_sem_unlink(struct thread *td, const char *name)
 	ks = sem_lookup_byname(name);
 	if (ks != NULL) {
 #ifdef MAC
-		error = mac_check_posix_sem_unlink(td->td_ucred, ks);
+		error = mac_posixsem_check_unlink(td->td_ucred, ks);
 		if (error) {
 			mtx_unlock(&sem_lock);
 			return (error);
@@ -614,7 +614,7 @@ kern_sem_post(struct thread *td, semid_t id)
 		goto err;
 	}
 #ifdef MAC
-	error = mac_check_posix_sem_post(td->td_ucred, ks);
+	error = mac_posixsem_check_post(td->td_ucred, ks);
 	if (error)
 		goto err;
 #endif
@@ -709,7 +709,7 @@ kern_sem_wait(struct thread *td, semid_t id, int tryflag,
 		goto err;
 	}
 #ifdef MAC
-	error = mac_check_posix_sem_wait(td->td_ucred, ks);
+	error = mac_posixsem_check_wait(td->td_ucred, ks);
 	if (error) {
 		DP(("kern_sem_wait mac failed\n"));
 		goto err;
@@ -772,7 +772,7 @@ ksem_getvalue(struct thread *td, struct ksem_getvalue_args *uap)
 		return (EINVAL);
 	}
 #ifdef MAC
-	error = mac_check_posix_sem_getvalue(td->td_ucred, ks);
+	error = mac_posixsem_check_getvalue(td->td_ucred, ks);
 	if (error) {
 		mtx_unlock(&sem_lock);
 		return (error);
@@ -804,7 +804,7 @@ ksem_destroy(struct thread *td, struct ksem_destroy_args *uap)
 		goto err;
 	}
 #ifdef MAC
-	error = mac_check_posix_sem_destroy(td->td_ucred, ks);
+	error = mac_posixsem_check_destroy(td->td_ucred, ks);
 	if (error)
 		goto err;
 #endif

sys/kern/uipc_socket.c

@@ -267,7 +267,7 @@ soalloc(void)
 	if (so == NULL)
 		return (NULL);
 #ifdef MAC
-	if (mac_init_socket(so, M_NOWAIT) != 0) {
+	if (mac_socket_init(so, M_NOWAIT) != 0) {
 		uma_zfree(socket_zone, so);
 		return (NULL);
 	}
@@ -312,7 +312,7 @@ sodealloc(struct socket *so)
 		do_setopt_accept_filter(so, NULL);
 #endif
 #ifdef MAC
-	mac_destroy_socket(so);
+	mac_socket_destroy(so);
 #endif
 	crfree(so->so_cred);
 	sx_destroy(&so->so_snd.sb_sx);
@@ -362,7 +362,7 @@ socreate(int dom, struct socket **aso, int type, int proto,
 	so->so_cred = crhold(cred);
 	so->so_proto = prp;
 #ifdef MAC
-	mac_create_socket(cred, so);
+	mac_socket_create(cred, so);
 #endif
 	knlist_init(&so->so_rcv.sb_sel.si_note, SOCKBUF_MTX(&so->so_rcv),
 	    NULL, NULL, NULL);
@@ -429,7 +429,7 @@ sonewconn(struct socket *head, int connstatus)
 	so->so_cred = crhold(head->so_cred);
 #ifdef MAC
 	SOCK_LOCK(head);
-	mac_create_socket_from_socket(head, so);
+	mac_socket_newconn(head, so);
 	SOCK_UNLOCK(head);
 #endif
 	knlist_init(&so->so_rcv.sb_sel.si_note, SOCKBUF_MTX(&so->so_rcv),

sys/kern/uipc_syscalls.c

@@ -165,7 +165,7 @@ socket(td, uap)
 	int fd, error;
 
 #ifdef MAC
-	error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
+	error = mac_socket_check_create(td->td_ucred, uap->domain, uap->type,
 	    uap->protocol);
 	if (error)
 		return (error);
@@ -229,7 +229,7 @@ kern_bind(td, fd, sa)
 	so = fp->f_data;
 #ifdef MAC
 	SOCK_LOCK(so);
-	error = mac_check_socket_bind(td->td_ucred, so, sa);
+	error = mac_socket_check_bind(td->td_ucred, so, sa);
 	SOCK_UNLOCK(so);
 	if (error)
 		goto done;
@@ -260,7 +260,7 @@ listen(td, uap)
 		so = fp->f_data;
 #ifdef MAC
 		SOCK_LOCK(so);
-		error = mac_check_socket_listen(td->td_ucred, so);
+		error = mac_socket_check_listen(td->td_ucred, so);
 		SOCK_UNLOCK(so);
 		if (error)
 			goto done;
@@ -360,7 +360,7 @@ kern_accept(struct thread *td, int s, struct sockaddr **name,
 	}
 #ifdef MAC
 	SOCK_LOCK(head);
-	error = mac_check_socket_accept(td->td_ucred, head);
+	error = mac_socket_check_accept(td->td_ucred, head);
 	SOCK_UNLOCK(head);
 	if (error != 0)
 		goto done;
@@ -550,7 +550,7 @@ kern_connect(td, fd, sa)
 	}
 #ifdef MAC
 	SOCK_LOCK(so);
-	error = mac_check_socket_connect(td->td_ucred, so, sa);
+	error = mac_socket_check_connect(td->td_ucred, so, sa);
 	SOCK_UNLOCK(so);
 	if (error)
 		goto bad;
@@ -604,7 +604,7 @@ socketpair(td, uap)
 
 #ifdef MAC
 	/* We might want to have a separate check for socket pairs. */
-	error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
+	error = mac_socket_check_create(td->td_ucred, uap->domain, uap->type,
 	    uap->protocol);
 	if (error)
 		return (error);
@@ -761,7 +761,7 @@ kern_sendit(td, s, mp, flags, control, segflg)
 
 #ifdef MAC
 	SOCK_LOCK(so);
-	error = mac_check_socket_send(td->td_ucred, so);
+	error = mac_socket_check_send(td->td_ucred, so);
 	SOCK_UNLOCK(so);
 	if (error)
 		goto bad;
@@ -956,7 +956,7 @@ kern_recvit(td, s, mp, fromseg, controlp)
 
 #ifdef MAC
 	SOCK_LOCK(so);
-	error = mac_check_socket_receive(td->td_ucred, so);
+	error = mac_socket_check_receive(td->td_ucred, so);
 	SOCK_UNLOCK(so);
 	if (error) {
 		fdrop(fp, td);
@@ -1849,7 +1849,7 @@ kern_sendfile(struct thread *td, struct sendfile_args *uap,
 
 #ifdef MAC
 	SOCK_LOCK(so);
-	error = mac_check_socket_send(td->td_ucred, so);
+	error = mac_socket_check_send(td->td_ucred, so);
 	SOCK_UNLOCK(so);
 	if (error)
 		goto out;
@@ -2354,7 +2354,7 @@ sctp_generic_sendmsg (td, uap)
 	so = (struct socket *)fp->f_data;
 #ifdef MAC
 	SOCK_LOCK(so);
-	error = mac_check_socket_send(td->td_ucred, so);
+	error = mac_socket_check_send(td->td_ucred, so);
 	SOCK_UNLOCK(so);
 	if (error)
 		goto sctp_bad;
@@ -2454,7 +2454,7 @@ sctp_generic_sendmsg_iov(td, uap)
 	so = (struct socket *)fp->f_data;
 #ifdef MAC
 	SOCK_LOCK(so);
-	error = mac_check_socket_send(td->td_ucred, so);
+	error = mac_socket_check_send(td->td_ucred, so);
 	SOCK_UNLOCK(so);
 	if (error)
 		goto sctp_bad;
@@ -2551,7 +2551,7 @@ sctp_generic_recvmsg(td, uap)
 	so = fp->f_data;
 #ifdef MAC
 	SOCK_LOCK(so);
-	error = mac_check_socket_receive(td->td_ucred, so);
+	error = mac_socket_check_receive(td->td_ucred, so);
 	SOCK_UNLOCK(so);
 	if (error) {
 		goto out;

sys/kern/uipc_usrreq.c

@@ -449,7 +449,7 @@ restart:
 	vattr.va_type = VSOCK;
 	vattr.va_mode = (ACCESSPERMS & ~td->td_proc->p_fd->fd_cmask);
 #ifdef MAC
-	error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
+	error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
 	    &vattr);
 #endif
 	if (error == 0) {
@@ -1159,7 +1159,7 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 		goto bad;
 	}
 #ifdef MAC
-	error = mac_check_vnode_open(td->td_ucred, vp, VWRITE | VREAD);
+	error = mac_vnode_check_open(td->td_ucred, vp, VWRITE | VREAD);
 	if (error)
 		goto bad;
 #endif
@@ -1236,8 +1236,8 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 		UNP_PCB_UNLOCK(unp);
 #ifdef MAC
 		SOCK_LOCK(so);
-		mac_set_socket_peer_from_socket(so, so3);
-		mac_set_socket_peer_from_socket(so3, so);
+		mac_socketpeer_set_from_socket(so, so3);
+		mac_socketpeer_set_from_socket(so3, so);
 		SOCK_UNLOCK(so);
 #endif
 

sys/kern/vfs_acl.c

@@ -93,7 +93,7 @@ vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type,
 	VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
-	error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl);
+	error = mac_vnode_check_setacl(td->td_ucred, vp, type, &inkernacl);
 	if (error != 0)
 		goto out;
 #endif
@@ -119,7 +119,7 @@ vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type,
 	VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
-	error = mac_check_vnode_getacl(td->td_ucred, vp, type);
+	error = mac_vnode_check_getacl(td->td_ucred, vp, type);
 	if (error != 0)
 		goto out;
 #endif
@@ -148,7 +148,7 @@ vacl_delete(struct thread *td, struct vnode *vp, acl_type_t type)
 	VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
-	error = mac_check_vnode_deleteacl(td->td_ucred, vp, type);
+	error = mac_vnode_check_deleteacl(td->td_ucred, vp, type);
 	if (error)
 		goto out;
 #endif

sys/kern/vfs_extattr.c

@@ -180,7 +180,7 @@ extattr_set_vp(struct vnode *vp, int attrnamespace, const char *attrname,
 	cnt = nbytes;
 
 #ifdef MAC
-	error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace,
+	error = mac_vnode_check_setextattr(td->td_ucred, vp, attrnamespace,
 	    attrname, &auio);
 	if (error)
 		goto done;
@@ -358,7 +358,7 @@ extattr_get_vp(struct vnode *vp, int attrnamespace, const char *attrname,
 		sizep = &size;
 
 #ifdef MAC
-	error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace,
+	error = mac_vnode_check_getextattr(td->td_ucred, vp, attrnamespace,
 	    attrname, &auio);
 	if (error)
 		goto done;
@@ -512,7 +512,7 @@ extattr_delete_vp(struct vnode *vp, int attrnamespace, const char *attrname,
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 
 #ifdef MAC
-	error = mac_check_vnode_deleteextattr(td->td_ucred, vp, attrnamespace,
+	error = mac_vnode_check_deleteextattr(td->td_ucred, vp, attrnamespace,
 	    attrname);
 	if (error)
 		goto done;
@@ -676,7 +676,7 @@ extattr_list_vp(struct vnode *vp, int attrnamespace, void *data,
 		sizep = &size;
 
 #ifdef MAC
-	error = mac_check_vnode_listextattr(td->td_ucred, vp, attrnamespace);
+	error = mac_vnode_check_listextattr(td->td_ucred, vp, attrnamespace);
 	if (error)
 		goto done;
 #endif

sys/kern/vfs_lookup.c

@@ -252,7 +252,7 @@ namei(struct nameidata *ndp)
 		}
 #ifdef MAC
 		if ((cnp->cn_flags & NOMACCHECK) == 0) {
-			error = mac_check_vnode_readlink(td->td_ucred,
+			error = mac_vnode_check_readlink(td->td_ucred,
 			    ndp->ni_vp);
 			if (error)
 				break;
@@ -556,7 +556,7 @@ dirloop:
 unionlookup:
 #ifdef MAC
 	if ((cnp->cn_flags & NOMACCHECK) == 0) {
-		error = mac_check_vnode_lookup(td->td_ucred, dp, cnp);
+		error = mac_vnode_check_lookup(td->td_ucred, dp, cnp);
 		if (error)
 			goto bad;
 	}

sys/kern/vfs_mount.c

@@ -488,8 +488,8 @@ vfs_mount_alloc(struct vnode *vp, struct vfsconf *vfsp,
 	strlcpy(mp->mnt_stat.f_mntonname, fspath, MNAMELEN);
 	mp->mnt_iosize_max = DFLTPHYS;
 #ifdef MAC
-	mac_init_mount(mp);
-	mac_create_mount(td->td_ucred, mp);
+	mac_mount_init(mp);
+	mac_mount_create(td->td_ucred, mp);
 #endif
 	arc4rand(&mp->mnt_hashseed, sizeof mp->mnt_hashseed, 0);
 	return (mp);
@@ -567,7 +567,7 @@ vfs_mount_destroy(struct mount *mp)
 	mp->mnt_secondary_writes = -1000;
 	MNT_IUNLOCK(mp);
 #ifdef MAC
-	mac_destroy_mount(mp);
+	mac_mount_destroy(mp);
 #endif
 	if (mp->mnt_opt != NULL)
 		vfs_freeopts(mp->mnt_opt);

sys/kern/vfs_subr.c

@@ -811,7 +811,7 @@ vdestroy(struct vnode *vp)
 	VNASSERT(LIST_EMPTY(&vp->v_cache_src), vp, ("vp has namecache src"));
 	VI_UNLOCK(vp);
 #ifdef MAC
-	mac_destroy_vnode(vp);
+	mac_vnode_destroy(vp);
 #endif
 	if (vp->v_pollinfo != NULL) {
 		knlist_destroy(&vp->v_pollinfo->vpi_selinfo.si_note);
@@ -955,9 +955,9 @@ alloc:
 	v_incr_usecount(vp);
 	vp->v_data = 0;
 #ifdef MAC
-	mac_init_vnode(vp);
+	mac_vnode_init(vp);
 	if (mp != NULL && (mp->mnt_flag & MNT_MULTILABEL) == 0)
-		mac_associate_vnode_singlelabel(mp, vp);
+		mac_vnode_associate_singlelabel(mp, vp);
 	else if (mp == NULL)
 		printf("NULL mp in getnewvnode()\n");
 #endif

sys/kern/vfs_syscalls.c

@@ -293,7 +293,7 @@ kern_statfs(struct thread *td, char *path, enum uio_seg pathseg,
 	NDFREE(&nd, NDF_ONLY_PNBUF);
 	vput(nd.ni_vp);
 #ifdef MAC
-	error = mac_check_mount_stat(td->td_ucred, mp);
+	error = mac_mount_check_stat(td->td_ucred, mp);
 	if (error)
 		goto out;
 #endif
@@ -378,7 +378,7 @@ kern_fstatfs(struct thread *td, int fd, struct statfs *buf)
 		goto out;
 	}
 #ifdef MAC
-	error = mac_check_mount_stat(td->td_ucred, mp);
+	error = mac_mount_check_stat(td->td_ucred, mp);
 	if (error)
 		goto out;
 #endif
@@ -470,7 +470,7 @@ kern_getfsstat(struct thread *td, struct statfs **buf, size_t bufsize,
 			continue;
 		}
 #ifdef MAC
-		if (mac_check_mount_stat(td->td_ucred, mp) != 0) {
+		if (mac_mount_check_stat(td->td_ucred, mp) != 0) {
 			nmp = TAILQ_NEXT(mp, mnt_list);
 			continue;
 		}
@@ -891,7 +891,7 @@ chroot(td, uap)
 	if ((error = change_dir(nd.ni_vp, td)) != 0)
 		goto e_vunlock;
 #ifdef MAC
-	if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp)))
+	if ((error = mac_vnode_check_chroot(td->td_ucred, nd.ni_vp)))
 		goto e_vunlock;
 #endif
 	VOP_UNLOCK(nd.ni_vp, 0, td);
@@ -923,7 +923,7 @@ change_dir(vp, td)
 	if (vp->v_type != VDIR)
 		return (ENOTDIR);
 #ifdef MAC
-	error = mac_check_vnode_chdir(td->td_ucred, vp);
+	error = mac_vnode_check_chdir(td->td_ucred, vp);
 	if (error)
 		return (error);
 #endif
@@ -933,8 +933,8 @@ change_dir(vp, td)
 
 /*
  * Common routine for kern_chroot() and jail_attach().  The caller is
- * responsible for invoking priv_check() and mac_check_chroot() to authorize
- * this operation.
+ * responsible for invoking priv_check() and mac_vnode_check_chroot() to
+ * authorize this operation.
  */
 int
 change_root(vp, td)
@@ -1103,7 +1103,7 @@ kern_open(struct thread *td, char *path, enum uio_seg pathseg, int flags,
 		vat.va_size = 0;
 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 #ifdef MAC
-		error = mac_check_vnode_write(td->td_ucred, fp->f_cred, vp);
+		error = mac_vnode_check_write(td->td_ucred, fp->f_cred, vp);
 		if (error == 0)
 #endif
 			error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
@@ -1258,7 +1258,7 @@ restart:
 	}
 #ifdef MAC
 	if (error == 0 && !whiteout)
-		error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp,
+		error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp,
 		    &nd.ni_cnd, &vattr);
 #endif
 	if (!error) {
@@ -1341,7 +1341,7 @@ restart:
 	vattr.va_mode = (mode & ALLPERMS) & ~td->td_proc->p_fd->fd_cmask;
 	FILEDESC_SUNLOCK(td->td_proc->p_fd);
 #ifdef MAC
-	error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
+	error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
 	    &vattr);
 	if (error)
 		goto out;
@@ -1467,7 +1467,7 @@ kern_link(struct thread *td, char *path, char *link, enum uio_seg segflg)
 			error = can_hardlink(vp, td, td->td_ucred);
 			if (error == 0)
 #ifdef MAC
-				error = mac_check_vnode_link(td->td_ucred,
+				error = mac_vnode_check_link(td->td_ucred,
 				    nd.ni_dvp, vp, &nd.ni_cnd);
 			if (error == 0)
 #endif
@@ -1555,7 +1555,7 @@ restart:
 	FILEDESC_SUNLOCK(td->td_proc->p_fd);
 #ifdef MAC
 	vattr.va_type = VLNK;
-	error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
+	error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
 	    &vattr);
 	if (error)
 		goto out2;
@@ -1693,7 +1693,7 @@ restart:
 			goto restart;
 		}
 #ifdef MAC
-		error = mac_check_vnode_unlink(td->td_ucred, nd.ni_dvp, vp,
+		error = mac_vnode_check_unlink(td->td_ucred, nd.ni_dvp, vp,
 		    &nd.ni_cnd);
 		if (error)
 			goto out;
@@ -1872,7 +1872,7 @@ vn_access(vp, user_flags, cred, td)
 		if (user_flags & X_OK)
 			flags |= VEXEC;
 #ifdef MAC
-		error = mac_check_vnode_access(cred, vp, flags);
+		error = mac_vnode_check_access(cred, vp, flags);
 		if (error)
 			return (error);
 #endif
@@ -2341,7 +2341,7 @@ kern_readlink(struct thread *td, char *path, enum uio_seg pathseg, char *buf,
 	vfslocked = NDHASGIANT(&nd);
 	vp = nd.ni_vp;
 #ifdef MAC
-	error = mac_check_vnode_readlink(td->td_ucred, vp);
+	error = mac_vnode_check_readlink(td->td_ucred, vp);
 	if (error) {
 		vput(vp);
 		VFS_UNLOCK_GIANT(vfslocked);
@@ -2400,7 +2400,7 @@ setfflags(td, vp, flags)
 	VATTR_NULL(&vattr);
 	vattr.va_flags = flags;
 #ifdef MAC
-	error = mac_check_vnode_setflags(td->td_ucred, vp, vattr.va_flags);
+	error = mac_vnode_check_setflags(td->td_ucred, vp, vattr.va_flags);
 	if (error == 0)
 #endif
 		error = VOP_SETATTR(vp, &vattr, td->td_ucred, td);
@@ -2528,7 +2528,7 @@ setfmode(td, vp, mode)
 	VATTR_NULL(&vattr);
 	vattr.va_mode = mode & ALLPERMS;
 #ifdef MAC
-	error = mac_check_vnode_setmode(td->td_ucred, vp, vattr.va_mode);
+	error = mac_vnode_check_setmode(td->td_ucred, vp, vattr.va_mode);
 	if (error == 0)
 #endif
 		error = VOP_SETATTR(vp, &vattr, td->td_ucred, td);
@@ -2670,7 +2670,7 @@ setfown(td, vp, uid, gid)
 	vattr.va_uid = uid;
 	vattr.va_gid = gid;
 #ifdef MAC
-	error = mac_check_vnode_setowner(td->td_ucred, vp, vattr.va_uid,
+	error = mac_vnode_check_setowner(td->td_ucred, vp, vattr.va_uid,
 	    vattr.va_gid);
 	if (error == 0)
 #endif
@@ -2873,7 +2873,7 @@ setutimes(td, vp, ts, numtimes, nullflag)
 	if (nullflag)
 		vattr.va_vaflags |= VA_UTIMES_NULL;
 #ifdef MAC
-	error = mac_check_vnode_setutimes(td->td_ucred, vp, vattr.va_atime,
+	error = mac_vnode_check_setutimes(td->td_ucred, vp, vattr.va_atime,
 	    vattr.va_mtime);
 #endif
 	if (error == 0)
@@ -3069,7 +3069,7 @@ kern_truncate(struct thread *td, char *path, enum uio_seg pathseg, off_t length)
 	if (vp->v_type == VDIR)
 		error = EISDIR;
 #ifdef MAC
-	else if ((error = mac_check_vnode_write(td->td_ucred, NOCRED, vp))) {
+	else if ((error = mac_vnode_check_write(td->td_ucred, NOCRED, vp))) {
 	}
 #endif
 	else if ((error = vn_writechk(vp)) == 0 &&
@@ -3129,7 +3129,7 @@ ftruncate(td, uap)
 	if (vp->v_type == VDIR)
 		error = EISDIR;
 #ifdef MAC
-	else if ((error = mac_check_vnode_write(td->td_ucred, fp->f_cred,
+	else if ((error = mac_vnode_check_write(td->td_ucred, fp->f_cred,
 	    vp))) {
 	}
 #endif
@@ -3315,7 +3315,7 @@ kern_rename(struct thread *td, char *from, char *to, enum uio_seg pathseg)
 	fvfslocked = NDHASGIANT(&fromnd);
 	tvfslocked = 0;
 #ifdef MAC
-	error = mac_check_vnode_rename_from(td->td_ucred, fromnd.ni_dvp,
+	error = mac_vnode_check_rename_from(td->td_ucred, fromnd.ni_dvp,
 	    fromnd.ni_vp, &fromnd.ni_cnd);
 	VOP_UNLOCK(fromnd.ni_dvp, 0, td);
 	if (fromnd.ni_dvp != fromnd.ni_vp)
@@ -3366,7 +3366,7 @@ kern_rename(struct thread *td, char *from, char *to, enum uio_seg pathseg)
 		error = -1;
 #ifdef MAC
 	else
-		error = mac_check_vnode_rename_to(td->td_ucred, tdvp,
+		error = mac_vnode_check_rename_to(td->td_ucred, tdvp,
 		    tond.ni_vp, fromnd.ni_dvp == tdvp, &tond.ni_cnd);
 #endif
 out:
@@ -3476,7 +3476,7 @@ restart:
 	vattr.va_mode = (mode & ACCESSPERMS) &~ td->td_proc->p_fd->fd_cmask;
 	FILEDESC_SUNLOCK(td->td_proc->p_fd);
 #ifdef MAC
-	error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
+	error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
 	    &vattr);
 	if (error)
 		goto out;
@@ -3550,7 +3550,7 @@ restart:
 		goto out;
 	}
 #ifdef MAC
-	error = mac_check_vnode_unlink(td->td_ucred, nd.ni_dvp, vp,
+	error = mac_vnode_check_unlink(td->td_ucred, nd.ni_dvp, vp,
 	    &nd.ni_cnd);
 	if (error)
 		goto out;
@@ -3641,7 +3641,7 @@ unionread:
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 	loff = auio.uio_offset = fp->f_offset;
 #ifdef MAC
-	error = mac_check_vnode_readdir(td->td_ucred, vp);
+	error = mac_vnode_check_readdir(td->td_ucred, vp);
 	if (error) {
 		VOP_UNLOCK(vp, 0, td);
 		VFS_UNLOCK_GIANT(vfslocked);
@@ -3785,7 +3785,7 @@ unionread:
 	AUDIT_ARG(vnode, vp, ARG_VNODE1);
 	loff = auio.uio_offset = fp->f_offset;
 #ifdef MAC
-	error = mac_check_vnode_readdir(td->td_ucred, vp);
+	error = mac_vnode_check_readdir(td->td_ucred, vp);
 	if (error == 0)
 #endif
 		error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, NULL,
@@ -3903,7 +3903,7 @@ revoke(td, uap)
 		goto out;
 	}
 #ifdef MAC
-	error = mac_check_vnode_revoke(td->td_ucred, vp);
+	error = mac_vnode_check_revoke(td->td_ucred, vp);
 	if (error)
 		goto out;
 #endif
@@ -4126,7 +4126,7 @@ fhopen(td, uap)
 	if (fmode & O_APPEND)
 		mode |= VAPPEND;
 #ifdef MAC
-	error = mac_check_vnode_open(td->td_ucred, vp, mode);
+	error = mac_vnode_check_open(td->td_ucred, vp, mode);
 	if (error)
 		goto bad;
 #endif
@@ -4148,7 +4148,7 @@ fhopen(td, uap)
 		 * We don't yet have fp->f_cred, so use td->td_ucred, which
 		 * should be right.
 		 */
-		error = mac_check_vnode_write(td->td_ucred, td->td_ucred, vp);
+		error = mac_vnode_check_write(td->td_ucred, td->td_ucred, vp);
 		if (error == 0) {
 #endif
 			VATTR_NULL(vap);
@@ -4337,7 +4337,7 @@ kern_fhstatfs(struct thread *td, fhandle_t fh, struct statfs *buf)
 	if (error)
 		goto out;
 #ifdef MAC
-	error = mac_check_mount_stat(td->td_ucred, mp);
+	error = mac_mount_check_stat(td->td_ucred, mp);
 	if (error)
 		goto out;
 #endif

sys/kern/vfs_vnops.c

@@ -148,7 +148,7 @@ restart:
 				goto restart;
 			}
 #ifdef MAC
-			error = mac_check_vnode_create(cred, ndp->ni_dvp,
+			error = mac_vnode_check_create(cred, ndp->ni_dvp,
 			    &ndp->ni_cnd, vap);
 			if (error == 0) {
 #endif
@@ -213,7 +213,7 @@ restart:
 	if (fmode & O_APPEND)
 		mode |= VAPPEND;
 #ifdef MAC
-	error = mac_check_vnode_open(cred, vp, mode);
+	error = mac_vnode_check_open(cred, vp, mode);
 	if (error)
 		goto bad;
 #endif
@@ -387,10 +387,10 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred,
 #ifdef MAC
 	if ((ioflg & IO_NOMACCHECK) == 0) {
 		if (rw == UIO_READ)
-			error = mac_check_vnode_read(active_cred, file_cred,
+			error = mac_vnode_check_read(active_cred, file_cred,
 			    vp);
 		else
-			error = mac_check_vnode_write(active_cred, file_cred,
+			error = mac_vnode_check_write(active_cred, file_cred,
 			    vp);
 	}
 #endif
@@ -520,7 +520,7 @@ vn_read(fp, uio, active_cred, flags, td)
 	ioflag |= sequential_heuristic(uio, fp);
 
 #ifdef MAC
-	error = mac_check_vnode_read(active_cred, fp->f_cred, vp);
+	error = mac_vnode_check_read(active_cred, fp->f_cred, vp);
 	if (error == 0)
 #endif
 		error = VOP_READ(vp, uio, ioflag, fp->f_cred);
@@ -580,7 +580,7 @@ vn_write(fp, uio, active_cred, flags, td)
 		uio->uio_offset = fp->f_offset;
 	ioflag |= sequential_heuristic(uio, fp);
 #ifdef MAC
-	error = mac_check_vnode_write(active_cred, fp->f_cred, vp);
+	error = mac_vnode_check_write(active_cred, fp->f_cred, vp);
 	if (error == 0)
 #endif
 		error = VOP_WRITE(vp, uio, ioflag, fp->f_cred);
@@ -635,7 +635,7 @@ vn_stat(vp, sb, active_cred, file_cred, td)
 	u_short mode;
 
 #ifdef MAC
-	error = mac_check_vnode_stat(active_cred, file_cred, vp);
+	error = mac_vnode_check_stat(active_cred, file_cred, vp);
 	if (error)
 		return (error);
 #endif
@@ -783,7 +783,7 @@ vn_poll(fp, events, active_cred, td)
 	vfslocked = VFS_LOCK_GIANT(vp->v_mount);
 #ifdef MAC
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
-	error = mac_check_vnode_poll(active_cred, fp->f_cred, vp);
+	error = mac_vnode_check_poll(active_cred, fp->f_cred, vp);
 	VOP_UNLOCK(vp, 0, td);
 	if (!error)
 #endif

sys/net/bpf.c

@@ -416,8 +416,8 @@ bpfopen(struct cdev *dev, int flags, int fmt, struct thread *td)
 	d->bd_direction = BPF_D_INOUT;
 	d->bd_pid = td->td_proc->p_pid;
 #ifdef MAC
-	mac_init_bpfdesc(d);
-	mac_create_bpfdesc(td->td_ucred, d);
+	mac_bpfdesc_init(d);
+	mac_bpfdesc_create(td->td_ucred, d);
 #endif
 	mtx_init(&d->bd_mtx, devtoname(dev), "bpf cdev lock", MTX_DEF);
 	callout_init(&d->bd_callout, CALLOUT_MPSAFE);
@@ -448,7 +448,7 @@ bpfclose(struct cdev *dev, int flags, int fmt, struct thread *td)
 	mtx_unlock(&bpf_mtx);
 	selwakeuppri(&d->bd_sel, PRINET);
 #ifdef MAC
-	mac_destroy_bpfdesc(d);
+	mac_bpfdesc_destroy(d);
 #endif /* MAC */
 	knlist_destroy(&d->bd_sel.si_note);
 	bpf_freed(d);
@@ -656,9 +656,9 @@ bpfwrite(struct cdev *dev, struct uio *uio, int ioflag)
 
 #ifdef MAC
 	BPFD_LOCK(d);
-	mac_create_mbuf_from_bpfdesc(d, m);
+	mac_bpfdesc_create_mbuf(d, m);
 	if (mc != NULL)
-		mac_create_mbuf_from_bpfdesc(d, mc);
+		mac_bpfdesc_create_mbuf(d, mc);
 	BPFD_UNLOCK(d);
 #endif
 
@@ -1299,7 +1299,7 @@ bpf_tap(struct bpf_if *bp, u_char *pkt, u_int pktlen)
 				gottime = 1;
 			}
 #ifdef MAC
-			if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0)
+			if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)
 #endif
 				catchpacket(d, pkt, pktlen, slen, bcopy, &tv);
 		}
@@ -1378,7 +1378,7 @@ bpf_mtap(struct bpf_if *bp, struct mbuf *m)
 				gottime = 1;
 			}
 #ifdef MAC
-			if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0)
+			if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)
 #endif
 				catchpacket(d, (u_char *)m, pktlen, slen,
 				    bpf_mcopy, &tv);
@@ -1433,7 +1433,7 @@ bpf_mtap2(struct bpf_if *bp, void *data, u_int dlen, struct mbuf *m)
 				gottime = 1;
 			}
 #ifdef MAC
-			if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0)
+			if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)
 #endif
 				catchpacket(d, (u_char *)&mb, pktlen, slen,
 				    bpf_mcopy, &tv);

sys/net/bsd_comp.c

@@ -881,7 +881,7 @@ bsd_decompress(state, cmp, dmpp)
     wptr = mtod(dmp, u_char *);
     space = M_TRAILINGSPACE(dmp) - PPP_HDRLEN + 1;
 #ifdef MAC
-    mac_copy_mbuf(cmp, dmp);
+    mac_mbuf_copy(cmp, dmp);
 #endif
 
     /*

sys/net/if.c

@@ -478,8 +478,8 @@ if_attach(struct ifnet *ifp)
 	ifp->if_data.ifi_datalen = sizeof(struct if_data);
 
 #ifdef MAC
-	mac_init_ifnet(ifp);
-	mac_create_ifnet(ifp);
+	mac_ifnet_init(ifp);
+	mac_ifnet_create(ifp);
 #endif
 
 	ifdev_byindex(ifp->if_index) = make_dev(&net_cdevsw,
@@ -758,7 +758,7 @@ if_detach(struct ifnet *ifp)
 	IF_AFDATA_UNLOCK(ifp);
 
 #ifdef MAC
-	mac_destroy_ifnet(ifp);
+	mac_ifnet_destroy(ifp);
 #endif /* MAC */
 	KNOTE_UNLOCKED(&ifp->if_klist, NOTE_EXIT);
 	knlist_clear(&ifp->if_klist, 0);
@@ -1534,7 +1534,7 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
 
 #ifdef MAC
 	case SIOCGIFMAC:
-		error = mac_ioctl_ifnet_get(td->td_ucred, ifr, ifp);
+		error = mac_ifnet_ioctl_get(td->td_ucred, ifr, ifp);
 		break;
 #endif
 
@@ -1610,7 +1610,7 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
 
 #ifdef MAC
 	case SIOCSIFMAC:
-		error = mac_ioctl_ifnet_set(td->td_ucred, ifr, ifp);
+		error = mac_ifnet_ioctl_set(td->td_ucred, ifr, ifp);
 		break;
 #endif
 

sys/net/if_atmsubr.c

@@ -134,7 +134,7 @@ atm_output(struct ifnet *ifp, struct mbuf *m0, struct sockaddr *dst,
 	u_int32_t atm_flags;
 
 #ifdef MAC
-	error = mac_check_ifnet_transmit(ifp, m);
+	error = mac_ifnet_check_transmit(ifp, m);
 	if (error)
 		senderr(error);
 #endif
@@ -261,7 +261,7 @@ atm_input(struct ifnet *ifp, struct atm_pseudohdr *ah, struct mbuf *m,
 		return;
 	}
 #ifdef MAC
-	mac_create_mbuf_from_ifnet(ifp, m);
+	mac_ifnet_create_mbuf(ifp, m);
 #endif
 	ifp->if_ibytes += m->m_pkthdr.len;
 

sys/net/if_ethersubr.c

@@ -157,7 +157,7 @@ ether_output(struct ifnet *ifp, struct mbuf *m,
 	int hlen;	/* link layer header length */
 
 #ifdef MAC
-	error = mac_check_ifnet_transmit(ifp, m);
+	error = mac_ifnet_check_transmit(ifp, m);
 	if (error)
 		senderr(error);
 #endif
@@ -570,7 +570,7 @@ ether_input(struct ifnet *ifp, struct mbuf *m)
 	 * Tag the mbuf with an appropriate MAC label before any other
 	 * consumers can get to it.
 	 */
-	mac_create_mbuf_from_ifnet(ifp, m);
+	mac_ifnet_create_mbuf(ifp, m);
 #endif
 
 	/*

sys/net/if_fddisubr.c

@@ -121,7 +121,7 @@ fddi_output(ifp, m, dst, rt0)
 	struct fddi_header *fh;
 
 #ifdef MAC
-	error = mac_check_ifnet_transmit(ifp, m);
+	error = mac_ifnet_check_transmit(ifp, m);
 	if (error)
 		senderr(error);
 #endif
@@ -407,7 +407,7 @@ fddi_input(ifp, m)
 	}
 
 #ifdef MAC
-	mac_create_mbuf_from_ifnet(ifp, m);
+	mac_ifnet_create_mbuf(ifp, m);
 #endif
 
 	/*

sys/net/if_fwsubr.c

@@ -91,7 +91,7 @@ firewire_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
 	static int next_dgl;
 
 #ifdef MAC
-	error = mac_check_ifnet_transmit(ifp, m);
+	error = mac_ifnet_check_transmit(ifp, m);
 	if (error)
 		goto bad;
 #endif
@@ -557,7 +557,7 @@ firewire_input(struct ifnet *ifp, struct mbuf *m, uint16_t src)
 	 * Tag the mbuf with an appropriate MAC label before any other
 	 * consumers can get to it.
 	 */
-	mac_create_mbuf_from_ifnet(ifp, m);
+	mac_ifnet_create_mbuf(ifp, m);
 #endif
 
 	/*

sys/net/if_gif.c

@@ -360,7 +360,7 @@ gif_output(ifp, m, dst, rt)
 	u_int32_t af;
 
 #ifdef MAC
-	error = mac_check_ifnet_transmit(ifp, m);
+	error = mac_ifnet_check_transmit(ifp, m);
 	if (error) {
 		m_freem(m);
 		goto end;
@@ -479,7 +479,7 @@ gif_input(m, af, ifp)
 	m->m_pkthdr.rcvif = ifp;
 
 #ifdef MAC
-	mac_create_mbuf_from_ifnet(ifp, m);
+	mac_ifnet_create_mbuf(ifp, m);
 #endif
 
 	if (bpf_peers_present(ifp->if_bpf)) {

sys/net/if_iso88025subr.c

@@ -244,7 +244,7 @@ iso88025_output(ifp, m, dst, rt0)
 	struct rtentry *rt = NULL;
 
 #ifdef MAC
-	error = mac_check_ifnet_transmit(ifp, m);
+	error = mac_ifnet_check_transmit(ifp, m);
 	if (error)
 		senderr(error);
 #endif
@@ -503,7 +503,7 @@ iso88025_input(ifp, m)
 	}
 
 #ifdef MAC
-	mac_create_mbuf_from_ifnet(ifp, m);
+	mac_ifnet_create_mbuf(ifp, m);
 #endif
 
 	/*

sys/net/if_ppp.c

@@ -815,7 +815,7 @@ pppoutput(ifp, m0, dst, rtp)
     int len;
 
 #ifdef MAC
-    error = mac_check_ifnet_transmit(ifp, m0);
+    error = mac_ifnet_check_transmit(ifp, m0);
     if (error)
 	goto bad;
 #endif
@@ -1231,7 +1231,7 @@ pppintr()
 	    if (m == NULL)
 		break;
 #ifdef MAC
-	    mac_create_mbuf_from_ifnet(PPP2IFP(sc), m);
+	    mac_ifnet_create_mbuf(PPP2IFP(sc), m);
 #endif
 	    ppp_inproc(sc, m);
 	}
@@ -1509,7 +1509,7 @@ ppp_inproc(sc, m)
 	    }
 	}
 #ifdef MAC
-	mac_copy_mbuf(m, mp);
+	mac_mbuf_copy(m, mp);
 #endif
 	cp = mtod(mp, u_char *);
 	cp[0] = adrs;
@@ -1563,7 +1563,7 @@ ppp_inproc(sc, m)
 	MGETHDR(mp, M_DONTWAIT, MT_DATA);
 	if (mp != NULL) {
 #ifdef MAC
-	    mac_copy_mbuf(m, mp);
+	    mac_mbuf_copy(m, mp);
 #endif
 	    m_copydata(m, 0, ilen, mtod(mp, caddr_t));
 	    m_freem(m);

sys/net/if_stf.c

@@ -406,7 +406,7 @@ stf_output(ifp, m, dst, rt)
 #ifdef MAC
 	int error;
 
-	error = mac_check_ifnet_transmit(ifp, m);
+	error = mac_ifnet_check_transmit(ifp, m);
 	if (error) {
 		m_freem(m);
 		return (error);
@@ -674,7 +674,7 @@ in_stf_input(m, off)
 	ifp = STF2IFP(sc);
 
 #ifdef MAC
-	mac_create_mbuf_from_ifnet(ifp, m);
+	mac_ifnet_create_mbuf(ifp, m);
 #endif
 
 	/*

sys/net/if_tun.c

@@ -579,7 +579,7 @@ tunoutput(
 	TUNDEBUG (ifp, "tunoutput\n");
 
 #ifdef MAC
-	error = mac_check_ifnet_transmit(ifp, m0);
+	error = mac_ifnet_check_transmit(ifp, m0);
 	if (error) {
 		m_freem(m0);
 		return (error);
@@ -875,7 +875,7 @@ tunwrite(struct cdev *dev, struct uio *uio, int flag)
 
 	m->m_pkthdr.rcvif = ifp;
 #ifdef MAC
-	mac_create_mbuf_from_ifnet(ifp, m);
+	mac_ifnet_create_mbuf(ifp, m);
 #endif
 
 	/* Could be unlocked read? */

sys/netatalk/ddp_input.c

@@ -411,7 +411,7 @@ ddp_input(struct mbuf *m, struct ifnet *ifp, struct elaphdr *elh, int phase)
 
 #ifdef MAC
 	SOCK_LOCK(ddp->ddp_socket);
-	if (mac_check_socket_deliver(ddp->ddp_socket, m) != 0) {
+	if (mac_socket_check_deliver(ddp->ddp_socket, m) != 0) {
 		SOCK_UNLOCK(ddp->ddp_socket);
 		goto out;
 	}

sys/netatalk/ddp_output.c

@@ -54,7 +54,7 @@ ddp_output(struct mbuf *m, struct socket *so)
 
 #ifdef MAC
 	SOCK_LOCK(so);
-	mac_create_mbuf_from_socket(so, m);
+	mac_socket_create_mbuf(so, m);
 	SOCK_UNLOCK(so);
 #endif
 
@@ -200,7 +200,7 @@ ddp_route(struct mbuf *m, struct route *ro)
 			return (ENOBUFS);
 		}
 #ifdef MAC
-		mac_copy_mbuf(m, m0);
+		mac_mbuf_copy(m, m0);
 #endif
 		m0->m_next = m;
 		/* XXX perhaps we ought to align the header? */

sys/netinet/in_pcb.c

@@ -187,11 +187,11 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
 	inp->inp_pcbinfo = pcbinfo;
 	inp->inp_socket = so;
 #ifdef MAC
-	error = mac_init_inpcb(inp, M_NOWAIT);
+	error = mac_inpcb_init(inp, M_NOWAIT);
 	if (error != 0)
 		goto out;
 	SOCK_LOCK(so);
-	mac_create_inpcb_from_socket(so, inp);
+	mac_inpcb_create(so, inp);
 	SOCK_UNLOCK(so);
 #endif
 
@@ -725,7 +725,7 @@ in_pcbfree(struct inpcb *inp)
 	inp->inp_vflag = 0;
 	
 #ifdef MAC
-	mac_destroy_inpcb(inp);
+	mac_inpcb_destroy(inp);
 #endif
 	INP_UNLOCK(inp);
 	uma_zfree(ipi->ipi_zone, inp);

sys/netinet/ip_divert.c

@@ -376,7 +376,7 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin,
 			ipstat.ips_rawout++;			/* XXX */
 
 #ifdef MAC
-			mac_create_mbuf_from_inpcb(inp, m);
+			mac_inpcb_create_mbuf(inp, m);
 #endif
 			/*
 			 * Get ready to inject the packet into ip_output().
@@ -439,7 +439,7 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin,
 		}
 #ifdef MAC
 		SOCK_LOCK(so);
-		mac_create_mbuf_from_socket(so, m);
+		mac_socket_create_mbuf(so, m);
 		SOCK_UNLOCK(so);
 #endif
 		/* Send packet to input processing via netisr */

sys/netinet/ip_fw2.c

@@ -1619,9 +1619,9 @@ send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
 
 #ifdef MAC
 	if (replyto != NULL)
-		mac_create_mbuf_netlayer(replyto, m);
+		mac_mbuf_create_netlayer(replyto, m);
 	else
-		mac_create_mbuf_from_firewall(m);
+		mac_mbuf_create_from_firewall(m);
 #else
 	(void)replyto;		/* don't warn about unused arg */
 #endif

sys/netinet/ip_icmp.c

@@ -221,7 +221,7 @@ stdreply:	icmpelen = max(8, min(icmp_quotelen, oip->ip_len - oiphlen));
 	if (m == NULL)
 		goto freeit;
 #ifdef MAC
-	mac_create_mbuf_netlayer(n, m);
+	mac_mbuf_create_netlayer(n, m);
 #endif
 	icmplen = min(icmplen, M_TRAILINGSPACE(m) - sizeof(struct ip) - ICMP_MINLEN);
 	m_align(m, ICMP_MINLEN + icmplen);
@@ -699,7 +699,7 @@ icmp_reflect(struct mbuf *m)
 	}
 match:
 #ifdef MAC
-	mac_reflect_mbuf_icmp(m);
+	mac_netinet_icmp_reply(m);
 #endif
 	t = IA_SIN(ia)->sin_addr;
 	ip->ip_src = t;

sys/netinet/ip_input.c

@@ -776,7 +776,7 @@ ip_reass(struct mbuf *m)
 		    ip->ip_src.s_addr == fp->ipq_src.s_addr &&
 		    ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
 #ifdef MAC
-		    mac_fragment_match(m, fp) &&
+		    mac_ipq_match(m, fp) &&
 #endif
 		    ip->ip_p == fp->ipq_p)
 			goto found;
@@ -852,12 +852,12 @@ found:
 		if (fp == NULL)
 			goto dropfrag;
 #ifdef MAC
-		if (mac_init_ipq(fp, M_NOWAIT) != 0) {
+		if (mac_ipq_init(fp, M_NOWAIT) != 0) {
 			uma_zfree(ipq_zone, fp);
 			fp = NULL;
 			goto dropfrag;
 		}
-		mac_create_ipq(m, fp);
+		mac_ipq_create(m, fp);
 #endif
 		TAILQ_INSERT_HEAD(head, fp, ipq_list);
 		nipq++;
@@ -873,7 +873,7 @@ found:
 	} else {
 		fp->ipq_nfrags++;
 #ifdef MAC
-		mac_update_ipq(m, fp);
+		mac_ipq_update(m, fp);
 #endif
 	}
 
@@ -1015,8 +1015,8 @@ found:
 	m->m_pkthdr.csum_data =
 	    (m->m_pkthdr.csum_data & 0xffff) + (m->m_pkthdr.csum_data >> 16);
 #ifdef MAC
-	mac_create_datagram_from_ipq(fp, m);
-	mac_destroy_ipq(fp);
+	mac_ipq_reassemble(fp, m);
+	mac_ipq_destroy(fp);
 #endif
 
 	/*

sys/netinet/ip_options.c

@@ -508,7 +508,7 @@ ip_insertoptions(struct mbuf *m, struct mbuf *opt, int *phlen)
 		M_MOVE_PKTHDR(n, m);
 		n->m_pkthdr.rcvif = NULL;
 #ifdef MAC
-		mac_copy_mbuf(m, n);
+		mac_mbuf_copy(m, n);
 #endif
 		n->m_pkthdr.len += optlen;
 		m->m_len -= sizeof(struct ip);

sys/netinet/ip_output.c

@@ -733,7 +733,7 @@ smart_frag_failure:
 		m->m_pkthdr.len = mhlen + len;
 		m->m_pkthdr.rcvif = NULL;
 #ifdef MAC
-		mac_create_fragment(m0, m);
+		mac_netinet_fragment(m0, m);
 #endif
 		m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags;
 		mhip->ip_off = htons(mhip->ip_off);

sys/netinet/raw_ip.c

@@ -164,7 +164,7 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
 	}
 #endif /* IPSEC */
 #ifdef MAC
-	if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
+	if (!policyfail && mac_inpcb_check_deliver(last, n) != 0)
 		policyfail = 1;
 #endif
 	/* Check the minimum TTL for socket. */
@@ -330,7 +330,7 @@ rip_output(struct mbuf *m, struct socket *so, u_long dst)
 		flags |= IP_SENDONES;
 
 #ifdef MAC
-	mac_create_mbuf_from_inpcb(inp, m);
+	mac_inpcb_create_mbuf(inp, m);
 #endif
 
 	error = ip_output(m, inp->inp_options, NULL, flags,

sys/netinet/tcp_input.c

@@ -534,7 +534,7 @@ findpcb:
 
 #ifdef MAC
 	INP_LOCK_ASSERT(inp);
-	if (mac_check_inpcb_deliver(inp, m))
+	if (mac_inpcb_check_deliver(inp, m))
 		goto dropunlock;
 #endif
 	so = inp->inp_socket;
@@ -1278,7 +1278,7 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th, struct socket *so,
 			soisconnected(so);
 #ifdef MAC
 			SOCK_LOCK(so);
-			mac_set_socket_peer_from_mbuf(m, so);
+			mac_socketpeer_set_from_mbuf(m, so);
 			SOCK_UNLOCK(so);
 #endif
 			/* Do window scaling on this connection? */

sys/netinet/tcp_output.c

@@ -846,7 +846,7 @@ send:
 	SOCKBUF_UNLOCK_ASSERT(&so->so_snd);
 	m->m_pkthdr.rcvif = (struct ifnet *)0;
 #ifdef MAC
-	mac_create_mbuf_from_inpcb(tp->t_inpcb, m);
+	mac_inpcb_create_mbuf(tp->t_inpcb, m);
 #endif
 #ifdef INET6
 	if (isipv6) {

sys/netinet/tcp_subr.c

@@ -525,13 +525,13 @@ tcp_respond(struct tcpcb *tp, void *ipgen, struct tcphdr *th, struct mbuf *m,
 		 * label of the response to reflect the socket label.
 		 */
 		INP_LOCK_ASSERT(inp);
-		mac_create_mbuf_from_inpcb(inp, m);
+		mac_inpcb_create_mbuf(inp, m);
 	} else {
 		/*
 		 * Packet is not associated with a socket, so possibly
 		 * update the label in place.
 		 */
-		mac_reflect_mbuf_tcp(m);
+		mac_netinet_tcp_reply(m);
 	}
 #endif
 	nth->th_seq = htonl(seq);

sys/netinet/tcp_syncache.c

@@ -640,7 +640,7 @@ syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m)
 	}
 #ifdef MAC
 	SOCK_LOCK(so);
-	mac_set_socket_peer_from_mbuf(m, so);
+	mac_socketpeer_set_from_mbuf(m, so);
 	SOCK_UNLOCK(so);
 #endif
 

sys/netinet/tcp_timewait.c

@@ -540,7 +540,7 @@ tcp_twrespond(struct tcptw *tw, int flags)
 	m->m_data += max_linkhdr;
 
 #ifdef MAC
-	mac_create_mbuf_from_inpcb(inp, m);
+	mac_inpcb_create_mbuf(inp, m);
 #endif
 
 #ifdef INET6

sys/netinet/udp_usrreq.c

@@ -206,7 +206,7 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
 	}
 #endif /* IPSEC */
 #ifdef MAC
-	if (mac_check_inpcb_deliver(inp, n) != 0) {
+	if (mac_inpcb_check_deliver(inp, n) != 0) {
 		m_freem(n);
 		return;
 	}
@@ -843,7 +843,7 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr,
 	INP_LOCK(inp);
 
 #ifdef MAC
-	mac_create_mbuf_from_inpcb(inp, m);
+	mac_inpcb_create_mbuf(inp, m);
 #endif
 
 	/*

sys/netinet6/udp6_usrreq.c

@@ -138,7 +138,7 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off,
 	}
 #endif /* IPSEC */
 #ifdef MAC
-	if (mac_check_inpcb_deliver(inp, n) != 0) {
+	if (mac_inpcb_check_deliver(inp, n) != 0) {
 		m_freem(n);
 		return;
 	}
@@ -990,7 +990,7 @@ udp6_send(struct socket *so, int flags, struct mbuf *m,
 	}
 #endif
 #ifdef MAC
-	mac_create_mbuf_from_inpcb(inp, m);
+	mac_inpcb_create_mbuf(inp, m);
 #endif
 	error = udp6_output(inp, m, addr, control, td);
 out:

sys/security/audit/audit_syscalls.c

@@ -114,7 +114,7 @@ audit(struct thread *td, struct audit_args *uap)
 	}
 
 #ifdef MAC
-	error = mac_check_system_audit(td->td_ucred, rec, uap->length);
+	error = mac_system_check_audit(td->td_ucred, rec, uap->length);
 	if (error)
 		goto free_out;
 #endif
@@ -166,7 +166,7 @@ auditon(struct thread *td, struct auditon_args *uap)
 	AUDIT_ARG(cmd, uap->cmd);
 
 #ifdef MAC
-	error = mac_check_system_auditon(td->td_ucred, uap->cmd);
+	error = mac_system_check_auditon(td->td_ucred, uap->cmd);
 	if (error)
 		return (error);
 #endif
@@ -470,7 +470,7 @@ setauid(struct thread *td, struct setauid_args *uap)
 	oldcred = td->td_proc->p_ucred;
 	crcopy(newcred, oldcred);
 #ifdef MAC
-	error = mac_check_proc_setauid(oldcred, id);
+	error = mac_proc_check_setauid(oldcred, id);
 	if (error)
 		goto fail;
 #endif
@@ -533,7 +533,7 @@ setaudit(struct thread *td, struct setaudit_args *uap)
 	oldcred = td->td_proc->p_ucred;
 	crcopy(newcred, oldcred);
 #ifdef MAC
-	error = mac_check_proc_setaudit(oldcred, &ai);
+	error = mac_proc_check_setaudit(oldcred, &ai);
 	if (error)
 		goto fail;
 #endif
@@ -596,7 +596,7 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
 	oldcred = td->td_proc->p_ucred;
 	crcopy(newcred, oldcred);
 #ifdef MAC
-	error = mac_check_proc_setaudit_addr(oldcred, &aia);
+	error = mac_proc_check_setaudit_addr(oldcred, &aia);
 	if (error)
 		goto fail;
 #endif
@@ -655,7 +655,7 @@ auditctl(struct thread *td, struct auditctl_args *uap)
 	vfslocked = NDHASGIANT(&nd);
 	vp = nd.ni_vp;
 #ifdef MAC
-	error = mac_check_system_auditctl(td->td_ucred, vp);
+	error = mac_system_check_auditctl(td->td_ucred, vp);
 	VOP_UNLOCK(vp, 0, td);
 	if (error) {
 		vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);

sys/security/mac/mac_audit.c

@@ -2,6 +2,7 @@
  * Copyright (c) 1999-2002 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
  * TrustedBSD Project.
@@ -11,6 +12,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -46,66 +50,66 @@
 #include <security/mac/mac_policy.h>
 
 int
-mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
 {
 	int error;
 
-	MAC_CHECK(check_proc_setaudit, cred, ai);
+	MAC_CHECK(proc_check_setaudit, cred, ai);
 
 	return (error);
 }
 
 int
-mac_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
+mac_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
 {
 	int error;
 
-	MAC_CHECK(check_proc_setaudit_addr, cred, aia);
+	MAC_CHECK(proc_check_setaudit_addr, cred, aia);
 
 	return (error);
 }
 
 int
-mac_check_proc_setauid(struct ucred *cred, uid_t auid)
+mac_proc_check_setauid(struct ucred *cred, uid_t auid)
 {
 	int error;
 
-	MAC_CHECK(check_proc_setauid, cred, auid);
+	MAC_CHECK(proc_check_setauid, cred, auid);
 
 	return (error);
 }
 
 int
-mac_check_system_audit(struct ucred *cred, void *record, int length)
+mac_system_check_audit(struct ucred *cred, void *record, int length)
 {
 	int error;
 
-	MAC_CHECK(check_system_audit, cred, record, length);
+	MAC_CHECK(system_check_audit, cred, record, length);
 
 	return (error);
 }
 
 int
-mac_check_system_auditctl(struct ucred *cred, struct vnode *vp)
+mac_system_check_auditctl(struct ucred *cred, struct vnode *vp)
 {
 	int error;
 	struct label *vl;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_system_auditctl");
+	ASSERT_VOP_LOCKED(vp, "mac_system_check_auditctl");
 
 	vl = (vp != NULL) ? vp->v_label : NULL;
 
-	MAC_CHECK(check_system_auditctl, cred, vp, vl);
+	MAC_CHECK(system_check_auditctl, cred, vp, vl);
 
 	return (error);
 }
 
 int
-mac_check_system_auditon(struct ucred *cred, int cmd)
+mac_system_check_auditon(struct ucred *cred, int cmd)
 {
 	int error;
 
-	MAC_CHECK(check_system_auditon, cred, cmd);
+	MAC_CHECK(system_check_auditon, cred, cmd);
 
 	return (error);
 }

sys/security/mac/mac_framework.h

@@ -90,44 +90,44 @@ struct vop_setlabel_args;
 /*
  * Kernel functions to manage and evaluate labels.
  */
-void	mac_init_bpfdesc(struct bpf_d *);
-void	mac_init_cred(struct ucred *);
-void	mac_init_devfs(struct devfs_dirent *);
-void	mac_init_ifnet(struct ifnet *);
-int	mac_init_inpcb(struct inpcb *, int);
-void	mac_init_sysv_msgmsg(struct msg *);
-void	mac_init_sysv_msgqueue(struct msqid_kernel *);
-void	mac_init_sysv_sem(struct semid_kernel *);
-void	mac_init_sysv_shm(struct shmid_kernel *);
-int	mac_init_ipq(struct ipq *, int);
-int	mac_init_socket(struct socket *, int);
-void	mac_init_pipe(struct pipepair *);
-void	mac_init_posix_sem(struct ksem *);
-int	mac_init_mbuf(struct mbuf *, int);
-int	mac_init_mbuf_tag(struct m_tag *, int);
-void	mac_init_mount(struct mount *);
-void	mac_init_proc(struct proc *);
-void	mac_init_vnode(struct vnode *);
-void	mac_copy_mbuf(struct mbuf *, struct mbuf *);
-void	mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
-void	mac_copy_vnode_label(struct label *, struct label *);
-void	mac_destroy_bpfdesc(struct bpf_d *);
-void	mac_destroy_cred(struct ucred *);
-void	mac_destroy_devfs(struct devfs_dirent *);
-void	mac_destroy_ifnet(struct ifnet *);
-void	mac_destroy_inpcb(struct inpcb *);
-void	mac_destroy_sysv_msgmsg(struct msg *);
-void	mac_destroy_sysv_msgqueue(struct msqid_kernel *);
-void	mac_destroy_sysv_sem(struct semid_kernel *);
-void	mac_destroy_sysv_shm(struct shmid_kernel *);
-void	mac_destroy_ipq(struct ipq *);
-void	mac_destroy_socket(struct socket *);
-void	mac_destroy_pipe(struct pipepair *);
-void	mac_destroy_posix_sem(struct ksem *);
-void	mac_destroy_proc(struct proc *);
-void	mac_destroy_mbuf_tag(struct m_tag *);
-void	mac_destroy_mount(struct mount *);
-void	mac_destroy_vnode(struct vnode *);
+void	mac_bpfdesc_init(struct bpf_d *);
+void	mac_cred_init(struct ucred *);
+void	mac_devfs_init(struct devfs_dirent *);
+void	mac_ifnet_init(struct ifnet *);
+int	mac_inpcb_init(struct inpcb *, int);
+void	mac_sysvmsg_init(struct msg *);
+void	mac_sysvmsq_init(struct msqid_kernel *);
+void	mac_sysvsem_init(struct semid_kernel *);
+void	mac_sysvshm_init(struct shmid_kernel *);
+int	mac_ipq_init(struct ipq *, int);
+int	mac_socket_init(struct socket *, int);
+void	mac_pipe_init(struct pipepair *);
+void	mac_posixsem_init(struct ksem *);
+int	mac_mbuf_init(struct mbuf *, int);
+int	mac_mbuf_tag_init(struct m_tag *, int);
+void	mac_mount_init(struct mount *);
+void	mac_proc_init(struct proc *);
+void	mac_vnode_init(struct vnode *);
+void	mac_mbuf_copy(struct mbuf *, struct mbuf *);
+void	mac_mbuf_tag_copy(struct m_tag *, struct m_tag *);
+void	mac_vnode_copy_label(struct label *, struct label *);
+void	mac_bpfdesc_destroy(struct bpf_d *);
+void	mac_cred_destroy(struct ucred *);
+void	mac_devfs_destroy(struct devfs_dirent *);
+void	mac_ifnet_destroy(struct ifnet *);
+void	mac_inpcb_destroy(struct inpcb *);
+void	mac_sysvmsg_destroy(struct msg *);
+void	mac_sysvmsq_destroy(struct msqid_kernel *);
+void	mac_sysvsem_destroy(struct semid_kernel *);
+void	mac_sysvshm_destroy(struct shmid_kernel *);
+void	mac_ipq_destroy(struct ipq *);
+void	mac_socket_destroy(struct socket *);
+void	mac_pipe_destroy(struct pipepair *);
+void	mac_posixsem_destroy(struct ksem *);
+void	mac_proc_destroy(struct proc *);
+void	mac_mbuf_tag_destroy(struct m_tag *);
+void	mac_mount_destroy(struct mount *);
+void	mac_vnode_destroy(struct vnode *);
 
 struct label	*mac_cred_label_alloc(void);
 void		 mac_cred_label_free(struct label *);
@@ -138,75 +138,73 @@ void		 mac_vnode_label_free(struct label *);
  * Labeling event operations: file system objects, and things that look a lot
  * like file system objects.
  */
-void	mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
+void	mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
 	    struct vnode *vp);
-int	mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
-void	mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
-void	mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+int	mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
+void	mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
+void	mac_devfs_create_device(struct ucred *cred, struct mount *mp,
 	    struct cdev *dev, struct devfs_dirent *de);
-void	mac_create_devfs_directory(struct mount *mp, char *dirname,
+void	mac_devfs_create_directory(struct mount *mp, char *dirname,
 	    int dirnamelen, struct devfs_dirent *de);
-void	mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+void	mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
 	    struct devfs_dirent *dd, struct devfs_dirent *de);
-int	mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+int	mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
 	    struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
-void	mac_create_mount(struct ucred *cred, struct mount *mp);
-void	mac_relabel_vnode(struct ucred *cred, struct vnode *vp,
+void	mac_mount_create(struct ucred *cred, struct mount *mp);
+void	mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
 	    struct label *newlabel);
-void	mac_update_devfs(struct mount *mp, struct devfs_dirent *de,
+void	mac_devfs_update(struct mount *mp, struct devfs_dirent *de,
 	    struct vnode *vp);
 
 /*
  * Labeling event operations: IPC objects.
  */
-void	mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m);
-void	mac_create_socket(struct ucred *cred, struct socket *so);
-void	mac_create_socket_from_socket(struct socket *oldso,
+void	mac_socket_create_mbuf(struct socket *so, struct mbuf *m);
+void	mac_socket_create(struct ucred *cred, struct socket *so);
+void	mac_socket_newconn(struct socket *oldso, struct socket *newso);
+void	mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
+void	mac_socketpeer_set_from_socket(struct socket *oldso,
 	    struct socket *newso);
-void	mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so);
-void	mac_set_socket_peer_from_socket(struct socket *oldso,
-	    struct socket *newso);
-void	mac_create_pipe(struct ucred *cred, struct pipepair *pp);
+void	mac_pipe_create(struct ucred *cred, struct pipepair *pp);
 
 /*
  * Labeling event operations: System V IPC primitives
  */
-void	mac_create_sysv_msgmsg(struct ucred *cred,
-	    struct msqid_kernel *msqkptr, struct msg *msgptr);
-void	mac_create_sysv_msgqueue(struct ucred *cred,
-	    struct msqid_kernel *msqkptr);
-void	mac_create_sysv_sem(struct ucred *cred,
+void	mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
+	    struct msg *msgptr);
+void	mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr);
+void	mac_sysvsem_create(struct ucred *cred,
 	    struct semid_kernel *semakptr);
-void	mac_create_sysv_shm(struct ucred *cred,
+void	mac_sysvshm_create(struct ucred *cred,
 	    struct shmid_kernel *shmsegptr);
 
 /*
  * Labeling event operations: POSIX (global/inter-process) semaphores.
  */
-void 	mac_create_posix_sem(struct ucred *cred, struct ksem *ks);
+void 	mac_posixsem_create(struct ucred *cred, struct ksem *ks);
 
 /*
  * Labeling event operations: network objects.
  */
-void	mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d);
-void	mac_create_ifnet(struct ifnet *ifp);
-void	mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
-void	mac_create_ipq(struct mbuf *m, struct ipq *ipq);
-void	mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m);
-void	mac_create_fragment(struct mbuf *m, struct mbuf *frag);
-void	mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
+void	mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d);
+void	mac_ifnet_create(struct ifnet *ifp);
+void	mac_inpcb_create(struct socket *so, struct inpcb *inp);
+void	mac_ipq_create(struct mbuf *m, struct ipq *ipq);
+void	mac_ipq_reassemble(struct ipq *ipq, struct mbuf *m);
+void	mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
+void	mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m);
 void	mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m);
-void	mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m);
-void	mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m);
-void	mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
+void	mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);
+void	mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m);
+void	mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
 	    struct mbuf *mnew);
-void	mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew);
-int	mac_fragment_match(struct mbuf *m, struct ipq *ipq);
-void	mac_reflect_mbuf_icmp(struct mbuf *m);
-void	mac_reflect_mbuf_tcp(struct mbuf *m);
-void	mac_update_ipq(struct mbuf *m, struct ipq *ipq);
+void	mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew);
+int	mac_ipq_match(struct mbuf *m, struct ipq *ipq);
+void	mac_netinet_icmp_reply(struct mbuf *m);
+void	mac_netinet_tcp_reply(struct mbuf *m);
+void	mac_ipq_update(struct mbuf *m, struct ipq *ipq);
 void	mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
-void	mac_create_mbuf_from_firewall(struct mbuf *m);
+void	mac_mbuf_create_from_firewall(struct mbuf *m);
 void	mac_destroy_syncache(struct label **l);
 int	mac_init_syncache(struct label **l);
 void	mac_init_syncache_from_inpcb(struct label *l, struct inpcb *inp);
@@ -215,16 +213,17 @@ void	mac_create_mbuf_from_syncache(struct label *l, struct mbuf *m);
 /*
  * Labeling event operations: processes.
  */
-void	mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
+void	mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
 int	mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
 void	mac_execve_exit(struct image_params *imgp);
-void	mac_execve_transition(struct ucred *oldcred, struct ucred *newcred,
+void	mac_vnode_execve_transition(struct ucred *oldcred,
+	    struct ucred *newcred, struct vnode *vp,
+	    struct label *interpvnodelabel, struct image_params *imgp);
+int	mac_vnode_execve_will_transition(struct ucred *cred,
 	    struct vnode *vp, struct label *interpvnodelabel,
 	    struct image_params *imgp);
-int	mac_execve_will_transition(struct ucred *cred, struct vnode *vp,
-	    struct label *interpvnodelabel, struct image_params *imgp);
-void	mac_create_proc0(struct ucred *cred);
-void	mac_create_proc1(struct ucred *cred);
+void	mac_proc_create_swapper(struct ucred *cred);
+void	mac_proc_create_init(struct ucred *cred);
 void	mac_thread_userret(struct thread *td);
 
 /*
@@ -238,177 +237,177 @@ void	mac_thread_userret(struct thread *td);
  * XXXRW: These object methods are inconsistent with the life cycles of other
  * objects, and likely should be revised to be more consistent.
  */
-void	mac_cleanup_sysv_msgmsg(struct msg *msgptr);
-void	mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr);
-void	mac_cleanup_sysv_sem(struct semid_kernel *semakptr);
-void	mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr);
+void	mac_sysvmsg_cleanup(struct msg *msgptr);
+void	mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr);
+void	mac_sysvsem_cleanup(struct semid_kernel *semakptr);
+void	mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr);
 
 /*
  * Access control checks.
  */
-int	mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp);
-int	mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2);
-int	mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m);
-int	mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m);
-int	mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
+int	mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp);
+int	mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
+int	mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m);
+int	mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m);
+int	mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
 	    struct msqid_kernel *msqkptr);
-int	mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr);
-int	mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr);
-int	mac_check_sysv_msqget(struct ucred *cred,
+int	mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr);
+int	mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr);
+int	mac_sysvmsq_check_msqget(struct ucred *cred,
 	    struct msqid_kernel *msqkptr);
-int	mac_check_sysv_msqsnd(struct ucred *cred,
+int	mac_sysvmsq_check_msqsnd(struct ucred *cred,
 	    struct msqid_kernel *msqkptr);
-int	mac_check_sysv_msqrcv(struct ucred *cred,
+int	mac_sysvmsq_check_msqrcv(struct ucred *cred,
 	    struct msqid_kernel *msqkptr);
-int	mac_check_sysv_msqctl(struct ucred *cred,
+int	mac_sysvmsq_check_msqctl(struct ucred *cred,
 	    struct msqid_kernel *msqkptr, int cmd);
-int	mac_check_sysv_semctl(struct ucred *cred,
+int	mac_sysvsem_check_semctl(struct ucred *cred,
 	    struct semid_kernel *semakptr, int cmd);
-int	mac_check_sysv_semget(struct ucred *cred,
+int	mac_sysvsem_check_semget(struct ucred *cred,
 	   struct semid_kernel *semakptr);
-int	mac_check_sysv_semop(struct ucred *cred,struct semid_kernel *semakptr,
-	    size_t accesstype);
-int	mac_check_sysv_shmat(struct ucred *cred,
+int	mac_sysvsem_check_semop(struct ucred *cred,
+	    struct semid_kernel *semakptr, size_t accesstype);
+int	mac_sysvshm_check_shmat(struct ucred *cred,
 	    struct shmid_kernel *shmsegptr, int shmflg);
-int	mac_check_sysv_shmctl(struct ucred *cred,
+int	mac_sysvshm_check_shmctl(struct ucred *cred,
 	    struct shmid_kernel *shmsegptr, int cmd);
-int	mac_check_sysv_shmdt(struct ucred *cred,
+int	mac_sysvshm_check_shmdt(struct ucred *cred,
 	    struct shmid_kernel *shmsegptr);
-int	mac_check_sysv_shmget(struct ucred *cred,
+int	mac_sysvshm_check_shmget(struct ucred *cred,
 	    struct shmid_kernel *shmsegptr, int shmflg);
-int	mac_check_kenv_dump(struct ucred *cred);
-int	mac_check_kenv_get(struct ucred *cred, char *name);
-int	mac_check_kenv_set(struct ucred *cred, char *name, char *value);
-int	mac_check_kenv_unset(struct ucred *cred, char *name);
-int	mac_check_kld_load(struct ucred *cred, struct vnode *vp);
-int	mac_check_kld_stat(struct ucred *cred);
-int	mac_check_mount_stat(struct ucred *cred, struct mount *mp);
-int	mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+int	mac_kenv_check_dump(struct ucred *cred);
+int	mac_kenv_check_get(struct ucred *cred, char *name);
+int	mac_kenv_check_set(struct ucred *cred, char *name, char *value);
+int	mac_kenv_check_unset(struct ucred *cred, char *name);
+int	mac_kld_check_load(struct ucred *cred, struct vnode *vp);
+int	mac_kld_check_stat(struct ucred *cred);
+int	mac_mount_check_stat(struct ucred *cred, struct mount *mp);
+int	mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
 	    unsigned long cmd, void *data);
-int	mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp);
-int	mac_check_pipe_read(struct ucred *cred, struct pipepair *pp);
-int	mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp);
-int	mac_check_pipe_write(struct ucred *cred, struct pipepair *pp);
-int	mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks);
-int	mac_check_posix_sem_getvalue(struct ucred *cred,struct ksem *ks);
-int	mac_check_posix_sem_open(struct ucred *cred, struct ksem *ks);
-int	mac_check_posix_sem_post(struct ucred *cred, struct ksem *ks);
-int	mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks);
-int	mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ks);
-int	mac_check_proc_debug(struct ucred *cred, struct proc *p);
-int	mac_check_proc_sched(struct ucred *cred, struct proc *p);
-int	mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai);
-int	mac_check_proc_setaudit_addr(struct ucred *cred,
+int	mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
+int	mac_pipe_check_read(struct ucred *cred, struct pipepair *pp);
+int	mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp);
+int	mac_pipe_check_write(struct ucred *cred, struct pipepair *pp);
+int	mac_posixsem_check_destroy(struct ucred *cred, struct ksem *ks);
+int	mac_posixsem_check_getvalue(struct ucred *cred,struct ksem *ks);
+int	mac_posixsem_check_open(struct ucred *cred, struct ksem *ks);
+int	mac_posixsem_check_post(struct ucred *cred, struct ksem *ks);
+int	mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks);
+int	mac_posixsem_check_wait(struct ucred *cred, struct ksem *ks);
+int	mac_proc_check_debug(struct ucred *cred, struct proc *p);
+int	mac_proc_check_sched(struct ucred *cred, struct proc *p);
+int	mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
+int	mac_proc_check_setaudit_addr(struct ucred *cred,
 	    struct auditinfo_addr *aia);
-int	mac_check_proc_setauid(struct ucred *cred, uid_t auid);
-int	mac_check_proc_setuid(struct proc *p,  struct ucred *cred,
+int	mac_proc_check_setauid(struct ucred *cred, uid_t auid);
+int	mac_proc_check_setuid(struct proc *p,  struct ucred *cred,
 	    uid_t uid);
-int	mac_check_proc_seteuid(struct proc *p, struct ucred *cred,
+int	mac_proc_check_seteuid(struct proc *p, struct ucred *cred,
 	    uid_t euid);
-int	mac_check_proc_setgid(struct proc *p, struct ucred *cred,
+int	mac_proc_check_setgid(struct proc *p, struct ucred *cred,
 	    gid_t gid);
-int	mac_check_proc_setegid(struct proc *p, struct ucred *cred,
+int	mac_proc_check_setegid(struct proc *p, struct ucred *cred,
 	    gid_t egid);
-int	mac_check_proc_setgroups(struct proc *p, struct ucred *cred,
+int	mac_proc_check_setgroups(struct proc *p, struct ucred *cred,
 	    int ngroups, gid_t *gidset);
-int	mac_check_proc_setreuid(struct proc *p, struct ucred *cred,
+int	mac_proc_check_setreuid(struct proc *p, struct ucred *cred,
 	    uid_t ruid, uid_t euid);
-int	mac_check_proc_setregid(struct proc *p, struct ucred *cred,
+int	mac_proc_check_setregid(struct proc *p, struct ucred *cred,
 	    gid_t rgid, gid_t egid);
-int	mac_check_proc_setresuid(struct proc *p, struct ucred *cred,
+int	mac_proc_check_setresuid(struct proc *p, struct ucred *cred,
 	    uid_t ruid, uid_t euid, uid_t suid);
-int	mac_check_proc_setresgid(struct proc *p, struct ucred *cred,
+int	mac_proc_check_setresgid(struct proc *p, struct ucred *cred,
 	    gid_t rgid, gid_t egid, gid_t sgid);
-int	mac_check_proc_signal(struct ucred *cred, struct proc *p,
+int	mac_proc_check_signal(struct ucred *cred, struct proc *p,
 	    int signum);
-int	mac_check_proc_wait(struct ucred *cred, struct proc *p);
-int	mac_check_socket_accept(struct ucred *cred, struct socket *so);
-int	mac_check_socket_bind(struct ucred *cred, struct socket *so,
+int	mac_proc_check_wait(struct ucred *cred, struct proc *p);
+int	mac_socket_check_accept(struct ucred *cred, struct socket *so);
+int	mac_socket_check_bind(struct ucred *cred, struct socket *so,
 	    struct sockaddr *sa);
-int	mac_check_socket_connect(struct ucred *cred, struct socket *so,
+int	mac_socket_check_connect(struct ucred *cred, struct socket *so,
 	    struct sockaddr *sa);
-int	mac_check_socket_create(struct ucred *cred, int domain, int type,
+int	mac_socket_check_create(struct ucred *cred, int domain, int type,
 	    int proto);
-int	mac_check_socket_deliver(struct socket *so, struct mbuf *m);
-int	mac_check_socket_listen(struct ucred *cred, struct socket *so);
-int	mac_check_socket_poll(struct ucred *cred, struct socket *so);
-int	mac_check_socket_receive(struct ucred *cred, struct socket *so);
-int	mac_check_socket_send(struct ucred *cred, struct socket *so);
-int	mac_check_socket_stat(struct ucred *cred, struct socket *so);
-int	mac_check_socket_visible(struct ucred *cred, struct socket *so);
-int	mac_check_system_acct(struct ucred *cred, struct vnode *vp);
-int	mac_check_system_audit(struct ucred *cred, void *record, int length);
-int	mac_check_system_auditctl(struct ucred *cred, struct vnode *vp);
-int	mac_check_system_auditon(struct ucred *cred, int cmd);
-int	mac_check_system_reboot(struct ucred *cred, int howto);
-int	mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
-int	mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
-int	mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+int	mac_socket_check_deliver(struct socket *so, struct mbuf *m);
+int	mac_socket_check_listen(struct ucred *cred, struct socket *so);
+int	mac_socket_check_poll(struct ucred *cred, struct socket *so);
+int	mac_socket_check_receive(struct ucred *cred, struct socket *so);
+int	mac_socket_check_send(struct ucred *cred, struct socket *so);
+int	mac_socket_check_stat(struct ucred *cred, struct socket *so);
+int	mac_socket_check_visible(struct ucred *cred, struct socket *so);
+int	mac_system_check_acct(struct ucred *cred, struct vnode *vp);
+int	mac_system_check_audit(struct ucred *cred, void *record, int length);
+int	mac_system_check_auditctl(struct ucred *cred, struct vnode *vp);
+int	mac_system_check_auditon(struct ucred *cred, int cmd);
+int	mac_system_check_reboot(struct ucred *cred, int howto);
+int	mac_system_check_swapon(struct ucred *cred, struct vnode *vp);
+int	mac_system_check_swapoff(struct ucred *cred, struct vnode *vp);
+int	mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
 	    void *arg1, int arg2, struct sysctl_req *req);
-int	mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
 	    int acc_mode);
-int	mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
-int	mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp);
-int	mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+int	mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
+int	mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
+int	mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
 	    struct componentname *cnp, struct vattr *vap);
-int	mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
 	    acl_type_t type);
-int	mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
 	    int attrnamespace, const char *name);
-int	mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
 	    struct image_params *imgp);
-int	mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
 	    acl_type_t type);
-int	mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
 	    int attrnamespace, const char *name, struct uio *uio);
-int	mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+int	mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
 	    struct vnode *vp, struct componentname *cnp);
-int	mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
 	    int attrnamespace);
-int	mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+int	mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
  	    struct componentname *cnp);
-int	mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot,
+int	mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
 	    int flags);
-int	mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
 	    int prot);
-int	mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
 	    int acc_mode);
-int	mac_check_vnode_poll(struct ucred *active_cred,
+int	mac_vnode_check_poll(struct ucred *active_cred,
 	    struct ucred *file_cred, struct vnode *vp);
-int	mac_check_vnode_read(struct ucred *active_cred,
+int	mac_vnode_check_read(struct ucred *active_cred,
 	    struct ucred *file_cred, struct vnode *vp);
-int	mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp);
-int	mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp);
-int	mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+int	mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);
+int	mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp);
+int	mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
 	    struct vnode *vp, struct componentname *cnp);
-int	mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+int	mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
 	    struct vnode *vp, int samedir, struct componentname *cnp);
-int	mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp);
-int	mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp);
+int	mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
 	    acl_type_t type, struct acl *acl);
-int	mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
 	    int attrnamespace, const char *name, struct uio *uio);
-int	mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
 	    u_long flags);
-int	mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
 	    mode_t mode);
-int	mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
 	    uid_t uid, gid_t gid);
-int	mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
 	    struct timespec atime, struct timespec mtime);
-int	mac_check_vnode_stat(struct ucred *active_cred,
+int	mac_vnode_check_stat(struct ucred *active_cred,
 	    struct ucred *file_cred, struct vnode *vp);
-int	mac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+int	mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
 	    struct vnode *vp, struct componentname *cnp);
-int	mac_check_vnode_write(struct ucred *active_cred,
+int	mac_vnode_check_write(struct ucred *active_cred,
 	    struct ucred *file_cred, struct vnode *vp);
 int	mac_getsockopt_label(struct ucred *cred, struct socket *so,
 	    struct mac *extmac);
 int	mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
 	    struct mac *extmac);
-int	mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
+int	mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
 	    struct ifnet *ifp);
-int	mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
+int	mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr,
 	    struct ifnet *ifp);
 int	mac_setsockopt_label(struct ucred *cred, struct socket *so,
 	    struct mac *extmac);

sys/security/mac/mac_inet.c

@@ -2,6 +2,7 @@
  * Copyright (c) 1999-2002 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -12,6 +13,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -74,9 +78,9 @@ mac_inpcb_label_alloc(int flag)
 	label = mac_labelzone_alloc(flag);
 	if (label == NULL)
 		return (NULL);
-	MAC_CHECK(init_inpcb_label, label, flag);
+	MAC_CHECK(inpcb_init_label, label, flag);
 	if (error) {
-		MAC_PERFORM(destroy_inpcb_label, label);
+		MAC_PERFORM(inpcb_destroy_label, label);
 		mac_labelzone_free(label);
 		return (NULL);
 	}
@@ -84,7 +88,7 @@ mac_inpcb_label_alloc(int flag)
 }
 
 int
-mac_init_inpcb(struct inpcb *inp, int flag)
+mac_inpcb_init(struct inpcb *inp, int flag)
 {
 
 	inp->inp_label = mac_inpcb_label_alloc(flag);
@@ -103,9 +107,9 @@ mac_ipq_label_alloc(int flag)
 	if (label == NULL)
 		return (NULL);
 
-	MAC_CHECK(init_ipq_label, label, flag);
+	MAC_CHECK(ipq_init_label, label, flag);
 	if (error) {
-		MAC_PERFORM(destroy_ipq_label, label);
+		MAC_PERFORM(ipq_destroy_label, label);
 		mac_labelzone_free(label);
 		return (NULL);
 	}
@@ -113,7 +117,7 @@ mac_ipq_label_alloc(int flag)
 }
 
 int
-mac_init_ipq(struct ipq *ipq, int flag)
+mac_ipq_init(struct ipq *ipq, int flag)
 {
 
 	ipq->ipq_label = mac_ipq_label_alloc(flag);
@@ -126,12 +130,12 @@ static void
 mac_inpcb_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_inpcb_label, label);
+	MAC_PERFORM(inpcb_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_inpcb(struct inpcb *inp)
+mac_inpcb_destroy(struct inpcb *inp)
 {
 
 	mac_inpcb_label_free(inp->inp_label);
@@ -142,12 +146,12 @@ static void
 mac_ipq_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_ipq_label, label);
+	MAC_PERFORM(ipq_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_ipq(struct ipq *ipq)
+mac_ipq_destroy(struct ipq *ipq)
 {
 
 	mac_ipq_label_free(ipq->ipq_label);
@@ -155,57 +159,56 @@ mac_destroy_ipq(struct ipq *ipq)
 }
 
 void
-mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp)
+mac_inpcb_create(struct socket *so, struct inpcb *inp)
 {
 
-	MAC_PERFORM(create_inpcb_from_socket, so, so->so_label, inp,
-	    inp->inp_label);
+	MAC_PERFORM(inpcb_create, so, so->so_label, inp, inp->inp_label);
 }
 
 void
-mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m)
+mac_ipq_reassemble(struct ipq *ipq, struct mbuf *m)
 {
 	struct label *label;
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, m, label);
+	MAC_PERFORM(ipq_reassemble, ipq, ipq->ipq_label, m, label);
 }
 
 void
-mac_create_fragment(struct mbuf *m, struct mbuf *frag)
+mac_netinet_fragment(struct mbuf *m, struct mbuf *frag)
 {
 	struct label *mlabel, *fraglabel;
 
 	mlabel = mac_mbuf_to_label(m);
 	fraglabel = mac_mbuf_to_label(frag);
 
-	MAC_PERFORM(create_fragment, m, mlabel, frag, fraglabel);
+	MAC_PERFORM(netinet_fragment, m, mlabel, frag, fraglabel);
 }
 
 void
-mac_create_ipq(struct mbuf *m, struct ipq *ipq)
+mac_ipq_create(struct mbuf *m, struct ipq *ipq)
 {
 	struct label *label;
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM(create_ipq, m, label, ipq, ipq->ipq_label);
+	MAC_PERFORM(ipq_create, m, label, ipq, ipq->ipq_label);
 }
 
 void
-mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m)
+mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m)
 {
 	struct label *mlabel;
 
 	INP_LOCK_ASSERT(inp);
 	mlabel = mac_mbuf_to_label(m);
 
-	MAC_PERFORM(create_mbuf_from_inpcb, inp, inp->inp_label, m, mlabel);
+	MAC_PERFORM(inpcb_create_mbuf, inp, inp->inp_label, m, mlabel);
 }
 
 int
-mac_fragment_match(struct mbuf *m, struct ipq *ipq)
+mac_ipq_match(struct mbuf *m, struct ipq *ipq)
 {
 	struct label *label;
 	int result;
@@ -213,43 +216,43 @@ mac_fragment_match(struct mbuf *m, struct ipq *ipq)
 	label = mac_mbuf_to_label(m);
 
 	result = 1;
-	MAC_BOOLEAN(fragment_match, &&, m, label, ipq, ipq->ipq_label);
+	MAC_BOOLEAN(ipq_match, &&, m, label, ipq, ipq->ipq_label);
 
 	return (result);
 }
 
 void
-mac_reflect_mbuf_icmp(struct mbuf *m)
+mac_netinet_icmp_reply(struct mbuf *m)
 {
 	struct label *label;
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM(reflect_mbuf_icmp, m, label);
+	MAC_PERFORM(netinet_icmp_reply, m, label);
 }
 
 void
-mac_reflect_mbuf_tcp(struct mbuf *m)
+mac_netinet_tcp_reply(struct mbuf *m)
 {
 	struct label *label;
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM(reflect_mbuf_tcp, m, label);
+	MAC_PERFORM(netinet_tcp_reply, m, label);
 }
 
 void
-mac_update_ipq(struct mbuf *m, struct ipq *ipq)
+mac_ipq_update(struct mbuf *m, struct ipq *ipq)
 {
 	struct label *label;
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM(update_ipq, m, label, ipq, ipq->ipq_label);
+	MAC_PERFORM(ipq_update, m, label, ipq, ipq->ipq_label);
 }
 
 int
-mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
+mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m)
 {
 	struct label *label;
 	int error;
@@ -258,7 +261,7 @@ mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label);
+	MAC_CHECK(inpcb_check_deliver, inp, inp->inp_label, m, label);
 
 	return (error);
 }
@@ -273,13 +276,13 @@ mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp)
 }
 
 void
-mac_create_mbuf_from_firewall(struct mbuf *m)
+mac_mbuf_create_from_firewall(struct mbuf *m)
 {
 	struct label *label;
 
 	M_ASSERTPKTHDR(m);
 	label = mac_mbuf_to_label(m);
-	MAC_PERFORM(create_mbuf_from_firewall, m, label);
+	MAC_PERFORM(mbuf_create_from_firewall, m, label);
 }
 
 /*

sys/security/mac/mac_internal.h

@@ -3,6 +3,7 @@
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
  * Copyright (c) 2006 nCircle Network Security, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -16,6 +17,9 @@
  * This software was developed by Robert N. M. Watson for the TrustedBSD
  * Project under contract to nCircle Network Security, Inc.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -118,30 +122,30 @@ void		 mac_pipe_label_free(struct label *label);
 struct label	*mac_socket_label_alloc(int flag);
 void		 mac_socket_label_free(struct label *label);
 
-int	mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
-int	mac_externalize_cred_label(struct label *label, char *elements,
+int	mac_cred_check_relabel(struct ucred *cred, struct label *newlabel);
+int	mac_cred_externalize_label(struct label *label, char *elements,
 	    char *outbuf, size_t outbuflen);
-int	mac_internalize_cred_label(struct label *label, char *string);
-void	mac_relabel_cred(struct ucred *cred, struct label *newlabel);
+int	mac_cred_internalize_label(struct label *label, char *string);
+void	mac_cred_relabel(struct ucred *cred, struct label *newlabel);
 
 struct label	*mac_mbuf_to_label(struct mbuf *m);
 
-void	mac_copy_pipe_label(struct label *src, struct label *dest);
-int	mac_externalize_pipe_label(struct label *label, char *elements,
+void	mac_pipe_copy_label(struct label *src, struct label *dest);
+int	mac_pipe_externalize_label(struct label *label, char *elements,
 	    char *outbuf, size_t outbuflen);
-int	mac_internalize_pipe_label(struct label *label, char *string);
+int	mac_pipe_internalize_label(struct label *label, char *string);
 
 int	mac_socket_label_set(struct ucred *cred, struct socket *so,
 	    struct label *label);
-void	mac_copy_socket_label(struct label *src, struct label *dest);
-int	mac_externalize_socket_label(struct label *label, char *elements,
+void	mac_socket_copy_label(struct label *src, struct label *dest);
+int	mac_socket_externalize_label(struct label *label, char *elements,
 	    char *outbuf, size_t outbuflen);
-int	mac_internalize_socket_label(struct label *label, char *string);
+int	mac_socket_internalize_label(struct label *label, char *string);
 
-int	mac_externalize_vnode_label(struct label *label, char *elements,
+int	mac_vnode_externalize_label(struct label *label, char *elements,
 	    char *outbuf, size_t outbuflen);
-int	mac_internalize_vnode_label(struct label *label, char *string);
-void	mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
+int	mac_vnode_internalize_label(struct label *label, char *string);
+void	mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
 	    int *prot);
 int	vn_setlabel(struct vnode *vp, struct label *intlabel,
 	    struct ucred *cred);
@@ -263,7 +267,7 @@ int	vn_setlabel(struct vnode *vp, struct label *intlabel,
 			break;						\
 		}							\
 		claimed = 0;						\
-		MAC_CHECK(externalize_ ## type ## _label, label,	\
+		MAC_CHECK(type ## _externalize_label, label,		\
 		    element_name, &sb, &claimed);			\
 		if (error)						\
 			break;						\
@@ -299,7 +303,7 @@ int	vn_setlabel(struct vnode *vp, struct label *intlabel,
 			break;						\
 		}							\
 		claimed = 0;						\
-		MAC_CHECK(internalize_ ## type ## _label, label,	\
+		MAC_CHECK(type ## _internalize_label, label,		\
 		    element_name, element_data, &claimed);		\
 		if (error)						\
 			break;						\

sys/security/mac/mac_net.c

@@ -2,11 +2,15 @@
  * Copyright (c) 1999-2002 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
  * TrustedBSD Project.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * This software was developed for the FreeBSD Project in part by Network
  * Associates Laboratories, the Security Research Division of Network
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
@@ -102,12 +106,12 @@ mac_bpfdesc_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_bpfdesc_label, label);
+	MAC_PERFORM(bpfdesc_init_label, label);
 	return (label);
 }
 
 void
-mac_init_bpfdesc(struct bpf_d *d)
+mac_bpfdesc_init(struct bpf_d *d)
 {
 
 	d->bd_label = mac_bpfdesc_label_alloc();
@@ -119,19 +123,19 @@ mac_ifnet_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_ifnet_label, label);
+	MAC_PERFORM(ifnet_init_label, label);
 	return (label);
 }
 
 void
-mac_init_ifnet(struct ifnet *ifp)
+mac_ifnet_init(struct ifnet *ifp)
 {
 
 	ifp->if_label = mac_ifnet_label_alloc();
 }
 
 int
-mac_init_mbuf_tag(struct m_tag *tag, int flag)
+mac_mbuf_tag_init(struct m_tag *tag, int flag)
 {
 	struct label *label;
 	int error;
@@ -139,16 +143,16 @@ mac_init_mbuf_tag(struct m_tag *tag, int flag)
 	label = (struct label *) (tag + 1);
 	mac_init_label(label);
 
-	MAC_CHECK(init_mbuf_label, label, flag);
+	MAC_CHECK(mbuf_init_label, label, flag);
 	if (error) {
-		MAC_PERFORM(destroy_mbuf_label, label);
+		MAC_PERFORM(mbuf_destroy_label, label);
 		mac_destroy_label(label);
 	}
 	return (error);
 }
 
 int
-mac_init_mbuf(struct mbuf *m, int flag)
+mac_mbuf_init(struct mbuf *m, int flag)
 {
 	struct m_tag *tag;
 	int error;
@@ -167,7 +171,7 @@ mac_init_mbuf(struct mbuf *m, int flag)
 	    flag);
 	if (tag == NULL)
 		return (ENOMEM);
-	error = mac_init_mbuf_tag(tag, flag);
+	error = mac_mbuf_tag_init(tag, flag);
 	if (error) {
 		m_tag_free(tag);
 		return (error);
@@ -180,12 +184,12 @@ static void
 mac_bpfdesc_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_bpfdesc_label, label);
+	MAC_PERFORM(bpfdesc_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_bpfdesc(struct bpf_d *d)
+mac_bpfdesc_destroy(struct bpf_d *d)
 {
 
 	mac_bpfdesc_label_free(d->bd_label);
@@ -196,12 +200,12 @@ static void
 mac_ifnet_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_ifnet_label, label);
+	MAC_PERFORM(ifnet_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_ifnet(struct ifnet *ifp)
+mac_ifnet_destroy(struct ifnet *ifp)
 {
 
 	mac_ifnet_label_free(ifp->if_label);
@@ -209,22 +213,22 @@ mac_destroy_ifnet(struct ifnet *ifp)
 }
 
 void
-mac_destroy_mbuf_tag(struct m_tag *tag)
+mac_mbuf_tag_destroy(struct m_tag *tag)
 {
 	struct label *label;
 
 	label = (struct label *)(tag+1);
 
-	MAC_PERFORM(destroy_mbuf_label, label);
+	MAC_PERFORM(mbuf_destroy_label, label);
 	mac_destroy_label(label);
 }
 
 /*
- * mac_copy_mbuf_tag is called when an mbuf header is duplicated, in which
+ * mac_mbuf_tag_copy is called when an mbuf header is duplicated, in which
  * case the labels must also be duplicated.
  */
 void
-mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest)
+mac_mbuf_tag_copy(struct m_tag *src, struct m_tag *dest)
 {
 	struct label *src_label, *dest_label;
 
@@ -232,32 +236,32 @@ mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest)
 	dest_label = (struct label *)(dest+1);
 
 	/*
-	 * mac_init_mbuf_tag() is called on the target tag in m_tag_copy(),
+	 * mac_mbuf_tag_init() is called on the target tag in m_tag_copy(),
 	 * so we don't need to call it here.
 	 */
-	MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
+	MAC_PERFORM(mbuf_copy_label, src_label, dest_label);
 }
 
 void
-mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to)
+mac_mbuf_copy(struct mbuf *m_from, struct mbuf *m_to)
 {
 	struct label *src_label, *dest_label;
 
 	src_label = mac_mbuf_to_label(m_from);
 	dest_label = mac_mbuf_to_label(m_to);
 
-	MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
+	MAC_PERFORM(mbuf_copy_label, src_label, dest_label);
 }
 
 static void
-mac_copy_ifnet_label(struct label *src, struct label *dest)
+mac_ifnet_copy_label(struct label *src, struct label *dest)
 {
 
-	MAC_PERFORM(copy_ifnet_label, src, dest);
+	MAC_PERFORM(ifnet_copy_label, src, dest);
 }
 
 static int
-mac_externalize_ifnet_label(struct label *label, char *elements,
+mac_ifnet_externalize_label(struct label *label, char *elements,
     char *outbuf, size_t outbuflen)
 {
 	int error;
@@ -268,7 +272,7 @@ mac_externalize_ifnet_label(struct label *label, char *elements,
 }
 
 static int
-mac_internalize_ifnet_label(struct label *label, char *string)
+mac_ifnet_internalize_label(struct label *label, char *string)
 {
 	int error;
 
@@ -278,23 +282,23 @@ mac_internalize_ifnet_label(struct label *label, char *string)
 }
 
 void
-mac_create_ifnet(struct ifnet *ifp)
+mac_ifnet_create(struct ifnet *ifp)
 {
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_PERFORM(create_ifnet, ifp, ifp->if_label);
+	MAC_PERFORM(ifnet_create, ifp, ifp->if_label);
 	MAC_IFNET_UNLOCK(ifp);
 }
 
 void
-mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d)
+mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d)
 {
 
-	MAC_PERFORM(create_bpfdesc, cred, d, d->bd_label);
+	MAC_PERFORM(bpfdesc_create, cred, d, d->bd_label);
 }
 
 void
-mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m)
+mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
 {
 	struct label *label;
 
@@ -302,7 +306,7 @@ mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m)
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM(create_mbuf_from_bpfdesc, d, d->bd_label, m, label);
+	MAC_PERFORM(bpfdesc_create_mbuf, d, d->bd_label, m, label);
 }
 
 void
@@ -318,19 +322,19 @@ mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m)
 }
 
 void
-mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m)
+mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
 {
 	struct label *label;
 
 	label = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_PERFORM(create_mbuf_from_ifnet, ifp, ifp->if_label, m, label);
+	MAC_PERFORM(ifnet_create_mbuf, ifp, ifp->if_label, m, label);
 	MAC_IFNET_UNLOCK(ifp);
 }
 
 void
-mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
+mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
     struct mbuf *mnew)
 {
 	struct label *mlabel, *mnewlabel;
@@ -339,38 +343,38 @@ mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
 	mnewlabel = mac_mbuf_to_label(mnew);
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_PERFORM(create_mbuf_multicast_encap, m, mlabel, ifp,
+	MAC_PERFORM(mbuf_create_multicast_encap, m, mlabel, ifp,
 	    ifp->if_label, mnew, mnewlabel);
 	MAC_IFNET_UNLOCK(ifp);
 }
 
 void
-mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew)
+mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew)
 {
 	struct label *mlabel, *mnewlabel;
 
 	mlabel = mac_mbuf_to_label(m);
 	mnewlabel = mac_mbuf_to_label(mnew);
 
-	MAC_PERFORM(create_mbuf_netlayer, m, mlabel, mnew, mnewlabel);
+	MAC_PERFORM(mbuf_create_netlayer, m, mlabel, mnew, mnewlabel);
 }
 
 int
-mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp)
+mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp)
 {
 	int error;
 
 	BPFD_LOCK_ASSERT(d);
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_CHECK(check_bpfdesc_receive, d, d->bd_label, ifp, ifp->if_label);
+	MAC_CHECK(bpfdesc_check_receive, d, d->bd_label, ifp, ifp->if_label);
 	MAC_IFNET_UNLOCK(ifp);
 
 	return (error);
 }
 
 int
-mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m)
+mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
 {
 	struct label *label;
 	int error;
@@ -380,14 +384,14 @@ mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m)
 	label = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_CHECK(check_ifnet_transmit, ifp, ifp->if_label, m, label);
+	MAC_CHECK(ifnet_check_transmit, ifp, ifp->if_label, m, label);
 	MAC_IFNET_UNLOCK(ifp);
 
 	return (error);
 }
 
 int
-mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
+mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
     struct ifnet *ifp)
 {
 	char *elements, *buffer;
@@ -413,9 +417,9 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
 	buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
 	intlabel = mac_ifnet_label_alloc();
 	MAC_IFNET_LOCK(ifp);
-	mac_copy_ifnet_label(ifp->if_label, intlabel);
+	mac_ifnet_copy_label(ifp->if_label, intlabel);
 	MAC_IFNET_UNLOCK(ifp);
-	error = mac_externalize_ifnet_label(intlabel, elements, buffer,
+	error = mac_ifnet_externalize_label(intlabel, elements, buffer,
 	    mac.m_buflen);
 	mac_ifnet_label_free(intlabel);
 	if (error == 0)
@@ -428,7 +432,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
 }
 
 int
-mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
+mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
 {
 	struct label *intlabel;
 	struct mac mac;
@@ -451,7 +455,7 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
 	}
 
 	intlabel = mac_ifnet_label_alloc();
-	error = mac_internalize_ifnet_label(intlabel, buffer);
+	error = mac_ifnet_internalize_label(intlabel, buffer);
 	free(buffer, M_MACTEMP);
 	if (error) {
 		mac_ifnet_label_free(intlabel);
@@ -470,14 +474,14 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
 	}
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_CHECK(check_ifnet_relabel, cred, ifp, ifp->if_label, intlabel);
+	MAC_CHECK(ifnet_check_relabel, cred, ifp, ifp->if_label, intlabel);
 	if (error) {
 		MAC_IFNET_UNLOCK(ifp);
 		mac_ifnet_label_free(intlabel);
 		return (error);
 	}
 
-	MAC_PERFORM(relabel_ifnet, cred, ifp, ifp->if_label, intlabel);
+	MAC_PERFORM(ifnet_relabel, cred, ifp, ifp->if_label, intlabel);
 	MAC_IFNET_UNLOCK(ifp);
 
 	mac_ifnet_label_free(intlabel);

sys/security/mac/mac_pipe.c

@@ -1,5 +1,6 @@
 /*-
  * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -56,12 +60,12 @@ mac_pipe_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_pipe_label, label);
+	MAC_PERFORM(pipe_init_label, label);
 	return (label);
 }
 
 void
-mac_init_pipe(struct pipepair *pp)
+mac_pipe_init(struct pipepair *pp)
 {
 
 	pp->pp_label = mac_pipe_label_alloc();
@@ -71,12 +75,12 @@ void
 mac_pipe_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_pipe_label, label);
+	MAC_PERFORM(pipe_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_pipe(struct pipepair *pp)
+mac_pipe_destroy(struct pipepair *pp)
 {
 
 	mac_pipe_label_free(pp->pp_label);
@@ -84,14 +88,14 @@ mac_destroy_pipe(struct pipepair *pp)
 }
 
 void
-mac_copy_pipe_label(struct label *src, struct label *dest)
+mac_pipe_copy_label(struct label *src, struct label *dest)
 {
 
-	MAC_PERFORM(copy_pipe_label, src, dest);
+	MAC_PERFORM(pipe_copy_label, src, dest);
 }
 
 int
-mac_externalize_pipe_label(struct label *label, char *elements,
+mac_pipe_externalize_label(struct label *label, char *elements,
     char *outbuf, size_t outbuflen)
 {
 	int error;
@@ -102,7 +106,7 @@ mac_externalize_pipe_label(struct label *label, char *elements,
 }
 
 int
-mac_internalize_pipe_label(struct label *label, char *string)
+mac_pipe_internalize_label(struct label *label, char *string)
 {
 	int error;
 
@@ -112,90 +116,90 @@ mac_internalize_pipe_label(struct label *label, char *string)
 }
 
 void
-mac_create_pipe(struct ucred *cred, struct pipepair *pp)
+mac_pipe_create(struct ucred *cred, struct pipepair *pp)
 {
 
-	MAC_PERFORM(create_pipe, cred, pp, pp->pp_label);
+	MAC_PERFORM(pipe_create, cred, pp, pp->pp_label);
 }
 
 static void
-mac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *newlabel)
 {
 
-	MAC_PERFORM(relabel_pipe, cred, pp, pp->pp_label, newlabel);
+	MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel);
 }
 
 int
-mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
     unsigned long cmd, void *data)
 {
 	int error;
 
 	mtx_assert(&pp->pp_mtx, MA_OWNED);
 
-	MAC_CHECK(check_pipe_ioctl, cred, pp, pp->pp_label, cmd, data);
+	MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data);
 
 	return (error);
 }
 
 int
-mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
 {
 	int error;
 
 	mtx_assert(&pp->pp_mtx, MA_OWNED);
 
-	MAC_CHECK(check_pipe_poll, cred, pp, pp->pp_label);
+	MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label);
 
 	return (error);
 }
 
 int
-mac_check_pipe_read(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
 {
 	int error;
 
 	mtx_assert(&pp->pp_mtx, MA_OWNED);
 
-	MAC_CHECK(check_pipe_read, cred, pp, pp->pp_label);
+	MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label);
 
 	return (error);
 }
 
 static int
-mac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *newlabel)
 {
 	int error;
 
 	mtx_assert(&pp->pp_mtx, MA_OWNED);
 
-	MAC_CHECK(check_pipe_relabel, cred, pp, pp->pp_label, newlabel);
+	MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel);
 
 	return (error);
 }
 
 int
-mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp)
 {
 	int error;
 
 	mtx_assert(&pp->pp_mtx, MA_OWNED);
 
-	MAC_CHECK(check_pipe_stat, cred, pp, pp->pp_label);
+	MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label);
 
 	return (error);
 }
 
 int
-mac_check_pipe_write(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
 {
 	int error;
 
 	mtx_assert(&pp->pp_mtx, MA_OWNED);
 
-	MAC_CHECK(check_pipe_write, cred, pp, pp->pp_label);
+	MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label);
 
 	return (error);
 }
@@ -208,11 +212,11 @@ mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
 
 	mtx_assert(&pp->pp_mtx, MA_OWNED);
 
-	error = mac_check_pipe_relabel(cred, pp, label);
+	error = mac_pipe_check_relabel(cred, pp, label);
 	if (error)
 		return (error);
 
-	mac_relabel_pipe(cred, pp, label);
+	mac_pipe_relabel(cred, pp, label);
 
 	return (0);
 }

sys/security/mac/mac_posix_sem.c

@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2003-2005 SPARTA, Inc.
+ * Copyright (c) 2003-2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +7,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -48,100 +51,100 @@ __FBSDID("$FreeBSD$");
 #include <security/mac/mac_policy.h>
 
 static struct label *
-mac_posix_sem_label_alloc(void)
+mac_posixsem_label_alloc(void)
 {
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_posix_sem_label, label);
+	MAC_PERFORM(posixsem_init_label, label);
 	return (label);
 }
 
 void
-mac_init_posix_sem(struct ksem *ks)
+mac_posixsem_init(struct ksem *ks)
 {
 
-	ks->ks_label = mac_posix_sem_label_alloc();
+	ks->ks_label = mac_posixsem_label_alloc();
 }
 
 static void
-mac_posix_sem_label_free(struct label *label)
+mac_posixsem_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_posix_sem_label, label);
+	MAC_PERFORM(posixsem_destroy_label, label);
 }
 
 void
-mac_destroy_posix_sem(struct ksem *ks)
+mac_posixsem_destroy(struct ksem *ks)
 {
 
-	mac_posix_sem_label_free(ks->ks_label);
+	mac_posixsem_label_free(ks->ks_label);
 	ks->ks_label = NULL;
 }
 
 void
-mac_create_posix_sem(struct ucred *cred, struct ksem *ks)
+mac_posixsem_create(struct ucred *cred, struct ksem *ks)
 {
 
-	MAC_PERFORM(create_posix_sem, cred, ks, ks->ks_label);
+	MAC_PERFORM(posixsem_create, cred, ks, ks->ks_label);
 }
 
 int
-mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_destroy(struct ucred *cred, struct ksem *ks)
 {
 	int error;
 
-	MAC_CHECK(check_posix_sem_destroy, cred, ks, ks->ks_label);
+	MAC_CHECK(posixsem_check_destroy, cred, ks, ks->ks_label);
 
 	return (error);
 }
 
 int
-mac_check_posix_sem_open(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_open(struct ucred *cred, struct ksem *ks)
 {
 	int error;
 
-	MAC_CHECK(check_posix_sem_open, cred, ks, ks->ks_label);
+	MAC_CHECK(posixsem_check_open, cred, ks, ks->ks_label);
 
 	return (error);
 }
 
 int
-mac_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks)
 {
 	int error;
 
-	MAC_CHECK(check_posix_sem_getvalue, cred, ks, ks->ks_label);
+	MAC_CHECK(posixsem_check_getvalue, cred, ks, ks->ks_label);
 
 	return (error);
 }
 
 int
-mac_check_posix_sem_post(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_post(struct ucred *cred, struct ksem *ks)
 {
 	int error;
 
-	MAC_CHECK(check_posix_sem_post, cred, ks, ks->ks_label);
+	MAC_CHECK(posixsem_check_post, cred, ks, ks->ks_label);
 
 	return (error);
 }
 
 int
-mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks)
 {
 	int error;
 
-	MAC_CHECK(check_posix_sem_unlink, cred, ks, ks->ks_label);
+	MAC_CHECK(posixsem_check_unlink, cred, ks, ks->ks_label);
 
 	return (error);
 }
 
 int
-mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_wait(struct ucred *cred, struct ksem *ks)
 {
 	int error;
 
-	MAC_CHECK(check_posix_sem_wait, cred, ks, ks->ks_label);
+	MAC_CHECK(posixsem_check_wait, cred, ks, ks->ks_label);
 
 	return (error);
 }

sys/security/mac/mac_process.c

@@ -3,6 +3,7 @@
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
  * Copyright (c) 2005 Samy Al Bahra
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -13,6 +14,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -85,12 +89,12 @@ mac_cred_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_cred_label, label);
+	MAC_PERFORM(cred_init_label, label);
 	return (label);
 }
 
 void
-mac_init_cred(struct ucred *cred)
+mac_cred_init(struct ucred *cred)
 {
 
 	cred->cr_label = mac_cred_label_alloc();
@@ -102,12 +106,12 @@ mac_proc_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_proc_label, label);
+	MAC_PERFORM(proc_init_label, label);
 	return (label);
 }
 
 void
-mac_init_proc(struct proc *p)
+mac_proc_init(struct proc *p)
 {
 
 	p->p_label = mac_proc_label_alloc();
@@ -117,12 +121,12 @@ void
 mac_cred_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_cred_label, label);
+	MAC_PERFORM(cred_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_cred(struct ucred *cred)
+mac_cred_destroy(struct ucred *cred)
 {
 
 	mac_cred_label_free(cred->cr_label);
@@ -133,12 +137,12 @@ static void
 mac_proc_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_proc_label, label);
+	MAC_PERFORM(proc_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_proc(struct proc *p)
+mac_proc_destroy(struct proc *p)
 {
 
 	mac_proc_label_free(p->p_label);
@@ -146,7 +150,7 @@ mac_destroy_proc(struct proc *p)
 }
 
 int
-mac_externalize_cred_label(struct label *label, char *elements,
+mac_cred_externalize_label(struct label *label, char *elements,
     char *outbuf, size_t outbuflen)
 {
 	int error;
@@ -157,7 +161,7 @@ mac_externalize_cred_label(struct label *label, char *elements,
 }
 
 int
-mac_internalize_cred_label(struct label *label, char *string)
+mac_cred_internalize_label(struct label *label, char *string)
 {
 	int error;
 
@@ -171,10 +175,10 @@ mac_internalize_cred_label(struct label *label, char *string)
  * processes and threads are spawned.
  */
 void
-mac_create_proc0(struct ucred *cred)
+mac_proc_create_swapper(struct ucred *cred)
 {
 
-	MAC_PERFORM(create_proc0, cred);
+	MAC_PERFORM(proc_create_swapper, cred);
 }
 
 /*
@@ -182,10 +186,10 @@ mac_create_proc0(struct ucred *cred)
  * userland processes and threads are spawned.
  */
 void
-mac_create_proc1(struct ucred *cred)
+mac_proc_create_init(struct ucred *cred)
 {
 
-	MAC_PERFORM(create_proc1, cred);
+	MAC_PERFORM(proc_create_init, cred);
 }
 
 void
@@ -201,10 +205,10 @@ mac_thread_userret(struct thread *td)
  * This function allows that processing to take place.
  */
 void
-mac_copy_cred(struct ucred *src, struct ucred *dest)
+mac_cred_copy(struct ucred *src, struct ucred *dest)
 {
 
-	MAC_PERFORM(copy_cred_label, src->cr_label, dest->cr_label);
+	MAC_PERFORM(cred_copy_label, src->cr_label, dest->cr_label);
 }
 
 int
@@ -234,7 +238,7 @@ mac_execve_enter(struct image_params *imgp, struct mac *mac_p)
 	}
 
 	label = mac_cred_label_alloc();
-	error = mac_internalize_cred_label(label, buffer);
+	error = mac_cred_internalize_label(label, buffer);
 	free(buffer, M_MACTEMP);
 	if (error) {
 		mac_cred_label_free(label);
@@ -347,7 +351,7 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
 		vfslocked = VFS_LOCK_GIANT(vp->v_mount);
 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 		result = vme->max_protection;
-		mac_check_vnode_mmap_downgrade(cred, vp, &result);
+		mac_vnode_check_mmap_downgrade(cred, vp, &result);
 		VOP_UNLOCK(vp, 0, td);
 		/*
 		 * Find out what maximum protection we may be allowing now
@@ -429,185 +433,185 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
  * buffer cache.
  */
 void
-mac_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 
-	MAC_PERFORM(relabel_cred, cred, newlabel);
+	MAC_PERFORM(cred_relabel, cred, newlabel);
 }
 
 int
-mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
 	int error;
 
-	MAC_CHECK(check_cred_relabel, cred, newlabel);
+	MAC_CHECK(cred_check_relabel, cred, newlabel);
 
 	return (error);
 }
 
 int
-mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 {
 	int error;
 
-	MAC_CHECK(check_cred_visible, cr1, cr2);
+	MAC_CHECK(cred_check_visible, cr1, cr2);
 
 	return (error);
 }
 
 int
-mac_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 
-	MAC_CHECK(check_proc_debug, cred, p);
+	MAC_CHECK(proc_check_debug, cred, p);
 
 	return (error);
 }
 
 int
-mac_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 
-	MAC_CHECK(check_proc_sched, cred, p);
+	MAC_CHECK(proc_check_sched, cred, p);
 
 	return (error);
 }
 
 int
-mac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 
-	MAC_CHECK(check_proc_signal, cred, p, signum);
+	MAC_CHECK(proc_check_signal, cred, p, signum);
 
 	return (error);
 }
 
 int
-mac_check_proc_setuid(struct proc *p, struct ucred *cred, uid_t uid)
+mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 
-	MAC_CHECK(check_proc_setuid, cred, uid);
+	MAC_CHECK(proc_check_setuid, cred, uid);
 	return (error);
 }
 
 int
-mac_check_proc_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
+mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 
-	MAC_CHECK(check_proc_seteuid, cred, euid);
+	MAC_CHECK(proc_check_seteuid, cred, euid);
 	return (error);
 }
 
 int
-mac_check_proc_setgid(struct proc *p, struct ucred *cred, gid_t gid)
+mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 
-	MAC_CHECK(check_proc_setgid, cred, gid);
+	MAC_CHECK(proc_check_setgid, cred, gid);
 
 	return (error);
 }
 
 int
-mac_check_proc_setegid(struct proc *p, struct ucred *cred, gid_t egid)
+mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 
-	MAC_CHECK(check_proc_setegid, cred, egid);
+	MAC_CHECK(proc_check_setegid, cred, egid);
 
 	return (error);
 }
 
 int
-mac_check_proc_setgroups(struct proc *p, struct ucred *cred, int ngroups,
+mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups,
     gid_t *gidset)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 
-	MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset);
+	MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset);
 	return (error);
 }
 
 int
-mac_check_proc_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
+mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
     uid_t euid)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 
-	MAC_CHECK(check_proc_setreuid, cred, ruid, euid);
+	MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
 
 	return (error);
 }
 
 int
-mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
+mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
     gid_t egid)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(proc, MA_OWNED);
 
-	MAC_CHECK(check_proc_setregid, cred, rgid, egid);
+	MAC_CHECK(proc_check_setregid, cred, rgid, egid);
 
 	return (error);
 }
 
 int
-mac_check_proc_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
+mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
     uid_t euid, uid_t suid)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 
-	MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid);
+	MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid);
 	return (error);
 }
 
 int
-mac_check_proc_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
+mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
     gid_t egid, gid_t sgid)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 
-	MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid);
+	MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid);
 
 	return (error);
 }
 
 int
-mac_check_proc_wait(struct ucred *cred, struct proc *p)
+mac_proc_check_wait(struct ucred *cred, struct proc *p)
 {
 	int error;
 
 	PROC_LOCK_ASSERT(p, MA_OWNED);
 
-	MAC_CHECK(check_proc_wait, cred, p);
+	MAC_CHECK(proc_check_wait, cred, p);
 
 	return (error);
 }

sys/security/mac/mac_socket.c

@@ -2,7 +2,7 @@
  * Copyright (c) 1999-2002 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
- * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -94,9 +94,9 @@ mac_socket_label_alloc(int flag)
 	if (label == NULL)
 		return (NULL);
 
-	MAC_CHECK(init_socket_label, label, flag);
+	MAC_CHECK(socket_init_label, label, flag);
 	if (error) {
-		MAC_PERFORM(destroy_socket_label, label);
+		MAC_PERFORM(socket_destroy_label, label);
 		mac_labelzone_free(label);
 		return (NULL);
 	}
@@ -104,7 +104,7 @@ mac_socket_label_alloc(int flag)
 }
 
 static struct label *
-mac_socket_peer_label_alloc(int flag)
+mac_socketpeer_label_alloc(int flag)
 {
 	struct label *label;
 	int error;
@@ -113,9 +113,9 @@ mac_socket_peer_label_alloc(int flag)
 	if (label == NULL)
 		return (NULL);
 
-	MAC_CHECK(init_socket_peer_label, label, flag);
+	MAC_CHECK(socketpeer_init_label, label, flag);
 	if (error) {
-		MAC_PERFORM(destroy_socket_peer_label, label);
+		MAC_PERFORM(socketpeer_destroy_label, label);
 		mac_labelzone_free(label);
 		return (NULL);
 	}
@@ -123,13 +123,13 @@ mac_socket_peer_label_alloc(int flag)
 }
 
 int
-mac_init_socket(struct socket *so, int flag)
+mac_socket_init(struct socket *so, int flag)
 {
 
 	so->so_label = mac_socket_label_alloc(flag);
 	if (so->so_label == NULL)
 		return (ENOMEM);
-	so->so_peerlabel = mac_socket_peer_label_alloc(flag);
+	so->so_peerlabel = mac_socketpeer_label_alloc(flag);
 	if (so->so_peerlabel == NULL) {
 		mac_socket_label_free(so->so_label);
 		so->so_label = NULL;
@@ -142,37 +142,37 @@ void
 mac_socket_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_socket_label, label);
+	MAC_PERFORM(socket_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 static void
-mac_socket_peer_label_free(struct label *label)
+mac_socketpeer_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_socket_peer_label, label);
+	MAC_PERFORM(socketpeer_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_socket(struct socket *so)
+mac_socket_destroy(struct socket *so)
 {
 
 	mac_socket_label_free(so->so_label);
 	so->so_label = NULL;
-	mac_socket_peer_label_free(so->so_peerlabel);
+	mac_socketpeer_label_free(so->so_peerlabel);
 	so->so_peerlabel = NULL;
 }
 
 void
-mac_copy_socket_label(struct label *src, struct label *dest)
+mac_socket_copy_label(struct label *src, struct label *dest)
 {
 
-	MAC_PERFORM(copy_socket_label, src, dest);
+	MAC_PERFORM(socket_copy_label, src, dest);
 }
 
 int
-mac_externalize_socket_label(struct label *label, char *elements,
+mac_socket_externalize_label(struct label *label, char *elements,
     char *outbuf, size_t outbuflen)
 {
 	int error;
@@ -183,18 +183,18 @@ mac_externalize_socket_label(struct label *label, char *elements,
 }
 
 static int
-mac_externalize_socket_peer_label(struct label *label, char *elements,
+mac_socketpeer_externalize_label(struct label *label, char *elements,
     char *outbuf, size_t outbuflen)
 {
 	int error;
 
-	MAC_EXTERNALIZE(socket_peer, label, elements, outbuf, outbuflen);
+	MAC_EXTERNALIZE(socketpeer, label, elements, outbuf, outbuflen);
 
 	return (error);
 }
 
 int
-mac_internalize_socket_label(struct label *label, char *string)
+mac_socket_internalize_label(struct label *label, char *string)
 {
 	int error;
 
@@ -204,34 +204,34 @@ mac_internalize_socket_label(struct label *label, char *string)
 }
 
 void
-mac_create_socket(struct ucred *cred, struct socket *so)
+mac_socket_create(struct ucred *cred, struct socket *so)
 {
 
-	MAC_PERFORM(create_socket, cred, so, so->so_label);
+	MAC_PERFORM(socket_create, cred, so, so->so_label);
 }
 
 void
-mac_create_socket_from_socket(struct socket *oldso, struct socket *newso)
+mac_socket_newconn(struct socket *oldso, struct socket *newso)
 {
 
 	SOCK_LOCK_ASSERT(oldso);
 
-	MAC_PERFORM(create_socket_from_socket, oldso, oldso->so_label, newso,
+	MAC_PERFORM(socket_newconn, oldso, oldso->so_label, newso,
 	    newso->so_label);
 }
 
 static void
-mac_relabel_socket(struct ucred *cred, struct socket *so,
+mac_socket_relabel(struct ucred *cred, struct socket *so,
     struct label *newlabel)
 {
 
 	SOCK_LOCK_ASSERT(so);
 
-	MAC_PERFORM(relabel_socket, cred, so, so->so_label, newlabel);
+	MAC_PERFORM(socket_relabel, cred, so, so->so_label, newlabel);
 }
 
 void
-mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so)
+mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so)
 {
 	struct label *label;
 
@@ -239,12 +239,12 @@ mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so)
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM(set_socket_peer_from_mbuf, m, label, so,
+	MAC_PERFORM(socketpeer_set_from_mbuf, m, label, so,
 	    so->so_peerlabel);
 }
 
 void
-mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso)
+mac_socketpeer_set_from_socket(struct socket *oldso, struct socket *newso)
 {
 
 	/*
@@ -252,12 +252,12 @@ mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso)
 	 * is the original, and one is the new.  However, it's called in both
 	 * directions, so we can't assert the lock here currently.
 	 */
-	MAC_PERFORM(set_socket_peer_from_socket, oldso, oldso->so_label,
+	MAC_PERFORM(socketpeer_set_from_socket, oldso, oldso->so_label,
 	    newso, newso->so_peerlabel);
 }
 
 void
-mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m)
+mac_socket_create_mbuf(struct socket *so, struct mbuf *m)
 {
 	struct label *label;
 
@@ -265,59 +265,59 @@ mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m)
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM(create_mbuf_from_socket, so, so->so_label, m, label);
+	MAC_PERFORM(socket_create_mbuf, so, so->so_label, m, label);
 }
 
 int
-mac_check_socket_accept(struct ucred *cred, struct socket *so)
+mac_socket_check_accept(struct ucred *cred, struct socket *so)
 {
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
-	MAC_CHECK(check_socket_accept, cred, so, so->so_label);
+	MAC_CHECK(socket_check_accept, cred, so, so->so_label);
 
 	return (error);
 }
 
 int
-mac_check_socket_bind(struct ucred *ucred, struct socket *so,
+mac_socket_check_bind(struct ucred *ucred, struct socket *so,
     struct sockaddr *sa)
 {
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
-	MAC_CHECK(check_socket_bind, ucred, so, so->so_label, sa);
+	MAC_CHECK(socket_check_bind, ucred, so, so->so_label, sa);
 
 	return (error);
 }
 
 int
-mac_check_socket_connect(struct ucred *cred, struct socket *so,
+mac_socket_check_connect(struct ucred *cred, struct socket *so,
     struct sockaddr *sa)
 {
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
-	MAC_CHECK(check_socket_connect, cred, so, so->so_label, sa);
+	MAC_CHECK(socket_check_connect, cred, so, so->so_label, sa);
 
 	return (error);
 }
 
 int
-mac_check_socket_create(struct ucred *cred, int domain, int type, int proto)
+mac_socket_check_create(struct ucred *cred, int domain, int type, int proto)
 {
 	int error;
 
-	MAC_CHECK(check_socket_create, cred, domain, type, proto);
+	MAC_CHECK(socket_check_create, cred, domain, type, proto);
 
 	return (error);
 }
 
 int
-mac_check_socket_deliver(struct socket *so, struct mbuf *m)
+mac_socket_check_deliver(struct socket *so, struct mbuf *m)
 {
 	struct label *label;
 	int error;
@@ -326,92 +326,92 @@ mac_check_socket_deliver(struct socket *so, struct mbuf *m)
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_CHECK(check_socket_deliver, so, so->so_label, m, label);
+	MAC_CHECK(socket_check_deliver, so, so->so_label, m, label);
 
 	return (error);
 }
 
 int
-mac_check_socket_listen(struct ucred *cred, struct socket *so)
+mac_socket_check_listen(struct ucred *cred, struct socket *so)
 {
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
-	MAC_CHECK(check_socket_listen, cred, so, so->so_label);
+	MAC_CHECK(socket_check_listen, cred, so, so->so_label);
 
 	return (error);
 }
 
 int
-mac_check_socket_poll(struct ucred *cred, struct socket *so)
+mac_socket_check_poll(struct ucred *cred, struct socket *so)
 {
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
-	MAC_CHECK(check_socket_poll, cred, so, so->so_label);
+	MAC_CHECK(socket_check_poll, cred, so, so->so_label);
 
 	return (error);
 }
 
 int
-mac_check_socket_receive(struct ucred *cred, struct socket *so)
+mac_socket_check_receive(struct ucred *cred, struct socket *so)
 {
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
-	MAC_CHECK(check_socket_receive, cred, so, so->so_label);
+	MAC_CHECK(socket_check_receive, cred, so, so->so_label);
 
 	return (error);
 }
 
 static int
-mac_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_socket_check_relabel(struct ucred *cred, struct socket *so,
     struct label *newlabel)
 {
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
-	MAC_CHECK(check_socket_relabel, cred, so, so->so_label, newlabel);
+	MAC_CHECK(socket_check_relabel, cred, so, so->so_label, newlabel);
 
 	return (error);
 }
 
 int
-mac_check_socket_send(struct ucred *cred, struct socket *so)
+mac_socket_check_send(struct ucred *cred, struct socket *so)
 {
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
-	MAC_CHECK(check_socket_send, cred, so, so->so_label);
+	MAC_CHECK(socket_check_send, cred, so, so->so_label);
 
 	return (error);
 }
 
 int
-mac_check_socket_stat(struct ucred *cred, struct socket *so)
+mac_socket_check_stat(struct ucred *cred, struct socket *so)
 {
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
-	MAC_CHECK(check_socket_stat, cred, so, so->so_label);
+	MAC_CHECK(socket_check_stat, cred, so, so->so_label);
 
 	return (error);
 }
 
 int
-mac_check_socket_visible(struct ucred *cred, struct socket *so)
+mac_socket_check_visible(struct ucred *cred, struct socket *so)
 {
 	int error;
 
 	SOCK_LOCK_ASSERT(so);
 
-	MAC_CHECK(check_socket_visible, cred, so, so->so_label);
+	MAC_CHECK(socket_check_visible, cred, so, so->so_label);
 
 	return (error);
 }
@@ -431,13 +431,13 @@ mac_socket_label_set(struct ucred *cred, struct socket *so,
 	 * acquire the socket lock before refreshing, holding both locks.
 	 */
 	SOCK_LOCK(so);
-	error = mac_check_socket_relabel(cred, so, label);
+	error = mac_socket_check_relabel(cred, so, label);
 	if (error) {
 		SOCK_UNLOCK(so);
 		return (error);
 	}
 
-	mac_relabel_socket(cred, so, label);
+	mac_socket_relabel(cred, so, label);
 	SOCK_UNLOCK(so);
 
 	/*
@@ -471,7 +471,7 @@ mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
 	}
 
 	intlabel = mac_socket_label_alloc(M_WAITOK);
-	error = mac_internalize_socket_label(intlabel, buffer);
+	error = mac_socket_internalize_label(intlabel, buffer);
 	free(buffer, M_MACTEMP);
 	if (error)
 		goto out;
@@ -503,9 +503,9 @@ mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
 	buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
 	intlabel = mac_socket_label_alloc(M_WAITOK);
 	SOCK_LOCK(so);
-	mac_copy_socket_label(so->so_label, intlabel);
+	mac_socket_copy_label(so->so_label, intlabel);
 	SOCK_UNLOCK(so);
-	error = mac_externalize_socket_label(intlabel, elements, buffer,
+	error = mac_socket_externalize_label(intlabel, elements, buffer,
 	    mac->m_buflen);
 	mac_socket_label_free(intlabel);
 	if (error == 0)
@@ -539,9 +539,9 @@ mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
 	buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
 	intlabel = mac_socket_label_alloc(M_WAITOK);
 	SOCK_LOCK(so);
-	mac_copy_socket_label(so->so_peerlabel, intlabel);
+	mac_socket_copy_label(so->so_peerlabel, intlabel);
 	SOCK_UNLOCK(so);
-	error = mac_externalize_socket_peer_label(intlabel, elements, buffer,
+	error = mac_socketpeer_externalize_label(intlabel, elements, buffer,
 	    mac->m_buflen);
 	mac_socket_label_free(intlabel);
 	if (error == 0)

sys/security/mac/mac_syscalls.c

@@ -105,7 +105,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
 	}
 
 	buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
-	error = mac_externalize_cred_label(tcred->cr_label, elements,
+	error = mac_cred_externalize_label(tcred->cr_label, elements,
 	    buffer, mac.m_buflen);
 	if (error == 0)
 		error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -139,7 +139,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
 	}
 
 	buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
-	error = mac_externalize_cred_label(td->td_ucred->cr_label,
+	error = mac_cred_externalize_label(td->td_ucred->cr_label,
 	    elements, buffer, mac.m_buflen);
 	if (error == 0)
 		error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -175,7 +175,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
 	}
 
 	intlabel = mac_cred_label_alloc();
-	error = mac_internalize_cred_label(intlabel, buffer);
+	error = mac_cred_internalize_label(intlabel, buffer);
 	free(buffer, M_MACTEMP);
 	if (error)
 		goto out;
@@ -186,7 +186,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
 	PROC_LOCK(p);
 	oldcred = p->p_ucred;
 
-	error = mac_check_cred_relabel(oldcred, intlabel);
+	error = mac_cred_check_relabel(oldcred, intlabel);
 	if (error) {
 		PROC_UNLOCK(p);
 		crfree(newcred);
@@ -195,7 +195,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
 
 	setsugid(p);
 	crcopy(newcred, oldcred);
-	mac_relabel_cred(newcred, intlabel);
+	mac_cred_relabel(newcred, intlabel);
 	p->p_ucred = newcred;
 
 	/*
@@ -256,10 +256,10 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
 		intlabel = mac_vnode_label_alloc();
 		vfslocked = VFS_LOCK_GIANT(vp->v_mount);
 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
-		mac_copy_vnode_label(vp->v_label, intlabel);
+		mac_vnode_copy_label(vp->v_label, intlabel);
 		VOP_UNLOCK(vp, 0, td);
 		VFS_UNLOCK_GIANT(vfslocked);
-		error = mac_externalize_vnode_label(intlabel, elements,
+		error = mac_vnode_externalize_label(intlabel, elements,
 		    buffer, mac.m_buflen);
 		mac_vnode_label_free(intlabel);
 		break;
@@ -268,9 +268,9 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
 		pipe = fp->f_data;
 		intlabel = mac_pipe_label_alloc();
 		PIPE_LOCK(pipe);
-		mac_copy_pipe_label(pipe->pipe_pair->pp_label, intlabel);
+		mac_pipe_copy_label(pipe->pipe_pair->pp_label, intlabel);
 		PIPE_UNLOCK(pipe);
-		error = mac_externalize_pipe_label(intlabel, elements,
+		error = mac_pipe_externalize_label(intlabel, elements,
 		    buffer, mac.m_buflen);
 		mac_pipe_label_free(intlabel);
 		break;
@@ -279,9 +279,9 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
 		so = fp->f_data;
 		intlabel = mac_socket_label_alloc(M_WAITOK);
 		SOCK_LOCK(so);
-		mac_copy_socket_label(so->so_label, intlabel);
+		mac_socket_copy_label(so->so_label, intlabel);
 		SOCK_UNLOCK(so);
-		error = mac_externalize_socket_label(intlabel, elements,
+		error = mac_socket_externalize_label(intlabel, elements,
 		    buffer, mac.m_buflen);
 		mac_socket_label_free(intlabel);
 		break;
@@ -332,8 +332,8 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
 
 	intlabel = mac_vnode_label_alloc();
 	vfslocked = NDHASGIANT(&nd);
-	mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
-	error = mac_externalize_vnode_label(intlabel, elements, buffer,
+	mac_vnode_copy_label(nd.ni_vp->v_label, intlabel);
+	error = mac_vnode_externalize_label(intlabel, elements, buffer,
 	    mac.m_buflen);
 
 	NDFREE(&nd, 0);
@@ -382,8 +382,8 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
 
 	intlabel = mac_vnode_label_alloc();
 	vfslocked = NDHASGIANT(&nd);
-	mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
-	error = mac_externalize_vnode_label(intlabel, elements, buffer,
+	mac_vnode_copy_label(nd.ni_vp->v_label, intlabel);
+	error = mac_vnode_externalize_label(intlabel, elements, buffer,
 	    mac.m_buflen);
 	NDFREE(&nd, 0);
 	VFS_UNLOCK_GIANT(vfslocked);
@@ -435,7 +435,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
 	case DTYPE_FIFO:
 	case DTYPE_VNODE:
 		intlabel = mac_vnode_label_alloc();
-		error = mac_internalize_vnode_label(intlabel, buffer);
+		error = mac_vnode_internalize_label(intlabel, buffer);
 		if (error) {
 			mac_vnode_label_free(intlabel);
 			break;
@@ -458,7 +458,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
 
 	case DTYPE_PIPE:
 		intlabel = mac_pipe_label_alloc();
-		error = mac_internalize_pipe_label(intlabel, buffer);
+		error = mac_pipe_internalize_label(intlabel, buffer);
 		if (error == 0) {
 			pipe = fp->f_data;
 			PIPE_LOCK(pipe);
@@ -471,7 +471,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
 
 	case DTYPE_SOCKET:
 		intlabel = mac_socket_label_alloc(M_WAITOK);
-		error = mac_internalize_socket_label(intlabel, buffer);
+		error = mac_socket_internalize_label(intlabel, buffer);
 		if (error == 0) {
 			so = fp->f_data;
 			error = mac_socket_label_set(td->td_ucred, so,
@@ -515,7 +515,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
 	}
 
 	intlabel = mac_vnode_label_alloc();
-	error = mac_internalize_vnode_label(intlabel, buffer);
+	error = mac_vnode_internalize_label(intlabel, buffer);
 	free(buffer, M_MACTEMP);
 	if (error)
 		goto out;
@@ -566,7 +566,7 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
 	}
 
 	intlabel = mac_vnode_label_alloc();
-	error = mac_internalize_vnode_label(intlabel, buffer);
+	error = mac_vnode_internalize_label(intlabel, buffer);
 	free(buffer, M_MACTEMP);
 	if (error)
 		goto out;

sys/security/mac/mac_system.c

@@ -1,5 +1,6 @@
 /*-
  * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2007 Robert N. M. Watson
  * All rights reserved.
  *
@@ -11,6 +12,9 @@
  * Portions of this software were developed by Robert Watson for the
  * TrustedBSD Project.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -63,116 +67,116 @@ __FBSDID("$FreeBSD$");
 #include <security/mac/mac_policy.h>
 
 int
-mac_check_kenv_dump(struct ucred *cred)
+mac_kenv_check_dump(struct ucred *cred)
 {
 	int error;
 
-	MAC_CHECK(check_kenv_dump, cred);
+	MAC_CHECK(kenv_check_dump, cred);
 
 	return (error);
 }
 
 int
-mac_check_kenv_get(struct ucred *cred, char *name)
+mac_kenv_check_get(struct ucred *cred, char *name)
 {
 	int error;
 
-	MAC_CHECK(check_kenv_get, cred, name);
+	MAC_CHECK(kenv_check_get, cred, name);
 
 	return (error);
 }
 
 int
-mac_check_kenv_set(struct ucred *cred, char *name, char *value)
+mac_kenv_check_set(struct ucred *cred, char *name, char *value)
 {
 	int error;
 
-	MAC_CHECK(check_kenv_set, cred, name, value);
+	MAC_CHECK(kenv_check_set, cred, name, value);
 
 	return (error);
 }
 
 int
-mac_check_kenv_unset(struct ucred *cred, char *name)
+mac_kenv_check_unset(struct ucred *cred, char *name)
 {
 	int error;
 
-	MAC_CHECK(check_kenv_unset, cred, name);
+	MAC_CHECK(kenv_check_unset, cred, name);
 
 	return (error);
 }
 
 int
-mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+mac_kld_check_load(struct ucred *cred, struct vnode *vp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+	ASSERT_VOP_LOCKED(vp, "mac_kld_check_load");
 
-	MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
+	MAC_CHECK(kld_check_load, cred, vp, vp->v_label);
 
 	return (error);
 }
 
 int
-mac_check_kld_stat(struct ucred *cred)
+mac_kld_check_stat(struct ucred *cred)
 {
 	int error;
 
-	MAC_CHECK(check_kld_stat, cred);
+	MAC_CHECK(kld_check_stat, cred);
 
 	return (error);
 }
 
 int
-mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+mac_system_check_acct(struct ucred *cred, struct vnode *vp)
 {
 	int error;
 
 	if (vp != NULL) {
-		ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+		ASSERT_VOP_LOCKED(vp, "mac_system_check_acct");
 	}
 
-	MAC_CHECK(check_system_acct, cred, vp,
+	MAC_CHECK(system_check_acct, cred, vp,
 	    vp != NULL ? vp->v_label : NULL);
 
 	return (error);
 }
 
 int
-mac_check_system_reboot(struct ucred *cred, int howto)
+mac_system_check_reboot(struct ucred *cred, int howto)
 {
 	int error;
 
-	MAC_CHECK(check_system_reboot, cred, howto);
+	MAC_CHECK(system_check_reboot, cred, howto);
 
 	return (error);
 }
 
 int
-mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
+mac_system_check_swapon(struct ucred *cred, struct vnode *vp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
+	ASSERT_VOP_LOCKED(vp, "mac_system_check_swapon");
 
-	MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
+	MAC_CHECK(system_check_swapon, cred, vp, vp->v_label);
 	return (error);
 }
 
 int
-mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
+mac_system_check_swapoff(struct ucred *cred, struct vnode *vp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
+	ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff");
 
-	MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
+	MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label);
 	return (error);
 }
 
 int
-mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
     void *arg1, int arg2, struct sysctl_req *req)
 {
 	int error;
@@ -181,7 +185,7 @@ mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
 	 * XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
 	 * but since it's not exported from kern_sysctl.c, we can't.
 	 */
-	MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req);
+	MAC_CHECK(system_check_sysctl, cred, oidp, arg1, arg2, req);
 
 	return (error);
 }

sys/security/mac/mac_sysv_msg.c

@@ -1,5 +1,6 @@
 /*-
  * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -58,12 +62,12 @@ mac_sysv_msgmsg_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_sysv_msgmsg_label, label);
+	MAC_PERFORM(sysvmsg_init_label, label);
 	return (label);
 }
 
 void
-mac_init_sysv_msgmsg(struct msg *msgptr)
+mac_sysvmsg_init(struct msg *msgptr)
 {
 
 	msgptr->label = mac_sysv_msgmsg_label_alloc();
@@ -75,12 +79,12 @@ mac_sysv_msgqueue_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_sysv_msgqueue_label, label);
+	MAC_PERFORM(sysvmsq_init_label, label);
 	return (label);
 }
 
 void
-mac_init_sysv_msgqueue(struct msqid_kernel *msqkptr)
+mac_sysvmsq_init(struct msqid_kernel *msqkptr)
 {
 
 	msqkptr->label = mac_sysv_msgqueue_label_alloc();
@@ -90,12 +94,12 @@ static void
 mac_sysv_msgmsg_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_sysv_msgmsg_label, label);
+	MAC_PERFORM(sysvmsg_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_sysv_msgmsg(struct msg *msgptr)
+mac_sysvmsg_destroy(struct msg *msgptr)
 {
 
 	mac_sysv_msgmsg_label_free(msgptr->label);
@@ -106,12 +110,12 @@ static void
 mac_sysv_msgqueue_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_sysv_msgqueue_label, label);
+	MAC_PERFORM(sysvmsq_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_sysv_msgqueue(struct msqid_kernel *msqkptr)
+mac_sysvmsq_destroy(struct msqid_kernel *msqkptr)
 {
 
 	mac_sysv_msgqueue_label_free(msqkptr->label);
@@ -119,104 +123,104 @@ mac_destroy_sysv_msgqueue(struct msqid_kernel *msqkptr)
 }
 
 void
-mac_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
     struct msg *msgptr)
 {
 
-	MAC_PERFORM(create_sysv_msgmsg, cred, msqkptr, msqkptr->label,
+	MAC_PERFORM(sysvmsg_create, cred, msqkptr, msqkptr->label,
 		msgptr, msgptr->label);
 }
 
 void
-mac_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr)
+mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr)
 {
 
-	MAC_PERFORM(create_sysv_msgqueue, cred, msqkptr, msqkptr->label);
+	MAC_PERFORM(sysvmsq_create, cred, msqkptr, msqkptr->label);
 }
 
 void
-mac_cleanup_sysv_msgmsg(struct msg *msgptr)
+mac_sysvmsg_cleanup(struct msg *msgptr)
 {
 
-	MAC_PERFORM(cleanup_sysv_msgmsg, msgptr->label);
+	MAC_PERFORM(sysvmsg_cleanup, msgptr->label);
 }
 
 void
-mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr)
+mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr)
 {
 
-	MAC_PERFORM(cleanup_sysv_msgqueue, msqkptr->label);
+	MAC_PERFORM(sysvmsq_cleanup, msqkptr->label);
 }
 
 int
-mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
+mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
 	struct msqid_kernel *msqkptr)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_msgmsq, cred,  msgptr, msgptr->label, msqkptr,
-	    msqkptr->label);
+	MAC_CHECK(sysvmsq_check_msgmsq, cred,  msgptr, msgptr->label,
+	    msqkptr, msqkptr->label);
 
 	return (error);
 }
 
 int
-mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr)
+mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_msgrcv, cred, msgptr, msgptr->label);
+	MAC_CHECK(sysvmsq_check_msgrcv, cred, msgptr, msgptr->label);
 
 	return (error);
 }
 
 int
-mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr)
+mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_msgrmid, cred,  msgptr, msgptr->label);
+	MAC_CHECK(sysvmsq_check_msgrmid, cred,  msgptr, msgptr->label);
 
 	return (error);
 }
 
 int
-mac_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
+mac_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_msqget, cred, msqkptr, msqkptr->label);
+	MAC_CHECK(sysvmsq_check_msqget, cred, msqkptr, msqkptr->label);
 
 	return (error);
 }
 
 int
-mac_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
+mac_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_msqsnd, cred, msqkptr, msqkptr->label);
+	MAC_CHECK(sysvmsq_check_msqsnd, cred, msqkptr, msqkptr->label);
 
 	return (error);
 }
 
 int
-mac_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
+mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_msqrcv, cred, msqkptr, msqkptr->label);
+	MAC_CHECK(sysvmsq_check_msqrcv, cred, msqkptr, msqkptr->label);
 
 	return (error);
 }
 
 int
-mac_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
     int cmd)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_msqctl, cred, msqkptr, msqkptr->label, cmd);
+	MAC_CHECK(sysvmsq_check_msqctl, cred, msqkptr, msqkptr->label, cmd);
 
 	return (error);
 }

sys/security/mac/mac_sysv_sem.c

@@ -1,5 +1,6 @@
 /*-
  * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -58,12 +62,12 @@ mac_sysv_sem_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_sysv_sem_label, label);
+	MAC_PERFORM(sysvsem_init_label, label);
 	return (label);
 }
 
 void
-mac_init_sysv_sem(struct semid_kernel *semakptr)
+mac_sysvsem_init(struct semid_kernel *semakptr)
 {
 
 	semakptr->label = mac_sysv_sem_label_alloc();
@@ -73,12 +77,12 @@ static void
 mac_sysv_sem_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_sysv_sem_label, label);
+	MAC_PERFORM(sysvsem_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_sysv_sem(struct semid_kernel *semakptr)
+mac_sysvsem_destroy(struct semid_kernel *semakptr)
 {
 
 	mac_sysv_sem_label_free(semakptr->label);
@@ -86,47 +90,48 @@ mac_destroy_sysv_sem(struct semid_kernel *semakptr)
 }
 
 void
-mac_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr)
+mac_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr)
 {
 
-	MAC_PERFORM(create_sysv_sem, cred, semakptr, semakptr->label);
+	MAC_PERFORM(sysvsem_create, cred, semakptr, semakptr->label);
 }
 
 void
-mac_cleanup_sysv_sem(struct semid_kernel *semakptr)
+mac_sysvsem_cleanup(struct semid_kernel *semakptr)
 {
 
-	MAC_PERFORM(cleanup_sysv_sem, semakptr->label);
+	MAC_PERFORM(sysvsem_cleanup, semakptr->label);
 }
 
 int
-mac_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
+mac_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
     int cmd)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_semctl, cred, semakptr, semakptr->label, cmd);
+	MAC_CHECK(sysvsem_check_semctl, cred, semakptr, semakptr->label,
+	    cmd);
 
 	return (error);
 }
 
 int
-mac_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr)
+mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_semget, cred, semakptr, semakptr->label);
+	MAC_CHECK(sysvsem_check_semget, cred, semakptr, semakptr->label);
 
 	return (error);
 }
 
 int
-mac_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
+mac_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
     size_t accesstype)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_semop, cred, semakptr, semakptr->label,
+	MAC_CHECK(sysvsem_check_semop, cred, semakptr, semakptr->label,
 	    accesstype);
 
 	return (error);

sys/security/mac/mac_sysv_shm.c

@@ -1,5 +1,6 @@
 /*-
  * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -58,12 +62,12 @@ mac_sysv_shm_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_sysv_shm_label, label);
+	MAC_PERFORM(sysvshm_init_label, label);
 	return (label);
 }
 
 void
-mac_init_sysv_shm(struct shmid_kernel *shmsegptr)
+mac_sysvshm_init(struct shmid_kernel *shmsegptr)
 {
 
 	shmsegptr->label = mac_sysv_shm_label_alloc();
@@ -73,12 +77,12 @@ static void
 mac_sysv_shm_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_sysv_shm_label, label);
+	MAC_PERFORM(sysvshm_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_sysv_shm(struct shmid_kernel *shmsegptr)
+mac_sysvshm_destroy(struct shmid_kernel *shmsegptr)
 {
 
 	mac_sysv_shm_label_free(shmsegptr->label);
@@ -86,60 +90,60 @@ mac_destroy_sysv_shm(struct shmid_kernel *shmsegptr)
 }
 
 void
-mac_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr)
+mac_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr)
 {
 
-	MAC_PERFORM(create_sysv_shm, cred, shmsegptr, shmsegptr->label);
+	MAC_PERFORM(sysvshm_create, cred, shmsegptr, shmsegptr->label);
 }
 
 void
-mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr)
+mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr)
 {
 
-	MAC_PERFORM(cleanup_sysv_shm, shmsegptr->label);
+	MAC_PERFORM(sysvshm_cleanup, shmsegptr->label);
 }
 
 int
-mac_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
     int shmflg)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_shmat, cred, shmsegptr, shmsegptr->label,
+	MAC_CHECK(sysvshm_check_shmat, cred, shmsegptr, shmsegptr->label,
 	    shmflg);
 
 	return (error);
 }
 
 int
-mac_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
     int cmd)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_shmctl, cred, shmsegptr, shmsegptr->label,
+	MAC_CHECK(sysvshm_check_shmctl, cred, shmsegptr, shmsegptr->label,
 	    cmd);
 
 	return (error);
 }
 
 int
-mac_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
+mac_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_shmdt, cred, shmsegptr, shmsegptr->label);
+	MAC_CHECK(sysvshm_check_shmdt, cred, shmsegptr, shmsegptr->label);
 
 	return (error);
 }
 
 int
-mac_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
     int shmflg)
 {
 	int error;
 
-	MAC_CHECK(check_sysv_shmget, cred, shmsegptr, shmsegptr->label,
+	MAC_CHECK(sysvshm_check_shmget, cred, shmsegptr, shmsegptr->label,
 	    shmflg);
 
 	return (error);

sys/security/mac/mac_vfs.c

@@ -77,7 +77,7 @@ __FBSDID("$FreeBSD$");
  */
 static int	ea_warn_once = 0;
 
-static int	mac_setlabel_vnode_extattr(struct ucred *cred,
+static int	mac_vnode_setlabel_extattr(struct ucred *cred,
 		    struct vnode *vp, struct label *intlabel);
 
 static struct label *
@@ -86,12 +86,12 @@ mac_devfs_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_devfs_label, label);
+	MAC_PERFORM(devfs_init_label, label);
 	return (label);
 }
 
 void
-mac_init_devfs(struct devfs_dirent *de)
+mac_devfs_init(struct devfs_dirent *de)
 {
 
 	de->de_label = mac_devfs_label_alloc();
@@ -103,12 +103,12 @@ mac_mount_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_mount_label, label);
+	MAC_PERFORM(mount_init_label, label);
 	return (label);
 }
 
 void
-mac_init_mount(struct mount *mp)
+mac_mount_init(struct mount *mp)
 {
 
 	mp->mnt_label = mac_mount_label_alloc();
@@ -120,12 +120,12 @@ mac_vnode_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(init_vnode_label, label);
+	MAC_PERFORM(vnode_init_label, label);
 	return (label);
 }
 
 void
-mac_init_vnode(struct vnode *vp)
+mac_vnode_init(struct vnode *vp)
 {
 
 	vp->v_label = mac_vnode_label_alloc();
@@ -135,12 +135,12 @@ static void
 mac_devfs_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_devfs_label, label);
+	MAC_PERFORM(devfs_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_devfs(struct devfs_dirent *de)
+mac_devfs_destroy(struct devfs_dirent *de)
 {
 
 	mac_devfs_label_free(de->de_label);
@@ -151,12 +151,12 @@ static void
 mac_mount_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_mount_label, label);
+	MAC_PERFORM(mount_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_mount(struct mount *mp)
+mac_mount_destroy(struct mount *mp)
 {
 
 	mac_mount_label_free(mp->mnt_label);
@@ -167,12 +167,12 @@ void
 mac_vnode_label_free(struct label *label)
 {
 
-	MAC_PERFORM(destroy_vnode_label, label);
+	MAC_PERFORM(vnode_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
 void
-mac_destroy_vnode(struct vnode *vp)
+mac_vnode_destroy(struct vnode *vp)
 {
 
 	mac_vnode_label_free(vp->v_label);
@@ -180,14 +180,14 @@ mac_destroy_vnode(struct vnode *vp)
 }
 
 void
-mac_copy_vnode_label(struct label *src, struct label *dest)
+mac_vnode_copy_label(struct label *src, struct label *dest)
 {
 
-	MAC_PERFORM(copy_vnode_label, src, dest);
+	MAC_PERFORM(vnode_copy_label, src, dest);
 }
 
 int
-mac_externalize_vnode_label(struct label *label, char *elements,
+mac_vnode_externalize_label(struct label *label, char *elements,
     char *outbuf, size_t outbuflen)
 {
 	int error;
@@ -198,7 +198,7 @@ mac_externalize_vnode_label(struct label *label, char *elements,
 }
 
 int
-mac_internalize_vnode_label(struct label *label, char *string)
+mac_vnode_internalize_label(struct label *label, char *string)
 {
 	int error;
 
@@ -208,39 +208,39 @@ mac_internalize_vnode_label(struct label *label, char *string)
 }
 
 void
-mac_update_devfs(struct mount *mp, struct devfs_dirent *de, struct vnode *vp)
+mac_devfs_update(struct mount *mp, struct devfs_dirent *de, struct vnode *vp)
 {
 
-	MAC_PERFORM(update_devfs, mp, de, de->de_label, vp, vp->v_label);
+	MAC_PERFORM(devfs_update, mp, de, de->de_label, vp, vp->v_label);
 }
 
 void
-mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
+mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
     struct vnode *vp)
 {
 
-	MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_label, de,
+	MAC_PERFORM(devfs_vnode_associate, mp, mp->mnt_label, de,
 	    de->de_label, vp, vp->v_label);
 }
 
 int
-mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
+mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_associate_extattr");
 
-	MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_label, vp,
+	MAC_CHECK(vnode_associate_extattr, mp, mp->mnt_label, vp,
 	    vp->v_label);
 
 	return (error);
 }
 
 void
-mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
+mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp)
 {
 
-	MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_label, vp,
+	MAC_PERFORM(vnode_associate_singlelabel, mp, mp->mnt_label, vp,
 	    vp->v_label);
 }
 
@@ -254,13 +254,13 @@ mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
  * printf warning.
  */
 int
-mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
     struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr");
-	ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr");
+	ASSERT_VOP_LOCKED(dvp, "mac_vnode_create_extattr");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_create_extattr");
 
 	error = VOP_OPENEXTATTR(vp, cred, curthread);
 	if (error == EOPNOTSUPP) {
@@ -272,7 +272,7 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
 	} else if (error)
 		return (error);
 
-	MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_label, dvp,
+	MAC_CHECK(vnode_create_extattr, cred, mp, mp->mnt_label, dvp,
 	    dvp->v_label, vp, vp->v_label, cnp);
 
 	if (error) {
@@ -288,12 +288,12 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
 }
 
 static int
-mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
     struct label *intlabel)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_setlabel_extattr");
 
 	error = VOP_OPENEXTATTR(vp, cred, curthread);
 	if (error == EOPNOTSUPP) {
@@ -305,7 +305,7 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
 	} else if (error)
 		return (error);
 
-	MAC_CHECK(setlabel_vnode_extattr, cred, vp, vp->v_label, intlabel);
+	MAC_CHECK(vnode_setlabel_extattr, cred, vp, vp->v_label, intlabel);
 
 	if (error) {
 		VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
@@ -320,487 +320,488 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
 }
 
 void
-mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
-    struct label *interpvnodelabel, struct image_params *imgp)
+mac_vnode_execve_transition(struct ucred *old, struct ucred *new,
+    struct vnode *vp, struct label *interpvnodelabel,
+    struct image_params *imgp)
 {
 
-	ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_transition");
 
-	MAC_PERFORM(execve_transition, old, new, vp, vp->v_label,
+	MAC_PERFORM(vnode_execve_transition, old, new, vp, vp->v_label,
 	    interpvnodelabel, imgp, imgp->execlabel);
 }
 
 int
-mac_execve_will_transition(struct ucred *old, struct vnode *vp,
+mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
     struct label *interpvnodelabel, struct image_params *imgp)
 {
 	int result;
 
-	ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_will_transition");
 
 	result = 0;
-	MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label,
+	MAC_BOOLEAN(vnode_execve_will_transition, ||, old, vp, vp->v_label,
 	    interpvnodelabel, imgp, imgp->execlabel);
 
 	return (result);
 }
 
 int
-mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
+mac_vnode_check_access(struct ucred *cred, struct vnode *vp, int acc_mode)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access");
 
-	MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode);
+	MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, acc_mode);
 	return (error);
 }
 
 int
-mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
+mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
+	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chdir");
 
-	MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label);
+	MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
 	return (error);
 }
 
 int
-mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
+mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
+	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chroot");
 
-	MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label);
+	MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label);
 	return (error);
 }
 
 int
-mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp, struct vattr *vap)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
+	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_create");
 
-	MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap);
+	MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap);
 	return (error);
 }
 
 int
-mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
     acl_type_t type)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteacl");
 
-	MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type);
+	MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
 	return (error);
 }
 
 int
-mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
     int attrnamespace, const char *name)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteextattr");
 
-	MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label,
+	MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label,
 	    attrnamespace, name);
 	return (error);
 }
 
 int
-mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
     struct image_params *imgp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_exec");
 
-	MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp,
+	MAC_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp,
 	    imgp->execlabel);
 
 	return (error);
 }
 
 int
-mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
+mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getacl");
 
-	MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type);
+	MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
 	return (error);
 }
 
 int
-mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
     int attrnamespace, const char *name, struct uio *uio)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getextattr");
 
-	MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label,
+	MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
 	    attrnamespace, name, uio);
 	return (error);
 }
 
 int
-mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
     struct vnode *vp, struct componentname *cnp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
+	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_link");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_link");
 
-	MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp,
+	MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
 	    vp->v_label, cnp);
 	return (error);
 }
 
 int
-mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
     int attrnamespace)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_listextattr");
 
-	MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label,
+	MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label,
 	    attrnamespace);
 	return (error);
 }
 
 int
-mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
+	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup");
 
-	MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp);
+	MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
 	return (error);
 }
 
 int
-mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
     int prot, int flags)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap");
 
-	MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot, flags);
+	MAC_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags);
 	return (error);
 }
 
 void
-mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
+mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
 {
 	int result = *prot;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap_downgrade");
 
-	MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label,
+	MAC_PERFORM(vnode_check_mmap_downgrade, cred, vp, vp->v_label,
 	    &result);
 
 	*prot = result;
 }
 
 int
-mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
+mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mprotect");
 
-	MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot);
+	MAC_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot);
 	return (error);
 }
 
 int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
+mac_vnode_check_open(struct ucred *cred, struct vnode *vp, int acc_mode)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_open");
 
-	MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode);
+	MAC_CHECK(vnode_check_open, cred, vp, vp->v_label, acc_mode);
 	return (error);
 }
 
 int
-mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_poll");
 
-	MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
+	MAC_CHECK(vnode_check_poll, active_cred, file_cred, vp,
 	    vp->v_label);
 
 	return (error);
 }
 
 int
-mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_read");
 
-	MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
+	MAC_CHECK(vnode_check_read, active_cred, file_cred, vp,
 	    vp->v_label);
 
 	return (error);
 }
 
 int
-mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
+mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
+	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_readdir");
 
-	MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label);
+	MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
 	return (error);
 }
 
 int
-mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
+mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_readlink");
 
-	MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label);
+	MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
 	return (error);
 }
 
 static int
-mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
     struct label *newlabel)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_relabel");
 
-	MAC_CHECK(check_vnode_relabel, cred, vp, vp->v_label, newlabel);
+	MAC_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel);
 
 	return (error);
 }
 
 int
-mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
     struct vnode *vp, struct componentname *cnp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
+	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_from");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_from");
 
-	MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp,
+	MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
 	    vp->v_label, cnp);
 	return (error);
 }
 
 int
-mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
     struct vnode *vp, int samedir, struct componentname *cnp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
+	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_to");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_to");
 
-	MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp,
+	MAC_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp,
 	    vp != NULL ? vp->v_label : NULL, samedir, cnp);
 	return (error);
 }
 
 int
-mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
+mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_revoke");
 
-	MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label);
+	MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
 	return (error);
 }
 
 int
-mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
+mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
     struct acl *acl)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setacl");
 
-	MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl);
+	MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl);
 	return (error);
 }
 
 int
-mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
     int attrnamespace, const char *name, struct uio *uio)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setextattr");
 
-	MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label,
+	MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
 	    attrnamespace, name, uio);
 	return (error);
 }
 
 int
-mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
+mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setflags");
 
-	MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags);
+	MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
 	return (error);
 }
 
 int
-mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
+mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setmode");
 
-	MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode);
+	MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
 	return (error);
 }
 
 int
-mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
+mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
     gid_t gid)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setowner");
 
-	MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid);
+	MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
 	return (error);
 }
 
 int
-mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
     struct timespec atime, struct timespec mtime)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setutimes");
 
-	MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime,
+	MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
 	    mtime);
 	return (error);
 }
 
 int
-mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_stat");
 
-	MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
+	MAC_CHECK(vnode_check_stat, active_cred, file_cred, vp,
 	    vp->v_label);
 	return (error);
 }
 
 int
-mac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
+mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
     struct componentname *cnp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_unlink");
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_unlink");
+	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_unlink");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_unlink");
 
-	MAC_CHECK(check_vnode_unlink, cred, dvp, dvp->v_label, vp,
+	MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
 	    vp->v_label, cnp);
 	return (error);
 }
 
 int
-mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp)
 {
 	int error;
 
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_write");
 
-	MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
+	MAC_CHECK(vnode_check_write, active_cred, file_cred, vp,
 	    vp->v_label);
 
 	return (error);
 }
 
 void
-mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
+mac_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel)
 {
 
-	MAC_PERFORM(relabel_vnode, cred, vp, vp->v_label, newlabel);
+	MAC_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel);
 }
 
 void
-mac_create_mount(struct ucred *cred, struct mount *mp)
+mac_mount_create(struct ucred *cred, struct mount *mp)
 {
 
-	MAC_PERFORM(create_mount, cred, mp, mp->mnt_label);
+	MAC_PERFORM(mount_create, cred, mp, mp->mnt_label);
 }
 
 int
-mac_check_mount_stat(struct ucred *cred, struct mount *mount)
+mac_mount_check_stat(struct ucred *cred, struct mount *mount)
 {
 	int error;
 
-	MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_label);
+	MAC_CHECK(mount_check_stat, cred, mount, mount->mnt_label);
 
 	return (error);
 }
 
 void
-mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+mac_devfs_create_device(struct ucred *cred, struct mount *mp,
     struct cdev *dev, struct devfs_dirent *de)
 {
 
-	MAC_PERFORM(create_devfs_device, cred, mp, dev, de, de->de_label);
+	MAC_PERFORM(devfs_create_device, cred, mp, dev, de, de->de_label);
 }
 
 void
-mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
     struct devfs_dirent *dd, struct devfs_dirent *de)
 {
 
-	MAC_PERFORM(create_devfs_symlink, cred, mp, dd, dd->de_label, de,
+	MAC_PERFORM(devfs_create_symlink, cred, mp, dd, dd->de_label, de,
 	    de->de_label);
 }
 
 void
-mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
+mac_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
     struct devfs_dirent *de)
 {
 
-	MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de,
+	MAC_PERFORM(devfs_create_directory, mp, dirname, dirnamelen, de,
 	    de->de_label);
 }
 
@@ -821,11 +822,11 @@ vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
 	if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
 		return (EOPNOTSUPP);
 
-	error = mac_setlabel_vnode_extattr(ap->a_cred, vp, intlabel);
+	error = mac_vnode_setlabel_extattr(ap->a_cred, vp, intlabel);
 	if (error)
 		return (error);
 
-	mac_relabel_vnode(ap->a_cred, vp, intlabel);
+	mac_vnode_relabel(ap->a_cred, vp, intlabel);
 
 	return (0);
 }
@@ -853,7 +854,7 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
 	 * Question: maybe the filesystem should update the vnode at the end
 	 * as part of VOP_SETLABEL()?
 	 */
-	error = mac_check_vnode_relabel(cred, vp, intlabel);
+	error = mac_vnode_check_relabel(cred, vp, intlabel);
 	if (error)
 		return (error);
 

sys/security/mac_bsdextended/mac_bsdextended.c

@@ -2,6 +2,7 @@
  * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005 Tom Rhodes
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -12,6 +13,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -440,7 +444,7 @@ mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
 }
 
 static int
-mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_system_check_acct(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
@@ -448,7 +452,7 @@ mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_system_check_auditctl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
@@ -456,7 +460,7 @@ mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_system_check_swapoff(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
@@ -464,7 +468,7 @@ mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_system_check_swapon(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
@@ -472,7 +476,7 @@ mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_access(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int acc_mode)
 {
 
@@ -480,7 +484,7 @@ mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 
@@ -488,7 +492,7 @@ mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
 }
 
 static int
-mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 
@@ -504,7 +508,7 @@ mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
 }
 
 static int
-mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 
@@ -512,7 +516,7 @@ mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred,
+mac_bsdextended_vnode_check_deleteextattr(struct ucred *cred,
     struct vnode *vp, struct label *vplabel, int attrnamespace,
     const char *name)
 {
@@ -521,7 +525,7 @@ mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred,
 }
 
 static int
-mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_exec(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct image_params *imgp,
     struct label *execlabel)
 {
@@ -530,7 +534,7 @@ mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 
@@ -538,7 +542,7 @@ mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name,
     struct uio *uio)
 {
@@ -547,7 +551,7 @@ mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_link(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *label,
     struct componentname *cnp)
 {
@@ -563,7 +567,7 @@ mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 }
 
 static int
-mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace)
 {
 
@@ -571,7 +575,7 @@ mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp)
 {
 
@@ -579,7 +583,7 @@ mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
 }
 
 static int
-mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_open(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int acc_mode)
 {
 
@@ -587,7 +591,7 @@ mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel)
 {
 
@@ -595,7 +599,7 @@ mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
 }
 
 static int
-mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_readdlink(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
@@ -603,7 +607,7 @@ mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
@@ -616,7 +620,7 @@ mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
 }
 
 static int
-mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     int samedir, struct componentname *cnp)
 {
@@ -631,7 +635,7 @@ mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
 }
 
 static int
-mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 
@@ -647,7 +651,7 @@ mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name,
     struct uio *uio)
 {
@@ -656,7 +660,7 @@ mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, u_long flags)
 {
 
@@ -664,7 +668,7 @@ mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, mode_t mode)
 {
 
@@ -672,7 +676,7 @@ mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, uid_t uid, gid_t gid)
 {
 
@@ -680,7 +684,7 @@ mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct timespec atime, struct timespec utime)
 {
 
@@ -688,7 +692,7 @@ mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
+mac_bsdextended_vnode_check_stat(struct ucred *active_cred,
     struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
 {
 
@@ -696,7 +700,7 @@ mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
 }
 
 static int
-mac_bsdextended_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
@@ -712,36 +716,36 @@ static struct mac_policy_ops mac_bsdextended_ops =
 {
 	.mpo_destroy = mac_bsdextended_destroy,
 	.mpo_init = mac_bsdextended_init,
-	.mpo_check_system_acct = mac_bsdextended_check_system_acct,
-	.mpo_check_system_auditctl = mac_bsdextended_check_system_auditctl,
-	.mpo_check_system_swapoff = mac_bsdextended_check_system_swapoff,
-	.mpo_check_system_swapon = mac_bsdextended_check_system_swapon,
-	.mpo_check_vnode_access = mac_bsdextended_check_vnode_access,
-	.mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir,
-	.mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot,
-	.mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
-	.mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
-	.mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr,
-	.mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
-	.mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl,
-	.mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr,
-	.mpo_check_vnode_link = mac_bsdextended_check_vnode_link,
-	.mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr,
-	.mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup,
-	.mpo_check_vnode_open = mac_bsdextended_check_vnode_open,
-	.mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir,
-	.mpo_check_vnode_readlink = mac_bsdextended_check_vnode_readdlink,
-	.mpo_check_vnode_rename_from = mac_bsdextended_check_vnode_rename_from,
-	.mpo_check_vnode_rename_to = mac_bsdextended_check_vnode_rename_to,
-	.mpo_check_vnode_revoke = mac_bsdextended_check_vnode_revoke,
-	.mpo_check_vnode_setacl = mac_bsdextended_check_setacl_vnode,
-	.mpo_check_vnode_setextattr = mac_bsdextended_check_vnode_setextattr,
-	.mpo_check_vnode_setflags = mac_bsdextended_check_vnode_setflags,
-	.mpo_check_vnode_setmode = mac_bsdextended_check_vnode_setmode,
-	.mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner,
-	.mpo_check_vnode_setutimes = mac_bsdextended_check_vnode_setutimes,
-	.mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat,
-	.mpo_check_vnode_unlink = mac_bsdextended_check_vnode_unlink,
+	.mpo_system_check_acct = mac_bsdextended_system_check_acct,
+	.mpo_system_check_auditctl = mac_bsdextended_system_check_auditctl,
+	.mpo_system_check_swapoff = mac_bsdextended_system_check_swapoff,
+	.mpo_system_check_swapon = mac_bsdextended_system_check_swapon,
+	.mpo_vnode_check_access = mac_bsdextended_vnode_check_access,
+	.mpo_vnode_check_chdir = mac_bsdextended_vnode_check_chdir,
+	.mpo_vnode_check_chroot = mac_bsdextended_vnode_check_chroot,
+	.mpo_vnode_check_create = mac_bsdextended_check_create_vnode,
+	.mpo_vnode_check_deleteacl = mac_bsdextended_vnode_check_deleteacl,
+	.mpo_vnode_check_deleteextattr = mac_bsdextended_vnode_check_deleteextattr,
+	.mpo_vnode_check_exec = mac_bsdextended_vnode_check_exec,
+	.mpo_vnode_check_getacl = mac_bsdextended_vnode_check_getacl,
+	.mpo_vnode_check_getextattr = mac_bsdextended_vnode_check_getextattr,
+	.mpo_vnode_check_link = mac_bsdextended_vnode_check_link,
+	.mpo_vnode_check_listextattr = mac_bsdextended_vnode_check_listextattr,
+	.mpo_vnode_check_lookup = mac_bsdextended_vnode_check_lookup,
+	.mpo_vnode_check_open = mac_bsdextended_vnode_check_open,
+	.mpo_vnode_check_readdir = mac_bsdextended_vnode_check_readdir,
+	.mpo_vnode_check_readlink = mac_bsdextended_vnode_check_readdlink,
+	.mpo_vnode_check_rename_from = mac_bsdextended_vnode_check_rename_from,
+	.mpo_vnode_check_rename_to = mac_bsdextended_vnode_check_rename_to,
+	.mpo_vnode_check_revoke = mac_bsdextended_vnode_check_revoke,
+	.mpo_vnode_check_setacl = mac_bsdextended_check_setacl_vnode,
+	.mpo_vnode_check_setextattr = mac_bsdextended_vnode_check_setextattr,
+	.mpo_vnode_check_setflags = mac_bsdextended_vnode_check_setflags,
+	.mpo_vnode_check_setmode = mac_bsdextended_vnode_check_setmode,
+	.mpo_vnode_check_setowner = mac_bsdextended_vnode_check_setowner,
+	.mpo_vnode_check_setutimes = mac_bsdextended_vnode_check_setutimes,
+	.mpo_vnode_check_stat = mac_bsdextended_vnode_check_stat,
+	.mpo_vnode_check_unlink = mac_bsdextended_vnode_check_unlink,
 };
 
 MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended,

sys/security/mac_ifoff/mac_ifoff.c

@@ -1,6 +1,7 @@
 /*-
  * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001-2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -79,7 +83,7 @@ SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW,
 TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled);
 
 static int
-check_ifnet_outgoing(struct ifnet *ifp)
+ifnet_check_outgoing(struct ifnet *ifp)
 {
 
 	if (!mac_ifoff_enabled)
@@ -95,7 +99,7 @@ check_ifnet_outgoing(struct ifnet *ifp)
 }
 
 static int
-check_ifnet_incoming(struct ifnet *ifp, int viabpf)
+ifnet_check_incoming(struct ifnet *ifp, int viabpf)
 {
 	if (!mac_ifoff_enabled)
 		return (0);
@@ -113,51 +117,51 @@ check_ifnet_incoming(struct ifnet *ifp, int viabpf)
 }
 
 static int
-mac_ifoff_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+mac_ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
     struct ifnet *ifp, struct label *ifplabel)
 {
 
-	return (check_ifnet_incoming(ifp, 1));
+	return (ifnet_check_incoming(ifp, 1));
 }
 
 static int
-mac_ifoff_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+mac_ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
-	return (check_ifnet_outgoing(ifp));
+	return (ifnet_check_outgoing(ifp));
 }
 
 static int
-mac_ifoff_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	M_ASSERTPKTHDR(m);
 	if (m->m_pkthdr.rcvif != NULL)
-		return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0));
+		return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0));
 
 	return (0);
 }
 
 static int
-mac_ifoff_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_ifoff_socket_check_deliver(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 
 	M_ASSERTPKTHDR(m);
 	if (m->m_pkthdr.rcvif != NULL)
-		return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0));
+		return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0));
 
 	return (0);
 }
 
 static struct mac_policy_ops mac_ifoff_ops =
 {
-	.mpo_check_bpfdesc_receive = mac_ifoff_check_bpfdesc_receive,
-	.mpo_check_ifnet_transmit = mac_ifoff_check_ifnet_transmit,
-	.mpo_check_inpcb_deliver = mac_ifoff_check_inpcb_deliver,
-	.mpo_check_socket_deliver = mac_ifoff_check_socket_deliver,
+	.mpo_bpfdesc_check_receive = mac_ifoff_bpfdesc_check_receive,
+	.mpo_ifnet_check_transmit = mac_ifoff_ifnet_check_transmit,
+	.mpo_inpcb_check_deliver = mac_ifoff_inpcb_check_deliver,
+	.mpo_socket_check_deliver = mac_ifoff_socket_check_deliver,
 };
 
 MAC_POLICY_SET(&mac_ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff",

sys/security/mac_lomac/mac_lomac.c

@@ -1,6 +1,7 @@
 /*-
  * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
  * CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -631,7 +635,7 @@ mac_lomac_init_label_waitcheck(struct label *label, int flag)
 }
 
 static void
-mac_lomac_init_proc_label(struct label *label)
+mac_lomac_proc_init_label(struct label *label)
 {
 
 	PSLOT_SET(label, malloc(sizeof(struct mac_lomac_proc), M_MACLOMAC,
@@ -648,7 +652,7 @@ mac_lomac_destroy_label(struct label *label)
 }
 
 static void
-mac_lomac_destroy_proc_label(struct label *label)
+mac_lomac_proc_destroy_label(struct label *label)
 {
 
 	mtx_destroy(&PSLOT(label)->mtx);
@@ -901,7 +905,7 @@ mac_lomac_copy_label(struct label *src, struct label *dest)
  * a lot like file system objects.
  */
 static void
-mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
+mac_lomac_devfs_create_device(struct ucred *cred, struct mount *mp,
     struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
 {
 	struct mac_lomac *mac_lomac;
@@ -924,7 +928,7 @@ mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
 }
 
 static void
-mac_lomac_create_devfs_directory(struct mount *mp, char *dirname,
+mac_lomac_devfs_create_directory(struct mount *mp, char *dirname,
     int dirnamelen, struct devfs_dirent *de, struct label *delabel)
 {
 	struct mac_lomac *mac_lomac;
@@ -934,7 +938,7 @@ mac_lomac_create_devfs_directory(struct mount *mp, char *dirname,
 }
 
 static void
-mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+mac_lomac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
     struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
     struct label *delabel)
 {
@@ -947,7 +951,7 @@ mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
 }
 
 static void
-mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
+mac_lomac_mount_create(struct ucred *cred, struct mount *mp,
     struct label *mplabel)
 {
 	struct mac_lomac *source, *dest;
@@ -958,7 +962,7 @@ mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
 }
 
 static void
-mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_relabel(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *newlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -970,7 +974,7 @@ mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
 }
 
 static void
-mac_lomac_update_devfs(struct mount *mp, struct devfs_dirent *de,
+mac_lomac_devfs_update(struct mount *mp, struct devfs_dirent *de,
     struct label *delabel, struct vnode *vp, struct label *vplabel)
 {
 	struct mac_lomac *source, *dest;
@@ -982,7 +986,7 @@ mac_lomac_update_devfs(struct mount *mp, struct devfs_dirent *de,
 }
 
 static void
-mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
+mac_lomac_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
     struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
     struct label *vplabel)
 {
@@ -995,7 +999,7 @@ mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
 }
 
 static int
-mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+mac_lomac_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_lomac temp, *source, *dest;
@@ -1018,7 +1022,7 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
 
 	if (buflen != sizeof(temp)) {
 		if (buflen != sizeof(temp) - sizeof(temp.ml_auxsingle)) {
-			printf("mac_lomac_associate_vnode_extattr: bad size %d\n",
+			printf("mac_lomac_vnode_associate_extattr: bad size %d\n",
 			    buflen);
 			return (EPERM);
 		}
@@ -1029,11 +1033,11 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
 		    buflen, (char *)&temp, curthread);
 	}
 	if (mac_lomac_valid(&temp) != 0) {
-		printf("mac_lomac_associate_vnode_extattr: invalid\n");
+		printf("mac_lomac_vnode_associate_extattr: invalid\n");
 		return (EPERM);
 	}
 	if ((temp.ml_flags & MAC_LOMAC_FLAGS_BOTH) != MAC_LOMAC_FLAG_SINGLE) {
-		printf("mac_lomac_associate_vnode_extattr: not single\n");
+		printf("mac_lomac_vnode_associate_extattr: not single\n");
 		return (EPERM);
 	}
 
@@ -1042,7 +1046,7 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
 }
 
 static void
-mac_lomac_associate_vnode_singlelabel(struct mount *mp,
+mac_lomac_vnode_associate_singlelabel(struct mount *mp,
     struct label *mplabel, struct vnode *vp, struct label *vplabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1054,7 +1058,7 @@ mac_lomac_associate_vnode_singlelabel(struct mount *mp,
 }
 
 static int
-mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_lomac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
     struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
     struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
@@ -1084,7 +1088,7 @@ mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
 }
 
 static int
-mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *intlabel)
 {
 	struct mac_lomac *source, temp;
@@ -1108,7 +1112,7 @@ mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
  * Labeling event operations: IPC object.
  */
 static void
-mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+mac_lomac_inpcb_create(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1120,7 +1124,7 @@ mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel,
 }
 
 static void
-mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+mac_lomac_socket_create_mbuf(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1132,7 +1136,7 @@ mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *solabel,
 }
 
 static void
-mac_lomac_create_socket(struct ucred *cred, struct socket *so,
+mac_lomac_socket_create(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1144,7 +1148,7 @@ mac_lomac_create_socket(struct ucred *cred, struct socket *so,
 }
 
 static void
-mac_lomac_create_pipe(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_create(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1156,8 +1160,8 @@ mac_lomac_create_pipe(struct ucred *cred, struct pipepair *pp,
 }
 
 static void
-mac_lomac_create_socket_from_socket(struct socket *oldso,
-    struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
+mac_lomac_socket_newconn(struct socket *oldso, struct label *oldsolabel,
+    struct socket *newso, struct label *newsolabel)
 {
 	struct mac_lomac *source, *dest;
 
@@ -1168,7 +1172,7 @@ mac_lomac_create_socket_from_socket(struct socket *oldso,
 }
 
 static void
-mac_lomac_relabel_socket(struct ucred *cred, struct socket *so,
+mac_lomac_socket_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1180,7 +1184,7 @@ mac_lomac_relabel_socket(struct ucred *cred, struct socket *so,
 }
 
 static void
-mac_lomac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, struct label *newlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1192,7 +1196,7 @@ mac_lomac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
 }
 
 static void
-mac_lomac_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+mac_lomac_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
     struct socket *so, struct label *sopeerlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1207,7 +1211,7 @@ mac_lomac_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
  * Labeling event operations: network objects.
  */
 static void
-mac_lomac_set_socket_peer_from_socket(struct socket *oldso,
+mac_lomac_socketpeer_set_from_socket(struct socket *oldso,
     struct label *oldsolabel, struct socket *newso,
     struct label *newsopeerlabel)
 {
@@ -1220,7 +1224,7 @@ mac_lomac_set_socket_peer_from_socket(struct socket *oldso,
 }
 
 static void
-mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+mac_lomac_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
     struct label *dlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1232,7 +1236,7 @@ mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
 }
 
 static void
-mac_lomac_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
+mac_lomac_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 {
 	char tifname[IFNAMSIZ], *p, *q;
 	char tiflist[sizeof(trusted_interfaces)];
@@ -1290,7 +1294,7 @@ set:
 }
 
 static void
-mac_lomac_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_lomac_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
     struct label *ipqlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1302,7 +1306,7 @@ mac_lomac_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
 }
 
 static void
-mac_lomac_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+mac_lomac_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1315,7 +1319,7 @@ mac_lomac_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
 }
 
 static void
-mac_lomac_create_fragment(struct mbuf *m, struct label *mlabel,
+mac_lomac_netinet_fragment(struct mbuf *m, struct label *mlabel,
     struct mbuf *frag, struct label *fraglabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1327,7 +1331,7 @@ mac_lomac_create_fragment(struct mbuf *m, struct label *mlabel,
 }
 
 static void
-mac_lomac_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+mac_lomac_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1350,7 +1354,7 @@ mac_lomac_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
 }
 
 static void
-mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+mac_lomac_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1362,7 +1366,7 @@ mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
 }
 
 static void
-mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+mac_lomac_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1374,7 +1378,7 @@ mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
 }
 
 static void
-mac_lomac_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+mac_lomac_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
     struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
     struct label *mnewlabel)
 {
@@ -1387,7 +1391,7 @@ mac_lomac_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
 }
 
 static void
-mac_lomac_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+mac_lomac_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
     struct mbuf *mnew, struct label *mnewlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1399,8 +1403,8 @@ mac_lomac_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
 }
 
 static int
-mac_lomac_fragment_match(struct mbuf *m, struct label *mlabel,
-    struct ipq *ipq, struct label *ipqlabel)
+mac_lomac_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+    struct label *ipqlabel)
 {
 	struct mac_lomac *a, *b;
 
@@ -1411,7 +1415,7 @@ mac_lomac_fragment_match(struct mbuf *m, struct label *mlabel,
 }
 
 static void
-mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+mac_lomac_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
     struct label *ifplabel, struct label *newlabel)
 {
 	struct mac_lomac *source, *dest;
@@ -1423,7 +1427,7 @@ mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
 }
 
 static void
-mac_lomac_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_lomac_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
     struct label *ipqlabel)
 {
 
@@ -1464,7 +1468,7 @@ mac_lomac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
 }
 
 static void
-mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
+mac_lomac_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *dest;
 
@@ -1478,7 +1482,7 @@ mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
  * Labeling event operations: processes.
  */
 static void
-mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
+mac_lomac_vnode_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel,
     struct image_params *imgp, struct label *execlabel)
 {
@@ -1514,7 +1518,7 @@ mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
 }
 
 static int
-mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
+mac_lomac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
     struct label *vplabel, struct label *interpvnodelabel,
     struct image_params *imgp, struct label *execlabel)
 {
@@ -1534,7 +1538,7 @@ mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
 }
 
 static void
-mac_lomac_create_proc0(struct ucred *cred)
+mac_lomac_proc_create_swapper(struct ucred *cred)
 {
 	struct mac_lomac *dest;
 
@@ -1546,7 +1550,7 @@ mac_lomac_create_proc0(struct ucred *cred)
 }
 
 static void
-mac_lomac_create_proc1(struct ucred *cred)
+mac_lomac_proc_create_init(struct ucred *cred)
 {
 	struct mac_lomac *dest;
 
@@ -1558,7 +1562,7 @@ mac_lomac_create_proc1(struct ucred *cred)
 }
 
 static void
-mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_lomac_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct mac_lomac *source, *dest;
 
@@ -1572,7 +1576,7 @@ mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel)
  * Access control checks.
  */
 static int
-mac_lomac_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+mac_lomac_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
     struct ifnet *ifp, struct label *ifplabel)
 {
 	struct mac_lomac *a, *b;
@@ -1589,7 +1593,7 @@ mac_lomac_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
 }
 
 static int
-mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_lomac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct mac_lomac *subj, *new;
 	int error;
@@ -1655,7 +1659,7 @@ mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 }
 
 static int
-mac_lomac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_lomac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 {
 	struct mac_lomac *subj, *obj;
 
@@ -1673,7 +1677,7 @@ mac_lomac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
 }
 
 static int
-mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+mac_lomac_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
     struct label *ifplabel, struct label *newlabel)
 {
 	struct mac_lomac *subj, *new;
@@ -1730,7 +1734,7 @@ mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
 }
 
 static int
-mac_lomac_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+mac_lomac_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *p, *i;
@@ -1745,7 +1749,7 @@ mac_lomac_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
 }
 
 static int
-mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_lomac_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *p, *i;
@@ -1760,7 +1764,7 @@ mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
 }
 
 static int
-mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
+mac_lomac_kld_check_load(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
@@ -1781,7 +1785,7 @@ mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
 {
 
@@ -1794,7 +1798,7 @@ mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
 }
 
 static int
-mac_lomac_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_check_read(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_lomac *subj, *obj;
@@ -1812,7 +1816,7 @@ mac_lomac_check_pipe_read(struct ucred *cred, struct pipepair *pp,
 }
 
 static int
-mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel, struct label *newlabel)
 {
 	struct mac_lomac *subj, *obj, *new;
@@ -1863,7 +1867,7 @@ mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
 }
 
 static int
-mac_lomac_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_check_write(struct ucred *cred, struct pipepair *pp,
     struct label *pplabel)
 {
 	struct mac_lomac *subj, *obj;
@@ -1881,7 +1885,7 @@ mac_lomac_check_pipe_write(struct ucred *cred, struct pipepair *pp,
 }
 
 static int
-mac_lomac_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_lomac_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	struct mac_lomac *subj, *obj;
 
@@ -1901,7 +1905,7 @@ mac_lomac_check_proc_debug(struct ucred *cred, struct proc *p)
 }
 
 static int
-mac_lomac_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_lomac_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 	struct mac_lomac *subj, *obj;
 
@@ -1921,7 +1925,7 @@ mac_lomac_check_proc_sched(struct ucred *cred, struct proc *p)
 }
 
 static int
-mac_lomac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_lomac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 {
 	struct mac_lomac *subj, *obj;
 
@@ -1941,7 +1945,7 @@ mac_lomac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
 }
 
 static int
-mac_lomac_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_lomac_socket_check_deliver(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *p, *s;
@@ -1956,7 +1960,7 @@ mac_lomac_check_socket_deliver(struct socket *so, struct label *solabel,
 }
 
 static int
-mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_lomac_socket_check_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
 {
 	struct mac_lomac *subj, *obj, *new;
@@ -2007,7 +2011,7 @@ mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *so,
 }
 
 static int
-mac_lomac_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_lomac_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 	struct mac_lomac *subj, *obj;
@@ -2215,7 +2219,7 @@ mac_lomac_priv_check(struct ucred *cred, int priv)
 
 
 static int
-mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_lomac_system_check_acct(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
@@ -2236,7 +2240,7 @@ mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_lomac_system_check_auditctl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
@@ -2257,7 +2261,7 @@ mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_lomac_system_check_swapoff(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *subj;
@@ -2274,7 +2278,7 @@ mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_lomac_system_check_swapon(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
@@ -2295,7 +2299,7 @@ mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+mac_lomac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
     void *arg1, int arg2, struct sysctl_req *req)
 {
 	struct mac_lomac *subj;
@@ -2323,7 +2327,7 @@ mac_lomac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
 }
 
 static int
-mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
 {
 	struct mac_lomac *subj, *obj;
@@ -2344,7 +2348,7 @@ mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
 }
 
 static int
-mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type)
 {
 	struct mac_lomac *subj, *obj;
@@ -2362,7 +2366,7 @@ mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
@@ -2386,7 +2390,7 @@ mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 }
 
 static int
-mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int prot, int flags)
 {
 	struct mac_lomac *subj, *obj;
@@ -2414,7 +2418,7 @@ mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
 }
 
 static void
-mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, /* XXX vm_prot_t */ int *prot)
 {
 	struct mac_lomac *subj, *obj;
@@ -2434,7 +2438,7 @@ mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_open(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int acc_mode)
 {
 	struct mac_lomac *subj, *obj;
@@ -2455,7 +2459,7 @@ mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_lomac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp, struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
@@ -2473,7 +2477,7 @@ mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
 }
 
 static int
-mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct label *newlabel)
 {
 	struct mac_lomac *old, *new, *subj;
@@ -2549,7 +2553,7 @@ mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
@@ -2573,7 +2577,7 @@ mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
 }
 
 static int
-mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     int samedir, struct componentname *cnp)
 {
@@ -2599,7 +2603,7 @@ mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
 }
 
 static int
-mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
@@ -2617,7 +2621,7 @@ mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, acl_type_t type, struct acl *acl)
 {
 	struct mac_lomac *subj, *obj;
@@ -2635,7 +2639,7 @@ mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, int attrnamespace, const char *name,
     struct uio *uio)
 {
@@ -2656,7 +2660,7 @@ mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, u_long flags)
 {
 	struct mac_lomac *subj, *obj;
@@ -2674,7 +2678,7 @@ mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, mode_t mode)
 {
 	struct mac_lomac *subj, *obj;
@@ -2692,7 +2696,7 @@ mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, uid_t uid, gid_t gid)
 {
 	struct mac_lomac *subj, *obj;
@@ -2710,7 +2714,7 @@ mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct timespec atime, struct timespec mtime)
 {
 	struct mac_lomac *subj, *obj;
@@ -2728,7 +2732,7 @@ mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
     struct label *dvplabel, struct vnode *vp, struct label *vplabel,
     struct componentname *cnp)
 {
@@ -2752,7 +2756,7 @@ mac_lomac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
 }
 
 static int
-mac_lomac_check_vnode_write(struct ucred *active_cred,
+mac_lomac_vnode_check_write(struct ucred *active_cred,
     struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
 {
 	struct mac_lomac *subj, *obj;
@@ -2818,140 +2822,141 @@ mac_lomac_thread_userret(struct thread *td)
 static struct mac_policy_ops mac_lomac_ops =
 {
 	.mpo_init = mac_lomac_init,
-	.mpo_init_bpfdesc_label = mac_lomac_init_label,
-	.mpo_init_cred_label = mac_lomac_init_label,
-	.mpo_init_devfs_label = mac_lomac_init_label,
-	.mpo_init_ifnet_label = mac_lomac_init_label,
+	.mpo_bpfdesc_init_label = mac_lomac_init_label,
+	.mpo_cred_init_label = mac_lomac_init_label,
+	.mpo_devfs_init_label = mac_lomac_init_label,
+	.mpo_ifnet_init_label = mac_lomac_init_label,
 	.mpo_init_syncache_label = mac_lomac_init_label_waitcheck,
-	.mpo_init_inpcb_label = mac_lomac_init_label_waitcheck,
-	.mpo_init_ipq_label = mac_lomac_init_label_waitcheck,
-	.mpo_init_mbuf_label = mac_lomac_init_label_waitcheck,
-	.mpo_init_mount_label = mac_lomac_init_label,
-	.mpo_init_pipe_label = mac_lomac_init_label,
-	.mpo_init_proc_label = mac_lomac_init_proc_label,
-	.mpo_init_socket_label = mac_lomac_init_label_waitcheck,
-	.mpo_init_socket_peer_label = mac_lomac_init_label_waitcheck,
-	.mpo_init_vnode_label = mac_lomac_init_label,
+	.mpo_inpcb_init_label = mac_lomac_init_label_waitcheck,
+	.mpo_ipq_init_label = mac_lomac_init_label_waitcheck,
+	.mpo_mbuf_init_label = mac_lomac_init_label_waitcheck,
+	.mpo_mount_init_label = mac_lomac_init_label,
+	.mpo_pipe_init_label = mac_lomac_init_label,
+	.mpo_proc_init_label = mac_lomac_proc_init_label,
+	.mpo_socket_init_label = mac_lomac_init_label_waitcheck,
+	.mpo_socketpeer_init_label = mac_lomac_init_label_waitcheck,
+	.mpo_vnode_init_label = mac_lomac_init_label,
 	.mpo_init_syncache_from_inpcb = mac_lomac_init_syncache_from_inpcb,
-	.mpo_destroy_bpfdesc_label = mac_lomac_destroy_label,
-	.mpo_destroy_cred_label = mac_lomac_destroy_label,
-	.mpo_destroy_devfs_label = mac_lomac_destroy_label,
-	.mpo_destroy_ifnet_label = mac_lomac_destroy_label,
-	.mpo_destroy_inpcb_label = mac_lomac_destroy_label,
-	.mpo_destroy_ipq_label = mac_lomac_destroy_label,
-	.mpo_destroy_mbuf_label = mac_lomac_destroy_label,
-	.mpo_destroy_mount_label = mac_lomac_destroy_label,
-	.mpo_destroy_pipe_label = mac_lomac_destroy_label,
-	.mpo_destroy_proc_label = mac_lomac_destroy_proc_label,
+	.mpo_bpfdesc_destroy_label = mac_lomac_destroy_label,
+	.mpo_cred_destroy_label = mac_lomac_destroy_label,
+	.mpo_devfs_destroy_label = mac_lomac_destroy_label,
+	.mpo_ifnet_destroy_label = mac_lomac_destroy_label,
+	.mpo_inpcb_destroy_label = mac_lomac_destroy_label,
+	.mpo_ipq_destroy_label = mac_lomac_destroy_label,
+	.mpo_mbuf_destroy_label = mac_lomac_destroy_label,
+	.mpo_mount_destroy_label = mac_lomac_destroy_label,
+	.mpo_pipe_destroy_label = mac_lomac_destroy_label,
+	.mpo_proc_destroy_label = mac_lomac_proc_destroy_label,
 	.mpo_destroy_syncache_label = mac_lomac_destroy_label,
-	.mpo_destroy_socket_label = mac_lomac_destroy_label,
-	.mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
-	.mpo_destroy_vnode_label = mac_lomac_destroy_label,
-	.mpo_copy_cred_label = mac_lomac_copy_label,
-	.mpo_copy_ifnet_label = mac_lomac_copy_label,
-	.mpo_copy_mbuf_label = mac_lomac_copy_label,
-	.mpo_copy_pipe_label = mac_lomac_copy_label,
-	.mpo_copy_socket_label = mac_lomac_copy_label,
-	.mpo_copy_vnode_label = mac_lomac_copy_label,
-	.mpo_externalize_cred_label = mac_lomac_externalize_label,
-	.mpo_externalize_ifnet_label = mac_lomac_externalize_label,
-	.mpo_externalize_pipe_label = mac_lomac_externalize_label,
-	.mpo_externalize_socket_label = mac_lomac_externalize_label,
-	.mpo_externalize_socket_peer_label = mac_lomac_externalize_label,
-	.mpo_externalize_vnode_label = mac_lomac_externalize_label,
-	.mpo_internalize_cred_label = mac_lomac_internalize_label,
-	.mpo_internalize_ifnet_label = mac_lomac_internalize_label,
-	.mpo_internalize_pipe_label = mac_lomac_internalize_label,
-	.mpo_internalize_socket_label = mac_lomac_internalize_label,
-	.mpo_internalize_vnode_label = mac_lomac_internalize_label,
-	.mpo_create_devfs_device = mac_lomac_create_devfs_device,
-	.mpo_create_devfs_directory = mac_lomac_create_devfs_directory,
-	.mpo_create_devfs_symlink = mac_lomac_create_devfs_symlink,
-	.mpo_create_mount = mac_lomac_create_mount,
-	.mpo_relabel_vnode = mac_lomac_relabel_vnode,
-	.mpo_update_devfs = mac_lomac_update_devfs,
-	.mpo_associate_vnode_devfs = mac_lomac_associate_vnode_devfs,
-	.mpo_associate_vnode_extattr = mac_lomac_associate_vnode_extattr,
-	.mpo_associate_vnode_singlelabel =
-	    mac_lomac_associate_vnode_singlelabel,
-	.mpo_create_vnode_extattr = mac_lomac_create_vnode_extattr,
-	.mpo_setlabel_vnode_extattr = mac_lomac_setlabel_vnode_extattr,
-	.mpo_create_mbuf_from_socket = mac_lomac_create_mbuf_from_socket,
+	.mpo_socket_destroy_label = mac_lomac_destroy_label,
+	.mpo_socketpeer_destroy_label = mac_lomac_destroy_label,
+	.mpo_vnode_destroy_label = mac_lomac_destroy_label,
+	.mpo_cred_copy_label = mac_lomac_copy_label,
+	.mpo_ifnet_copy_label = mac_lomac_copy_label,
+	.mpo_mbuf_copy_label = mac_lomac_copy_label,
+	.mpo_pipe_copy_label = mac_lomac_copy_label,
+	.mpo_socket_copy_label = mac_lomac_copy_label,
+	.mpo_vnode_copy_label = mac_lomac_copy_label,
+	.mpo_cred_externalize_label = mac_lomac_externalize_label,
+	.mpo_ifnet_externalize_label = mac_lomac_externalize_label,
+	.mpo_pipe_externalize_label = mac_lomac_externalize_label,
+	.mpo_socket_externalize_label = mac_lomac_externalize_label,
+	.mpo_socketpeer_externalize_label = mac_lomac_externalize_label,
+	.mpo_vnode_externalize_label = mac_lomac_externalize_label,
+	.mpo_cred_internalize_label = mac_lomac_internalize_label,
+	.mpo_ifnet_internalize_label = mac_lomac_internalize_label,
+	.mpo_pipe_internalize_label = mac_lomac_internalize_label,
+	.mpo_socket_internalize_label = mac_lomac_internalize_label,
+	.mpo_vnode_internalize_label = mac_lomac_internalize_label,
+	.mpo_devfs_create_device = mac_lomac_devfs_create_device,
+	.mpo_devfs_create_directory = mac_lomac_devfs_create_directory,
+	.mpo_devfs_create_symlink = mac_lomac_devfs_create_symlink,
+	.mpo_mount_create = mac_lomac_mount_create,
+	.mpo_vnode_relabel = mac_lomac_vnode_relabel,
+	.mpo_devfs_update = mac_lomac_devfs_update,
+	.mpo_devfs_vnode_associate = mac_lomac_devfs_vnode_associate,
+	.mpo_vnode_associate_extattr = mac_lomac_vnode_associate_extattr,
+	.mpo_vnode_associate_singlelabel =
+	    mac_lomac_vnode_associate_singlelabel,
+	.mpo_vnode_create_extattr = mac_lomac_vnode_create_extattr,
+	.mpo_vnode_setlabel_extattr = mac_lomac_vnode_setlabel_extattr,
+	.mpo_socket_create_mbuf = mac_lomac_socket_create_mbuf,
 	.mpo_create_mbuf_from_syncache = mac_lomac_create_mbuf_from_syncache,
-	.mpo_create_pipe = mac_lomac_create_pipe,
-	.mpo_create_socket = mac_lomac_create_socket,
-	.mpo_create_socket_from_socket = mac_lomac_create_socket_from_socket,
-	.mpo_relabel_pipe = mac_lomac_relabel_pipe,
-	.mpo_relabel_socket = mac_lomac_relabel_socket,
-	.mpo_set_socket_peer_from_mbuf = mac_lomac_set_socket_peer_from_mbuf,
-	.mpo_set_socket_peer_from_socket =
-	    mac_lomac_set_socket_peer_from_socket,
-	.mpo_create_bpfdesc = mac_lomac_create_bpfdesc,
-	.mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq,
-	.mpo_create_fragment = mac_lomac_create_fragment,
-	.mpo_create_ifnet = mac_lomac_create_ifnet,
-	.mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket,
-	.mpo_create_ipq = mac_lomac_create_ipq,
-	.mpo_create_mbuf_from_inpcb = mac_lomac_create_mbuf_from_inpcb,
+	.mpo_pipe_create = mac_lomac_pipe_create,
+	.mpo_socket_create = mac_lomac_socket_create,
+	.mpo_socket_newconn = mac_lomac_socket_newconn,
+	.mpo_pipe_relabel = mac_lomac_pipe_relabel,
+	.mpo_socket_relabel = mac_lomac_socket_relabel,
+	.mpo_socketpeer_set_from_mbuf = mac_lomac_socketpeer_set_from_mbuf,
+	.mpo_socketpeer_set_from_socket =
+	    mac_lomac_socketpeer_set_from_socket,
+	.mpo_bpfdesc_create = mac_lomac_bpfdesc_create,
+	.mpo_ipq_reassemble = mac_lomac_ipq_reassemble,
+	.mpo_netinet_fragment = mac_lomac_netinet_fragment,
+	.mpo_ifnet_create = mac_lomac_ifnet_create,
+	.mpo_inpcb_create = mac_lomac_inpcb_create,
+	.mpo_ipq_create = mac_lomac_ipq_create,
+	.mpo_inpcb_create_mbuf = mac_lomac_inpcb_create_mbuf,
 	.mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
-	.mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
-	.mpo_create_mbuf_from_ifnet = mac_lomac_create_mbuf_from_ifnet,
-	.mpo_create_mbuf_multicast_encap =
-	    mac_lomac_create_mbuf_multicast_encap,
-	.mpo_create_mbuf_netlayer = mac_lomac_create_mbuf_netlayer,
-	.mpo_fragment_match = mac_lomac_fragment_match,
-	.mpo_relabel_ifnet = mac_lomac_relabel_ifnet,
-	.mpo_update_ipq = mac_lomac_update_ipq,
+	.mpo_bpfdesc_create_mbuf = mac_lomac_bpfdesc_create_mbuf,
+	.mpo_ifnet_create_mbuf = mac_lomac_ifnet_create_mbuf,
+	.mpo_mbuf_create_multicast_encap =
+	    mac_lomac_mbuf_create_multicast_encap,
+	.mpo_mbuf_create_netlayer = mac_lomac_mbuf_create_netlayer,
+	.mpo_ipq_match = mac_lomac_ipq_match,
+	.mpo_ifnet_relabel = mac_lomac_ifnet_relabel,
+	.mpo_ipq_update = mac_lomac_ipq_update,
 	.mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel,
-	.mpo_execve_transition = mac_lomac_execve_transition,
-	.mpo_execve_will_transition = mac_lomac_execve_will_transition,
-	.mpo_create_proc0 = mac_lomac_create_proc0,
-	.mpo_create_proc1 = mac_lomac_create_proc1,
-	.mpo_relabel_cred = mac_lomac_relabel_cred,
-	.mpo_check_bpfdesc_receive = mac_lomac_check_bpfdesc_receive,
-	.mpo_check_cred_relabel = mac_lomac_check_cred_relabel,
-	.mpo_check_cred_visible = mac_lomac_check_cred_visible,
-	.mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel,
-	.mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit,
-	.mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver,
-	.mpo_check_kld_load = mac_lomac_check_kld_load,
-	.mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl,
-	.mpo_check_pipe_read = mac_lomac_check_pipe_read,
-	.mpo_check_pipe_relabel = mac_lomac_check_pipe_relabel,
-	.mpo_check_pipe_write = mac_lomac_check_pipe_write,
-	.mpo_check_proc_debug = mac_lomac_check_proc_debug,
-	.mpo_check_proc_sched = mac_lomac_check_proc_sched,
-	.mpo_check_proc_signal = mac_lomac_check_proc_signal,
-	.mpo_check_socket_deliver = mac_lomac_check_socket_deliver,
-	.mpo_check_socket_relabel = mac_lomac_check_socket_relabel,
-	.mpo_check_socket_visible = mac_lomac_check_socket_visible,
-	.mpo_check_system_acct = mac_lomac_check_system_acct,
-	.mpo_check_system_auditctl = mac_lomac_check_system_auditctl,
-	.mpo_check_system_swapoff = mac_lomac_check_system_swapoff,
-	.mpo_check_system_swapon = mac_lomac_check_system_swapon,
-	.mpo_check_system_sysctl = mac_lomac_check_system_sysctl,
-	.mpo_check_vnode_access = mac_lomac_check_vnode_open,
-	.mpo_check_vnode_create = mac_lomac_check_vnode_create,
-	.mpo_check_vnode_deleteacl = mac_lomac_check_vnode_deleteacl,
-	.mpo_check_vnode_link = mac_lomac_check_vnode_link,
-	.mpo_check_vnode_mmap = mac_lomac_check_vnode_mmap,
-	.mpo_check_vnode_mmap_downgrade = mac_lomac_check_vnode_mmap_downgrade,
-	.mpo_check_vnode_open = mac_lomac_check_vnode_open,
-	.mpo_check_vnode_read = mac_lomac_check_vnode_read,
-	.mpo_check_vnode_relabel = mac_lomac_check_vnode_relabel,
-	.mpo_check_vnode_rename_from = mac_lomac_check_vnode_rename_from,
-	.mpo_check_vnode_rename_to = mac_lomac_check_vnode_rename_to,
-	.mpo_check_vnode_revoke = mac_lomac_check_vnode_revoke,
-	.mpo_check_vnode_setacl = mac_lomac_check_vnode_setacl,
-	.mpo_check_vnode_setextattr = mac_lomac_check_vnode_setextattr,
-	.mpo_check_vnode_setflags = mac_lomac_check_vnode_setflags,
-	.mpo_check_vnode_setmode = mac_lomac_check_vnode_setmode,
-	.mpo_check_vnode_setowner = mac_lomac_check_vnode_setowner,
-	.mpo_check_vnode_setutimes = mac_lomac_check_vnode_setutimes,
-	.mpo_check_vnode_unlink = mac_lomac_check_vnode_unlink,
-	.mpo_check_vnode_write = mac_lomac_check_vnode_write,
+	.mpo_vnode_execve_transition = mac_lomac_vnode_execve_transition,
+	.mpo_vnode_execve_will_transition =
+	    mac_lomac_vnode_execve_will_transition,
+	.mpo_proc_create_swapper = mac_lomac_proc_create_swapper,
+	.mpo_proc_create_init = mac_lomac_proc_create_init,
+	.mpo_cred_relabel = mac_lomac_cred_relabel,
+	.mpo_bpfdesc_check_receive = mac_lomac_bpfdesc_check_receive,
+	.mpo_cred_check_relabel = mac_lomac_cred_check_relabel,
+	.mpo_cred_check_visible = mac_lomac_cred_check_visible,
+	.mpo_ifnet_check_relabel = mac_lomac_ifnet_check_relabel,
+	.mpo_ifnet_check_transmit = mac_lomac_ifnet_check_transmit,
+	.mpo_inpcb_check_deliver = mac_lomac_inpcb_check_deliver,
+	.mpo_kld_check_load = mac_lomac_kld_check_load,
+	.mpo_pipe_check_ioctl = mac_lomac_pipe_check_ioctl,
+	.mpo_pipe_check_read = mac_lomac_pipe_check_read,
+	.mpo_pipe_check_relabel = mac_lomac_pipe_check_relabel,
+	.mpo_pipe_check_write = mac_lomac_pipe_check_write,
+	.mpo_proc_check_debug = mac_lomac_proc_check_debug,
+	.mpo_proc_check_sched = mac_lomac_proc_check_sched,
+	.mpo_proc_check_signal = mac_lomac_proc_check_signal,
+	.mpo_socket_check_deliver = mac_lomac_socket_check_deliver,
+	.mpo_socket_check_relabel = mac_lomac_socket_check_relabel,
+	.mpo_socket_check_visible = mac_lomac_socket_check_visible,
+	.mpo_system_check_acct = mac_lomac_system_check_acct,
+	.mpo_system_check_auditctl = mac_lomac_system_check_auditctl,
+	.mpo_system_check_swapoff = mac_lomac_system_check_swapoff,
+	.mpo_system_check_swapon = mac_lomac_system_check_swapon,
+	.mpo_system_check_sysctl = mac_lomac_system_check_sysctl,
+	.mpo_vnode_check_access = mac_lomac_vnode_check_open,
+	.mpo_vnode_check_create = mac_lomac_vnode_check_create,
+	.mpo_vnode_check_deleteacl = mac_lomac_vnode_check_deleteacl,
+	.mpo_vnode_check_link = mac_lomac_vnode_check_link,
+	.mpo_vnode_check_mmap = mac_lomac_vnode_check_mmap,
+	.mpo_vnode_check_mmap_downgrade = mac_lomac_vnode_check_mmap_downgrade,
+	.mpo_vnode_check_open = mac_lomac_vnode_check_open,
+	.mpo_vnode_check_read = mac_lomac_vnode_check_read,
+	.mpo_vnode_check_relabel = mac_lomac_vnode_check_relabel,
+	.mpo_vnode_check_rename_from = mac_lomac_vnode_check_rename_from,
+	.mpo_vnode_check_rename_to = mac_lomac_vnode_check_rename_to,
+	.mpo_vnode_check_revoke = mac_lomac_vnode_check_revoke,
+	.mpo_vnode_check_setacl = mac_lomac_vnode_check_setacl,
+	.mpo_vnode_check_setextattr = mac_lomac_vnode_check_setextattr,
+	.mpo_vnode_check_setflags = mac_lomac_vnode_check_setflags,
+	.mpo_vnode_check_setmode = mac_lomac_vnode_check_setmode,
+	.mpo_vnode_check_setowner = mac_lomac_vnode_check_setowner,
+	.mpo_vnode_check_setutimes = mac_lomac_vnode_check_setutimes,
+	.mpo_vnode_check_unlink = mac_lomac_vnode_check_unlink,
+	.mpo_vnode_check_write = mac_lomac_vnode_check_write,
 	.mpo_thread_userret = mac_lomac_thread_userret,
-	.mpo_create_mbuf_from_firewall = mac_lomac_create_mbuf_from_firewall,
+	.mpo_mbuf_create_from_firewall = mac_lomac_mbuf_create_from_firewall,
 	.mpo_priv_check = mac_lomac_priv_check,
 };
 

sys/security/mac_partition/mac_partition.c

@@ -1,6 +1,7 @@
 /*-
  * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001-2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -115,21 +119,21 @@ mac_partition_internalize_label(struct label *label, char *element_name,
 }
 
 static void
-mac_partition_create_proc0(struct ucred *cred)
+mac_partition_proc_create_swapper(struct ucred *cred)
 {
 
 	SLOT_SET(cred->cr_label, 0);
 }
 
 static void
-mac_partition_create_proc1(struct ucred *cred)
+mac_partition_proc_create_init(struct ucred *cred)
 {
 
 	SLOT_SET(cred->cr_label, 0);
 }
 
 static void
-mac_partition_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_partition_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 
 	if (SLOT(newlabel) != 0)
@@ -153,7 +157,7 @@ label_on_label(struct label *subject, struct label *object)
 }
 
 static int
-mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
 	int error;
 
@@ -174,7 +178,7 @@ mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 }
 
 static int
-mac_partition_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 {
 	int error;
 
@@ -184,7 +188,7 @@ mac_partition_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
 }
 
 static int
-mac_partition_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_partition_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	int error;
 
@@ -194,7 +198,7 @@ mac_partition_check_proc_debug(struct ucred *cred, struct proc *p)
 }
 
 static int
-mac_partition_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_partition_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 	int error;
 
@@ -204,7 +208,7 @@ mac_partition_check_proc_sched(struct ucred *cred, struct proc *p)
 }
 
 static int
-mac_partition_check_proc_signal(struct ucred *cred, struct proc *p,
+mac_partition_proc_check_signal(struct ucred *cred, struct proc *p,
     int signum)
 {
 	int error;
@@ -215,7 +219,7 @@ mac_partition_check_proc_signal(struct ucred *cred, struct proc *p,
 }
 
 static int
-mac_partition_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_partition_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 	int error;
@@ -226,7 +230,7 @@ mac_partition_check_socket_visible(struct ucred *cred, struct socket *so,
 }
 
 static int
-mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
     struct label *vplabel, struct image_params *imgp,
     struct label *execlabel)
 {
@@ -246,21 +250,21 @@ mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 
 static struct mac_policy_ops mac_partition_ops =
 {
-	.mpo_init_cred_label = mac_partition_init_label,
-	.mpo_destroy_cred_label = mac_partition_destroy_label,
-	.mpo_copy_cred_label = mac_partition_copy_label,
-	.mpo_externalize_cred_label = mac_partition_externalize_label,
-	.mpo_internalize_cred_label = mac_partition_internalize_label,
-	.mpo_create_proc0 = mac_partition_create_proc0,
-	.mpo_create_proc1 = mac_partition_create_proc1,
-	.mpo_relabel_cred = mac_partition_relabel_cred,
-	.mpo_check_cred_relabel = mac_partition_check_cred_relabel,
-	.mpo_check_cred_visible = mac_partition_check_cred_visible,
-	.mpo_check_proc_debug = mac_partition_check_proc_debug,
-	.mpo_check_proc_sched = mac_partition_check_proc_sched,
-	.mpo_check_proc_signal = mac_partition_check_proc_signal,
-	.mpo_check_socket_visible = mac_partition_check_socket_visible,
-	.mpo_check_vnode_exec = mac_partition_check_vnode_exec,
+	.mpo_cred_init_label = mac_partition_init_label,
+	.mpo_cred_destroy_label = mac_partition_destroy_label,
+	.mpo_cred_copy_label = mac_partition_copy_label,
+	.mpo_cred_externalize_label = mac_partition_externalize_label,
+	.mpo_cred_internalize_label = mac_partition_internalize_label,
+	.mpo_proc_create_swapper = mac_partition_proc_create_swapper,
+	.mpo_proc_create_init = mac_partition_proc_create_init,
+	.mpo_cred_relabel = mac_partition_cred_relabel,
+	.mpo_cred_check_relabel = mac_partition_cred_check_relabel,
+	.mpo_cred_check_visible = mac_partition_cred_check_visible,
+	.mpo_proc_check_debug = mac_partition_proc_check_debug,
+	.mpo_proc_check_sched = mac_partition_proc_check_sched,
+	.mpo_proc_check_signal = mac_partition_proc_check_signal,
+	.mpo_socket_check_visible = mac_partition_socket_check_visible,
+	.mpo_vnode_check_exec = mac_partition_vnode_check_exec,
 };
 
 MAC_POLICY_SET(&mac_partition_ops, mac_partition, "TrustedBSD MAC/Partition",

sys/security/mac_portacl/mac_portacl.c

@@ -1,5 +1,6 @@
 /*-
  * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project by Network
@@ -7,6 +8,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -430,7 +434,7 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port)
  * the source port is left up to the IP stack to determine automatically.
  */
 static int
-check_socket_bind(struct ucred *cred, struct socket *so,
+socket_check_bind(struct ucred *cred, struct socket *so,
     struct label *solabel, struct sockaddr *sa)
 {
 	struct sockaddr_in *sin;
@@ -482,7 +486,7 @@ static struct mac_policy_ops mac_portacl_ops =
 {
 	.mpo_destroy = destroy,
 	.mpo_init = init,
-	.mpo_check_socket_bind = check_socket_bind,
+	.mpo_socket_check_bind = socket_check_bind,
 };
 
 MAC_POLICY_SET(&mac_portacl_ops, trustedbsd_mac_portacl,

sys/security/mac_seeotheruids/mac_seeotheruids.c

@@ -1,6 +1,7 @@
 /*-
  * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001-2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -122,14 +126,14 @@ mac_seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
 }
 
 static int
-mac_seeotheruids_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 {
 
 	return (mac_seeotheruids_check(cr1, cr2));
 }
 
 static int
-mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p,
+mac_seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p,
     int signum)
 {
 
@@ -137,21 +141,21 @@ mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p,
 }
 
 static int
-mac_seeotheruids_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 
 	return (mac_seeotheruids_check(cred, p->p_ucred));
 }
 
 static int
-mac_seeotheruids_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 
 	return (mac_seeotheruids_check(cred, p->p_ucred));
 }
 
 static int
-mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
 
@@ -160,11 +164,11 @@ mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *so,
 
 static struct mac_policy_ops mac_seeotheruids_ops =
 {
-	.mpo_check_cred_visible = mac_seeotheruids_check_cred_visible,
-	.mpo_check_proc_debug = mac_seeotheruids_check_proc_debug,
-	.mpo_check_proc_sched = mac_seeotheruids_check_proc_sched,
-	.mpo_check_proc_signal = mac_seeotheruids_check_proc_signal,
-	.mpo_check_socket_visible = mac_seeotheruids_check_socket_visible,
+	.mpo_cred_check_visible = mac_seeotheruids_cred_check_visible,
+	.mpo_proc_check_debug = mac_seeotheruids_proc_check_debug,
+	.mpo_proc_check_sched = mac_seeotheruids_proc_check_sched,
+	.mpo_proc_check_signal = mac_seeotheruids_proc_check_signal,
+	.mpo_socket_check_visible = mac_seeotheruids_socket_check_visible,
 };
 
 MAC_POLICY_SET(&mac_seeotheruids_ops, mac_seeotheruids,

sys/ufs/ffs/ffs_vfsops.c

@@ -1464,7 +1464,7 @@ ffs_vget(mp, ino, flags, vpp)
 		 * multi-label, attempt to perform a label association
 		 * from the extended attributes on the inode.
 		 */
-		error = mac_associate_vnode_extattr(mp, vp);
+		error = mac_vnode_associate_extattr(mp, vp);
 		if (error) {
 			/* ufs_inactive will release ip->i_devvp ref. */
 			vput(vp);