Remove MAC_DEBUG label counters, which were used to debug leaks and

other problems while labels were first being added to various kernel
objects.  They have outlived their usefulness.

MFC after:	1 month
Suggested by:	Christopher dot Vance at SPARTA dot com
Obtained from:	TrustedBSD Project

sys/conf/NOTES

@@ -994,7 +994,6 @@ options 	AUDIT
 options 	MAC
 options 	MAC_BIBA
 options 	MAC_BSDEXTENDED
-options 	MAC_DEBUG
 options 	MAC_IFOFF
 options 	MAC_LOMAC
 options 	MAC_MLS

sys/conf/options

@@ -103,7 +103,6 @@ MAC
 MAC_ALWAYS_LABEL_MBUF	opt_mac.h
 MAC_BIBA	opt_dontuse.h
 MAC_BSDEXTENDED	opt_dontuse.h
-MAC_DEBUG	opt_mac.h
 MAC_IFOFF	opt_dontuse.h
 MAC_LOMAC	opt_dontuse.h
 MAC_MLS		opt_dontuse.h

sys/kern/kern_mac.c

@@ -136,17 +136,6 @@ int	mac_late = 0;
 int	mac_labelmbufs = 0;
 #endif
 
-#ifdef MAC_DEBUG
-SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
-    "TrustedBSD MAC debug info");
-SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
-    "TrustedBSD MAC object counters");
-
-static unsigned int nmactemp;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
-    &nmactemp, 0, "number of temporary labels in use");
-#endif
-
 static int	mac_policy_register(struct mac_policy_conf *mpc);
 static int	mac_policy_unregister(struct mac_policy_conf *mpc);
 

sys/security/mac/mac_framework.c

@@ -136,17 +136,6 @@ int	mac_late = 0;
 int	mac_labelmbufs = 0;
 #endif
 
-#ifdef MAC_DEBUG
-SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
-    "TrustedBSD MAC debug info");
-SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
-    "TrustedBSD MAC object counters");
-
-static unsigned int nmactemp;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
-    &nmactemp, 0, "number of temporary labels in use");
-#endif
-
 static int	mac_policy_register(struct mac_policy_conf *mpc);
 static int	mac_policy_unregister(struct mac_policy_conf *mpc);
 

sys/security/mac/mac_inet.c

@@ -66,15 +66,6 @@ __FBSDID("$FreeBSD$");
 
 #include <security/mac/mac_internal.h>
 
-#ifdef MAC_DEBUG
-static unsigned int nmacinpcbs, nmacipqs;
-
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, inpcbs, CTLFLAG_RD,
-    &nmacinpcbs, 0, "number of inpcbs in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD,
-    &nmacipqs, 0, "number of ipqs in use");
-#endif
-
 static struct label *
 mac_inpcb_label_alloc(int flag)
 {
@@ -90,7 +81,6 @@ mac_inpcb_label_alloc(int flag)
 		mac_labelzone_free(label);
 		return (NULL);
 	}
-	MAC_DEBUG_COUNTER_INC(&nmacinpcbs);
 	return (label);
 }
 
@@ -120,7 +110,6 @@ mac_ipq_label_alloc(int flag)
 		mac_labelzone_free(label);
 		return (NULL);
 	}
-	MAC_DEBUG_COUNTER_INC(&nmacipqs);
 	return (label);
 }
 
@@ -140,7 +129,6 @@ mac_inpcb_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_inpcb_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacinpcbs);
 }
 
 void
@@ -157,7 +145,6 @@ mac_ipq_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_ipq_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacipqs);
 }
 
 void

sys/security/mac/mac_internal.h

@@ -41,10 +41,6 @@
  */
 #ifdef SYSCTL_DECL
 SYSCTL_DECL(_security_mac);
-#ifdef MAC_DEBUG
-SYSCTL_DECL(_security_mac_debug);
-SYSCTL_DECL(_security_mac_debug_counters);
-#endif
 #endif /* SYSCTL_DECL */
 
 /*
@@ -69,18 +65,6 @@ extern int				mac_enforce_vm;
 extern int				mac_labelmbufs;
 #endif
 
-/*
- * MAC Framework object/access counter primitives, conditionally
- * compiled.
- */
-#ifdef MAC_DEBUG
-#define	MAC_DEBUG_COUNTER_INC(x)	atomic_add_int(x, 1);
-#define	MAC_DEBUG_COUNTER_DEC(x)	atomic_subtract_int(x, 1);
-#else
-#define	MAC_DEBUG_COUNTER_INC(x)
-#define	MAC_DEBUG_COUNTER_DEC(x)
-#endif
-
 /*
  * MAC Framework infrastructure functions.
  */

sys/security/mac/mac_net.c

@@ -72,17 +72,6 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
     &mac_enforce_network, 0, "Enforce MAC policy on network packets");
 TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
 
-#ifdef MAC_DEBUG
-static unsigned int nmacbpfdescs, nmacifnets, nmacmbufs;
-
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD,
-    &nmacbpfdescs, 0, "number of bpfdescs in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
-    &nmacifnets, 0, "number of ifnets in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
-    &nmacmbufs, 0, "number of mbufs in use");
-#endif
-
 /*
  * XXXRW: struct ifnet locking is incomplete in the network code, so we
  * use our own global mutex for struct ifnet.  Non-ideal, but should help
@@ -115,7 +104,6 @@ mac_bpfdesc_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_bpfdesc_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
 	return (label);
 }
 
@@ -133,7 +121,6 @@ mac_ifnet_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_ifnet_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacifnets);
 	return (label);
 }
 
@@ -157,8 +144,6 @@ mac_init_mbuf_tag(struct m_tag *tag, int flag)
 	if (error) {
 		MAC_PERFORM(destroy_mbuf_label, label);
 		mac_destroy_label(label);
-	} else {
-		MAC_DEBUG_COUNTER_INC(&nmacmbufs);
 	}
 	return (error);
 }
@@ -198,7 +183,6 @@ mac_bpfdesc_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_bpfdesc_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
 }
 
 void
@@ -215,7 +199,6 @@ mac_ifnet_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_ifnet_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacifnets);
 }
 
 void
@@ -235,7 +218,6 @@ mac_destroy_mbuf_tag(struct m_tag *tag)
 
 	MAC_PERFORM(destroy_mbuf_label, label);
 	mac_destroy_label(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacmbufs);
 }
 
 void

sys/security/mac/mac_pipe.c

@@ -56,12 +56,6 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
     &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
 TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
 
-#ifdef MAC_DEBUG
-static unsigned int nmacpipes;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
-    &nmacpipes, 0, "number of pipes in use");
-#endif
-
 struct label *
 mac_pipe_label_alloc(void)
 {
@@ -69,7 +63,6 @@ mac_pipe_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_pipe_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacpipes);
 	return (label);
 }
 
@@ -86,7 +79,6 @@ mac_pipe_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_pipe_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacpipes);
 }
 
 void

sys/security/mac/mac_posix_sem.c

@@ -54,12 +54,6 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_posix_sem, CTLFLAG_RW,
     &mac_enforce_posix_sem, 0, "Enforce MAC policy on global POSIX semaphores");
 TUNABLE_INT("security.mac.enforce_posix_sem", &mac_enforce_posix_sem);
 
-#ifdef MAC_DEBUG
-static unsigned int nmacposixsems;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, posix_sems, CTLFLAG_RD,
-    &nmacposixsems, 0, "number of posix global semaphores inuse");
-#endif
-
 static struct label *
 mac_posix_sem_label_alloc(void)
 {
@@ -67,7 +61,6 @@ mac_posix_sem_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_posix_sem_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacposixsems);
 	return (label);
 }
 
@@ -83,7 +76,6 @@ mac_posix_sem_label_free(struct label *label)
 {
 
 	MAC_PERFORM(destroy_posix_sem_label, label);
-	MAC_DEBUG_COUNTER_DEC(&nmacposixsems);
 }
 
 void

sys/security/mac/mac_process.c

@@ -91,14 +91,6 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_suid, CTLFLAG_RW,
     &mac_enforce_suid, 0, "Enforce MAC policy on suid/sgid operations");
 TUNABLE_INT("security.mac.enforce_suid", &mac_enforce_suid);
 
-#ifdef MAC_DEBUG
-static unsigned int nmaccreds, nmacprocs;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
-    &nmaccreds, 0, "number of ucreds in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
-    &nmacprocs, 0, "number of procs in use");
-#endif
-
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
@@ -109,7 +101,6 @@ mac_cred_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_cred_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmaccreds);
 	return (label);
 }
 
@@ -127,7 +118,6 @@ mac_proc_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_proc_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacprocs);
 	return (label);
 }
 
@@ -144,7 +134,6 @@ mac_cred_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_cred_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmaccreds);
 }
 
 void
@@ -161,7 +150,6 @@ mac_proc_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_proc_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacprocs);
 }
 
 void

sys/security/mac/mac_socket.c

@@ -80,13 +80,6 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
     &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 
-#ifdef MAC_DEBUG
-static unsigned int nmacsockets;
-
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
-    &nmacsockets, 0, "number of sockets in use");
-#endif
-
 struct label *
 mac_socket_label_alloc(int flag)
 {
@@ -103,7 +96,6 @@ mac_socket_label_alloc(int flag)
 		mac_labelzone_free(label);
 		return (NULL);
 	}
-	MAC_DEBUG_COUNTER_INC(&nmacsockets);
 	return (label);
 }
 
@@ -123,7 +115,6 @@ mac_socket_peer_label_alloc(int flag)
 		mac_labelzone_free(label);
 		return (NULL);
 	}
-	MAC_DEBUG_COUNTER_INC(&nmacsockets);
 	return (label);
 }
 
@@ -149,7 +140,6 @@ mac_socket_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_socket_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacsockets);
 }
 
 static void
@@ -158,7 +148,6 @@ mac_socket_peer_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_socket_peer_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacsockets);
 }
 
 void

sys/security/mac/mac_syscalls.c

@@ -136,17 +136,6 @@ int	mac_late = 0;
 int	mac_labelmbufs = 0;
 #endif
 
-#ifdef MAC_DEBUG
-SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
-    "TrustedBSD MAC debug info");
-SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
-    "TrustedBSD MAC object counters");
-
-static unsigned int nmactemp;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
-    &nmactemp, 0, "number of temporary labels in use");
-#endif
-
 static int	mac_policy_register(struct mac_policy_conf *mpc);
 static int	mac_policy_unregister(struct mac_policy_conf *mpc);
 

sys/security/mac/mac_sysv_msg.c

@@ -59,14 +59,6 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_msg, CTLFLAG_RW,
     "Enforce MAC policy on System V IPC Message Queues");
 TUNABLE_INT("security.mac.enforce_sysv_msg", &mac_enforce_sysv_msg);
 
-#ifdef MAC_DEBUG
-static unsigned int nmacipcmsgs, nmacipcmsqs;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_msgs, CTLFLAG_RD,
-    &nmacipcmsgs, 0, "number of sysv ipc messages inuse");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_msqs, CTLFLAG_RD,
-    &nmacipcmsqs, 0, "number of sysv ipc message queue identifiers inuse");
-#endif
-
 static struct label *
 mac_sysv_msgmsg_label_alloc(void)
 {
@@ -74,7 +66,6 @@ mac_sysv_msgmsg_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_sysv_msgmsg_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacipcmsgs);
 	return (label);
 }
 
@@ -92,7 +83,6 @@ mac_sysv_msgqueue_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_sysv_msgqueue_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacipcmsqs);
 	return (label);
 }
 
@@ -109,7 +99,6 @@ mac_sysv_msgmsg_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_sysv_msgmsg_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacipcmsgs);
 }
 
 void
@@ -126,7 +115,6 @@ mac_sysv_msgqueue_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_sysv_msgqueue_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacipcmsqs);
 }
 
 void

sys/security/mac/mac_sysv_sem.c

@@ -58,12 +58,6 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_sem, CTLFLAG_RW,
     &mac_enforce_sysv_sem, 0, "Enforce MAC policy on System V IPC Semaphores");
 TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_sem);
 
-#ifdef MAC_DEBUG
-static unsigned int nmacipcsemas;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_semas, CTLFLAG_RD,
-    &nmacipcsemas, 0, "number of sysv ipc semaphore identifiers inuse");
-#endif
-
 static struct label *
 mac_sysv_sem_label_alloc(void)
 {
@@ -71,7 +65,6 @@ mac_sysv_sem_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_sysv_sem_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacipcsemas);
 	return (label);
 }
 
@@ -88,7 +81,6 @@ mac_sysv_sem_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_sysv_sem_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacipcsemas);
 }
 
 void

sys/security/mac/mac_sysv_shm.c

@@ -59,12 +59,6 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_shm, CTLFLAG_RW,
     "Enforce MAC policy on System V IPC shared memory");
 TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_shm);
 
-#ifdef MAC_DEBUG
-static unsigned int nmacipcshms;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_shms, CTLFLAG_RD,
-    &nmacipcshms, 0, "number of sysv ipc shm identifiers inuse");
-#endif
-
 static struct label *
 mac_sysv_shm_label_alloc(void)
 {
@@ -72,7 +66,6 @@ mac_sysv_shm_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_sysv_shm_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacipcshms);
 	return (label);
 }
 
@@ -89,7 +82,6 @@ mac_sysv_shm_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_sysv_shm_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacipcshms);
 }
 
 void

sys/security/mac/mac_vfs.c

@@ -83,23 +83,6 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
     &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
 
-#ifdef MAC_DEBUG
-static int	mac_debug_label_fallback = 0;
-SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW,
-    &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label"
-    "when label is corrupted.");
-TUNABLE_INT("security.mac.debug_label_fallback",
-    &mac_debug_label_fallback);
-
-static unsigned int nmacmounts, nmacvnodes, nmacdevfsdirents;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
-    &nmacmounts, 0, "number of mounts in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD,
-    &nmacvnodes, 0, "number of vnodes in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
-    &nmacdevfsdirents, 0, "number of devfs dirents inuse");
-#endif
-
 static int	mac_setlabel_vnode_extattr(struct ucred *cred,
 		    struct vnode *vp, struct label *intlabel);
 
@@ -110,7 +93,6 @@ mac_devfsdirent_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_devfsdirent_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
 	return (label);
 }
 
@@ -128,7 +110,6 @@ mac_mount_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_mount_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacmounts);
 	return (label);
 }
 
@@ -139,7 +120,6 @@ mac_mount_fs_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_mount_fs_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacmounts);
 	return (label);
 }
 
@@ -158,7 +138,6 @@ mac_vnode_label_alloc(void)
 
 	label = mac_labelzone_alloc(M_WAITOK);
 	MAC_PERFORM(init_vnode_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacvnodes);
 	return (label);
 }
 
@@ -175,7 +154,6 @@ mac_devfsdirent_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_devfsdirent_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
 }
 
 void
@@ -192,7 +170,6 @@ mac_mount_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_mount_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacmounts);
 }
 
 static void
@@ -201,7 +178,6 @@ mac_mount_fs_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_mount_fs_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacmounts);
 }
 
 void
@@ -220,7 +196,6 @@ mac_vnode_label_free(struct label *label)
 
 	MAC_PERFORM(destroy_vnode_label, label);
 	mac_labelzone_free(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
 }
 
 void