Reserve a mount flag, MNT_MULTILABEL, used by the MAC subsystem and

individual filesystems to determine whether they should operate in
"file system as a single object" mode, or "file system as a set of objects
with individual labels" mode.  Note: in the trustedbsd_mac branch,
this is refered to as "MNT_MULTILEVEL", but the two mean the same thing.
MNT_MULTILABEL is more suggestive of a flexible policy system than one
providing purely hierarchal policies.  The need for a reserved flag will
go away once nmount() is done.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

sys/sys/mount.h

@@ -154,6 +154,7 @@ struct mount {
 #define	MNT_SOFTDEP	0x00200000	/* soft updates being done */
 #define	MNT_NOSYMFOLLOW	0x00400000	/* do not follow symlinks */
 #define	MNT_JAILDEVFS	0x02000000	/* Jail friendly DEVFS behaviour */
+#define	MNT_MULTILABEL	0x04000000	/* MAC support for individual objects */
 #define	MNT_NOATIME	0x10000000	/* disable update of file access time */
 #define	MNT_NOCLUSTERR	0x40000000	/* disable cluster read */
 #define	MNT_NOCLUSTERW	0x80000000	/* disable cluster write */
@@ -192,14 +193,15 @@ struct mount {
 			MNT_ROOTFS	| MNT_NOATIME	| MNT_NOCLUSTERR| \
 			MNT_NOCLUSTERW	| MNT_SUIDDIR	| MNT_SOFTDEP	| \
 			MNT_IGNORE	| MNT_EXPUBLIC	| MNT_NOSYMFOLLOW | \
-			MNT_JAILDEVFS)
+			MNT_JAILDEVFS	| MNT_MULTILABEL)
 
 /* Mask of flags that can be updated */
 #define MNT_UPDATEMASK (MNT_NOSUID	| MNT_NOEXEC	| MNT_NODEV	| \
 			MNT_SYNCHRONOUS	| MNT_UNION	| MNT_ASYNC	| \
 			MNT_NOATIME | \
 			MNT_NOSYMFOLLOW	| MNT_IGNORE	| MNT_JAILDEVFS	| \
-			MNT_NOCLUSTERR	| MNT_NOCLUSTERW | MNT_SUIDDIR)
+			MNT_NOCLUSTERR	| MNT_NOCLUSTERW | MNT_SUIDDIR | \
+			MNT_MULTILABEL)
   
 /*
  * External filesystem command modifier flags.
@@ -216,7 +218,6 @@ struct mount {
 /*
  * Still available
  */
-#define	MNT_SPARE2	0x04000000
 #define	MNT_SPARE3	0x08000000
 /*
  * Internal filesystem control flags stored in mnt_kern_flag.