authorrwatson <rwatson@FreeBSD.org>2002-10-28 19:44:05 +0000
committerrwatson <rwatson@FreeBSD.org>2002-10-28 19:44:05 +0000
commit71ce8bbc83c48ab4b6876cd489d4bc102d1bc859 (patch)
tree6490e94134c54f8b689b4a8ce36e8402fdf9dcdb
parentd5b5077e34e6739122d49b6cac712d544727f402 (diff)
Remove all references to 'struct oldmac', since it's no longer required
with the new VFS/EA semantics in the MAC framework. Move the per-policy structures out to per-policy include files, removing all policy-specific defines and structures from the base framework includes and implementation, making mac_biba and mac_mls entirely self-contained.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
-rw-r--r--sys/security/mac/mac_framework.h51
-rw-r--r--sys/security/mac_biba/mac_biba.h27
-rw-r--r--sys/security/mac_mls/mac_mls.h32
-rw-r--r--sys/sys/mac.h51
4 files changed, 63 insertions, 98 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 0e07753..68ad4b4 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -106,54 +106,7 @@ int mac_set_proc(const mac_t _label);
int mac_syscall(const char *_policyname, int _call, void *_arg);
int mac_to_text(mac_t mac, char **_text);
-#endif /* !_KERNEL */
-
-/*
- * XXXMAC: For compatibility until the labels on disk are changed. We
- * will enable the definitions in various policy include files once
- * these can be disabled.
- */
-
-#define MAC_BIBA_MAX_COMPARTMENTS 256
-
-struct mac_biba_element {
- u_short mbe_type;
- u_short mbe_grade;
- u_char mbe_compartments[MAC_BIBA_MAX_COMPARTMENTS >> 3];
-};
-
-struct mac_biba {
- int mb_flags;
- struct mac_biba_element mb_single;
- struct mac_biba_element mb_rangelow, mb_rangehigh;
-};
-
-#define MAC_MLS_MAX_COMPARTMENTS 256
-
-struct mac_mls_element {
- u_short mme_type;
- u_short mme_level;
- u_char mme_compartments[MAC_MLS_MAX_COMPARTMENTS >> 3];
-};
-
-struct mac_mls {
- int mm_flags;
- struct mac_mls_element mm_single;
- struct mac_mls_element mm_rangelow, mm_rangehigh;
-};
-
-struct mac_sebsd {
- uint32_t ms_psid;
-};
-
-struct oldmac {
- int m_macflags;
- struct mac_biba m_biba;
- struct mac_mls m_mls;
- struct mac_sebsd m_sebsd;
-};
-
-#ifdef _KERNEL
+#else /* _KERNEL */
/*
* Kernel functions to manage and evaluate labels.
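Review bot: `struct mac_sebsd` is deleted here together with `struct oldmac`, but unlike `struct mac_biba` and `struct mac_mls` it is not re-added in any file this commit touches, so confirm nothing still names it. The removed block sat between `#endif /* !_KERNEL */` and `#ifdef _KERNEL`, so it was visible to both userland and kernel includes of this header. After this change, code that needs the Biba or MLS label layout must include sys/security/mac_biba/mac_biba.h or sys/security/mac_mls/mac_mls.h itself. A one-line pointer at the old location would help, for example `/* Policy label structures now live in the per-policy headers (mac_biba.h, mac_mls.h). */`. The identical hunk in sys/sys/mac.h raises the same points.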
@@ -373,6 +326,6 @@ int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe,
*/
int vop_stdsetlabel_ea(struct vop_setlabel_args *ap);
-#endif /* _KERNEL */
+#endif /* !_KERNEL */
#endif /* !_SYS_MAC_H */
diff --git a/sys/security/mac_biba/mac_biba.h b/sys/security/mac_biba/mac_biba.h
index 95af8dd..67d2bc8 100644
--- a/sys/security/mac_biba/mac_biba.h
+++ b/sys/security/mac_biba/mac_biba.h
@@ -61,6 +61,33 @@
* MAC_BIBA_TYPE_LABEL. */
/*
+ * Structures and constants associated with a Biba Integrity policy.
+ * mac_biba represents a Biba label, with mb_type determining its properties,
+ * and mb_grade represents the hierarchal grade if valid for the current
+ * mb_type.
+ */
+
+#define MAC_BIBA_MAX_COMPARTMENTS 256
+
+struct mac_biba_element {
+ u_short mbe_type;
+ u_short mbe_grade;
+ u_char mbe_compartments[MAC_BIBA_MAX_COMPARTMENTS >> 3];
+};
+
+/*
+ * Biba labels consist of two components: a single label, and a label
+ * range. Depending on the context, one or both may be used; the mb_flags
+ * field permits the provider to indicate what fields are intended for
+ * use.
+ */
+struct mac_biba {
+ int mb_flags;
+ struct mac_biba_element mb_single;
+ struct mac_biba_element mb_rangelow, mb_rangehigh;
+};
+
+/*
* Biba compartments bit test/set macros.
* The range is 1 to MAC_BIBA_MAX_COMPARTMENTS.
*/
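Review bot: The new header comment names `mb_type` and `mb_grade`, but the fields added below it are `mbe_type` and `mbe_grade` in `struct mac_biba_element`; `struct mac_biba` has neither. I would reword it to `mac_biba_element represents one Biba label element, with mbe_type determining its properties and mbe_grade holding the hierarchical grade if valid for the current mbe_type.` Since `mbe_compartments` holds `MAC_BIBA_MAX_COMPARTMENTS >> 3` bytes and the macro comment gives a 1-based range, it is also worth stating that compartment numbers must be range-checked before the bit test/set macros are applied. Those macros begin after the end of this hunk, so whether they check the range themselves is not visible here.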
diff --git a/sys/security/mac_mls/mac_mls.h b/sys/security/mac_mls/mac_mls.h
index 23296dd..2e464dc 100644
--- a/sys/security/mac_mls/mac_mls.h
+++ b/sys/security/mac_mls/mac_mls.h
@@ -61,6 +61,38 @@
* MAC_MLS_TYPE_LABEL. */
/*
+ * Structures and constants associated with a Multi-Level Security policy.
+ * mac_mls represents an MLS label, with mm_type determining its properties,
+ * and mm_level represents the hierarchal sensitivity level if valid for the
+ * current mm_type. If compartments are used, the same semantics apply as
+ * long as the suject is in every compartment the object is in. LOW, EQUAL
+ * and HIGH cannot be in compartments.
+ */
+
+/*
+ * MLS compartments bit set size (in bits).
+ */
+#define MAC_MLS_MAX_COMPARTMMENTS 256
+
+struct mac_mls_element {
+ u_short mme_type;
+ u_short mme_level;
+ u_char mme_compartments[MAC_MLS_MAX_COMPARTMENTS >> 3];
+};
+
+/*
+ * MLS labels consist of two components: a single label, and a label
+ * range. Depending on the context, one or both may be used; the mb_flags
+ * field permits the provider to indicate what fields are intended for
+ * use.
+ */
+struct mac_mls {
+ int mm_flags;
+ struct mac_mls_element mm_single;
+ struct mac_mls_element mm_rangelow, mm_rangehigh;
+};
+
+/*
* MLS compartments bit test/set macros.
* The range is 1 to MAC_MLS_MAX_COMPARTMENTS.
*/
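Review bot: `#define MAC_MLS_MAX_COMPARTMMENTS 256` is misspelled (double M), while `mme_compartments` a few lines below is sized with `MAC_MLS_MAX_COMPARTMENTS`, and this same commit removes that macro's definition from mac_framework.h and sys/sys/mac.h. Unless the correctly spelled name is defined elsewhere in mac_mls.h outside this hunk, the array bound is undefined and the header will not compile; the line should read `#define MAC_MLS_MAX_COMPARTMENTS 256`. The added comments also carry copy-paste slips: `mb_flags` should be `mm_flags`, `mm_type`/`mm_level` should be `mme_type`/`mme_level` to match `struct mac_mls_element`, and "suject" should be "subject".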
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 0e07753..68ad4b4 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -106,54 +106,7 @@ int mac_set_proc(const mac_t _label);
int mac_syscall(const char *_policyname, int _call, void *_arg);
int mac_to_text(mac_t mac, char **_text);
-#endif /* !_KERNEL */
-
-/*
- * XXXMAC: For compatibility until the labels on disk are changed. We
- * will enable the definitions in various policy include files once
- * these can be disabled.
- */
-
-#define MAC_BIBA_MAX_COMPARTMENTS 256
-
-struct mac_biba_element {
- u_short mbe_type;
- u_short mbe_grade;
- u_char mbe_compartments[MAC_BIBA_MAX_COMPARTMENTS >> 3];
-};
-
-struct mac_biba {
- int mb_flags;
- struct mac_biba_element mb_single;
- struct mac_biba_element mb_rangelow, mb_rangehigh;
-};
-
-#define MAC_MLS_MAX_COMPARTMENTS 256
-
-struct mac_mls_element {
- u_short mme_type;
- u_short mme_level;
- u_char mme_compartments[MAC_MLS_MAX_COMPARTMENTS >> 3];
-};
-
-struct mac_mls {
- int mm_flags;
- struct mac_mls_element mm_single;
- struct mac_mls_element mm_rangelow, mm_rangehigh;
-};
-
-struct mac_sebsd {
- uint32_t ms_psid;
-};
-
-struct oldmac {
- int m_macflags;
- struct mac_biba m_biba;
- struct mac_mls m_mls;
- struct mac_sebsd m_sebsd;
-};
-
-#ifdef _KERNEL
+#else /* _KERNEL */
/*
* Kernel functions to manage and evaluate labels.
@@ -373,6 +326,6 @@ int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe,
*/
int vop_stdsetlabel_ea(struct vop_setlabel_args *ap);
-#endif /* _KERNEL */
+#endif /* !_KERNEL */
#endif /* !_SYS_MAC_H */