Remove MAC Framework access control check entry points made redundant with

the introduction of priv(9) and MAC Framework entry points for privilege
checking/granting.  These entry points exactly aligned with privileges and
provided no additional security context:

- mac_check_sysarch_ioperm()
- mac_check_kld_unload()
- mac_check_settime()
- mac_check_system_nfsd()

Add mpo_priv_check() implementations to Biba and LOMAC policies, which,
for each privilege, determine if they can be granted to processes
considered unprivileged by those two policies.  These mostly, but not
entirely, align with the set of privileges granted in jails.

Obtained from:	TrustedBSD Project

1 files changed, 0 insertions, 5 deletions

diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c
index f53f49a..738d77e 100644
--- a/sys/i386/i386/sys_machdep.c
+++ b/sys/i386/i386/sys_machdep.c
@@ -57,7 +57,6 @@ __FBSDID("$FreeBSD$");
 #include <machine/sysarch.h>
 
 #include <security/audit/audit.h>
-#include <security/mac/mac_framework.h>
 
 #include <vm/vm_kern.h>		/* for kernel_map */
 
@@ -289,10 +288,6 @@ i386_set_ioperm(td, uap)
 	int i, error;
 	char *iomap;
 
-#ifdef MAC
-	if ((error = mac_check_sysarch_ioperm(td->td_ucred)) != 0)
-		return (error);
-#endif
 	if ((error = priv_check(td, PRIV_IO)) != 0)
 		return (error);
 	if ((error = securelevel_gt(td->td_ucred, 0)) != 0)