Remove MAC Framework access control check entry points made redundant with

the introduction of priv(9) and MAC Framework entry points for privilege
checking/granting.  These entry points exactly aligned with privileges and
provided no additional security context:

- mac_check_sysarch_ioperm()
- mac_check_kld_unload()
- mac_check_settime()
- mac_check_system_nfsd()

Add mpo_priv_check() implementations to Biba and LOMAC policies, which,
for each privilege, determine if they can be granted to processes
considered unprivileged by those two policies.  These mostly, but not
entirely, align with the set of privileges granted in jails.

Obtained from:	TrustedBSD Project

1 files changed, 0 insertions, 8 deletions

diff --git a/sys/nfsserver/nfs_syscalls.c b/sys/nfsserver/nfs_syscalls.c
index ab247ea..4e0b468 100644
--- a/sys/nfsserver/nfs_syscalls.c
+++ b/sys/nfsserver/nfs_syscalls.c
@@ -36,7 +36,6 @@
 __FBSDID("$FreeBSD$");
 
 #include "opt_inet6.h"
-#include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -74,8 +73,6 @@ __FBSDID("$FreeBSD$");
 #include <nfsserver/nfsm_subs.h>
 #include <nfsserver/nfsrvcache.h>
 
-#include <security/mac/mac_framework.h>
-
 static MALLOC_DEFINE(M_NFSSVC, "nfss_srvsock", "Nfs server structure");
 
 MALLOC_DEFINE(M_NFSRVDESC, "nfss_srvdesc", "NFS server socket descriptor");
@@ -134,11 +131,6 @@ nfssvc(struct thread *td, struct nfssvc_args *uap)
 
 	KASSERT(!mtx_owned(&Giant), ("nfssvc(): called with Giant"));
 
-#ifdef MAC
-	error = mac_check_system_nfsd(td->td_ucred);
-	if (error)
-		return (error);
-#endif
 	error = priv_check(td, PRIV_NFS_DAEMON);
 	if (error)
 		return (error);