Reimplement sysctls handling by MAC framework.

Now I believe it is done in the right way.

Removed some XXMAC cases, we now assume 'high' integrity level for all
sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic.

Reviewed by:	rwatson
Approved by:	rwatson, scottl (mentor)
Tested with:	LINT (compilation), mac_biba(4) (functionality)

1 files changed, 3 insertions, 4 deletions

diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 14755cf..128f2c5 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -249,8 +249,8 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
 }
 
 int
-mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
-    void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1,
+    int arg2, struct sysctl_req *req)
 {
 	int error;
 
@@ -261,8 +261,7 @@ mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
 	if (!mac_enforce_system)
 		return (0);
 
-	MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
-	    inkernel, new, newlen);
+	MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req);
 
 	return (error);
 }