authorrwatson <rwatson@FreeBSD.org>2003-11-12 03:14:31 +0000
committerrwatson <rwatson@FreeBSD.org>2003-11-12 03:14:31 +0000
commit77ed6e2d1cbbf9a46dd5ae6d089eeb45ab81fbcb (patch)
treea3d104511a2cb91c797ff9c5bcc6f9c70abc63ce /sys/security/mac
parent9352a05d4022d31faee0a088a5df3456001e11ae (diff)
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures. This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability. While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) due to memory conservation and reduced cost of zeroing memory. NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol. Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security/mac')
-rw-r--r--sys/security/mac/mac_framework.c119
-rw-r--r--sys/security/mac/mac_framework.h11
-rw-r--r--sys/security/mac/mac_internal.h14
-rw-r--r--sys/security/mac/mac_label.c97
-rw-r--r--sys/security/mac/mac_net.c259
-rw-r--r--sys/security/mac/mac_pipe.c25
-rw-r--r--sys/security/mac/mac_process.c64
-rw-r--r--sys/security/mac/mac_syscalls.c119
-rw-r--r--sys/security/mac/mac_system.c8
-rw-r--r--sys/security/mac/mac_vfs.c222
10 files changed, 579 insertions, 359 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index c459003..f9adf9b 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -256,6 +256,7 @@ mac_init(void)
LIST_INIT(&mac_static_policy_list);
LIST_INIT(&mac_policy_list);
+ mac_labelzone_init();
mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
cv_init(&mac_policy_cv, "mac_policy_cv");
@@ -565,7 +566,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&tcred->cr_label, elements,
+ error = mac_externalize_cred_label(tcred->cr_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -602,7 +603,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&td->td_ucred->cr_label,
+ error = mac_externalize_cred_label(td->td_ucred->cr_label,
elements, buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -619,7 +620,7 @@ int
__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
{
struct ucred *newcred, *oldcred;
- struct label intlabel;
+ struct label *intlabel;
struct proc *p;
struct mac mac;
char *buffer;
@@ -640,13 +641,11 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
return (error);
}
- mac_init_cred_label(&intlabel);
- error = mac_internalize_cred_label(&intlabel, buffer);
+ intlabel = mac_cred_label_alloc();
+ error = mac_internalize_cred_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_cred_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
newcred = crget();
@@ -654,7 +653,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
PROC_LOCK(p);
oldcred = p->p_ucred;
- error = mac_check_cred_relabel(oldcred, &intlabel);
+ error = mac_check_cred_relabel(oldcred, intlabel);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@@ -663,7 +662,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
setsugid(p);
crcopy(newcred, oldcred);
- mac_relabel_cred(newcred, &intlabel);
+ mac_relabel_cred(newcred, intlabel);
p->p_ucred = newcred;
/*
@@ -683,7 +682,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
crfree(oldcred);
out:
- mac_destroy_cred_label(&intlabel);
+ mac_cred_label_free(intlabel);
return (error);
}
@@ -694,7 +693,7 @@ int
__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
{
char *elements, *buffer;
- struct label intlabel;
+ struct label *intlabel;
struct file *fp;
struct mac mac;
struct vnode *vp;
@@ -729,20 +728,20 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_VNODE:
vp = fp->f_vnode;
- mac_init_vnode_label(&intlabel);
+ intlabel = mac_vnode_label_alloc();
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- mac_copy_vnode_label(&vp->v_label, &intlabel);
+ mac_copy_vnode_label(vp->v_label, intlabel);
VOP_UNLOCK(vp, 0, td);
break;
case DTYPE_PIPE:
pipe = fp->f_data;
- mac_init_pipe_label(&intlabel);
+ intlabel = mac_pipe_label_alloc();
PIPE_LOCK(pipe);
- mac_copy_pipe_label(pipe->pipe_label, &intlabel);
+ mac_copy_pipe_label(pipe->pipe_label, intlabel);
PIPE_UNLOCK(pipe);
break;
default:
@@ -756,14 +755,14 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_FIFO:
case DTYPE_VNODE:
if (error == 0)
- error = mac_externalize_vnode_label(&intlabel,
+ error = mac_externalize_vnode_label(intlabel,
elements, buffer, mac.m_buflen);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
- error = mac_externalize_pipe_label(&intlabel, elements,
+ error = mac_externalize_pipe_label(intlabel, elements,
buffer, mac.m_buflen);
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
break;
default:
panic("__mac_get_fd: corrupted label_type");
@@ -788,7 +787,7 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
int error;
@@ -815,13 +814,13 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
if (error)
goto out;
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -843,7 +842,7 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
int error;
@@ -870,12 +869,12 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
if (error)
goto out;
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -895,7 +894,7 @@ out:
int
__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct pipe *pipe;
struct file *fp;
struct mount *mp;
@@ -928,40 +927,40 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
switch (fp->f_type) {
case DTYPE_FIFO:
case DTYPE_VNODE:
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
if (error) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
}
vp = fp->f_vnode;
error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
if (error != 0) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
}
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = vn_setlabel(vp, &intlabel, td->td_ucred);
+ error = vn_setlabel(vp, intlabel, td->td_ucred);
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
- mac_init_pipe_label(&intlabel);
- error = mac_internalize_pipe_label(&intlabel, buffer);
+ intlabel = mac_pipe_label_alloc();
+ error = mac_internalize_pipe_label(intlabel, buffer);
if (error == 0) {
pipe = fp->f_data;
PIPE_LOCK(pipe);
error = mac_pipe_label_set(td->td_ucred, pipe,
- &intlabel);
+ intlabel);
PIPE_UNLOCK(pipe);
}
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
break;
default:
@@ -983,7 +982,7 @@ out:
int
__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@@ -1005,13 +1004,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
return (error);
}
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
mtx_lock(&Giant); /* VFS */
@@ -1021,15 +1018,15 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
return (error);
}
@@ -1039,7 +1036,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
int
__mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@@ -1061,13 +1058,11 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
return (error);
}
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
mtx_lock(&Giant); /* VFS */
@@ -1077,15 +1072,15 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
return (error);
}
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 7955c25a..1dc6bf1 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -144,7 +144,6 @@ int mac_init_mbuf_tag(struct m_tag *, int flag);
void mac_init_mount(struct mount *);
void mac_init_proc(struct proc *);
void mac_init_vnode(struct vnode *);
-void mac_init_vnode_label(struct label *);
void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
void mac_copy_vnode_label(struct label *, struct label *label);
void mac_destroy_bpfdesc(struct bpf_d *);
@@ -158,7 +157,12 @@ void mac_destroy_proc(struct proc *);
void mac_destroy_mbuf_tag(struct m_tag *);
void mac_destroy_mount(struct mount *);
void mac_destroy_vnode(struct vnode *);
-void mac_destroy_vnode_label(struct label *);
+
+struct label *mac_cred_label_alloc(void);
+void mac_cred_label_free(struct label *label);
+struct label *mac_vnode_label_alloc(void);
+void mac_vnode_label_free(struct label *label);
+void mac_destroy_vnode_label(struct label *);
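Review bot: `void mac_destroy_vnode_label(struct label *);` is removed from its old position and re-added directly after the new mac_vnode_label_alloc/mac_vnode_label_free prototypes, while its counterpart mac_init_vnode_label is dropped for good, so the header now advertises a destroy half with no init half next to the alloc/free pair that replaces both. If mac_vfs.c (not in view) still has callers that need it, a comment naming them, e.g. `/* Still used by callers that embed a label rather than own a zone allocation. */`, would stop the next reader from treating it as a leftover; otherwise the prototype should go. Note also that mac_cred_label_alloc/mac_cred_label_free are declared in this public header whereas mac_pipe_label_alloc/mac_pipe_label_free are added to mac_internal.h in the same commit; it is not clear from the diff whether the cred pair is intended for use outside the framework, and the placement should say so.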
/*
* Labeling event operations: file system objects, and things that
@@ -220,8 +224,7 @@ void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
* Labeling event operations: processes.
*/
void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
-int mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
- struct label *execlabel);
+int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
void mac_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *interpvnodelabel,
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index b07cf6f..957057b 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -59,6 +59,7 @@ extern struct mac_policy_list_head mac_policy_list;
extern struct mac_policy_list_head mac_static_policy_list;
extern int mac_late;
extern int mac_enforce_process;
+extern int mac_enforce_sysv;
extern int mac_enforce_vm;
#ifndef MAC_ALWAYS_LABEL_MBUF
extern int mac_labelmbufs;
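Review bot: `extern int mac_enforce_sysv;` is unrelated to the label-pointer conversion this commit performs, and no definition of it appears in any hunk in view. If the definition lands in mac_system.c (listed in the diffstat but not shown here) the declaration resolves; otherwise it is dangling and belongs in the commit that introduces the SysV IPC enforcement knob.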
@@ -88,6 +89,10 @@ void mac_policy_list_busy(void);
int mac_policy_list_conditional_busy(void);
void mac_policy_list_unbusy(void);
+struct label *mac_labelzone_alloc(int flags);
+void mac_labelzone_free(struct label *label);
+void mac_labelzone_init(void);
+
void mac_init_label(struct label *label);
void mac_destroy_label(struct label *label);
int mac_check_structmac_consistent(struct mac *mac);
@@ -98,19 +103,18 @@ int mac_allocate_slot(void);
* the namespaces, etc, should work for these, so for now, sort by
* object type.
*/
+struct label *mac_pipe_label_alloc(void);
+void mac_pipe_label_free(struct label *label);
+
int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
-void mac_destroy_cred_label(struct label *label);
-int mac_externalize_cred_label(struct label *label, char *elements,
+int mac_externalize_cred_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-void mac_init_cred_label(struct label *label);
int mac_internalize_cred_label(struct label *label, char *string);
void mac_relabel_cred(struct ucred *cred, struct label *newlabel);
void mac_copy_pipe_label(struct label *src, struct label *dest);
-void mac_destroy_pipe_label(struct label *label);
int mac_externalize_pipe_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-void mac_init_pipe_label(struct label *label);
int mac_internalize_pipe_label(struct label *label, char *string);
int mac_externalize_vnode_label(struct label *label, char *elements,
diff --git a/sys/security/mac/mac_label.c b/sys/security/mac/mac_label.c
new file mode 100644
index 0000000..eedc1df
--- /dev/null
+++ b/sys/security/mac/mac_label.c
@@ -0,0 +1,97 @@
+/*-
+ * Copyright (c) 2003 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project in part by Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+ * as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/mac.h>
+#include <sys/sysctl.h>
+#include <sys/systm.h>
+
+#include <vm/uma.h>
+
+#include <security/mac/mac_internal.h>
+
+uma_zone_t zone_label;
+
+static void mac_labelzone_ctor(void *mem, int size, void *arg);
+static void mac_labelzone_dtor(void *mem, int size, void *arg);
+
+void
+mac_labelzone_init(void)
+{
+
+ zone_label = uma_zcreate("MAC labels", sizeof(struct label),
+ mac_labelzone_ctor, mac_labelzone_dtor, NULL, NULL,
+ UMA_ALIGN_PTR, 0);
+}
+
+static void
+mac_labelzone_ctor(void *mem, int size, void *arg)
+{
+ struct label *label;
+
+ KASSERT(size == sizeof(*label), ("mac_labelzone_ctor: wrong size\n"));
+ label = mem;
+ bzero(label, sizeof(*label));
+ label->l_flags = MAC_FLAG_INITIALIZED;
+}
+
+static void
+mac_labelzone_dtor(void *mem, int size, void *arg)
+{
+ struct label *label;
+
+ KASSERT(size == sizeof(*label), ("mac_labelzone_dtor: wrong size\n"));
+ label = mem;
+#ifdef DIAGNOSTIC
+ bzero(label, sizeof(*label));
+#else
+ label->l_flags &= ~MAC_FLAG_INITIALIZED;
+#endif
+}
+
+struct label *
+mac_labelzone_alloc(int flags)
+{
+
+ return (uma_zalloc(zone_label, flags));
+}
+
+void
+mac_labelzone_free(struct label *label)
+{
+
+ uma_zfree(zone_label, label);
+}
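Review bot: `uma_zone_t zone_label;` has external linkage although every access in the file goes through mac_labelzone_alloc/mac_labelzone_free and no declaration for it is added to mac_internal.h; make it `static uma_zone_t zone_label;` so nothing outside this file can allocate from the zone and bypass the ctor/dtor that set and clear MAC_FLAG_INITIALIZED. The non-DIAGNOSTIC branch of mac_labelzone_dtor leaves the per-policy slot contents in the freed item and only clears the flag, which is sound because the ctor bzeros the item again on the next allocation, but that reasoning should be stated, e.g. `/* The ctor zeroes the item on reuse; clearing the flag here only makes a stale reference detectable. */`. The two KASSERT messages end in `\n`, which the framework's other KASSERTs do not, and `<sys/sysctl.h>` is included without any sysctl use in this file.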
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 308231e..7950393 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -91,7 +91,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
&nmacsockets, 0, "number of sockets in use");
#endif
-static void mac_destroy_socket_label(struct label *label);
+static void mac_socket_label_free(struct label *label);
+
static struct label *
mbuf_to_label(struct mbuf *mbuf)
@@ -105,46 +106,70 @@ mbuf_to_label(struct mbuf *mbuf)
return (label);
}
+static struct label *
+mac_bpfdesc_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_bpfdesc_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
+ return (label);
+}
+
void
mac_init_bpfdesc(struct bpf_d *bpf_d)
{
- mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
- MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
+ bpf_d->bd_label = mac_bpfdesc_label_alloc();
}
-static void
-mac_init_ifnet_label(struct label *label)
+static struct label *
+mac_ifnet_label_alloc(void)
{
+ struct label *label;
- mac_init_label(label);
+ label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_ifnet_label, label);
MAC_DEBUG_COUNTER_INC(&nmacifnets);
+ return (label);
}
void
mac_init_ifnet(struct ifnet *ifp)
{
- mac_init_ifnet_label(&ifp->if_label);
+ ifp->if_label = mac_ifnet_label_alloc();
}
-int
-mac_init_ipq(struct ipq *ipq, int flag)
+static struct label *
+mac_ipq_label_alloc(int flag)
{
+ struct label *label;
int error;
- mac_init_label(&ipq->ipq_label);
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
- MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+ MAC_CHECK(init_ipq_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
- mac_destroy_label(&ipq->ipq_label);
- } else {
- MAC_DEBUG_COUNTER_INC(&nmacipqs);
+ MAC_PERFORM(destroy_ipq_label, label);
+ mac_labelzone_free(label);
+ return (NULL);
}
- return (error);
+ MAC_DEBUG_COUNTER_INC(&nmacipqs);
+ return (label);
+}
+
+int
+mac_init_ipq(struct ipq *ipq, int flag)
+{
+
+ ipq->ipq_label = mac_ipq_label_alloc(flag);
+ if (ipq->ipq_label == NULL)
+ return (ENOMEM);
+ return (0);
}
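Review bot: mac_ipq_label_alloc returns NULL both when mac_labelzone_alloc fails and when a policy's init_ipq_label check rejects (the `return (NULL)` after `MAC_PERFORM(destroy_ipq_label, label)`), so mac_init_ipq now reports ENOMEM in both cases where the previous code returned the policy's own error value. Callers can therefore no longer tell a transient allocation failure from a policy refusal, and the policy's error code is silently discarded. Either keep an int-returning shape that fills the label through an out pointer, or give mac_ipq_label_alloc an `int *errorp` so mac_init_ipq can `return (error)`. The same collapse appears in mac_socket_label_alloc and mac_socket_peer_label_alloc in the next hunk, where mac_init_socket likewise returns ENOMEM for either cause.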
int
@@ -195,71 +220,85 @@ mac_init_mbuf(struct mbuf *m, int flag)
return (0);
}
-static int
-mac_init_socket_label(struct label *label, int flag)
+static struct label *
+mac_socket_label_alloc(int flag)
{
+ struct label *label;
int error;
- mac_init_label(label);
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
MAC_CHECK(init_socket_label, label, flag);
if (error) {
MAC_PERFORM(destroy_socket_label, label);
- mac_destroy_label(label);
- } else {
- MAC_DEBUG_COUNTER_INC(&nmacsockets);
+ mac_labelzone_free(label);
+ return (NULL);
}
-
- return (error);
+ MAC_DEBUG_COUNTER_INC(&nmacsockets);
+ return (label);
}
-static int
-mac_init_socket_peer_label(struct label *label, int flag)
+static struct label *
+mac_socket_peer_label_alloc(int flag)
{
+ struct label *label;
int error;
- mac_init_label(label);
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
MAC_CHECK(init_socket_peer_label, label, flag);
if (error) {
MAC_PERFORM(destroy_socket_peer_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
+ return (NULL);
}
-
- return (error);
+ MAC_DEBUG_COUNTER_INC(&nmacsockets);
+ return (label);
}
int
-mac_init_socket(struct socket *socket, int flag)
+mac_init_socket(struct socket *so, int flag)
{
- int error;
- error = mac_init_socket_label(&socket->so_label, flag);
- if (error)
- return (error);
+ so->so_label = mac_socket_label_alloc(flag);
+ if (so->so_label == NULL)
+ return (ENOMEM);
+ so->so_peerlabel = mac_socket_peer_label_alloc(flag);
+ if (so->so_peerlabel == NULL) {
+ mac_socket_label_free(so->so_label);
+ so->so_label = NULL;
+ return (ENOMEM);
+ }
+ return (0);
+}
- error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
- if (error)
- mac_destroy_socket_label(&socket->so_label);
+static void
+mac_bpfdesc_label_free(struct label *label)
+{
- return (error);
+ MAC_PERFORM(destroy_bpfdesc_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
}
void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
- MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
- mac_destroy_label(&bpf_d->bd_label);
- MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
+ mac_bpfdesc_label_free(bpf_d->bd_label);
+ bpf_d->bd_label = NULL;
}
static void
-mac_destroy_ifnet_label(struct label *label)
+mac_ifnet_label_free(struct label *label)
{
MAC_PERFORM(destroy_ifnet_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacifnets);
}
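Review bot: mac_socket_peer_label_alloc now increments nmacsockets (the added `MAC_DEBUG_COUNTER_INC(&nmacsockets);` before `return (label);`), and mac_socket_peer_label_free in a later hunk decrements it, so the counter published as `security.mac.debug.counters.sockets` with the description "number of sockets in use" counts two per socket under MAC_DEBUG. The previous mac_init_socket_peer_label did not touch the counter; either drop the increment and decrement for the peer label or add a separate peer-label counter with its own description. Separately, mac_init_socket's failure path frees so_label and leaves both pointers NULL, and since mac_destroy_socket passes so_label and so_peerlabel to the policies unconditionally, a comment on mac_init_socket such as `/* On failure both label pointers are NULL; the caller must not call mac_destroy_socket. */` would make the contract explicit.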
@@ -267,16 +306,25 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
- mac_destroy_ifnet_label(&ifp->if_label);
+ mac_ifnet_label_free(ifp->if_label);
+ ifp->if_label = NULL;
+}
+
+static void
+mac_ipq_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_ipq_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacipqs);
}
void
mac_destroy_ipq(struct ipq *ipq)
{
- MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
- mac_destroy_label(&ipq->ipq_label);
- MAC_DEBUG_COUNTER_DEC(&nmacipqs);
+ mac_ipq_label_free(ipq->ipq_label);
+ ipq->ipq_label = NULL;
}
void
@@ -292,28 +340,31 @@ mac_destroy_mbuf_tag(struct m_tag *tag)
}
static void
-mac_destroy_socket_label(struct label *label)
+mac_socket_label_free(struct label *label)
{
MAC_PERFORM(destroy_socket_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacsockets);
}
static void
-mac_destroy_socket_peer_label(struct label *label)
+mac_socket_peer_label_free(struct label *label)
{
MAC_PERFORM(destroy_socket_peer_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacsockets);
}
void
mac_destroy_socket(struct socket *socket)
{
- mac_destroy_socket_label(&socket->so_label);
- mac_destroy_socket_peer_label(&socket->so_peerlabel);
+ mac_socket_label_free(socket->so_label);
+ socket->so_label = NULL;
+ mac_socket_peer_label_free(socket->so_peerlabel);
+ socket->so_peerlabel = NULL;
}
void
@@ -388,21 +439,21 @@ void
mac_create_ifnet(struct ifnet *ifnet)
{
- MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label);
+ MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label);
}
void
mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
{
- MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label);
}
void
mac_create_socket(struct ucred *cred, struct socket *socket)
{
- MAC_PERFORM(create_socket, cred, socket, &socket->so_label);
+ MAC_PERFORM(create_socket, cred, socket, socket->so_label);
}
void
@@ -410,8 +461,8 @@ mac_create_socket_from_socket(struct socket *oldsocket,
struct socket *newsocket)
{
- MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label,
- newsocket, &newsocket->so_label);
+ MAC_PERFORM(create_socket_from_socket, oldsocket, oldsocket->so_label,
+ newsocket, newsocket->so_label);
}
static void
@@ -419,7 +470,7 @@ mac_relabel_socket(struct ucred *cred, struct socket *socket,
struct label *newlabel)
{
- MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel);
+ MAC_PERFORM(relabel_socket, cred, socket, socket->so_label, newlabel);
}
void
@@ -430,7 +481,7 @@ mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket)
label = mbuf_to_label(mbuf);
MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket,
- &socket->so_peerlabel);
+ socket->so_peerlabel);
}
void
@@ -439,7 +490,7 @@ mac_set_socket_peer_from_socket(struct socket *oldsocket,
{
MAC_PERFORM(set_socket_peer_from_socket, oldsocket,
- &oldsocket->so_label, newsocket, &newsocket->so_peerlabel);
+ oldsocket->so_label, newsocket, newsocket->so_peerlabel);
}
void
@@ -449,7 +500,7 @@ mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram)
label = mbuf_to_label(datagram);
- MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label,
+ MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label,
datagram, label);
}
@@ -472,7 +523,7 @@ mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
label = mbuf_to_label(fragment);
- MAC_PERFORM(create_ipq, fragment, label, ipq, &ipq->ipq_label);
+ MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label);
}
void
@@ -494,7 +545,7 @@ mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf,
+ MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf,
label);
}
@@ -505,7 +556,7 @@ mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf,
+ MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf,
label);
}
@@ -516,7 +567,7 @@ mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf,
+ MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf,
label);
}
@@ -530,7 +581,7 @@ mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet,
newmbuflabel = mbuf_to_label(newmbuf);
MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel,
- ifnet, &ifnet->if_label, newmbuf, newmbuflabel);
+ ifnet, ifnet->if_label, newmbuf, newmbuflabel);
}
void
@@ -555,7 +606,7 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
result = 1;
MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq,
- &ipq->ipq_label);
+ ipq->ipq_label);
return (result);
}
@@ -586,7 +637,7 @@ mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
label = mbuf_to_label(fragment);
- MAC_PERFORM(update_ipq, fragment, label, ipq, &ipq->ipq_label);
+ MAC_PERFORM(update_ipq, fragment, label, ipq, ipq->ipq_label);
}
void
@@ -596,7 +647,7 @@ mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf,
+ MAC_PERFORM(create_mbuf_from_socket, socket, socket->so_label, mbuf,
label);
}
@@ -608,8 +659,8 @@ mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
if (!mac_enforce_network)
return (0);
- MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet,
- &ifnet->if_label);
+ MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet,
+ ifnet->if_label);
return (error);
}
@@ -627,7 +678,7 @@ mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
- MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf,
+ MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf,
label);
return (error);
@@ -642,7 +693,7 @@ mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label,
sockaddr);
return (error);
@@ -657,7 +708,7 @@ mac_check_socket_connect(struct ucred *cred, struct socket *socket,
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_connect, cred, socket, socket->so_label,
sockaddr);
return (error);
@@ -674,7 +725,7 @@ mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
- MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf,
+ MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf,
label);
return (error);
@@ -688,7 +739,7 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label);
+ MAC_CHECK(check_socket_listen, cred, socket, socket->so_label);
return (error);
}
@@ -700,7 +751,7 @@ mac_check_socket_receive(struct ucred *cred, struct socket *so)
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+ MAC_CHECK(check_socket_receive, cred, so, so->so_label);
return (error);
}
@@ -711,7 +762,7 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
{
int error;
- MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_relabel, cred, socket, socket->so_label,
newlabel);
return (error);
@@ -725,7 +776,7 @@ mac_check_socket_send(struct ucred *cred, struct socket *so)
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+ MAC_CHECK(check_socket_send, cred, so, so->so_label);
return (error);
}
@@ -738,7 +789,7 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label);
+ MAC_CHECK(check_socket_visible, cred, socket, socket->so_label);
return (error);
}
@@ -767,7 +818,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_ifnet_label(&ifnet->if_label, elements,
+ error = mac_externalize_ifnet_label(ifnet->if_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -782,7 +833,7 @@ int
mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
char *buffer;
int error;
@@ -802,11 +853,11 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
return (error);
}
- mac_init_ifnet_label(&intlabel);
- error = mac_internalize_ifnet_label(&intlabel, buffer);
+ intlabel = mac_ifnet_label_alloc();
+ error = mac_internalize_ifnet_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
- mac_destroy_ifnet_label(&intlabel);
+ mac_ifnet_label_free(intlabel);
return (error);
}
@@ -817,20 +868,20 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
*/
error = suser_cred(cred, 0);
if (error) {
- mac_destroy_ifnet_label(&intlabel);
+ mac_ifnet_label_free(intlabel);
return (error);
}
- MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label,
- &intlabel);
+ MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label,
+ intlabel);
if (error) {
- mac_destroy_ifnet_label(&intlabel);
+ mac_ifnet_label_free(intlabel);
return (error);
}
- MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel);
+ MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel);
- mac_destroy_ifnet_label(&intlabel);
+ mac_ifnet_label_free(intlabel);
return (0);
}
@@ -838,7 +889,7 @@ int
mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
struct mac *mac)
{
- struct label intlabel;
+ struct label *intlabel;
char *buffer;
int error;
@@ -853,23 +904,23 @@ mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
return (error);
}
- mac_init_socket_label(&intlabel, M_WAITOK);
- error = mac_internalize_socket_label(&intlabel, buffer);
+ intlabel = mac_socket_label_alloc(M_WAITOK);
+ error = mac_internalize_socket_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
- mac_destroy_socket_label(&intlabel);
+ mac_socket_label_free(intlabel);
return (error);
}
- mac_check_socket_relabel(cred, so, &intlabel);
+ mac_check_socket_relabel(cred, so, intlabel);
if (error) {
- mac_destroy_socket_label(&intlabel);
+ mac_socket_label_free(intlabel);
return (error);
}
- mac_relabel_socket(cred, so, &intlabel);
+ mac_relabel_socket(cred, so, intlabel);
- mac_destroy_socket_label(&intlabel);
+ mac_socket_label_free(intlabel);
return (0);
}
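Review bot: The return value of `mac_check_socket_relabel(cred, so, intlabel);` is discarded, so the `if (error)` that follows tests the value left behind by `mac_internalize_socket_label`, which is already known to be zero at that point; the relabel check can therefore never reject the relabel, and `mac_relabel_socket` always runs. The defect predates this commit, but the line is rewritten here and the sibling path in `__mac_set_proc` does assign the result of `mac_check_cred_relabel`, so the two should agree. Change the call to `error = mac_check_socket_relabel(cred, so, intlabel);`.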
@@ -892,7 +943,7 @@ mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
}
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_socket_label(&so->so_label, elements,
+ error = mac_externalize_socket_label(so->so_label, elements,
buffer, mac->m_buflen);
if (error == 0)
error = copyout(buffer, mac->m_string, strlen(buffer)+1);
@@ -922,7 +973,7 @@ mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,
}
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_socket_peer_label(&so->so_peerlabel,
+ error = mac_externalize_socket_peer_label(so->so_peerlabel,
elements, buffer, mac->m_buflen);
if (error == 0)
error = copyout(buffer, mac->m_string, strlen(buffer)+1);
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index b30ebaf..61633c3 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -61,34 +61,31 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
&nmacpipes, 0, "number of pipes in use");
#endif
-MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
-
-void
-mac_init_pipe_label(struct label *label)
+struct label *
+mac_pipe_label_alloc(void)
{
+ struct label *label;
- mac_init_label(label);
+ label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_pipe_label, label);
MAC_DEBUG_COUNTER_INC(&nmacpipes);
+ return (label);
}
void
mac_init_pipe(struct pipe *pipe)
{
- struct label *label;
- label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK);
- pipe->pipe_label = label;
- pipe->pipe_peer->pipe_label = label;
- mac_init_pipe_label(label);
+ pipe->pipe_label = pipe->pipe_peer->pipe_label =
+ mac_pipe_label_alloc();
}
void
-mac_destroy_pipe_label(struct label *label)
+mac_pipe_label_free(struct label *label)
{
MAC_PERFORM(destroy_pipe_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacpipes);
}
@@ -96,8 +93,8 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
- mac_destroy_pipe_label(pipe->pipe_label);
- free(pipe->pipe_label, M_MACPIPELABEL);
+ mac_pipe_label_free(pipe->pipe_label);
+ pipe->pipe_label = NULL;
}
void
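Review bot: `pipe->pipe_label = NULL;` clears only one of the two pointers that `mac_init_pipe` sets to the same label (`pipe->pipe_label = pipe->pipe_peer->pipe_label = mac_pipe_label_alloc();` in the previous hunk), so after `mac_pipe_label_free` the peer's `pipe_label` still points at the returned zone memory. If the peer can outlive this call, it is left holding a dangling pointer; if the pair is always torn down together, a comment stating that assumption would help, e.g. `/* The label is shared with pipe_peer; the pair is destroyed as a unit. */`. Otherwise also clear the peer's pointer, guarded on `pipe->pipe_peer != NULL`.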
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 7697671..68d847d 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -96,37 +96,48 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
-void
-mac_init_cred_label(struct label *label)
+struct label *
+mac_cred_label_alloc(void)
{
+ struct label *label;
- mac_init_label(label);
+ label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_cred_label, label);
MAC_DEBUG_COUNTER_INC(&nmaccreds);
+ return (label);
}
void
mac_init_cred(struct ucred *cred)
{
- mac_init_cred_label(&cred->cr_label);
+ cred->cr_label = mac_cred_label_alloc();
+}
+
+static struct label *
+mac_proc_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_proc_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacprocs);
+ return (label);
}
void
mac_init_proc(struct proc *p)
{
- mac_init_label(&p->p_label);
- MAC_PERFORM(init_proc_label, &p->p_label);
- MAC_DEBUG_COUNTER_INC(&nmacprocs);
+ p->p_label = mac_proc_label_alloc();
}
void
-mac_destroy_cred_label(struct label *label)
+mac_cred_label_free(struct label *label)
{
MAC_PERFORM(destroy_cred_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmaccreds);
}
@@ -134,16 +145,25 @@ void
mac_destroy_cred(struct ucred *cred)
{
- mac_destroy_cred_label(&cred->cr_label);
+ mac_cred_label_free(cred->cr_label);
+ cred->cr_label = NULL;
+}
+
+static void
+mac_proc_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_proc_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacprocs);
}
void
mac_destroy_proc(struct proc *p)
{
- MAC_PERFORM(destroy_proc_label, &p->p_label);
- mac_destroy_label(&p->p_label);
- MAC_DEBUG_COUNTER_DEC(&nmacprocs);
+ mac_proc_label_free(p->p_label);
+ p->p_label = NULL;
}
int
@@ -209,9 +229,9 @@ mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
}
int
-mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
- struct label *execlabelstorage)
+mac_execve_enter(struct image_params *imgp, struct mac *mac_p)
{
+ struct label *label;
struct mac mac;
char *buffer;
int error;
@@ -234,22 +254,24 @@ mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
return (error);
}
- mac_init_cred_label(execlabelstorage);
- error = mac_internalize_cred_label(execlabelstorage, buffer);
+ label = mac_cred_label_alloc();
+ error = mac_internalize_cred_label(label, buffer);
free(buffer, M_MACTEMP);
if (error) {
- mac_destroy_cred_label(execlabelstorage);
+ mac_cred_label_free(label);
return (error);
}
- imgp->execlabel = execlabelstorage;
+ imgp->execlabel = label;
return (0);
}
void
mac_execve_exit(struct image_params *imgp)
{
- if (imgp->execlabel != NULL)
- mac_destroy_cred_label(imgp->execlabel);
+ if (imgp->execlabel != NULL) {
+ mac_cred_label_free(imgp->execlabel);
+ imgp->execlabel = NULL;
+ }
}
/*
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index c459003..f9adf9b 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -256,6 +256,7 @@ mac_init(void)
LIST_INIT(&mac_static_policy_list);
LIST_INIT(&mac_policy_list);
+ mac_labelzone_init();
mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
cv_init(&mac_policy_cv, "mac_policy_cv");
@@ -565,7 +566,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&tcred->cr_label, elements,
+ error = mac_externalize_cred_label(tcred->cr_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -602,7 +603,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&td->td_ucred->cr_label,
+ error = mac_externalize_cred_label(td->td_ucred->cr_label,
elements, buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -619,7 +620,7 @@ int
__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
{
struct ucred *newcred, *oldcred;
- struct label intlabel;
+ struct label *intlabel;
struct proc *p;
struct mac mac;
char *buffer;
@@ -640,13 +641,11 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
return (error);
}
- mac_init_cred_label(&intlabel);
- error = mac_internalize_cred_label(&intlabel, buffer);
+ intlabel = mac_cred_label_alloc();
+ error = mac_internalize_cred_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_cred_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
newcred = crget();
@@ -654,7 +653,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
PROC_LOCK(p);
oldcred = p->p_ucred;
- error = mac_check_cred_relabel(oldcred, &intlabel);
+ error = mac_check_cred_relabel(oldcred, intlabel);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@@ -663,7 +662,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
setsugid(p);
crcopy(newcred, oldcred);
- mac_relabel_cred(newcred, &intlabel);
+ mac_relabel_cred(newcred, intlabel);
p->p_ucred = newcred;
/*
@@ -683,7 +682,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
crfree(oldcred);
out:
- mac_destroy_cred_label(&intlabel);
+ mac_cred_label_free(intlabel);
return (error);
}
@@ -694,7 +693,7 @@ int
__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
{
char *elements, *buffer;
- struct label intlabel;
+ struct label *intlabel;
struct file *fp;
struct mac mac;
struct vnode *vp;
@@ -729,20 +728,20 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_VNODE:
vp = fp->f_vnode;
- mac_init_vnode_label(&intlabel);
+ intlabel = mac_vnode_label_alloc();
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- mac_copy_vnode_label(&vp->v_label, &intlabel);
+ mac_copy_vnode_label(vp->v_label, intlabel);
VOP_UNLOCK(vp, 0, td);
break;
case DTYPE_PIPE:
pipe = fp->f_data;
- mac_init_pipe_label(&intlabel);
+ intlabel = mac_pipe_label_alloc();
PIPE_LOCK(pipe);
- mac_copy_pipe_label(pipe->pipe_label, &intlabel);
+ mac_copy_pipe_label(pipe->pipe_label, intlabel);
PIPE_UNLOCK(pipe);
break;
default:
@@ -756,14 +755,14 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_FIFO:
case DTYPE_VNODE:
if (error == 0)
- error = mac_externalize_vnode_label(&intlabel,
+ error = mac_externalize_vnode_label(intlabel,
elements, buffer, mac.m_buflen);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
- error = mac_externalize_pipe_label(&intlabel, elements,
+ error = mac_externalize_pipe_label(intlabel, elements,
buffer, mac.m_buflen);
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
break;
default:
panic("__mac_get_fd: corrupted label_type");
@@ -788,7 +787,7 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
int error;
@@ -815,13 +814,13 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
if (error)
goto out;
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -843,7 +842,7 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
int error;
@@ -870,12 +869,12 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
if (error)
goto out;
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -895,7 +894,7 @@ out:
int
__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct pipe *pipe;
struct file *fp;
struct mount *mp;
@@ -928,40 +927,40 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
switch (fp->f_type) {
case DTYPE_FIFO:
case DTYPE_VNODE:
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
if (error) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
}
vp = fp->f_vnode;
error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
if (error != 0) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
}
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = vn_setlabel(vp, &intlabel, td->td_ucred);
+ error = vn_setlabel(vp, intlabel, td->td_ucred);
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
- mac_init_pipe_label(&intlabel);
- error = mac_internalize_pipe_label(&intlabel, buffer);
+ intlabel = mac_pipe_label_alloc();
+ error = mac_internalize_pipe_label(intlabel, buffer);
if (error == 0) {
pipe = fp->f_data;
PIPE_LOCK(pipe);
error = mac_pipe_label_set(td->td_ucred, pipe,
- &intlabel);
+ intlabel);
PIPE_UNLOCK(pipe);
}
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
break;
default:
@@ -983,7 +982,7 @@ out:
int
__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@@ -1005,13 +1004,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
return (error);
}
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
mtx_lock(&Giant); /* VFS */
@@ -1021,15 +1018,15 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
return (error);
}
@@ -1039,7 +1036,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
int
__mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@@ -1061,13 +1058,11 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
return (error);
}
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
mtx_lock(&Giant); /* VFS */
@@ -1077,15 +1072,15 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
return (error);
}
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index e5041a2..14755cf 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -120,7 +120,7 @@ mac_check_kld_load(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_kld)
return (0);
- MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+ MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
return (error);
}
@@ -176,7 +176,7 @@ mac_check_system_acct(struct ucred *cred, struct vnode *vp)
return (0);
MAC_CHECK(check_system_acct, cred, vp,
- vp != NULL ? &vp->v_label : NULL);
+ vp != NULL ? vp->v_label : NULL);
return (error);
}
@@ -230,7 +230,7 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_system)
return (0);
- MAC_CHECK(check_system_swapon, cred, vp, &vp->v_label);
+ MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
return (error);
}
@@ -244,7 +244,7 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_system)
return (0);
- MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
+ MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
return (error);
}
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 08e78bb..8d475a5 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -100,68 +100,123 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
static int mac_setlabel_vnode_extattr(struct ucred *cred,
struct vnode *vp, struct label *intlabel);
-void
-mac_init_devfsdirent(struct devfs_dirent *de)
+static struct label *
+mac_devfsdirent_label_alloc(void)
{
+ struct label *label;
- mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent_label, &de->de_label);
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_devfsdirent_label, label);
MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
+ return (label);
}
void
-mac_init_mount(struct mount *mp)
+mac_init_devfsdirent(struct devfs_dirent *de)
+{
+
+ de->de_label = mac_devfsdirent_label_alloc();
+}
+
+static struct label *
+mac_mount_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_mount_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacmounts);
+ return (label);
+}
+
+static struct label *
+mac_mount_fs_label_alloc(void)
{
+ struct label *label;
- mac_init_label(&mp->mnt_mntlabel);
- mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
- MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_mount_fs_label, label);
MAC_DEBUG_COUNTER_INC(&nmacmounts);
+ return (label);
}
void
-mac_init_vnode_label(struct label *label)
+mac_init_mount(struct mount *mp)
+{
+
+ mp->mnt_mntlabel = mac_mount_label_alloc();
+ mp->mnt_fslabel = mac_mount_fs_label_alloc();
+}
+
+struct label *
+mac_vnode_label_alloc(void)
{
+ struct label *label;
- mac_init_label(label);
+ label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_vnode_label, label);
MAC_DEBUG_COUNTER_INC(&nmacvnodes);
+ return (label);
}
void
mac_init_vnode(struct vnode *vp)
{
- mac_init_vnode_label(&vp->v_label);
+ vp->v_label = mac_vnode_label_alloc();
+}
+
+static void
+mac_devfsdirent_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_devfsdirent_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
}
void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
- MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
- mac_destroy_label(&de->de_label);
- MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
+ mac_devfsdirent_label_free(de->de_label);
+ de->de_label = NULL;
+}
+
+static void
+mac_mount_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_mount_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacmounts);
+}
+
+static void
+mac_mount_fs_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_mount_fs_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacmounts);
}
void
mac_destroy_mount(struct mount *mp)
{
- MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
- MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
- mac_destroy_label(&mp->mnt_fslabel);
- mac_destroy_label(&mp->mnt_mntlabel);
- MAC_DEBUG_COUNTER_DEC(&nmacmounts);
+ mac_mount_fs_label_free(mp->mnt_fslabel);
+ mp->mnt_fslabel = NULL;
+ mac_mount_label_free(mp->mnt_mntlabel);
+ mp->mnt_mntlabel = NULL;
}
void
-mac_destroy_vnode_label(struct label *label)
+mac_vnode_label_free(struct label *label)
{
MAC_PERFORM(destroy_vnode_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
}
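Review bot: `nmacmounts` is now incremented in both `mac_mount_label_alloc` and `mac_mount_fs_label_alloc` (and decremented in both free helpers), so each mount bumps the counter twice where `mac_init_mount` previously bumped it once. The bookkeeping is balanced, but the counter's meaning has shifted from "mounts" to "mount labels", and its SYSCTL description (outside this hunk) presumably still describes mounts. Either count only in `mac_mount_label_alloc`/`mac_mount_label_free`, or add a comment above the two helpers such as `/* nmacmounts counts mount-related labels (two per mount), not mounts. */` and adjust the sysctl string to match.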
@@ -169,7 +224,8 @@ void
mac_destroy_vnode(struct vnode *vp)
{
- mac_destroy_vnode_label(&vp->v_label);
+ mac_vnode_label_free(vp->v_label);
+ vp->v_label = NULL;
}
void
@@ -205,8 +261,8 @@ mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp)
{
- MAC_PERFORM(update_devfsdirent, mp, de, &de->de_label, vp,
- &vp->v_label);
+ MAC_PERFORM(update_devfsdirent, mp, de, de->de_label, vp,
+ vp->v_label);
}
void
@@ -214,8 +270,8 @@ mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de,
- &de->de_label, vp, &vp->v_label);
+ MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_fslabel, de,
+ de->de_label, vp, vp->v_label);
}
int
@@ -225,8 +281,8 @@ mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
- MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp,
- &vp->v_label);
+ MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_fslabel, vp,
+ vp->v_label);
return (error);
}
@@ -235,8 +291,8 @@ void
mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp,
- &vp->v_label);
+ MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_fslabel, vp,
+ vp->v_label);
}
int
@@ -259,8 +315,8 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
} else if (error)
return (error);
- MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel,
- dvp, &dvp->v_label, vp, &vp->v_label, cnp);
+ MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
+ dvp, dvp->v_label, vp, vp->v_label, cnp);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
@@ -294,7 +350,7 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
} else if (error)
return (error);
- MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel);
+ MAC_CHECK(setlabel_vnode_extattr, cred, vp, vp->v_label, intlabel);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
@@ -319,7 +375,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return;
- MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
+ MAC_PERFORM(execve_transition, old, new, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
}
@@ -335,7 +391,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
return (0);
result = 0;
- MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
+ MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
return (result);
@@ -351,7 +407,7 @@ mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode);
return (error);
}
@@ -365,7 +421,7 @@ mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
+ MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label);
return (error);
}
@@ -379,7 +435,7 @@ mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
+ MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label);
return (error);
}
@@ -394,7 +450,7 @@ mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
+ MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap);
return (error);
}
@@ -410,8 +466,8 @@ mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
+ MAC_CHECK(check_vnode_delete, cred, dvp, dvp->v_label, vp,
+ vp->v_label, cnp);
return (error);
}
@@ -426,7 +482,7 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
+ MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type);
return (error);
}
@@ -441,7 +497,7 @@ mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+ MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label,
attrnamespace, name);
return (error);
}
@@ -457,7 +513,7 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp,
imgp->execlabel);
return (error);
@@ -473,7 +529,7 @@ mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
+ MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type);
return (error);
}
@@ -488,7 +544,7 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
+ MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
}
@@ -505,8 +561,8 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
+ MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp,
+ vp->v_label, cnp);
return (error);
}
@@ -521,7 +577,7 @@ mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+ MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label,
attrnamespace);
return (error);
}
@@ -537,7 +593,7 @@ mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
+ MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp);
return (error);
}
@@ -551,7 +607,7 @@ mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot)
if (!mac_enforce_fs || !mac_enforce_vm)
return (0);
- MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot);
+ MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot);
return (error);
}
@@ -565,7 +621,7 @@ mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
if (!mac_enforce_fs || !mac_enforce_vm)
return;
- MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, &vp->v_label,
+ MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label,
&result);
*prot = result;
@@ -581,7 +637,7 @@ mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
if (!mac_enforce_fs || !mac_enforce_vm)
return (0);
- MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot);
+ MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot);
return (error);
}
@@ -595,7 +651,7 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode);
return (error);
}
@@ -611,7 +667,7 @@ mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
return (0);
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
- &vp->v_label);
+ vp->v_label);
return (error);
}
@@ -628,7 +684,7 @@ mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
return (0);
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
- &vp->v_label);
+ vp->v_label);
return (error);
}
@@ -643,7 +699,7 @@ mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
+ MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label);
return (error);
}
@@ -657,7 +713,7 @@ mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
+ MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label);
return (error);
}
@@ -669,7 +725,7 @@ mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
- MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
+ MAC_CHECK(check_vnode_relabel, cred, vp, vp->v_label, newlabel);
return (error);
}
@@ -686,8 +742,8 @@ mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
+ MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp,
+ vp->v_label, cnp);
return (error);
}
@@ -703,8 +759,8 @@ mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
- vp != NULL ? &vp->v_label : NULL, samedir, cnp);
+ MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp,
+ vp != NULL ? vp->v_label : NULL, samedir, cnp);
return (error);
}
@@ -718,7 +774,7 @@ mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
+ MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label);
return (error);
}
@@ -733,7 +789,7 @@ mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
+ MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl);
return (error);
}
@@ -748,7 +804,7 @@ mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
+ MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
}
@@ -763,7 +819,7 @@ mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
+ MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags);
return (error);
}
@@ -777,7 +833,7 @@ mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
+ MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode);
return (error);
}
@@ -792,7 +848,7 @@ mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
+ MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid);
return (error);
}
@@ -807,7 +863,7 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
+ MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime,
mtime);
return (error);
}
@@ -824,7 +880,7 @@ mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
return (0);
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
- &vp->v_label);
+ vp->v_label);
return (error);
}
@@ -840,7 +896,7 @@ mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
return (0);
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
- &vp->v_label);
+ vp->v_label);
return (error);
}
@@ -849,23 +905,23 @@ void
mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
{
- MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel);
+ MAC_PERFORM(relabel_vnode, cred, vp, vp->v_label, newlabel);
}
void
mac_create_mount(struct ucred *cred, struct mount *mp)
{
- MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
- &mp->mnt_fslabel);
+ MAC_PERFORM(create_mount, cred, mp, mp->mnt_mntlabel,
+ mp->mnt_fslabel);
}
void
mac_create_root_mount(struct ucred *cred, struct mount *mp)
{
- MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel,
- &mp->mnt_fslabel);
+ MAC_PERFORM(create_root_mount, cred, mp, mp->mnt_mntlabel,
+ mp->mnt_fslabel);
}
int
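Review bot: mac_create_mount and mac_create_root_mount now pass `mp->mnt_mntlabel` and `mp->mnt_fslabel` by pointer with nothing in the source saying who allocates them or when; since the commit message says labels now come from a UMA zone, a reader of this file cannot tell whether these hooks may run before mac_init_mount has populated the two pointers. I would add a comment above mac_create_mount such as `/* Both mount labels must already have been allocated by mac_init_mount(); the pointers are passed to policies unchecked. */` and, if that ordering is guaranteed, a `KASSERT(mp->mnt_mntlabel != NULL && mp->mnt_fslabel != NULL, ("mac_create_mount: unlabeled mount"));` in each of the two functions. This is a documentation and assertion request only; I am not asserting that the ordering is currently wrong, since mac_init_mount is not in this hunk.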
@@ -876,7 +932,7 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel);
+ MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_mntlabel);
return (error);
}
@@ -885,7 +941,7 @@ void
mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de)
{
- MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label);
+ MAC_PERFORM(create_devfs_device, mp, dev, de, de->de_label);
}
void
@@ -893,8 +949,8 @@ mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct devfs_dirent *de)
{
- MAC_PERFORM(create_devfs_symlink, cred, mp, dd, &dd->de_label, de,
- &de->de_label);
+ MAC_PERFORM(create_devfs_symlink, cred, mp, dd, dd->de_label, de,
+ de->de_label);
}
void
@@ -903,7 +959,7 @@ mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
{
MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de,
- &de->de_label);
+ de->de_label);
}
/*