Move to C99 sparse structure initialization for the mac_policy_ops

structure definition, rather than using an operation vector
we translate into the structure.  Originally, we used a vector
for two reasons:

(1) We wanted to define the structure sparsely, which wasn't
    supported by the C compiler for structures.  For a policy
    with five entry points, you don't want to have to stick in
    a few hundred NULL function pointers.

(2) We thought it would improve ABI compatibility allowing modules
    to work with kernels that had a superset of the entry points
    defined in the module, even if the kernel had changed its
    entry point set.

Both of these no longer apply:

(1) C99 gives us a way to sparsely define a static structure.

(2) The ABI problems existed anyway, due to enumeration numbers,
    argument changes, and semantic mismatches.  Since the going
    rule for FreeBSD is that you really need your modules to
    pretty closely match your kernel, it's not worth the
    complexity.

This submit eliminates the operation vector, dynamic allocation
of the operation structure, copying of the vector to the
structure, and redoes the vectors in each policy to direct
structure definitions.  One enourmous benefit of this change
is that we now get decent type checking on policy entry point
implementation arguments.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

1 files changed, 131 insertions, 260 deletions

diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 21b97a0..329c85b 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -2372,266 +2372,137 @@ mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
 	return (0);
 }
 
-static struct mac_policy_op_entry mac_mls_ops[] =
-{
-	{ MAC_DESTROY,
-	    (macop_t)mac_mls_destroy },
-	{ MAC_INIT,
-	    (macop_t)mac_mls_init },
-	{ MAC_INIT_BPFDESC_LABEL,
-	    (macop_t)mac_mls_init_label },
-	{ MAC_INIT_CRED_LABEL,
-	    (macop_t)mac_mls_init_label },
-	{ MAC_INIT_DEVFSDIRENT_LABEL,
-	    (macop_t)mac_mls_init_label },
-	{ MAC_INIT_IFNET_LABEL,
-	    (macop_t)mac_mls_init_label },
-	{ MAC_INIT_IPQ_LABEL,
-	    (macop_t)mac_mls_init_label },
-	{ MAC_INIT_MBUF_LABEL,
-	    (macop_t)mac_mls_init_label_waitcheck },
-	{ MAC_INIT_MOUNT_LABEL,
-	    (macop_t)mac_mls_init_label },
-	{ MAC_INIT_MOUNT_FS_LABEL,
-	    (macop_t)mac_mls_init_label },
-	{ MAC_INIT_PIPE_LABEL,
-	    (macop_t)mac_mls_init_label },
-	{ MAC_INIT_SOCKET_LABEL,
-	    (macop_t)mac_mls_init_label_waitcheck },
-	{ MAC_INIT_SOCKET_PEER_LABEL,
-	    (macop_t)mac_mls_init_label_waitcheck },
-	{ MAC_INIT_VNODE_LABEL,
-	    (macop_t)mac_mls_init_label },
-	{ MAC_DESTROY_BPFDESC_LABEL,
-	    (macop_t)mac_mls_destroy_label },
-	{ MAC_DESTROY_CRED_LABEL,
-	    (macop_t)mac_mls_destroy_label },
-	{ MAC_DESTROY_DEVFSDIRENT_LABEL,
-	    (macop_t)mac_mls_destroy_label },
-	{ MAC_DESTROY_IFNET_LABEL,
-	    (macop_t)mac_mls_destroy_label },
-	{ MAC_DESTROY_IPQ_LABEL,
-	    (macop_t)mac_mls_destroy_label },
-	{ MAC_DESTROY_MBUF_LABEL,
-	    (macop_t)mac_mls_destroy_label },
-	{ MAC_DESTROY_MOUNT_LABEL,
-	    (macop_t)mac_mls_destroy_label },
-	{ MAC_DESTROY_MOUNT_FS_LABEL,
-	    (macop_t)mac_mls_destroy_label },
-	{ MAC_DESTROY_PIPE_LABEL,
-	    (macop_t)mac_mls_destroy_label },
-	{ MAC_DESTROY_SOCKET_LABEL,
-	    (macop_t)mac_mls_destroy_label },
-	{ MAC_DESTROY_SOCKET_PEER_LABEL,
-	    (macop_t)mac_mls_destroy_label },
-	{ MAC_DESTROY_VNODE_LABEL,
-	    (macop_t)mac_mls_destroy_label },
-	{ MAC_COPY_PIPE_LABEL,
-	    (macop_t)mac_mls_copy_label },
-	{ MAC_COPY_VNODE_LABEL,
-	    (macop_t)mac_mls_copy_label },
-	{ MAC_EXTERNALIZE_CRED_LABEL,
-	    (macop_t)mac_mls_externalize_label },
-	{ MAC_EXTERNALIZE_IFNET_LABEL,
-	    (macop_t)mac_mls_externalize_label },
-	{ MAC_EXTERNALIZE_PIPE_LABEL,
-	    (macop_t)mac_mls_externalize_label },
-	{ MAC_EXTERNALIZE_SOCKET_LABEL,
-	    (macop_t)mac_mls_externalize_label },
-	{ MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
-	    (macop_t)mac_mls_externalize_label },
-	{ MAC_EXTERNALIZE_VNODE_LABEL,
-	    (macop_t)mac_mls_externalize_label },
-	{ MAC_INTERNALIZE_CRED_LABEL,
-	    (macop_t)mac_mls_internalize_label },
-	{ MAC_INTERNALIZE_IFNET_LABEL,
-	    (macop_t)mac_mls_internalize_label },
-	{ MAC_INTERNALIZE_PIPE_LABEL,
-	    (macop_t)mac_mls_internalize_label },
-	{ MAC_INTERNALIZE_SOCKET_LABEL,
-	    (macop_t)mac_mls_internalize_label },
-	{ MAC_INTERNALIZE_VNODE_LABEL,
-	    (macop_t)mac_mls_internalize_label },
-	{ MAC_CREATE_DEVFS_DEVICE,
-	    (macop_t)mac_mls_create_devfs_device },
-	{ MAC_CREATE_DEVFS_DIRECTORY,
-	    (macop_t)mac_mls_create_devfs_directory },
-	{ MAC_CREATE_DEVFS_SYMLINK,
-	    (macop_t)mac_mls_create_devfs_symlink },
-	{ MAC_CREATE_DEVFS_VNODE,
-	    (macop_t)mac_mls_create_devfs_vnode },
-	{ MAC_CREATE_MOUNT,
-	    (macop_t)mac_mls_create_mount },
-	{ MAC_CREATE_ROOT_MOUNT,
-	    (macop_t)mac_mls_create_root_mount },
-	{ MAC_RELABEL_VNODE,
-	    (macop_t)mac_mls_relabel_vnode },
-	{ MAC_UPDATE_DEVFSDIRENT,
-	    (macop_t)mac_mls_update_devfsdirent },
-	{ MAC_ASSOCIATE_VNODE_DEVFS,
-	    (macop_t)mac_mls_associate_vnode_devfs },
-	{ MAC_ASSOCIATE_VNODE_EXTATTR,
-	    (macop_t)mac_mls_associate_vnode_extattr },
-	{ MAC_ASSOCIATE_VNODE_SINGLELABEL,
-	    (macop_t)mac_mls_associate_vnode_singlelabel },
-	{ MAC_CREATE_VNODE_EXTATTR,
-	    (macop_t)mac_mls_create_vnode_extattr },
-	{ MAC_SETLABEL_VNODE_EXTATTR,
-	    (macop_t)mac_mls_setlabel_vnode_extattr },
-	{ MAC_CREATE_MBUF_FROM_SOCKET,
-	    (macop_t)mac_mls_create_mbuf_from_socket },
-	{ MAC_CREATE_PIPE,
-	    (macop_t)mac_mls_create_pipe },
-	{ MAC_CREATE_SOCKET,
-	    (macop_t)mac_mls_create_socket },
-	{ MAC_CREATE_SOCKET_FROM_SOCKET,
-	    (macop_t)mac_mls_create_socket_from_socket },
-	{ MAC_RELABEL_PIPE,
-	    (macop_t)mac_mls_relabel_pipe },
-	{ MAC_RELABEL_SOCKET,
-	    (macop_t)mac_mls_relabel_socket },
-	{ MAC_SET_SOCKET_PEER_FROM_MBUF,
-	    (macop_t)mac_mls_set_socket_peer_from_mbuf },
-	{ MAC_SET_SOCKET_PEER_FROM_SOCKET,
-	    (macop_t)mac_mls_set_socket_peer_from_socket },
-	{ MAC_CREATE_BPFDESC,
-	    (macop_t)mac_mls_create_bpfdesc },
-	{ MAC_CREATE_DATAGRAM_FROM_IPQ,
-	    (macop_t)mac_mls_create_datagram_from_ipq },
-	{ MAC_CREATE_FRAGMENT,
-	    (macop_t)mac_mls_create_fragment },
-	{ MAC_CREATE_IFNET,
-	    (macop_t)mac_mls_create_ifnet },
-	{ MAC_CREATE_IPQ,
-	    (macop_t)mac_mls_create_ipq },
-	{ MAC_CREATE_MBUF_FROM_MBUF,
-	    (macop_t)mac_mls_create_mbuf_from_mbuf },
-	{ MAC_CREATE_MBUF_LINKLAYER,
-	    (macop_t)mac_mls_create_mbuf_linklayer },
-	{ MAC_CREATE_MBUF_FROM_BPFDESC,
-	    (macop_t)mac_mls_create_mbuf_from_bpfdesc },
-	{ MAC_CREATE_MBUF_FROM_IFNET,
-	    (macop_t)mac_mls_create_mbuf_from_ifnet },
-	{ MAC_CREATE_MBUF_MULTICAST_ENCAP,
-	    (macop_t)mac_mls_create_mbuf_multicast_encap },
-	{ MAC_CREATE_MBUF_NETLAYER,
-	    (macop_t)mac_mls_create_mbuf_netlayer },
-	{ MAC_FRAGMENT_MATCH,
-	    (macop_t)mac_mls_fragment_match },
-	{ MAC_RELABEL_IFNET,
-	    (macop_t)mac_mls_relabel_ifnet },
-	{ MAC_UPDATE_IPQ,
-	    (macop_t)mac_mls_update_ipq },
-	{ MAC_CREATE_CRED,
-	    (macop_t)mac_mls_create_cred },
-	{ MAC_EXECVE_TRANSITION,
-	    (macop_t)mac_mls_execve_transition },
-	{ MAC_EXECVE_WILL_TRANSITION,
-	    (macop_t)mac_mls_execve_will_transition },
-	{ MAC_CREATE_PROC0,
-	    (macop_t)mac_mls_create_proc0 },
-	{ MAC_CREATE_PROC1,
-	    (macop_t)mac_mls_create_proc1 },
-	{ MAC_RELABEL_CRED,
-	    (macop_t)mac_mls_relabel_cred },
-	{ MAC_CHECK_BPFDESC_RECEIVE,
-	    (macop_t)mac_mls_check_bpfdesc_receive },
-	{ MAC_CHECK_CRED_RELABEL,
-	    (macop_t)mac_mls_check_cred_relabel },
-	{ MAC_CHECK_CRED_VISIBLE,
-	    (macop_t)mac_mls_check_cred_visible },
-	{ MAC_CHECK_IFNET_RELABEL,
-	    (macop_t)mac_mls_check_ifnet_relabel },
-	{ MAC_CHECK_IFNET_TRANSMIT,
-	    (macop_t)mac_mls_check_ifnet_transmit },
-	{ MAC_CHECK_MOUNT_STAT,
-	    (macop_t)mac_mls_check_mount_stat },
-	{ MAC_CHECK_PIPE_IOCTL,
-	    (macop_t)mac_mls_check_pipe_ioctl },
-	{ MAC_CHECK_PIPE_POLL,
-	    (macop_t)mac_mls_check_pipe_poll },
-	{ MAC_CHECK_PIPE_READ,
-	    (macop_t)mac_mls_check_pipe_read },
-	{ MAC_CHECK_PIPE_RELABEL,
-	    (macop_t)mac_mls_check_pipe_relabel },
-	{ MAC_CHECK_PIPE_STAT,
-	    (macop_t)mac_mls_check_pipe_stat },
-	{ MAC_CHECK_PIPE_WRITE,
-	    (macop_t)mac_mls_check_pipe_write },
-	{ MAC_CHECK_PROC_DEBUG,
-	    (macop_t)mac_mls_check_proc_debug },
-	{ MAC_CHECK_PROC_SCHED,
-	    (macop_t)mac_mls_check_proc_sched },
-	{ MAC_CHECK_PROC_SIGNAL,
-	    (macop_t)mac_mls_check_proc_signal },
-	{ MAC_CHECK_SOCKET_DELIVER,
-	    (macop_t)mac_mls_check_socket_deliver },
-	{ MAC_CHECK_SOCKET_RELABEL,
-	    (macop_t)mac_mls_check_socket_relabel },
-	{ MAC_CHECK_SOCKET_VISIBLE,
-	    (macop_t)mac_mls_check_socket_visible },
-	{ MAC_CHECK_VNODE_ACCESS,
-	    (macop_t)mac_mls_check_vnode_open },
-	{ MAC_CHECK_VNODE_CHDIR,
-	    (macop_t)mac_mls_check_vnode_chdir },
-	{ MAC_CHECK_VNODE_CHROOT,
-	    (macop_t)mac_mls_check_vnode_chroot },
-	{ MAC_CHECK_VNODE_CREATE,
-	    (macop_t)mac_mls_check_vnode_create },
-	{ MAC_CHECK_VNODE_DELETE,
-	    (macop_t)mac_mls_check_vnode_delete },
-	{ MAC_CHECK_VNODE_DELETEACL,
-	    (macop_t)mac_mls_check_vnode_deleteacl },
-	{ MAC_CHECK_VNODE_EXEC,
-	    (macop_t)mac_mls_check_vnode_exec },
-	{ MAC_CHECK_VNODE_GETACL,
-	    (macop_t)mac_mls_check_vnode_getacl },
-	{ MAC_CHECK_VNODE_GETEXTATTR,
-	    (macop_t)mac_mls_check_vnode_getextattr },
-	{ MAC_CHECK_VNODE_LINK,
-	    (macop_t)mac_mls_check_vnode_link },
-	{ MAC_CHECK_VNODE_LOOKUP,
-	    (macop_t)mac_mls_check_vnode_lookup },
-	{ MAC_CHECK_VNODE_MMAP,
-	    (macop_t)mac_mls_check_vnode_mmap },
-	{ MAC_CHECK_VNODE_MPROTECT,
-	    (macop_t)mac_mls_check_vnode_mmap },
-	{ MAC_CHECK_VNODE_OPEN,
-	    (macop_t)mac_mls_check_vnode_open },
-	{ MAC_CHECK_VNODE_POLL,
-	    (macop_t)mac_mls_check_vnode_poll },
-	{ MAC_CHECK_VNODE_READ,
-	    (macop_t)mac_mls_check_vnode_read },
-	{ MAC_CHECK_VNODE_READDIR,
-	    (macop_t)mac_mls_check_vnode_readdir },
-	{ MAC_CHECK_VNODE_READLINK,
-	    (macop_t)mac_mls_check_vnode_readlink },
-	{ MAC_CHECK_VNODE_RELABEL,
-	    (macop_t)mac_mls_check_vnode_relabel },
-	{ MAC_CHECK_VNODE_RENAME_FROM,
-	    (macop_t)mac_mls_check_vnode_rename_from },
-	{ MAC_CHECK_VNODE_RENAME_TO,
-	    (macop_t)mac_mls_check_vnode_rename_to },
-	{ MAC_CHECK_VNODE_REVOKE,
-	    (macop_t)mac_mls_check_vnode_revoke },
-	{ MAC_CHECK_VNODE_SETACL,
-	    (macop_t)mac_mls_check_vnode_setacl },
-	{ MAC_CHECK_VNODE_SETEXTATTR,
-	    (macop_t)mac_mls_check_vnode_setextattr },
-	{ MAC_CHECK_VNODE_SETFLAGS,
-	    (macop_t)mac_mls_check_vnode_setflags },
-	{ MAC_CHECK_VNODE_SETMODE,
-	    (macop_t)mac_mls_check_vnode_setmode },
-	{ MAC_CHECK_VNODE_SETOWNER,
-	    (macop_t)mac_mls_check_vnode_setowner },
-	{ MAC_CHECK_VNODE_SETUTIMES,
-	    (macop_t)mac_mls_check_vnode_setutimes },
-	{ MAC_CHECK_VNODE_STAT,
-	    (macop_t)mac_mls_check_vnode_stat },
-	{ MAC_CHECK_VNODE_WRITE,
-	    (macop_t)mac_mls_check_vnode_write },
-	{ MAC_OP_LAST, NULL }
+static struct mac_policy_ops mac_mls_ops =
+{
+	.mpo_destroy = mac_mls_destroy,
+	.mpo_init = mac_mls_init,
+	.mpo_init_bpfdesc_label = mac_mls_init_label,
+	.mpo_init_cred_label = mac_mls_init_label,
+	.mpo_init_devfsdirent_label = mac_mls_init_label,
+	.mpo_init_ifnet_label = mac_mls_init_label,
+	.mpo_init_ipq_label = mac_mls_init_label,
+	.mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
+	.mpo_init_mount_label = mac_mls_init_label,
+	.mpo_init_mount_fs_label = mac_mls_init_label,
+	.mpo_init_pipe_label = mac_mls_init_label,
+	.mpo_init_socket_label = mac_mls_init_label_waitcheck,
+	.mpo_init_socket_peer_label = mac_mls_init_label_waitcheck,
+	.mpo_init_vnode_label = mac_mls_init_label,
+	.mpo_destroy_bpfdesc_label = mac_mls_destroy_label,
+	.mpo_destroy_cred_label = mac_mls_destroy_label,
+	.mpo_destroy_devfsdirent_label = mac_mls_destroy_label,
+	.mpo_destroy_ifnet_label = mac_mls_destroy_label,
+	.mpo_destroy_ipq_label = mac_mls_destroy_label,
+	.mpo_destroy_mbuf_label = mac_mls_destroy_label,
+	.mpo_destroy_mount_label = mac_mls_destroy_label,
+	.mpo_destroy_mount_fs_label = mac_mls_destroy_label,
+	.mpo_destroy_pipe_label = mac_mls_destroy_label,
+	.mpo_destroy_socket_label = mac_mls_destroy_label,
+	.mpo_destroy_socket_peer_label = mac_mls_destroy_label,
+	.mpo_destroy_vnode_label = mac_mls_destroy_label,
+	.mpo_copy_pipe_label = mac_mls_copy_label,
+	.mpo_copy_vnode_label = mac_mls_copy_label,
+	.mpo_externalize_cred_label = mac_mls_externalize_label,
+	.mpo_externalize_ifnet_label = mac_mls_externalize_label,
+	.mpo_externalize_pipe_label = mac_mls_externalize_label,
+	.mpo_externalize_socket_label = mac_mls_externalize_label,
+	.mpo_externalize_socket_peer_label = mac_mls_externalize_label,
+	.mpo_externalize_vnode_label = mac_mls_externalize_label,
+	.mpo_internalize_cred_label = mac_mls_internalize_label,
+	.mpo_internalize_ifnet_label = mac_mls_internalize_label,
+	.mpo_internalize_pipe_label = mac_mls_internalize_label,
+	.mpo_internalize_socket_label = mac_mls_internalize_label,
+	.mpo_internalize_vnode_label = mac_mls_internalize_label,
+	.mpo_create_devfs_device = mac_mls_create_devfs_device,
+	.mpo_create_devfs_directory = mac_mls_create_devfs_directory,
+	.mpo_create_devfs_symlink = mac_mls_create_devfs_symlink,
+	.mpo_create_devfs_vnode = mac_mls_create_devfs_vnode,
+	.mpo_create_mount = mac_mls_create_mount,
+	.mpo_create_root_mount = mac_mls_create_root_mount,
+	.mpo_relabel_vnode = mac_mls_relabel_vnode,
+	.mpo_update_devfsdirent = mac_mls_update_devfsdirent,
+	.mpo_associate_vnode_devfs = mac_mls_associate_vnode_devfs,
+	.mpo_associate_vnode_extattr = mac_mls_associate_vnode_extattr,
+	.mpo_associate_vnode_singlelabel = mac_mls_associate_vnode_singlelabel,
+	.mpo_create_vnode_extattr = mac_mls_create_vnode_extattr,
+	.mpo_setlabel_vnode_extattr = mac_mls_setlabel_vnode_extattr,
+	.mpo_create_mbuf_from_socket = mac_mls_create_mbuf_from_socket,
+	.mpo_create_pipe = mac_mls_create_pipe,
+	.mpo_create_socket = mac_mls_create_socket,
+	.mpo_create_socket_from_socket = mac_mls_create_socket_from_socket,
+	.mpo_relabel_pipe = mac_mls_relabel_pipe,
+	.mpo_relabel_socket = mac_mls_relabel_socket,
+	.mpo_set_socket_peer_from_mbuf = mac_mls_set_socket_peer_from_mbuf,
+	.mpo_set_socket_peer_from_socket = mac_mls_set_socket_peer_from_socket,
+	.mpo_create_bpfdesc = mac_mls_create_bpfdesc,
+	.mpo_create_datagram_from_ipq = mac_mls_create_datagram_from_ipq,
+	.mpo_create_fragment = mac_mls_create_fragment,
+	.mpo_create_ifnet = mac_mls_create_ifnet,
+	.mpo_create_ipq = mac_mls_create_ipq,
+	.mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
+	.mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
+	.mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
+	.mpo_create_mbuf_from_ifnet = mac_mls_create_mbuf_from_ifnet,
+	.mpo_create_mbuf_multicast_encap = mac_mls_create_mbuf_multicast_encap,
+	.mpo_create_mbuf_netlayer = mac_mls_create_mbuf_netlayer,
+	.mpo_fragment_match = mac_mls_fragment_match,
+	.mpo_relabel_ifnet = mac_mls_relabel_ifnet,
+	.mpo_update_ipq = mac_mls_update_ipq,
+	.mpo_create_cred = mac_mls_create_cred,
+	.mpo_execve_transition = mac_mls_execve_transition,
+	.mpo_execve_will_transition = mac_mls_execve_will_transition,
+	.mpo_create_proc0 = mac_mls_create_proc0,
+	.mpo_create_proc1 = mac_mls_create_proc1,
+	.mpo_relabel_cred = mac_mls_relabel_cred,
+	.mpo_check_bpfdesc_receive = mac_mls_check_bpfdesc_receive,
+	.mpo_check_cred_relabel = mac_mls_check_cred_relabel,
+	.mpo_check_cred_visible = mac_mls_check_cred_visible,
+	.mpo_check_ifnet_relabel = mac_mls_check_ifnet_relabel,
+	.mpo_check_ifnet_transmit = mac_mls_check_ifnet_transmit,
+	.mpo_check_mount_stat = mac_mls_check_mount_stat,
+	.mpo_check_pipe_ioctl = mac_mls_check_pipe_ioctl,
+	.mpo_check_pipe_poll = mac_mls_check_pipe_poll,
+	.mpo_check_pipe_read = mac_mls_check_pipe_read,
+	.mpo_check_pipe_relabel = mac_mls_check_pipe_relabel,
+	.mpo_check_pipe_stat = mac_mls_check_pipe_stat,
+	.mpo_check_pipe_write = mac_mls_check_pipe_write,
+	.mpo_check_proc_debug = mac_mls_check_proc_debug,
+	.mpo_check_proc_sched = mac_mls_check_proc_sched,
+	.mpo_check_proc_signal = mac_mls_check_proc_signal,
+	.mpo_check_socket_deliver = mac_mls_check_socket_deliver,
+	.mpo_check_socket_relabel = mac_mls_check_socket_relabel,
+	.mpo_check_socket_visible = mac_mls_check_socket_visible,
+	.mpo_check_vnode_access = mac_mls_check_vnode_open,
+	.mpo_check_vnode_chdir = mac_mls_check_vnode_chdir,
+	.mpo_check_vnode_chroot = mac_mls_check_vnode_chroot,
+	.mpo_check_vnode_create = mac_mls_check_vnode_create,
+	.mpo_check_vnode_delete = mac_mls_check_vnode_delete,
+	.mpo_check_vnode_deleteacl = mac_mls_check_vnode_deleteacl,
+	.mpo_check_vnode_exec = mac_mls_check_vnode_exec,
+	.mpo_check_vnode_getacl = mac_mls_check_vnode_getacl,
+	.mpo_check_vnode_getextattr = mac_mls_check_vnode_getextattr,
+	.mpo_check_vnode_link = mac_mls_check_vnode_link,
+	.mpo_check_vnode_lookup = mac_mls_check_vnode_lookup,
+	.mpo_check_vnode_mmap = mac_mls_check_vnode_mmap,
+	.mpo_check_vnode_mprotect = mac_mls_check_vnode_mmap,
+	.mpo_check_vnode_open = mac_mls_check_vnode_open,
+	.mpo_check_vnode_poll = mac_mls_check_vnode_poll,
+	.mpo_check_vnode_read = mac_mls_check_vnode_read,
+	.mpo_check_vnode_readdir = mac_mls_check_vnode_readdir,
+	.mpo_check_vnode_readlink = mac_mls_check_vnode_readlink,
+	.mpo_check_vnode_relabel = mac_mls_check_vnode_relabel,
+	.mpo_check_vnode_rename_from = mac_mls_check_vnode_rename_from,
+	.mpo_check_vnode_rename_to = mac_mls_check_vnode_rename_to,
+	.mpo_check_vnode_revoke = mac_mls_check_vnode_revoke,
+	.mpo_check_vnode_setacl = mac_mls_check_vnode_setacl,
+	.mpo_check_vnode_setextattr = mac_mls_check_vnode_setextattr,
+	.mpo_check_vnode_setflags = mac_mls_check_vnode_setflags,
+	.mpo_check_vnode_setmode = mac_mls_check_vnode_setmode,
+	.mpo_check_vnode_setowner = mac_mls_check_vnode_setowner,
+	.mpo_check_vnode_setutimes = mac_mls_check_vnode_setutimes,
+	.mpo_check_vnode_stat = mac_mls_check_vnode_stat,
+	.mpo_check_vnode_write = mac_mls_check_vnode_write,
 };
 
-MAC_POLICY_SET(mac_mls_ops, trustedbsd_mac_mls, "TrustedBSD MAC/MLS",
+MAC_POLICY_SET(&mac_mls_ops, trustedbsd_mac_mls, "TrustedBSD MAC/MLS",
     MPC_LOADTIME_FLAG_NOTLATE, &mac_mls_slot);