Remove MAC Framework access control check entry points made redundant with

the introduction of priv(9) and MAC Framework entry points for privilege
checking/granting.  These entry points exactly aligned with privileges and
provided no additional security context:

- mac_check_sysarch_ioperm()
- mac_check_kld_unload()
- mac_check_settime()
- mac_check_system_nfsd()

Add mpo_priv_check() implementations to Biba and LOMAC policies, which,
for each privilege, determine if they can be granted to processes
considered unprivileged by those two policies.  These mostly, but not
entirely, align with the set of privileges granted in jails.

Obtained from:	TrustedBSD Project

7 files changed, 387 insertions, 183 deletions

diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index f127456..98b04c0 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -282,7 +282,6 @@ int	mac_check_kenv_set(struct ucred *cred, char *name, char *value);
 int	mac_check_kenv_unset(struct ucred *cred, char *name);
 int	mac_check_kld_load(struct ucred *cred, struct vnode *vp);
 int	mac_check_kld_stat(struct ucred *cred);
-int	mac_check_kld_unload(struct ucred *cred);
 int	mac_check_mount_stat(struct ucred *cred, struct mount *mp);
 int	mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
 	    unsigned long cmd, void *data);
@@ -335,14 +334,11 @@ int	mac_check_socket_receive(struct ucred *cred, struct socket *so);
 int	mac_check_socket_send(struct ucred *cred, struct socket *so);
 int	mac_check_socket_stat(struct ucred *cred, struct socket *so);
 int	mac_check_socket_visible(struct ucred *cred, struct socket *so);
-int	mac_check_sysarch_ioperm(struct ucred *cred);
 int	mac_check_system_acct(struct ucred *cred, struct vnode *vp);
 int	mac_check_system_audit(struct ucred *cred, void *record, int length);
 int	mac_check_system_auditctl(struct ucred *cred, struct vnode *vp);
 int	mac_check_system_auditon(struct ucred *cred, int cmd);
-int	mac_check_system_nfsd(struct ucred *cred);
 int	mac_check_system_reboot(struct ucred *cred, int howto);
-int	mac_check_system_settime(struct ucred *cred);
 int	mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
 int	mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
 int	mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index ade77f6..451633f 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -420,7 +420,6 @@ typedef int	(*mpo_check_kenv_unset_t)(struct ucred *cred, char *name);
 typedef int	(*mpo_check_kld_load_t)(struct ucred *cred, struct vnode *vp,
 		    struct label *vlabel);
 typedef int	(*mpo_check_kld_stat_t)(struct ucred *cred);
-typedef int	(*mpo_check_kld_unload_t)(struct ucred *cred);
 typedef int	(*mpo_mpo_placeholder19_t)(void);
 typedef int	(*mpo_mpo_placeholder20_t)(void);
 typedef int	(*mpo_check_mount_stat_t)(struct ucred *cred,
@@ -505,7 +504,6 @@ typedef int	(*mpo_check_socket_stat_t)(struct ucred *cred,
 		    struct socket *so, struct label *socketlabel);
 typedef int	(*mpo_check_socket_visible_t)(struct ucred *cred,
 		    struct socket *so, struct label *socketlabel);
-typedef int	(*mpo_check_sysarch_ioperm_t)(struct ucred *cred);
 typedef int	(*mpo_check_system_acct_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vlabel);
 typedef int	(*mpo_check_system_audit_t)(struct ucred *cred, void *record,
@@ -513,9 +511,7 @@ typedef int	(*mpo_check_system_audit_t)(struct ucred *cred, void *record,
 typedef int	(*mpo_check_system_auditctl_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel);
 typedef int	(*mpo_check_system_auditon_t)(struct ucred *cred, int cmd);
-typedef int	(*mpo_check_system_nfsd_t)(struct ucred *cred);
 typedef int	(*mpo_check_system_reboot_t)(struct ucred *cred, int howto);
-typedef int	(*mpo_check_system_settime_t)(struct ucred *cred);
 typedef int	(*mpo_check_system_swapon_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *label);
 typedef int	(*mpo_check_system_swapoff_t)(struct ucred *cred,
@@ -817,7 +813,6 @@ struct mac_policy_ops {
 	mpo_check_kenv_unset_t			mpo_check_kenv_unset;
 	mpo_check_kld_load_t			mpo_check_kld_load;
 	mpo_check_kld_stat_t			mpo_check_kld_stat;
-	mpo_check_kld_unload_t			mpo_check_kld_unload;
 	mpo_placeholder_t			_mpo_placeholder19;
 	mpo_placeholder_t			_mpo_placeholder20;
 	mpo_check_mount_stat_t			mpo_check_mount_stat;
@@ -862,14 +857,11 @@ struct mac_policy_ops {
 	mpo_check_socket_send_t			mpo_check_socket_send;
 	mpo_check_socket_stat_t			mpo_check_socket_stat;
 	mpo_check_socket_visible_t		mpo_check_socket_visible;
-	mpo_check_sysarch_ioperm_t		mpo_check_sysarch_ioperm;
 	mpo_check_system_acct_t			mpo_check_system_acct;
 	mpo_check_system_audit_t		mpo_check_system_audit;
 	mpo_check_system_auditctl_t		mpo_check_system_auditctl;
 	mpo_check_system_auditon_t		mpo_check_system_auditon;
-	mpo_check_system_nfsd_t			mpo_check_system_nfsd;
 	mpo_check_system_reboot_t		mpo_check_system_reboot;
-	mpo_check_system_settime_t		mpo_check_system_settime;
 	mpo_check_system_swapon_t		mpo_check_system_swapon;
 	mpo_check_system_swapoff_t		mpo_check_system_swapoff;
 	mpo_check_system_sysctl_t		mpo_check_system_sysctl;
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 32a9b79..07a975c 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -1,5 +1,6 @@
 /*-
  * Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2007 Robert N. M. Watson
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * Portions of this software were developed by Robert Watson for the
+ * TrustedBSD Project.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -29,6 +33,16 @@
  * SUCH DAMAGE.
  */
 
+/*
+ * MAC Framework entry points relating to overall operation of system,
+ * including global services such as the kernel environment and loadable
+ * modules.
+ *
+ * System checks often align with existing privilege checks, but provide
+ * additional security context that may be relevant to policies, such as the
+ * specific object being operated on.
+ */
+
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
@@ -48,12 +62,6 @@ __FBSDID("$FreeBSD$");
 #include <security/mac/mac_internal.h>
 #include <security/mac/mac_policy.h>
 
-/*
- * XXXRW: Some of these checks now duplicate privilege checks.  However,
- * others provide additional security context that may be useful to policies.
- * We need to review these and remove ones that are pure duplicates.
- */
-
 int
 mac_check_kenv_dump(struct ucred *cred)
 {
@@ -117,25 +125,6 @@ mac_check_kld_stat(struct ucred *cred)
 }
 
 int
-mac_check_kld_unload(struct ucred *cred)
-{
-	int error;
-
-	MAC_CHECK(check_kld_unload, cred);
-
-	return (error);
-}
-
-int
-mac_check_sysarch_ioperm(struct ucred *cred)
-{
-	int error;
-
-	MAC_CHECK(check_sysarch_ioperm, cred);
-	return (error);
-}
-
-int
 mac_check_system_acct(struct ucred *cred, struct vnode *vp)
 {
 	int error;
@@ -151,16 +140,6 @@ mac_check_system_acct(struct ucred *cred, struct vnode *vp)
 }
 
 int
-mac_check_system_nfsd(struct ucred *cred)
-{
-	int error;
-
-	MAC_CHECK(check_system_nfsd, cred);
-
-	return (error);
-}
-
-int
 mac_check_system_reboot(struct ucred *cred, int howto)
 {
 	int error;
@@ -171,16 +150,6 @@ mac_check_system_reboot(struct ucred *cred, int howto)
 }
 
 int
-mac_check_system_settime(struct ucred *cred)
-{
-	int error;
-
-	MAC_CHECK(check_system_settime, cred);
-
-	return (error);
-}
-
-int
 mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 {
 	int error;
@@ -203,8 +172,8 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
 }
 
 int
-mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1,
-    int arg2, struct sysctl_req *req)
+mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+    void *arg1, int arg2, struct sysctl_req *req)
 {
 	int error;
 
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index abb817d..30dbf79 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -36,6 +36,7 @@
 
 /*
  * Developed by the TrustedBSD Project.
+ *
  * Biba fixed label mandatory integrity policy.
  */
 
@@ -47,6 +48,7 @@
 #include <sys/malloc.h>
 #include <sys/mman.h>
 #include <sys/mount.h>
+#include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/sbuf.h>
 #include <sys/systm.h>
@@ -1913,19 +1915,6 @@ mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
 
 
 static int
-mac_biba_check_kld_unload(struct ucred *cred)
-{
-	struct mac_biba *subj;
-
-	if (!mac_biba_enabled)
-		return (0);
-
-	subj = SLOT(cred->cr_label);
-
-	return (mac_biba_subject_privileged(subj));
-}
-
-static int
 mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
     struct label *mntlabel)
 {
@@ -2259,8 +2248,13 @@ mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
 	return (0);
 }
 
+/*
+ * Some system privileges are allowed regardless of integrity grade; others
+ * are allowed only when running with privilege with respect to the Biba
+ * policy as they might otherwise allow bypassing of the integrity policy.
+ */
 static int
-mac_biba_check_sysarch_ioperm(struct ucred *cred)
+mac_biba_priv_check(struct ucred *cred, int priv)
 {
 	struct mac_biba *subj;
 	int error;
@@ -2268,12 +2262,178 @@ mac_biba_check_sysarch_ioperm(struct ucred *cred)
 	if (!mac_biba_enabled)
 		return (0);
 
-	subj = SLOT(cred->cr_label);
+	/*
+	 * Exempt only specific privileges from the Biba integrity policy.
+	 */
+	switch (priv) {
+	case PRIV_KTRACE:
+	case PRIV_MSGBUF:
 
-	error = mac_biba_subject_privileged(subj);
-	if (error)
-		return (error);
+	/*
+	 * Allow processes to manipulate basic process audit properties, and
+	 * to submit audit records.
+	 */
+	case PRIV_AUDIT_GETAUDIT:
+	case PRIV_AUDIT_SETAUDIT:
+	case PRIV_AUDIT_SUBMIT:
+
+	/*
+	 * Allow processes to manipulate their regular UNIX credentials.
+	 */
+	case PRIV_CRED_SETUID:
+	case PRIV_CRED_SETEUID:
+	case PRIV_CRED_SETGID:
+	case PRIV_CRED_SETEGID:
+	case PRIV_CRED_SETGROUPS:
+	case PRIV_CRED_SETREUID:
+	case PRIV_CRED_SETREGID:
+	case PRIV_CRED_SETRESUID:
+	case PRIV_CRED_SETRESGID:
+
+	/*
+	 * Allow processes to perform system monitoring.
+	 */
+	case PRIV_SEEOTHERGIDS:
+	case PRIV_SEEOTHERUIDS:
+		break;
+
+	/*
+	 * Allow access to general process debugging facilities.  We
+	 * separately control debugging based on MAC label.
+	 */
+	case PRIV_DEBUG_DIFFCRED:
+	case PRIV_DEBUG_SUGID:
+	case PRIV_DEBUG_UNPRIV:
+
+	/*
+	 * Allow manipulating jails.
+	 */
+	case PRIV_JAIL_ATTACH:
+
+	/*
+	 * Allow privilege with respect to the Partition policy, but not the
+	 * Privs policy.
+	 */
+	case PRIV_MAC_PARTITION:
+
+	/*
+	 * Allow privilege with respect to process resource limits and login
+	 * context.
+	 */
+	case PRIV_PROC_LIMIT:
+	case PRIV_PROC_SETLOGIN:
+	case PRIV_PROC_SETRLIMIT:
+
+	/*
+	 * Allow System V and POSIX IPC privileges.
+	 */
+	case PRIV_IPC_READ:
+	case PRIV_IPC_WRITE:
+	case PRIV_IPC_ADMIN:
+	case PRIV_IPC_MSGSIZE:
+	case PRIV_MQ_ADMIN:
+
+	/*
+	 * Allow certain scheduler manipulations -- possibly this should be
+	 * controlled by more fine-grained policy, as potentially low
+	 * integrity processes can deny CPU to higher integrity ones.
+	 */
+	case PRIV_SCHED_DIFFCRED:
+	case PRIV_SCHED_SETPRIORITY:
+	case PRIV_SCHED_RTPRIO:
+	case PRIV_SCHED_SETPOLICY:
+	case PRIV_SCHED_SET:
+	case PRIV_SCHED_SETPARAM:
 
+	/*
+	 * More IPC privileges.
+	 */
+	case PRIV_SEM_WRITE:
+
+	/*
+	 * Allow signaling privileges subject to integrity policy.
+	 */
+	case PRIV_SIGNAL_DIFFCRED:
+	case PRIV_SIGNAL_SUGID:
+
+	/*
+	 * Allow access to only limited sysctls from lower integrity levels;
+	 * piggy-back on the Jail definition.
+	 */
+	case PRIV_SYSCTL_WRITEJAIL:
+
+	/*
+	 * Allow TTY-based privileges, subject to general device access using
+	 * labels on TTY device nodes, but not console privilege.
+	 */
+	case PRIV_TTY_DRAINWAIT:
+	case PRIV_TTY_DTRWAIT:
+	case PRIV_TTY_EXCLUSIVE:
+	case PRIV_TTY_PRISON:
+	case PRIV_TTY_STI:
+	case PRIV_TTY_SETA:
+
+	/*
+	 * Grant most VFS privileges, as almost all are in practice bounded
+	 * by more specific checks using labels.
+	 */
+	case PRIV_VFS_READ:
+	case PRIV_VFS_WRITE:
+	case PRIV_VFS_ADMIN:
+	case PRIV_VFS_EXEC:
+	case PRIV_VFS_LOOKUP:
+	case PRIV_VFS_CHFLAGS_DEV:
+	case PRIV_VFS_CHOWN:
+	case PRIV_VFS_CHROOT:
+	case PRIV_VFS_RETAINSUGID:
+	case PRIV_VFS_EXCEEDQUOTA:
+	case PRIV_VFS_FCHROOT:
+	case PRIV_VFS_FHOPEN:
+	case PRIV_VFS_FHSTATFS:
+	case PRIV_VFS_GENERATION:
+	case PRIV_VFS_GETFH:
+	case PRIV_VFS_GETQUOTA:
+	case PRIV_VFS_LINK:
+	case PRIV_VFS_MOUNT:
+	case PRIV_VFS_MOUNT_OWNER:
+	case PRIV_VFS_MOUNT_PERM:
+	case PRIV_VFS_MOUNT_SUIDDIR:
+	case PRIV_VFS_MOUNT_NONUSER:
+	case PRIV_VFS_SETGID:
+	case PRIV_VFS_STICKYFILE:
+	case PRIV_VFS_SYSFLAGS:
+	case PRIV_VFS_UNMOUNT:
+
+	/*
+	 * Allow VM privileges; it would be nice if these were subject to
+	 * resource limits.
+	 */
+	case PRIV_VM_MADV_PROTECT:
+	case PRIV_VM_MLOCK:
+	case PRIV_VM_MUNLOCK:
+
+	/*
+	 * Allow some but not all network privileges.  In general, dont allow
+	 * reconfiguring the network stack, just normal use.
+	 */
+	case PRIV_NETATALK_RESERVEDPORT:
+	case PRIV_NETINET_RESERVEDPORT:
+	case PRIV_NETINET_RAW:
+	case PRIV_NETINET_REUSEPORT:
+	case PRIV_NETIPX_RESERVEDPORT:
+	case PRIV_NETIPX_RAW:
+		break;
+
+	/*
+	 * All remaining system privileges are allow only if the process
+	 * holds privilege with respect to the Biba policy.
+	 */
+	default:
+		subj = SLOT(cred->cr_label);
+		error = mac_biba_subject_privileged(subj);
+		if (error)
+			return (error);
+	}
 	return (0);
 }
 
@@ -2348,24 +2508,6 @@ mac_biba_check_system_auditon(struct ucred *cred, int cmd)
 }
 
 static int
-mac_biba_check_system_settime(struct ucred *cred)
-{
-	struct mac_biba *subj;
-	int error;
-
-	if (!mac_biba_enabled)
-		return (0);
-
-	subj = SLOT(cred->cr_label);
-
-	error = mac_biba_subject_privileged(subj);
-	if (error)
-		return (error);
-
-	return (0);
-}
-
-static int
 mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
     struct label *label)
 {
@@ -3226,7 +3368,6 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_check_sysv_shmctl = mac_biba_check_sysv_shmctl,
 	.mpo_check_sysv_shmget = mac_biba_check_sysv_shmget,
 	.mpo_check_kld_load = mac_biba_check_kld_load,
-	.mpo_check_kld_unload = mac_biba_check_kld_unload,
 	.mpo_check_mount_stat = mac_biba_check_mount_stat,
 	.mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl,
 	.mpo_check_pipe_poll = mac_biba_check_pipe_poll,
@@ -3246,11 +3387,9 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_check_socket_deliver = mac_biba_check_socket_deliver,
 	.mpo_check_socket_relabel = mac_biba_check_socket_relabel,
 	.mpo_check_socket_visible = mac_biba_check_socket_visible,
-	.mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm,
 	.mpo_check_system_acct = mac_biba_check_system_acct,
 	.mpo_check_system_auditctl = mac_biba_check_system_auditctl,
 	.mpo_check_system_auditon = mac_biba_check_system_auditon,
-	.mpo_check_system_settime = mac_biba_check_system_settime,
 	.mpo_check_system_swapon = mac_biba_check_system_swapon,
 	.mpo_check_system_swapoff = mac_biba_check_system_swapoff,
 	.mpo_check_system_sysctl = mac_biba_check_system_sysctl,
@@ -3287,6 +3426,7 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_check_vnode_write = mac_biba_check_vnode_write,
 	.mpo_associate_nfsd_label = mac_biba_associate_nfsd_label,
 	.mpo_create_mbuf_from_firewall = mac_biba_create_mbuf_from_firewall,
+	.mpo_priv_check = mac_biba_priv_check,
 };
 
 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index d24e63f..c52cf70 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -36,6 +36,7 @@
 
 /*
  * Developed by the TrustedBSD Project.
+ *
  * Low-watermark floating label mandatory integrity policy.
  */
 
@@ -1786,22 +1787,6 @@ mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-mac_lomac_check_kld_unload(struct ucred *cred)
-{
-	struct mac_lomac *subj;
-
-	if (!mac_lomac_enabled)
-		return (0);
-
-	subj = SLOT(cred->cr_label);
-
-	if (mac_lomac_subject_privileged(subj))
-		return (EPERM);
-
-	return (0);
-}
-
-static int
 mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
     struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
 {
@@ -2045,6 +2030,196 @@ mac_lomac_check_socket_visible(struct ucred *cred, struct socket *socket,
 	return (0);
 }
 
+/*
+ * Some system privileges are allowed regardless of integrity grade; others
+ * are allowed only when running with privilege with respect to the LOMAC 
+ * policy as they might otherwise allow bypassing of the integrity policy.
+ */
+static int
+mac_lomac_priv_check(struct ucred *cred, int priv)
+{
+	struct mac_lomac *subj;
+	int error;
+
+	if (!mac_lomac_enabled)
+		return (0);
+
+	/*
+	 * Exempt only specific privileges from the LOMAC integrity policy.
+	 */
+	switch (priv) {
+	case PRIV_KTRACE:
+	case PRIV_MSGBUF:
+
+	/*
+	 * Allow processes to manipulate basic process audit properties, and
+	 * to submit audit records.
+	 */
+	case PRIV_AUDIT_GETAUDIT:
+	case PRIV_AUDIT_SETAUDIT:
+	case PRIV_AUDIT_SUBMIT:
+
+	/*
+	 * Allow processes to manipulate their regular UNIX credentials.
+	 */
+	case PRIV_CRED_SETUID:
+	case PRIV_CRED_SETEUID:
+	case PRIV_CRED_SETGID:
+	case PRIV_CRED_SETEGID:
+	case PRIV_CRED_SETGROUPS:
+	case PRIV_CRED_SETREUID:
+	case PRIV_CRED_SETREGID:
+	case PRIV_CRED_SETRESUID:
+	case PRIV_CRED_SETRESGID:
+
+	/*
+	 * Allow processes to perform system monitoring.
+	 */
+	case PRIV_SEEOTHERGIDS:
+	case PRIV_SEEOTHERUIDS:
+		break;
+
+	/*
+	 * Allow access to general process debugging facilities.  We
+	 * separately control debugging based on MAC label.
+	 */
+	case PRIV_DEBUG_DIFFCRED:
+	case PRIV_DEBUG_SUGID:
+	case PRIV_DEBUG_UNPRIV:
+
+	/*
+	 * Allow manipulating jails.
+	 */
+	case PRIV_JAIL_ATTACH:
+
+	/*
+	 * Allow privilege with respect to the Partition policy, but not the
+	 * Privs policy.
+	 */
+	case PRIV_MAC_PARTITION:
+
+	/*
+	 * Allow privilege with respect to process resource limits and login
+	 * context.
+	 */
+	case PRIV_PROC_LIMIT:
+	case PRIV_PROC_SETLOGIN:
+	case PRIV_PROC_SETRLIMIT:
+
+	/*
+	 * Allow System V and POSIX IPC privileges.
+	 */
+	case PRIV_IPC_READ:
+	case PRIV_IPC_WRITE:
+	case PRIV_IPC_ADMIN:
+	case PRIV_IPC_MSGSIZE:
+	case PRIV_MQ_ADMIN:
+
+	/*
+	 * Allow certain scheduler manipulations -- possibly this should be
+	 * controlled by more fine-grained policy, as potentially low
+	 * integrity processes can deny CPU to higher integrity ones.
+	 */
+	case PRIV_SCHED_DIFFCRED:
+	case PRIV_SCHED_SETPRIORITY:
+	case PRIV_SCHED_RTPRIO:
+	case PRIV_SCHED_SETPOLICY:
+	case PRIV_SCHED_SET:
+	case PRIV_SCHED_SETPARAM:
+
+	/*
+	 * More IPC privileges.
+	 */
+	case PRIV_SEM_WRITE:
+
+	/*
+	 * Allow signaling privileges subject to integrity policy.
+	 */
+	case PRIV_SIGNAL_DIFFCRED:
+	case PRIV_SIGNAL_SUGID:
+
+	/*
+	 * Allow access to only limited sysctls from lower integrity levels;
+	 * piggy-back on the Jail definition.
+	 */
+	case PRIV_SYSCTL_WRITEJAIL:
+
+	/*
+	 * Allow TTY-based privileges, subject to general device access using
+	 * labels on TTY device nodes, but not console privilege.
+	 */
+	case PRIV_TTY_DRAINWAIT:
+	case PRIV_TTY_DTRWAIT:
+	case PRIV_TTY_EXCLUSIVE:
+	case PRIV_TTY_PRISON:
+	case PRIV_TTY_STI:
+	case PRIV_TTY_SETA:
+
+	/*
+	 * Grant most VFS privileges, as almost all are in practice bounded
+	 * by more specific checks using labels.
+	 */
+	case PRIV_VFS_READ:
+	case PRIV_VFS_WRITE:
+	case PRIV_VFS_ADMIN:
+	case PRIV_VFS_EXEC:
+	case PRIV_VFS_LOOKUP:
+	case PRIV_VFS_CHFLAGS_DEV:
+	case PRIV_VFS_CHOWN:
+	case PRIV_VFS_CHROOT:
+	case PRIV_VFS_RETAINSUGID:
+	case PRIV_VFS_EXCEEDQUOTA:
+	case PRIV_VFS_FCHROOT:
+	case PRIV_VFS_FHOPEN:
+	case PRIV_VFS_FHSTATFS:
+	case PRIV_VFS_GENERATION:
+	case PRIV_VFS_GETFH:
+	case PRIV_VFS_GETQUOTA:
+	case PRIV_VFS_LINK:
+	case PRIV_VFS_MOUNT:
+	case PRIV_VFS_MOUNT_OWNER:
+	case PRIV_VFS_MOUNT_PERM:
+	case PRIV_VFS_MOUNT_SUIDDIR:
+	case PRIV_VFS_MOUNT_NONUSER:
+	case PRIV_VFS_SETGID:
+	case PRIV_VFS_STICKYFILE:
+	case PRIV_VFS_SYSFLAGS:
+	case PRIV_VFS_UNMOUNT:
+
+	/*
+	 * Allow VM privileges; it would be nice if these were subject to
+	 * resource limits.
+	 */
+	case PRIV_VM_MADV_PROTECT:
+	case PRIV_VM_MLOCK:
+	case PRIV_VM_MUNLOCK:
+
+	/*
+	 * Allow some but not all network privileges.  In general, dont allow
+	 * reconfiguring the network stack, just normal use.
+	 */
+	case PRIV_NETATALK_RESERVEDPORT:
+	case PRIV_NETINET_RESERVEDPORT:
+	case PRIV_NETINET_RAW:
+	case PRIV_NETINET_REUSEPORT:
+	case PRIV_NETIPX_RESERVEDPORT:
+	case PRIV_NETIPX_RAW:
+		break;
+
+	/*
+	 * All remaining system privileges are allow only if the process
+	 * holds privilege with respect to the LOMAC policy.
+	 */
+	default:
+		subj = SLOT(cred->cr_label);
+		error = mac_lomac_subject_privileged(subj);
+		if (error)
+			return (error);
+	}
+	return (0);
+}
+
+
 static int
 mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp,
     struct label *label)
@@ -2748,7 +2923,6 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit,
 	.mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver,
 	.mpo_check_kld_load = mac_lomac_check_kld_load,
-	.mpo_check_kld_unload = mac_lomac_check_kld_unload,
 	.mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl,
 	.mpo_check_pipe_read = mac_lomac_check_pipe_read,
 	.mpo_check_pipe_relabel = mac_lomac_check_pipe_relabel,
@@ -2786,6 +2960,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_check_vnode_write = mac_lomac_check_vnode_write,
 	.mpo_thread_userret = mac_lomac_thread_userret,
 	.mpo_create_mbuf_from_firewall = mac_lomac_create_mbuf_from_firewall,
+	.mpo_priv_check = mac_lomac_priv_check,
 };
 
 MAC_POLICY_SET(&mac_lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC",
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 9e66145..b06c02b 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -781,13 +781,6 @@ stub_check_kld_stat(struct ucred *cred)
 }
 
 static int
-stub_check_kld_unload(struct ucred *cred)
-{
-
-	return (0);
-}
-
-static int
 stub_check_mount_stat(struct ucred *cred, struct mount *mp,
     struct label *mntlabel)
 {
@@ -1095,13 +1088,6 @@ stub_check_socket_visible(struct ucred *cred, struct socket *socket,
 }
 
 static int
-stub_check_sysarch_ioperm(struct ucred *cred)
-{
-
-	return (0);
-}
-
-static int
 stub_check_system_acct(struct ucred *cred, struct vnode *vp,
     struct label *vlabel)
 {
@@ -1132,13 +1118,6 @@ stub_check_system_auditon(struct ucred *cred, int cmd)
 }
 
 static int
-stub_check_system_nfsd(struct ucred *cred)
-{
-
-	return (0);
-}
-
-static int
 stub_check_system_reboot(struct ucred *cred, int how)
 {
 
@@ -1146,13 +1125,6 @@ stub_check_system_reboot(struct ucred *cred, int how)
 }
 
 static int
-stub_check_system_settime(struct ucred *cred)
-{
-
-	return (0);
-}
-
-static int
 stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
     struct label *label)
 {
@@ -1596,7 +1568,6 @@ static struct mac_policy_ops mac_stub_ops =
 	.mpo_check_kenv_unset = stub_check_kenv_unset,
 	.mpo_check_kld_load = stub_check_kld_load,
 	.mpo_check_kld_stat = stub_check_kld_stat,
-	.mpo_check_kld_unload = stub_check_kld_unload,
 	.mpo_check_mount_stat = stub_check_mount_stat,
 	.mpo_check_pipe_ioctl = stub_check_pipe_ioctl,
 	.mpo_check_pipe_poll = stub_check_pipe_poll,
@@ -1637,14 +1608,11 @@ static struct mac_policy_ops mac_stub_ops =
 	.mpo_check_socket_send = stub_check_socket_send,
 	.mpo_check_socket_stat = stub_check_socket_stat,
 	.mpo_check_socket_visible = stub_check_socket_visible,
-	.mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm,
 	.mpo_check_system_acct = stub_check_system_acct,
 	.mpo_check_system_audit = stub_check_system_audit,
 	.mpo_check_system_auditctl = stub_check_system_auditctl,
 	.mpo_check_system_auditon = stub_check_system_auditon,
-	.mpo_check_system_nfsd = stub_check_system_nfsd,
 	.mpo_check_system_reboot = stub_check_system_reboot,
-	.mpo_check_system_settime = stub_check_system_settime,
 	.mpo_check_system_swapoff = stub_check_system_swapoff,
 	.mpo_check_system_swapon = stub_check_system_swapon,
 	.mpo_check_system_sysctl = stub_check_system_sysctl,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index d3cf5c6..5c53b15 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1536,17 +1536,6 @@ mac_test_check_kld_stat(struct ucred *cred)
 	return (0);
 }
 
-COUNTER_DECL(check_kld_unload);
-static int
-mac_test_check_kld_unload(struct ucred *cred)
-{
-
-	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
-	COUNTER_INC(check_kld_unload);
-
-	return (0);
-}
-
 COUNTER_DECL(check_mount_stat);
 static int
 mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
@@ -1968,17 +1957,6 @@ mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
 	return (0);
 }
 
-COUNTER_DECL(check_sysarch_ioperm);
-static int
-mac_test_check_sysarch_ioperm(struct ucred *cred)
-{
-
-	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
-	COUNTER_INC(check_sysarch_ioperm);
-
-	return (0);
-}
-
 COUNTER_DECL(check_system_acct);
 static int
 mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
@@ -2038,17 +2016,6 @@ mac_test_check_system_reboot(struct ucred *cred, int how)
 	return (0);
 }
 
-COUNTER_DECL(check_system_settime);
-static int
-mac_test_check_system_settime(struct ucred *cred)
-{
-
-	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
-	COUNTER_INC(check_system_settime);
-
-	return (0);
-}
-
 COUNTER_DECL(check_system_swapoff);
 static int
 mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
@@ -2645,7 +2612,6 @@ static struct mac_policy_ops mac_test_ops =
 	.mpo_check_kenv_unset = mac_test_check_kenv_unset,
 	.mpo_check_kld_load = mac_test_check_kld_load,
 	.mpo_check_kld_stat = mac_test_check_kld_stat,
-	.mpo_check_kld_unload = mac_test_check_kld_unload,
 	.mpo_check_mount_stat = mac_test_check_mount_stat,
 	.mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
 	.mpo_check_pipe_poll = mac_test_check_pipe_poll,
@@ -2685,13 +2651,11 @@ static struct mac_policy_ops mac_test_ops =
 	.mpo_check_socket_send = mac_test_check_socket_send,
 	.mpo_check_socket_stat = mac_test_check_socket_stat,
 	.mpo_check_socket_visible = mac_test_check_socket_visible,
-	.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
 	.mpo_check_system_acct = mac_test_check_system_acct,
 	.mpo_check_system_audit = mac_test_check_system_audit,
 	.mpo_check_system_auditctl = mac_test_check_system_auditctl,
 	.mpo_check_system_auditon = mac_test_check_system_auditon,
 	.mpo_check_system_reboot = mac_test_check_system_reboot,
-	.mpo_check_system_settime = mac_test_check_system_settime,
 	.mpo_check_system_swapoff = mac_test_check_system_swapoff,
 	.mpo_check_system_swapon = mac_test_check_system_swapon,
 	.mpo_check_system_sysctl = mac_test_check_system_sysctl,