authorrwatson <rwatson@FreeBSD.org>2006-12-21 09:51:34 +0000
committerrwatson <rwatson@FreeBSD.org>2006-12-21 09:51:34 +0000
commit6fa1425be4ba1838fbf0b757c9cbbb6c0da6811f (patch)
tree0e00125c1e53f64a611961efffaf3188df3fc0d6 /sys/security
parent24b8c057ed5ff8edf963e31c6cd9eaf0514469b2 (diff)
Remove mac_enforce_subsystem debugging sysctls. Enforcement on subsystems will be a property of policy modules, which may require access control check entry points to be invoked even when not actively enforcing (i.e., to track information flow without providing protection).

Obtained from: TrustedBSD Project
Suggested by: Christopher dot Vance at sparta dot com
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.c4
-rw-r--r--sys/security/mac/mac_inet.c3
-rw-r--r--sys/security/mac/mac_internal.h4
-rw-r--r--sys/security/mac/mac_net.c15
-rw-r--r--sys/security/mac/mac_pipe.c23
-rw-r--r--sys/security/mac/mac_posix_sem.c23
-rw-r--r--sys/security/mac/mac_process.c57
-rw-r--r--sys/security/mac/mac_socket.c42
-rw-r--r--sys/security/mac/mac_syscalls.c4
-rw-r--r--sys/security/mac/mac_system.c55
-rw-r--r--sys/security/mac/mac_sysv_msg.c27
-rw-r--r--sys/security/mac/mac_sysv_sem.c14
-rw-r--r--sys/security/mac/mac_sysv_shm.c18
-rw-r--r--sys/security/mac/mac_vfs.c110
14 files changed, 2 insertions, 397 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 080b1ad..a18b853 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -741,9 +741,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
crhold(newcred);
PROC_UNLOCK(p);
- if (mac_enforce_vm) {
- mac_cred_mmapped_drop_perms(td, newcred);
- }
+ mac_cred_mmapped_drop_perms(td, newcred);
crfree(newcred); /* Free revocation reference. */
crfree(oldcred);
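Review bot: The now-unconditional `mac_cred_mmapped_drop_perms(td, newcred);` runs after `PROC_UNLOCK(p)` on every credential change, and nothing at the call site says why the `mac_enforce_vm` gate was safe to drop; the `mac_mmap_revocation` sysctl kept in mac_process.c (still CTLFLAG_RW) presumably remains the only runtime control over whether revocation actually happens, so a one-line comment would help the next reader: `/* Always re-examine mmapped file access on cred change; mac_mmap_revocation (mac_process.c) still decides whether anything is revoked. */`. The same change appears in the mac_syscalls.c hunk at the same location (lines 741-747), and the two hunks are byte-identical down to the `index 080b1ad..a18b853` line, which looks like a rendering artifact of this page rather than two real files; worth confirming against the repository, since if both files genuinely exist `__mac_set_proc` would be defined twice. `__mac_set_proc` begins and ends outside the hunk.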
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index 8802a50..d946bb9 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -260,9 +260,6 @@ mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
M_ASSERTPKTHDR(m);
- if (!mac_enforce_socket)
- return (0);
-
label = mac_mbuf_to_label(m);
MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label);
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 40146a6..24a6cfc 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -61,10 +61,6 @@ MALLOC_DECLARE(M_MACTEMP);
extern struct mac_policy_list_head mac_policy_list;
extern struct mac_policy_list_head mac_static_policy_list;
extern int mac_late;
-extern int mac_enforce_network;
-extern int mac_enforce_process;
-extern int mac_enforce_socket;
-extern int mac_enforce_vm;
#ifndef MAC_ALWAYS_LABEL_MBUF
extern int mac_labelmbufs;
#endif
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 374b3cd..95ad63b 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -66,15 +66,6 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_internal.h>
/*
- * mac_enforce_network is used by IPv4 and IPv6 checks, and so must be
- * non-static for now.
- */
-int mac_enforce_network = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
- &mac_enforce_network, 0, "Enforce MAC policy on network packets");
-TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
-
-/*
* XXXRW: struct ifnet locking is incomplete in the network code, so we use
* our own global mutex for struct ifnet. Non-ideal, but should help in the
* SMP environment.
@@ -383,9 +374,6 @@ mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
BPFD_LOCK_ASSERT(bpf_d);
- if (!mac_enforce_network)
- return (0);
-
MAC_IFNET_LOCK(ifnet);
MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet,
ifnet->if_label);
@@ -402,9 +390,6 @@ mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
M_ASSERTPKTHDR(mbuf);
- if (!mac_enforce_network)
- return (0);
-
label = mac_mbuf_to_label(mbuf);
MAC_IFNET_LOCK(ifnet);
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index edc03132..44755ad 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -52,11 +52,6 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-static int mac_enforce_pipe = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
- &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
-TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
-
struct label *
mac_pipe_label_alloc(void)
{
@@ -141,9 +136,6 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
mtx_assert(&pp->pp_mtx, MA_OWNED);
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(check_pipe_ioctl, cred, pp, pp->pp_label, cmd, data);
return (error);
@@ -156,9 +148,6 @@ mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp)
mtx_assert(&pp->pp_mtx, MA_OWNED);
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(check_pipe_poll, cred, pp, pp->pp_label);
return (error);
@@ -171,9 +160,6 @@ mac_check_pipe_read(struct ucred *cred, struct pipepair *pp)
mtx_assert(&pp->pp_mtx, MA_OWNED);
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(check_pipe_read, cred, pp, pp->pp_label);
return (error);
@@ -187,9 +173,6 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
mtx_assert(&pp->pp_mtx, MA_OWNED);
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(check_pipe_relabel, cred, pp, pp->pp_label, newlabel);
return (error);
@@ -202,9 +185,6 @@ mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp)
mtx_assert(&pp->pp_mtx, MA_OWNED);
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(check_pipe_stat, cred, pp, pp->pp_label);
return (error);
@@ -217,9 +197,6 @@ mac_check_pipe_write(struct ucred *cred, struct pipepair *pp)
mtx_assert(&pp->pp_mtx, MA_OWNED);
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(check_pipe_write, cred, pp, pp->pp_label);
return (error);
diff --git a/sys/security/mac/mac_posix_sem.c b/sys/security/mac/mac_posix_sem.c
index ec05587..6c66e7e 100644
--- a/sys/security/mac/mac_posix_sem.c
+++ b/sys/security/mac/mac_posix_sem.c
@@ -49,11 +49,6 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-static int mac_enforce_posix_sem = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_posix_sem, CTLFLAG_RW,
- &mac_enforce_posix_sem, 0, "Enforce MAC policy on global POSIX semaphores");
-TUNABLE_INT("security.mac.enforce_posix_sem", &mac_enforce_posix_sem);
-
static struct label *
mac_posix_sem_label_alloc(void)
{
@@ -98,9 +93,6 @@ mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ksemptr)
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
MAC_CHECK(check_posix_sem_destroy, cred, ksemptr, ksemptr->ks_label);
return(error);
@@ -111,9 +103,6 @@ mac_check_posix_sem_open(struct ucred *cred, struct ksem *ksemptr)
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
MAC_CHECK(check_posix_sem_open, cred, ksemptr, ksemptr->ks_label);
return(error);
@@ -124,9 +113,6 @@ mac_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ksemptr)
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
MAC_CHECK(check_posix_sem_getvalue, cred, ksemptr,
ksemptr->ks_label);
@@ -138,9 +124,6 @@ mac_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr)
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
MAC_CHECK(check_posix_sem_post, cred, ksemptr, ksemptr->ks_label);
return(error);
@@ -151,9 +134,6 @@ mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr)
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
MAC_CHECK(check_posix_sem_unlink, cred, ksemptr, ksemptr->ks_label);
return(error);
@@ -164,9 +144,6 @@ mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr)
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
MAC_CHECK(check_posix_sem_wait, cred, ksemptr, ksemptr->ks_label);
return(error);
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 5a63b0d..43c564e 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -67,16 +67,6 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-int mac_enforce_process = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
- &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
-TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
-
-int mac_enforce_vm = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
- &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
-TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
-
static int mac_mmap_revocation = 1;
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
&mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
@@ -87,11 +77,6 @@ SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
&mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
"copy-on-write semantics, or by removing all write access");
-static int mac_enforce_suid = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_suid, CTLFLAG_RW,
- &mac_enforce_suid, 0, "Enforce MAC policy on suid/sgid operations");
-TUNABLE_INT("security.mac.enforce_suid", &mac_enforce_suid);
-
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
@@ -466,9 +451,6 @@ mac_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
int error;
- if (!mac_enforce_process)
- return (0);
-
MAC_CHECK(check_cred_visible, u1, u2);
return (error);
@@ -481,9 +463,6 @@ mac_check_proc_debug(struct ucred *cred, struct proc *proc)
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_process)
- return (0);
-
MAC_CHECK(check_proc_debug, cred, proc);
return (error);
@@ -496,9 +475,6 @@ mac_check_proc_sched(struct ucred *cred, struct proc *proc)
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_process)
- return (0);
-
MAC_CHECK(check_proc_sched, cred, proc);
return (error);
@@ -511,9 +487,6 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_process)
- return (0);
-
MAC_CHECK(check_proc_signal, cred, proc, signum);
return (error);
@@ -526,9 +499,6 @@ mac_check_proc_setuid(struct proc *proc, struct ucred *cred, uid_t uid)
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_suid)
- return (0);
-
MAC_CHECK(check_proc_setuid, cred, uid);
return (error);
}
@@ -540,9 +510,6 @@ mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, uid_t euid)
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_suid)
- return (0);
-
MAC_CHECK(check_proc_seteuid, cred, euid);
return (error);
}
@@ -554,9 +521,6 @@ mac_check_proc_setgid(struct proc *proc, struct ucred *cred, gid_t gid)
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_suid)
- return (0);
-
MAC_CHECK(check_proc_setgid, cred, gid);
return (error);
}
@@ -568,9 +532,6 @@ mac_check_proc_setegid(struct proc *proc, struct ucred *cred, gid_t egid)
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_suid)
- return (0);
-
MAC_CHECK(check_proc_setegid, cred, egid);
return (error);
}
@@ -583,9 +544,6 @@ mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_suid)
- return (0);
-
MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset);
return (error);
}
@@ -598,9 +556,6 @@ mac_check_proc_setreuid(struct proc *proc, struct ucred *cred, uid_t ruid,
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_suid)
- return (0);
-
MAC_CHECK(check_proc_setreuid, cred, ruid, euid);
return (error);
}
@@ -613,9 +568,6 @@ mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_suid)
- return (0);
-
MAC_CHECK(check_proc_setregid, cred, rgid, egid);
return (error);
}
@@ -628,9 +580,6 @@ mac_check_proc_setresuid(struct proc *proc, struct ucred *cred, uid_t ruid,
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_suid)
- return (0);
-
MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid);
return (error);
}
@@ -643,9 +592,6 @@ mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid,
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_suid)
- return (0);
-
MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid);
return (error);
}
@@ -657,9 +603,6 @@ mac_check_proc_wait(struct ucred *cred, struct proc *proc)
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_process)
- return (0);
-
MAC_CHECK(check_proc_wait, cred, proc);
return (error);
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c
index 2a2dfa4..2898519 100644
--- a/sys/security/mac/mac_socket.c
+++ b/sys/security/mac/mac_socket.c
@@ -73,15 +73,6 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_internal.h>
/*
- * mac_enforce_socket is used by the inet code when delivering to an inpcb
- * without hitting the socket layer, and has to be non-static for now.
- */
-int mac_enforce_socket = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
- &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
-TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
-
-/*
* Currently, sockets hold two labels: the label of the socket itself, and a
* peer label, which may be used by policies to hold a copy of the label of
* any remote endpoint.
@@ -285,9 +276,6 @@ mac_check_socket_accept(struct ucred *cred, struct socket *socket)
SOCK_LOCK_ASSERT(socket);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_accept, cred, socket, socket->so_label);
return (error);
@@ -301,9 +289,6 @@ mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
SOCK_LOCK_ASSERT(socket);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label,
sockaddr);
@@ -318,9 +303,6 @@ mac_check_socket_connect(struct ucred *cred, struct socket *socket,
SOCK_LOCK_ASSERT(socket);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_connect, cred, socket, socket->so_label,
sockaddr);
@@ -333,9 +315,6 @@ mac_check_socket_create(struct ucred *cred, int domain, int type,
{
int error;
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_create, cred, domain, type, protocol);
return (error);
@@ -349,9 +328,6 @@ mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
SOCK_LOCK_ASSERT(socket);
- if (!mac_enforce_socket)
- return (0);
-
label = mac_mbuf_to_label(mbuf);
MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf,
@@ -367,9 +343,6 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
SOCK_LOCK_ASSERT(socket);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_listen, cred, socket, socket->so_label);
return (error);
}
@@ -381,9 +354,6 @@ mac_check_socket_poll(struct ucred *cred, struct socket *so)
SOCK_LOCK_ASSERT(so);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_poll, cred, so, so->so_label);
return (error);
}
@@ -395,9 +365,6 @@ mac_check_socket_receive(struct ucred *cred, struct socket *so)
SOCK_LOCK_ASSERT(so);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_receive, cred, so, so->so_label);
return (error);
@@ -424,9 +391,6 @@ mac_check_socket_send(struct ucred *cred, struct socket *so)
SOCK_LOCK_ASSERT(so);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_send, cred, so, so->so_label);
return (error);
@@ -439,9 +403,6 @@ mac_check_socket_stat(struct ucred *cred, struct socket *so)
SOCK_LOCK_ASSERT(so);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_stat, cred, so, so->so_label);
return (error);
@@ -454,9 +415,6 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
SOCK_LOCK_ASSERT(socket);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_visible, cred, socket, socket->so_label);
return (error);
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 080b1ad..a18b853 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -741,9 +741,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
crhold(newcred);
PROC_UNLOCK(p);
- if (mac_enforce_vm) {
- mac_cred_mmapped_drop_perms(td, newcred);
- }
+ mac_cred_mmapped_drop_perms(td, newcred);
crfree(newcred); /* Free revocation reference. */
crfree(oldcred);
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 79108a3..b6ad192 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -50,16 +50,6 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-static int mac_enforce_kld = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
- &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
-TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
-
-static int mac_enforce_system = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
- &mac_enforce_system, 0, "Enforce MAC policy on system operations");
-TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
-
/*
* XXXRW: Some of these checks now duplicate privilege checks. However,
* others provide additional security context that may be useful to policies.
@@ -71,9 +61,6 @@ mac_check_kenv_dump(struct ucred *cred)
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_kenv_dump, cred);
return (error);
@@ -84,9 +71,6 @@ mac_check_kenv_get(struct ucred *cred, char *name)
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_kenv_get, cred, name);
return (error);
@@ -97,9 +81,6 @@ mac_check_kenv_set(struct ucred *cred, char *name, char *value)
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_kenv_set, cred, name, value);
return (error);
@@ -110,9 +91,6 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_kenv_unset, cred, name);
return (error);
@@ -125,9 +103,6 @@ mac_check_kld_load(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
- if (!mac_enforce_kld)
- return (0);
-
MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
return (error);
@@ -138,9 +113,6 @@ mac_check_kld_stat(struct ucred *cred)
{
int error;
- if (!mac_enforce_kld)
- return (0);
-
MAC_CHECK(check_kld_stat, cred);
return (error);
@@ -151,9 +123,6 @@ mac_check_kld_unload(struct ucred *cred)
{
int error;
- if (!mac_enforce_kld)
- return (0);
-
MAC_CHECK(check_kld_unload, cred);
return (error);
@@ -164,9 +133,6 @@ mac_check_sysarch_ioperm(struct ucred *cred)
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_sysarch_ioperm, cred);
return (error);
}
@@ -180,9 +146,6 @@ mac_check_system_acct(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
}
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_system_acct, cred, vp,
vp != NULL ? vp->v_label : NULL);
@@ -194,9 +157,6 @@ mac_check_system_nfsd(struct ucred *cred)
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_system_nfsd, cred);
return (error);
@@ -207,9 +167,6 @@ mac_check_system_reboot(struct ucred *cred, int howto)
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_system_reboot, cred, howto);
return (error);
@@ -220,9 +177,6 @@ mac_check_system_settime(struct ucred *cred)
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_system_settime, cred);
return (error);
@@ -235,9 +189,6 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
return (error);
}
@@ -249,9 +200,6 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
return (error);
}
@@ -266,9 +214,6 @@ mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1,
* XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
* but since it's not exported from kern_sysctl.c, we can't.
*/
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req);
return (error);
diff --git a/sys/security/mac/mac_sysv_msg.c b/sys/security/mac/mac_sysv_msg.c
index 8e66281..95d79ce 100644
--- a/sys/security/mac/mac_sysv_msg.c
+++ b/sys/security/mac/mac_sysv_msg.c
@@ -54,12 +54,6 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-static int mac_enforce_sysv_msg = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_msg, CTLFLAG_RW,
- &mac_enforce_sysv_msg, 0,
- "Enforce MAC policy on System V IPC Message Queues");
-TUNABLE_INT("security.mac.enforce_sysv_msg", &mac_enforce_sysv_msg);
-
static struct label *
mac_sysv_msgmsg_label_alloc(void)
{
@@ -162,9 +156,6 @@ mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msgmsq, cred, msgptr, msgptr->label, msqkptr,
msqkptr->label);
@@ -176,9 +167,6 @@ mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr)
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msgrcv, cred, msgptr, msgptr->label);
return(error);
@@ -189,9 +177,6 @@ mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr)
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msgrmid, cred, msgptr, msgptr->label);
return(error);
@@ -202,9 +187,6 @@ mac_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msqget, cred, msqkptr, msqkptr->label);
return(error);
@@ -215,9 +197,6 @@ mac_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msqsnd, cred, msqkptr, msqkptr->label);
return(error);
@@ -228,9 +207,6 @@ mac_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msqrcv, cred, msqkptr, msqkptr->label);
return(error);
@@ -242,9 +218,6 @@ mac_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msqctl, cred, msqkptr, msqkptr->label, cmd);
return(error);
diff --git a/sys/security/mac/mac_sysv_sem.c b/sys/security/mac/mac_sysv_sem.c
index aae6788..80778c3 100644
--- a/sys/security/mac/mac_sysv_sem.c
+++ b/sys/security/mac/mac_sysv_sem.c
@@ -54,11 +54,6 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-static int mac_enforce_sysv_sem = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_sem, CTLFLAG_RW,
- &mac_enforce_sysv_sem, 0, "Enforce MAC policy on System V IPC Semaphores");
-TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_sem);
-
static struct label *
mac_sysv_sem_label_alloc(void)
{
@@ -112,9 +107,6 @@ mac_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
{
int error;
- if (!mac_enforce_sysv_sem)
- return (0);
-
MAC_CHECK(check_sysv_semctl, cred, semakptr, semakptr->label, cmd);
return(error);
@@ -125,9 +117,6 @@ mac_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr)
{
int error;
- if (!mac_enforce_sysv_sem)
- return (0);
-
MAC_CHECK(check_sysv_semget, cred, semakptr, semakptr->label);
return(error);
@@ -139,9 +128,6 @@ mac_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
{
int error;
- if (!mac_enforce_sysv_sem)
- return (0);
-
MAC_CHECK(check_sysv_semop, cred, semakptr, semakptr->label,
accesstype);
diff --git a/sys/security/mac/mac_sysv_shm.c b/sys/security/mac/mac_sysv_shm.c
index b7c8cfb..7bdffdb 100644
--- a/sys/security/mac/mac_sysv_shm.c
+++ b/sys/security/mac/mac_sysv_shm.c
@@ -54,12 +54,6 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-static int mac_enforce_sysv_shm = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_shm, CTLFLAG_RW,
- &mac_enforce_sysv_shm, 0,
- "Enforce MAC policy on System V IPC shared memory");
-TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_shm);
-
static struct label *
mac_sysv_shm_label_alloc(void)
{
@@ -113,9 +107,6 @@ mac_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
{
int error;
- if (!mac_enforce_sysv_shm)
- return (0);
-
MAC_CHECK(check_sysv_shmat, cred, shmsegptr, shmsegptr->label,
shmflg);
@@ -128,9 +119,6 @@ mac_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
{
int error;
- if (!mac_enforce_sysv_shm)
- return (0);
-
MAC_CHECK(check_sysv_shmctl, cred, shmsegptr, shmsegptr->label,
cmd);
@@ -142,9 +130,6 @@ mac_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
{
int error;
- if (!mac_enforce_sysv_shm)
- return (0);
-
MAC_CHECK(check_sysv_shmdt, cred, shmsegptr, shmsegptr->label);
return(error);
@@ -156,9 +141,6 @@ mac_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
{
int error;
- if (!mac_enforce_sysv_shm)
- return (0);
-
MAC_CHECK(check_sysv_shmget, cred, shmsegptr, shmsegptr->label,
shmflg);
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 403bc1c..b5901f9 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -79,11 +79,6 @@ __FBSDID("$FreeBSD$");
*/
static int ea_warn_once = 0;
-static int mac_enforce_fs = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
- &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
-TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
-
static int mac_setlabel_vnode_extattr(struct ucred *cred,
struct vnode *vp, struct label *intlabel);
@@ -351,9 +346,6 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
- if (!mac_enforce_process && !mac_enforce_fs)
- return;
-
MAC_PERFORM(execve_transition, old, new, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
}
@@ -366,9 +358,6 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition");
- if (!mac_enforce_process && !mac_enforce_fs)
- return (0);
-
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
@@ -383,9 +372,6 @@ mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode);
return (error);
}
@@ -397,9 +383,6 @@ mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label);
return (error);
}
@@ -411,9 +394,6 @@ mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label);
return (error);
}
@@ -426,9 +406,6 @@ mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap);
return (error);
}
@@ -442,9 +419,6 @@ mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete");
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_delete, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
@@ -458,9 +432,6 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type);
return (error);
}
@@ -473,9 +444,6 @@ mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label,
attrnamespace, name);
return (error);
@@ -489,9 +457,6 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
- if (!mac_enforce_process && !mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp,
imgp->execlabel);
@@ -505,9 +470,6 @@ mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type);
return (error);
}
@@ -520,9 +482,6 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
@@ -537,9 +496,6 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
@@ -553,9 +509,6 @@ mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label,
attrnamespace);
return (error);
@@ -569,9 +522,6 @@ mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp);
return (error);
}
@@ -584,9 +534,6 @@ mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
- if (!mac_enforce_fs || !mac_enforce_vm)
- return (0);
-
MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot, flags);
return (error);
}
@@ -598,9 +545,6 @@ mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");
- if (!mac_enforce_fs || !mac_enforce_vm)
- return;
-
MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label,
&result);
@@ -614,9 +558,6 @@ mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
- if (!mac_enforce_fs || !mac_enforce_vm)
- return (0);
-
MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot);
return (error);
}
@@ -628,9 +569,6 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode);
return (error);
}
@@ -643,9 +581,6 @@ mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
vp->v_label);
@@ -660,9 +595,6 @@ mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
vp->v_label);
@@ -676,9 +608,6 @@ mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label);
return (error);
}
@@ -690,9 +619,6 @@ mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label);
return (error);
}
@@ -719,9 +645,6 @@ mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
@@ -736,9 +659,6 @@ mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp,
vp != NULL ? vp->v_label : NULL, samedir, cnp);
return (error);
@@ -751,9 +671,6 @@ mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label);
return (error);
}
@@ -766,9 +683,6 @@ mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl);
return (error);
}
@@ -781,9 +695,6 @@ mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
@@ -796,9 +707,6 @@ mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags);
return (error);
}
@@ -810,9 +718,6 @@ mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode);
return (error);
}
@@ -825,9 +730,6 @@ mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid);
return (error);
}
@@ -840,9 +742,6 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime,
mtime);
return (error);
@@ -856,9 +755,6 @@ mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
vp->v_label);
return (error);
@@ -872,9 +768,6 @@ mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
vp->v_label);
@@ -901,9 +794,6 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount)
{
int error;
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_mntlabel);
return (error);