authorrwatson <rwatson@FreeBSD.org>2002-10-22 14:31:34 +0000
committerrwatson <rwatson@FreeBSD.org>2002-10-22 14:31:34 +0000
commit433e63644a338a43a41eaa4d187660d3697c63ae (patch)
treeac2846797eb26027ef08a9287e6297d480727da9 /sys
parentfdfbfa99f4afe0650a0d2edd6c71256c9dfd7f0b (diff)
downloadFreeBSD-src-433e63644a338a43a41eaa4d187660d3697c63ae.zip
FreeBSD-src-433e63644a338a43a41eaa4d187660d3697c63ae.tar.gz
Adapt MAC policies for the new user API changes; teach policies how
to parse their own label elements (some cleanup to occur here in the future to use the newly added kernel strsep()). Policies now entirely encapsulate their notion of label in the policy module. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys')
-rw-r--r--sys/security/mac_biba/mac_biba.c304
-rw-r--r--sys/security/mac_biba/mac_biba.h2
-rw-r--r--sys/security/mac_mls/mac_mls.c305
-rw-r--r--sys/security/mac_mls/mac_mls.h4
-rw-r--r--sys/security/mac_none/mac_none.c47
-rw-r--r--sys/security/mac_stub/mac_stub.c47
-rw-r--r--sys/security/mac_test/mac_test.c76
7 files changed, 691 insertions, 94 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 525ee5a..f10fd53 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -54,6 +54,7 @@
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
+#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
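Review bot: The added `#include <sys/systm.h>` duplicates the include already present three lines above in this hunk, so the new line is redundant; the header's guard makes it harmless, but it should be dropped rather than left as a second copy. If the intent was to pull in a specific declaration (e.g. for the new string helpers), the existing include already provides it.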
@@ -501,15 +502,132 @@ mac_biba_destroy_label(struct label *label)
SLOT(label) = NULL;
}
+/*
+ * mac_biba_element_to_string() is basically an snprintf wrapper with
+ * the same properties as snprintf(). It returns the length it would
+ * have added to the string in the event the string is too short.
+ */
+static size_t
+mac_biba_element_to_string(char *string, size_t size,
+ struct mac_biba_element *element)
+{
+ int pos, bit = 1;
+
+ switch (element->mbe_type) {
+ case MAC_BIBA_TYPE_HIGH:
+ return (snprintf(string, size, "high"));
+
+ case MAC_BIBA_TYPE_LOW:
+ return (snprintf(string, size, "low"));
+
+ case MAC_BIBA_TYPE_EQUAL:
+ return (snprintf(string, size, "equal"));
+
+ case MAC_BIBA_TYPE_GRADE:
+ pos = snprintf(string, size, "%d:", element->mbe_grade);
+ for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++) {
+ if (MAC_BIBA_BIT_TEST(bit, element->mbe_compartments))
+ pos += snprintf(string + pos, size - pos,
+ "%d+", bit);
+ }
+ if (string[pos - 1] == '+' || string[pos - 1] == ':')
+ string[--pos] = NULL;
+ return (pos);
+
+ default:
+ panic("mac_biba_element_to_string: invalid type (%d)",
+ element->mbe_type);
+ }
+}
+
+static int
+mac_biba_to_string(char *string, size_t size, size_t *caller_len,
+ struct mac_biba *mac_biba)
+{
+ size_t left, len;
+ char *curptr;
+
+ bzero(string, size);
+ curptr = string;
+ left = size;
+
+ if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) {
+ len = mac_biba_element_to_string(curptr, left,
+ &mac_biba->mb_single);
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+ }
+
+ if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) {
+ len = snprintf(curptr, left, "(");
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+
+ len = mac_biba_element_to_string(curptr, left,
+ &mac_biba->mb_rangelow);
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+
+ len = snprintf(curptr, left, "-");
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+
+ len = mac_biba_element_to_string(curptr, left,
+ &mac_biba->mb_rangehigh);
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+
+ len = snprintf(curptr, left, ")");
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+ }
+
+ *caller_len = strlen(string);
+ return (0);
+}
+
+static int
+mac_biba_externalize_label(struct label *label, char *element_name,
+ char *element_data, size_t size, size_t *len, int *claimed)
+{
+ struct mac_biba *mac_biba;
+ int error;
+
+ if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
+ return (0);
+
+ (*claimed)++;
+
+ mac_biba = SLOT(label);
+ error = mac_biba_to_string(element_data, size, len, mac_biba);
+ if (error)
+ return (error);
+
+ *len = strlen(element_data);
+ return (0);
+}
+
static int
-mac_biba_externalize(struct label *label, struct mac *extmac)
+mac_biba_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
{
struct mac_biba *mac_biba;
mac_biba = SLOT(label);
if (mac_biba == NULL) {
- printf("mac_biba_externalize: NULL pointer\n");
+ printf("mac_biba_externalize_vnode_oldmac: NULL pointer\n");
return (0);
}
@@ -519,22 +637,156 @@ mac_biba_externalize(struct label *label, struct mac *extmac)
}
static int
-mac_biba_internalize(struct label *label, struct mac *extmac)
+mac_biba_parse_element(struct mac_biba_element *element, char *string)
+{
+
+ if (strcmp(string, "high") == 0 ||
+ strcmp(string, "hi") == 0) {
+ element->mbe_type = MAC_BIBA_TYPE_HIGH;
+ element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
+ } else if (strcmp(string, "low") == 0 ||
+ strcmp(string, "lo") == 0) {
+ element->mbe_type = MAC_BIBA_TYPE_LOW;
+ element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
+ } else if (strcmp(string, "equal") == 0 ||
+ strcmp(string, "eq") == 0) {
+ element->mbe_type = MAC_BIBA_TYPE_EQUAL;
+ element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
+ } else {
+ char *p0, *p1;
+ int d;
+
+ p0 = string;
+ d = strtol(p0, &p1, 10);
+
+ if (d < 0 || d > 65535)
+ return (EINVAL);
+ element->mbe_type = MAC_BIBA_TYPE_GRADE;
+ element->mbe_grade = d;
+
+ if (*p1 != ':') {
+ if (p1 == p0 || *p1 != '\0')
+ return (EINVAL);
+ else
+ return (0);
+ }
+ else
+ if (*(p1 + 1) == '\0')
+ return (0);
+
+ while ((p0 = ++p1)) {
+ d = strtol(p0, &p1, 10);
+ if (d < 1 || d > MAC_BIBA_MAX_COMPARTMENTS)
+ return (EINVAL);
+
+ MAC_BIBA_BIT_SET(d, element->mbe_compartments);
+
+ if (*p1 == '\0')
+ break;
+ if (p1 == p0 || *p1 != '+')
+ return (EINVAL);
+ }
+ }
+
+ return (0);
+}
+
+/*
+ * Note: destructively consumes the string, make a local copy before
+ * calling if that's a problem.
+ */
+static int
+mac_biba_parse(struct mac_biba *mac_biba, char *string)
{
- struct mac_biba *mac_biba;
+ char *range, *rangeend, *rangehigh, *rangelow, *single;
int error;
- mac_biba = SLOT(label);
+ /* Do we have a range? */
+ single = string;
+ range = index(string, '(');
+ if (range == single)
+ single = NULL;
+ rangelow = rangehigh = NULL;
+ if (range != NULL) {
+ /* Nul terminate the end of the single string. */
+ *range = '\0';
+ range++;
+ rangelow = range;
+ rangehigh = index(rangelow, '-');
+ if (rangehigh == NULL)
+ return (EINVAL);
+ rangehigh++;
+ if (*rangelow == '\0' || *rangehigh == '\0')
+ return (EINVAL);
+ rangeend = index(rangehigh, ')');
+ if (rangeend == NULL)
+ return (EINVAL);
+ if (*(rangeend + 1) != '\0')
+ return (EINVAL);
+ /* Nul terminate the ends of the ranges. */
+ *(rangehigh - 1) = '\0';
+ *rangeend = '\0';
+ }
+ KASSERT((rangelow != NULL && rangehigh != NULL) ||
+ (rangelow == NULL && rangehigh == NULL),
+ ("mac_biba_internalize_label: range mismatch"));
+
+ bzero(mac_biba, sizeof(*mac_biba));
+ if (single != NULL) {
+ error = mac_biba_parse_element(&mac_biba->mb_single, single);
+ if (error)
+ return (error);
+ mac_biba->mb_flags |= MAC_BIBA_FLAG_SINGLE;
+ }
+
+ if (rangelow != NULL) {
+ error = mac_biba_parse_element(&mac_biba->mb_rangelow,
+ rangelow);
+ if (error)
+ return (error);
+ error = mac_biba_parse_element(&mac_biba->mb_rangehigh,
+ rangehigh);
+ if (error)
+ return (error);
+ mac_biba->mb_flags |= MAC_BIBA_FLAG_RANGE;
+ }
error = mac_biba_valid(mac_biba);
if (error)
return (error);
- *mac_biba = extmac->m_biba;
+ return (0);
+}
+
+static int
+mac_biba_internalize_label(struct label *label, char *element_name,
+ char *element_data, int *claimed)
+{
+ struct mac_biba *mac_biba, mac_biba_temp;
+ int error;
+
+ if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
+ return (0);
+
+ (*claimed)++;
+
+ error = mac_biba_parse(&mac_biba_temp, element_data);
+ if (error)
+ return (error);
+
+ mac_biba = SLOT(label);
+ *mac_biba = mac_biba_temp;
return (0);
}
+static void
+mac_biba_copy_label(struct label *src, struct label *dest)
+{
+
+ *SLOT(dest) = *SLOT(src);
+}
+
/*
* Labeling event operations: file system objects, and things that look
* a lot like file system objects.
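Review bot: `mac_biba_parse_element()` only rejects a missing number (`p1 == p0`) in the `*p1 != ':'` branch, so an element that starts with a colon is accepted as grade 0: `:3` parses as grade 0 with compartment 3 and a bare `:` as grade 0 with no compartments, rather than returning EINVAL. Moving the check to directly after the first strtol(), `if (p1 == p0 || d < 0 || d > 65535) return (EINVAL);`, closes that hole; note that strtol() will presumably still skip leading whitespace and accept a sign, so ` 5` and `+5` remain accepted unless checked explicitly. The compartment loop condition `while ((p0 = ++p1))` tests a pointer and is therefore always true, so a plain `for (;;) { p0 = ++p1; ... }` would say what is meant. `mac_biba_copy_label()` copies through both SLOT() pointers unchecked, which is fine if every label reaching MAC_COPY_*_LABEL has been initialised, but that invariant is not visible here. This hunk opens on the closing brace of `mac_biba_externalize_vnode_oldmac()` and ends inside a comment.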
@@ -674,7 +926,7 @@ mac_biba_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
static int
mac_biba_update_vnode_from_externalized(struct vnode *vp,
- struct label *vnodelabel, struct mac *extmac)
+ struct label *vnodelabel, struct oldmac *extmac)
{
struct mac_biba *source, *dest;
int error;
@@ -924,7 +1176,7 @@ mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
/*
* Because the source mbuf may not yet have been "created",
- * just initialiezd, we do a conditional copy. Since we don't
+ * just initialized, we do a conditional copy. Since we don't
* allow mbufs to have ranges, do a KASSERT to make sure that
* doesn't happen.
*/
@@ -2153,8 +2405,6 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_init_label_waitcheck },
{ MAC_INIT_SOCKET_PEER_LABEL,
(macop_t)mac_biba_init_label_waitcheck },
- { MAC_INIT_TEMP_LABEL,
- (macop_t)mac_biba_init_label },
{ MAC_INIT_VNODE_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_DESTROY_BPFDESC_LABEL,
@@ -2179,14 +2429,36 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_SOCKET_PEER_LABEL,
(macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_TEMP_LABEL,
- (macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_VNODE_LABEL,
(macop_t)mac_biba_destroy_label },
- { MAC_EXTERNALIZE,
- (macop_t)mac_biba_externalize },
- { MAC_INTERNALIZE,
- (macop_t)mac_biba_internalize },
+ { MAC_COPY_PIPE_LABEL,
+ (macop_t)mac_biba_copy_label },
+ { MAC_COPY_VNODE_LABEL,
+ (macop_t)mac_biba_copy_label },
+ { MAC_EXTERNALIZE_CRED_LABEL,
+ (macop_t)mac_biba_externalize_label },
+ { MAC_EXTERNALIZE_IFNET_LABEL,
+ (macop_t)mac_biba_externalize_label },
+ { MAC_EXTERNALIZE_PIPE_LABEL,
+ (macop_t)mac_biba_externalize_label },
+ { MAC_EXTERNALIZE_SOCKET_LABEL,
+ (macop_t)mac_biba_externalize_label },
+ { MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
+ (macop_t)mac_biba_externalize_label },
+ { MAC_EXTERNALIZE_VNODE_LABEL,
+ (macop_t)mac_biba_externalize_label },
+ { MAC_EXTERNALIZE_VNODE_OLDMAC,
+ (macop_t)mac_biba_externalize_vnode_oldmac },
+ { MAC_INTERNALIZE_CRED_LABEL,
+ (macop_t)mac_biba_internalize_label },
+ { MAC_INTERNALIZE_IFNET_LABEL,
+ (macop_t)mac_biba_internalize_label },
+ { MAC_INTERNALIZE_PIPE_LABEL,
+ (macop_t)mac_biba_internalize_label },
+ { MAC_INTERNALIZE_SOCKET_LABEL,
+ (macop_t)mac_biba_internalize_label },
+ { MAC_INTERNALIZE_VNODE_LABEL,
+ (macop_t)mac_biba_internalize_label },
{ MAC_CREATE_DEVFS_DEVICE,
(macop_t)mac_biba_create_devfs_device },
{ MAC_CREATE_DEVFS_DIRECTORY,
diff --git a/sys/security/mac_biba/mac_biba.h b/sys/security/mac_biba/mac_biba.h
index 9d6ce0f..95af8dd 100644
--- a/sys/security/mac_biba/mac_biba.h
+++ b/sys/security/mac_biba/mac_biba.h
@@ -45,6 +45,8 @@
#define MAC_BIBA_EXTATTR_NAMESPACE EXTATTR_NAMESPACE_SYSTEM
#define MAC_BIBA_EXTATTR_NAME "mac_biba"
+#define MAC_BIBA_LABEL_NAME "biba"
+
#define MAC_BIBA_FLAG_SINGLE 0x00000001 /* mb_single initialized */
#define MAC_BIBA_FLAG_RANGE 0x00000002 /* mb_range* initialized */
#define MAC_BIBA_FLAGS_BOTH (MAC_BIBA_FLAG_SINGLE | MAC_BIBA_FLAG_RANGE)
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 2a74589..b053f51 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -54,6 +54,7 @@
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
+#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
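Review bot: The added `#include <sys/systm.h>` duplicates the include already present three lines above in this hunk and should be dropped; the header guard makes the second copy harmless, but it is noise for the next reader. The same duplicate is added to mac_biba.c in this commit.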
@@ -489,8 +490,126 @@ mac_mls_destroy_label(struct label *label)
SLOT(label) = NULL;
}
+/*
+ * mac_mls_element_to_string() is basically an snprintf wrapper with
+ * the same properties as snprintf(). It returns the length it would
+ * have added to the string in the event the string is too short.
+ */
+static size_t
+mac_mls_element_to_string(char *string, size_t size,
+ struct mac_mls_element *element)
+{
+ int pos, bit = 1;
+
+ switch (element->mme_type) {
+ case MAC_MLS_TYPE_HIGH:
+ return (snprintf(string, size, "high"));
+
+ case MAC_MLS_TYPE_LOW:
+ return (snprintf(string, size, "low"));
+
+ case MAC_MLS_TYPE_EQUAL:
+ return (snprintf(string, size, "equal"));
+
+ case MAC_MLS_TYPE_LEVEL:
+ pos = snprintf(string, size, "%d:", element->mme_level);
+ for (bit = 1; bit <= MAC_MLS_MAX_COMPARTMENTS; bit++) {
+ if (MAC_MLS_BIT_TEST(bit, element->mme_compartments))
+ pos += snprintf(string + pos, size - pos,
+ "%d+", bit);
+ }
+ if (string[pos - 1] == '+' || string[pos - 1] == ':')
+ string[--pos] = NULL;
+ return (pos);
+
+ default:
+ panic("mac_mls_element_to_string: invalid type (%d)",
+ element->mme_type);
+ }
+}
+
+static size_t
+mac_mls_to_string(char *string, size_t size, size_t *caller_len,
+ struct mac_mls *mac_mls)
+{
+ size_t left, len;
+ char *curptr;
+
+ bzero(string, size);
+ curptr = string;
+ left = size;
+
+ if (mac_mls->mm_flags & MAC_MLS_FLAG_SINGLE) {
+ len = mac_mls_element_to_string(curptr, left,
+ &mac_mls->mm_single);
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+ }
+
+ if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) {
+ len = snprintf(curptr, left, "(");
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+
+ len = mac_mls_element_to_string(curptr, left,
+ &mac_mls->mm_rangelow);
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+
+ len = snprintf(curptr, left, "-");
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+
+ len = mac_mls_element_to_string(curptr, left,
+ &mac_mls->mm_rangehigh);
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+
+ len = snprintf(curptr, left, ")");
+ if (len >= left)
+ return (EINVAL);
+ left -= len;
+ curptr += len;
+ }
+
+ *caller_len = strlen(string);
+ return (0);
+}
+
+static int
+mac_mls_externalize_label(struct label *label, char *element_name,
+ char *element_data, size_t size, size_t *len, int *claimed)
+{
+ struct mac_mls *mac_mls;
+ int error;
+
+ if (strcmp(MAC_MLS_LABEL_NAME, element_name) != 0)
+ return (0);
+
+ (*claimed)++;
+
+ mac_mls = SLOT(label);
+
+ error = mac_mls_to_string(element_data, size, len, mac_mls);
+ if (error)
+ return (error);
+
+ *len = strlen(element_data);
+ return (0);
+}
+
static int
-mac_mls_externalize(struct label *label, struct mac *extmac)
+mac_mls_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
{
struct mac_mls *mac_mls;
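Review bot: `mac_mls_to_string()` is declared to return `size_t` but returns the error codes `EINVAL`/`0`, which the caller then stores in an `int error`; the Biba counterpart in this same commit is `static int`, and this one should be too. `mac_mls_element_to_string()` has the same truncation hazard as its Biba twin in the MAC_MLS_TYPE_LEVEL case: once `pos` exceeds `size`, `size - pos` wraps and the next snprintf() writes past `string`, and the trailing `string[pos - 1]` access is also out of bounds. Guard the loop with `if ((size_t)pos >= size) return (pos);` before the snprintf(), perform the separator trim only when `(size_t)pos < size`, and write `'\0'` rather than `NULL` into the char.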
@@ -507,22 +626,156 @@ mac_mls_externalize(struct label *label, struct mac *extmac)
}
static int
-mac_mls_internalize(struct label *label, struct mac *extmac)
+mac_mls_parse_element(struct mac_mls_element *element, char *string)
+{
+
+ if (strcmp(string, "high") == 0 ||
+ strcmp(string, "hi") == 0) {
+ element->mme_type = MAC_MLS_TYPE_HIGH;
+ element->mme_level = MAC_MLS_TYPE_UNDEF;
+ } else if (strcmp(string, "low") == 0 ||
+ strcmp(string, "lo") == 0) {
+ element->mme_type = MAC_MLS_TYPE_LOW;
+ element->mme_level = MAC_MLS_TYPE_UNDEF;
+ } else if (strcmp(string, "equal") == 0 ||
+ strcmp(string, "eq") == 0) {
+ element->mme_type = MAC_MLS_TYPE_EQUAL;
+ element->mme_level = MAC_MLS_TYPE_UNDEF;
+ } else {
+ char *p0, *p1;
+ int d;
+
+ p0 = string;
+ d = strtol(p0, &p1, 10);
+
+ if (d < 0 || d > 65535)
+ return (EINVAL);
+ element->mme_type = MAC_MLS_TYPE_LEVEL;
+ element->mme_level = d;
+
+ if (*p1 != ':') {
+ if (p1 == p0 || *p1 != '\0')
+ return (EINVAL);
+ else
+ return (0);
+ }
+ else
+ if (*(p1 + 1) == '\0')
+ return (0);
+
+ while ((p0 = ++p1)) {
+ d = strtol(p0, &p1, 10);
+ if (d < 1 || d > MAC_MLS_MAX_COMPARTMENTS)
+ return (EINVAL);
+
+ MAC_MLS_BIT_SET(d, element->mme_compartments);
+
+ if (*p1 == '\0')
+ break;
+ if (p1 == p0 || *p1 != '+')
+ return (EINVAL);
+ }
+ }
+
+ return (0);
+}
+
+/*
+ * Note: destructively consumes the string, make a local copy before
+ * calling if that's a problem.
+ */
+static int
+mac_mls_parse(struct mac_mls *mac_mls, char *string)
{
- struct mac_mls *mac_mls;
+ char *range, *rangeend, *rangehigh, *rangelow, *single;
int error;
- mac_mls = SLOT(label);
+ /* Do we have a range? */
+ single = string;
+ range = index(string, '(');
+ if (range == single)
+ single = NULL;
+ rangelow = rangehigh = NULL;
+ if (range != NULL) {
+ /* Nul terminate the end of the single string. */
+ *range = '\0';
+ range++;
+ rangelow = range;
+ rangehigh = index(rangelow, '-');
+ if (rangehigh == NULL)
+ return (EINVAL);
+ rangehigh++;
+ if (*rangelow == '\0' || *rangehigh == '\0')
+ return (EINVAL);
+ rangeend = index(rangehigh, ')');
+ if (rangeend == NULL)
+ return (EINVAL);
+ if (*(rangeend + 1) != '\0')
+ return (EINVAL);
+ /* Nul terminate the ends of the ranges. */
+ *(rangehigh - 1) = '\0';
+ *rangeend = '\0';
+ }
+ KASSERT((rangelow != NULL && rangehigh != NULL) ||
+ (rangelow == NULL && rangehigh == NULL),
+ ("mac_biba_internalize_label: range mismatch"));
+
+ bzero(mac_mls, sizeof(*mac_mls));
+ if (single != NULL) {
+ error = mac_mls_parse_element(&mac_mls->mm_single, single);
+ if (error)
+ return (error);
+ mac_mls->mm_flags |= MAC_MLS_FLAG_SINGLE;
+ }
+
+ if (rangelow != NULL) {
+ error = mac_mls_parse_element(&mac_mls->mm_rangelow,
+ rangelow);
+ if (error)
+ return (error);
+ error = mac_mls_parse_element(&mac_mls->mm_rangehigh,
+ rangehigh);
+ if (error)
+ return (error);
+ mac_mls->mm_flags |= MAC_MLS_FLAG_RANGE;
+ }
error = mac_mls_valid(mac_mls);
if (error)
return (error);
- *mac_mls = extmac->m_mls;
+ return (0);
+}
+
+static int
+mac_mls_internalize_label(struct label *label, char *element_name,
+ char *element_data, int *claimed)
+{
+ struct mac_mls *mac_mls, mac_mls_temp;
+ int error;
+
+ if (strcmp(MAC_MLS_LABEL_NAME, element_name) != 0)
+ return (0);
+
+ (*claimed)++;
+
+ error = mac_mls_parse(&mac_mls_temp, element_data);
+ if (error)
+ return (error);
+
+ mac_mls = SLOT(label);
+ *mac_mls = mac_mls_temp;
return (0);
}
+static void
+mac_mls_copy_label(struct label *src, struct label *dest)
+{
+
+ *SLOT(dest) = *SLOT(src);
+}
+
/*
* Labeling event operations: file system objects, and things that look
* a lot like file system objects.
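Review bot: The KASSERT in `mac_mls_parse()` reports itself as `"mac_biba_internalize_label: range mismatch"`, a copy-paste from the Biba module, and should read `("mac_mls_parse: range mismatch")` so a panic message points at the right policy. `mac_mls_parse_element()` also inherits the Biba parser's leniency: the `p1 == p0` test lives only in the `*p1 != ':'` branch, so `:3` is accepted as level 0 with compartment 3 and a bare `:` as level 0; `if (p1 == p0 || d < 0 || d > 65535) return (EINVAL);` immediately after the first strtol() fixes it. The `while ((p0 = ++p1))` condition tests a pointer and is always true, so `for (;;)` would be clearer. This hunk opens on the closing brace of `mac_mls_externalize_vnode_oldmac()` and ends inside a comment.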
@@ -665,7 +918,7 @@ mac_mls_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
static int
mac_mls_update_vnode_from_externalized(struct vnode *vp,
- struct label *vnodelabel, struct mac *extmac)
+ struct label *vnodelabel, struct oldmac *extmac)
{
struct mac_mls *source, *dest;
int error;
@@ -997,7 +1250,7 @@ mac_mls_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
static void
mac_mls_execve_transition(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct mac *vnodelabel)
+ struct vnode *vp, struct label *vnodelabel)
{
struct mac_mls *source, *dest;
@@ -1010,7 +1263,7 @@ mac_mls_execve_transition(struct ucred *old, struct ucred *new,
static int
mac_mls_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct mac *vnodelabel)
+ struct label *vnodelabel)
{
return (0);
@@ -2110,8 +2363,6 @@ static struct mac_policy_op_entry mac_mls_ops[] =
(macop_t)mac_mls_init_label_waitcheck },
{ MAC_INIT_SOCKET_PEER_LABEL,
(macop_t)mac_mls_init_label_waitcheck },
- { MAC_INIT_TEMP_LABEL,
- (macop_t)mac_mls_init_label },
{ MAC_INIT_VNODE_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_DESTROY_BPFDESC_LABEL,
@@ -2136,14 +2387,36 @@ static struct mac_policy_op_entry mac_mls_ops[] =
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_SOCKET_PEER_LABEL,
(macop_t)mac_mls_destroy_label },
- { MAC_DESTROY_TEMP_LABEL,
- (macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_VNODE_LABEL,
(macop_t)mac_mls_destroy_label },
- { MAC_EXTERNALIZE,
- (macop_t)mac_mls_externalize },
- { MAC_INTERNALIZE,
- (macop_t)mac_mls_internalize },
+ { MAC_COPY_PIPE_LABEL,
+ (macop_t)mac_mls_copy_label },
+ { MAC_COPY_VNODE_LABEL,
+ (macop_t)mac_mls_copy_label },
+ { MAC_EXTERNALIZE_CRED_LABEL,
+ (macop_t)mac_mls_externalize_label },
+ { MAC_EXTERNALIZE_IFNET_LABEL,
+ (macop_t)mac_mls_externalize_label },
+ { MAC_EXTERNALIZE_PIPE_LABEL,
+ (macop_t)mac_mls_externalize_label },
+ { MAC_EXTERNALIZE_SOCKET_LABEL,
+ (macop_t)mac_mls_externalize_label },
+ { MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
+ (macop_t)mac_mls_externalize_label },
+ { MAC_EXTERNALIZE_VNODE_LABEL,
+ (macop_t)mac_mls_externalize_label },
+ { MAC_EXTERNALIZE_VNODE_OLDMAC,
+ (macop_t)mac_mls_externalize_vnode_oldmac },
+ { MAC_INTERNALIZE_CRED_LABEL,
+ (macop_t)mac_mls_internalize_label },
+ { MAC_INTERNALIZE_IFNET_LABEL,
+ (macop_t)mac_mls_internalize_label },
+ { MAC_INTERNALIZE_PIPE_LABEL,
+ (macop_t)mac_mls_internalize_label },
+ { MAC_INTERNALIZE_SOCKET_LABEL,
+ (macop_t)mac_mls_internalize_label },
+ { MAC_INTERNALIZE_VNODE_LABEL,
+ (macop_t)mac_mls_internalize_label },
{ MAC_CREATE_DEVFS_DEVICE,
(macop_t)mac_mls_create_devfs_device },
{ MAC_CREATE_DEVFS_DIRECTORY,
diff --git a/sys/security/mac_mls/mac_mls.h b/sys/security/mac_mls/mac_mls.h
index bf255a1..23296dd 100644
--- a/sys/security/mac_mls/mac_mls.h
+++ b/sys/security/mac_mls/mac_mls.h
@@ -43,7 +43,9 @@
#define _SYS_SECURITY_MAC_MLS_H
#define MAC_MLS_EXTATTR_NAMESPACE EXTATTR_NAMESPACE_SYSTEM
-#define MAC_MLS_EXTATTR_NAME "mac_biba"
+#define MAC_MLS_EXTATTR_NAME "mac_mls"
+
+#define MAC_MLS_LABEL_NAME "mls"
#define MAC_MLS_FLAG_SINGLE 0x00000001 /* mm_single initialized */
#define MAC_MLS_FLAG_RANGE 0x00000002 /* mm_range* initialized */
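Review bot: Changing MAC_MLS_EXTATTR_NAME from "mac_biba" to "mac_mls" is clearly the intended fix, since the old value collided with Biba's attribute name, but it is not mentioned in the commit message and, assuming this is the extended-attribute name under which vnode labels are persisted, it is not backward compatible: MLS labels already written under "mac_biba" will no longer be found, and filesystems labeled by the old build need relabeling. A line in the commit message and a comment above the define would save the next person a confusing debugging session, e.g. `/* On-disk EA name; was erroneously "mac_biba" — existing MLS labels must be rewritten. */`.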
diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c
index 0722b25..85eb896 100644
--- a/sys/security/mac_none/mac_none.c
+++ b/sys/security/mac_none/mac_none.c
@@ -128,14 +128,23 @@ mac_none_destroy_label(struct label *label)
}
static int
-mac_none_externalize(struct label *label, struct mac *extmac)
+mac_none_externalize_label(struct label *label, char *element_name,
+ char *element_data, size_t size, size_t *len, int *claimed)
{
return (0);
}
static int
-mac_none_internalize(struct label *label, struct mac *extmac)
+mac_none_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
+{
+
+ return (0);
+}
+
+static int
+mac_none_internalize_label(struct label *label, char *element_name,
+ char *element_data, int *claimed)
{
return (0);
@@ -218,7 +227,7 @@ mac_none_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
static int
mac_none_update_vnode_from_externalized(struct vnode *vp,
- struct label *vnodelabel, struct mac *extmac)
+ struct label *vnodelabel, struct oldmac *extmac)
{
return (0);
@@ -877,8 +886,6 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_init_label_waitcheck },
{ MAC_INIT_SOCKET_PEER_LABEL,
(macop_t)mac_none_init_label_waitcheck },
- { MAC_INIT_TEMP_LABEL,
- (macop_t)mac_none_init_label },
{ MAC_INIT_VNODE_LABEL,
(macop_t)mac_none_init_label },
{ MAC_DESTROY_BPFDESC_LABEL,
@@ -903,14 +910,32 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_SOCKET_PEER_LABEL,
(macop_t)mac_none_destroy_label },
- { MAC_DESTROY_TEMP_LABEL,
- (macop_t)mac_none_destroy_label },
{ MAC_DESTROY_VNODE_LABEL,
(macop_t)mac_none_destroy_label },
- { MAC_EXTERNALIZE,
- (macop_t)mac_none_externalize },
- { MAC_INTERNALIZE,
- (macop_t)mac_none_internalize },
+ { MAC_EXTERNALIZE_CRED_LABEL,
+ (macop_t)mac_none_externalize_label },
+ { MAC_EXTERNALIZE_IFNET_LABEL,
+ (macop_t)mac_none_externalize_label },
+ { MAC_EXTERNALIZE_PIPE_LABEL,
+ (macop_t)mac_none_externalize_label },
+ { MAC_EXTERNALIZE_SOCKET_LABEL,
+ (macop_t)mac_none_externalize_label },
+ { MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
+ (macop_t)mac_none_externalize_label },
+ { MAC_EXTERNALIZE_VNODE_LABEL,
+ (macop_t)mac_none_externalize_label },
+ { MAC_EXTERNALIZE_VNODE_OLDMAC,
+ (macop_t)mac_none_externalize_vnode_oldmac },
+ { MAC_INTERNALIZE_CRED_LABEL,
+ (macop_t)mac_none_internalize_label },
+ { MAC_INTERNALIZE_IFNET_LABEL,
+ (macop_t)mac_none_internalize_label },
+ { MAC_INTERNALIZE_PIPE_LABEL,
+ (macop_t)mac_none_internalize_label },
+ { MAC_INTERNALIZE_SOCKET_LABEL,
+ (macop_t)mac_none_internalize_label },
+ { MAC_INTERNALIZE_VNODE_LABEL,
+ (macop_t)mac_none_internalize_label },
{ MAC_CREATE_DEVFS_DEVICE,
(macop_t)mac_none_create_devfs_device },
{ MAC_CREATE_DEVFS_DIRECTORY,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 0722b25..85eb896 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -128,14 +128,23 @@ mac_none_destroy_label(struct label *label)
}
static int
-mac_none_externalize(struct label *label, struct mac *extmac)
+mac_none_externalize_label(struct label *label, char *element_name,
+ char *element_data, size_t size, size_t *len, int *claimed)
{
return (0);
}
static int
-mac_none_internalize(struct label *label, struct mac *extmac)
+mac_none_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
+{
+
+ return (0);
+}
+
+static int
+mac_none_internalize_label(struct label *label, char *element_name,
+ char *element_data, int *claimed)
{
return (0);
@@ -218,7 +227,7 @@ mac_none_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
static int
mac_none_update_vnode_from_externalized(struct vnode *vp,
- struct label *vnodelabel, struct mac *extmac)
+ struct label *vnodelabel, struct oldmac *extmac)
{
return (0);
@@ -877,8 +886,6 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_init_label_waitcheck },
{ MAC_INIT_SOCKET_PEER_LABEL,
(macop_t)mac_none_init_label_waitcheck },
- { MAC_INIT_TEMP_LABEL,
- (macop_t)mac_none_init_label },
{ MAC_INIT_VNODE_LABEL,
(macop_t)mac_none_init_label },
{ MAC_DESTROY_BPFDESC_LABEL,
@@ -903,14 +910,32 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_SOCKET_PEER_LABEL,
(macop_t)mac_none_destroy_label },
- { MAC_DESTROY_TEMP_LABEL,
- (macop_t)mac_none_destroy_label },
{ MAC_DESTROY_VNODE_LABEL,
(macop_t)mac_none_destroy_label },
- { MAC_EXTERNALIZE,
- (macop_t)mac_none_externalize },
- { MAC_INTERNALIZE,
- (macop_t)mac_none_internalize },
+ { MAC_EXTERNALIZE_CRED_LABEL,
+ (macop_t)mac_none_externalize_label },
+ { MAC_EXTERNALIZE_IFNET_LABEL,
+ (macop_t)mac_none_externalize_label },
+ { MAC_EXTERNALIZE_PIPE_LABEL,
+ (macop_t)mac_none_externalize_label },
+ { MAC_EXTERNALIZE_SOCKET_LABEL,
+ (macop_t)mac_none_externalize_label },
+ { MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
+ (macop_t)mac_none_externalize_label },
+ { MAC_EXTERNALIZE_VNODE_LABEL,
+ (macop_t)mac_none_externalize_label },
+ { MAC_EXTERNALIZE_VNODE_OLDMAC,
+ (macop_t)mac_none_externalize_vnode_oldmac },
+ { MAC_INTERNALIZE_CRED_LABEL,
+ (macop_t)mac_none_internalize_label },
+ { MAC_INTERNALIZE_IFNET_LABEL,
+ (macop_t)mac_none_internalize_label },
+ { MAC_INTERNALIZE_PIPE_LABEL,
+ (macop_t)mac_none_internalize_label },
+ { MAC_INTERNALIZE_SOCKET_LABEL,
+ (macop_t)mac_none_internalize_label },
+ { MAC_INTERNALIZE_VNODE_LABEL,
+ (macop_t)mac_none_internalize_label },
{ MAC_CREATE_DEVFS_DEVICE,
(macop_t)mac_none_create_devfs_device },
{ MAC_CREATE_DEVFS_DIRECTORY,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 9b93071..b4b18a3 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -88,7 +88,6 @@ SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
#define SOCKETMAGIC 0x9199c6cd
#define PIPEMAGIC 0xdc6c9919
#define CREDMAGIC 0x9a5a4987
-#define TEMPMAGIC 0x70336678
#define VNODEMAGIC 0x1a67a45c
#define EXMAGIC 0x849ba1fd
@@ -131,9 +130,6 @@ SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
static int init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
&init_count_pipe, 0, "pipe init calls");
-static int init_count_temp;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_temp, CTLFLAG_RD,
- &init_count_temp, 0, "temp init calls");
static int init_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
&init_count_vnode, 0, "vnode init calls");
@@ -173,9 +169,6 @@ SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
static int destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
&destroy_count_pipe, 0, "pipe destroy calls");
-static int destroy_count_temp;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_temp, CTLFLAG_RD,
- &destroy_count_temp, 0, "temp destroy calls");
static int destroy_count_vnode;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
&destroy_count_vnode, 0, "vnode destroy calls");
@@ -304,14 +297,6 @@ mac_test_init_pipe_label(struct label *label)
}
static void
-mac_test_init_temp_label(struct label *label)
-{
-
- SLOT(label) = TEMPMAGIC;
- atomic_add_int(&init_count_temp, 1);
-}
-
-static void
mac_test_init_vnode_label(struct label *label)
{
@@ -474,20 +459,6 @@ mac_test_destroy_pipe_label(struct label *label)
}
static void
-mac_test_destroy_temp_label(struct label *label)
-{
-
- if (SLOT(label) == TEMPMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_temp, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- Debugger("mac_test_destroy_temp: dup destroy");
- } else {
- Debugger("mac_test_destroy_temp: corrupted label");
- }
-}
-
-static void
mac_test_destroy_vnode_label(struct label *label)
{
@@ -502,7 +473,17 @@ mac_test_destroy_vnode_label(struct label *label)
}
static int
-mac_test_externalize(struct label *label, struct mac *extmac)
+mac_test_externalize_label(struct label *label, char *element_name,
+ char *element_data, size_t size, size_t *len, int *claimed)
+{
+
+ atomic_add_int(&externalize_count, 1);
+
+ return (0);
+}
+
+static int
+mac_test_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
{
atomic_add_int(&externalize_count, 1);
@@ -511,7 +492,8 @@ mac_test_externalize(struct label *label, struct mac *extmac)
}
static int
-mac_test_internalize(struct label *label, struct mac *extmac)
+mac_test_internalize_label(struct label *label, struct mac *mac,
+ char *element_name, char *element_data, int *claimed)
{
atomic_add_int(&internalize_count, 1);
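Review bot: `mac_test_internalize_label()` takes an extra `struct mac *mac` second parameter that none of the other policies' internalize entry points have (`mac_biba_internalize_label(struct label *, char *, char *, int *)`, and likewise mls and none), yet it is registered under the same MAC_INTERNALIZE_*_LABEL ops via the `macop_t` cast, which hides the mismatch from the compiler. Assuming the framework invokes every policy with one argument list, the arguments are shifted here; today the body only bumps a counter so nothing is read, but any future use of `element_name` or `claimed` would read the wrong argument. Drop the parameter so the signature matches the others: `mac_test_internalize_label(struct label *label, char *element_name, char *element_data, int *claimed)`. The rest of this function's body lies outside the hunk.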
@@ -1255,8 +1237,6 @@ static struct mac_policy_op_entry mac_test_ops[] =
(macop_t)mac_test_init_socket_label },
{ MAC_INIT_SOCKET_PEER_LABEL,
(macop_t)mac_test_init_socket_peer_label },
- { MAC_INIT_TEMP_LABEL,
- (macop_t)mac_test_init_temp_label },
{ MAC_INIT_VNODE_LABEL,
(macop_t)mac_test_init_vnode_label },
{ MAC_DESTROY_BPFDESC_LABEL,
@@ -1281,14 +1261,32 @@ static struct mac_policy_op_entry mac_test_ops[] =
(macop_t)mac_test_destroy_socket_label },
{ MAC_DESTROY_SOCKET_PEER_LABEL,
(macop_t)mac_test_destroy_socket_peer_label },
- { MAC_DESTROY_TEMP_LABEL,
- (macop_t)mac_test_destroy_temp_label },
{ MAC_DESTROY_VNODE_LABEL,
(macop_t)mac_test_destroy_vnode_label },
- { MAC_EXTERNALIZE,
- (macop_t)mac_test_externalize },
- { MAC_INTERNALIZE,
- (macop_t)mac_test_internalize },
+ { MAC_EXTERNALIZE_CRED_LABEL,
+ (macop_t)mac_test_externalize_label },
+ { MAC_EXTERNALIZE_IFNET_LABEL,
+ (macop_t)mac_test_externalize_label },
+ { MAC_EXTERNALIZE_PIPE_LABEL,
+ (macop_t)mac_test_externalize_label },
+ { MAC_EXTERNALIZE_SOCKET_LABEL,
+ (macop_t)mac_test_externalize_label },
+ { MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
+ (macop_t)mac_test_externalize_label },
+ { MAC_EXTERNALIZE_VNODE_LABEL,
+ (macop_t)mac_test_externalize_label },
+ { MAC_EXTERNALIZE_VNODE_OLDMAC,
+ (macop_t)mac_test_externalize_vnode_oldmac },
+ { MAC_INTERNALIZE_CRED_LABEL,
+ (macop_t)mac_test_internalize_label },
+ { MAC_INTERNALIZE_IFNET_LABEL,
+ (macop_t)mac_test_internalize_label },
+ { MAC_INTERNALIZE_PIPE_LABEL,
+ (macop_t)mac_test_internalize_label },
+ { MAC_INTERNALIZE_SOCKET_LABEL,
+ (macop_t)mac_test_internalize_label },
+ { MAC_INTERNALIZE_VNODE_LABEL,
+ (macop_t)mac_test_internalize_label },
{ MAC_CREATE_DEVFS_DEVICE,
(macop_t)mac_test_create_devfs_device },
{ MAC_CREATE_DEVFS_DIRECTORY,