Rather than having MAC policies explicitly declare what object types

they label, derive that information implicitly from the set of label
initializers in their policy operations set.  This avoids a possible
class of programmer errors, while retaining the structure that
allows us to avoid allocating labels for objects that don't need
them.  As before, we regenerate a global mask of labeled objects
each time a policy is loaded or unloaded, stored in mac_labeled.

Discussed with:   csjp
Suggested by:     Jacques Vidrine <nectar at apple.com>
Obtained from:    TrustedBSD Project
Sponsored by:     Apple, Inc.

1 files changed, 1 insertions, 1 deletions

diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index 7eca1f96af02..2fecb273df79 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -316,4 +316,4 @@ static struct mac_policy_ops partition_ops =
 };
 
 MAC_POLICY_SET(&partition_ops, mac_partition, "TrustedBSD MAC/Partition",
-    MPC_LOADTIME_FLAG_UNLOADOK, &partition_slot, MPC_OBJECT_CRED);
+    MPC_LOADTIME_FLAG_UNLOADOK, &partition_slot);