From owner-p4-projects@FreeBSD.ORG Tue Oct 3 14:46:45 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 738E016A417; Tue, 3 Oct 2006 14:46:45 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 324CB16A403 for ; Tue, 3 Oct 2006 14:46:45 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4551943D7C for ; Tue, 3 Oct 2006 14:46:26 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k93EkQHn018551 for ; Tue, 3 Oct 2006 14:46:26 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k93EkQPE018535 for perforce@freebsd.org; Tue, 3 Oct 2006 14:46:26 GMT (envelope-from millert@freebsd.org) Date: Tue, 3 Oct 2006 14:46:26 GMT Message-Id: <200610031446.k93EkQPE018535@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f 
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 107181 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Oct 2006 14:46:45 -0000 http://perforce.freebsd.org/chv.cgi?CH=107181 Change 107181 by millert@millert_macbook on 2006/10/03 14:46:04 Add modification notices Add mac_getfsstat to audit Fix warnings for sbuf(9) Provide a MAC bypass mechanism for vn_rdwr() (ioflg IO_NOAUTH) and use in shift_data_down(), shift_data_up(). Split color policy into several files Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/bsm/bsm/etc/audit_event#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/disklib/mntopts.h#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/mount.tproj/mount.8#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/mount.tproj/mount.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/mount_fdesc.tproj/mount_fdesc.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kevents.h#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_audit.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_klib.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/subr_sbuf.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/sbuf.h#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/vnode.h#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_vnops.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_xattr.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#12 edit .. //depot/projects/trustedbsd/sedarwin8/policies/color/Makefile#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/color/color_util.c#1 add .. 
//depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.h#1 add Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/bsm/bsm/etc/audit_event#3 (text+ko) ==== @@ -301,6 +301,7 @@ 415:AUE_GETLCID:getlcid(2):pc 416:AUE_MAC_MOUNT:mac_mount(2):ad 417:AUE_MAC_GET_MOUNT:mac_get_mount(2):fa +418:AUE_MAC_GETFSSTAT:mac_getfsstat(2):fa 451:AUE_EXTATTR_SET_FILE:extattr_set_file(2):fm 452:AUE_EXTATTR_GET_FILE:extattr_get_file(2):fa 453:AUE_EXTATTR_DELETE_FILE:extattr_delete_file(2):fm ==== //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/disklib/mntopts.h#2 (text+ko) ==== @@ -54,6 +54,12 @@ * * @(#)mntopts.h 8.7 (Berkeley) 3/29/95 */ +/* + * NOTICE: This file was modified by SPARTA, Inc. in 2006 to introduce + * support for mandatory and extensible security protections. This notice + * is included in support of clause 2.2 (b) of the Apple Public License, + * Version 2.0. + */ #ifdef linux #define MNT_RDONLY 0x00000001 /* read only filesystem */ ==== //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/mount.tproj/mount.8#3 (text+ko) ==== @@ -31,6 +31,12 @@ .\" .\" @(#)mount.8 8.8 (Berkeley) 6/16/94 .\" +.\" +.\" NOTICE: This file was modified by SPARTA, Inc. in 2006 to introduce +.\" support for mandatory and extensible security protections. This notice +.\" is included in support of clause 2.2 (b) of the Apple Public License, +.\" Version 2.0. +.\" .Dd June 16, 1994 .Dt MOUNT 8 .Os BSD 4 ==== //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/mount.tproj/mount.c#3 (text+ko) ==== 
@@ -52,7 +52,12 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ - +/* + * NOTICE: This file was modified by SPARTA, Inc. in 2006 to introduce + * support for mandatory and extensible security protections. This notice + * is included in support of clause 2.2 (b) of the Apple Public License, + * Version 2.0. + */ #include #include ==== //depot/projects/trustedbsd/sedarwin8/darwin/diskdev_cmds/mount_fdesc.tproj/mount_fdesc.c#3 (text+ko) ==== @@ -56,7 +56,12 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ - +/* + * NOTICE: This file was modified by SPARTA, Inc. in 2006 to introduce + * support for mandatory and extensible security protections. This notice + * is included in support of clause 2.2 (b) of the Apple Public License, + * Version 2.0. + */ #include #include ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kevents.h#3 (text+ko) ==== @@ -353,6 +353,7 @@ #define AUE_GETLCID 415 #define AUE_MAC_MOUNT 416 #define AUE_MAC_GET_MOUNT 417 +#define AUE_MAC_GETFSSTAT 418 // BSM events for extended attributes #define AUE_EXTATTR_SET_FILE 451 ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_audit.c#4 (text+ko) ==== @@ -611,6 +611,7 @@ case AUE_GETAUDIT_ADDR: case AUE_GETAUID: case AUE_GETFSSTAT: + case AUE_MAC_GETFSSTAT: case AUE_PIPE: case AUE_SETPGRP: case AUE_SETRLIMIT: ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_klib.c#3 (text+ko) ==== @@ -460,6 +460,7 @@ AUE_GETLCID, /* 395 = getlcid */ AUE_MAC_MOUNT, /* 396 = __mac_mount */ AUE_MAC_GET_MOUNT, /* 397 = __mac_get_mount */ + AUE_MAC_GETFSSTAT, /* 398 = __mac_getfsstat */ }; int nsys_au_event = sizeof(sys_au_event) / sizeof(sys_au_event[0]); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/subr_sbuf.c#2 (text+ko) ==== 
@@ -83,6 +83,8 @@ #define SBUF_MAXEXTENDSIZE PAGE_SIZE #define SBUF_MAXEXTENDINCR PAGE_SIZE +#define isspace(c) ((c) == ' ' || ((c) >= '\t' && (c) <= '\r')) + /* * Debugging support */ @@ -299,11 +301,11 @@ if (len == 0) return (0); - if (len > SBUF_FREESPACE(s)) { + if ((int)len > SBUF_FREESPACE(s)) { sbuf_extend(s, len - SBUF_FREESPACE(s)); len = min(len, SBUF_FREESPACE(s)); } - if (copyin(uaddr, s->s_buf + s->s_len, len) != 0) + if (copyin(CAST_USER_ADDR_T(uaddr), s->s_buf + s->s_len, len) != 0) return (-1); s->s_len += len; @@ -365,11 +367,11 @@ if (len == 0) len = SBUF_FREESPACE(s); /* XXX return 0? */ - if (len > SBUF_FREESPACE(s)) { + if ((int)len > SBUF_FREESPACE(s)) { sbuf_extend(s, len); len = min(len, SBUF_FREESPACE(s)); } - switch (copyinstr(uaddr, s->s_buf + s->s_len, len + 1, &done)) { + switch (copyinstr(CAST_USER_ADDR_T(uaddr), s->s_buf + s->s_len, len + 1, &done)) { case ENAMETOOLONG: SBUF_SETFLAG(s, SBUF_OVERFLOWED); /* fall through */ @@ -480,11 +482,6 @@ return (0); } -static inline int isspace(ch) -{ - return (ch == ' ' || ch == '\n' || ch == '\t'); -} - /* * Trim whitespace characters from end of an sbuf. */ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/sbuf.h#2 (text+ko) ==== @@ -74,7 +74,7 @@ int sbuf_done(struct sbuf *); void sbuf_delete(struct sbuf *); -#ifdef _KERNEL +#ifdef KERNEL struct uio; struct sbuf *sbuf_uionew(struct sbuf *, struct uio *, int *); int sbuf_bcopyin(struct sbuf *, const void *, size_t); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/vnode.h#2 (text+ko) ==== 
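Review bot: The new `isspace` macro at the top of subr_sbuf.c evaluates its argument up to three times and reuses a ctype name, whereas the `static inline` version removed later in this file's diff evaluated it once. The wider `'\t'..'\r'` range can be kept in function form: `static inline int isspace(int ch) { return (ch == ' ' || (ch >= '\t' && ch <= '\r')); }`. If the macro stays, add a comment that it must only be given side-effect-free arguments, since its callers are outside this hunk.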
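Review bot: In the hunk at -299, `if ((int)len > SBUF_FREESPACE(s))` silences the sign-compare warning by narrowing the caller-supplied side. The sbuf.h prototype shows `len` is a `size_t`, so a value above INT_MAX can turn negative (or be truncated) after the cast. The extend-and-clamp branch is then skipped, and `copyin(..., s->s_buf + s->s_len, len)` runs with the unclamped length. Casting the other operand keeps the bound intact: `if (len > (size_t)SBUF_FREESPACE(s)) {`, which assumes the macro never goes negative (its definition is outside the hunk). The hunk at -365 has the same cast before `copyinstr(..., len + 1, &done)` and needs the same change; both functions start and end outside their hunks.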
@@ -131,6 +131,7 @@ #define IO_NOCACHE 0x0800 /* same effect as VNOCACHE_DATA, but only for this 1 I/O */ #define IO_RAOFF 0x1000 /* same effect as VRAOFF, but only for this 1 I/O */ #define IO_DEFWRITE 0x2000 /* defer write if vfs.defwrite is set */ +#define IO_NOAUTH 0x4000 /* No authorization checks. */ /* * Component Name: this structure describes the pathname ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_vnops.c#5 (text+ko) ==== @@ -510,11 +510,17 @@ uio_addiov(auio, base, len); #ifdef MAC + /* XXXMAC + * IO_NOAUTH should be re-examined. + * Likely that mediation should be performed in caller. + */ + if ((ioflg & IO_NOAUTH) == 0) { /* passed cred is fp->f_cred */ - if (rw == UIO_READ) - error = mac_vnode_check_read(kauth_cred_get(), cred, vp); - else - error = mac_vnode_check_write(kauth_cred_get(), cred, vp); + if (rw == UIO_READ) + error = mac_vnode_check_read(kauth_cred_get(), cred, vp); + else + error = mac_vnode_check_write(kauth_cred_get(), cred, vp); + } #endif if (error == 0) { ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_xattr.c#4 (text+ko) ==== @@ -1932,14 +1932,14 @@ } for(pos=start+len-chunk; pos >= start; pos-=chunk) { - ret = vn_rdwr(UIO_READ, xvp, buff, chunk, pos, UIO_SYSSPACE, IO_NODELOCKED, ucred, &iolen, p); + ret = vn_rdwr(UIO_READ, xvp, buff, chunk, pos, UIO_SYSSPACE, IO_NODELOCKED|IO_NOAUTH, ucred, &iolen, p); if (iolen != 0) { printf("xattr:shift_data: error reading data @ %lld (read %d of %d) (%d)\n", pos, ret, chunk, ret); break; } - ret = vn_rdwr(UIO_WRITE, xvp, buff, chunk, pos + delta, UIO_SYSSPACE, IO_NODELOCKED, ucred, &iolen, p); + ret = vn_rdwr(UIO_WRITE, xvp, buff, chunk, pos + delta, UIO_SYSSPACE, IO_NODELOCKED|IO_NOAUTH, ucred, &iolen, p); if (iolen != 0) { printf("xattr:shift_data: error writing data @ %lld (wrote %d of %d) (%d)\n", pos+delta, ret, chunk, ret); 
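Review bot: The comment on `IO_NOAUTH`, `/* No authorization checks. */`, is broader than what the flag does in this change. The only consumer visible in the diff is the `#ifdef MAC` block in vfs_vnops.c, which skips `mac_vnode_check_read`/`mac_vnode_check_write`. Because this bit switches off an access-control decision, the header should say what is skipped and who may set it, for example `/* skip MAC vnode read/write checks in vn_rdwr(); in-kernel callers only, never from user-supplied flags */`. It is also worth confirming that 0x4000 is not already used by another IO_ flag outside the lines shown.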
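Review bot: In the vfs_vnops.c hunk, when `IO_NOAUTH` is set in a MAC build neither check runs, so the following `if (error == 0)` depends on `error` having been initialised before this block. Previously the MAC path always assigned it here. The declaration is outside the hunk, so please confirm it starts at 0. The XXXMAC comment already marks the flag as provisional; it should also record the invariant the bypass relies on, e.g. `/* callers setting IO_NOAUTH must have mediated access to vp themselves */`.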
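Review bot: In the vfs_xattr.c hunk at -1932, both `vn_rdwr` calls now pass `IO_NODELOCKED|IO_NOAUTH`, and nothing at the call sites says why skipping the MAC read/write checks on `xvp` is safe. The commit message names shift_data_down() and shift_data_up() as the users. If the rationale is that they only relocate data inside the attribute file after the triggering operation was already mediated, state that next to the calls, e.g. `/* IO_NOAUTH: internal data move; access to xvp was mediated by the caller */`. The same applies to the hunk at -1987. The enclosing function starts and ends outside the hunk, so the caller-side check cannot be confirmed from here.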
@@ -1987,14 +1987,14 @@ } for(pos = start; pos < end; pos += chunk) { - ret = vn_rdwr(UIO_READ, xvp, buff, chunk, pos, UIO_SYSSPACE, IO_NODELOCKED, ucred, &iolen, p); + ret = vn_rdwr(UIO_READ, xvp, buff, chunk, pos, UIO_SYSSPACE, IO_NODELOCKED|IO_NOAUTH, ucred, &iolen, p); if (iolen != 0) { printf("xattr:shift_data: error reading data @ %lld (read %d of %d) (%d)\n", pos, ret, chunk, ret); break; } - ret = vn_rdwr(UIO_WRITE, xvp, buff, chunk, pos - delta, UIO_SYSSPACE, IO_NODELOCKED, ucred, &iolen, p); + ret = vn_rdwr(UIO_WRITE, xvp, buff, chunk, pos - delta, UIO_SYSSPACE, IO_NODELOCKED|IO_NOAUTH, ucred, &iolen, p); if (iolen != 0) { printf("xattr:shift_data: error writing data @ %lld (wrote %d of %d) (%d)\n", pos+delta, ret, chunk, ret); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#12 (text+ko) ==== @@ -295,6 +295,7 @@ case MLJ_TYPE_TASK: if (mlj->ops & MLJ_TASK_OP_INIT) MAC_PERFORM(task_init_label, mlj->l); + /* Not enough context to replay. */ if (mlj->ops & MLJ_TASK_OP_CREATE_K) ; break; ==== //depot/projects/trustedbsd/sedarwin8/policies/color/Makefile#2 (text+ko) ==== @@ -2,7 +2,7 @@ POLICY_VER= 1.0 POLICY_COMPVER= 1.0 POLICY_DESC= "MAC Color Security" -POLICY_SRCS= mac_color.c +POLICY_SRCS= mac_color.c color_util.c POLICY_NOMAN= yes include ../../Makeconfig ==== //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#4 (text+ko) ==== @@ -32,7 +32,6 @@ #include #include #include -#include #include #include #include 
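Review bot: The write in this loop targets `pos - delta`, but the error message below it still passes `pos+delta`, so a failed write is logged at the wrong offset; the first argument after the format string should be `pos - delta`. Both messages also print `ret` as the byte count and again as the error code, while the condition tests only `iolen`. In the visible lines the return value of `vn_rdwr` is never checked on its own. With the MAC check now bypassed on these calls, accurate diagnostics here matter more when reconstructing what happened to the attribute file.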
@@ -42,232 +41,20 @@ #include #include +#include "mac_color.h" -#define MAC_COLOR_XATTR_NAME "security.color" -#define MAC_COLOR_POLICY_NAME "mac_color" -#define MAC_COLOR_LABEL_COUNT 1 static const char *labelnamespaces[MAC_COLOR_LABEL_COUNT] = { MAC_COLOR_POLICY_NAME }; -#define MAC_COLOR_NAMELEN 8 +static int color_slot; /* Per-policy label storage */ static mac_policy_handle_t mac_color_handle; -static int color_slot; -#define SLOT(l) ((struct color *)LABEL_TO_SLOT((l), color_slot).l_ptr) -#define SLOTREF(l) ((struct mac_color *)LABEL_TO_SLOT((l), color_slot).l_ptr) - -struct color { - char name[MAC_COLOR_NAMELEN]; - int level; - int refs; -}; - -static struct color colors[8] = { - {"red", 1, 0}, - {"orange", 2, 0}, - {"yellow", 3, 0}, - {"green", 4, 0}, - {"cyan", 5, 0}, - {"blue", 6, 0}, - {"indigo", 7, 0}, - {"violet", 8, 0} -}; - -struct mac_color { - LIST_ENTRY(mac_color) list; - int refs; - struct color *color; - int valid; -}; - -LIST_HEAD(mc_list, mac_color); -static struct mc_list mc_list_free; /* Free list */ -static struct mc_list mc_list_used; /* Labels in use */ -static int used_count = 0; -static int free_count = 0; -static int free_max = 256; - -SYSCTL_DECL(_security_mac); -SYSCTL_NODE(_security_mac, OID_AUTO, color, CTLFLAG_RW, 0, - "MAC Color Policy controls"); -static int mac_color_enabled = 1; -SYSCTL_INT(_security_mac_color, OID_AUTO, enabled, CTLFLAG_RW, - &mac_color_enabled, 0, "Enforce Mac Color Policy"); - -SYSCTL_NODE(_security_mac_color, OID_AUTO, used, CTLFLAG_RW, 0, NULL); -SYSCTL_INT(_security_mac_color_used, OID_AUTO, count, CTLFLAG_RD, - &used_count, 0, "Labels in use"); - -SYSCTL_NODE(_security_mac_color, OID_AUTO, free, CTLFLAG_RW, 0, NULL); -SYSCTL_INT(_security_mac_color_free, OID_AUTO, count, CTLFLAG_RD, - &free_count, 0, "Size of free list."); -SYSCTL_INT(_security_mac_color_free, OID_AUTO, max, CTLFLAG_RW, - &free_max, 0, "Maximum size of free list."); - - -#define MC_ALLOC(val, type, flag) \ - do { \ - val = (type 
*)mac_kalloc(sizeof(type), (flag)); \ - if (val != NULL && (((flag) & M_ZERO) == M_ZERO)) \ - bzero(val, sizeof(type)); \ - } while (0) -#define MC_FREE(p, type) \ - do { \ - if (p != NULL) \ - mac_kfree((void *)p, sizeof(type));\ - } while (0) - - -/* MAC Color label reference list */ - -static struct mac_color * -mc_alloc(int flag) -{ - struct mac_color *mc; - - if (LIST_EMPTY(&mc_list_free)) { - MC_ALLOC(mc, struct mac_color, flag|M_ZERO); - } else { - mc = LIST_FIRST(&mc_list_free); - LIST_REMOVE(mc, list); - free_count--; - mc->refs = 0; - mc->valid = 0; - } - - mc->refs++; - used_count++; - mc->color = &colors[0]; - LIST_INSERT_HEAD(&mc_list_used, mc, list); -// printf("mc_alloc, mc=%p, refs=%d\n", mc, mc->refs); - - return (mc); -} - -static void -mc_free(struct mac_color *mc) -{ - - if (mc == NULL) - return; -// printf("mc_free, mc=%p, refs=%d\n", mc, mc->refs); - LIST_REMOVE(mc, list); - used_count--; - - if (free_count >= free_max) - MC_FREE(mc, struct mac_color); - else { - LIST_INSERT_HEAD(&mc_list_free, mc, list); - free_count++; - } - - return; -} - - -/* MAC Color label routines */ - -static struct color * -co_findlabel(char *name) -{ - int i; - - for (i = 0; i < 8; i++) - if (strncmp(colors[i].name, name, MAC_COLOR_NAMELEN) == 0) - return (&colors[i]); - - return (NULL); -} - -static inline void -co_setlabel(struct label *label, struct color *color) -{ - - SLOT(label) = color; -} - -static inline void -co_setreflabel(struct label *label, struct mac_color *color) -{ - - SLOTREF(label) = color; -} - -static inline struct color * -co_getlabel(struct label *label) -{ - - return (SLOT(label)); -} - -static inline struct mac_color * -co_getreflabel(struct label *label) -{ - - return (SLOTREF(label)); -} - static void -color_destroy_reflabel(struct label *label) -{ - struct mac_color *mc; - - mc = co_getreflabel(label); - if (mc == NULL) - return; - - if (--mc->refs <= 0) - mc_free(mc); - - co_setreflabel(label, NULL); - - return; -} - - -static void 
-co_reference_label(struct label *src, struct label *dst) -{ - struct mac_color *mc; - - mc = co_getreflabel(src); - if (SLOTREF(dst) != NULL) { - /* Already has a reference. */ - if (SLOTREF(dst) == mc) { -// printf("co_reference_label: already has matching reference\n"); - return; - } else { -// printf("co_reference_label: already has a reference\n"); - } - color_destroy_reflabel(dst); - } - printf("co_reference_label: copying reference, mc=%p, refs=%d\n", mc, mc->refs); - mc->refs++; - co_setreflabel(dst, mc); - - return; -} - -static inline void -co_setlabelstring(struct label *label, char *color) -{ - - SLOT(label) = co_findlabel(color); /* Might set label to NULL */ -} - -static void -co_copylabel(struct label *src, struct label *dst) -{ - - SLOT(dst) = SLOT(src); /* Just copy the pointer */ -} - -static void color_init_reflabel(struct label *label) { - co_setreflabel(label, mc_alloc(M_WAITOK)); + co_init_reflabel(label); } static void @@ -278,27 +65,12 @@ } static void -color_policy_init(struct mac_policy_conf *conf) +color_destroy_reflabel(struct label *label) { - LIST_INIT(&mc_list_used); - LIST_INIT(&mc_list_free); + co_destroy_reflabel(label); } -static void -color_policy_initbsd(struct mac_policy_conf *conf) -{ - - sysctl_register_oid(&sysctl__security_mac_color); - sysctl_register_oid(&sysctl__security_mac_color_enabled); - sysctl_register_oid(&sysctl__security_mac_color_used); - sysctl_register_oid(&sysctl__security_mac_color_used_count); - sysctl_register_oid(&sysctl__security_mac_color_free); - sysctl_register_oid(&sysctl__security_mac_color_free_count); - sysctl_register_oid(&sysctl__security_mac_color_free_max); -} - - static int color_internalize_label(struct label *label, char *element_name, char *string)