1 files changed, 1128 insertions, 1120 deletions

diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 72f974519c7f..052e8f326ee6 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -774,391 +774,252 @@ biba_copy_label(struct label *src, struct label *dest)
 }
 
 /*
- * Labeling event operations: file system objects, and things that look a lot
- * like file system objects.
+ * Object-specific entry point implementations are sorted alphabetically by
+ * object type name and then by operation.
  */
-static void
-biba_devfs_create_device(struct ucred *cred, struct mount *mp,
-    struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
-{
-	struct mac_biba *mb;
-	int biba_type;
-
-	mb = SLOT(delabel);
-	if (strcmp(dev->si_name, "null") == 0 ||
-	    strcmp(dev->si_name, "zero") == 0 ||
-	    strcmp(dev->si_name, "random") == 0 ||
-	    strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
-		biba_type = MAC_BIBA_TYPE_EQUAL;
-	else if (ptys_equal &&
-	    (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
-	    strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
-		biba_type = MAC_BIBA_TYPE_EQUAL;
-	else
-		biba_type = MAC_BIBA_TYPE_HIGH;
-	biba_set_effective(mb, biba_type, 0, NULL);
-}
-
-static void
-biba_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
-    struct devfs_dirent *de, struct label *delabel)
+static int
+biba_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
+    struct ifnet *ifp, struct label *ifplabel)
 {
-	struct mac_biba *mb;
-
-	mb = SLOT(delabel);
-
-	biba_set_effective(mb, MAC_BIBA_TYPE_HIGH, 0, NULL);
-}
+	struct mac_biba *a, *b;
 
-static void
-biba_devfs_create_symlink(struct ucred *cred, struct mount *mp,
-    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
-    struct label *delabel)
-{
-	struct mac_biba *source, *dest;
+	if (!biba_enabled)
+		return (0);
 
-	source = SLOT(cred->cr_label);
-	dest = SLOT(delabel);
+	a = SLOT(dlabel);
+	b = SLOT(ifplabel);
 
-	biba_copy_effective(source, dest);
+	if (biba_equal_effective(a, b))
+		return (0);
+	return (EACCES);
 }
 
 static void
-biba_mount_create(struct ucred *cred, struct mount *mp,
-    struct label *mplabel)
+biba_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
+    struct label *dlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(cred->cr_label);
-	dest = SLOT(mplabel);
+	dest = SLOT(dlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
-biba_vnode_relabel(struct ucred *cred, struct vnode *vp,
-    struct label *vplabel, struct label *newlabel)
-{
-	struct mac_biba *source, *dest;
-
-	source = SLOT(newlabel);
-	dest = SLOT(vplabel);
-
-	biba_copy(source, dest);
-}
-
-static void
-biba_devfs_update(struct mount *mp, struct devfs_dirent *de,
-    struct label *delabel, struct vnode *vp, struct label *vplabel)
-{
-	struct mac_biba *source, *dest;
-
-	source = SLOT(vplabel);
-	dest = SLOT(delabel);
-
-	biba_copy(source, dest);
-}
-
-static void
-biba_devfs_vnode_associate(struct mount *mp, struct label *mntlabel,
-    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
-    struct label *vplabel)
+biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
+    struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *source, *dest;
 
-	source = SLOT(delabel);
-	dest = SLOT(vplabel);
+	source = SLOT(dlabel);
+	dest = SLOT(mlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static int
-biba_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
-    struct vnode *vp, struct label *vplabel)
+biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
-	struct mac_biba mb_temp, *source, *dest;
-	int buflen, error;
-
-	source = SLOT(mplabel);
-	dest = SLOT(vplabel);
+	struct mac_biba *subj, *new;
+	int error;
 
-	buflen = sizeof(mb_temp);
-	bzero(&mb_temp, buflen);
+	subj = SLOT(cred->cr_label);
+	new = SLOT(newlabel);
 
-	error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
-	    MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &mb_temp, curthread);
-	if (error == ENOATTR || error == EOPNOTSUPP) {
-		/* Fall back to the mntlabel. */
-		biba_copy_effective(source, dest);
-		return (0);
-	} else if (error)
+	/*
+	 * If there is a Biba label update for the credential, it may
+	 * be an update of the effective, range, or both.
+	 */
+	error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
+	if (error)
 		return (error);
 
-	if (buflen != sizeof(mb_temp)) {
-		printf("biba_vnode_associate_extattr: bad size %d\n",
-		    buflen);
-		return (EPERM);
-	}
-	if (biba_valid(&mb_temp) != 0) {
-		printf("biba_vnode_associate_extattr: invalid\n");
-		return (EPERM);
-	}
-	if ((mb_temp.mb_flags & MAC_BIBA_FLAGS_BOTH) !=
-	    MAC_BIBA_FLAG_EFFECTIVE) {
-		printf("biba_vnode_associate_extattr: not effective\n");
-		return (EPERM);
-	}
-
-	biba_copy_effective(&mb_temp, dest);
-	return (0);
-}
-
-static void
-biba_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
-    struct vnode *vp, struct label *vplabel)
-{
-	struct mac_biba *source, *dest;
-
-	source = SLOT(mplabel);
-	dest = SLOT(vplabel);
-
-	biba_copy_effective(source, dest);
-}
+	/*
+	 * If the Biba label is to be changed, authorize as appropriate.
+	 */
+	if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
+		/*
+		 * If the change request modifies both the Biba label
+		 * effective and range, check that the new effective will be
+		 * in the new range.
+		 */
+		if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
+		    MAC_BIBA_FLAGS_BOTH &&
+		    !biba_effective_in_range(new, new))
+			return (EINVAL);
 
-static int
-biba_vnode_create_extattr(struct ucred *cred, struct mount *mp,
-    struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
-    struct vnode *vp, struct label *vplabel, struct componentname *cnp)
-{
-	struct mac_biba *source, *dest, mb_temp;
-	size_t buflen;
-	int error;
+		/*
+		 * To change the Biba effective label on a credential, the
+		 * new effective label must be in the current range.
+		 */
+		if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE &&
+		    !biba_effective_in_range(new, subj))
+			return (EPERM);
 
-	buflen = sizeof(mb_temp);
-	bzero(&mb_temp, buflen);
+		/*
+		 * To change the Biba range on a credential, the new range
+		 * label must be in the current range.
+		 */
+		if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
+		    !biba_range_in_range(new, subj))
+			return (EPERM);
 
-	source = SLOT(cred->cr_label);
-	dest = SLOT(vplabel);
-	biba_copy_effective(source, &mb_temp);
+		/*
+		 * To have EQUAL in any component of the new credential Biba
+		 * label, the subject must already have EQUAL in their label.
+		 */
+		if (biba_contains_equal(new)) {
+			error = biba_subject_privileged(subj);
+			if (error)
+				return (error);
+		}
+	}
 
-	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
-	    MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread);
-	if (error == 0)
-		biba_copy_effective(source, dest);
-	return (error);
+	return (0);
 }
 
 static int
-biba_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
-    struct label *vplabel, struct label *intlabel)
+biba_cred_check_visible(struct ucred *u1, struct ucred *u2)
 {
-	struct mac_biba *source, mb_temp;
-	size_t buflen;
-	int error;
-
-	buflen = sizeof(mb_temp);
-	bzero(&mb_temp, buflen);
+	struct mac_biba *subj, *obj;
 
-	source = SLOT(intlabel);
-	if ((source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) == 0)
+	if (!biba_enabled)
 		return (0);
 
-	biba_copy_effective(source, &mb_temp);
-
-	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
-	    MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread);
-	return (error);
-}
-
-/*
- * Labeling event operations: IPC object.
- */
-static void
-biba_inpcb_create(struct socket *so, struct label *solabel,
-    struct inpcb *inp, struct label *inplabel)
-{
-	struct mac_biba *source, *dest;
-
-	source = SLOT(solabel);
-	dest = SLOT(inplabel);
-
-	biba_copy_effective(source, dest);
-}
-
-static void
-biba_socket_create_mbuf(struct socket *so, struct label *solabel,
-    struct mbuf *m, struct label *mlabel)
-{
-	struct mac_biba *source, *dest;
-
-	source = SLOT(solabel);
-	dest = SLOT(mlabel);
-
-	biba_copy_effective(source, dest);
-}
-
-static void
-biba_socket_create(struct ucred *cred, struct socket *so,
-    struct label *solabel)
-{
-	struct mac_biba *source, *dest;
-
-	source = SLOT(cred->cr_label);
-	dest = SLOT(solabel);
-
-	biba_copy_effective(source, dest);
-}
-
-static void
-biba_pipe_create(struct ucred *cred, struct pipepair *pp,
-    struct label *pplabel)
-{
-	struct mac_biba *source, *dest;
-
-	source = SLOT(cred->cr_label);
-	dest = SLOT(pplabel);
-
-	biba_copy_effective(source, dest);
-}
-
-static void
-biba_posixsem_create(struct ucred *cred, struct ksem *ks,
-    struct label *kslabel)
-{
-	struct mac_biba *source, *dest;
-
-	source = SLOT(cred->cr_label);
-	dest = SLOT(kslabel);
-
-	biba_copy_effective(source, dest);
-}
-
-static void
-biba_socket_newconn(struct socket *oldso, struct label *oldsolabel,
-    struct socket *newso, struct label *newsolabel)
-{
-	struct mac_biba *source, *dest;
+	subj = SLOT(u1->cr_label);
+	obj = SLOT(u2->cr_label);
 
-	source = SLOT(oldsolabel);
-	dest = SLOT(newsolabel);
+	/* XXX: range */
+	if (!biba_dominate_effective(obj, subj))
+		return (ESRCH);
 
-	biba_copy_effective(source, dest);
+	return (0);
 }
 
 static void
-biba_socket_relabel(struct ucred *cred, struct socket *so,
-    struct label *solabel, struct label *newlabel)
+biba_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct mac_biba *source, *dest;
 
 	source = SLOT(newlabel);
-	dest = SLOT(solabel);
+	dest = SLOT(cred->cr_label);
 
 	biba_copy(source, dest);
 }
 
 static void
-biba_pipe_relabel(struct ucred *cred, struct pipepair *pp,
-    struct label *pplabel, struct label *newlabel)
+biba_devfs_create_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
 {
-	struct mac_biba *source, *dest;
-
-	source = SLOT(newlabel);
-	dest = SLOT(pplabel);
+	struct mac_biba *mb;
+	int biba_type;
 
-	biba_copy(source, dest);
+	mb = SLOT(delabel);
+	if (strcmp(dev->si_name, "null") == 0 ||
+	    strcmp(dev->si_name, "zero") == 0 ||
+	    strcmp(dev->si_name, "random") == 0 ||
+	    strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
+		biba_type = MAC_BIBA_TYPE_EQUAL;
+	else if (ptys_equal &&
+	    (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
+	    strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
+		biba_type = MAC_BIBA_TYPE_EQUAL;
+	else
+		biba_type = MAC_BIBA_TYPE_HIGH;
+	biba_set_effective(mb, biba_type, 0, NULL);
 }
 
 static void
-biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
-    struct socket *so, struct label *sopeerlabel)
+biba_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
+    struct devfs_dirent *de, struct label *delabel)
 {
-	struct mac_biba *source, *dest;
+	struct mac_biba *mb;
 
-	source = SLOT(mlabel);
-	dest = SLOT(sopeerlabel);
+	mb = SLOT(delabel);
 
-	biba_copy_effective(source, dest);
+	biba_set_effective(mb, MAC_BIBA_TYPE_HIGH, 0, NULL);
 }
 
-/*
- * Labeling event operations: System V IPC objects.
- */
 static void
-biba_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
-    struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
+biba_devfs_create_symlink(struct ucred *cred, struct mount *mp,
+    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
+    struct label *delabel)
 {
 	struct mac_biba *source, *dest;
 
-	/* Ignore the msgq label */
 	source = SLOT(cred->cr_label);
-	dest = SLOT(msglabel);
+	dest = SLOT(delabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
-biba_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
-    struct label *msqlabel)
+biba_devfs_update(struct mount *mp, struct devfs_dirent *de,
+    struct label *delabel, struct vnode *vp, struct label *vplabel)
 {
 	struct mac_biba *source, *dest;
 
-	source = SLOT(cred->cr_label);
-	dest = SLOT(msqlabel);
+	source = SLOT(vplabel);
+	dest = SLOT(delabel);
 
-	biba_copy_effective(source, dest);
+	biba_copy(source, dest);
 }
 
 static void
-biba_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
-    struct label *semalabel)
+biba_devfs_vnode_associate(struct mount *mp, struct label *mntlabel,
+    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
+    struct label *vplabel)
 {
 	struct mac_biba *source, *dest;
 
-	source = SLOT(cred->cr_label);
-	dest = SLOT(semalabel);
+	source = SLOT(delabel);
+	dest = SLOT(vplabel);
 
 	biba_copy_effective(source, dest);
 }
 
-static void
-biba_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
-    struct label *shmlabel)
+static int
+biba_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
+    struct label *ifplabel, struct label *newlabel)
 {
-	struct mac_biba *source, *dest;
-
-	source = SLOT(cred->cr_label);
-	dest = SLOT(shmlabel);
+	struct mac_biba *subj, *new;
+	int error;
 
-	biba_copy_effective(source, dest);
-}
+	subj = SLOT(cred->cr_label);
+	new = SLOT(newlabel);
 
-/*
- * Labeling event operations: network objects.
- */
-static void
-biba_socketpeer_set_from_socket(struct socket *oldso,
-    struct label *oldsolabel, struct socket *newso,
-    struct label *newsopeerlabel)
-{
-	struct mac_biba *source, *dest;
+	/*
+	 * If there is a Biba label update for the interface, it may be an
+	 * update of the effective, range, or both.
+	 */
+	error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
+	if (error)
+		return (error);
 
-	source = SLOT(oldsolabel);
-	dest = SLOT(newsopeerlabel);
+	/*
+	 * Relabling network interfaces requires Biba privilege.
+	 */
+	error = biba_subject_privileged(subj);
+	if (error)
+		return (error);
 
-	biba_copy_effective(source, dest);
+	return (0);
 }
 
-static void
-biba_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
-    struct label *dlabel)
+static int
+biba_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
+    struct mbuf *m, struct label *mlabel)
 {
-	struct mac_biba *source, *dest;
+	struct mac_biba *p, *i;
 
-	source = SLOT(cred->cr_label);
-	dest = SLOT(dlabel);
+	if (!biba_enabled)
+		return (0);
 
-	biba_copy_effective(source, dest);
+	p = SLOT(mlabel);
+	i = SLOT(ifplabel);
+
+	return (biba_effective_in_range(p, i) ? 0 : EACCES);
 }
 
 static void
@@ -1219,38 +1080,52 @@ set:
 }
 
 static void
-biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
-    struct label *ipqlabel)
+biba_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
+    struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *source, *dest;
 
-	source = SLOT(mlabel);
-	dest = SLOT(ipqlabel);
+	source = SLOT(ifplabel);
+	dest = SLOT(mlabel);
 
 	biba_copy_effective(source, dest);
 }
 
 static void
-biba_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m,
-    struct label *mlabel)
+biba_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+    struct label *ifplabel, struct label *newlabel)
 {
 	struct mac_biba *source, *dest;
 
-	source = SLOT(ipqlabel);
-	dest = SLOT(mlabel);
+	source = SLOT(newlabel);
+	dest = SLOT(ifplabel);
 
-	/* Just use the head, since we require them all to match. */
-	biba_copy_effective(source, dest);
+	biba_copy(source, dest);
+}
+
+static int
+biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
+    struct mbuf *m, struct label *mlabel)
+{
+	struct mac_biba *p, *i;
+
+	if (!biba_enabled)
+		return (0);
+
+	p = SLOT(mlabel);
+	i = SLOT(inplabel);
+
+	return (biba_equal_effective(p, i) ? 0 : EACCES);
 }
 
 static void
-biba_netinet_fragment(struct mbuf *m, struct label *mlabel,
-    struct mbuf *frag, struct label *fraglabel)
+biba_inpcb_create(struct socket *so, struct label *solabel,
+    struct inpcb *inp, struct label *inplabel)
 {
 	struct mac_biba *source, *dest;
 
-	source = SLOT(mlabel);
-	dest = SLOT(fraglabel);
+	source = SLOT(solabel);
+	dest = SLOT(inplabel);
 
 	biba_copy_effective(source, dest);
 }
@@ -1268,25 +1143,25 @@ biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
 }
 
 static void
-biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
-    struct mbuf *m, struct label *mlabel)
+biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
+    struct inpcb *inp, struct label *inplabel)
 {
 	struct mac_biba *source, *dest;
 
-	source = SLOT(dlabel);
-	dest = SLOT(mlabel);
+	source = SLOT(solabel);
+	dest = SLOT(inplabel);
 
-	biba_copy_effective(source, dest);
+	biba_copy(source, dest);
 }
 
 static void
-biba_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
-    struct mbuf *m, struct label *mlabel)
+biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+    struct label *ipqlabel)
 {
 	struct mac_biba *source, *dest;
 
-	source = SLOT(ifplabel);
-	dest = SLOT(mlabel);
+	source = SLOT(mlabel);
+	dest = SLOT(ipqlabel);
 
 	biba_copy_effective(source, dest);
 }
@@ -1304,15 +1179,16 @@ biba_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
 }
 
 static void
-biba_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
-    struct label *ifplabel, struct label *newlabel)
+biba_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m,
+    struct label *mlabel)
 {
 	struct mac_biba *source, *dest;
 
-	source = SLOT(newlabel);
-	dest = SLOT(ifplabel);
+	source = SLOT(ipqlabel);
+	dest = SLOT(mlabel);
 
-	biba_copy(source, dest);
+	/* Just use the head, since we require them all to match. */
+	biba_copy_effective(source, dest);
 }
 
 static void
@@ -1323,16 +1199,57 @@ biba_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
 	/* NOOP: we only accept matching labels, so no need to update */
 }
 
+static int
+biba_kld_check_load(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel)
+{
+	struct mac_biba *subj, *obj;
+	int error;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+
+	error = biba_subject_privileged(subj);
+	if (error)
+		return (error);
+
+	obj = SLOT(vplabel);
+	if (!biba_high_effective(obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
+biba_mount_check_stat(struct ucred *cred, struct mount *mp,
+    struct label *mplabel)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(mplabel);
+
+	if (!biba_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
 static void
-biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
-    struct inpcb *inp, struct label *inplabel)
+biba_mount_create(struct ucred *cred, struct mount *mp,
+    struct label *mplabel)
 {
 	struct mac_biba *source, *dest;
 
-	source = SLOT(solabel);
-	dest = SLOT(inplabel);
+	source = SLOT(cred->cr_label);
+	dest = SLOT(mplabel);
 
-	biba_copy(source, dest);
+	biba_copy_effective(source, dest);
 }
 
 static void
@@ -1381,6 +1298,18 @@ biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel)
 }
 
 static void
+biba_netinet_fragment(struct mbuf *m, struct label *mlabel,
+    struct mbuf *frag, struct label *fraglabel)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(mlabel);
+	dest = SLOT(fraglabel);
+
+	biba_copy_effective(source, dest);
+}
+
+static void
 biba_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel,
     struct mbuf *msend, struct label *msendlabel)
 {
@@ -1414,155 +1343,95 @@ biba_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel,
 	biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
 }
 
-/*
- * Labeling event operations: processes.
- */
-static void
-biba_proc_create_swapper(struct ucred *cred)
-{
-	struct mac_biba *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
-	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
-	    0, NULL);
-}
-
-static void
-biba_proc_create_init(struct ucred *cred)
-{
-	struct mac_biba *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
-	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
-	    0, NULL);
-}
-
-static void
-biba_proc_associate_nfsd(struct ucred *cred)
-{
-	struct mac_biba *label;
-
-	label = SLOT(cred->cr_label);
-	biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
-	biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
-	    0, NULL);
-}
-
-static void
-biba_cred_relabel(struct ucred *cred, struct label *newlabel)
+static int
+biba_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
+    struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
 {
-	struct mac_biba *source, *dest;
-
-	source = SLOT(newlabel);
-	dest = SLOT(cred->cr_label);
 
-	biba_copy(source, dest);
-}
+	if(!biba_enabled)
+		return (0);
 
-/*
- * Label cleanup/flush operations
- */
-static void
-biba_sysvmsg_cleanup(struct label *msglabel)
-{
+	/* XXX: This will be implemented soon... */
 
-	bzero(SLOT(msglabel), sizeof(struct mac_biba));
+	return (0);
 }
 
-static void
-biba_sysvmsq_cleanup(struct label *msqlabel)
+static int
+biba_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
+    struct label *pplabel)
 {
+	struct mac_biba *subj, *obj;
 
-	bzero(SLOT(msqlabel), sizeof(struct mac_biba));
-}
+	if (!biba_enabled)
+		return (0);
 
-static void
-biba_sysvsem_cleanup(struct label *semalabel)
-{
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(pplabel);
 
-	bzero(SLOT(semalabel), sizeof(struct mac_biba));
-}
+	if (!biba_dominate_effective(obj, subj))
+		return (EACCES);
 
-static void
-biba_sysvshm_cleanup(struct label *shmlabel)
-{
-	bzero(SLOT(shmlabel), sizeof(struct mac_biba));
+	return (0);
 }
 
-/*
- * Access control checks.
- */
 static int
-biba_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
-    struct ifnet *ifp, struct label *ifplabel)
+biba_pipe_check_read(struct ucred *cred, struct pipepair *pp,
+    struct label *pplabel)
 {
-	struct mac_biba *a, *b;
+	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
-	a = SLOT(dlabel);
-	b = SLOT(ifplabel);
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(pplabel);
 
-	if (biba_equal_effective(a, b))
-		return (0);
-	return (EACCES);
+	if (!biba_dominate_effective(obj, subj))
+		return (EACCES);
+
+	return (0);
 }
 
 static int
-biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
+biba_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
+    struct label *pplabel, struct label *newlabel)
 {
-	struct mac_biba *subj, *new;
+	struct mac_biba *subj, *obj, *new;
 	int error;
 
-	subj = SLOT(cred->cr_label);
 	new = SLOT(newlabel);
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(pplabel);
 
 	/*
-	 * If there is a Biba label update for the credential, it may
-	 * be an update of the effective, range, or both.
+	 * If there is a Biba label update for a pipe, it must be a effective
+	 * update.
 	 */
-	error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
+	error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
 	if (error)
 		return (error);
 
 	/*
-	 * If the Biba label is to be changed, authorize as appropriate.
+	 * To perform a relabel of a pipe (Biba label or not), Biba must
+	 * authorize the relabel.
 	 */
-	if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
-		/*
-		 * If the change request modifies both the Biba label
-		 * effective and range, check that the new effective will be
-		 * in the new range.
-		 */
-		if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
-		    MAC_BIBA_FLAGS_BOTH &&
-		    !biba_effective_in_range(new, new))
-			return (EINVAL);
-
-		/*
-		 * To change the Biba effective label on a credential, the
-		 * new effective label must be in the current range.
-		 */
-		if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE &&
-		    !biba_effective_in_range(new, subj))
-			return (EPERM);
+	if (!biba_effective_in_range(obj, subj))
+		return (EPERM);
 
+	/*
+	 * If the Biba label is to be changed, authorize as appropriate.
+	 */
+	if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
 		/*
-		 * To change the Biba range on a credential, the new range
-		 * label must be in the current range.
+		 * To change the Biba label on a pipe, the new pipe label
+		 * must be in the subject range.
 		 */
-		if (new->mb_flags & MAC_BIBA_FLAG_RANGE &&
-		    !biba_range_in_range(new, subj))
+		if (!biba_effective_in_range(new, subj))
 			return (EPERM);
 
 		/*
-		 * To have EQUAL in any component of the new credential Biba
-		 * label, the subject must already have EQUAL in their label.
+		 * To change the Biba label on a pipe to be EQUAL, the
+		 * subject must have appropriate privilege.
 		 */
 		if (biba_contains_equal(new)) {
 			error = biba_subject_privileged(subj);
@@ -1575,84 +1444,86 @@ biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 }
 
 static int
-biba_cred_check_visible(struct ucred *u1, struct ucred *u2)
+biba_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
+    struct label *pplabel)
 {
 	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
-	subj = SLOT(u1->cr_label);
-	obj = SLOT(u2->cr_label);
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(pplabel);
 
-	/* XXX: range */
 	if (!biba_dominate_effective(obj, subj))
-		return (ESRCH);
+		return (EACCES);
 
 	return (0);
 }
 
 static int
-biba_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
-    struct label *ifplabel, struct label *newlabel)
+biba_pipe_check_write(struct ucred *cred, struct pipepair *pp,
+    struct label *pplabel)
 {
-	struct mac_biba *subj, *new;
-	int error;
+	struct mac_biba *subj, *obj;
 
-	subj = SLOT(cred->cr_label);
-	new = SLOT(newlabel);
+	if (!biba_enabled)
+		return (0);
 
-	/*
-	 * If there is a Biba label update for the interface, it may be an
-	 * update of the effective, range, or both.
-	 */
-	error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH);
-	if (error)
-		return (error);
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(pplabel);
 
-	/*
-	 * Relabling network interfaces requires Biba privilege.
-	 */
-	error = biba_subject_privileged(subj);
-	if (error)
-		return (error);
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
 
 	return (0);
 }
 
-static int
-biba_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
-    struct mbuf *m, struct label *mlabel)
+static void
+biba_pipe_create(struct ucred *cred, struct pipepair *pp,
+    struct label *pplabel)
 {
-	struct mac_biba *p, *i;
+	struct mac_biba *source, *dest;
 
-	if (!biba_enabled)
-		return (0);
+	source = SLOT(cred->cr_label);
+	dest = SLOT(pplabel);
 
-	p = SLOT(mlabel);
-	i = SLOT(ifplabel);
+	biba_copy_effective(source, dest);
+}
 
-	return (biba_effective_in_range(p, i) ? 0 : EACCES);
+static void
+biba_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+    struct label *pplabel, struct label *newlabel)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(newlabel);
+	dest = SLOT(pplabel);
+
+	biba_copy(source, dest);
 }
 
 static int
-biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
-    struct mbuf *m, struct label *mlabel)
+biba_posixsem_check_write(struct ucred *cred, struct ksem *ks,
+    struct label *kslabel)
 {
-	struct mac_biba *p, *i;
+	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
-	p = SLOT(mlabel);
-	i = SLOT(inplabel);
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(kslabel);
 
-	return (biba_equal_effective(p, i) ? 0 : EACCES);
+	if (!biba_dominate_effective(subj, obj))
+		return (EACCES);
+
+	return (0);
 }
 
 static int
-biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
-    struct label *msglabel)
+biba_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
+    struct label *kslabel)
 {
 	struct mac_biba *subj, *obj;
 
@@ -1660,7 +1531,7 @@ biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(msglabel);
+	obj = SLOT(kslabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
@@ -1668,27 +1539,220 @@ biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
 	return (0);
 }
 
+static void
+biba_posixsem_create(struct ucred *cred, struct ksem *ks,
+    struct label *kslabel)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(cred->cr_label);
+	dest = SLOT(kslabel);
+
+	biba_copy_effective(source, dest);
+}
+
+/*
+ * Some system privileges are allowed regardless of integrity grade; others
+ * are allowed only when running with privilege with respect to the Biba
+ * policy as they might otherwise allow bypassing of the integrity policy.
+ */
 static int
-biba_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
-    struct label *msglabel)
+biba_priv_check(struct ucred *cred, int priv)
 {
-	struct mac_biba *subj, *obj;
+	struct mac_biba *subj;
+	int error;
 
 	if (!biba_enabled)
 		return (0);
 
-	subj = SLOT(cred->cr_label);
-	obj = SLOT(msglabel);
+	/*
+	 * Exempt only specific privileges from the Biba integrity policy.
+	 */
+	switch (priv) {
+	case PRIV_KTRACE:
+	case PRIV_MSGBUF:
 
-	if (!biba_dominate_effective(subj, obj))
-		return (EACCES);
+	/*
+	 * Allow processes to manipulate basic process audit properties, and
+	 * to submit audit records.
+	 */
+	case PRIV_AUDIT_GETAUDIT:
+	case PRIV_AUDIT_SETAUDIT:
+	case PRIV_AUDIT_SUBMIT:
 
+	/*
+	 * Allow processes to manipulate their regular UNIX credentials.
+	 */
+	case PRIV_CRED_SETUID:
+	case PRIV_CRED_SETEUID:
+	case PRIV_CRED_SETGID:
+	case PRIV_CRED_SETEGID:
+	case PRIV_CRED_SETGROUPS:
+	case PRIV_CRED_SETREUID:
+	case PRIV_CRED_SETREGID:
+	case PRIV_CRED_SETRESUID:
+	case PRIV_CRED_SETRESGID:
+
+	/*
+	 * Allow processes to perform system monitoring.
+	 */
+	case PRIV_SEEOTHERGIDS:
+	case PRIV_SEEOTHERUIDS:
+		break;
+
+	/*
+	 * Allow access to general process debugging facilities.  We
+	 * separately control debugging based on MAC label.
+	 */
+	case PRIV_DEBUG_DIFFCRED:
+	case PRIV_DEBUG_SUGID:
+	case PRIV_DEBUG_UNPRIV:
+
+	/*
+	 * Allow manipulating jails.
+	 */
+	case PRIV_JAIL_ATTACH:
+
+	/*
+	 * Allow privilege with respect to the Partition policy, but not the
+	 * Privs policy.
+	 */
+	case PRIV_MAC_PARTITION:
+
+	/*
+	 * Allow privilege with respect to process resource limits and login
+	 * context.
+	 */
+	case PRIV_PROC_LIMIT:
+	case PRIV_PROC_SETLOGIN:
+	case PRIV_PROC_SETRLIMIT:
+
+	/*
+	 * Allow System V and POSIX IPC privileges.
+	 */
+	case PRIV_IPC_READ:
+	case PRIV_IPC_WRITE:
+	case PRIV_IPC_ADMIN:
+	case PRIV_IPC_MSGSIZE:
+	case PRIV_MQ_ADMIN:
+
+	/*
+	 * Allow certain scheduler manipulations -- possibly this should be
+	 * controlled by more fine-grained policy, as potentially low
+	 * integrity processes can deny CPU to higher integrity ones.
+	 */
+	case PRIV_SCHED_DIFFCRED:
+	case PRIV_SCHED_SETPRIORITY:
+	case PRIV_SCHED_RTPRIO:
+	case PRIV_SCHED_SETPOLICY:
+	case PRIV_SCHED_SET:
+	case PRIV_SCHED_SETPARAM:
+
+	/*
+	 * More IPC privileges.
+	 */
+	case PRIV_SEM_WRITE:
+
+	/*
+	 * Allow signaling privileges subject to integrity policy.
+	 */
+	case PRIV_SIGNAL_DIFFCRED:
+	case PRIV_SIGNAL_SUGID:
+
+	/*
+	 * Allow access to only limited sysctls from lower integrity levels;
+	 * piggy-back on the Jail definition.
+	 */
+	case PRIV_SYSCTL_WRITEJAIL:
+
+	/*
+	 * Allow TTY-based privileges, subject to general device access using
+	 * labels on TTY device nodes, but not console privilege.
+	 */
+	case PRIV_TTY_DRAINWAIT:
+	case PRIV_TTY_DTRWAIT:
+	case PRIV_TTY_EXCLUSIVE:
+	case PRIV_TTY_PRISON:
+	case PRIV_TTY_STI:
+	case PRIV_TTY_SETA:
+
+	/*
+	 * Grant most VFS privileges, as almost all are in practice bounded
+	 * by more specific checks using labels.
+	 */
+	case PRIV_VFS_READ:
+	case PRIV_VFS_WRITE:
+	case PRIV_VFS_ADMIN:
+	case PRIV_VFS_EXEC:
+	case PRIV_VFS_LOOKUP:
+	case PRIV_VFS_CHFLAGS_DEV:
+	case PRIV_VFS_CHOWN:
+	case PRIV_VFS_CHROOT:
+	case PRIV_VFS_RETAINSUGID:
+	case PRIV_VFS_EXCEEDQUOTA:
+	case PRIV_VFS_FCHROOT:
+	case PRIV_VFS_FHOPEN:
+	case PRIV_VFS_FHSTATFS:
+	case PRIV_VFS_GENERATION:
+	case PRIV_VFS_GETFH:
+	case PRIV_VFS_GETQUOTA:
+	case PRIV_VFS_LINK:
+	case PRIV_VFS_MOUNT:
+	case PRIV_VFS_MOUNT_OWNER:
+	case PRIV_VFS_MOUNT_PERM:
+	case PRIV_VFS_MOUNT_SUIDDIR:
+	case PRIV_VFS_MOUNT_NONUSER:
+	case PRIV_VFS_SETGID:
+	case PRIV_VFS_STICKYFILE:
+	case PRIV_VFS_SYSFLAGS:
+	case PRIV_VFS_UNMOUNT:
+
+	/*
+	 * Allow VM privileges; it would be nice if these were subject to
+	 * resource limits.
+	 */
+	case PRIV_VM_MADV_PROTECT:
+	case PRIV_VM_MLOCK:
+	case PRIV_VM_MUNLOCK:
+
+	/*
+	 * Allow some but not all network privileges.  In general, dont allow
+	 * reconfiguring the network stack, just normal use.
+	 */
+	case PRIV_NETATALK_RESERVEDPORT:
+	case PRIV_NETINET_RESERVEDPORT:
+	case PRIV_NETINET_RAW:
+	case PRIV_NETINET_REUSEPORT:
+	case PRIV_NETIPX_RESERVEDPORT:
+	case PRIV_NETIPX_RAW:
+		break;
+
+	/*
+	 * All remaining system privileges are allow only if the process
+	 * holds privilege with respect to the Biba policy.
+	 */
+	default:
+		subj = SLOT(cred->cr_label);
+		error = biba_subject_privileged(subj);
+		if (error)
+			return (error);
+	}
 	return (0);
 }
 
+static void
+biba_proc_associate_nfsd(struct ucred *cred)
+{
+	struct mac_biba *label;
+
+	label = SLOT(cred->cr_label);
+	biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
+	biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+	    0, NULL);
+}
+
 static int
-biba_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
-    struct label *msqklabel)
+biba_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	struct mac_biba *subj, *obj;
 
@@ -1696,17 +1760,19 @@ biba_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(msqklabel);
+	obj = SLOT(p->p_ucred->cr_label);
 
+	/* XXX: range checks */
 	if (!biba_dominate_effective(obj, subj))
+		return (ESRCH);
+	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
-biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
-    struct label *msqklabel)
+biba_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 	struct mac_biba *subj, *obj;
 
@@ -1714,8 +1780,11 @@ biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(msqklabel);
+	obj = SLOT(p->p_ucred->cr_label);
 
+	/* XXX: range checks */
+	if (!biba_dominate_effective(obj, subj))
+		return (ESRCH);
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
@@ -1723,8 +1792,7 @@ biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
 }
 
 static int
-biba_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
-    struct label *msqklabel)
+biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 {
 	struct mac_biba *subj, *obj;
 
@@ -1732,86 +1800,110 @@ biba_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(msqklabel);
+	obj = SLOT(p->p_ucred->cr_label);
 
+	/* XXX: range checks */
 	if (!biba_dominate_effective(obj, subj))
+		return (ESRCH);
+	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
-biba_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
-    struct label *msqklabel, int cmd)
+biba_socket_check_deliver(struct socket *so, struct label *solabel,
+    struct mbuf *m, struct label *mlabel)
 {
-	struct mac_biba *subj, *obj;
+	struct mac_biba *p, *s;
 
 	if (!biba_enabled)
 		return (0);
 
-	subj = SLOT(cred->cr_label);
-	obj = SLOT(msqklabel);
+	p = SLOT(mlabel);
+	s = SLOT(solabel);
 
-	switch(cmd) {
-	case IPC_RMID:
-	case IPC_SET:
-		if (!biba_dominate_effective(subj, obj))
-			return (EACCES);
-		break;
+	return (biba_equal_effective(p, s) ? 0 : EACCES);
+}
 
-	case IPC_STAT:
-		if (!biba_dominate_effective(obj, subj))
-			return (EACCES);
-		break;
+static void
+biba_proc_create_init(struct ucred *cred)
+{
+	struct mac_biba *dest;
 
-	default:
-		return (EACCES);
-	}
+	dest = SLOT(cred->cr_label);
 
-	return (0);
+	biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
+	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+	    0, NULL);
 }
 
-static int
-biba_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
-    struct label *semaklabel, int cmd)
+static void
+biba_proc_create_swapper(struct ucred *cred)
 {
-	struct mac_biba *subj, *obj;
+	struct mac_biba *dest;
 
-	if (!biba_enabled)
-		return (0);
+	dest = SLOT(cred->cr_label);
 
+	biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+	    0, NULL);
+}
+
+static int
+biba_socket_check_relabel(struct ucred *cred, struct socket *so,
+    struct label *solabel, struct label *newlabel)
+{
+	struct mac_biba *subj, *obj, *new;
+	int error;
+
+	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(semaklabel);
+	obj = SLOT(solabel);
 
-	switch(cmd) {
-	case IPC_RMID:
-	case IPC_SET:
-	case SETVAL:
-	case SETALL:
-		if (!biba_dominate_effective(subj, obj))
-			return (EACCES);
-		break;
+	/*
+	 * If there is a Biba label update for the socket, it may be an
+	 * update of effective.
+	 */
+	error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
+	if (error)
+		return (error);
 
-	case IPC_STAT:
-	case GETVAL:
-	case GETPID:
-	case GETNCNT:
-	case GETZCNT:
-	case GETALL:
-		if (!biba_dominate_effective(obj, subj))
-			return (EACCES);
-		break;
+	/*
+	 * To relabel a socket, the old socket effective must be in the
+	 * subject range.
+	 */
+	if (!biba_effective_in_range(obj, subj))
+		return (EPERM);
 
-	default:
-		return (EACCES);
+	/*
+	 * If the Biba label is to be changed, authorize as appropriate.
+	 */
+	if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
+		/*
+		 * To relabel a socket, the new socket effective must be in
+		 * the subject range.
+		 */
+		if (!biba_effective_in_range(new, subj))
+			return (EPERM);
+
+		/*
+		 * To change the Biba label on the socket to contain EQUAL,
+		 * the subject must have appropriate privilege.
+		 */
+		if (biba_contains_equal(new)) {
+			error = biba_subject_privileged(subj);
+			if (error)
+				return (error);
+		}
 	}
 
 	return (0);
 }
 
 static int
-biba_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
-    struct label *semaklabel)
+biba_socket_check_visible(struct ucred *cred, struct socket *so,
+    struct label *solabel)
 {
 	struct mac_biba *subj, *obj;
 
@@ -1819,111 +1911,110 @@ biba_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(semaklabel);
+	obj = SLOT(solabel);
 
 	if (!biba_dominate_effective(obj, subj))
-		return (EACCES);
+		return (ENOENT);
 
 	return (0);
 }
 
-static int
-biba_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
-    struct label *semaklabel, size_t accesstype)
+static void
+biba_socket_create(struct ucred *cred, struct socket *so,
+    struct label *solabel)
 {
-	struct mac_biba *subj, *obj;
+	struct mac_biba *source, *dest;
 
-	if (!biba_enabled)
-		return (0);
+	source = SLOT(cred->cr_label);
+	dest = SLOT(solabel);
 
-	subj = SLOT(cred->cr_label);
-	obj = SLOT(semaklabel);
+	biba_copy_effective(source, dest);
+}
 
-	if (accesstype & SEM_R)
-		if (!biba_dominate_effective(obj, subj))
-			return (EACCES);
+static void
+biba_socket_create_mbuf(struct socket *so, struct label *solabel,
+    struct mbuf *m, struct label *mlabel)
+{
+	struct mac_biba *source, *dest;
 
-	if (accesstype & SEM_A)
-		if (!biba_dominate_effective(subj, obj))
-			return (EACCES);
+	source = SLOT(solabel);
+	dest = SLOT(mlabel);
 
-	return (0);
+	biba_copy_effective(source, dest);
 }
 
-static int
-biba_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
-    struct label *shmseglabel, int shmflg)
+static void
+biba_socket_newconn(struct socket *oldso, struct label *oldsolabel,
+    struct socket *newso, struct label *newsolabel)
 {
-	struct mac_biba *subj, *obj;
-
-	if (!biba_enabled)
-		return (0);
+	struct mac_biba *source, *dest;
 
-	subj = SLOT(cred->cr_label);
-	obj = SLOT(shmseglabel);
+	source = SLOT(oldsolabel);
+	dest = SLOT(newsolabel);
 
-	if (!biba_dominate_effective(obj, subj))
-		return (EACCES);
-	if ((shmflg & SHM_RDONLY) == 0) {
-		if (!biba_dominate_effective(subj, obj))
-			return (EACCES);
-	}
-	
-	return (0);
+	biba_copy_effective(source, dest);
 }
 
-static int
-biba_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
-    struct label *shmseglabel, int cmd)
+static void
+biba_socket_relabel(struct ucred *cred, struct socket *so,
+    struct label *solabel, struct label *newlabel)
 {
-	struct mac_biba *subj, *obj;
-
-	if (!biba_enabled)
-		return (0);
+	struct mac_biba *source, *dest;
 
-	subj = SLOT(cred->cr_label);
-	obj = SLOT(shmseglabel);
+	source = SLOT(newlabel);
+	dest = SLOT(solabel);
 
-	switch(cmd) {
-	case IPC_RMID:
-	case IPC_SET:
-		if (!biba_dominate_effective(subj, obj))
-			return (EACCES);
-		break;
+	biba_copy(source, dest);
+}
 
-	case IPC_STAT:
-	case SHM_STAT:
-		if (!biba_dominate_effective(obj, subj))
-			return (EACCES);
-		break;
+static void
+biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
+    struct socket *so, struct label *sopeerlabel)
+{
+	struct mac_biba *source, *dest;
 
-	default:
-		return (EACCES);
-	}
+	source = SLOT(mlabel);
+	dest = SLOT(sopeerlabel);
 
-	return (0);
+	biba_copy_effective(source, dest);
 }
 
-static int
-biba_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
-    struct label *shmseglabel, int shmflg)
+static void
+biba_socketpeer_set_from_socket(struct socket *oldso,
+    struct label *oldsolabel, struct socket *newso,
+    struct label *newsopeerlabel)
 {
-	struct mac_biba *subj, *obj;
+	struct mac_biba *source, *dest;
 
-	if (!biba_enabled)
-		return (0);
+	source = SLOT(oldsolabel);
+	dest = SLOT(newsopeerlabel);
 
-	subj = SLOT(cred->cr_label);
-	obj = SLOT(shmseglabel);
+	biba_copy_effective(source, dest);
+}
 
-	if (!biba_dominate_effective(obj, subj))
-		return (EACCES);
+static void
+biba_syncache_create(struct label *label, struct inpcb *inp)
+{
+	struct mac_biba *source, *dest;
 
-	return (0);
+	source = SLOT(inp->inp_label);
+	dest = SLOT(label);
+	biba_copy_effective(source, dest);
+}
+
+static void
+biba_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
+    struct label *mlabel)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(sc_label);
+	dest = SLOT(mlabel);
+	biba_copy_effective(source, dest);
 }
 
 static int
-biba_kld_check_load(struct ucred *cred, struct vnode *vp,
+biba_system_check_acct(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
@@ -1938,6 +2029,9 @@ biba_kld_check_load(struct ucred *cred, struct vnode *vp,
 	if (error)
 		return (error);
 
+	if (vplabel == NULL)
+		return (0);
+
 	obj = SLOT(vplabel);
 	if (!biba_high_effective(obj))
 		return (EACCES);
@@ -1946,144 +2040,142 @@ biba_kld_check_load(struct ucred *cred, struct vnode *vp,
 }
 
 static int
-biba_mount_check_stat(struct ucred *cred, struct mount *mp,
-    struct label *mplabel)
+biba_system_check_auditctl(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
+	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(mplabel);
 
-	if (!biba_dominate_effective(obj, subj))
+	error = biba_subject_privileged(subj);
+	if (error)
+		return (error);
+
+	if (vplabel == NULL)
+		return (0);
+
+	obj = SLOT(vplabel);
+	if (!biba_high_effective(obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
-biba_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
-    struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
+biba_system_check_auditon(struct ucred *cred, int cmd)
 {
+	struct mac_biba *subj;
+	int error;
 
-	if(!biba_enabled)
+	if (!biba_enabled)
 		return (0);
 
-	/* XXX: This will be implemented soon... */
+	subj = SLOT(cred->cr_label);
+
+	error = biba_subject_privileged(subj);
+	if (error)
+		return (error);
 
 	return (0);
 }
 
 static int
-biba_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
-    struct label *pplabel)
+biba_system_check_swapoff(struct ucred *cred, struct vnode *vp,
+    struct label *label)
 {
-	struct mac_biba *subj, *obj;
+	struct mac_biba *subj;
+	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(pplabel);
 
-	if (!biba_dominate_effective(obj, subj))
-		return (EACCES);
+	error = biba_subject_privileged(subj);
+	if (error)
+		return (error);
 
 	return (0);
 }
 
 static int
-biba_pipe_check_read(struct ucred *cred, struct pipepair *pp,
-    struct label *pplabel)
+biba_system_check_swapon(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel)
 {
 	struct mac_biba *subj, *obj;
+	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(pplabel);
+	obj = SLOT(vplabel);
 
-	if (!biba_dominate_effective(obj, subj))
+	error = biba_subject_privileged(subj);
+	if (error)
+		return (error);
+
+	if (!biba_high_effective(obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
-biba_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
-    struct label *pplabel, struct label *newlabel)
+biba_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+    void *arg1, int arg2, struct sysctl_req *req)
 {
-	struct mac_biba *subj, *obj, *new;
+	struct mac_biba *subj;
 	int error;
 
-	new = SLOT(newlabel);
-	subj = SLOT(cred->cr_label);
-	obj = SLOT(pplabel);
-
-	/*
-	 * If there is a Biba label update for a pipe, it must be a effective
-	 * update.
-	 */
-	error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
-	if (error)
-		return (error);
+	if (!biba_enabled)
+		return (0);
 
-	/*
-	 * To perform a relabel of a pipe (Biba label or not), Biba must
-	 * authorize the relabel.
-	 */
-	if (!biba_effective_in_range(obj, subj))
-		return (EPERM);
+	subj = SLOT(cred->cr_label);
 
 	/*
-	 * If the Biba label is to be changed, authorize as appropriate.
+	 * Treat sysctl variables without CTLFLAG_ANYBODY flag as biba/high,
+	 * but also require privilege to change them.
 	 */
-	if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
-		/*
-		 * To change the Biba label on a pipe, the new pipe label
-		 * must be in the subject range.
-		 */
-		if (!biba_effective_in_range(new, subj))
-			return (EPERM);
+	if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) {
+		if (!biba_subject_dominate_high(subj))
+			return (EACCES);
 
-		/*
-		 * To change the Biba label on a pipe to be EQUAL, the
-		 * subject must have appropriate privilege.
-		 */
-		if (biba_contains_equal(new)) {
-			error = biba_subject_privileged(subj);
-			if (error)
-				return (error);
-		}
+		error = biba_subject_privileged(subj);
+		if (error)
+			return (error);
 	}
 
 	return (0);
 }
 
-static int
-biba_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
-    struct label *pplabel)
+static void
+biba_sysvmsg_cleanup(struct label *msglabel)
 {
-	struct mac_biba *subj, *obj;
 
-	if (!biba_enabled)
-		return (0);
+	bzero(SLOT(msglabel), sizeof(struct mac_biba));
+}
 
-	subj = SLOT(cred->cr_label);
-	obj = SLOT(pplabel);
+static void
+biba_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
+    struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
+{
+	struct mac_biba *source, *dest;
 
-	if (!biba_dominate_effective(obj, subj))
-		return (EACCES);
+	/* Ignore the msgq label */
+	source = SLOT(cred->cr_label);
+	dest = SLOT(msglabel);
 
-	return (0);
+	biba_copy_effective(source, dest);
 }
 
 static int
-biba_pipe_check_write(struct ucred *cred, struct pipepair *pp,
-    struct label *pplabel)
+biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
+    struct label *msglabel)
 {
 	struct mac_biba *subj, *obj;
 
@@ -2091,17 +2183,17 @@ biba_pipe_check_write(struct ucred *cred, struct pipepair *pp,
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(pplabel);
+	obj = SLOT(msglabel);
 
-	if (!biba_dominate_effective(subj, obj))
+	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
-biba_posixsem_check_write(struct ucred *cred, struct ksem *ks,
-    struct label *kslabel)
+biba_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
+    struct label *msglabel)
 {
 	struct mac_biba *subj, *obj;
 
@@ -2109,7 +2201,7 @@ biba_posixsem_check_write(struct ucred *cred, struct ksem *ks,
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(kslabel);
+	obj = SLOT(msglabel);
 
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
@@ -2118,8 +2210,8 @@ biba_posixsem_check_write(struct ucred *cred, struct ksem *ks,
 }
 
 static int
-biba_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
-    struct label *kslabel)
+biba_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
+    struct label *msqklabel)
 {
 	struct mac_biba *subj, *obj;
 
@@ -2127,7 +2219,7 @@ biba_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(kslabel);
+	obj = SLOT(msqklabel);
 
 	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
@@ -2136,7 +2228,8 @@ biba_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
 }
 
 static int
-biba_proc_check_debug(struct ucred *cred, struct proc *p)
+biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
+    struct label *msqklabel)
 {
 	struct mac_biba *subj, *obj;
 
@@ -2144,11 +2237,8 @@ biba_proc_check_debug(struct ucred *cred, struct proc *p)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(p->p_ucred->cr_label);
+	obj = SLOT(msqklabel);
 
-	/* XXX: range checks */
-	if (!biba_dominate_effective(obj, subj))
-		return (ESRCH);
 	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
@@ -2156,7 +2246,8 @@ biba_proc_check_debug(struct ucred *cred, struct proc *p)
 }
 
 static int
-biba_proc_check_sched(struct ucred *cred, struct proc *p)
+biba_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
+    struct label *msqklabel)
 {
 	struct mac_biba *subj, *obj;
 
@@ -2164,19 +2255,17 @@ biba_proc_check_sched(struct ucred *cred, struct proc *p)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(p->p_ucred->cr_label);
+	obj = SLOT(msqklabel);
 
-	/* XXX: range checks */
 	if (!biba_dominate_effective(obj, subj))
-		return (ESRCH);
-	if (!biba_dominate_effective(subj, obj))
 		return (EACCES);
 
 	return (0);
 }
 
 static int
-biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
+biba_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
+    struct label *msqklabel, int cmd)
 {
 	struct mac_biba *subj, *obj;
 
@@ -2184,86 +2273,87 @@ biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(p->p_ucred->cr_label);
+	obj = SLOT(msqklabel);
 
-	/* XXX: range checks */
-	if (!biba_dominate_effective(obj, subj))
-		return (ESRCH);
-	if (!biba_dominate_effective(subj, obj))
+	switch(cmd) {
+	case IPC_RMID:
+	case IPC_SET:
+		if (!biba_dominate_effective(subj, obj))
+			return (EACCES);
+		break;
+
+	case IPC_STAT:
+		if (!biba_dominate_effective(obj, subj))
+			return (EACCES);
+		break;
+
+	default:
 		return (EACCES);
+	}
 
 	return (0);
 }
 
-static int
-biba_socket_check_deliver(struct socket *so, struct label *solabel,
-    struct mbuf *m, struct label *mlabel)
+static void
+biba_sysvmsq_cleanup(struct label *msqlabel)
 {
-	struct mac_biba *p, *s;
 
-	if (!biba_enabled)
-		return (0);
+	bzero(SLOT(msqlabel), sizeof(struct mac_biba));
+}
 
-	p = SLOT(mlabel);
-	s = SLOT(solabel);
+static void
+biba_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
+    struct label *msqlabel)
+{
+	struct mac_biba *source, *dest;
 
-	return (biba_equal_effective(p, s) ? 0 : EACCES);
+	source = SLOT(cred->cr_label);
+	dest = SLOT(msqlabel);
+
+	biba_copy_effective(source, dest);
 }
 
 static int
-biba_socket_check_relabel(struct ucred *cred, struct socket *so,
-    struct label *solabel, struct label *newlabel)
+biba_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
+    struct label *semaklabel, int cmd)
 {
-	struct mac_biba *subj, *obj, *new;
-	int error;
+	struct mac_biba *subj, *obj;
 
-	new = SLOT(newlabel);
-	subj = SLOT(cred->cr_label);
-	obj = SLOT(solabel);
+	if (!biba_enabled)
+		return (0);
 
-	/*
-	 * If there is a Biba label update for the socket, it may be an
-	 * update of effective.
-	 */
-	error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE);
-	if (error)
-		return (error);
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(semaklabel);
 
-	/*
-	 * To relabel a socket, the old socket effective must be in the
-	 * subject range.
-	 */
-	if (!biba_effective_in_range(obj, subj))
-		return (EPERM);
+	switch(cmd) {
+	case IPC_RMID:
+	case IPC_SET:
+	case SETVAL:
+	case SETALL:
+		if (!biba_dominate_effective(subj, obj))
+			return (EACCES);
+		break;
 
-	/*
-	 * If the Biba label is to be changed, authorize as appropriate.
-	 */
-	if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) {
-		/*
-		 * To relabel a socket, the new socket effective must be in
-		 * the subject range.
-		 */
-		if (!biba_effective_in_range(new, subj))
-			return (EPERM);
+	case IPC_STAT:
+	case GETVAL:
+	case GETPID:
+	case GETNCNT:
+	case GETZCNT:
+	case GETALL:
+		if (!biba_dominate_effective(obj, subj))
+			return (EACCES);
+		break;
 
-		/*
-		 * To change the Biba label on the socket to contain EQUAL,
-		 * the subject must have appropriate privilege.
-		 */
-		if (biba_contains_equal(new)) {
-			error = biba_subject_privileged(subj);
-			if (error)
-				return (error);
-		}
+	default:
+		return (EACCES);
 	}
 
 	return (0);
 }
 
 static int
-biba_socket_check_visible(struct ucred *cred, struct socket *so,
-    struct label *solabel)
+biba_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
+    struct label *semaklabel)
 {
 	struct mac_biba *subj, *obj;
 
@@ -2271,341 +2361,198 @@ biba_socket_check_visible(struct ucred *cred, struct socket *so,
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT(solabel);
+	obj = SLOT(semaklabel);
 
 	if (!biba_dominate_effective(obj, subj))
-		return (ENOENT);
+		return (EACCES);
 
 	return (0);
 }
 
-/*
- * Some system privileges are allowed regardless of integrity grade; others
- * are allowed only when running with privilege with respect to the Biba
- * policy as they might otherwise allow bypassing of the integrity policy.
- */
 static int
-biba_priv_check(struct ucred *cred, int priv)
+biba_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
+    struct label *semaklabel, size_t accesstype)
 {
-	struct mac_biba *subj;
-	int error;
+	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
-	/*
-	 * Exempt only specific privileges from the Biba integrity policy.
-	 */
-	switch (priv) {
-	case PRIV_KTRACE:
-	case PRIV_MSGBUF:
-
-	/*
-	 * Allow processes to manipulate basic process audit properties, and
-	 * to submit audit records.
-	 */
-	case PRIV_AUDIT_GETAUDIT:
-	case PRIV_AUDIT_SETAUDIT:
-	case PRIV_AUDIT_SUBMIT:
-
-	/*
-	 * Allow processes to manipulate their regular UNIX credentials.
-	 */
-	case PRIV_CRED_SETUID:
-	case PRIV_CRED_SETEUID:
-	case PRIV_CRED_SETGID:
-	case PRIV_CRED_SETEGID:
-	case PRIV_CRED_SETGROUPS:
-	case PRIV_CRED_SETREUID:
-	case PRIV_CRED_SETREGID:
-	case PRIV_CRED_SETRESUID:
-	case PRIV_CRED_SETRESGID:
-
-	/*
-	 * Allow processes to perform system monitoring.
-	 */
-	case PRIV_SEEOTHERGIDS:
-	case PRIV_SEEOTHERUIDS:
-		break;
-
-	/*
-	 * Allow access to general process debugging facilities.  We
-	 * separately control debugging based on MAC label.
-	 */
-	case PRIV_DEBUG_DIFFCRED:
-	case PRIV_DEBUG_SUGID:
-	case PRIV_DEBUG_UNPRIV:
-
-	/*
-	 * Allow manipulating jails.
-	 */
-	case PRIV_JAIL_ATTACH:
-
-	/*
-	 * Allow privilege with respect to the Partition policy, but not the
-	 * Privs policy.
-	 */
-	case PRIV_MAC_PARTITION:
-
-	/*
-	 * Allow privilege with respect to process resource limits and login
-	 * context.
-	 */
-	case PRIV_PROC_LIMIT:
-	case PRIV_PROC_SETLOGIN:
-	case PRIV_PROC_SETRLIMIT:
-
-	/*
-	 * Allow System V and POSIX IPC privileges.
-	 */
-	case PRIV_IPC_READ:
-	case PRIV_IPC_WRITE:
-	case PRIV_IPC_ADMIN:
-	case PRIV_IPC_MSGSIZE:
-	case PRIV_MQ_ADMIN:
-
-	/*
-	 * Allow certain scheduler manipulations -- possibly this should be
-	 * controlled by more fine-grained policy, as potentially low
-	 * integrity processes can deny CPU to higher integrity ones.
-	 */
-	case PRIV_SCHED_DIFFCRED:
-	case PRIV_SCHED_SETPRIORITY:
-	case PRIV_SCHED_RTPRIO:
-	case PRIV_SCHED_SETPOLICY:
-	case PRIV_SCHED_SET:
-	case PRIV_SCHED_SETPARAM:
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(semaklabel);
 
-	/*
-	 * More IPC privileges.
-	 */
-	case PRIV_SEM_WRITE:
+	if (accesstype & SEM_R)
+		if (!biba_dominate_effective(obj, subj))
+			return (EACCES);
 
-	/*
-	 * Allow signaling privileges subject to integrity policy.
-	 */
-	case PRIV_SIGNAL_DIFFCRED:
-	case PRIV_SIGNAL_SUGID:
+	if (accesstype & SEM_A)
+		if (!biba_dominate_effective(subj, obj))
+			return (EACCES);
 
-	/*
-	 * Allow access to only limited sysctls from lower integrity levels;
-	 * piggy-back on the Jail definition.
-	 */
-	case PRIV_SYSCTL_WRITEJAIL:
+	return (0);
+}
 
-	/*
-	 * Allow TTY-based privileges, subject to general device access using
-	 * labels on TTY device nodes, but not console privilege.
-	 */
-	case PRIV_TTY_DRAINWAIT:
-	case PRIV_TTY_DTRWAIT:
-	case PRIV_TTY_EXCLUSIVE:
-	case PRIV_TTY_PRISON:
-	case PRIV_TTY_STI:
-	case PRIV_TTY_SETA:
+static void
+biba_sysvsem_cleanup(struct label *semalabel)
+{
 
-	/*
-	 * Grant most VFS privileges, as almost all are in practice bounded
-	 * by more specific checks using labels.
-	 */
-	case PRIV_VFS_READ:
-	case PRIV_VFS_WRITE:
-	case PRIV_VFS_ADMIN:
-	case PRIV_VFS_EXEC:
-	case PRIV_VFS_LOOKUP:
-	case PRIV_VFS_CHFLAGS_DEV:
-	case PRIV_VFS_CHOWN:
-	case PRIV_VFS_CHROOT:
-	case PRIV_VFS_RETAINSUGID:
-	case PRIV_VFS_EXCEEDQUOTA:
-	case PRIV_VFS_FCHROOT:
-	case PRIV_VFS_FHOPEN:
-	case PRIV_VFS_FHSTATFS:
-	case PRIV_VFS_GENERATION:
-	case PRIV_VFS_GETFH:
-	case PRIV_VFS_GETQUOTA:
-	case PRIV_VFS_LINK:
-	case PRIV_VFS_MOUNT:
-	case PRIV_VFS_MOUNT_OWNER:
-	case PRIV_VFS_MOUNT_PERM:
-	case PRIV_VFS_MOUNT_SUIDDIR:
-	case PRIV_VFS_MOUNT_NONUSER:
-	case PRIV_VFS_SETGID:
-	case PRIV_VFS_STICKYFILE:
-	case PRIV_VFS_SYSFLAGS:
-	case PRIV_VFS_UNMOUNT:
+	bzero(SLOT(semalabel), sizeof(struct mac_biba));
+}
 
-	/*
-	 * Allow VM privileges; it would be nice if these were subject to
-	 * resource limits.
-	 */
-	case PRIV_VM_MADV_PROTECT:
-	case PRIV_VM_MLOCK:
-	case PRIV_VM_MUNLOCK:
+static void
+biba_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
+    struct label *semalabel)
+{
+	struct mac_biba *source, *dest;
 
-	/*
-	 * Allow some but not all network privileges.  In general, dont allow
-	 * reconfiguring the network stack, just normal use.
-	 */
-	case PRIV_NETATALK_RESERVEDPORT:
-	case PRIV_NETINET_RESERVEDPORT:
-	case PRIV_NETINET_RAW:
-	case PRIV_NETINET_REUSEPORT:
-	case PRIV_NETIPX_RESERVEDPORT:
-	case PRIV_NETIPX_RAW:
-		break;
+	source = SLOT(cred->cr_label);
+	dest = SLOT(semalabel);
 
-	/*
-	 * All remaining system privileges are allow only if the process
-	 * holds privilege with respect to the Biba policy.
-	 */
-	default:
-		subj = SLOT(cred->cr_label);
-		error = biba_subject_privileged(subj);
-		if (error)
-			return (error);
-	}
-	return (0);
+	biba_copy_effective(source, dest);
 }
 
 static int
-biba_system_check_acct(struct ucred *cred, struct vnode *vp,
-    struct label *vplabel)
+biba_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
+    struct label *shmseglabel, int shmflg)
 {
 	struct mac_biba *subj, *obj;
-	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmseglabel);
 
-	error = biba_subject_privileged(subj);
-	if (error)
-		return (error);
-
-	if (vplabel == NULL)
-		return (0);
-
-	obj = SLOT(vplabel);
-	if (!biba_high_effective(obj))
+	if (!biba_dominate_effective(obj, subj))
 		return (EACCES);
-
+	if ((shmflg & SHM_RDONLY) == 0) {
+		if (!biba_dominate_effective(subj, obj))
+			return (EACCES);
+	}
+	
 	return (0);
 }
 
 static int
-biba_system_check_auditctl(struct ucred *cred, struct vnode *vp,
-    struct label *vplabel)
+biba_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
+    struct label *shmseglabel, int cmd)
 {
 	struct mac_biba *subj, *obj;
-	int error;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmseglabel);
 
-	error = biba_subject_privileged(subj);
-	if (error)
-		return (error);
+	switch(cmd) {
+	case IPC_RMID:
+	case IPC_SET:
+		if (!biba_dominate_effective(subj, obj))
+			return (EACCES);
+		break;
 
-	if (vplabel == NULL)
-		return (0);
+	case IPC_STAT:
+	case SHM_STAT:
+		if (!biba_dominate_effective(obj, subj))
+			return (EACCES);
+		break;
 
-	obj = SLOT(vplabel);
-	if (!biba_high_effective(obj))
+	default:
 		return (EACCES);
+	}
 
 	return (0);
 }
 
 static int
-biba_system_check_auditon(struct ucred *cred, int cmd)
+biba_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
+    struct label *shmseglabel, int shmflg)
 {
-	struct mac_biba *subj;
-	int error;
+	struct mac_biba *subj, *obj;
 
 	if (!biba_enabled)
 		return (0);
 
 	subj = SLOT(cred->cr_label);
+	obj = SLOT(shmseglabel);
 
-	error = biba_subject_privileged(subj);
-	if (error)
-		return (error);
+	if (!biba_dominate_effective(obj, subj))
+		return (EACCES);
 
 	return (0);
 }
 
-static int
-biba_system_check_swapon(struct ucred *cred, struct vnode *vp,
-    struct label *vplabel)
+static void
+biba_sysvshm_cleanup(struct label *shmlabel)
 {
-	struct mac_biba *subj, *obj;
-	int error;
 
-	if (!biba_enabled)
-		return (0);
-
-	subj = SLOT(cred->cr_label);
-	obj = SLOT(vplabel);
+	bzero(SLOT(shmlabel), sizeof(struct mac_biba));
+}
 
-	error = biba_subject_privileged(subj);
-	if (error)
-		return (error);
+static void
+biba_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
+    struct label *shmlabel)
+{
+	struct mac_biba *source, *dest;
 
-	if (!biba_high_effective(obj))
-		return (EACCES);
+	source = SLOT(cred->cr_label);
+	dest = SLOT(shmlabel);
 
-	return (0);
+	biba_copy_effective(source, dest);
 }
 
 static int
-biba_system_check_swapoff(struct ucred *cred, struct vnode *vp,
-    struct label *label)
+biba_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
+    struct vnode *vp, struct label *vplabel)
 {
-	struct mac_biba *subj;
-	int error;
+	struct mac_biba mb_temp, *source, *dest;
+	int buflen, error;
 
-	if (!biba_enabled)
-		return (0);
+	source = SLOT(mplabel);
+	dest = SLOT(vplabel);
 
-	subj = SLOT(cred->cr_label);
+	buflen = sizeof(mb_temp);
+	bzero(&mb_temp, buflen);
 
-	error = biba_subject_privileged(subj);
-	if (error)
+	error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
+	    MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &mb_temp, curthread);
+	if (error == ENOATTR || error == EOPNOTSUPP) {
+		/* Fall back to the mntlabel. */
+		biba_copy_effective(source, dest);
+		return (0);
+	} else if (error)
 		return (error);
 
+	if (buflen != sizeof(mb_temp)) {
+		printf("biba_vnode_associate_extattr: bad size %d\n",
+		    buflen);
+		return (EPERM);
+	}
+	if (biba_valid(&mb_temp) != 0) {
+		printf("biba_vnode_associate_extattr: invalid\n");
+		return (EPERM);
+	}
+	if ((mb_temp.mb_flags & MAC_BIBA_FLAGS_BOTH) !=
+	    MAC_BIBA_FLAG_EFFECTIVE) {
+		printf("biba_vnode_associate_extattr: not effective\n");
+		return (EPERM);
+	}
+
+	biba_copy_effective(&mb_temp, dest);
 	return (0);
 }
 
-static int
-biba_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
-    void *arg1, int arg2, struct sysctl_req *req)
+static void
+biba_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
+    struct vnode *vp, struct label *vplabel)
 {
-	struct mac_biba *subj;
-	int error;
-
-	if (!biba_enabled)
-		return (0);
-
-	subj = SLOT(cred->cr_label);
-
-	/*
-	 * Treat sysctl variables without CTLFLAG_ANYBODY flag as biba/high,
-	 * but also require privilege to change them.
-	 */
-	if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) {
-		if (!biba_subject_dominate_high(subj))
-			return (EACCES);
+	struct mac_biba *source, *dest;
 
-		error = biba_subject_privileged(subj);
-		if (error)
-			return (error);
-	}
+	source = SLOT(mplabel);
+	dest = SLOT(vplabel);
 
-	return (0);
+	biba_copy_effective(source, dest);
 }
 
 static int
@@ -3242,174 +3189,235 @@ biba_vnode_check_write(struct ucred *active_cred,
 	return (0);
 }
 
-static void
-biba_syncache_create(struct label *label, struct inpcb *inp)
+static int
+biba_vnode_create_extattr(struct ucred *cred, struct mount *mp,
+    struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
+    struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
-	struct mac_biba *source, *dest;
+	struct mac_biba *source, *dest, mb_temp;
+	size_t buflen;
+	int error;
 
-	source = SLOT(inp->inp_label);
-	dest = SLOT(label);
-	biba_copy_effective(source, dest);
+	buflen = sizeof(mb_temp);
+	bzero(&mb_temp, buflen);
+
+	source = SLOT(cred->cr_label);
+	dest = SLOT(vplabel);
+	biba_copy_effective(source, &mb_temp);
+
+	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
+	    MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread);
+	if (error == 0)
+		biba_copy_effective(source, dest);
+	return (error);
 }
 
 static void
-biba_syncache_create_mbuf(struct label *sc_label, struct mbuf *m,
-    struct label *mlabel)
+biba_vnode_relabel(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, struct label *newlabel)
 {
 	struct mac_biba *source, *dest;
 
-	source = SLOT(sc_label);
-	dest = SLOT(mlabel);
-	biba_copy_effective(source, dest);
+	source = SLOT(newlabel);
+	dest = SLOT(vplabel);
+
+	biba_copy(source, dest);
+}
+
+static int
+biba_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, struct label *intlabel)
+{
+	struct mac_biba *source, mb_temp;
+	size_t buflen;
+	int error;
+
+	buflen = sizeof(mb_temp);
+	bzero(&mb_temp, buflen);
+
+	source = SLOT(intlabel);
+	if ((source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) == 0)
+		return (0);
+
+	biba_copy_effective(source, &mb_temp);
+
+	error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
+	    MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread);
+	return (error);
 }
 
 static struct mac_policy_ops mac_biba_ops =
 {
 	.mpo_init = biba_init,
-	.mpo_bpfdesc_init_label = biba_init_label,
-	.mpo_cred_init_label = biba_init_label,
-	.mpo_devfs_init_label = biba_init_label,
-	.mpo_ifnet_init_label = biba_init_label,
-	.mpo_inpcb_init_label = biba_init_label_waitcheck,
-	.mpo_syncache_init_label = biba_init_label_waitcheck,
-	.mpo_sysvmsg_init_label = biba_init_label,
-	.mpo_sysvmsq_init_label = biba_init_label,
-	.mpo_sysvsem_init_label = biba_init_label,
-	.mpo_sysvshm_init_label = biba_init_label,
-	.mpo_ipq_init_label = biba_init_label_waitcheck,
-	.mpo_mbuf_init_label = biba_init_label_waitcheck,
-	.mpo_mount_init_label = biba_init_label,
-	.mpo_pipe_init_label = biba_init_label,
-	.mpo_posixsem_init_label = biba_init_label,
-	.mpo_socket_init_label = biba_init_label_waitcheck,
-	.mpo_socketpeer_init_label = biba_init_label_waitcheck,
-	.mpo_syncache_create = biba_syncache_create,
-	.mpo_vnode_init_label = biba_init_label,
+
+	.mpo_bpfdesc_check_receive = biba_bpfdesc_check_receive,
+	.mpo_bpfdesc_create = biba_bpfdesc_create,
+	.mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf,
 	.mpo_bpfdesc_destroy_label = biba_destroy_label,
-	.mpo_cred_destroy_label = biba_destroy_label,
-	.mpo_devfs_destroy_label = biba_destroy_label,
-	.mpo_ifnet_destroy_label = biba_destroy_label,
-	.mpo_inpcb_destroy_label = biba_destroy_label,
-	.mpo_syncache_destroy_label = biba_destroy_label,
-	.mpo_sysvmsg_destroy_label = biba_destroy_label,
-	.mpo_sysvmsq_destroy_label = biba_destroy_label,
-	.mpo_sysvsem_destroy_label = biba_destroy_label,
-	.mpo_sysvshm_destroy_label = biba_destroy_label,
-	.mpo_ipq_destroy_label = biba_destroy_label,
-	.mpo_mbuf_destroy_label = biba_destroy_label,
-	.mpo_mount_destroy_label = biba_destroy_label,
-	.mpo_pipe_destroy_label = biba_destroy_label,
-	.mpo_posixsem_destroy_label = biba_destroy_label,
-	.mpo_socket_destroy_label = biba_destroy_label,
-	.mpo_socketpeer_destroy_label = biba_destroy_label,
-	.mpo_vnode_destroy_label = biba_destroy_label,
+	.mpo_bpfdesc_init_label = biba_init_label,
+
+	.mpo_cred_check_relabel = biba_cred_check_relabel,
+	.mpo_cred_check_visible = biba_cred_check_visible,
 	.mpo_cred_copy_label = biba_copy_label,
-	.mpo_ifnet_copy_label = biba_copy_label,
-	.mpo_mbuf_copy_label = biba_copy_label,
-	.mpo_pipe_copy_label = biba_copy_label,
-	.mpo_socket_copy_label = biba_copy_label,
-	.mpo_vnode_copy_label = biba_copy_label,
+	.mpo_cred_destroy_label = biba_destroy_label,
 	.mpo_cred_externalize_label = biba_externalize_label,
-	.mpo_ifnet_externalize_label = biba_externalize_label,
-	.mpo_pipe_externalize_label = biba_externalize_label,
-	.mpo_socket_externalize_label = biba_externalize_label,
-	.mpo_socketpeer_externalize_label = biba_externalize_label,
-	.mpo_vnode_externalize_label = biba_externalize_label,
+	.mpo_cred_init_label = biba_init_label,
 	.mpo_cred_internalize_label = biba_internalize_label,
-	.mpo_ifnet_internalize_label = biba_internalize_label,
-	.mpo_pipe_internalize_label = biba_internalize_label,
-	.mpo_socket_internalize_label = biba_internalize_label,
-	.mpo_vnode_internalize_label = biba_internalize_label,
+	.mpo_cred_relabel = biba_cred_relabel,
+
 	.mpo_devfs_create_device = biba_devfs_create_device,
 	.mpo_devfs_create_directory = biba_devfs_create_directory,
 	.mpo_devfs_create_symlink = biba_devfs_create_symlink,
-	.mpo_mount_create = biba_mount_create,
-	.mpo_vnode_relabel = biba_vnode_relabel,
+	.mpo_devfs_destroy_label = biba_destroy_label,
+	.mpo_devfs_init_label = biba_init_label,
 	.mpo_devfs_update = biba_devfs_update,
 	.mpo_devfs_vnode_associate = biba_devfs_vnode_associate,
-	.mpo_vnode_associate_extattr = biba_vnode_associate_extattr,
-	.mpo_vnode_associate_singlelabel = biba_vnode_associate_singlelabel,
-	.mpo_vnode_create_extattr = biba_vnode_create_extattr,
-	.mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr,
-	.mpo_socket_create_mbuf = biba_socket_create_mbuf,
-	.mpo_syncache_create_mbuf = biba_syncache_create_mbuf,
-	.mpo_pipe_create = biba_pipe_create,
-	.mpo_posixsem_create = biba_posixsem_create,
-	.mpo_socket_create = biba_socket_create,
-	.mpo_socket_newconn = biba_socket_newconn,
-	.mpo_pipe_relabel = biba_pipe_relabel,
-	.mpo_socket_relabel = biba_socket_relabel,
-	.mpo_socketpeer_set_from_mbuf = biba_socketpeer_set_from_mbuf,
-	.mpo_socketpeer_set_from_socket = biba_socketpeer_set_from_socket,
-	.mpo_bpfdesc_create = biba_bpfdesc_create,
-	.mpo_ipq_reassemble = biba_ipq_reassemble,
-	.mpo_netinet_fragment = biba_netinet_fragment,
+
+	.mpo_ifnet_check_relabel = biba_ifnet_check_relabel,
+	.mpo_ifnet_check_transmit = biba_ifnet_check_transmit,
+	.mpo_ifnet_copy_label = biba_copy_label,
 	.mpo_ifnet_create = biba_ifnet_create,
+	.mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf,
+	.mpo_ifnet_destroy_label = biba_destroy_label,
+	.mpo_ifnet_externalize_label = biba_externalize_label,
+	.mpo_ifnet_init_label = biba_init_label,
+	.mpo_ifnet_internalize_label = biba_internalize_label,
+	.mpo_ifnet_relabel = biba_ifnet_relabel,
+
+	.mpo_inpcb_check_deliver = biba_inpcb_check_deliver,
 	.mpo_inpcb_create = biba_inpcb_create,
-	.mpo_sysvmsg_create = biba_sysvmsg_create,
-	.mpo_sysvmsq_create = biba_sysvmsq_create,
-	.mpo_sysvsem_create = biba_sysvsem_create,
-	.mpo_sysvshm_create = biba_sysvshm_create,
-	.mpo_ipq_create = biba_ipq_create,
 	.mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf,
-	.mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf,
-	.mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf,
+	.mpo_inpcb_destroy_label = biba_destroy_label,
+	.mpo_inpcb_init_label = biba_init_label_waitcheck,
+	.mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel,
+
+	.mpo_ipq_create = biba_ipq_create,
+	.mpo_ipq_destroy_label = biba_destroy_label,
+	.mpo_ipq_init_label = biba_init_label_waitcheck,
 	.mpo_ipq_match = biba_ipq_match,
-	.mpo_ifnet_relabel = biba_ifnet_relabel,
+	.mpo_ipq_reassemble = biba_ipq_reassemble,
 	.mpo_ipq_update = biba_ipq_update,
-	.mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel,
-	.mpo_proc_create_swapper = biba_proc_create_swapper,
-	.mpo_proc_create_init = biba_proc_create_init,
-	.mpo_proc_associate_nfsd = biba_proc_associate_nfsd,
-	.mpo_cred_relabel = biba_cred_relabel,
-	.mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup,
-	.mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup,
-	.mpo_sysvsem_cleanup = biba_sysvsem_cleanup,
-	.mpo_sysvshm_cleanup = biba_sysvshm_cleanup,
-	.mpo_bpfdesc_check_receive = biba_bpfdesc_check_receive,
-	.mpo_cred_check_relabel = biba_cred_check_relabel,
-	.mpo_cred_check_visible = biba_cred_check_visible,
-	.mpo_ifnet_check_relabel = biba_ifnet_check_relabel,
-	.mpo_ifnet_check_transmit = biba_ifnet_check_transmit,
-	.mpo_inpcb_check_deliver = biba_inpcb_check_deliver,
-	.mpo_sysvmsq_check_msgrcv = biba_sysvmsq_check_msgrcv,
-	.mpo_sysvmsq_check_msgrmid = biba_sysvmsq_check_msgrmid,
-	.mpo_sysvmsq_check_msqget = biba_sysvmsq_check_msqget,
-	.mpo_sysvmsq_check_msqsnd = biba_sysvmsq_check_msqsnd,
-	.mpo_sysvmsq_check_msqrcv = biba_sysvmsq_check_msqrcv,
-	.mpo_sysvmsq_check_msqctl = biba_sysvmsq_check_msqctl,
-	.mpo_sysvsem_check_semctl = biba_sysvsem_check_semctl,
-	.mpo_sysvsem_check_semget = biba_sysvsem_check_semget,
-	.mpo_sysvsem_check_semop = biba_sysvsem_check_semop,
-	.mpo_sysvshm_check_shmat = biba_sysvshm_check_shmat,
-	.mpo_sysvshm_check_shmctl = biba_sysvshm_check_shmctl,
-	.mpo_sysvshm_check_shmget = biba_sysvshm_check_shmget,
+
 	.mpo_kld_check_load = biba_kld_check_load,
+
+	.mpo_mbuf_copy_label = biba_copy_label,
+	.mpo_mbuf_destroy_label = biba_destroy_label,
+	.mpo_mbuf_init_label = biba_init_label_waitcheck,
+
 	.mpo_mount_check_stat = biba_mount_check_stat,
+	.mpo_mount_create = biba_mount_create,
+	.mpo_mount_destroy_label = biba_destroy_label,
+	.mpo_mount_init_label = biba_init_label,
+
+	.mpo_netatalk_aarp_send = biba_netatalk_aarp_send,
+
+	.mpo_netinet_arp_send = biba_netinet_arp_send,
+	.mpo_netinet_firewall_reply = biba_netinet_firewall_reply,
+	.mpo_netinet_firewall_send = biba_netinet_firewall_send,
+	.mpo_netinet_fragment = biba_netinet_fragment,
+	.mpo_netinet_icmp_reply = biba_netinet_icmp_reply,
+	.mpo_netinet_igmp_send = biba_netinet_igmp_send,
+
+	.mpo_netinet6_nd6_send = biba_netinet6_nd6_send,
+
 	.mpo_pipe_check_ioctl = biba_pipe_check_ioctl,
 	.mpo_pipe_check_poll = biba_pipe_check_poll,
 	.mpo_pipe_check_read = biba_pipe_check_read,
 	.mpo_pipe_check_relabel = biba_pipe_check_relabel,
 	.mpo_pipe_check_stat = biba_pipe_check_stat,
 	.mpo_pipe_check_write = biba_pipe_check_write,
+	.mpo_pipe_copy_label = biba_copy_label,
+	.mpo_pipe_create = biba_pipe_create,
+	.mpo_pipe_destroy_label = biba_destroy_label,
+	.mpo_pipe_externalize_label = biba_externalize_label,
+	.mpo_pipe_init_label = biba_init_label,
+	.mpo_pipe_internalize_label = biba_internalize_label,
+	.mpo_pipe_relabel = biba_pipe_relabel,
+
 	.mpo_posixsem_check_destroy = biba_posixsem_check_write,
 	.mpo_posixsem_check_getvalue = biba_posixsem_check_rdonly,
 	.mpo_posixsem_check_open = biba_posixsem_check_write,
 	.mpo_posixsem_check_post = biba_posixsem_check_write,
 	.mpo_posixsem_check_unlink = biba_posixsem_check_write,
 	.mpo_posixsem_check_wait = biba_posixsem_check_write,
+	.mpo_posixsem_create = biba_posixsem_create,
+	.mpo_posixsem_destroy_label = biba_destroy_label,
+	.mpo_posixsem_init_label = biba_init_label,
+
+	.mpo_priv_check = biba_priv_check,
+
+	.mpo_proc_associate_nfsd = biba_proc_associate_nfsd,
 	.mpo_proc_check_debug = biba_proc_check_debug,
 	.mpo_proc_check_sched = biba_proc_check_sched,
 	.mpo_proc_check_signal = biba_proc_check_signal,
+	.mpo_proc_create_init = biba_proc_create_init,
+	.mpo_proc_create_swapper = biba_proc_create_swapper,
+
 	.mpo_socket_check_deliver = biba_socket_check_deliver,
 	.mpo_socket_check_relabel = biba_socket_check_relabel,
 	.mpo_socket_check_visible = biba_socket_check_visible,
+	.mpo_socket_copy_label = biba_copy_label,
+	.mpo_socket_create = biba_socket_create,
+	.mpo_socket_create_mbuf = biba_socket_create_mbuf,
+	.mpo_socket_destroy_label = biba_destroy_label,
+	.mpo_socket_externalize_label = biba_externalize_label,
+	.mpo_socket_init_label = biba_init_label_waitcheck,
+	.mpo_socket_internalize_label = biba_internalize_label,
+	.mpo_socket_newconn = biba_socket_newconn,
+	.mpo_socket_relabel = biba_socket_relabel,
+
+	.mpo_socketpeer_destroy_label = biba_destroy_label,
+	.mpo_socketpeer_externalize_label = biba_externalize_label,
+	.mpo_socketpeer_init_label = biba_init_label_waitcheck,
+	.mpo_socketpeer_set_from_mbuf = biba_socketpeer_set_from_mbuf,
+	.mpo_socketpeer_set_from_socket = biba_socketpeer_set_from_socket,
+
+	.mpo_syncache_create = biba_syncache_create,
+	.mpo_syncache_create_mbuf = biba_syncache_create_mbuf,
+	.mpo_syncache_destroy_label = biba_destroy_label,
+	.mpo_syncache_init_label = biba_init_label_waitcheck,
+
 	.mpo_system_check_acct = biba_system_check_acct,
 	.mpo_system_check_auditctl = biba_system_check_auditctl,
 	.mpo_system_check_auditon = biba_system_check_auditon,
-	.mpo_system_check_swapon = biba_system_check_swapon,
 	.mpo_system_check_swapoff = biba_system_check_swapoff,
+	.mpo_system_check_swapon = biba_system_check_swapon,
 	.mpo_system_check_sysctl = biba_system_check_sysctl,
+
+	.mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup,
+	.mpo_sysvmsg_create = biba_sysvmsg_create,
+	.mpo_sysvmsg_destroy_label = biba_destroy_label,
+	.mpo_sysvmsg_init_label = biba_init_label,
+
+	.mpo_sysvmsq_check_msgrcv = biba_sysvmsq_check_msgrcv,
+	.mpo_sysvmsq_check_msgrmid = biba_sysvmsq_check_msgrmid,
+	.mpo_sysvmsq_check_msqget = biba_sysvmsq_check_msqget,
+	.mpo_sysvmsq_check_msqsnd = biba_sysvmsq_check_msqsnd,
+	.mpo_sysvmsq_check_msqrcv = biba_sysvmsq_check_msqrcv,
+	.mpo_sysvmsq_check_msqctl = biba_sysvmsq_check_msqctl,
+	.mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup,
+	.mpo_sysvmsq_create = biba_sysvmsq_create,
+	.mpo_sysvmsq_destroy_label = biba_destroy_label,
+	.mpo_sysvmsq_init_label = biba_init_label,
+
+	.mpo_sysvsem_check_semctl = biba_sysvsem_check_semctl,
+	.mpo_sysvsem_check_semget = biba_sysvsem_check_semget,
+	.mpo_sysvsem_check_semop = biba_sysvsem_check_semop,
+	.mpo_sysvsem_cleanup = biba_sysvsem_cleanup,
+	.mpo_sysvsem_create = biba_sysvsem_create,
+	.mpo_sysvsem_destroy_label = biba_destroy_label,
+	.mpo_sysvsem_init_label = biba_init_label,
+
+	.mpo_sysvshm_check_shmat = biba_sysvshm_check_shmat,
+	.mpo_sysvshm_check_shmctl = biba_sysvshm_check_shmctl,
+	.mpo_sysvshm_check_shmget = biba_sysvshm_check_shmget,
+	.mpo_sysvshm_cleanup = biba_sysvshm_cleanup,
+	.mpo_sysvshm_create = biba_sysvshm_create,
+	.mpo_sysvshm_destroy_label = biba_destroy_label,
+	.mpo_sysvshm_init_label = biba_init_label,
+
+	.mpo_vnode_associate_extattr = biba_vnode_associate_extattr,
+	.mpo_vnode_associate_singlelabel = biba_vnode_associate_singlelabel,
 	.mpo_vnode_check_access = biba_vnode_check_open,
 	.mpo_vnode_check_chdir = biba_vnode_check_chdir,
 	.mpo_vnode_check_chroot = biba_vnode_check_chroot,
@@ -3441,14 +3449,14 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_vnode_check_stat = biba_vnode_check_stat,
 	.mpo_vnode_check_unlink = biba_vnode_check_unlink,
 	.mpo_vnode_check_write = biba_vnode_check_write,
-	.mpo_netatalk_aarp_send = biba_netatalk_aarp_send,
-	.mpo_netinet_arp_send = biba_netinet_arp_send,
-	.mpo_netinet_firewall_reply = biba_netinet_firewall_reply,
-	.mpo_netinet_firewall_send = biba_netinet_firewall_send,
-	.mpo_netinet_icmp_reply = biba_netinet_icmp_reply,
-	.mpo_netinet_igmp_send = biba_netinet_igmp_send,
-	.mpo_netinet6_nd6_send = biba_netinet6_nd6_send,
-	.mpo_priv_check = biba_priv_check,
+	.mpo_vnode_create_extattr = biba_vnode_create_extattr,
+	.mpo_vnode_copy_label = biba_copy_label,
+	.mpo_vnode_destroy_label = biba_destroy_label,
+	.mpo_vnode_externalize_label = biba_externalize_label,
+	.mpo_vnode_init_label = biba_init_label,
+	.mpo_vnode_internalize_label = biba_internalize_label,
+	.mpo_vnode_relabel = biba_vnode_relabel,
+	.mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr,
 };
 
 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",