authorRobert Watson <rwatson@FreeBSD.org>2002-10-06 02:46:26 +0000
committerRobert Watson <rwatson@FreeBSD.org>2002-10-06 02:46:26 +0000
commite183f80e54905eb37052153422ea11250f357dfd (patch)
tree3fea72f53d4028d0b27b47359673c85f56a3e2f8 /sys/security/mac_stub
parente6e85c5b172d0b47f8976e79dc44fa14d31c540f (diff)
Sync from MAC tree: break out the single mmap entry point into
separate entry points for each occasion:

    mac_check_vnode_mmap()            Check at initial mapping
    mac_check_vnode_mprotect()        Check at mapping protection change
    mac_check_vnode_mmap_downgrade()  Determine if a mapping downgrade
                                      should take place following
                                      subject relabel.

Implement mmap() and mprotect() entry points for labeled vnode policies. These entry points are currently not hooked up to the VM system in the base tree. These changes improve the consistency of the access control interface and offer more flexibility regarding limiting access to vnode mmapping.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes
Notes: svn path=/head/; revision=104546
Diffstat (limited to 'sys/security/mac_stub')
-rw-r--r--sys/security/mac_stub/mac_stub.c24
1 files changed, 22 insertions, 2 deletions
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 9bbc1cd7fa8b..6456bf7037d3 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -689,9 +689,25 @@ static int
mac_none_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp)
{
-
+
+ return (0);
+}
+
+static int
+mac_none_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+ struct label *label, int prot)
+{
+
return (0);
-}
+}
+
+static int
+mac_none_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+ struct label *label, int prot)
+{
+
+ return (0);
+}
static int
mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp,
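Review bot: A stub for the third entry point named in the commit message, mac_check_vnode_mmap_downgrade(), is missing from this hunk: only the mmap and mprotect stubs are added after mac_none_check_vnode_lookup(), and the mac_none_ops[] hunk below registers only those two. If this file is meant to serve as the template that lists every policy entry point, an author copying it would not see the hook that decides whether existing mappings are downgraded after a subject relabel. Its signature is not visible on this page, so the omission may be deliberate; a one-line comment saying so would settle it. The two new stubs also leave `prot` undocumented, and a comment such as `/* prot: protections requested for the mapping; returning 0 permits the operation */` would make the contract explicit, assuming that is the intended meaning.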
@@ -1041,6 +1057,10 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_vnode_link },
{ MAC_CHECK_VNODE_LOOKUP,
(macop_t)mac_none_check_vnode_lookup },
+ { MAC_CHECK_VNODE_MMAP,
+ (macop_t)mac_none_check_vnode_mmap },
+ { MAC_CHECK_VNODE_MPROTECT,
+ (macop_t)mac_none_check_vnode_mprotect },
{ MAC_CHECK_VNODE_OPEN,
(macop_t)mac_none_check_vnode_open },
{ MAC_CHECK_VNODE_POLL,