Index: security/mac/mac_vfs.c
===================================================================
RCS file: /home/ncvs/src/sys/security/mac/mac_vfs.c,v
retrieving revision 1.106
diff -u -r1.106 mac_vfs.c
--- security/mac/mac_vfs.c 16 Jun 2004 09:47:20 -0000 1.106
+++ security/mac/mac_vfs.c 26 Jan 2005 23:49:18 -0000
@@ -598,7 +598,8 @@
 }
 int
-mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot)
+mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+    int prot, int flags)
 {
 	int error;
@@ -607,7 +608,7 @@
 	if (!mac_enforce_fs || !mac_enforce_vm)
 		return (0);
-	MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot);
+	MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot, flags);
 	return (error);
 }
Index: security/mac_biba/mac_biba.c
===================================================================
RCS file: /home/ncvs/src/sys/security/mac_biba/mac_biba.c,v
retrieving revision 1.83
diff -u -r1.83 mac_biba.c
--- security/mac_biba/mac_biba.c 26 Jan 2005 23:43:32 -0000 1.83
+++ security/mac_biba/mac_biba.c 26 Jan 2005 23:49:20 -0000
@@ -47,6 +47,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -2607,7 +2608,7 @@
 static int
 mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
-    struct label *label, int prot)
+    struct label *label, int prot, int flags)
 {
 	struct mac_biba *subj, *obj;
@@ -2626,6 +2627,8 @@
 		return (EACCES);
 	}
 	if (prot & VM_PROT_WRITE) {
+		if ((flags & MAP_SHARED) == 0)
+			return (0);
 		if (!mac_biba_dominate_effective(subj, obj))
 			return (EACCES);
 	}
Index: security/mac_lomac/mac_lomac.c
===================================================================
RCS file: /home/ncvs/src/sys/security/mac_lomac/mac_lomac.c,v
retrieving revision 1.33
diff -u -r1.33 mac_lomac.c
--- security/mac_lomac/mac_lomac.c 26 Jan 2005 23:43:32 -0000 1.33
+++ security/mac_lomac/mac_lomac.c 26 Jan 2005 23:49:23 -0000
@@ -47,6 +47,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
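Review bot: The added `if ((flags & MAP_SHARED) == 0) return (0);` inside the VM_PROT_WRITE block of mac_biba_check_vnode_mmap leaves the whole function rather than just skipping the write-direction dominance test, so any check placed after that block in the future would be silently bypassed for private mappings; the mac_lomac hunk instead wraps its test in `if (flags & MAP_SHARED) { ... }`, and the same nested form would keep mac_biba and the identical mac_mls hunk consistent with it. Folding the flag into the block condition, `if ((prot & VM_PROT_WRITE) != 0 && (flags & MAP_SHARED) != 0) {`, achieves that without an early return. The remainder of the function is outside the hunk, so whether anything currently follows the write block cannot be confirmed from here. It also seems worth a comment whether a writable MAP_PRIVATE mapping should remain subject to the read-direction check above, since such a mapping is presumably populated from the vnode's data even when VM_PROT_READ was not requested.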
@@ -2181,7 +2182,7 @@
 static int
 mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
-    struct label *label, int prot)
+    struct label *label, int prot, int flags)
 {
 	struct mac_lomac *subj, *obj;
@@ -2196,8 +2197,10 @@
 	obj = SLOT(label);
 	if (prot & VM_PROT_WRITE) {
-		if (!mac_lomac_subject_dominate(subj, obj))
-			return (EACCES);
+		if (flags & MAP_SHARED) {
+			if (!mac_lomac_subject_dominate(subj, obj))
+				return (EACCES);
+		}
 	}
 	if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
 		if (!mac_lomac_dominate_single(obj, subj))
Index: security/mac_mls/mac_mls.c
===================================================================
RCS file: /home/ncvs/src/sys/security/mac_mls/mac_mls.c,v
retrieving revision 1.68
diff -u -r1.68 mac_mls.c
--- security/mac_mls/mac_mls.c 26 Jan 2005 23:43:32 -0000 1.68
+++ security/mac_mls/mac_mls.c 26 Jan 2005 23:49:24 -0000
@@ -46,6 +46,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -2380,7 +2381,7 @@
 static int
 mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
-    struct label *label, int prot)
+    struct label *label, int prot, int flags)
 {
 	struct mac_mls *subj, *obj;
@@ -2399,6 +2400,8 @@
 		return (EACCES);
 	}
 	if (prot & VM_PROT_WRITE) {
+		if ((flags & MAP_SHARED) == 0)
+			return (0);
 		if (!mac_mls_dominate_effective(obj, subj))
 			return (EACCES);
 	}
Index: security/mac_stub/mac_stub.c
===================================================================
RCS file: /home/ncvs/src/sys/security/mac_stub/mac_stub.c,v
retrieving revision 1.44
diff -u -r1.44 mac_stub.c
--- security/mac_stub/mac_stub.c 26 Jan 2005 23:43:32 -0000 1.44
+++ security/mac_stub/mac_stub.c 26 Jan 2005 23:49:25 -0000
@@ -1051,7 +1051,7 @@
 static int
 stub_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
-    struct label *label, int prot)
+    struct label *label, int prot, int flags)
 {
 	return (0);
Index: security/mac_test/mac_test.c
===================================================================
RCS file: /home/ncvs/src/sys/security/mac_test/mac_test.c,v
retrieving revision 1.52
diff -u -r1.52 mac_test.c
--- security/mac_test/mac_test.c 26 Jan 2005 23:43:32 -0000 1.52
+++ security/mac_test/mac_test.c 26 Jan 2005 23:49:27 -0000
@@ -1995,7 +1995,7 @@
 static int
 mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
-    struct label *label, int prot)
+    struct label *label, int prot, int flags)
 {
 	ASSERT_CRED_LABEL(cred->cr_label);
Index: sys/mac.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/mac.h,v
retrieving revision 1.59
diff -u -r1.59 mac.h
--- sys/mac.h 17 Nov 2004 13:10:16 -0000 1.59
+++ sys/mac.h 26 Jan 2005 23:49:28 -0000
@@ -375,7 +375,7 @@
 int	mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
 	    struct componentname *cnp);
 int	mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
-	    int prot);
+	    int prot, int flags);
 int	mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
 	    int prot);
 int	mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
Index: sys/mac_policy.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/mac_policy.h,v
retrieving revision 1.58
diff -u -r1.58 mac_policy.h
--- sys/mac_policy.h 17 Nov 2004 13:10:16 -0000 1.58
+++ sys/mac_policy.h 26 Jan 2005 23:49:29 -0000
@@ -478,7 +478,7 @@
 		    struct vnode *dvp, struct label *dlabel,
 		    struct componentname *cnp);
 	int	(*mpo_check_vnode_mmap)(struct ucred *cred, struct vnode *vp,
-		    struct label *label, int prot);
+		    struct label *label, int prot, int flags);
 	void	(*mpo_check_vnode_mmap_downgrade)(struct ucred *cred,
 		    struct vnode *vp, struct label *label, int *prot);
 	int	(*mpo_check_vnode_mprotect)(struct ucred *cred,
Index: vm/vm_mmap.c
===================================================================
RCS file: /home/ncvs/src/sys/vm/vm_mmap.c,v
retrieving revision 1.198
diff -u -r1.198 vm_mmap.c
--- vm/vm_mmap.c 25 Jan 2005 00:40:01 -0000 1.198
+++ vm/vm_mmap.c 26 Jan 2005 23:49:30 -0000
@@ -1128,6 +1128,11 @@
 	if ((error = VOP_GETATTR(vp, &va, td->td_ucred, td))) {
 		goto done;
 	}
+#ifdef MAC
+	error = mac_check_vnode_mmap(td->td_ucred, vp, prot, flags);
+	if (error != 0)
+		goto done;
+#endif
 	if ((flags & MAP_SHARED) != 0) {
 		if ((va.va_flags & (SF_SNAPSHOT|IMMUTABLE|APPEND)) != 0) {
 			if (prot & PROT_WRITE) {
@@ -1136,11 +1141,6 @@
 			}
 			*maxprotp &= ~VM_PROT_WRITE;
 		}
-#ifdef MAC
-		error = mac_check_vnode_mmap(td->td_ucred, vp, prot);
-		if (error != 0)
-			goto done;
-#endif
 	}
 	/*
 	 * If it is a regular file without any references
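Review bot: The new `flags` parameter on `mpo_check_vnode_mmap` is undocumented in the header, and nothing there says which flag namespace it carries; the vm_mmap.c hunk shows it is the mmap(2) `flags` word, and the biba, lomac and mls hunks test only `MAP_SHARED`. A comment above the entry point such as `/* flags: mmap(2) MAP_* flags; policies use MAP_SHARED to tell writes that reach the vnode from writes into a private mapping. */` would make the contract explicit for policy authors. The same note applies to the `mac_check_vnode_mmap` prototype in the sys/mac.h hunk.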
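Review bot: The relocated MAC check now runs for every vnode mapping, but nothing at the new location records why it must precede the `MAP_SHARED` block, so a later reordering could quietly restore the old behaviour of consulting policies for shared mappings only. A comment above the new `#ifdef MAC`, along the lines of `/* Consult MAC before the MAP_SHARED-only checks so policies see private mappings as well; they use flags to tell the two apart. */`, would document the intent. The call still passes `prot` rather than `*maxprotp`, so the immutable/append trimming below does not affect what the policy sees either before or after this move.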