FreeBSD MAC label support (initial version) #42

Open
wants to merge 5 commits into
base: master

priitj commented Jun 17, 2013

Basic support for MAC labels. Label data is stored in the archive in text form as xattrs. Behaviour is exactly like xattrs: archive silently by default, extract when explicitly requested.

There are a few obvious ways of making the code more efficient/robust:

1. call mac_is_present() once per program invocation and remember the result
2. do text processing of labels to handle each policy separately (each label can contain grade data for multiple policies).

Those ideas are not implemented as I decided not to make things more complex without feedback/pointers from people closely involved with MAC development.

@priitj
Author

priitj commented Jun 20, 2013

mac_is_present() has been replaced with a sysctl call instead. The problem is that the former only checks for the presence of the security.mac variable that seems to be there always. security.mac.labeled is non-zero if some policy is labeling some type of objects, which is closer to what we're interested in.

@kientzle
Contributor

Quick Note: I haven't forgotten about this. I've started looking through it finally; it looks good so far. I hope to finish reviewing it sometime next week.

@mmatuska
Member

mmatuska commented Feb 2, 2017

I don't like the sysctl approach at all. We are issuing here the same sysctl() call for each file we read. We should avoid sysctl altogether. The best approach here is to call mac_get_*() and treat EINVAL as a valid errno indicating that MAC is not supported for the archived object.

@mmatuska
Member

mmatuska commented Feb 3, 2017

I also dislike using an extended attribute with the name "system.mac". Extended attributes are intended to be used with "real" extended attributes and their correct names (an example for MAC would be e.g. mac_biba). A much better solution is e.g. to extend archive_entry with a mac field. This field will be populated if there is a mac label.

A function archive_entry_mac_clear() could be used to clear MAC metadata and archive_entry_mac_to_text() to read it out. A new attribute for pax tar archives, e.g. LIBARCHIVE.mac could store the text label.

When writing, we need to process every label individually and call mac_is_present() before writing it, because some of the policies may not be loaded.
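Added example, not part of this pull request or of libarchive: one way to do the per-policy filtering described in the comment above, keeping only the label elements whose policy is loaded before a stored label is applied. `filter_mac_label`, `policy_present_fn` and `only_biba` are hypothetical names; the comma-separated `policy/value` text form is assumed from maclabel(7), and on FreeBSD the predicate would be mac_is_present(3).

```c
#include <stdio.h>
#include <string.h>

/* Same shape as FreeBSD's mac_is_present(3), which returns 1 when the named
 * policy is loaded; passed in so the filter can be exercised on any host. */
typedef int (*policy_present_fn)(const char *policy);

/* Copy into out only the "policy/value" elements of label whose policy the
 * predicate reports as loaded. Returns the number of elements kept, or -1
 * for a malformed element or an undersized buffer. Assumes elements are
 * comma-separated, as in the maclabel(7) text form. */
int filter_mac_label(const char *label, policy_present_fn present,
    char *out, size_t outsz)
{
    int kept = 0;
    size_t used = 0;
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    while (*label != '\0') {
        size_t elen = strcspn(label, ",");
        const char *slash = memchr(label, '/', elen);
        size_t plen = slash ? (size_t)(slash - label) : 0;
        char policy[32];
        if (plen == 0 || plen >= sizeof(policy))
            return -1;              /* missing or oversized policy name */
        memcpy(policy, label, plen);
        policy[plen] = '\0';
        if (present(policy) == 1) {
            if (used + elen + 2 > outsz)    /* separator + element + NUL */
                return -1;
            if (kept++ > 0)
                out[used++] = ',';
            memcpy(out + used, label, elen);
            used += elen;
            out[used] = '\0';
        }
        label += elen + (label[elen] == ',');
    }
    return kept;
}

/* Constructed stand-in for mac_is_present(): only "biba" counts as loaded. */
static int only_biba(const char *policy) { return strcmp(policy, "biba") == 0; }

int main(void)
{
    char buf[64];
    int n = filter_mac_label("biba/low,mls/5", only_biba, buf, sizeof(buf));
    printf("%d kept: %s\n", n, buf);   /* input is a constructed label */
    return 0;
}
```

A caller can compare the returned count with the number of elements in the stored label to report which policies were skipped rather than dropping them silently.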

@priitj
Author

priitj commented Feb 3, 2017

Disclaimer: with three and a half years passed, my memory is rather hazy about this and I also don't do any development on FreeBSD anymore.

Re: first comment, why do you need to avoid using sysctl?

As for the second comment, sounds good to me.

@priitj
Author

priitj commented Feb 3, 2017

After some reflection, I also probably agree with your first comment; however, I won't fix this myself as I don't have a proper test environment for this.

The way it was originally intended was to check the presence of a labelling MAC policy once per program invocation. I guess I should have stated very clearly in comments that the patch was left in an unfinished state.
