diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 880dec89245..0ddcf0409cb 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -3442,7 +3442,7 @@ integer: so, &extmac); if (error) goto bad; - error = sooptcopyout(sopt, &extmac, sizeof extmac); + /* Don't copy out extmac, it is unchanged. */ #else error = EOPNOTSUPP; #endif @@ -3458,7 +3458,7 @@ integer: sopt->sopt_td->td_ucred, so, &extmac); if (error) goto bad; - error = sooptcopyout(sopt, &extmac, sizeof extmac); + /* Don't copy out extmac, it is unchanged. */ #else error = EOPNOTSUPP; #endif diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index 8f1aa37d45b..682f05c6979 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -725,9 +725,8 @@ mac_error_select(int error1, int error2) } int -mac_check_structmac_consistent(struct mac *mac) +mac_check_structmac_consistent(const struct mac *mac) { - /* Require that labels have a non-zero length. */ if (mac->m_buflen > MAC_MAX_LABEL_BUF_LEN || mac->m_buflen <= sizeof("")) diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 644028bde47..c69b9cd6445 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -408,11 +408,11 @@ void mac_socket_destroy(struct socket *); int mac_socket_init(struct socket *, int); void mac_socket_newconn(struct socket *oldso, struct socket *newso); int mac_getsockopt_label(struct ucred *cred, struct socket *so, - struct mac *extmac); + const struct mac *extmac); int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, - struct mac *extmac); + const struct mac *extmac); int mac_setsockopt_label(struct ucred *cred, struct socket *so, - struct mac *extmac); + const struct mac *extmac); void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so); void mac_socketpeer_set_from_socket(struct socket *oldso, 
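Review bot: The replacement comment in both uipc_socket.c hunks (at -3442 and at -3458) says why nothing is copied out, but not how the caller receives the label, which is what anyone auditing this getsockopt path will ask. Judging by the `const struct mac *` prototypes in this same commit, extmac is an input-only descriptor and the label text is presumably written by mac_getsockopt_label()/mac_getsockopt_peerlabel() to the user buffer it describes. That is inferred, since their bodies are not in the diff. Once confirmed, I would word the comment as `/* extmac is input only; the label itself was copied out to the user buffer it describes. */`. Both case bodies begin and end outside the hunks.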
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index d1ee1af09c0..aa407598600 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -210,7 +210,7 @@ void mac_labelzone_init(void); void mac_init_label(struct label *label); void mac_destroy_label(struct label *label); -int mac_check_structmac_consistent(struct mac *mac); +int mac_check_structmac_consistent(const struct mac *mac); int mac_allocate_slot(void); /* diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c index be136302465..e9f94404734 100644 --- a/sys/security/mac/mac_socket.c +++ b/sys/security/mac/mac_socket.c @@ -521,7 +521,8 @@ mac_socket_label_set(struct ucred *cred, struct socket *so, } int -mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac) +mac_setsockopt_label(struct ucred *cred, struct socket *so, + const struct mac *mac) { struct label *intlabel; char *buffer; @@ -554,7 +555,8 @@ out: } int -mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac) +mac_getsockopt_label(struct ucred *cred, struct socket *so, + const struct mac *mac) { char *buffer, *elements; struct label *intlabel; @@ -593,7 +595,7 @@ mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac) int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, - struct mac *mac) + const struct mac *mac) { char *elements, *buffer; struct label *intlabel;
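Review bot: `const struct mac *mac` on mac_setsockopt_label(), mac_getsockopt_label() and mac_getsockopt_peerlabel() (hunks at -521, -554 and -593 of mac_socket.c) only promises that the descriptor's own fields are left alone; it says nothing about the memory the descriptor points to, and the visible context shows no header comment on any of them. A short comment above each function would make the contract explicit, for example `/* 'mac' is the kernel copy of the caller's struct mac and is not modified; label data moves through the user buffer it describes, bounded by m_buflen. */`. The m_buflen bound is my reading of mac_check_structmac_consistent() in mac_framework.c, so confirm it holds on these paths before adopting the wording. All three function bodies continue outside their hunks.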