Fix panic associated with file creation via RPC/NFS when the MLS policy

is loaded. This problem stems from the fact that the policy is not properly initializing the mac label associated with the NFS daemon. Obtained from: TrustedBSD Project Discussed with: rwatson
svn path=/head/; revision=161649
2006-08-26 20:13:35 +00:00 · 2006-08-26 20:13:35 +00:00 · 9e0d822d77 · 2020-12-20 02:59:44 +00:00
commit 9e0d822d77
parent 77b1a4d66a
1 changed files with 12 additions and 0 deletions
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@ -2788,6 +2788,17 @@ mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
 	return (0);
 }

+static void
+mac_mls_associate_nfsd_label(struct ucred *cred) 
+{
+	struct mac_mls *label;
+
+	label = SLOT(cred->cr_label);
+	mac_mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
+	mac_mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL,
+	    MAC_MLS_TYPE_HIGH, 0, NULL);
+}
+
 static struct mac_policy_ops mac_mls_ops =
 {
 	.mpo_init = mac_mls_init,
@ -2960,6 +2971,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_check_vnode_setutimes = mac_mls_check_vnode_setutimes,
 	.mpo_check_vnode_stat = mac_mls_check_vnode_stat,
 	.mpo_check_vnode_write = mac_mls_check_vnode_write,
+	.mpo_associate_nfsd_label = mac_mls_associate_nfsd_label,
 };

 MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS",