From 9e0d822d771302156061adda7333129ed59b6b88 Mon Sep 17 00:00:00 2001
From: "Christian S.J. Peron"
Date: Sat, 26 Aug 2006 20:13:35 +0000
Subject: [PATCH] Fix panic associated with file creation via RPC/NFS when the MLS policy is loaded. This problem stems from the fact that the policy is not properly initializing the mac label associated with the NFS daemon.
Obtained from: TrustedBSD Project
Discussed with: rwatson
---
 sys/security/mac_mls/mac_mls.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 76e2cdaa485f..b258b21f3c3d 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -2788,6 +2788,17 @@ mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
 return (0);
 }
 
+static void
+mac_mls_associate_nfsd_label(struct ucred *cred)
+{
+ struct mac_mls *label;
+
+ label = SLOT(cred->cr_label);
+ mac_mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
+ mac_mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL,
+ MAC_MLS_TYPE_HIGH, 0, NULL);
+}
+
 static struct mac_policy_ops mac_mls_ops =
 {
 .mpo_init = mac_mls_init,
@@ -2960,6 +2971,7 @@ static struct mac_policy_ops mac_mls_ops =
 .mpo_check_vnode_setutimes = mac_mls_check_vnode_setutimes,
 .mpo_check_vnode_stat = mac_mls_check_vnode_stat,
 .mpo_check_vnode_write = mac_mls_check_vnode_write,
+ .mpo_associate_nfsd_label = mac_mls_associate_nfsd_label,
 };
 
 MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS",
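Review bot: mac_mls_associate_nfsd_label() in the first hunk hard-codes the NFS daemon credential to effective MAC_MLS_TYPE_LOW with a range of MAC_MLS_TYPE_LOW to MAC_MLS_TYPE_HIGH, and nothing in the code says why that label was chosen. This label is presumably what the MLS checks evaluate for NFS-served requests, so it is a policy decision that a maintainer should not have to recover from the commit message. I would add above the function `/* Initialize the NFS daemon credential's MLS label: effective low, range low-high. */`, plus one line of rationale for the effective level if it is known. The function is complete within the hunk; the second hunk only registers it as `.mpo_associate_nfsd_label`.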