Add a new 'NOMACCHECK' flag to namei() NDINIT flags, which permits the

caller to indicate that MAC checks are not required for the lookup.
Similar to IO_NOMACCHECK for vn_rdwr(), this indicates that the caller
has already performed all required protections and that this is an
internally generated operation.  This will be used by the NFS server
code, as we don't currently enforce MAC protections against requests
delivered via NFS.

While here, add NOCROSSMOUNT to PARAMASK; apparently this was used at
one point for name lookup flag checking, but isn't any longer or it
would have triggered from the NFS server code passing it to indicate
that mountpoints shouldn't be crossed in lookups.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

sys/kern/vfs_lookup.c

@@ -216,9 +216,12 @@ namei(ndp)
 			break;
 		}
 #ifdef MAC
-		error = mac_check_vnode_readlink(td->td_ucred, ndp->ni_vp);
-		if (error)
-			break;
+		if ((cnp->cn_flags & NOMACCHECK) == 0) {
+			error = mac_check_vnode_readlink(td->td_ucred,
+			    ndp->ni_vp);
+			if (error)
+				break;
+		}
 #endif
 		if (ndp->ni_pathlen > 1)
 			cp = uma_zalloc(namei_zone, M_WAITOK);
@@ -471,9 +474,11 @@ lookup(ndp)
 	 */
 unionlookup:
 #ifdef MAC
-	error = mac_check_vnode_lookup(td->td_ucred, dp, cnp);
-	if (error)
-		goto bad;
+	if ((cnp->cn_flags & NOMACCHECK) == 0) {
+		error = mac_check_vnode_lookup(td->td_ucred, dp, cnp);
+		if (error)
+			goto bad;
+	}
 #endif
 	ndp->ni_dvp = dp;
 	ndp->ni_vp = NULL;

sys/sys/namei.h

@@ -144,7 +144,8 @@ struct nameidata {
 #define	ISUNICODE	0x100000 /* current component name is unicode*/
 #define	PDIRUNLOCK	0x200000 /* filesystem lookup() unlocked parent dir */
 #define	NOCROSSMOUNT	0x400000 /* do not cross mount points */
-#define	PARAMASK	0x3ffe00 /* mask of parameter descriptors */
+#define	NOMACCHECK	0x800000 /* do not perform MAC checks */
+#define	PARAMASK	0xfffe00 /* mask of parameter descriptors */
 
 /*
  * Initialization of an nameidata structure.