Conditionally pickup Giant in mac_cred_mmapped_drop_perms_recurse so

we can drop it all together in __mac_set_proc.

Reviewed by:	alc
Discussed with:	rwatson

sys/security/mac/mac_process.c

@@ -325,7 +325,7 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
     struct vm_map *map)
 {
 	struct vm_map_entry *vme;
-	int result;
+	int vfslocked, result;
 	vm_prot_t revokeperms;
 	vm_object_t object;
 	vm_ooffset_t offset;
@@ -366,6 +366,7 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
 		if (object->type != OBJT_VNODE)
 			continue;
 		vp = (struct vnode *)object->handle;
+		vfslocked = VFS_LOCK_GIANT(vp->v_mount);
 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
 		result = vme->max_protection;
 		mac_check_vnode_mmap_downgrade(cred, vp, &result);
@@ -375,8 +376,10 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
 		 * now but a policy needs to get removed.
 		 */
 		revokeperms = vme->max_protection & ~result;
-		if (!revokeperms)
+		if (!revokeperms) {
+			VFS_UNLOCK_GIANT(vfslocked);
 			continue;
+		}
 		printf("pid %ld: revoking %s perms from %#lx:%ld "
 		    "(max %s/cur %s)\n", (long)td->td_proc->p_pid,
 		    prot2str(revokeperms), (u_long)vme->start,
@@ -436,6 +439,7 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
 			vm_map_simplify_entry(map, vme);
 		}
 		vm_map_lock_downgrade(map);
+		VFS_UNLOCK_GIANT(vfslocked);
 	}
 	vm_map_unlock_read(map);
 }