Introduce a new MAC entry point for label initialization of the NFS daemon's
credential: mac_associate_nfsd_label()

This entry point can be utilized by various Mandatory Access Control policies so they can properly initialize the label of files which get created as a result of an NFS operation. This work will be useful for fixing kernel panics associated with accessing uninitialized or invalid vnode labels. The implementation of these entry points will come shortly.

Obtained from: TrustedBSD
Requested by: mdodd
MFC after: 3 weeks
This commit is contained in:
parent
eb74e00e0c
commit
be495bef58
@ -369,6 +369,9 @@ nfs_getreq(struct nfsrv_descript *nd, struct nfsd *nfsd, int has_header)
|
||||
nd->nd_cr->cr_svuid = fxdr_unsigned(uid_t, *tl++);
|
||||
nd->nd_cr->cr_groups[0] = nd->nd_cr->cr_rgid =
|
||||
nd->nd_cr->cr_svgid = fxdr_unsigned(gid_t, *tl++);
|
||||
#ifdef MAC
|
||||
mac_associate_nfsd_label(nd->nd_cr);
|
||||
#endif
|
||||
len = fxdr_unsigned(int, *tl);
|
||||
if (len < 0 || len > RPCAUTH_UNIXGIDS) {
|
||||
m_freem(mrep);
|
||||
|
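Review bot: mac_associate_nfsd_label(nd->nd_cr) is invoked right after cr_svgid is filled in but before the supplementary group list is read (the `len = fxdr_unsigned(int, *tl)` / RPCAUTH_UNIXGIDS path that follows), so a policy deriving the label from the full AUTH_UNIX credential would presumably see only the uid/gid fields populated. If policies are meant to see the complete credential the call belongs after the group-parsing loop, which lies outside this hunk; if the uid/gid alone are sufficient, that is worth stating at the call site, e.g. `/* Label the nfsd cred; only the uid/gid fields are set at this point. */`. On the error branch that follows, the credential has already been handed to the policies before mrep is freed, which looks harmless but is worth confirming against how nd->nd_cr is released. nfs_getreq() begins and ends outside the hunk.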
@ -463,6 +463,7 @@ int mac_setsockopt_label(struct ucred *cred, struct socket *so,
|
||||
int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
|
||||
struct label *label);
|
||||
void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
|
||||
void mac_associate_nfsd_label(struct ucred *cred);
|
||||
|
||||
/*
|
||||
* Calls to help various file systems implement labeling functionality
|
||||
|
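Review bot: The new prototype `void mac_associate_nfsd_label(struct ucred *cred);` carries no comment on its contract, while the declarations that follow are introduced by a banner explaining their purpose. A one-line comment above it, e.g. `/* Give MAC policies a chance to initialize the label of an NFS daemon credential so files created via NFS are labeled. */`, would tell a caller what the hook guarantees. The name also departs from the `mac_cred_*` prefix used by the neighbouring `mac_cred_mmapped_drop_perms`; if `mac_associate_*` is meant to parallel the vnode association entry points, saying so in the comment pre-empts the question. The same prototype is repeated in the identical later section of this page, where the same remark applies.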
@ -599,6 +599,7 @@ struct mac_policy_ops {
|
||||
int (*mpo_check_vnode_write)(struct ucred *active_cred,
|
||||
struct ucred *file_cred, struct vnode *vp,
|
||||
struct label *label);
|
||||
void (*mpo_associate_nfsd_label)(struct ucred *cred);
|
||||
};
|
||||
|
||||
/*
|
||||
|
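Review bot: `void (*mpo_associate_nfsd_label)(struct ucred *cred);` is appended after the `mpo_check_vnode_*` members rather than alongside the other `mpo_associate_*` operations, and it is the only member in this hunk with no comment on when the framework calls it. Because it is a void callback dispatched with MAC_PERFORM, a policy has no way to reject the credential, so the comment should make the obligation explicit, e.g. `/* Initialize the label of an nfsd credential; cannot fail, the policy must leave the label usable. */`. Grouping it with the existing association ops would also keep the struct's category ordering intact. The repeated later section of this page adds the same member and needs the same treatment.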
@ -1028,3 +1028,10 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
void
|
||||
mac_associate_nfsd_label(struct ucred *cred)
|
||||
{
|
||||
|
||||
MAC_PERFORM(associate_nfsd_label, cred);
|
||||
}
|
||||
|
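Review bot: mac_associate_nfsd_label() hands cred to every policy through MAC_PERFORM with no stated precondition and, unlike vn_setlabel() just above it, no leading comment; a policy that dereferences a credential whose label has not been allocated would reproduce the kind of panic the commit message sets out to fix. A comment such as `/* cred must already carry a label allocated by the cred-allocation hooks; policies only fill it in. */` plus a `KASSERT(cred != NULL, ("mac_associate_nfsd_label: NULL cred"));` before the MAC_PERFORM line would make that contract visible. Whether the label is guaranteed allocated at the nfs_getreq() call site cannot be confirmed from this hunk.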
@ -463,6 +463,7 @@ int mac_setsockopt_label(struct ucred *cred, struct socket *so,
|
||||
int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
|
||||
struct label *label);
|
||||
void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
|
||||
void mac_associate_nfsd_label(struct ucred *cred);
|
||||
|
||||
/*
|
||||
* Calls to help various file systems implement labeling functionality
|
||||
|
@ -599,6 +599,7 @@ struct mac_policy_ops {
|
||||
int (*mpo_check_vnode_write)(struct ucred *active_cred,
|
||||
struct ucred *file_cred, struct vnode *vp,
|
||||
struct label *label);
|
||||
void (*mpo_associate_nfsd_label)(struct ucred *cred);
|
||||
};
|
||||
|
||||
/*
|
||||
|