Introduce a new MAC entry point for label initialization of the NFS daemon's

credential: mac_associate_nfsd_label() This entry point can be utilized by various Mandatory Access Control policies so they can properly initialize the label of files which get created as a result of an NFS operation. This work will be useful for fixing kernel panics associated with accessing un-initialized or invalid vnode labels. The implementation of these entry points will come shortly. Obtained from: TrustedBSD Requested by: mdodd MFC after: 3 weeks
svn path=/head/; revision=157575
2024-12-04 03:49:02 +00:00 · 2006-04-06 23:33:11 +00:00 · 2006-04-06 23:33:11 +00:00 · 7935d5382b · 2020-12-20 02:59:44 +00:00
commit 7935d5382b
parent c7f87cc77f
6 changed files with 14 additions and 0 deletions
--- a/sys/nfsserver/nfs_srvsock.c
+++ b/sys/nfsserver/nfs_srvsock.c
@ -369,6 +369,9 @@ nfs_getreq(struct nfsrv_descript *nd, struct nfsd *nfsd, int has_header)
 		    nd->nd_cr->cr_svuid = fxdr_unsigned(uid_t, *tl++);
 		nd->nd_cr->cr_groups[0] = nd->nd_cr->cr_rgid =
 		    nd->nd_cr->cr_svgid = fxdr_unsigned(gid_t, *tl++);
+#ifdef MAC
+		mac_associate_nfsd_label(nd->nd_cr);
+#endif
 		len = fxdr_unsigned(int, *tl);
 		if (len < 0 || len > RPCAUTH_UNIXGIDS) {
 			m_freem(mrep);
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@ -463,6 +463,7 @@ int	mac_setsockopt_label(struct ucred *cred, struct socket *so,
 int	mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
 	    struct label *label);
 void	mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
+void	mac_associate_nfsd_label(struct ucred *cred);

 /*
 * Calls to help various file systems implement labeling functionality
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@ -599,6 +599,7 @@ struct mac_policy_ops {
 	int	(*mpo_check_vnode_write)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct vnode *vp,
 		    struct label *label);
+	void	(*mpo_associate_nfsd_label)(struct ucred *cred);
 };

 /*
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@ -1028,3 +1028,10 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)

 	return (0);
 }
+
+void
+mac_associate_nfsd_label(struct ucred *cred)
+{
+
+	MAC_PERFORM(associate_nfsd_label, cred);
+}
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@ -463,6 +463,7 @@ int	mac_setsockopt_label(struct ucred *cred, struct socket *so,
 int	mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
 	    struct label *label);
 void	mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
+void	mac_associate_nfsd_label(struct ucred *cred);

 /*
 * Calls to help various file systems implement labeling functionality
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@ -599,6 +599,7 @@ struct mac_policy_ops {
 	int	(*mpo_check_vnode_write)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct vnode *vp,
 		    struct label *label);
+	void	(*mpo_associate_nfsd_label)(struct ucred *cred);
 };

 /*