From 7935d5382b7785b88437a9b1ee881fb41acf1161 Mon Sep 17 00:00:00 2001
From: "Christian S.J. Peron" <csjp@FreeBSD.org>
Date: Thu, 6 Apr 2006 23:33:11 +0000
Subject: [PATCH] Introduce a new MAC entry point for label initialization of
 the NFS daemon's credential: mac_associate_nfsd_label()

This entry point can be utilized by various Mandatory Access Control policies
so they can properly initialize the label of files which get created
as a result of an NFS operation. This work will be useful for fixing kernel
panics associated with accessing un-initialized or invalid vnode labels.

The implementation of these entry points will come shortly.

Obtained from:	TrustedBSD
Requested by:	mdodd
MFC after:	3 weeks
---
 sys/nfsserver/nfs_srvsock.c      | 3 +++
 sys/security/mac/mac_framework.h | 1 +
 sys/security/mac/mac_policy.h    | 1 +
 sys/security/mac/mac_vfs.c       | 7 +++++++
 sys/sys/mac.h                    | 1 +
 sys/sys/mac_policy.h             | 1 +
 6 files changed, 14 insertions(+)

diff --git a/sys/nfsserver/nfs_srvsock.c b/sys/nfsserver/nfs_srvsock.c
index 805c5ca4e521..5721b39e0f85 100644
--- a/sys/nfsserver/nfs_srvsock.c
+++ b/sys/nfsserver/nfs_srvsock.c
@@ -369,6 +369,9 @@ nfs_getreq(struct nfsrv_descript *nd, struct nfsd *nfsd, int has_header)
 		    nd->nd_cr->cr_svuid = fxdr_unsigned(uid_t, *tl++);
 		nd->nd_cr->cr_groups[0] = nd->nd_cr->cr_rgid =
 		    nd->nd_cr->cr_svgid = fxdr_unsigned(gid_t, *tl++);
+#ifdef MAC
+		mac_associate_nfsd_label(nd->nd_cr);
+#endif
 		len = fxdr_unsigned(int, *tl);
 		if (len < 0 || len > RPCAUTH_UNIXGIDS) {
 			m_freem(mrep);
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 65d879dca1a2..f1b6fe06b617 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -463,6 +463,7 @@ int	mac_setsockopt_label(struct ucred *cred, struct socket *so,
 int	mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
 	    struct label *label);
 void	mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
+void	mac_associate_nfsd_label(struct ucred *cred);
 
 /*
  * Calls to help various file systems implement labeling functionality
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 8573805c8178..fe0fa7c01670 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -599,6 +599,7 @@ struct mac_policy_ops {
 	int	(*mpo_check_vnode_write)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct vnode *vp,
 		    struct label *label);
+	void	(*mpo_associate_nfsd_label)(struct ucred *cred);
 };
 
 /*
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 59aa61bc792d..c9ed9ccaf370 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -1028,3 +1028,10 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
 
 	return (0);
 }
+
+void
+mac_associate_nfsd_label(struct ucred *cred)
+{
+
+	MAC_PERFORM(associate_nfsd_label, cred);
+}
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 65d879dca1a2..f1b6fe06b617 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -463,6 +463,7 @@ int	mac_setsockopt_label(struct ucred *cred, struct socket *so,
 int	mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
 	    struct label *label);
 void	mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
+void	mac_associate_nfsd_label(struct ucred *cred);
 
 /*
  * Calls to help various file systems implement labeling functionality
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index 8573805c8178..fe0fa7c01670 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -599,6 +599,7 @@ struct mac_policy_ops {
 	int	(*mpo_check_vnode_write)(struct ucred *active_cred,
 		    struct ucred *file_cred, struct vnode *vp,
 		    struct label *label);
+	void	(*mpo_associate_nfsd_label)(struct ucred *cred);
 };
 
 /*