Use the credential authorizing the socket creation operation to perform

the jail check and the MAC socket labeling in socreate().  This handles
socket creation using a cached credential better (such as in the NFS
client code when rebuilding a socket following a disconnect: the new
socket should be created using the nfsmount cached cred, not the cred
of the thread causing the socket to be rebuilt).

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

1 files changed, 2 insertions, 2 deletions

diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index cfcec00..61cef61 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -177,7 +177,7 @@ socreate(dom, aso, type, proto, cred, td)
 	if (prp == 0 || prp->pr_usrreqs->pru_attach == 0)
 		return (EPROTONOSUPPORT);
 
-	if (jailed(td->td_ucred) && jail_socket_unixiproute_only &&
+	if (jailed(cred) && jail_socket_unixiproute_only &&
 	    prp->pr_domain->dom_family != PF_LOCAL &&
 	    prp->pr_domain->dom_family != PF_INET &&
 	    prp->pr_domain->dom_family != PF_ROUTE) {
@@ -196,7 +196,7 @@ socreate(dom, aso, type, proto, cred, td)
 	so->so_cred = crhold(cred);
 	so->so_proto = prp;
 #ifdef MAC
-	mac_create_socket(td->td_ucred, so);
+	mac_create_socket(cred, so);
 #endif
 	soref(so);
 	error = (*prp->pr_usrreqs->pru_attach)(so, proto, td);