Pass IO_NOMACCHECK to vn_rdwr() in the following checks to prevent

enforcement of MAC policy on the read or write operations:

- In ext2fs, don't enforce MAC on loop-back reads and writes supporting
  directory read operations in lookup(), directory modifications in
  rename(), directory write operations in mkdir(), symlink write
  operations in symlink().

- In the NFS client locking code, perform vn_rdwr() on the NFS locking
  socket without enforcing MAC, since the write is done on behalf of
  the kernel NFS implementation rather than the user process.

- In UFS, don't enforce MAC on loop-back reads and writes supporting
  directory read operations in lookup(), and symlink write operations
  in symlink().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

1 files changed, 1 insertions, 1 deletions

diff --git a/sys/nfsclient/nfs_lock.c b/sys/nfsclient/nfs_lock.c
index dfd5ed0..32f9a1d 100644
--- a/sys/nfsclient/nfs_lock.c
+++ b/sys/nfsclient/nfs_lock.c
@@ -163,7 +163,7 @@ nfs_dolock(struct vop_advlock_args *ap)
 	VOP_UNLOCK(wvp, 0, td);		/* vn_open leaves it locked */
 
 
-	ioflg = IO_UNIT;
+	ioflg = IO_UNIT | IO_NOMACCHECK;
 	for (;;) {
 		VOP_LEASE(wvp, td, thread0.td_ucred, LEASE_WRITE);