authorcsjp <csjp@FreeBSD.org>2006-04-06 23:33:11 +0000
committercsjp <csjp@FreeBSD.org>2006-04-06 23:33:11 +0000
commitbe495bef582420958359473d795fa8a169f560f7 (patch)
tree1238986aae318c40637c5589ccf1012b648990cc /sys/security
parenteb74e00e0c0b698cccd240b53935b86ae6bb2191 (diff)
Introduce a new MAC entry point for label initialization of the NFS daemon's
credential: mac_associate_nfsd_label()

This entry point can be utilized by various Mandatory Access Control policies so they can properly initialize the label of files which get created as a result of an NFS operation. This work will be useful for fixing kernel panics associated with accessing un-initialized or invalid vnode labels.

The implementation of these entry points will come shortly.

Obtained from: TrustedBSD
Requested by: mdodd
MFC after: 3 weeks
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.h1
-rw-r--r--sys/security/mac/mac_policy.h1
-rw-r--r--sys/security/mac/mac_vfs.c7
3 files changed, 9 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 65d879d..f1b6fe0 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -463,6 +463,7 @@ int mac_setsockopt_label(struct ucred *cred, struct socket *so,
int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
struct label *label);
void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
+void mac_associate_nfsd_label(struct ucred *cred);
/*
* Calls to help various file systems implement labeling functionality
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 8573805..fe0fa7c 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -599,6 +599,7 @@ struct mac_policy_ops {
int (*mpo_check_vnode_write)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *label);
+ void (*mpo_associate_nfsd_label)(struct ucred *cred);
};
/*
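Review bot: Appending `mpo_associate_nfsd_label` to `struct mac_policy_ops` grows the structure, so a policy module built against the previous header would hand the framework an ops table that ends before this member. If the framework dispatches through the new slot on such a table, it would read a function pointer from past the end of the module's structure. This matters more because the commit message plans a merge to a stable branch. No version or size check is visible on this page, so it should be confirmed that the policy ABI version is bumped, or that the module load path rejects older tables, together with this change.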
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 59aa61b..c9ed9cc 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -1028,3 +1028,10 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
return (0);
}
+
+void
+mac_associate_nfsd_label(struct ucred *cred)
+{
+
+ MAC_PERFORM(associate_nfsd_label, cred);
+}
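Review bot: `mac_associate_nfsd_label()` has no comment stating what callers must guarantee about `cred`, and since the commit message says policies will initialize the label of this credential, the entry point presumably lets each policy write to it. A credential that is shared with other references would then have its label changed for every holder, so the contract should say the caller passes a private, not-yet-published credential; whether the NFS server code does that is not visible here. A header comment such as `/* Let policies label the NFS server's credential; cred must be private to the caller. */` above the definition, and on the prototype added in mac_framework.h, would record this. The function also sits in mac_vfs.c after `vn_setlabel()` although it takes only a `struct ucred *`, so it may be easier to find alongside the framework's other credential entry points.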