6 files changed, 24 insertions, 0 deletions

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index ab2ae0a..a964592 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1685,7 +1685,9 @@ cr_canseesocket(struct ucred *cred, struct socket *so)
 	if (error)
 		return (ENOENT);
 #ifdef MAC
+	SOCK_LOCK(so);
 	error = mac_check_socket_visible(cred, so);
+	SOCK_UNLOCK(so);
 	if (error)
 		return (error);
 #endif
diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c
index 5331574..5f14608 100644
--- a/sys/kern/sys_socket.c
+++ b/sys/kern/sys_socket.c
@@ -77,7 +77,9 @@ soo_read(fp, uio, active_cred, flags, td)
 
 	NET_LOCK_GIANT();
 #ifdef MAC
+	SOCK_LOCK(so);
 	error = mac_check_socket_receive(active_cred, so);
+	SOCK_UNLOCK(so);
 	if (error) {
 		NET_UNLOCK_GIANT();
 		return (error);
@@ -102,7 +104,9 @@ soo_write(fp, uio, active_cred, flags, td)
 
 	NET_LOCK_GIANT();
 #ifdef MAC
+	SOCK_LOCK(so);
 	error = mac_check_socket_send(active_cred, so);
+	SOCK_UNLOCK(so);
 	if (error) {
 		NET_UNLOCK_GIANT();
 		return (error);
diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c
index 0d75abe..7dbc19d 100644
--- a/sys/kern/uipc_sockbuf.c
+++ b/sys/kern/uipc_sockbuf.c
@@ -209,7 +209,9 @@ sonewconn(head, connstatus)
 	so->so_timeo = head->so_timeo;
 	so->so_cred = crhold(head->so_cred);
 #ifdef MAC
+	SOCK_LOCK(head);
 	mac_create_socket_from_socket(head, so);
+	SOCK_UNLOCK(head);
 #endif
 	if (soreserve(so, head->so_snd.sb_hiwat, head->so_rcv.sb_hiwat) ||
 	    (*so->so_proto->pr_usrreqs->pru_attach)(so, 0, NULL)) {
diff --git a/sys/kern/uipc_socket2.c b/sys/kern/uipc_socket2.c
index 0d75abe..7dbc19d 100644
--- a/sys/kern/uipc_socket2.c
+++ b/sys/kern/uipc_socket2.c
@@ -209,7 +209,9 @@ sonewconn(head, connstatus)
 	so->so_timeo = head->so_timeo;
 	so->so_cred = crhold(head->so_cred);
 #ifdef MAC
+	SOCK_LOCK(head);
 	mac_create_socket_from_socket(head, so);
+	SOCK_UNLOCK(head);
 #endif
 	if (soreserve(so, head->so_snd.sb_hiwat, head->so_rcv.sb_hiwat) ||
 	    (*so->so_proto->pr_usrreqs->pru_attach)(so, 0, NULL)) {
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 53d4962..18a5e24 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -190,7 +190,9 @@ kern_bind(td, fd, sa)
 	if ((error = fgetsock(td, fd, &so, NULL)) != 0)
 		goto done2;
 #ifdef MAC
+	SOCK_LOCK(so);
 	error = mac_check_socket_bind(td->td_ucred, so, sa);
+	SOCK_UNLOCK(so);
 	if (error)
 		goto done1;
 #endif
@@ -223,7 +225,9 @@ listen(td, uap)
 	NET_LOCK_GIANT();
 	if ((error = fgetsock(td, uap->s, &so, NULL)) == 0) {
 #ifdef MAC
+		SOCK_LOCK(so);
 		error = mac_check_socket_listen(td->td_ucred, so);
+		SOCK_UNLOCK(so);
 		if (error)
 			goto done;
 #endif
@@ -482,7 +486,9 @@ kern_connect(td, fd, sa)
 		goto done1;
 	}
 #ifdef MAC
+	SOCK_LOCK(so);
 	error = mac_check_socket_connect(td->td_ucred, so, sa);
+	SOCK_UNLOCK(so);
 	if (error)
 		goto bad;
 #endif
@@ -701,7 +707,9 @@ kern_sendit(td, s, mp, flags, control)
 		goto bad2;
 
 #ifdef MAC
+	SOCK_LOCK(so);
 	error = mac_check_socket_send(td->td_ucred, so);
+	SOCK_UNLOCK(so);
 	if (error)
 		goto bad;
 #endif
@@ -944,7 +952,9 @@ recvit(td, s, mp, namelenp)
 	}
 
 #ifdef MAC
+	SOCK_LOCK(so);
 	error = mac_check_socket_receive(td->td_ucred, so);
+	SOCK_UNLOCK(so);
 	if (error) {
 		fputsock(so);
 		NET_UNLOCK_GIANT();
@@ -1750,7 +1760,9 @@ do_sendfile(struct thread *td, struct sendfile_args *uap, int compat)
 	}
 
 #ifdef MAC
+	SOCK_LOCK(so);
 	error = mac_check_socket_send(td->td_ucred, so);
+	SOCK_UNLOCK(so);
 	if (error)
 		goto done;
 #endif
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 6660d7b..aa435f2 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -846,8 +846,10 @@ unp_connect(so, nam, td)
 		    sizeof(unp->unp_peercred));
 		unp->unp_flags |= UNP_HAVEPC;
 #ifdef MAC
+		SOCK_LOCK(so);
 		mac_set_socket_peer_from_socket(so, so3);
 		mac_set_socket_peer_from_socket(so3, so);
+		SOCK_UNLOCK(so);
 #endif
 
 		so2 = so3;