From f1bc833e9552e6874a5343bfd4a0b2999a185b42 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Sun, 13 Jun 2004 02:50:07 +0000
Subject: Socket MAC labels so_label and so_peerlabel are now protected by SOCK_LOCK(so):
- Hold socket lock over calls to MAC entry points reading or manipulating socket labels.
- Assert socket lock in MAC entry point implementations.
- When externalizing the socket label, first make a thread-local copy while holding the socket lock, then release the socket lock to externalize to userspace.
---
 sys/kern/kern_prot.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'sys/kern/kern_prot.c')
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index ab2ae0a..a964592 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1685,7 +1685,9 @@ cr_canseesocket(struct ucred *cred, struct socket *so)
 if (error)
 return (ENOENT);
 #ifdef MAC
+ SOCK_LOCK(so);
 error = mac_check_socket_visible(cred, so);
+ SOCK_UNLOCK(so);
 if (error)
 return (error);
 #endif
--
cgit v1.1
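Review bot: The locking contract of cr_canseesocket() is left undocumented. With SOCK_LOCK(so) acquired inside the `#ifdef MAC` block, a caller that already holds the socket lock would recurse on it, and presumably that lock is not recursive. A comment above the new lock line would record this, e.g. `/* so_label is protected by SOCK_LOCK(so); callers must not hold the socket lock on entry. */`. The visibility decision also reflects the label only at the moment of the check, because the lock is dropped before `error` is tested, so the header comment should say the result is a point-in-time answer rather than a guarantee that holds afterwards. The function begins and ends outside the hunk, so whether any existing caller enters with the socket lock held cannot be confirmed from here.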