Move mapping of MBI_APPEND to MBI_WRITE from inside the rule loop in

mac_bsdextended_check() to before the loop, as it needs to happen only
once.

MFC after:	1 week

1 files changed, 8 insertions, 9 deletions

diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index 2ebf9b86dcca..1a330036f08a 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -460,20 +460,19 @@ mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
 	if (suser_cred(cred, 0) == 0)
 		return (0);
 
+	/*
+	 * Since we do not separately handle append, map append to write.
+	 */
+	if (acc_mode & MBI_APPEND) {
+		acc_mode &= ~MBI_APPEND;
+		acc_mode |= MBI_WRITE;
+	}
+
 	mtx_lock(&mac_bsdextended_mtx);
 	for (i = 0; i < rule_slots; i++) {
 		if (rules[i] == NULL)
 			continue;
 
-		/*
-		 * Since we do not separately handle append, map append to
-		 * write.
-		 */
-		if (acc_mode & MBI_APPEND) {
-			acc_mode &= ~MBI_APPEND;
-			acc_mode |= MBI_WRITE;
-		}
-
 		error = mac_bsdextended_rulecheck(rules[i], cred,
 		    vp, vap, acc_mode);
 		if (error == EJUSTRETURN)