PERFORCE change 111047 for review

Todd Miller millert at FreeBSD.org
Mon Dec 4 10:35:54 PST 2006


http://perforce.freebsd.org/chv.cgi?CH=111047

Change 111047 by millert at millert_g5tower on 2006/12/04 18:35:19

	Add mac_thread_userret() function which gets called when a
	BSD syscall or Mach trap exits.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/dev/ppc/systemcalls.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ppc/hw_exception.s#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#25 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#24 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#32 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/dev/ppc/systemcalls.c#3 (text+ko) ====

@@ -221,6 +221,7 @@
 	error = (*(callp->sy_call))(proc, (void *)uthread->uu_arg, &(uthread->uu_rval[0]));
 #ifdef MAC
 	AUDIT_SYSCALL_EXIT(code, error, proc, uthread);
+	mac_thread_userret(thread_act);
 #else
 	AUDIT_SYSCALL_EXIT(error, proc, uthread);
 #endif
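Review bot: The `mac_thread_userret(thread_act)` call covers only this one exit site, while the hook's documentation in mac_policy.h promises it on return to user space "via a system call return, trap return, or otherwise". The enclosing function starts and ends outside the hunk, so it is not visible whether its other exits (early returns, or a separate syscall-return routine used after a blocking call) also reach the hook. A policy that relies on the hook for enforcement would silently miss any path that does not. Every return-to-user path in this file should be audited, and a comment added here such as `/* MAC: notify policies before returning to user space; keep in sync with the other syscall exit paths */`.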

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ppc/hw_exception.s#3 (text+ko) ====

@@ -625,6 +625,10 @@
 			stw		r0, saver3(r30)					; stash the high part of the return code
 			stw		r3,saver3+4(r30)				; Stash the low part of the return code
 			beq--	cr0,.L_mach_invalid_ret			; otherwise fall through into the normal return path
+#ifdef MAC
+	mr r3,r31
+	bl EXT(mac_thread_userret)
+#endif
 .L_mach_invalid_arg:		
 
 
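Review bot: The added `bl EXT(mac_thread_userret)` is a C call on the fall-through into `.L_mach_invalid_arg`, and nothing in the hunk shows that the volatile registers it clobbers (r0, r3-r12, LR, CTR and the volatile CR fields) are dead at that point. The return code is stashed in `saver3(r30)` just above, but the code after the label is outside the hunk and should be checked for values it still expects in those registers. The `beq--` to `.L_mach_invalid_ret`, and any branch that targets the label directly, skip the hook; that may be intended, but the hunk does not say. The two instructions also lack the operand comments and column alignment of the surrounding lines, and rely on r31 holding the thread pointer without stating it. Suggested: `mr r3,r31 ; arg0 = current thread (r31, confirm)` and `bl EXT(mac_thread_userret) ; notify MAC policies of return to user`.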

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#25 (text+ko) ====

@@ -1233,6 +1233,14 @@
 	return (error);
 }
 
+void
+mac_thread_userret(struct thread *thread)
+{
+
+	if (mac_late)
+		MAC_PERFORM(thread_userret, thread);
+}
+
 /* system calls */
 
 int
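Review bot: `mac_thread_userret()` now runs on every BSD syscall exit and Mach trap return, yet nothing in the function marks it as a hot path. The expansion of `MAC_PERFORM` is outside the hunk; if it walks the registered policies or takes a reference on the policy list, that cost is paid on each return even when no loaded policy implements `thread_userret`. A comment above the function would record the constraint, for example `/* Hot path: called on each syscall/trap exit once mac_late is set; must stay cheap when no policy implements thread_userret. */`.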

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#24 (text+ko) ====

@@ -68,7 +68,7 @@
 struct proc;
 struct semid_kernel;
 struct shmid_kernel;
-struct uthread;
+struct thread;
 struct timespec;
 struct ucred;
 struct uio;
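Review bot: Replacing the `struct uthread;` forward declaration, rather than adding `struct thread;` beside it, is safe only if no prototype left in this header still takes a `struct uthread *`. The rest of the header is outside the hunk. If such a prototype remains, the struct would first be declared inside a parameter list, which gives a prototype-scoped incomplete type and a compiler warning in any file that includes this header before the real definition. In that case keep both lines, `struct thread;` and `struct uthread;`.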
@@ -325,6 +325,7 @@
 void	mac_sysvshm_label_init(struct shmid_kernel* shmsegptr);
 void	mac_sysvshm_label_recycle(struct shmid_kernel *shmsegptr);
 int	mac_task_check_get_port(struct ucred *cred, struct task *task);
+void	mac_thread_userret(struct thread *thread);
 int	mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
 	    int acc_mode);
 int	mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#32 (text+ko) ====

@@ -75,6 +75,7 @@
 struct semid_kernel;
 struct shmid_kernel;
 struct task;
+struct thread;
 struct ucred;
 struct vnode;
 struct xsocket;
@@ -3884,6 +3885,17 @@
 	struct label *task
 );
 /**
+  @brief Perform MAC-related events when a thread returns to user space
+  @param thread Mach thread that is returning
+
+  This entry point permits policy modules to perform MAC-related
+  events when a thread returns to user space, via a system call
+  return, trap return, or otherwise.
+*/
+typedef void mpo_thread_userret_t(
+	struct thread *thread
+);
+/**
   @brief Check vnode access
   @param cred Subject credential
   @param vp Object vnode
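Review bot: The new doc comment for `mpo_thread_userret_t` says only that policies may "perform MAC-related events", which does not tell a policy author what the hook is for or what is permitted inside it. Since the typedef returns `void`, the comment should state that the hook cannot deny or delay the return to user space. It should also say whether `thread` is always the calling thread and whether the hook may block or take sleeping locks, none of which is visible in this change. One or two sentences in the description block would be enough, for example `This hook cannot fail; it is invoked in the context of the returning thread.` (to be confirmed against the call sites).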
@@ -5227,6 +5239,7 @@
 	mpo_task_label_init_t			*mpo_task_label_init;
 	mpo_task_label_internalize_t		*mpo_task_label_internalize;
 	mpo_task_label_update_t			*mpo_task_label_update;
+	mpo_thread_userret_t			*mpo_thread_userret;
 	mpo_vnode_check_access_t		*mpo_vnode_check_access;
 	mpo_vnode_check_chdir_t			*mpo_vnode_check_chdir;
 	mpo_vnode_check_chroot_t		*mpo_vnode_check_chroot;
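Review bot: `mpo_thread_userret` is inserted in the middle of the operations structure, which shifts the offset of every later member from `mpo_vnode_check_access` onward. A policy module built against the previous header would have its function pointers read from the wrong slots, so the framework could invoke a different hook than the one the module registered. Whether anything rejects stale modules at registration time is not visible here. Every policy needs a rebuild with this change, and if the header carries an interface version constant it should be bumped in the same change. The structure begins and ends outside the hunk.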

