PERFORCE change 113271 for review
Todd Miller
millert at FreeBSD.org
Sun Jan 21 22:33:07 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113271
Change 113271 by millert at millert_macbook on 2007/01/21 22:27:14
If a process fails a MAC permission check when waiting for
a child, do not return the entrypoint error code directly.
Instead, just return ECHILD if there are no processes it
is permitted to wait for.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exit.c#6 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exit.c#6 (text+ko) ====
@@ -686,8 +686,15 @@
continue;
#ifdef MAC
- if ((error = mac_proc_check_wait(kauth_cred_get(), p)) != 0)
- return (error);
+ /*
+ * We can not return the MAC error back to userland as
+ * the caller would get non-standard error code.
+ * Instead, we will return ECHILD (see below) if there
+ * are no processes we are permitted to wait on.
+ */
+ error = mac_proc_check_wait(kauth_cred_get(), p);
+ if (error)
+ continue;
#endif
nfound++;
More information about the trustedbsd-cvs
mailing list