Date: Mon, 4 Dec 2006 18:35:24 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 111047 for review Message-ID: <200612041835.kB4IZOws089674@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=111047
Change 111047 by millert@millert_g5tower on 2006/12/04 18:35:19
Add mac_thread_userret() function which gets called when a BSD syscall or Mach trap exits.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/dev/ppc/systemcalls.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ppc/hw_exception.s#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#25 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#24 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#32 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/dev/ppc/systemcalls.c#3 (text+ko) ====
@@ -221,6 +221,7 @@
 	error = (*(callp->sy_call))(proc, (void *)uthread->uu_arg, &(uthread->uu_rval[0]));
 #ifdef MAC
 	AUDIT_SYSCALL_EXIT(code, error, proc, uthread);
+	mac_thread_userret(thread_act);
 #else
 	AUDIT_SYSCALL_EXIT(error, proc, uthread);
 #endif
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ppc/hw_exception.s#3 (text+ko) ====
@@ -625,6 +625,10 @@
 			stw		r0, saver3(r30)			; stash the high part of the return code
 			stw		r3,saver3+4(r30)		; Stash the low part of the return code
 			beq--	cr0,.L_mach_invalid_ret	; otherwise fall through into the normal return path
+#ifdef MAC
+			mr		r3,r31
+			bl		EXT(mac_thread_userret)
+#endif
 .L_mach_invalid_arg:
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#25 (text+ko) ====
@@ -1233,6 +1233,14 @@
 	return (error);
 }
+void
+mac_thread_userret(struct thread *thread)
+{
+
+	if (mac_late)
+		MAC_PERFORM(thread_userret, thread);
+}
+
 /* system calls */
 int
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#24 (text+ko) ====
@@ -68,7 +68,7 @@
 struct proc;
 struct semid_kernel;
 struct shmid_kernel;
-struct uthread;
+struct thread;
 struct timespec;
 struct ucred;
 struct uio;
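Review bot: The new `mac_thread_userret(thread_act);` call covers only this one exit path of the syscall handler, right after `AUDIT_SYSCALL_EXIT`; the enclosing function starts and ends outside the hunk, and if it (or a separate return routine in the same file used by syscalls that return via a continuation) has other ways back to user space, those returns never reach the hook and a policy relying on it for per-return work sees an incomplete picture. Worth confirming that every return-to-user path in this file invokes the hook, or stating which ones are covered in a comment above the call, e.g. `/* MAC: policies see every return to user space from this path */`. `thread_act` is presumably the current thread; where it is assigned is not visible in the hunk.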
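Review bot: The inserted `bl EXT(mac_thread_userret)` calls C from the trap-return path, which under the PowerPC ABI clobbers r0, r3-r12, LR and the volatile condition-register fields; r3 was stashed into `saver3+4(r30)` just above, but anything the code after `.L_mach_invalid_arg:` (outside the hunk) still expects in a volatile register, in LR, or in cr0 is lost, and that assumption belongs in a comment on the block, e.g. `; MAC: r31 = current thread; clobbers volatile regs, only r30/r31 and the saved state survive`. The hook is also skipped whenever the `beq-- cr0,.L_mach_invalid_ret` branch is taken, so if that path reaches user space without rejoining above this block, traps that return KERN_INVALID_ARGUMENT bypass the hook entirely; if that is intended, say so in the same comment. `mr r3,r31` assumes r31 already holds the thread pointer, which is set outside the hunk.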
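Review bot: `mac_thread_userret()` is added without a header comment, yet it is reached from two very different places in this change (the BSD syscall exit in systemcalls.c and the Mach trap return in hw_exception.s), so a reader of mac_base.c cannot tell what context it runs in or why `mac_late` gates it. Suggest a comment above the definition along the lines of `/* Invoked on the return-to-user-space path (syscall exit, Mach trap return); gated on mac_late so no policy is entered before the framework is fully up. Presumably every loaded policy is visited on every return, so keep this cheap. */`, with the `mac_late` rationale checked against its other uses in this file since it is inferred here.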
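Review bot: Replacing the `struct uthread;` forward declaration with `struct thread;` instead of adding the new tag alongside it will break any prototype elsewhere in mac_framework.h that still takes a `struct uthread *` (the rest of the header is outside the hunk): the tag would then be declared at prototype scope and callers get an incompatible-pointer diagnostic. Keep `struct uthread;` unless the header no longer references it anywhere.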
@@ -325,6 +325,7 @@
 void mac_sysvshm_label_init(struct shmid_kernel* shmsegptr);
 void mac_sysvshm_label_recycle(struct shmid_kernel *shmsegptr);
 int mac_task_check_get_port(struct ucred *cred, struct task *task);
+void mac_thread_userret(struct thread *thread);
 int mac_vnode_check_access(struct ucred *cred, struct vnode *vp, int acc_mode);
 int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#32 (text+ko) ====
@@ -75,6 +75,7 @@
 struct semid_kernel;
 struct shmid_kernel;
 struct task;
+struct thread;
 struct ucred;
 struct vnode;
 struct xsocket;
@@ -3884,6 +3885,17 @@
 	struct label *task
 );
 /**
+	@brief Perform MAC-related events when a thread returns to user space
+	@param thread Mach thread that is returning
+
+	This entry point permits policy modules to perform MAC-related
+	events when a thread returns to user space, via a system call
+	return, trap return, or otherwise.
+*/
+typedef void mpo_thread_userret_t(
+	struct thread *thread
+);
+/**
 	@brief Check vnode access
 	@param cred Subject credential
 	@param vp Object vnode
@@ -5227,6 +5239,7 @@
 	mpo_task_label_init_t			*mpo_task_label_init;
 	mpo_task_label_internalize_t		*mpo_task_label_internalize;
 	mpo_task_label_update_t			*mpo_task_label_update;
+	mpo_thread_userret_t			*mpo_thread_userret;
 	mpo_vnode_check_access_t		*mpo_vnode_check_access;
 	mpo_vnode_check_chdir_t			*mpo_vnode_check_chdir;
 	mpo_vnode_check_chroot_t		*mpo_vnode_check_chroot;
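Review bot: The `mpo_thread_userret_t` documentation names the argument but not the calling context, which matters more here than for most entry points because one of the callers added in this change is the assembly trap-return path in hw_exception.s: a policy author cannot tell from the comment whether `thread` is always the current thread, whether the hook may block or take sleeping locks, or whether it fires on every return to user space or only on the syscall and trap paths instrumented here. Suggest extending the text after `@param thread Mach thread that is returning` with one sentence stating the invocation points and the blocking rules, with the precise rule supplied by whoever owns those return paths rather than guessed.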
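Review bot: Inserting `mpo_thread_userret_t *mpo_thread_userret;` between `mpo_task_label_update` and `mpo_vnode_check_access` shifts every following `mpo_vnode_*` pointer, so a policy module built against the previous layout of this ops structure would have its vnode entry points dispatched through the wrong slots, a silent failure of enforcement rather than a load-time error. Source-level users with designated initializers are unaffected, but if the framework carries a policy ABI or version value that the loader checks, it should be bumped in the same change; if it does not, the commit message should state that out-of-tree policies must be rebuilt. The alphabetical placement itself is consistent with the neighbouring members.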