From owner-p4-projects@FreeBSD.ORG Mon Dec 4 18:35:25 2006
Return-Path:
X-Original-To: p4-projects@freebsd.org
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 9B39116A50A; Mon, 4 Dec 2006 18:35:25 +0000 (UTC)
X-Original-To: perforce@freebsd.org
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 48D9F16A509 for ; Mon, 4 Dec 2006 18:35:25 +0000 (UTC) (envelope-from millert@freebsd.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [69.147.83.41]) by mx1.FreeBSD.org (Postfix) with ESMTP id C1AAB43CBA for ; Mon, 4 Dec 2006 18:34:50 +0000 (GMT) (envelope-from millert@freebsd.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id kB4IZO6N089677 for ; Mon, 4 Dec 2006 18:35:24 GMT (envelope-from millert@freebsd.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id kB4IZOws089674 for perforce@freebsd.org; Mon, 4 Dec 2006 18:35:24 GMT (envelope-from millert@freebsd.org)
Date: Mon, 4 Dec 2006 18:35:24 GMT
Message-Id: <200612041835.kB4IZOws089674@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 111047 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Dec 2006 18:35:25 -0000 http://perforce.freebsd.org/chv.cgi?CH=111047 Change 111047 by millert@millert_g5tower on 2006/12/04 18:35:19 Add mac_thread_userret() function which gets called when a BSD syscall or Mach trap exits. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/dev/ppc/systemcalls.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ppc/hw_exception.s#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#25 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#24 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#32 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/dev/ppc/systemcalls.c#3 (text+ko) ==== @@ -221,6 +221,7 @@ error = (*(callp->sy_call))(proc, (void *)uthread->uu_arg, &(uthread->uu_rval[0])); #ifdef MAC AUDIT_SYSCALL_EXIT(code, error, proc, uthread); + mac_thread_userret(thread_act); #else AUDIT_SYSCALL_EXIT(error, proc, uthread); #endif ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ppc/hw_exception.s#3 (text+ko) ==== @@ -625,6 +625,10 @@ stw r0, saver3(r30) ; stash the high part of the return code stw r3,saver3+4(r30) ; Stash the low part of the return code beq-- cr0,.L_mach_invalid_ret ; otherwise fall through into the normal return path +#ifdef MAC + mr r3,r31 + bl EXT(mac_thread_userret) +#endif .L_mach_invalid_arg: ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#25 (text+ko) ==== 
@@ -1233,6 +1233,14 @@ return (error); } +void +mac_thread_userret(struct thread *thread) +{ + + if (mac_late) + MAC_PERFORM(thread_userret, thread); +} + /* system calls */ int ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#24 (text+ko) ==== @@ -68,7 +68,7 @@ struct proc; struct semid_kernel; struct shmid_kernel; -struct uthread; +struct thread; struct timespec; struct ucred; struct uio; @@ -325,6 +325,7 @@ void mac_sysvshm_label_init(struct shmid_kernel* shmsegptr); void mac_sysvshm_label_recycle(struct shmid_kernel *shmsegptr); int mac_task_check_get_port(struct ucred *cred, struct task *task); +void mac_thread_userret(struct thread *thread); int mac_vnode_check_access(struct ucred *cred, struct vnode *vp, int acc_mode); int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#32 (text+ko) ==== @@ -75,6 +75,7 @@ struct semid_kernel; struct shmid_kernel; struct task; +struct thread; struct ucred; struct vnode; struct xsocket; @@ -3884,6 +3885,17 @@ struct label *task ); /** + @brief Perform MAC-related events when a thread returns to user space + @param thread Mach thread that is returning + + This entry point permits policy modules to perform MAC-related + events when a thread returns to user space, via a system call + return, trap return, or otherwise. +*/ +typedef void mpo_thread_userret_t( + struct thread *thread +); +/** @brief Check vnode access @param cred Subject credential @param vp Object vnode @@ -5227,6 +5239,7 @@ mpo_task_label_init_t *mpo_task_label_init; mpo_task_label_internalize_t *mpo_task_label_internalize; mpo_task_label_update_t *mpo_task_label_update; + mpo_thread_userret_t *mpo_thread_userret; mpo_vnode_check_access_t *mpo_vnode_check_access; mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
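Review bot: in the systemcalls.c hunk the new mac_thread_userret(thread_act) call only runs on the path that falls through after (*(callp->sy_call))() and AUDIT_SYSCALL_EXIT(), so if the syscall exit routine has any earlier return to user space (for example when the call is not dispatched at all) that path reaches user space without the hook firing, while the commit message promises a call whenever a BSD syscall exits; either confirm there is no such early return or move the call to the common exit point. It would also help to note in the message that thread_act is the Mach thread_t for the current thread, since the new prototype takes struct thread * while the surrounding lines pass proc and uthread.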
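Review bot: the hw_exception.s hunk calls a C function from the trap return path with only r3 set up, so the change should say what volatile state "bl EXT(mac_thread_userret)" clobbers: under the PowerPC ABI r0, r3-r12, lr and cr0/cr1/cr5-cr7 are caller-saved, the line just above tests cr0 ("beq-- cr0,.L_mach_invalid_ret"), and any code at or after .L_mach_invalid_arg that still expects cr0, lr or a volatile GPR from before the call will now see garbage. The return code is safe because it was already stashed in saver3(r30) and saver3+4(r30) and r30/r31 are non-volatile, but please confirm the stack pointer at this point carries a valid C linkage area for the callee and that hw_exception.s is run through the preprocessor so the #ifdef MAC block is honoured. Separately, the call sits before the .L_mach_invalid_arg label and after the branch to .L_mach_invalid_ret, so neither the invalid-argument nor the invalid-return exits are hooked; if that asymmetry with the BSD side is intentional, say so in the commit message.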
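Review bot: mac_thread_userret() in the mac_base.c hunk carries no comment describing when it runs, and since it now executes on every BSD syscall and Mach trap return it is a hot path: MAC_PERFORM(thread_userret, thread) walks the whole policy list on each exit even when no loaded policy implements mpo_thread_userret. Add a short comment above the function stating the call sites and the cost expectation, and consider a cheap check that skips the walk when no policy has registered the entry point. The "if (mac_late)" gate matches the other hooks, but it means early-loaded policies receive no userret events before mac_late is set, which is worth recording alongside the entry-point documentation.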
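Review bot: the first mac_framework.h hunk replaces the "struct uthread;" forward declaration with "struct thread;" instead of adding the new one beside it, so any prototype remaining in this header, or any consumer that relied on the declaration, that still names struct uthread loses it and will fail to compile; unless the change also removes every such use, keep "struct uthread;" and add "struct thread;" next to it. The prototype added after mac_task_check_get_port in the second hunk keeps the alphabetical ordering of the surrounding declarations, which is fine.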
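Review bot: inserting "mpo_thread_userret_t *mpo_thread_userret;" between mpo_task_label_update and mpo_vnode_check_access in the second mac_policy.h hunk shifts the offset of every later member of the policy ops structure, so a policy module built against the previous header would dispatch through the wrong slots unless the ops-structure version is bumped or all modules are rebuilt with this change; state which applies in the commit message. The doc comment for mpo_thread_userret_t should also record the two facts visible in the mac_base.c hunk: that the entry point fires on every syscall and trap return, so implementations must be cheap and non-blocking, and that it is only invoked once mac_late is set.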