From 92dbb82a47dc27aff8b0e9470f2272e799797b9f Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Wed, 2 Oct 2002 02:42:38 +0000
Subject: Add a new MAC entry point, mac_thread_userret(td), which permits policy modules to perform MAC-related events when a thread returns to user space.

This is required for policies that have floating process labels, as it's not always possible to acquire the process lock at arbitrary points in the stack during system call processing; process labels might represent traditional authentication data, process history information, or other data. LOMAC will use this entry point to perform the process label update prior to the thread returning to userspace, when plugged into the MAC framework.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/security/mac/mac_net.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'sys/security/mac/mac_net.c')

diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index cdbf726bdccb..2c07abe4f7b9 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -652,6 +652,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 		mpc->mpc_ops->mpo_relabel_cred = mpe->mpe_function;
 		break;
+	case MAC_THREAD_USERRET:
+		mpc->mpc_ops->mpo_thread_userret =
+		    mpe->mpe_function;
+		break;
 	case MAC_CHECK_BPFDESC_RECEIVE:
 		mpc->mpc_ops->mpo_check_bpfdesc_receive = mpe->mpe_function;
@@ -1581,6 +1585,13 @@ mac_create_proc1(struct ucred *cred)
 	MAC_PERFORM(create_proc1, cred);
 }
 
+void
+mac_thread_userret(struct thread *td)
+{
+
+	MAC_PERFORM(thread_userret, td);
+}
+
 /*
  * When a new process is created, its label must be initialized. Generally,
  * this involves inheritence from the parent process, modulo possible
-- 
cgit v1.2.3
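Review bot: The new entry point mac_thread_userret() in the second hunk carries no header comment, although the neighbouring entry points in this file do (the `/* When a new process is created ... */` block starts right after it), and its contract matters for policy authors because every registered policy's hook runs on every return to user space. Suggest a comment above the definition along the lines of `/* Invoked as a thread is about to return to user space. Policies with floating process labels may use this to apply pending label changes that could not be made at arbitrary points during system call processing. */`, and it should also state what locks the caller does or does not hold, since that is what the commit message gives as the motivation but nothing in the hunk shows it. The diff is limited to mac_net.c, so the prototype, the mpo_thread_userret slot in the ops structure, the MAC_THREAD_USERRET constant and the actual call from the userret path are not visible here; it is worth confirming they land in the same change so the hook is neither dead code nor, if registration precedes the caller, silently unreachable for a policy that depends on it for label enforcement.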