authorRobert Watson <rwatson@FreeBSD.org>2005-04-18 13:36:57 +0000
committerRobert Watson <rwatson@FreeBSD.org>2005-04-18 13:36:57 +0000
commitbabe9a2bb37a1c0a1e87cbe5c3ce5fd40c70d990 (patch)
treeedb79f235bf4b33075b9d7e39ce462e142125e48 /sys/security/mac
parentda833457ebe3d1ce020fe98888e70ac5cb278f5d (diff)
Notes
Diffstat (limited to 'sys/security/mac')
-rw-r--r--sys/security/mac/mac_framework.h1
-rw-r--r--sys/security/mac/mac_policy.h2
-rw-r--r--sys/security/mac/mac_process.c15
3 files changed, 18 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index f72733d6618d..8e5037aa7916 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -351,6 +351,7 @@ int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred,
gid_t rgid, gid_t egid, gid_t sgid);
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
int signum);
+int mac_check_proc_wait(struct ucred *cred, struct proc *proc);
int mac_check_socket_accept(struct ucred *cred, struct socket *so);
int mac_check_socket_bind(struct ucred *cred, struct socket *so,
struct sockaddr *sockaddr);
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 402d622b915f..e519cb35930d 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -424,6 +424,8 @@ struct mac_policy_ops {
gid_t egid, gid_t sgid);
int (*mpo_check_proc_signal)(struct ucred *cred,
struct proc *proc, int signum);
+ int (*mpo_check_proc_wait)(struct ucred *cred,
+ struct proc *proc);
int (*mpo_check_socket_accept)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_bind)(struct ucred *cred,
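Review bot: The new `mpo_check_proc_wait` member is inserted in the middle of `struct mac_policy_ops`, which shifts the offset of every later entry, starting with `mpo_check_socket_accept`. A policy module built against the previous header would then have its socket and later hooks read from the wrong slots, so access checks could be silently skipped or misrouted rather than failing loudly. Nothing in this diff shows a module ABI or version change accompanying the new member, so it is worth confirming one exists elsewhere in the commit. At minimum I would note the rebuild requirement next to the new entry, e.g. `/* Added entry: policy modules must be rebuilt against this header. */`. The struct definition starts and ends outside this hunk.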
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 8dda7b113874..436c55b878e2 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -650,3 +650,18 @@ mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid,
MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid);
return (error);
}
+
+int
+mac_check_proc_wait(struct ucred *cred, struct proc *proc)
+{
+ int error;
+
+ PROC_LOCK_ASSERT(proc, MA_OWNED);
+
+ if (!mac_enforce_process)
+ return (0);
+
+ MAC_CHECK(check_proc_wait, cred, proc);
+
+ return (error);
+}
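Review bot: `mac_check_proc_wait()` is added without a comment saying which side is the subject and which the object, and policy authors implementing `mpo_check_proc_wait` need that contract. The visible lines establish only that the caller must hold the process lock (`PROC_LOCK_ASSERT(proc, MA_OWNED)`) and that a zero `mac_enforce_process` bypasses every policy. I would add above the function something like `/* Ask policies whether cred may wait on proc; the caller must hold proc's lock. */`. The call site is outside this diffstat, so confirm there that a denial is returned to the waiter before any of the child's exit state is consumed. Because the hook runs with the proc lock held, policy implementations presumably must not sleep in it, which is worth stating in the same comment.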