Date:      Sun, 21 Jan 2007 22:27:17 GMT
From:      Todd Miller <millert@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 113271 for review
Message-ID:  <200701212227.l0LMRHoY060493@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=113271

Change 113271 by millert@millert_macbook on 2007/01/21 22:27:14

	If a process fails a MAC permission check when waiting for
	a child, do not return the entrypoint error code directly.
	Instead, just return ECHILD if there are no processes it
	is permitted to wait for.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exit.c#6 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exit.c#6 (text+ko) ====

@@ -686,8 +686,15 @@
 			continue;
 
 #ifdef MAC
-		if ((error = mac_proc_check_wait(kauth_cred_get(), p)) != 0)
-			return (error);
+		/*
+		 * We can not return the MAC error back to userland as
+		 * the caller would get non-standard error code.
+		 * Instead, we will return ECHILD (see below) if there
+		 * are no processes we are permitted to wait on.
+		 */
+		error = mac_proc_check_wait(kauth_cred_get(), p);
+		if (error)
+			continue;
 #endif
 
 		nfound++;
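
Review bot: In the new `#ifdef MAC` block, `error` is assigned the result of mac_proc_check_wait() and stays non-zero after the `continue`, although only its truth value is used here. If code after the loop (outside this hunk) returns `error` without resetting it, the MAC error code this change is meant to hide could still reach userland. Testing the call directly, `if (mac_proc_check_wait(kauth_cred_get(), p) != 0) continue;`, or clearing `error` before the `continue`, would rule that out. Minor: in the added comment, "can not" should be "cannot", and "would get non-standard error code" needs an article ("a non-standard error code").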


