2 files changed, 17 insertions, 0 deletions

diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index cdbf726..2c07abe 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -652,6 +652,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
 			mpc->mpc_ops->mpo_relabel_cred =
 			    mpe->mpe_function;
 			break;
+		case MAC_THREAD_USERRET:
+			mpc->mpc_ops->mpo_thread_userret =
+			    mpe->mpe_function;
+			break;
 		case MAC_CHECK_BPFDESC_RECEIVE:
 			mpc->mpc_ops->mpo_check_bpfdesc_receive =
 			    mpe->mpe_function;
@@ -1581,6 +1585,13 @@ mac_create_proc1(struct ucred *cred)
 	MAC_PERFORM(create_proc1, cred);
 }
 
+void
+mac_thread_userret(struct thread *td)
+{
+
+	MAC_PERFORM(thread_userret, td);
+}
+
 /*
  * When a new process is created, its label must be initialized.  Generally,
  * this involves inheritence from the parent process, modulo possible
diff --git a/sys/kern/subr_trap.c b/sys/kern/subr_trap.c
index 2ec3fb1..272714a 100644
--- a/sys/kern/subr_trap.c
+++ b/sys/kern/subr_trap.c
@@ -38,6 +38,7 @@
  * $FreeBSD$
  */
 
+#include "opt_mac.h"
 #ifdef __i386__
 #include "opt_npx.h"
 #endif
@@ -46,6 +47,7 @@
 #include <sys/bus.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
+#include <sys/mac.h>
 #include <sys/mutex.h>
 #include <sys/proc.h>
 #include <sys/kse.h>
@@ -88,6 +90,10 @@ userret(td, frame, oticks)
 	mtx_unlock(&Giant);
 #endif
 
+#ifdef MAC
+	mac_thread_userret(td);
+#endif
+
 	/*
 	 * XXX we cheat slightly on the locking here to avoid locking in
 	 * the usual case.  Setting td_priority here is essentially an