Date: Fri, 29 May 2026 16:01:44 +0000 From: Olivier Certner <olce@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: d254322f6fa4 - main - MAC/do: parse_and_set_conf(): Obey empty parameters; Add doc Message-ID: <6a19b868.342b9.21db378@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=d254322f6fa46010bb94d658ff13c06ad438ee77 commit d254322f6fa46010bb94d658ff13c06ad438ee77 Author: Olivier Certner <olce@FreeBSD.org> AuthorDate: 2026-04-27 16:12:08 +0000 Commit: Olivier Certner <olce@FreeBSD.org> CommitDate: 2026-05-29 15:23:10 +0000 MAC/do: parse_and_set_conf(): Obey empty parameters; Add doc parse_and_set_conf() is meant to be used in all situations when there is a need to set or modify some jail's MAC/do configuration. This entails passing the information of whether some parameter was explicitly specified. For example, an administrator setting/modifying jail parameters may not specify executable paths but only rules, in which case the executable paths value is copied from the currently-applicable configuration. The sysctl(8) knobs case always leverages this feature, since setting a knob changes one parameter at a time. Currently, a NULL or empty string argument is treated as a non-specified parameter. This causes a bug where disabling MAC/do in a jail does not actually work because, to this end, parse_and_set_conf() is passed an empty string which it then interprets as a request to copy the currently applicable configuration's value, which may well not be empty. Fix this problem by only treating NULL as a marker for a non-specified parameter, in accordance with the original design for this function. While here, write some documentation to explain the interface. While here, remove the original herald comment for parse_and_set_rules(), which was inadvertently pushed apart from the replacing parse_and_set_conf(). Reviewed by: bapt Fixes: 9818224174c4 ("MAC/do: Executable paths feature (GSoC 2025's final state)") MFC after: 1 month Sponsored by: The FreeBSD Foundation Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38 --- sys/security/mac_do/mac_do.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c index b24daaf093c0..3ae5aba4bb8a 100644 --- a/sys/security/mac_do/mac_do.c +++ b/sys/security/mac_do/mac_do.c @@ -1361,12 +1361,6 @@ set_default_conf(struct prison *const pr) drop_conf(conf); } -/* - * Parse a rules specification and assign them to a jail. - * - * Returns the same error code as parse_rules() (which see). - */ - static void clone_rules(struct rules *const dst, const struct rules *const src) { @@ -1413,7 +1407,17 @@ clone_exec_paths(struct exec_paths *const dst, sizeof(dst->exec_paths_str)); } -/* Must be called with '*parse_error' set to NULL. */ +/* + * Sets/modifies the MAC/do configuration for a jail. + * + * Must be called with '*parse_error' set to NULL. + * + * Supports explicitly setting all parameters or only some of them, in which + * case the implicit ones are copied from the currently applicable configuration + * (that of the closest ancestor jail that has one). + * + * An unspecified parameter must be passed as NULL. + */ static int parse_and_set_conf(struct prison *pr, const char *rules_string, const char *exec_paths_string, struct parse_error **parse_error) @@ -1421,17 +1425,13 @@ parse_and_set_conf(struct prison *pr, const char *rules_string, struct conf *applicable_conf = NULL; struct conf *conf; int error = 0; - bool need_applicable_conf; - - need_applicable_conf = (rules_string == NULL || rules_string[0] == '\0' || - exec_paths_string == NULL || exec_paths_string[0] == '\0'); - if (need_applicable_conf) + if (rules_string == NULL || exec_paths_string == NULL) applicable_conf = find_conf(pr, NULL); conf = new_conf(); - if (rules_string != NULL && rules_string[0] != '\0') { + if (rules_string != NULL) { error = parse_rules(rules_string, &conf->rules, parse_error); if (error != 0) goto error; @@ -1439,7 +1439,7 @@ parse_and_set_conf(struct prison *pr, const char *rules_string, else if (applicable_conf != NULL) clone_rules(&conf->rules, &applicable_conf->rules); - if (exec_paths_string != NULL && exec_paths_string[0] != '\0') { + if (exec_paths_string != NULL) { error = parse_exec_paths(exec_paths_string, &conf->exec_paths, parse_error); if (error != 0)home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a19b868.342b9.21db378>