Date: Fri, 29 May 2026 16:01:53 +0000 From: Olivier Certner <olce@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 31ef4ee2e357 - main - MAC/do: Allocate only one default configuration Message-ID: <6a19b871.32eef.6cccea60@gitrepo.freebsd.org>
The branch main has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=31ef4ee2e3570b8f438b9b3fb09b3d87c87419ff commit 31ef4ee2e3570b8f438b9b3fb09b3d87c87419ff Author: Olivier Certner <olce@FreeBSD.org> AuthorDate: 2026-04-29 13:12:10 +0000 Commit: Olivier Certner <olce@FreeBSD.org> CommitDate: 2026-05-29 15:32:44 +0000 MAC/do: Allocate only one default configuration When mac_do(4) is loaded, all jails get the same default configuration (disabled, with only one allowed executable path: '/usr/bin/mdo'). Share it between all jails instead of creating a separate copy for each. Reviewed by: bapt Fixes: 9818224174c4 ("MAC/do: Executable paths feature (GSoC 2025's final state)") MFC after: 1 month Sponsored by: The FreeBSD Foundation Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
---
 sys/security/mac_do/mac_do.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
index 4feff477b18a..125054d15423 100644
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -1358,21 +1358,19 @@ set_conf(struct prison *const pr, struct conf *const conf)
 drop_conf(old_conf);
 }
-/*
- * Assigns the default configuration to a jail.
- */
-static void
-set_default_conf(struct prison *const pr)
+static struct conf *
+new_default_conf(void)
 {
- struct conf *const conf = new_conf();
+ const char *const mdo_path = "/usr/bin/mdo";
+ struct conf *conf = new_conf();
- strlcpy(conf->exec_paths.exec_paths_str, "/usr/bin/mdo",
+ strlcpy(conf->exec_paths.exec_paths_str, mdo_path,
 MAX_EXEC_PATHS_SIZE);
- strlcpy(conf->exec_paths.exec_paths[0], "/usr/bin/mdo", PATH_MAX);
+ strlcpy(conf->exec_paths.exec_paths[0], mdo_path,
+ PATH_MAX);
 conf->exec_paths.exec_path_count = 1;
- set_conf(pr, conf);
- drop_conf(conf);
+ return (conf);
 }
 static void
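Review bot: new_default_conf() has no header comment although the removed set_default_conf() had one, and the new function carries an ownership contract that nothing states: the caller receives the only reference to a freshly allocated `struct conf` and must hand it to set_conf() (which the old set_conf()/drop_conf() pairing implies takes its own reference) and then drop_conf() it. Propose restoring a comment above the definition: `/* Allocates the default configuration: disabled, with '/usr/bin/mdo' as the only allowed executable. Returns a reference the caller must drop_conf(). */`. Separately, `struct conf *conf` drops the `*const` qualifier that the removed declaration and the neighbouring `struct prison *const pr` use; `struct conf *const conf = new_conf();` keeps the file's style since conf is never reassigned. new_default_conf() is fully inside the hunk; set_conf() starts outside it and only its tail is visible.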
@@ -2521,14 +2519,16 @@ mac_do_setcred_exit(void)
 static void
 mac_do_init(struct mac_policy_conf *mpc)
 {
+ struct conf *const default_conf = new_default_conf();
 struct prison *pr;
 osd_jail_slot = osd_jail_register(dealloc_jail_osd, osd_methods);
- set_default_conf(&prison0);
+ set_conf(&prison0, default_conf);
 sx_slock(&allprison_lock);
 TAILQ_FOREACH(pr, &allprison, pr_list)
- set_default_conf(pr);
+ set_conf(pr, default_conf);
 sx_sunlock(&allprison_lock);
+ drop_conf(default_conf);
 osd_thread_slot = osd_thread_register(dealloc_thread_osd);
 }
home | help
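Review bot: Installing one `struct conf` into prison0 and every existing jail is only safe if a jail's configuration is never modified in place after set_conf(); if any code path updates exec_paths or the enabled state on the installed object instead of swapping in a new one, that change now propagates to every jail holding the shared reference. set_conf() and the update paths are outside this hunk, so this is worth confirming and recording, e.g. `/* default_conf is shared by all jails: confs must be replaced, never mutated. */` above the `set_conf(&prison0, default_conf);` line. The `drop_conf(default_conf);` after sx_sunlock() then releases only the creator's reference, which is correct provided set_conf() took one per jail. mac_do_init() is fully contained in this hunk.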
