To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kyle Evans
Subject: git: 3f3b53e68a7b - main - jail(3): fix common usage after mac.label support
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@FreeBSD.org
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 3f3b53e68a7b2f9319ee1fdac82b511c9f9f22d7
Date: Tue, 20 Jan 2026 02:57:59 +0000
Message-Id: <696eef37.20d63.467132d4@gitrepo.freebsd.org>

The branch main has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=3f3b53e68a7b2f9319ee1fdac82b511c9f9f22d7

commit 3f3b53e68a7b2f9319ee1fdac82b511c9f9f22d7
Author:     Kyle Evans
AuthorDate: 2026-01-20 02:57:42 +0000
Commit:     Kyle Evans
CommitDate: 2026-01-20 02:57:42 +0000

    jail(3): fix common usage after mac.label support

    Nobody else's mac.conf(5) has any entries for jails, so they get a
    trivial ENOENT and we fail before we can fetch any jail parameters.
    Most notably, this breaks `jls -s` / `jls -n` if you do not have any
    loaded policy that applies jail labels. Add an entry that works for
    everyone, and hardcode that as an ENOENT fallback in libjail to provide
    a smoother transition. This is probably not harmful to leave in
    long-term, since mac.conf(5) will override it.

    This unearthed one additional issue, in that mac_get_prison() in the
    MAC framework handled the no-label-policies bit wrong. We don't want to
    break jail utilities enumerating jail parameters automatically, so we
    must ingest the label in all cases -- we can still use it as a small
    optimization to avoid trying to copy out any label. We will break
    things if a non-optional element is specified in the copied-in label,
    but that's expected.
    The APIs dedicated to jaildescs remain unfazed, since they won't be
    used in the same way.

    Fixes: db3b39f063d9f05 ("libjail: extend struct handlers [...]")
    Fixes: bd55cbb50c58876 ("kern: add a mac.label jail parameter")
    Reported by: jlduran (on behalf of Jenkins)
    Reviewed by: jlduran
    Differential Revision: https://reviews.freebsd.org/D54786
---
 lib/libc/posix1e/mac.conf       |  1 +
 lib/libc/posix1e/mac.conf.5     |  3 ++-
 lib/libjail/jail.c              | 15 +++++++++------
 sys/security/mac/mac_syscalls.c |  8 ++------
 4 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/lib/libc/posix1e/mac.conf b/lib/libc/posix1e/mac.conf index 011143abf073..7da9bb8a9638 100644 --- a/lib/libc/posix1e/mac.conf +++ b/lib/libc/posix1e/mac.conf @@ -12,6 +12,7 @@ default_labels file ?biba,?lomac,?mls,?sebsd default_labels ifnet ?biba,?lomac,?mls,?sebsd +default_labels jail ? default_labels process ?biba,?lomac,?mls,?partition,?sebsd default_labels socket ?biba,?lomac,?mls diff --git a/lib/libc/posix1e/mac.conf.5 b/lib/libc/posix1e/mac.conf.5 index 98aa62dd83a7..99d75584a0d7 100644 --- a/lib/libc/posix1e/mac.conf.5 +++ b/lib/libc/posix1e/mac.conf.5 @@ -27,7 +27,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd July 25, 2015 +.Dd January 19. 2026 .Dt MAC.CONF 5 .Os .Sh NAME @@ -79,6 +79,7 @@ and # Default label set to be used by simple MAC applications default_labels file ?biba,?lomac,?mls,?sebsd +default_labels jail ? default_labels ifnet ?biba,?lomac,?mls,?sebsd default_labels process ?biba,?lomac,?mls,?partition,?sebsd default_labels socket ?biba,?lomac,?mls diff --git a/lib/libjail/jail.c b/lib/libjail/jail.c index 75fd411c70c8..baabeb4afed9 100644 --- a/lib/libjail/jail.c +++ b/lib/libjail/jail.c 
@@ -1436,18 +1436,21 @@ jps_get_mac_label(struct jailparam *jp, struct iovec *jiov) int error; error = mac_prepare_type(pmac, "jail"); + if (error != 0 && errno == ENOENT) { + /* + * We special-case the scenario where a system has a custom + * mac.conf(5) that doesn't include a jail entry -- just let + * an empty label slide. + */ + error = mac_prepare(pmac, "?"); + } if (error != 0) { int serrno = errno; free(jp->jp_value); jp->jp_value = NULL; - if (serrno == ENOENT) { - snprintf(jail_errmsg, sizeof(jail_errmsg), - "jail_get: no mac.conf(5) jail config"); - } else { - strerror_r(serrno, jail_errmsg, JAIL_ERRMSGLEN); - } + strerror_r(serrno, jail_errmsg, JAIL_ERRMSGLEN); errno = serrno; return (-1); } diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index 1035c6dbb84b..9bafa6d30c36 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -331,18 +331,14 @@ mac_get_prison(struct thread *const td, struct prison *pr, goto out_nomac; } - if (!(mac_labeled & MPC_OBJECT_PRISON)) { - error = EINVAL; - goto out; - } - intlabel = mac_prison_label_alloc(M_NOWAIT); if (intlabel == NULL) { error = ENOMEM; goto out; } - mac_prison_copy_label(pr->pr_label, intlabel); + if ((mac_labeled & MPC_OBJECT_PRISON) != 0) + mac_prison_copy_label(pr->pr_label, intlabel); /* * Externalization may want to acquire an rmlock. We already tapped out
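Review bot: the two copies of the new default disagree on placement in the lib/libc/posix1e/mac.conf and mac.conf.5 hunks: in mac.conf `default_labels jail ?` goes between `ifnet` and `process` (alphabetical), while in the mac.conf.5 example it goes between `file` and `ifnet`. Suggest moving the manual-page line after `default_labels ifnet ?biba,?lomac,?mls,?sebsd` so the shipped file and its documented example match.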
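Review bot: typo in the first mac.conf.5 hunk, `+.Dd January 19. 2026` uses a period after the day where the mdoc date wants a comma, as in the replaced `-.Dd July 25, 2015`; should read `.Dd January 19, 2026`.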
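Review bot: in the lib/libjail/jail.c hunk the fallback `error = mac_prepare(pmac, "?");` hardcodes a third copy of the jail default (after mac.conf and mac.conf.5); the comment above it should say that this literal must stay in sync with the `default_labels jail` entry in mac.conf(5), since nothing else ties them together. With the `"jail_get: no mac.conf(5) jail config"` message removed, a failure of the fallback `mac_prepare()` itself now reports only `strerror_r()` text; that is acceptable because ENOENT no longer means "no jail entry", but a word in the same comment would help whoever next reads this error path.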
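Review bot: in the sys/security/mac/mac_syscalls.c hunk, once the `MPC_OBJECT_PRISON` early `EINVAL` is gone, `intlabel` from `mac_prison_label_alloc(M_NOWAIT)` reaches externalization without `mac_prison_copy_label()` whenever no loaded policy labels prisons; that is only safe if the allocator initializes the label so an empty label externalizes cleanly, which the hunk does not show. Suggest a comment at the new `if ((mac_labeled & MPC_OBJECT_PRISON) != 0)` stating that `pr->pr_label` is deliberately not touched in that case and that an empty externalized label is the intended result, as the commit message describes.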