To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Olivier Certner
Subject: git: a95ff5ef7d1f - main - MAC/do: Tests: Add support for exec paths, jail parameters, subjails
Date: Fri, 29 May 2026 16:02:06 +0000
Message-Id: <6a19b87e.33f57.5e693405@gitrepo.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=a95ff5ef7d1ffcb701913028253a4700cd9a1459

commit a95ff5ef7d1ffcb701913028253a4700cd9a1459
Author:     Olivier Certner
AuthorDate: 2026-05-22 14:23:31 +0000
Commit:     Olivier Certner
CommitDate: 2026-05-29 15:41:36 +0000

    MAC/do: Tests: Add support for exec paths, jail parameters, subjails

    And also allow configuration of the mdo(1) executable path.

    This commit only contains new or modified infrastructure. No functional change intended at this point.

    Reviewed by: bapt
    MFC after: 1 month
    Sponsored by: The FreeBSD Foundation
    Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
--- tests/sys/mac/do/common.sh | 119 +++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 110 insertions(+), 9 deletions(-) diff --git a/tests/sys/mac/do/common.sh b/tests/sys/mac/do/common.sh index 6c4b138bdac0..4f0e838bbf5f 100644 --- a/tests/sys/mac/do/common.sh +++ b/tests/sys/mac/do/common.sh
@@ -10,11 +10,79 @@ rules_parameter() echo "$1".rules } +exec_paths_parameter() +{ + echo "$1".exec_paths +} + +: ${MDO:=/usr/bin/mdo} + +ROOT_KNOB=security.mac.do +RULES_KNOB=$(rules_parameter ${ROOT_KNOB}) +EXEC_PATHS_KNOB=$(exec_paths_parameter ${ROOT_KNOB}) +PPE_KNOB=${ROOT_KNOB}.print_parse_error + +ROOT_JAIL_PARAM=mac.do +RULES_JAIL_PARAM=$(rules_parameter ${ROOT_JAIL_PARAM}) +EXEC_PATHS_JAIL_PARAM=$(exec_paths_parameter ${ROOT_JAIL_PARAM}) + +# To be overridden to execute commands in a sub-jail +JEXEC= + +# Exit status: 0 iff disabled +mac_do_disabled() +{ + [ -z "$($JEXEC sysctl -n ${RULES_KNOB})" ] || + [ -z "$($JEXEC sysctl -n ${EXEC_PATHS_KNOB})" ] +} + +mac_do_check_disabled() +{ + mac_do_disabled || atf_fail "mac_do(4) expected disabled but is not." +} + +mac_do_ensure_disabled() +{ + mac_do_disabled || $JEXEC sysctl ${RULES_KNOB}="" +} + +sysctl_rules() +{ + $JEXEC sysctl -n ${RULES_KNOB} +} + +sysctl_exec_paths() +{ + $JEXEC sysctl -n ${EXEC_PATHS_KNOB} +} + +# $1 = sysctl func, $2 = expected value +sysctl_check() +{ + local func value + + func=$1 + value=$2 + atf_check [ "$($func)" = "$value" ] +} + +# $1 = value +sysctl_check_rules() +{ + local value -CONF_ROOT_KNOB=security.mac.do -RULES_KNOB=$(rules_parameter ${CONF_ROOT_KNOB}) -PPE_KNOB=${CONF_ROOT_KNOB}.print_parse_error + value=$1 + sysctl_check sysctl_rules $value +} +# $1 = value +sysctl_check_exec_paths() +{ + local value + + value=$1 + sysctl_check sysctl_exec_paths $value +} # $1 = knob name, $2 = value sysctl_set_and_check() @@ -23,8 +91,8 @@ sysctl_set_and_check() knob=$1 value=$2 - atf_check -o ignore sysctl "$knob"="$value" - atf_check -o inline:"$value\n" sysctl -n "$knob" + atf_check -o ignore $JEXEC sysctl "$knob"="$value" + atf_check -o inline:"$value\n" $JEXEC sysctl -n "$knob" } # $1 = knob name, $2 = value 
@@ -35,8 +103,8 @@ sysctl_set_and_check_fails() knob=$1 value=$2 orig_value=$(sysctl -n "$knob") - atf_check -s not-exit:0 -o ignore -e ignore sysctl "$knob"="$value" - atf_check -o inline:"${orig_value}\n" sysctl -n "$knob" + atf_check -s not-exit:0 -o ignore -e ignore $JEXEC sysctl "$knob"="$value" + atf_check -o inline:"${orig_value}\n" $JEXEC sysctl -n "$knob" } # $1 = sysctl function, $2 = value @@ -46,9 +114,9 @@ sysctl_set_and_check_rules_common() func=$1 value=$2 - "$func" ${RULES_KNOB} "$value" - # Same spec but using the older in-rule separator (':') + # Use older in-rule separator (':') first to have final value as specified "$func" ${RULES_KNOB} "$(echo "$value" | sed 's%>%:%')" + "$func" ${RULES_KNOB} "$value" } # $1 = value @@ -69,7 +137,40 @@ sysctl_set_and_check_fails_rules() sysctl_set_and_check_rules_common sysctl_set_and_check_fails "$value" } +# $1 = sysctl function, $2 = value +sysctl_set_and_check_exec_paths_common() +{ + local func value + + func=$1 + value=$2 + # Use older in-rule separator (':') first to have final value as specified + "$func" ${EXEC_PATHS_KNOB} "$(echo "$value" | sed 's%>%:%')" + "$func" ${EXEC_PATHS_KNOB} "$value" +} + +# $1 = value +sysctl_set_and_check_exec_paths() +{ + local value + + value=$1 + sysctl_set_and_check_exec_paths_common sysctl_set_and_check "$value" +} + +# Create a persistent subjail. Echoes its JID. +launch_subjail() +{ + ( + set -o pipefail + $JEXEC jail -c -J /dev/stdout persist=true | + sed -nE 's%^.*jid=([0-9]+).*$%\1%p' + ) || atf_fail "Cannot create a subjail (check children limits?)" +} + atf_require_prog sysctl +atf_require_prog jail +atf_require_prog sed # Do not pollute kernel logs with parse errors sysctl $PPE_KNOB=0 >/dev/null 2>&1
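Review bot: In the first hunk (@@ -10,11 +10,79 @@), sysctl_check_rules and sysctl_check_exec_paths pass $value to sysctl_check unquoted, so an expected value containing whitespace or glob characters is split or expanded by the shell before the comparison; pass "$value", as sysctl_set_and_check_rules_common does for its own callee. In the same hunk, mac_do_disabled treats empty sysctl output as "disabled", which is also what a failing $JEXEC sysctl -n call produces, so a missing knob or a broken JEXEC would be reported as disabled; checking the exit status of the sysctl calls would keep the two cases apart.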
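Review bot: In sysctl_set_and_check_fails (@@ -35,8 +103,8 @@), orig_value is still read with a plain sysctl -n "$knob" while both checks now run through $JEXEC, so once JEXEC points at a subjail the value read back after the failed write is compared against the calling environment's value instead of the subjail's. Read the original through the same prefix: orig_value=$($JEXEC sysctl -n "$knob").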
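Review bot: In sysctl_set_and_check_rules_common (@@ -46,9 +114,9 @@), the sed expression 's%>%:%' has no g flag and therefore rewrites only the first '>' on each line, so a value with several '>' separators is submitted in mixed form rather than entirely with the older ':' separator that the new comment describes. If the intent is to exercise the older separator throughout, use 's%>%:%g'; if the mixed form is intended, the comment should say so.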
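Review bot: In launch_subjail (last hunk, @@ -69,7 +137,40 @@), sed -n with s///p exits 0 even when no line matches jid=, so if jail succeeds but its output has an unexpected shape the function returns success and echoes nothing, leaving the caller with an empty JID. Capture the sed output in a variable and fail when it is empty. The comment should also state that the jail is created with persist=true and that the caller is responsible for removing it, since nothing in this file does. In sysctl_set_and_check_exec_paths_common from the same hunk, the "older in-rule separator" comment and the '>' to ':' substitution are copied from the rules variant; for a value without '>' both calls set the identical string, so either document where '>' occurs in an exec paths value or drop the first call.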