From nobody Fri Jan 16 00:24:21 2026
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kyle Evans Subject: git: 31c2728185d1 - main - mac_set_fd(3): add support for jail descriptors List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 31c2728185d1705634ff84c93936a4c91a651b22 Auto-Submitted: auto-generated Date: Fri, 16 Jan 2026 00:24:21 +0000 Message-Id: <69698535.3b962.5565f721@gitrepo.freebsd.org> The branch main has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=31c2728185d1705634ff84c93936a4c91a651b22 commit 31c2728185d1705634ff84c93936a4c91a651b22 Author: Kyle Evans AuthorDate: 2025-10-26 01:57:33 +0000 Commit: Kyle Evans CommitDate: 2026-01-16 00:23:39 +0000 mac_set_fd(3): add support for jail descriptors We'll still add an old-fashioned jail param to configure jail MAC labels, but for testing it's really easy to grab a jaildesc and use that. Reviewed by: jamie, olce Differential Revision: https://reviews.freebsd.org/D53956 --- sys/security/mac/mac_internal.h | 5 +++++ sys/security/mac/mac_policy.h | 3 +++ sys/security/mac/mac_prison.c | 28 +++++++++++++++++++++++-- sys/security/mac/mac_syscalls.c | 44 ++++++++++++++++++++++++++++++++++++++++ sys/security/mac_stub/mac_stub.c | 1 + sys/security/mac_test/mac_test.c | 11 ++++++++++ 6 files changed, 90 insertions(+), 2 deletions(-) diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index a07bf01da6f6..3f032ed3934a 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h 
@@ -242,6 +242,8 @@ struct label *mac_cred_label_alloc(void); void mac_cred_label_free(struct label *label); struct label *mac_pipe_label_alloc(void); void mac_pipe_label_free(struct label *label); +struct label *mac_prison_label_alloc(int flags); +void mac_prison_label_free(struct label *label); struct label *mac_socket_label_alloc(int flag); void mac_socket_label_free(struct label *label); void mac_socketpeer_label_free(struct label *label); @@ -261,8 +263,11 @@ int mac_pipe_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); int mac_pipe_internalize_label(struct label *label, char *string); +int mac_prison_label_set(struct ucred *cred, struct prison *pr, + struct label *label); int mac_prison_check_relabel(struct ucred *cred, struct prison *pr, struct label *newlabel); +void mac_prison_copy_label(struct label *src, struct label *dest); int mac_prison_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); int mac_prison_internalize_label(struct label *label, char *string); diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 7693eb309534..0078138d472f 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -414,6 +414,8 @@ typedef int (*mpo_prison_check_relabel_t)(struct ucred *cred, struct prison *pr, struct label *prlabel, struct label *newlabel); typedef void (*mpo_prison_destroy_label_t)(struct label *label); +typedef void (*mpo_prison_copy_label_t)(struct label *src, + struct label *dest); typedef int (*mpo_prison_externalize_label_t)(struct label *label, char *element_name, struct sbuf *sb, int *claimed); typedef int (*mpo_prison_internalize_label_t)(struct label *label, 
@@ -897,6 +899,7 @@ struct mac_policy_ops { mpo_prison_init_label_t mpo_prison_init_label; mpo_prison_check_relabel_t mpo_prison_check_relabel; mpo_prison_destroy_label_t mpo_prison_destroy_label; + mpo_prison_copy_label_t mpo_prison_copy_label; mpo_prison_externalize_label_t mpo_prison_externalize_label; mpo_prison_internalize_label_t mpo_prison_internalize_label; mpo_prison_relabel_t mpo_prison_relabel; diff --git a/sys/security/mac/mac_prison.c b/sys/security/mac/mac_prison.c index 3f787c6b3647..68ffd7a3cda3 100644 --- a/sys/security/mac/mac_prison.c +++ b/sys/security/mac/mac_prison.c @@ -30,7 +30,7 @@ #include #include -static void +void mac_prison_label_free(struct label *label) { if (label == NULL) @@ -40,7 +40,7 @@ mac_prison_label_free(struct label *label) mac_labelzone_free(label); } -static struct label * +struct label * mac_prison_label_alloc(int flag) { struct label *label; @@ -98,6 +98,13 @@ mac_prison_destroy(struct prison *pr) pr->pr_label = NULL; } +void +mac_prison_copy_label(struct label *src, struct label *dest) +{ + + MAC_POLICY_PERFORM_NOSLEEP(prison_copy_label, src, dest); +} + int mac_prison_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen) @@ -126,6 +133,23 @@ mac_prison_relabel(struct ucred *cred, struct prison *pr, newlabel); } +int +mac_prison_label_set(struct ucred *cred, struct prison *pr, + struct label *label) +{ + int error; + + mtx_assert(&pr->pr_mtx, MA_OWNED); + + error = mac_prison_check_relabel(cred, pr, label); + if (error) + return (error); + + mac_prison_relabel(cred, pr, label); + + return (0); +} + MAC_CHECK_PROBE_DEFINE4(prison_check_relabel, "struct ucred *", "struct prison *", "struct label *", "struct label *"); int diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index 13c7998041f9..3e9908fb9da9 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c 
@@ -49,6 +49,8 @@ #include #include #include +#include +#include #include #include #include @@ -339,6 +341,7 @@ sys___mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) struct mac mac; struct vnode *vp; struct pipe *pipe; + struct prison *pr; struct socket *so; cap_rights_t rights; int error; @@ -400,6 +403,25 @@ sys___mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) mac_socket_label_free(intlabel); break; + case DTYPE_JAILDESC: + if (!(mac_labeled & MPC_OBJECT_PRISON)) { + error = EINVAL; + goto out_fdrop; + } + + error = jaildesc_get_prison(fp, &pr); + if (error != 0) + goto out_fdrop; + + intlabel = mac_prison_label_alloc(M_WAITOK); + mac_prison_copy_label(pr->pr_label, intlabel); + prison_free(pr); + + error = mac_prison_externalize_label(intlabel, mac.m_string, + buffer, mac.m_buflen); + mac_prison_label_free(intlabel); + break; + default: error = EINVAL; } @@ -473,6 +495,7 @@ sys___mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { struct label *intlabel; struct pipe *pipe; + struct prison *pr; struct socket *so; struct file *fp; struct mount *mp; @@ -548,6 +571,27 @@ sys___mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) mac_socket_label_free(intlabel); break; + case DTYPE_JAILDESC: + if (!(mac_labeled & MPC_OBJECT_PRISON)) { + error = EINVAL; + goto out_fdrop; + } + + pr = NULL; + intlabel = mac_prison_label_alloc(M_WAITOK); + error = mac_prison_internalize_label(intlabel, mac.m_string); + if (error == 0) + error = jaildesc_get_prison(fp, &pr); + if (error == 0) { + prison_lock(pr); + error = mac_prison_label_set(td->td_ucred, pr, + intlabel); + prison_free_locked(pr); + } + + mac_prison_label_free(intlabel); + break; + default: error = EINVAL; } diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 20b04d4acf58..4a567c68b2be 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c 
@@ -1912,6 +1912,7 @@ static struct mac_policy_ops stub_ops = .mpo_prison_init_label = stub_init_label_waitcheck, .mpo_prison_destroy_label = stub_destroy_label, + .mpo_prison_copy_label = stub_copy_label, .mpo_prison_externalize_label = stub_externalize_label, .mpo_prison_internalize_label = stub_internalize_label, .mpo_prison_relabel = stub_prison_relabel, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 72af48edb00f..47dd7d1326a3 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1617,6 +1617,16 @@ test_prison_destroy_label(struct label *label) COUNTER_INC(prison_destroy_label); } +COUNTER_DECL(prison_copy_label); +static void +test_prison_copy_label(struct label *src, struct label *dest) +{ + + LABEL_CHECK(src, MAGIC_PRISON); + LABEL_CHECK(dest, MAGIC_PRISON); + COUNTER_INC(prison_copy_label); +} + COUNTER_DECL(prison_externalize_label); static int test_prison_externalize_label(struct label *label, char *element_name, @@ -3357,6 +3367,7 @@ static struct mac_policy_ops test_ops = .mpo_prison_init_label = test_prison_init_label, .mpo_prison_destroy_label = test_prison_destroy_label, + .mpo_prison_copy_label = test_prison_copy_label, .mpo_prison_externalize_label = test_prison_externalize_label, .mpo_prison_internalize_label = test_prison_internalize_label, .mpo_prison_relabel = test_prison_relabel,
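Review bot: in the mac_internal.h hunk the new prototype `struct label *mac_prison_label_alloc(int flags);` names its parameter `flags`, while the definition made non-static in mac_prison.c (`mac_prison_label_alloc(int flag)`) and the neighbouring `struct label *mac_socket_label_alloc(int flag);` both use `flag`; rename the parameter to `int flag` so the declaration matches its definition and the surrounding prototypes.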
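Review bot: in the mac_policy.h hunk, `mpo_prison_copy_label_t mpo_prison_copy_label;` is inserted in the middle of struct mac_policy_ops, which shifts every later member and therefore changes the layout that out-of-tree MAC policy modules are compiled against; mac_stub and mac_test are updated in this commit, but external policies will need a rebuild, so it is worth saying so in the commit message or considering whether a __FreeBSD_version bump is warranted. The new typedef also carries no comment stating what the entry point must do (copy the contents of `src` into a caller-owned `dest`, both already initialised as prison labels), which the mac_test counterpart's `LABEL_CHECK(src, MAGIC_PRISON); LABEL_CHECK(dest, MAGIC_PRISON);` implies but the header does not say.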
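Review bot: in the sys___mac_get_fd hunk of mac_syscalls.c, `mac_prison_copy_label(pr->pr_label, intlabel);` reads the prison's label with no lock held, whereas the write side added by the same commit requires the prison mutex (`mtx_assert(&pr->pr_mtx, MA_OWNED);` in mac_prison_label_set, satisfied by `prison_lock(pr);` in sys___mac_set_fd). A concurrent mac_set_fd(3) on a descriptor for the same jail could therefore relabel the prison while this copy is in progress; bracket the copy with `prison_lock(pr);` and `prison_unlock(pr);` before the `prison_free(pr);`, which is safe here because mac_prison_copy_label is implemented with MAC_POLICY_PERFORM_NOSLEEP.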
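Review bot: missing documentation for the sys___mac_set_fd hunk: the diffstat lists only files under sys/security, so the mac_get_fd(3) and mac_set_fd(3) manual pages, which enumerate the descriptor types these calls accept, are not updated to mention jail descriptors; a follow-up to those pages should add DTYPE_JAILDESC, and since the sys___mac_get_fd hunk gains the same `case DTYPE_JAILDESC:` support, the commit subject (which names only mac_set_fd(3)) undersells the change. The error handling in the set path itself looks right: `pr = NULL;` is set before the internalize step, jaildesc_get_prison is only attempted when internalization succeeded, and `prison_free_locked(pr);` both releases the mutex taken by `prison_lock(pr);` and drops the reference, so no lock or reference is leaked on the `error != 0` paths.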