To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kyle Evans
Subject: git: 99e138f20a9b - main - kern: mac: add a prison_cleanup entry point
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@FreeBSD.org
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 99e138f20a9bad8276e9ebbb1e155daadf201272
Date: Sat, 14 Feb 2026 04:22:42 +0000
Message-Id: <698ff892.2172f.466ee06c@gitrepo.freebsd.org>

The branch main has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=99e138f20a9bad8276e9ebbb1e155daadf201272

commit 99e138f20a9bad8276e9ebbb1e155daadf201272
Author:     Kyle Evans
AuthorDate: 2026-02-14 04:19:18 +0000
Commit:     Kyle Evans
CommitDate: 2026-02-14 04:20:52 +0000

    kern: mac: add a prison_cleanup entry point

    The MAC framework provides a lot of useful functionality that can be
    configured per-jail without requiring the use of labels. Having another
    entry point that we invoke just for general prison cleanup rather than
    freeing the label is useful to allow a module that can otherwise work
    off of a series of MAC entry points + sysctls for configuration to free
    its per-jail configuration without having to bring in osd(9).

    One such example in the wild is HardenedBSD's secadm, but some of my own
    personal use had wanted it as well- it was simply overlooked in the
    final version because my first policy made more sense with labels.

    On that note, it's expected that prison_cleanup and prison_destroy_label
    will effectively be mutually exclusive -- the former only used when a
    label isn't needed, the latter when it is.

    Note that prison_cleanup isn't perfectly symmetrical w.r.t.
prison_created: the latter takes a label as well, because it's called later in jail setup and a better point for propagation than when the label is created. As discussed with olce@, we may want to later revisit the notion that struct labels get passed around explicitly along with the referenced object and consider stripping them from all entry points in favor of an object -> label accessor or something. __FreeBSD_version bumped to force a rebuild of MAC policies. Reviewed by: olce Differential Revision: https://reviews.freebsd.org/D54833 --- sys/security/mac/mac_policy.h | 3 +++ sys/security/mac/mac_prison.c | 3 +++ sys/security/mac_stub/mac_stub.c | 7 +++++++ sys/security/mac_test/mac_test.c | 9 +++++++++ sys/sys/param.h | 2 +- 5 files changed, 23 insertions(+), 1 deletion(-) diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 0078138d472f..a080d8cc4b8b 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -436,6 +436,8 @@ typedef int (*mpo_prison_check_remove_t)(struct ucred *cred, struct prison *pr, struct label *prlabel); typedef void (*mpo_prison_created_t)(struct ucred *cred, struct prison *pr, struct label *prlabel); +typedef void (*mpo_prison_cleanup_t)(struct ucred *cred, + struct prison *pr); typedef void (*mpo_prison_attached_t)(struct ucred *cred, struct prison *pr, struct label *prlabel, struct proc *p, struct label *proclabel); @@ -909,6 +911,7 @@ struct mac_policy_ops { mpo_prison_check_set_t mpo_prison_check_set; mpo_prison_check_remove_t mpo_prison_check_remove; mpo_prison_created_t mpo_prison_created; + mpo_prison_cleanup_t mpo_prison_cleanup; mpo_prison_attached_t mpo_prison_attached; mpo_priv_check_t mpo_priv_check; diff --git a/sys/security/mac/mac_prison.c b/sys/security/mac/mac_prison.c index 68ffd7a3cda3..810160994f7b 100644 --- a/sys/security/mac/mac_prison.c +++ b/sys/security/mac/mac_prison.c 
@@ -94,6 +94,9 @@ void mac_prison_destroy(struct prison *pr) { mtx_assert(&pr->pr_mtx, MA_OWNED); + + /* Symmetry with prison_created */ + MAC_POLICY_PERFORM_NOSLEEP(prison_cleanup, curthread->td_ucred, pr); mac_prison_label_free(pr->pr_label); pr->pr_label = NULL; } diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 4a567c68b2be..1e1220300259 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -914,6 +914,12 @@ stub_prison_created(struct ucred *cred, struct prison *pr, } +static void +stub_prison_cleanup(struct ucred *cred, struct prison *pr) +{ + +} + static void stub_prison_attached(struct ucred *cred, struct prison *pr, struct label *prlabel, struct proc *p, struct label *proclabel) @@ -1923,6 +1929,7 @@ static struct mac_policy_ops stub_ops = .mpo_prison_check_set = stub_prison_check_set, .mpo_prison_check_remove = stub_prison_check_remove, .mpo_prison_created = stub_prison_created, + .mpo_prison_cleanup = stub_prison_cleanup, .mpo_prison_attached = stub_prison_attached, .mpo_priv_check = stub_priv_check, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 47dd7d1326a3..f16073cfdf72 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1737,6 +1737,14 @@ test_prison_created(struct ucred *cred, struct prison *pr, COUNTER_INC(prison_created); } +COUNTER_DECL(prison_cleanup); +static void +test_prison_cleanup(struct ucred *cred, struct prison *pr) +{ + + COUNTER_INC(prison_cleanup); +} + COUNTER_DECL(prison_attached); static void test_prison_attached(struct ucred *cred, struct prison *pr, @@ -3378,6 +3386,7 @@ static struct mac_policy_ops test_ops = .mpo_prison_check_set = test_prison_check_set, .mpo_prison_check_remove = test_prison_check_remove, .mpo_prison_created = test_prison_created, + .mpo_prison_cleanup = test_prison_cleanup, .mpo_prison_attached = test_prison_attached, .mpo_proc_check_debug = test_proc_check_debug, 
diff --git a/sys/sys/param.h b/sys/sys/param.h index 27e8e0f14e77..99c1af5e55bf 100644 --- a/sys/sys/param.h +++ b/sys/sys/param.h @@ -74,7 +74,7 @@ * cannot include sys/param.h and should only be updated here. */ #undef __FreeBSD_version -#define __FreeBSD_version 1600011 +#define __FreeBSD_version 1600012 /* * __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD,
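Review bot: in the sys/security/mac/mac_prison.c hunk, `MAC_POLICY_PERFORM_NOSLEEP(prison_cleanup, curthread->td_ucred, pr)` runs with `pr->pr_mtx` held (see the `mtx_assert(&pr->pr_mtx, MA_OWNED)` directly above it) and through the non-sleeping policy dispatch path, so every `mpo_prison_cleanup` implementation must be non-sleeping: no `M_WAITOK` allocations and no sleepable locks while tearing down per-jail state. Neither the new typedef in mac_policy.h nor the commit message states this constraint; suggest a comment on the typedef, or at the call site in place of `/* Symmetry with prison_created */`, saying the hook is invoked with the prison mutex held and must not sleep. It is also worth stating which credential policies receive: `curthread->td_ucred` belongs to whichever thread drops the last reference on the prison, not to the jail's creator, so a policy should treat it as context rather than as input to an access decision. Calling the hook before `mac_prison_label_free(pr->pr_label)` is the right order, since a policy that does use a label can still see it during cleanup.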
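Review bot: the sys/security/mac/mac_policy.h hunk inserts `mpo_prison_cleanup` into the middle of `struct mac_policy_ops` (between `mpo_prison_created` and `mpo_prison_attached`) rather than appending it, which shifts every later member and is the reason the `__FreeBSD_version` bump is mandatory for out-of-tree policies rather than merely advisable; the message only says "bumped to force a rebuild of MAC policies", so say that the layout change is why. The diffstat lists only files under sys/, so no documentation is updated alongside the existing `mpo_prison_*` hooks; add a manual-page entry for the new hook that carries the statement from the commit message that it is intended to be mutually exclusive with `prison_destroy_label` and that, unlike `prison_created`, it receives no label.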