Date:      Fri, 3 Nov 2023 04:09:48 GMT
From:      Zhenlei Huang <zlei@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: bb8d4411e0c6 - main - veriexec: Simplify the initialization of loader tunable
Message-ID:  <202311030409.3A349mEg080944@gitrepo.freebsd.org>

The branch main has been updated by zlei:

URL: https://cgit.FreeBSD.org/src/commit/?id=bb8d4411e0c668415538f66fb25e6b38bb910cdd

commit bb8d4411e0c668415538f66fb25e6b38bb910cdd
Author:     Zhenlei Huang <zlei@FreeBSD.org>
AuthorDate: 2023-11-03 04:08:27 +0000
Commit:     Zhenlei Huang <zlei@FreeBSD.org>
CommitDate: 2023-11-03 04:08:27 +0000

    veriexec: Simplify the initialization of loader tunable
    
    The loader tunable 'security.mac.veriexec.block_unlink' has already
    been flagged with CTLFLAG_RDTUN, no need to re-fetch it with
    TUNABLE_INT_FETCH.
    
    While here move the definition of sysctl knob out of function body,
    which is more common in FreeBSD.
    
    No functional change intended.
    
    Reviewed by:    stevek
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D42132
---
 sys/security/mac_veriexec/mac_veriexec.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c
index 57f3b6c307fa..7ac09e2acf0f 100644
--- a/sys/security/mac_veriexec/mac_veriexec.c
+++ b/sys/security/mac_veriexec/mac_veriexec.c
@@ -105,6 +105,8 @@ SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, db,
 static int mac_veriexec_slot;
 
 static int mac_veriexec_block_unlink;
+SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink, CTLFLAG_RDTUN,
+    &mac_veriexec_block_unlink, 0, "Veriexec unlink protection");
 
 MALLOC_DEFINE(M_VERIEXEC, "veriexec", "Verified execution data");
 
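Review bot: The new file-scope SYSCTL_INT for block_unlink has no comment, and its description string "Veriexec unlink protection" does not say that the knob is a loader tunable (CTLFLAG_RDTUN) which is read-only at runtime and off by default. Since this setting decides whether unlink protection is enforced at all, a one-line comment above `static int mac_veriexec_block_unlink;` stating that the default is 0 (disabled) and that it can only be set from the loader would help anyone auditing the policy. The variable also now relies on implicit zero initialization of a static, which is fine but worth keeping in mind if the default ever changes.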
@@ -797,12 +799,6 @@ mac_veriexec_init(struct mac_policy_conf *mpc __unused)
 	EVENTHANDLER_REGISTER(vfs_unmounted, mac_veriexec_vfs_unmounted, NULL,
 	    EVENTHANDLER_PRI_LAST);
 
-	/* Fetch tunable value in kernel env and define a corresponding read-only sysctl */
-	mac_veriexec_block_unlink = 0;
-	TUNABLE_INT_FETCH("security.mac.veriexec.block_unlink", &mac_veriexec_block_unlink);
-	SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink,
-	    CTLFLAG_RDTUN, &mac_veriexec_block_unlink, 0, "Veriexec unlink protection");
-
 	/* Check if unlink control is activated via tunable value */
 	if (!mac_veriexec_block_unlink)
 		mac_veriexec_ops.mpo_vnode_check_unlink = NULL;
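Review bot: The `if (!mac_veriexec_block_unlink)` check in mac_veriexec_init() now depends on the CTLFLAG_RDTUN sysctl having already populated the variable from the kernel environment before this function runs, and the removed comment was the only place that said where the value comes from. If that ordering did not hold, the variable would still be 0 here and mpo_vnode_check_unlink would be set to NULL, silently disabling unlink protection even with the tunable set. Suggest extending the remaining comment to say that the value is fetched when the sysctl is registered, and confirming (in the review or commit message) that registration precedes policy init both for the built-in case and for module load.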


