git: b388201875bf - stable/14 - veriexec: Simplify the initialization of loader tunable
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 13 Nov 2023 03:57:36 UTC
The branch stable/14 has been updated by zlei: URL: https://cgit.FreeBSD.org/src/commit/?id=b388201875bf28939cd32cec6bd786bf0667956d commit b388201875bf28939cd32cec6bd786bf0667956d Author: Zhenlei Huang <zlei@FreeBSD.org> AuthorDate: 2023-11-03 04:08:27 +0000 Commit: Zhenlei Huang <zlei@FreeBSD.org> CommitDate: 2023-11-13 03:56:57 +0000 veriexec: Simplify the initialization of loader tunable The loader tunable 'security.mac.veriexec.block_unlink' has been already flagged with CTLFLAG_RDTUN, no need to re-fetch it with TUNABLE_INT_FETCH. While here move the definition of sysctl knob out of function body, which is more common in FreeBSD. No functional change intended. Reviewed by: stevek MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D42132 (cherry picked from commit bb8d4411e0c668415538f66fb25e6b38bb910cdd) --- sys/security/mac_veriexec/mac_veriexec.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c index 57f3b6c307fa..7ac09e2acf0f 100644 --- a/sys/security/mac_veriexec/mac_veriexec.c +++ b/sys/security/mac_veriexec/mac_veriexec.c @@ -105,6 +105,8 @@ SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, db, static int mac_veriexec_slot; static int mac_veriexec_block_unlink; +SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink, CTLFLAG_RDTUN, + &mac_veriexec_block_unlink, 0, "Veriexec unlink protection"); MALLOC_DEFINE(M_VERIEXEC, "veriexec", "Verified execution data"); @@ -797,12 +799,6 @@ mac_veriexec_init(struct mac_policy_conf *mpc __unused) EVENTHANDLER_REGISTER(vfs_unmounted, mac_veriexec_vfs_unmounted, NULL, EVENTHANDLER_PRI_LAST); - /* Fetch tunable value in kernel env and define a corresponding read-only sysctl */ - mac_veriexec_block_unlink = 0; - TUNABLE_INT_FETCH("security.mac.veriexec.block_unlink", &mac_veriexec_block_unlink); - SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink, - CTLFLAG_RDTUN, &mac_veriexec_block_unlink, 0, "Veriexec unlink protection"); - /* Check if unlink control is activated via tunable value */ if (!mac_veriexec_block_unlink) mac_veriexec_ops.mpo_vnode_check_unlink = NULL;