git: d254322f6fa4 - main - MAC/do: parse_and_set_conf(): Obey empty parameters; Add doc
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 29 May 2026 16:01:44 UTC
The branch main has been updated by olce:
URL: https://cgit.FreeBSD.org/src/commit/?id=d254322f6fa46010bb94d658ff13c06ad438ee77
commit d254322f6fa46010bb94d658ff13c06ad438ee77
Author: Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2026-04-27 16:12:08 +0000
Commit: Olivier Certner <olce@FreeBSD.org>
CommitDate: 2026-05-29 15:23:10 +0000
MAC/do: parse_and_set_conf(): Obey empty parameters; Add doc
parse_and_set_conf() is meant to be used in all situations when there is
a need to set or modify some jail's MAC/do configuration. This entails
passing the information of whether some parameter was explicitly
specified. For example, an administrator setting/modifying jail
parameters may not specify executable paths but only rules, in which
case the executable paths value is copied from the currently-applicable
configuration. The sysctl(8) knobs case always leverages this feature,
since setting a knob changes one parameter at a time.
Currently, a NULL or empty string argument is treated as a non-specified
parameter. This causes a bug where disabling MAC/do in a jail does not
actually work because, to this end, parse_and_set_conf() is passed an
empty string which it then interprets as a request to copy the currently
applicable configuration's value, which may well not be empty.
Fix this problem by only treating NULL as a marker for a non-specified
parameter, in accordance with the original design for this function.
While here, write some documentation to explain the interface. While
here, remove the original herald comment for parse_and_set_rules(),
which was inadvertently pushed apart from the replacing
parse_and_set_conf().
Reviewed by: bapt
Fixes: 9818224174c4 ("MAC/do: Executable paths feature (GSoC 2025's final state)")
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
---
sys/security/mac_do/mac_do.c | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
index b24daaf093c0..3ae5aba4bb8a 100644
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -1361,12 +1361,6 @@ set_default_conf(struct prison *const pr)
drop_conf(conf);
}
-/*
- * Parse a rules specification and assign them to a jail.
- *
- * Returns the same error code as parse_rules() (which see).
- */
-
static void
clone_rules(struct rules *const dst, const struct rules *const src)
{
@@ -1413,7 +1407,17 @@ clone_exec_paths(struct exec_paths *const dst,
sizeof(dst->exec_paths_str));
}
-/* Must be called with '*parse_error' set to NULL. */
+/*
+ * Sets/modifies the MAC/do configuration for a jail.
+ *
+ * Must be called with '*parse_error' set to NULL.
+ *
+ * Supports explicitly setting all parameters or only some of them, in which
+ * case the implicit ones are copied from the currently applicable configuration
+ * (that of the closest ancestor jail that has one).
+ *
+ * An unspecified parameter must be passed as NULL.
+ */
static int
parse_and_set_conf(struct prison *pr, const char *rules_string,
const char *exec_paths_string, struct parse_error **parse_error)
@@ -1421,17 +1425,13 @@ parse_and_set_conf(struct prison *pr, const char *rules_string,
struct conf *applicable_conf = NULL;
struct conf *conf;
int error = 0;
- bool need_applicable_conf;
-
- need_applicable_conf = (rules_string == NULL || rules_string[0] == '\0' ||
- exec_paths_string == NULL || exec_paths_string[0] == '\0');
- if (need_applicable_conf)
+ if (rules_string == NULL || exec_paths_string == NULL)
applicable_conf = find_conf(pr, NULL);
conf = new_conf();
- if (rules_string != NULL && rules_string[0] != '\0') {
+ if (rules_string != NULL) {
error = parse_rules(rules_string, &conf->rules, parse_error);
if (error != 0)
goto error;
@@ -1439,7 +1439,7 @@ parse_and_set_conf(struct prison *pr, const char *rules_string,
else if (applicable_conf != NULL)
clone_rules(&conf->rules, &applicable_conf->rules);
- if (exec_paths_string != NULL && exec_paths_string[0] != '\0') {
+ if (exec_paths_string != NULL) {
error = parse_exec_paths(exec_paths_string, &conf->exec_paths,
parse_error);
if (error != 0)