git: 5bedb5e44757 - main - MAC/do: Comment to explain the main invariant for configurations

The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=5bedb5e44757ba83dba9d618f5b951416cf44345

commit 5bedb5e44757ba83dba9d618f5b951416cf44345
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2026-04-29 17:11:34 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2026-05-29 15:33:24 +0000

    MAC/do: Comment to explain the main invariant for configurations
    
    Once visible, configuration structures must *never* change.
    
    Spell that out in a comment to help future readers/contributors
    understand the design.
    
    Reviewed by:    bapt
    MFC after:      1 month
    Sponsored by:   The FreeBSD Foundation
    Pull Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
---
 sys/security/mac_do/mac_do.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
index 125054d15423..4e7a65ae2cae 100644
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -210,6 +210,11 @@ struct exec_paths {
 	int exec_path_count;
 };
 
+/*
+ * Once in use, i.e., being pointed to by a jail, a configuration structure MUST
+ * NEVER CHANGE (except for the 'use_count' field).  This invariant is
+ * fundamental to correctness!
+ */
 struct conf {
 	struct rules rules;
 	struct exec_paths exec_paths;