git: ae2ee5470d9d - stable/14 - MAC/do: Remove the 'prison0' special cases in the common paths
Date: Thu, 03 Apr 2025 19:32:06 UTC
The branch stable/14 has been updated by olce:
URL: https://cgit.FreeBSD.org/src/commit/?id=ae2ee5470d9d0630d8f03c3ea4e4b2852a33d055
commit ae2ee5470d9d0630d8f03c3ea4e4b2852a33d055
Author: Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2024-07-03 13:23:26 +0000
Commit: Olivier Certner <olce@FreeBSD.org>
CommitDate: 2025-04-03 19:30:59 +0000
MAC/do: Remove the 'prison0' special cases in the common paths
The rules on 'prison0' are initialized in init(), now using
set_empty_rules().
Until the jail is destroyed, they can never be uninitialized by a call
to osd_jail_del(), since the only chain to call it is
mac_do_prison_set() -> remove_rules() -> osd_jail_del(), and
mac_do_prison_set() (method PR_METHOD_SET) can never be called on
'prison0'. This guarantees that find_rules() always finds a valid
'rules' pointer to return.
There's no need to do anything special in destroy() for 'prison0', as
osd_jail_deregister() now takes care of it.
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47603
(cherry picked from commit beb5603c51e0323e267ceff8f83b3c95151f0822)
---
sys/security/mac_do/mac_do.c | 27 ++++++++++-----------------
1 file changed, 10 insertions(+), 17 deletions(-)
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
index 787790cb2b34..8ce84d7ba099 100644
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -58,8 +58,6 @@ struct rules {
TAILQ_HEAD(rulehead, rule) head;
};
-static struct rules *rules0;
-
static void
toast_rules(struct rules *const rules)
{
@@ -204,19 +202,20 @@ out:
static struct rules *
find_rules(struct prison *const pr, struct prison **const aprp)
{
- struct prison *cpr;
+ struct prison *cpr, *ppr;
struct rules *rules;
- for (cpr = pr;; cpr = cpr->pr_parent) {
+ cpr = pr;
+ for (;;) {
prison_lock(cpr);
- if (cpr == &prison0) {
- rules = rules0;
- break;
- }
rules = osd_jail_get(cpr, mac_do_osd_jail_slot);
if (rules != NULL)
break;
prison_unlock(cpr);
+
+ ppr = cpr->pr_parent;
+ MPASS(ppr != NULL); /* prison0 always has rules. */
+ cpr = ppr;
}
*aprp = cpr;
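Review bot: The comment on the MPASS after `ppr = cpr->pr_parent` states the invariant but not why it holds, and MPASS compiles out on kernels built without INVARIANTS, so a NULL parent would reach `prison_lock(cpr)` on the next iteration rather than trip the assertion. The commit message carries the justification (prison0's rules are created in init() and PR_METHOD_SET is never invoked on prison0, so osd_jail_del() never runs for it); suggest folding it into the comment so the next reader does not have to dig through history: `/* prison0 always has rules: set in init() and never removed, as PR_METHOD_SET is never called on it. */`. Note also that `pr_parent` is read after `prison_unlock(cpr)`, as in the old loop, which presumably relies on pr_parent being fixed for the prison's lifetime. find_rules() continues past the end of the hunk.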
@@ -265,13 +264,8 @@ set_rules(struct prison *const pr, struct rules *const rules)
rsv = osd_reserve(mac_do_osd_jail_slot);
prison_lock(pr);
- if (pr == &prison0) {
- old_rules = rules0;
- rules0 = rules;
- } else {
- old_rules = osd_jail_get(pr, mac_do_osd_jail_slot);
- osd_jail_set_reserved(pr, mac_do_osd_jail_slot, rsv, rules);
- }
+ old_rules = osd_jail_get(pr, mac_do_osd_jail_slot);
+ osd_jail_set_reserved(pr, mac_do_osd_jail_slot, rsv, rules);
prison_unlock(pr);
if (old_rules != NULL)
toast_rules(old_rules);
@@ -339,7 +333,6 @@ static void
destroy(struct mac_policy_conf *mpc)
{
osd_jail_deregister(mac_do_osd_jail_slot);
- toast_rules(rules0);
}
static int
@@ -452,7 +445,7 @@ init(struct mac_policy_conf *mpc)
struct prison *pr;
mac_do_osd_jail_slot = osd_jail_register(dealloc_osd, osd_methods);
- rules0 = alloc_rules();
+ set_empty_rules(&prison0);
sx_slock(&allprison_lock);
TAILQ_FOREACH(pr, &allprison, pr_list)
set_empty_rules(pr);