git: 3c77f39d2ae6 - stable/14 - MAC/do: Sysctl knobs/jail parameters under MAC's common nodes
Date: Thu, 03 Apr 2025 19:32:11 UTC
The branch stable/14 has been updated by olce:
URL: https://cgit.FreeBSD.org/src/commit/?id=3c77f39d2ae647114b6ad4c5b108387f3c6818c1
commit 3c77f39d2ae647114b6ad4c5b108387f3c6818c1
Author: Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2024-07-04 09:51:00 +0000
Commit: Olivier Certner <olce@FreeBSD.org>
CommitDate: 2025-04-03 19:31:00 +0000
MAC/do: Sysctl knobs/jail parameters under MAC's common nodes
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47608
(cherry picked from commit f3a06ced25681b6da40c652203f882ba18be227d)
---
sys/security/mac_do/mac_do.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
index a57c29c407b8..6f68a6f62a79 100644
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -23,8 +23,6 @@
#include <security/mac/mac_policy.h>
-SYSCTL_DECL(_security_mac);
-
static SYSCTL_NODE(_security_mac, OID_AUTO, do,
CTLFLAG_RW|CTLFLAG_MPSAFE, 0, "mac_do policy controls");
@@ -338,8 +336,8 @@ SYSCTL_PROC(_security_mac_do, OID_AUTO, rules,
"Rules");
-SYSCTL_JAIL_PARAM_SYS_NODE(mdo, CTLFLAG_RW, "Jail MAC/do parameters");
-SYSCTL_JAIL_PARAM_STRING(_mdo, rules, CTLFLAG_RW, MAC_RULE_STRING_LEN,
+SYSCTL_JAIL_PARAM_SYS_SUBNODE(mac, do, CTLFLAG_RW, "Jail MAC/do parameters");
+SYSCTL_JAIL_PARAM_STRING(_mac_do, rules, CTLFLAG_RW, MAC_RULE_STRING_LEN,
"Jail MAC/do rules");
@@ -361,10 +359,10 @@ mac_do_jail_get(void *obj, void *data)
int jsys, error;
rules = find_rules(pr, &ppr);
- error = vfs_setopt(opts, "mdo", &jsys, sizeof(jsys));
+ error = vfs_setopt(opts, "mac.do", &jsys, sizeof(jsys));
if (error != 0 && error != ENOENT)
goto done;
- error = vfs_setopts(opts, "mdo.rules", rules->string);
+ error = vfs_setopts(opts, "mac.do.rules", rules->string);
if (error != 0 && error != ENOENT)
goto done;
prison_unlock(ppr);
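Review bot: In mac_do_jail_get, `jsys` is declared but nothing in the visible lines assigns it before `vfs_setopt(opts, "mac.do", &jsys, sizeof(jsys))` copies it into the option list. The value reported for `mac.do` would then be whatever was on the kernel stack, which is both a wrong answer and a possible disclosure of stack contents to the jail_get caller; the rename carries this over unchanged. Assign it right after `find_rules()`, for example `jsys = pr == ppr ? JAIL_SYS_NEW : JAIL_SYS_INHERIT;`, assuming `ppr` is the prison that owns the rules (inferred from `prison_unlock(ppr)`; confirm against find_rules). The function starts and ends outside this hunk, so an assignment elsewhere cannot be ruled out from here.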
@@ -380,14 +378,14 @@ mac_do_jail_check(void *obj, void *data)
char *rules_string;
int error, jsys, len;
- error = vfs_copyopt(opts, "mdo", &jsys, sizeof(jsys));
+ error = vfs_copyopt(opts, "mac.do", &jsys, sizeof(jsys));
if (error != ENOENT) {
if (error != 0)
return (error);
if (jsys != JAIL_SYS_NEW && jsys != JAIL_SYS_INHERIT)
return (EINVAL);
}
- error = vfs_getopt(opts, "mdo.rules", (void **)&rules_string, &len);
+ error = vfs_getopt(opts, "mac.do.rules", (void **)&rules_string, &len);
if (error != ENOENT) {
if (error != 0)
return (error);
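Review bot: The parameter names are now string literals repeated six times across mac_do_jail_get, mac_do_jail_check and mac_do_jail_set, and they must also match what `SYSCTL_JAIL_PARAM_SYS_SUBNODE(mac, do, ...)` and `SYSCTL_JAIL_PARAM_STRING(_mac_do, rules, ...)` register. Every lookup treats ENOENT as "parameter not supplied", so a mismatch in one literal would not raise an error; in this function it would silently skip validation of the supplied value. Consider defining the names once, e.g. `#define MAC_DO_JAIL_PARAM "mac.do"` and `#define MAC_DO_JAIL_PARAM_RULES MAC_DO_JAIL_PARAM ".rules"` (suggested names), and using them in all three hooks. mac_do_jail_check continues past the end of this hunk.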
@@ -409,10 +407,10 @@ mac_do_jail_set(void *obj, void *data)
char *rules_string;
int error, jsys, len;
- error = vfs_copyopt(opts, "mdo", &jsys, sizeof(jsys));
+ error = vfs_copyopt(opts, "mac.do", &jsys, sizeof(jsys));
if (error == ENOENT)
jsys = -1;
- error = vfs_getopt(opts, "mdo.rules", (void **)&rules_string, &len);
+ error = vfs_getopt(opts, "mac.do.rules", (void **)&rules_string, &len);
if (error == ENOENT)
rules_string = "";
else
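Review bot: In mac_do_jail_set the result of `vfs_copyopt(opts, "mac.do", ...)` is only compared with ENOENT and is then overwritten by the following `vfs_getopt` call, so any other failure leaves `jsys` unassigned and unreported. This is harmless only if mac_do_jail_check is guaranteed to have run on the same option list first, which this hunk does not show. Either propagate the error, `else if (error != 0) return (error);`, or add a comment or KASSERT stating that the check hook has already validated the option. The function body continues outside the hunk.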