git: 7d4c0fac8c7d - main - MAC: mac_biba, mac_lomac: Fix setting loader tunables
Date: Sun, 09 Feb 2025 15:55:21 UTC
The branch main has been updated by zlei:
URL: https://cgit.FreeBSD.org/src/commit/?id=7d4c0fac8c7db9c5741ba98a8b3ce3c43feb1cf4
commit 7d4c0fac8c7db9c5741ba98a8b3ce3c43feb1cf4
Author: Zhenlei Huang <zlei@FreeBSD.org>
AuthorDate: 2025-02-09 15:53:29 +0000
Commit: Zhenlei Huang <zlei@FreeBSD.org>
CommitDate: 2025-02-09 15:53:29 +0000
MAC: mac_biba, mac_lomac: Fix setting loader tunables
A string loader tunable requires setting the len parameter to a nonzero
value, typically the size of the string, to have the flag CTLFLAG_TUN
work correctly [1] [2].
Without this fix security.mac.{biba,lomac}.trusted_interfaces would
have no effect at all.
[1] 3da1cf1e88f8 Extend the meaning of the CTLFLAG_TUN flag to automatically ...
[2] 6a3287f889b0 Fix regression issue after r267961. Handle special string case ...
Reviewed by: olce, kib
Fixes: af3b2549c4ba Pull in r267961 and r267973 again ...
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D48898
---
sys/security/mac_biba/mac_biba.c | 3 ++-
sys/security/mac_lomac/mac_lomac.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index e991e05311df..aac7a0545ab8 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -110,7 +110,8 @@ SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RDTUN,
static char trusted_interfaces[128];
SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RDTUN,
- trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba");
+ trusted_interfaces, sizeof(trusted_interfaces),
+ "Interfaces considered 'trusted' by MAC/Biba");
static int max_compartments = MAC_BIBA_MAX_COMPARTMENTS;
SYSCTL_INT(_security_mac_biba, OID_AUTO, max_compartments, CTLFLAG_RD,
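Review bot: With the length on the trusted_interfaces SYSCTL_STRING now sizeof(trusted_interfaces), the tunable is bounded by the 128-byte buffer, so a loader value longer than 127 characters cannot be stored whole. Because this string is a list of interfaces the policy treats as trusted, please confirm how an overlong value is handled and whether a list that ends mid-name is rejected or at least logged. A one-line comment above the declaration stating that CTLFLAG_RDTUN on a string needs a nonzero len would help keep the 0 from being reintroduced.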
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 23acc7b7a592..23a996469bc0 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -111,7 +111,8 @@ SYSCTL_INT(_security_mac_lomac, OID_AUTO, trust_all_interfaces, CTLFLAG_RDTUN,
static char trusted_interfaces[128];
SYSCTL_STRING(_security_mac_lomac, OID_AUTO, trusted_interfaces, CTLFLAG_RDTUN,
- trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/LOMAC");
+ trusted_interfaces, sizeof(trusted_interfaces),
+ "Interfaces considered 'trusted' by MAC/LOMAC");
static int ptys_equal = 0;
SYSCTL_INT(_security_mac_lomac, OID_AUTO, ptys_equal, CTLFLAG_RWTUN,
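Review bot: The mac_lomac trusted_interfaces declaration carried the same len of 0 as the mac_biba one, which points to a copied pattern; it would be worth checking in this review whether any other SYSCTL_STRING combines a CTLFLAG_*TUN flag with a length of 0. Since the commit message says security.mac.{biba,lomac}.trusted_interfaces had no effect before, a system that already sets it in the loader configuration will start trusting those interfaces once this lands (and after the MFC), so a release note or manual page mention of the behaviour change seems warranted.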