git: 3f3b53e68a7b - main - jail(3): fix common usage after mac.label support

From: Kyle Evans <kevans_at_FreeBSD.org>
Date: Tue, 20 Jan 2026 02:57:59 UTC
The branch main has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=3f3b53e68a7b2f9319ee1fdac82b511c9f9f22d7

commit 3f3b53e68a7b2f9319ee1fdac82b511c9f9f22d7
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2026-01-20 02:57:42 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2026-01-20 02:57:42 +0000

    jail(3): fix common usage after mac.label support
    
    Nobody else's mac.conf(5) has any entries for jails, so they get a
    trivial ENOENT and we fail before we can fetch any jail parameters.
    Most notably, this breaks `jls -s` / `jls -n` if you do not have any
    loaded policy that applies jail labels.
    
    Add an entry that works for everyone, and hardcode that as an ENOENT
    fallback in libjail to provide a smoother transition.  This is probably
    not harmful to leave in long-term, since mac.conf(5) will override it.
    
    This unearthed one additional issue, in that mac_get_prison() in the
    MAC framework handled the no-label-policies bit wrong.  We don't want
    to break jail utilities enumerating jail parameters automatically, so
    we must ingest the label in all cases -- we can still use it as a small
    optimization to avoid trying to copy out any label.  We will break
    things if a non-optional element is specified in the copied in label,
    but that's expected.
    
    The APIs dedicated to jaildescs remain unfazed, since they won't be
    used in the same way.
    
    Fixes:  db3b39f063d9f05 ("libjail: extend struct handlers [...]")
    Fixes:  bd55cbb50c58876 ("kern: add a mac.label jail parameter")
    Reported by:    jlduran (on behalf of Jenkins)
    Reviewed by:    jlduran
    Differential Revision:  https://reviews.freebsd.org/D54786
---
 lib/libc/posix1e/mac.conf       |  1 +
 lib/libc/posix1e/mac.conf.5     |  3 ++-
 lib/libjail/jail.c              | 15 +++++++++------
 sys/security/mac/mac_syscalls.c |  8 ++------
 4 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/lib/libc/posix1e/mac.conf b/lib/libc/posix1e/mac.conf
index 011143abf073..7da9bb8a9638 100644
--- a/lib/libc/posix1e/mac.conf
+++ b/lib/libc/posix1e/mac.conf
@@ -12,6 +12,7 @@
 
 default_labels file ?biba,?lomac,?mls,?sebsd
 default_labels ifnet ?biba,?lomac,?mls,?sebsd
+default_labels jail ?
 default_labels process ?biba,?lomac,?mls,?partition,?sebsd
 default_labels socket ?biba,?lomac,?mls
 
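Review bot: The new `default_labels jail ?` line carries no comment, and a bare `?` with no policy name is unlike every other entry in this file. A short comment such as `# jail: no policy elements by default; the bare "?" requests an empty, optional label` would tell an administrator editing the file why it is there (wording inferred from the commit message, please confirm). The copy of this line in the mac.conf.5 example sits between `file` and `ifnet` rather than after `ifnet` as here, so the documented example no longer mirrors the shipped file. That man page's date line also reads `.Dd January 19. 2026`, with a period where mdoc expects a comma.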
diff --git a/lib/libc/posix1e/mac.conf.5 b/lib/libc/posix1e/mac.conf.5
index 98aa62dd83a7..99d75584a0d7 100644
--- a/lib/libc/posix1e/mac.conf.5
+++ b/lib/libc/posix1e/mac.conf.5
@@ -27,7 +27,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd July 25, 2015
+.Dd January 19. 2026
 .Dt MAC.CONF 5
 .Os
 .Sh NAME
@@ -79,6 +79,7 @@ and
 # Default label set to be used by simple MAC applications
 
 default_labels file ?biba,?lomac,?mls,?sebsd
+default_labels jail ?
 default_labels ifnet ?biba,?lomac,?mls,?sebsd
 default_labels process ?biba,?lomac,?mls,?partition,?sebsd
 default_labels socket ?biba,?lomac,?mls
diff --git a/lib/libjail/jail.c b/lib/libjail/jail.c
index 75fd411c70c8..baabeb4afed9 100644
--- a/lib/libjail/jail.c
+++ b/lib/libjail/jail.c
@@ -1436,18 +1436,21 @@ jps_get_mac_label(struct jailparam *jp, struct iovec *jiov)
 	int error;
 
 	error = mac_prepare_type(pmac, "jail");
+	if (error != 0 && errno == ENOENT) {
+		/*
+		 * We special-case the scenario where a system has a custom
+		 * mac.conf(5) that doesn't include a jail entry -- just let
+		 * an empty label slide.
+		 */
+		error = mac_prepare(pmac, "?");
+	}
 	if (error != 0) {
 		int serrno = errno;
 
 		free(jp->jp_value);
 		jp->jp_value = NULL;
-		if (serrno == ENOENT) {
-			snprintf(jail_errmsg, sizeof(jail_errmsg),
-			    "jail_get: no mac.conf(5) jail config");
-		} else {
-			strerror_r(serrno, jail_errmsg, JAIL_ERRMSGLEN);
-		}
 
+		strerror_r(serrno, jail_errmsg, JAIL_ERRMSGLEN);
 		errno = serrno;
 		return (-1);
 	}
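Review bot: The ENOENT fallback in jps_get_mac_label() hardcodes `"?"`, duplicating the `default_labels jail ?` entry this commit adds to mac.conf, and the comment does not say what a caller then receives. As far as the hunk shows, a system whose mac.conf(5) lacks a jail entry now gets an empty mac.label instead of an error, which presumably reads the same as an unlabeled jail even when a loaded policy does label jails. That is worth stating in the comment, e.g. `* The resulting label is empty regardless of loaded policies; add a jail entry to mac.conf(5) to see policy labels.` A named constant for the fallback string would keep it from drifting away from the shipped default. The function begins before and continues after this hunk, so whether the remaining code copes with an empty label is not visible here.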
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 1035c6dbb84b..9bafa6d30c36 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -331,18 +331,14 @@ mac_get_prison(struct thread *const td, struct prison *pr,
 		goto out_nomac;
 	}
 
-	if (!(mac_labeled & MPC_OBJECT_PRISON)) {
-		error = EINVAL;
-		goto out;
-	}
-
 	intlabel = mac_prison_label_alloc(M_NOWAIT);
 	if (intlabel == NULL) {
 		error = ENOMEM;
 		goto out;
 	}
 
-	mac_prison_copy_label(pr->pr_label, intlabel);
+	if ((mac_labeled & MPC_OBJECT_PRISON) != 0)
+		mac_prison_copy_label(pr->pr_label, intlabel);
 
 	/*
 	 * Externalization may want to acquire an rmlock.  We already tapped out
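Review bot: The now-conditional `mac_prison_copy_label()` call has no comment explaining why an uncopied `intlabel` is still carried through externalization when `MPC_OBJECT_PRISON` is not set in `mac_labeled`. The commit message gives the reason (the requested label must still be processed so that optional elements succeed and non-optional ones fail), and a comment above the `if` such as `/* No policy labels prisons: skip the copy, but still externalize so the request is validated. */` would keep a later cleanup from restoring the early `EINVAL` return. This relies on `mac_prison_label_alloc()` returning a label that is safe to externalize without a copy, and on the error for a non-optional element now coming from the externalization path; both lie outside the hunk and should be confirmed. mac_get_prison() starts before and ends after the visible lines.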