jail(3): fix common usage after mac.label support
Nobody else's mac.conf(5) has any entries for jails, so they get a trivial ENOENT and we fail before we can fetch any jail parameters. Most notably, this breaks `jls -s` / `jls -n` if you do not have any loaded policy that applies jail labels. Add an entry that works for everyone, and hardcode that as an ENOENT fallback in libjail to provide a smoother transition. This is probably not harmful to leave in long-term, since mac.conf(5) will override it. This unearthed one additional issue, in that mac_get_prison() in the MAC framework handled the no-label-policies bit wrong. We don't want to break jail utilities enumerating jail parameters automatically, so we must ingest the label in all cases -- we can still use it as a small optimization to avoid trying to copy out any label. We will break things if a non-optional element is specified in the copied in label, but that's expected. The APIs dedicated to jaildescs remain unphased, since they won't be used in the same way. Fixes:db3b39f063("libjail: extend struct handlers [...]") Fixes:bd55cbb50c("kern: add a mac.label jail parameter") Reported by: jlduran (on behalf of Jenkins) Reviewed by: jlduran Differential Revision: https://reviews.freebsd.org/D54786
This commit is contained in:
@@ -12,6 +12,7 @@
|
||||
|
||||
default_labels file ?biba,?lomac,?mls,?sebsd
|
||||
default_labels ifnet ?biba,?lomac,?mls,?sebsd
|
||||
default_labels jail ?
|
||||
default_labels process ?biba,?lomac,?mls,?partition,?sebsd
|
||||
default_labels socket ?biba,?lomac,?mls
|
||||
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd July 25, 2015
|
||||
.Dd January 19. 2026
|
||||
.Dt MAC.CONF 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@@ -79,6 +79,7 @@ and
|
||||
# Default label set to be used by simple MAC applications
|
||||
|
||||
default_labels file ?biba,?lomac,?mls,?sebsd
|
||||
default_labels jail ?
|
||||
default_labels ifnet ?biba,?lomac,?mls,?sebsd
|
||||
default_labels process ?biba,?lomac,?mls,?partition,?sebsd
|
||||
default_labels socket ?biba,?lomac,?mls
|
||||
|
||||
+9
-6
@@ -1436,18 +1436,21 @@ jps_get_mac_label(struct jailparam *jp, struct iovec *jiov)
|
||||
int error;
|
||||
|
||||
error = mac_prepare_type(pmac, "jail");
|
||||
if (error != 0 && errno == ENOENT) {
|
||||
/*
|
||||
* We special-case the scenario where a system has a custom
|
||||
* mac.conf(5) that doesn't include a jail entry -- just let
|
||||
* an empty label slide.
|
||||
*/
|
||||
error = mac_prepare(pmac, "?");
|
||||
}
|
||||
if (error != 0) {
|
||||
int serrno = errno;
|
||||
|
||||
free(jp->jp_value);
|
||||
jp->jp_value = NULL;
|
||||
if (serrno == ENOENT) {
|
||||
snprintf(jail_errmsg, sizeof(jail_errmsg),
|
||||
"jail_get: no mac.conf(5) jail config");
|
||||
} else {
|
||||
strerror_r(serrno, jail_errmsg, JAIL_ERRMSGLEN);
|
||||
}
|
||||
|
||||
strerror_r(serrno, jail_errmsg, JAIL_ERRMSGLEN);
|
||||
errno = serrno;
|
||||
return (-1);
|
||||
}
|
||||
|
||||
@@ -331,18 +331,14 @@ mac_get_prison(struct thread *const td, struct prison *pr,
|
||||
goto out_nomac;
|
||||
}
|
||||
|
||||
if (!(mac_labeled & MPC_OBJECT_PRISON)) {
|
||||
error = EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
intlabel = mac_prison_label_alloc(M_NOWAIT);
|
||||
if (intlabel == NULL) {
|
||||
error = ENOMEM;
|
||||
goto out;
|
||||
}
|
||||
|
||||
mac_prison_copy_label(pr->pr_label, intlabel);
|
||||
if ((mac_labeled & MPC_OBJECT_PRISON) != 0)
|
||||
mac_prison_copy_label(pr->pr_label, intlabel);
|
||||
|
||||
/*
|
||||
* Externalization may want to acquire an rmlock. We already tapped out
|
||||
|
||||
Reference in New Issue
Block a user