diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c index 125054d1542..4e7a65ae2ca 100644 --- a/sys/security/mac_do/mac_do.c +++ b/sys/security/mac_do/mac_do.c @@ -210,6 +210,11 @@ struct exec_paths { int exec_path_count; }; +/* + * Once in use, i.e., being pointed to by a jail, a configuration structure MUST + * NEVER CHANGE (except for the 'use_count' field). This invariant is + * fundamental to correctness! + */ struct conf { struct rules rules; struct exec_paths exec_paths;