kern: mac: add a prison_cleanup entry point
The MAC framework provides a lot of useful functionality that can be configured per-jail without requiring the use of labels. Having another entry point that we invoke just for general prison cleanup rather than freeing the label is useful to allow a module that can otherwise work off of a series of MAC entry points + sysctls for configuration to free its per-jail configuration without having to bring in osd(9). One such example in the wild is HardenedBSD's secadm, but some of my own personal use had wanted it as well- it was simply overlooked in the final version because my first policy made more sense with labels. On that note, it's expected that prison_cleanup and prison_destroy_label will effectively be mutually exclusive -- the former only used when a label isn't needed, the latter when it is. Note that prison_cleanup isn't perfectly symmetrical w.r.t. prison_created: the latter takes a label as well, because it's called later in jail setup and a better point for propagation than when the label is created. As discussed with olce@, we may want to later revisit the notion that struct labels get passed around explicitly along with the referenced object and consider stripping them from all entry points in favor of an object -> label accessor or something. __FreeBSD_version bumped to force a rebuild of MAC policies. Reviewed by: olce Differential Revision: https://reviews.freebsd.org/D54833
@@ -436,6 +436,8 @@ typedef int (*mpo_prison_check_remove_t)(struct ucred *cred,
|
||||
struct prison *pr, struct label *prlabel);
|
||||
typedef void (*mpo_prison_created_t)(struct ucred *cred,
|
||||
struct prison *pr, struct label *prlabel);
|
||||
typedef void (*mpo_prison_cleanup_t)(struct ucred *cred,
|
||||
struct prison *pr);
|
||||
typedef void (*mpo_prison_attached_t)(struct ucred *cred,
|
||||
struct prison *pr, struct label *prlabel, struct proc *p,
|
||||
struct label *proclabel);
|
||||
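Review bot: The new `mpo_prison_cleanup_t` typedef carries no comment saying when the hook runs or how it relates to prison_destroy_label, even though the commit description explains both (label-free counterpart, expected to be mutually exclusive, not symmetrical with prison_created because no label is passed). This header is the contract policy authors read, so the constraint should live here rather than only in the commit message. I would add above the typedef: `/* Called from mac_prison_destroy() before the prison label is freed, for policies that keep per-jail state without labels; runs with pr->pr_mtx held via the NOSLEEP path, so the hook may not sleep. */` The "pr_mtx held, no sleep" part is traceable to the mtx_assert and MAC_POLICY_PERFORM_NOSLEEP call in the mac_prison_destroy hunk below; the same one-line note applies to the `mpo_prison_cleanup` member added to struct mac_policy_ops in the next hunk.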
@@ -909,6 +911,7 @@ struct mac_policy_ops {
|
||||
mpo_prison_check_set_t mpo_prison_check_set;
|
||||
mpo_prison_check_remove_t mpo_prison_check_remove;
|
||||
mpo_prison_created_t mpo_prison_created;
|
||||
mpo_prison_cleanup_t mpo_prison_cleanup;
|
||||
mpo_prison_attached_t mpo_prison_attached;
|
||||
|
||||
mpo_priv_check_t mpo_priv_check;
|
||||
|
||||
@@ -94,6 +94,9 @@ void
|
||||
mac_prison_destroy(struct prison *pr)
|
||||
{
|
||||
mtx_assert(&pr->pr_mtx, MA_OWNED);
|
||||
|
||||
/* Symmetry with prison_created */
|
||||
MAC_POLICY_PERFORM_NOSLEEP(prison_cleanup, curthread->td_ucred, pr);
|
||||
mac_prison_label_free(pr->pr_label);
|
||||
pr->pr_label = NULL;
|
||||
}
|
||||
|
||||
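Review bot: The new `MAC_POLICY_PERFORM_NOSLEEP(prison_cleanup, curthread->td_ucred, pr);` runs with pr->pr_mtx held (asserted two lines above) and in a no-sleep context, which constrains what a policy may do in its cleanup hook — releasing per-jail configuration with a blocking allocation flag or taking a sleepable lock there would be a locking bug, and nothing in this hunk or the typedef tells policy authors that. The `/* Symmetry with prison_created */` comment also overstates things: the commit description itself says prison_cleanup is not perfectly symmetrical (no label is passed), so I would reword it to `/* Counterpart of prison_created for label-less policies: drop per-jail state before the label is freed; pr_mtx is held, do not sleep. */`. One more hedged point: the cred handed to the hook is curthread->td_ucred, i.e. whoever is running when the prison is torn down, not necessarily the jail's creator, so a policy that keys its per-jail state on the cred rather than on pr would presumably misbehave — worth a word in the comment or in mac_policy(9).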
@@ -914,6 +914,12 @@ stub_prison_created(struct ucred *cred, struct prison *pr,
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_prison_cleanup(struct ucred *cred, struct prison *pr)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_prison_attached(struct ucred *cred, struct prison *pr,
|
||||
struct label *prlabel, struct proc *p, struct label *proclabel)
|
||||
@@ -1923,6 +1929,7 @@ static struct mac_policy_ops stub_ops =
|
||||
.mpo_prison_check_set = stub_prison_check_set,
|
||||
.mpo_prison_check_remove = stub_prison_check_remove,
|
||||
.mpo_prison_created = stub_prison_created,
|
||||
.mpo_prison_cleanup = stub_prison_cleanup,
|
||||
.mpo_prison_attached = stub_prison_attached,
|
||||
|
||||
.mpo_priv_check = stub_priv_check,
|
||||
|
||||
@@ -1737,6 +1737,14 @@ test_prison_created(struct ucred *cred, struct prison *pr,
|
||||
COUNTER_INC(prison_created);
|
||||
}
|
||||
|
||||
COUNTER_DECL(prison_cleanup);
|
||||
static void
|
||||
test_prison_cleanup(struct ucred *cred, struct prison *pr)
|
||||
{
|
||||
|
||||
COUNTER_INC(prison_cleanup);
|
||||
}
|
||||
|
||||
COUNTER_DECL(prison_attached);
|
||||
static void
|
||||
test_prison_attached(struct ucred *cred, struct prison *pr,
|
||||
@@ -3378,6 +3386,7 @@ static struct mac_policy_ops test_ops =
|
||||
.mpo_prison_check_set = test_prison_check_set,
|
||||
.mpo_prison_check_remove = test_prison_check_remove,
|
||||
.mpo_prison_created = test_prison_created,
|
||||
.mpo_prison_cleanup = test_prison_cleanup,
|
||||
.mpo_prison_attached = test_prison_attached,
|
||||
|
||||
.mpo_proc_check_debug = test_proc_check_debug,
|
||||
|
||||
+1
-1
@@ -74,7 +74,7 @@
|
||||
* cannot include sys/param.h and should only be updated here.
|
||||
*/
|
||||
#undef __FreeBSD_version
|
||||
#define __FreeBSD_version 1600011
|
||||
#define __FreeBSD_version 1600012
|
||||
|
||||
/*
|
||||
* __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD,
|
||||
|
||||