diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 0078138d472..a080d8cc4b8 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -436,6 +436,8 @@ typedef int (*mpo_prison_check_remove_t)(struct ucred *cred,
 struct prison *pr, struct label *prlabel);
 typedef void (*mpo_prison_created_t)(struct ucred *cred,
 struct prison *pr, struct label *prlabel);
+typedef void (*mpo_prison_cleanup_t)(struct ucred *cred,
+ struct prison *pr);
 typedef void (*mpo_prison_attached_t)(struct ucred *cred,
 struct prison *pr, struct label *prlabel,
 struct proc *p, struct label *proclabel);
@@ -909,6 +911,7 @@ struct mac_policy_ops {
 mpo_prison_check_set_t mpo_prison_check_set;
 mpo_prison_check_remove_t mpo_prison_check_remove;
 mpo_prison_created_t mpo_prison_created;
+ mpo_prison_cleanup_t mpo_prison_cleanup;
 mpo_prison_attached_t mpo_prison_attached;

 mpo_priv_check_t mpo_priv_check;
diff --git a/sys/security/mac/mac_prison.c b/sys/security/mac/mac_prison.c
index 68ffd7a3cda..810160994f7 100644
--- a/sys/security/mac/mac_prison.c
+++ b/sys/security/mac/mac_prison.c
@@ -94,6 +94,9 @@ void
 mac_prison_destroy(struct prison *pr)
 {
 mtx_assert(&pr->pr_mtx, MA_OWNED);
+
+ /* Symmetry with prison_created */
+ MAC_POLICY_PERFORM_NOSLEEP(prison_cleanup, curthread->td_ucred, pr);
 mac_prison_label_free(pr->pr_label);
 pr->pr_label = NULL;
 }
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 4a567c68b2b..1e122030025 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -914,6 +914,12 @@ stub_prison_created(struct ucred *cred, struct prison *pr,

 }

+static void
+stub_prison_cleanup(struct ucred *cred, struct prison *pr)
+{
+
+}
+
 static void
 stub_prison_attached(struct ucred *cred, struct prison *pr,
 struct label *prlabel, struct proc *p, struct label *proclabel)
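Review bot: `mpo_prison_cleanup_t` in the `@@ -436` hunk of mac_policy.h is the only prison hook shown here that does not receive `struct label *prlabel`, and nothing on the typedef says why or under what conditions it runs. Going by the mac_prison.c hunk, it is invoked from `mac_prison_destroy()` with `pr_mtx` held and immediately before `pr->pr_label` is freed, so a policy can still read the label through `pr` but must not sleep or keep the pointer. I would either pass the label for consistency with its neighbours, `typedef void (*mpo_prison_cleanup_t)(struct ucred *cred, struct prison *pr, struct label *prlabel);`, or add a comment above the typedef stating that contract.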
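Review bot: The new `mpo_prison_cleanup` member is inserted in the middle of `struct mac_policy_ops` (`@@ -909` hunk), which shifts the offset of every hook declared after it, including `mpo_priv_check` and the other access-control entry points. A policy module built against the old header would have its hooks dispatched through the wrong slots if it is still allowed to load. The diff bumps `__FreeBSD_version` in sys/sys/param.h but shows no change to the MAC framework's own ABI version; if policy modules are still gated on `MAC_VERSION`, that probably needs bumping in the same commit, otherwise please confirm that stale modules are rejected by some other check. The struct definition starts and ends outside this hunk.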
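Review bot: The credential handed to the hook in `mac_prison_destroy()` is `curthread->td_ucred`, which is whichever thread happens to release the prison rather than the subject that created or owns the jail, so a policy that keys state or audit records on `cred` will attribute the teardown to an arbitrary subject. The one-line comment should state the contract instead, e.g. `/* Let policies drop per-prison state before the label is freed; pr_mtx is held (no sleeping) and cred is only the thread performing the teardown. */`. The "symmetry" also holds only if every path into this function is for a prison that already went through `prison_created`; the callers are outside this diff, so if an error path during jail creation can reach here first, policies would see a cleanup with no matching created and must tolerate it.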
@@ -1923,6 +1929,7 @@ static struct mac_policy_ops stub_ops =
 .mpo_prison_check_set = stub_prison_check_set,
 .mpo_prison_check_remove = stub_prison_check_remove,
 .mpo_prison_created = stub_prison_created,
+ .mpo_prison_cleanup = stub_prison_cleanup,
 .mpo_prison_attached = stub_prison_attached,

 .mpo_priv_check = stub_priv_check,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 47dd7d1326a..f16073cfdf7 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1737,6 +1737,14 @@ test_prison_created(struct ucred *cred, struct prison *pr,
 COUNTER_INC(prison_created);
 }

+COUNTER_DECL(prison_cleanup);
+static void
+test_prison_cleanup(struct ucred *cred, struct prison *pr)
+{
+
+ COUNTER_INC(prison_cleanup);
+}
+
 COUNTER_DECL(prison_attached);
 static void
 test_prison_attached(struct ucred *cred, struct prison *pr,
@@ -3378,6 +3386,7 @@ static struct mac_policy_ops test_ops =
 .mpo_prison_check_set = test_prison_check_set,
 .mpo_prison_check_remove = test_prison_check_remove,
 .mpo_prison_created = test_prison_created,
+ .mpo_prison_cleanup = test_prison_cleanup,
 .mpo_prison_attached = test_prison_attached,

 .mpo_proc_check_debug = test_proc_check_debug,
diff --git a/sys/sys/param.h b/sys/sys/param.h
index 27e8e0f14e7..99c1af5e55b 100644
--- a/sys/sys/param.h
+++ b/sys/sys/param.h
@@ -74,7 +74,7 @@
 * cannot include sys/param.h and should only be updated here.
 */
 #undef __FreeBSD_version
-#define __FreeBSD_version 1600011
+#define __FreeBSD_version 1600012

 /*
 * __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD,
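Review bot: `test_prison_cleanup()` in the `@@ -1737` hunk of mac_test.c only bumps its counter, so the test policy never verifies the one ordering guarantee the new hook depends on: that the credential and prison labels are still valid when it fires from `mac_prison_destroy()`. Assuming this file's usual label-validation macro applies here, add `LABEL_CHECK(cred->cr_label, MAGIC_CRED);` and the equivalent check on `pr->pr_label` with the file's prison magic before `COUNTER_INC(prison_cleanup);`. That would catch a later reordering that frees the label before the hook runs.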