MAC/do: parse_and_set_conf(): Obey empty parameters; Add doc
parse_and_set_conf() is meant to be used in all situations when there is
a need to set or modify some jail's MAC/do configuration. This entails
passing the information of whether some parameter was explicitly
specified. For example, an administrator setting/modifying jail
parameters may not specify executable paths but only rules, in which
case the executable paths value is copied from the currently-applicable
configuration. The sysctl(8) knobs case always leverages this feature,
since setting a knob changes one parameter at a time.
Currently, a NULL or empty string argument is treated as a non-specified
parameter. This causes a bug where disabling MAC/do in a jail does not
actually work because, to this end, parse_and_set_conf() is passed an
empty string which it then interprets as a request to copy the currently
applicable configuration's value, which may well not be empty.
Fix this problem by only treating NULL as a marker for a non-specified
parameter, in accordance with the original design for this function.
While here, write some documentation to explain the interface. While
here, remove the original herald comment for parse_and_set_rules(),
which was inadvertently pushed apart from the replacing
parse_and_set_conf().
Reviewed by: bapt
Fixes: 9818224174 ("MAC/do: Executable paths feature (GSoC 2025's final state)")
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
This commit is contained in:
@@ -1361,12 +1361,6 @@ set_default_conf(struct prison *const pr)
|
||||
drop_conf(conf);
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse a rules specification and assign them to a jail.
|
||||
*
|
||||
* Returns the same error code as parse_rules() (which see).
|
||||
*/
|
||||
|
||||
static void
|
||||
clone_rules(struct rules *const dst, const struct rules *const src)
|
||||
{
|
||||
@@ -1413,7 +1407,17 @@ clone_exec_paths(struct exec_paths *const dst,
|
||||
sizeof(dst->exec_paths_str));
|
||||
}
|
||||
|
||||
/* Must be called with '*parse_error' set to NULL. */
|
||||
/*
|
||||
* Sets/modifies the MAC/do configuration for a jail.
|
||||
*
|
||||
* Must be called with '*parse_error' set to NULL.
|
||||
*
|
||||
* Supports explicitly setting all parameters or only some of them, in which
|
||||
* case the implicit ones are copied from the currently applicable configuration
|
||||
* (that of the closest ancestor jail that has one).
|
||||
*
|
||||
* An unspecified parameter must be passed as NULL.
|
||||
*/
|
||||
static int
|
||||
parse_and_set_conf(struct prison *pr, const char *rules_string,
|
||||
const char *exec_paths_string, struct parse_error **parse_error)
|
||||
@@ -1421,17 +1425,13 @@ parse_and_set_conf(struct prison *pr, const char *rules_string,
|
||||
struct conf *applicable_conf = NULL;
|
||||
struct conf *conf;
|
||||
int error = 0;
|
||||
bool need_applicable_conf;
|
||||
|
||||
need_applicable_conf = (rules_string == NULL || rules_string[0] == '\0' ||
|
||||
exec_paths_string == NULL || exec_paths_string[0] == '\0');
|
||||
|
||||
if (need_applicable_conf)
|
||||
if (rules_string == NULL || exec_paths_string == NULL)
|
||||
applicable_conf = find_conf(pr, NULL);
|
||||
|
||||
conf = new_conf();
|
||||
|
||||
if (rules_string != NULL && rules_string[0] != '\0') {
|
||||
if (rules_string != NULL) {
|
||||
error = parse_rules(rules_string, &conf->rules, parse_error);
|
||||
if (error != 0)
|
||||
goto error;
|
||||
@@ -1439,7 +1439,7 @@ parse_and_set_conf(struct prison *pr, const char *rules_string,
|
||||
else if (applicable_conf != NULL)
|
||||
clone_rules(&conf->rules, &applicable_conf->rules);
|
||||
|
||||
if (exec_paths_string != NULL && exec_paths_string[0] != '\0') {
|
||||
if (exec_paths_string != NULL) {
|
||||
error = parse_exec_paths(exec_paths_string, &conf->exec_paths,
|
||||
parse_error);
|
||||
if (error != 0)
|
||||
|
||||
Reference in New Issue
Block a user