src/lib/libjail
Kyle Evans 3f3b53e68a jail(3): fix common usage after mac.label support
Nobody else's mac.conf(5) has any entries for jails, so they get a
trivial ENOENT and we fail before we can fetch any jail parameters.
Most notably, this breaks `jls -s` / `jls -n` if you do not have any
loaded policy that applies jail labels.

Add an entry that works for everyone, and hardcode that as an ENOENT
fallback in libjail to provide a smoother transition.  This is probably
not harmful to leave in long-term, since mac.conf(5) will override it.

This unearthed one additional issue, in that mac_get_prison() in the
MAC framework handled the no-label-policies bit wrong.  We don't want
to break jail utilities enumerating jail parameters automatically, so
we must ingest the label in all cases -- we can still use it as a small
optimization to avoid trying to copy out any label.  We will break
things if a non-optional element is specified in the copied in label,
but that's expected.

The APIs dedicated to jaildescs remain unfazed, since they won't be
used in the same way.

Fixes:	db3b39f063 ("libjail: extend struct handlers [...]")
Fixes:	bd55cbb50c ("kern: add a mac.label jail parameter")
Reported by:	jlduran (on behalf of Jenkins)
Reviewed by:	jlduran
Differential Revision:	https://reviews.freebsd.org/D54786
2026-01-19 20:57:42 -06:00