Date: Mon, 16 Dec 2024 14:45:57 GMT
Message-Id: <202412161445.4BGEjvLW053404@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Olivier Certner
Subject: git: 2a20ce91dc29 - main - MAC/do: Fix jail_get() (PR_METHOD_GET)
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=2a20ce91dc29e5a80f4eeb9352cf3169cd1891b9

commit 2a20ce91dc29e5a80f4eeb9352cf3169cd1891b9
Author:     Olivier Certner
AuthorDate: 2024-07-03 15:22:28 +0000
Commit:     Olivier Certner
CommitDate: 2024-12-16 14:42:37 +0000

    MAC/do: Fix jail_get() (PR_METHOD_GET)

    - Properly fill 'jsys' before copying it out (we would leak bytes from
      the kernel stack). When the current jail has its own 'struct rules',
      set it to the special value JAIL_SYS_DISABLE if it in fact holds no
      rules.
    - Don't forget to unlock the jail holding rules on error.
    - Correctly return errors.

    Reviewed by:    bapt
    Approved by:    markj (mentor)
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D47609
---
 sys/security/mac_do/mac_do.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c index 6f68a6f62a79..2482221e43a3 100644 --- a/sys/security/mac_do/mac_do.c +++ b/sys/security/mac_do/mac_do.c 
@@ -353,22 +353,28 @@ mac_do_jail_create(void *obj, void *data __unused) static int mac_do_jail_get(void *obj, void *data) { - struct prison *ppr, *pr = obj; - struct vfsoptlist *opts = data; + struct prison *ppr, *const pr = obj; + struct vfsoptlist *const opts = data; struct rules *rules; int jsys, error; rules = find_rules(pr, &ppr); + + jsys = pr == ppr ? + (TAILQ_EMPTY(&rules->head) ? JAIL_SYS_DISABLE : JAIL_SYS_NEW) : + JAIL_SYS_INHERIT; error = vfs_setopt(opts, "mac.do", &jsys, sizeof(jsys)); if (error != 0 && error != ENOENT) goto done; + error = vfs_setopts(opts, "mac.do.rules", rules->string); if (error != 0 && error != ENOENT) goto done; - prison_unlock(ppr); + error = 0; done: - return (0); + prison_unlock(ppr); + return (error); } static int
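
Review bot: the nested conditional that assigns jsys, right after the find_rules() call, packs three outcomes into one expression with no comment. A short comment or an if/else chain would make it explicit that JAIL_SYS_INHERIT is reported when find_rules() hands back a jail other than pr, and that JAIL_SYS_DISABLE is reported only when pr holds the rules itself and TAILQ_EMPTY(&rules->head) is true. The same goes for the `error = 0;` just before `done:`, which discards an ENOENT left over from either vfs_setopt() or vfs_setopts(); the two `error != ENOENT` checks above suggest that is intended, but a one-line comment stating why ENOENT is not an error here would save the next reader from re-deriving it, now that the function returns `error` instead of a constant 0.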