authorZhenlei Huang <zlei@FreeBSD.org>2023-11-03 04:08:27 +0000
committerZhenlei Huang <zlei@FreeBSD.org>2023-11-03 04:08:27 +0000
commitbb8d4411e0c668415538f66fb25e6b38bb910cdd (patch)
tree67fffa85557f6f6d0156c2bab2f7faa855a6d6eb
parent2008043f386721d58158e37e0d7e50df8095942d (diff)
veriexec: Simplify the initialization of loader tunable
The loader tunable 'security.mac.veriexec.block_unlink' has already been flagged with CTLFLAG_RDTUN, so there is no need to re-fetch it with TUNABLE_INT_FETCH. While here, move the definition of the sysctl knob out of the function body, which is more common in FreeBSD. No functional change intended. Reviewed by: stevek MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D42132
-rw-r--r--sys/security/mac_veriexec/mac_veriexec.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/sys/security/mac_veriexec/mac_veriexec.c b/sys/security/mac_veriexec/mac_veriexec.c
index 57f3b6c307fa..7ac09e2acf0f 100644
--- a/sys/security/mac_veriexec/mac_veriexec.c
+++ b/sys/security/mac_veriexec/mac_veriexec.c
@@ -105,6 +105,8 @@ SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, db,
static int mac_veriexec_slot;
static int mac_veriexec_block_unlink;
+SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink, CTLFLAG_RDTUN,
+ &mac_veriexec_block_unlink, 0, "Veriexec unlink protection");
MALLOC_DEFINE(M_VERIEXEC, "veriexec", "Verified execution data");
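Review bot: The file-scope SYSCTL_INT added on the two `+` lines is now the only place the loader tunable is read, so the `if (!mac_veriexec_block_unlink)` decision in mac_veriexec_init (second hunk, whose body continues past the end of the view) silently depends on the OID being registered — and its CTLFLAG_RDTUN fetch having run — before MAC policy initialization. That ordering appears to hold for both compiled-in and kld-loaded policies, but it is no longer visible at the point of use, where the old code fetched the value explicitly, so a short comment on the definition would help the next reader: `/* CTLFLAG_RDTUN: populated from the loader environment when the OID is registered, which must happen before mac_veriexec_init() consults it to decide whether to install the unlink hook. */`. Since this knob disables a protection, keeping it read-only at runtime (RDTUN rather than RWTUN) is worth preserving, and the comment could say so. The dropped explicit `= 0` is covered by static zero-initialization, so that part is a genuine no-op.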
@@ -797,12 +799,6 @@ mac_veriexec_init(struct mac_policy_conf *mpc __unused)
EVENTHANDLER_REGISTER(vfs_unmounted, mac_veriexec_vfs_unmounted, NULL,
EVENTHANDLER_PRI_LAST);
- /* Fetch tunable value in kernel env and define a corresponding read-only sysctl */
- mac_veriexec_block_unlink = 0;
- TUNABLE_INT_FETCH("security.mac.veriexec.block_unlink", &mac_veriexec_block_unlink);
- SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink,
- CTLFLAG_RDTUN, &mac_veriexec_block_unlink, 0, "Veriexec unlink protection");
-
/* Check if unlink control is activated via tunable value */
if (!mac_veriexec_block_unlink)
mac_veriexec_ops.mpo_vnode_check_unlink = NULL;