authorKyle Evans <kevans@FreeBSD.org>2026-01-20 02:57:42 +0000
committerKyle Evans <kevans@FreeBSD.org>2026-01-20 02:57:42 +0000
commit3f3b53e68a7b2f9319ee1fdac82b511c9f9f22d7 (patch)
tree342a3aa9dbc70b9012e5fbcbfeb60183e9808220
parentbef0475b6810b9cc725bb786a8100a6e54b54891 (diff)
jail(3): fix common usage after mac.label support
Nobody else's mac.conf(5) has any entries for jails, so they get a trivial ENOENT and we fail before we can fetch any jail parameters. Most notably, this breaks `jls -s` / `jls -n` if you do not have any loaded policy that applies jail labels. Add an entry that works for everyone, and hardcode that as an ENOENT fallback in libjail to provide a smoother transition. This is probably not harmful to leave in long-term, since mac.conf(5) will override it. This unearthed one additional issue, in that mac_get_prison() in the MAC framework handled the no-label-policies bit wrong. We don't want to break jail utilities enumerating jail parameters automatically, so we must ingest the label in all cases -- we can still use it as a small optimization to avoid trying to copy out any label. We will break things if a non-optional element is specified in the copied-in label, but that's expected. The APIs dedicated to jaildescs remain unfazed, since they won't be used in the same way. Fixes: db3b39f063d9f05 ("libjail: extend struct handlers [...]") Fixes: bd55cbb50c58876 ("kern: add a mac.label jail parameter") Reported by: jlduran (on behalf of Jenkins) Reviewed by: jlduran Differential Revision: https://reviews.freebsd.org/D54786
-rw-r--r--lib/libc/posix1e/mac.conf1
-rw-r--r--lib/libc/posix1e/mac.conf.53
-rw-r--r--lib/libjail/jail.c15
-rw-r--r--sys/security/mac/mac_syscalls.c8
4 files changed, 14 insertions, 13 deletions
diff --git a/lib/libc/posix1e/mac.conf b/lib/libc/posix1e/mac.conf
index 011143abf073..7da9bb8a9638 100644
--- a/lib/libc/posix1e/mac.conf
+++ b/lib/libc/posix1e/mac.conf
@@ -12,6 +12,7 @@
default_labels file ?biba,?lomac,?mls,?sebsd
default_labels ifnet ?biba,?lomac,?mls,?sebsd
+default_labels jail ?
default_labels process ?biba,?lomac,?mls,?partition,?sebsd
default_labels socket ?biba,?lomac,?mls
diff --git a/lib/libc/posix1e/mac.conf.5 b/lib/libc/posix1e/mac.conf.5
index 98aa62dd83a7..99d75584a0d7 100644
--- a/lib/libc/posix1e/mac.conf.5
+++ b/lib/libc/posix1e/mac.conf.5
@@ -27,7 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd July 25, 2015
+.Dd January 19. 2026
.Dt MAC.CONF 5
.Os
.Sh NAME
@@ -79,6 +79,7 @@ and
# Default label set to be used by simple MAC applications
default_labels file ?biba,?lomac,?mls,?sebsd
+default_labels jail ?
default_labels ifnet ?biba,?lomac,?mls,?sebsd
default_labels process ?biba,?lomac,?mls,?partition,?sebsd
default_labels socket ?biba,?lomac,?mls
diff --git a/lib/libjail/jail.c b/lib/libjail/jail.c
index 75fd411c70c8..baabeb4afed9 100644
--- a/lib/libjail/jail.c
+++ b/lib/libjail/jail.c
@@ -1436,18 +1436,21 @@ jps_get_mac_label(struct jailparam *jp, struct iovec *jiov)
int error;
error = mac_prepare_type(pmac, "jail");
+ if (error != 0 && errno == ENOENT) {
+ /*
+ * We special-case the scenario where a system has a custom
+ * mac.conf(5) that doesn't include a jail entry -- just let
+ * an empty label slide.
+ */
+ error = mac_prepare(pmac, "?");
+ }
if (error != 0) {
int serrno = errno;
free(jp->jp_value);
jp->jp_value = NULL;
- if (serrno == ENOENT) {
- snprintf(jail_errmsg, sizeof(jail_errmsg),
- "jail_get: no mac.conf(5) jail config");
- } else {
- strerror_r(serrno, jail_errmsg, JAIL_ERRMSGLEN);
- }
+ strerror_r(serrno, jail_errmsg, JAIL_ERRMSGLEN);
errno = serrno;
return (-1);
}
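Review bot: The `"?"` passed to `mac_prepare()` in the ENOENT fallback duplicates the `default_labels jail ?` entry this commit adds to mac.conf, and the new comment does not tie the two together, so a later change to the shipped default could leave libjail with a different fallback without anyone noticing. I would add one line to the comment, e.g. `* The "?" here mirrors the default_labels jail entry shipped in mac.conf.` Separately, the `errno == ENOENT` test is only reliable if every failure path of mac_prepare_type() sets errno; that function is not visible here, so this is worth confirming, because a stale ENOENT would route an unrelated failure into the fallback and hide the original error. The body of jps_get_mac_label() starts and continues outside the hunk.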
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 1035c6dbb84b..9bafa6d30c36 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -331,18 +331,14 @@ mac_get_prison(struct thread *const td, struct prison *pr,
goto out_nomac;
}
- if (!(mac_labeled & MPC_OBJECT_PRISON)) {
- error = EINVAL;
- goto out;
- }
-
intlabel = mac_prison_label_alloc(M_NOWAIT);
if (intlabel == NULL) {
error = ENOMEM;
goto out;
}
- mac_prison_copy_label(pr->pr_label, intlabel);
+ if ((mac_labeled & MPC_OBJECT_PRISON) != 0)
+ mac_prison_copy_label(pr->pr_label, intlabel);
/*
* Externalization may want to acquire an rmlock. We already tapped out
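Review bot: The new `if ((mac_labeled & MPC_OBJECT_PRISON) != 0)` guard has no comment explaining why the label is still allocated and passed on when no loaded policy labels prisons, which is the behaviour the removed EINVAL return used to prevent. A short comment above the guard would stop a later cleanup from restoring the early exit, e.g. `/* No policy labels prisons: leave the label empty but still process the request. */`. It also means the no-policy path can now return ENOMEM from the `M_NOWAIT` allocation where it previously never allocated; whether that matters for tools enumerating jail parameters depends on the locking and callers outside the hunk. The body of mac_get_prison() starts and continues outside the hunk.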