diff options
| author | Olivier Certner <olce@FreeBSD.org> | 2024-07-04 09:51:00 +0000 |
|---|---|---|
| committer | Olivier Certner <olce@FreeBSD.org> | 2024-12-16 14:42:36 +0000 |
| commit | f3a06ced25681b6da40c652203f882ba18be227d (patch) | |
| tree | 05250b0a6f5633f6549904460e15bb0918d41bfa | |
| parent | 11ba1f2fe2d4e151ffc0a66d03a0691a7b8d2866 (diff) | |
MAC/do: Sysctl knobs/jail parameters under MAC's common nodes
Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47608
| -rw-r--r-- | sys/security/mac_do/mac_do.c | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c index a57c29c407b8..6f68a6f62a79 100644 --- a/sys/security/mac_do/mac_do.c +++ b/sys/security/mac_do/mac_do.c @@ -23,8 +23,6 @@ #include <security/mac/mac_policy.h> -SYSCTL_DECL(_security_mac); - static SYSCTL_NODE(_security_mac, OID_AUTO, do, CTLFLAG_RW|CTLFLAG_MPSAFE, 0, "mac_do policy controls"); @@ -338,8 +336,8 @@ SYSCTL_PROC(_security_mac_do, OID_AUTO, rules, "Rules"); -SYSCTL_JAIL_PARAM_SYS_NODE(mdo, CTLFLAG_RW, "Jail MAC/do parameters"); -SYSCTL_JAIL_PARAM_STRING(_mdo, rules, CTLFLAG_RW, MAC_RULE_STRING_LEN, +SYSCTL_JAIL_PARAM_SYS_SUBNODE(mac, do, CTLFLAG_RW, "Jail MAC/do parameters"); +SYSCTL_JAIL_PARAM_STRING(_mac_do, rules, CTLFLAG_RW, MAC_RULE_STRING_LEN, "Jail MAC/do rules"); @@ -361,10 +359,10 @@ mac_do_jail_get(void *obj, void *data) int jsys, error; rules = find_rules(pr, &ppr); - error = vfs_setopt(opts, "mdo", &jsys, sizeof(jsys)); + error = vfs_setopt(opts, "mac.do", &jsys, sizeof(jsys)); if (error != 0 && error != ENOENT) goto done; - error = vfs_setopts(opts, "mdo.rules", rules->string); + error = vfs_setopts(opts, "mac.do.rules", rules->string); if (error != 0 && error != ENOENT) goto done; prison_unlock(ppr); @@ -380,14 +378,14 @@ mac_do_jail_check(void *obj, void *data) char *rules_string; int error, jsys, len; - error = vfs_copyopt(opts, "mdo", &jsys, sizeof(jsys)); + error = vfs_copyopt(opts, "mac.do", &jsys, sizeof(jsys)); if (error != ENOENT) { if (error != 0) return (error); if (jsys != JAIL_SYS_NEW && jsys != JAIL_SYS_INHERIT) return (EINVAL); } - error = vfs_getopt(opts, "mdo.rules", (void **)&rules_string, &len); + error = vfs_getopt(opts, "mac.do.rules", (void **)&rules_string, &len); if (error != ENOENT) { if (error != 0) return (error); @@ -409,10 +407,10 @@ mac_do_jail_set(void *obj, void *data) char *rules_string; int error, jsys, len; - error = vfs_copyopt(opts, "mdo", &jsys, sizeof(jsys)); + error = vfs_copyopt(opts, "mac.do", &jsys, sizeof(jsys)); if (error == ENOENT) jsys = -1; - error = vfs_getopt(opts, "mdo.rules", (void **)&rules_string, &len); + error = vfs_getopt(opts, "mac.do.rules", (void **)&rules_string, &len); if (error == ENOENT) rules_string = ""; else |