diff options
| author | Kyle Evans <kevans@FreeBSD.org> | 2026-01-19 20:57:42 -0600 |
|---|---|---|
| committer | Kyle Evans <kevans@FreeBSD.org> | 2026-01-19 20:57:42 -0600 |
| commit | 3f3b53e68a7b2f9319ee1fdac82b511c9f9f22d7 (patch) | |
| tree | 342a3aa9dbc70b9012e5fbcbfeb60183e9808220 /lib/libdevinfo/devinfo.c | |
| parent | bef0475b6810b9cc725bb786a8100a6e54b54891 (diff) | |
Nobody else's mac.conf(5) has any entries for jails, so they get a
trivial ENOENT and we fail before we can fetch any jail parameters.
Most notably, this breaks `jls -s` / `jls -n` if you do not have any
loaded policy that applies jail labels.
Add an entry that works for everyone, and hardcode that as an ENOENT
fallback in libjail to provide a smoother transition. This is probably
not harmful to leave in long-term, since mac.conf(5) will override it.
This unearthed one additional issue, in that mac_get_prison() in the
MAC framework handled the no-label-policies bit wrong. We don't want
to break jail utilities enumerating jail parameters automatically, so
we must ingest the label in all cases -- we can still use it as a small
optimization to avoid trying to copy out any label. We will break
things if a non-optional element is specified in the copied in label,
but that's expected.
The APIs dedicated to jaildescs remain unphased, since they won't be
used in the same way.
Fixes: db3b39f063d9f05 ("libjail: extend struct handlers [...]")
Fixes: bd55cbb50c58876 ("kern: add a mac.label jail parameter")
Reported by: jlduran (on behalf of Jenkins)
Reviewed by: jlduran
Differential Revision: https://reviews.freebsd.org/D54786
Diffstat (limited to 'lib/libdevinfo/devinfo.c')
0 files changed, 0 insertions, 0 deletions