| author | Kyle Evans <kevans@FreeBSD.org> | 2026-01-19 20:57:42 -0600 |
|---|---|---|
| committer | Kyle Evans <kevans@FreeBSD.org> | 2026-01-19 20:57:42 -0600 |
| commit | 3f3b53e68a7b2f9319ee1fdac82b511c9f9f22d7 (patch) | |
| tree | 342a3aa9dbc70b9012e5fbcbfeb60183e9808220 /src/lib/apputils/net-server.c | |
| parent | bef0475b6810b9cc725bb786a8100a6e54b54891 (diff) | |

Nobody else's mac.conf(5) has any entries for jails, so they get a
trivial ENOENT and we fail before we can fetch any jail parameters.
Most notably, this breaks `jls -s` / `jls -n` if you do not have any
loaded policy that applies jail labels.

Add an entry that works for everyone, and hardcode that as an ENOENT
fallback in libjail to provide a smoother transition. This is probably
not harmful to leave in long-term, since mac.conf(5) will override it.

This unearthed one additional issue, in that mac_get_prison() in the
MAC framework handled the no-label-policies bit wrong. We don't want
to break jail utilities enumerating jail parameters automatically, so
we must ingest the label in all cases -- we can still use it as a small
optimization to avoid trying to copy out any label. We will break
things if a non-optional element is specified in the copied in label,
but that's expected.

The APIs dedicated to jaildescs remain unfazed, since they won't be
used in the same way.

Fixes: db3b39f063d9f05 ("libjail: extend struct handlers [...]")
Fixes: bd55cbb50c58876 ("kern: add a mac.label jail parameter")
Reported by: jlduran (on behalf of Jenkins)
Reviewed by: jlduran
Differential Revision: https://reviews.freebsd.org/D54786

Diffstat (limited to 'src/lib/apputils/net-server.c')
0 files changed, 0 insertions, 0 deletions
