Would it make sense to combine this with the mtx_unlock that immediately follows? On the plus side, you remove a lock with immediate unlock, but on the minus side it complicates the code, especially with MAC being inside an ifdef.

Since you're unlocking later anyway, it might be worthwhile to have a second try where you unlock and M_WAITOK, and then re-lock for mac_prison_copy_label.

I thought about it a bit, and I think I'd rather just reorder things slightly to allocate intlabel and do the copy early, then drop the lock and copyin the label. with M_WAITOK. We seem to have a little bit of a mixed bag about whether we sanity check the label rergardless of whether the objec type is actually labelled or not (see, e.g., kern___mac_get_path vs. sys___mac_get_fd), so the following ordering seems reasonable:

1.) vfs_copyopt so that we can bail out if a mac.label parameter wasn't even supplied
2.) Check mac_labeled so that we can return EINVAL early
3.) Allocate intlabel and mac_prison_copy_label so that we still have a snapshot of the label consistent with the other jail parameters
4.) Drop the lock, mac_label_copyin_string and malloc buffer both M_WAITOK, externalize and finish

I'd really prefer we keep the label copy under the lock if we can, but typical struct label allocation (+ most policies don't really allocate often in init_label) is small enough that I think failing to allocate intlabel is probably enough of an indicator that the other allocations would be a miserable wait. Does that seem like a reasonable compromise?

Yeah, that works. That's a good point on the allocation second tries in general: once we've gotten there, it's a very stressed system.

@jamie We are getting (and in kern_jail_set(), setting) module parameters without the prison lock, which poses atomicity problems (even in the simple case of concurrent retrieval and modification of jail parameters). This needs a re-design one day (tm).

Can't we just elide this copy in, as it seems we don't care about the content of the input buffer at all?

Maybe this code that does vfs_copyopt() on struct mac, also handling the 32-bit case, should be factored out, as it is the same as that of mac_get_prison().

My recollection is that externalization does actually use the input buffer to understand which labels it needs to try and capture, since it may not be able to capture all of them. This is where mac.conf(5) comes into play -- userland would populate the buffer based on labels there, and that's a crucial step to getting anything out of the MAC framework here.

It's a limitation of the OSD system, which has an sxlock in osd_call. I didn't want to reinvent too many wheels (also the reason for vfsopt), so I went with the restriction. Even without the sxlock, I would expect locking problems, since modules will be wanting to use their own locking, or other things like process locks that aren't lower than a prison lock.

But yes, an atomic jail set would be valuable. OSD isn't the only place where that breaks - the retry of ipaddr allocation comes to mind.