Differential D54833

kern: mac: add a prison_cleanup entry point
Needs ReviewPublic
Actions

Authored by kevans on Fri, Jan 23, 3:00 PM.

Tags

None

Referenced Files

	F143109212: D54833.diff
	Mon, Jan 26, 2:22 AM

	Unknown Object (File)
	Sat, Jan 24, 9:39 PM

	Unknown Object (File)
	Sat, Jan 24, 10:45 AM

	Unknown Object (File)
	Sat, Jan 24, 8:42 AM

	Unknown Object (File)
	Sat, Jan 24, 8:31 AM

	Unknown Object (File)
	Sat, Jan 24, 6:50 AM

	Unknown Object (File)
	Sat, Jan 24, 6:19 AM

	Unknown Object (File)
	Sat, Jan 24, 12:54 AM

View All 9 Files

Subscribers

Details

Reviewers

csjp
olce

Group Reviewers

Summary

The MAC framework provides a lot of useful functionality that can be
configured per-jail without requiring the use of labels. Having another
entry point that we invoke just for general prison cleanup rather than
freeing the label is useful to allow a module that can otherwise work
off of a series of MAC entry points + sysctls for configuration to free
its per-jail configuration without having to bring in osd(9).

One such example in the wild is HardenedBSD's secadm, but some of my
own personal use had wanted it as well- it was simply overlooked in the
final version because my first policy made more sense with labels.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 70071
Build 66954: arc lint + arc unit

Event Timeline

kevans created this revision.Fri, Jan 23, 3:00 PM

Herald added a subscriber: imp. · View Herald TranscriptFri, Jan 23, 3:00 PM

kevans requested review of this revision.Fri, Jan 23, 3:00 PM

Harbormaster completed remote builds in B70071: Diff 170266.Fri, Jan 23, 3:00 PM

Revision Contents
Changeset List

Path

Size

sys/

security/

mac/

3 lines

4 lines

mac_stub/

8 lines

mac_test/

11 lines

Diff 170266

sys/security/mac/mac_policy.h

Loading...

sys/security/mac/mac_prison.c

Loading...

sys/security/mac_stub/mac_stub.c

Loading...

sys/security/mac_test/mac_test.c

Loading...