system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-09-29 13:15:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

veriexec: Simplify the initialization of loader tunable

Browse source 
The loader tunable 'security.mac.veriexec.block_unlink' has been
already flagged with CTLFLAG_RDTUN, no need to re-fetch it with
TUNABLE_INT_FETCH.

While here move the definition of sysctl knob out of function body,
which is more common in FreeBSD.

No functional change intended.

Reviewed by:	stevek
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D42132

(cherry picked from commit bb8d4411e0)
This commit is contained in:
Zhenlei Huang 2023-11-03 12:08:27 +08:00
parent 5d031613af
commit b388201875
1 changed files with 2 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
sys/security/mac_veriexec/mac_veriexec.c
View file

@ -105,6 +105,8 @@ SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, db,
static int mac_veriexec_slot;
static int mac_veriexec_block_unlink;
SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink, CTLFLAG_RDTUN,
&mac_veriexec_block_unlink, 0, "Veriexec unlink protection");
MALLOC_DEFINE(M_VERIEXEC, "veriexec", "Verified execution data");
@ -797,12 +799,6 @@ mac_veriexec_init(struct mac_policy_conf *mpc __unused)
EVENTHANDLER_REGISTER(vfs_unmounted, mac_veriexec_vfs_unmounted, NULL,
EVENTHANDLER_PRI_LAST);
/* Fetch tunable value in kernel env and define a corresponding read-only sysctl */
mac_veriexec_block_unlink = 0;
TUNABLE_INT_FETCH("security.mac.veriexec.block_unlink", &mac_veriexec_block_unlink);
SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink,
CTLFLAG_RDTUN, &mac_veriexec_block_unlink, 0, "Veriexec unlink protection");
/* Check if unlink control is activated via tunable value */
if (!mac_veriexec_block_unlink)
mac_veriexec_ops.mpo_vnode_check_unlink = NULL;