mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-06 16:40:47 +00:00
veriexec: Simplify the initialization of loader tunable
The loader tunable 'security.mac.veriexec.block_unlink' is already flagged with CTLFLAG_RDTUN, so there is no need to re-fetch it with TUNABLE_INT_FETCH. While here, move the definition of the sysctl knob out of the function body, which is more common in FreeBSD. No functional change intended. Reviewed by: stevek MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D42132
parent
2008043f38
commit
bb8d4411e0
|
@ -105,6 +105,8 @@ SYSCTL_PROC(_security_mac_veriexec, OID_AUTO, db,
|
|||
static int mac_veriexec_slot;
|
||||
|
||||
static int mac_veriexec_block_unlink;
|
||||
SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink, CTLFLAG_RDTUN,
|
||||
&mac_veriexec_block_unlink, 0, "Veriexec unlink protection");
|
||||
|
||||
MALLOC_DEFINE(M_VERIEXEC, "veriexec", "Verified execution data");
|
||||
|
||||
|
@ -797,12 +799,6 @@ mac_veriexec_init(struct mac_policy_conf *mpc __unused)
|
|||
EVENTHANDLER_REGISTER(vfs_unmounted, mac_veriexec_vfs_unmounted, NULL,
|
||||
EVENTHANDLER_PRI_LAST);
|
||||
|
||||
/* Fetch tunable value in kernel env and define a corresponding read-only sysctl */
|
||||
mac_veriexec_block_unlink = 0;
|
||||
TUNABLE_INT_FETCH("security.mac.veriexec.block_unlink", &mac_veriexec_block_unlink);
|
||||
SYSCTL_INT(_security_mac_veriexec, OID_AUTO, block_unlink,
|
||||
CTLFLAG_RDTUN, &mac_veriexec_block_unlink, 0, "Veriexec unlink protection");
|
||||
|
||||
/* Check if unlink control is activated via tunable value */
|
||||
if (!mac_veriexec_block_unlink)
|
||||
mac_veriexec_ops.mpo_vnode_check_unlink = NULL;
|
||||
|
|
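Review bot: The check `if (!mac_veriexec_block_unlink)` in mac_veriexec_init() now relies on the CTLFLAG_RDTUN sysctl having loaded the tunable from the kernel environment before the policy's init routine runs, and nothing in the code states that. If the ordering did not hold, the variable would still be 0 and the function would clear `mpo_vnode_check_unlink`, turning unlink protection off without any signal. I would record the dependency next to the check, for example `/* block_unlink is loaded from the kernel environment when its CTLFLAG_RDTUN sysctl is registered, which must precede this init */`. The ordering is presumably guaranteed by when sysctl OIDs are registered, but that should be confirmed for both the compiled-in and the loadable-module case. The file-scope `SYSCTL_INT` also lost the explanatory comment that the removed lines carried, and mac_veriexec_init() starts and ends outside the hunk.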