On 28 Sep 2013, at 19:32, Konstantin Belousov wrote:

>> It's easy to reproduce. Just kldload mac_portacl and /etc/rc.d/syslogd restart
>
> This is due to priv_check_cred() call in mac_portacl.c:rules_check().
> The call causes recursion into the mac framework from the mac callback.
>
> Robert should have a better idea about the proper way to fix the issue.
> The trivial attempt might be to enable recursion on the rm lock
> protecting the lists.
>
> diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c > index 816bb0b..ed0c05a 100644 > --- a/sys/security/mac/mac_framework.c > +++ b/sys/security/mac/mac_framework.c > _at__at_ -292,7 +292,8 _at__at_ mac_init(void) > mac_labelzone_init(); > > #ifndef MAC_STATIC > - rm_init_flags(&mac_policy_rm, "mac_policy_rm", RM_NOWITNESS); > + rm_init_flags(&mac_policy_rm, "mac_policy_rm", RM_NOWITNESS | > + RM_RECURSE); > sx_init_flags(&mac_policy_sx, "mac_policy_sx", SX_NOWITNESS); > #endif > }

Let's go with this -- recursion into the framework should be supported.

Robert

Received on Sat Sep 28 2013 - 17:29:53 UTC
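Review bot: The changed rm_init_flags() call in mac_init() has no comment saying why recursion is now allowed on mac_policy_rm, and since the lock also carries RM_NOWITNESS, nothing at runtime will flag an unintended recursive acquisition later. A short comment above the call would record the reason given in the thread: a policy callback can re-enter the framework, as mac_portacl's rules_check() does through priv_check_cred(). The adjacent sx_init_flags(&mac_policy_sx, ...) line still passes only SX_NOWITNESS, so it is worth confirming whether the same re-entry can happen on the path that takes mac_policy_sx, and if it can, giving that lock SX_RECURSE in this same change.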