The branch main has been updated by olce: URL: https://cgit.FreeBSD.org/src/commit/?id=11b567e94ad2a1b4baf768d77c6f1fb2018cfe83
commit 11b567e94ad2a1b4baf768d77c6f1fb2018cfe83 Author: Olivier Certner <[email protected]> AuthorDate: 2026-05-20 09:29:51 +0000 Commit: Olivier Certner <[email protected]> CommitDate: 2026-05-29 15:22:49 +0000 MAC/do: Remove superfluous configuration initialization Configuration objects would be initialized (zeroed, and some STAILQ_INIT() called) multiple times. Make sure they are so only once, and add assertions to check that this is actually the case for functions that expect it. Reviewed by: bapt MFC after: 1 month Sponsored by: The FreeBSD Foundation Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38 --- sys/security/mac_do/mac_do.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c index 1d9b756bc0fc..fa20beadbaad 100644 --- a/sys/security/mac_do/mac_do.c +++ b/sys/security/mac_do/mac_do.c @@ -33,6 +33,23 @@ #include <security/mac/mac_policy.h> +#ifdef INVARIANTS +/* + * Should typically be moved to libkern (and perhaps libc) at some point, and be + * optimized if to be used outside of INVARIANTS. + */ +static bool +is_zeroed(const void *const buf, const size_t size) +{ + const char *const p = buf; + + for (size_t i = 0; i < size; ++i) + if (p[i] != 0) + return (false); + return (true); +} +#endif + static SYSCTL_NODE(_security_mac, OID_AUTO, do, CTLFLAG_RW|CTLFLAG_MPSAFE, 0, "mac_do policy controls"); @@ -353,25 +370,24 @@ toast_rules(struct rules *const rules) } } -/* Assumes storage has been zeroed. */ -static void +static inline void init_rules(struct rules *const rules) { + MPASS(is_zeroed(rules, sizeof(*rules))); STAILQ_INIT(&rules->head); } -static void +static inline void init_exec_paths(struct exec_paths *const exec_paths) { - bzero(exec_paths, sizeof(*exec_paths)); - exec_paths->exec_paths_str[0] = 0; + MPASS(is_zeroed(exec_paths, sizeof(*exec_paths))); } static struct conf * new_conf(void) { - struct conf *const conf = malloc(sizeof(*conf), M_MAC_DO, M_WAITOK | - M_ZERO); + struct conf *const conf = malloc(sizeof(*conf), M_MAC_DO, + M_WAITOK | M_ZERO); init_rules(&conf->rules); init_exec_paths(&conf->exec_paths); @@ -1356,9 +1372,7 @@ clone_rules(struct rules *const dst, const struct rules *const src) { struct rule *src_rule, *dst_rule; - bzero(dst, sizeof(*dst)); strlcpy(dst->string, src->string, sizeof(dst->string)); - STAILQ_INIT(&dst->head); STAILQ_FOREACH(src_rule, &src->head, r_entries) { dst_rule = malloc(sizeof(*dst_rule), M_MAC_DO, M_WAITOK | @@ -1387,7 +1401,7 @@ static void clone_exec_paths(struct exec_paths *const dst, const struct exec_paths *const src) { - bzero(dst, sizeof(*dst)); + MPASS(is_zeroed(dst, sizeof(*dst))); dst->exec_path_count = src->exec_path_count; for (int i = 0; i < src->exec_path_count; i++) strlcpy(dst->exec_paths[i], src->exec_paths[i],
