CUSTOM kernel:
options MAC
kldload mac_bsdextended.ko

% sysctl security.mac.bsdextended.firstmatch_enabled
security.mac.bsdextended.firstmatch_enabled: 0

man mac_bsdextended
security.mac.bsdextended.firstmatch_enabled
Toggle between the old all rules match functionality and the new
first rule matches functionality. This is enabled by default.

The value 0 means disabled not enabled!

How-To-Repeat:
% sysctl security.mac.bsdextended.firstmatch_enabled

% man mac_bsdextended

Dr. Markus Waldeck wrote:
>
>> Description:
> CUSTOM kernel:
> options MAC
> kldload mac_bsdextended.ko
>
> % sysctl security.mac.bsdextended.firstmatch_enabled
> security.mac.bsdextended.firstmatch_enabled: 0
>
> man mac_bsdextended
> security.mac.bsdextended.firstmatch_enabled
> Toggle between the old all rules match functionality and the new
> first rule matches functionality. This is enabled by default.
>
> The value 0 means disabled not enabled!
>> How-To-Repeat:
> % sysctl security.mac.bsdextended.firstmatch_enabled
>
> % man mac_bsdextended
>

Hello (again),

When are you going to read my emails about asking you over and over again, to give these things a bit of discussion before you are submitting PRs? A little discussion with the developers of the MAC framework could give the proper idea about what is going on. Perhaps the documentation is OK and the code is wrong, or the other way around.

You might think that I am a bit grumpy, and yes I am. The PR tickets are not for Support questions (which this initially is) but for confirmed problems which should be resolved. We cannot resolve this prior to having some investigation going on.

So AGAIN: Please ask / discuss these things on the various mailing lists before submitting a ticket to make things more concrete, this will help FreeBSD, you and others!

Thanks for your understanding and cooperation.

--
Kind regards,

Remko Lodder ** remko@elvandar.org
FreeBSD ** remko@FreeBSD.org

/* Quis custodiet ipsos custodes */

Responsible Changed
From-To: freebsd-doc->trhodes

Tom wanted to have a look at this (Thanks Tom)

For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped
I was looking into ugidfw when I found this issue as well. firstmatch_enabled isn't being initialized properly. Index: sys/security/mac_bsdextended/mac_bsdextended.c =================================================================== --- sys/security/mac_bsdextended/mac_bsdextended.c (revision 355771) +++ sys/security/mac_bsdextended/mac_bsdextended.c (working copy) @@ -108,9 +108,9 @@ * between the new mode (first rule matches) and the old functionality (all * rules match). */ -static int ugidfw_firstmatch_enabled; +static int ugidfw_firstmatch_enabled = 1; SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled, - CTLFLAG_RW, &ugidfw_firstmatch_enabled, 1, + CTLFLAG_RW, &ugidfw_firstmatch_enabled, 0, "Disable/enable match first rule functionality"); static int At this point you've got to wonder if keeping the old behavior would be better though.
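
Review bot: The new initializer `static int ugidfw_firstmatch_enabled = 1;` changes the effective default from all-rules-match to first-rule-match, and nothing in the hunk tells an administrator that this has happened. The original report shows the sysctl reading 0 on a running system, so rule sets that were written and tested there have been evaluated under the old all-rules-match mode; after this change the same rule list is evaluated with first-match semantics unless the sysctl is explicitly set back to 0. The description string "Disable/enable match first rule functionality" also does not say which mode is the default. I would state the new default in the comment above the variable and in the commit message, and add a note for upgraders, or settle the question raised at the end of the comment (keep the old behaviour and correct the man page instead) before committing. The 1 to 0 change in the value argument of `SYSCTL_INT` has no effect on the default as long as a pointer is passed, so the initializer is the line that carries the behaviour change.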