When stopping ugidfw, it is not enough to just try unloading the module. If

the module is built-in to the kernel then the kldunload will fail. Rather than do this just check if there are rules and then remove them all. Add requirement on FILESYSTEMS to ensure /usr is present for /usr/sbin/ugidfw and /usr/bin/xargs. This was already effectively the ordering from rcorder(8). MFC after: 2 weeks Relnotes: yes
2015-09-29 18:51:56 +00:00 · 2015-09-29 18:51:56 +00:00 · 575059f684
commit 575059f684
parent 7d7e4c43c4
1 changed files with 10 additions and 1 deletions
--- a/etc/rc.d/ugidfw
+++ b/etc/rc.d/ugidfw
@ -3,6 +3,7 @@
 # $FreeBSD$

 # PROVIDE: ugidfw
+# REQUIRE: FILESYSTEMS
 # BEFORE: LOGIN
 # KEYWORD: nojail shutdown

@ -33,9 +34,17 @@ ugidfw_start()

 ugidfw_stop()
 {
+	local rulecount
+
 	# Disable the policy
 	#
-	kldunload mac_bsdextended
+	# Check for the existence of rules and flush them if needed.
+	rulecount=$(sysctl -in security.mac.bsdextended.rule_count)
+	if [ ${rulecount:-0} -gt 0 ]; then
+		ugidfw list | sed -n '2,$p' | cut -d ' ' -f 1 | sort -r -n |
+		    xargs -n 1 ugidfw remove
+		echo "MAC bsdextended rules flushed."
+	fi
 }

 load_rc_config $name