git: cd2c67fb12 - main - Status/2025Q3/mac_do.adoc: Add report
Date: Fri, 10 Oct 2025 13:45:03 UTC
The branch main has been updated by salvadore: URL: https://cgit.FreeBSD.org/doc/commit/?id=cd2c67fb127c629084fc470452f8d6a469c6487b commit cd2c67fb127c629084fc470452f8d6a469c6487b Author: Kushagra Srivastava <thesynthax@FreeBSD.org> AuthorDate: 2025-09-25 15:11:08 +0000 Commit: Lorenzo Salvadore <salvadore@FreeBSD.org> CommitDate: 2025-10-10 13:06:57 +0000 Status/2025Q3/mac_do.adoc: Add report Pull Request: https://github.com/freebsd/freebsd-doc/pull/552 --- .../en/status/report-2025-07-2025-09/mac_do.adoc | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/website/content/en/status/report-2025-07-2025-09/mac_do.adoc b/website/content/en/status/report-2025-07-2025-09/mac_do.adoc new file mode 100644 index 0000000000..8c29e839b9 --- /dev/null +++ b/website/content/en/status/report-2025-07-2025-09/mac_do.adoc 
@@ -0,0 +1,22 @@ +=== mac_do(4) and mdo(1) Improvements + +Links: + +link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[Wiki page] URL: link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[] + +Contact: Kushagra Srivastava <thesynthax@FreeBSD.org> + +As part of Google Summer of Code 2025, I worked on two related sub-projects in the FreeBSD Project: kernel improvements to man:mac_do[4] and userland enhancements to man:mdo[1]. + +mac_do is a kernel MAC security module that allows controlled credential transitions without requiring setuid binaries. The project extended it in two key ways: + +* **Per-jail configuration of authorized executables** – administrators can now specify a list of executables per-jail, permitted to request credential transitions, instead of being limited to the hardcoded [.filename]#/usr/bin/mdo#. +* **Support for traditional credential-changing syscalls** – transitions requested via man:setuid[2], man:setgid[2], man:setgroups[2], and related functions are now intercepted and authorized through mac_do, in addition to the original man:setcred[2] mechanism. + +On the userland side, the companion tool man:mdo[1] was extended to: + +* Allow explicit UID/GID overrides, fine-grained group management (`-g`, `-G`, `-s` options), and improved credential parsing. +* Provide a `--print-rule` option to display the corresponding mac_do rule for a requested transition. + +Together, these improvements make mac_do and mdo far more flexible and practical, enabling safer privilege transitions without relying on setuid executables and with strong jail integration. + +Sponsor: Google LLC (Google Summer of Code 2025)
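Review bot: The "Per-jail configuration of authorized executables" bullet says administrators can specify a list of executables but does not name how the list is set (no jail parameter or sysctl is given), and the report never states whether the work has been committed or is still under review. The only link is the wiki page, so a reader who wants to verify which binaries may request credential transitions in a given jail has nothing to follow up on. Consider naming the configuration knob and adding links to the relevant reviews or commits under "Links:". In the same bullet, "specify a list of executables per-jail, permitted to request credential transitions" reads awkwardly; "specify, per jail, a list of executables permitted to request credential transitions" is clearer. In the second bullet, "and related functions" follows a list of system calls, so either "and related system calls" or an explicit list would be more precise about what mac_do now intercepts. In the mdo(1) list, `-g`, `-G` and `-s` are given without saying what each option does; a few words per option would help. Minor style: the bullet labels use `**...**`, where single `*...*` is sufficient for bold at word boundaries in AsciiDoc.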