git: 179aa1466c - main - Status/2025Q3/mac_do.adoc: Improve report
Date: Sun, 19 Oct 2025 17:35:36 UTC
The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/doc/commit/?id=179aa1466c0b830936822c4f74327ae1db4ba027

commit 179aa1466c0b830936822c4f74327ae1db4ba027
Author:     Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2025-10-18 14:52:18 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2025-10-19 17:35:13 +0000

    Status/2025Q3/mac_do.adoc: Improve report

    Add a preamble saying what mac_do(4)/mdo(1) is about and linking to the
    manual pages and previous status reports.

    Improve wording, simplify.

    Clarify that only the work on mdo(1) to enable fine-grained credentials
    transition requests has been committed, and mention in which releases it
    will appear.

    Mention that the other points will eventually be committed, but may not
    appear in 15.0

    Add myself as a point of contact, and mention sponsoring by the FreeBSD
    Foundation.

    Sponsored by: The FreeBSD Foundation

--- .../en/status/report-2025-07-2025-09/mac_do.adoc | 31 ++++++++++++++-------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/website/content/en/status/report-2025-07-2025-09/mac_do.adoc b/website/content/en/status/report-2025-07-2025-09/mac_do.adoc index 8c29e839b9..00eed003c5 100644 --- a/website/content/en/status/report-2025-07-2025-09/mac_do.adoc +++ b/website/content/en/status/report-2025-07-2025-09/mac_do.adoc 
@@ -1,22 +1,31 @@ === mac_do(4) and mdo(1) Improvements Links: + -link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[Wiki page] URL: link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[] +link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[Wiki page] URL: link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[] + +link:https://cgit.freebsd.org/src/commit/?id=3ca1e69028ac[Commit to mdo(1) enabling fine-grained credentials transition requests] URL: https://cgit.freebsd.org/src/commit/?id=3ca1e69028ac -Contact: Kushagra Srivastava <thesynthax@FreeBSD.org> +Contact: Kushagra Srivastava <thesynthax@FreeBSD.org> + +Contact: Olivier Certner <olce@FreeBSD.org> -As part of Google Summer of Code 2025, I worked on two related sub-projects in the FreeBSD Project: kernel improvements to man:mac_do[4] and userland enhancements to man:mdo[1]. +The man:mac_do[4]/man:mdo[1] project aims at allowing controlled process credentials transitions without using setuid executables but instead leveraging our MAC framework. +For more information, please consult the associated manual pages as well as previous status reports from link:../report-2024-07-2024-09/#_mac_do4_setcred2_mdo1[T3 2024] and link:../report-2024-10-2024-12/#_mac_do4_setcred2_mdo1[T4 2024]. -mac_do is a kernel MAC security module that allows controlled credential transitions without requiring setuid binaries. The project extended it in two key ways: +As part of Google Summer of Code 2025, Kushagra worked on extending man:mac_do[4] (kernel) and man:mdo[1] (userland). -* **Per-jail configuration of authorized executables** – administrators can now specify a list of executables per-jail, permitted to request credential transitions, instead of being limited to the hardcoded [.filename]#/usr/bin/mdo#. 
-* **Support for traditional credential-changing syscalls** – transitions requested via man:setuid[2], man:setgid[2], man:setgroups[2], and related functions are now intercepted and authorized through mac_do, in addition to the original man:setcred[2] mechanism. +Worked-on man:mac_do[4] features: -On the userland side, the companion tool man:mdo[1] was extended to: +* Per-jail configuration of authorized executables: Allow administrators to specify a per-jail list of executables that are permitted to request credential transitions, instead of being limited to the hardcoded [.filename]#/usr/bin/mdo#. +* Support for traditional credential-changing system calls: Allow man:mac_do[4] to assess calls to man:setuid[2], man:setgid[2], man:setgroups[2], and related functions as full credentials transitions on their own. -* Allow explicit UID/GID overrides, fine-grained group management (`-g`, `-G`, `-s` options), and improved credential parsing. -* Provide a `--print-rule` option to display the corresponding mac_do rule for a requested transition. +Worked-on new man:mdo[1] features: -Together, these improvements make mac_do and mdo far more flexible and practical, enabling safer privilege transitions without relying on setuid executables and with strong jail integration. +* Allow finely specifying target groups (`-g`, `-G`, `-s` options), inheriting from current credentials or those of some user in the password and group databases, and explicitly overriding any user and group IDs and supplementary group. +* Provide a `--print-rule` option to switch to a mode that displays an example of the target part of a rule that would match the requested credentials. -Sponsor: Google LLC (Google Summer of Code 2025) +Of these, the man:mdo[1]'s new fine-grained credentials transition requests change has been committed and will appear in 15.0 and 14.4. 
+The others most probably will land in stable/14 before 14.4, but seem unlikely to appear in 15.0 as they need more review and some amendments. + +Together, these improvements will make man:mac_do[4] and man:mdo[1] more flexible and practical, enabling safer credentials transitions without relying on setuid executables and with strong jail integration. + +Sponsor: Google LLC (Google Summer of Code 2025) + +Sponsor: The FreeBSD Foundation
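
Review bot: The link labels "T3 2024" and "T4 2024" in the new preamble point at report-2024-07-2024-09 and report-2024-10-2024-12, which cover July to September and October to December, and the path in the commit subject uses "2025Q3"; "Q3 2024" and "Q4 2024" would match that naming. In the added man:mdo[1] bullet, "explicitly overriding any user and group IDs and supplementary group" should end in "supplementary groups", and "the man:mdo[1]'s new fine-grained credentials transition requests change" reads more easily as "the man:mdo[1] change enabling fine-grained credentials transition requests", which is also the wording of the new commit link. Since the two man:mac_do[4] items are described as not yet committed, it would help readers to say so next to the "Worked-on man:mac_do[4] features:" line rather than only in the paragraph after both lists, so nobody assumes per-jail executable lists or setuid(2)-family handling are available in a release.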