git: 8047b85cbe17 - stable/14 - MAC/do: Rules: <from> and <to> parts now to be separated by '>'
Date: Tue, 08 Apr 2025 13:41:17 UTC
The branch stable/14 has been updated by olce:
URL: https://cgit.FreeBSD.org/src/commit/?id=8047b85cbe17b3819ac8acf94a19b5a844025c65
commit 8047b85cbe17b3819ac8acf94a19b5a844025c65
Author: Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2025-04-01 17:06:17 +0000
Commit: Olivier Certner <olce@FreeBSD.org>
CommitDate: 2025-04-08 13:38:30 +0000
MAC/do: Rules: <from> and <to> parts now to be separated by '>'
Previously, we would accept only ':' as the separator, which makes
parsing of the rule specification harder for humans, especially those
people that are used to UNIX systems where ':' is used as the separator
in PATH. With ':', the <from> and <to> parts can look like two
different elements that are unrelated, especially to these eyes.
Change parse_single_rule() so that '>' is also accepted as a separator
between <from> and <to>, and promote it as the one to use. During
a transition period, we will still allow the use of ':' for backwards
compatibility.
The manual page update comes from separate revision D49628. ':' has
been completely removed from it on purpose.
Reviewed by: bapt, manpages (ziaee)
MFC after: 5 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D49627
(cherry picked from commit f01d26dec67fb6597438ed765269b85d1099a6fa)
---
share/man/man4/mac_do.4 | 34 +++++++++++++++++-----------------
sys/security/mac_do/mac_do.c | 11 ++++++-----
2 files changed, 23 insertions(+), 22 deletions(-)
diff --git a/share/man/man4/mac_do.4 b/share/man/man4/mac_do.4
index 9a9f669cd51c..4c067205225c 100644
--- a/share/man/man4/mac_do.4
+++ b/share/man/man4/mac_do.4
@@ -75,9 +75,9 @@ and a
.Li Aq to
part
.Pq also called Dq target ,
-in this order, separated by a colon
-.Pq Ql ":" :
-.Dl Ao rule Ac \ ⟶\ Ao from Ac So ":" Sc Ao to Ac
+in this order, separated by a greater-than sign
+.Pq Ql > :
+.Dl Ao rule Ac \ ⟶\ Ao from Ac So > Sc Ao to Ac
.Ss Rule's Ao from Ac Part
The first part of a rule,
.Li Aq from ,
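Review bot: the manual page now documents '>' as the only separator, yet the parser change in this same commit keeps accepting ':' for a transition period. Since nothing in the page tells an administrator that existing ':'-style rules still work but are deprecated, consider adding one sentence after the new ".Dl Ao rule Ac \ ⟶\ Ao from Ac So > Sc Ao to Ac" line (or a HISTORY/BUGS entry) stating that ':' is accepted for backwards compatibility only and will be removed, so people can migrate their rule sets before the fallback goes away.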
@@ -347,32 +347,32 @@ as this path is currently not configurable.
Here are several examples of single rules matching processes having a real user
ID of 10001:
.Bl -tag -width indent
-.It Li uid=10001:uid=10002
+.It Li uid=10001>uid=10002
Allows the process to switch any of its real, effective or saved user ID to
10002, but keeping the groups it is already in, and with the same
primary/supplementary groups split.
-.It Li uid=10001:uid=10002,uid=10003
+.It Li uid=10001>uid=10002,uid=10003
Same as the first example, but also allows to switch to UID 10003 instead of
10002.
-.It Li uid=10001:uid=10002,gid=10002
+.It Li uid=10001>uid=10002,gid=10002
Same as the first example, but the new primary groups must be set to 10002 and
no supplementary groups should be set.
-.It Li uid=10001:uid=10002,gid=10002,+gid=.\&
+.It Li uid=10001>uid=10002,gid=10002,+gid=.\&
Same as the previous example, but in addition allowing to retain any current
supplementary groups.
-.It Li uid=10001:uid=10002,gid=10002,!gid=.\&
+.It Li uid=10001>uid=10002,gid=10002,!gid=.\&
Same as the previous example, but with the additional constraint that all
current supplementary groups must be kept.
-.It Li uid=10001:uid=10002,gid=10002,+gid=.,-gid=10001
+.It Li uid=10001>uid=10002,gid=10002,+gid=.,-gid=10001
Same as
-.Ql uid=10001:uid=10002,gid=10002,+gid=.\&
+.Ql uid=10001>uid=10002,gid=10002,+gid=.\&
above, but 10001 cannot be retained as a supplementary group.
-.It Li uid=10001:uid=10002,gid=10002,+gid=.,!gid=10003
+.It Li uid=10001>uid=10002,gid=10002,+gid=.,!gid=10003
Same as
-.Ql uid=10001:uid=10002,gid=10002,+gid=.\&
+.Ql uid=10001>uid=10002,gid=10002,+gid=.\&
above, with the additional constraint that 10003 must appear in the
supplementary groups.
-.It Li uid=10001:uid=10002,gid=*,+gid=*
+.It Li uid=10001>uid=10002,gid=*,+gid=*
Same as the first example, but lifting any constraints on groups, allowing the
process to become part of any groups it sees fit.
.El
@@ -380,17 +380,17 @@ process to become part of any groups it sees fit.
Here are several examples of single rules matching processes having a real group
ID of 10001:
.Bl -tag -width indent
-.It Li gid=10001:uid=0
+.It Li gid=10001>uid=0
Makes 10001 a more powerful
.Ql wheel
group, allowing its members to switch to root without password.
-.It Li gid=10001:gid=10002
+.It Li gid=10001>gid=10002
Allows the process to enter GID 10002 as a primary group, but only if
giving up all its supplementary groups.
-.It Li security.mac.do.rules=gid=10001:gid=10002,+gid=.\&
+.It Li security.mac.do.rules=gid=10001>gid=10002,+gid=.\&
Same as the previous example, but allows to retain any current supplementary
groups.
-.It Li gid=10001:gid=10002,!gid=.\&
+.It Li gid=10001>gid=10002,!gid=.\&
Same as the previous example, but with the additional constraint that all
current supplementary groups must be kept.
.El
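Review bot: the "security.mac.do.rules=gid=10001>gid=10002,+gid=.\&" entry is the only example written as a sysctl assignment, and with '>' as the new separator an unquoted value typed at a sysctl(8) command line is parsed by the shell as output redirection: "sysctl security.mac.do.rules=gid=10001>gid=10002,+gid=." would set the rule to "gid=10001" and send the output to a file named "gid=10002,+gid=.". Suggest showing the value quoted in this example, or adding a sentence that the rule string must be quoted whenever it passes through a shell; this did not matter with ':' and is easy to miss.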
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
index 7bd3e2294798..a83c194b24ae 100644
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -891,7 +891,7 @@ parse_single_rule(char *rule, struct rules *const rules,
goto einval;
}
- from_id = strsep_noblanks(&rule, ":");
+ from_id = strsep_noblanks(&rule, ":>");
if (is_null_or_empty(from_id)) {
make_parse_error(parse_error, 0, "No ID specified.");
goto einval;
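Review bot: passing the delimiter set ":>" to strsep_noblanks() accepts both separators but discards which one was used (strsep() overwrites the matched delimiter with a NUL), so the transition period described in the commit message cannot emit any deprecation diagnostic for ':'. If the intent is to remove ':' later, consider recording the separator before the call, e.g. "const char sep = rule[strcspn(rule, ":>")];", and printing a one-line warning when sep == ':' so administrators learn that their rules need updating before the old form stops parsing.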
@@ -991,8 +991,9 @@ einval:
* to point to a 'struct parse_error' giving an error message for the problem,
* else '*parse_error' is set to NULL.
*
- * Expected format: A semi-colon-separated list of rules of the form
- * "<from>:<target>". The <from> part is of the form "<type>=<id>" where <type>
+ * Expected format: A >-colon-separated list of rules of the form
+ * "<from>><target>" (for backwards compatibility, a semi-colon ":" is accepted
+ * in place of '>'). The <from> part is of the form "<type>=<id>" where <type>
* is "uid" or "gid", <id> an UID or GID (depending on <type>) and <target> is
* "*", "any" or a comma-separated list of '<flags><type>=<id>' clauses (see the
* comment for parse_single_rule() for more details). For convenience, empty
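Review bot: the reworded "Expected format" text is incorrect on two counts. The list of rules is still separated by ';' (that part of the grammar did not change and the examples below still use it), so "A >-colon-separated list of rules" should remain "A semi-colon-separated list of rules"; only the <from>/<target> separator became '>'. And ':' is a colon, not a semi-colon, so the parenthetical should read "(for backwards compatibility, a colon ':' is accepted in place of '>')". As written, the comment would lead a reader to try '>' between rules, which the parser does not accept.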
@@ -1002,8 +1003,8 @@ einval:
* allowed between '<flags>' and '<type>').
*
* Examples:
- * - "uid=1001:uid=1010,gid=1010;uid=1002:any"
- * - "gid=1010:gid=1011,gid=1012,gid=1013"
+ * - "uid=1001>uid=1010,gid=1010;uid=1002>any"
+ * - "gid=1010>gid=1011,gid=1012,gid=1013"
*/
static int
parse_rules(const char *const string, struct rules **const rulesp,