[Bug 290140] mdo(1) and mac_do(4) not working on 15ALPHA5

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 11 Oct 2025 03:55:40 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290140

            Bug ID: 290140
           Summary: mdo(1) and mac_do(4) not working on 15ALPHA5
           Product: Base System
           Version: 15.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: 0x1eef@protonmail.com

My system:

FreeBSD orca.home.network 15.0-ALPHA5-HBSD FreeBSD 15.0-ALPHA5-HBSD HARDENEDBSD amd64

My environment:

HEAD is e504946ee119c4bd3940bea798bd47e85b0a25d0

Problem:

The mac_do man page suggests that we separate the source and target parts of a
rule with the > character. Let's try that:

root@orca:~ # sysctl security.mac.do.rules=uid=1001>uid=0,gid=0
sysctl: security.mac.do.rules=uid=1001: Invalid argument

Hm. Doesn't work. But the old syntax does work:

root@orca:~ # sysctl security.mac.do.rules=uid=1001:uid=0,gid=0
security.mac.do.rules: uid=1001:uid=0,gid=0 -> uid=1001:uid=0,gid=0

Now let's try to use mdo as a user with id 1001.

 0x1eef at orca.home.network [~] % id
uid=1001(0x1eef) gid=1001(0x1eef)
groups=0(wheel),1001(0x1eef),1002(_sourcezap),1003(_portzap)
 0x1eef at orca.home.network [~] % mdo -u root ls
mdo: setcred(): Operation not permitted

I would have expected the command to work, given the rule that has been set. 

 0x1eef at orca.home.network [~] % sysctl -a | grep security.mac.do
security.mac.do.rules: uid=1001:uid=0,gid=0
security.mac.do.print_parse_error: 1
security.mac.do.enabled: 1

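An added check, not part of the bug report: the error line `sysctl: security.mac.do.rules=uid=1001: Invalid argument` shows that sysctl received a rule cut off at the `>`, because to the shell an unquoted `>` is a redirection operator rather than part of the argument. The POSIX sh script below uses a shell function named `sysctl` as a stand-in for sysctl(8), so it runs without mac_do(4) loaded, and reports which argument the command actually received and which stray file the redirection created, for the unquoted and the quoted form of the rule.

```shell
#!/bin/sh
# Added example, not from the bug report. A shell function stands in for
# sysctl(8): it records its arguments in $ARGV_FILE instead of touching
# any kernel state, so the script is safe to run anywhere.
sysctl() { printf '%s\n' "$@" >"$ARGV_FILE"; }

# run_cmdline CMDLINE
# Evaluates CMDLINE in a scratch directory the way an interactive shell
# would, then prints two lines: the first argument the stand-in received,
# and the name of any file the shell created via a redirection (empty if
# none). An unquoted '>' splits the rule and creates such a stray file.
run_cmdline() {
    tmp=$(mktemp -d) || return 1
    ARGV_FILE="$tmp/argv"
    ( cd "$tmp" && eval "$1" )
    sed -n '1p' "$tmp/argv"
    stray=""
    for f in "$tmp"/*; do
        [ "$f" = "$ARGV_FILE" ] && continue
        stray=$(basename "$f")
    done
    printf '%s\n' "$stray"
    rm -rf "$tmp"
}

received_arg() { run_cmdline "$1" | sed -n '1p'; }  # what sysctl got
stray_file()   { run_cmdline "$1" | sed -n '2p'; }  # file created by '>'

# Unquoted, as typed in the report: the rule is truncated at '>'.
received_arg 'sysctl security.mac.do.rules=uid=1001>uid=0,gid=0'
stray_file   'sysctl security.mac.do.rules=uid=1001>uid=0,gid=0'
# Quoted: the whole rule reaches sysctl and no file is created.
received_arg "sysctl 'security.mac.do.rules=uid=1001>uid=0,gid=0'"
stray_file   "sysctl 'security.mac.do.rules=uid=1001>uid=0,gid=0'"
```

Whether the `>` separator is then accepted by the mac_do(4) parser is a separate question that only a quoted argument can answer.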