Generic module for managing access through the mac framework

From: Nicolas MASSE <Nicolas.MASSE_at_stormshield.eu>
Date: Tue, 04 Jun 2024 14:47:50 UTC
Hello,


At my company, we are working on a generic mac module. Its purpose is to grant some users a set of privileges in order to run their services.

For example, it can be configured in order to allow the ntp user to set the system clock (PRIV_CLOCK_SETTIME), or allow a process to change its user or groups (PRIV_CRED_SET[UID|GID|GROUPS), restricting them to some allowed values.

After reading the discussions around the mac_do module, I was wondering if other people could be interested in such a more generic module.

Even though it doesn't do the exact same thing, it still has a lot in common with mac_do while extending its capabilities.


So far, it is still a work in progress so we don't have code to share yet. Though I think it'd be interesting to speak about the idea.

I can explain further how we plan to do this if any of you is interested.


Regards,
Nicolas Masse