Generic module for managing access through the mac framework
Date: Tue, 04 Jun 2024 14:47:50 UTC
Hello,

At my company, we are working on a generic mac module. Its purpose is to grant some users a set of privileges in order to run their services. For example, it can be configured in order to allow the ntp user to set the system clock (PRIV_CLOCK_SETTIME), or allow a process to change its user or groups (PRIV_CRED_SET[UID|GID|GROUPS]), restricting them to some allowed values.

After reading the discussions around the mac_do module, I was wondering if other people could be interested in such a more generic module. Even though it doesn't do the exact same thing, it still has a lot in common with mac_do while extending its capabilities.

So far, it is still a work in progress so we don't have code to share yet. Though I think it'd be interesting to speak about the idea. I can explain further how we plan to do this if any of you is interested.

Regards,
Nicolas Masse