Status/2025Q3/mac_do.adoc: Add report

Pull Request:	#552

Author: Kushagra Srivastava

website/content/en/status/report-2025-07-2025-09/mac_do.adoc

@@ -0,0 +1,22 @@
+=== mac_do(4) and mdo(1) Improvements
+
+Links: +
+link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[Wiki page] URL: link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[]
+
+Contact: Kushagra Srivastava <thesynthax@FreeBSD.org>
+
+As part of Google Summer of Code 2025, I worked on two related sub-projects in the FreeBSD Project: kernel improvements to man:mac_do[4] and userland enhancements to man:mdo[1].
+
+mac_do is a kernel MAC security module that allows controlled credential transitions without requiring setuid binaries. The project extended it in two key ways:
+
+* **Per-jail configuration of authorized executables** – administrators can now specify a list of executables per-jail, permitted to request credential transitions, instead of being limited to the hardcoded [.filename]#/usr/bin/mdo#.
+* **Support for traditional credential-changing syscalls** – transitions requested via man:setuid[2], man:setgid[2], man:setgroups[2], and related functions are now intercepted and authorized through mac_do, in addition to the original man:setcred[2] mechanism.
+
+On the userland side, the companion tool man:mdo[1] was extended to:
+
+* Allow explicit UID/GID overrides, fine-grained group management (`-g`, `-G`, `-s` options), and improved credential parsing.
+* Provide a `--print-rule` option to display the corresponding mac_do rule for a requested transition.
+
+Together, these improvements make mac_do and mdo far more flexible and practical, enabling safer privilege transitions without relying on setuid executables and with strong jail integration.
+
+Sponsor: Google LLC (Google Summer of Code 2025)