Skip to content

Status/2025Q3/mac_do.adoc: Add report #552

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
+23 −0
Closed

Status/2025Q3/mac_do.adoc: Add report #552

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions website/content/en/status/report-2025-07-2025-09/mac_do.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
[[gsoc25-macdo-mdo]]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We usually do not put labels at the beginning of reports. Please remove it unless you have some special need.

Suggested change
[[gsoc25-macdo-mdo]]

=== mac_do(4) and mdo(1) Improvements

Links: +
https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a different format for the links section. We need to explicitly use the link: prefix and to repeat it twice for technical reasons.

Suggested change
https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements
link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[Wiki page] URL: link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[]


Contact: Kushagra Srivastava <[email protected]>

As part of Google Summer of Code 2025, I worked on two related sub-projects in the FreeBSD Project: kernel improvements to `mac_do(4)` and userland enhancements to `mdo(1)`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a specific macro for man pages.

Suggested change
As part of Google Summer of Code 2025, I worked on two related sub-projects in the FreeBSD Project: kernel improvements to `mac_do(4)` and userland enhancements to `mdo(1)`.
As part of Google Summer of Code 2025, I worked on two related sub-projects in the FreeBSD Project: kernel improvements to man:mac_do[4] and userland enhancements to man:mdo[1].


`mac_do(4)` is a kernel MAC security module that allows controlled credential transitions without requiring setuid binaries. The project extended it in two key ways:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do not need to refer to the man page each single time.
We need to put one sentence per line.

Suggested change
`mac_do(4)` is a kernel MAC security module that allows controlled credential transitions without requiring setuid binaries. The project extended it in two key ways:
mac_do is a kernel MAC security module that allows controlled credential transitions without requiring setuid binaries.
The project extended it in two key ways:


* **Per-jail configuration of authorized executables** – administrators can now specify a list of executables per-jail, permitted to request credential transitions, instead of being limited to the hardcoded `/usr/bin/mdo`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a special syntax for filenames too.

Suggested change
* **Per-jail configuration of authorized executables** – administrators can now specify a list of executables per-jail, permitted to request credential transitions, instead of being limited to the hardcoded `/usr/bin/mdo`.
* **Per-jail configuration of authorized executables** – administrators can now specify a list of executables per-jail, permitted to request credential transitions, instead of being limited to the hardcoded [.filename]#/usr/bin/mdo#.

* **Support for traditional credential-changing syscalls** – transitions requested via `setuid(2)`, `setgid(2)`, `setgroups(2)`, and related functions are now intercepted and authorized through `mac_do(4)`, in addition to the original `setcred(2)` mechanism.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* **Support for traditional credential-changing syscalls** – transitions requested via `setuid(2)`, `setgid(2)`, `setgroups(2)`, and related functions are now intercepted and authorized through `mac_do(4)`, in addition to the original `setcred(2)` mechanism.
* **Support for traditional credential-changing syscalls** – transitions requested via man:setuid[2], man:setgid[2], man:setgroups[2], and related functions are now intercepted and authorized through mac_do, in addition to the original man:setcred[2] mechanism.


On the userland side, the companion tool `mdo(1)` was extended to:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
On the userland side, the companion tool `mdo(1)` was extended to:
On the userland side, the companion tool mdo was extended to:


* Allow explicit UID/GID overrides, fine-grained group management (`-g`, `-G`, `-s` options), and improved credential parsing.
* Provide a `--print-rule` option to display the corresponding `mac_do(4)` rule for a requested transition.

Together, these improvements make `mac_do(4)` and `mdo(1)` far more flexible and practical, enabling safer privilege transitions without relying on setuid executables and with strong jail integration.
Comment on lines +19 to +21
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Provide a `--print-rule` option to display the corresponding `mac_do(4)` rule for a requested transition.
Together, these improvements make `mac_do(4)` and `mdo(1)` far more flexible and practical, enabling safer privilege transitions without relying on setuid executables and with strong jail integration.
* Provide a `--print-rule` option to display the corresponding mac_do rule for a requested transition.
Together, these improvements make mac_do and mdo far more flexible and practical, enabling safer privilege transitions without relying on setuid executables and with strong jail integration.


Sponsor: Google LLC (Google Summer of Code 2025)