diff --git a/website/content/en/status/report-2025-07-2025-09/mac_do.adoc b/website/content/en/status/report-2025-07-2025-09/mac_do.adoc new file mode 100644 index 0000000000..8c29e839b9 --- /dev/null +++ b/website/content/en/status/report-2025-07-2025-09/mac_do.adoc @@ -0,0 +1,22 @@ +=== mac_do(4) and mdo(1) Improvements + +Links: + +link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[Wiki page] URL: link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[] + +Contact: Kushagra Srivastava + +As part of Google Summer of Code 2025, I worked on two related sub-projects in the FreeBSD Project: kernel improvements to man:mac_do[4] and userland enhancements to man:mdo[1]. + +mac_do is a kernel MAC security module that allows controlled credential transitions without requiring setuid binaries. The project extended it in two key ways: + +* **Per-jail configuration of authorized executables** – administrators can now specify a list of executables per-jail, permitted to request credential transitions, instead of being limited to the hardcoded [.filename]#/usr/bin/mdo#. +* **Support for traditional credential-changing syscalls** – transitions requested via man:setuid[2], man:setgid[2], man:setgroups[2], and related functions are now intercepted and authorized through mac_do, in addition to the original man:setcred[2] mechanism. + +On the userland side, the companion tool man:mdo[1] was extended to: + +* Allow explicit UID/GID overrides, fine-grained group management (`-g`, `-G`, `-s` options), and improved credential parsing. +* Provide a `--print-rule` option to display the corresponding mac_do rule for a requested transition. + +Together, these improvements make mac_do and mdo far more flexible and practical, enabling safer privilege transitions without relying on setuid executables and with strong jail integration. + +Sponsor: Google LLC (Google Summer of Code 2025)