=== mac_do(4) and mdo(1) Improvements

Links: +
link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[Wiki page] URL: link:https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements[] +
link:https://cgit.freebsd.org/src/commit/?id=3ca1e69028ac[Commit to mdo(1) enabling fine-grained credentials transition requests] URL: https://cgit.freebsd.org/src/commit/?id=3ca1e69028ac

Contact: Kushagra Srivastava +
Contact: Olivier Certner

The man:mac_do[4]/man:mdo[1] project aims to allow controlled process credentials transitions without using setuid executables, leveraging our MAC framework instead.
For more information, please consult the associated manual pages as well as previous status reports from link:../report-2024-07-2024-09/#_mac_do4_setcred2_mdo1[T3 2024] and link:../report-2024-10-2024-12/#_mac_do4_setcred2_mdo1[T4 2024].

As part of Google Summer of Code 2025, Kushagra worked on extending man:mac_do[4] (kernel) and man:mdo[1] (userland).

Worked-on man:mac_do[4] features:

* Per-jail configuration of authorized executables: Allow administrators to specify a per-jail list of executables that are permitted to request credential transitions, instead of being limited to the hardcoded [.filename]#/usr/bin/mdo#.
* Support for traditional credential-changing system calls: Allow man:mac_do[4] to assess calls to man:setuid[2], man:setgid[2], man:setgroups[2], and related functions as full credentials transitions on their own.

Worked-on new man:mdo[1] features:

* Allow finely specifying target groups (`-g`, `-G`, `-s` options), inheriting from current credentials or those of some user in the password and group databases, and explicitly overriding any user and group IDs and supplementary groups.
* Provide a `--print-rule` option to switch to a mode that displays an example of the target part of a rule that would match the requested credentials.

Of these, the change adding fine-grained credentials transition requests to man:mdo[1] has been committed and will appear in 15.0 and 14.4.
The others will most probably land in stable/14 before 14.4, but seem unlikely to appear in 15.0 as they need more review and some amendments.

Together, these improvements will make man:mac_do[4] and man:mdo[1] more flexible and practical, enabling safer credentials transitions without relying on setuid executables and with strong jail integration.

Sponsor: Google LLC (Google Summer of Code 2025) +
Sponsor: The FreeBSD Foundation