mac_do: add a new MAC/do policy and mdo(1) utility

This policy enables a user to become another user without having to be root (hence no setuid binary). it is configured via rules using sysctl security.mac.do.rules For example: security.mac.do.rules=uid=1001:80,gid=0:any The above rule means the user identifier by the uid 1001 is able to become user 80 Any user of the group 0 are allowed to become any user on the system. The mdo(1) utility expects the MAC/do policy to be installed and its rules defined. Reviewed by: des Differential Revision: https://reviews.freebsd.org/D45145
mcusim · May 22, 2024 · 8aac90f · 8aac90f
1 parent ac4ddc4
commit 8aac90f
Show file tree

Hide file tree

Showing 9 changed files with 757 additions and 0 deletions.
diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
@@ -297,6 +297,7 @@ MAN=	aac.4 \
 	mac_biba.4 \
 	mac_bsdextended.4 \
 	mac_ddb.4 \
+	mac_do.4 \
 	mac_ifoff.4 \
 	mac_ipacl.4 \
 	mac_lomac.4 \

diff --git a/share/man/man4/mac_do.4 b/share/man/man4/mac_do.4
@@ -0,0 +1,78 @@
+.\"-
+.\" Copyright (c) 2024 Baptiste Daroussin <bapt@FreeBSD.org>
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.Dd May 22, 2024
+.Dt MAC_DO 4
+.Os
+.Sh NAME
+.Nm mac_do
+.Nd "policy allowing user to execute program as another user"
+.Sh SYNOPSIS
+To compile the
+.Nm
+policy into your kernel, place the following lines
+in your kernel configruation file:
+.Bd -ragged -offset indent
+.Cd "options MAC"
+.Cd "options MAC_DO"
+.Ed
+.Sh DESCRIPTION
+The
+.Nm
+policy grants users the ability to run processs as other users
+according to predefined rules.
+.Pp
+The exact set of kernel privileges granted are:
+.Bl -inset -compact -offset indent
+.It Dv PRIV_CRED_SETGROUPS
+.It Dv PRIV_CRET_SETUID
+.El
+.Pp
+The following
+.Xr sysctl 8
+MIBs are available:
+.Bl -tag -width indent
+.It Va security.mac.do.enabled
+Enable the
+.Nm
+policy.
+(Default: 1).
+.It Va security.mac.do.rules
+The set of rules.
+.El
+.Pp
+The rules consist of a list of elements separated by
+.So , Sc .
+Each element is of the form
+.Sm off
+.Do
+.Op Cm uid | Cm gid
+.Li =
+.Ar fid
+.Li :
+.Ar tid
+.Dc
+.Sm on .
+Where
+.Ar fid
+is the uid or gid of the user or group the rule applies to, and
+.Ar tid
+is the uid of the targetted user.
+Two special forms are accepted for
+.Ar tid :
+.Va any
+or
+.Va * ,
+which allow to target any user.
+.Sh EXAMPLES
+The following rule:
+.Pp
+.Dl security.mac.do.rules=uid=1001:80,gid=0:any
+.Pp
+means the user with the uid 1001 can execute processes as user with uid 80,
+all the users which belongs to the group gid 0 can execute processes as any user.
+.Sh SEE ALSO
+.Xr mac 4 ,
+.Xr mdo 1
diff --git a/sys/modules/Makefile b/sys/modules/Makefile
@@ -226,6 +226,7 @@ SUBDIR=	\
 	${_mac_biba} \
 	${_mac_bsdextended} \
 	${_mac_ddb} \
+	${_mac_do} \
 	${_mac_ifoff} \
 	${_mac_ipacl} \
 	${_mac_lomac} \
@@ -587,6 +588,7 @@ _mac_bsdextended= mac_bsdextended
 .if ${KERN_OPTS:MDDB} || defined(ALL_MODULES)
 _mac_ddb=	mac_ddb
 .endif
+_mac_do=	mac_do
 _mac_ifoff=	mac_ifoff
 _mac_ipacl=	mac_ipacl
 _mac_lomac=	mac_lomac

diff --git a/sys/modules/mac_do/Makefile b/sys/modules/mac_do/Makefile
@@ -0,0 +1,6 @@
+.PATH: ${SRCTOP}/sys/security/mac_do
+
+KMOD=	mac_do
+SRCS=	mac_do.c vnode_if.h
+
+.include <bsd.kmod.mk>