From nobody Thu Jan 9 10:58:23 2025 X-Original-To: dev-commits-doc-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YTMG72l48z5kZWC for ; Thu, 09 Jan 2025 10:58:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YTMG71X8gz4jvv; Thu, 9 Jan 2025 10:58:23 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1736420303; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=21gsyP69rKUMAgqi2aSo+u7DAerCKF65a16dC9Vzvb8=; b=EhOltQOmXJscCBfvbXOiHmyzB9ZlVHKmPw4yaGFyLXGIFrzsLTYS43S3snTa/JhcuIm0Fm tIbCbGFl6zqeooTwQFrsNAfVlrRTYAwYpmllhJbF4nFdbgA4lMRbMpqO8FYSCzmJ4gERrP o+TMUjGgn+JH0RLXRUYKlhi0Hiz1+zPVRzpwKkOKQk4Q6EZKYi41qTXI0wXNVAGZ41LHzL d6YjwrSnZIGH028UyLEnLOIDcO2CU9thycXmsUTbUAnbUn2iz8h9tBOd8GLBIIAcQ/DZEM 82XblreGPqOr5ia/UhJKT6mU5xuUGss0tIIGoH0c+58ImIcEtdqa6WeiLz4iiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1736420303; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=21gsyP69rKUMAgqi2aSo+u7DAerCKF65a16dC9Vzvb8=; b=rnF8hTidJfuc6fM2h0vrE8Za+HFFb7xiBTSKHZc4JAYzaEuHqbvigNSj9+UYOomjEMKwi1 Z6U8tQMhOMIqZ9SfL9AbcGETmbPAZ+AjYtLpAyN5G2DT6bdIWDS5+Cwicj3Nvlj7GbfWfj xwNDLavBYZv4eGsJE3ULf3ZybONuomuekqr/QZ5Ymc79q3N4v5PBdETxHIzCnRSX5SPGOH 0TcAsoakwgqg8ZncXL/rWuVtRns70VqS49QEIdZCDDCYbLRy+rsbzq2W8DOYGzqy2B/X1y 6Qmsx8pbQcBKfjCSnXMLpTU6Mndt6l6sVCFYu7KJKbSvWnr2OBxtLmHAObzHoA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1736420303; a=rsa-sha256; cv=none; b=pYGc3rXCSvbsOHLvgwJ2e2aU22FuR5alpwoXdn45NsoJQut2Myy2UYBOxH8dC1A+4+mxCz dq77kuXv3wBoXwo5QprfEgQopXNHuHYnrO3ocBo0y76F4FSi81EVrocKYDdzag6aIQVNvT G2Om+a02EMQ81jYX5sKPDNHNrShYxcHwZRkpf9nzM4MISP8lX6wmpDqw+ZymqGdJD+02Ns 5IJUWyhNS814Pu28S3aC0EivaT0pUBkTV3BPHgDkgNDvPrNywVOB2yFq5ajj5uToH0jJLs cHEUPoUssff1zmXaexTBJtbtlvLIYikfeZZWiTERCscwpUiQwzaEqcxbljSKxQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4YTMG70yXMz7rg; Thu, 09 Jan 2025 10:58:23 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 509AwNOc096595; Thu, 9 Jan 2025 10:58:23 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 509AwNu6096592; Thu, 9 Jan 2025 10:58:23 GMT (envelope-from git) Date: Thu, 9 Jan 2025 10:58:23 GMT Message-Id: <202501091058.509AwNu6096592@gitrepo.freebsd.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org From: Lorenzo Salvadore Subject: git: 3af5c7415b - main - Status/2024Q4/mac_do.adoc: Add report List-Id: Commit messages for all branches of the doc repository List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-doc-all@freebsd.org Sender: owner-dev-commits-doc-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: salvadore X-Git-Repository: doc X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 3af5c7415b7bb60e80b71b988351de47d6bcdb39 Auto-Submitted: auto-generated The branch main has been updated by salvadore: URL: https://cgit.FreeBSD.org/doc/commit/?id=3af5c7415b7bb60e80b71b988351de47d6bcdb39 commit 3af5c7415b7bb60e80b71b988351de47d6bcdb39 Author: Olivier Certner AuthorDate: 2025-01-09 10:52:00 +0000 Commit: Lorenzo Salvadore CommitDate: 2025-01-09 10:52:13 +0000 Status/2024Q4/mac_do.adoc: Add report Reviewed by: status (Pau Amma ) Differential Revision: https://reviews.freebsd.org/D48136 --- .../en/status/report-2024-10-2024-12/mac_do.adoc | 44 ++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/website/content/en/status/report-2024-10-2024-12/mac_do.adoc b/website/content/en/status/report-2024-10-2024-12/mac_do.adoc new file mode 100644 index 0000000000..eac353656b --- /dev/null +++ b/website/content/en/status/report-2024-10-2024-12/mac_do.adoc @@ -0,0 +1,44 @@ +=== mac_do(4), setcred(2), mdo(1) + +Contact: Olivier Certner + +Contact: Baptiste Daroussin + +This project aims at allowing controlled process credentials transitions without using setuid executables but instead leveraging our MAC framework. +For an overall presentation, we refer the reader to the link:../report-2024-07-2024-09/#_mac_do4_setcred2_mdo1[previous quarter's report]. +As this is a progress report, we only recall the outline here. + +In a nutshell, this project comprises two components: + +* man:mac_do[4] is the kernel module that checks credentials transition requests and authorizes those that match rules configured by the administrator. +* man:mdo[1] is the userland program playing the role of a mediator between processes wanting to launch other processes with changed credentials and man:mac_do[4], whose function is to authorize only specific such changes. +man:setcred[2] is the new system call at the interface between them. +It enables userland to request various credentials changes atomically, allowing man:mac_do[4] to base its decision on the transition between the initial and desired final credentials. + +Both prerequisite commits and changes in MAC/do proper have been reviewed and all commits have finally been pushed to FreeBSD's main branch, including documentation in the form of a new manual page for man:setcred[2] and changes to the man:mac_do[4] one to match the new man:sysctl[8] knobs and rules syntax. + +Rules can now express finely which groups are allowed in the resulting credentials for a given UID or GID, notably making it possible to specify which target primary and supplementary groups the final credentials can, or must, or must not include. +Please consult man:mac_do[4] for a description of the new syntax and examples. + +Future work, in no particular order and timeframe, may include: + +* For the man:mac_do[4] component: +** Currently, it can only grant credentials transitions for processes spawned from the `/usr/bin/mdo` executable. + The possibility to tweak this path may be interesting for custom thin jail layouts. + The ability to have several such paths is one of the missing pieces to be able to use man:mac_do[4] in conjunction with other credentials-granting programs such as man:sudo[1] and man:doas[1]. +** man:mac_do[4] currently can only grant new credentials if they are requested via the new man:setcred[2], as it needs to see the current and desired final credentials to make a decision. + However, each call to traditional and standard credentials-changing functions, such as man:setuid[2], man:seteuid[2], etc., can be considered as a (limited) full transition on its own, which man:mac_do[4] could decide upon. + This functionality could allow to more finely control transitions to `root` and, combined with that of the previous point, to install and use credentials-granting programs without the "setuid" bit. + However, the full power of this new man:mac_do[4] module version cannot be harnessed without modifying these programs to use man:setcred[2]. +* For the man:mdo[1] component: +** The credentials transitions that can be requested are fairly limited compared to what man:mac_do[4]'s rules can allow. + It would be useful to make it possible to: +*** Specify any list of target groups (primary or supplementary), possibly based on user names (with the implicit list coming from the contents of [.filename]#/etc/passwd# and [.filename]#/etc/group#) but allowing some tweaks (such as excluding a particular group in the final credentials). +*** Allow changes of groups only. +*** Request a password before calling man:setcred[2] in certain cases. + This weakens the security paradigm of the man:mac_do[4]/man:mdo[1] combination, as it would now rely on userland for part of the gating process, but seems acceptable in many cases. +*** Grow a mode producing the target part of rules corresponding to the contents of the password and group databases for some users. + +We welcome any feedback on this new version and the future-work list above. + +Sponsor: The FreeBSD Foundation + +Sponsor: Kumacom SARL