Date:      Tue, 4 Jun 2024 14:47:50 +0000
From:      Nicolas MASSE <Nicolas.MASSE@stormshield.eu>
To:        "freebsd-hackers@FreeBSD.org" <freebsd-hackers@FreeBSD.org>
Subject:   Generic module for managing access through the mac framework
Message-ID:  <3b62d55d66101bebd504a65f9b2706ab40edb712.camel@stormshield.eu>

Hello,


At my company, we are working on a generic mac module. Its purpose is to grant some users a set of privileges in order to run their services.

For example, it can be configured in order to allow the ntp user to set the system clock (PRIV_CLOCK_SETTIME), or allow a process to change its user or groups (PRIV_CRED_SET[UID|GID|GROUPS]), restricting them to some allowed values.

After reading the discussions around the mac_do module, I was wondering if other people could be interested in such a more generic module.

Even though it doesn't do the exact same thing, it still has a lot in common with mac_do while extending its capabilities.


So far, it is still a work in progress so we don't have code to share yet. Though I think it'd be interesting to speak about the idea.

I can explain further how we plan to do this if any of you is interested.


Regards,
Nicolas Masse

