Date: Fri, 28 Nov 2025 13:22:55 +0000
From: Olivier Certner <olce@FreeBSD.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
Subject: git: 8bbac42f4b - main - releases/15.0R/relnotes: Expand coverage of mac_do(4)/mdo(1)
Message-ID: <6929a22f.2280a.11f9411a@gitrepo.freebsd.org>
The branch main has been updated by olce: URL: https://cgit.FreeBSD.org/doc/commit/?id=8bbac42f4b770c180f322c9418604d278c197fbd commit 8bbac42f4b770c180f322c9418604d278c197fbd Author: Olivier Certner <olce@FreeBSD.org> AuthorDate: 2025-11-28 10:18:29 +0000 Commit: Olivier Certner <olce@FreeBSD.org> CommitDate: 2025-11-28 10:25:41 +0000 releases/15.0R/relnotes: Expand coverage of mac_do(4)/mdo(1) All important messages should be conveyed now. Use a less telegraphic style for first sentences. Fix pre-existing commit hashes (they pointed to MFC commits to stable/14). While here, in the changed paragraphs, fix punctuation around the commit links and "Sponsored by The FreeBSD Foundation" lines, though, comparing with release notes for 14.0 and 13.0, this may not be the final style we want, and anyway the whole file will have to be revised for uniformity. --- website/content/en/releases/15.0R/relnotes.adoc | 52 ++++++++++++++++++------- 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/website/content/en/releases/15.0R/relnotes.adoc b/website/content/en/releases/15.0R/relnotes.adoc index a5c5212624..401e429fe5 100644 --- a/website/content/en/releases/15.0R/relnotes.adoc +++ b/website/content/en/releases/15.0R/relnotes.adoc 
@@ -620,21 +620,42 @@ gitref:355f02cddbf0[repository=src]. A new common 'mac' node for MAC modules' jail parameters has been created. All future MAC modules' jail parameters will appear under this node. See man:mac[4] for an introduction to MAC. -To be used by man:mac_do[4]. -gitref:5041b20503db[repository=src] +First consumer is man:mac_do[4]. +gitref:5041b20503db[repository=src], gitref:f3a06ced2568[repository=src] (Sponsored by The FreeBSD Foundation.) -New `setcred()` system call and associated MAC hooks. -This new system call allows to set all necessary credentials of a process in one go: Effective, real and saved UIDs, effective, real and saved GIDs, supplementary groups and the MAC label. -Its advantage over standard credential-setting system calls (such as `setuid()`, `seteuid()`, etc.) is that it enables MAC modules, such as man:mac_do[4], to restrict the set of credentials some process may gain in a fine-grained manner. -gitref:c1d7552dddb5[repository=src]. -(Sponsored by The FreeBSD Foundation). +man:mac_do[4] is now considered production-ready, after a number of important fixes. +gitref:bbf8af664dc9[repository=src], +gitref:292c814931d9[repository=src], +gitref:53d2e0d48549[repository=src], +gitref:add521c1a5d2[repository=src], +gitref:2a20ce91dc29[repository=src], +gitref:fa4352b74580[repository=src], +gitref:3d8d91a5b32c[repository=src], +gitref:8f7e8726e3f5[repository=src] +(Sponsored by The FreeBSD Foundation.) + +man:mac_do[4] now supports changing rules within jails with the `security.mac.do.rules` man:sysctl[8] knob. +gitref:b3f93680e39b[repository=src] +(Sponsored by The FreeBSD Foundation.) + +Introduce the man:setcred[2] system call and associated MAC hooks. +This new system call allows to set all necessary credentials of a process in one go: Effective, real and saved user IDs, effective, real and saved group IDs, supplementary groups and the MAC label. 
+Besides providing atomicity, its advantage over standard credentials-setting system calls, such as `setuid()`, `seteuid()`, etc., is that it enables MAC modules, such as man:mac_do[4], to restrict the set of credentials some process may gain in a fine-grained manner, as they can now see the final desired state and compare it with the initial one. +gitref:ddb3eb4efe55[repository=src] +(Sponsored by The FreeBSD Foundation.) Support multiple users and groups as single rule's targets in man:mac_do[4]. -Supporting group targets is a requirement for man:mac_do[4] to be able to enforce a limited set of valid new groups passed to `setgroups()`. -Additionally, it must be possible for this set of groups to also depend on the target UID, since users and groups are quite tied in UNIX (users are automatically placed in only the groups specified through '/etc/passwd' (primary group) and '/etc/group' (supplementary ones)). -gitref:83ffc412b2e9[repository=src]. -(Sponsored by The FreeBSD Foundation). +Supporting group targets is a requirement for man:mac_do[4] to be able to enforce a limited set of valid new groups in the target credentials and to allow group-only credentials transitions. +The allowed groups are tied to one or multiple user IDs. +Multiple users and groups in a rule's target part are treated as alternatives (inclusive disjunction), except for the clauses expressing the mandatory presence or absence of a supplementary group. +The rules syntax has been changed incompatibly. +Migrating existing rules is just a matter of adding `uid=` in front of the target part, substituting commas (`,`) with semi-colons (`;`) and colons (`:`) with greater-than signs (`>`). +Please consult the man:mac_do[4] manual page for more information. +gitref:83ffc412b2e9[repository=src], +gitref:8f7e8726e3f5[repository=src], +gitref:f01d26dec67f[repository=src] +(Sponsored by The FreeBSD Foundation.) Teach man:sysctl[8] to attach and run itself in a jail. 
This allows the parent jail to retrieve or set kernel state when child does not have man:sysctl[8] installed (for example light weighted OCI containers or slim jails). @@ -1019,16 +1040,17 @@ The STANDARDS and BUGS sections have been expanded. gitref:ddf144a04b53[repository=src] (Sponsored by The FreeBSD Foundation.) +The man:mac_do[4] manual page has been revamped as part of adding support for multiple users and groups as single rule's targets, which lead to changing the rules syntax. +In particular, it has grown a JAIL SUPPORT and SECURITY CONSIDERATIONS sections. +gitref:bc201841d139[repository=src] +(Sponsored by The FreeBSD Foundation.) + The existing content of the man:mdo[1] manual page has been enriched as part of documenting the new support for fully specifying all users and groups in the target credentials. It has now a longer introduction and a new SECURITY CONSIDERATIONS section. gitref:20ebb6ec5ac0[repository=src] (Sponsored by The FreeBSD Foundation.) (Sponsored by Google LLC (GSoC 2025).) -man:mac_do[4]: Change of rules syntax; Provide hints and pointers. -gitref:0c3357dfa18f[repository=src]. -(Sponsored by The FreeBSD Foundation). - man:firewire[4]: Add deprecation notice. This was originally discussed as part of FreeBSD 15 planning, but did not happen in time. Add the deprecation notice now, with an expectation that it will be removed before FreeBSD 16.help
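Review bot: in the first hunk (@@ -620), the rewritten setcred paragraph carries over two grammatical slips from the removed text: "This new system call allows to set all necessary credentials" should read "allows setting" (or "makes it possible to set"), and "Effective" should not be capitalised after the colon; likewise "standard credentials-setting system calls" reads better as "credential-setting", and "First consumer is man:mac_do[4]." wants an article ("Its first consumer is man:mac_do[4]."). Separately, gitref:8f7e8726e3f5[repository=src] is cited both in the production-ready fixes list and in the multiple-users-and-groups paragraph; if it genuinely belongs to both, fine, otherwise drop one occurrence. Finally, the `security.mac.do.rules` paragraph says rules can now be changed within jails but not under which privilege; a short clause, or a pointer to the JAIL SUPPORT section of the manual page introduced in the second hunk, would help readers judge the trust boundary.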
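Review bot: in the second hunk (@@ -1019), "which lead to changing the rules syntax" should be "which led to", and "has grown a JAIL SUPPORT and SECURITY CONSIDERATIONS sections" mixes a singular article with a plural noun; suggest "has grown JAIL SUPPORT and SECURITY CONSIDERATIONS sections". The removed entry "man:mac_do[4]: Change of rules syntax; Provide hints and pointers." cited gitref:0c3357dfa18f[repository=src], which the new paragraph replaces with gitref:bc201841d139[repository=src]; since the commit message says the pre-existing hashes pointed at MFC commits to stable/14, it is worth confirming in the commit message that bc201841d139 is the main-branch counterpart of the same change rather than a different commit, so the syntax-change documentation stays traceable.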
