From nobody Fri Nov 28 13:22:55 2025
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Olivier Certner
Subject: git: 8bbac42f4b - main - releases/15.0R/relnotes: Expand coverage of mac_do(4)/mdo(1)
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
X-BeenThere: dev-commits-doc-all@freebsd.org
Sender: owner-dev-commits-doc-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: olce
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 8bbac42f4b770c180f322c9418604d278c197fbd
Auto-Submitted: auto-generated
Date: Fri, 28 Nov 2025 13:22:55 +0000
Message-Id: <6929a22f.2280a.11f9411a@gitrepo.freebsd.org>

The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/doc/commit/?id=8bbac42f4b770c180f322c9418604d278c197fbd

commit 8bbac42f4b770c180f322c9418604d278c197fbd
Author:     Olivier Certner
AuthorDate: 2025-11-28 10:18:29 +0000
Commit:     Olivier Certner
CommitDate: 2025-11-28 10:25:41 +0000

    releases/15.0R/relnotes: Expand coverage of mac_do(4)/mdo(1)

    All important messages should be conveyed now.

    Use a less telegraphic style for first sentences.

    Fix pre-existing commit hashes (they pointed to MFC commits to stable/14).

    While here, in the changed paragraphs, fix punctuation around the commit
    links and "Sponsored by The FreeBSD Foundation" lines, though, comparing
    with release notes for 14.0 and 13.0, this may not be the final style we
    want, and anyway the whole file will have to be revised for uniformity.
---
 website/content/en/releases/15.0R/relnotes.adoc | 52 ++++++++++++++++++-------
 1 file changed, 37 insertions(+), 15 deletions(-)

diff --git a/website/content/en/releases/15.0R/relnotes.adoc b/website/content/en/releases/15.0R/relnotes.adoc
index a5c5212624..401e429fe5 100644
--- a/website/content/en/releases/15.0R/relnotes.adoc
+++ b/website/content/en/releases/15.0R/relnotes.adoc
@@ -620,21 +620,42 @@ gitref:355f02cddbf0[repository=src]. A new common 'mac' node for MAC modules' jail parameters has been created. All future MAC modules' jail parameters will appear under this node. See man:mac[4] for an introduction to MAC. -To be used by man:mac_do[4]. -gitref:5041b20503db[repository=src] +First consumer is man:mac_do[4]. +gitref:5041b20503db[repository=src], gitref:f3a06ced2568[repository=src] (Sponsored by The FreeBSD Foundation.) -New `setcred()` system call and associated MAC hooks. -This new system call allows to set all necessary credentials of a process in one go: Effective, real and saved UIDs, effective, real and saved GIDs, supplementary groups and the MAC label. -Its advantage over standard credential-setting system calls (such as `setuid()`, `seteuid()`, etc.) is that it enables MAC modules, such as man:mac_do[4], to restrict the set of credentials some process may gain in a fine-grained manner. -gitref:c1d7552dddb5[repository=src]. -(Sponsored by The FreeBSD Foundation). +man:mac_do[4] is now considered production-ready, after a number of important fixes. +gitref:bbf8af664dc9[repository=src], +gitref:292c814931d9[repository=src], +gitref:53d2e0d48549[repository=src], +gitref:add521c1a5d2[repository=src], +gitref:2a20ce91dc29[repository=src], +gitref:fa4352b74580[repository=src], +gitref:3d8d91a5b32c[repository=src], +gitref:8f7e8726e3f5[repository=src] +(Sponsored by The FreeBSD Foundation.) + +man:mac_do[4] now supports changing rules within jails with the `security.mac.do.rules` man:sysctl[8] knob. +gitref:b3f93680e39b[repository=src] +(Sponsored by The FreeBSD Foundation.) + +Introduce the man:setcred[2] system call and associated MAC hooks. +This new system call allows to set all necessary credentials of a process in one go: Effective, real and saved user IDs, effective, real and saved group IDs, supplementary groups and the MAC label. 
+Besides providing atomicity, its advantage over standard credentials-setting system calls, such as `setuid()`, `seteuid()`, etc., is that it enables MAC modules, such as man:mac_do[4], to restrict the set of credentials some process may gain in a fine-grained manner, as they can now see the final desired state and compare it with the initial one. +gitref:ddb3eb4efe55[repository=src] +(Sponsored by The FreeBSD Foundation.) Support multiple users and groups as single rule's targets in man:mac_do[4]. -Supporting group targets is a requirement for man:mac_do[4] to be able to enforce a limited set of valid new groups passed to `setgroups()`. -Additionally, it must be possible for this set of groups to also depend on the target UID, since users and groups are quite tied in UNIX (users are automatically placed in only the groups specified through '/etc/passwd' (primary group) and '/etc/group' (supplementary ones)). -gitref:83ffc412b2e9[repository=src]. -(Sponsored by The FreeBSD Foundation). +Supporting group targets is a requirement for man:mac_do[4] to be able to enforce a limited set of valid new groups in the target credentials and to allow group-only credentials transitions. +The allowed groups are tied to one or multiple user IDs. +Multiple users and groups in a rule's target part are treated as alternatives (inclusive disjunction), except for the clauses expressing the mandatory presence or absence of a supplementary group. +The rules syntax has been changed incompatibly. +Migrating existing rules is just a matter of adding `uid=` in front of the target part, substituting commas (`,`) with semi-colons (`;`) and colons (`:`) with greater-than signs (`>`). +Please consult the man:mac_do[4] manual page for more information. +gitref:83ffc412b2e9[repository=src], +gitref:8f7e8726e3f5[repository=src], +gitref:f01d26dec67f[repository=src] +(Sponsored by The FreeBSD Foundation.) Teach man:sysctl[8] to attach and run itself in a jail. 
This allows the parent jail to retrieve or set kernel state when child does not have man:sysctl[8] installed (for example light weighted OCI containers or slim jails). @@ -1019,16 +1040,17 @@ The STANDARDS and BUGS sections have been expanded. gitref:ddf144a04b53[repository=src] (Sponsored by The FreeBSD Foundation.) +The man:mac_do[4] manual page has been revamped as part of adding support for multiple users and groups as single rule's targets, which lead to changing the rules syntax. +In particular, it has grown a JAIL SUPPORT and SECURITY CONSIDERATIONS sections. +gitref:bc201841d139[repository=src] +(Sponsored by The FreeBSD Foundation.) + The existing content of the man:mdo[1] manual page has been enriched as part of documenting the new support for fully specifying all users and groups in the target credentials. It has now a longer introduction and a new SECURITY CONSIDERATIONS section. gitref:20ebb6ec5ac0[repository=src] (Sponsored by The FreeBSD Foundation.) (Sponsored by Google LLC (GSoC 2025).) -man:mac_do[4]: Change of rules syntax; Provide hints and pointers. -gitref:0c3357dfa18f[repository=src]. -(Sponsored by The FreeBSD Foundation). - man:firewire[4]: Add deprecation notice. This was originally discussed as part of FreeBSD 15 planning, but did not happen in time. Add the deprecation notice now, with an expectation that it will be removed before FreeBSD 16.
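Review bot: in the first hunk (@@ -620,21 +620,42 @@), gitref:8f7e8726e3f5[repository=src] is cited twice, once in the list of fixes that make man:mac_do[4] production-ready and again under the paragraph on multiple users and groups as rule targets; if that commit genuinely belongs to both items this is fine, but please confirm it is not a leftover from the hash correction described in the commit message. Wording in the same hunk: "This new system call allows to set all necessary credentials" should read "allows setting" (or "makes it possible to set"); the list after the colon should start lowercase ("effective, real and saved user IDs"); "credentials-setting system calls" should be "credential-setting", as in the removed text; and "semi-colons" is normally written "semicolons". Because the rules syntax "has been changed incompatibly", the migration sentence would serve administrators better with a one-line before/after rule and a statement of what happens to rules still written in the old syntax after the upgrade (rejected when loaded, or silently reinterpreted), since a rule that loads but means something else is the failure mode a reader of this note most needs to know about.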
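Review bot: in the second hunk (@@ -1019,16 +1040,17 @@), "which lead to changing the rules syntax" should be "which led to changing the rules syntax", and "it has grown a JAIL SUPPORT and SECURITY CONSIDERATIONS sections" pairs a singular article with a plural noun; suggest "it has gained JAIL SUPPORT and SECURITY CONSIDERATIONS sections". The removed paragraph cited gitref:0c3357dfa18f[repository=src] while the new one cites gitref:bc201841d139[repository=src]; that matches the commit message's note about MFC hashes, but please confirm the new hash is the main-branch commit, since the release notes are the reader's only pointer to the manual page change.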