1.\"- 2.\" Copyright (c) 2024 Baptiste Daroussin <bapt@FreeBSD.org> 3.\" 4.\" SPDX-License-Identifier: BSD-2-Clause 5.\" 6.Dd May 22, 2024 7.Dt MAC_DO 4 8.Os 9.Sh NAME 10.Nm mac_do 11.Nd "policy allowing user to execute program as another user" 12.Sh SYNOPSIS 13To compile the 14.Nm 15policy into your kernel, place the following lines 16in your kernel configruation file: 17.Bd -ragged -offset indent 18.Cd "options MAC" 19.Cd "options MAC_DO" 20.Ed 21.Sh DESCRIPTION 22The 23.Nm 24policy grants users the ability to run processs as other users 25according to predefined rules. 26.Pp 27The exact set of kernel privileges granted are: 28.Bl -inset -compact -offset indent 29.It Dv PRIV_CRED_SETGROUPS 30.It Dv PRIV_CRED_SETUID 31.El 32.Pp 33The following 34.Xr sysctl 8 35MIBs are available: 36.Bl -tag -width indent 37.It Va security.mac.do.enabled 38Enable the 39.Nm 40policy. 41(Default: 1). 42.It Va security.mac.do.rules 43The set of rules. 44.El 45.Pp 46The rules consist of a list of elements separated by 47.So , Sc . 48Each element is of the form 49.Sm off 50.Do 51.Op Cm uid | Cm gid 52.Li = 53.Ar fid 54.Li : 55.Ar tid 56.Dc 57.Sm on . 58Where 59.Ar fid 60is the uid or gid of the user or group the rule applies to, and 61.Ar tid 62is the uid of the targetted user. 63Two special forms are accepted for 64.Ar tid : 65.Va any 66or 67.Va * , 68which allow to target any user. 69.Sh EXAMPLES 70The following rule: 71.Pp 72.Dl security.mac.do.rules=uid=1001:80,gid=0:any 73.Pp 74means the user with the uid 1001 can execute processes as user with uid 80, 75all the users which belongs to the group gid 0 can execute processes as any user. 76.Sh SEE ALSO 77.Xr mdo 1 , 78.Xr mac 4 79