1.\"- 2.\" SPDX-License-Identifier: BSD-2-Clause 3.\" 4.\" Copyright (c) 2024 Baptiste Daroussin <bapt@FreeBSD.org> 5.\" Copyright (c) 2024 The FreeBSD Foundation 6.\" 7.\" Portions of this documentation were written by Olivier Certner 8.\" <olce@FreeBSD.org> at Kumacom SARL under sponsorship from the FreeBSD 9.\" Foundation. 10.\" 11.Dd December 19, 2024 12.Dt MAC_DO 4 13.Os 14.Sh NAME 15.Nm mac_do 16.Nd "policy allowing unprivileged users to change process credentials" 17.Sh SYNOPSIS 18To compile the 19.Sy mac_do 20policy into your kernel, place the following lines in your kernel configuration 21file: 22.Bd -ragged -offset indent 23.Cd "options MAC" 24.Cd "options MAC_DO" 25.Ed 26.Pp 27Alternately, to load this policy module at boot time, place the following line 28in your kernel configuration file: 29.Bd -ragged -offset indent 30.Cd "options MAC" 31.Ed 32.Pp 33and in 34.Xr loader.conf 5 : 35.Bd -literal -offset indent 36mac_do_load="YES" 37.Ed 38.Sh DESCRIPTION 39The 40.Nm 41policy module allows unprivileged users to change process credentials according 42to rules configured by the administrator. 43It supports per-jail configuration. 44.Pp 45Currently, the 46.Nm 47policy module only produces effects to processes spwaned from the 48.Pa /usr/bin/mdo 49executable, please see 50.Xr mdo 1 51for more details on this program. 52.Sh CREDENTIALS RULES 53Rules specify which transitions of process credentials 54.Nm 55will allow, based on current process credentials and the desired final ones. 56They are passed by an administrator in the form of a string having the specific 57syntax described below in a top-bottom manner. 58They have been designed to be able to finely describe the desired target 59credentials in a safe and compact way. 60.Ss Top-Level List of Rules 61At the top, rules are a possibly empty list of individual rules separated by 62a semi-colon 63.Pq Ql ";" : 64.Dl Ao rules Ac \ ⟶\ Oo Ao rule Ac Oo So ";" Sc Ao rule Ac Oc Ns * Oc 65They form a disjunction, i.e., 66.Nm 67authorizes a credentials transition as soon as at least one rule in the list 68matches. 69.Pp 70One rule is composed of a 71.Li Aq from 72part 73.Pq also called Dq match 74and a 75.Li Aq to 76part 77.Pq also called Dq target , 78in this order, separated by a colon 79.Pq Ql ":" : 80.Dl Ao rule Ac \ ⟶\ Ao from Ac So ":" Sc Ao to Ac 81.Ss Rule's Ao from Ac Part 82The first part of a rule, 83.Li Aq from , 84is matched against the credentials of the process requesting some credentials 85transition. 86It has the form: 87.Dl Ao from Ac \ ⟶\ Ao type Ac So = Sc Ao id Ac 88.Pp 89.Li Aq type 90must be: 91.Dl Ao type Ac \ ⟶\ Op So uid Sc | So gid Sc 92i.e., one of the literal strings 93.Ql uid 94or 95.Ql gid . 96.Li Aq id 97must be the numerical ID of a user or group, and is matched with the current 98process real ID of the corresponding type. 99.Ss Rule's Ao to Ac Part 100The second part of a rule, 101.Li Aq to , 102is a comma-separated 103.Pq Ql "," 104non-empty list of target clauses: 105.Dl Ao to Ac \ ⟶\ Ao target_clause Ac Oo So "," Sc Ao target_clause Ac Oc Ns * 106Target clauses of a given rule also form a disjunction, i.e., the IDs they 107specify are alternatives for the target credentials, except in some cases 108described below. 109.Pp 110The next subsections describe the syntax of target clauses, the defaults that 111apply and the principle of non-redundancy and non-contradiction in each rule's 112.Li Aq to 113part. 114.Ss Target Clauses 115A target clause in a rule's 116.Li Aq to 117part must be of one of the following forms: 118.Dl Ao target_clause Ac \ ⟶\ So any Sc 119.Dl Ao target_clause Ac \ ⟶\ Ao flags Ac Ao type Ac So = Sc Ao id Ac 120The first form is a compact way to specify that any target credentials are 121allowed. 122The second form is similar to that of 123.Li Aq from 124clauses, with the following extensions: 125.Bl -bullet -compact 126.It 127.Li Aq id 128may also be a literal 129.Ql * 130or 131.Ql any 132or 133.Ql "." . 134.Ql * 135and 136.Ql any 137both designate any ID for the specified 138.Li Aq type , 139and are treated identically. 140.Ql "." 141designates the process' current IDs for the specified 142.Li Aq type , 143as explained below. 144.It 145.Li Aq flags 146may contain at most one of the 147.Ql + , 148.Ql - 149and 150.Ql "!" 151characters, and may be non-empty only when 152.Li Aq type 153is 154.Ql gid . 155Additionally, if 156.Li Aq id 157is 158.Ql * 159or 160.Ql any , 161only the 162.Ql + 163flag may appear. 164.El 165.Pp 166For target clauses of 167.Ql gid 168type, an absence of flag indicates that the specified group ID is allowed as the 169real, effective and/or saved group IDs 170.Pq the Do primary Dc groups . 171Conversely, the presence of any allowed flag indicates that the specification 172concerns supplementary groups. 173Each flag has a specific meaning: 174.Bl -bullet -compact 175.It 176.Ql + 177indicates that the group ID is allowed as a supplementary group. 178.It 179.Ql "!" 180indicates that the group ID is mandatory, i.e., it must be listed in the 181supplementary groups. 182.It 183.Ql - 184indicates that the group ID must not be listed in the supplementary groups. 185.El 186A specification with 187.Ql - 188is only useful in conjunction with a 189.Ql + Ns 190-tagged specification where only one of them has 191.Ql "." 192as its 193.Li Aq id . 194Target clauses having the 195.Ql "!" 196or 197.Ql - 198flag are 199.Dq forcing 200clauses, and as such do not take part in the disjunction of the other 201target clauses but rather unconditionally apply in their rule. 202.Pp 203.Ql "." 204is a placeholder for IDs that the calling process already has on privilege 205check. 206For type 207.Ql uid , 208it designates any of the process' real, effective or 209saved user IDs. 210For type 211.Ql gid , 212its effect depends on whether flags are present. 213If none is present, it designates any of the process' real, effective or saved 214group IDs. 215If one is present, it designates any of the process' supplementary groups. 216.Ss Defaults for the Ao to Ac Part 217If the 218.Li Aq to 219part does not list a target clause with type 220.Ql uid , 221any of the current user IDs of the calling process is accepted. 222In other words, in this case, 223.Nm 224behaves as if a target clause of: 225.Dl uid=. 226had been listed. 227.Pp 228Similarly, if the 229.Li Aq to 230part does not list a target clause with type 231.Ql gid , 232all the groups of the calling process are assumed to be required. 233More precisely, each of the desired real, effective and saved group IDs must be 234one of the current real, effective or saved group ID, and all supplementary 235groups must be the same as those that are current. 236It is as if the 237.Li Aq to 238part had contained the following two clauses: 239.Dl gid=.,!gid=. 240.Ss Non-Redundancy and Non-Contradiction in a Ao to Ac Part 241No two target clauses of a single rule may express the exact same logical intent 242nor contradictory ones. 243.Pp 244In practice, no two clauses may display the same ID except for group IDs but 245only if, each time the same ID appears, it does so with a different flag, or no 246flags only once. 247Additionally, the specified flags in multiple occurences must not be 248contradictory. 249For example, the same group ID appearing with both 250.Ql + 251and 252.Ql - 253will cause rejection of the rule. 254.Ss Parsing Specifics 255Any amount of whitespace is allowed around tokens of the above grammar, except 256that there may be no spaces between 257.Li Aq flags 258and 259.Li Aq id 260in target clauses. 261.Pp 262For convenience, numerical IDs may be specified as negative integers, which are 263then converted to unsigned ones as specified in the C standard for the 264.Vt uid_t 265and 266.Vt gid_t 267types, which are both 64-bit unsigned integers. 268.Sh RUNTIME CONFIGURATION 269The following 270.Xr sysctl 8 271knobs are available: 272.Bl -tag -width indent 273.It Va security.mac.do.enabled 274Enable the 275.Nm 276policy. 277(Default: 1). 278.It Va security.mac.do.rules 279The list of credential rules, whose syntax is described in the 280.Sx CREDENTIALS RULES 281section above. 282This list is specific to each jail. 283Please see the 284.Sx JAIL SUPPORT 285section below for more details on the interaction of 286.Nm 287with jails. 288.It Va security.mac.do.print_parse_error 289Logs a message on trying to set incorrect rules via the 290.Va security.mac.do.rules 291.Xr sysctl 8 292knob. 293.El 294.Sh JAIL SUPPORT 295.Nm 296supports per-jail configuration of rules. 297.Pp 298By default, at creation, a new jail has no credentials rules, effectively 299disabling 300.Nm 301for its processes. 302.Pp 303The following jail parameters are defined: 304.Bl -tag -width indent 305.It Va mac.do 306Possible values are: 307.Bl -tag -width "'disable'" -compact 308.It Ql enable 309.Nm 310will enforce specific credential rules in the jail. 311The 312.Va mac.do.rules 313jail parameter must also be set in this case. 314.It Ql disable 315Disables 316.Nm 317in the jail. 318Strictly equivalent to jail creation's default behavior and to setting the rules 319to an empty string. 320.It Ql inherit 321The jail's credentials rules are inherited from the jail's parent 322.Pq which may themselves have been inherited . 323Modified rules propagate to all children jails configured for inheritance. 324.El 325.It Va mac.do.rules 326The credentials rules for the jail. 327It is always equal to the value that can be retrieved by the 328.Xr sysctl 8 329knob 330.Va security.mac.do.rules 331described in section 332.Sx RUNTIME CONFIGURATION . 333If set, and the jail parameter 334.Va mac.do 335is not so explicitly, the value of the latter will default to 336.Ql disable 337if empty, else to 338.Ql enable . 339.El 340.Pp 341Each jail must have 342.Xr mdo 1 343installed at path 344.Pa /usr/bin/mdo , 345as this path is currently not configurable. 346.Sh EXAMPLES 347Here are several examples of single rules matching processes having a real user 348ID of 10001: 349.Bl -tag -width indent 350.It Li uid=10001:uid=10002 351Allows the process to switch any of its real, effective or saved user ID to 35210002, but keeping the groups it is already in, and with the same 353primary/supplementary groups split. 354.It Li uid=10001:uid=10002,uid=10003 355Same as the first example, but also allows to switch to UID 10003 instead of 35610002. 357.It Li uid=10001:uid=10002,gid=10002 358Same as the first example, but the new primary groups must be set to 10002 and 359no supplementary groups should be set. 360.It Li uid=10001:uid=10002,gid=10002,+gid=.\& 361Same as the previous example, but in addition allowing to retain any current 362supplementary groups. 363.It Li uid=10001:uid=10002,gid=10002,!gid=.\& 364Same as the previous example, but with the additional constraint that all 365current supplementary groups must be kept. 366.It Li uid=10001:uid=10002,gid=10002,+gid=.,-gid=10001 367Same as 368.Ql uid=10001:uid=10002,gid=10002,+gid=.\& 369above, but 10001 cannot be retained as a supplementary group. 370.It Li uid=10001:uid=10002,gid=10002,+gid=.,!gid=10003 371Same as 372.Ql uid=10001:uid=10002,gid=10002,+gid=.\& 373above, with the additional constraint that 10003 must appear in the 374supplementary groups. 375.It Li uid=10001:uid=10002,gid=*,+gid=* 376Same as the first example, but lifting any constraints on groups, allowing the 377process to become part of any groups it sees fit. 378.El 379.Pp 380Here are several examples of single rules matching processes having a real group 381ID of 10001: 382.Bl -tag -width indent 383.It Li gid=10001:uid=0 384Makes 10001 a more powerful 385.Ql wheel 386group, allowing its members to switch to root without password. 387.It Li gid=10001:gid=10002 388Allows the process to enter GID 10002 as a primary group, but only if 389giving up all its supplementary groups. 390.It Li security.mac.do.rules=gid=10001:gid=10002,+gid=.\& 391Same as the previous example, but allows to retain any current supplementary 392groups. 393.It Li gid=10001:gid=10002,!gid=.\& 394Same as the previous example, but with the additional constraint that all 395current supplementary groups must be kept. 396.El 397.Sh SEE ALSO 398.Xr mdo 1 , 399.Xr setcred 2 , 400.Xr mac 4 , 401.Xr jail 8 , 402.Xr sysctl 8 403.Sh AUTHORS 404.An Olivier Certner Aq Mt olce@FreeBSD.org 405.An Baptiste Daroussin Aq Mt bapt@FreeBSD.org 406.Sh BUGS 407Currently, 408.Nm 409considers only credentials transitions requested through the 410.Xr setcred 2 411system call. 412This system call was in large part created so that 413.Nm 414can see whole credentials transitions to decide whether to authorize them, which 415the traditional UNIX's piecewise approach of successively changing different 416parts of them cannot allow. 417.Pp 418However, calls to traditional or standard credentials-changing functions can be 419considered as full transitions on their own, however limited, and as such should 420be equally monitored by 421.Nm . 422Future work will lift this restriction. 423.Sh SECURITY CONSIDERATIONS 424The threat model for 425.Nm 426is to consider userland programs as generally untrustable to decide upon which 427credentials changes are acceptable. 428It is in contrast with the traditional UNIX way to change credentials, in which 429specialized programs are installed with the setuid bit, giving them full 430administrator privileges so that they are effectively able to establish new 431ones. 432Vulnerabilities in such credentials-changing programs can have catastrophic 433consequences on the integrity of the system. 434.Pp 435Consequently, 436.Nm 437does not rely on companion userland programs to decide whether some credentials 438transition is acceptable. 439Instead, it maintains its own configuration independently from the userland 440password and group databases. 441Establishing this configuration currently itself relies on userland programs 442issuing calls to 443.Xr sysctl 3 444or 445.Xr jail 2 . 446It should thus be established near system boot or jail start, before any 447possible attacks could happen on the system, and further measures should be 448taken to ensure that potential corruptions does not affect the configuration in 449subsequent restarts, such as re-establishing pristine state or ensuring that the 450boot procedure up to the configuration of 451.Nm 452can be trusted. 453