xref: /freebsd/share/man/man4/mac_do.4 (revision b2d2a78ad80ec68d4a17f5aef97d21686cb1e29b)
1.\"-
2.\" SPDX-License-Identifier: BSD-2-Clause
3.\"
4.\" Copyright (c) 2024 Baptiste Daroussin <bapt@FreeBSD.org>
5.\" Copyright (c) 2024 The FreeBSD Foundation
6.\"
7.\" Portions of this documentation were written by Olivier Certner
8.\" <olce@FreeBSD.org> at Kumacom SARL under sponsorship from the FreeBSD
9.\" Foundation.
10.\"
11.Dd December 19, 2024
12.Dt MAC_DO 4
13.Os
14.Sh NAME
15.Nm mac_do
16.Nd "policy allowing unprivileged users to change process credentials"
17.Sh SYNOPSIS
18To compile the
19.Sy mac_do
20policy into your kernel, place the following lines in your kernel configuration
21file:
22.Bd -ragged -offset indent
23.Cd "options MAC"
24.Cd "options MAC_DO"
25.Ed
26.Pp
27Alternately, to load this policy module at boot time, place the following line
28in your kernel configuration file:
29.Bd -ragged -offset indent
30.Cd "options MAC"
31.Ed
32.Pp
33and in
34.Xr loader.conf 5 :
35.Bd -literal -offset indent
36mac_do_load="YES"
37.Ed
38.Sh DESCRIPTION
39The
40.Nm
41policy module allows unprivileged users to change process credentials according
42to rules configured by the administrator.
43It supports per-jail configuration.
44.Pp
45Currently, the
46.Nm
47policy module only produces effects to processes spwaned from the
48.Pa /usr/bin/mdo
49executable, please see
50.Xr mdo 1
51for more details on this program.
52.Sh CREDENTIALS RULES
53Rules specify which transitions of process credentials
54.Nm
55will allow, based on current process credentials and the desired final ones.
56They are passed by an administrator in the form of a string having the specific
57syntax described below in a top-bottom manner.
58They have been designed to be able to finely describe the desired target
59credentials in a safe and compact way.
60.Ss Top-Level List of Rules
61At the top, rules are a possibly empty list of individual rules separated by
62a semi-colon
63.Pq Ql ";" :
64.Dl Ao rules Ac \ ⟶\  Oo Ao rule Ac Oo So ";" Sc Ao rule Ac Oc Ns * Oc
65They form a disjunction, i.e.,
66.Nm
67authorizes a credentials transition as soon as at least one rule in the list
68matches.
69.Pp
70One rule is composed of a
71.Li Aq from
72part
73.Pq also called Dq match
74and a
75.Li Aq to
76part
77.Pq also called Dq target ,
78in this order, separated by a colon
79.Pq Ql ":" :
80.Dl Ao rule Ac \ ⟶\  Ao from Ac So ":" Sc Ao to Ac
81.Ss Rule's Ao from Ac Part
82The first part of a rule,
83.Li Aq from ,
84is matched against the credentials of the process requesting some credentials
85transition.
86It has the form:
87.Dl Ao from Ac \ ⟶\  Ao type Ac So = Sc Ao id Ac
88.Pp
89.Li Aq type
90must be:
91.Dl Ao type Ac \ ⟶\  Op So uid Sc | So gid Sc
92i.e., one of the literal strings
93.Ql uid
94or
95.Ql gid .
96.Li Aq id
97must be the numerical ID of a user or group, and is matched with the current
98process real ID of the corresponding type.
99.Ss Rule's Ao to Ac Part
100The second part of a rule,
101.Li Aq to ,
102is a comma-separated
103.Pq Ql ","
104non-empty list of target clauses:
105.Dl Ao to Ac \ ⟶\  Ao target_clause Ac Oo So "," Sc Ao target_clause Ac Oc Ns *
106Target clauses of a given rule also form a disjunction, i.e., the IDs they
107specify are alternatives for the target credentials, except in some cases
108described below.
109.Pp
110The next subsections describe the syntax of target clauses, the defaults that
111apply and the principle of non-redundancy and non-contradiction in each rule's
112.Li Aq to
113part.
114.Ss Target Clauses
115A target clause in a rule's
116.Li Aq to
117part must be of one of the following forms:
118.Dl Ao target_clause Ac \ ⟶\  So any Sc
119.Dl Ao target_clause Ac \ ⟶\  Ao flags Ac Ao type Ac So = Sc Ao id Ac
120The first form is a compact way to specify that any target credentials are
121allowed.
122The second form is similar to that of
123.Li Aq from
124clauses, with the following extensions:
125.Bl -bullet -compact
126.It
127.Li Aq id
128may also be a literal
129.Ql *
130or
131.Ql any
132or
133.Ql "." .
134.Ql *
135and
136.Ql any
137both designate any ID for the specified
138.Li Aq type ,
139and are treated identically.
140.Ql "."
141designates the process' current IDs for the specified
142.Li Aq type ,
143as explained below.
144.It
145.Li Aq flags
146may contain at most one of the
147.Ql + ,
148.Ql -
149and
150.Ql "!"
151characters, and may be non-empty only when
152.Li Aq type
153is
154.Ql gid .
155Additionally, if
156.Li Aq id
157is
158.Ql *
159or
160.Ql any ,
161only the
162.Ql +
163flag may appear.
164.El
165.Pp
166For target clauses of
167.Ql gid
168type, an absence of flag indicates that the specified group ID is allowed as the
169real, effective and/or saved group IDs
170.Pq the Do primary Dc groups .
171Conversely, the presence of any allowed flag indicates that the specification
172concerns supplementary groups.
173Each flag has a specific meaning:
174.Bl -bullet -compact
175.It
176.Ql +
177indicates that the group ID is allowed as a supplementary group.
178.It
179.Ql "!"
180indicates that the group ID is mandatory, i.e., it must be listed in the
181supplementary groups.
182.It
183.Ql -
184indicates that the group ID must not be listed in the supplementary groups.
185.El
186A specification with
187.Ql -
188is only useful in conjunction with a
189.Ql + Ns
190-tagged specification where only one of them has
191.Ql "."
192as its
193.Li Aq id .
194Target clauses having the
195.Ql "!"
196or
197.Ql -
198flag are
199.Dq forcing
200clauses, and as such do not take part in the disjunction of the other
201target clauses but rather unconditionally apply in their rule.
202.Pp
203.Ql "."
204is a placeholder for IDs that the calling process already has on privilege
205check.
206For type
207.Ql uid ,
208it designates any of the process' real, effective or
209saved user IDs.
210For type
211.Ql gid ,
212its effect depends on whether flags are present.
213If none is present, it designates any of the process' real, effective or saved
214group IDs.
215If one is present, it designates any of the process' supplementary groups.
216.Ss Defaults for the Ao to Ac Part
217If the
218.Li Aq to
219part does not list a target clause with type
220.Ql uid ,
221any of the current user IDs of the calling process is accepted.
222In other words, in this case,
223.Nm
224behaves as if a target clause of:
225.Dl uid=.
226had been listed.
227.Pp
228Similarly, if the
229.Li Aq to
230part does not list a target clause with type
231.Ql gid ,
232all the groups of the calling process are assumed to be required.
233More precisely, each of the desired real, effective and saved group IDs must be
234one of the current real, effective or saved group ID, and all supplementary
235groups must be the same as those that are current.
236It is as if the
237.Li Aq to
238part had contained the following two clauses:
239.Dl gid=.,!gid=.
240.Ss Non-Redundancy and Non-Contradiction in a Ao to Ac Part
241No two target clauses of a single rule may express the exact same logical intent
242nor contradictory ones.
243.Pp
244In practice, no two clauses may display the same ID except for group IDs but
245only if, each time the same ID appears, it does so with a different flag, or no
246flags only once.
247Additionally, the specified flags in multiple occurences must not be
248contradictory.
249For example, the same group ID appearing with both
250.Ql +
251and
252.Ql -
253will cause rejection of the rule.
254.Ss Parsing Specifics
255Any amount of whitespace is allowed around tokens of the above grammar, except
256that there may be no spaces between
257.Li Aq flags
258and
259.Li Aq id
260in target clauses.
261.Pp
262For convenience, numerical IDs may be specified as negative integers, which are
263then converted to unsigned ones as specified in the C standard for the
264.Vt uid_t
265and
266.Vt gid_t
267types, which are both 64-bit unsigned integers.
268.Sh RUNTIME CONFIGURATION
269The following
270.Xr sysctl 8
271knobs are available:
272.Bl -tag -width indent
273.It Va security.mac.do.enabled
274Enable the
275.Nm
276policy.
277(Default: 1).
278.It Va security.mac.do.rules
279The list of credential rules, whose syntax is described in the
280.Sx CREDENTIALS RULES
281section above.
282This list is specific to each jail.
283Please see the
284.Sx JAIL SUPPORT
285section below for more details on the interaction of
286.Nm
287with jails.
288.It Va security.mac.do.print_parse_error
289Logs a message on trying to set incorrect rules via the
290.Va security.mac.do.rules
291.Xr sysctl 8
292knob.
293.El
294.Sh JAIL SUPPORT
295.Nm
296supports per-jail configuration of rules.
297.Pp
298By default, at creation, a new jail has no credentials rules, effectively
299disabling
300.Nm
301for its processes.
302.Pp
303The following jail parameters are defined:
304.Bl -tag -width indent
305.It Va mac.do
306Possible values are:
307.Bl -tag -width "'disable'" -compact
308.It Ql enable
309.Nm
310will enforce specific credential rules in the jail.
311The
312.Va mac.do.rules
313jail parameter must also be set in this case.
314.It Ql disable
315Disables
316.Nm
317in the jail.
318Strictly equivalent to jail creation's default behavior and to setting the rules
319to an empty string.
320.It Ql inherit
321The jail's credentials rules are inherited from the jail's parent
322.Pq which may themselves have been inherited .
323Modified rules propagate to all children jails configured for inheritance.
324.El
325.It Va mac.do.rules
326The credentials rules for the jail.
327It is always equal to the value that can be retrieved by the
328.Xr sysctl 8
329knob
330.Va security.mac.do.rules
331described in section
332.Sx RUNTIME CONFIGURATION .
333If set, and the jail parameter
334.Va mac.do
335is not so explicitly, the value of the latter will default to
336.Ql disable
337if empty, else to
338.Ql enable .
339.El
340.Pp
341Each jail must have
342.Xr mdo 1
343installed at path
344.Pa /usr/bin/mdo ,
345as this path is currently not configurable.
346.Sh EXAMPLES
347Here are several examples of single rules matching processes having a real user
348ID of 10001:
349.Bl -tag -width indent
350.It Li uid=10001:uid=10002
351Allows the process to switch any of its real, effective or saved user ID to
35210002, but keeping the groups it is already in, and with the same
353primary/supplementary groups split.
354.It Li uid=10001:uid=10002,uid=10003
355Same as the first example, but also allows to switch to UID 10003 instead of
35610002.
357.It Li uid=10001:uid=10002,gid=10002
358Same as the first example, but the new primary groups must be set to 10002 and
359no supplementary groups should be set.
360.It Li uid=10001:uid=10002,gid=10002,+gid=.\&
361Same as the previous example, but in addition allowing to retain any current
362supplementary groups.
363.It Li uid=10001:uid=10002,gid=10002,!gid=.\&
364Same as the previous example, but with the additional constraint that all
365current supplementary groups must be kept.
366.It Li uid=10001:uid=10002,gid=10002,+gid=.,-gid=10001
367Same as
368.Ql uid=10001:uid=10002,gid=10002,+gid=.\&
369above, but 10001 cannot be retained as a supplementary group.
370.It Li uid=10001:uid=10002,gid=10002,+gid=.,!gid=10003
371Same as
372.Ql uid=10001:uid=10002,gid=10002,+gid=.\&
373above, with the additional constraint that 10003 must appear in the
374supplementary groups.
375.It Li uid=10001:uid=10002,gid=*,+gid=*
376Same as the first example, but lifting any constraints on groups, allowing the
377process to become part of any groups it sees fit.
378.El
379.Pp
380Here are several examples of single rules matching processes having a real group
381ID of 10001:
382.Bl -tag -width indent
383.It Li gid=10001:uid=0
384Makes 10001 a more powerful
385.Ql wheel
386group, allowing its members to switch to root without password.
387.It Li gid=10001:gid=10002
388Allows the process to enter GID 10002 as a primary group, but only if
389giving up all its supplementary groups.
390.It Li security.mac.do.rules=gid=10001:gid=10002,+gid=.\&
391Same as the previous example, but allows to retain any current supplementary
392groups.
393.It Li gid=10001:gid=10002,!gid=.\&
394Same as the previous example, but with the additional constraint that all
395current supplementary groups must be kept.
396.El
397.Sh SEE ALSO
398.Xr mdo 1 ,
399.Xr setcred 2 ,
400.Xr mac 4 ,
401.Xr jail 8 ,
402.Xr sysctl 8
403.Sh AUTHORS
404.An Olivier Certner Aq Mt olce@FreeBSD.org
405.An Baptiste Daroussin Aq Mt bapt@FreeBSD.org
406.Sh BUGS
407Currently,
408.Nm
409considers only credentials transitions requested through the
410.Xr setcred 2
411system call.
412This system call was in large part created so that
413.Nm
414can see whole credentials transitions to decide whether to authorize them, which
415the traditional UNIX's piecewise approach of successively changing different
416parts of them cannot allow.
417.Pp
418However, calls to traditional or standard credentials-changing functions can be
419considered as full transitions on their own, however limited, and as such should
420be equally monitored by
421.Nm .
422Future work will lift this restriction.
423.Sh SECURITY CONSIDERATIONS
424The threat model for
425.Nm
426is to consider userland programs as generally untrustable to decide upon which
427credentials changes are acceptable.
428It is in contrast with the traditional UNIX way to change credentials, in which
429specialized programs are installed with the setuid bit, giving them full
430administrator privileges so that they are effectively able to establish new
431ones.
432Vulnerabilities in such credentials-changing programs can have catastrophic
433consequences on the integrity of the system.
434.Pp
435Consequently,
436.Nm
437does not rely on companion userland programs to decide whether some credentials
438transition is acceptable.
439Instead, it maintains its own configuration independently from the userland
440password and group databases.
441Establishing this configuration currently itself relies on userland programs
442issuing calls to
443.Xr sysctl 3
444or
445.Xr jail 2 .
446It should thus be established near system boot or jail start, before any
447possible attacks could happen on the system, and further measures should be
448taken to ensure that potential corruptions does not affect the configuration in
449subsequent restarts, such as re-establishing pristine state or ensuring that the
450boot procedure up to the configuration of
451.Nm
452can be trusted.
453