xref: /freebsd/share/man/man4/mac_do.4 (revision bd66c1b43e33540205dbc1187c2f2a15c58b57ba)
1.\"-
2.\" Copyright (c) 2024 Baptiste Daroussin <bapt@FreeBSD.org>
3.\"
4.\" SPDX-License-Identifier: BSD-2-Clause
5.\"
6.Dd May 22, 2024
7.Dt MAC_DO 4
8.Os
9.Sh NAME
10.Nm mac_do
11.Nd "policy allowing user to execute program as another user"
12.Sh SYNOPSIS
13To compile the
14.Nm
15policy into your kernel, place the following lines
16in your kernel configruation file:
17.Bd -ragged -offset indent
18.Cd "options MAC"
19.Cd "options MAC_DO"
20.Ed
21.Sh DESCRIPTION
22The
23.Nm
24policy grants users the ability to run processs as other users
25according to predefined rules.
26.Pp
27The exact set of kernel privileges granted are:
28.Bl -inset -compact -offset indent
29.It Dv PRIV_CRED_SETGROUPS
30.It Dv PRIV_CRED_SETUID
31.El
32.Pp
33The following
34.Xr sysctl 8
35MIBs are available:
36.Bl -tag -width indent
37.It Va security.mac.do.enabled
38Enable the
39.Nm
40policy.
41(Default: 1).
42.It Va security.mac.do.rules
43The set of rules.
44.El
45.Pp
46The rules consist of a list of elements separated by
47.So , Sc .
48Each element is of the form
49.Sm off
50.Do
51.Op Cm uid | Cm gid
52.Li =
53.Ar fid
54.Li :
55.Ar tid
56.Dc
57.Sm on .
58Where
59.Ar fid
60is the uid or gid of the user or group the rule applies to, and
61.Ar tid
62is the uid of the targetted user.
63Two special forms are accepted for
64.Ar tid :
65.Va any
66or
67.Va * ,
68which allow to target any user.
69.Sh EXAMPLES
70The following rule:
71.Pp
72.Dl security.mac.do.rules=uid=1001:80,gid=0:any
73.Pp
74means the user with the uid 1001 can execute processes as user with uid 80,
75all the users which belongs to the group gid 0 can execute processes as any user.
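The rule grammar described above, worked through as an added example that is not the
mac_do(4) module's own code: a small C parser and evaluator for strings in the
security.mac.do.rules syntax, which lets an administrator validate a rule set and
check what it permits before handing it to sysctl(8). The function names
(parse_rules, rules_allow, check), the gid matching semantics (a gid rule applies to a
process that is a member of that group) and the decision to reject the whole set when any
element is malformed are assumptions made for the illustration, not documented behavior
of the kernel policy.

```c
/* Added example, not the mac_do kernel module's own code: a parser and
 * evaluator for rule strings in the syntax this page documents,
 * "uid=<fid>:<tid>,gid=<fid>:<tid>,...". Assumed semantics: a uid rule
 * matches the process uid, a gid rule matches any group the process is in,
 * and a tid of "any" or "*" matches every target uid. */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RULES 32

struct rule {
	int is_gid;        /* 0: uid=..., 1: gid=... */
	unsigned long fid; /* uid or gid the rule applies to */
	unsigned long tid; /* target uid; unused when tid_any is set */
	int tid_any;       /* tid was "any" or "*" */
};

/* Parse a non-negative decimal id; reject empty input and trailing junk. */
static int parse_id(const char *s, unsigned long *out) {
	char *end;
	if (!isdigit((unsigned char)*s))
		return (-1);
	errno = 0;
	*out = strtoul(s, &end, 10);
	return ((errno != 0 || *end != '\0') ? -1 : 0);
}

/* Parse one "uid=fid:tid" or "gid=fid:tid" element; buf is modified. */
static int parse_element(char *buf, struct rule *r) {
	char *val, *tid;
	if ((val = strchr(buf, '=')) == NULL)
		return (-1);
	*val++ = '\0';
	if (strcmp(buf, "uid") == 0)
		r->is_gid = 0;
	else if (strcmp(buf, "gid") == 0)
		r->is_gid = 1;
	else
		return (-1);
	if ((tid = strchr(val, ':')) == NULL)
		return (-1);
	*tid++ = '\0';
	if (parse_id(val, &r->fid) != 0)
		return (-1);
	r->tid_any = (strcmp(tid, "any") == 0 || strcmp(tid, "*") == 0);
	r->tid = 0;
	return (r->tid_any ? 0 : parse_id(tid, &r->tid));
}

/* Split a comma-separated rule list; returns the rule count, or -1 if any
 * element is malformed so that a bad set is rejected as a whole. An empty
 * string is an empty rule set (assumption for this example). */
int parse_rules(const char *spec, struct rule *rules, int max) {
	char buf[512], *tok, *next;
	int n = 0;
	if (*spec == '\0')
		return (0);
	if (strlen(spec) >= sizeof(buf))
		return (-1);
	strcpy(buf, spec);
	for (tok = buf; tok != NULL; tok = next) {
		if ((next = strchr(tok, ',')) != NULL)
			*next++ = '\0';
		if (n >= max || parse_element(tok, &rules[n]) != 0)
			return (-1);
		n++;
	}
	return (n);
}

/* Return 1 if a process with uid and these groups may run as target. */
int rules_allow(const struct rule *rules, int n, unsigned long uid,
    const unsigned long *gids, int ngids, unsigned long target) {
	int i, g, subject;
	for (i = 0; i < n; i++) {
		subject = 0;
		if (!rules[i].is_gid)
			subject = (rules[i].fid == uid);
		else
			for (g = 0; g < ngids; g++)
				if (gids[g] == rules[i].fid)
					subject = 1;
		if (subject && (rules[i].tid_any || rules[i].tid == target))
			return (1);
	}
	return (0);
}

/* Parse spec and evaluate one subject that has a single group; returns -1
 * when the rule string itself is malformed. */
int check(const char *spec, unsigned long uid, unsigned long gid,
    unsigned long target) {
	struct rule rules[MAX_RULES];
	int n = parse_rules(spec, rules, MAX_RULES);
	return (n < 0 ? -1 : rules_allow(rules, n, uid, &gid, 1, target));
}
```

With the rule from this section, check("uid=1001:80,gid=0:any", 1001, 20, 80) returns 1,
the same subject asking for uid 0 gets 0, and a member of gid 0 gets 1 for any target;
a malformed element such as "uid=abc:80" makes check return -1 rather than silently
matching nothing.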
76.Sh SEE ALSO
77.Xr mdo 1 ,
78.Xr mac 4
79