
D48129.diff

D48129.diff

diff --git a/share/man/man4/mac_do.4 b/share/man/man4/mac_do.4
--- a/share/man/man4/mac_do.4
+++ b/share/man/man4/mac_do.4
@@ -3,17 +3,15 @@
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
-.Dd May 22, 2024
+.Dd December 17, 2024
.Dt MAC_DO 4
.Os
.Sh NAME
.Nm mac_do
.Nd "policy allowing user to execute program as another user"
.Sh SYNOPSIS
-To compile the
-.Nm
-policy into your kernel, place the following lines
-in your kernel configruation file:
+To compile the mac_do policy into your kernel,
+place the following lines in your kernel configruation file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Cd "options MAC_DO"
@@ -41,6 +39,11 @@
(Default: 1).
.It Va security.mac.do.rules
The set of rules.
+.It Va security.mac.do.verbose
+Print
+.Nm
+activity (most likely into log).
+(Default: 0).
.El
.Pp
The rules consist of a list of elements separated by
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -45,6 +45,10 @@
&print_parse_error, 0, "Print parse errors on setting rules "
"(via sysctl(8)).");
+static int do_verbose = 0;
+SYSCTL_INT(_security_mac_do, OID_AUTO, verbose, CTLFLAG_RWTUN,
+ &do_verbose, 0, "Log mac_do invocations");
+
static MALLOC_DEFINE(M_DO, "do_rule", "Rules for mac_do");
#define MAC_RULE_STRING_LEN 1024
@@ -1936,6 +1940,8 @@
const struct rule *rule;
u_int setcred_flags;
int error;
+ char *rbuf;
+ char *frbuf = NULL;
/* Bail out fast if we aren't concerned. */
if (priv != PRIV_CRED_SETCRED)
@@ -1974,6 +1980,20 @@
error = EPERM;
STAILQ_FOREACH(rule, &rules->head, r_entries)
if (rule_applies(rule, cred)) {
+ if (do_verbose) {
+ error = vn_fullpath_global(curthread->td_proc->p_textvp, &rbuf, &frbuf);
+ if (error != 0)
+ rbuf = curthread->td_proc->p_binname;
+
+ printf("MAC/do: switching UID %u to %u, GID %u to %u for %s (pid %u)\n",
+ cred->cr_uid, new_cred->cr_uid,
+ cred->cr_gid, new_cred->cr_gid,
+ rbuf,
+ curthread->td_proc->p_pid);
+ if (frbuf != NULL)
+ free(frbuf, M_TEMP);
+ }
+
error = rule_grant_setcred(rule, cred, new_cred);
if (error != EPERM)
break;
@@ -1991,7 +2011,7 @@
/*
* Only grant privileges if requested by the right executable.
*
- * XXXOC: We may want to base this check on a tunable path and/or
+ * XXX: We may want to base this check on a tunable path and/or
* a specific MAC label. Going even further, e.g., envisioning to
* completely replace the path check with the latter, we would need to
* install FreeBSD on a FS with multilabel enabled by default, which in
