• SummerOfCode2025Projects
• MacDoAndMDoImprovements

mac_do(4) and mdo(1) improvements

• Student: KushagraSrivastava (thesynthax@freebsd.org)

• Mentor: OlivierCertner (olce@freebsd.org)

Project summary

This project extended the kernel MAC/do policy and the userland mdo(1) helper to make credential transitions safer, more flexible, and easier to manage. Major outcomes are:

• Per-jail configurable allowed executable paths (instead of a hard-coded /usr/bin/mdo).
• Granular group-management features and --print-rule mode in mdo(1).
• Kernel support to treat traditional credential syscalls (setuid/setgid/etc.) as mac_do(4) transitions where appropriate.
• Tests, documentation and manpage updates to reflect the changes.

Deliverables

mac_do(4) enhancements:

1. Per-Jail Configurable Authorized Executables

2. Support for Traditional Credential Syscalls

mdo(1) enhancements:

1. Enabling ability to specify target/supplementary groups

2. Print rule: output mac_do(4) rule string corresponding to requested transition

Milestones

• June 2nd - July 13th: Phase 1 (Pre-mid term)
  • Allowed Path Config Implementation in mac_do(4)
  • Jail Integration in mac_do(4)
• June 14th - June 18th: Mid-term Evaluations
• July 19th - August 30th: Phase 2 (Post-mid term)
  • Extending mdo(1) for new flags
  • Print-rule implementation in mdo(1)
  • Traditional Syscalls implementation in mac_do(4)
• August 31st: End of coding

The Code

• PR #2 - mac_do(4) exec_paths task

• PR #3 - mdo(1) extensive options / --print-rule

• PR #5 - mac_do(4) traditional syscalls

• PR #6 - ATF/Kyua tests for mdo(1) and mac_do(4)

• PR #7 - Man page updates for mdo(1) and mac_do(4)

• My fork

Merged:

• mdo(1) code

Details can be found here: https://thesynthax.hashnode.dev/my-google-summer-of-code-journey-part-3

CategoryGsoc