Re: git: bc201841d139 - main - mac_do(4): Revamp manual page after MAC/do updates

From: FreeBSD User <freebsd_at_walstatt-de.de>
Date: Mon, 23 Dec 2024 17:29:01 UTC
Am Mon, 23 Dec 2024 14:39:51 GMT
Olivier Certner <olce@FreeBSD.org> schrieb:

Module MAC_DO can not be compiled statically into the kernel. trying so on most recent
CURRENT, via

options MAC_DO

results in a 

unknown option "MAC_DO"

Kind regards,

oh

> The branch main has been updated by olce:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=bc201841d13928c2a088fb07ac0a010b36eafa13
> 
> commit bc201841d13928c2a088fb07ac0a010b36eafa13
> Author:     Olivier Certner <olce@FreeBSD.org>
> AuthorDate: 2024-12-19 21:13:12 +0000
> Commit:     Olivier Certner <olce@FreeBSD.org>
> CommitDate: 2024-12-23 14:39:35 +0000
> 
>     mac_do(4): Revamp manual page after MAC/do updates
>     
>     The new manual page in particular describes MAC/do's new rules syntax
>     and the jail support, as well as security considerations explaining the
>     overall design and how to leverage it in the most secure fashion.
>     
>     Reviewed by:    bapt, otis, Alexander Ziaee <concussious@runbox.com> (in part)
>     Sponsored by:   The FreeBSD Foundation
>     Differential Revision:  https://reviews.freebsd.org/D48153
> ---
>  share/man/man4/mac_do.4 | 460 +++++++++++++++++++++++++++++++++++++++++++-----
>  1 file changed, 417 insertions(+), 43 deletions(-)
> 
> diff --git a/share/man/man4/mac_do.4 b/share/man/man4/mac_do.4
> index aa84a71b4953..9a9f669cd51c 100644
> --- a/share/man/man4/mac_do.4
> +++ b/share/man/man4/mac_do.4
> @@ -1,38 +1,274 @@
>  .\"-
> +.\" SPDX-License-Identifier: BSD-2-Clause
> +.\"
>  .\" Copyright (c) 2024 Baptiste Daroussin <bapt@FreeBSD.org>
> +.\" Copyright (c) 2024 The FreeBSD Foundation
>  .\"
> -.\" SPDX-License-Identifier: BSD-2-Clause
> +.\" Portions of this documentation were written by Olivier Certner
> +.\" <olce@FreeBSD.org> at Kumacom SARL under sponsorship from the FreeBSD
> +.\" Foundation.
>  .\"
> -.Dd May 22, 2024
> +.Dd December 19, 2024
>  .Dt MAC_DO 4
>  .Os
>  .Sh NAME
>  .Nm mac_do
> -.Nd "policy allowing user to execute program as another user"
> +.Nd "policy allowing unprivileged users to change process credentials"
>  .Sh SYNOPSIS
>  To compile the
> -.Nm
> -policy into your kernel, place the following lines
> -in your kernel configruation file:
> +.Sy mac_do
> +policy into your kernel, place the following lines in your kernel configuration
> +file:
>  .Bd -ragged -offset indent
>  .Cd "options MAC"
>  .Cd "options MAC_DO"
>  .Ed
> +.Pp
> +Alternately, to load this policy module at boot time, place the following line
> +in your kernel configuration file:
> +.Bd -ragged -offset indent
> +.Cd "options MAC"
> +.Ed
> +.Pp
> +and in
> +.Xr loader.conf 5 :
> +.Bd -literal -offset indent
> +mac_do_load="YES"
> +.Ed
>  .Sh DESCRIPTION
>  The
>  .Nm
> -policy grants users the ability to run processs as other users
> -according to predefined rules.
> +policy module allows unprivileged users to change process credentials according
> +to rules configured by the administrator.
> +It supports per-jail configuration.
> +.Pp
> +Currently, the
> +.Nm
> +policy module only produces effects to processes spwaned from the
> +.Pa /usr/bin/mdo
> +executable, please see
> +.Xr mdo 1
> +for more details on this program.
> +.Sh CREDENTIALS RULES
> +Rules specify which transitions of process credentials
> +.Nm
> +will allow, based on current process credentials and the desired final ones.
> +They are passed by an administrator in the form of a string having the specific
> +syntax described below in a top-bottom manner.
> +They have been designed to be able to finely describe the desired target
> +credentials in a safe and compact way.
> +.Ss Top-Level List of Rules
> +At the top, rules are a possibly empty list of individual rules separated by
> +a semi-colon
> +.Pq Ql ";" :
> +.Dl Ao rules Ac \ ⟶\  Oo Ao rule Ac Oo So ";" Sc Ao rule Ac Oc Ns * Oc
> +They form a disjunction, i.e.,
> +.Nm
> +authorizes a credentials transition as soon as at least one rule in the list
> +matches.
>  .Pp
> -The exact set of kernel privileges granted are:
> -.Bl -inset -compact -offset indent
> -.It Dv PRIV_CRED_SETGROUPS
> -.It Dv PRIV_CRED_SETUID
> +One rule is composed of a
> +.Li Aq from
> +part
> +.Pq also called Dq match
> +and a
> +.Li Aq to
> +part
> +.Pq also called Dq target ,
> +in this order, separated by a colon
> +.Pq Ql ":" :
> +.Dl Ao rule Ac \ ⟶\  Ao from Ac So ":" Sc Ao to Ac
> +.Ss Rule's Ao from Ac Part
> +The first part of a rule,
> +.Li Aq from ,
> +is matched against the credentials of the process requesting some credentials
> +transition.
> +It has the form:
> +.Dl Ao from Ac \ ⟶\  Ao type Ac So = Sc Ao id Ac
> +.Pp
> +.Li Aq type
> +must be:
> +.Dl Ao type Ac \ ⟶\  Op So uid Sc | So gid Sc
> +i.e., one of the literal strings
> +.Ql uid
> +or
> +.Ql gid .
> +.Li Aq id
> +must be the numerical ID of a user or group, and is matched with the current
> +process real ID of the corresponding type.
> +.Ss Rule's Ao to Ac Part
> +The second part of a rule,
> +.Li Aq to ,
> +is a comma-separated
> +.Pq Ql ","
> +non-empty list of target clauses:
> +.Dl Ao to Ac \ ⟶\  Ao target_clause Ac Oo So "," Sc Ao target_clause Ac Oc Ns *
> +Target clauses of a given rule also form a disjunction, i.e., the IDs they
> +specify are alternatives for the target credentials, except in some cases
> +described below.
> +.Pp
> +The next subsections describe the syntax of target clauses, the defaults that
> +apply and the principle of non-redundancy and non-contradiction in each rule's
> +.Li Aq to
> +part.
> +.Ss Target Clauses
> +A target clause in a rule's
> +.Li Aq to
> +part must be of one of the following forms:
> +.Dl Ao target_clause Ac \ ⟶\  So any Sc
> +.Dl Ao target_clause Ac \ ⟶\  Ao flags Ac Ao type Ac So = Sc Ao id Ac
> +The first form is a compact way to specify that any target credentials are
> +allowed.
> +The second form is similar to that of
> +.Li Aq from
> +clauses, with the following extensions:
> +.Bl -bullet -compact
> +.It
> +.Li Aq id
> +may also be a literal
> +.Ql *
> +or
> +.Ql any
> +or
> +.Ql "." .
> +.Ql *
> +and
> +.Ql any
> +both designate any ID for the specified
> +.Li Aq type ,
> +and are treated identically.
> +.Ql "."
> +designates the process' current IDs for the specified
> +.Li Aq type ,
> +as explained below.
> +.It
> +.Li Aq flags
> +may contain at most one of the
> +.Ql + ,
> +.Ql -
> +and
> +.Ql "!"
> +characters, and may be non-empty only when
> +.Li Aq type
> +is
> +.Ql gid .
> +Additionally, if
> +.Li Aq id
> +is
> +.Ql *
> +or
> +.Ql any ,
> +only the
> +.Ql +
> +flag may appear.
> +.El
> +.Pp
> +For target clauses of
> +.Ql gid
> +type, an absence of flag indicates that the specified group ID is allowed as the
> +real, effective and/or saved group IDs
> +.Pq the Do primary Dc groups .
> +Conversely, the presence of any allowed flag indicates that the specification
> +concerns supplementary groups.
> +Each flag has a specific meaning:
> +.Bl -bullet -compact
> +.It
> +.Ql +
> +indicates that the group ID is allowed as a supplementary group.
> +.It
> +.Ql "!"
> +indicates that the group ID is mandatory, i.e., it must be listed in the
> +supplementary groups.
> +.It
> +.Ql -
> +indicates that the group ID must not be listed in the supplementary groups.
>  .El
> +A specification with
> +.Ql -
> +is only useful in conjunction with a
> +.Ql + Ns
> +-tagged specification where only one of them has
> +.Ql "."
> +as its
> +.Li Aq id .
> +Target clauses having the
> +.Ql "!"
> +or
> +.Ql -
> +flag are
> +.Dq forcing
> +clauses, and as such do not take part in the disjunction of the other
> +target clauses but rather unconditionally apply in their rule.
> +.Pp
> +.Ql "."
> +is a placeholder for IDs that the calling process already has on privilege
> +check.
> +For type
> +.Ql uid ,
> +it designates any of the process' real, effective or
> +saved user IDs.
> +For type
> +.Ql gid ,
> +its effect depends on whether flags are present.
> +If none is present, it designates any of the process' real, effective or saved
> +group IDs.
> +If one is present, it designates any of the process' supplementary groups.
> +.Ss Defaults for the Ao to Ac Part
> +If the
> +.Li Aq to
> +part does not list a target clause with type
> +.Ql uid ,
> +any of the current user IDs of the calling process is accepted.
> +In other words, in this case,
> +.Nm
> +behaves as if a target clause of:
> +.Dl uid=.
> +had been listed.
>  .Pp
> +Similarly, if the
> +.Li Aq to
> +part does not list a target clause with type
> +.Ql gid ,
> +all the groups of the calling process are assumed to be required.
> +More precisely, each of the desired real, effective and saved group IDs must be
> +one of the current real, effective or saved group ID, and all supplementary
> +groups must be the same as those that are current.
> +It is as if the
> +.Li Aq to
> +part had contained the following two clauses:
> +.Dl gid=.,!gid=.
> +.Ss Non-Redundancy and Non-Contradiction in a Ao to Ac Part
> +No two target clauses of a single rule may express the exact same logical intent
> +nor contradictory ones.
> +.Pp
> +In practice, no two clauses may display the same ID except for group IDs but
> +only if, each time the same ID appears, it does so with a different flag, or no
> +flags only once.
> +Additionally, the specified flags in multiple occurences must not be
> +contradictory.
> +For example, the same group ID appearing with both
> +.Ql +
> +and
> +.Ql -
> +will cause rejection of the rule.
> +.Ss Parsing Specifics
> +Any amount of whitespace is allowed around tokens of the above grammar, except
> +that there may be no spaces between
> +.Li Aq flags
> +and
> +.Li Aq id
> +in target clauses.
> +.Pp
> +For convenience, numerical IDs may be specified as negative integers, which are
> +then converted to unsigned ones as specified in the C standard for the
> +.Vt uid_t
> +and
> +.Vt gid_t
> +types, which are both 64-bit unsigned integers.
> +.Sh RUNTIME CONFIGURATION
>  The following
>  .Xr sysctl 8
> -MIBs are available:
> +knobs are available:
>  .Bl -tag -width indent
>  .It Va security.mac.do.enabled
>  Enable the
> @@ -40,39 +276,177 @@ Enable the
>  policy.
>  (Default: 1).
>  .It Va security.mac.do.rules
> -The set of rules.
> +The list of credential rules, whose syntax is described in the
> +.Sx CREDENTIALS RULES
> +section above.
> +This list is specific to each jail.
> +Please see the
> +.Sx JAIL SUPPORT
> +section below for more details on the interaction of
> +.Nm
> +with jails.
> +.It Va security.mac.do.print_parse_error
> +Logs a message on trying to set incorrect rules via the
> +.Va security.mac.do.rules
> +.Xr sysctl 8
> +knob.
>  .El
> +.Sh JAIL SUPPORT
> +.Nm
> +supports per-jail configuration of rules.
>  .Pp
> -The rules consist of a list of elements separated by
> -.So , Sc .
> -Each element is of the form
> -.Sm off
> -.Do
> -.Op Cm uid | Cm gid
> -.Li =
> -.Ar fid
> -.Li :
> -.Ar tid
> -.Dc
> -.Sm on .
> -Where
> -.Ar fid
> -is the uid or gid of the user or group the rule applies to, and
> -.Ar tid
> -is the uid of the targetted user.
> -Two special forms are accepted for
> -.Ar tid :
> -.Va any
> -or
> -.Va * ,
> -which allow to target any user.
> -.Sh EXAMPLES
> -The following rule:
> +By default, at creation, a new jail has no credentials rules, effectively
> +disabling
> +.Nm
> +for its processes.
>  .Pp
> -.Dl security.mac.do.rules=uid=1001:80,gid=0:any
> +The following jail parameters are defined:
> +.Bl -tag -width indent
> +.It Va mac.do
> +Possible values are:
> +.Bl -tag -width "'disable'" -compact
> +.It Ql enable
> +.Nm
> +will enforce specific credential rules in the jail.
> +The
> +.Va mac.do.rules
> +jail parameter must also be set in this case.
> +.It Ql disable
> +Disables
> +.Nm
> +in the jail.
> +Strictly equivalent to jail creation's default behavior and to setting the rules
> +to an empty string.
> +.It Ql inherit
> +The jail's credentials rules are inherited from the jail's parent
> +.Pq which may themselves have been inherited .
> +Modified rules propagate to all children jails configured for inheritance.
> +.El
> +.It Va mac.do.rules
> +The credentials rules for the jail.
> +It is always equal to the value that can be retrieved by the
> +.Xr sysctl 8
> +knob
> +.Va security.mac.do.rules
> +described in section
> +.Sx RUNTIME CONFIGURATION .
> +If set, and the jail parameter
> +.Va mac.do
> +is not so explicitly, the value of the latter will default to
> +.Ql disable
> +if empty, else to
> +.Ql enable .
> +.El
>  .Pp
> -means the user with the uid 1001 can execute processes as user with uid 80,
> -all the users which belongs to the group gid 0 can execute processes as any user.
> +Each jail must have
> +.Xr mdo 1
> +installed at path
> +.Pa /usr/bin/mdo ,
> +as this path is currently not configurable.
> +.Sh EXAMPLES
> +Here are several examples of single rules matching processes having a real user
> +ID of 10001:
> +.Bl -tag -width indent
> +.It Li uid=10001:uid=10002
> +Allows the process to switch any of its real, effective or saved user ID to
> +10002, but keeping the groups it is already in, and with the same
> +primary/supplementary groups split.
> +.It Li uid=10001:uid=10002,uid=10003
> +Same as the first example, but also allows to switch to UID 10003 instead of
> +10002.
> +.It Li uid=10001:uid=10002,gid=10002
> +Same as the first example, but the new primary groups must be set to 10002 and
> +no supplementary groups should be set.
> +.It Li uid=10001:uid=10002,gid=10002,+gid=.\&
> +Same as the previous example, but in addition allowing to retain any current
> +supplementary groups.
> +.It Li uid=10001:uid=10002,gid=10002,!gid=.\&
> +Same as the previous example, but with the additional constraint that all
> +current supplementary groups must be kept.
> +.It Li uid=10001:uid=10002,gid=10002,+gid=.,-gid=10001
> +Same as
> +.Ql uid=10001:uid=10002,gid=10002,+gid=.\&
> +above, but 10001 cannot be retained as a supplementary group.
> +.It Li uid=10001:uid=10002,gid=10002,+gid=.,!gid=10003
> +Same as
> +.Ql uid=10001:uid=10002,gid=10002,+gid=.\&
> +above, with the additional constraint that 10003 must appear in the
> +supplementary groups.
> +.It Li uid=10001:uid=10002,gid=*,+gid=*
> +Same as the first example, but lifting any constraints on groups, allowing the
> +process to become part of any groups it sees fit.
> +.El
> +.Pp
> +Here are several examples of single rules matching processes having a real group
> +ID of 10001:
> +.Bl -tag -width indent
> +.It Li gid=10001:uid=0
> +Makes 10001 a more powerful
> +.Ql wheel
> +group, allowing its members to switch to root without password.
> +.It Li gid=10001:gid=10002
> +Allows the process to enter GID 10002 as a primary group, but only if
> +giving up all its supplementary groups.
> +.It Li security.mac.do.rules=gid=10001:gid=10002,+gid=.\&
> +Same as the previous example, but allows to retain any current supplementary
> +groups.
> +.It Li gid=10001:gid=10002,!gid=.\&
> +Same as the previous example, but with the additional constraint that all
> +current supplementary groups must be kept.
> +.El
>  .Sh SEE ALSO
>  .Xr mdo 1 ,
> -.Xr mac 4
> +.Xr setcred 2 ,
> +.Xr mac 4 ,
> +.Xr jail 8 ,
> +.Xr sysctl 8
> +.Sh AUTHORS
> +.An Olivier Certner Aq Mt olce@FreeBSD.org
> +.An Baptiste Daroussin Aq Mt bapt@FreeBSD.org
> +.Sh BUGS
> +Currently,
> +.Nm
> +considers only credentials transitions requested through the
> +.Xr setcred 2
> +system call.
> +This system call was in large part created so that
> +.Nm
> +can see whole credentials transitions to decide whether to authorize them, which
> +the traditional UNIX's piecewise approach of successively changing different
> +parts of them cannot allow.
> +.Pp
> +However, calls to traditional or standard credentials-changing functions can be
> +considered as full transitions on their own, however limited, and as such should
> +be equally monitored by
> +.Nm .
> +Future work will lift this restriction.
> +.Sh SECURITY CONSIDERATIONS
> +The threat model for
> +.Nm
> +is to consider userland programs as generally untrustable to decide upon which
> +credentials changes are acceptable.
> +It is in contrast with the traditional UNIX way to change credentials, in which
> +specialized programs are installed with the setuid bit, giving them full
> +administrator privileges so that they are effectively able to establish new
> +ones.
> +Vulnerabilities in such credentials-changing programs can have catastrophic
> +consequences on the integrity of the system.
> +.Pp
> +Consequently,
> +.Nm
> +does not rely on companion userland programs to decide whether some credentials
> +transition is acceptable.
> +Instead, it maintains its own configuration independently from the userland
> +password and group databases.
> +Establishing this configuration currently itself relies on userland programs
> +issuing calls to
> +.Xr sysctl 3
> +or
> +.Xr jail 2 .
> +It should thus be established near system boot or jail start, before any
> +possible attacks could happen on the system, and further measures should be
> +taken to ensure that potential corruptions does not affect the configuration in
> +subsequent restarts, such as re-establishing pristine state or ensuring that the
> +boot procedure up to the configuration of
> +.Nm
> +can be trusted.
> 



-- 
O. Hartmann