mac_do: gid rule fails
Date: Wed, 10 Jul 2024 23:22:00 UTC
I noticed that mac_do(4) and mdo(1) were recently added to 14-STABLE and decided to give them a try.

A UID-based rule works:

$ sysctl security.mac.do
security.mac.do.rules: uid=1000:any
security.mac.do.enabled: 1
$ id -u
1000
$ mdo id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

However, a GID rule fails:

$ sysctl security.mac.do.rules
security.mac.do.rules: gid=1000:any
$ id -g
1000
$ mdo id
mdo: failed to call setuid: Operation not permitted

Is that a misunderstanding on my part, am I doing something wrong, or is there a bug?

14.1-STABLE as of e729e750806d3873d5de24cce3b47cc054145985.

--
Christian "naddy" Weisgerber naddy@mips.inka.de