diff --git a/share/man/man4/mac_do.4 b/share/man/man4/mac_do.4
--- a/share/man/man4/mac_do.4
+++ b/share/man/man4/mac_do.4
@@ -3,17 +3,15 @@
 .\"
 .\" SPDX-License-Identifier: BSD-2-Clause
 .\"
-.Dd May 22, 2024
+.Dd December 17, 2024
 .Dt MAC_DO 4
 .Os
 .Sh NAME
 .Nm mac_do
 .Nd "policy allowing user to execute program as another user"
 .Sh SYNOPSIS
-To compile the
-.Nm
-policy into your kernel, place the following lines
-in your kernel configruation file:
+To compile the mac_do policy into your kernel,
+place the following lines in your kernel configruation file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Cd "options MAC_DO"
@@ -41,6 +39,11 @@
 (Default: 1).
 .It Va security.mac.do.rules
 The set of rules.
+.It Va security.mac.do.verbose
+Print
+.Nm
+activity (most likely into log).
+(Default: 0).
 .El
 .Pp
 The rules consist of a list of elements separated by
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -45,6 +45,10 @@
 &print_parse_error, 0, "Print parse errors on setting rules "
 "(via sysctl(8)).");
 
+static int do_verbose = 0;
+SYSCTL_INT(_security_mac_do, OID_AUTO, verbose, CTLFLAG_RWTUN,
+ &do_verbose, 0, "Log mac_do invocations");
+
 static MALLOC_DEFINE(M_DO, "do_rule", "Rules for mac_do");
 
 #define MAC_RULE_STRING_LEN 1024
@@ -1936,6 +1940,8 @@
 const struct rule *rule;
 u_int setcred_flags;
 int error;
+ char *rbuf;
+ char *frbuf = NULL;
 
 /* Bail out fast if we aren't concerned. */
 if (priv != PRIV_CRED_SETCRED)
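Review bot: The two new locals `char *rbuf;` and `char *frbuf = NULL;` are declared at function scope although they are only used inside the `if (do_verbose)` block, and `rbuf` is left uninitialized there. Declaring them at the point of use, `char *rbuf, *frbuf = NULL;` as the first line of the verbose block, narrows their lifetime, makes the ownership of the `frbuf` allocation obvious to a reader, and removes any chance of a later change reading `rbuf` before it is assigned. The enclosing function begins before this hunk, so its signature and earlier locals are not visible here.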
@@ -1974,6 +1980,20 @@
 error = EPERM;
 STAILQ_FOREACH(rule, &rules->head, r_entries)
 if (rule_applies(rule, cred)) {
+ if (do_verbose) {
+ error = vn_fullpath_global(curthread->td_proc->p_textvp, &rbuf, &frbuf);
+ if (error != 0)
+ rbuf = curthread->td_proc->p_binname;
+
+ printf("MAC/do: switching UID %u to %u, GID %u to %u for %s (pid %u)\n",
+ cred->cr_uid, new_cred->cr_uid,
+ cred->cr_gid, new_cred->cr_gid,
+ rbuf,
+ curthread->td_proc->p_pid);
+ if (frbuf != NULL)
+ free(frbuf, M_TEMP);
+ }
+
 error = rule_grant_setcred(rule, cred, new_cred);
 if (error != EPERM)
 break;
@@ -1991,7 +2011,7 @@
 /*
 * Only grant privileges if requested by the right executable.
 *
- * XXXOC: We may want to base this check on a tunable path and/or
+ * XXX: We may want to base this check on a tunable path and/or
 * a specific MAC label. Going even further, e.g., envisioning to
 * completely replace the path check with the latter, we would need to
 * install FreeBSD on a FS with multilabel enabled by default, which in
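Review bot: The "switching UID %u to %u" line is printed before `rule_grant_setcred()` has decided anything, so a request that the rule then refuses (the loop keeps going on EPERM) is still logged as a completed credential switch, which is exactly the wrong thing for an audit trail from a privilege-granting policy. Moving the printf after the grant and including the outcome (`error == 0 ? "granted" : "denied"` and the errno) makes each log line a statement of fact; this assumes `rule_grant_setcred()` does not alter the `cred`/`new_cred` fields being printed, which is worth confirming. Two smaller points in the same block: the status of `vn_fullpath_global()` is stored in `error`, the function's own return variable, and is only harmless because the next statement overwrites it, so a dedicated test avoids a latent early-return bug; and `p_pid` is a `pid_t` (signed), so `(pid %u)` should be `(pid %d)`. Since any process matching a rule can trigger this unconditionally, a `ppsratecheck()` guard would also keep a misbehaving caller from flooding the console, though that may be overkill for a tunable that defaults to off. The `if (rule_applies(...)) {` block is closed outside this hunk.

```c
		if (rule_applies(rule, cred)) {
			error = rule_grant_setcred(rule, cred, new_cred);
			if (do_verbose) {
				char *rbuf, *frbuf = NULL;

				if (vn_fullpath_global(curthread->td_proc->p_textvp,
				    &rbuf, &frbuf) != 0)
					rbuf = curthread->td_proc->p_binname;
				printf("MAC/do: %s switching UID %u to %u, "
				    "GID %u to %u for %s (pid %d), error %d\n",
				    error == 0 ? "granted" : "denied",
				    cred->cr_uid, new_cred->cr_uid,
				    cred->cr_gid, new_cred->cr_gid,
				    rbuf, curthread->td_proc->p_pid, error);
				if (frbuf != NULL)
					free(frbuf, M_TEMP);
			}
			/* … unchanged: break on a decisive (non-EPERM) result … */
```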