AsiaBSDCon 2026

mac_do(4), mdo(1) and setcred(2): Role-based credentials transitions without privileges
2026-03-22, Room B

In this talk, we present the mac_do(4) and mdo(1) FreeBSD components, which aim to support a role-based security model by allowing controlled process credential transitions, and do so without setuid executables, leveraging the mac(4) framework instead. We describe their architecture and illustrate what they offer in practice to administrators and users.

The mac_do(4) kernel module was introduced to allow unprivileged processes to change their credentials, provided the requested changes are explicitly allowed by rules set by an administrator. Its companion userland program, mdo(1), is used to request such credential changes.

Both components have undergone major changes that shipped in FreeBSD 15. First, thanks to a redesign of mac_do(4)'s rules, it is now possible to specify the full sets of user and group IDs that must be present or absent in the final credentials for a transition to be accepted. Second, mac_do(4)'s configuration is per jail, allowing a different set of rules for each jail as needed, or inheritance from the parent jail. This configuration can be tuned from both inside and outside the jail. Third, mdo(1), initially limited to changing the user and possibly switching to that user's groups, has gained the ability to fine-tune the target credentials' users and groups while retaining simplicity for the most common use cases.

We will describe how mac_do(4)'s credential rules work, what you can accomplish with the mdo(1) companion program in FreeBSD 15, and the changes that are in the works at the time of this writing. Some of them were developed as part of Google Summer of Code 2025, which also gave birth to the new mdo(1) features described above, and are in the process of being integrated, such as per-jail configurability of the "approved" companion programs for mac_do(4). More generally, additional logging, auditing and ease-of-use facilities are to come next. We will report on the progress of these new features.

We will also touch on some aspects of the implementation, notably why we needed to introduce the new setcred(2) system call, which allows all of a process's credentials to be changed in a single call, and, time permitting, those related to the use of some of FreeBSD's kernel subsystems (notably sysctl, jails and OSD).

Olivier has been continuously using FreeBSD on all his machines, and on those of some of the companies he worked with, since the end of 2004. During this time, he has grown a set of private customizations, including modifications to rc scripts and some kernel bits. After having worked for over 15 years in the CAD and finance sectors, he recently switched back to pure IT topics, and in particular operating system development. His main interests are centered around kernel development, with particular focus on power management, security, scheduling, file systems and jails. He is currently a contractor for the FreeBSD Foundation.