The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=f01d26dec67fb6597438ed765269b85d1099a6fa

commit f01d26dec67fb6597438ed765269b85d1099a6fa
Author:     Olivier Certner <o...@freebsd.org>
AuthorDate: 2025-04-01 17:06:17 +0000
Commit:     Olivier Certner <o...@freebsd.org>
CommitDate: 2025-04-02 16:26:38 +0000

    MAC/do: Rules: <from> and <to> parts now to be separated by '>'
    
    Previously, we would accept only ':' as the separator, which makes
    parsing of the rule specification harder for humans, especially those
    people that are used to UNIX systems where ':' is used as the separator
    in PATH.  With ':', the <from> and <to> parts can look like two
    different elements that are unrelated, especially to these eyes.
    
    Change parse_single_rule() so that '>' is also accepted as a separator
    between <from> and <to>, and promote it as the one to use.  During
    a transition period, we will still allow the use of ':' for backwards
    compatibility.
    
    The manual page update comes from separate revision D49628.  ':' has
    been completely removed from it on purpose.
    
    Reviewed by:    bapt, manpages (ziaee)
    MFC after:      5 days
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D49627
---
 share/man/man4/mac_do.4      | 34 +++++++++++++++++-----------------
 sys/security/mac_do/mac_do.c | 11 ++++++-----
 2 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/share/man/man4/mac_do.4 b/share/man/man4/mac_do.4
index 9a9f669cd51c..4c067205225c 100644
--- a/share/man/man4/mac_do.4
+++ b/share/man/man4/mac_do.4
@@ -75,9 +75,9 @@ and a
 .Li Aq to
 part
 .Pq also called Dq target ,
-in this order, separated by a colon
-.Pq Ql ":" :
-.Dl Ao rule Ac \ ⟶\  Ao from Ac So ":" Sc Ao to Ac
+in this order, separated by a greater-than sign
+.Pq Ql > :
+.Dl Ao rule Ac \ ⟶\  Ao from Ac So > Sc Ao to Ac
 .Ss Rule's Ao from Ac Part
 The first part of a rule,
 .Li Aq from ,
@@ -347,32 +347,32 @@ as this path is currently not configurable.
 Here are several examples of single rules matching processes having a real user
 ID of 10001:
 .Bl -tag -width indent
-.It Li uid=10001:uid=10002
+.It Li uid=10001>uid=10002
 Allows the process to switch any of its real, effective or saved user ID to
 10002, but keeping the groups it is already in, and with the same
 primary/supplementary groups split.
-.It Li uid=10001:uid=10002,uid=10003
+.It Li uid=10001>uid=10002,uid=10003
 Same as the first example, but also allows to switch to UID 10003 instead of
 10002.
-.It Li uid=10001:uid=10002,gid=10002
+.It Li uid=10001>uid=10002,gid=10002
 Same as the first example, but the new primary groups must be set to 10002 and
 no supplementary groups should be set.
-.It Li uid=10001:uid=10002,gid=10002,+gid=.\&
+.It Li uid=10001>uid=10002,gid=10002,+gid=.\&
 Same as the previous example, but in addition allowing to retain any current
 supplementary groups.
-.It Li uid=10001:uid=10002,gid=10002,!gid=.\&
+.It Li uid=10001>uid=10002,gid=10002,!gid=.\&
 Same as the previous example, but with the additional constraint that all
 current supplementary groups must be kept.
-.It Li uid=10001:uid=10002,gid=10002,+gid=.,-gid=10001
+.It Li uid=10001>uid=10002,gid=10002,+gid=.,-gid=10001
 Same as
-.Ql uid=10001:uid=10002,gid=10002,+gid=.\&
+.Ql uid=10001>uid=10002,gid=10002,+gid=.\&
 above, but 10001 cannot be retained as a supplementary group.
-.It Li uid=10001:uid=10002,gid=10002,+gid=.,!gid=10003
+.It Li uid=10001>uid=10002,gid=10002,+gid=.,!gid=10003
 Same as
-.Ql uid=10001:uid=10002,gid=10002,+gid=.\&
+.Ql uid=10001>uid=10002,gid=10002,+gid=.\&
 above, with the additional constraint that 10003 must appear in the
 supplementary groups.
-.It Li uid=10001:uid=10002,gid=*,+gid=*
+.It Li uid=10001>uid=10002,gid=*,+gid=*
 Same as the first example, but lifting any constraints on groups, allowing the
 process to become part of any groups it sees fit.
 .El
@@ -380,17 +380,17 @@ process to become part of any groups it sees fit.
 Here are several examples of single rules matching processes having a real 
group
 ID of 10001:
 .Bl -tag -width indent
-.It Li gid=10001:uid=0
+.It Li gid=10001>uid=0
 Makes 10001 a more powerful
 .Ql wheel
 group, allowing its members to switch to root without password.
-.It Li gid=10001:gid=10002
+.It Li gid=10001>gid=10002
 Allows the process to enter GID 10002 as a primary group, but only if
 giving up all its supplementary groups.
-.It Li security.mac.do.rules=gid=10001:gid=10002,+gid=.\&
+.It Li security.mac.do.rules=gid=10001>gid=10002,+gid=.\&
 Same as the previous example, but allows to retain any current supplementary
 groups.
-.It Li gid=10001:gid=10002,!gid=.\&
+.It Li gid=10001>gid=10002,!gid=.\&
 Same as the previous example, but with the additional constraint that all
 current supplementary groups must be kept.
 .El
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
index 7bd3e2294798..a83c194b24ae 100644
--- a/sys/security/mac_do/mac_do.c
+++ b/sys/security/mac_do/mac_do.c
@@ -891,7 +891,7 @@ parse_single_rule(char *rule, struct rules *const rules,
                goto einval;
        }
 
-       from_id = strsep_noblanks(&rule, ":");
+       from_id = strsep_noblanks(&rule, ":>");
        if (is_null_or_empty(from_id)) {
                make_parse_error(parse_error, 0, "No ID specified.");
                goto einval;
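Review bot: the new `strsep_noblanks(&rule, ":>")` call silently accepts either separator, so nothing tells an administrator that a rule still written with ':' relies on a compatibility form that the commit message says will be removed after a transition period, and the man page in this same commit no longer documents ':' at all. Consider checking which delimiter `strsep_noblanks()` consumed and, for ':', emitting a deprecation warning (for example via `printf`/`log` from the kernel, or at least noting it in a comment with the planned removal), so that existing `security.mac.do.rules` values can be migrated before ':' stops parsing.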
@@ -991,8 +991,9 @@ einval:
  * to point to a 'struct parse_error' giving an error message for the problem,
  * else '*parse_error' is set to NULL.
  *
- * Expected format: A semi-colon-separated list of rules of the form
- * "<from>:<target>".  The <from> part is of the form "<type>=<id>" where 
<type>
+ * Expected format: A >-colon-separated list of rules of the form
+ * "<from>><target>" (for backwards compatibility, a semi-colon ":" is accepted
+ * in place of '>').  The <from> part is of the form "<type>=<id>" where <type>
  * is "uid" or "gid", <id> an UID or GID (depending on <type>) and <target> is
  * "*", "any" or a comma-separated list of '<flags><type>=<id>' clauses (see 
the
  * comment for parse_single_rule() for more details).  For convenience, empty
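Review bot: the rewritten comment in this hunk misstates the format in two places. Rules in the list are still separated by ';' (see the existing example `"uid=1001:uid=1010,gid=1010;uid=1002:any"` below), so "A >-colon-separated list of rules" should read "A semicolon-separated list of rules", with '>' being the separator inside each rule between `<from>` and `<target>`. Likewise ':' is a colon, not a semi-colon, so "(for backwards compatibility, a semi-colon ":" is accepted" should read "(for backwards compatibility, a colon ':' is accepted". As written, a reader of this comment could conclude that ';' is no longer the rule separator.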
@@ -1002,8 +1003,8 @@ einval:
  * allowed between '<flags>' and '<type>').
  *
  * Examples:
- * - "uid=1001:uid=1010,gid=1010;uid=1002:any"
- * - "gid=1010:gid=1011,gid=1012,gid=1013"
+ * - "uid=1001>uid=1010,gid=1010;uid=1002>any"
+ * - "gid=1010>gid=1011,gid=1012,gid=1013"
  */
 static int
 parse_rules(const char *const string, struct rules **const rulesp,