# FreeBSD 15 mac_do Rule Shape

**Date:** 10 May 2026 21:51
**Scope:** FreeBSD 15.x only

This note records the FreeBSD 15 `mac_do(4)` syntax verified from the host manual pages before wiring ISO bootstrap support.

## Module loading

Enable the module at boot with `/boot/loader.conf`:

```conf
mac_do_load="YES"
```

Check runtime load state with:

```sh
/sbin/kldstat -m mac_do
```

## Empty rule set

`mac_do` rules are exposed as:

```sh
security.mac.do.rules
```

The rule list may be empty. An empty rule list grants no credential transitions, which is the desired bootstrap state until a concrete `mdo(1)` consumer exists.

Persistent `/etc/sysctl.conf` representation:

```conf
security.mac.do.rules=
```

Equivalent interactive command form:

```sh
/sbin/sysctl security.mac.do.rules=""
```

## Rule grammar

A non-empty rule has this top-level shape, with the caller side and the target side separated by `>`:

```text
>
```

The part before `>` matches the caller's real UID or GID:

```text
uid=
gid=
```

The part after `>` is a comma-separated list of target clauses:

```text
uid=
gid=
+gid=
!gid=
-gid=
any
```

Multiple rules are separated with semicolons:

```text
uid=10001>uid=10002,gid=10002;gid=10001>uid=0
```

Examples from `mac_do(4)` include:

```text
uid=10001>uid=10002
uid=10001>uid=10002,gid=10002,+gid=.
gid=10001>uid=0
```

## Jail behavior

`mac_do` supports per-jail configuration. A new jail starts with no credential rules. Jail parameters are:

```text
mac.do=enable|disable|inherit
mac.do.rules=
```

Each jail that uses `mdo(1)` must have `/usr/bin/mdo` available.

## Clawdie bootstrap decision

Clawdie ISO bootstrap enables the framework and installs an empty rule set:

- `/boot/loader.conf`: `mac_do_load="YES"`
- `/etc/sysctl.conf`: `security.mac.do.rules=`

No UID/GID transition rules are shipped yet. Specific rules should be added only for a concrete audited workflow, preferably with hostd as the orchestrator so agent-initiated privileged actions remain logged through one path.
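As an added example (not part of this note, of Clawdie, or of FreeBSD's own tooling), a small Python validator for the rule shape given under "Rule grammar", so that a candidate rule string can be rejected before it is written to `/etc/sysctl.conf`. It accepts `.` as a target value only because the `+gid=.` example above uses it; that, and the requirement that the caller side be numeric, are assumptions about the grammar rather than statements from `mac_do(4)`.

```python
"""Validator for the FreeBSD 15 mac_do(4) rule string shape described above."""
import re
from dataclasses import dataclass, field

# Target-side clause keys named in the note; "any" takes no value.
_TARGET_KEYS = ("uid", "gid", "+gid", "!gid", "-gid")
# Assumption: a value is a numeric id, or "." as in the "+gid=." example.
_VALUE = re.compile(r"^(\d+|\.)$")

@dataclass
class Rule:
    from_key: str                                 # "uid" or "gid" (caller's real id)
    from_id: int
    targets: list = field(default_factory=list)   # (key, value) pairs; value None for "any"

def _split_clause(clause, allowed):
    if "=" not in clause:
        raise ValueError(f"clause {clause!r} lacks '='")
    key, value = clause.split("=", 1)
    if key not in allowed:
        raise ValueError(f"unknown clause key {key!r} in {clause!r}")
    if not _VALUE.match(value):
        raise ValueError(f"bad value {value!r} in {clause!r}")
    return key, value

def parse_rules(text):
    """Parse a security.mac.do.rules string; an empty string grants no transitions."""
    text = text.strip()
    if not text:
        return []
    rules = []
    for raw in text.split(";"):
        if ">" not in raw:
            raise ValueError(f"rule {raw!r} lacks the '>' separator")
        left, right = raw.split(">", 1)
        from_key, from_val = _split_clause(left, ("uid", "gid"))
        if from_val == ".":                       # assumption: caller side is always numeric
            raise ValueError("caller side must be a numeric id")
        rule = Rule(from_key, int(from_val))
        for clause in right.split(","):           # "" clause (e.g. "uid=1>") fails in _split_clause
            rule.targets.append(("any", None) if clause == "any"
                                else _split_clause(clause, _TARGET_KEYS))
        rules.append(rule)
    return rules

def sysctl_conf_line(rules):
    """Render rules back to the /etc/sysctl.conf form; [] gives the empty rule set."""
    body = ";".join(f"{r.from_key}={r.from_id}>" + ",".join(
        k if v is None else f"{k}={v}" for k, v in r.targets) for r in rules)
    return f"security.mac.do.rules={body}"
```

Running `sysctl_conf_line(parse_rules(s))` on a candidate string `s` both validates it and produces the exact line to append to `/etc/sysctl.conf`.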