Document the FreeBSD 15 mac_do rule shape and expose soft setup verification for module/rule state without enforcing live host changes. --- Build: pass | Tests: pass — 2373 passed (704 files)
FreeBSD 15 mac_do Rule Shape
Date: 10 May 2026 21:51
Scope: FreeBSD 15.x only
This note records the FreeBSD 15 mac_do(4) syntax verified from the host
manual pages before wiring ISO bootstrap support.
Module loading
Enable the module at boot with /boot/loader.conf:
mac_do_load="YES"
Check runtime load state with:
/sbin/kldstat -m mac_do
Empty rule set
mac_do rules are exposed through the sysctl node:
security.mac.do.rules
The rule list may be empty. An empty rule list grants no credential
transitions, which is the desired bootstrap state until a concrete mdo(1)
consumer exists.
Persistent /etc/sysctl.conf representation:
security.mac.do.rules=
Equivalent interactive command form:
/sbin/sysctl security.mac.do.rules=""
Rule grammar
A non-empty rule has this top-level shape:
<from> > <to>
<from> matches the caller's real UID or GID:
uid=<number>
gid=<number>
<to> is a comma-separated list of target clauses:
uid=<number>
gid=<number>
+gid=<number>
!gid=<number>
-gid=<number>
any
Multiple rules are separated with semicolons:
uid=10001>uid=10002,gid=10002;gid=10001>uid=0
Examples from mac_do(4) include:
uid=10001>uid=10002
uid=10001>uid=10002,gid=10002,+gid=.
gid=10001>uid=0
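To make the grammar above checkable before a value reaches /etc/sysctl.conf, here is a small validator written for this note (it is not Clawdie code and not taken from mac_do(4)). It assumes whitespace around `>`, `,` and `;` may be dropped, that an empty string is the empty rule set, and that `.` is accepted wherever a number is expected only because the manual's third example uses `+gid=.`; the meaning of `.` is not documented here.

```python
import re
from dataclasses import dataclass

# Assumption: '.' accepted in place of a number because the page's example uses it.
_FROM_RE = re.compile(r"^(uid|gid)=(\d+)$")
_TO_RE = re.compile(r"^(uid|gid|\+gid|!gid|-gid)=(\d+|\.)$")


@dataclass(frozen=True)
class Rule:
    src: tuple[str, str]                  # e.g. ("uid", "10001")
    targets: tuple[tuple[str, str], ...]  # e.g. (("uid", "10002"), ("+gid", "."))


def parse_rules(text: str) -> list[Rule]:
    """Parse a security.mac.do.rules value; raise ValueError on malformed input."""
    rules: list[Rule] = []
    text = text.strip()
    if not text:
        return rules  # empty rule set: no credential transitions granted
    for raw in text.split(";"):
        raw = raw.strip()
        if ">" not in raw:
            raise ValueError(f"rule lacks '>': {raw!r}")
        src_s, to_s = (p.strip() for p in raw.split(">", 1))
        m = _FROM_RE.match(src_s)
        if not m:
            raise ValueError(f"bad <from> clause: {src_s!r}")
        targets: list[tuple[str, str]] = []
        for clause in to_s.split(","):
            clause = clause.strip()
            if clause == "any":
                targets.append(("any", ""))
                continue
            t = _TO_RE.match(clause)
            if not t:
                raise ValueError(f"bad <to> clause: {clause!r}")
            targets.append((t.group(1), t.group(2)))
        rules.append(Rule((m.group(1), m.group(2)), tuple(targets)))
    return rules


def is_valid_rules(text: str) -> bool:
    """Convenience wrapper: True when the whole value parses."""
    try:
        parse_rules(text)
        return True
    except ValueError:
        return False


def rules_needing_review(text: str) -> list[int]:
    """Indices of rules that name uid 0 or use 'any'; audit these before shipping."""
    return [i for i, r in enumerate(parse_rules(text))
            if any(t in (("uid", "0"), ("any", "")) for t in r.targets)]
```

Run it over a candidate value in CI so a typo in a rule string fails the build instead of being discovered at boot.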
Jail behavior
mac_do supports per-jail configuration. A new jail starts with no credential
rules. Jail parameters are:
mac.do=enable|disable|inherit
mac.do.rules=<rules>
Each jail that uses mdo(1) must have /usr/bin/mdo available.
Clawdie bootstrap decision
Clawdie ISO bootstrap enables the framework and installs an empty rule set:
/boot/loader.conf:
mac_do_load="YES"
/etc/sysctl.conf:
security.mac.do.rules=
No UID/GID transition rules are shipped yet. Specific rules should be added only for a concrete audited workflow, preferably with hostd as the orchestrator so agent-initiated privileged actions remain logged through one path.