Bug 281820 - mdo: failed to call initgroups: Operation not permitted
Summary: mdo: failed to call initgroups: Operation not permitted
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Olivier Certner
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-10-02 14:10 UTC by Jose Luis Duran
Modified: 2024-11-18 09:36 UTC
CC: 3 users

See Also:


Attachments
WIP: Not thoroughly tested (2.02 KB, patch)
2024-10-06 20:40 UTC, Jose Luis Duran

Description Jose Luis Duran freebsd_committer freebsd_triage 2024-10-02 14:10:39 UTC
As 'root' issue:

    # kldload mac_do
    # sysctl security.mac.do.rules=gid=0:any

A user 'freebsd' already exists and belongs to 'wheel':

    $ mdo pkg upgrade
uma_zalloc_debug: zone "malloc-1024" with the following non-sleepable locks held:
exclusive sleep mutex process lock (process lock) r = 0 (0xfffffe0049457188) locked @ /usr/src/sys/kern/kern_prot.c:846
stack backtrace:
#0 0xffffffff80bc6bfc at witness_debugger+0x6c
#1 0xffffffff80bc7df3 at witness_warn+0x403
#2 0xffffffff80ef7864 at uma_zalloc_debug+0x34
#3 0xffffffff80ef7387 at uma_zalloc_arg+0x27
#4 0xffffffff80b23d8d at malloc+0x7d
#5 0xffffffff80c2bce1 at vn_fullpath+0x41
#6 0xffffffff8331c9dc at check_setgroups+0x5c
#7 0xffffffff80e8b2e4 at mac_cred_check_setgroups+0xa4
#8 0xffffffff80b3bbc7 at kern_setgroups+0x157
#9 0xffffffff80b3ba5e at sys_setgroups+0x9e
#10 0xffffffff8107c9b8 at amd64_syscall+0x158
#11 0xffffffff8104e7bb at fast_syscall_common+0xf8
mdo: failed to call initgroups: Operation not permitted
Comment 1 Jose Luis Duran freebsd_committer freebsd_triage 2024-10-06 20:40:59 UTC
Created attachment 254060 [details]
WIP: Not thoroughly tested

- mac_do: Allow a gid-only rule to any
- mac_do: Avoid locking around vn_fullpath()
- mac_do: check if freebuf is non-NULL before freeing

This is my weekly progress on this bug.  I would like to test it further, and familiarize myself with the code a bit more before submitting it for review.

Posting it here just in case it is of any help.

Tests:

As 'root' issue:

    # kldload mac_do
    # sysctl security.mac.do.rules=gid=0:any [1]
    # sysctl security.mac.do.rules=gid=1001:any [2]

A user 'freebsd' already exists with a GID 1001 and belongs to 'wheel':

    $ mdo pkg upgrade [1] [2]
    Updating FreeBSD repository catalogue...
    ...
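The two rule strings tested above differ only in whether the caller is matched on its primary GID (`gid=1001:any`) or on a supplementary group (`gid=0:any`, via wheel membership), and the first WIP item is about letting a gid-only rule target `any` at all. The following C program is an added example, not mac_do(4)'s kernel code and not the attached patch: it is a userspace model of that policy check that parses a rule string of the shape this page uses and decides whether a credential may become a target uid. Everything beyond the two rule strings visible on the page is an assumption: the `uid=<n>` form, numeric targets, comma-separated lists, first-match-wins evaluation, and the names `check_spec`, `struct cred`, `freebsd_user` and `other_user` are the example's own (comment 2 below notes that the revamp changes the rule format anyway). The model deliberately fails closed on a malformed rule string and rejects signed or whitespace-prefixed numbers that `strtoul` alone would accept. It says nothing about the witness warning in the report, which is a kernel locking problem (`vn_fullpath()` allocating under the process lock on the way from `mac_cred_check_setgroups()`) that no userspace model can show.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One rule of the assumed syntax "<from>:<to>[,...]", <from> = "uid=<n>" | "gid=<n>", <to> = uid | "any". */
struct do_rule {
	bool          by_gid;  /* match the caller on a gid (else on its uid) */
	unsigned long id;      /* the uid or gid the caller must have */
	bool          to_any;  /* target is "any" */
	unsigned long to_uid;  /* target uid when !to_any */
};

struct cred {                  /* minimal credential model (example's own) */
	unsigned long uid, gid;    /* uid and primary gid */
	unsigned long groups[16];  /* supplementary groups */
	int           ngroups;
};

/* Decimal number at s that must end exactly at stop; rejects "-1", " 7", "". */
static bool parse_num(const char *s, const char *stop, unsigned long *out)
{
	char *end;
	if (*s < '0' || *s > '9')
		return (false);
	*out = strtoul(s, &end, 10);
	return (end == stop);
}

/* Parse one "<from>:<to>" token into *r; 0 on success, -1 on syntax error. */
static int parse_rule(const char *tok, struct do_rule *r)
{
	const char *colon = strchr(tok, ':'), *to;
	if (colon == NULL ||
	    (strncmp(tok, "uid=", 4) != 0 && strncmp(tok, "gid=", 4) != 0))
		return (-1);
	r->by_gid = tok[0] == 'g';
	if (!parse_num(tok + 4, colon, &r->id))
		return (-1);
	to = colon + 1;
	r->to_any = strcmp(to, "any") == 0;
	if (!r->to_any && !parse_num(to, to + strlen(to), &r->to_uid))
		return (-1);
	return (0);
}

/* Parse a comma-separated rule list; returns the rule count or -1 on error. */
static int parse_rules(const char *spec, struct do_rule *rules, int max)
{
	int n = 0;
	while (*spec != '\0') {
		const char *comma = strchr(spec, ',');
		size_t len = comma != NULL ? (size_t)(comma - spec) : strlen(spec);
		char tok[64];
		if (len == 0 || len >= sizeof(tok) || n >= max)
			return (-1);
		memcpy(tok, spec, len);
		tok[len] = '\0';
		if (parse_rule(tok, &rules[n++]) != 0)
			return (-1);
		spec += comma != NULL ? len + 1 : len;
	}
	return (n);
}

/* gid matches either the primary gid or one of the supplementary groups. */
static bool cred_has_gid(const struct cred *c, unsigned long gid)
{
	for (int i = 0; i < c->ngroups; i++)
		if (c->groups[i] == gid)
			return (true);
	return (c->gid == gid);
}

/* 1 if a rule lets c become target, 0 if none does, -1 if spec is malformed (fail closed). */
int check_spec(const char *spec, const struct cred *c, unsigned long target)
{
	struct do_rule rules[16] = {{ 0 }};
	int n = parse_rules(spec, rules, 16);
	if (n < 0)
		return (-1);
	for (int i = 0; i < n; i++) {
		const struct do_rule *r = &rules[i];
		bool from_ok = r->by_gid ? cred_has_gid(c, r->id) : c->uid == r->id;
		if (from_ok && (r->to_any || r->to_uid == target))
			return (1);
	}
	return (0);
}

/* Constructed credentials: the report's 'freebsd' user (uid and primary gid
 * 1001, member of wheel = gid 0) and a second user that is not in wheel. */
const struct cred freebsd_user = { 1001, 1001, { 0 }, 1 };
const struct cred other_user   = { 1002, 1002, { 0 }, 0 };

int main(void)
{
	printf("gid=0:any: freebsd -> uid 0 = %d, other -> uid 0 = %d\n",
	    check_spec("gid=0:any", &freebsd_user, 0), check_spec("gid=0:any", &other_user, 0));
	return (0);
}
```

With these credentials, `gid=0:any` admits `freebsd_user` only because the check walks the supplementary groups, which is what the report's test (a user whose primary GID is 1001 being allowed by a `gid=0` rule) implies; `other_user`, who is not in wheel, is denied, and a string such as `gid=0` or `gid=-1:any` returns -1 rather than silently matching nothing or everything.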
Comment 2 Olivier Certner freebsd_committer freebsd_triage 2024-10-07 07:37:06 UTC
Hello Jose,

There are several code and conceptual problems in the current implementation of mac_do(4), and I would advise not to use it in a production setup yet.

I have been working on a full revamp of it.  Prerequisite commits (about general infrastructure changes) are already under review, and the bulk of it (changes in mac_do(4) proper) will soon follow (an earlier version can be globally seen at https://github.com/freebsd/freebsd-src/compare/main...OlCe2:freebsd-src:oc-mac_do).
As you can see there, the format of the rules specification in `security.mac.do.rules` has been changed.

Thanks and regards.
Comment 3 Jose Luis Duran freebsd_committer freebsd_triage 2024-10-07 14:01:50 UTC
(In reply to Olivier Certner from comment #2)

Thank you for sharing this information.
Comment 4 Olivier Certner freebsd_committer freebsd_triage 2024-10-07 14:11:32 UTC
I'll be glad if you can test, or even review, the changes in their final form.  If you are OK, I can add you to the upcoming reviews.  In any case, I intend to update the GitHub series above next (still working with reviewers on the prerequisite ones), and will post an update here so that interested people can test.
Comment 5 Jose Luis Duran freebsd_committer freebsd_triage 2024-10-07 14:22:01 UTC
(In reply to Olivier Certner from comment #4)

Yes, I am installing this branch as we speak. Thank you!
Comment 6 Jose Luis Duran freebsd_committer freebsd_triage 2024-10-29 06:02:39 UTC
This bug can be closed as FIXED by review D47304.
Comment 7 Olivier Certner freebsd_committer freebsd_triage 2024-11-18 09:05:23 UTC
(In reply to Olivier Certner from comment #4)
(In reply to Jose Luis Duran from comment #5)

Hi Jose, I have added you as a subscriber to differential revisions concerning the revamped mac_do(4).  If you have some time and interest, please review what you can.  If you find it more convenient, the full series of commits (including some prerequisites mostly reviewed and some not really related commits) is also available at my GitHub (https://github.com/freebsd/freebsd-src/compare/main...OlCe2:freebsd-src:oc-mac_do; the 'oc-mac_do' branch has been updated).

I've just noticed that you added yourself to D47633 (the "umbrella" revision), great.  If, on the other hand, you're annoyed to have been added as a subscriber to all incremental changes, don't hesitate to say so and I'll remove these subscriptions.
Comment 8 Jose Luis Duran freebsd_committer freebsd_triage 2024-11-18 09:36:41 UTC
(In reply to Olivier Certner from comment #7)
No problem at all. Thank you!
I'll take a look.