Status/2025Q3/mac_do.adoc: Add report

website/content/en/status/report-2025-07-2025-09/mac_do.adoc

@@ -0,0 +1,23 @@
+[[gsoc25-macdo-mdo]]
+=== mac_do(4) and mdo(1) Improvements
+
+Links: +
+https://wiki.freebsd.org/SummerOfCode2025Projects/MacDoAndMDoImprovements
+
+Contact: Kushagra Srivastava <[email protected]>
+
+As part of Google Summer of Code 2025, I worked on two related sub-projects in the FreeBSD Project: kernel improvements to `mac_do(4)` and userland enhancements to `mdo(1)`.
+
+`mac_do(4)` is a kernel MAC security module that allows controlled credential transitions without requiring setuid binaries. The project extended it in two key ways:
+
+* **Per-jail configuration of authorized executables** – administrators can now specify a list of executables per-jail, permitted to request credential transitions, instead of being limited to the hardcoded `/usr/bin/mdo`.
+* **Support for traditional credential-changing syscalls** – transitions requested via `setuid(2)`, `setgid(2)`, `setgroups(2)`, and related functions are now intercepted and authorized through `mac_do(4)`, in addition to the original `setcred(2)` mechanism.
+
+On the userland side, the companion tool `mdo(1)` was extended to:
+
+* Allow explicit UID/GID overrides, fine-grained group management (`-g`, `-G`, `-s` options), and improved credential parsing.
+* Provide a `--print-rule` option to display the corresponding `mac_do(4)` rule for a requested transition.
+
+Together, these improvements make `mac_do(4)` and `mdo(1)` far more flexible and practical, enabling safer privilege transitions without relying on setuid executables and with strong jail integration.
+
+Sponsor: Google LLC (Google Summer of Code 2025)