mac.4 (aa4a335baec3d36bc4b0c510be6a530c16570b4b) | mac.4 (a56840346b3059fb8d3ded4d9e61a9d42928c971) |
---|---|
1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. | 1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. |
3.\" | 3.\" |
4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. | 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. |
9.\" | 9.\" |
10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. | 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. |
18.\" | 18.\" |
19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. | 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. |
30.\" | 30.\" |
31.\" $FreeBSD$ | 31.\" $FreeBSD$ |
32.\" 33.Dd October 30, 2007 | 32.Dd JANUARY 8, 2003 |
34.Os 35.Dt MAC 4 36.Sh NAME 37.Nm mac 38.Nd Mandatory Access Control 39.Sh SYNOPSIS 40.Cd "options MAC" 41.Sh DESCRIPTION 42.Ss Introduction 43The Mandatory Access Control, or MAC, framework allows administrators to 44finely control system security by providing for a loadable security policy 45architecture. 46It is important to note that due to its nature, MAC security policies may | 33.Os 34.Dt MAC 4 35.Sh NAME 36.Nm mac 37.Nd Mandatory Access Control 38.Sh SYNOPSIS 39.Cd "options MAC" 40.Sh DESCRIPTION 41.Ss Introduction 42The Mandatory Access Control, or MAC, framework allows administrators to 43finely control system security by providing for a loadable security policy 44architecture. 45It is important to note that due to its nature, MAC security policies may |
47only restrict access relative to one another and the base system policy; 48they cannot override traditional 49.Ux | 46only further restrict security; they cannot override traditional UNIX |
50security provisions such as file permissions and superuser checks. 51.Pp 52Currently, the following MAC policy modules are shipped with 53.Fx : 54.Bl -column ".Xr mac_seeotheruids 4" "low-watermark mac policy" ".Em Labeling" "boot only" | 47security provisions such as file permissions and superuser checks. 48.Pp 49Currently, the following MAC policy modules are shipped with 50.Fx : 51.Bl -column ".Xr mac_seeotheruids 4" "low-watermark mac policy" ".Em Labeling" "boot only" |
55.It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time" | 52.It Em Name Ta Em Description Ta Em Labeling Ta Em "Load time" |
56.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only 57.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time 58.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time 59.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only 60.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only 61.It Xr mac_none 4 Ta "Sample no-op policy" Ta no Ta any time 62.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time | 53.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only 54.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time 55.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time 56.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only 57.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only 58.It Xr mac_none 4 Ta "Sample no-op policy" Ta no Ta any time 59.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time |
63.It Xr mac_portacl 4 Ta "Port bind(2) access control" Ta no Ta any time | |
64.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time 65.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time 66.El 67.Ss MAC Labels 68Each system subject (processes, sockets, etc.) and each system object 69(file system objects, sockets, etc.) can carry with it a MAC label. | 60.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time 61.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time 62.El 63.Ss MAC Labels 64Each system subject (processes, sockets, etc.) and each system object 65(file system objects, sockets, etc.) can carry with it a MAC label. |
70MAC labels contain data in an arbitrary format 71taken into consideration in making access control decisions 72for a given operation. | 66MAC labels can contain data in an arbitrary format 67used by the MAC policies in order to help determine how to determine 68access rights for a given operation. |
73Most MAC labels on system subjects and objects 74can be modified directly or indirectly by the system 75administrator. | 69Most MAC labels on system subjects and objects 70can be modified directly or indirectly by the system 71administrator. |
76The format for a given policy's label may vary depending on the type 77of object or subject being labeled. | |
78More information on the format for MAC labels can be found in the 79.Xr maclabel 7 80man page. | 72More information on the format for MAC labels can be found in the 73.Xr maclabel 7 74man page. |
81.Ss MAC Support for UFS2 File Systems 82By default, file system enforcement of labeled MAC policies relies on 83a single file system label 84(see 85.Sx "MAC Labels" ) 86in order to make access control decisions for all the files in a particular 87file system. 88With some policies, this configuration may not allow administrators to take 89full advantage of features. 90In order to enable support for labeling files on an individual basis 91for a particular file system, 92the 93.Dq multilabel 94flag must be enabled on the file system. 95To set the 96.Dq multilabel 97flag, drop to single-user mode and unmount the file system, 98then execute the following command: 99.Pp 100.Dl "tunefs -l enable" Ar filesystem 101.Pp 102where 103.Ar filesystem 104is either the mount point 105(in 106.Xr fstab 5 ) 107or the special file 108(in 109.Pa /dev ) 110corresponding to the file system on which to enable multilabel support. 111.Ss Policy Enforcement 112Policy enforcement is divided into the following areas of the system: 113.Bl -ohang 114.It Sy "File System" 115File system mounts, modifying directories, modifying files, etc. 
116.It Sy KLD 117Loading, unloading, and retrieving statistics on loaded kernel modules 118.It Sy Network 119Network interfaces, 120.Xr bpf 4 , 121packet delivery and transmission, 122interface configuration 123.Xr ( ioctl 2 , 124.Xr ifconfig 8 ) 125.It Sy Pipes 126Creation of and operation on 127.Xr pipe 2 128objects 129.It Sy Processes 130Debugging 131(e.g.\& 132.Xr ktrace 2 ) , 133process visibility 134.Pq Xr ps 1 , 135process execution 136.Pq Xr execve 2 , 137signalling 138.Pq Xr kill 2 139.It Sy Sockets 140Creation of and operation on 141.Xr socket 2 142objects 143.It Sy System 144Kernel environment 145.Pq Xr kenv 1 , 146system accounting 147.Pq Xr acct 2 , 148.Xr reboot 2 , 149.Xr settimeofday 2 , 150.Xr swapon 2 , 151.Xr sysctl 3 , 152.Xr nfsd 8 Ns 153-related operations 154.It Sy VM 155.Xr mmap 2 Ns 156-ed files 157.El 158.Ss Setting MAC Labels 159From the command line, each type of system object has its own means for setting | 75.Ss Setting MAC labels 76From the command line, each type of system object has its own way of setting |
160and modifying its MAC policy label. | 77and modifying its MAC policy label. |
161.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent 162.It Sy "Subject/Object" Ta Sy "Utility" 163.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8 | 78.Bl -column "user login process" "Xr login.conf 5" -offset indent 79.It Em "Subject/Object" Ta Em "Utility" 80.It "File system object" Ta Xr setfmac 8 |
164.It "Network interface" Ta Xr ifconfig 8 165.It "TTY (by login class)" Ta Xr login.conf 5 166.It "User (by login class)" Ta Xr login.conf 5 167.El 168.Pp 169Additionally, the | 81.It "Network interface" Ta Xr ifconfig 8 82.It "TTY (by login class)" Ta Xr login.conf 5 83.It "User (by login class)" Ta Xr login.conf 5 84.El 85.Pp 86Additionally, the |
170.Xr su 1 171and | |
172.Xr setpmac 8 | 87.Xr setpmac 8 |
173utilities can be used to run a command with a different process label than | 88command can be used to run a command with a different process label than |
174the shell's current label. 175.Ss Programming With MAC 176MAC security enforcement itself is transparent to application 177programs, with the exception that some programs may need to be aware of 178additional 179.Xr errno 2 180returns from various system calls. 181.Pp 182The interface for retrieving, handling, and setting policy labels 183is documented in the 184.Xr mac 3 185man page. | 89the shell's current label. 90.Ss Programming With MAC 91MAC security enforcement itself is transparent to application 92programs, with the exception that some programs may need to be aware of 93additional 94.Xr errno 2 95returns from various system calls. 96.Pp 97The interface for retrieving, handling, and setting policy labels 98is documented in the 99.Xr mac 3 100man page. |
186.\" *** XXX *** 187.\" Support for this feature is poor and should not be encouraged. 188.\" 189.\" .It Va security.mac.mmap_revocation 190.\" Revoke 191.\" .Xr mmap 2 192.\" access to files on subject relabel. 193.\" .It Va security.mac.mmap_revocation_via_cow 194.\" Revoke 195.\" .Xr mmap 2 196.\" access to files via copy-on-write semantics; 197.\" mapped regions will still appear writable, but will no longer 198.\" effect a change on the underlying vnode. 199.\" (Default: 0). | |
200.Sh SEE ALSO 201.Xr mac 3 , 202.Xr mac_biba 4 , 203.Xr mac_bsdextended 4 , 204.Xr mac_ifoff 4 , 205.Xr mac_lomac 4 , 206.Xr mac_mls 4 , 207.Xr mac_none 4 , 208.Xr mac_partition 4 , | 101.Sh SEE ALSO 102.Xr mac 3 , 103.Xr mac_biba 4 , 104.Xr mac_bsdextended 4 , 105.Xr mac_ifoff 4 , 106.Xr mac_lomac 4 , 107.Xr mac_mls 4 , 108.Xr mac_none 4 , 109.Xr mac_partition 4 , |
209.Xr mac_portacl 4 , | |
210.Xr mac_seeotheruids 4 , 211.Xr mac_test 4 , | 110.Xr mac_seeotheruids 4 , 111.Xr mac_test 4 , |
212.Xr login.conf 5 , | 112.Xr login.5 , |
213.Xr maclabel 7 , 214.Xr getfmac 8 , | 113.Xr maclabel 7 , 114.Xr getfmac 8 , |
215.Xr getpmac 8 , | |
216.Xr setfmac 8 , | 115.Xr setfmac 8 , |
116.Xr getpmac 8 , |
|
217.Xr setpmac 8 , 218.Xr mac 9 | 117.Xr setpmac 8 , 118.Xr mac 9 |
219.Rs 220.%B "The FreeBSD Handbook" 221.%T "Mandatory Access Control" 222.%U http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html 223.Re | |
224.Sh HISTORY 225The 226.Nm 227implementation first appeared in 228.Fx 5.0 | 119.Sh HISTORY 120The 121.Nm 122implementation first appeared in 123.Fx 5.0 |
229and was developed by the 230.Tn TrustedBSD 231Project. | 124and was developed by the TrustedBSD Project. |
232.Sh AUTHORS 233This software was contributed to the 234.Fx 235Project by Network Associates Labs, 236the Security Research Division of Network Associates | 125.Sh AUTHORS 126This software was contributed to the 127.Fx 128Project by Network Associates Labs, 129the Security Research Division of Network Associates |
237Inc. 238under DARPA/SPAWAR contract N66001-01-C-8035 239.Pq Dq CBOSS , | 130Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), |
240as part of the DARPA CHATS research program. | 131as part of the DARPA CHATS research program. |
241.Sh BUGS 242See 243.Xr mac 9 244concerning appropriateness for production use. 245The 246.Tn TrustedBSD 247MAC Framework is considered experimental in 248.Fx . 249.Pp 250While the MAC Framework design is intended to support the containment of 251the root user, not all attack channels are currently protected by entry 252point checks. 253As such, MAC Framework policies should not be relied on, in isolation, 254to protect against a malicious privileged user. | |
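
Review bot: The reworded Introduction sentence at lines 46-50 of the October 30, 2007 column ("may only restrict access relative to one another and the base system policy") is harder to parse than the wording it replaces ("may only further restrict security"). "Relative to one another" does not say which way the restriction goes. Suggest stating it directly, for example that a policy can deny an operation the base system or another policy would allow, but cannot grant one that file permissions or superuser checks deny, which is what the rest of the sentence already implies.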
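
Review bot: The new "MAC Support for UFS2 File Systems" section (lines 81-110 of the newer column) gives the command as `.Dl "tunefs -l enable" Ar filesystem` but never cross-references the utility, while `fstab 5` in the same paragraph does get `.Xr`. Suggest adding `.Xr tunefs 8` in the text and under SEE ALSO. The sentence "With some policies, this configuration may not allow administrators to take full advantage of features" is also vague. The module table earlier on the page already has a Labeling column, so pointing at the policies marked "yes" there would tell the reader which ones are affected by a single file system label.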
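
Review bot: SEE ALSO is not kept in step with the "Setting MAC Labels" changes at lines 161-173 of the newer column. That hunk adds `setfsmac 8` to the utility table and `su 1` to the paragraph on running a command under a different process label, yet neither is added to the `.Sh SEE ALSO` list, which does gain `mac_portacl 4` and the corrected `login.conf 5`. Suggest adding `.Xr su 1 ,` and `.Xr setfsmac 8 ,` in section and alphabetical order. The same pass reorders `getpmac 8` ahead of `setfmac 8`, so the list is already being sorted.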
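
Review bot: The commented-out block at lines 186-199 of the newer column leaves two `.It Va security.mac.mmap_revocation*` entries in the source under a `*** XXX ***` marker, with no enclosing `.Bl`/`.El` and no rendered section that lists sysctl variables. As written it documents nothing to the reader and will not format if someone uncomments it. If the intent is that the feature "should not be encouraged", either drop the block and keep the rationale in the commit log, or say so in rendered text (BUGS would fit) so that administrators who find these variables on a running system know the manual's position on them.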
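
Review bot: The new BUGS section (lines 241-254 of the newer column) states that "not all attack channels are currently protected by entry point checks", but the "Policy Enforcement" list added in the same revision (lines 111-157) presents its eight areas without any qualification, and the Introduction still opens with "finely control system security". A reader who stops before BUGS gets no hint of the limitation. Suggest a one-line pointer from "Policy Enforcement" to BUGS, and moving the "considered experimental" sentence ahead of the `.Xr mac 9` reference so the caveat is read before the cross-reference.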