mac.4 (bc2c2a48a9e1ae98cc38df6dd702757b93aa14ed) | mac.4 (58ce77d37b36199368c98cdcb4d59cb8271ce18d) |
---|---|
1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. --- 58 unchanged lines hidden (view full) --- 67used by the MAC policies in order to help determine how to determine 68access rights for a given operation. 69Most MAC labels on system subjects and objects 70can be modified directly or indirectly by the system 71administrator. 72More information on the format for MAC labels can be found in the 73.Xr maclabel 7 74man page. | 1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. --- 58 unchanged lines hidden (view full) --- 67used by the MAC policies in order to help determine how to determine 68access rights for a given operation. 69Most MAC labels on system subjects and objects 70can be modified directly or indirectly by the system 71administrator. 72More information on the format for MAC labels can be found in the 73.Xr maclabel 7 74man page. |
75.Ss Policy Enforcement 76MAC can be configured to enforce only specific portions of 77policies 78(see 79.Sx "Runtime Configuration" ) . 80Policy enforcement is divided into the following areas of the system: 81.Bl -ohang 82.It Sy File System 83File system mounts, modifying directories, modifying files, etc. 84.It Sy KLD 85Loading, unloading, and retrieving statistics on loaded kernel modules 86.It Sy Network 87Network interfaces, 88.Xr bpf 4 89.It Sy Pipes 90Creation of and operation on 91.Xr pipe 2 92objects 93.It Sy Processes 94Debugging 95(e.g. 96.Xr ktrace 2 ) , 97process visibility 98.Xr ( ps 1 ) , 99process execution 100.Xr ( execve 2 ) , 101signalling 102.Xr ( kill 2 ) 103.It Sy Sockets 104Creation and operation on 105.Xr socket 2 106objects 107.It Sy System 108Kernel environment 109.Xr ( kenv 1 ) , 110system accounting 111.Xr ( acct 2 ) , 112.Xr reboot 2 , 113.Xr settimeofday 2 , 114.Xr swapon 2 , 115.Xr sysctl 3 , 116.Sm off 117.Xr nfsd 8 - 118related 119.Sm on 120operations 121.It Sy VM 122.Sm off 123.Xr mmap 2 - 124ed 125.Sm on 126files 127.El |
|
75.Ss Setting MAC labels 76From the command line, each type of system object has its own means for setting 77and modifying its MAC policy label. 78.Bl -column "user login process" "Xr login.conf 5" -offset indent 79.It Em "Subject/Object" Ta Em "Utility" 80.It "File system object" Ta Xr setfmac 8 81.It "Network interface" Ta Xr ifconfig 8 82.It "TTY (by login class)" Ta Xr login.conf 5 --- 10 unchanged lines hidden (view full) --- 93additional 94.Xr errno 2 95returns from various system calls. 96.Pp 97The interface for retrieving, handling, and setting policy labels 98is documented in the 99.Xr mac 3 100man page. | 128.Ss Setting MAC labels 129From the command line, each type of system object has its own means for setting 130and modifying its MAC policy label. 131.Bl -column "user login process" "Xr login.conf 5" -offset indent 132.It Em "Subject/Object" Ta Em "Utility" 133.It "File system object" Ta Xr setfmac 8 134.It "Network interface" Ta Xr ifconfig 8 135.It "TTY (by login class)" Ta Xr login.conf 5 --- 10 unchanged lines hidden (view full) --- 146additional 147.Xr errno 2 148returns from various system calls. 149.Pp 150The interface for retrieving, handling, and setting policy labels 151is documented in the 152.Xr mac 3 153man page. |
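Review bot: The new Policy Enforcement list (lines 80-127) never says what it means for an area not to be enforced, although the cross-reference to "Runtime Configuration" at lines 78-79 implies that each area can be switched off; one sentence stating that an area which is not enforced skips that whole class of checks for every loaded policy, not for a single policy, would make the security impact of the knobs clear at the point where the areas are introduced. Two consistency points in the same list: the VM entry (lines 121-126) covers only "mmap(2)-ed files", while the corresponding sysctl description later in this change covers both mmap(2) and mprotect(2), so mprotect(2) should be named here too; and the Processes entry mixes two forms of parenthetical cross-reference, "(e.g." followed by ".Xr ktrace 2 ) ," at lines 95-96 and ".Xr ( ps 1 ) ," at line 98, which should be written in one style. "File system mounts, modifying directories, modifying files, etc." at line 83 would also read better with the "etc." replaced by the remaining operations or dropped.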
154.Ss Runtime Configuration 155The following 156.Xr sysctl 8 157MIBs are available for fine-tuning the enforcement of MAC policies. 158Unless specifically noted, all MIBs default to 159.Li 1 160(that is, all areas are enforced by default): 161.Bl -tag -width "security.mac.mmap_revocation" 162.It Va security.mac.enforce_fs 163Enforce MAC policies for file system accesses 164.It Va security.mac.enforce_kld 165Enforce MAC policies on 166.Xr kld 4 167.It Va security.mac.enforce_network 168Enforce MAC policies on network interfaces 169.It Va security.mac.enforce_pipe 170Enforce MAC policies on pipes 171.It Va security.mac.enforce_process 172Enforce MAC policies between system processes 173(e.g. 174.Xr ps 1 , 175.Xr ktrace 2 ) 176.It Va security.mac.enforce_socket 177Enforce MAC policies on sockets 178.It Va security.mac.enforce_system 179Enforce MAC policies on system-related items 180(e.g. 181.Xr kenv 1 , 182.Xr acct 2 , 183.Xr reboot 2 ) 184.It Va security.mac.enforce_vm 185Enforce MAC policies on 186.Xr mmap 2 187and 188.Xr mprotect 2 189.It Va security.mac.mmap_revocation 190Revoke 191.Xr mmap 2 192access to files on subject relabel 193.It Va security.mac.mmap_revocation_via_cow 194Revoke 195.Xr mmap 2 196access to files via copy-on-write semantics; 197mapped regions will still appear writable, but will no longer 198effect a change on the underlying vnode 199(Default: 0) 200.El |
|
101.Sh SEE ALSO 102.Xr mac 3 , 103.Xr mac_biba 4 , 104.Xr mac_bsdextended 4 , 105.Xr mac_ifoff 4 , 106.Xr mac_lomac 4 , 107.Xr mac_mls 4 , 108.Xr mac_none 4 , --- 28 unchanged lines hidden --- | 201.Sh SEE ALSO 202.Xr mac 3 , 203.Xr mac_biba 4 , 204.Xr mac_bsdextended 4 , 205.Xr mac_ifoff 4 , 206.Xr mac_lomac 4 , 207.Xr mac_mls 4 , 208.Xr mac_none 4 , --- 28 unchanged lines hidden --- |
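Review bot: The Runtime Configuration list (lines 161-200) documents the default of each MIB but never states what setting one to 0 does; a sentence in the introduction at lines 157-160 saying that a security.mac.enforce_* MIB set to 0 disables that class of checks for every loaded policy, system-wide, is the caveat an administrator reading this page needs before touching them. In the same paragraph, "(that is, all areas are enforced by default)" at line 160 should be limited to the enforce_* MIBs, since security.mac.mmap_revocation and security.mac.mmap_revocation_via_cow are not enforcement toggles (the latter already carries its own "(Default: 0)" at line 199). Style: ".Bl -tag -width "security.mac.mmap_revocation"" at line 161 is narrower than the longest tag in the list, security.mac.mmap_revocation_via_cow, so either use that name as the width or accept that the one entry wraps. Finally, the mmap_revocation_via_cow text at lines 193-199 reads like a neutral option; it is worth spelling out that after a relabel the subject keeps a writable private copy whose changes never reach the vnode, which is a trade-off the administrator should know about before enabling it.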