Lines Matching +full:mac +full:- +full:only
1 .\"-
2 .\" SPDX-License-Identifier: BSD-2-Clause
22 .Bd -ragged -offset indent
23 .Cd "options MAC"
29 .Bd -ragged -offset indent
30 .Cd "options MAC"
35 .Bd -literal -offset indent
43 It supports per-jail configuration.
47 policy module only produces effects to processes spawned from the
57 syntax described below in a top-bottom manner.
60 .Ss Top-Level List of Rules
62 a semi-colon
102 is a comma-separated
104 non-empty list of target clauses:
111 apply and the principle of non-redundancy and non-contradiction in each rule's
125 .Bl -bullet -compact
148 .Ql -
151 characters, and may be non-empty only when
161 only the
174 .Bl -bullet -compact
183 .Ql -
187 .Ql -
188 is only useful in conjunction with a
190 -tagged specification where only one of them has
197 .Ql -
240 .Ss Non-Redundancy and Non-Contradiction in a Ao to Ac Part
245 only if, each time the same ID appears, it does so with a different flag, or no
246 flags only once.
252 .Ql -
267 types, which are both 64-bit unsigned integers.
272 .Bl -tag -width indent
273 .It Va security.mac.do.enabled
278 .It Va security.mac.do.rules
288 .It Va security.mac.do.print_parse_error
290 .Va security.mac.do.rules
296 supports per-jail configuration of rules.
304 .Bl -tag -width indent
305 .It Va mac.do
307 .Bl -tag -width "'disable'" -compact
312 .Va mac.do.rules
325 .It Va mac.do.rules
330 .Va security.mac.do.rules
334 .Va mac.do
349 .Bl -tag -width indent
366 .It Li uid=10001:uid=10002,gid=10002,+gid=.,-gid=10001
382 .Bl -tag -width indent
388 Allows the process to enter GID 10002 as a primary group, but only if
390 .It Li security.mac.do.rules=gid=10001:gid=10002,+gid=.\&
400 .Xr mac 4 ,
409 considers only credentials transitions requested through the
418 However, calls to traditional or standard credentials-changing functions can be
432 Vulnerabilities in such credentials-changing programs can have catastrophic
449 subsequent restarts, such as re-establishing pristine state or ensuring that the