xref: /freebsd/share/man/man4/mac.4 (revision 078a31136c8ce89c23c0fae0b24f98c0bd4d45e6)
1.\" Copyright (c) 2003 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Labs, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\"
19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.Dd July 25, 2023
32.Dt MAC 4
33.Os
34.Sh NAME
35.Nm mac
36.Nd Mandatory Access Control
37.Sh SYNOPSIS
38.Cd "options MAC"
39.Sh DESCRIPTION
40.Ss Introduction
41The Mandatory Access Control, or MAC, framework allows administrators to
42finely control system security by providing for a loadable security policy
43architecture.
44It is important to note that due to its nature, MAC security policies may
45only restrict access relative to one another and the base system policy;
46they cannot override traditional
47.Ux
48security provisions such as file permissions and superuser checks.
49.Pp
50Currently, the following MAC policy modules are shipped with
51.Fx :
52.Bl -column ".Xr mac_seeotheruids 4" "ddb(4) interface restrictions" ".Em Labeling" "boot only"
53.It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time"
54.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only
55.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time
56.It Xr mac_ddb 4 Ta "ddb(4) interface restrictions" Ta no Ta any time
57.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time
58.It Xr mac_ipacl 4 Ta "IP Address access control" Ta no Ta any time
59.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only
60.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only
61.It Xr mac_ntpd 4 Ta "Non-root NTP Daemon policy" Ta no Ta any time
62.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time
63.It Xr mac_portacl 4 Ta "Port bind(2) access control" Ta no Ta any time
64.It Xr mac_priority 4 Ta "Scheduling priority policy" Ta no Ta any time
65.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time
66.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time
67.El
68.Ss MAC Labels
69Each system subject (processes, sockets, etc.) and each system object
70(file system objects, sockets, etc.) can carry with it a MAC label.
71MAC labels contain data in an arbitrary format
72taken into consideration in making access control decisions
73for a given operation.
74Most MAC labels on system subjects and objects
75can be modified directly or indirectly by the system
76administrator.
77The format for a given policy's label may vary depending on the type
78of object or subject being labeled.
79More information on the format for MAC labels can be found in the
80.Xr maclabel 7
81man page.
82.Ss MAC Support for UFS2 File Systems
83By default, file system enforcement of labeled MAC policies relies on
84a single file system label
85(see
86.Sx "MAC Labels" )
87in order to make access control decisions for all the files in a particular
88file system.
89With some policies, this configuration may not allow administrators to take
90full advantage of features.
91In order to enable support for labeling files on an individual basis
92for a particular file system,
93the
94.Dq multilabel
95flag must be enabled on the file system.
96To set the
97.Dq multilabel
98flag, drop to single-user mode and unmount the file system,
99then execute the following command:
100.Pp
101.Dl "tunefs -l enable" Ar filesystem
102.Pp
103where
104.Ar filesystem
105is either the mount point
106(in
107.Xr fstab 5 )
108or the special file
109(in
110.Pa /dev )
111corresponding to the file system on which to enable multilabel support.
112.Ss Policy Enforcement
113Policy enforcement is divided into the following areas of the system:
114.Bl -ohang
115.It Sy "File System"
116File system mounts, modifying directories, modifying files, etc.
117.It Sy KLD
118Loading, unloading, and retrieving statistics on loaded kernel modules
119.It Sy Network
120Network interfaces,
121.Xr bpf 4 ,
122packet delivery and transmission,
123interface configuration
124.Xr ( ioctl 2 ,
125.Xr ifconfig 8 )
126.It Sy Pipes
127Creation of and operation on
128.Xr pipe 2
129objects
130.It Sy Processes
131Debugging
132(e.g.\&
133.Xr ktrace 2 ) ,
134process visibility
135.Pq Xr ps 1 ,
136process execution
137.Pq Xr execve 2 ,
138signalling
139.Pq Xr kill 2
140.It Sy Sockets
141Creation of and operation on
142.Xr socket 2
143objects
144.It Sy System
145Kernel environment
146.Pq Xr kenv 1 ,
147system accounting
148.Pq Xr acct 2 ,
149.Xr reboot 2 ,
150.Xr settimeofday 2 ,
151.Xr swapon 2 ,
152.Xr sysctl 3 ,
153.Xr nfsd 8 Ns
154-related operations
155.It Sy VM
156.Xr mmap 2 Ns
157-ed files
158.El
159.Ss Setting MAC Labels
160From the command line, each type of system object has its own means for setting
161and modifying its MAC policy label.
162.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent
163.It Sy "Subject/Object" Ta Sy "Utility"
164.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8
165.It "Network interface" Ta Xr ifconfig 8
166.It "TTY (by login class)" Ta Xr login.conf 5
167.It "User (by login class)" Ta Xr login.conf 5
168.El
169.Pp
170Additionally, the
171.Xr su 1
172and
173.Xr setpmac 8
174utilities can be used to run a command with a different process label than
175the shell's current label.
176.Ss Programming With MAC
177MAC security enforcement itself is transparent to application
178programs, with the exception that some programs may need to be aware of
179additional
180.Xr errno 2
181returns from various system calls.
182.Pp
183The interface for retrieving, handling, and setting policy labels
184is documented in the
185.Xr mac 3
186man page.
187.\" *** XXX ***
188.\" Support for this feature is poor and should not be encouraged.
189.\"
190.\" .It Va security.mac.mmap_revocation
191.\" Revoke
192.\" .Xr mmap 2
193.\" access to files on subject relabel.
194.\" .It Va security.mac.mmap_revocation_via_cow
195.\" Revoke
196.\" .Xr mmap 2
197.\" access to files via copy-on-write semantics;
198.\" mapped regions will still appear writable, but will no longer
199.\" effect a change on the underlying vnode.
200.\" (Default: 0).
201.Sh SEE ALSO
202.Xr mac 3 ,
203.Xr mac_biba 4 ,
204.Xr mac_bsdextended 4 ,
205.Xr mac_ddb 4 ,
206.Xr mac_ifoff 4 ,
207.Xr mac_ipacl 4 ,
208.Xr mac_lomac 4 ,
209.Xr mac_mls 4 ,
210.Xr mac_none 4 ,
211.Xr mac_ntpd 4 ,
212.Xr mac_partition 4 ,
213.Xr mac_portacl 4 ,
214.Xr mac_priority 4 ,
215.Xr mac_seeotheruids 4 ,
216.Xr mac_stub 4 ,
217.Xr mac_test 4 ,
218.Xr login.conf 5 ,
219.Xr maclabel 7 ,
220.Xr getfmac 8 ,
221.Xr getpmac 8 ,
222.Xr setfmac 8 ,
223.Xr setpmac 8 ,
224.Xr mac 9
225.Rs
226.%B "The FreeBSD Handbook"
227.%T "Mandatory Access Control"
228.%U https://docs.FreeBSD.org/en/books/handbook/mac/
229.Re
230.Sh HISTORY
231The
232.Nm
233implementation first appeared in
234.Fx 5.0
235and was developed by the
236.Tn TrustedBSD
237Project.
238.Sh AUTHORS
239This software was contributed to the
240.Fx
241Project by Network Associates Labs,
242the Security Research Division of Network Associates
243Inc.
244under DARPA/SPAWAR contract N66001-01-C-8035
245.Pq Dq CBOSS ,
246as part of the DARPA CHATS research program.
247.Sh BUGS
248While the MAC Framework design is intended to support the containment of
249the root user, not all attack channels are currently protected by entry
250point checks.
251As such, MAC Framework policies should not be relied on, in isolation,
252to protect against a malicious privileged user.
253