1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.\" $FreeBSD$ 32.Dd JANUARY 8, 2003 33.Os 34.Dt MAC 4 35.Sh NAME 36.Nm mac 37.Nd Mandatory Access Control 38.Sh SYNOPSIS 39.Cd "options MAC" 40.Sh DESCRIPTION 41.Ss Introduction 42The Mandatory Access Control, or MAC, framework allows administrators to 43finely control system security by providing for a loadable security policy 44architecture. 45It is important to note that due to its nature, MAC security policies may 46only restrict access relative to one another and the base system policy; 47they cannot override traditional UNIX 48security provisions such as file permissions and superuser checks. 49.Pp 50Currently, the following MAC policy modules are shipped with 51.Fx : 52.Bl -column ".Xr mac_seeotheruids 4" "low-watermark mac policy " ".Em Labeling" "boot only" 53.It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time" 54.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only 55.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time 56.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time 57.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only 58.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only 59.It Xr mac_none 4 Ta "Sample no-op policy" Ta no Ta any time 60.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time 61.It Xr mac_portacl 4 Ta "Port bind(2) access control" Ta no Ta any time 62.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time 63.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time 64.El 65.Ss MAC Labels 66Each system subject (processes, sockets, etc.) and each system object 67(file system objects, sockets, etc.) can carry with it a MAC label. 68MAC labels contain data in an arbitrary format 69taken into consideration in making access control decisions 70for a given operation. 71Most MAC labels on system subjects and objects 72can be modified directly or indirectly by the system 73administrator. 74The format for a given policy's label may vary depending on the type 75of object or subject being labeled. 76More information on the format for MAC labels can be found in the 77.Xr maclabel 7 78man page. 79.Ss MAC Support for UFS2 File Systems 80By default, file system enforcement of labeled MAC policies relies on 81a single file system label 82(see 83.Sx "MAC Labels" ) 84in order to make access control decisions for all the files in a particular 85file system. 86With some policies, this configuration may not allow administrators to take 87full advantage of features. 88In order to enable support for labeling files on an individual basis 89for a particular file system, 90the 91.Dq multilabel 92flag must be enabled on the file system. 93To set the 94.Dq multilabel 95flag, drop to single-user mode and unmount the file system, 96then execute the following command: 97.Pp 98.Dl "tunefs -l enable" Sy filesystem 99.Pp 100where 101.Sy filesystem 102is either the mount point 103(in 104.Xr fstab 5 ) 105or the special file 106(in 107.Pa /dev ) 108corresponding to the file system on which to enable multilabel support. 109.Ss Policy Enforcement 110MAC can be configured to enforce only specific portions of 111policies 112(see 113.Sx "Runtime Configuration" ) . 114Policy enforcement is divided into the following areas of the system: 115.Bl -ohang 116.It Sy File System 117File system mounts, modifying directories, modifying files, etc. 118.It Sy KLD 119Loading, unloading, and retrieving statistics on loaded kernel modules 120.It Sy Network 121Network interfaces, 122.Xr bpf 4 , 123packet delivery and transmission, 124interface configuration 125.Xr ( ioctl 2 , 126.Xr ifconfig 8 ) 127.It Sy Pipes 128Creation of and operation on 129.Xr pipe 2 130objects 131.It Sy Processes 132Debugging 133(e.g. 134.Xr ktrace 2 ) , 135process visibility 136.Xr ( ps 1 ) , 137process execution 138.Xr ( execve 2 ) , 139signalling 140.Xr ( kill 2 ) 141.It Sy Sockets 142Creation of and operation on 143.Xr socket 2 144objects 145.It Sy System 146Kernel environment 147.Xr ( kenv 1 ) , 148system accounting 149.Xr ( acct 2 ) , 150.Xr reboot 2 , 151.Xr settimeofday 2 , 152.Xr swapon 2 , 153.Xr sysctl 3 , 154.Sm off 155.Xr nfsd 8 - 156related 157.Sm on 158operations 159.It Sy VM 160.Sm off 161.Xr mmap 2 - 162ed 163.Sm on 164files 165.El 166.Ss Setting MAC Labels 167From the command line, each type of system object has its own means for setting 168and modifying its MAC policy label. 169.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent 170.It Sy "Subject/Object" Ta Sy "Utility" 171.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8 172.It "Network interface" Ta Xr ifconfig 8 173.It "TTY (by login class)" Ta Xr login.conf 5 174.It "User (by login class)" Ta Xr login.conf 5 175.El 176.Pp 177Additionally, the 178.Xr su 1 179and 180.Xr setpmac 8 181utilities can be used to run a command with a different process label than 182the shell's current label. 183.Ss Programming With MAC 184MAC security enforcement itself is transparent to application 185programs, with the exception that some programs may need to be aware of 186additional 187.Xr errno 2 188returns from various system calls. 189.Pp 190The interface for retrieving, handling, and setting policy labels 191is documented in the 192.Xr mac 3 193man page. 194.Ss Runtime Configuration 195The following 196.Xr sysctl 8 197MIBs are available for fine-tuning the enforcement of MAC policies. 198Unless specifically noted, all MIBs default to 199.Li 1 200(that is, all areas are enforced by default): 201.Bl -tag -width "security.mac.enforce_network" 202.It Va security.mac.enforce_fs 203Enforce MAC policies for file system accesses 204.It Va security.mac.enforce_kld 205Enforce MAC policies on 206.Xr kld 4 207.It Va security.mac.enforce_network 208Enforce MAC policies on network interfaces 209.It Va security.mac.enforce_pipe 210Enforce MAC policies on pipes 211.It Va security.mac.enforce_process 212Enforce MAC policies between system processes 213(e.g. 214.Xr ps 1 , 215.Xr ktrace 2 ) 216.It Va security.mac.enforce_socket 217Enforce MAC policies on sockets 218.It Va security.mac.enforce_system 219Enforce MAC policies on system-related items 220(e.g. 221.Xr kenv 1 , 222.Xr acct 2 , 223.Xr reboot 2 ) 224.It Va security.mac.enforce_vm 225Enforce MAC policies on 226.Xr mmap 2 227and 228.Xr mprotect 2 229.\" *** XXX *** 230.\" Support for this feature is poor and should not be encouraged. 231.\" 232.\" .It Va security.mac.mmap_revocation 233.\" Revoke 234.\" .Xr mmap 2 235.\" access to files on subject relabel 236.\" .It Va security.mac.mmap_revocation_via_cow 237.\" Revoke 238.\" .Xr mmap 2 239.\" access to files via copy-on-write semantics; 240.\" mapped regions will still appear writable, but will no longer 241.\" effect a change on the underlying vnode 242.\" (Default: 0) 243.El 244.Sh SEE ALSO 245.Xr mac 3 , 246.Xr mac_biba 4 , 247.Xr mac_bsdextended 4 , 248.Xr mac_ifoff 4 , 249.Xr mac_lomac 4 , 250.Xr mac_mls 4 , 251.Xr mac_none 4 , 252.Xr mac_partition 4 , 253.Xr mac_portacl 4 , 254.Xr mac_seeotheruids 4 , 255.Xr mac_test 4 , 256.Xr login.5 , 257.Xr maclabel 7 , 258.Xr getfmac 8 , 259.Xr setfmac 8 , 260.Xr getpmac 8 , 261.Xr setpmac 8 , 262.Xr mac 9 263.Rs 264.%B "The FreeBSD Handbook" 265.%T "Mandatory Access Control" 266.%O http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html 267.Re 268.Sh HISTORY 269The 270.Nm 271implementation first appeared in 272.Fx 5.0 273and was developed by the TrustedBSD Project. 274.Sh AUTHORS 275This software was contributed to the 276.Fx 277Project by Network Associates Labs, 278the Security Research Division of Network Associates 279Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 280as part of the DARPA CHATS research program. 281.Sh BUGS 282See 283.Xr mac 9 284concerning appropriateness for production use. 285The TrustedBSD MAC Framework is considered experimental in 286.Fx . 287.Pp 288While the MAC Framework design is intended to support the containment of 289the root user, not all attack channels are currently protected by entry 290point checks. 291As such, MAC Framework policies should not be relied on, in isolation, 292to protect against a malicious privileged user. 293