xref: /freebsd/share/man/man4/mac.4 (revision 535af610a4fdace6d50960c0ad9be0597eea7a1b)
.\" Copyright (c) 2003 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project by Chris Costello
.\" at Safeport Network Services and Network Associates Labs, the
.\" Security Research Division of Network Associates, Inc. under
.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
.\" DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 25, 2023
.Dt MAC 4
.Os
.Sh NAME
.Nm mac
.Nd Mandatory Access Control
.Sh SYNOPSIS
.Cd "options MAC"
.Sh DESCRIPTION
.Ss Introduction
The Mandatory Access Control, or MAC, framework allows administrators to
finely control system security by providing for a loadable security policy
architecture.
It is important to note that due to its nature, MAC security policies may
only restrict access relative to one another and the base system policy;
they cannot override traditional
.Ux
security provisions such as file permissions and superuser checks.
.Pp
Currently, the following MAC policy modules are shipped with
.Fx :
.Bl -column ".Xr mac_seeotheruids 4" "ddb(4) interface restrictions" ".Em Labeling" "boot only"
.It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time"
.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only
.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time
.It Xr mac_ddb 4 Ta "ddb(4) interface restrictions" Ta no Ta any time
.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time
.It Xr mac_ipacl 4 Ta "IP Address access control" Ta no Ta any time
.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only
.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only
.It Xr mac_ntpd 4 Ta "Non-root NTP Daemon policy" Ta no Ta any time
.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time
.It Xr mac_portacl 4 Ta "Port bind(2) access control" Ta no Ta any time
.It Xr mac_priority 4 Ta "Scheduling priority policy" Ta no Ta any time
.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time
.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time
.El
.Ss MAC Labels
Each system subject (processes, sockets, etc.) and each system object
(file system objects, sockets, etc.) can carry with it a MAC label.
MAC labels contain data in an arbitrary format
taken into consideration in making access control decisions
for a given operation.
Most MAC labels on system subjects and objects
can be modified directly or indirectly by the system
administrator.
The format for a given policy's label may vary depending on the type
of object or subject being labeled.
More information on the format for MAC labels can be found in the
.Xr maclabel 7
man page.
.Ss MAC Support for UFS2 File Systems
By default, file system enforcement of labeled MAC policies relies on
a single file system label
(see
.Sx "MAC Labels" )
in order to make access control decisions for all the files in a particular
file system.
With some policies, this configuration may not allow administrators to take
full advantage of features.
In order to enable support for labeling files on an individual basis
for a particular file system,
the
.Dq multilabel
flag must be enabled on the file system.
To set the
.Dq multilabel
flag, drop to single-user mode and unmount the file system,
then execute the following command:
.Pp
.Dl "tunefs -l enable" Ar filesystem
.Pp
where
.Ar filesystem
is either the mount point
(in
.Xr fstab 5 )
or the special file
(in
.Pa /dev )
corresponding to the file system on which to enable multilabel support.
.Ss Policy Enforcement
Policy enforcement is divided into the following areas of the system:
.Bl -ohang
.It Sy "File System"
File system mounts, modifying directories, modifying files, etc.
.It Sy KLD
Loading, unloading, and retrieving statistics on loaded kernel modules
.It Sy Network
Network interfaces,
.Xr bpf 4 ,
packet delivery and transmission,
interface configuration
.Xr ( ioctl 2 ,
.Xr ifconfig 8 )
.It Sy Pipes
Creation of and operation on
.Xr pipe 2
objects
.It Sy Processes
Debugging
(e.g.\&
.Xr ktrace 2 ) ,
process visibility
.Pq Xr ps 1 ,
process execution
.Pq Xr execve 2 ,
signalling
.Pq Xr kill 2
.It Sy Sockets
Creation of and operation on
.Xr socket 2
objects
.It Sy System
Kernel environment
.Pq Xr kenv 1 ,
system accounting
.Pq Xr acct 2 ,
.Xr reboot 2 ,
.Xr settimeofday 2 ,
.Xr swapon 2 ,
.Xr sysctl 3 ,
.Xr nfsd 8 Ns
-related operations
.It Sy VM
.Xr mmap 2 Ns
-ed files
.El
.Ss Setting MAC Labels
From the command line, each type of system object has its own means for setting
and modifying its MAC policy label.
.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent
.It Sy "Subject/Object" Ta Sy "Utility"
.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8
.It "Network interface" Ta Xr ifconfig 8
.It "TTY (by login class)" Ta Xr login.conf 5
.It "User (by login class)" Ta Xr login.conf 5
.El
.Pp
Additionally, the
.Xr su 1
and
.Xr setpmac 8
utilities can be used to run a command with a different process label than
the shell's current label.
.Ss Programming With MAC
MAC security enforcement itself is transparent to application
programs, with the exception that some programs may need to be aware of
additional
.Xr errno 2
returns from various system calls.
.Pp
The interface for retrieving, handling, and setting policy labels
is documented in the
.Xr mac 3
man page.
.\" *** XXX ***
.\" Support for this feature is poor and should not be encouraged.
.\"
.\" .It Va security.mac.mmap_revocation
.\" Revoke
.\" .Xr mmap 2
.\" access to files on subject relabel.
.\" .It Va security.mac.mmap_revocation_via_cow
.\" Revoke
.\" .Xr mmap 2
.\" access to files via copy-on-write semantics;
.\" mapped regions will still appear writable, but will no longer
.\" effect a change on the underlying vnode.
.\" (Default: 0).
.Sh SEE ALSO
.Xr mac 3 ,
.Xr mac_biba 4 ,
.Xr mac_bsdextended 4 ,
.Xr mac_ddb 4 ,
.Xr mac_ifoff 4 ,
.Xr mac_ipacl 4 ,
.Xr mac_lomac 4 ,
.Xr mac_mls 4 ,
.Xr mac_none 4 ,
.Xr mac_ntpd 4 ,
.Xr mac_partition 4 ,
.Xr mac_portacl 4 ,
.Xr mac_priority 4 ,
.Xr mac_seeotheruids 4 ,
.Xr mac_stub 4 ,
.Xr mac_test 4 ,
.Xr login.conf 5 ,
.Xr maclabel 7 ,
.Xr getfmac 8 ,
.Xr getpmac 8 ,
.Xr setfmac 8 ,
.Xr setpmac 8 ,
.Xr mac 9
.Rs
.%B "The FreeBSD Handbook"
.%T "Mandatory Access Control"
.%U https://docs.FreeBSD.org/en/books/handbook/mac/
.Re
.Sh HISTORY
The
.Nm
implementation first appeared in
.Fx 5.0
and was developed by the
.Tn TrustedBSD
Project.
.Sh AUTHORS
This software was contributed to the
.Fx
Project by Network Associates Labs,
the Security Research Division of Network Associates
Inc.
under DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.
.Sh BUGS
While the MAC Framework design is intended to support the containment of
the root user, not all attack channels are currently protected by entry
point checks.
As such, MAC Framework policies should not be relied on, in isolation,
to protect against a malicious privileged user.
254to protect against a malicious privileged user.
255