xref: /freebsd/share/man/man4/mac.4 (revision 74bf4e164ba5851606a27d4feff27717452583e5)
.\" Copyright (c) 2003 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project by Chris Costello
.\" at Safeport Network Services and Network Associates Labs, the
.\" Security Research Division of Network Associates, Inc. under
.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
.\" DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd January 8, 2003
.Os
.Dt MAC 4
.Sh NAME
.Nm mac
.Nd Mandatory Access Control
.Sh SYNOPSIS
.Cd "options MAC"
.Sh DESCRIPTION
.Ss Introduction
The Mandatory Access Control, or MAC, framework allows administrators to
finely control system security by providing for a loadable security policy
architecture.
It is important to note that due to its nature, MAC security policies may
only restrict access relative to one another and the base system policy;
they cannot override traditional
.Ux
security provisions such as file permissions and superuser checks.
.Pp
Currently, the following MAC policy modules are shipped with
.Fx :
.Bl -column ".Xr mac_seeotheruids 4" "low-watermark mac policy" ".Em Labeling" "boot only"
.It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time"
.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only
.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time
.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time
.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only
.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only
.It Xr mac_none 4 Ta "Sample no-op policy" Ta no Ta any time
.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time
.It Xr mac_portacl 4 Ta "Port bind(2) access control" Ta no Ta any time
.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time
.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time
.El
.Ss MAC Labels
Each system subject (processes, sockets, etc.) and each system object
(file system objects, sockets, etc.) can carry with it a MAC label.
MAC labels contain data in an arbitrary format
taken into consideration in making access control decisions
for a given operation.
Most MAC labels on system subjects and objects
can be modified directly or indirectly by the system
administrator.
The format for a given policy's label may vary depending on the type
of object or subject being labeled.
More information on the format for MAC labels can be found in the
.Xr maclabel 7
man page.
.Ss MAC Support for UFS2 File Systems
By default, file system enforcement of labeled MAC policies relies on
a single file system label
(see
.Sx "MAC Labels" )
in order to make access control decisions for all the files in a particular
file system.
Because every file on such a file system then shares one label, labeled
policies such as
.Xr mac_biba 4
and
.Xr mac_mls 4
cannot distinguish between those files, and administrators cannot take
full advantage of those policies' features.
In order to enable support for labeling files on an individual basis
for a particular file system,
the
.Dq multilabel
flag must be enabled on the file system.
To set the
.Dq multilabel
flag, drop to single-user mode and unmount the file system,
then execute the following command:
.Pp
.Dl "tunefs -l enable" Ar filesystem
.Pp
where
.Ar filesystem
is either the mount point
(in
.Xr fstab 5 )
or the special file
(in
.Pa /dev )
corresponding to the file system on which to enable multilabel support.
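.Pp
The following shell script is an added example and is not part of this
manual page or of
.Fx
itself.
It wraps the procedure above with the checks an administrator would want:
it refuses to run while the file system is still mounted, and it re-reads
the superblock flags after
.Xr tunefs 8
has run instead of trusting the exit status alone.
It assumes that
.Dq "tunefs -p"
reports a
.Dq "MAC multilabel:"
line, as current
.Xr tunefs 8
does; the script name and the sample outputs embedded in it are
constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of mac(4) or FreeBSD): enable per-file MAC
# labels on a UFS2 file system as described in the text above, with the
# checks an administrator wants before touching the superblock.
#
# Usage (as root, in single-user mode):  sh enable_multilabel.sh /dev/da0s1d
# The parser is exercised on constructed tunefs(8) output so the script
# also runs offline; only enable_multilabel touches a real file system.

# Given the text of "tunefs -p <fs>" on stdin, print "enabled" or
# "disabled" for the MAC multilabel flag, or "unknown" if tunefs did not
# report it (assumption: tunefs prints a "MAC multilabel: (-l) ..." line).
multilabel_state() {
    awk '/MAC multilabel/ { print $NF; found = 1 }
         END { if (!found) print "unknown" }'
}

# Return 0 if the special file ($1 of mount(8) output) or the mount point
# ($3) named in $1 is currently mounted.
is_mounted() {
    mount | awk -v fs="$1" '$1 == fs || $3 == fs { hit = 1 } END { exit !hit }'
}

enable_multilabel() {
    fs=$1
    if is_mounted "$fs"; then
        echo "$fs is mounted; unmount it first (tunefs needs a quiescent file system)" >&2
        return 1
    fi
    state=$(tunefs -p "$fs" 2>&1 | multilabel_state)
    if [ "$state" = "enabled" ]; then
        echo "multilabel already enabled on $fs"
        return 0
    fi
    tunefs -l enable "$fs" || return 1
    # Re-read the superblock flags rather than trusting the exit status.
    state=$(tunefs -p "$fs" 2>&1 | multilabel_state)
    if [ "$state" != "enabled" ]; then
        echo "multilabel still $state on $fs" >&2
        return 1
    fi
    echo "multilabel enabled on $fs; remount it and label files with setfmac(8)"
}

# Constructed sample of "tunefs -p" output (not captured from a real host).
SAMPLE_TUNEFS='tunefs: ACLs: (-a)                                         disabled
tunefs: MAC multilabel: (-l)                               disabled
tunefs: soft updates: (-n)                                 enabled'

printf '%s\n' "$SAMPLE_TUNEFS" | multilabel_state    # prints: disabled

# Only act on a real file system when one is named on the command line.
if [ $# -ge 1 ]; then
    enable_multilabel "$1"
fi
```
.Pp
Run without arguments the script only parses the embedded sample; given a
special file or mount point it performs the real change.
The mounted-file-system check matters because
.Xr tunefs 8
rewrites the superblock, and the post-change re-read catches the case
where the flag was not actually set.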
.Ss Policy Enforcement
MAC can be configured to enforce only specific portions of
policies
(see
.Sx "Runtime Configuration" ) .
Policy enforcement is divided into the following areas of the system:
.Bl -ohang
.It Sy "File System"
File system mounts, modifying directories, modifying files, etc.
.It Sy KLD
Loading, unloading, and retrieving statistics on loaded kernel modules
.It Sy Network
Network interfaces,
.Xr bpf 4 ,
packet delivery and transmission,
interface configuration
.Xr ( ioctl 2 ,
.Xr ifconfig 8 )
.It Sy Pipes
Creation of and operation on
.Xr pipe 2
objects
.It Sy Processes
Debugging
(e.g.\&
.Xr ktrace 2 ) ,
process visibility
.Pq Xr ps 1 ,
process execution
.Pq Xr execve 2 ,
signalling
.Pq Xr kill 2
.It Sy Sockets
Creation of and operation on
.Xr socket 2
objects
.It Sy System
Kernel environment
.Pq Xr kenv 1 ,
system accounting
.Pq Xr acct 2 ,
.Xr reboot 2 ,
.Xr settimeofday 2 ,
.Xr swapon 2 ,
.Xr sysctl 3 ,
.Xr nfsd 8 Ns
-related operations
.It Sy VM
.Xr mmap 2 Ns
-ed files
.El
.Ss Setting MAC Labels
From the command line, each type of system object has its own means for setting
and modifying its MAC policy label.
.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent
.It Sy "Subject/Object" Ta Sy "Utility"
.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8
.It "Network interface" Ta Xr ifconfig 8
.It "TTY (by login class)" Ta Xr login.conf 5
.It "User (by login class)" Ta Xr login.conf 5
.El
.Pp
Additionally, the
.Xr su 1
and
.Xr setpmac 8
utilities can be used to run a command with a different process label than
the shell's current label.
.Ss Programming With MAC
MAC security enforcement itself is transparent to application
programs, with the exception that some programs may need to be aware of
additional
.Xr errno 2
returns from various system calls.
.Pp
The interface for retrieving, handling, and setting policy labels
is documented in the
.Xr mac 3
man page.
.Ss Runtime Configuration
The following
.Xr sysctl 8
MIBs are available for fine-tuning the enforcement of MAC policies.
Unless specifically noted, all MIBs default to 1
(that is, all areas are enforced by default):
.Bl -tag -width ".Va security.mac.enforce_network"
.It Va security.mac.enforce_fs
Enforce MAC policies for file system accesses.
.It Va security.mac.enforce_kld
Enforce MAC policies on
.Xr kld 4 .
.It Va security.mac.enforce_network
Enforce MAC policies on network interfaces.
.It Va security.mac.enforce_pipe
Enforce MAC policies on pipes.
.It Va security.mac.enforce_process
Enforce MAC policies between system processes
(e.g.\&
.Xr ps 1 ,
.Xr ktrace 2 ) .
.It Va security.mac.enforce_socket
Enforce MAC policies on sockets.
.It Va security.mac.enforce_system
Enforce MAC policies on system-related items
(e.g.\&
.Xr kenv 1 ,
.Xr acct 2 ,
.Xr reboot 2 ) .
.It Va security.mac.enforce_vm
Enforce MAC policies on
.Xr mmap 2
and
.Xr mprotect 2 .
.\" *** XXX ***
.\" Support for this feature is poor and should not be encouraged.
.\"
.\" .It Va security.mac.mmap_revocation
.\" Revoke
.\" .Xr mmap 2
.\" access to files on subject relabel.
.\" .It Va security.mac.mmap_revocation_via_cow
.\" Revoke
.\" .Xr mmap 2
.\" access to files via copy-on-write semantics;
.\" mapped regions will still appear writable, but will no longer
.\" effect a change on the underlying vnode.
.\" (Default: 0).
.El
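.Pp
Because each of the MIBs above silently removes a whole area from
enforcement when set to 0, an administrator will want to confirm that
none has been switched off.
The following shell function is an added example, not part of this manual
page or of
.Fx
itself: it reads
.Dq "sysctl security.mac"
output, reports every
.Va security.mac.enforce_*
MIB whose value is not 1, and fails if any area is disabled.
The sample sysctl output embedded in it is constructed so that the script
also runs offline; on a
.Fx
host pipe the live output of
.Xr sysctl 8
into it instead.

```shell
#!/bin/sh
# Added example (not part of mac(4) or FreeBSD): audit the
# security.mac.enforce_* MIBs and report any enforcement area that has
# been switched off.
#
# Live use on a FreeBSD host:   sysctl security.mac | mac_enforce_audit
# The sample below is constructed so the script also runs offline.

# Read "name: value" lines on stdin, print every security.mac.enforce_*
# MIB whose value is not 1, and return 1 if any area is disabled
# (0 if every enforcement area is on).  Other MIBs are ignored.
mac_enforce_audit() {
    disabled=0
    while IFS= read -r line; do
        case "$line" in
            security.mac.enforce_*:*) ;;
            *) continue ;;
        esac
        name=${line%%:*}
        value=$(printf '%s' "${line#*:}" | tr -d ' \t')
        if [ "$value" != "1" ]; then
            printf 'WARNING: %s=%s (enforcement off)\n' "$name" "$value"
            disabled=1
        fi
    done
    return "$disabled"
}

# Constructed sample of "sysctl security.mac" output (not captured from a
# real host): enforcement of the VM area has been turned off, and one
# unrelated MIB is included to show that it is skipped.
SAMPLE_SYSCTL='security.mac.enforce_fs: 1
security.mac.enforce_kld: 1
security.mac.enforce_network: 1
security.mac.enforce_pipe: 1
security.mac.enforce_process: 1
security.mac.enforce_socket: 1
security.mac.enforce_system: 1
security.mac.enforce_vm: 0
kern.ostype: FreeBSD'

if printf '%s\n' "$SAMPLE_SYSCTL" | mac_enforce_audit; then
    echo "all MAC enforcement areas are on"
else
    echo "one or more MAC enforcement areas are off; see warnings above"
fi
```
.Pp
The function only inspects the framework-wide switches; a policy module
that is not loaded, or that has its own enforcement knobs, is not covered
by this check.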
.Sh SEE ALSO
.Xr mac 3 ,
.Xr mac_biba 4 ,
.Xr mac_bsdextended 4 ,
.Xr mac_ifoff 4 ,
.Xr mac_lomac 4 ,
.Xr mac_mls 4 ,
.Xr mac_none 4 ,
.Xr mac_partition 4 ,
.Xr mac_portacl 4 ,
.Xr mac_seeotheruids 4 ,
.Xr mac_test 4 ,
.Xr login.conf 5 ,
.Xr maclabel 7 ,
.Xr getfmac 8 ,
.Xr getpmac 8 ,
.Xr setfmac 8 ,
.Xr setpmac 8 ,
.Xr mac 9
.Rs
.%B "The FreeBSD Handbook"
.%T "Mandatory Access Control"
.%O http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
.Re
.Sh HISTORY
The
.Nm
implementation first appeared in
.Fx 5.0
and was developed by the
.Tn TrustedBSD
Project.
.Sh AUTHORS
This software was contributed to the
.Fx
Project by Network Associates Labs,
the Security Research Division of Network Associates
Inc.
under DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.
.Sh BUGS
See
.Xr mac 9
concerning appropriateness for production use.
The
.Tn TrustedBSD
MAC Framework is considered experimental in
.Fx .
.Pp
While the MAC Framework design is intended to support the containment of
the root user, not all attack channels are currently protected by entry
point checks.
As such, MAC Framework policies should not be relied on, in isolation,
to protect against a malicious privileged user.
294