1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.Dd July 25, 2023 32.Dt MAC 4 33.Os 34.Sh NAME 35.Nm mac 36.Nd Mandatory Access Control 37.Sh SYNOPSIS 38.Cd "options MAC" 39.Sh DESCRIPTION 40.Ss Introduction 41The Mandatory Access Control, or MAC, framework allows administrators to 42finely control system security by providing for a loadable security policy 43architecture. 44It is important to note that due to its nature, MAC security policies may 45only restrict access relative to one another and the base system policy; 46they cannot override traditional 47.Ux 48security provisions such as file permissions and superuser checks. 49.Pp 50Currently, the following MAC policy modules are shipped with 51.Fx : 52.Bl -column ".Xr mac_seeotheruids 4" "ddb(4) interface restrictions" ".Em Labeling" "boot only" 53.It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time" 54.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only 55.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time 56.It Xr mac_ddb 4 Ta "ddb(4) interface restrictions" Ta no Ta any time 57.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time 58.It Xr mac_ipacl 4 Ta "IP Address access control" Ta no Ta any time 59.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only 60.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only 61.It Xr mac_ntpd 4 Ta "Non-root NTP Daemon policy" Ta no Ta any time 62.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time 63.It Xr mac_portacl 4 Ta "Port bind(2) access control" Ta no Ta any time 64.It Xr mac_priority 4 Ta "Scheduling priority policy" Ta no Ta any time 65.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time 66.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time 67.El 68.Ss MAC Labels 69Each system subject (processes, sockets, etc.) and each system object 70(file system objects, sockets, etc.) can carry with it a MAC label. 71MAC labels contain data in an arbitrary format 72taken into consideration in making access control decisions 73for a given operation. 74Most MAC labels on system subjects and objects 75can be modified directly or indirectly by the system 76administrator. 77The format for a given policy's label may vary depending on the type 78of object or subject being labeled. 79More information on the format for MAC labels can be found in the 80.Xr maclabel 7 81man page. 82.Ss MAC Support for UFS2 File Systems 83By default, file system enforcement of labeled MAC policies relies on 84a single file system label 85(see 86.Sx "MAC Labels" ) 87in order to make access control decisions for all the files in a particular 88file system. 89With some policies, this configuration may not allow administrators to take 90full advantage of features. 91In order to enable support for labeling files on an individual basis 92for a particular file system, 93the 94.Dq multilabel 95flag must be enabled on the file system. 96To set the 97.Dq multilabel 98flag, drop to single-user mode and unmount the file system, 99then execute the following command: 100.Pp 101.Dl "tunefs -l enable" Ar filesystem 102.Pp 103where 104.Ar filesystem 105is either the mount point 106(in 107.Xr fstab 5 ) 108or the special file 109(in 110.Pa /dev ) 111corresponding to the file system on which to enable multilabel support. 112.Ss Policy Enforcement 113Policy enforcement is divided into the following areas of the system: 114.Bl -ohang 115.It Sy "File System" 116File system mounts, modifying directories, modifying files, etc. 117.It Sy KLD 118Loading, unloading, and retrieving statistics on loaded kernel modules 119.It Sy Network 120Network interfaces, 121.Xr bpf 4 , 122packet delivery and transmission, 123interface configuration 124.Xr ( ioctl 2 , 125.Xr ifconfig 8 ) 126.It Sy Pipes 127Creation of and operation on 128.Xr pipe 2 129objects 130.It Sy Processes 131Debugging 132(e.g.\& 133.Xr ktrace 2 ) , 134process visibility 135.Pq Xr ps 1 , 136process execution 137.Pq Xr execve 2 , 138signalling 139.Pq Xr kill 2 140.It Sy Sockets 141Creation of and operation on 142.Xr socket 2 143objects 144.It Sy System 145Kernel environment 146.Pq Xr kenv 1 , 147system accounting 148.Pq Xr acct 2 , 149.Xr reboot 2 , 150.Xr settimeofday 2 , 151.Xr swapon 2 , 152.Xr sysctl 3 , 153.Xr nfsd 8 Ns 154-related operations 155.It Sy VM 156.Xr mmap 2 Ns 157-ed files 158.El 159.Ss Setting MAC Labels 160From the command line, each type of system object has its own means for setting 161and modifying its MAC policy label. 162.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent 163.It Sy "Subject/Object" Ta Sy "Utility" 164.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8 165.It "Network interface" Ta Xr ifconfig 8 166.It "TTY (by login class)" Ta Xr login.conf 5 167.It "User (by login class)" Ta Xr login.conf 5 168.El 169.Pp 170Additionally, the 171.Xr su 1 172and 173.Xr setpmac 8 174utilities can be used to run a command with a different process label than 175the shell's current label. 176.Ss Programming With MAC 177MAC security enforcement itself is transparent to application 178programs, with the exception that some programs may need to be aware of 179additional 180.Xr errno 2 181returns from various system calls. 182.Pp 183The interface for retrieving, handling, and setting policy labels 184is documented in the 185.Xr mac 3 186man page. 187.\" *** XXX *** 188.\" Support for this feature is poor and should not be encouraged. 189.\" 190.\" .It Va security.mac.mmap_revocation 191.\" Revoke 192.\" .Xr mmap 2 193.\" access to files on subject relabel. 194.\" .It Va security.mac.mmap_revocation_via_cow 195.\" Revoke 196.\" .Xr mmap 2 197.\" access to files via copy-on-write semantics; 198.\" mapped regions will still appear writable, but will no longer 199.\" effect a change on the underlying vnode. 200.\" (Default: 0). 201.Sh SEE ALSO 202.Xr mac 3 , 203.Xr mac_biba 4 , 204.Xr mac_bsdextended 4 , 205.Xr mac_ddb 4 , 206.Xr mac_ifoff 4 , 207.Xr mac_ipacl 4 , 208.Xr mac_lomac 4 , 209.Xr mac_mls 4 , 210.Xr mac_none 4 , 211.Xr mac_ntpd 4 , 212.Xr mac_partition 4 , 213.Xr mac_portacl 4 , 214.Xr mac_priority 4 , 215.Xr mac_seeotheruids 4 , 216.Xr mac_stub 4 , 217.Xr mac_test 4 , 218.Xr login.conf 5 , 219.Xr maclabel 7 , 220.Xr getfmac 8 , 221.Xr getpmac 8 , 222.Xr setfmac 8 , 223.Xr setpmac 8 , 224.Xr mac 9 225.Rs 226.%B "The FreeBSD Handbook" 227.%T "Mandatory Access Control" 228.%U https://docs.FreeBSD.org/en/books/handbook/mac/ 229.Re 230.Sh HISTORY 231The 232.Nm 233implementation first appeared in 234.Fx 5.0 235and was developed by the 236.Tn TrustedBSD 237Project. 238.Sh AUTHORS 239This software was contributed to the 240.Fx 241Project by Network Associates Labs, 242the Security Research Division of Network Associates 243Inc. 244under DARPA/SPAWAR contract N66001-01-C-8035 245.Pq Dq CBOSS , 246as part of the DARPA CHATS research program. 247.Sh BUGS 248While the MAC Framework design is intended to support the containment of 249the root user, not all attack channels are currently protected by entry 250point checks. 251As such, MAC Framework policies should not be relied on, in isolation, 252to protect against a malicious privileged user. 253