1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 
30.\" 31.\" $FreeBSD$ 32.Dd JANUARY 8, 2003 33.Os 34.Dt MAC 4 35.Sh NAME 36.Nm mac 37.Nd Mandatory Access Control 38.Sh SYNOPSIS 39.Cd "options MAC" 40.Sh DESCRIPTION 41.Ss Introduction 42The Mandatory Access Control, or MAC, framework allows administrators to 43finely control system security by providing for a loadable security policy 44architecture. 45It is important to note that due to its nature, MAC security policies may 46only restrict access relative to one another and the base system policy; 47they cannot override traditional UNIX 48security provisions such as file permissions and superuser checks. 49.Pp 50Currently, the following MAC policy modules are shipped with 51.Fx : 52.Bl -column ".Xr mac_seeotheruids 4" "low-watermark mac policy " ".Em Labeling" "boot only" 53.It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time" 54.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only 55.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time 56.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time 57.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only 58.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only 59.It Xr mac_none 4 Ta "Sample no-op policy" Ta no Ta any time 60.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time 61.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time 62.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time 63.El 64.Ss MAC Labels 65Each system subject (processes, sockets, etc.) and each system object 66(file system objects, sockets, etc.) can carry with it a MAC label. 67MAC labels contain data in an arbitrary format 68taken into consideration in making access control decisions 69for a given operation. 70Most MAC labels on system subjects and objects 71can be modified directly or indirectly by the system 72administrator. 73The format for a given policy's label may vary depending on the type 74of object or subject being labeled. 
More information on the format for MAC labels can be found in the
.Xr maclabel 7
man page.
.Ss MAC Support for UFS2 File Systems
By default, file system enforcement of labeled MAC policies relies on
a single file system label
(see
.Sx "MAC Labels" )
in order to make access control decisions for all the files in a particular
file system.
With some policies, a single label per file system prevents administrators
from using the policy's full feature set.
In order to enable support for labeling files on an individual basis
for a particular file system,
the
.Dq multilabel
flag must be enabled on the file system.
To set the
.Dq multilabel
flag, drop to single-user mode and unmount the file system,
then execute the following command:
.Pp
.Dl "tunefs -l enable" Sy filesystem
.Pp
where
.Sy filesystem
is either the mount point
(in
.Xr fstab 5 )
or the special file
(in
.Pa /dev )
corresponding to the file system on which to enable multilabel support.
.Ss Policy Enforcement
MAC can be configured to enforce only specific portions of
policies
(see
.Sx "Runtime Configuration" ) .
Policy enforcement is divided into the following areas of the system:
.Bl -ohang
.It Sy File System
File system mounts, modifying directories, modifying files, etc.
.It Sy KLD
Loading, unloading, and retrieving statistics on loaded kernel modules
.It Sy Network
Network interfaces,
.Xr bpf 4 ,
packet delivery and transmission,
interface configuration
.Xr ( ioctl 2 ,
.Xr ifconfig 8 )
.It Sy Pipes
Creation of and operation on
.Xr pipe 2
objects
.It Sy Processes
Debugging
(e.g.
.Xr ktrace 2 ) ,
process visibility
.Xr ( ps 1 ) ,
process execution
.Xr ( execve 2 ) ,
signalling
.Xr ( kill 2 )
.It Sy Sockets
Creation of and operation on
.Xr socket 2
objects
.It Sy System
Kernel environment
.Xr ( kenv 1 ) ,
system accounting
.Xr ( acct 2 ) ,
.Xr reboot 2 ,
.Xr settimeofday 2 ,
.Xr swapon 2 ,
.Xr sysctl 3 ,
.Sm off
.Xr nfsd 8 -
related
.Sm on
operations
.It Sy VM
.Sm off
.Xr mmap 2 -
ed
.Sm on
files
.El
.Ss Setting MAC Labels
From the command line, each type of system object has its own means for setting
and modifying its MAC policy label.
.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent
.It Sy "Subject/Object" Ta Sy "Utility"
.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8
.It "Network interface" Ta Xr ifconfig 8
.It "TTY (by login class)" Ta Xr login.conf 5
.It "User (by login class)" Ta Xr login.conf 5
.El
.Pp
Additionally, the
.Xr su 1
and
.Xr setpmac 8
utilities can be used to run a command with a different process label than
the shell's current label.
.Ss Programming With MAC
MAC security enforcement itself is transparent to application
programs, with the exception that some programs may need to be aware of
additional
.Xr errno 2
returns from various system calls.
.Pp
The interface for retrieving, handling, and setting policy labels
is documented in the
.Xr mac 3
man page.
.Ss Runtime Configuration
The following
.Xr sysctl 8
MIBs are available for fine-tuning the enforcement of MAC policies.
Unless specifically noted, all MIBs default to
.Li 1
(that is, all areas are enforced by default):
.Bl -tag -width "security.mac.enforce_network"
.It Va security.mac.enforce_fs
Enforce MAC policies for file system accesses
.It Va security.mac.enforce_kld
Enforce MAC policies on
.Xr kld 4
.It Va security.mac.enforce_network
Enforce MAC policies on network interfaces
.It Va security.mac.enforce_pipe
Enforce MAC policies on pipes
.It Va security.mac.enforce_process
Enforce MAC policies between system processes
(e.g.
.Xr ps 1 ,
.Xr ktrace 2 )
.It Va security.mac.enforce_socket
Enforce MAC policies on sockets
.It Va security.mac.enforce_system
Enforce MAC policies on system-related items
(e.g.
.Xr kenv 1 ,
.Xr acct 2 ,
.Xr reboot 2 )
.It Va security.mac.enforce_vm
Enforce MAC policies on
.Xr mmap 2
and
.Xr mprotect 2
.\" *** XXX ***
.\" Support for this feature is poor and should not be encouraged.
230.\" 231.\" .It Va security.mac.mmap_revocation 232.\" Revoke 233.\" .Xr mmap 2 234.\" access to files on subject relabel 235.\" .It Va security.mac.mmap_revocation_via_cow 236.\" Revoke 237.\" .Xr mmap 2 238.\" access to files via copy-on-write semantics; 239.\" mapped regions will still appear writable, but will no longer 240.\" effect a change on the underlying vnode 241.\" (Default: 0) 242.El 243.Sh SEE ALSO 244.Xr mac 3 , 245.Xr mac_biba 4 , 246.Xr mac_bsdextended 4 , 247.Xr mac_ifoff 4 , 248.Xr mac_lomac 4 , 249.Xr mac_mls 4 , 250.Xr mac_none 4 , 251.Xr mac_partition 4 , 252.Xr mac_seeotheruids 4 , 253.Xr mac_test 4 , 254.Xr login.5 , 255.Xr maclabel 7 , 256.Xr getfmac 8 , 257.Xr setfmac 8 , 258.Xr getpmac 8 , 259.Xr setpmac 8 , 260.Xr mac 9 261.Rs 262.%B "The FreeBSD Handbook" 263.%T "Mandatory Access Control" 264.%O http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html 265.Re 266.Sh HISTORY 267The 268.Nm 269implementation first appeared in 270.Fx 5.0 271and was developed by the TrustedBSD Project. 272.Sh AUTHORS 273This software was contributed to the 274.Fx 275Project by Network Associates Labs, 276the Security Research Division of Network Associates 277Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 278as part of the DARPA CHATS research program. 279.Sh BUGS 280See 281.Xr mac 9 282concerning appropriateness for production use. 283The TrustedBSD MAC Framework is considered experimental in 284.Fx . 285.Pp 286While the MAC Framework design is intended to support the containment of 287the root user, not all attack channels are currently protected by entry 288point checks. 289As such, MAC Framework policies should not be relied on, in isolation, 290to protect against a malicious privileged user. 291