1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 
30.\" 31.\" $FreeBSD$ 32.\" 33.Dd July 25, 2023 34.Dt MAC 4 35.Os 36.Sh NAME 37.Nm mac 38.Nd Mandatory Access Control 39.Sh SYNOPSIS 40.Cd "options MAC" 41.Sh DESCRIPTION 42.Ss Introduction 43The Mandatory Access Control, or MAC, framework allows administrators to 44finely control system security by providing for a loadable security policy 45architecture. 46It is important to note that due to its nature, MAC security policies may 47only restrict access relative to one another and the base system policy; 48they cannot override traditional 49.Ux 50security provisions such as file permissions and superuser checks. 51.Pp 52Currently, the following MAC policy modules are shipped with 53.Fx : 54.Bl -column ".Xr mac_seeotheruids 4" "ddb(4) interface restrictions" ".Em Labeling" "boot only" 55.It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time" 56.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only 57.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time 58.It Xr mac_ddb 4 Ta "ddb(4) interface restrictions" Ta no Ta any time 59.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time 60.It Xr mac_ipacl 4 Ta "IP Address access control" Ta no Ta any time 61.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only 62.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only 63.It Xr mac_ntpd 4 Ta "Non-root NTP Daemon policy" Ta no Ta any time 64.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time 65.It Xr mac_portacl 4 Ta "Port bind(2) access control" Ta no Ta any time 66.It Xr mac_priority 4 Ta "Scheduling priority policy" Ta no Ta any time 67.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time 68.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time 69.El 70.Ss MAC Labels 71Each system subject (processes, sockets, etc.) and each system object 72(file system objects, sockets, etc.) can carry with it a MAC label. 
MAC labels contain policy-specific data, in a format chosen by each policy,
that is taken into consideration in making access control decisions
for a given operation.
Most MAC labels on system subjects and objects
can be modified directly or indirectly by the system
administrator.
The format for a given policy's label may vary depending on the type
of object or subject being labeled.
More information on the format for MAC labels can be found in the
.Xr maclabel 7
man page.
.Ss MAC Support for UFS2 File Systems
By default, file system enforcement of labeled MAC policies relies on
a single file system label
(see
.Sx "MAC Labels" )
in order to make access control decisions for all the files in a particular
file system.
With some policies, a single per-file-system label does not allow
administrators to take full advantage of the policy's features.
In order to enable support for labeling files on an individual basis
for a particular file system,
the
.Dq multilabel
flag must be enabled on the file system.
To set the
.Dq multilabel
flag, drop to single-user mode and unmount the file system,
then execute the following command:
.Pp
.Dl "tunefs -l enable" Ar filesystem
.Pp
where
.Ar filesystem
is either the mount point
(in
.Xr fstab 5 )
or the special file
(in
.Pa /dev )
corresponding to the file system on which to enable multilabel support.
.Ss Policy Enforcement
Policy enforcement is divided into the following areas of the system:
.Bl -ohang
.It Sy "File System"
File system mounts, modifying directories, modifying files, etc.
.It Sy KLD
Loading, unloading, and retrieving statistics on loaded kernel modules
.It Sy Network
Network interfaces,
.Xr bpf 4 ,
packet delivery and transmission,
interface configuration
.Xr ( ioctl 2 ,
.Xr ifconfig 8 )
.It Sy Pipes
Creation of and operation on
.Xr pipe 2
objects
.It Sy Processes
Debugging
(e.g.\&
.Xr ktrace 2 ) ,
process visibility
.Pq Xr ps 1 ,
process execution
.Pq Xr execve 2 ,
signalling
.Pq Xr kill 2
.It Sy Sockets
Creation of and operation on
.Xr socket 2
objects
.It Sy System
Kernel environment
.Pq Xr kenv 1 ,
system accounting
.Pq Xr acct 2 ,
.Xr reboot 2 ,
.Xr settimeofday 2 ,
.Xr swapon 2 ,
.Xr sysctl 3 ,
.Xr nfsd 8 Ns
-related operations
.It Sy VM
.Xr mmap 2 Ns
-ed files
.El
.Ss Setting MAC Labels
From the command line, each type of system object has its own means for setting
and modifying its MAC policy label.
.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent
.It Sy "Subject/Object" Ta Sy "Utility"
.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8
.It "Network interface" Ta Xr ifconfig 8
.It "TTY (by login class)" Ta Xr login.conf 5
.It "User (by login class)" Ta Xr login.conf 5
.El
.Pp
Additionally, the
.Xr su 1
and
.Xr setpmac 8
utilities can be used to run a command with a different process label than
the shell's current label.
.Ss Programming With MAC
MAC security enforcement itself is transparent to application
programs, with the exception that some programs may need to be aware of
additional
.Xr errno 2
returns from various system calls.
.Pp
The interface for retrieving, handling, and setting policy labels
is documented in the
.Xr mac 3
man page.
.\" *** XXX ***
.\" Support for this feature is poor and should not be encouraged.
191.\" 192.\" .It Va security.mac.mmap_revocation 193.\" Revoke 194.\" .Xr mmap 2 195.\" access to files on subject relabel. 196.\" .It Va security.mac.mmap_revocation_via_cow 197.\" Revoke 198.\" .Xr mmap 2 199.\" access to files via copy-on-write semantics; 200.\" mapped regions will still appear writable, but will no longer 201.\" effect a change on the underlying vnode. 202.\" (Default: 0). 203.Sh SEE ALSO 204.Xr mac 3 , 205.Xr mac_biba 4 , 206.Xr mac_bsdextended 4 , 207.Xr mac_ddb 4 , 208.Xr mac_ifoff 4 , 209.Xr mac_ipacl 4 , 210.Xr mac_lomac 4 , 211.Xr mac_mls 4 , 212.Xr mac_none 4 , 213.Xr mac_ntpd 4 , 214.Xr mac_partition 4 , 215.Xr mac_portacl 4 , 216.Xr mac_priority 4 , 217.Xr mac_seeotheruids 4 , 218.Xr mac_stub 4 , 219.Xr mac_test 4 , 220.Xr login.conf 5 , 221.Xr maclabel 7 , 222.Xr getfmac 8 , 223.Xr getpmac 8 , 224.Xr setfmac 8 , 225.Xr setpmac 8 , 226.Xr mac 9 227.Rs 228.%B "The FreeBSD Handbook" 229.%T "Mandatory Access Control" 230.%U https://docs.FreeBSD.org/en/books/handbook/mac/ 231.Re 232.Sh HISTORY 233The 234.Nm 235implementation first appeared in 236.Fx 5.0 237and was developed by the 238.Tn TrustedBSD 239Project. 240.Sh AUTHORS 241This software was contributed to the 242.Fx 243Project by Network Associates Labs, 244the Security Research Division of Network Associates 245Inc. 246under DARPA/SPAWAR contract N66001-01-C-8035 247.Pq Dq CBOSS , 248as part of the DARPA CHATS research program. 249.Sh BUGS 250While the MAC Framework design is intended to support the containment of 251the root user, not all attack channels are currently protected by entry 252point checks. 253As such, MAC Framework policies should not be relied on, in isolation, 254to protect against a malicious privileged user. 255