1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.Dd October 11, 2024 32.Dt MAC_BSDEXTENDED 4 33.Os 34.Sh NAME 35.Nm mac_bsdextended 36.Nd "file system firewall policy" 37.Sh SYNOPSIS 38To compile the file system firewall policy into your kernel, 39place the following lines in your kernel configuration file: 40.Bd -ragged -offset indent 41.Cd "options MAC" 42.Cd "options MAC_BSDEXTENDED" 43.Ed 44.Pp 45Alternately, to load the file system firewall policy module at boot time, 46place the following line in your kernel configuration file: 47.Bd -ragged -offset indent 48.Cd "options MAC" 49.Ed 50.Pp 51and in 52.Xr loader.conf 5 : 53.Bd -literal -offset indent 54mac_bsdextended_load="YES" 55.Ed 56.Sh DESCRIPTION 57The 58.Nm 59security policy module provides an interface for the system administrator 60to impose mandatory rules regarding users and some system objects. 61Rules are uploaded to the module 62(typically using 63.Xr ugidfw 8 , 64or some other tool utilizing 65.Xr libugidfw 3 ) 66where they are stored internally 67and used to determine whether to allow or deny specific accesses 68(see 69.Xr ugidfw 8 ) . 70.Sh IMPLEMENTATION NOTES 71While the traditional 72.Xr mac 9 73entry points are implemented, 74policy labels are not used; 75instead, access control decisions are made by iterating through the internal 76list of rules until a rule 77which denies the particular access 78is found, 79or the end of the list is reached. 80The 81.Nm 82policy works similar to 83.Xr ipfw 8 84or by using a 85.Em first match semantic . 86This means that not all rules are applied, 87only the first matched rule; thus if 88Rule A allows access and Rule B blocks 89access, Rule B will never be applied. 90.Sh SYSCTL VARIABLES 91The following sysctls may be used to tweak the behavior of 92.Nm : 93.Bl -tag -width indent 94.It Va security.mac.bsdextended.enabled 95Set to zero or one to toggle the policy off or on. 96.It Va security.mac.bsdextended.rule_count 97List the number of defined rules, the maximum rule count is 98current set at 256. 99.It Va security.mac.bsdextended.rule_slots 100List the number of rule slots currently being used. 101.It Va security.mac.bsdextended.firstmatch_enabled 102Toggle between the old all rules match functionality 103and the new first rule matches functionality. 104This is enabled by default. 105.It Va security.mac.bsdextended.logging 106Log all access violations via the 107.Dv AUTHPRIV 108.Xr syslog 3 109facility. 110.It Va security.mac.bsdextended.rules 111Currently does nothing interesting. 112.El 113.Sh SEE ALSO 114.Xr libugidfw 3 , 115.Xr syslog 3 , 116.Xr mac 4 , 117.Xr mac_biba 4 , 118.Xr mac_ddb 4 , 119.Xr mac_ifoff 4 , 120.Xr mac_lomac 4 , 121.Xr mac_mls 4 , 122.Xr mac_none 4 , 123.Xr mac_partition 4 , 124.Xr mac_portacl 4 , 125.Xr mac_seeotheruids 4 , 126.Xr mac_test 4 , 127.Xr ipfw 8 , 128.Xr ugidfw 8 , 129.Xr mac 9 130.Sh HISTORY 131The 132.Nm 133policy module first appeared in 134.Fx 5.0 135and was developed by the 136.Tn TrustedBSD 137Project. 138.Pp 139The "match first case" and logging capabilities were later added by 140.An Tom Rhodes Aq Mt trhodes@FreeBSD.org . 141.Sh AUTHORS 142This software was contributed to the 143.Fx 144Project by NAI Labs, the Security Research Division of Network Associates 145Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 146.Pq Dq CBOSS , 147as part of the DARPA CHATS research program. 148