xref: /freebsd/share/man/man4/mac_bsdextended.4 (revision 3e8eb5c7f4909209c042403ddee340b2ee7003a5)
1.\" Copyright (c) 2002 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Laboratories, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\"
19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.\" $FreeBSD$
32.\"
33.Dd May 21, 2005
34.Dt MAC_BSDEXTENDED 4
35.Os
36.Sh NAME
37.Nm mac_bsdextended
38.Nd "file system firewall policy"
39.Sh SYNOPSIS
40To compile the file system firewall policy into your kernel,
41place the following lines in your kernel configuration file:
42.Bd -ragged -offset indent
43.Cd "options MAC"
44.Cd "options MAC_BSDEXTENDED"
45.Ed
46.Pp
47Alternately, to load the file system firewall policy module at boot time,
48place the following line in your kernel configuration file:
49.Bd -ragged -offset indent
50.Cd "options MAC"
51.Ed
52.Pp
53and in
54.Xr loader.conf 5 :
55.Bd -literal -offset indent
56mac_bsdextended_load="YES"
57.Ed
58.Sh DESCRIPTION
59The
60.Nm
61security policy module provides an interface for the system administrator
62to impose mandatory rules regarding users and some system objects.
63Rules are uploaded to the module
64(typically using
65.Xr ugidfw 8 ,
66or some other tool utilizing
67.Xr libugidfw 3 )
68where they are stored internally
69and used to determine whether to allow or deny specific accesses
70(see
71.Xr ugidfw 8 ) .
72.Sh IMPLEMENTATION NOTES
73While the traditional
74.Xr mac 9
75entry points are implemented,
76policy labels are not used;
77instead, access control decisions are made by iterating through the internal
78list of rules until a rule
79which denies the particular access
80is found,
81or the end of the list is reached.
82The
83.Nm
84policy works similar to
85.Xr ipfw 8
86or by using a
87.Em first match semantic .
88This means that not all rules are applied,
89only the first matched rule; thus if
90Rule A allows access and Rule B blocks
91access, Rule B will never be applied.
92.Ss Sysctls
93The following sysctls may be used to tweak the behavior of
94.Nm :
95.Bl -tag -width indent
96.It Va security.mac.bsdextended.enabled
97Set to zero or one to toggle the policy off or on.
98.It Va security.mac.bsdextended.rule_count
99List the number of defined rules, the maximum rule count is
100current set at 256.
101.It Va security.mac.bsdextended.rule_slots
102List the number of rule slots currently being used.
103.It Va security.mac.bsdextended.firstmatch_enabled
104Toggle between the old all rules match functionality
105and the new first rule matches functionality.
106This is enabled by default.
107.It Va security.mac.bsdextended.logging
108Log all access violations via the
109.Dv AUTHPRIV
110.Xr syslog 3
111facility.
112.It Va security.mac.bsdextended.rules
113Currently does nothing interesting.
114.El
115.Sh SEE ALSO
116.Xr libugidfw 3 ,
117.Xr syslog 3 ,
118.Xr mac 4 ,
119.Xr mac_biba 4 ,
120.Xr mac_ifoff 4 ,
121.Xr mac_lomac 4 ,
122.Xr mac_mls 4 ,
123.Xr mac_none 4 ,
124.Xr mac_partition 4 ,
125.Xr mac_portacl 4 ,
126.Xr mac_seeotheruids 4 ,
127.Xr mac_test 4 ,
128.Xr ipfw 8 ,
129.Xr ugidfw 8 ,
130.Xr mac 9
131.Sh HISTORY
132The
133.Nm
134policy module first appeared in
135.Fx 5.0
136and was developed by the
137.Tn TrustedBSD
138Project.
139.Pp
140The "match first case" and logging capabilities were later added by
141.An Tom Rhodes Aq Mt trhodes@FreeBSD.org .
142.Sh AUTHORS
143This software was contributed to the
144.Fx
145Project by NAI Labs, the Security Research Division of Network Associates
146Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
147.Pq Dq CBOSS ,
148as part of the DARPA CHATS research program.
149