1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.\" $FreeBSD$ 32.\" 33.Dd August 21, 2004 34.Os 35.Dt MAC_BSDEXTENDED 4 36.Sh NAME 37.Nm mac_bsdextended 38.Nd "file system firewall policy" 39.Sh SYNOPSIS 40To compile the file system firewall policy into your kernel, 41place the following lines in your kernel configuration file: 42.Bd -ragged -offset indent 43.Cd "options MAC" 44.Cd "options MAC_BSDEXTENDED" 45.Ed 46.Pp 47Alternately, to load the file system firewall policy module at boot time, 48place the following line in your kernel configuration file: 49.Bd -ragged -offset indent 50.Cd "options MAC" 51.Ed 52.Pp 53and in 54.Xr loader.conf 5 : 55.Bd -literal -offset indent 56mac_bsdextended_load="YES" 57.Ed 58.Sh DESCRIPTION 59The 60.Nm 61interface provides an interface for the system administrator 62to impose mandatory rules regarding users and some system objects. 63Rules are uploaded to the module 64(typically using 65.Xr ugidfw 8 , 66or some other tool utilizing 67.Xr libugidfw 3 ) 68where they are stored internally 69and used to determine whether to allow or deny specific accesses 70(see 71.Xr ugidfw 8 ) . 72.Sh IMPLEMENTATION NOTES 73While the traditional 74.Xr mac 9 75entry points are implemented, 76policy labels are not used; 77instead, access control decisions are made by iterating through the internal 78list of rules until a rule 79which denies the particular access 80is found, 81or the end of the list is reached. 82The 83.Nm 84policy works similar to 85.Xr ipfw 8 86or by using a 87.Em first match semantic . 88This means that not all rules are applied, 89only the first matched rule; thus if 90Rule A allows access and Rule B blocks 91access, Rule B will never be applied. 92.Pp 93.Ss Sysctls 94The following sysctls may be used to tweak the behavior of 95.Nm : 96.Bl -tag -width indent 97.It Va security.mac.bsdextended.enabled 98Set to zero or one to toggle the policy on or off. 99.It Va security.mac.bsdextended.rule_count 100List the number of defined rules, the maximum rule count is 101current set at 256. 102.It Va security.mac.bsdextended.rule_slots 103List the number of rule slots currently being used. 104.It Va security.mac.bsdextended.debugging 105Toggle between debugging mode, currently this does 106nothing and will soon be removed. 107.It Va security.mac.bsdextended.firstmatch_enabled 108Toggle between the old all rules match functionality 109and the new first rule matches functionality. 110.It Va security.mac.bsdextended.logging 111Log all access violations via the 112.Dv AUTHPRIV 113.Xr syslog 3 114facility. 115.It Va security.mac.bsdextended.rules 116Currently does nothing interesting. 117.Sh SEE ALSO 118.Xr libugidfw 3 , 119.Xr syslog 3 , 120.Xr mac 4 , 121.Xr mac_biba 4 , 122.Xr mac_ifoff 4 , 123.Xr mac_lomac 4 , 124.Xr mac_mls 4 , 125.Xr mac_none 4 , 126.Xr mac_partition 4 , 127.Xr mac_portacl 4 , 128.Xr mac_seeotheruids 4 , 129.Xr mac_test 4 , 130.Xr ipfw 8 , 131.Xr ugidfw 8 , 132.Xr mac 9 133.Sh HISTORY 134The 135.Nm 136policy module first appeared in 137.Fx 5.0 138and was developed by the 139.Tn TrustedBSD 140Project. 141.Pp 142The "match first case" and logging capabilities were later added by 143.An Tom Rhodes Aq trhodes@FreeBSD.org . 144.Sh AUTHORS 145This software was contributed to the 146.Fx 147Project by NAI Labs, the Security Research Division of Network Associates 148Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 149.Pq Dq CBOSS , 150as part of the DARPA CHATS research program. 151