xref: /freebsd/share/man/man4/mac_bsdextended.4 (revision 9d81f99b127fe8533a6049df5d265ec8b176dfbb)
1.\" Copyright (c) 2002 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Laboratories, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\"
19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.Dd October 11, 2024
32.Dt MAC_BSDEXTENDED 4
33.Os
34.Sh NAME
35.Nm mac_bsdextended
36.Nd "file system firewall policy"
37.Sh SYNOPSIS
38To compile the file system firewall policy into your kernel,
39place the following lines in your kernel configuration file:
40.Bd -ragged -offset indent
41.Cd "options MAC"
42.Cd "options MAC_BSDEXTENDED"
43.Ed
44.Pp
45Alternately, to load the file system firewall policy module at boot time,
46place the following line in your kernel configuration file:
47.Bd -ragged -offset indent
48.Cd "options MAC"
49.Ed
50.Pp
51and in
52.Xr loader.conf 5 :
53.Bd -literal -offset indent
54mac_bsdextended_load="YES"
55.Ed
56.Sh DESCRIPTION
57The
58.Nm
59security policy module provides an interface for the system administrator
60to impose mandatory rules regarding users and some system objects.
61Rules are uploaded to the module
62(typically using
63.Xr ugidfw 8 ,
64or some other tool utilizing
65.Xr libugidfw 3 )
66where they are stored internally
67and used to determine whether to allow or deny specific accesses
68(see
69.Xr ugidfw 8 ) .
70.Sh IMPLEMENTATION NOTES
71While the traditional
72.Xr mac 9
73entry points are implemented,
74policy labels are not used;
75instead, access control decisions are made by iterating through the internal
76list of rules until a rule
77which denies the particular access
78is found,
79or the end of the list is reached.
80The
81.Nm
82policy works similar to
83.Xr ipfw 8
84or by using a
85.Em first match semantic .
86This means that not all rules are applied,
87only the first matched rule; thus if
88Rule A allows access and Rule B blocks
89access, Rule B will never be applied.
90.Sh SYSCTL VARIABLES
91The following sysctls may be used to tweak the behavior of
92.Nm :
93.Bl -tag -width indent
94.It Va security.mac.bsdextended.enabled
95Set to zero or one to toggle the policy off or on.
96.It Va security.mac.bsdextended.rule_count
97List the number of defined rules, the maximum rule count is
98current set at 256.
99.It Va security.mac.bsdextended.rule_slots
100List the number of rule slots currently being used.
101.It Va security.mac.bsdextended.firstmatch_enabled
102Toggle between the old all rules match functionality
103and the new first rule matches functionality.
104This is enabled by default.
105.It Va security.mac.bsdextended.logging
106Log all access violations via the
107.Dv AUTHPRIV
108.Xr syslog 3
109facility.
110.It Va security.mac.bsdextended.rules
111Currently does nothing interesting.
112.El
113.Sh SEE ALSO
114.Xr libugidfw 3 ,
115.Xr syslog 3 ,
116.Xr mac 4 ,
117.Xr mac_biba 4 ,
118.Xr mac_ddb 4 ,
119.Xr mac_ifoff 4 ,
120.Xr mac_lomac 4 ,
121.Xr mac_mls 4 ,
122.Xr mac_none 4 ,
123.Xr mac_partition 4 ,
124.Xr mac_portacl 4 ,
125.Xr mac_seeotheruids 4 ,
126.Xr mac_test 4 ,
127.Xr ipfw 8 ,
128.Xr ugidfw 8 ,
129.Xr mac 9
130.Sh HISTORY
131The
132.Nm
133policy module first appeared in
134.Fx 5.0
135and was developed by the
136.Tn TrustedBSD
137Project.
138.Pp
139The "match first case" and logging capabilities were later added by
140.An Tom Rhodes Aq Mt trhodes@FreeBSD.org .
141.Sh AUTHORS
142This software was contributed to the
143.Fx
144Project by NAI Labs, the Security Research Division of Network Associates
145Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
146.Pq Dq CBOSS ,
147as part of the DARPA CHATS research program.
148