xref: /freebsd/share/man/man4/mac_partition.4 (revision 1c05a6ea6b849ff95e539c31adea887c644a6a01)
1.\" Copyright (c) 2002 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Laboratories, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\"
19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.\" $FreeBSD$
32.\"
33.Dd July 25, 2015
34.Dt MAC_PARTITION 4
35.Os
36.Sh NAME
37.Nm mac_partition
38.Nd "process partition policy"
39.Sh SYNOPSIS
40To compile the process partition policy into your kernel,
41place the following lines in your kernel
42configuration file:
43.Bd -ragged -offset indent
44.Cd "options MAC"
45.Cd "options MAC_PARTITION"
46.Ed
47.Pp
48Alternately, to load the process partition module at boot time,
49place the following line in your kernel configuration file:
50.Bd -ragged -offset indent
51.Cd "options MAC"
52.Ed
53.Pp
54and in
55.Xr loader.conf 5 :
56.Bd -literal -offset indent
57mac_partition_load="YES"
58.Ed
59.Sh DESCRIPTION
60The
61.Nm
62policy module implements a process partition policy,
63which allows administrators to place running processes into
64.Dq partitions ,
65based on their numeric process partition
66(specified in the process's MAC label).
67Processes with a specified partition can only see processes that are in the
68same partition.
69If no partition is specified for a process, it can see all other processes
70in the system
71(subject to other MAC policy restrictions not defined in this man page).
72No provisions for placing processes into multiple partitions are available.
73.Ss Label Format
74Partition labels take on the following format:
75.Pp
76.Sm off
77.Dl Li partition / Ar value
78.Sm on
79.Pp
80Where
81.Ar value
82can be any integer value or
83.Dq Li none .
84For example:
85.Bd -literal -offset indent
86partition/1
87partition/20
88partition/none
89.Ed
90.Sh SEE ALSO
91.Xr mac 4 ,
92.Xr mac_biba 4 ,
93.Xr mac_bsdextended 4 ,
94.Xr mac_ifoff 4 ,
95.Xr mac_lomac 4 ,
96.Xr mac_mls 4 ,
97.Xr mac_none 4 ,
98.Xr mac_portacl 4 ,
99.Xr mac_seeotheruids 4 ,
100.Xr mac_test 4 ,
101.Xr maclabel 7 ,
102.Xr mac 9
103.Sh HISTORY
104The
105.Nm
106policy module first appeared in
107.Fx 5.0
108and was developed by the
109.Tn TrustedBSD
110Project.
111.Sh AUTHORS
112This software was contributed to the
113.Fx
114Project by Network Associates Labs,
115the Security Research Division of Network Associates
116Inc.
117under DARPA/SPAWAR contract N66001-01-C-8035
118.Pq Dq CBOSS ,
119as part of the DARPA CHATS research program.
120.Sh BUGS
121While the MAC Framework design is intended to support the containment of
122the root user, not all attack channels are currently protected by entry
123point checks.
124As such, MAC Framework policies should not be relied on, in isolation,
125to protect against a malicious privileged user.
126