1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.\" $FreeBSD$ 32.\" 33.Dd July 25, 2015 34.Dt MAC_PARTITION 4 35.Os 36.Sh NAME 37.Nm mac_partition 38.Nd "process partition policy" 39.Sh SYNOPSIS 40To compile the process partition policy into your kernel, 41place the following lines in your kernel 42configuration file: 43.Bd -ragged -offset indent 44.Cd "options MAC" 45.Cd "options MAC_PARTITION" 46.Ed 47.Pp 48Alternately, to load the process partition module at boot time, 49place the following line in your kernel configuration file: 50.Bd -ragged -offset indent 51.Cd "options MAC" 52.Ed 53.Pp 54and in 55.Xr loader.conf 5 : 56.Bd -literal -offset indent 57mac_partition_load="YES" 58.Ed 59.Sh DESCRIPTION 60The 61.Nm 62policy module implements a process partition policy, 63which allows administrators to place running processes into 64.Dq partitions , 65based on their numeric process partition 66(specified in the process's MAC label). 67Processes with a specified partition can only see processes that are in the 68same partition. 69If no partition is specified for a process, it can see all other processes 70in the system 71(subject to other MAC policy restrictions not defined in this man page). 72No provisions for placing processes into multiple partitions are available. 73.Ss Label Format 74Partition labels take on the following format: 75.Pp 76.Sm off 77.Dl Li partition / Ar value 78.Sm on 79.Pp 80Where 81.Ar value 82can be any integer value or 83.Dq Li none . 84For example: 85.Bd -literal -offset indent 86partition/1 87partition/20 88partition/none 89.Ed 90.Sh SEE ALSO 91.Xr mac 4 , 92.Xr mac_biba 4 , 93.Xr mac_bsdextended 4 , 94.Xr mac_ddb 4 , 95.Xr mac_ifoff 4 , 96.Xr mac_lomac 4 , 97.Xr mac_mls 4 , 98.Xr mac_none 4 , 99.Xr mac_portacl 4 , 100.Xr mac_seeotheruids 4 , 101.Xr mac_test 4 , 102.Xr maclabel 7 , 103.Xr mac 9 104.Sh HISTORY 105The 106.Nm 107policy module first appeared in 108.Fx 5.0 109and was developed by the 110.Tn TrustedBSD 111Project. 112.Sh AUTHORS 113This software was contributed to the 114.Fx 115Project by Network Associates Labs, 116the Security Research Division of Network Associates 117Inc. 118under DARPA/SPAWAR contract N66001-01-C-8035 119.Pq Dq CBOSS , 120as part of the DARPA CHATS research program. 121.Sh BUGS 122While the MAC Framework design is intended to support the containment of 123the root user, not all attack channels are currently protected by entry 124point checks. 125As such, MAC Framework policies should not be relied on, in isolation, 126to protect against a malicious privileged user. 127