xref: /freebsd/share/man/man4/mac_stub.4 (revision 370e009188ba90c3290b1479aa06ec98b66e140a)
1.\" Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Laboratories, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\"
19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.\" $FreeBSD$
32.\"
33.Dd July 25, 2015
34.Dt MAC_STUB 4
35.Os
36.Sh NAME
37.Nm mac_stub
38.Nd "MAC policy stub module"
39.Sh SYNOPSIS
40To compile the stub policy
41into your kernel, place the following lines in your kernel
42configuration file:
43.Bd -ragged -offset indent
44.Cd "options MAC"
45.Cd "options MAC_STUB"
46.Ed
47.Pp
48Alternately, to load the stub module at boot time, place the following line
49in your kernel configuration file:
50.Bd -ragged -offset indent
51.Cd "options MAC"
52.Ed
53.Pp
54and in
55.Xr loader.conf 5 :
56.Bd -literal -offset indent
57mac_stub_load="YES"
58.Ed
59.Sh DESCRIPTION
60The
61.Nm
62policy module implements a stub MAC policy that has no effect on
63access control in the system.
64Unlike
65.Xr mac_none 4 ,
66each MAC entry point is defined as a
67.Dq no-op ,
68so the policy module will be entered for each event, but no change
69in system behavior should result.
70.Ss Label Format
71No labels are defined for
72.Nm .
73.Sh SEE ALSO
74.Xr mac 4 ,
75.Xr mac_biba 4 ,
76.Xr mac_bsdextended 4 ,
77.Xr mac_ddb 4 ,
78.Xr mac_ifoff 4 ,
79.Xr mac_lomac 4 ,
80.Xr mac_mls 4 ,
81.Xr mac_none 4 ,
82.Xr mac_partition 4 ,
83.Xr mac_portacl 4 ,
84.Xr mac_seeotheruids 4 ,
85.Xr mac_test 4 ,
86.Xr mac 9
87.Sh HISTORY
88The
89.Nm
90policy module first appeared in
91.Fx 5.1
92and was developed by the
93.Tn TrustedBSD
94Project.
95.Sh AUTHORS
96This software was contributed to the
97.Fx
98Project by Network Associates Labs,
99the Security Research Division of Network Associates
100Inc.
101under DARPA/SPAWAR contract N66001-01-C-8035
102.Pq Dq CBOSS ,
103as part of the DARPA CHATS research program.
104.Sh BUGS
105While the MAC Framework design is intended to support the containment of
106the root user, not all attack channels are currently protected by entry
107point checks.
108As such, MAC Framework policies should not be relied on, in isolation,
109to protect against a malicious privileged user.
110