xref: /freebsd/share/man/man4/mac_test.4 (revision a03411e84728e9b267056fd31c7d1d9d1dc1b01e)
1.\" Copyright (c) 2002 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Laboratories, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\"
19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.Dd July 25, 2015
32.Dt MAC_TEST 4
33.Os
34.Sh NAME
35.Nm mac_test
36.Nd MAC framework testing policy
37.Sh SYNOPSIS
38To compile the testing policy
39into your kernel, place the following lines in your kernel
40configuration file:
41.Bd -ragged -offset indent
42.Cd "options MAC"
43.Cd "options MAC_TEST"
44.Ed
45.Pp
46Alternately, to load the testing module at boot time, place the following line
47in your kernel configuration file:
48.Bd -ragged -offset indent
49.Cd "options MAC"
50.Ed
51.Pp
52and in
53.Xr loader.conf 5 :
54.Bd -literal -offset indent
55mac_test_load="YES"
56.Ed
57.Sh DESCRIPTION
58The
59.Nm
60policy module implements a testing facility for the MAC framework.
61Among other things,
62.Nm
63will try to catch corrupt labels the system is attempting to destroy and
64drop to the debugger.
65Additionally, a set of statistics regarding the number of times various
66MAC framework entry points have been called is stored in the
67.Va security.mac.test
68.Xr sysctl 8
69tree.
70.Ss Label Format
71No labels are defined for
72.Nm .
73.Sh SEE ALSO
74.Xr mac 4 ,
75.Xr mac_biba 4 ,
76.Xr mac_bsdextended 4 ,
77.Xr mac_ddb 4 ,
78.Xr mac_ifoff 4 ,
79.Xr mac_lomac 4 ,
80.Xr mac_mls 4 ,
81.Xr mac_none 4 ,
82.Xr mac_partition 4 ,
83.Xr mac_portacl 4 ,
84.Xr mac_seeotheruids 4 ,
85.Xr mac 9
86.Sh HISTORY
87The
88.Nm
89policy module first appeared in
90.Fx 5.0
91and was developed by the
92.Tn TrustedBSD
93Project.
94.Sh AUTHORS
95This software was contributed to the
96.Fx
97Project by Network Associates Labs,
98the Security Research Division of Network Associates
99Inc.
100under DARPA/SPAWAR contract N66001-01-C-8035
101.Pq Dq CBOSS ,
102as part of the DARPA CHATS research program.
103.Sh BUGS
104While the MAC Framework design is intended to support the containment of
105the root user, not all attack channels are currently protected by entry
106point checks.
107As such, MAC Framework policies should not be relied on, in isolation,
108to protect against a malicious privileged user.
109