Deleted Added
mac.4 (115211) mac.4 (115643)
1.\" Copyright (c) 2003 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Labs, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.

--- 14 unchanged lines hidden (view full) ---

23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
1.\" Copyright (c) 2003 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Labs, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.

--- 14 unchanged lines hidden (view full) ---

23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.\" $FreeBSD: head/share/man/man4/mac.4 115211 2003-05-21 15:55:40Z ru $
32.Dd JANUARY 8, 2003
31.\" $FreeBSD: head/share/man/man4/mac.4 115643 2003-06-01 21:52:59Z ru $
32.\"
33.Dd January 8, 2003
33.Os
34.Dt MAC 4
35.Sh NAME
36.Nm mac
37.Nd Mandatory Access Control
38.Sh SYNOPSIS
39.Cd "options MAC"
40.Sh DESCRIPTION
41.Ss Introduction
42The Mandatory Access Control, or MAC, framework allows administrators to
43finely control system security by providing for a loadable security policy
44architecture.
45It is important to note that due to its nature, MAC security policies may
46only restrict access relative to one another and the base system policy;
34.Os
35.Dt MAC 4
36.Sh NAME
37.Nm mac
38.Nd Mandatory Access Control
39.Sh SYNOPSIS
40.Cd "options MAC"
41.Sh DESCRIPTION
42.Ss Introduction
43The Mandatory Access Control, or MAC, framework allows administrators to
44finely control system security by providing for a loadable security policy
45architecture.
46It is important to note that due to its nature, MAC security policies may
47only restrict access relative to one another and the base system policy;
47they cannot override traditional UNIX
48they cannot override traditional
49.Ux
48security provisions such as file permissions and superuser checks.
49.Pp
50Currently, the following MAC policy modules are shipped with
51.Fx :
50security provisions such as file permissions and superuser checks.
51.Pp
52Currently, the following MAC policy modules are shipped with
53.Fx :
52.Bl -column ".Xr mac_seeotheruids 4" "low-watermark mac policy " ".Em Labeling" "boot only"
54.Bl -column ".Xr mac_seeotheruids 4" "low-watermark mac policy" ".Em Labeling" "boot only"
53.It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time"
54.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only
55.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time
56.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time
57.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only
58.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only
59.It Xr mac_none 4 Ta "Sample no-op policy" Ta no Ta any time
60.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time
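Review bot: the `.Dd` line keeps January 8, 2003 while the `$FreeBSD$` header now reads 2003-06-01; the capitalization fix from `JANUARY` to `January` is right, but if this revision also carries content corrections rather than only markup cleanup, `.Dd` should be bumped as well. The other changes here are sound mdoc cleanups: literal `UNIX` becomes the `.Ux` macro, a bare `.\"` separator follows the `$FreeBSD$` line, and the trailing space in the `-column` width string `"low-watermark mac policy "` is dropped so the column width is computed from the text alone.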

--- 29 unchanged lines hidden (view full) ---

90the
91.Dq multilabel
92flag must be enabled on the file system.
93To set the
94.Dq multilabel
95flag, drop to single-user mode and unmount the file system,
96then execute the following command:
97.Pp
55.It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time"
56.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only
57.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time
58.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time
59.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only
60.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only
61.It Xr mac_none 4 Ta "Sample no-op policy" Ta no Ta any time
62.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time

--- 29 unchanged lines hidden (view full) ---

92the
93.Dq multilabel
94flag must be enabled on the file system.
95To set the
96.Dq multilabel
97flag, drop to single-user mode and unmount the file system,
98then execute the following command:
99.Pp
98.Dl "tunefs -l enable" Sy filesystem
100.Dl "tunefs -l enable" Ar filesystem
99.Pp
100where
101.Pp
102where
101.Sy filesystem
103.Ar filesystem
102is either the mount point
103(in
104.Xr fstab 5 )
105or the special file
106(in
107.Pa /dev )
108corresponding to the file system on which to enable multilabel support.
109.Ss Policy Enforcement
110MAC can be configured to enforce only specific portions of
111policies
112(see
113.Sx "Runtime Configuration" ) .
114Policy enforcement is divided into the following areas of the system:
115.Bl -ohang
104is either the mount point
105(in
106.Xr fstab 5 )
107or the special file
108(in
109.Pa /dev )
110corresponding to the file system on which to enable multilabel support.
111.Ss Policy Enforcement
112MAC can be configured to enforce only specific portions of
113policies
114(see
115.Sx "Runtime Configuration" ) .
116Policy enforcement is divided into the following areas of the system:
117.Bl -ohang
116.It Sy File System
118.It Sy "File System"
117File system mounts, modifying directories, modifying files, etc.
118.It Sy KLD
119Loading, unloading, and retrieving statistics on loaded kernel modules
120.It Sy Network
121Network interfaces,
122.Xr bpf 4 ,
123packet delivery and transmission,
124interface configuration
125.Xr ( ioctl 2 ,
126.Xr ifconfig 8 )
127.It Sy Pipes
128Creation of and operation on
129.Xr pipe 2
130objects
131.It Sy Processes
132Debugging
119File system mounts, modifying directories, modifying files, etc.
120.It Sy KLD
121Loading, unloading, and retrieving statistics on loaded kernel modules
122.It Sy Network
123Network interfaces,
124.Xr bpf 4 ,
125packet delivery and transmission,
126interface configuration
127.Xr ( ioctl 2 ,
128.Xr ifconfig 8 )
129.It Sy Pipes
130Creation of and operation on
131.Xr pipe 2
132objects
133.It Sy Processes
134Debugging
133(e.g.
135(e.g.\&
134.Xr ktrace 2 ) ,
135process visibility
136.Xr ktrace 2 ) ,
137process visibility
136.Xr ( ps 1 ) ,
138.Pq Xr ps 1 ,
137process execution
139process execution
138.Xr ( execve 2 ) ,
140.Pq Xr execve 2 ,
139signalling
141signalling
140.Xr ( kill 2 )
142.Pq Xr kill 2
141.It Sy Sockets
142Creation of and operation on
143.Xr socket 2
144objects
145.It Sy System
146Kernel environment
143.It Sy Sockets
144Creation of and operation on
145.Xr socket 2
146objects
147.It Sy System
148Kernel environment
147.Xr ( kenv 1 ) ,
149.Pq Xr kenv 1 ,
148system accounting
150system accounting
149.Xr ( acct 2 ) ,
151.Pq Xr acct 2 ,
150.Xr reboot 2 ,
151.Xr settimeofday 2 ,
152.Xr swapon 2 ,
153.Xr sysctl 3 ,
152.Xr reboot 2 ,
153.Xr settimeofday 2 ,
154.Xr swapon 2 ,
155.Xr sysctl 3 ,
154.Sm off
155.Xr nfsd 8 -
156related
157.Sm on
158operations
156.Xr nfsd 8 Ns
157-related operations
159.It Sy VM
158.It Sy VM
160.Sm off
161.Xr mmap 2 -
162ed
163.Sm on
164files
159.Xr mmap 2 Ns
160-ed files
165.El
166.Ss Setting MAC Labels
167From the command line, each type of system object has its own means for setting
168and modifying its MAC policy label.
169.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent
170.It Sy "Subject/Object" Ta Sy "Utility"
171.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8
172.It "Network interface" Ta Xr ifconfig 8
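Review bot: the Network item in the Policy Enforcement list still uses `.Xr ( ioctl 2 ,` / `.Xr ifconfig 8 )` while the neighbouring Processes and System items were converted from `.Xr ( ps 1 ) ,` to `.Pq Xr ps 1 ,`; for consistency convert that one too (`.Po`/`.Pc` around the two cross references, or a single `.Pq` line). `Ar filesystem` in the `tunefs -l enable` example is the correct macro for a user-supplied argument, `(e.g.\&` stops mdoc treating the abbreviation as a sentence end, and `.Xr nfsd 8 Ns` / `-related operations` is a cleaner spelling of the `.Sm off` construction it replaces, as is the matching `mmap(2)-ed` change.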

--- 17 unchanged lines hidden (view full) ---

190The interface for retrieving, handling, and setting policy labels
191is documented in the
192.Xr mac 3
193man page.
194.Ss Runtime Configuration
195The following
196.Xr sysctl 8
197MIBs are available for fine-tuning the enforcement of MAC policies.
161.El
162.Ss Setting MAC Labels
163From the command line, each type of system object has its own means for setting
164and modifying its MAC policy label.
165.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent
166.It Sy "Subject/Object" Ta Sy "Utility"
167.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8
168.It "Network interface" Ta Xr ifconfig 8

--- 17 unchanged lines hidden (view full) ---

186The interface for retrieving, handling, and setting policy labels
187is documented in the
188.Xr mac 3
189man page.
190.Ss Runtime Configuration
191The following
192.Xr sysctl 8
193MIBs are available for fine-tuning the enforcement of MAC policies.
198Unless specifically noted, all MIBs default to
199.Li 1
194Unless specifically noted, all MIBs default to 1
200(that is, all areas are enforced by default):
195(that is, all areas are enforced by default):
201.Bl -tag -width "security.mac.enforce_network"
196.Bl -tag -width ".Va security.mac.enforce_network"
202.It Va security.mac.enforce_fs
197.It Va security.mac.enforce_fs
203Enforce MAC policies for file system accesses
198Enforce MAC policies for file system accesses.
204.It Va security.mac.enforce_kld
205Enforce MAC policies on
199.It Va security.mac.enforce_kld
200Enforce MAC policies on
206.Xr kld 4
201.Xr kld 4 .
207.It Va security.mac.enforce_network
202.It Va security.mac.enforce_network
208Enforce MAC policies on network interfaces
203Enforce MAC policies on network interfaces.
209.It Va security.mac.enforce_pipe
204.It Va security.mac.enforce_pipe
210Enforce MAC policies on pipes
205Enforce MAC policies on pipes.
211.It Va security.mac.enforce_process
212Enforce MAC policies between system processes
206.It Va security.mac.enforce_process
207Enforce MAC policies between system processes
213(e.g.
208(e.g.\&
214.Xr ps 1 ,
209.Xr ps 1 ,
215.Xr ktrace 2 )
210.Xr ktrace 2 ) .
216.It Va security.mac.enforce_socket
211.It Va security.mac.enforce_socket
217Enforce MAC policies on sockets
212Enforce MAC policies on sockets.
218.It Va security.mac.enforce_system
219Enforce MAC policies on system-related items
213.It Va security.mac.enforce_system
214Enforce MAC policies on system-related items
220(e.g.
215(e.g.\&
221.Xr kenv 1 ,
222.Xr acct 2 ,
216.Xr kenv 1 ,
217.Xr acct 2 ,
223.Xr reboot 2 )
218.Xr reboot 2 ) .
224.It Va security.mac.enforce_vm
225Enforce MAC policies on
226.Xr mmap 2
227and
219.It Va security.mac.enforce_vm
220Enforce MAC policies on
221.Xr mmap 2
222and
228.Xr mprotect 2
223.Xr mprotect 2 .
229.\" *** XXX ***
230.\" Support for this feature is poor and should not be encouraged.
231.\"
232.\" .It Va security.mac.mmap_revocation
233.\" Revoke
234.\" .Xr mmap 2
224.\" *** XXX ***
225.\" Support for this feature is poor and should not be encouraged.
226.\"
227.\" .It Va security.mac.mmap_revocation
228.\" Revoke
229.\" .Xr mmap 2
235.\" access to files on subject relabel
230.\" access to files on subject relabel.
236.\" .It Va security.mac.mmap_revocation_via_cow
237.\" Revoke
238.\" .Xr mmap 2
239.\" access to files via copy-on-write semantics;
240.\" mapped regions will still appear writable, but will no longer
231.\" .It Va security.mac.mmap_revocation_via_cow
232.\" Revoke
233.\" .Xr mmap 2
234.\" access to files via copy-on-write semantics;
235.\" mapped regions will still appear writable, but will no longer
241.\" effect a change on the underlying vnode
242.\" (Default: 0)
236.\" effect a change on the underlying vnode.
237.\" (Default: 0).
243.El
244.Sh SEE ALSO
245.Xr mac 3 ,
246.Xr mac_biba 4 ,
247.Xr mac_bsdextended 4 ,
248.Xr mac_ifoff 4 ,
249.Xr mac_lomac 4 ,
250.Xr mac_mls 4 ,
251.Xr mac_none 4 ,
252.Xr mac_partition 4 ,
253.Xr mac_portacl 4 ,
254.Xr mac_seeotheruids 4 ,
255.Xr mac_test 4 ,
238.El
239.Sh SEE ALSO
240.Xr mac 3 ,
241.Xr mac_biba 4 ,
242.Xr mac_bsdextended 4 ,
243.Xr mac_ifoff 4 ,
244.Xr mac_lomac 4 ,
245.Xr mac_mls 4 ,
246.Xr mac_none 4 ,
247.Xr mac_partition 4 ,
248.Xr mac_portacl 4 ,
249.Xr mac_seeotheruids 4 ,
250.Xr mac_test 4 ,
256.Xr login.5 ,
251.Xr login.conf 5 ,
257.Xr maclabel 7 ,
258.Xr getfmac 8 ,
252.Xr maclabel 7 ,
253.Xr getfmac 8 ,
259.Xr setfmac 8 ,
260.Xr getpmac 8 ,
254.Xr getpmac 8 ,
255.Xr setfmac 8 ,
261.Xr setpmac 8 ,
262.Xr mac 9
263.Rs
264.%B "The FreeBSD Handbook"
265.%T "Mandatory Access Control"
256.Xr setpmac 8 ,
257.Xr mac 9
258.Rs
259.%B "The FreeBSD Handbook"
260.%T "Mandatory Access Control"
266.%O http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html
261.%O http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
267.Re
268.Sh HISTORY
269The
270.Nm
271implementation first appeared in
272.Fx 5.0
262.Re
263.Sh HISTORY
264The
265.Nm
266implementation first appeared in
267.Fx 5.0
273and was developed by the TrustedBSD Project.
268and was developed by the
269.Tn TrustedBSD
270Project.
274.Sh AUTHORS
275This software was contributed to the
276.Fx
277Project by Network Associates Labs,
278the Security Research Division of Network Associates
271.Sh AUTHORS
272This software was contributed to the
273.Fx
274Project by Network Associates Labs,
275the Security Research Division of Network Associates
279Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
276Inc. under DARPA/SPAWAR contract N66001-01-C-8035
277.Pq Dq CBOSS ,
280as part of the DARPA CHATS research program.
281.Sh BUGS
282See
283.Xr mac 9
284concerning appropriateness for production use.
278as part of the DARPA CHATS research program.
279.Sh BUGS
280See
281.Xr mac 9
282concerning appropriateness for production use.
285The TrustedBSD MAC Framework is considered experimental in
283The
284.Tn TrustedBSD
285MAC Framework is considered experimental in
286.Fx .
287.Pp
288While the MAC Framework design is intended to support the containment of
289the root user, not all attack channels are currently protected by entry
290point checks.
291As such, MAC Framework policies should not be relied on, in isolation,
292to protect against a malicious privileged user.
286.Fx .
287.Pp
288While the MAC Framework design is intended to support the containment of
289the root user, not all attack channels are currently protected by entry
290point checks.
291As such, MAC Framework policies should not be relied on, in isolation,
292to protect against a malicious privileged user.
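Review bot: with the `security.mac.mmap_revocation` entries commented out, the sentence `Unless specifically noted, all MIBs default to 1` has no noted exception left in the rendered list (the `(Default: 0)` survives only inside the `.\"` comment), so either drop the qualifier or keep the comment in sync if that entry is restored. The `.Xr login.5 ,` to `.Xr login.conf 5 ,` change fixes a broken cross reference (no section argument and no page of that name), and moving `getpmac 8` ahead of `setfmac 8` gives the alphabetical order the rest of SEE ALSO follows. The trailing periods added to the `enforce_*` descriptions, `.Tn TrustedBSD`, and `.Pq Dq CBOSS ,` are consistent mdoc style; the BUGS text is unchanged and still correctly states that the framework is experimental and must not be relied on in isolation against a malicious privileged user.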