| mac_mls.4 (115211) | mac_mls.4 (115643) |
|---|---|
| 1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. --- 14 unchanged lines hidden (view full) --- 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" | 1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. --- 14 unchanged lines hidden (view full) --- 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" |
| 31.\" $FreeBSD: head/share/man/man4/mac_mls.4 115211 2003-05-21 15:55:40Z ru $ 32.Dd DECEMBER 1, 2002 | 31.\" $FreeBSD: head/share/man/man4/mac_mls.4 115643 2003-06-01 21:52:59Z ru $ 32.\" 33.Dd December 1, 2002 |
| 33.Os 34.Dt MAC_MLS 4 35.Sh NAME 36.Nm mac_mls | 34.Os 35.Dt MAC_MLS 4 36.Sh NAME 37.Nm mac_mls |
| 37.Nd Multi-Level Security confidentiality policy | 38.Nd "Multi-Level Security confidentiality policy" |
| 38.Sh SYNOPSIS 39To compile MLS into your kernel, place the following lines in your kernel 40configuration file: | 39.Sh SYNOPSIS 40To compile MLS into your kernel, place the following lines in your kernel 41configuration file: |
| 42.Bd -ragged -offset indent |
|
| 41.Cd "options MAC" 42.Cd "options MAC_MLS" | 43.Cd "options MAC" 44.Cd "options MAC_MLS" |
| 45.Ed |
|
| 43.Pp 44Alternately, to load the MLS module at boot time, place the following line 45in your kernel configuration file: | 46.Pp 47Alternately, to load the MLS module at boot time, place the following line 48in your kernel configuration file: |
| 49.Bd -ragged -offset indent |
|
| 46.Cd "options MAC" | 50.Cd "options MAC" |
| 51.Ed |
|
| 47.Pp 48and in 49.Xr loader.conf 5 : | 52.Pp 53and in 54.Xr loader.conf 5 : |
| 50.Cd mac_mls_load= Ns \&"YES" | 55.Bd -literal -offset indent 56mac_mls_load="YES" 57.Ed |
| 51.Sh DESCRIPTION 52The 53.Nm 54policy module implements the Multi-Level Security, or MLS model, 55which controls access between subjects and objects based on their 56confidentiality by means of a strict information flow policy. 57Each subject and object in the system has an MLS label associated with it; 58each subject's MLS label contains information on its clearance level, --- 10 unchanged lines hidden (view full) --- 69numbered from 1 to 256. 70A complete label consists of both sensitivity and compartment 71elements. 72.Pp 73With normal labels, dominance is defined as a label having a higher 74or equal active sensitivity level, and having at least 75all of the same compartments as the label to which it is being compared. 76With respect to label comparisons, | 58.Sh DESCRIPTION 59The 60.Nm 61policy module implements the Multi-Level Security, or MLS model, 62which controls access between subjects and objects based on their 63confidentiality by means of a strict information flow policy. 64Each subject and object in the system has an MLS label associated with it; 65each subject's MLS label contains information on its clearance level, --- 10 unchanged lines hidden (view full) --- 76numbered from 1 to 256. 77A complete label consists of both sensitivity and compartment 78elements. 79.Pp 80With normal labels, dominance is defined as a label having a higher 81or equal active sensitivity level, and having at least 82all of the same compartments as the label to which it is being compared. 83With respect to label comparisons, |
| 77.Dq lower | 84.Dq Li lower |
| 78is defined as being dominated by the label to which it is being compared, 79and | 85is defined as being dominated by the label to which it is being compared, 86and |
| 80.Dq higher | 87.Dq Li higher |
| 81is defined as dominating the label to which it is being compared, 82and | 88is defined as dominating the label to which it is being compared, 89and |
| 83.Dq equal | 90.Dq Li equal |
| 84is defined as both labels being able to satisfy the dominance requirements 85over one another. 86.Pp 87Three special label values exist: | 91is defined as both labels being able to satisfy the dominance requirements 92over one another. 93.Pp 94Three special label values exist: |
| 88.Bl -column -offset indent "mls/equal" "dominated by all other labels" | 95.Bl -column -offset indent ".Li mls/equal" "dominated by all other labels" |
| 89.It Sy Label Ta Sy Comparison | 96.It Sy Label Ta Sy Comparison |
| 90.It Li mls/low Ta dominated by all other labels 91.It Li mls/equal Ta equal to all other labels 92.It Li mls/high Ta dominates all other labels | 97.It Li mls/low Ta "dominated by all other labels" 98.It Li mls/equal Ta "equal to all other labels" 99.It Li mls/high Ta "dominates all other labels" |
| 93.El 94.Pp 95The | 100.El 101.Pp 102The |
| 96.Dq mls/equal | 103.Dq Li mls/equal |
| 97label may be applied to subjects and objects for which no enforcement of the 98MLS security policy is desired. 99.Pp 100The MLS model enforces the following basic restrictions: 101.Bl -bullet 102.It 103Subjects may not observe the processes of another subject if its 104clearance level is lower than the clearance level of the object it is --- 22 unchanged lines hidden (view full) --- 127.Xr ( mac_biba 4 ) 128in order to protect the Trusted Code Base (TCB). 129.Ss Label Format 130Almost all system objects are tagged with a single, active label element, 131reflecting the classification of the object, or classification of the data 132contained in the object. 133In general, object labels are represented in the following form: 134.Pp | 104label may be applied to subjects and objects for which no enforcement of the 105MLS security policy is desired. 106.Pp 107The MLS model enforces the following basic restrictions: 108.Bl -bullet 109.It 110Subjects may not observe the processes of another subject if its 111clearance level is lower than the clearance level of the object it is --- 22 unchanged lines hidden (view full) --- 134.Xr ( mac_biba 4 ) 135in order to protect the Trusted Code Base (TCB). 136.Ss Label Format 137Almost all system objects are tagged with a single, active label element, 138reflecting the classification of the object, or classification of the data 139contained in the object. 140In general, object labels are represented in the following form: 141.Pp |
| 135.Dl mls/grade:compartments | 142.Sm off 143.D1 Li mls / Ar grade : compartments 144.Sm on |
| 136.Pp 137For example: | 145.Pp 146For example: |
| 138.Pp | |
| 139.Bd -literal -offset indent 140mls/10:2+3+6 141mls/low 142.Ed 143.Pp 144Subject labels consist of three label elements: a single (active) label, 145as well as a range of available labels. 146This range is represented using two ordered MLS label elements, and when set 147on a process, permits the process to change its active label to any label of 148greater or equal integrity to the low end of the range, and lesser or equal 149integrity to the high end of the range. 150In general, subject labels are represented in the following form: 151.Pp | 147.Bd -literal -offset indent 148mls/10:2+3+6 149mls/low 150.Ed 151.Pp 152Subject labels consist of three label elements: a single (active) label, 153as well as a range of available labels. 154This range is represented using two ordered MLS label elements, and when set 155on a process, permits the process to change its active label to any label of 156greater or equal integrity to the low end of the range, and lesser or equal 157integrity to the high end of the range. 158In general, subject labels are represented in the following form: 159.Pp |
| 152.Dl mls/singlegrade:singlecompartments(lograde:locompartments- 153.Dl higrade:hicompartments) | 160.Sm off 161.D1 Li mls / Ar singlegrade : singlecompartments ( lograde : locompartments No - 162.D1 Ar higrade : hicompartments ) 163.Sm on |
| 154.Pp 155For example: 156.Bd -literal -offset indent 157mls/10:2+3+6(5:2+3-20:2+3+4+5+6) 158mls/high(low-high) 159.Ed 160.Pp 161Valid ranged labels must meet the following requirement regarding their 162elements: 163.Pp | 164.Pp 165For example: 166.Bd -literal -offset indent 167mls/10:2+3+6(5:2+3-20:2+3+4+5+6) 168mls/high(low-high) 169.Ed 170.Pp 171Valid ranged labels must meet the following requirement regarding their 172elements: 173.Pp |
| 164.Dl rangehigh >= single >= rangelow | 174.D1 Ar rangehigh No \[>=] Ar single No \[>=] Ar rangelow |
| 165.Pp 166One class of objects with ranges currently exists, the network interface. 167In the case of the network interface, the single label element references 168the default label for packets received over the interface, and the range 169represents the range of acceptable labels of packets to be transmitted over 170the interface. 171.Ss Runtime Configuration 172The following 173.Xr sysctl 8 174MIBs are available for fine-tuning the enforcement of this MAC policy. | 175.Pp 176One class of objects with ranges currently exists, the network interface. 177In the case of the network interface, the single label element references 178the default label for packets received over the interface, and the range 179represents the range of acceptable labels of packets to be transmitted over 180the interface. 181.Ss Runtime Configuration 182The following 183.Xr sysctl 8 184MIBs are available for fine-tuning the enforcement of this MAC policy. |
| 175.Bl -tag -width security.mac.mls.enabled | 185.Bl -tag -width ".Va security.mac.mls.ptys_equal" |
| 176.It Va security.mac.mls.enabled | 186.It Va security.mac.mls.enabled |
| 177Enables the enforcement of the MLS confidentiality policy 178(Default: 1) | 187Enables the enforcement of the MLS confidentiality policy. 188(Default: 1). |
| 179.It Va security.mac.mls.ptys_equal 180Label | 189.It Va security.mac.mls.ptys_equal 190Label |
| 181.Sm off 182.Xr pty 4 183s 184.Sm on | 191.Xr pty 4 Ns s |
| 185as | 192as |
| 186.Dq mls/equal 187upon creation 188(Default: 0) | 193.Dq Li mls/equal 194upon creation. 195(Default: 0). |
| 189.It Va security.mac.mls.revocation_enabled 190Revoke access to objects if the label is changed to a more sensitive | 196.It Va security.mac.mls.revocation_enabled 197Revoke access to objects if the label is changed to a more sensitive |
| 191level than the subject 192(Default: 0) | 198level than the subject. 199(Default: 0). |
| 193.El 194.Sh IMPLEMENTATION NOTES 195Currently, the 196.Nm 197policy relies on superuser status | 200.El 201.Sh IMPLEMENTATION NOTES 202Currently, the 203.Nm 204policy relies on superuser status |
| 198.Xr ( suser 9 ) | 205.Pq Xr suser 9 |
| 199in order to change network interface MLS labels. 200This will eventually go away, but it is currently a liability and may 201allow the superuser to bypass MLS protections. 202.Sh SEE ALSO 203.Xr mac 4 , 204.Xr mac_biba 4 , 205.Xr mac_bsdextended 4 , 206.Xr mac_ifoff 4 , --- 6 unchanged lines hidden (view full) --- 213.Xr mac_test 4 214.Xr maclabel 7 , 215.Xr mac 9 216.Sh HISTORY 217The 218.Nm 219policy module first appeared in 220.Fx 5.0 | 206in order to change network interface MLS labels. 207This will eventually go away, but it is currently a liability and may 208allow the superuser to bypass MLS protections. 209.Sh SEE ALSO 210.Xr mac 4 , 211.Xr mac_biba 4 , 212.Xr mac_bsdextended 4 , 213.Xr mac_ifoff 4 , --- 6 unchanged lines hidden (view full) --- 220.Xr mac_test 4 221.Xr maclabel 7 , 222.Xr mac 9 223.Sh HISTORY 224The 225.Nm 226policy module first appeared in 227.Fx 5.0 |
| 221and was developed by the TrustedBSD Project. | 228and was developed by the 229.Tn TrustedBSD 230Project. |
| 222.Sh AUTHORS 223This software was contributed to the 224.Fx 225Project by Network Associates Laboratories, 226the Security Research Division of Network Associates | 231.Sh AUTHORS 232This software was contributed to the 233.Fx 234Project by Network Associates Laboratories, 235the Security Research Division of Network Associates |
| 227Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), | 236Inc. under DARPA/SPAWAR contract N66001-01-C-8035 237.Pq Dq CBOSS , |
| 228as part of the DARPA CHATS research program. 229.Sh BUGS 230See 231.Xr mac 9 232concerning appropriateness for production use. | 238as part of the DARPA CHATS research program. 239.Sh BUGS 240See 241.Xr mac 9 242concerning appropriateness for production use. |
| 233The TrustedBSD MAC Framework is considered experimental in | 243The 244.Tn TrustedBSD 245MAC Framework is considered experimental in |
| 234.Fx . 235.Pp 236While the MAC Framework design is intended to support the containment of 237the root user, not all attack channels are currently protected by entry 238point checks. 239As such, MAC Framework policies should not be relied on, in isolation, 240to protect against a malicious privileged user. | 246.Fx . 247.Pp 248While the MAC Framework design is intended to support the containment of 249the root user, not all attack channels are currently protected by entry 250point checks. 251As such, MAC Framework policies should not be relied on, in isolation, 252to protect against a malicious privileged user. |