| mac_partition.4 (115211) | mac_partition.4 (115643) |
|---|---|
| 1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. --- 14 unchanged lines hidden (view full) --- 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" | 1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. --- 14 unchanged lines hidden (view full) --- 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" |
| 31.\" $FreeBSD: head/share/man/man4/mac_partition.4 115211 2003-05-21 15:55:40Z ru $ 32.Dd DECEMBER 9, 2002 | 31.\" $FreeBSD: head/share/man/man4/mac_partition.4 115643 2003-06-01 21:52:59Z ru $ 32.\" 33.Dd December 9, 2002 |
| 33.Os 34.Dt MAC_PARTITION 4 35.Sh NAME 36.Nm mac_partition | 34.Os 35.Dt MAC_PARTITION 4 36.Sh NAME 37.Nm mac_partition |
| 37.Nd process partition policy | 38.Nd "process partition policy" |
| 38.Sh SYNOPSIS 39To compile the process partition policy into your kernel, 40place the following lines in your kernel 41configuration file: | 39.Sh SYNOPSIS 40To compile the process partition policy into your kernel, 41place the following lines in your kernel 42configuration file: |
| 43.Bd -ragged -offset indent |
|
| 42.Cd "options MAC" 43.Cd "options MAC_PARTITION" | 44.Cd "options MAC" 45.Cd "options MAC_PARTITION" |
| 46.Ed |
|
| 44.Pp 45Alternately, to load the process partition module at boot time, 46place the following line in your kernel configuration file: | 47.Pp 48Alternately, to load the process partition module at boot time, 49place the following line in your kernel configuration file: |
| 50.Bd -ragged -offset indent |
|
| 47.Cd "options MAC" | 51.Cd "options MAC" |
| 52.Ed |
|
| 48.Pp 49and in 50.Xr loader.conf 5 : | 53.Pp 54and in 55.Xr loader.conf 5 : |
| 51.Cd mac_partition_load= Ns \&"YES" | 56.Bd -literal -offset indent 57mac_partition_load="YES" 58.Ed |
| 52.Sh DESCRIPTION 53The 54.Nm 55policy module implements a process partition policy, 56which allows administrators to place running processes into | 59.Sh DESCRIPTION 60The 61.Nm 62policy module implements a process partition policy, 63which allows administrators to place running processes into |
| 57.Dq partitions, | 64.Dq partitions , |
| 58based on their numeric process partition 59(specified in the process's MAC label). 60Processes with a specified partition can only see processes that are in the 61same partition. 62If no partition is specified for a process, it can see all other processes 63in the system 64(subject to other MAC policy restrictions not defined in this man page). | 65based on their numeric process partition 66(specified in the process's MAC label). 67Processes with a specified partition can only see processes that are in the 68same partition. 69If no partition is specified for a process, it can see all other processes 70in the system 71(subject to other MAC policy restrictions not defined in this man page). |
| 65No provisions for placing processes into multiple partitions is available. | 72No provisions for placing processes into multiple partitions are available. |
| 66.Ss Label Format 67Partition labels take on the following format: 68.Pp | 73.Ss Label Format 74Partition labels take on the following format: 75.Pp |
| 69.Dl partition/ Ns Sy value | 76.Sm off 77.Dl Li partition / Ar value 78.Sm on |
| 70.Pp 71Where | 79.Pp 80Where |
| 72.Sy value | 81.Ar value |
| 73can be any integer value or | 82can be any integer value or |
| 74.Dq none . | 83.Dq Li none . |
| 75For example: | 84For example: |
| 76.Pp | |
| 77.Bd -literal -offset indent 78partition/1 79partition/20 80partition/none 81.Ed 82.Sh SEE ALSO 83.Xr lomac 4 , 84.Xr mac 4 , --- 8 unchanged lines hidden (view full) --- 93.Xr mac_test 4 , 94.Xr maclabel 7 , 95.Xr mac 9 96.Sh HISTORY 97The 98.Nm 99policy module first appeared in 100.Fx 5.0 | 85.Bd -literal -offset indent 86partition/1 87partition/20 88partition/none 89.Ed 90.Sh SEE ALSO 91.Xr lomac 4 , 92.Xr mac 4 , --- 8 unchanged lines hidden (view full) --- 101.Xr mac_test 4 , 102.Xr maclabel 7 , 103.Xr mac 9 104.Sh HISTORY 105The 106.Nm 107policy module first appeared in 108.Fx 5.0 |
| 101and was developed by the TrustedBSD Project. | 109and was developed by the 110.Tn TrustedBSD 111Project. |
| 102.Sh AUTHORS 103This software was contributed to the 104.Fx 105Project by Network Associates Labs, 106the Security Research Division of Network Associates | 112.Sh AUTHORS 113This software was contributed to the 114.Fx 115Project by Network Associates Labs, 116the Security Research Division of Network Associates |
| 107Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), | 117Inc. under DARPA/SPAWAR contract N66001-01-C-8035 118.Pq Dq CBOSS , |
| 108as part of the DARPA CHATS research program. 109.Sh BUGS 110See 111.Xr mac 9 112concerning appropriateness for production use. | 119as part of the DARPA CHATS research program. 120.Sh BUGS 121See 122.Xr mac 9 123concerning appropriateness for production use. |
| 113The TrustedBSD MAC Framework is considered experimental in | 124The 125.Tn TrustedBSD 126MAC Framework is considered experimental in |
| 114.Fx . 115.Pp 116While the MAC Framework design is intended to support the containment of 117the root user, not all attack channels are currently protected by entry 118point checks. 119As such, MAC Framework policies should not be relied on, in isolation, 120to protect against a malicious privileged user. | 127.Fx . 128.Pp 129While the MAC Framework design is intended to support the containment of 130the root user, not all attack channels are currently protected by entry 131point checks. 132As such, MAC Framework policies should not be relied on, in isolation, 133to protect against a malicious privileged user. |