All rights reserved.
This software was developed for the FreeBSD Project by Chris Costello
at Safeport Network Services and Network Associates Labs, the
Security Research Division of Network Associates, Inc. under
DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
DARPA CHATS research program.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
$FreeBSD: head/share/man/man4/mac.4 110970 2003-02-16 00:57:48Z chris $
.Dd JANUARY 8, 2003 .Os .Dt MAC 4 .Sh NAME .Nm mac .Nd Mandatory Access Control .Sh SYNOPSIS .Cd "options MAC" .Sh DESCRIPTION .Ss Introduction The Mandatory Access Control, or MAC, framework allows administrators to finely control system security by providing for a loadable security policy architecture. It is important to note that due to its nature, MAC security policies may only further restrict security; they cannot override traditional UNIX security provisions such as file permissions and superuser checks.
p Currently, the following MAC policy modules are shipped with .Fx : l -column ".Xr mac_seeotheruids 4" "low-watermark mac policy " ".Em Labeling" "boot only" t Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time" t Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only t Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time t Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time t Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only t Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only t Xr mac_none 4 Ta "Sample no-op policy" Ta no Ta any time t Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time t Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time t Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time .El .Ss MAC Support for UFS2 File Systems By default, file system enforcement of MAC policies relies on a single file system label (see .Sx "MAC Labels" ) in order to make access control decisions for all the files in a particular file system. On most systems, this is not the most desirable configuration. In order to enable support for labeling files on an individual basis, the .Dq multilabel flag must be enabled on the file system. To set the .Dq multilabel flag, drop to single-user mode and unmount the file system, then execute the following command:
p .Dl "tunefs -l enable" Sy filesystem
p where .Sy filesystem is either the mount point (in .Xr fstab 5 ) or the special file (in
a /dev ) corresponding to the file system on which to enable multilabel support. .Ss MAC Labels Each system subject (processes, sockets, etc.) and each system object (file system objects, sockets, etc.) can carry with it a MAC label. MAC labels can contain data in an arbitrary format used by the MAC policies in order to help determine how to determine access rights for a given operation. Most MAC labels on system subjects and objects can be modified directly or indirectly by the system administrator. More information on the format for MAC labels can be found in the .Xr maclabel 7 man page. .Ss Policy Enforcement MAC can be configured to enforce only specific portions of policies (see .Sx "Runtime Configuration" ) . Policy enforcement is divided into the following areas of the system: l -ohang t Sy File System File system mounts, modifying directories, modifying files, etc. t Sy KLD Loading, unloading, and retrieving statistics on loaded kernel modules t Sy Network Network interfaces, .Xr bpf 4 t Sy Pipes Creation of and operation on .Xr pipe 2 objects t Sy Processes Debugging (e.g. .Xr ktrace 2 ) , process visibility .Xr ( ps 1 ) , process execution .Xr ( execve 2 ) , signalling .Xr ( kill 2 ) t Sy Sockets Creation and operation on .Xr socket 2 objects t Sy System Kernel environment .Xr ( kenv 1 ) , system accounting .Xr ( acct 2 ) , .Xr reboot 2 , .Xr settimeofday 2 , .Xr swapon 2 , .Xr sysctl 3 , .Sm off .Xr nfsd 8 - related .Sm on operations t Sy VM .Sm off .Xr mmap 2 - ed .Sm on files .El .Ss Setting MAC Labels From the command line, each type of system object has its own means for setting and modifying its MAC policy label. l -column "user (by login class)" "Xr login.conf 5" -offset indent t Sy "Subject/Object" Ta Sy "Utility" t "File system object" Ta Xr setfmac 8 t "Network interface" Ta Xr ifconfig 8 t "TTY (by login class)" Ta Xr login.conf 5 t "User (by login class)" Ta Xr login.conf 5 .El
p Additionally, the .Xr setpmac 8 command can be used to run a command with a different process label than the shell's current label. .Ss Programming With MAC MAC security enforcement itself is transparent to application programs, with the exception that some programs may need to be aware of additional .Xr errno 2 returns from various system calls.
p The interface for retrieving, handling, and setting policy labels is documented in the .Xr mac 3 man page. .Ss Runtime Configuration The following .Xr sysctl 8 MIBs are available for fine-tuning the enforcement of MAC policies. Unless specifically noted, all MIBs default to .Li 1 (that is, all areas are enforced by default): l -tag -width "security.mac.mmap_revocation" t Va security.mac.enforce_fs Enforce MAC policies for file system accesses t Va security.mac.enforce_kld Enforce MAC policies on .Xr kld 4 t Va security.mac.enforce_network Enforce MAC policies on network interfaces t Va security.mac.enforce_pipe Enforce MAC policies on pipes t Va security.mac.enforce_process Enforce MAC policies between system processes (e.g. .Xr ps 1 , .Xr ktrace 2 ) t Va security.mac.enforce_socket Enforce MAC policies on sockets t Va security.mac.enforce_system Enforce MAC policies on system-related items (e.g. .Xr kenv 1 , .Xr acct 2 , .Xr reboot 2 ) t Va security.mac.enforce_vm Enforce MAC policies on .Xr mmap 2 and .Xr mprotect 2 t Va security.mac.mmap_revocation Revoke .Xr mmap 2 access to files on subject relabel t Va security.mac.mmap_revocation_via_cow Revoke .Xr mmap 2 access to files via copy-on-write semantics; mapped regions will still appear writable, but will no longer effect a change on the underlying vnode (Default: 0) .El .Sh SEE ALSO .Xr mac 3 , .Xr mac_biba 4 , .Xr mac_bsdextended 4 , .Xr mac_ifoff 4 , .Xr mac_lomac 4 , .Xr mac_mls 4 , .Xr mac_none 4 , .Xr mac_partition 4 , .Xr mac_seeotheruids 4 , .Xr mac_test 4 , .Xr login.5 , .Xr maclabel 7 , .Xr getfmac 8 , .Xr setfmac 8 , .Xr getpmac 8 , .Xr setpmac 8 , .Xr mac 9 .Rs .%B "The FreeBSD Handbook" .%T "Mandatory Access Control" .%O http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html .Re .Sh HISTORY The .Nm implementation first appeared in .Fx 5.0 and was developed by the TrustedBSD Project. .Sh AUTHORS This software was contributed to the .Fx Project by Network Associates Labs, the Security Research Division of Network Associates Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research program.