author: chris <chris@FreeBSD.org> 2003-02-23 21:47:03 +0000
committer: chris <chris@FreeBSD.org> 2003-02-23 21:47:03 +0000
commit: 46357b9840462650fb678759e413454a40104b77
tree: 1ebfe246d8b627f53cdd8df670bb92737cb3b969 /share/man/man4/mac.4
parent: 4531e083d41e4f3c0a7a7774a738392932c034c7
o Improve vocabulary/wording
o Expand on MAC policy enforcement on network interfaces
o Add cross-references to su(1) and setfsmac(8) where appropriate
o Comment out mmap revocation sysctls as they are a bit too experimental
o Add the standard BUGS section

Prompted by: rwatson
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'share/man/man4/mac.4')
-rw-r--r-- share/man/man4/mac.4 94
1 files changed, 60 insertions, 34 deletions
diff --git a/share/man/man4/mac.4 b/share/man/man4/mac.4
index 797c48b..d4d8527 100644
--- a/share/man/man4/mac.4
+++ b/share/man/man4/mac.4
@@ -43,7 +43,8 @@ The Mandatory Access Control, or MAC, framework allows administrators to
finely control system security by providing for a loadable security policy
architecture.
It is important to note that due to its nature, MAC security policies may
-only further restrict security; they cannot override traditional UNIX
+only restrict access relative to one another and the base system policy;
+they cannot override traditional UNIX
security provisions such as file permissions and superuser checks.
.Pp
Currently, the following MAC policy modules are shipped with
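Review bot: The replacement wording on the added lines, "only restrict access relative to one another and the base system policy", is harder to parse than the text it replaces and drops the word "further", which carried the key point that a policy can deny but never grant. Suggest something like "may only further restrict access beyond what other loaded policies and the base system policy allow", keeping the following clause about file permissions and superuser checks as is.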
@@ -60,15 +61,31 @@ Currently, the following MAC policy modules are shipped with
.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time
.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time
.El
+.Ss MAC Labels
+Each system subject (processes, sockets, etc.) and each system object
+(file system objects, sockets, etc.) can carry with it a MAC label.
+MAC labels contain data in an arbitrary format
+taken into consideration in making access control decisions
+for a given operation.
+Most MAC labels on system subjects and objects
+can be modified directly or indirectly by the system
+administrator.
+The format for a given policy's label may vary depending on the type
+of object or subject being labeled.
+More information on the format for MAC labels can be found in the
+.Xr maclabel 7
+man page.
.Ss MAC Support for UFS2 File Systems
-By default, file system enforcement of MAC policies relies on a single file
-system label
+By default, file system enforcement of labeled MAC policies relies on
+a single file system label
(see
.Sx "MAC Labels" )
in order to make access control decisions for all the files in a particular
file system.
-On most systems, this is not the most desirable configuration.
-In order to enable support for labeling files on an individual basis,
+With some policies, this configuration may not allow administrators to take
+full advantage of features.
+In order to enable support for labeling files on an individual basis
+for a particular file system,
the
.Dq multilabel
flag must be enabled on the file system.
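Review bot: In the UFS2 paragraph, "may not allow administrators to take full advantage of features" does not say which features are lost under a single file system label. Suggest stating the consequence directly, for example that policies which assign different labels to individual files need multilabel enabled on that file system. In the relocated MAC Labels text, "contain data in an arbitrary format taken into consideration in making access control decisions" would read better as "contain data in an arbitrary format that policies take into consideration when making access control decisions".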
@@ -88,18 +105,6 @@ or the special file
(in
.Pa /dev )
corresponding to the file system on which to enable multilabel support.
-.Ss MAC Labels
-Each system subject (processes, sockets, etc.) and each system object
-(file system objects, sockets, etc.) can carry with it a MAC label.
-MAC labels can contain data in an arbitrary format
-used by the MAC policies in order to help determine how to determine
-access rights for a given operation.
-Most MAC labels on system subjects and objects
-can be modified directly or indirectly by the system
-administrator.
-More information on the format for MAC labels can be found in the
-.Xr maclabel 7
-man page.
.Ss Policy Enforcement
MAC can be configured to enforce only specific portions of
policies
@@ -113,7 +118,11 @@ File system mounts, modifying directories, modifying files, etc.
Loading, unloading, and retrieving statistics on loaded kernel modules
.It Sy Network
Network interfaces,
-.Xr bpf 4
+.Xr bpf 4 ,
+packet delivery and transmission,
+interface configuration
+.Xr ( ioctl 2 ,
+.Xr ifconfig 8 )
.It Sy Pipes
Creation of and operation on
.Xr pipe 2
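Review bot: On the Network item, the bare ioctl(2) reference does not tell the reader which requests are subject to MAC checks; the surrounding words imply only interface configuration requests. Suggest saying so in the text, for example "interface configuration requests made through ioctl(2) or ifconfig(8)", so the entry is not read as covering every ioctl. The item also now mixes objects (network interfaces, bpf(4)) with operations (packet delivery and transmission); phrasing it like the Pipes entry would keep the list consistent.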
@@ -129,7 +138,7 @@ process execution
signalling
.Xr ( kill 2 )
.It Sy Sockets
-Creation and operation on
+Creation of and operation on
.Xr socket 2
objects
.It Sy System
@@ -156,17 +165,19 @@ files
.Ss Setting MAC Labels
From the command line, each type of system object has its own means for setting
and modifying its MAC policy label.
-.Bl -column "user (by login class)" "Xr login.conf 5" -offset indent
+.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent
.It Sy "Subject/Object" Ta Sy "Utility"
-.It "File system object" Ta Xr setfmac 8
+.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8
.It "Network interface" Ta Xr ifconfig 8
.It "TTY (by login class)" Ta Xr login.conf 5
.It "User (by login class)" Ta Xr login.conf 5
.El
.Pp
Additionally, the
+.Xr su 1
+and
.Xr setpmac 8
-command can be used to run a command with a different process label than
+utilities can be used to run a command with a different process label than
the shell's current label.
.Ss Programming With MAC
MAC security enforcement itself is transparent to application
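Review bot: The sentence that adds su(1) next to setpmac(8) does not say how su(1) chooses the new process label, and the table just above only ties user labels to login.conf(5). Suggest a short clause on where su(1) takes the label from, or a pointer to the relevant part of su(1), since running a command under a different label is a privilege-relevant operation that readers will want to be able to audit.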
@@ -186,7 +197,7 @@ MIBs are available for fine-tuning the enforcement of MAC policies.
Unless specifically noted, all MIBs default to
.Li 1
(that is, all areas are enforced by default):
-.Bl -tag -width "security.mac.mmap_revocation"
+.Bl -tag -width "security.mac.enforce_network"
.It Va security.mac.enforce_fs
Enforce MAC policies for file system accesses
.It Va security.mac.enforce_kld
@@ -214,17 +225,20 @@ Enforce MAC policies on
.Xr mmap 2
and
.Xr mprotect 2
-.It Va security.mac.mmap_revocation
-Revoke
-.Xr mmap 2
-access to files on subject relabel
-.It Va security.mac.mmap_revocation_via_cow
-Revoke
-.Xr mmap 2
-access to files via copy-on-write semantics;
-mapped regions will still appear writable, but will no longer
-effect a change on the underlying vnode
-(Default: 0)
+.\" *** XXX ***
+.\" Support for this feature is poor and should not be encouraged.
+.\"
+.\" .It Va security.mac.mmap_revocation
+.\" Revoke
+.\" .Xr mmap 2
+.\" access to files on subject relabel
+.\" .It Va security.mac.mmap_revocation_via_cow
+.\" Revoke
+.\" .Xr mmap 2
+.\" access to files via copy-on-write semantics;
+.\" mapped regions will still appear writable, but will no longer
+.\" effect a change on the underlying vnode
+.\" (Default: 0)
.El
.Sh SEE ALSO
.Xr mac 3 ,
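Review bot: Commenting out the security.mac.mmap_revocation and security.mac.mmap_revocation_via_cow entries removes the page's only description of what happens to existing mmap(2) mappings when a subject is relabeled, while the knobs themselves are not touched by this change. An administrator who comes across them on a running system then has no guidance on their effect or maturity. Suggest keeping a visible entry marked experimental, or a sentence in BUGS saying that mmap revocation is experimental, and extending the XXX comment with the condition under which the text can be restored.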
@@ -262,3 +276,15 @@ Project by Network Associates Labs,
the Security Research Division of Network Associates
Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
as part of the DARPA CHATS research program.
+.Sh BUGS
+See
+.Xr mac 9
+concerning appropriateness for production use.
+The TrustedBSD MAC Framework is considered experimental in
+.Fx .
+.Pp
+While the MAC Framework design is intended to support the containment of
+the root user, not all attack channels are currently protected by entry
+point checks.
+As such, MAC Framework policies should not be relied on, in isolation,
+to protect against a malicious privileged user.
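Review bot: In the new BUGS section, "not all attack channels are currently protected by entry point checks" names no channel, so a reader cannot judge which threats the framework leaves uncovered. Suggest listing the known unprotected areas or saying where they are tracked. Also consider leading with the statement that the framework is experimental and placing the pointer to mac(9) after it, so the caveat is not missed by readers who do not follow the cross-reference.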