| Field | Value | Date |
|---|---|---|
| author | chris <chris@FreeBSD.org> | 2003-02-23 21:47:03 +0000 |
| committer | chris <chris@FreeBSD.org> | 2003-02-23 21:47:03 +0000 |
| commit | 46357b9840462650fb678759e413454a40104b77 (patch) | |
| tree | 1ebfe246d8b627f53cdd8df670bb92737cb3b969 /share/man/man4/mac.4 | |
| parent | 4531e083d41e4f3c0a7a7774a738392932c034c7 (diff) | |
| download | FreeBSD-src-46357b9840462650fb678759e413454a40104b77.zip, FreeBSD-src-46357b9840462650fb678759e413454a40104b77.tar.gz | |
o Improve vocabulary/wording
o Expand on MAC policy enforcement on network interfaces
o Add cross-references to su(1) and setfsmac(8) where appropriate
o Comment out mmap revocation sysctls as they are a bit too experimental
o Add the standard BUGS section
Prompted by: rwatson
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'share/man/man4/mac.4')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | share/man/man4/mac.4 | 94 |

1 files changed, 60 insertions, 34 deletions
diff --git a/share/man/man4/mac.4 b/share/man/man4/mac.4 index 797c48b..d4d8527 100644 --- a/share/man/man4/mac.4 +++ b/share/man/man4/mac.4 @@ -43,7 +43,8 @@ The Mandatory Access Control, or MAC, framework allows administrators to finely control system security by providing for a loadable security policy architecture. It is important to note that due to its nature, MAC security policies may -only further restrict security; they cannot override traditional UNIX +only restrict access relative to one another and the base system policy; +they cannot override traditional UNIX security provisions such as file permissions and superuser checks. .Pp Currently, the following MAC policy modules are shipped with 
@@ -60,15 +61,31 @@ Currently, the following MAC policy modules are shipped with .It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time .It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time .El +.Ss MAC Labels +Each system subject (processes, sockets, etc.) and each system object +(file system objects, sockets, etc.) can carry with it a MAC label. +MAC labels contain data in an arbitrary format +taken into consideration in making access control decisions +for a given operation. +Most MAC labels on system subjects and objects +can be modified directly or indirectly by the system +administrator. +The format for a given policy's label may vary depending on the type +of object or subject being labeled. +More information on the format for MAC labels can be found in the +.Xr maclabel 7 +man page. .Ss MAC Support for UFS2 File Systems -By default, file system enforcement of MAC policies relies on a single file -system label +By default, file system enforcement of labeled MAC policies relies on +a single file system label (see .Sx "MAC Labels" ) in order to make access control decisions for all the files in a particular file system. -On most systems, this is not the most desirable configuration. -In order to enable support for labeling files on an individual basis, +With some policies, this configuration may not allow administrators to take +full advantage of features. +In order to enable support for labeling files on an individual basis +for a particular file system, the .Dq multilabel flag must be enabled on the file system. 
@@ -88,18 +105,6 @@ or the special file (in .Pa /dev ) corresponding to the file system on which to enable multilabel support. -.Ss MAC Labels -Each system subject (processes, sockets, etc.) and each system object -(file system objects, sockets, etc.) can carry with it a MAC label. -MAC labels can contain data in an arbitrary format -used by the MAC policies in order to help determine how to determine -access rights for a given operation. -Most MAC labels on system subjects and objects -can be modified directly or indirectly by the system -administrator. -More information on the format for MAC labels can be found in the -.Xr maclabel 7 -man page. .Ss Policy Enforcement MAC can be configured to enforce only specific portions of policies @@ -113,7 +118,11 @@ File system mounts, modifying directories, modifying files, etc. Loading, unloading, and retrieving statistics on loaded kernel modules .It Sy Network Network interfaces, -.Xr bpf 4 +.Xr bpf 4 , +packet delivery and transmission, +interface configuration +.Xr ( ioctl 2 , +.Xr ifconfig 8 ) .It Sy Pipes Creation of and operation on .Xr pipe 2 @@ -129,7 +138,7 @@ process execution signalling .Xr ( kill 2 ) .It Sy Sockets -Creation and operation on +Creation of and operation on .Xr socket 2 objects .It Sy System 
@@ -156,17 +165,19 @@ files .Ss Setting MAC Labels From the command line, each type of system object has its own means for setting and modifying its MAC policy label. -.Bl -column "user (by login class)" "Xr login.conf 5" -offset indent +.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent .It Sy "Subject/Object" Ta Sy "Utility" -.It "File system object" Ta Xr setfmac 8 +.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8 .It "Network interface" Ta Xr ifconfig 8 .It "TTY (by login class)" Ta Xr login.conf 5 .It "User (by login class)" Ta Xr login.conf 5 .El .Pp Additionally, the +.Xr su 1 +and .Xr setpmac 8 -command can be used to run a command with a different process label than +utilities can be used to run a command with a different process label than the shell's current label. .Ss Programming With MAC MAC security enforcement itself is transparent to application @@ -186,7 +197,7 @@ MIBs are available for fine-tuning the enforcement of MAC policies. Unless specifically noted, all MIBs default to .Li 1 (that is, all areas are enforced by default): -.Bl -tag -width "security.mac.mmap_revocation" +.Bl -tag -width "security.mac.enforce_network" .It Va security.mac.enforce_fs Enforce MAC policies for file system accesses .It Va security.mac.enforce_kld 
@@ -214,17 +225,20 @@ Enforce MAC policies on .Xr mmap 2 and .Xr mprotect 2 -.It Va security.mac.mmap_revocation -Revoke -.Xr mmap 2 -access to files on subject relabel -.It Va security.mac.mmap_revocation_via_cow -Revoke -.Xr mmap 2 -access to files via copy-on-write semantics; -mapped regions will still appear writable, but will no longer -effect a change on the underlying vnode -(Default: 0) +.\" *** XXX *** +.\" Support for this feature is poor and should not be encouraged. +.\" +.\" .It Va security.mac.mmap_revocation +.\" Revoke +.\" .Xr mmap 2 +.\" access to files on subject relabel +.\" .It Va security.mac.mmap_revocation_via_cow +.\" Revoke +.\" .Xr mmap 2 +.\" access to files via copy-on-write semantics; +.\" mapped regions will still appear writable, but will no longer +.\" effect a change on the underlying vnode +.\" (Default: 0) .El .Sh SEE ALSO .Xr mac 3 , @@ -262,3 +276,15 @@ Project by Network Associates Labs, the Security Research Division of Network Associates Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research program. +.Sh BUGS +See +.Xr mac 9 +concerning appropriateness for production use. +The TrustedBSD MAC Framework is considered experimental in +.Fx . +.Pp +While the MAC Framework design is intended to support the containment of +the root user, not all attack channels are currently protected by entry +point checks. +As such, MAC Framework policies should not be relied on, in isolation, +to protect against a malicious privileged user. |
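Review bot: the replacement wording in the first hunk (@@ -43,7), "only restrict access relative to one another and the base system policy", is harder to parse than the line it replaces and can be read as policies restricting each other rather than the subject. If the intended meaning is that loading several policies never yields a more permissive result than any one of them or than the base UNIX checks, say that directly, e.g. "MAC policies can only further restrict access; when several are loaded, an operation is permitted only if every policy and the base system permit it", and keep the existing "they cannot override traditional UNIX security provisions" sentence as the concrete consequence.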
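Review bot: in the hunk that moves the "MAC Labels" subsection (@@ -60,15), the sentence "MAC labels contain data in an arbitrary format taken into consideration in making access control decisions for a given operation" drops the subject of the old wording (the policies) and reads as a dangling participle; suggest "MAC labels contain data, in a format defined by each policy, that the policy consults when making access control decisions for a given operation." Naming the policy as the owner of the format also keeps it consistent with the following new sentence, "The format for a given policy's label may vary depending on the type of object or subject being labeled." In the same hunk, "may not allow administrators to take full advantage of features" leaves "features" unqualified; "of that policy's features" is clearer.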
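Review bot: in the "Setting MAC Labels" hunk (@@ -156,17), listing su(1) alongside setpmac(8) as utilities that "run a command with a different process label" implies both take a label argument. The table just above ties user labels to login.conf(5), so one clause saying which of the two takes an explicit label on the command line and which derives it from the target user's login class would stop readers from looking for a label flag on su(1). The -column width string "Xr setfmac 8 , Xr setfsmac 8" follows the existing "Xr login.conf 5" convention, so that part is fine.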
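Review bot: the hunk that comments out the mmap revocation entries (@@ -214,17) hides two MIBs that, per the commit message, are commented out for being experimental rather than removed; an administrator who encounters security.mac.mmap_revocation via sysctl(8) will find no documentation for it. Consider keeping a one-line entry for each that states it is experimental and not recommended (the removed text already records "(Default: 0)" for security.mac.mmap_revocation_via_cow, which is worth preserving), rather than leaving that information only in a roff comment.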
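Review bot: the new BUGS section (@@ -262,3) says "not all attack channels are currently protected by entry point checks" without indicating where the gaps are, so "should not be relied on, in isolation" gives an administrator nothing actionable. Since the first sentence already points at mac(9), consider stating there which areas lack entry point checks, or pointing to where mac(9) documents the covered entry points, and naming what still applies alongside the framework; the file permissions and superuser checks mentioned at the top of the page are the obvious candidates.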