author: chris <chris@FreeBSD.org> 2002-12-05 00:05:38 +0000
committer: chris <chris@FreeBSD.org> 2002-12-05 00:05:38 +0000
commit: b7154336a2e44c5cc155547003e3a761754f9bc4
tree: 6011355b28ad96a0f07ddb38f695bfa878c9aeb3 /share/man/man4/mac_biba.4
parent: adb9b4e9bec41e599dafb4a1adc720a9e55cf10b
Document the following MAC policies:
o Biba: A data integrity policy
o BSD Extended: Support for the firewall-like access controls (ugidfw(8))
o MLS: Multi-level security, a confidentiality policy

(These files originally lived in src/share/man/man9)

Approved by: re (blanket)
Sponsored by: DARPA, Network Associates Labs
Obtained from: TrustedBSD Project
Diffstat (limited to 'share/man/man4/mac_biba.4')
-rw-r--r-- share/man/man4/mac_biba.4 182
1 files changed, 182 insertions, 0 deletions
diff --git a/share/man/man4/mac_biba.4 b/share/man/man4/mac_biba.4
new file mode 100644
index 0000000..3d2dc6f
--- /dev/null
+++ b/share/man/man4/mac_biba.4
@@ -0,0 +1,182 @@
+.\" Copyright (c) 2002 Networks Associates Technology, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by Chris
+.\" Costello at Safeport Network Services and NAI Labs, the Security
+.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR
+.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS
+.\" research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.Dd NOVEMBER 18, 2002
+.Os
+.Dt MAC_BIBA 4
+.Sh NAME
+.Nm mac_biba
+.Nd Biba data integrity policy
+.Sh SYNOPSIS
+.Cd "options MAC"
+.Li "kldload mac_biba"
+.Sh DESCRIPTION
+The
+.Nm
+policy module implements the Biba integrity model,
+which protects the integrity of system objects and subjects by means of
+a strict information flow policy.
+In Biba, all system subjects and objects are assigned integrity labels, made
+up of hierarchal grades, and non-hierarchal components.
+Together, these label elements permit all labels to be placed in a partial
+order, with information flow protections based on a dominance operator
+describing the order.
+The hierarchal grade field is expressed as a value between 0 and 65535,
+with higher values reflecting higher integrity.
+The non-hierarchal compartment field is expressed as a set of up to 256
+components, numbered from 0 to 255.
+A complete label consists of both hierarchal and non-hierarchal elements.
+.Pp
+Three special label values exist:
+.Bl -column -offset indent ".Sy Label" ".Sy Comparison"
+.It Sy Label Ta Ta Sy Comparison
+.It Li biba/low Ta Ta Ta lower than all other labels
+.It Li biba/equal Ta equal to all other labels
+.It Li biba/high Ta higher than all other labels
+.El
+.Pp
+The
+.Dq biba/high
+label is assigned to system objects which affect the ingrity of the system
+as a whole.
+.Dq biba/equal
+may be used to indicate that a particular subject or object is exempt from
+the Biba protections.
+These special label values are not specified as containing any compartments,
+although in a label comparison,
+.Dq biba/high
+appears to contain all compartments,
+.Dq biba/equal
+the same compartments as the other label to which it is being compared,
+and
+.Dq biba/low
+none.
+.Pp
+Almost all system objects are tagged with a single, active label element,
+reflecting the integrity of the object, or integrity of the data contained
+in the object.
+In general, objects labels are represented in the following form:
+.Pp
+.Dl biba/grade:compartments
+.Pp
+For example:
+.Pp
+.Bd -literal -offset indent
+biba/10:2,3,6
+biba/low
+.Ed
+.Pp
+Subject labels consist of three label elements: a single (active) label,
+as well as a range of available labels.
+This range is represented using two ordered Biba label elements, and when set
+on a process, permits the process to change its active label to any label of
+greater or equal integrity to the low end of the range, and lesser or equal
+integrity to the high end of the range.
+In general, subject labels are represented in the following form:
+.Pp
+.Dl biba/singlegrade:singlecompartments(lograde:locompartments-
+.Dl higrade:hicompartments)
+.Pp
+For example:
+.Bd -literal -offset indent
+biba/10:2,3,6(5-20:2,3,4,5,6)
+biba/high(low-high)
+.Ed
+.Pp
+Valid ranged labels must meet the following requirement regarding their
+elements:
+.Pp
+.Dl rangehigh >= single >= rangelow
+.Pp
+One class of objects with ranges currently exists, the network interface.
+In the case of the network interface, the single label element references the
+default label for packets received over the interface, and the range
+represents the range of acceptable labels of packets to be transmitted over
+the interface.
+.Pp
+In general, Biba access control takes the following model:
+.Bl -bullet
+.It
+A subject at the same integrity level as an object may both read from
+and write to the object as though Biba protections were not in place.
+.It
+A subject at a higher integrity level than an object may write to the object,
+but not read the object.
+.It
+A subject at a lower integrity level than an object may read the object,
+but not write to the object.
+.It
+If the subject and object labels may not be compared in the partial order,
+all access is restricted.
+.El
+.Pp
+These rules prevent subjects of lower integrity from influencing the
+behavior of higher integrity subjects by preventing the flow of information,
+and hence control, from allowing low integrity subjects to modify either
+a high integrity object or high integrity subjects acting on those objects.
+Biba integrity policies may be appropriate in a number of environments,
+both from the perspective of preventing corruption of the operating system,
+and corruption of user data if marked as higher integrity than the attacker.
+In traditional trusted operating systems, the Biba integrity model is used
+to protect the Trusted Code Base (TCB).
+.Pp
+The Biba integrity model is similar to
+.Xr lomac 4 ,
+with the exception that LOMAC permits access by a higher integrity subject
+to a lower integrity object, but downgrades the integrity level of the subject
+to prevent integrity rules from being violated.
+Biba is a fixed label policy in that all subject and object label changes are
+explicit, whereas LOMAC is a floating label policy.
+.Pp
+The Biba integrity model is also similar to
+.Xr mac_mls 4 ,
+with the exception that the dominance operator and access rules are reversed,
+preventing the downward flow of information rather than the upward flow of
+information.
+Multi-Level Security (MLS) protects the confentiality, rather than the
+integrity, of subjects and objects.
+.Sh SEE ALSO
+.Xr LOMAC 4 ,
+.Xr mac_mls 4 ,
+.Xr mac 9
+.Sh HISTORY
+The
+.Nm
+policy module first appeared in
+.Fx 5.0
+and was developed by the TrustedBSD Project.
+.Sh AUTHORS
+This software was contributed to the
+.Fx
+Project by Network Associates Labs,
+the Security Research Division of Network Associates
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+as part of the DARPA CHATS research program.
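Review bot: the special-labels table under DESCRIPTION uses inconsistent column separators. The `.Bl -column` line declares two columns, but the header row has `Ta Ta`, the `biba/low` row has `Ta Ta Ta`, and the `biba/equal` and `biba/high` rows have a single `Ta`, so the comparison text will not line up across rows; use one `Ta` per row. Since this table is where a reader learns that `biba/equal` exempts a subject or object from the policy, it should render unambiguously. Smaller points in the same hunk: "ingrity" and "confentiality" are misspelled, "objects labels" should be "object labels", SEE ALSO has `.Xr LOMAC 4` where the body uses `.Xr lomac 4`, and "Trusted Code Base (TCB)" is normally expanded as Trusted Computing Base.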