From 5ff6e23e4103a7955f31ad59971fb6b0b21fd215 Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 2 Dec 2002 01:04:37 +0000 Subject: Document the MLS policy Approved by: re Sponsored by: DARPA, Network Associates Labs Obtained from: TrustedBSD Project --- share/man/man9/Makefile | 2 +- share/man/man9/mac_mls.9 | 202 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 203 insertions(+), 1 deletion(-) create mode 100644 share/man/man9/mac_mls.9 (limited to 'share') diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index c3500be..8451c74 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -48,7 +48,7 @@ MAN= BUF_LOCK.9 BUF_LOCKFREE.9 BUF_LOCKINIT.9 BUF_REFCNT.9 \ jumbo.9 \ kernacc.9 kobj.9 kthread.9 ktr.9 \ lock.9 \ - mac.9 mac_biba.9 mac_bsdextended.9 \ + mac.9 mac_biba.9 mac_bsdextended.9 mac_mls.9 \ make_dev.9 malloc.9 mbchain.9 mbuf.9 mdchain.9 \ mi_switch.9 microseq.9 microtime.9 microuptime.9 \ module.9 mtx_pool.9 mutex.9 \ diff --git a/share/man/man9/mac_mls.9 b/share/man/man9/mac_mls.9 new file mode 100644 index 0000000..15ffba8 --- /dev/null +++ b/share/man/man9/mac_mls.9 @@ -0,0 +1,202 @@ +.\" Copyright (c) 2002 Networks Associates Technology, Inc. +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by Chris +.\" Costello at Safeport Network Services and Network Associates Labs, +.\" the Security Research Division of Network Associates, Inc. under +.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the +.\" DARPA CHATS research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.Dd DECEMBER 1, 2002 +.Os +.Dt MAC_MLS 9 +.Sh NAME +.Nm mac_mls +.Nd Multi-Level Security confidentiality policy +.Sh SYNOPSIS +To compile MLS into your kernel, place the following lines in your kernel +configuration file: +.Cd "options MAC" +.Cd "options MAC_MLS" +.Pp +Alternately, to load the MLS module at boot time, place the following line +in your kernel configuration file: +.Cd "options MAC" +.Pp +and in +.Xr loader.conf 5 : +.Cd mac_mls_load= Ns \&"YES" +.Sh DESCRIPTION +The +.Nm +policy module implements the Multi-Level Security, or MLS model, +which controls accesses between subjects and objects based on their +confidentiality by means of a strict information flow policy. +Each subject and object in the system has an MLS label associated with it; +each subject's MLS label contains information on its clearance level, +and each object's MLS label contains information on its classification. +.Pp +In MLS, all system subjects and objects are assigned confidentiality labels, +made up of a sensitivity level and zero or more compartments. +Together, these label elements permit all labels to be placed in a partial +order, with confidentiality protections based on a dominance operator +describing the order. +The sensitivity level is expressed as a value between 0 and +65535, with higher values reflecting higher sensitivity levels. +The compartment field is expressed as a set of up to 256 components, +numbered from 0 to 255. +A complete label consists of both sensitivity and compartment +elements. +.Pp +With normal labels, dominance is defined as a label having a higher +or equal active sensitivity level, and having at least +all of the same compartments as the label to which it is being compared. +With respect to label comparisons, +.Dq lower +is defined as being dominated by the label to which it is being compared, +and +.Dq higher +is defined as dominating the label to which it is being compared, +and +.Dq equal +is defined as both labels being able to satisfy the dominance requirements +over one another. +.Pp +Three special label values exist: +.Bl -column -offset indent ".Sy Label" ".Sy Comparison" +.It Sy Label Ta Ta Sy Comparison +.It Li mls/low Ta Ta dominated by all other labels +.It Li mls/equal Ta equal to all other labels +.It Li mls/high Ta Ta dominates all other labels +.El +.Pp +The MLS model enforces the following basic restrictions: +.Bl -bullet +.It +Subjects may not observe the processes of another subject if its +clearance level is lower than the clearance level of the object it is +attempting to observe. +.It +Subjects may not read, write, or otherwise observe objects without proper +clearance (i.e. subjects may not observe objects whose classification label +dominates its own clearance label) +.It +Subjects may not write to objects with a lower classification level than +its own clearance level. +.It +A subject may read and write to an object if its clearance level is equal +to the object's classification level as though MLS protections were not in +place. +.El +.Pp +These rules prevent subjects of lower clearance from gaining access +information classified beyond its clearance level in order to protect the +confidentiality of classified information, subjects of higher clearance +from writing to objects of lower classification in order to prevent the +accidental or malicious leaking of information, and subjects of lower +clearance from observing subjects of higher clearance altogether. +In traditional trusted operating systems, the MLS confidentiality model is +used in concert with the Biba integrity model +.Xr ( mac_biba 9 ) +in order to protect the Trusted Code Base (TCB). +.Ss Label Format +Almost all system objects are tagged with a single, active label element, +reflecting the classification of the object, or classification of the data +contained in the object. +In general, object labels are represented in the following form: +.Pp +.Dl mls/grade:compartments +.Pp +For example: +.Pp +.Bd -literal -offset indent +mls/10:2,3,6 +mls/low +.Ed +.Pp +Subject labels consist of three label elements: a single (active) label, +as well as a range of available labels. +This range is represented using two ordered MLS label elements, and when set +on a process, permits the process to change its active label to any label of +greater or equal integrity to the low end of the range, and lesser or equal +integrity to the high end of the range. +In general, subject labels are represented in the following form: +.Pp +.Dl mls/singlegrade:singlecompartments(lograde:locompartments- +.Dl higrade:hicompartments) +.Pp +For example: +.Bd -literal -offset indent +mls/10:2,3,6(5-20:2,3,4,5,6) +mls/high(low-high) +.Ed +.Pp +Valid ranged labels must meet the following requirement regarding their +elements: +.Pp +.Dl rangehigh >= single >= rangelow +.Pp +One class of objects with ranges currently exists, the network interface. +In the case of the network interface, the single label element references +the default label for packets received over the interface, and the range +represents the range of acceptable labels of packets to be transmitted over +the interface. +.Sh IMPLEMENTATION NOTES +Currently, the +.Nm +policy relies on superuser status +.Xr ( suser_cred 9 ) +in order to change network interface MLS labels. +This will eventually go away, but it is currently a liability and may +allow the superuser to bypass MLS protections. +.Sh SEE ALSO +.Xr maclabel 7 , +.Xr mac 9 , +.Xr mac_biba 9 +.Sh HISTORY +The +.Nm +policy module first appeared in +.Fx 5.0 +and was developed by the TrustedBSD Project. +.Sh AUTHORS +This software was contributed to the +.Fx +Project by Network Associates Labs, +the Security Research Division of Network Associates +Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), +as part of the DARPA CHATS research program. +.Sh BUGS +See +.Xr mac 9 +concerning appropriateness for production use. +The TrustedBSD MAC Framework is considered experimental in +.Fx . +.Pp +While the MAC Framework design is intended to support the containment of +the root user, not all attack channels are currently protected by entry +point checks. +As such, MAC Framework policies should not be relied on, in isolation, +to protect against a malicious privileged user. -- cgit v1.1