1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
|
.\"-
.\" Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
.\" Copyright (c) 2002 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed by Robert Watson for the TrustedBSD Project.
.\"
.\" This software was developed for the FreeBSD Project in part by Network
.\" Associates Laboratories, the Security Research Division of Network
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
.\" ("CBOSS"), as part of the DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd February 16, 2002
.Dt MAC 9
.Os
.Sh NAME
.Nm mac
.Nd TrustedBSD Mandatory Access Control framework
.Sh SYNOPSIS
.In sys/types.h
.In sys/mac.h
.Pp
In the kernel configuration file:
.Cd "options MAC"
.Cd "options MAC_DEBUG"
.Sh DESCRIPTION
.Ss Introduction
The
.Tn TrustedBSD
mandatory access control framework permits dynamically
introduced system security modules to modify system security functionality.
This can be used to support a variety of new security services, including
traditional labeled mandatory access control models.
The framework provides a series of entry points which must be called by
code supporting various kernel services, especially with respects to access
control points and object creation.
The framework then calls out to security modules to offer them the
opportunity to modify security behavior at those MAC API entry points.
Both consumers of the API (normal kernel services) and security modules
must be aware of the semantics of the API calls, particularly with respect
to synchronization primitives (such as locking).
.Ss Note on Appropriateness for Production Use
The
.Tn TrustedBSD
MAC Framework included in
.Fx 5.0
is considered experimental, and should not be deployed in production
environments without careful consideration of the risks associated with
the use of experimental operating system features.
.Ss Kernel Objects Supported by the Framework
The MAC framework manages labels on a variety of types of in-kernel
objects, including process credentials, vnodes, devfs_dirents, mount
points, sockets, mbufs, bpf descriptors, network interfaces, IP fragment
queues, and pipes.
Label data on kernel objects, represented by
.Vt "struct label" ,
is policy-unaware, and may be used in the manner seen fit by policy modules.
.Ss API for Consumers
The MAC API provides a large set of entry points, too broad to specifically
document here.
In general, these entry points represent an access control check or other
MAC-relevant operations, accept one or more subjects (credentials)
authorizing the activity, a set of objects on which the operation
is to be performed, and a set of operation arguments providing information
about the type of operation being requested.
.Ss Locking for Consumers
Consumers of the MAC API must be aware of the locking requirements for
each API entry point: generally, appropriate locks must be held over each
subject or object being passed into the call, so that MAC modules may
make use of various aspects of the object for access control purposes.
For example, vnode locks are frequently required in order that the MAC
framework and modules may retrieve security labels and attributes from the
vnodes for the purposes of access control.
Similarly, the caller must be aware of the reference counting semantics
of any subject or object passed into the MAC API: all calls require that
a valid reference to the object be held for the duration of the
(potentially lengthy) MAC API call.
Under some circumstances, objects must be held in either a shared or
exclusive manner.
.Ss API for Module Writers
Each module exports a structure describing the MAC API operations that
the module chooses to implement, including initialization and destruction
API entry points, a variety of object creation and destruction calls,
and a large set of access control check points.
In the future, additional audit entry points will also be present.
Module authors may choose to only implement a subset of the entry points,
setting API function pointers in the description structure to
.Dv NULL ,
permitting the framework to avoid calling into the module.
.Ss Locking for Module Writers
Module writers must be aware of the locking semantics of entry points
that they implement: MAC API entry points will have specific locking
or reference counting semantics for each argument, and modules must follow
the locking and reference counting protocol or risk a variety of failure
modes (including race conditions, inappropriate pointer dereferences,
etc).
.Pp
MAC module writers must also be aware that MAC API entry points will
frequently be invoked from deep in a kernel stack, and as such must be
careful to avoid violating more global locking requirements, such as
global lock order requirements.
For example, it may be inappropriate to lock additional objects not
specifically maintained and ordered by the policy module, or the
policy module might violate a global ordering requirement relating
to those additional objects.
.Pp
Finally, MAC API module implementors must be careful to avoid
inappropriately calling back into the MAC framework: the framework
makes use of locking to prevent inconsistencies during policy module
attachment and detachment.
MAC API modules should avoid producing scenarios in which deadlocks
or inconsistencies might occur.
.Ss Adding New MAC Entry Points
The MAC API is intended to be easily expandable as new services are
added to the kernel.
In order that policies may be guaranteed the opportunity to ubiquitously
protect system subjects and objects, it is important that kernel
developers maintain awareness of when security checks or relevant
subject or object operations occur in newly written or modified kernel
code.
New entry points must be carefully documented so as to prevent any
confusion regarding lock orders and semantics.
Introducing new entry points requires four distinct pieces of work:
introducing new MAC API entries reflecting the operation arguments,
scattering these MAC API entry points throughout the new or modified
kernel service, extending the front-end implementation of the MAC API
framework, and modifying appropriate modules to take advantage of
the new entry points so that they may consistently enforce their
policies.
.Sh ENTRY POINTS
System service and module authors should reference the
.%T "FreeBSD Developer's Handbook"
for information on the MAC Framework APIs.
.Sh SEE ALSO
.Xr acl 3 ,
.Xr cap 3 ,
.Xr mac 3 ,
.Xr posix1e 3 ,
.Xr lomac 4 ,
.Xr mac_biba 4 ,
.Xr mac_bsdextended 4 ,
.Xr mac_ifoff 4 ,
.Xr mac_mls 4 ,
.Xr mac_none 4 ,
.Xr mac_partition 4 ,
.Xr mac_seeotheruids 4 ,
.Xr mac_test 4 ,
.Xr ucred 9 ,
.Xr vaccess 9 ,
.Xr vaccess_acl_posix1e 9 ,
.Xr VFS 9
.Rs
.%T "The FreeBSD Developers' Handbook"
.%O "http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/developers-handbook/"
.Re
.Sh AUTHORS
This man page was written by
.An Robert Watson .
This software was contributed to the
.Fx
Project by Network Associates Laboratories, the Security Research
Division of Network Associates Inc. under DARPA/SPAWAR contract
N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.
.Pp
.An -nosplit
The
.Tn TrustedBSD
MAC Framework was designed by
.An Robert Watson ,
and implemented by the Network Associates Laboratories Network Security
(NETSEC), Secure Execution Environment (SEE), and Adaptive
Network Defense research groups.
Network Associates Laboratory staff contributing to the CBOSS Project
include (in alphabetical order):
.An Lee Badger ,
.An Brian Feldman ,
.An Tim Fraser ,
.An Doug Kilpatrick ,
.An Suresh Krishnaswamy ,
.An Adam Migus ,
.An Wayne Morrison ,
.An Chris Vance ,
and
.An Robert Watson .
.Pp
Sub-contracted staff include:
.An Chris Costello ,
.An Poul-Henning Kamp ,
.An Jonathan Lemon ,
.An Kirk McKusick ,
.An Dag-Erling Smorgrav .
.Pp
Additional contributors include:
.An Chris Faulhaber ,
.An Ilmar Habibulin ,
.An Thomas Moestl ,
and
.An Andrew Reiter .
.Sh HISTORY
The
.Tn TrustedBSD
MAC Framework first appeared in
.Fx 5.0 .
.Sh BUGS
See the earlier section in this document concerning appropriateness
for production use.
The
.Tn TrustedBSD
MAC Framework is considered experimental in
.Fx .
.Pp
While the MAC Framework design is intended to support the containment of
the root user, not all attack channels are currently protected by entry
point checks.
As such, MAC Framework policies should not be relied on, in isolation,
to protect against a malicious privileged user.
|