xref: /freebsd-13-stable/share/man/man4/mac.4 (revision 677a7402cea46eb253a241b443471ab072e2b6a7)
1.\" Copyright (c) 2003 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Labs, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\"
19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.Dd June 10, 2023
32.Dt MAC 4
33.Os
34.Sh NAME
35.Nm mac
36.Nd Mandatory Access Control
37.Sh SYNOPSIS
38.Cd "options MAC"
39.Sh DESCRIPTION
40.Ss Introduction
41The Mandatory Access Control, or MAC, framework allows administrators to
42finely control system security by providing for a loadable security policy
43architecture.
44It is important to note that due to its nature, MAC security policies may
45only restrict access relative to one another and the base system policy;
46they cannot override traditional
47.Ux
48security provisions such as file permissions and superuser checks.
49.Pp
50Currently, the following MAC policy modules are shipped with
51.Fx :
52.Bl -column ".Xr mac_seeotheruids 4" "low-watermark mac policy" ".Em Labeling" "boot only"
53.It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time"
54.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only
55.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time
56.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time
57.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only
58.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only
59.It Xr mac_ntpd 4 Ta "Non-root NTP Daemon policy" Ta no Ta any time
60.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time
61.It Xr mac_portacl 4 Ta "Port bind(2) access control" Ta no Ta any time
62.It Xr mac_priority 4 Ta "Scheduling priority policy" Ta no Ta any time
63.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time
64.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time
65.El
66.Ss MAC Labels
67Each system subject (processes, sockets, etc.) and each system object
68(file system objects, sockets, etc.) can carry with it a MAC label.
69MAC labels contain data in an arbitrary format
70taken into consideration in making access control decisions
71for a given operation.
72Most MAC labels on system subjects and objects
73can be modified directly or indirectly by the system
74administrator.
75The format for a given policy's label may vary depending on the type
76of object or subject being labeled.
77More information on the format for MAC labels can be found in the
78.Xr maclabel 7
79man page.
80.Ss MAC Support for UFS2 File Systems
81By default, file system enforcement of labeled MAC policies relies on
82a single file system label
83(see
84.Sx "MAC Labels" )
85in order to make access control decisions for all the files in a particular
86file system.
87With some policies, this configuration may not allow administrators to take
88full advantage of features.
89In order to enable support for labeling files on an individual basis
90for a particular file system,
91the
92.Dq multilabel
93flag must be enabled on the file system.
94To set the
95.Dq multilabel
96flag, drop to single-user mode and unmount the file system,
97then execute the following command:
98.Pp
99.Dl "tunefs -l enable" Ar filesystem
100.Pp
101where
102.Ar filesystem
103is either the mount point
104(in
105.Xr fstab 5 )
106or the special file
107(in
108.Pa /dev )
109corresponding to the file system on which to enable multilabel support.
110.Ss Policy Enforcement
111Policy enforcement is divided into the following areas of the system:
112.Bl -ohang
113.It Sy "File System"
114File system mounts, modifying directories, modifying files, etc.
115.It Sy KLD
116Loading, unloading, and retrieving statistics on loaded kernel modules
117.It Sy Network
118Network interfaces,
119.Xr bpf 4 ,
120packet delivery and transmission,
121interface configuration
122.Xr ( ioctl 2 ,
123.Xr ifconfig 8 )
124.It Sy Pipes
125Creation of and operation on
126.Xr pipe 2
127objects
128.It Sy Processes
129Debugging
130(e.g.\&
131.Xr ktrace 2 ) ,
132process visibility
133.Pq Xr ps 1 ,
134process execution
135.Pq Xr execve 2 ,
136signalling
137.Pq Xr kill 2
138.It Sy Sockets
139Creation of and operation on
140.Xr socket 2
141objects
142.It Sy System
143Kernel environment
144.Pq Xr kenv 1 ,
145system accounting
146.Pq Xr acct 2 ,
147.Xr reboot 2 ,
148.Xr settimeofday 2 ,
149.Xr swapon 2 ,
150.Xr sysctl 3 ,
151.Xr nfsd 8 Ns
152-related operations
153.It Sy VM
154.Xr mmap 2 Ns
155-ed files
156.El
157.Ss Setting MAC Labels
158From the command line, each type of system object has its own means for setting
159and modifying its MAC policy label.
160.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent
161.It Sy "Subject/Object" Ta Sy "Utility"
162.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8
163.It "Network interface" Ta Xr ifconfig 8
164.It "TTY (by login class)" Ta Xr login.conf 5
165.It "User (by login class)" Ta Xr login.conf 5
166.El
167.Pp
168Additionally, the
169.Xr su 1
170and
171.Xr setpmac 8
172utilities can be used to run a command with a different process label than
173the shell's current label.
174.Ss Programming With MAC
175MAC security enforcement itself is transparent to application
176programs, with the exception that some programs may need to be aware of
177additional
178.Xr errno 2
179returns from various system calls.
180.Pp
181The interface for retrieving, handling, and setting policy labels
182is documented in the
183.Xr mac 3
184man page.
185.\" *** XXX ***
186.\" Support for this feature is poor and should not be encouraged.
187.\"
188.\" .It Va security.mac.mmap_revocation
189.\" Revoke
190.\" .Xr mmap 2
191.\" access to files on subject relabel.
192.\" .It Va security.mac.mmap_revocation_via_cow
193.\" Revoke
194.\" .Xr mmap 2
195.\" access to files via copy-on-write semantics;
196.\" mapped regions will still appear writable, but will no longer
197.\" effect a change on the underlying vnode.
198.\" (Default: 0).
199.Sh SEE ALSO
200.Xr mac 3 ,
201.Xr mac_biba 4 ,
202.Xr mac_bsdextended 4 ,
203.Xr mac_ifoff 4 ,
204.Xr mac_lomac 4 ,
205.Xr mac_mls 4 ,
206.Xr mac_none 4 ,
207.Xr mac_ntpd 4 ,
208.Xr mac_partition 4 ,
209.Xr mac_portacl 4 ,
210.Xr mac_priority 4 ,
211.Xr mac_seeotheruids 4 ,
212.Xr mac_stub 4 ,
213.Xr mac_test 4 ,
214.Xr login.conf 5 ,
215.Xr maclabel 7 ,
216.Xr getfmac 8 ,
217.Xr getpmac 8 ,
218.Xr setfmac 8 ,
219.Xr setpmac 8 ,
220.Xr mac 9
221.Rs
222.%B "The FreeBSD Handbook"
223.%T "Mandatory Access Control"
224.%U https://docs.FreeBSD.org/en/books/handbook/mac/
225.Re
226.Sh HISTORY
227The
228.Nm
229implementation first appeared in
230.Fx 5.0
231and was developed by the
232.Tn TrustedBSD
233Project.
234.Sh AUTHORS
235This software was contributed to the
236.Fx
237Project by Network Associates Labs,
238the Security Research Division of Network Associates
239Inc.
240under DARPA/SPAWAR contract N66001-01-C-8035
241.Pq Dq CBOSS ,
242as part of the DARPA CHATS research program.
243.Sh BUGS
244While the MAC Framework design is intended to support the containment of
245the root user, not all attack channels are currently protected by entry
246point checks.
247As such, MAC Framework policies should not be relied on, in isolation,
248to protect against a malicious privileged user.
249