2004-07-16 02:04:41 +00:00
|
|
|
.\" Copyright (c) 2002-2004 Networks Associates Technology, Inc.
|
2002-12-02 01:04:37 +00:00
|
|
|
.\" All rights reserved.
|
2003-05-21 15:55:40 +00:00
|
|
|
.\"
|
2003-01-08 11:06:22 +00:00
|
|
|
.\" This software was developed for the FreeBSD Project by Chris Costello
|
|
|
|
.\" at Safeport Network Services and Network Associates Laboratories, the
|
|
|
|
.\" Security Research Division of Network Associates, Inc. under
|
2002-12-02 01:04:37 +00:00
|
|
|
.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
|
|
|
|
.\" DARPA CHATS research program.
|
2003-05-21 15:55:40 +00:00
|
|
|
.\"
|
2002-12-02 01:04:37 +00:00
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
2003-05-21 15:55:40 +00:00
|
|
|
.\"
|
2002-12-02 01:04:37 +00:00
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
|
|
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
.\" SUCH DAMAGE.
|
2003-05-21 15:55:40 +00:00
|
|
|
.\"
|
2002-12-02 01:04:37 +00:00
|
|
|
.\" $FreeBSD$
|
2003-06-01 21:52:59 +00:00
|
|
|
.\"
|
2015-07-25 15:56:49 +00:00
|
|
|
.Dd July 25, 2015
|
2002-12-05 00:05:38 +00:00
|
|
|
.Dt MAC_MLS 4
|
2010-04-14 19:08:06 +00:00
|
|
|
.Os
|
2002-12-02 01:04:37 +00:00
|
|
|
.Sh NAME
|
|
|
|
.Nm mac_mls
|
2003-06-01 21:52:59 +00:00
|
|
|
.Nd "Multi-Level Security confidentiality policy"
|
2002-12-02 01:04:37 +00:00
|
|
|
.Sh SYNOPSIS
|
|
|
|
To compile MLS into your kernel, place the following lines in your kernel
|
|
|
|
configuration file:
|
2003-06-01 21:52:59 +00:00
|
|
|
.Bd -ragged -offset indent
|
2002-12-02 01:04:37 +00:00
|
|
|
.Cd "options MAC"
|
|
|
|
.Cd "options MAC_MLS"
|
2003-06-01 21:52:59 +00:00
|
|
|
.Ed
|
2002-12-02 01:04:37 +00:00
|
|
|
.Pp
|
|
|
|
Alternately, to load the MLS module at boot time, place the following line
|
|
|
|
in your kernel configuration file:
|
2003-06-01 21:52:59 +00:00
|
|
|
.Bd -ragged -offset indent
|
2002-12-02 01:04:37 +00:00
|
|
|
.Cd "options MAC"
|
2003-06-01 21:52:59 +00:00
|
|
|
.Ed
|
2002-12-02 01:04:37 +00:00
|
|
|
.Pp
|
|
|
|
and in
|
|
|
|
.Xr loader.conf 5 :
|
2003-06-01 21:52:59 +00:00
|
|
|
.Bd -literal -offset indent
|
|
|
|
mac_mls_load="YES"
|
|
|
|
.Ed
|
2002-12-02 01:04:37 +00:00
|
|
|
.Sh DESCRIPTION
|
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
policy module implements the Multi-Level Security, or MLS model,
|
2002-12-19 23:47:59 +00:00
|
|
|
which controls access between subjects and objects based on their
|
2002-12-02 01:04:37 +00:00
|
|
|
confidentiality by means of a strict information flow policy.
|
|
|
|
Each subject and object in the system has an MLS label associated with it;
|
|
|
|
each subject's MLS label contains information on its clearance level,
|
|
|
|
and each object's MLS label contains information on its classification.
|
|
|
|
.Pp
|
|
|
|
In MLS, all system subjects and objects are assigned confidentiality labels,
|
|
|
|
made up of a sensitivity level and zero or more compartments.
|
|
|
|
Together, these label elements permit all labels to be placed in a partial
|
|
|
|
order, with confidentiality protections based on a dominance operator
|
|
|
|
describing the order.
|
|
|
|
The sensitivity level is expressed as a value between 0 and
|
|
|
|
65535, with higher values reflecting higher sensitivity levels.
|
|
|
|
The compartment field is expressed as a set of up to 256 components,
|
2002-12-19 23:47:59 +00:00
|
|
|
numbered from 1 to 256.
|
2002-12-02 01:04:37 +00:00
|
|
|
A complete label consists of both sensitivity and compartment
|
|
|
|
elements.
|
|
|
|
.Pp
|
|
|
|
With normal labels, dominance is defined as a label having a higher
|
|
|
|
or equal active sensitivity level, and having at least
|
|
|
|
all of the same compartments as the label to which it is being compared.
|
|
|
|
With respect to label comparisons,
|
2003-06-01 21:52:59 +00:00
|
|
|
.Dq Li lower
|
2002-12-02 01:04:37 +00:00
|
|
|
is defined as being dominated by the label to which it is being compared,
|
|
|
|
and
|
2003-06-01 21:52:59 +00:00
|
|
|
.Dq Li higher
|
2002-12-02 01:04:37 +00:00
|
|
|
is defined as dominating the label to which it is being compared,
|
|
|
|
and
|
2003-06-01 21:52:59 +00:00
|
|
|
.Dq Li equal
|
2002-12-02 01:04:37 +00:00
|
|
|
is defined as both labels being able to satisfy the dominance requirements
|
|
|
|
over one another.
|
|
|
|
.Pp
|
|
|
|
Three special label values exist:
|
2003-06-01 21:52:59 +00:00
|
|
|
.Bl -column -offset indent ".Li mls/equal" "dominated by all other labels"
|
2003-01-20 21:15:03 +00:00
|
|
|
.It Sy Label Ta Sy Comparison
|
2003-06-01 21:52:59 +00:00
|
|
|
.It Li mls/low Ta "dominated by all other labels"
|
|
|
|
.It Li mls/equal Ta "equal to all other labels"
|
|
|
|
.It Li mls/high Ta "dominates all other labels"
|
2002-12-02 01:04:37 +00:00
|
|
|
.El
|
|
|
|
.Pp
|
2003-02-17 20:11:09 +00:00
|
|
|
The
|
2003-06-01 21:52:59 +00:00
|
|
|
.Dq Li mls/equal
|
2003-02-17 20:11:09 +00:00
|
|
|
label may be applied to subjects and objects for which no enforcement of the
|
|
|
|
MLS security policy is desired.
|
|
|
|
.Pp
|
2002-12-02 01:04:37 +00:00
|
|
|
The MLS model enforces the following basic restrictions:
|
|
|
|
.Bl -bullet
|
|
|
|
.It
|
|
|
|
Subjects may not observe the processes of another subject if its
|
|
|
|
clearance level is lower than the clearance level of the object it is
|
|
|
|
attempting to observe.
|
|
|
|
.It
|
|
|
|
Subjects may not read, write, or otherwise observe objects without proper
|
2004-07-03 18:29:24 +00:00
|
|
|
clearance (e.g.\& subjects may not observe objects whose classification label
|
2002-12-02 01:04:37 +00:00
|
|
|
dominates its own clearance label)
|
|
|
|
.It
|
|
|
|
Subjects may not write to objects with a lower classification level than
|
|
|
|
its own clearance level.
|
|
|
|
.It
|
|
|
|
A subject may read and write to an object if its clearance level is equal
|
|
|
|
to the object's classification level as though MLS protections were not in
|
|
|
|
place.
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
These rules prevent subjects of lower clearance from gaining access
|
|
|
|
information classified beyond its clearance level in order to protect the
|
|
|
|
confidentiality of classified information, subjects of higher clearance
|
|
|
|
from writing to objects of lower classification in order to prevent the
|
|
|
|
accidental or malicious leaking of information, and subjects of lower
|
|
|
|
clearance from observing subjects of higher clearance altogether.
|
|
|
|
In traditional trusted operating systems, the MLS confidentiality model is
|
|
|
|
used in concert with the Biba integrity model
|
2002-12-05 00:05:38 +00:00
|
|
|
.Xr ( mac_biba 4 )
|
2002-12-02 01:04:37 +00:00
|
|
|
in order to protect the Trusted Code Base (TCB).
|
|
|
|
.Ss Label Format
|
2005-01-12 10:14:43 +00:00
|
|
|
Almost all system objects are tagged with an effective, active label element,
|
2002-12-02 01:04:37 +00:00
|
|
|
reflecting the classification of the object, or classification of the data
|
|
|
|
contained in the object.
|
|
|
|
In general, object labels are represented in the following form:
|
|
|
|
.Pp
|
2003-06-01 21:52:59 +00:00
|
|
|
.Sm off
|
|
|
|
.D1 Li mls / Ar grade : compartments
|
|
|
|
.Sm on
|
2002-12-02 01:04:37 +00:00
|
|
|
.Pp
|
|
|
|
For example:
|
|
|
|
.Bd -literal -offset indent
|
2003-02-17 20:11:09 +00:00
|
|
|
mls/10:2+3+6
|
2002-12-02 01:04:37 +00:00
|
|
|
mls/low
|
|
|
|
.Ed
|
|
|
|
.Pp
|
2005-01-12 10:14:43 +00:00
|
|
|
Subject labels consist of three label elements: an effective (active) label,
|
2002-12-02 01:04:37 +00:00
|
|
|
as well as a range of available labels.
|
|
|
|
This range is represented using two ordered MLS label elements, and when set
|
|
|
|
on a process, permits the process to change its active label to any label of
|
|
|
|
greater or equal integrity to the low end of the range, and lesser or equal
|
|
|
|
integrity to the high end of the range.
|
|
|
|
In general, subject labels are represented in the following form:
|
|
|
|
.Pp
|
2003-06-01 21:52:59 +00:00
|
|
|
.Sm off
|
2004-07-16 02:04:41 +00:00
|
|
|
.D1 Li mls / Ar effectivegrade : effectivecompartments ( lograde : locompartments No -
|
2003-06-01 21:52:59 +00:00
|
|
|
.D1 Ar higrade : hicompartments )
|
|
|
|
.Sm on
|
2002-12-02 01:04:37 +00:00
|
|
|
.Pp
|
|
|
|
For example:
|
|
|
|
.Bd -literal -offset indent
|
2003-02-17 20:11:09 +00:00
|
|
|
mls/10:2+3+6(5:2+3-20:2+3+4+5+6)
|
2002-12-02 01:04:37 +00:00
|
|
|
mls/high(low-high)
|
|
|
|
.Ed
|
|
|
|
.Pp
|
|
|
|
Valid ranged labels must meet the following requirement regarding their
|
|
|
|
elements:
|
|
|
|
.Pp
|
2004-07-16 02:04:41 +00:00
|
|
|
.D1 Ar rangehigh No \[>=] Ar effective No \[>=] Ar rangelow
|
2002-12-02 01:04:37 +00:00
|
|
|
.Pp
|
|
|
|
One class of objects with ranges currently exists, the network interface.
|
2004-07-16 02:04:41 +00:00
|
|
|
In the case of the network interface, the effective label element references
|
2002-12-02 01:04:37 +00:00
|
|
|
the default label for packets received over the interface, and the range
|
|
|
|
represents the range of acceptable labels of packets to be transmitted over
|
|
|
|
the interface.
|
2003-02-17 20:11:09 +00:00
|
|
|
.Ss Runtime Configuration
|
|
|
|
The following
|
|
|
|
.Xr sysctl 8
|
|
|
|
MIBs are available for fine-tuning the enforcement of this MAC policy.
|
2003-06-01 21:52:59 +00:00
|
|
|
.Bl -tag -width ".Va security.mac.mls.ptys_equal"
|
2003-02-17 20:11:09 +00:00
|
|
|
.It Va security.mac.mls.enabled
|
2003-06-01 21:52:59 +00:00
|
|
|
Enables the enforcement of the MLS confidentiality policy.
|
|
|
|
(Default: 1).
|
2003-02-17 20:11:09 +00:00
|
|
|
.It Va security.mac.mls.ptys_equal
|
|
|
|
Label
|
2003-06-01 21:52:59 +00:00
|
|
|
.Xr pty 4 Ns s
|
2003-02-17 20:11:09 +00:00
|
|
|
as
|
2003-06-01 21:52:59 +00:00
|
|
|
.Dq Li mls/equal
|
|
|
|
upon creation.
|
|
|
|
(Default: 0).
|
2003-02-17 20:11:09 +00:00
|
|
|
.It Va security.mac.mls.revocation_enabled
|
|
|
|
Revoke access to objects if the label is changed to a more sensitive
|
2003-06-01 21:52:59 +00:00
|
|
|
level than the subject.
|
|
|
|
(Default: 0).
|
2003-02-17 20:11:09 +00:00
|
|
|
.El
|
2002-12-02 01:04:37 +00:00
|
|
|
.Sh IMPLEMENTATION NOTES
|
|
|
|
Currently, the
|
|
|
|
.Nm
|
|
|
|
policy relies on superuser status
|
2003-06-01 21:52:59 +00:00
|
|
|
.Pq Xr suser 9
|
2002-12-02 01:04:37 +00:00
|
|
|
in order to change network interface MLS labels.
|
|
|
|
This will eventually go away, but it is currently a liability and may
|
|
|
|
allow the superuser to bypass MLS protections.
|
|
|
|
.Sh SEE ALSO
|
2003-01-15 02:59:36 +00:00
|
|
|
.Xr mac 4 ,
|
2002-12-05 00:05:38 +00:00
|
|
|
.Xr mac_biba 4 ,
|
2002-12-10 00:39:17 +00:00
|
|
|
.Xr mac_bsdextended 4 ,
|
mac: add new mac_ddb(4) policy
Generally, access to the kernel debugger is considered to be unsafe from
a security perspective since it presents an unrestricted interface to
inspect or modify the system state, including sensitive data such as
signing keys.
However, having some access to debugger functionality on production
systems may be useful in determining the cause of a panic or hang.
Therefore, it is desirable to have an optional policy which allows
limited use of ddb(4) while disabling the functionality which could
reveal system secrets.
This loadable MAC module allows for the use of some ddb(4) commands
while preventing the execution of others. The commands have been broadly
grouped into three categories:
- Those which are 'safe' and will not emit sensitive data (e.g. trace).
Generally, these commands are deterministic and don't accept
arguments.
- Those which are definitively unsafe (e.g. examine <addr>, search
<addr> <value>)
- Commands which may be safe to execute depending on the arguments
provided (e.g. show thread <addr>).
Safe commands have been flagged as such with the DB_CMD_MEMSAFE flag.
Commands requiring extra validation can provide a function to do so.
For example, 'show thread <addr>' can be used as long as addr can be
checked against the system's list of process structures.
The policy also prevents debugger backends other than ddb(4) from
executing, for example gdb(4).
Reviewed by: markj, pauamma_gundo.com (manpages)
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D35371
2022-07-18 21:24:06 +00:00
|
|
|
.Xr mac_ddb 4 ,
|
2002-12-11 01:02:26 +00:00
|
|
|
.Xr mac_ifoff 4 ,
|
2003-01-08 10:47:18 +00:00
|
|
|
.Xr mac_lomac 4 ,
|
2002-12-10 00:39:17 +00:00
|
|
|
.Xr mac_none 4 ,
|
2002-12-11 01:02:26 +00:00
|
|
|
.Xr mac_partition 4 ,
|
2003-03-31 08:08:59 +00:00
|
|
|
.Xr mac_portacl 4 ,
|
2002-12-10 00:39:17 +00:00
|
|
|
.Xr mac_seeotheruids 4 ,
|
2003-09-12 21:54:11 +00:00
|
|
|
.Xr mac_test 4 ,
|
2002-12-10 00:39:17 +00:00
|
|
|
.Xr maclabel 7 ,
|
2002-12-05 00:05:38 +00:00
|
|
|
.Xr mac 9
|
2002-12-02 01:04:37 +00:00
|
|
|
.Sh HISTORY
|
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
policy module first appeared in
|
|
|
|
.Fx 5.0
|
2003-06-01 21:52:59 +00:00
|
|
|
and was developed by the
|
|
|
|
.Tn TrustedBSD
|
|
|
|
Project.
|
2002-12-02 01:04:37 +00:00
|
|
|
.Sh AUTHORS
|
|
|
|
This software was contributed to the
|
|
|
|
.Fx
|
2002-12-19 23:47:59 +00:00
|
|
|
Project by Network Associates Laboratories,
|
2002-12-02 01:04:37 +00:00
|
|
|
the Security Research Division of Network Associates
|
2004-07-03 18:29:24 +00:00
|
|
|
Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
|
2003-06-01 21:52:59 +00:00
|
|
|
.Pq Dq CBOSS ,
|
2002-12-02 01:04:37 +00:00
|
|
|
as part of the DARPA CHATS research program.
|
|
|
|
.Sh BUGS
|
2003-05-21 15:55:40 +00:00
|
|
|
While the MAC Framework design is intended to support the containment of
|
2002-12-02 01:04:37 +00:00
|
|
|
the root user, not all attack channels are currently protected by entry
|
|
|
|
point checks.
|
|
|
|
As such, MAC Framework policies should not be relied on, in isolation,
|
|
|
|
to protect against a malicious privileged user.
|