o Improve vocabulary/wording
o Expand on MAC policy enforcement on network interfaces o Add cross-references to su(1) and setfsmac(8) where appropriate o Comment out mmap revocation sysctls as they are a bit too experimental o Add the standard BUGS section Prompted by: rwatson Sponsored by: DARPA, Network Associates Laboratories
This commit is contained in:
Chris Costello
parent
bbcbd93649
commit
9c73007c1c
@ -43,7 +43,8 @@ The Mandatory Access Control, or MAC, framework allows administrators to
|
|||||||
finely control system security by providing for a loadable security policy
|
finely control system security by providing for a loadable security policy
|
||||||
architecture.
|
architecture.
|
||||||
It is important to note that due to its nature, MAC security policies may
|
It is important to note that due to its nature, MAC security policies may
|
||||||
only further restrict security; they cannot override traditional UNIX
|
only restrict access relative to one another and the base system policy;
|
||||||
|
they cannot override traditional UNIX
|
||||||
security provisions such as file permissions and superuser checks.
|
security provisions such as file permissions and superuser checks.
|
||||||
.Pp
|
.Pp
|
||||||
Currently, the following MAC policy modules are shipped with
|
Currently, the following MAC policy modules are shipped with
|
||||||
@ -60,15 +61,31 @@ Currently, the following MAC policy modules are shipped with
|
|||||||
.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time
|
.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time
|
||||||
.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time
|
.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time
|
||||||
.El
|
.El
|
||||||
|
.Ss MAC Labels
|
||||||
|
Each system subject (processes, sockets, etc.) and each system object
|
||||||
|
(file system objects, sockets, etc.) can carry with it a MAC label.
|
||||||
|
MAC labels contain data in an arbitrary format
|
||||||
|
taken into consideration in making access control decisions
|
||||||
|
for a given operation.
|
||||||
|
Most MAC labels on system subjects and objects
|
||||||
|
can be modified directly or indirectly by the system
|
||||||
|
administrator.
|
||||||
|
The format for a given policy's label may vary depending on the type
|
||||||
|
of object or subject being labeled.
|
||||||
|
More information on the format for MAC labels can be found in the
|
||||||
|
.Xr maclabel 7
|
||||||
|
man page.
|
||||||
.Ss MAC Support for UFS2 File Systems
|
.Ss MAC Support for UFS2 File Systems
|
||||||
By default, file system enforcement of MAC policies relies on a single file
|
By default, file system enforcement of labeled MAC policies relies on
|
||||||
system label
|
a single file system label
|
||||||
(see
|
(see
|
||||||
.Sx "MAC Labels" )
|
.Sx "MAC Labels" )
|
||||||
in order to make access control decisions for all the files in a particular
|
in order to make access control decisions for all the files in a particular
|
||||||
file system.
|
file system.
|
||||||
On most systems, this is not the most desirable configuration.
|
With some policies, this configuration may not allow administrators to take
|
||||||
In order to enable support for labeling files on an individual basis,
|
full advantage of features.
|
||||||
|
In order to enable support for labeling files on an individual basis
|
||||||
|
for a particular file system,
|
||||||
the
|
the
|
||||||
.Dq multilabel
|
.Dq multilabel
|
||||||
flag must be enabled on the file system.
|
flag must be enabled on the file system.
|
||||||
@ -88,18 +105,6 @@ or the special file
|
|||||||
(in
|
(in
|
||||||
.Pa /dev )
|
.Pa /dev )
|
||||||
corresponding to the file system on which to enable multilabel support.
|
corresponding to the file system on which to enable multilabel support.
|
||||||
.Ss MAC Labels
|
|
||||||
Each system subject (processes, sockets, etc.) and each system object
|
|
||||||
(file system objects, sockets, etc.) can carry with it a MAC label.
|
|
||||||
MAC labels can contain data in an arbitrary format
|
|
||||||
used by the MAC policies in order to help determine how to determine
|
|
||||||
access rights for a given operation.
|
|
||||||
Most MAC labels on system subjects and objects
|
|
||||||
can be modified directly or indirectly by the system
|
|
||||||
administrator.
|
|
||||||
More information on the format for MAC labels can be found in the
|
|
||||||
.Xr maclabel 7
|
|
||||||
man page.
|
|
||||||
.Ss Policy Enforcement
|
.Ss Policy Enforcement
|
||||||
MAC can be configured to enforce only specific portions of
|
MAC can be configured to enforce only specific portions of
|
||||||
policies
|
policies
|
||||||
@ -113,7 +118,11 @@ File system mounts, modifying directories, modifying files, etc.
|
|||||||
Loading, unloading, and retrieving statistics on loaded kernel modules
|
Loading, unloading, and retrieving statistics on loaded kernel modules
|
||||||
.It Sy Network
|
.It Sy Network
|
||||||
Network interfaces,
|
Network interfaces,
|
||||||
.Xr bpf 4
|
.Xr bpf 4 ,
|
||||||
|
packet delivery and transmission,
|
||||||
|
interface configuration
|
||||||
|
.Xr ( ioctl 2 ,
|
||||||
|
.Xr ifconfig 8 )
|
||||||
.It Sy Pipes
|
.It Sy Pipes
|
||||||
Creation of and operation on
|
Creation of and operation on
|
||||||
.Xr pipe 2
|
.Xr pipe 2
|
||||||
@ -129,7 +138,7 @@ process execution
|
|||||||
signalling
|
signalling
|
||||||
.Xr ( kill 2 )
|
.Xr ( kill 2 )
|
||||||
.It Sy Sockets
|
.It Sy Sockets
|
||||||
Creation and operation on
|
Creation of and operation on
|
||||||
.Xr socket 2
|
.Xr socket 2
|
||||||
objects
|
objects
|
||||||
.It Sy System
|
.It Sy System
|
||||||
@ -156,17 +165,19 @@ files
|
|||||||
.Ss Setting MAC Labels
|
.Ss Setting MAC Labels
|
||||||
From the command line, each type of system object has its own means for setting
|
From the command line, each type of system object has its own means for setting
|
||||||
and modifying its MAC policy label.
|
and modifying its MAC policy label.
|
||||||
.Bl -column "user (by login class)" "Xr login.conf 5" -offset indent
|
.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent
|
||||||
.It Sy "Subject/Object" Ta Sy "Utility"
|
.It Sy "Subject/Object" Ta Sy "Utility"
|
||||||
.It "File system object" Ta Xr setfmac 8
|
.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8
|
||||||
.It "Network interface" Ta Xr ifconfig 8
|
.It "Network interface" Ta Xr ifconfig 8
|
||||||
.It "TTY (by login class)" Ta Xr login.conf 5
|
.It "TTY (by login class)" Ta Xr login.conf 5
|
||||||
.It "User (by login class)" Ta Xr login.conf 5
|
.It "User (by login class)" Ta Xr login.conf 5
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
Additionally, the
|
Additionally, the
|
||||||
|
.Xr su 1
|
||||||
|
and
|
||||||
.Xr setpmac 8
|
.Xr setpmac 8
|
||||||
command can be used to run a command with a different process label than
|
utilities can be used to run a command with a different process label than
|
||||||
the shell's current label.
|
the shell's current label.
|
||||||
.Ss Programming With MAC
|
.Ss Programming With MAC
|
||||||
MAC security enforcement itself is transparent to application
|
MAC security enforcement itself is transparent to application
|
||||||
@ -186,7 +197,7 @@ MIBs are available for fine-tuning the enforcement of MAC policies.
|
|||||||
Unless specifically noted, all MIBs default to
|
Unless specifically noted, all MIBs default to
|
||||||
.Li 1
|
.Li 1
|
||||||
(that is, all areas are enforced by default):
|
(that is, all areas are enforced by default):
|
||||||
.Bl -tag -width "security.mac.mmap_revocation"
|
.Bl -tag -width "security.mac.enforce_network"
|
||||||
.It Va security.mac.enforce_fs
|
.It Va security.mac.enforce_fs
|
||||||
Enforce MAC policies for file system accesses
|
Enforce MAC policies for file system accesses
|
||||||
.It Va security.mac.enforce_kld
|
.It Va security.mac.enforce_kld
|
||||||
@ -214,17 +225,20 @@ Enforce MAC policies on
|
|||||||
.Xr mmap 2
|
.Xr mmap 2
|
||||||
and
|
and
|
||||||
.Xr mprotect 2
|
.Xr mprotect 2
|
||||||
.It Va security.mac.mmap_revocation
|
.\" *** XXX ***
|
||||||
Revoke
|
.\" Support for this feature is poor and should not be encouraged.
|
||||||
.Xr mmap 2
|
.\"
|
||||||
access to files on subject relabel
|
.\" .It Va security.mac.mmap_revocation
|
||||||
.It Va security.mac.mmap_revocation_via_cow
|
.\" Revoke
|
||||||
Revoke
|
.\" .Xr mmap 2
|
||||||
.Xr mmap 2
|
.\" access to files on subject relabel
|
||||||
access to files via copy-on-write semantics;
|
.\" .It Va security.mac.mmap_revocation_via_cow
|
||||||
mapped regions will still appear writable, but will no longer
|
.\" Revoke
|
||||||
effect a change on the underlying vnode
|
.\" .Xr mmap 2
|
||||||
(Default: 0)
|
.\" access to files via copy-on-write semantics;
|
||||||
|
.\" mapped regions will still appear writable, but will no longer
|
||||||
|
.\" effect a change on the underlying vnode
|
||||||
|
.\" (Default: 0)
|
||||||
.El
|
.El
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr mac 3 ,
|
.Xr mac 3 ,
|
||||||
@ -262,3 +276,15 @@ Project by Network Associates Labs,
|
|||||||
the Security Research Division of Network Associates
|
the Security Research Division of Network Associates
|
||||||
Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
|
Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
|
||||||
as part of the DARPA CHATS research program.
|
as part of the DARPA CHATS research program.
|
||||||
|
.Sh BUGS
|
||||||
|
See
|
||||||
|
.Xr mac 9
|
||||||
|
concerning appropriateness for production use.
|
||||||
|
The TrustedBSD MAC Framework is considered experimental in
|
||||||
|
.Fx .
|
||||||
|
.Pp
|
||||||
|
While the MAC Framework design is intended to support the containment of
|
||||||
|
the root user, not all attack channels are currently protected by entry
|
||||||
|
point checks.
|
||||||
|
As such, MAC Framework policies should not be relied on, in isolation,
|
||||||
|
to protect against a malicious privileged user.
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user