2002-11-20 22:26:58 +00:00
|
|
|
.\" Copyright (c) 2002 Networks Associates Technology, Inc.
|
|
|
|
.\" All rights reserved.
|
2002-12-27 12:15:40 +00:00
|
|
|
.\"
|
2003-01-08 11:06:22 +00:00
|
|
|
.\" This software was developed for the FreeBSD Project by Chris Costello
|
|
|
|
.\" at Safeport Network Services and Network Associates Laboratories, the
|
|
|
|
.\" Security Research Division of Network Associates, Inc. under
|
|
|
|
.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
|
|
|
|
.\" DARPA CHATS research program.
|
2002-12-27 12:15:40 +00:00
|
|
|
.\"
|
2002-11-20 22:26:58 +00:00
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
2002-12-27 12:15:40 +00:00
|
|
|
.\"
|
2002-11-20 22:26:58 +00:00
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
|
|
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
.\" SUCH DAMAGE.
|
2002-12-27 12:15:40 +00:00
|
|
|
.\"
|
2002-11-20 22:26:58 +00:00
|
|
|
.\" $FreeBSD$
|
|
|
|
.Dd NOVEMBER 18, 2002
|
|
|
|
.Os
|
2002-12-05 00:05:38 +00:00
|
|
|
.Dt MAC_BIBA 4
|
2002-11-20 22:26:58 +00:00
|
|
|
.Sh NAME
|
|
|
|
.Nm mac_biba
|
|
|
|
.Nd Biba data integrity policy
|
|
|
|
.Sh SYNOPSIS
|
2002-12-10 00:39:17 +00:00
|
|
|
To compile Biba into your kernel, place the following lines in your kernel
|
|
|
|
configuration file:
|
2002-11-20 22:26:58 +00:00
|
|
|
.Cd "options MAC"
|
2002-12-10 00:39:17 +00:00
|
|
|
.Cd "options MAC_BIBA"
|
|
|
|
.Pp
|
|
|
|
Alternately, to load the Biba module at boot time, place the following line
|
|
|
|
in your kernel configuration file:
|
|
|
|
.Cd "options MAC"
|
|
|
|
.Pp
|
|
|
|
and in
|
|
|
|
.Xr loader.conf 5 :
|
|
|
|
.Cd mac_biba_load= Ns \&"YES"
|
2002-11-20 22:26:58 +00:00
|
|
|
.Sh DESCRIPTION
|
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
policy module implements the Biba integrity model,
|
|
|
|
which protects the integrity of system objects and subjects by means of
|
|
|
|
a strict information flow policy.
|
|
|
|
In Biba, all system subjects and objects are assigned integrity labels, made
|
|
|
|
up of hierarchal grades, and non-hierarchal components.
|
|
|
|
Together, these label elements permit all labels to be placed in a partial
|
|
|
|
order, with information flow protections based on a dominance operator
|
|
|
|
describing the order.
|
|
|
|
The hierarchal grade field is expressed as a value between 0 and 65535,
|
|
|
|
with higher values reflecting higher integrity.
|
|
|
|
The non-hierarchal compartment field is expressed as a set of up to 256
|
|
|
|
components, numbered from 0 to 255.
|
|
|
|
A complete label consists of both hierarchal and non-hierarchal elements.
|
|
|
|
.Pp
|
|
|
|
Three special label values exist:
|
2003-01-20 21:15:03 +00:00
|
|
|
.Bl -column -offset indent "biba/equal" "lower than all other labels"
|
|
|
|
.It Sy Label Ta Sy Comparison
|
|
|
|
.It Li biba/low Ta lower than all other labels
|
2002-11-20 22:26:58 +00:00
|
|
|
.It Li biba/equal Ta equal to all other labels
|
|
|
|
.It Li biba/high Ta higher than all other labels
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
The
|
|
|
|
.Dq biba/high
|
2002-12-16 21:13:25 +00:00
|
|
|
label is assigned to system objects which affect the integrity of the system
|
2002-11-20 22:26:58 +00:00
|
|
|
as a whole.
|
|
|
|
.Dq biba/equal
|
|
|
|
may be used to indicate that a particular subject or object is exempt from
|
|
|
|
the Biba protections.
|
|
|
|
These special label values are not specified as containing any compartments,
|
|
|
|
although in a label comparison,
|
|
|
|
.Dq biba/high
|
|
|
|
appears to contain all compartments,
|
|
|
|
.Dq biba/equal
|
|
|
|
the same compartments as the other label to which it is being compared,
|
|
|
|
and
|
|
|
|
.Dq biba/low
|
|
|
|
none.
|
|
|
|
.Pp
|
|
|
|
In general, Biba access control takes the following model:
|
|
|
|
.Bl -bullet
|
|
|
|
.It
|
|
|
|
A subject at the same integrity level as an object may both read from
|
|
|
|
and write to the object as though Biba protections were not in place.
|
|
|
|
.It
|
|
|
|
A subject at a higher integrity level than an object may write to the object,
|
|
|
|
but not read the object.
|
|
|
|
.It
|
|
|
|
A subject at a lower integrity level than an object may read the object,
|
|
|
|
but not write to the object.
|
|
|
|
.It
|
|
|
|
If the subject and object labels may not be compared in the partial order,
|
|
|
|
all access is restricted.
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
These rules prevent subjects of lower integrity from influencing the
|
|
|
|
behavior of higher integrity subjects by preventing the flow of information,
|
|
|
|
and hence control, from allowing low integrity subjects to modify either
|
|
|
|
a high integrity object or high integrity subjects acting on those objects.
|
|
|
|
Biba integrity policies may be appropriate in a number of environments,
|
|
|
|
both from the perspective of preventing corruption of the operating system,
|
|
|
|
and corruption of user data if marked as higher integrity than the attacker.
|
|
|
|
In traditional trusted operating systems, the Biba integrity model is used
|
|
|
|
to protect the Trusted Code Base (TCB).
|
|
|
|
.Pp
|
|
|
|
The Biba integrity model is similar to
|
2002-12-05 00:05:38 +00:00
|
|
|
.Xr lomac 4 ,
|
2002-11-20 22:26:58 +00:00
|
|
|
with the exception that LOMAC permits access by a higher integrity subject
|
|
|
|
to a lower integrity object, but downgrades the integrity level of the subject
|
|
|
|
to prevent integrity rules from being violated.
|
|
|
|
Biba is a fixed label policy in that all subject and object label changes are
|
|
|
|
explicit, whereas LOMAC is a floating label policy.
|
|
|
|
.Pp
|
|
|
|
The Biba integrity model is also similar to
|
2002-12-05 00:05:38 +00:00
|
|
|
.Xr mac_mls 4 ,
|
2002-11-20 22:26:58 +00:00
|
|
|
with the exception that the dominance operator and access rules are reversed,
|
|
|
|
preventing the downward flow of information rather than the upward flow of
|
|
|
|
information.
|
2002-12-27 12:15:40 +00:00
|
|
|
Multi-Level Security (MLS) protects the confidentiality, rather than the
|
2002-11-20 22:26:58 +00:00
|
|
|
integrity, of subjects and objects.
|
2003-02-17 20:04:06 +00:00
|
|
|
.Ss Label Format
|
|
|
|
Almost all system objects are tagged with a single, active label element,
|
|
|
|
reflecting the integrity of the object, or integrity of the data contained
|
|
|
|
in the object.
|
|
|
|
In general, objects labels are represented in the following form:
|
|
|
|
.Pp
|
|
|
|
.Dl biba/grade:compartments
|
|
|
|
.Pp
|
|
|
|
For example:
|
|
|
|
.Pp
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
biba/10:2+3+6
|
|
|
|
biba/low
|
|
|
|
.Ed
|
|
|
|
.Pp
|
|
|
|
Subject labels consist of three label elements: a single (active) label,
|
|
|
|
as well as a range of available labels.
|
|
|
|
This range is represented using two ordered Biba label elements, and when set
|
|
|
|
on a process, permits the process to change its active label to any label of
|
|
|
|
greater or equal integrity to the low end of the range, and lesser or equal
|
|
|
|
integrity to the high end of the range.
|
|
|
|
In general, subject labels are represented in the following form:
|
|
|
|
.Pp
|
|
|
|
.Dl biba/singlegrade:singlecompartments(lograde:locompartments-
|
|
|
|
.Dl higrade:hicompartments)
|
|
|
|
.Pp
|
|
|
|
For example:
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
biba/10:2+3+6(5:2+3-20:2+3+4+5+6)
|
|
|
|
biba/high(low-high)
|
|
|
|
.Ed
|
|
|
|
.Pp
|
|
|
|
Valid ranged labels must meet the following requirement regarding their
|
|
|
|
elements:
|
|
|
|
.Pp
|
|
|
|
.Dl rangehigh >= single >= rangelow
|
|
|
|
.Pp
|
|
|
|
One class of objects with ranges currently exists, the network interface.
|
|
|
|
In the case of the network interface, the single label element references the
|
|
|
|
default label for packets received over the interface, and the range
|
|
|
|
represents the range of acceptable labels of packets to be transmitted over
|
|
|
|
the interface.
|
|
|
|
.Ss Runtime Configuration
|
|
|
|
The following
|
|
|
|
.Xr sysctl 8
|
|
|
|
MIBs are available for fine-tuning the enforcement of this MAC policy.
|
|
|
|
.Bl -tag -width 'security.mac.biba.ptys_equal'
|
|
|
|
.It Va security.mac.biba.enabled
|
|
|
|
Enables enforcement of the Biba integrity policy
|
|
|
|
(Default: 1)
|
|
|
|
.It Va security.mac.biba.ptys_equal
|
|
|
|
Label
|
|
|
|
.Sm off
|
|
|
|
.Xr pty 4
|
|
|
|
s
|
|
|
|
.Sm on
|
|
|
|
as
|
|
|
|
.Dq biba/equal
|
|
|
|
upon creation
|
|
|
|
(Default: 0)
|
|
|
|
.It Va security.mac.biba.revocation_enabled
|
|
|
|
Revoke access to objects if the label is changed to dominate the subject
|
|
|
|
(Default: 0)
|
|
|
|
.El
|
2002-11-20 22:26:58 +00:00
|
|
|
.Sh SEE ALSO
|
2002-12-12 22:17:44 +00:00
|
|
|
.Xr lomac 4 ,
|
2003-01-15 02:59:36 +00:00
|
|
|
.Xr mac 4 ,
|
2002-12-10 00:39:17 +00:00
|
|
|
.Xr mac_bsdextended 4 ,
|
2002-12-11 01:02:26 +00:00
|
|
|
.Xr mac_ifoff 4 ,
|
2003-01-08 10:47:18 +00:00
|
|
|
.Xr mac_lomac 4 ,
|
2002-12-05 00:05:38 +00:00
|
|
|
.Xr mac_mls 4 ,
|
2002-12-10 00:39:17 +00:00
|
|
|
.Xr mac_none 4 ,
|
2002-12-11 01:02:26 +00:00
|
|
|
.Xr mac_partition 4 ,
|
2002-12-10 00:39:17 +00:00
|
|
|
.Xr mac_seeotheruids 4 ,
|
|
|
|
.Xr mac_test 4 ,
|
2002-12-20 00:17:10 +00:00
|
|
|
.Xr maclabel 7 ,
|
2002-12-05 00:05:38 +00:00
|
|
|
.Xr mac 9
|
2002-11-20 22:26:58 +00:00
|
|
|
.Sh HISTORY
|
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
policy module first appeared in
|
|
|
|
.Fx 5.0
|
|
|
|
and was developed by the TrustedBSD Project.
|
|
|
|
.Sh AUTHORS
|
|
|
|
This software was contributed to the
|
|
|
|
.Fx
|
|
|
|
Project by Network Associates Labs,
|
|
|
|
the Security Research Division of Network Associates
|
|
|
|
Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
|
|
|
|
as part of the DARPA CHATS research program.
|