o Improve vocabulary/wording

o Expand on MAC policy enforcement on network interfaces
o Add cross-references to su(1) and setfsmac(8) where appropriate
o Comment out mmap revocation sysctls as they are a bit too experimental
o Add the standard BUGS section

Prompted by:	rwatson
Sponsored by:	DARPA, Network Associates Laboratories
This commit is contained in:
chris 2003-02-23 21:47:03 +00:00
parent 4531e083d4
commit 46357b9840

View File

@ -43,7 +43,8 @@ The Mandatory Access Control, or MAC, framework allows administrators to
finely control system security by providing for a loadable security policy
architecture.
It is important to note that due to its nature, MAC security policies may
only further restrict security; they cannot override traditional UNIX
only restrict access relative to one another and the base system policy;
they cannot override traditional UNIX
security provisions such as file permissions and superuser checks.
.Pp
Currently, the following MAC policy modules are shipped with
@ -60,15 +61,31 @@ Currently, the following MAC policy modules are shipped with
.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time
.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time
.El
.Ss MAC Labels
Each system subject (processes, sockets, etc.) and each system object
(file system objects, sockets, etc.) can carry with it a MAC label.
MAC labels contain data in an arbitrary format
taken into consideration in making access control decisions
for a given operation.
Most MAC labels on system subjects and objects
can be modified directly or indirectly by the system
administrator.
The format for a given policy's label may vary depending on the type
of object or subject being labeled.
More information on the format for MAC labels can be found in the
.Xr maclabel 7
man page.
.Ss MAC Support for UFS2 File Systems
By default, file system enforcement of MAC policies relies on a single file
system label
By default, file system enforcement of labeled MAC policies relies on
a single file system label
(see
.Sx "MAC Labels" )
in order to make access control decisions for all the files in a particular
file system.
On most systems, this is not the most desirable configuration.
In order to enable support for labeling files on an individual basis,
With some policies, this configuration may not allow administrators to take
full advantage of features.
In order to enable support for labeling files on an individual basis
for a particular file system,
the
.Dq multilabel
flag must be enabled on the file system.
@ -88,18 +105,6 @@ or the special file
(in
.Pa /dev )
corresponding to the file system on which to enable multilabel support.
.Ss MAC Labels
Each system subject (processes, sockets, etc.) and each system object
(file system objects, sockets, etc.) can carry with it a MAC label.
MAC labels can contain data in an arbitrary format
used by the MAC policies in order to help determine how to determine
access rights for a given operation.
Most MAC labels on system subjects and objects
can be modified directly or indirectly by the system
administrator.
More information on the format for MAC labels can be found in the
.Xr maclabel 7
man page.
.Ss Policy Enforcement
MAC can be configured to enforce only specific portions of
policies
@ -113,7 +118,11 @@ File system mounts, modifying directories, modifying files, etc.
Loading, unloading, and retrieving statistics on loaded kernel modules
.It Sy Network
Network interfaces,
.Xr bpf 4
.Xr bpf 4 ,
packet delivery and transmission,
interface configuration
.Xr ( ioctl 2 ,
.Xr ifconfig 8 )
.It Sy Pipes
Creation of and operation on
.Xr pipe 2
@ -129,7 +138,7 @@ process execution
signalling
.Xr ( kill 2 )
.It Sy Sockets
Creation and operation on
Creation of and operation on
.Xr socket 2
objects
.It Sy System
@ -156,17 +165,19 @@ files
.Ss Setting MAC Labels
From the command line, each type of system object has its own means for setting
and modifying its MAC policy label.
.Bl -column "user (by login class)" "Xr login.conf 5" -offset indent
.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent
.It Sy "Subject/Object" Ta Sy "Utility"
.It "File system object" Ta Xr setfmac 8
.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8
.It "Network interface" Ta Xr ifconfig 8
.It "TTY (by login class)" Ta Xr login.conf 5
.It "User (by login class)" Ta Xr login.conf 5
.El
.Pp
Additionally, the
.Xr su 1
and
.Xr setpmac 8
command can be used to run a command with a different process label than
utilities can be used to run a command with a different process label than
the shell's current label.
.Ss Programming With MAC
MAC security enforcement itself is transparent to application
@ -186,7 +197,7 @@ MIBs are available for fine-tuning the enforcement of MAC policies.
Unless specifically noted, all MIBs default to
.Li 1
(that is, all areas are enforced by default):
.Bl -tag -width "security.mac.mmap_revocation"
.Bl -tag -width "security.mac.enforce_network"
.It Va security.mac.enforce_fs
Enforce MAC policies for file system accesses
.It Va security.mac.enforce_kld
@ -214,17 +225,20 @@ Enforce MAC policies on
.Xr mmap 2
and
.Xr mprotect 2
.It Va security.mac.mmap_revocation
Revoke
.Xr mmap 2
access to files on subject relabel
.It Va security.mac.mmap_revocation_via_cow
Revoke
.Xr mmap 2
access to files via copy-on-write semantics;
mapped regions will still appear writable, but will no longer
effect a change on the underlying vnode
(Default: 0)
.\" *** XXX ***
.\" Support for this feature is poor and should not be encouraged.
.\"
.\" .It Va security.mac.mmap_revocation
.\" Revoke
.\" .Xr mmap 2
.\" access to files on subject relabel
.\" .It Va security.mac.mmap_revocation_via_cow
.\" Revoke
.\" .Xr mmap 2
.\" access to files via copy-on-write semantics;
.\" mapped regions will still appear writable, but will no longer
.\" effect a change on the underlying vnode
.\" (Default: 0)
.El
.Sh SEE ALSO
.Xr mac 3 ,
@ -262,3 +276,15 @@ Project by Network Associates Labs,
the Security Research Division of Network Associates
Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
as part of the DARPA CHATS research program.
.Sh BUGS
See
.Xr mac 9
concerning appropriateness for production use.
The TrustedBSD MAC Framework is considered experimental in
.Fx .
.Pp
While the MAC Framework design is intended to support the containment of
the root user, not all attack channels are currently protected by entry
point checks.
As such, MAC Framework policies should not be relied on, in isolation,
to protect against a malicious privileged user.