mdoc(7) police: markup overhaul.

Approved by:	re
Ruslan Ermilov 2002-12-12 14:25:52 +00:00
parent e89f01cca3
commit 4ac17494d7

@ -34,8 +34,8 @@
.\" $FreeBSD$
.\"
.Dd February 16, 2002
.Os
.Dt MAC 9
.Os
.Sh NAME
.Nm mac
.Nd TrustedBSD Mandatory Access Control framework
@ -48,7 +48,9 @@ In the kernel configuration file:
.Cd "options MAC_DEBUG"
.Sh DESCRIPTION
.Ss Introduction
The TrustedBSD mandatory access control framework permits dynamically
The
.Tn TrustedBSD
mandatory access control framework permits dynamically
introduced system security modules to modify system security functionality.
This can be used to support a variety of new security services, including
traditional labeled mandatory access control models.
@ -60,19 +62,22 @@ opportunity to modify security behavior at those MAC API entry points.
Both consumers of the API (normal kernel services) and security modules
must be aware of the semantics of the API calls, particularly with respect
to synchronization primitives (such as locking).
.Ss Note on appropriateness for production use
The TrustedBSD MAC Framework included in
.Ss Note on Appropriateness for Production Use
The
.Tn TrustedBSD
MAC Framework included in
.Fx 5.0
is considered experimental, and should not be deployed in production
environments without careful consideration of the risks associated with
the use of experimental operating system features.
.Ss Kernel objects supported by the framework
.Ss Kernel Objects Supported by the Framework
The MAC framework manages labels on a variety of types of in-kernel
objects, including process credentials, vnodes, devfs_dirents, mount
points, sockets, mbufs, bpf descriptors, network interfaces, ip fragment
points, sockets, mbufs, bpf descriptors, network interfaces, IP fragment
queues, and pipes.
Label data on kernel objects, represented by struct label, is
policy-unaware, and may be used in the manner seen fit by policy modules.
Label data on kernel objects, represented by
.Vt "struct label" ,
is policy-unaware, and may be used in the manner seen fit by policy modules.
.Ss API for Consumers
The MAC API provides a large set of entry points, too broad to specifically
document here.
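Review bot: The object list under "Kernel Objects Supported by the Framework" now capitalizes "IP fragment" but leaves "bpf descriptors" lowercase in the same sentence; write "BPF descriptors" so the acronyms are treated alike. The same paragraph still says "The MAC framework manages labels" while the subsection above uses "MAC Framework"; since this pass normalizes capitalization in the .Ss titles, pick one spelling for the body text as well.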
@ -102,7 +107,8 @@ API entry points, a variety of object creation and destruction calls,
and a large set of access control check points.
In the future, additional audit entry points will also be present.
Module authors may choose to only implement a subset of the entry points,
setting API function pointers in the description structure to NULL,
setting API function pointers in the description structure to
.Dv NULL ,
permitting the framework to avoid calling into the module.
.Ss Locking for Module Writers
Module writers must be aware of the locking semantics of entry points
@ -145,19 +151,19 @@ framework, and modifying appropriate modules to take advantage of
the new entry points so that they may consistently enforce their
policies.
.Sh ENTRY POINTS
System service and module authors should reference the FreeBSD
Developer's Handbook for information on the MAC Framework APIs.
.Pp
System service and module authors should reference the
.%T "FreeBSD Developer's Handbook"
for information on the MAC Framework APIs.
.Sh SEE ALSO
.Xr acl 3 ,
.Xr cap 3 ,
.Xr mac 3 ,
.Xr lomac 4 ,
.Xr posix1e 3 ,
.Xr lomac 4 ,
.Xr ucred 9 ,
.Xr vaccess 9 ,
.Xr vaccess_acl_posix1e 9 ,
.Xr VFS 9 ,
.Xr VFS 9
.Sh AUTHORS
This man page was written by
.An Robert Watson .
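Review bot: In ENTRY POINTS, .%T "FreeBSD Developer's Handbook" is used on its own in running text, but .%T is a reference macro meant to appear inside an .Rs/.Re block. Consider moving the handbook citation into an .Rs/.Re entry under SEE ALSO and referring to it from this sentence. The SEE ALSO reordering itself (lomac 4 placed after the section 3 entries, trailing comma dropped from VFS 9) matches the usual section-then-name ordering.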
@ -165,10 +171,14 @@ This software was contributed to the
.Fx
Project by Network Associates Laboratories, the Security Research
Division of Network Associates Inc. under DARPA/SPAWAR contract
N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research program.
N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.
.Pp
.An -nosplit
The TrustedBSD MAC Framework was designed by
The
.Tn TrustedBSD
MAC Framework was designed by
.An Robert Watson ,
and implemented by the Network Associates Laboratories Network Security
(NETSEC), Secure Execution Environement (SEE), and Adaptive
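Review bot: The context line directly below the changed AUTHORS text still reads "Secure Execution Environement (SEE)"; since this pass already rewrites the surrounding paragraph, correct the spelling to "Environment" in the same commit.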
@ -200,12 +210,16 @@ Additional contributors include:
and
.An Andrew Reiter .
.Sh HISTORY
The TrustedBSD MAC Framework first appeared in
.Fx 5.0
The
.Tn TrustedBSD
MAC Framework first appeared in
.Fx 5.0 .
.Sh BUGS
See the earlier section in this document concerning appropriateness
for production use.
The TrustedBSD MAC Framework is considered experimental in
The
.Tn TrustedBSD
MAC Framework is considered experimental in
.Fx .
.Pp
While the MAC Framework design is intended to support the containment of
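Review bot: In BUGS, "See the earlier section in this document concerning appropriateness for production use" stays as plain text even though this commit title-cases that subsection heading. Make it an explicit section cross-reference, for example .Sx Note on Appropriateness for Production Use , so the reader is pointed at the exact heading rather than a paraphrase of it.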