mdoc(7) police: markup overhaul.
Approved by: re
This commit is contained in:
parent
e479f313a6
commit
9622c79f57
@ -34,8 +34,8 @@
.\" $FreeBSD$
.\"
.Dd February 16, 2002
.Os
.Dt MAC 9
.Os
.Sh NAME
.Nm mac
.Nd TrustedBSD Mandatory Access Control framework
@ -48,7 +48,9 @@ In the kernel configuration file:
.Cd "options MAC_DEBUG"
.Sh DESCRIPTION
.Ss Introduction
The TrustedBSD mandatory access control framework permits dynamically
The
.Tn TrustedBSD
mandatory access control framework permits dynamically
introduced system security modules to modify system security functionality.
This can be used to support a variety of new security services, including
traditional labeled mandatory access control models.
@ -60,19 +62,22 @@ opportunity to modify security behavior at those MAC API entry points.
Both consumers of the API (normal kernel services) and security modules
must be aware of the semantics of the API calls, particularly with respect
to synchronization primitives (such as locking).
.Ss Note on appropriateness for production use
The TrustedBSD MAC Framework included in
.Ss Note on Appropriateness for Production Use
The
.Tn TrustedBSD
MAC Framework included in
.Fx 5.0
is considered experimental, and should not be deployed in production
environments without careful consideration of the risks associated with
the use of experimental operating system features.
.Ss Kernel objects supported by the framework
.Ss Kernel Objects Supported by the Framework
The MAC framework manages labels on a variety of types of in-kernel
objects, including process credentials, vnodes, devfs_dirents, mount
points, sockets, mbufs, bpf descriptors, network interfaces, ip fragment
points, sockets, mbufs, bpf descriptors, network interfaces, IP fragment
queues, and pipes.
Label data on kernel objects, represented by struct label, is
policy-unaware, and may be used in the manner seen fit by policy modules.
Label data on kernel objects, represented by
.Vt "struct label" ,
is policy-unaware, and may be used in the manner seen fit by policy modules.
.Ss API for Consumers
The MAC API provides a large set of entry points, too broad to specifically
document here.
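Review bot: in the "Kernel Objects" paragraph, `struct label` now gets `.Vt` but `devfs_dirents` two lines above it is still plain text even though it is also a kernel type name; for consistency mark it up as `.Vt devfs_dirent` (rewording to "devfs_dirent structures" if the plural reads awkwardly). This hunk also writes "MAC Framework" in the production-use note but "MAC framework" in "The MAC framework manages labels", while the heading was title-cased to "Note on Appropriateness for Production Use"; since this is the markup-consistency pass, pick one capitalization of "Framework" and apply it throughout.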
@ -102,7 +107,8 @@ API entry points, a variety of object creation and destruction calls,
and a large set of access control check points.
In the future, additional audit entry points will also be present.
Module authors may choose to only implement a subset of the entry points,
setting API function pointers in the description structure to NULL,
setting API function pointers in the description structure to
.Dv NULL ,
permitting the framework to avoid calling into the module.
.Ss Locking for Module Writers
Module writers must be aware of the locking semantics of entry points
@ -145,19 +151,19 @@ framework, and modifying appropriate modules to take advantage of
the new entry points so that they may consistently enforce their
policies.
.Sh ENTRY POINTS
System service and module authors should reference the FreeBSD
Developer's Handbook for information on the MAC Framework APIs.
.Pp
System service and module authors should reference the
.%T "FreeBSD Developer's Handbook"
for information on the MAC Framework APIs.
.Sh SEE ALSO
.Xr acl 3 ,
.Xr cap 3 ,
.Xr mac 3 ,
.Xr lomac 4 ,
.Xr posix1e 3 ,
.Xr lomac 4 ,
.Xr ucred 9 ,
.Xr vaccess 9 ,
.Xr vaccess_acl_posix1e 9 ,
.Xr VFS 9 ,
.Xr VFS 9
.Sh AUTHORS
This man page was written by
.An Robert Watson .
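Review bot: `.%T "FreeBSD Developer's Handbook"` on its own line outside an `.Rs`/`.Re` block is accepted by groff mdoc, but mdoc(7) documents `.%T` as a reference-block macro; wrapping the citation as `.Rs` / `.%T "FreeBSD Developer's Handbook"` / `.Re` keeps it well-formed if an author or URL is added later. The SEE ALSO edits are correct as written: `.Xr lomac 4` now follows `.Xr posix1e 3` (ordering by section number, then by name) and the final `.Xr VFS 9` no longer carries a trailing comma; removing the stray `.Pp` before `.Sh SEE ALSO` is also right, since `.Sh` already breaks the paragraph.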
@ -165,10 +171,14 @@ This software was contributed to the
.Fx
Project by Network Associates Laboratories, the Security Research
Division of Network Associates Inc. under DARPA/SPAWAR contract
N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research program.
N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.
.Pp
.An -nosplit
The TrustedBSD MAC Framework was designed by
The
.Tn TrustedBSD
MAC Framework was designed by
.An Robert Watson ,
and implemented by the Network Associates Laboratories Network Security
(NETSEC), Secure Execution Environement (SEE), and Adaptive
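Review bot: "Secure Execution Environement (SEE)" on the last context line of this hunk is a typo for "Environment"; since the surrounding AUTHORS paragraph is being reworked here anyway, fix it in the same commit rather than leaving a spelling error next to fresh markup. The `.Pq Dq CBOSS ,` form is right: passing the comma as a separate trailing argument places it after the closing quote and parenthesis.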
@ -200,12 +210,16 @@ Additional contributors include:
and
.An Andrew Reiter .
.Sh HISTORY
The TrustedBSD MAC Framework first appeared in
.Fx 5.0
The
.Tn TrustedBSD
MAC Framework first appeared in
.Fx 5.0 .
.Sh BUGS
See the earlier section in this document concerning appropriateness
for production use.
The TrustedBSD MAC Framework is considered experimental in
The
.Tn TrustedBSD
MAC Framework is considered experimental in
.Fx .
.Pp
While the MAC Framework design is intended to support the containment of
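Review bot: the BUGS section still says "See the earlier section in this document concerning appropriateness for production use." in plain prose and then restates the same point in the very next sentence ("is considered experimental in FreeBSD"); use `.Sx "Note on Appropriateness for Production Use"` to cross-reference the subsection by its new title-cased heading, and keep only one of the two sentences. The `.Fx 5.0 .` change in HISTORY (terminating period as a separate argument) is correct.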