2003-09-10 18:45:26 +00:00

141 lines
4.8 KiB
Groff

.\" Copyright (c) 2001 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project by NAI Labs, the
.\" Security Research Division of Network Associates, Inc. under
.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
.\" CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\" products derived from this software without specific prior written
.\" permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd November 20, 2001
.Dt LOMAC 4
.Os
.Sh NAME
.Nm LOMAC
.Nd Low-Watermark Mandatory Access Control security facility
.Sh SYNOPSIS
.Li "kldload lomac"
.Sh DESCRIPTION
The
.Nm
module provides a drop-in security mechanism in addition to the traditional
.Tn POSIX
UID-based security facilities, requiring no additional configuration
from the administrator.
.Nm
aims to be two things: it is non-intrusive, so that the system with
.Nm
will not feel largely different from the system without it, and will not
require much modification to initialize; it is also comprehensive enough
that a majority of attacks to compromise a system should fail.
.Pp
To this end, each process on the system will have a label of several
attributes, including a
.Dq high
or
.Dq low
security level, attached to it,
and these labels of integrity will be managed with a system cognizant
of IPC (signals, debugging, sockets, pipes), path-based file system
labels, virtual memory objects, and privileged system calls.
A process (or set of vmspace-sharing processes) will initially inherit
the integrity level of its parent, which, at the point of
.Nm
being started with
.Xr kldload 8 ,
will be high.
If it reads lower-integrity data from one of the controlled mechanisms,
it will then decrease its integrity level, and access to modify
higher-integrity data will be revoked.
.Sh IMPLEMENTATION NOTES
.Nm
on
.Fx ,
as implemented currently, should properly respect all aspects of any
.Xr chroot 8
or
.Xr jail 8
operation performed after it has been initialized.
Pre-existing jail or chroot environments may not necessarily work
completely.
.Nm Ns 's
file system should correctly respect the caching behavior of any of the
system's file systems, and so work for any
.Dq normal
or
.Dq synthetic
file systems.
After loaded, another root
.Xr mount 8
will exist on the system and appear as type
.Dq lomacfs .
.Sh FILES
See
.Pa /sys/security/lomac/policy_plm.h
for specific information on exactly how
.Nm
has been compiled to control access to the file system.
.Sh COMPATIBILITY
Some programs, for example
.Xr syslogd 8 ,
may need to be restarted after
.Nm
is initialized for them to continue proper operation.
This version of
.Nm
has not had widespread testing, so some common programs have probably
not been tested and could have issues that need to be worked around or
fixed.
.Sh SEE ALSO
.Xr kldload 8
.Sh HISTORY
.Nm
was initially implemented for Linux systems over the past several years.
Since then, this implementation was created via funding from the
United States DARPA.
See the copyright for details.
.Sh AUTHORS
.An Brian Fundakowski Feldman Aq bfeldman@tislabs.com
.An Timothy Fraser Aq tfraser@tislabs.com
.Sh BUGS
.Nm
has not gone through widespread testing yet, so many problems may still exist.
There is still yet one unfixed panic which is reproduceable under load
.Xr ( vrele 9
being called too many times).
The operation of
.Xr mount 2
and
.Xr unmount 2
may not work properly or at all once
.Nm
has been loaded.
After being loaded, the system must be restarted to revert to a state
without
.Nm .