9bcac8799e
Approved by: re (blanket)
188 lines
5.8 KiB
Groff
188 lines
5.8 KiB
Groff
.\" Copyright (c) 2001, 2003 Networks Associates Technology, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" This software was developed for the FreeBSD Project by Chris
|
|
.\" Costello at Safeport Network Services and Network Associates
|
|
.\" Laboratories, the Security Research Division of Network Associates,
|
|
.\" Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part
|
|
.\" of the DARPA CHATS research program.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd April 19, 2003
|
|
.Dt MAC 3
|
|
.Os
|
|
.Sh NAME
|
|
.Nm mac
|
|
.Nd introduction to the MAC security API
|
|
.Sh LIBRARY
|
|
.Lb libc
|
|
.Sh SYNOPSIS
|
|
.In sys/mac.h
|
|
.Pp
|
|
In the kernel configuration file:
|
|
.Cd "options MAC"
|
|
.Sh DESCRIPTION
|
|
.Fx
|
|
permits administrators to define Mandatory Access Control labels
|
|
defining levels for the privacy and integrity of data,
|
|
overriding discretionary policies
|
|
for those objects.
|
|
Not all objects currently provide support for MAC labels,
|
|
and MAC support must be explicitly enabled by the administrator.
|
|
The library calls include routines to retrieve, duplicate,
|
|
and set MAC labels associated with files and processes.
|
|
.Pp
|
|
POSIX.1e describes a set of MAC manipulation routines
|
|
to manage the contents of MAC labels,
|
|
as well as their relationships with
|
|
files and processes;
|
|
almost all of these support routines
|
|
are implemented in
|
|
.Fx .
|
|
.Pp
|
|
Available functions, sorted by behavior, include:
|
|
.Bl -tag -width indent
|
|
.It Fn mac_get_fd
|
|
This function is described in
|
|
.Xr mac_get 3 ,
|
|
and may be used to retrieve the
|
|
MAC label associated with
|
|
a specific file descriptor.
|
|
.It Fn mac_get_file
|
|
This function is described in
|
|
.Xr mac_get 3 ,
|
|
and may be used to retrieve the
|
|
MAC label associated with
|
|
a named file.
|
|
.It Fn mac_get_proc
|
|
This function is described in
|
|
.Xr mac_get 3 ,
|
|
and may be used to retrieve the
|
|
MAC label associated with
|
|
the calling process.
|
|
.It Fn mac_set_fd
|
|
This function is described in
|
|
.Xr mac_set 3 ,
|
|
and may be used to set the
|
|
MAC label associated with
|
|
a specific file descriptor.
|
|
.It Fn mac_set_file
|
|
This function is described in
|
|
.Xr mac_set 3 ,
|
|
and may be used to set the
|
|
MAC label associated with
|
|
a named file.
|
|
.It Fn mac_set_proc
|
|
This function is described in
|
|
.Xr mac_set 3 ,
|
|
and may be used to set the
|
|
MAC label associated with
|
|
the calling process.
|
|
.It Fn mac_free
|
|
This function is described in
|
|
.Xr mac_free 3 ,
|
|
and may be used to free
|
|
userland working MAC label storage.
|
|
.It Fn mac_from_text
|
|
This function is described in
|
|
.Xr mac_text 3 ,
|
|
and may be used to convert
|
|
a text-form MAC label
|
|
into a working
|
|
.Vt mac_t .
|
|
.It Fn mac_prepare
|
|
.It Fn mac_prepare_file_label
|
|
.It Fn mac_prepare_ifnet_label
|
|
.It Fn mac_prepare_process_label
|
|
These functions are described in
|
|
.Xr mac_prepare 3 ,
|
|
and may be used to preallocate storage for MAC label retrieval.
|
|
.Xr mac_prepare 3
|
|
prepares a label based on caller-specified label names; the other calls
|
|
rely on the default configuration specified in
|
|
.Xr mac.conf 5 .
|
|
.It Fn mac_to_text
|
|
This function is described in
|
|
.Xr mac_text 3 ,
|
|
and may be used to convert a
|
|
.Vt mac_t
|
|
into a text-form MAC label.
|
|
.El
|
|
The behavior of some of these calls is influenced by the configuration
|
|
settings found in
|
|
.Xr mac.conf 5 ,
|
|
the MAC library run-time configuration file.
|
|
.Sh FILES
|
|
.Bl -tag -width ".Pa /etc/mac.conf" -compact
|
|
.It Pa /etc/mac.conf
|
|
MAC library configuration file, documented in
|
|
.Xr mac.conf 5 .
|
|
Provides default behavior for applications aware of MAC labels on
|
|
system objects, but without policy-specific knowledge.
|
|
.El
|
|
.Sh IMPLEMENTATION NOTES
|
|
.Fx Ns 's
|
|
support for POSIX.1e interfaces and features
|
|
is
|
|
.Ud .
|
|
.Sh SEE ALSO
|
|
.Xr mac_free 3 ,
|
|
.Xr mac_get 3 ,
|
|
.Xr mac_prepare 3 ,
|
|
.Xr mac_set 3 ,
|
|
.Xr mac_text 3 ,
|
|
.Xr mac 4 ,
|
|
.Xr mac.conf 5 ,
|
|
.Xr mac 9
|
|
.Sh STANDARDS
|
|
These APIs are loosely based on the APIs described in POSIX.1e.
|
|
POSIX.1e is described in IEEE POSIX.1e draft 17.
|
|
Discussion of the draft
|
|
continues on the cross-platform POSIX.1e implementation mailing list.
|
|
To join this list, see the
|
|
.Fx
|
|
POSIX.1e implementation page
|
|
for more information.
|
|
However, the resemblence of these APIs to the POSIX APIs is only loose,
|
|
as the POSIX APIs were unable to express many notions required for
|
|
flexible and extensible access control.
|
|
.Sh HISTORY
|
|
Support for Mandatory Access Control was introduced in
|
|
.Fx 5.0
|
|
as part of the
|
|
.Tn TrustedBSD
|
|
Project.
|
|
.Sh BUGS
|
|
The
|
|
.Tn TrustedBSD
|
|
MAC Framework and associated policies, interfaces, and
|
|
applications are considered to be an experimental feature in
|
|
.Fx .
|
|
Sites considering production deployment should keep the experimental
|
|
status of these services in mind during any deployment process.
|
|
See also
|
|
.Xr mac 9
|
|
for related considerations regarding the kernel framework.
|