PageRenderTime 16ms CodeModel.GetById 12ms app.highlight 1ms RepoModel.GetById 2ms app.codeStats 0ms

/share/man/man4/mac_bsdextended.4

https://bitbucket.org/freebsd/freebsd-head/
Forth | 149 lines | 149 code | 0 blank | 0 comment | 2 complexity | 5193cf12b8807c6655dc13b3da7e0a04 MD5 | raw file
  1.\" Copyright (c) 2002 Networks Associates Technology, Inc.
  2.\" All rights reserved.
  3.\"
  4.\" This software was developed for the FreeBSD Project by Chris Costello
  5.\" at Safeport Network Services and Network Associates Laboratories, the
  6.\" Security Research Division of Network Associates, Inc. under
  7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
  8.\" DARPA CHATS research program.
  9.\"
 10.\" Redistribution and use in source and binary forms, with or without
 11.\" modification, are permitted provided that the following conditions
 12.\" are met:
 13.\" 1. Redistributions of source code must retain the above copyright
 14.\"    notice, this list of conditions and the following disclaimer.
 15.\" 2. Redistributions in binary form must reproduce the above copyright
 16.\"    notice, this list of conditions and the following disclaimer in the
 17.\"    documentation and/or other materials provided with the distribution.
 18.\"
 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 29.\" SUCH DAMAGE.
 30.\"
 31.\" $FreeBSD$
 32.\"
 33.Dd May 21, 2005
 34.Dt MAC_BSDEXTENDED 4
 35.Os
 36.Sh NAME
 37.Nm mac_bsdextended
 38.Nd "file system firewall policy"
 39.Sh SYNOPSIS
 40To compile the file system firewall policy into your kernel,
 41place the following lines in your kernel configuration file:
 42.Bd -ragged -offset indent
 43.Cd "options MAC"
 44.Cd "options MAC_BSDEXTENDED"
 45.Ed
 46.Pp
 47Alternately, to load the file system firewall policy module at boot time,
 48place the following line in your kernel configuration file:
 49.Bd -ragged -offset indent
 50.Cd "options MAC"
 51.Ed
 52.Pp
 53and in
 54.Xr loader.conf 5 :
 55.Bd -literal -offset indent
 56mac_bsdextended_load="YES"
 57.Ed
 58.Sh DESCRIPTION
 59The
 60.Nm
 61security policy module provides an interface for the system administrator
 62to impose mandatory rules regarding users and some system objects.
 63Rules are uploaded to the module
 64(typically using
 65.Xr ugidfw 8 ,
 66or some other tool utilizing
 67.Xr libugidfw 3 )
 68where they are stored internally
 69and used to determine whether to allow or deny specific accesses
 70(see
 71.Xr ugidfw 8 ) .
 72.Sh IMPLEMENTATION NOTES
 73While the traditional
 74.Xr mac 9
 75entry points are implemented,
 76policy labels are not used;
 77instead, access control decisions are made by iterating through the internal
 78list of rules until a rule
 79which denies the particular access
 80is found,
 81or the end of the list is reached.
 82The
 83.Nm
 84policy works similar to
 85.Xr ipfw 8
 86or by using a
 87.Em first match semantic .
 88This means that not all rules are applied,
 89only the first matched rule; thus if
 90Rule A allows access and Rule B blocks
 91access, Rule B will never be applied.
 92.Pp
 93.Ss Sysctls
 94The following sysctls may be used to tweak the behavior of
 95.Nm :
 96.Bl -tag -width indent
 97.It Va security.mac.bsdextended.enabled
 98Set to zero or one to toggle the policy off or on.
 99.It Va security.mac.bsdextended.rule_count
100List the number of defined rules, the maximum rule count is
101current set at 256.
102.It Va security.mac.bsdextended.rule_slots
103List the number of rule slots currently being used.
104.It Va security.mac.bsdextended.firstmatch_enabled
105Toggle between the old all rules match functionality
106and the new first rule matches functionality.
107This is enabled by default.
108.It Va security.mac.bsdextended.logging
109Log all access violations via the
110.Dv AUTHPRIV
111.Xr syslog 3
112facility.
113.It Va security.mac.bsdextended.rules
114Currently does nothing interesting.
115.El
116.Sh SEE ALSO
117.Xr libugidfw 3 ,
118.Xr syslog 3 ,
119.Xr mac 4 ,
120.Xr mac_biba 4 ,
121.Xr mac_ifoff 4 ,
122.Xr mac_lomac 4 ,
123.Xr mac_mls 4 ,
124.Xr mac_none 4 ,
125.Xr mac_partition 4 ,
126.Xr mac_portacl 4 ,
127.Xr mac_seeotheruids 4 ,
128.Xr mac_test 4 ,
129.Xr ipfw 8 ,
130.Xr ugidfw 8 ,
131.Xr mac 9
132.Sh HISTORY
133The
134.Nm
135policy module first appeared in
136.Fx 5.0
137and was developed by the
138.Tn TrustedBSD
139Project.
140.Pp
141The "match first case" and logging capabilities were later added by
142.An Tom Rhodes Aq trhodes@FreeBSD.org .
143.Sh AUTHORS
144This software was contributed to the
145.Fx
146Project by NAI Labs, the Security Research Division of Network Associates
147Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
148.Pq Dq CBOSS ,
149as part of the DARPA CHATS research program.