/share/man/man4/mac_stub.4

  1.\" Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
  2.\" All rights reserved.
  3.\"
  4.\" This software was developed for the FreeBSD Project by Chris Costello
  5.\" at Safeport Network Services and Network Associates Laboratories, the
  6.\" Security Research Division of Network Associates, Inc. under
  7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
  8.\" DARPA CHATS research program.
  9.\"
 10.\" Redistribution and use in source and binary forms, with or without
 11.\" modification, are permitted provided that the following conditions
 12.\" are met:
 13.\" 1. Redistributions of source code must retain the above copyright
 14.\"    notice, this list of conditions and the following disclaimer.
 15.\" 2. Redistributions in binary form must reproduce the above copyright
 16.\"    notice, this list of conditions and the following disclaimer in the
 17.\"    documentation and/or other materials provided with the distribution.
 18.\"
 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 29.\" SUCH DAMAGE.
 30.\"
 31.\" $FreeBSD$
 32.\"
 33.Dd December 1, 2002
 34.Dt MAC_STUB 4
 35.Os
 36.Sh NAME
 37.Nm mac_stub
 38.Nd "MAC policy stub module"
 39.Sh SYNOPSIS
 40To compile the stub policy
 41into your kernel, place the following lines in your kernel
 42configuration file:
 43.Bd -ragged -offset indent
 44.Cd "options MAC"
 45.Cd "options MAC_STUB"
 46.Ed
 47.Pp
 48Alternately, to load the stub module at boot time, place the following line
 49in your kernel configuration file:
 50.Bd -ragged -offset indent
 51.Cd "options MAC"
 52.Ed
 53.Pp
 54and in
 55.Xr loader.conf 5 :
 56.Bd -literal -offset indent
 57mac_stub_load="YES"
 58.Ed
 59.Sh DESCRIPTION
 60The
 61.Nm
 62policy module implements a stub MAC policy that has no effect on
 63access control in the system.
 64Unlike
 65.Xr mac_none 4 ,
 66each MAC entry point is defined as a
 67.Dq no-op ,
 68so the policy module will be entered for each event, but no change
 69in system behavior should result.
 70.Ss Label Format
 71No labels are defined for
 72.Nm .
 73.Sh SEE ALSO
 74.Xr mac 4 ,
 75.Xr mac_biba 4 ,
 76.Xr mac_bsdextended 4 ,
 77.Xr mac_ifoff 4 ,
 78.Xr mac_lomac 4 ,
 79.Xr mac_mls 4 ,
 80.Xr mac_none 4 ,
 81.Xr mac_partition 4 ,
 82.Xr mac_portacl 4 ,
 83.Xr mac_seeotheruids 4 ,
 84.Xr mac_test 4 ,
 85.Xr mac 9
 86.Sh HISTORY
 87The
 88.Nm
 89policy module first appeared in
 90.Fx 5.1
 91and was developed by the
 92.Tn TrustedBSD
 93Project.
 94.Sh AUTHORS
 95This software was contributed to the
 96.Fx
 97Project by Network Associates Labs,
 98the Security Research Division of Network Associates
 99Inc.
100under DARPA/SPAWAR contract N66001-01-C-8035
101.Pq Dq CBOSS ,
102as part of the DARPA CHATS research program.
103.Sh BUGS
104See
105.Xr mac 9
106concerning appropriateness for production use.
107The
108.Tn TrustedBSD
109MAC Framework is considered experimental in
110.Fx .
111.Pp
112While the MAC Framework design is intended to support the containment of
113the root user, not all attack channels are currently protected by entry
114point checks.
115As such, MAC Framework policies should not be relied on, in isolation,
116to protect against a malicious privileged user.