mac.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Mandatory Access Control (MAC)</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="安全" href="security.html" />
<link rel="PREVIOUS" title="OpenSSH" href="openssh.html" />
<link rel="NEXT" title="File System Access Control Lists" href="fs-acl.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="openssh.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 10. 安全</td>
<td width="10%" align="right" valign="bottom"><a href="fs-acl.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC" name="MAC">10.12. Mandatory Access Control (MAC)</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Sponsored by DARPA and Network Associates
Laboratories. Contributed by</span> Robert Watson.</i> 

<p>FreeBSD 5.0 includes a new kernel security framework, the TrustedBSD MAC Framework.
The MAC Framework permits compile-time, boot-time, and run-time extension of the kernel
access control policy, and can be used to load support for Mandatory Access Control
(<acronym class="ACRONYM">MAC</acronym>), and custom security modules such as hardening
modules. The MAC Framework is currently considered to be an experimental feature, and
should not yet be used in production environments without careful consideration. It is
anticipated that the MAC Framework will be appropriate for more widespread production use
by FreeBSD 5.2.</p>

<p>When configured into a kernel, the MAC Framework permits security modules to augment
the existing kernel access control model, restricting access to system services and
objects. For example, the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_bsdextended</span>(4)</span> module augments file system access
control, permitting administrators to provide a firewall-like ruleset constraining access
to file system objects based on user ids and group membership. Some modules require
little or no configuration, such as <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_seeotheruids</span>(4)</span>, whereas others perform
ubiquitous object labeling, such as <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_biba</span>(4)</span> and <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_mls</span>(4)</span>, and require extensive configuration.</p>

<p>To enable the MAC Framework in your system kernel, you must add the following entry to
your kernel configuration:</p>

<pre class="PROGRAMLISTING">
options MAC
</pre>

<p>Security policy modules shipped with the base system may be loaded using <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">kldload</span>(8)</span> or in the boot
<span class="CITEREFENTRY"><span class="REFENTRYTITLE">loader</span>(8)</span> They may
also be compiled directly into the kernel using the following options, if the use of
modules is not desired.</p>

<p>Different MAC policies may be configured in different ways; frequently, MAC policy
modules export configuration parameters using the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">sysctl</span>(8)</span> <acronym class="ACRONYM">MIB</acronym>
using the <var class="VARNAME">security.mac</var> namespace. Policies relying on file
system or other labels may require a configuration step that involves assigning initial
labels to system objects or creating a policy configuration file. For information on how
to configure and use each policy module, see its man page.</p>

<p>A variety of tools are available to configure the MAC Framework and labels maintained
by various policies. Extensions have been made to the login and credential management
mechanisms (<span class="CITEREFENTRY"><span
class="REFENTRYTITLE">setusercontext</span>(3)</span>) to support initial user labeling
using <span class="CITEREFENTRY"><span class="REFENTRYTITLE">login.conf</span>(5)</span>.
In addition, modifications have been made to <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">su</span>(1)</span>, <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">ps</span>(1)</span>, <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">ls</span>(1)</span>, and <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">ifconfig</span>(8)</span> to inspect and set labels on processes,
files, and interfaces. In addition, several new tools have been added to manage labels on
objects, including <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">getfmac</span>(8)</span>, <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">setfmac</span>(8)</span>, and <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">setfsmac</span>(8)</span> to manage labels on files, and <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">getpmac</span>(8)</span> and <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">setpmac</span>(8)</span>.</p>

<p>What follows is a list of policy modules shipped with FreeBSD 5.0.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="MAC-POLICY-BIBA" name="MAC-POLICY-BIBA">10.12.1. Biba Integrity
Policy (mac_biba)</a></h2>

<p>Vendor: TrustedBSD Project</p>

<p>Module name: mac_biba.ko</p>

<p>Kernel option: <var class="LITERAL">MAC_BIBA</var></p>

<p>The Biba Integrity Policy (<span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_biba</span>(4)</span>) provides for hierarchical and
non-hierarchical labeling of all system objects with integrity data, and the strict
enforcement of an information flow policy to prevent corruption of high integrity
subjects and data by low-integrity subjects. Integrity is enforced by preventing high
integrity subjects (generally processes) from reading low integrity objects (often
files), and preventing low integrity subjects from writing to high integrity objects.
This security policy is frequently used in commercial trusted systems to provide strong
protection for the Trusted Code Base (<acronym class="ACRONYM">TCB</acronym>). Because it
provides ubiquitous labeling, the Biba integrity policy must be compiled into the kernel
or loaded at boot.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="MAC-POLICY-BSDEXTENDED" name="MAC-POLICY-BSDEXTENDED">10.12.2.
File System Firewall Policy (mac_bsdextended)</a></h2>

<p>Vendor: TrustedBSD Project</p>

<p>Module name: mac_bsdextended.ko</p>

<p>Kernel option: <var class="LITERAL">MAC_BSDEXTENDED</var></p>

<p>The File System Firewall Policy (<span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_bsdextended</span>(4)</span>) provides an extension to the BSD
file system permission model, permitting the administrator to define a set of
firewall-like rules for limiting access to file system objects owned by other users and
groups. Managed using <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">ugidfw</span>(8)</span>, rules may limit access to files and
directories based on the uid and gids of the process attempting the access, and the owner
and group of the target of the access attempt. All rules are restrictive, so they may be
placed in any order. This policy requires no prior configuration or labeling, and may be
appropriate in multi-user environments where mandatory limits on inter-user data exchange
are required. Caution should be exercised in limiting access to files owned by the
super-user or other system user ids, as many useful programs and directories are owned by
these users. As with a network firewall, improper application of file system firewall
rules may render the system unusable. New tools to manage the rule set may be easily
written using the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">libugidfw</span>(3)</span> library.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="MAC-POLICY-IFOFF" name="MAC-POLICY-IFOFF">10.12.3. Interface
Silencing Policy (mac_ifoff)</a></h2>

<p>Vendor: TrustedBSD Project</p>

<p>Module name: mac_ifoff.ko</p>

<p>Kernel option: <var class="LITERAL">MAC_IFOFF</var></p>

<p>The interface silencing policy (<span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_ifoff</span>(4)</span>) prohibits the use of network interfaces
during the boot until explicitly enabled, preventing spurious stack output stack response
to incoming packets. This is appropriate for use in environments where the monitoring of
packets is required, but no traffic may be generated.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="MAC-POLICY-LOMAC" name="MAC-POLICY-LOMAC">10.12.4. Low-Watermark
Mandatory Access Control (LOMAC) (mac_lomac)</a></h2>

<p>Vendor: Network Associates Laboratories</p>

<p>Module name: mac_lomac.ko</p>

<p>Kernel option: <var class="LITERAL">MAC_LOMAC</var></p>

<p>Similar to the Biba Integrity Policy, the LOMAC policy (<span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_lomac</span>(4)</span>) relies on
the ubiquitous labeling of all system objects with integrity labels. Unlike Biba, LOMAC
permits high integrity subjects to read from low integrity objects, but then downgrades
the label on the subject to prevent future writes to high integrity objects. This policy
may provide for greater compatibility, as well as require less initial configuration than
Biba. However, as with Biba, it ubiquitously labels objects and must therefore be
compiled into the kernel or loaded at boot.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="MAC-POLICY-MLS" name="MAC-POLICY-MLS">10.12.5. Multi-Level
Security Policy (MLS) (mac_mls)</a></h2>

<p>Vendor: TrustedBSD Project</p>

<p>Module name: mac_mls.ko</p>

<p>Kernel option: <var class="LITERAL">MAC_MLS</var></p>

<p>Multi-Level Security (<acronym class="ACRONYM">MLS</acronym>) (<span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_mls</span>(4)</span>) provides for
hierarchical and non-hierarchical labeling of all system objects with sensitivity data,
and the strict enforcement of an information flow policy to prevent the leakage of
confidential data to untrusted parties. The logical conjugate of the Biba Integrity
Policy, <acronym class="ACRONYM">MLS</acronym> is frequently shipped in commercial
trusted operating systems to protect data secrecy in multi-user environments. Hierarchal
labels provide support for the notion of clearances and classifications in traditional
parlance; non-hierarchical labels provide support for ``need-to-know.'' As with Biba,
ubiquitous labeling of objects occurs, and it must therefore be compiled into the kernel
or loaded at boot. As with Biba, extensive initial configuration may be required.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="MAC-POLICY-NONE" name="MAC-POLICY-NONE">10.12.6. MAC Stub Policy
(mac_none)</a></h2>

<p>Vendor: TrustedBSD Project</p>

<p>Module name: mac_none.ko</p>

<p>Kernel option: <var class="LITERAL">MAC_NONE</var></p>

<p>The None policy (<span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_none</span>(4)</span>) provides a stub sample policy for
developers, implementing all entry points, but not changing the system access control
policy. Running this on a production system would not be highly beneficial.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="MAC-POLICY-PARTITION" name="MAC-POLICY-PARTITION">10.12.7.
Process Partition Policy (mac_partition)</a></h2>

<p>Vendor: TrustedBSD Project</p>

<p>Module name: mac_partition.ko</p>

<p>Kernel option: <var class="LITERAL">MAC_PARTITION</var></p>

<p>The Partition policy (<span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_partition</span>(4)</span>) provides for a simple process
visibility limitation, assigning labels to processes identifying what numeric system
partition they are present in. If none, all other processes are visible using standard
monitoring tools; if a partition identifier is present, then only other processes in the
same partition are visible. This policy may be compiled into the kernel, loaded at boot,
or loaded at run-time.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="MAC-POLICY-SEEOTHERUIDS" name="MAC-POLICY-SEEOTHERUIDS">10.12.8.
See Other Uids Policy (mac_seeotheruids)</a></h2>

<p>Vendor: TrustedBSD Project</p>

<p>Module name: mac_seeotheruids.ko</p>

<p>Kernel option: <var class="LITERAL">MAC_SEEOTHERUIDS</var></p>

<p>The See Other Uids policy (<span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_seeotheruids</span>(4)</span>) implements a similar process
visibility model to mac_partition, except that it relies on process credentials to
control visibility of processes, rather than partition labels. This policy may be
configured to exempt certain users and groups, including permitting system operators to
view all processes without special privilege. This policy may be compiled into the
kernel, loaded at boot, or loaded at run-time.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="MAC-POLICY-TEST" name="MAC-POLICY-TEST">10.12.9. MAC Framework
Test Policy (mac_test)</a></h2>

<p>Vendor: TrustedBSD Project</p>

<p>Module name: mac_test.ko</p>

<p>Kernel option: <var class="LITERAL">MAC_TEST</var></p>

<p>The Test policy (<span class="CITEREFENTRY"><span
class="REFENTRYTITLE">mac_test</span>(4)</span>) provides a regression test environment
for the MAC Framework, and will cause a fail-stop in the event that internal MAC
Framework assertions about proper data labeling fail. This module can be used to detect
failures to properly label system objects in the kernel implementation. This policy may
be compiled into the kernel, loaded at boot, or loaded at run-time.</p>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="openssh.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="fs-acl.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">OpenSSH</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">File System Access Control Lists</td>
</tr>
</table>
</div>
</body>
</html>