mac-partition.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>The MAC partition Module</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="MAC Policies with Labeling Features"
href="mac-labelingpolicies.html" />
<link rel="NEXT" title="The MAC Multi-Level Security Module" href="mac-mls.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-labelingpolicies.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 15 Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-mls.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-PARTITION" name="MAC-PARTITION">15.10 The MAC partition
Module</a></h1>

<p>Module name: <tt class="FILENAME">mac_partition.ko</tt></p>

<p>Kernel configuration line: <var class="LITERAL">options MAC_PARTITION</var></p>

<p>Boot option: <var class="LITERAL">mac_partition_load="YES"</var></p>

<p>The <a href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_partition&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_partition</span>(4)</span></a>
policy will drop processes into specific ``partitions'' based on their <acronym
class="ACRONYM">MAC</acronym> label. Think of it as a special type of <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=jail&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">jail</span>(8)</span></a>, though that
is hardly a worthy comparison.</p>

<p>This is one module that should be added to the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=loader.conf&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">loader.conf</span>(5)</span></a> file so
that it loads and enables the policy during the boot process.</p>

<p>Most configuration for this policy is done using the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=setpmac&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">setpmac</span>(8)</span></a> utility
which will be explained below. The following <tt class="COMMAND">sysctl</tt> tunable is
available for this policy:</p>

<ul>
<li>
<p><var class="LITERAL">security.mac.partition.enabled</var> will enable the enforcement
of <acronym class="ACRONYM">MAC</acronym> process partitions.</p>
</li>
</ul>

<p>When this policy is enabled, users will only be permitted to see their processes but
will not be permitted to work with certain utilities. For instance, a user in the <var
class="LITERAL">insecure</var> class above will not be permitted to access the <tt
class="COMMAND">top</tt> command as well as many other commands that must spawn a
process.</p>

<p>To set or drop utilities into a partition label, use the <tt
class="COMMAND">setpmac</tt> utility:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">setpmac partition/13 top</kbd>
</pre>

<p>This will add the <tt class="COMMAND">top</tt> command to the label set on users in
the <var class="LITERAL">insecure</var> class. Note that all processes spawned by users
in the <var class="LITERAL">insecure</var> class will stay in the <var
class="LITERAL">partition/13</var> label.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22657" name="AEN22657">15.10.1 Examples</a></h2>

<p>The following command will show you the partition label and the process list:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">ps Zax</kbd>
</pre>

<p>This next command will allow the viewing of another user's process partition label and
that user's currently running processes:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">ps -ZU trhodes</kbd>
</pre>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> Users can see processes in <tt class="USERNAME">root</tt>'s label unless
the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_seeotheruids&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_seeotheruids</span>(4)</span></a>
policy is loaded.</p>
</blockquote>
</div>

<p>A really crafty implementation could have all of the services disabled in <tt
class="FILENAME">/etc/rc.conf</tt> and started by a script that starts them with the
proper labeling set.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> The following policies support integer settings in place of the three
default labels offered. These options, including their limitations, are further explained
in the module manual pages.</p>
</blockquote>
</div>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-labelingpolicies.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="mac-mls.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">MAC Policies with Labeling Features</td>
<td width="34%" align="center" valign="top"><a href="mac.html" accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">The MAC Multi-Level Security Module</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>