mac(9)
NAME
mac - TrustedBSD Mandatory Access Control framework
SYNOPSIS
#include <sys/types.h> #include <sys/mac.h> In the kernel configuration file: options MAC options MAC_DEBUG
DESCRIPTION
- Introduction
- The TrustedBSD mandatory access control framework permits
- dynamically introduced system security modules to modify system security
- functionality. This can be used to support a variety of new security
- services, including traditional labeled mandatory access control mod
- els. The framework provides a series of entry points which must be
- called by code supporting various kernel services, especially with respects
- to access control points and object creation. The framework then
- calls out to security modules to offer them the opportunity to modify se
- curity behavior at those MAC API entry points. Both consumers of the
- API (normal kernel services) and security modules must be aware of the
- semantics of the API calls, particularly with respect to synchronization
- primitives (such as locking).
- Note on Appropriateness for Production Use
- The TrustedBSD MAC Framework included in FreeBSD 5.0 is con
- sidered experimental, and should not be deployed in production environ
- ments without careful consideration of the risks associated with the use
- of experimental operating system features.
- Kernel Objects Supported by the Framework
- The MAC framework manages labels on a variety of types of
- in-kernel objects, including process credentials, vnodes, devfs_di
- rents, mount points, sockets, mbufs, bpf descriptors, network interfaces,
- IP fragment queues, and pipes. Label data on kernel objects, represent
- ed by struct label, is policy-unaware, and may be used in the manner seen
- fit by policy modules.
- API for Consumers
- The MAC API provides a large set of entry points, too broad
- to specifically document here. In general, these entry points repre
- sent an access control check or other MAC-relevant operations, accept one
- or more subjects (credentials) authorizing the activity, a set of ob
- jects on which the operation is to be performed, and a set of operation ar
- guments providing information about the type of operation being re
- quested.
- Locking for Consumers
- Consumers of the MAC API must be aware of the locking re
- quirements for each API entry point: generally, appropriate locks must be
- held over each subject or object being passed into the call, so that MAC
- modules may make use of various aspects of the object for access control
- purposes. For example, vnode locks are frequently required in order
- that the MAC framework and modules may retrieve security labels and at
- tributes from the vnodes for the purposes of access control. Similarly,
- the caller must be aware of the reference counting semantics of any
- subject or object passed into the MAC API: all calls require that a
- valid reference to the object be held for the duration of the (potentially
- lengthy) MAC API call. Under some circumstances, objects must be held in
- either a shared or exclusive manner.
- API for Module Writers
- Each module exports a structure describing the MAC API oper
- ations that the module chooses to implement, including initialization
- and destruction API entry points, a variety of object creation and destruc
- tion calls, and a large set of access control check points. In the future,
- additional audit entry points will also be present. Module authors may
- choose to only implement a subset of the entry points, setting API
- function pointers in the description structure to NULL, permitting the
- framework to avoid calling into the module.
- Locking for Module Writers
- Module writers must be aware of the locking semantics of en
- try points that they implement: MAC API entry points will have specific
- locking or reference counting semantics for each argument, and modules
- must follow the locking and reference counting protocol or risk a vari
- ety of failure modes (including race conditions, inappropriate pointer
- dereferences, etc).
- MAC module writers must also be aware that MAC API entry
- points will frequently be invoked from deep in a kernel stack, and as such
- must be careful to avoid violating more global locking requirements,
- such as global lock order requirements. For example, it may be inappropri
- ate to lock additional objects not specifically maintained and ordered
- by the policy module, or the policy module might violate a global ordering
- requirement relating to those additional objects.
- Finally, MAC API module implementors must be careful to
- avoid inappropriately calling back into the MAC framework: the framework
- makes use of locking to prevent inconsistencies during policy module at
- tachment and detachment. MAC API modules should avoid producing scenar
- ios in which deadlocks or inconsistencies might occur.
- Adding New MAC Entry Points
- The MAC API is intended to be easily expandable as new ser
- vices are added to the kernel. In order that policies may be guaranteed the
- opportunity to ubiquitously protect system subjects and objects, it is
- important that kernel developers maintain awareness of when security checks
- or relevant subject or object operations occur in newly written or modi
- fied kernel code. New entry points must be carefully documented so as
- to prevent any confusion regarding lock orders and semantics. Introducing
- new entry points requires four distinct pieces of work: introducing
- new MAC API entries reflecting the operation arguments, scattering these
- MAC API entry points throughout the new or modified kernel service,
- extending the front-end implementation of the MAC API framework, and modi
- fying appropriate modules to take advantage of the new entry points so
- that they may consistently enforce their policies.
ENTRY POINTS
- System service and module authors should reference the
- FreeBSD Developer's Handbook for information on the MAC Framework
- APIs.
SEE ALSO
- acl(3), mac(3), posix1e(3), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_lomac(4), mac_mls(4), mac_none(4),
- mac_partition(4), mac_seeotheruids(4), mac_test(4), ucred(9), vaccess(9), vaccess_acl_posix1e(9), VFS(9)
- The FreeBSD Developers' Handbook, http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/developers
- handbook/.
HISTORY
The TrustedBSD MAC Framework first appeared in FreeBSD 5.0.
AUTHORS
- This manual page was written by Robert Watson. This soft
- ware was contributed to the FreeBSD Project by Network Associates Labo
- ratories, the Security Research Division of Network Associates Inc. under
- DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA
- CHATS research program.
- The TrustedBSD MAC Framework was designed by Robert Watson,
- and implemented by the Network Associates Laboratories Network Secu
- rity (NETSEC), Secure Execution Environment (SEE), and Adaptive Network De
- fense research groups. Network Associates Laboratory staff contributing to
- the CBOSS Project include (in alphabetical order): Lee Badger, Brian
- Feldman, Hrishikesh Dandekar, Tim Fraser, Doug Kilpatrick, Suresh Kr
- ishnaswamy, Adam Migus, Wayne Morrison, Andrew Reisse, Chris Vance, and
- Robert Watson.
- Sub-contracted staff include: Chris Costello, Poul-Henning
- Kamp, Jonathan Lemon, Kirk McKusick, Dag-Erling Smorgrav.
- Additional contributors include: Pawel Dawidek, Chris Faul
- haber, Ilmar Habibulin, Mike Halderman, Bosko Milekic, Thomas Moestl, An
- drew Reiter, and Tim Robbins.
BUGS
- See the earlier section in this document concerning appro
- priateness for production use. The TrustedBSD MAC Framework is considered
- experimental in FreeBSD.
- While the MAC Framework design is intended to support the
- containment of the root user, not all attack channels are currently pro
- tected by entry point checks. As such, MAC Framework policies should not be
- relied on, in isolation, to protect against a malicious privileged us
- er.
- BSD February 16, 2002