path: root/static/freebsd/man4/mac.4 3.html
Diffstat (limited to 'static/freebsd/man4/mac.4 3.html')
-rw-r--r-- static/freebsd/man4/mac.4 3.html | 287
1 files changed, 287 insertions, 0 deletions
diff --git a/static/freebsd/man4/mac.4 3.html b/static/freebsd/man4/mac.4 3.html
new file mode 100644
index 00000000..0af6d005
--- /dev/null
+++ b/static/freebsd/man4/mac.4 3.html
@@ -0,0 +1,287 @@
+<table class="head">
+ <tr>
+ <td class="head-ltitle">MAC(4)</td>
+ <td class="head-vol">Device Drivers Manual</td>
+ <td class="head-rtitle">MAC(4)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<section class="Sh">
+<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
+<p class="Pp"><code class="Nm">mac</code> &#x2014; <span class="Nd">Mandatory
+ Access Control</span></p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<p class="Pp"><code class="Cd">options MAC</code></p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+<section class="Ss">
+<h2 class="Ss" id="Introduction"><a class="permalink" href="#Introduction">Introduction</a></h2>
+<p class="Pp">The Mandatory Access Control, or MAC, framework allows
+ administrators to finely control system security by providing for a loadable
+ security policy architecture. It is important to note that due to its
+ nature, MAC security policies may only restrict access relative to one
+ another and the base system policy; they cannot override traditional
+ <span class="Ux">UNIX</span> security provisions such as file permissions
+ and superuser checks.</p>
+<p class="Pp">Currently, the following MAC policy modules are shipped with
+ <span class="Ux">FreeBSD</span>:</p>
+<table class="Bl-column">
+ <tr id="Name">
+ <td><a class="permalink" href="#Name"><b class="Sy">Name</b></a></td>
+ <td><a class="permalink" href="#Description"><b class="Sy" id="Description">Description</b></a></td>
+ <td><a class="permalink" href="#Labeling"><b class="Sy" id="Labeling">Labeling</b></a></td>
+ <td><a class="permalink" href="#Load"><b class="Sy" id="Load">Load
+ time</b></a></td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_biba(4)</a></td>
+ <td>Biba integrity policy</td>
+ <td>yes</td>
+ <td>boot only</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_bsdextended(4)</a></td>
+ <td>File system firewall</td>
+ <td>no</td>
+ <td>any time</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_ddb(4)</a></td>
+ <td>ddb(4) interface restrictions</td>
+ <td>no</td>
+ <td>any time</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_do(4)</a></td>
+ <td>Change command's uid/gid</td>
+ <td>no</td>
+ <td>any time</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_ifoff(4)</a></td>
+ <td>Interface silencing</td>
+ <td>no</td>
+ <td>any time</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_ipacl(4)</a></td>
+ <td>IP Address access control</td>
+ <td>no</td>
+ <td>any time</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_lomac(4)</a></td>
+ <td>Low-Watermark MAC policy</td>
+ <td>yes</td>
+ <td>boot only</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_mls(4)</a></td>
+ <td>Confidentiality policy</td>
+ <td>yes</td>
+ <td>boot only</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_ntpd(4)</a></td>
+ <td>Non-root NTP Daemon policy</td>
+ <td>no</td>
+ <td>any time</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_partition(4)</a></td>
+ <td>Process partition policy</td>
+ <td>yes</td>
+ <td>any time</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_portacl(4)</a></td>
+ <td>Port bind(2) access control</td>
+ <td>no</td>
+ <td>any time</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_priority(4)</a></td>
+ <td>Scheduling priority policy</td>
+ <td>no</td>
+ <td>any time</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_seeotheruids(4)</a></td>
+ <td>See-other-UIDs policy</td>
+ <td>no</td>
+ <td>any time</td>
+ </tr>
+ <tr>
+ <td><a class="Xr">mac_test(4)</a></td>
+ <td>MAC testing policy</td>
+ <td>no</td>
+ <td>any time</td>
+ </tr>
+</table>
+</section>
+<section class="Ss">
+<h2 class="Ss" id="MAC_Labels"><a class="permalink" href="#MAC_Labels">MAC
+ Labels</a></h2>
+<p class="Pp">Each system subject (processes, sockets, etc.) and each system
+ object (file system objects, jails, sockets, etc.) can carry with it a MAC
+ label. MAC labels contain data in an arbitrary format taken into
+ consideration in making access control decisions for a given operation. Most
+ MAC labels on system subjects and objects can be modified directly or
+ indirectly by the system administrator. The format for a given policy's
+ label may vary depending on the type of object or subject being labeled.
+ More information on the format for MAC labels can be found in the
+ <a class="Xr">maclabel(7)</a> man page.</p>
+</section>
+<section class="Ss">
+<h2 class="Ss" id="MAC_Support_for_UFS2_File_Systems"><a class="permalink" href="#MAC_Support_for_UFS2_File_Systems">MAC
+ Support for UFS2 File Systems</a></h2>
+<p class="Pp">By default, file system enforcement of labeled MAC policies relies
+ on a single file system label (see <a class="Sx" href="#MAC_Labels">MAC
+ Labels</a>) in order to make access control decisions for all the files in a
+ particular file system. With some policies, this configuration may not allow
+ administrators to take full advantage of features. In order to enable
+ support for labeling files on an individual basis for a particular file
+ system, the &#x201C;multilabel&#x201D; flag must be enabled on the file
+ system. To set the &#x201C;multilabel&#x201D; flag, drop to single-user mode
+ and unmount the file system, then execute the following command:</p>
+<p class="Pp"></p>
+<div class="Bd Bd-indent"><code class="Li">tunefs -l enable
+ <var class="Ar">filesystem</var></code></div>
+<p class="Pp">where <var class="Ar">filesystem</var> is either the mount point
+ (in <a class="Xr">fstab(5)</a>) or the special file (in
+ <span class="Pa">/dev</span>) corresponding to the file system on which to
+ enable multilabel support.</p>
+</section>
+<section class="Ss">
+<h2 class="Ss" id="Policy_Enforcement"><a class="permalink" href="#Policy_Enforcement">Policy
+ Enforcement</a></h2>
+<p class="Pp">Policy enforcement is divided into the following areas of the
+ system:</p>
+<dl class="Bl-ohang">
+ <dt id="File"><a class="permalink" href="#File"><b class="Sy">File
+ System</b></a></dt>
+ <dd>File system mounts, modifying directories, modifying files, etc.</dd>
+ <dt id="Jails"><a class="permalink" href="#Jails"><b class="Sy">Jails</b></a></dt>
+ <dd>Creating, modifying, removing, and attaching to jails</dd>
+ <dt id="KLD"><a class="permalink" href="#KLD"><b class="Sy">KLD</b></a></dt>
+ <dd>Loading, unloading, and retrieving statistics on loaded kernel
+ modules</dd>
+ <dt id="Network"><a class="permalink" href="#Network"><b class="Sy">Network</b></a></dt>
+ <dd>Network interfaces, <a class="Xr">bpf(4)</a>, packet delivery and
+ transmission, interface configuration (<a class="Xr">ioctl(2)</a>,
+ <a class="Xr">ifconfig(8)</a>)</dd>
+ <dt id="Pipes"><a class="permalink" href="#Pipes"><b class="Sy">Pipes</b></a></dt>
+ <dd>Creation of and operation on <a class="Xr">pipe(2)</a> objects</dd>
+ <dt id="Processes"><a class="permalink" href="#Processes"><b class="Sy">Processes</b></a></dt>
+ <dd>Debugging (e.g. <a class="Xr">ktrace(2)</a>), process visibility
+ (<a class="Xr">ps(1)</a>), process execution
+ (<a class="Xr">execve(2)</a>), signalling (<a class="Xr">kill(2)</a>)</dd>
+ <dt id="Sockets"><a class="permalink" href="#Sockets"><b class="Sy">Sockets</b></a></dt>
+ <dd>Creation of and operation on <a class="Xr">socket(2)</a> objects</dd>
+ <dt id="System"><a class="permalink" href="#System"><b class="Sy">System</b></a></dt>
+ <dd>Kernel environment (<a class="Xr">kenv(1)</a>), system accounting
+ (<a class="Xr">acct(2)</a>), <a class="Xr">reboot(2)</a>,
+ <a class="Xr">settimeofday(2)</a>, <a class="Xr">swapon(2)</a>,
+ <a class="Xr">sysctl(3)</a>, <a class="Xr">nfsd(8)</a>-related
+ operations</dd>
+ <dt id="VM"><a class="permalink" href="#VM"><b class="Sy">VM</b></a></dt>
+ <dd><a class="Xr">mmap(2)</a>-ed files</dd>
+</dl>
+</section>
+<section class="Ss">
+<h2 class="Ss" id="Setting_MAC_Labels"><a class="permalink" href="#Setting_MAC_Labels">Setting
+ MAC Labels</a></h2>
+<p class="Pp">From the command line, each type of system object has its own
+ means for setting and modifying its MAC policy label.</p>
+<table class="Bl-column Bd-indent">
+ <tr id="Subject/Object">
+ <td><a class="permalink" href="#Subject/Object"><b class="Sy">Subject/Object</b></a></td>
+ <td><a class="permalink" href="#Utility"><b class="Sy" id="Utility">Utility</b></a></td>
+ </tr>
+ <tr>
+ <td>File system object</td>
+ <td><a class="Xr">setfmac(8)</a>, <a class="Xr">setfsmac(8)</a></td>
+ </tr>
+ <tr>
+ <td>Jail</td>
+ <td><a class="Xr">jail(8)</a></td>
+ </tr>
+ <tr>
+ <td>Network interface</td>
+ <td><a class="Xr">ifconfig(8)</a></td>
+ </tr>
+ <tr>
+ <td>TTY (by login class)</td>
+ <td><a class="Xr">login.conf(5)</a></td>
+ </tr>
+ <tr>
+ <td>User (by login class)</td>
+ <td><a class="Xr">login.conf(5)</a></td>
+ </tr>
+</table>
+<p class="Pp">Additionally, the <a class="Xr">su(1)</a> and
+ <a class="Xr">setpmac(8)</a> utilities can be used to run a command with a
+ different process label than the shell's current label.</p>
+</section>
+<section class="Ss">
+<h2 class="Ss" id="Programming_With_MAC"><a class="permalink" href="#Programming_With_MAC">Programming
+ With MAC</a></h2>
+<p class="Pp">MAC security enforcement itself is transparent to application
+ programs, with the exception that some programs may need to be aware of
+ additional <a class="Xr">errno(2)</a> returns from various system calls.</p>
+<p class="Pp">The interface for retrieving, handling, and setting policy labels
+ is documented in the <a class="Xr">mac(3)</a> man page.</p>
+</section>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<p class="Pp"><a class="Xr">mac(3)</a>, <a class="Xr">mac_biba(4)</a>,
+ <a class="Xr">mac_bsdextended(4)</a>, <a class="Xr">mac_ddb(4)</a>,
+ <a class="Xr">mac_do(4)</a>, <a class="Xr">mac_ifoff(4)</a>,
+ <a class="Xr">mac_ipacl(4)</a>, <a class="Xr">mac_lomac(4)</a>,
+ <a class="Xr">mac_mls(4)</a>, <a class="Xr">mac_none(4)</a>,
+ <a class="Xr">mac_ntpd(4)</a>, <a class="Xr">mac_partition(4)</a>,
+ <a class="Xr">mac_portacl(4)</a>, <a class="Xr">mac_priority(4)</a>,
+ <a class="Xr">mac_seeotheruids(4)</a>, <a class="Xr">mac_stub(4)</a>,
+ <a class="Xr">mac_test(4)</a>, <a class="Xr">login.conf(5)</a>,
+ <a class="Xr">maclabel(7)</a>, <a class="Xr">jail(8)</a>,
+ <a class="Xr">getfmac(8)</a>, <a class="Xr">getpmac(8)</a>,
+ <a class="Xr">setfmac(8)</a>, <a class="Xr">setpmac(8)</a>,
+ <a class="Xr">mac(9)</a></p>
+<p class="Pp"><cite class="Rs"><span class="RsT">Mandatory Access
+ Control</span>, <i class="RsB">The FreeBSD Handbook</i>,
+ <a class="RsU" href="https://docs.FreeBSD.org/en/books/handbook/mac/">https://docs.FreeBSD.org/en/books/handbook/mac/</a>.</cite></p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1>
+<p class="Pp">The <code class="Nm">mac</code> implementation first appeared in
+ <span class="Ux">FreeBSD 5.0</span> and was developed by the TrustedBSD
+ Project.</p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
+<p class="Pp">This software was contributed to the
+ <span class="Ux">FreeBSD</span> Project by Network Associates Labs, the
+ Security Research Division of Network Associates Inc. under DARPA/SPAWAR
+ contract N66001-01-C-8035 (&#x201C;CBOSS&#x201D;), as part of the DARPA
+ CHATS research program.</p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1>
+<p class="Pp">While the MAC Framework design is intended to support the
+ containment of the root user, not all attack channels are currently
+ protected by entry point checks. As such, MAC Framework policies should not
+ be relied on, in isolation, to protect against a malicious privileged
+ user.</p>
+</section>
+</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">January 16, 2026</td>
+ <td class="foot-os">FreeBSD 15.0</td>
+ </tr>
+</table>
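Review bot: the new path `static/freebsd/man4/mac.4 3.html` contains a space and a ` 3` suffix, which reads like an accidental duplicate copy (the browser/OS "name 3.ext" pattern) rather than the intended `mac.4.html`; please confirm whether the unsuffixed file already exists and either drop this one or rename it, since a space in a static path also complicates URL routing. Two smaller points in the body: every cross-reference is emitted as `<a class="Xr">mac_biba(4)</a>` with no `href`, so the policy table and the SEE ALSO list render as plain text instead of links to the sibling pages (if these pages come from mandoc, its `-O man=` HTML output option fills the targets in); and the empty `<p class="Pp"></p>` immediately before the `tunefs -l enable` block is a generator artefact that could be stripped in post-processing.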