path: root/static/freebsd/man4/mac_bsdextended.4 3.html
Diffstat (limited to 'static/freebsd/man4/mac_bsdextended.4 3.html')
-rw-r--r--static/freebsd/man4/mac_bsdextended.4 3.html111
1 files changed, 111 insertions, 0 deletions
diff --git a/static/freebsd/man4/mac_bsdextended.4 3.html b/static/freebsd/man4/mac_bsdextended.4 3.html
new file mode 100644
index 00000000..9a9a1b2c
--- /dev/null
+++ b/static/freebsd/man4/mac_bsdextended.4 3.html
@@ -0,0 +1,111 @@
+<table class="head">
+ <tr>
+ <td class="head-ltitle">MAC_BSDEXTENDED(4)</td>
+ <td class="head-vol">Device Drivers Manual</td>
+ <td class="head-rtitle">MAC_BSDEXTENDED(4)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<section class="Sh">
+<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
+<p class="Pp"><code class="Nm">mac_bsdextended</code> &#x2014;
+ <span class="Nd">file system firewall policy</span></p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<p class="Pp">To compile the file system firewall policy into your kernel, place
+ the following lines in your kernel configuration file:</p>
+<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code>
+<br/>
+<code class="Cd">options MAC_BSDEXTENDED</code></div>
+<p class="Pp">Alternately, to load the file system firewall policy module at
+ boot time, place the following line in your kernel configuration file:</p>
+<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code></div>
+<p class="Pp">and in <a class="Xr">loader.conf(5)</a>:</p>
+<div class="Bd Pp Bd-indent Li">
+<pre>mac_bsdextended_load=&quot;YES&quot;</pre>
+</div>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+<p class="Pp">The <code class="Nm">mac_bsdextended</code> security policy module
+ provides an interface for the system administrator to impose mandatory rules
+ regarding users and some system objects. Rules are uploaded to the module
+ (typically using <a class="Xr">ugidfw(8)</a>, or some other tool utilizing
+ <a class="Xr">libugidfw(3)</a>) where they are stored internally and used to
+ determine whether to allow or deny specific accesses (see
+ <a class="Xr">ugidfw(8)</a>).</p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="IMPLEMENTATION_NOTES"><a class="permalink" href="#IMPLEMENTATION_NOTES">IMPLEMENTATION
+ NOTES</a></h1>
+<p class="Pp">While the traditional <a class="Xr">mac(9)</a> entry points are
+ implemented, policy labels are not used; instead, access control decisions
+ are made by iterating through the internal list of rules until a rule which
+ denies the particular access is found, or the end of the list is reached.
+ The <code class="Nm">mac_bsdextended</code> policy works similar to
+ <a class="Xr">ipfw(8)</a> or by using a
+ <a class="permalink" href="#first"><i class="Em" id="first">first match
+ semantic</i></a>. This means that not all rules are applied, only the first
+ matched rule; thus if Rule A allows access and Rule B blocks access, Rule B
+ will never be applied.</p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="SYSCTL_VARIABLES"><a class="permalink" href="#SYSCTL_VARIABLES">SYSCTL
+ VARIABLES</a></h1>
+<p class="Pp">The following sysctls may be used to tweak the behavior of
+ <code class="Nm">mac_bsdextended</code>:</p>
+<dl class="Bl-tag">
+ <dt id="security.mac.bsdextended.enabled"><var class="Va">security.mac.bsdextended.enabled</var></dt>
+ <dd>Set to zero or one to toggle the policy off or on.</dd>
+ <dt id="security.mac.bsdextended.rule_count"><var class="Va">security.mac.bsdextended.rule_count</var></dt>
+ <dd>List the number of defined rules, the maximum rule count is current set at
+ 256.</dd>
+ <dt id="security.mac.bsdextended.rule_slots"><var class="Va">security.mac.bsdextended.rule_slots</var></dt>
+ <dd>List the number of rule slots currently being used.</dd>
+ <dt id="security.mac.bsdextended.firstmatch_enabled"><var class="Va">security.mac.bsdextended.firstmatch_enabled</var></dt>
+ <dd>Toggle between the old all rules match functionality and the new first
+ rule matches functionality. This is enabled by default.</dd>
+ <dt id="security.mac.bsdextended.logging"><var class="Va">security.mac.bsdextended.logging</var></dt>
+ <dd>Log all access violations via the <code class="Dv">AUTHPRIV</code>
+ <a class="Xr">syslog(3)</a> facility.</dd>
+ <dt id="security.mac.bsdextended.rules"><var class="Va">security.mac.bsdextended.rules</var></dt>
+ <dd>Currently does nothing interesting.</dd>
+</dl>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<p class="Pp"><a class="Xr">libugidfw(3)</a>, <a class="Xr">syslog(3)</a>,
+ <a class="Xr">mac(4)</a>, <a class="Xr">mac_biba(4)</a>,
+ <a class="Xr">mac_ddb(4)</a>, <a class="Xr">mac_ifoff(4)</a>,
+ <a class="Xr">mac_lomac(4)</a>, <a class="Xr">mac_mls(4)</a>,
+ <a class="Xr">mac_none(4)</a>, <a class="Xr">mac_partition(4)</a>,
+ <a class="Xr">mac_portacl(4)</a>, <a class="Xr">mac_seeotheruids(4)</a>,
+ <a class="Xr">mac_test(4)</a>, <a class="Xr">ipfw(8)</a>,
+ <a class="Xr">ugidfw(8)</a>, <a class="Xr">mac(9)</a></p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1>
+<p class="Pp">The <code class="Nm">mac_bsdextended</code> policy module first
+ appeared in <span class="Ux">FreeBSD 5.0</span> and was developed by the
+ TrustedBSD Project.</p>
+<p class="Pp">The &quot;match first case&quot; and logging capabilities were
+ later added by <span class="An">Tom Rhodes</span>
+ &lt;<a class="Mt" href="mailto:trhodes@FreeBSD.org">trhodes@FreeBSD.org</a>&gt;.</p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
+<p class="Pp">This software was contributed to the
+ <span class="Ux">FreeBSD</span> Project by NAI Labs, the Security Research
+ Division of Network Associates Inc. under DARPA/SPAWAR contract
+ N66001-01-C-8035 (&#x201C;CBOSS&#x201D;), as part of the DARPA CHATS
+ research program.</p>
+</section>
+</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">October 11, 2024</td>
+ <td class="foot-os">FreeBSD 15.0</td>
+ </tr>
+</table>
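Review bot: the path of the new file, `static/freebsd/man4/mac_bsdextended.4 3.html` (see the `+++ b/...` header and the Diffstat), contains a space and a ` 3` suffix, which looks like a duplicate-download artifact rather than an intended name; unless a second copy of this manual page is deliberate, it should be added as `static/freebsd/man4/mac_bsdextended.4.html` so the path needs no escaping in URLs and matches the other man4 pages. Separately, every cross-reference in the body is emitted as `<a class="Xr">ugidfw(8)</a>` or `<a class="Xr">mac(9)</a>` with no `href`, so the SEE ALSO list renders as dead links; either generate `href` values pointing at the sibling pages or render them as plain `<code>` text. If this page is edited locally rather than regenerated from upstream, two wording slips could be fixed in the same change: "works similar to" in IMPLEMENTATION NOTES should read "works similarly to", and "is current set at 256" under `rule_count` should read "is currently set at 256".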