Diffstat (limited to 'static/freebsd/man4/mac_mls.4 3.html')
| -rw-r--r-- | static/freebsd/man4/mac_mls.4 3.html | 212 |
1 files changed, 212 insertions, 0 deletions
diff --git a/static/freebsd/man4/mac_mls.4 3.html b/static/freebsd/man4/mac_mls.4 3.html new file mode 100644 index 00000000..490713e0 --- /dev/null +++ b/static/freebsd/man4/mac_mls.4 3.html 
@@ -0,0 +1,212 @@ +<table class="head"> + <tr> + <td class="head-ltitle">MAC_MLS(4)</td> + <td class="head-vol">Device Drivers Manual</td> + <td class="head-rtitle">MAC_MLS(4)</td> + </tr> +</table> +<div class="manual-text"> +<section class="Sh"> +<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> +<p class="Pp"><code class="Nm">mac_mls</code> — + <span class="Nd">Multi-Level Security confidentiality policy</span></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1> +<p class="Pp">To compile MLS into your kernel, place the following lines in your + kernel configuration file:</p> +<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code> +<br/> +<code class="Cd">options MAC_MLS</code></div> +<p class="Pp">Alternately, to load the MLS module at boot time, place the + following line in your kernel configuration file:</p> +<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code></div> +<p class="Pp">and in <a class="Xr">loader.conf(5)</a>:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>mac_mls_load="YES"</pre> +</div> +</section> +<section class="Sh"> +<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> +<p class="Pp">The <code class="Nm">mac_mls</code> policy module implements the + Multi-Level Security, or MLS model, which controls access between subjects + and objects based on their confidentiality by means of a strict information + flow policy. Each subject and object in the system has an MLS label + associated with it; each subject's MLS label contains information on its + clearance level, and each object's MLS label contains information on its + classification.</p> +<p class="Pp">In MLS, all system subjects and objects are assigned + confidentiality labels, made up of a sensitivity level and zero or more + compartments. 
Together, these label elements permit all labels to be placed + in a partial order, with confidentiality protections based on a dominance + operator describing the order. The sensitivity level is expressed as a value + between 0 and 65535, with higher values reflecting higher sensitivity + levels. The compartment field is expressed as a set of up to 256 components, + numbered from 1 to 256. A complete label consists of both sensitivity and + compartment elements.</p> +<p class="Pp">With normal labels, dominance is defined as a label having a + higher or equal active sensitivity level, and having at least all of the + same compartments as the label to which it is being compared. With respect + to label comparisons, “<code class="Li">lower</code>” is + defined as being dominated by the label to which it is being compared, and + “<code class="Li">higher</code>” is defined as dominating the + label to which it is being compared, and + “<code class="Li">equal</code>” is defined as both labels + being able to satisfy the dominance requirements over one another.</p> +<p class="Pp">Three special label values exist:</p> +<table class="Bl-column Bd-indent"> + <tr id="Label"> + <td><a class="permalink" href="#Label"><b class="Sy">Label</b></a></td> + <td><a class="permalink" href="#Comparison"><b class="Sy" id="Comparison">Comparison</b></a></td> + </tr> + <tr id="mls/low"> + <td><a class="permalink" href="#mls/low"><code class="Li">mls/low</code></a></td> + <td>dominated by all other labels</td> + </tr> + <tr id="mls/equal"> + <td><a class="permalink" href="#mls/equal"><code class="Li">mls/equal</code></a></td> + <td>equal to all other labels</td> + </tr> + <tr id="mls/high"> + <td><a class="permalink" href="#mls/high"><code class="Li">mls/high</code></a></td> + <td>dominates all other labels</td> + </tr> +</table> +<p class="Pp">The “<code class="Li">mls/equal</code>” label may be + applied to subjects and objects for which no enforcement of the MLS security + policy is 
desired.</p> +<p class="Pp">The MLS model enforces the following basic restrictions:</p> +<ul class="Bl-bullet"> + <li>Subjects may not observe the processes of another subject if its clearance + level is lower than the clearance level of the object it is attempting to + observe.</li> + <li>Subjects may not read, write, or otherwise observe objects without proper + clearance (e.g. subjects may not observe objects whose classification + label dominates its own clearance label)</li> + <li>Subjects may not write to objects with a lower classification level than + its own clearance level.</li> + <li>A subject may read and write to an object if its clearance level is equal + to the object's classification level as though MLS protections were not in + place.</li> +</ul> +<p class="Pp">These rules prevent subjects of lower clearance from gaining + access information classified beyond its clearance level in order to protect + the confidentiality of classified information, subjects of higher clearance + from writing to objects of lower classification in order to prevent the + accidental or malicious leaking of information, and subjects of lower + clearance from observing subjects of higher clearance altogether. In + traditional trusted operating systems, the MLS confidentiality model is used + in concert with the Biba integrity model (<a class="Xr">mac_biba(4)</a>) in + order to protect the Trusted Code Base (TCB).</p> +<section class="Ss"> +<h2 class="Ss" id="Label_Format"><a class="permalink" href="#Label_Format">Label + Format</a></h2> +<p class="Pp">Almost all system objects are tagged with an effective, active + label element, reflecting the classification of the object, or + classification of the data contained in the object. 
In general, object + labels are represented in the following form:</p> +<p class="Pp"></p> +<div class="Bd + Bd-indent"><code class="Li">mls/</code><var class="Ar">grade</var>:<var class="Ar">compartments</var></div> +<p class="Pp">For example:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>mls/10:2+3+6 +mls/low</pre> +</div> +<p class="Pp">Subject labels consist of three label elements: an effective + (active) label, as well as a range of available labels. This range is + represented using two ordered MLS label elements, and when set on a process, + permits the process to change its active label to any label of greater or + equal integrity to the low end of the range, and lesser or equal integrity + to the high end of the range. In general, subject labels are represented in + the following form:</p> +<p class="Pp"></p> +<div class="Bd + Bd-indent"><code class="Li">mls/</code><var class="Ar">effectivegrade</var>:<var class="Ar">effectivecompartments</var>(<var class="Ar">lograde</var>:<var class="Ar">locompartments</var><span class="No">-</span></div> +<div class="Bd + Bd-indent"><var class="Ar">higrade</var>:<var class="Ar">hicompartments</var></div> +) +<p class="Pp">For example:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>mls/10:2+3+6(5:2+3-20:2+3+4+5+6) +mls/high(low-high)</pre> +</div> +<p class="Pp">Valid ranged labels must meet the following requirement regarding + their elements:</p> +<p class="Pp"></p> +<div class="Bd Bd-indent"><var class="Ar">rangehigh</var> + <span class="No">≥</span> <var class="Ar">effective</var> + <span class="No">≥</span> <var class="Ar">rangelow</var></div> +<p class="Pp">One class of objects with ranges currently exists, the network + interface. 
In the case of the network interface, the effective label element + references the default label for packets received over the interface, and + the range represents the range of acceptable labels of packets to be + transmitted over the interface.</p> +</section> +<section class="Ss"> +<h2 class="Ss" id="Runtime_Configuration"><a class="permalink" href="#Runtime_Configuration">Runtime + Configuration</a></h2> +<p class="Pp">The following <a class="Xr">sysctl(8)</a> MIBs are available for + fine-tuning the enforcement of this MAC policy.</p> +<dl class="Bl-tag"> + <dt id="security.mac.mls.enabled"><var class="Va">security.mac.mls.enabled</var></dt> + <dd>Enables the enforcement of the MLS confidentiality policy. (Default: + 1).</dd> + <dt id="security.mac.mls.ptys_equal"><var class="Va">security.mac.mls.ptys_equal</var></dt> + <dd>Label <a class="Xr">pty(4)</a>s as + “<code class="Li">mls/equal</code>” upon creation. (Default: + 0).</dd> + <dt id="security.mac.mls.revocation_enabled"><var class="Va">security.mac.mls.revocation_enabled</var></dt> + <dd>Revoke access to objects if the label is changed to a more sensitive level + than the subject. (Default: 0).</dd> +</dl> +</section> +</section> +<section class="Sh"> +<h1 class="Sh" id="IMPLEMENTATION_NOTES"><a class="permalink" href="#IMPLEMENTATION_NOTES">IMPLEMENTATION + NOTES</a></h1> +<p class="Pp">Currently, the <code class="Nm">mac_mls</code> policy relies on + superuser status (<a class="Xr">suser(9)</a>) in order to change network + interface MLS labels. 
This will eventually go away, but it is currently a + liability and may allow the superuser to bypass MLS protections.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE + ALSO</a></h1> +<p class="Pp"><a class="Xr">mac(4)</a>, <a class="Xr">mac_biba(4)</a>, + <a class="Xr">mac_bsdextended(4)</a>, <a class="Xr">mac_ddb(4)</a>, + <a class="Xr">mac_ifoff(4)</a>, <a class="Xr">mac_lomac(4)</a>, + <a class="Xr">mac_none(4)</a>, <a class="Xr">mac_partition(4)</a>, + <a class="Xr">mac_portacl(4)</a>, <a class="Xr">mac_seeotheruids(4)</a>, + <a class="Xr">mac_test(4)</a>, <a class="Xr">maclabel(7)</a>, + <a class="Xr">mac(9)</a></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1> +<p class="Pp">The <code class="Nm">mac_mls</code> policy module first appeared + in <span class="Ux">FreeBSD 5.0</span> and was developed by the TrustedBSD + Project.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1> +<p class="Pp">This software was contributed to the + <span class="Ux">FreeBSD</span> Project by Network Associates Laboratories, + the Security Research Division of Network Associates Inc. under DARPA/SPAWAR + contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA + CHATS research program.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1> +<p class="Pp">While the MAC Framework design is intended to support the + containment of the root user, not all attack channels are currently + protected by entry point checks. As such, MAC Framework policies should not + be relied on, in isolation, to protect against a malicious privileged + user.</p> +</section> +</div> +<table class="foot"> + <tr> + <td class="foot-date">July 25, 2015</td> + <td class="foot-os">FreeBSD 15.0</td> + </tr> +</table> |
