<table class="head">
<tr>
<td class="head-ltitle">MAC(4)</td>
<td class="head-vol">Device Drivers Manual</td>
<td class="head-rtitle">MAC(4)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">mac</code> — <span class="Nd">Mandatory
Access Control</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp"><code class="Cd">options MAC</code></p>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<section class="Ss">
<h2 class="Ss" id="Introduction"><a class="permalink" href="#Introduction">Introduction</a></h2>
<p class="Pp">The Mandatory Access Control, or MAC, framework allows
administrators to finely control system security by providing for a loadable
security policy architecture. It is important to note that due to its
nature, MAC security policies may only restrict access relative to one
another and the base system policy; they cannot override traditional
<span class="Ux">UNIX</span> security provisions such as file permissions
and superuser checks.</p>
<p class="Pp">Currently, the following MAC policy modules are shipped with
<span class="Ux">FreeBSD</span>:</p>
<table class="Bl-column">
<tr id="Name">
<td><a class="permalink" href="#Name"><b class="Sy">Name</b></a></td>
<td><a class="permalink" href="#Description"><b class="Sy" id="Description">Description</b></a></td>
<td><a class="permalink" href="#Labeling"><b class="Sy" id="Labeling">Labeling</b></a></td>
<td><a class="permalink" href="#Load"><b class="Sy" id="Load">Load
time</b></a></td>
</tr>
<tr>
<td><a class="Xr">mac_biba(4)</a></td>
<td>Biba integrity policy</td>
<td>yes</td>
<td>boot only</td>
</tr>
<tr>
<td><a class="Xr">mac_bsdextended(4)</a></td>
<td>File system firewall</td>
<td>no</td>
<td>any time</td>
</tr>
<tr>
<td><a class="Xr">mac_ddb(4)</a></td>
<td>ddb(4) interface restrictions</td>
<td>no</td>
<td>any time</td>
</tr>
<tr>
<td><a class="Xr">mac_do(4)</a></td>
<td>Change command's uid/gid</td>
<td>no</td>
<td>any time</td>
</tr>
<tr>
<td><a class="Xr">mac_ifoff(4)</a></td>
<td>Interface silencing</td>
<td>no</td>
<td>any time</td>
</tr>
<tr>
<td><a class="Xr">mac_ipacl(4)</a></td>
<td>IP Address access control</td>
<td>no</td>
<td>any time</td>
</tr>
<tr>
<td><a class="Xr">mac_lomac(4)</a></td>
<td>Low-Watermark MAC policy</td>
<td>yes</td>
<td>boot only</td>
</tr>
<tr>
<td><a class="Xr">mac_mls(4)</a></td>
<td>Confidentiality policy</td>
<td>yes</td>
<td>boot only</td>
</tr>
<tr>
<td><a class="Xr">mac_ntpd(4)</a></td>
<td>Non-root NTP Daemon policy</td>
<td>no</td>
<td>any time</td>
</tr>
<tr>
<td><a class="Xr">mac_partition(4)</a></td>
<td>Process partition policy</td>
<td>yes</td>
<td>any time</td>
</tr>
<tr>
<td><a class="Xr">mac_portacl(4)</a></td>
<td>Port bind(2) access control</td>
<td>no</td>
<td>any time</td>
</tr>
<tr>
<td><a class="Xr">mac_priority(4)</a></td>
<td>Scheduling priority policy</td>
<td>no</td>
<td>any time</td>
</tr>
<tr>
<td><a class="Xr">mac_seeotheruids(4)</a></td>
<td>See-other-UIDs policy</td>
<td>no</td>
<td>any time</td>
</tr>
<tr>
<td><a class="Xr">mac_test(4)</a></td>
<td>MAC testing policy</td>
<td>no</td>
<td>any time</td>
</tr>
</table>
</section>
<section class="Ss">
<h2 class="Ss" id="MAC_Labels"><a class="permalink" href="#MAC_Labels">MAC
Labels</a></h2>
<p class="Pp">Each system subject (processes, sockets, etc.) and each system
object (file system objects, jails, sockets, etc.) can carry with it a MAC
label. MAC labels contain data in an arbitrary format taken into
consideration in making access control decisions for a given operation. Most
MAC labels on system subjects and objects can be modified directly or
indirectly by the system administrator. The format for a given policy's
label may vary depending on the type of object or subject being labeled.
More information on the format for MAC labels can be found in the
<a class="Xr">maclabel(7)</a> man page.</p>
</section>
<section class="Ss">
<h2 class="Ss" id="MAC_Support_for_UFS2_File_Systems"><a class="permalink" href="#MAC_Support_for_UFS2_File_Systems">MAC
Support for UFS2 File Systems</a></h2>
<p class="Pp">By default, file system enforcement of labeled MAC policies relies
on a single file system label (see <a class="Sx" href="#MAC_Labels">MAC
Labels</a>) in order to make access control decisions for all the files in a
particular file system. With some policies, this configuration may not allow
administrators to take full advantage of features. In order to enable
support for labeling files on an individual basis for a particular file
system, the “multilabel” flag must be enabled on the file
system. To set the “multilabel” flag, drop to single-user mode
and unmount the file system, then execute the following command:</p>
<p class="Pp"></p>
<div class="Bd Bd-indent"><code class="Li">tunefs -l enable
<var class="Ar">filesystem</var></code></div>
<p class="Pp">where <var class="Ar">filesystem</var> is either the mount point
(in <a class="Xr">fstab(5)</a>) or the special file (in
<span class="Pa">/dev</span>) corresponding to the file system on which to
enable multilabel support.</p>
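<p class="Pp">The procedure above, as an added shell example that is not part of the mac(4) page or of FreeBSD itself: a helper that reads the per-file-system flag summary printed by <a class="Xr">tunefs(8)</a> <code class="Li">-p</code> (assumed here to contain a line of the form <code class="Li">tunefs: MAC multilabel: (-l) enabled|disabled</code>), and a wrapper that refuses to run <code class="Li">tunefs -l enable</code> while the file system is still mounted, then verifies the flag before remounting. The sample <code class="Li">tunefs -p</code> output embedded in the script is constructed.</p>

```shell
#!/bin/sh
# Added example, not from the mac(4) manual page. Assumes tunefs -p prints
#   tunefs: MAC multilabel: (-l)   enabled|disabled
# as one of its summary lines; the SAMPLE_DISABLED text below is constructed.

# multilabel_state TEXT
# Parse tunefs -p output and print "enabled", "disabled" or "unknown".
multilabel_state() {
    printf '%s\n' "$1" | awk '
        /MAC multilabel:/ { print $NF; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Constructed sample of tunefs -p output for a file system that does not yet
# carry per-file MAC labels.
SAMPLE_DISABLED='tunefs: POSIX.1e ACLs: (-a)                                disabled
tunefs: NFSv4 ACLs: (-N)                                   disabled
tunefs: MAC multilabel: (-l)                               disabled
tunefs: soft updates: (-n)                                 enabled'

# enable_multilabel SPECIAL MOUNTPOINT
# Implements the page's procedure: the file system must already be unmounted
# (drop to single-user mode first), then tunefs -l enable is applied to the
# special file, the flag is re-read as a check, and the file system is
# mounted again from its fstab(5) entry.
enable_multilabel() {
    special=$1
    mntpt=$2
    if mount | grep -q " on $mntpt "; then
        echo "$mntpt is still mounted; unmount it in single-user mode first" >&2
        return 1
    fi
    tunefs -l enable "$special" || return 1
    state=$(multilabel_state "$(tunefs -p "$special" 2>&1)")
    if [ "$state" != enabled ]; then
        echo "multilabel flag not confirmed on $special (state: $state)" >&2
        return 1
    fi
    mount "$mntpt"
}

# Usage, as root after "umount /var" in single-user mode (device name is a
# placeholder):
#   enable_multilabel /dev/ada0p2 /var
```

<p class="Pp">The check on the mount table matters because <code class="Li">tunefs</code> refuses to change a mounted file system's superblock flags; running the wrapper on a mounted target fails early with a clear message rather than half-way through the procedure.</p>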
</section>
<section class="Ss">
<h2 class="Ss" id="Policy_Enforcement"><a class="permalink" href="#Policy_Enforcement">Policy
Enforcement</a></h2>
<p class="Pp">Policy enforcement is divided into the following areas of the
system:</p>
<dl class="Bl-ohang">
<dt id="File"><a class="permalink" href="#File"><b class="Sy">File
System</b></a></dt>
<dd>File system mounts, modifying directories, modifying files, etc.</dd>
<dt id="Jails"><a class="permalink" href="#Jails"><b class="Sy">Jails</b></a></dt>
<dd>Creating, modifying, removing, and attaching to jails</dd>
<dt id="KLD"><a class="permalink" href="#KLD"><b class="Sy">KLD</b></a></dt>
<dd>Loading, unloading, and retrieving statistics on loaded kernel
modules</dd>
<dt id="Network"><a class="permalink" href="#Network"><b class="Sy">Network</b></a></dt>
<dd>Network interfaces, <a class="Xr">bpf(4)</a>, packet delivery and
transmission, interface configuration (<a class="Xr">ioctl(2)</a>,
<a class="Xr">ifconfig(8)</a>)</dd>
<dt id="Pipes"><a class="permalink" href="#Pipes"><b class="Sy">Pipes</b></a></dt>
<dd>Creation of and operation on <a class="Xr">pipe(2)</a> objects</dd>
<dt id="Processes"><a class="permalink" href="#Processes"><b class="Sy">Processes</b></a></dt>
<dd>Debugging (e.g. <a class="Xr">ktrace(2)</a>), process visibility
(<a class="Xr">ps(1)</a>), process execution
(<a class="Xr">execve(2)</a>), signalling (<a class="Xr">kill(2)</a>)</dd>
<dt id="Sockets"><a class="permalink" href="#Sockets"><b class="Sy">Sockets</b></a></dt>
<dd>Creation of and operation on <a class="Xr">socket(2)</a> objects</dd>
<dt id="System"><a class="permalink" href="#System"><b class="Sy">System</b></a></dt>
<dd>Kernel environment (<a class="Xr">kenv(1)</a>), system accounting
(<a class="Xr">acct(2)</a>), <a class="Xr">reboot(2)</a>,
<a class="Xr">settimeofday(2)</a>, <a class="Xr">swapon(2)</a>,
<a class="Xr">sysctl(3)</a>, <a class="Xr">nfsd(8)</a>-related
operations</dd>
<dt id="VM"><a class="permalink" href="#VM"><b class="Sy">VM</b></a></dt>
<dd><a class="Xr">mmap(2)</a>-ed files</dd>
</dl>
</section>
<section class="Ss">
<h2 class="Ss" id="Setting_MAC_Labels"><a class="permalink" href="#Setting_MAC_Labels">Setting
MAC Labels</a></h2>
<p class="Pp">From the command line, each type of system object has its own
means for setting and modifying its MAC policy label.</p>
<table class="Bl-column Bd-indent">
<tr id="Subject/Object">
<td><a class="permalink" href="#Subject/Object"><b class="Sy">Subject/Object</b></a></td>
<td><a class="permalink" href="#Utility"><b class="Sy" id="Utility">Utility</b></a></td>
</tr>
<tr>
<td>File system object</td>
<td><a class="Xr">setfmac(8)</a>, <a class="Xr">setfsmac(8)</a></td>
</tr>
<tr>
<td>Jail</td>
<td><a class="Xr">jail(8)</a></td>
</tr>
<tr>
<td>Network interface</td>
<td><a class="Xr">ifconfig(8)</a></td>
</tr>
<tr>
<td>TTY (by login class)</td>
<td><a class="Xr">login.conf(5)</a></td>
</tr>
<tr>
<td>User (by login class)</td>
<td><a class="Xr">login.conf(5)</a></td>
</tr>
</table>
<p class="Pp">Additionally, the <a class="Xr">su(1)</a> and
<a class="Xr">setpmac(8)</a> utilities can be used to run a command with a
different process label than the shell's current label.</p>
</section>
<section class="Ss">
<h2 class="Ss" id="Programming_With_MAC"><a class="permalink" href="#Programming_With_MAC">Programming
With MAC</a></h2>
<p class="Pp">MAC security enforcement itself is transparent to application
programs, with the exception that some programs may need to be aware of
additional <a class="Xr">errno(2)</a> returns from various system calls.</p>
<p class="Pp">The interface for retrieving, handling, and setting policy labels
is documented in the <a class="Xr">mac(3)</a> man page.</p>
</section>
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<p class="Pp"><a class="Xr">mac(3)</a>, <a class="Xr">mac_biba(4)</a>,
<a class="Xr">mac_bsdextended(4)</a>, <a class="Xr">mac_ddb(4)</a>,
<a class="Xr">mac_do(4)</a>, <a class="Xr">mac_ifoff(4)</a>,
<a class="Xr">mac_ipacl(4)</a>, <a class="Xr">mac_lomac(4)</a>,
<a class="Xr">mac_mls(4)</a>, <a class="Xr">mac_none(4)</a>,
<a class="Xr">mac_ntpd(4)</a>, <a class="Xr">mac_partition(4)</a>,
<a class="Xr">mac_portacl(4)</a>, <a class="Xr">mac_priority(4)</a>,
<a class="Xr">mac_seeotheruids(4)</a>, <a class="Xr">mac_stub(4)</a>,
<a class="Xr">mac_test(4)</a>, <a class="Xr">login.conf(5)</a>,
<a class="Xr">maclabel(7)</a>, <a class="Xr">jail(8)</a>,
<a class="Xr">getfmac(8)</a>, <a class="Xr">getpmac(8)</a>,
<a class="Xr">setfmac(8)</a>, <a class="Xr">setpmac(8)</a>,
<a class="Xr">mac(9)</a></p>
<p class="Pp"><cite class="Rs"><span class="RsT">Mandatory Access
Control</span>, <i class="RsB">The FreeBSD Handbook</i>,
<a class="RsU" href="https://docs.FreeBSD.org/en/books/handbook/mac/">https://docs.FreeBSD.org/en/books/handbook/mac/</a>.</cite></p>
</section>
<section class="Sh">
<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1>
<p class="Pp">The <code class="Nm">mac</code> implementation first appeared in
<span class="Ux">FreeBSD 5.0</span> and was developed by the TrustedBSD
Project.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
<p class="Pp">This software was contributed to the
<span class="Ux">FreeBSD</span> Project by Network Associates Labs, the
Security Research Division of Network Associates Inc. under DARPA/SPAWAR
contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA
CHATS research program.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1>
<p class="Pp">While the MAC Framework design is intended to support the
containment of the root user, not all attack channels are currently
protected by entry point checks. As such, MAC Framework policies should not
be relied on, in isolation, to protect against a malicious privileged
user.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">January 16, 2026</td>
<td class="foot-os">FreeBSD 15.0</td>
</tr>
</table>