<table class="head">
  <tr>
    <td class="head-ltitle">MAC_LOMAC(4)</td>
    <td class="head-vol">Device Drivers Manual</td>
    <td class="head-rtitle">MAC_LOMAC(4)</td>
  </tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">mac_lomac</code> &#x2014;
    <span class="Nd">Low-watermark Mandatory Access Control data integrity
    policy</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp">To compile LOMAC into your kernel, place the following lines in
    your kernel configuration file:</p>
<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code>
<br/>
<code class="Cd">options MAC_LOMAC</code></div>
<p class="Pp">Alternately, to load the LOMAC module at boot time, place the
    following line in your kernel configuration file:</p>
<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code></div>
<p class="Pp">and in <a class="Xr">loader.conf(5)</a>:</p>
<div class="Bd Pp Bd-indent Li">
<pre>mac_lomac_load=&quot;YES&quot;</pre>
</div>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">The <code class="Nm">mac_lomac</code> policy module implements the
    LOMAC integrity model, which protects the integrity of system objects and
    subjects by means of an information flow policy coupled with subject
    demotion via floating labels. In LOMAC, all system subjects and objects are
    assigned integrity labels, made up of one or more hierarchical grades,
    depending on their types. Together, these label elements permit all labels
    to be placed in a partial order, with information flow protections and
    demotion decisions based on a dominance operator describing the order. The
    hierarchical grade field or fields are expressed as a value between 0 and
    65535, with higher values reflecting higher integrity.</p>
<p class="Pp">Three special label component values exist:</p>
<table class="Bl-column Bd-indent">
  <tr id="Label">
    <td><a class="permalink" href="#Label"><b class="Sy">Label</b></a></td>
    <td><a class="permalink" href="#Comparison"><b class="Sy" id="Comparison">Comparison</b></a></td>
  </tr>
  <tr id="low">
    <td><a class="permalink" href="#low"><code class="Li">low</code></a></td>
    <td>dominated by all other labels</td>
  </tr>
  <tr id="equal">
    <td><a class="permalink" href="#equal"><code class="Li">equal</code></a></td>
    <td>equal to all other labels</td>
  </tr>
  <tr id="high">
    <td><a class="permalink" href="#high"><code class="Li">high</code></a></td>
    <td>dominates all other labels</td>
  </tr>
</table>
<p class="Pp">The &#x201C;<code class="Li">high</code>&#x201D; label is assigned
    to system objects which affect the integrity of the system as a whole. The
    &#x201C;<code class="Li">equal</code>&#x201D; label may be used to indicate
    that a particular subject or object is exempt from the LOMAC protections.
    For example, a label of
    &#x201C;<code class="Li">lomac/equal(equal-equal)</code>&#x201D; might be
    used on a subject which is to be used to administratively relabel anything
    on the system.</p>
<p class="Pp">Almost all system objects are tagged with a single, active label
    element, reflecting the integrity of the object, or the integrity of the
    data contained in the object. File system objects may carry an additional
    auxiliary label which determines the inherited integrity level for new files
    created in a directory, or the alternate label assumed by a subject upon
    execution of an executable. In general, object labels are represented in
    the following form:</p>
<p class="Pp"></p>
<div class="Bd
  Bd-indent"><code class="Li">lomac/</code><var class="Ar">grade</var>[<var class="Ar">auxgrade</var>]</div>
<p class="Pp">For example:</p>
<div class="Bd Pp Bd-indent Li">
<pre>lomac/10[2]
lomac/low</pre>
</div>
<p class="Pp">Subject labels consist of three label elements: a single (active)
    label, as well as a range of available labels. This range is represented
    using two ordered LOMAC label elements, and when set on a process, permits
    the process to change its active label to any label of greater or equal
    integrity to the low end of the range, and lesser or equal integrity to the
    high end of the range. In general, subject labels are represented in the
    following form:</p>
<p class="Pp"></p>
<div class="Bd Bd-indent"><code class="Li">lomac/</code><var class="Ar">singlegrade</var>(<var class="Ar">lograde</var><span class="No">-</span><var class="Ar">higrade</var>)</div>
<p class="Pp">Modification of objects is restricted to access via the following
    comparison:</p>
<p class="Pp"></p>
<div class="Bd
  Bd-indent"><var class="Ar">subject</var>::<var class="Ar">higrade</var>
  <span class="No">&#x2265;</span>
  <var class="Ar">target-object</var>::<var class="Ar">grade</var></div>
<p class="Pp">Modification of subjects uses the same comparison, with the target
    subject's single grade as the only element taken into the comparison.</p>
<p class="Pp">Demotion of a subject occurs when the following comparison is
    true:</p>
<p class="Pp"></p>
<div class="Bd
  Bd-indent"><var class="Ar">subject</var>::<var class="Ar">singlegrade</var>
  <span class="No">&gt;</span>
  <var class="Ar">object</var>::<var class="Ar">grade</var></div>
<p class="Pp">When demotion occurs, the subject's
    <var class="Ar">singlegrade</var> and <var class="Ar">higrade</var> are
    reduced to the object's grade, as is the <var class="Ar">lograde</var>
    if necessary. In addition to the subject's permissions being reduced,
    shared <a class="Xr">mmap(2)</a> objects which it has mapped into its
    memory space may be revoked according to the following
    <a class="Xr">sysctl(3)</a> variables:</p>
<p class="Pp"></p>
<ul class="Bl-bullet Bl-compact">
  <li id="security.mac.lomac.revocation_enabled"><var class="Va">security.mac.lomac.revocation_enabled</var></li>
  <li id="security.mac.enforce_vm"><var class="Va">security.mac.enforce_vm</var></li>
  <li id="security.mac.mmap_revocation"><var class="Va">security.mac.mmap_revocation</var></li>
  <li id="security.mac.mmap_revocation_via_cow"><var class="Va">security.mac.mmap_revocation_via_cow</var></li>
</ul>
<p class="Pp">Upon execution of a file, if the executable has an auxiliary
    label, and that label is within the current range of
    <var class="Ar">lograde</var>-<var class="Ar">higrade</var>, it will be
    assumed by the subject immediately. After this, demotion is performed just
    as with any other read operation, with the executable as the target. Through
    the use of auxiliary labels, programs may be initially executed at a lower
    effective integrity level, while retaining the ability to raise it
  again.</p>
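<p class="Pp">As an added worked example (not part of this manual page or of the
    FreeBSD sources), the following Python models the label grammar and the
    dominance, modification, demotion and execution rules described above. The
    sentinel values for <code class="Li">low</code>,
    <code class="Li">equal</code> and <code class="Li">high</code> and the
    sample labels are constructed for illustration.</p>

```python
# Added example, not FreeBSD code: models the LOMAC label grammar and rules above.
import re
LOW, HIGH, EQUAL = -1, 65536, None   # sentinels: below/above every grade; equal matches all
SPECIAL = {"low": LOW, "high": HIGH, "equal": EQUAL}

def parse_grade(text):
    """One label element: 'low', 'equal', 'high' or a grade 0..65535."""
    if text in SPECIAL:
        return SPECIAL[text]
    grade = int(text)
    if not 0 <= grade <= 65535:
        raise ValueError("grade out of range: %r" % text)
    return grade

def dominates(a, b):
    """a dominates b (a >= b in the partial order); 'equal' matches everything."""
    return a is EQUAL or b is EQUAL or a >= b

def parse_object(label):
    """'lomac/grade[auxgrade]' -> (grade, auxgrade or None)."""
    m = re.fullmatch(r"lomac/(\w+)(?:\[(\w+)\])?", label)
    if m is None:
        raise ValueError("bad object label: %r" % label)
    return parse_grade(m.group(1)), (parse_grade(m.group(2)) if m.group(2) else None)

def parse_subject(label):
    """'lomac/singlegrade(lograde-higrade)' -> (single, lo, hi)."""
    m = re.fullmatch(r"lomac/(\w+)\((\w+)-(\w+)\)", label)
    if m is None:
        raise ValueError("bad subject label: %r" % label)
    return tuple(parse_grade(g) for g in m.groups())

def may_modify(subject, target_grade):
    """subject::higrade >= target::grade (for a target subject pass its single grade)."""
    return dominates(subject[2], target_grade)

def demote_on_read(subject, obj_grade):
    """singlegrade > object grade: single and hi float down to it, lo too if higher."""
    single, lo, hi = subject
    if single is EQUAL or obj_grade is EQUAL or single <= obj_grade:
        return subject
    lo = lo if lo is EQUAL or lo <= obj_grade else obj_grade
    return (obj_grade, lo, obj_grade)

def execute(subject, exe_label):
    """exec(): adopt the auxiliary grade if within lo..hi, then read-demote on the file."""
    grade, aux = parse_object(exe_label)
    single, lo, hi = subject
    if aux is not None and dominates(aux, lo) and dominates(hi, aux):
        single = aux
    return demote_on_read((single, lo, hi), grade)
```

Running <code class="Li">execute(parse_subject("lomac/10(5-10)"), "lomac/10[7]")</code> yields <code class="Li">(7, 5, 10)</code>: the process starts at grade 7 but keeps a range reaching 10, which is the behaviour the auxiliary label is meant to provide.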
<p class="Pp">These rules prevent subjects of lower integrity from influencing
    the behavior of higher integrity subjects by preventing the flow of
    information, and hence control, from allowing low integrity subjects to
    modify either a high integrity object or high integrity subjects acting on
    those objects. LOMAC integrity policies may be appropriate in a number of
    environments, both from the perspective of preventing corruption of the
    operating system, and corruption of user data if marked as higher integrity
    than the attacker.</p>
<p class="Pp">The LOMAC security model is quite similar to that of
    <a class="Xr">mac_biba(4)</a> and <a class="Xr">mac_mls(4)</a> in various
    ways. More background information on this can be found in their respective
    man pages.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
  ALSO</a></h1>
<p class="Pp"><a class="Xr">mmap(2)</a>, <a class="Xr">sysctl(3)</a>,
    <a class="Xr">mac(4)</a>, <a class="Xr">mac_biba(4)</a>,
    <a class="Xr">mac_bsdextended(4)</a>, <a class="Xr">mac_ddb(4)</a>,
    <a class="Xr">mac_ifoff(4)</a>, <a class="Xr">mac_mls(4)</a>,
    <a class="Xr">mac_none(4)</a>, <a class="Xr">mac_partition(4)</a>,
    <a class="Xr">mac_portacl(4)</a>, <a class="Xr">mac_seeotheruids(4)</a>,
    <a class="Xr">mac_test(4)</a>, <a class="Xr">mac(9)</a></p>
</section>
<section class="Sh">
<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1>
<p class="Pp">The <code class="Nm">mac_lomac</code> policy module first appeared
    in <span class="Ux">FreeBSD 5.0</span> and was developed by the TrustedBSD
    Project.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
<p class="Pp">This software was contributed to the
    <span class="Ux">FreeBSD</span> Project by Network Associates Labs, the
    Security Research Division of Network Associates Inc. under DARPA/SPAWAR
    contract N66001-01-C-8035 (&#x201C;CBOSS&#x201D;), as part of the DARPA
    CHATS research program.</p>
</section>
</div>
<table class="foot">
  <tr>
    <td class="foot-date">February 25, 2012</td>
    <td class="foot-os">FreeBSD 15.0</td>
  </tr>
</table>