<table class="head">
<tr>
<td class="head-ltitle">MAC_STUB(4)</td>
<td class="head-vol">Device Drivers Manual</td>
<td class="head-rtitle">MAC_STUB(4)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">mac_stub</code> — <span class="Nd">MAC
policy stub module</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp">To compile the stub policy into your kernel, place the following
lines in your kernel configuration file:</p>
<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code>
<br/>
<code class="Cd">options MAC_STUB</code></div>
<p class="Pp">Alternatively, to load the stub module at boot time, place the
following line in your kernel configuration file:</p>
<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code></div>
<p class="Pp">and in <a class="Xr">loader.conf(5)</a>:</p>
<div class="Bd Pp Bd-indent Li">
<pre>mac_stub_load="YES"</pre>
</div>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">The <code class="Nm">mac_stub</code> policy module implements a
stub MAC policy that has no effect on access control in the system. Unlike
<a class="Xr">mac_none(4)</a>, each MAC entry point is defined as a
“no-op”, so the policy module will be entered for each event,
but no change in system behavior should result.</p>
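<p class="Pp">The difference between a policy whose entry points are defined as no-ops and one with no entry points defined, shown as an added userspace model. It is not FreeBSD kernel code and not part of the original manual page; the <code>struct policy</code> layout, the function names, the single <code>check_open</code> entry point and the "first error wins" composition are simplifying assumptions.</p>

```c
/* Userspace model, constructed for illustration; not FreeBSD kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct policy {                     /* hypothetical, reduced policy record */
    const char *name;
    int (*check_open)(int uid, const char *path); /* NULL: entry point not defined */
    unsigned long entered;          /* times the framework called into the policy */
};

/* Stub-like entry point: defined, does nothing, returns success. */
static int stub_check_open(int uid, const char *path) {
    (void)uid; (void)path;
    return 0;
}

/* Restrictive policy for contrast (hypothetical rule): only uid 0 may open. */
static int strict_check_open(int uid, const char *path) {
    (void)path;
    return uid == 0 ? 0 : EACCES;
}

struct policy stub_like   = { "stub_like",   stub_check_open,   0 };
struct policy none_like   = { "none_like",   NULL,              0 };
struct policy strict_like = { "strict_like", strict_check_open, 0 };

/* Framework model: enter every defined entry point; the first non-zero
 * error is the result (simplified composition, an assumption here). */
int framework_check_open(struct policy **p, size_t n, int uid, const char *path) {
    int error = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i]->check_open == NULL)
            continue;               /* nothing to enter for this policy */
        p[i]->entered++;
        int e = p[i]->check_open(uid, path);
        if (e != 0 && error == 0)
            error = e;
    }
    return error;
}

int main(void) {
    struct policy *with_stub[] = { &stub_like, &strict_like };
    struct policy *without[]   = { &none_like, &strict_like };
    int a = framework_check_open(with_stub, 2, 1001, "/etc/motd");
    int b = framework_check_open(without, 2, 1001, "/etc/motd");
    printf("with stub: %d, without: %d, stub entered: %lu\n", a, b, stub_like.entered);
    return 0;
}
```

The decision is the same with or without the stub-like policy; only its entry counter changes.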
<section class="Ss">
<h2 class="Ss" id="Label_Format"><a class="permalink" href="#Label_Format">Label
Format</a></h2>
<p class="Pp">No labels are defined for <code class="Nm">mac_stub</code>.</p>
</section>
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<p class="Pp"><a class="Xr">mac(4)</a>, <a class="Xr">mac_biba(4)</a>,
<a class="Xr">mac_bsdextended(4)</a>, <a class="Xr">mac_ddb(4)</a>,
<a class="Xr">mac_ifoff(4)</a>, <a class="Xr">mac_lomac(4)</a>,
<a class="Xr">mac_mls(4)</a>, <a class="Xr">mac_none(4)</a>,
<a class="Xr">mac_partition(4)</a>, <a class="Xr">mac_portacl(4)</a>,
<a class="Xr">mac_seeotheruids(4)</a>, <a class="Xr">mac_test(4)</a>,
<a class="Xr">mac(9)</a></p>
</section>
<section class="Sh">
<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1>
<p class="Pp">The <code class="Nm">mac_stub</code> policy module first appeared
in <span class="Ux">FreeBSD 5.1</span> and was developed by the TrustedBSD
Project.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
<p class="Pp">This software was contributed to the
<span class="Ux">FreeBSD</span> Project by Network Associates Labs, the
Security Research Division of Network Associates Inc. under DARPA/SPAWAR
contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA
CHATS research program.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1>
<p class="Pp">While the MAC Framework design is intended to support the
containment of the root user, not all attack channels are currently
protected by entry point checks. As such, MAC Framework policies should not
be relied on, in isolation, to protect against a malicious privileged
user.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">July 25, 2015</td>
<td class="foot-os">FreeBSD 15.0</td>
</tr>
</table>