1 .\" Copyright (c) 2002 Networks Associates Technology, Inc.
2 .\" All rights reserved.
4 .\" This software was developed for the FreeBSD Project by Chris Costello
5 .\" at Safeport Network Services and Network Associates Laboratories, the
6 .\" Security Research Division of Network Associates, Inc. under
7 .\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8 .\" DARPA CHATS research program.
10 .\" Redistribution and use in source and binary forms, with or without
11 .\" modification, are permitted provided that the following conditions
13 .\" 1. Redistributions of source code must retain the above copyright
14 .\" notice, this list of conditions and the following disclaimer.
15 .\" 2. Redistributions in binary form must reproduce the above copyright
16 .\" notice, this list of conditions and the following disclaimer in the
17 .\" documentation and/or other materials provided with the distribution.
19 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 .Nd "file system firewall policy"
40 To compile the file system firewall policy into your kernel,
41 place the following lines in your kernel configuration file:
42 .Bd -ragged -offset indent
44 .Cd "options MAC_BSDEXTENDED"
47 Alternately, to load the file system firewall policy module at boot time,
48 place the following line in your kernel configuration file:
49 .Bd -ragged -offset indent
55 .Bd -literal -offset indent
56 mac_bsdextended_load="YES"
61 security policy module provides an interface for the system administrator
62 to impose mandatory rules regarding users and some system objects.
63 Rules are uploaded to the module
66 or some other tool utilizing
68 where they are stored internally
69 and used to determine whether to allow or deny specific accesses
72 .Sh IMPLEMENTATION NOTES
75 entry points are implemented,
76 policy labels are not used;
77 instead, access control decisions are made by iterating through the internal
78 list of rules until a rule
79 which denies the particular access
81 or the end of the list is reached.
84 policy works similar to
87 .Em first match semantic .
88 This means that not all rules are applied,
89 only the first matched rule; thus if
90 Rule A allows access and Rule B blocks
91 access, Rule B will never be applied.
94 The following sysctls may be used to tweak the behavior of
96 .Bl -tag -width indent
97 .It Va security.mac.bsdextended.enabled
98 Set to zero or one to toggle the policy off or on.
99 .It Va security.mac.bsdextended.rule_count
100 List the number of defined rules, the maximum rule count is
102 .It Va security.mac.bsdextended.rule_slots
103 List the number of rule slots currently being used.
104 .It Va security.mac.bsdextended.firstmatch_enabled
105 Toggle between the old all rules match functionality
106 and the new first rule matches functionality.
107 This is enabled by default.
108 .It Va security.mac.bsdextended.logging
109 Log all access violations via the
113 .It Va security.mac.bsdextended.rules
114 Currently does nothing interesting.
125 .Xr mac_partition 4 ,
127 .Xr mac_seeotheruids 4 ,
135 policy module first appeared in
137 and was developed by the
141 The "match first case" and logging capabilities were later added by
142 .An Tom Rhodes Aq trhodes@FreeBSD.org .
144 This software was contributed to the
146 Project by NAI Labs, the Security Research Division of Network Associates
147 Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
149 as part of the DARPA CHATS research program.