.\" Copyright (c) 2002, 2004 Networks Associates Technology, Inc.
.\" All rights reserved.
.\" This software was developed for the FreeBSD Project by Chris
.\" Costello at Safeport Network Services and NAI Labs, the Security
.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR
.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.Nd "firewall-like access controls for file system objects"
.Cm uid Ar uid | minuid:maxuid
.Cm gid Ar gid | mingid:maxgid
.Cm uid Ar uid | minuid:maxuid
.Cm gid Ar gid | mingid:maxgid
.Cm uid Ar uid | minuid:maxuid
.Cm gid Ar gid | mingid:maxgid
.Cm uid Ar uid | minuid:maxuid
.Cm gid Ar gid | mingid:maxgid
interface to manage access to file system objects by UID and GID,
.Xr mac_bsdextended 4
The arguments are as follows:
.Bl -tag -width indent -offset indent
Add a new rule, automatically selecting the rule number.
See the description of
for syntax information.
Produces a list of all the current
Add a new rule or modify an existing rule.
The arguments are as follows:
.Bl -tag -width ".Ar rulenum"
Entries with a lower rule number
placing the most frequently matched rules at the beginning of the list
(i.e., lower-numbered)
will yield a slight performance increase.
.Cm uid Ar uid | minuid:maxuid
.Cm gid Ar gid | mingid:maxgid
Subjects performing an operation must match all the conditions given.
means that the subject should not match the remainder of the specification.
A condition may be prefixed by
to indicate that particular condition must not match the subject.
The subject can be required to have a particular
A range of uids/gids can be specified, separated by a colon.
The subject can be required to be in a particular jail with the
.Cm uid Ar uid | minuid:maxuid
.Cm gid Ar gid | mingid:maxgid
The rule will apply only to objects matching all the specified conditions.
means that the object should not match all the remaining conditions.
A condition may be prefixed by
to indicate that particular condition must not match the object.
Objects can be required to be owned by the user and/or group specified by
A range of uids/gids can be specified, separated by a colon.
The object can be required to be in a particular filesystem by
specifying the filesystem using
if the filesystem is unmounted and remounted,
then the rule may need to be reapplied to ensure the correct filesystem
The object can be required to have the
The owner of the object can be required to match the
attempting the operation.
The type of the object can be restricted to a subset of
.Bl -tag -width ".Cm w" -compact -offset indent
a block special device
a character special device
.It Cm mode Ar arswxn
each character represents an access mode.
the specified access permissions are enforced
When a character is specified in the rule,
the rule will allow for the operation.
Conversely, not including it will cause the operation
The definitions of each character are as follows:
.Bl -tag -width ".Cm w" -compact -offset indent
administrative operations
access to file attributes
.It Cm remove Ar rulenum
Disable and remove the rule with the specified rule number.
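.Pp
The following is an added example, not part of this manual page or of the
ugidfw utility itself: a small Python model of how the subject, object and
mode parts of a set rule are matched, covering single uids/gids, min:max
ranges, a leading "not" that negates the rest of a specification, and a
per-condition "not".  It assumes first-match evaluation in ascending rule
order, that a subject or object with no conditions matches everything, and
that no restriction applies when no rule matches; the rule strings and
uid/gid values below are constructed for illustration.

```python
import re

MODE_CHARS = set("arswxn")   # a admin, r read, s stat/attributes, w write, x exec, n none

def _parse_spec(tokens):
    """Parse '[not] [[not] uid X|A:B] [[not] gid X|A:B]' into (negate_all, conds).

    A leading 'not' negates the remainder of the specification; a 'not' in
    front of a single condition negates only that condition.
    """
    negate_all, conds, i = False, [], 0
    if tokens and tokens[0] == "not":
        negate_all, i = True, 1
    while i < len(tokens):
        neg = False
        if tokens[i] == "not":
            neg, i = True, i + 1
        key, val = tokens[i], tokens[i + 1]          # e.g. "uid", "1000:1999"
        lo, _, hi = val.partition(":")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        conds.append((key, lo, hi, neg))
        i += 2
    return negate_all, conds

def parse_rule(text):
    """Parse 'subject ... object ... mode <arswxn>' into a dict (constructed grammar subset)."""
    m = re.fullmatch(r"subject(.*?)object(.*?)mode\s+([a-z]+)", text.strip())
    if not m or not set(m.group(3)) <= MODE_CHARS:
        raise ValueError("bad rule: " + text)
    return {"subject": _parse_spec(m.group(1).split()),
            "object": _parse_spec(m.group(2).split()),
            "mode": set(m.group(3)) - {"n"}}             # 'n' grants nothing

def _spec_matches(spec, ids):
    """ids is a dict with 'uid' and 'gid'; every condition must hold (after negation)."""
    negate_all, conds = spec
    matched = all((lo <= ids[key] <= hi) != neg for key, lo, hi, neg in conds)
    return matched != negate_all

def check(rules, subject, obj, access):
    """True if every requested access character is allowed.

    Assumption: the first rule whose subject and object both match decides;
    if no rule matches, this model imposes no restriction.
    """
    for rule in rules:
        if _spec_matches(rule["subject"], subject) and _spec_matches(rule["object"], obj):
            return set(access) <= rule["mode"]
    return True
```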
.Xr mac_bsdextended 4 ,
utility first appeared in
This software was contributed to the
Project by NAI Labs, the Security Research Division of Network Associates
Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
as part of the DARPA CHATS research program.