mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-21 11:13:30 +00:00
8d5d039f80
Approved by: re
141 lines
4.8 KiB
Groff
141 lines
4.8 KiB
Groff
.\" Copyright (c) 2001 Networks Associates Technology, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" This software was developed for the FreeBSD Project by NAI Labs, the
|
|
.\" Security Research Division of Network Associates, Inc. under
|
|
.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
|
|
.\" CHATS research program.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. The name of the author may not be used to endorse or promote
|
|
.\" products derived from this software without specific prior written
|
|
.\" permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd November 20, 2001
|
|
.Dt LOMAC 4
|
|
.Os
|
|
.Sh NAME
|
|
.Nm LOMAC
|
|
.Nd Low-Watermark Mandatory Access Control security facility
|
|
.Sh SYNOPSIS
|
|
.Li "kldload lomac"
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
module provides a drop-in security mechanism in addition to the traditional
|
|
.Tn POSIX
|
|
UID-based security facilities, requiring no additional configuration
|
|
from the administrator.
|
|
.Nm
|
|
aims to be two things: it is non-intrusive, so that the system with
|
|
.Nm
|
|
will not feel largely different from the system without it, and will not
|
|
require much modification to initialize; it is also comprehensive enough
|
|
that a majority of attacks to compromise a system should fail.
|
|
.Pp
|
|
To this end, each process on the system will have a label of several
|
|
attributes, including a
|
|
.Dq high
|
|
or
|
|
.Dq low
|
|
security level, attached to it,
|
|
and these labels of integrity will be managed with a system cognizant
|
|
of IPC (signals, debugging, sockets, pipes), path-based file system
|
|
labels, virtual memory objects, and privileged system calls.
|
|
A process (or set of vmspace-sharing processes) will initially inherit
|
|
the integrity level of its parent, which, at the point of
|
|
.Nm
|
|
being started with
|
|
.Xr kldload 8 ,
|
|
will be high.
|
|
If it reads lower-integrity data from one of the controlled mechanisms,
|
|
it will then decrease its integrity level, and access to modify
|
|
higher-integrity data will be revoked.
|
|
.Sh IMPLEMENTATION NOTES
|
|
.Nm
|
|
on
|
|
.Fx ,
|
|
as implemented currently, should properly respect all aspects of any
|
|
.Xr chroot 8
|
|
or
|
|
.Xr jail 8
|
|
operation performed after it has been initialized.
|
|
Pre-existing jail or chroot environments may not necessarily work
|
|
completely.
|
|
.Nm Ns 's
|
|
file system should correctly respect the caching behavior of any of the
|
|
system's file systems, and so work for any
|
|
.Dq normal
|
|
or
|
|
.Dq synthetic
|
|
fileystems.
|
|
After loaded, another root
|
|
.Xr mount 8
|
|
will exist on the system and appear as type
|
|
.Dq lomacfs .
|
|
.Sh FILES
|
|
See
|
|
.Pa /sys/security/lomac/policy_plm.h
|
|
for specific information on exactly how
|
|
.Nm
|
|
has been compiled to control access to the file system.
|
|
.Sh COMPATIBILITY
|
|
Some programs, for example
|
|
.Xr syslogd 8 ,
|
|
may need to be restarted after
|
|
.Nm
|
|
is initialized for them to continue proper operation.
|
|
This version of
|
|
.Nm
|
|
has not had widespread testing, so some common programs have probably
|
|
not been tested and could have issues that need to be worked around or
|
|
fixed.
|
|
.Sh SEE ALSO
|
|
.Xr kldload 8
|
|
.Sh HISTORY
|
|
.Nm
|
|
was initially implemented for Linux systems over the past several years.
|
|
Since then, this implementation was created via funding from the
|
|
United States DARPA.
|
|
See the copyright for details.
|
|
.Sh AUTHORS
|
|
.An Brian Fundakowski Feldman Aq bfeldman@tislabs.com
|
|
.An Timothy Fraser Aq tfraser@tislabs.com
|
|
.Sh BUGS
|
|
.Nm
|
|
has not gone through widespread testing yet, so many problems may still exist.
|
|
There is still yet one unfixed panic which is reproduceable under load
|
|
.Xr ( vrele 9
|
|
being called too many times).
|
|
The operation of
|
|
.Xr mount 2
|
|
and
|
|
.Xr unmount 2
|
|
may not work properly or at all once
|
|
.Nm
|
|
has been loaded.
|
|
After being loaded, the system must be restarted to revert to a state
|
|
without
|
|
.Nm .
|