FreeBSD includes a group of policies that will cover most security requirements. Each policy is discussed below.
Module name: mac_seeotheruids.ko
Kernel configuration line:
options MAC_SEEOTHERUIDS
Boot option:
mac_seeotheruids_load="YES"
The mac_seeotheruids(4) module mimics and extends
the security.bsd.see_other_uids
and
security.bsd.see_other_gids
sysctl
tunables. This option does
not require any labels to be set before configuration and
can operate transparently with the other modules.
After loading the module, the following
sysctl
tunables may be used to control
the features:
security.mac.seeotheruids.enabled
enables the module and uses the default settings which deny
users the ability to view processes and sockets owned by
other users.
security.mac.seeotheruids.specificgid_enabled
allows certain groups to be exempt from this policy. To
exempt specific groups from this policy, use the
security.mac.seeotheruids.specificgid=
XXX
sysctl
tunable. Replace
XXX
with the numeric group ID to
be exempted.
security.mac.seeotheruids.primarygroup_enabled
is used to exempt specific primary groups from this policy.
When using this tunable,
security.mac.seeotheruids.specificgid_enabled
may not be set.
Module name: mac_bsdextended.ko
Kernel configuration line:
options MAC_BSDEXTENDED
Boot option:
mac_bsdextended_load="YES"
The mac_bsdextended(4) module enforces the file system
firewall. This module's policy provides an extension to the
standard file system permissions model, permitting an
administrator to create a firewall-like ruleset to protect
files, utilities, and directories in the file system hierarchy.
When access to a file system object is attempted, the list of
rules is iterated until either a matching rule is located or
the end is reached. This behavior may be changed by the use
of a sysctl(8) parameter,
security.mac.bsdextended.firstmatch_enabled
.
Similar to other firewall modules in FreeBSD, a file containing
the access control rules can be created and read by the system
at boot time using an rc.conf(5) variable.
The rule list may be entered using ugidfw(8) which has a syntax similar to ipfw(8). More tools can be written by using the functions in the libugidfw(3) library.
Extreme caution should be taken when working with this module as incorrect use could block access to certain parts of the file system.
After the mac_bsdextended(4) module has been loaded, the following command may be used to list the current rule configuration:
#
ugidfw list
0 slots, 0 rules
By default, no rules are defined and everything is
completely accessible. To create a rule which will block all
access by users but leave root
unaffected, run the following command:
#
ugidfw add subject not uid root new object not uid root mode n
This is a very bad idea as it will block all users from
issuing even the most simple commands, such as
ls
. The next example will block
user1
any and all access, including
directory listings, to
's home
directory:user2
#
ugidfw set 2 subject uid user1 object uid user2 mode n
#
ugidfw set 3 subject uid user1 object gid user2 mode n
Instead of user1
,
not uid
could be used. This enforces the same access restrictions for
all users instead of just one user.user2
The root
user is unaffected by
these changes.
For more information, refer to mac_bsdextended(4) and ugidfw(8)
Module name: mac_ifoff.ko
Kernel configuration line:
options MAC_IFOFF
Boot option:
mac_ifoff_load="YES"
The mac_ifoff(4) module exists solely to disable network interfaces on the fly and keep network interfaces from being brought up during system boot. It does not require any labels to be set up on the system, nor does it depend on other MAC modules.
Most of this module's control is performed through the
sysctl
tunables listed below.
One of the most common uses of mac_ifoff(4) is network monitoring in an environment where network traffic should not be permitted during the boot sequence. Another suggested use would be to write a script which uses security/aide to automatically block network traffic if it finds new or altered files in protected directories.
Module name: mac_portacl.ko
Kernel configuration line:
MAC_PORTACL
Boot option:
mac_portacl_load="YES"
The mac_portacl(4) module is used to limit binding to
local TCP and UDP ports
using a variety of sysctl
variables.
mac_portacl(4) makes it possible to allow
non-root
users to bind to specified
privileged ports below 1024.
Once loaded, this module enables the MAC policy on all sockets. The following tunables are available:
security.mac.portacl.enabled
enables or disables the policy completely.
security.mac.portacl.port_high
sets the highest port number that mac_portacl(4)
protects.
security.mac.portacl.suser_exempt
,
when set to a non-zero value, exempts the
root
user from this policy.
security.mac.portacl.rules
specifies the mac_portacl policy, which is a text string of
the form: rule[,rule,...]
with as many
rules as needed. Each rule is of the form:
idtype:id:protocol:port
. The
idtype
parameter can be
uid
or gid
and is used
to interpret the id
parameter as
either a user id or group id, respectively. The
protocol
parameter is used to
determine if the rule should apply to TCP
or UDP by setting the parameter to
tcp
or udp
. The final
port
parameter is the port number to
allow the specified user or group to bind to.
Since the ruleset is interpreted directly by the kernel, only numeric values can be used for the user ID, group ID, and port parameters. Names cannot be used for users, groups, or services.
By default, ports below 1024 can only be used by or bound
to privileged processes, which run as
root
. For mac_portacl(4) to allow
non-privileged processes to bind to ports below 1024, this
restriction has to be disabled by setting the sysctl(8)
variables
net.inet.ip.portrange.reservedlow
and
net.inet.ip.portrange.reservedhigh
to
zero:
#
sysctl security.mac.portacl.port_high=1023
#
sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0
See the examples below or refer to mac_portacl(4) for further information.
Since the root
user should not be
crippled by this policy, this example starts by setting the
security.mac.portacl.suser_exempt
to a
non-zero value.
#
sysctl security.mac.portacl.suser_exempt=1
Next, allow the user with UID 80
to bind to port 80. This allows the www
user to run a web server without ever having
root
privilege.
#
sysctl security.mac.portacl.rules=uid:80:tcp:80
The next example permits the user with the UID of 1001 to bind to the TCP ports 110 (“pop3”) and 995 (“pop3s”). This permits this user to start a server that accepts connections on ports 110 and 995.
#
sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995
Module name: mac_partition.ko
Kernel configuration line:
options MAC_PARTITION
Boot option:
mac_partition_load="YES"
The mac_partition(4) policy will drop processes into specific “partitions” based on their MAC label. This module should be added to loader.conf(5) so that it loads and enables the policy at system boot.
Most configuration for this policy is done using
setpmac(8). One sysctl
tunable is
available for this policy:
security.mac.partition.enabled
enables the enforcement of MAC process
partitions.
When this policy is enabled, users will only be permitted
to see their processes, and any others within their partition,
but will not be permitted to work with utilities outside the
scope of this partition. For instance, a user in the
insecure
class will not be permitted to
access top
as well as many other commands
that must spawn a process.
To set or drop utilities into a partition label, use the
setpmac
utility:
#
setpmac partition/13 top
This example adds top
to the label set on
users in the insecure
class. All processes
spawned by users in the insecure
class will
stay in the partition/13
label.
The following command will display the partition label and the process list:
#
ps Zax
This command will display another user's process partition label and that user's currently running processes:
#
ps -ZU trhodes
Users can see processes in root
's
label unless the mac_seeotheruids(4) policy is
loaded.
A really crafty implementation could have all of the
services disabled in /etc/rc.conf
and
started by a script that starts them with the proper
labeling set.
The following policies support integer settings in place of the three default labels offered. These options, including their limitations, are further explained in the module manual pages.
Module name: mac_mls.ko
Kernel configuration line:
options MAC_MLS
Boot option: mac_mls_load="YES"
The mac_mls(4) policy controls access between subjects and objects in the system by enforcing a strict information flow policy.
In MLS environments, a “clearance” level is set in the label of each subject or object, along with compartments. Since these clearance or sensibility levels can reach numbers greater than several thousand; it would be a daunting task for any system administrator to thoroughly configure each subject or object. Thankfully, three “instant” labels are included in this policy.
These labels are mls/low
,
mls/equal
and mls/high
.
Since these labels are described in depth in the manual page,
they will only get a brief description here:
The mls/low
label contains a low
configuration which permits it to be dominated by all other
objects. Anything labeled with mls/low
will have a low clearance level and not be permitted to
access information of a higher level. This label also
prevents objects of a higher clearance level from writing or
passing information on to them.
The mls/equal
label should be
placed on objects considered to be exempt from the
policy.
The mls/high
label is the highest
level of clearance possible. Objects assigned this label
will hold dominance over all other objects in the system;
however, they will not permit the leaking of information
to objects of a lower class.
MLS provides:
A hierarchical security level with a set of non hierarchical categories.
Fixed rules of no read up, no write
down
. This means that a subject can have read
access to objects on its own level or below, but not above.
Similarly, a subject can have write access to objects on its
own level or above but not beneath.
Secrecy, or the prevention of inappropriate disclosure of data.
A basis for the design of systems that concurrently handle data at multiple sensitivity levels without leaking information between secret and confidential.
The following sysctl
tunables are
available for the configuration of special services and
interfaces:
security.mac.mls.enabled
is used to
enable or disable the MLS policy.
security.mac.mls.ptys_equal
labels all pty(4) devices as
mls/equal
during creation.
security.mac.mls.revocation_enabled
revokes access to objects after their label changes to a
label of a lower grade.
security.mac.mls.max_compartments
sets the maximum number of compartment levels allowed on a
system.
To manipulate the MLS labels, use setfmac(8). To assign a label to an object, issue the following command:
#
setfmac mls/5 test
To get the MLS label for the file
test
, issue the following command:
#
getfmac test
Another approach is to create a master policy file in
/etc/
which specifies the
MLS policy information and to feed that file
to setfmac
. This method will be explained
after all policies are covered.
When using the MLS policy module, an administrator plans
to control the flow of sensitive information. The default
block read up block write down
sets
everything to a low state. Everything is accessible and an
administrator slowly augments the confidentiality of the
information during the configuration stage;.
Beyond the three basic label options, an administrator may
group users and groups as required to block the information
flow between them. It might be easier to look at the
information in clearance levels using descriptive words, such
as classifications of Confidential
,
Secret
, and Top Secret
.
Some administrators instead create different groups based on
project levels. Regardless of the classification method, a
well thought out plan must exist before implementing such a
restrictive policy.
Some example situations for the MLS policy module include an e-commerce web server, a file server holding critical company information, and financial institution environments.
Module name: mac_biba.ko
Kernel configuration line: options
MAC_BIBA
Boot option: mac_biba_load="YES"
The mac_biba(4) module loads the MAC Biba policy. This policy is similar to the MLS policy with the exception that the rules for information flow are slightly reversed. This is to prevent the downward flow of sensitive information whereas the MLS policy prevents the upward flow of sensitive information. Much of this section can apply to both policies.
In Biba environments, an “integrity” label is set on each subject or object. These labels are made up of hierarchical grades and non-hierarchical components. As an grade ascends, so does its integrity.
Supported labels are biba/low
,
biba/equal
, and biba/high
;
as explained below:
The biba/low
label is considered the
lowest integrity an object or subject may have. Setting
this on objects or subjects will block their write access
to objects or subjects marked high. They still have read
access though.
The biba/equal
label should only be
placed on objects considered to be exempt from the
policy.
The biba/high
label will permit
writing to objects set at a lower label, but not
permit reading that object. It is recommended that this
label be placed on objects that affect the integrity of
the entire system.
Biba provides:
Hierarchical integrity level with a set of non hierarchical integrity categories.
Fixed rules are no write up, no read
down
, the opposite of
MLS. A subject can have write access
to objects on its own level or below, but not above.
Similarly, a subject can have read access to objects on
its own level or above, but not below.
Integrity by preventing inappropriate modification of data.
Integrity levels instead of MLS sensitivity levels.
The following sysctl
tunables can
be used to manipulate the Biba policy:
security.mac.biba.enabled
is used
to enable or disable enforcement of the Biba policy on the
target machine.
security.mac.biba.ptys_equal
is
used to disable the Biba policy on pty(4)
devices.
security.mac.biba.revocation_enabled
forces the revocation of access to objects if the label
is changed to dominate the subject.
To access the Biba policy setting on system objects, use
setfmac
and
getfmac
:
#
setfmac biba/low test
#
getfmac test
test: biba/low
Integrity, which is different from sensitivity, guarantees that the information will never be manipulated by untrusted parties. This includes information passed between subjects, objects, and both. It ensures that users will only be able to modify or access information they explicitly need to.
The mac_biba(4) security policy module permits an administrator to address which files and programs a user may see and invoke while assuring that the programs and files are free from threats and trusted by the system for that user.
During the initial planning phase, an administrator must be prepared to partition users into grades, levels, and areas. Users will be blocked access not only to data but to programs and utilities both before and after they start. The system will default to a high label once this policy module is enabled, and it is up to the administrator to configure the different grades and levels for users. Instead of using clearance levels, a good planning method could include topics. For instance, only allow developers modification access to the source code repository, source code compiler, and other development utilities. Other users would be grouped into other categories such as testers, designers, or end users and would only be permitted read access.
A lower integrity subject is unable to write to a higher integrity subject and a higher integrity subject cannot observe or read a lower integrity object. Setting a label at the lowest possible grade could make it inaccessible to subjects. Some prospective environments for this security policy module would include a constrained web server, a development and test machine, and a source code repository. A less useful implementation would be a personal workstation, a machine used as a router, or a network firewall.
Module name: mac_lomac.ko
Kernel configuration line: options
MAC_LOMAC
Boot option: mac_lomac_load="YES"
Unlike the MAC Biba policy, the mac_lomac(4) policy permits access to lower integrity objects only after decreasing the integrity level to not disrupt any integrity rules.
The MAC version of the Low-watermark
integrity policy works almost identically to Biba, but with the
exception of using floating labels to support subject demotion
via an auxiliary grade compartment. This secondary compartment
takes the form [auxgrade]
. When assigning
a LOMAC policy with an auxiliary grade, use the syntax
lomac/10[2]
where the number two (2) is the
auxiliary grade.
The MAC LOMAC policy relies on the
ubiquitous labeling of all system objects with integrity labels,
permitting subjects to read from low integrity objects and then
downgrading the label on the subject to prevent future writes to
high integrity objects using [auxgrade]
. The
policy may provide for greater compatibility and require less
initial configuration than Biba.
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the
documentation may be
sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.