Module name: mac_partition.ko
Kernel configuration line: options MAC_PARTITION
Boot option: mac_partition_load="YES"
The mac_partition(4) policy will drop processes into specific "partitions" based on their MAC label. Think of it as a special type of jail(8), though that is hardly a worthy comparison.
This module should be added to the loader.conf(5) file so that it loads and enables the policy during the boot process.
Most configuration for this policy is done using the setpmac(8) utility, which is explained below.
The following sysctl tunable is available for this policy:
security.mac.partition.enabled
This enables the enforcement of MAC process partitions.
When this policy is enabled, users will only be permitted to see their own processes and any others within their partition, but will not be permitted to work with utilities outside the scope of that partition. For instance, a user in the insecure class above will not be permitted to access the top command, as well as many other commands that must spawn a process.
To set or drop utilities into a partition label, use the setpmac utility:
# setpmac partition/13 top
This will add the top command to the label set on users in the insecure class. Note that all processes spawned by users in the insecure class will stay in the partition/13 label.
The following command will show you the partition label and the process list:
# ps Zax
This next command will allow the viewing of another user's process partition label and that user's currently running processes:
# ps -ZU trhodes
Users can see processes in root's label unless the mac_seeotheruids(4) policy is loaded.
A really crafty implementation could have all of the services disabled in /etc/rc.conf and started by a script that starts them with the proper labeling set.
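One way to build the start-up script the previous paragraph suggests, as an added example that is not part of the Handbook or of FreeBSD itself: a small sh(1) helper that checks the security.mac.partition.enabled sysctl, validates the label syntax, and starts each service through setpmac(8) under its partition label. The service table, the partition/13 label (taken from the insecure class above), the daemon paths and the SETPMAC override for dry runs are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Handbook: an rc-style helper that starts
# services under a MAC partition label via setpmac(8), so that daemons
# disabled in /etc/rc.conf are still started with the proper labeling.
# Assumptions: mac_partition.ko is loaded at boot, partition/13 is the label
# given to the "insecure" login class, and the service table below is
# constructed for illustration only.

SETPMAC="${SETPMAC:-/usr/sbin/setpmac}"   # overridable for dry runs
DEFAULT_LABEL="${DEFAULT_LABEL:-partition/13}"

# Report whether the policy is loaded and enforcing (the sysctl must read 1).
partition_enabled() {
    [ "$(sysctl -n security.mac.partition.enabled 2>/dev/null)" = "1" ]
}

# Accept only labels of the form partition/<number>, the syntax used by
# mac_partition(4), before handing anything to setpmac.
valid_partition_label() {
    case "$1" in
        partition/*[!0-9]*|partition/) return 1 ;;
        partition/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one command under a partition label. Returns setpmac's exit status,
# or 2 if the label is malformed.
run_in_partition() {
    label=$1
    shift
    valid_partition_label "$label" || return 2
    "$SETPMAC" "$label" "$@"
}

# Start every "label command args" entry read on stdin, one per line.
# Blank lines and lines starting with # are skipped. Returns the number
# of services that failed to start.
start_labeled_services() {
    failures=0
    while read -r label cmd args; do
        case "$label" in ''|\#*) continue ;; esac
        # shellcheck disable=SC2086  # args is intentionally word-split
        if ! run_in_partition "$label" $cmd $args; then
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed service table; real entries would name the daemons that were
# turned off in /etc/rc.conf.
SERVICES='
# label          command                args
partition/13     /usr/local/sbin/httpd  -k start
partition/13     /usr/sbin/sshd
'

if [ "${1:-}" = "start" ]; then
    partition_enabled || { echo "mac_partition is not enforcing" >&2; exit 1; }
    printf '%s\n' "$SERVICES" | start_labeled_services
fi
```

Run it as "sh start_labeled.sh start" after the policy is loaded; afterwards "ps Zax" should list the started daemons under the partition/13 label. Refusing to start anything when the sysctl does not read 1 avoids silently launching unlabeled daemons on a boot where the module failed to load.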
The following policies support integer settings in place of the three default labels offered. These options, including their limitations, are further explained in the module manual pages.
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.