Mandatory Access Control (MAC) is a security feature frequently found in commercial trusted operating systems. MAC supplements existing Discretionary Access Control (DAC) protections (such as file system permissions and access control lists) by allowing the security administrator to define mandatory protections for system objects. Mandatory protections may be distinguished from discretionary protections in that DAC is applied at the discretion of the object owner, whereas MAC protections are defined by the administrator and applied to all users and objects in the system and may not be bypassed even by object owners. A variety of MAC policies have been explored in security research literature as well as the commercial trusted operating system space. These include policies such as the Multi-Level Security (MLS) confidentiality policy, used to prevent inappropriate sharing of information on multi-user systems, and the Biba integrity policy, typically used to protect the integrity of system and user services.
The implementation of MAC found in FreeBSD was developed by the TrustedBSD Project, and includes support for both a number of specific MAC policies, and for a flexible and extensible security framework to support the easy creation of new kernel security policies. This framework isolates the internals of specific MAC policies from the implementation of kernel services, and encapsulates the policies in policy modules. Policy modules may be added to the system without changes to the base kernel, and can augment the kernel security policy in a variety of ways. In addition, policies may provide a shared object implementation of common MAC interfaces for userland applications, permitting applications to be easily extended to manage labels for new policies. Support is provided for setting labels on user processes at login, as well as in a number of other locations where user context management occurs.
This chapter introduces the MAC policy userland and kernel policy frameworks and provides documentation for a sample MAC policy module.
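The following is an added example, not code from FreeBSD or the TrustedBSD Project: a simplified userspace model of how an owner-controlled DAC check composes with administrator-defined MAC policy modules, using the standard MLS (no read up, no write down) and Biba (no read down, no write up) rules. All names, the integer label encoding, the mode bits and the sample subjects and objects are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum op { OP_READ, OP_WRITE };
struct label { int mls, biba; };      /* higher = more secret / more trusted */
struct subject { int uid; struct label l; };
struct object { int owner; unsigned mode; struct label l; };
typedef bool (*check_fn)(const struct subject *, const struct object *, enum op);

/* DAC: mode bits 0x8/0x4 = owner read/write, 0x2/0x1 = other read/write. */
static bool dac_check(const struct subject *s, const struct object *o, enum op op) {
    unsigned bit = (op == OP_READ) ? 2u : 1u;
    return (o->mode & (s->uid == o->owner ? bit << 2 : bit)) != 0;
}
/* MLS confidentiality: no read up, no write down. */
static bool mls_check(const struct subject *s, const struct object *o, enum op op) {
    return op == OP_READ ? s->l.mls >= o->l.mls : s->l.mls <= o->l.mls;
}
/* Biba integrity: no read down, no write up. */
static bool biba_check(const struct subject *s, const struct object *o, enum op op) {
    return op == OP_READ ? s->l.biba <= o->l.biba : s->l.biba >= o->l.biba;
}
/* Policy modules registered with the (hypothetical) framework table. */
static const struct { const char *name; check_fn check; } policies[] = {
    { "mls", mls_check }, { "biba", biba_check },
};
/* Returns NULL when access is allowed, otherwise the layer that denied it.
 * Every registered policy must agree; one denial is final. */
static const char *denied_by(const struct subject *s, const struct object *o, enum op op) {
    if (!dac_check(s, o, op)) return "dac";
    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++)
        if (!policies[i].check(s, o, op)) return policies[i].name;
    return NULL;
}
/* Discretionary: only the owner may change mode bits; labels are never touched. */
static bool owner_chmod(const struct subject *s, struct object *o, unsigned mode) {
    if (s->uid != o->owner) return false;
    o->mode = mode;
    return true;
}
/* Constructed sample data: alice owns report but is cleared below its label. */
static const struct subject alice = { 1001, { 1, 1 } }, bob = { 1002, { 2, 1 } };
static struct object report = { 1001, 0xC, { 2, 1 } }, sysconf = { 1002, 0xC, { 2, 2 } };

int main(void) {
    const char *d = denied_by(&alice, &report, OP_READ);
    printf("alice read report: %s\n", d ? d : "allowed");
    return 0;
}
```

In this model alice can widen the mode bits on the object she owns, which changes what DAC allows bob to do, but her own read stays denied by the MLS module because nothing available to an owner alters a label.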
This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the documentation before contacting <[email protected]>.
For questions about this documentation, e-mail <[email protected]>.