The TrustedBSD MAC Framework includes a number of policy-agnostic elements, including MAC library interfaces for abstractly managing labels, modifications to the system credential management and login libraries to support the assignment of MAC labels to users, and a set of tools to monitor and modify labels on processes, files, and network interfaces. More details on the user architecture will be added to this section in the near future.
The TrustedBSD MAC Framework provides a number of library and system calls permitting applications to manage MAC labels on objects using a policy-agnostic interface. This permits applications to manipulate labels for a variety of policies without being written to support specific policies. These interfaces are used by general-purpose tools such as ifconfig(8), ls(1) and ps(1) to view labels on network interfaces, files, and processes. The APIs also support MAC management tools including getfmac(8), getpmac(8), setfmac(8), setfsmac(8), and setpmac(8). The MAC APIs are documented in mac(3).
Applications handle MAC labels in two forms: an
internalized form used to return and set labels on
processes and objects (mac_t
),
and externalized form based on C strings appropriate for
storage in configuration files, display to the user, or
input from the user. Each MAC label contains a number of
elements, each consisting of a name and value pair.
Policy modules in the kernel bind to specific names
and interpret the values in policy-specific ways. In
the externalized string form, labels are represented
by a comma-delimited list of name and value pairs separated
by the /
character. Labels may be
directly converted to and from text using provided APIs;
when retrieving labels from the kernel, internalized
label storage must first be prepared for the desired
label element set. Typically, this is done in one of
two ways: using mac_prepare(3) and an arbitrary
list of desired label elements, or one of the variants
of the call that loads a default element set from the
mac.conf(5) configuration file. Per-object
defaults permit application writers to usefully display
labels associated with objects without being aware of
the policies present in the system.
Currently, direct manipulation of label elements other than by conversion to a text string, string editing, and conversion back to an internalized label is not supported by the MAC library. Such interfaces may be added in the future if they prove necessary for application writers.
The standard user context management interface,
setusercontext(3), has been modified to retrieve
MAC labels associated with a user's class from
login.conf(5). These labels are then set along
with other user context when either
LOGIN_SETALL
is specified, or when
LOGIN_SETMAC
is explicitly
specified.
It is expected that, in a future version of FreeBSD,
the MAC label database will be separated from the
login.conf
user class abstraction,
and be maintained in a separate database. However, the
setusercontext(3) API should remain the same
following such a change.
All FreeBSD documents are available for download at https://download.freebsd.org/ftp/doc/
Questions that are not answered by the
documentation may be
sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.