17.8 The mac_bsdextended(4) Module

Module name: mac_bsdextended.ko

Kernel configuration line: options MAC_BSDEXTENDED

Boot option: mac_bsdextended_load="YES"

The mac_bsdextended(4) module enforces the file system firewall. This module's policy provides an extension to the standard file system permissions model, permitting an administrator to create a firewall-like ruleset to protect files, utilities, and directories in the file system hierarchy. When access to a file system object is attempted, the list of rules is iterated until either a matching rule is located or the end is reached. This behavior may be changed by the use of a sysctl(8) parameter, security.mac.bsdextended.firstmatch_enabled. Similar to other firewall modules in FreeBSD, a file containing the access control rules can be created and read by the system at boot time using an rc.conf(5) variable.

The rule list may be entered using ugidfw(8) which has a syntax similar to ipfw(8). More tools can be written by using the functions in the libugidfw(3) library.

Extreme caution should be taken when working with this module as incorrect use could block access to certain parts of the file system.

17.8.1 Examples

After the mac_bsdextended(4) module has been loaded, the following command may be used to list the current rule configuration:

# ugidfw list
0 slots, 0 rules

By default, no rules are defined and everything is completely accessible. To create a rule which will block all access by users but leave root unaffected, run the following command:

# ugidfw add subject not uid root object not uid root mode n

This is a very bad idea as it will block all users from issuing even the most simple commands, such as ls. The next example will block user1 from any and all access, including directory listings, to user2's home directory:

# ugidfw set 2 subject uid user1 object uid user2 mode n
# ugidfw set 3 subject uid user1 object gid user2 mode n

Instead of user1, not uid user2 could be used. This enforces the same access restrictions for all users instead of just one user.

Note: The root user is unaffected by these changes.
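As an added illustration (not code from the FreeBSD Handbook, ugidfw(8) or libugidfw(3)), the following model parses rules in the ugidfw syntax shown above and evaluates an access request against them, both in the default "every matching rule is checked" manner and with the first-match behaviour selected by security.mac.bsdextended.firstmatch_enabled. It simplifies the real module: each subject and object is assumed to carry a single uid and gid, and mode letters are compared as sets.

```python
# Added example, not code from the FreeBSD Handbook or from ugidfw(8)/libugidfw(3):
# a small model of a mac_bsdextended ruleset that parses ugidfw-style rule text
# and evaluates an access request. It simplifies the real module: each subject
# and object carries a single uid and gid, and mode letters are checked as a set.
import re

def parse_match(spec):
    """Parse '[not] uid U' / '[not] gid G' clauses into (negate, key, value) tuples."""
    toks, clauses, i = spec.split(), [], 0
    while i < len(toks):
        negate = toks[i] == "not"
        if negate:
            i += 1
        if i + 1 >= len(toks) or toks[i] not in ("uid", "gid"):
            raise ValueError(f"bad match clause: {spec!r}")
        clauses.append((negate, toks[i], toks[i + 1]))
        i += 2
    return clauses

def parse_rule(text):
    """Parse 'subject <match> object <match> mode <arswxn>' as ugidfw(8) prints it."""
    m = re.fullmatch(r"subject\s+(.*?)\s*object\s+(.*?)\s*mode\s+([arswxn]+)", text.strip())
    if m is None:
        raise ValueError(f"bad rule: {text!r}")
    # 'n' means no access, so it contributes nothing to the permitted set.
    return {"subject": parse_match(m.group(1)), "object": parse_match(m.group(2)),
            "mode": set(m.group(3)) - {"n"}}

def matches(clauses, ident):
    """Every clause must hold; 'not' inverts a single clause."""
    return all((ident[key] == value) != negate for negate, key, value in clauses)

def check(rules, subject, obj, access, first_match=False):
    """Return True if every requested mode letter in `access` is permitted.

    first_match=False: every matching rule must permit the access (any matching
    rule that lacks a requested mode denies). first_match=True models the
    firstmatch_enabled sysctl: the first matching rule decides, later ones are ignored."""
    for rule in rules:
        if not (matches(rule["subject"], subject) and matches(rule["object"], obj)):
            continue
        if not access <= rule["mode"]:
            return False
        if first_match:
            return True
    return True

# Constructed identities; the rules are the two from the user1/user2 example above.
USER1 = {"uid": "user1", "gid": "user1"}
USER2_HOME = {"uid": "user2", "gid": "user2"}
HOME_RULES = [parse_rule("subject uid user1 object uid user2 mode n"),
              parse_rule("subject uid user1 object gid user2 mode n")]
```

With both rules loaded, user1 is denied any mode on user2's files while root and other users are untouched; a permissive rule placed before a denying one only wins when first-match evaluation is in effect.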

For more information, refer to mac_bsdextended(4) and ugidfw(8).