1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 
30.\" 31.Dd January 16, 2026 32.Dt MAC 4 33.Os 34.Sh NAME 35.Nm mac 36.Nd Mandatory Access Control 37.Sh SYNOPSIS 38.Cd "options MAC" 39.Sh DESCRIPTION 40.Ss Introduction 41The Mandatory Access Control, or MAC, framework allows administrators to 42finely control system security by providing for a loadable security policy 43architecture. 44It is important to note that due to its nature, MAC security policies may 45only restrict access relative to one another and the base system policy; 46they cannot override traditional 47.Ux 48security provisions such as file permissions and superuser checks. 49.Pp 50Currently, the following MAC policy modules are shipped with 51.Fx : 52.Bl -column ".Xr mac_seeotheruids 4" "ddb(4) interface restrictions" ".Em Labeling" "boot only" 53.It Sy Name Ta Sy Description Ta Sy Labeling Ta Sy "Load time" 54.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only 55.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time 56.It Xr mac_ddb 4 Ta "ddb(4) interface restrictions" Ta no Ta any time 57.It Xr mac_do 4 Ta "Change command's uid/gid" Ta no Ta any time 58.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time 59.It Xr mac_ipacl 4 Ta "IP Address access control" Ta no Ta any time 60.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only 61.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only 62.It Xr mac_ntpd 4 Ta "Non-root NTP Daemon policy" Ta no Ta any time 63.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time 64.It Xr mac_portacl 4 Ta "Port bind(2) access control" Ta no Ta any time 65.It Xr mac_priority 4 Ta "Scheduling priority policy" Ta no Ta any time 66.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time 67.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time 68.El 69.Ss MAC Labels 70Each system subject (processes, sockets, etc.) and each system object 71(file system objects, jails, sockets, etc.) can carry with it a MAC label. 
MAC labels contain data in an arbitrary format
taken into consideration in making access control decisions
for a given operation.
Most MAC labels on system subjects and objects
can be modified directly or indirectly by the system
administrator.
The format for a given policy's label may vary depending on the type
of object or subject being labeled.
More information on the format for MAC labels can be found in the
.Xr maclabel 7
man page.
.Ss MAC Support for UFS2 File Systems
By default, file system enforcement of labeled MAC policies relies on
a single file system label
(see
.Sx "MAC Labels" )
in order to make access control decisions for all the files in a particular
file system.
With some policies, this configuration may not allow administrators to take
full advantage of features.
In order to enable support for labeling files on an individual basis
for a particular file system,
the
.Dq multilabel
flag must be enabled on the file system.
To set the
.Dq multilabel
flag, drop to single-user mode and unmount the file system,
then execute the following command:
.Pp
.Dl "tunefs -l enable" Ar filesystem
.Pp
where
.Ar filesystem
is either the mount point
(in
.Xr fstab 5 )
or the special file
(in
.Pa /dev )
corresponding to the file system on which to enable multilabel support.
.Ss Policy Enforcement
Policy enforcement is divided into the following areas of the system:
.Bl -ohang
.It Sy "File System"
File system mounts, modifying directories, modifying files, etc.
.It Sy Jails
Creating, modifying, removing, and attaching to jails
.It Sy KLD
Loading, unloading, and retrieving statistics on loaded kernel modules
.It Sy Network
Network interfaces,
.Xr bpf 4 ,
packet delivery and transmission,
interface configuration
.Xr ( ioctl 2 ,
.Xr ifconfig 8 )
.It Sy Pipes
Creation of and operation on
.Xr pipe 2
objects
.It Sy Processes
Debugging
(e.g.\&
.Xr ktrace 2 ) ,
process visibility
.Pq Xr ps 1 ,
process execution
.Pq Xr execve 2 ,
signalling
.Pq Xr kill 2
.It Sy Sockets
Creation of and operation on
.Xr socket 2
objects
.It Sy System
Kernel environment
.Pq Xr kenv 1 ,
system accounting
.Pq Xr acct 2 ,
.Xr reboot 2 ,
.Xr settimeofday 2 ,
.Xr swapon 2 ,
.Xr sysctl 3 ,
.Xr nfsd 8 Ns
-related operations
.It Sy VM
.Xr mmap 2 Ns
-ed files
.El
.Ss Setting MAC Labels
From the command line, each type of system object has its own means for setting
and modifying its MAC policy label.
.Bl -column "user (by login class)" "Xr setfmac 8 , Xr setfsmac 8" -offset indent
.It Sy "Subject/Object" Ta Sy "Utility"
.It "File system object" Ta Xr setfmac 8 , Xr setfsmac 8
.It Jail Ta Xr jail 8
.It "Network interface" Ta Xr ifconfig 8
.It "TTY (by login class)" Ta Xr login.conf 5
.It "User (by login class)" Ta Xr login.conf 5
.El
.Pp
Additionally, the
.Xr su 1
and
.Xr setpmac 8
utilities can be used to run a command with a different process label than
the shell's current label.
.Ss Programming With MAC
MAC security enforcement itself is transparent to application
programs, with the exception that some programs may need to be aware of
additional
.Xr errno 2
returns from various system calls.
.Pp
The interface for retrieving, handling, and setting policy labels
is documented in the
.Xr mac 3
man page.
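Added example, not part of this manual page or of FreeBSD: a POSIX sh helper for the multilabel procedure described under MAC Support for UFS2 File Systems above. It reports whether a UFS2 file system already has the flag and refuses to propose tunefs while the device is still mounted. It assumes the "MAC multilabel: (-l) ... enabled|disabled" line printed by tunefs -p and the "device on mountpoint (...)" form of mount output; both sample outputs below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of mac(4): plan the "multilabel" step for a UFS2
# file system from the output of "tunefs -p" and "mount". It never runs
# tunefs itself; it only reports the state and the next safe action.
# ASSUMPTION: tunefs -p prints a "MAC multilabel: (-l) ... enabled|disabled"
# line (via warnx, so to stderr: capture with 2>&1 on a live host).

# CONSTRUCTED "tunefs -p /dev/ada0p2" output for offline use.
TUNEFS_P_SAMPLE='tunefs: POSIX.1e ACLs: (-a)                                disabled
tunefs: NFSv4 ACLs: (-N)                                   disabled
tunefs: MAC multilabel: (-l)                               disabled
tunefs: soft updates: (-n)                                 enabled'

# CONSTRUCTED "mount" output: /dev/ada0p2 is still mounted on /usr.
MOUNT_SAMPLE='/dev/ada0p1 on / (ufs, local, soft-updates)
/dev/ada0p2 on /usr (ufs, local, soft-updates)'

# multilabel_state TUNEFS_OUTPUT -> prints enabled | disabled | unknown
multilabel_state() {
    printf '%s\n' "$1" | awk '
        /MAC multilabel: \(-l\)/ { print $NF; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# is_mounted SPECIAL MOUNT_OUTPUT -> exit 0 if SPECIAL is a mounted device
is_mounted() {
    printf '%s\n' "$2" |
        awk -v dev="$1" '$1 == dev && $2 == "on" { hit = 1 } END { exit !hit }'
}

# plan_multilabel SPECIAL TUNEFS_OUTPUT MOUNT_OUTPUT
# Prints the action to take. mac(4) requires single-user mode and an
# unmounted file system before "tunefs -l enable", so a mounted device
# yields "unmount-first" (exit 1) instead of the tunefs command line.
plan_multilabel() {
    dev=$1
    case $(multilabel_state "$2") in
        enabled) echo "already-enabled: $dev"; return 0 ;;
        unknown) echo "not-ufs-or-unreadable: $dev"; return 2 ;;
    esac
    if is_mounted "$dev" "$3"; then
        echo "unmount-first: $dev is mounted"
        return 1
    fi
    echo "run: tunefs -l enable $dev"
}

plan_multilabel /dev/ada0p2 "$TUNEFS_P_SAMPLE" "$MOUNT_SAMPLE" || echo "(status $?)"
```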
191.\" *** XXX *** 192.\" Support for this feature is poor and should not be encouraged. 193.\" 194.\" .It Va security.mac.mmap_revocation 195.\" Revoke 196.\" .Xr mmap 2 197.\" access to files on subject relabel. 198.\" .It Va security.mac.mmap_revocation_via_cow 199.\" Revoke 200.\" .Xr mmap 2 201.\" access to files via copy-on-write semantics; 202.\" mapped regions will still appear writable, but will no longer 203.\" effect a change on the underlying vnode. 204.\" (Default: 0). 205.Sh SEE ALSO 206.Xr mac 3 , 207.Xr mac_biba 4 , 208.Xr mac_bsdextended 4 , 209.Xr mac_ddb 4 , 210.Xr mac_do 4 , 211.Xr mac_ifoff 4 , 212.Xr mac_ipacl 4 , 213.Xr mac_lomac 4 , 214.Xr mac_mls 4 , 215.Xr mac_none 4 , 216.Xr mac_ntpd 4 , 217.Xr mac_partition 4 , 218.Xr mac_portacl 4 , 219.Xr mac_priority 4 , 220.Xr mac_seeotheruids 4 , 221.Xr mac_stub 4 , 222.Xr mac_test 4 , 223.Xr login.conf 5 , 224.Xr maclabel 7 , 225.Xr jail 8 , 226.Xr getfmac 8 , 227.Xr getpmac 8 , 228.Xr setfmac 8 , 229.Xr setpmac 8 , 230.Xr mac 9 231.Rs 232.%B "The FreeBSD Handbook" 233.%T "Mandatory Access Control" 234.%U https://docs.FreeBSD.org/en/books/handbook/mac/ 235.Re 236.Sh HISTORY 237The 238.Nm 239implementation first appeared in 240.Fx 5.0 241and was developed by the 242.Tn TrustedBSD 243Project. 244.Sh AUTHORS 245This software was contributed to the 246.Fx 247Project by Network Associates Labs, 248the Security Research Division of Network Associates 249Inc. 250under DARPA/SPAWAR contract N66001-01-C-8035 251.Pq Dq CBOSS , 252as part of the DARPA CHATS research program. 253.Sh BUGS 254While the MAC Framework design is intended to support the containment of 255the root user, not all attack channels are currently protected by entry 256point checks. 257As such, MAC Framework policies should not be relied on, in isolation, 258to protect against a malicious privileged user. 259