FreeBSD Manual Pages
LOMAC(4) FreeBSD Kernel Interfaces Manual LOMAC(4) NAME LOMAC -- Low-Watermark Mandatory Access Control security facility SYNOPSIS kldload lomac DESCRIPTION The LOMAC module provides a drop-in security mechanism in addition to the traditional POSIX UID-based security facilities, requiring no additional configuration from the administrator. LOMAC aims to be two things: it is non-intrusive, so that the system with LOMAC will not feel largely dif- ferent from the system without it, and will not require much modification to initialize; it is also comprehensive enough that a majority of attacks to compromise a system should fail. To this end, each process on the system will have a label of several attributes, including a ``high'' or ``low'' security level, attached to it, and these labels of integrity will be managed with a system cognizant of IPC (signals, debugging, sockets, pipes), path-based file system labels, virtual memory objects, and privileged system calls. A process (or set of vmspace-sharing processes) will initially inherit the integrity level of its parent, which, at the point of LOMAC being started with kldload(8), will be high. If it reads lower-integrity data from one of the controlled mechanisms, it will then decrease its integrity level, and access to modify higher-integrity data will be revoked. IMPLEMENTATION NOTES LOMAC on FreeBSD, as implemented currently, should properly respect all aspects of any chroot(8) or jail(8) operation performed after it has been initialized. Pre-existing jail or chroot environments may not necessar- ily work completely. LOMAC's file system should correctly respect the caching behavior of any of the system's file systems, and so work for any ``normal'' or ``synthetic'' fileystems. After loaded, another root mount(8) will exist on the system and appear as type ``lomacfs''. FILES See /sys/security/lomac/policy_plm.h for specific information on exactly how LOMAC has been compiled to control access to the file system. COMPATIBILITY Some programs, for example syslogd(8), may need to be restarted after LOMAC is initialized for them to continue proper operation. This version of LOMAC has not had widespread testing, so some common programs have probably not been tested and could have issues that need to be worked around or fixed. SEE ALSO kldload(8) HISTORY LOMAC was initially implemented for Linux systems over the past several years. Since then, this implementation was created via funding from the United States DARPA. See the copyright for details. AUTHORS Brian Fundakowski Feldman <bfeldman@tislabs.com> Timothy Fraser <tfraser@tislabs.com> BUGS LOMAC has not gone through widespread testing yet, so many problems may still exist. There is still yet one unfixed panic which is reproduceable under load (vrele(9) being called too many times). The operation of mount(2) and unmount(2) may not work properly or at all once LOMAC has been loaded. After being loaded, the system must be restarted to revert to a state without LOMAC. FreeBSD 11.1 November 20, 2001 FreeBSD 11.1
NAME | SYNOPSIS | DESCRIPTION | IMPLEMENTATION NOTES | FILES | COMPATIBILITY | SEE ALSO | HISTORY | AUTHORS | BUGS
Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=lomac&sektion=4&manpath=FreeBSD+5.0-RELEASE>