Module name: mac_bsdextended.ko
Kernel configuration line: options MAC_BSDEXTENDED
Boot option: mac_bsdextended_load="YES"
The mac_bsdextended(4) module enforces a file system
firewall. This module's policy provides an extension to the
standard file system permissions model, permitting an
administrator to create a firewall-like ruleset to protect
files, utilities, and directories in the file system hierarchy.
When access to a file system object is attempted, the list of
rules is iterated until either a matching rule is located or
the end of the list is reached. Whether evaluation stops at the
first matching rule is controlled by the sysctl(8) parameter
security.mac.bsdextended.firstmatch_enabled.
Similar to other firewall modules in FreeBSD, a file containing
the access control rules can be created and read by the system
at boot time by setting the appropriate rc.conf(5) variable.
The rule list may be entered using ugidfw(8) which has a syntax similar to ipfw(8). More tools can be written by using the functions in the libugidfw(3) library.
Extreme caution should be taken when working with this module as incorrect use could block access to certain parts of the file system.
After the mac_bsdextended(4) module has been loaded, the following command may be used to list the current rule configuration:
# ugidfw list
0 slots, 0 rules
By default, no rules are defined and everything is
completely accessible. To create a rule which will block all
access by users but leave root unaffected, run the following command:
# ugidfw add subject not uid root new object not uid root mode n
This is a very bad idea as it will block all users from
issuing even the most simple commands, such as ls.
The next example blocks user1 from any and all access, including
directory listings, to user2's home directory:
# ugidfw set 2 subject uid user1 object uid user2 mode n
# ugidfw set 3 subject uid user1 object gid user2 mode n
Note that ugidfw set writes the rule into the given slot number,
replacing whatever rule already occupies it, so check ugidfw list
before choosing slot numbers; ugidfw add appends a rule to the end
of the list instead.
Instead of uid user1, not uid user2 could be used as the subject.
This enforces the same access restrictions for all users instead
of just one user. The root user is unaffected by these changes.
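The following script is an added example, not code from the FreeBSD Handbook or from the ugidfw sources. It generalizes the two rules above: for each user named on the command line it generates the "subject not uid U object uid U mode n" and "subject not uid U object gid U mode n" pair that keeps every other user out of that user's files, numbers the slots consecutively, and applies the rules only when the policy module is actually loaded; otherwise it prints them for review. The script name protect-homes.sh is hypothetical, and it assumes, as the user1/user2 example does, that each user's primary group carries the user's name.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD Handbook or the ugidfw sources:
# generate the per-user ruleset described above ("subject not uid U ...
# mode n" for each user U) and apply it only if mac_bsdextended is loaded.
# Assumptions: user names double as their primary group names (as in the
# user1/user2 example), and ugidfw(8) resolves the names to ids.
set -eu

# Print the ugidfw(8) commands, one per line, that deny every other user
# ("subject not uid U") all access ("mode n") to files owned by user U and
# to files owned by U's primary group. Slots are numbered consecutively
# from $1 so the rules can be reviewed before anything is written to the
# kernel.
gen_rules() {
    slot=$1
    shift
    for u in "$@"; do
        printf 'ugidfw set %d subject not uid %s object uid %s mode n\n' "$slot" "$u" "$u"
        slot=$((slot + 1))
        printf 'ugidfw set %d subject not uid %s object gid %s mode n\n' "$slot" "$u" "$u"
        slot=$((slot + 1))
    done
}

# Succeed only when the policy module is loaded and ugidfw is available;
# kldstat -q -m checks for a loaded module without printing anything.
policy_loaded() {
    kldstat -q -m mac_bsdextended 2>/dev/null && command -v ugidfw >/dev/null 2>&1
}

# Apply the generated rules through a child shell that stops at the first
# failing ugidfw command, then show the resulting table; otherwise print
# the rules as a dry run so they can be reviewed first.
apply_rules() {
    if policy_loaded; then
        gen_rules "$@" | sh -e
        ugidfw list
    else
        echo "mac_bsdextended not loaded; dry run only:" >&2
        gen_rules "$@"
    fi
}

# Usage: sh protect-homes.sh user1 user2 ...
# Slot numbering starts at 2, the first slot the example above uses.
if [ $# -gt 0 ]; then
    apply_rules 2 "$@"
fi
```

The dry-run output is exactly the command form ugidfw(8) accepts, so it can be pasted into the rule file that rc.conf(5) loads at boot. Two caveats: the gid rule also shuts out other members of that group, so drop it for users whose primary group is shared, and because ugidfw set overwrites slots, run ugidfw list before choosing the starting slot on a system that already has rules.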
For more information, refer to mac_bsdextended(4) and ugidfw(8).
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.