Rev 1119 (author: dev)

.\" Copyright 2005, Anatoli Klassen <anatoli@aksoft.net>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"
.Dd November 4, 2005
.Dt MAC_SETTIME 4
.Os
.Sh NAME
.Nm mac_settime
.Nd "set system time policy"
.Sh SYNOPSIS
To load the set system time policy module at boot time,
place the following line in your kernel configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Ed
.Pp
and place the following line in
.Xr loader.conf 5 :
.Pp
.Dl "mac_settime_load=""YES"""
.Pp
then compile the module and copy it to your kernel modules directory
(e.g. /boot/kernel or /boot/modules).
.Sh DESCRIPTION
The
.Nm
policy allows administrators to define who is allowed to set and adjust the system time.
.Pp
In order to use the
.Nm
policy, the
.Va kern.usersettime
and
.Va kern.useradjtime
.Xr sysctl 8
MIBs should be set to 1 to disable the kernel's built-in security check.
.Pp
If the system time has to be changed from within a jail, the
.Va kern.jailsettime
and
.Va kern.jailadjtime
.Xr sysctl 8
MIBs should additionally be set to 1.
.Pp
The following
.Xr sysctl 8
MIBs are available for fine-tuning the enforcement of this MAC policy.
All
.Xr sysctl 8
variables, except
.Va security.mac.portacl.rules ,
can also be set as
.Xr loader 8
tunables in
.Xr loader.conf 5 .
.Bl -tag -width indent
.It Va security.mac.settime.enabled
Enforce the
.Nm
policy.
(Default: 1).
.Pp
The MIB can also be set as a
.Xr loader 8
tunable in
.Xr loader.conf 5 .
.It Va security.mac.settime.rules
The set time access control list is specified as a list of rules, separated by semicolons or newlines.
Rules are applied in the given order; the first match wins.
If no rule matches, setting the time is denied.
Each rule has the following format:
.Pp
.D1 Ar action Oo not Oc Ar idtype Ar idrange Oo not Oc Ar jailtype Ar jailidrange
.Pp
If a specification (id or jail) is omitted it means "any".
The
.Li not
keyword negates the match.
An underscore can be used in place of a space.
.Bl -tag -width ".Ar action"
.It Ar action
Describes the result of the rule, either
.Li allow
or
.Li deny .
.It Ar idtype
Describes the type of subject match to be performed.
Either
.Li uid
for user ID matching, or
.Li gid
for group ID matching.
.It Ar idrange : Bro Ar id | id Ns \&- Ns Ar id Ns Brc Ns Op , Ns Ar idrange
The range of user or group IDs (depending on
.Ar idtype )
allowed to set the system time.
.Bf -emphasis
NOTE: User and group names are not valid; only the actual ID numbers
may be used.
.Ef
.It Ar jailtype
Describes which jail match is to be performed.
Either
.Li nojail
for the main system, or
.Li jail
for a jail, in which case the jail ID range must be specified.
.It Ar jailidrange : Bro Ar jailid | jailid Ns \&- Ns Ar jailid Ns Brc Ns Op , Ns Ar jailidrange
IDs of the jails allowed to set the system time.
.Pp
.El
.Bf -emphasis
NOTE: MAC security policies may not override other security system policies
by allowing accesses that they may deny, such as
.Va kern.useradjtime /
.Va kern.jailadjtime /
.Va kern.usersettime /
.Va kern.jailsettime .
.Ef
If the internal kernel security checks are not disabled, the
.Nm
entry will not function
(i.e., even the specified user/group/jail may not be able to set the system time).
.El
.Sh EXAMPLES
To allow a user to set the system time, set the
.Va security.mac.settime.rules
.Xr sysctl 8
MIB to:
.Pp
.Dl "allow uid 2000 nojail"
.Pp
To additionally allow root to set the time from several jails, set
.Va security.mac.settime.rules
to:
.Pp
.Dl "allow uid 2000 nojail"
.Dl "allow uid 0 jail 4,5-9"
.Pp
If the MIB is set from /etc/sysctl.conf, neither spaces nor newlines are allowed by /etc/rc.d/sysctl, so
the last example can be written in the alternative form:
.Pp
.Dl "allow_uid_2000_nojail;allow_uid_0_jail_4,5-9"
.Pp
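The rule grammar and first-match semantics described above, evaluated in Python as an added example for checking a ruleset before loading it (this is not the module's own code; it assumes jail ID 0 denotes the unjailed main system, and the rule strings below are the man page's own examples plus one constructed negated rule):

```python
"""Evaluator for mac_settime(4) rule strings (added example, not the module's code).
Grammar (man page): action [not] idtype idrange [not] jailtype [jailidrange]; rules
split on ';' or newline, '_' may stand for ' ', first match wins, no match = deny.
Assumption of this example: jail id 0 denotes the main (unjailed) system."""
import re

def _parse_range(spec):
    """'4,5-9' -> [(4, 4), (5, 9)]; numeric IDs only, names are not valid."""
    return [(int(p.partition("-")[0]), int(p.partition("-")[2] or p)) for p in spec.split(",")]

def _in_range(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)

def _clause(tok, kinds):
    """Pop an optional '[not] <kind> [range]' clause from tok; None means 'any'."""
    neg = len(tok) > 1 and tok[0] == "not" and tok[1] in kinds
    if neg:
        tok.pop(0)
    if not tok or tok[0] not in kinds:
        return None
    kind = tok.pop(0)
    rng = None if kind == "nojail" else _parse_range(tok.pop(0))  # jail needs a range
    return (neg, kind, rng)

def parse_rules(text):
    """Parse a security.mac.settime.rules value into (action, idclause, jailclause)."""
    rules = []
    for raw in re.split(r"[;\n]", text.replace("_", " ")):
        tok = raw.split()
        if not tok:
            continue
        action = tok.pop(0)
        if action not in ("allow", "deny"):
            raise ValueError("bad action: " + action)
        idc, jailc = _clause(tok, ("uid", "gid")), _clause(tok, ("nojail", "jail"))
        rules.append((action, idc, jailc))
    return rules

def check(rules, uid, gid, jid=0):
    """Return 'allow' or 'deny' for a subject; first match wins, default deny."""
    for action, idc, jailc in rules:
        if idc is not None:
            neg, kind, rng = idc
            if _in_range(uid if kind == "uid" else gid, rng) == neg:
                continue  # subject clause did not match
        if jailc is not None:
            neg, kind, rng = jailc
            hit = (jid == 0) if kind == "nojail" else (jid != 0 and _in_range(jid, rng))
            if hit == neg:
                continue  # jail clause did not match
        return action
    return "deny"
```

Note that with the page's two-rule example, root on the main system is still denied: the first rule only covers uid 2000 and the second only applies inside jails 4 to 9.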
.Sh SEE ALSO
.Xr mac 3 ,
.Xr ip 4 ,
.Xr mac_biba 4 ,
.Xr mac_bsdextended 4 ,
.Xr mac_ifoff 4 ,
.Xr mac_mls 4 ,
.Xr mac_none 4 ,
.Xr mac_partition 4 ,
.Xr mac_seeotheruids 4 ,
.Xr mac_portacl 4 ,
.Xr mac_test 4 ,
.Xr mac 9
.Sh HISTORY
MAC first appeared in
.Fx 5.0