.\" Copyright 2005, Anatoli Klassen <anatoli@aksoft.net> |
.\" All rights reserved. |
.\" |
.\" Redistribution and use in source and binary forms, with or without |
.\" modification, are permitted provided that the following conditions |
.\" are met: |
.\" 1. Redistributions of source code must retain the above copyright |
.\" notice, this list of conditions and the following disclaimer. |
.\" 2. Redistributions in binary form must reproduce the above copyright |
.\" notice, this list of conditions and the following disclaimer in the |
.\" documentation and/or other materials provided with the distribution. |
.\" |
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND |
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE |
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
.\" SUCH DAMAGE. |
.\" |
.\" |
.Dd November 4, 2005
.Dt MAC_SETTIME 4
.Os
.Sh NAME
.Nm mac_settime
.Nd "set system time policy"
.Sh SYNOPSIS
To load the set system time policy module at boot time,
place the following line in your kernel configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Ed
.Pp
and place the following line in
.Xr loader.conf 5 :
.Pp
.Dl "mac_settime_load=""YES"""
.Pp
then compile the module and copy it to your kernel modules directory
(e.g. /boot/kernel or /boot/modules).
.Sh DESCRIPTION
The
.Nm
policy allows administrators to define who is allowed to set and adjust the system time.
.Pp
In order to use the
.Nm
policy, the
.Va kern.usersettime
and
.Va kern.useradjtime
.Xr sysctl 8
MIBs must be set to 1 to disable the kernel's built-in security check,
so that the decision is left to this policy.
.Pp
If the system time has to be changed from within a jail, the
.Va kern.jailsettime
and
.Va kern.jailadjtime
.Xr sysctl 8
MIBs must additionally be set to 1.
.Pp
The following
.Xr sysctl 8
MIBs are available for fine-tuning the enforcement of this MAC policy.
All
.Xr sysctl 8
variables, except
.Va security.mac.settime.rules ,
can also be set as
.Xr loader 8
tunables in
.Xr loader.conf 5 .
.Bl -tag -width indent
.It Va security.mac.settime.enabled
Enforce the
.Nm
policy.
(Default: 1).
.Pp
This MIB can also be set as a
.Xr loader 8
tunable in
.Xr loader.conf 5 .
.It Va security.mac.settime.rules
The set time access control list is specified as a list of rules separated by semicolons or newlines.
Rules are applied in the given order; the first match wins.
If no rule matches, setting the time is denied.
Each rule has the following format:
.Pp
.D1 Ar action Oo not Oc Ar idtype Ar idrange Oo not Oc Ar jailtype Ar jailidrange
.Pp
If a specification (id or jail) is omitted, it matches any subject or any jail.
The
.Li not
keyword negates the match.
An underscore can be used in place of a space.
.Bl -tag -width ".Ar action"
.It Ar action
Describes the result of the rule, either
.Li allow
or
.Li deny .
.It Ar idtype
Describes the type of subject match to be performed.
Either
.Li uid
for user ID matching, or
.Li gid
for group ID matching.
.It Ar idrange : Bro Ar id | id Ns \&- Ns Ar id Ns Brc Ns Op , Ns Ar idrange
The range of user or group IDs (depending on
.Ar idtype )
allowed to set the system time.
.Bf -emphasis
NOTE: User and group names are not valid; only the actual ID numbers
may be used.
.Ef
.It Ar jailtype
Describes the type of jail match to be performed.
Either
.Li nojail
for the main system, or
.Li jail
for a jail, in which case a jail ID range must be specified.
.It Ar jailidrange : Bro Ar jailid | jailid Ns \&- Ns Ar jailid Ns Brc Ns Op , Ns Ar jailidrange
The IDs of the jails allowed to set the system time.
.El
.Bf -emphasis
NOTE: MAC security policies may not override other security system policies
by allowing accesses that they may deny, such as
.Va kern.useradjtime / 
.Va kern.jailadjtime / 
.Va kern.usersettime / 
.Va kern.jailsettime .
.Ef
If the internal kernel security checks are not disabled, the
.Nm
policy will not function
(i.e., even the specified user/group/jail may not be able to set the system time).
.Sh EXAMPLES
To allow the user with ID 2000 to set the system time from the main system, set the
.Va security.mac.settime.rules
.Xr sysctl 8
MIB to:
.Pp
.Dl "allow uid 2000 nojail"
.Pp
To additionally allow root to set the time from several jails, set
.Va security.mac.settime.rules
to:
.Pp
.Dl "allow uid 2000 nojail"
.Dl "allow uid 0 jail 4,5-9"
.Pp
When the MIB is set from /etc/sysctl.conf, /etc/rc.d/sysctl does not allow spaces or newlines in the value, so
the last example can be written in another form, with underscores in place of spaces and semicolons between rules:
.Pp
.Dl "allow_uid_2000_nojail;allow_uid_0_jail_4,5-9"
.Pp
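The rule grammar above can be checked offline before a rules string is committed to sysctl.conf. The following is an added example, not the module's own code: a userland model of the security.mac.settime.rules grammar that parses a rules string (semicolon or newline separated, underscores as spaces) and evaluates it with first-match-wins and default deny, as this page describes. It assumes, for the model only, that jail ID 0 denotes the main system.

```python
# Added example, not the mac_settime module's own code: a userland model of the
# security.mac.settime.rules grammar for checking a rules string before it is loaded.
def _parse_range(spec):  # '4,5-9' -> [(4, 4), (5, 9)]; a user or group name raises ValueError
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(lo), int(hi) if hi else int(lo)))
    return out

def _in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)

def _take_not(tok):  # consume an optional leading 'not' keyword, report whether it was there
    return bool(tok and tok[0] == "not" and tok.pop(0))

def parse_rules(text):  # rules separated by ';' or newline, '_' equals space
    rules = []
    chunks = text.replace("_", " ").replace("\n", ";").split(";")
    for tok in filter(None, (raw.split() for raw in chunks)):
        action = tok.pop(0)
        if action not in ("allow", "deny"):
            raise ValueError("bad action: " + action)
        rule = {"action": action, "id": None, "jail": None}
        neg = _take_not(tok)
        if tok and tok[0] in ("uid", "gid"):                  # [not] idtype idrange
            rule["id"] = (neg, tok.pop(0), _parse_range(tok.pop(0)))
            neg = _take_not(tok)
        if tok:                                                # [not] jailtype [jailidrange]
            jailtype = tok.pop(0)
            if jailtype not in ("jail", "nojail"):
                raise ValueError("bad jailtype: " + jailtype)
            rule["jail"] = (neg, _parse_range(tok.pop(0)) if jailtype == "jail" else None)
        if tok or (neg and rule["jail"] is None):             # leftover tokens or dangling 'not'
            raise ValueError("malformed rule: " + " ".join([action] + tok))
        rules.append(rule)
    return rules

def settime_allowed(rules, uid, gid, jailid=0):
    """First match wins; no match denies. Model assumption: jail ID 0 is the main system."""
    for r in rules:
        if r["id"] is not None:
            neg, idtype, ranges = r["id"]
            if _in_ranges(uid if idtype == "uid" else gid, ranges) == neg:
                continue                                       # subject part did not match
        if r["jail"] is not None:
            neg, ranges = r["jail"]
            hit = (jailid == 0) if ranges is None else (jailid != 0 and _in_ranges(jailid, ranges))
            if hit == neg:
                continue                                       # jail part did not match
        return r["action"] == "allow"
    return False
```

Note that the model only covers the policy's own rule list; the kern.usersettime, kern.useradjtime, kern.jailsettime and kern.jailadjtime checks described above still apply in the kernel before this policy is consulted.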
.Sh SEE ALSO
.Xr mac 3 ,
.Xr ip 4 ,
.Xr mac_biba 4 ,
.Xr mac_bsdextended 4 ,
.Xr mac_ifoff 4 ,
.Xr mac_mls 4 ,
.Xr mac_none 4 ,
.Xr mac_partition 4 ,
.Xr mac_seeotheruids 4 ,
.Xr mac_portacl 4 ,
.Xr mac_test 4 ,
.Xr mac 9
.Sh HISTORY
MAC first appeared in
.Fx 5.0