share/man/man4/mac_read_dir.4
- This file was added.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause-FreeBSD
.\"
.\" Copyright (c) 2020 Kyle Evans <kevans@FreeBSD.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd May 16, 2020
.Dt MAC_READ_DIR 4
debdrup: Prematurely reminding you to bump .Dd because otherwise bcr will do it? | |||||
.Os
.Sh NAME
.Nm mac_read_dir
.Nd policy allowing read(2) of a directory fd
.Sh SYNOPSIS
yuripv: Typo: directory. Also quoting isn't really needed.
0mp: Typo
To compile the read_dir policy into your kernel, place the following lines
in your kernel configuration file:
0mp: `read_dir` should probably be stylized, right? I've quickly checked other manual pages like mac_none and it just uses .Nm, e.g.: To compile the .Nm policy
.Bd -ragged -offset indent
.Cd "options MAC"
.Cd "options MAC_READ_DIR"
.Ed
.Pp
Alternately, to load the read_dir policy module at boot time,
place the following line in your kernel configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Ed
.Pp
and in
.Xr loader.conf 5 :
.Bd -literal -offset indent
mac_read_dir_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
policy may grant users other than the system root the ability to use
.Xr read 2
on a directory fd.
Specifically, this policy may grant the
.Dv PRIV_VFS_READ_DIR
privilege based on the runtime configuration, assuming the
.Va security.bsd.allow_read_dir
sysctl MIB is set to a non-zero value.
.Ss Runtime Configuration
The following
.Xr sysctl 8
MIBs are available for fine-tuning this MAC policy.
All
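Review bot: the DESCRIPTION sentence ending "assuming the .Va security.bsd.allow_read_dir sysctl MIB is set to a non-zero value" leaves it unclear whether that sysctl is a hard prerequisite for the policy or merely an aside; spell out which it is (if both must be enabled, say so directly, e.g. "The policy has no effect unless security.bsd.allow_read_dir is also set to a non-zero value"), since an administrator needs to know whether loading this module alone changes who may read a directory fd. Also, "to load the read_dir policy module at boot time" has the same unstylized read_dir as the compile-in paragraph already flagged above; use .Nm there too.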
debdrup: Are they MIBs or OIDs? sysctl(3) mentions MIB but sysctl(9) mentions OID.
kevans: Kernel internals deal with OIDs (real identifiers), userland usually deals in terms of MIBs (names)
.Xr sysctl 8
variables can also be set as
.Xr loader 8
tunables in
.Xr loader.conf 5 .
.Bl -tag -width indent
.It Va security.mac.read_dir.enabled
Enable the
.Nm
policy.
(Default: 1).
.It Va security.mac.read_dir.all_users
Grant
.Dv PRIV_VFS_READ_DIR
to all users on the system.
This MIB includes the functionality of the later described
.Va security.mac.read_dir.jail_root
MIB.
.It Va security.mac.read_dir.jail_root
Grant
.Dv PRIV_VFS_READ_DIR
to root in a jail.
.El
.Sh SEE ALSO
.Xr mac 4
.Sh HISTORY
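Review bot: the tag list gives a default only for security.mac.read_dir.enabled ("(Default: 1)"); security.mac.read_dir.all_users and security.mac.read_dir.jail_root have none. Because enabled is on by default, the default of all_users decides whether merely loading the module grants PRIV_VFS_READ_DIR to every user, so both knobs should carry a "(Default: ...)" line in the same format. Minor: "the later described ... MIB" reads awkwardly; "the .Va security.mac.read_dir.jail_root MIB described below" is the usual phrasing, and SEE ALSO could list the pages cross-referenced in the body (read(2), sysctl(8), loader.conf(5)) alongside mac(4).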
0mp: mac(4) should probably reference this new manual page as well.
.Nm
first appeared in
yuripv: MAC history is documented in its man pages, not really needed here?
.Fx 13.0 .
.Sh AUTHORS
.An -nosplit
The
.Nm
yuripv: AUTHORS?
module was written by
.An Kyle Evans Aq Mt kevans@FreeBSD.org .