Changeset View
Changeset View
Standalone View
Standalone View
share/man/man4/mac_read_dir.4
- This file was added.
| .\" | |||||
| .\" SPDX-License-Identifier: BSD-2-Clause-FreeBSD | |||||
| .\" | |||||
| .\" Copyright (c) 2020 Kyle Evans <kevans@FreeBSD.org> | |||||
| .\" | |||||
| .\" Redistribution and use in source and binary forms, with or without | |||||
| .\" modification, are permitted provided that the following conditions | |||||
| .\" are met: | |||||
| .\" 1. Redistributions of source code must retain the above copyright | |||||
| .\" notice, this list of conditions and the following disclaimer. | |||||
| .\" 2. Redistributions in binary form must reproduce the above copyright | |||||
| .\" notice, this list of conditions and the following disclaimer in the | |||||
| .\" documentation and/or other materials provided with the distribution. | |||||
| .\" | |||||
| .\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND | |||||
| .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |||||
| .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |||||
| .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE | |||||
| .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |||||
| .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |||||
| .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||||
| .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |||||
| .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |||||
| .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |||||
| .\" SUCH DAMAGE. | |||||
| .\" | |||||
| .\" $FreeBSD$ | |||||
| .\" | |||||
| .Dd May 16, 2020 | |||||
| .Dt MAC_READ_DIR 4 | |||||
debdrup: Prematurely reminding you to bump .Dd because otherwise bcr will do it? | |||||
| .Os | |||||
| .Sh NAME | |||||
| .Nm mac_read_dir | |||||
| .Nd policy allowing read(2) of a directory fd | |||||
| .Sh SYNOPSIS | |||||
Done Inline ActionsTypo: directory. Also quoting isn't really needed. yuripv: Typo: directory. Also quoting isn't really needed. | |||||
Done Inline ActionsTypo 0mp: Typo | |||||
| To compile the read_dir policy into your kernel, place the following lines | |||||
| in your kernel configuration file: | |||||
Done Inline Actionsread_dir should probably be stylized, right? I've quickly checked other manual pages like mac_none and it just uses .Nm, e.g.: To compile the .Nm policy 0mp: `read_dir` should probably be stylized, right?
I've quickly checked other manual pages like… | |||||
| .Bd -ragged -offset indent | |||||
| .Cd "options MAC" | |||||
| .Cd "options MAC_READ_DIR" | |||||
| .Ed | |||||
| .Pp | |||||
| Alternately, to load the read_dir policy module at boot time, | |||||
| place the following line in your kernel configuration file: | |||||
| .Bd -ragged -offset indent | |||||
| .Cd "options MAC" | |||||
| .Ed | |||||
| .Pp | |||||
| and in | |||||
| .Xr loader.conf 5 : | |||||
| .Bd -literal -offset indent | |||||
| mac_read_dir_load="YES" | |||||
| .Ed | |||||
| .Sh DESCRIPTION | |||||
| The | |||||
| .Nm | |||||
| policy may grant users other than the system root the ability to use | |||||
| .Xr read 2 | |||||
| on a directory fd. | |||||
| Specifically, this policy may grant the | |||||
| .Dv PRIV_VFS_READ_DIR | |||||
| privilege based on the runtime configuration, assuming the | |||||
| .Va security.bsd.allow_read_dir | |||||
| sysctl MIB is set to a non-zero value. | |||||
| .Ss Runtime Configuration | |||||
| The following | |||||
| .Xr sysctl 8 | |||||
| MIBs are available for fine-tuning this MAC policy. | |||||
| All | |||||
Done Inline ActionsAre they MIBs or OIDs? sysctl(3) mentions MIB but sysctl(9) mentions OID. debdrup: Are they MIBs or OIDs?
sysctl(3) mentions MIB but sysctl(9) mentions OID. | |||||
Done Inline ActionsKernel internals deal with OIDs (real identifiers), userland usually deal in terms of MIBs (names) kevans: Kernel internals deal with OIDs (real identifiers), userland usually deal in terms of MIBs… | |||||
| .Xr sysctl 8 | |||||
| variables can also be set as | |||||
| .Xr loader 8 | |||||
| tunables in | |||||
| .Xr loader.conf 5 . | |||||
| .Bl -tag -width indent | |||||
| .It Va security.mac.read_dir.enabled | |||||
| Enable the | |||||
| .Nm | |||||
| policy. | |||||
| (Default: 1). | |||||
| .It Va security.mac.read_dir.all_users | |||||
| Grant | |||||
| .Dv PRIV_VFS_READ_DIR | |||||
| to all users on the system. | |||||
| This MIB includes the functionality of the later described | |||||
| .Va security.mac.read_dir.jail_root | |||||
| MIB. | |||||
| .It Va security.mac.read_dir.jail_root | |||||
| Grant | |||||
| .Dv PRIV_VFS_READ_DIR | |||||
| to root in a jail. | |||||
| .El | |||||
| .Sh SEE ALSO | |||||
| .Xr mac 4 | |||||
| .Sh HISTORY | |||||
Done Inline Actionsmac(4) should probably reference this new manual page as well. 0mp: mac(4) should probably reference this new manual page as well. | |||||
| .Nm | |||||
| first appeared in | |||||
Done Inline ActionsMAC history is documented in its man pages, not really needed here? yuripv: MAC history is documented in its man pages, not really needed here? | |||||
| .Fx 13.0 . | |||||
| .Sh AUTHORS | |||||
| .An -nosplit | |||||
| The | |||||
| .Nm | |||||
Done Inline ActionsAUTHORS? yuripv: AUTHORS? | |||||
| module was written by | |||||
| .An Kyle Evans Aq Mt kevans@FreeBSD.org . | |||||
Prematurely reminding you to bump .Dd because otherwise bcr will do it?