man/man9/secmodel_extensions.9

*4805589dSchristos.\" $NetBSD: secmodel_extensions.9,v 1.7 2022/03/27 16:36:11 christos Exp $
f3effc5eSjym.\"
f3effc5eSjym.\" Copyright (c) 2011 The NetBSD Foundation, Inc.
f3effc5eSjym.\" All rights reserved.
f3effc5eSjym.\"
f3effc5eSjym.\" This code is derived from software contributed to The NetBSD Foundation
f3effc5eSjym.\" by Jean-Yves Migeon <jym@NetBSD.org>
f3effc5eSjym.\"
f3effc5eSjym.\" Redistribution and use in source and binary forms, with or without
f3effc5eSjym.\" modification, are permitted provided that the following conditions
f3effc5eSjym.\" are met:
f3effc5eSjym.\" 1. Redistributions of source code must retain the above copyright
f3effc5eSjym.\"    notice, this list of conditions and the following disclaimer.
f3effc5eSjym.\" 2. Redistributions in binary form must reproduce the above copyright
f3effc5eSjym.\"    notice, this list of conditions and the following disclaimer in the
f3effc5eSjym.\"    documentation and/or other materials provided with the distribution.
f3effc5eSjym.\"
f3effc5eSjym.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
f3effc5eSjym.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
f3effc5eSjym.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
f3effc5eSjym.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
f3effc5eSjym.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
f3effc5eSjym.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
f3effc5eSjym.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
f3effc5eSjym.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
f3effc5eSjym.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
f3effc5eSjym.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
f3effc5eSjym.\" POSSIBILITY OF SUCH DAMAGE.
f3effc5eSjym.\"
*4805589dSchristos.Dd March 27, 2022
f3effc5eSjym.Dt SECMODEL_EXTENSIONS 9
f3effc5eSjym.Os
f3effc5eSjym.Sh NAME
f3effc5eSjym.Nm secmodel_extensions
25e68552Sabs.Nd extensions security model
f3effc5eSjym.Sh DESCRIPTION
f3effc5eSjym.Nm
f3effc5eSjymimplements extensions to the traditional security model based on
f3effc5eSjymthe original
f3effc5eSjym.Bx 4.4 .
f3effc5eSjymThey can be used to grant additional privileges to ordinary users, or
f3effc5eSjymenable specific security measures like curtain mode.
f3effc5eSjym.Pp
f3effc5eSjymThe extensions are described below.
f3effc5eSjym.Sh Curtain mode
f3effc5eSjymWhen enabled, all returned objects will be filtered according to
f3effc5eSjymthe user-id requesting information about them, preventing users from
f3effc5eSjymaccessing objects they do not own.
f3effc5eSjym.Pp
f3effc5eSjymIt affects the output of many commands, including
f3effc5eSjym.Xr fstat 1 ,
f3effc5eSjym.Xr netstat 1 ,
f3effc5eSjym.Xr ps 1 ,
f3effc5eSjym.Xr sockstat 1 ,
f3effc5eSjymand
f3effc5eSjym.Xr w 1 .
f3effc5eSjym.Pp
f3effc5eSjymThis extension is enabled by setting
f3effc5eSjym.Pa security.models.extensions.curtain
f3effc5eSjymor
f3effc5eSjym.Pa security.curtain
f3effc5eSjym.Xr sysctl 7
f3effc5eSjymto a non-zero value.
f3effc5eSjym.Pp
f3effc5eSjymIt can be enabled at any time, but cannot be disabled
f3effc5eSjymanymore when the
f3effc5eSjym.Em securelevel
f3effc5eSjymof the system is above 0.
f3effc5eSjym.Sh Non-superuser mounts
f3effc5eSjymWhen enabled, it allows file-systems to be mounted by an ordinary user
f3effc5eSjymwho owns the point
f3effc5eSjym.Ar node
f3effc5eSjymand has at least read access to the
f3effc5eSjym.Ar special
f3effc5eSjymdevice
f3effc5eSjym.Xr mount 8
f3effc5eSjymarguments.
f3effc5eSjymNote that the
f3effc5eSjym.Cm nosuid
f3effc5eSjymand
f3effc5eSjym.Cm nodev
f3effc5eSjymflags must be given for non-superuser mounts.
f3effc5eSjym.Pp
f3effc5eSjymThis extension is enabled by setting
f3effc5eSjym.Pa security.models.extensions.usermount
f3effc5eSjymor
f3effc5eSjym.Pa vfs.generic.usermount
f3effc5eSjym.Xr sysctl 7
f3effc5eSjymto a non-zero value.
f3effc5eSjym.Pp
f3effc5eSjymIt can be disabled at any time, but cannot be enabled
f3effc5eSjymanymore when the
f3effc5eSjym.Em securelevel
f3effc5eSjymof the system is above 0.
f3effc5eSjym.Sh Non-superuser control of CPU sets
f3effc5eSjymWhen enabled, an ordinary user is allowed to control the CPU
f3effc5eSjym.Xr affinity 3
288b76eaSniaof the processes and threads they own.
f3effc5eSjym.Pp
f3effc5eSjymThis extension is enabled by setting
f3effc5eSjym.Pa security.models.extensions.user_set_cpu_affinity
f3effc5eSjym.Xr sysctl 7
f3effc5eSjymto a non-zero value.
f3effc5eSjym.Pp
f3effc5eSjymIt can be disabled at any time, but cannot be enabled
f3effc5eSjymanymore when the
f3effc5eSjym.Em securelevel
f3effc5eSjymof the system is above 0.
*4805589dSchristos.Sh Hardlink restrictions
*4805589dSchristosPrevent hardlinks to files that the user does not own or has group access
*4805589dSchristosto.
*4805589dSchristos.Pp
*4805589dSchristosTo enable user ownership checks, set the
*4805589dSchristos.Xr sysctl 7
*4805589dSchristosvariable
*4805589dSchristos.Pa security.models.extensions.hardlink_check_uid
*4805589dSchristosto a non-zero value.
*4805589dSchristos.Pp
*4805589dSchristosTo enable group membership checks, set the
*4805589dSchristos.Xr sysctl 7
*4805589dSchristosvariable
*4805589dSchristos.Pa security.models.extensions.hardlink_check_gid
*4805589dSchristosto a non-zero value.
*4805589dSchristos.Pp
*4805589dSchristosThese variables can be enabled anytime, but cannot be disabled
*4805589dSchristosanymore when the
*4805589dSchristos.Em securelevel
*4805589dSchristosof the system is above 0.
f3effc5eSjym.Sh SEE ALSO
f3effc5eSjym.Xr affinity 3 ,
f3effc5eSjym.Xr sched 3 ,
f3effc5eSjym.Xr sysctl 7 ,
f3effc5eSjym.Xr kauth 9 ,
f3effc5eSjym.Xr secmodel 9 ,
f3effc5eSjym.Xr secmodel_bsd44 9 ,
f3effc5eSjym.Xr secmodel_securelevel 9 ,
f3effc5eSjym.Xr secmodel_suser 9
f3effc5eSjym.Sh AUTHORS
a5684d07Swiz.An Elad Efrat Aq Mt elad@NetBSD.org