Mandatory access control
==In operating systems==

=== Microsoft ===
{{Main|Mandatory Integrity Control|User Interface Privilege Isolation}}
Starting with [[Windows Vista]] and [[Windows Server 2008|Server 2008]], Microsoft has incorporated [[Mandatory Integrity Control]] (MIC) in the Windows operating system, which adds ''integrity levels'' (IL) to running processes. The goal is to restrict the access of less trustworthy processes to sensitive information. MIC defines five integrity levels: low, medium, high, system, and trusted installer.<ref name="symantec">{{cite web | url = http://www.symantec.com/enterprise/security_response/weblog/2006/08/windows_vista_windows_security.html | title = Analysis of the Windows Vista Security Model | author = Matthew Conover | publisher = [[Symantec Corporation]] | accessdate = 2007-10-08 | url-status = dead | archiveurl = https://web.archive.org/web/20080325024250/http://www.symantec.com/enterprise/security_response/weblog/2006/08/windows_vista_windows_security.html | archivedate = 2008-03-25 }}</ref> By default, processes start at medium IL. [[User Account Control|Elevated]] processes receive high IL.<ref name="steve">{{cite web | url = http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx | title = Mandatory Integrity Control in Windows Vista | author = Steve Riley | accessdate = 2007-10-08}}</ref> Child processes, by default, inherit their parent's integrity level, although the parent process can launch them with a lower IL. For example, [[Internet Explorer 7]] launches its subprocesses with low IL. Windows controls access to [[Object Manager (Windows)|objects]] based on ILs. Named [[Object Manager (Windows)|objects]], including [[Computer file|files]], [[Windows Registry|registry]] keys, and other [[Process (computing)|processes]] and [[Thread (computer science)|threads]], have an entry in their [[access-control list|ACL]] indicating the minimum IL of the process that can use the object.

MIC enforces that a process can write to or delete an object only when its IL is equal to or higher than the object's IL. Furthermore, to prevent access to sensitive data in memory, [[User Interface Privilege Isolation|processes cannot open processes with a higher IL for read access]].<ref name="mark">{{cite web | url = http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx | title = PsExec, User Account Control and Security Boundaries | accessdate = 2007-10-08 | author = Mark Russinovich| author-link = Mark Russinovich }}</ref>

=== Apple ===
[[Apple Inc.]] has incorporated an implementation of the [[TrustedBSD]] framework in its [[iOS]] and [[macOS]] operating systems.<ref name="TrustedBSD">{{cite web | url = http://www.trustedbsd.org/mac.html | title = TrustedBSD Mandatory Access Control (MAC) Framework | author = TrustedBSD Project | accessdate = 2008-03-15}}</ref> (The "mac" in "macOS" is short for "[[Macintosh]]" and is unrelated to the abbreviation for mandatory access control.) The <code>sandbox_init</code> function provides a limited high-level sandboxing interface.<ref name="Ref_2007">{{cite web |date=2007-07-07 |title=sandbox_init(3) man page |url=https://developer.apple.com/DOCUMENTATION/Darwin/Reference/ManPages/man3/sandbox_init.3.html |accessdate=2008-03-15 |archive-date=2008-07-25 |archive-url=https://web.archive.org/web/20080725072208/http://developer.apple.com/documentation/Darwin/Reference/ManPages/man3/sandbox_init.3.html |url-status=dead }}</ref>

=== Google ===
Version 5.0 and later of the [[Android_(operating_system)|Android]] operating system, developed by [[Google]], use [[SELinux]] to enforce a MAC security model on top of the original UID-based DAC approach.<ref name="android">{{cite web |title=Security-Enhanced Linux in Android |url=https://source.android.com/docs/security/features/selinux |url-status=live |archive-url=https://web.archive.org/web/20230619124704/https://source.android.com/docs/security/features/selinux |archive-date=19 June 2023 |access-date=25 June 2023 |publisher=Android Open Source Project}}</ref>

=== Linux family ===
[[Linux]] and many other [[Unix]] distributions have MAC for CPU (multi-ring), disk, and memory. While OS software may not manage privileges well, Linux became famous during the 1990s as being more secure and far more stable than non-Unix alternatives.{{Citation needed|date=May 2024}}

The three main Linux Security Modules implementing MAC are [[SELinux]], [[AppArmor]], and [[TOMOYO Linux]].<ref name="lsm">{{cite web | url = https://linuxsecurity.com/news/security-projects/linux-security-modules-lsm-selinux-vs-apparmor-vs-tomoyo | title = Linux Security Modules Overview: SELinux, AppArmor, and TOMOYO Comparison | date = 2024-09-24 | access-date = 2025-05-05}}</ref>

[[SELinux|Security-Enhanced Linux (SELinux)]] was originally developed by the [[NSA]] and released to the open-source community in 2000.<ref>{{cite web | url = https://www.nsa.gov/news-features/press-room/press-releases/2001/se-linux.shtml | archive-url = https://web.archive.org/web/20180918025937/https://www.nsa.gov/news-features/press-room/press-releases/2001/se-linux.shtml | archive-date = 2018-09-18 | title = National Security Agency Shares Security Enhancements to Linux | date = 2001-01-02 | work = NSA Press Release | publisher = National Security Agency Central Security Service | location = Fort George G. Meade, Maryland | access-date = 2025-05-05}}</ref> It is one of the first MAC implementations for Linux and is also one of the most popular.<ref>{{cite web | url = https://github.blog/developer-skills/programming-languages-and-frameworks/introduction-to-selinux/ | title = Introduction to SELinux | date = 2023-07-05 | access-date = 2025-05-05}}</ref> It has been incorporated into Linux kernels since v2.4, and is enabled by default on Android 5.0+ and Red Hat/Fedora. SELinux provides powerful fine-grained control, which makes it suitable for high-security environments, but many users find that its power and granularity come with a high degree of complexity and a steep learning curve.<ref name="lsm" />

[[TOMOYO Linux]] is a lightweight MAC implementation for [[Linux]] and [[Embedded Linux]], developed by [[NTT Data Corporation]]. It was merged into the mainline Linux kernel in version 2.6.30 in June 2009.<ref name="Ref_b">{{cite web | title=TOMOYO Linux, an alternative Mandatory Access Control | publisher=Linux Kernel Newbies | work=Linux 2 6 30 | url=http://kernelnewbies.org/Linux_2_6_30#head-eeb259e0ba81d96d59015b8f79456d9a5283c650}}</ref> Unlike the ''label-based'' approach used by [[SELinux]], TOMOYO Linux performs ''pathname-based'' mandatory access control, separating security domains according to process invocation history, which describes the system's behavior. Policies are described in terms of pathnames. A security domain is simply defined by a process call chain and is represented by a string. There are four modes: disabled, ''learning'', permissive, and enforcing. Administrators can assign different modes to different domains. TOMOYO Linux introduced the "learning" mode, in which the accesses that occur in the kernel are automatically analyzed and stored to generate a MAC policy; this mode can serve as the first step of policy writing, making the policy easy to customize later.

[[AppArmor]] is a MAC implementation that uses the [[Linux Security Modules]] (LSM) interface of Linux 2.6 and is incorporated into [[SUSE Linux]] and [[Ubuntu (operating system)|Ubuntu]] 7.10. LSM provides a kernel [[application programming interface|API]] that allows modules of kernel code to govern ACLs (DAC ACLs, access-control lists). AppArmor cannot restrict all programs and has been optionally available in the Linux kernel since version 2.6.36.<ref name="Ref_c">{{cite web | title=Linux 2.6.36 released 20 October 2010 | publisher=Linux Kernel Newbies | work=Linux 2.6.36 | url=http://kernelnewbies.org/Linux_2_6_36}}</ref>

Amon Ott's [[RSBAC]] (Rule Set Based Access Control) provides a framework for Linux kernels that allows several different security policy/decision modules. One of the models implemented is the mandatory access control model. A general goal of the RSBAC design was to reach the (obsolete) Orange Book (TCSEC) B1 level. The mandatory access control model used in RSBAC is mostly the same as in Unix System V/MLS, Version 1.2.1 (developed in 1989 by the National Computer Security Center of the USA, with classification B1/TCSEC). RSBAC requires a set of patches to the stock kernel, which are maintained quite well by the [[project owner]].

[[Smack (software)|Smack]] (Simplified Mandatory Access Control Kernel) is a [[Linux kernel]] [[Linux Security Modules|security module]] that protects data and process interaction from malicious manipulation using a set of custom mandatory access control rules, with simplicity as its main design goal.<ref name="Major">{{cite web|url=http://schaufler-ca.com/description_from_the_linux_source_tree |title=Official SMACK documentation from the Linux source tree |archiveurl=https://web.archive.org/web/20130501010740/http://schaufler-ca.com/description_from_the_linux_source_tree |archivedate=2013-05-01 |url-status=dead }}</ref> It has been officially merged since the Linux 2.6.25 release.<ref name="Merge">{{cite web|url=https://lwn.net/Articles/267849/ |title=More stuff for 2.6.25 |author=Jonathan Corbet |archiveurl=https://web.archive.org/web/20121102083054/http://lwn.net/Articles/267849/ |archivedate=2012-11-02 |url-status=dead }}</ref>

<code>grsecurity</code> is a patch for the Linux kernel providing a MAC implementation (more precisely, an [[RBAC]] implementation). <code>grsecurity</code> is not implemented via the [[Linux Security Modules|LSM]] API.<ref name="Ref_d">{{cite web | title=Why doesn't grsecurity use LSM? | url=http://grsecurity.net/lsm.php}}</ref>

[[Astra Linux]], an OS developed for the [[Russian Army]], has its own mandatory access control.<ref>{{in lang|ru}} [http://astra-linux.com/klyuchevye-osobennosti.html Ключевые особенности Astra Linux Special Edition по реализации требований безопасности информации] (Key features of Astra Linux Special Edition in implementing information security requirements) {{Webarchive|url=https://web.archive.org/web/20140716115137/http://astra-linux.com/klyuchevye-osobennosti.html |date=2014-07-16 }}</ref>

=== Other OSes ===
[[FreeBSD]] supports ''mandatory access control'', implemented as part of the TrustedBSD project. It was introduced in FreeBSD 5.0. Since FreeBSD 7.2, MAC support has been enabled by default. The framework is extensible; various MAC modules implement policies such as [[Biba Integrity Model|Biba]] and [[multilevel security]].

Sun's [[Trusted Solaris]] uses a mandatory and system-enforced access control mechanism (MAC), in which clearances and labels are used to enforce a security policy. Note, however, that the capability to manage labels does not imply the kernel strength to operate in [[multilevel security]] mode{{Citation needed|date=November 2009}}. Access to the labels and control mechanisms is not{{Citation needed|date=November 2009}} robustly protected from corruption in a protected domain maintained by a kernel. The applications a user runs are combined with the security label at which the user works in the session. Access to information, programs and devices is only weakly controlled{{Citation needed|date=November 2009}}.
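The integrity-level rules of the Microsoft section above (five ordered levels, inheritance on launch, no write-up to objects, no read-up on processes) as a small Python model. This is an added illustration, not Windows code; the process names, file paths and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Integrity levels named in the article, ordered from least to most trusted.
LEVELS = ("low", "medium", "high", "system", "trusted installer")
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass(frozen=True)
class Process:
    name: str
    il: str  # integrity level of the running process

@dataclass(frozen=True)
class SecurableObject:
    name: str
    il: str  # minimum IL recorded in the object's ACL (its mandatory label)

def can_write_or_delete(proc: Process, obj: SecurableObject) -> bool:
    """No-write-up: allowed only when the process IL is at least the object's IL."""
    return RANK[proc.il] >= RANK[obj.il]

def can_open_for_read(opener: Process, target: Process) -> bool:
    """No-read-up on process handles: a higher-IL process cannot be opened for read."""
    return RANK[opener.il] >= RANK[target.il]

def launch_child(parent: Process, name: str, il: Optional[str] = None) -> Process:
    """Children inherit the parent's IL; the parent may lower it but not raise it
    (UAC elevation, which yields high IL, is a separate path not modelled here)."""
    if il is None:
        return Process(name, parent.il)
    if RANK[il] > RANK[parent.il]:
        raise PermissionError(f"{parent.name} cannot launch {name} at {il} IL")
    return Process(name, il)

def ie7_scenario() -> dict:
    """Constructed scenario: a medium-IL browser launches a low-IL tab, as IE7 does."""
    browser = launch_child(Process("explorer.exe", "medium"), "iexplore.exe")
    tab = launch_child(browser, "iexplore.exe (tab)", "low")
    profile_file = SecurableObject(r"C:\Users\alice\Documents\notes.txt", "medium")
    low_cache = SecurableObject(r"C:\Users\alice\AppData\LocalLow\cache.html", "low")
    return {
        "tab_il": tab.il,
        "tab writes profile file": can_write_or_delete(tab, profile_file),  # False
        "tab writes low cache": can_write_or_delete(tab, low_cache),  # True
        "tab opens browser for read": can_open_for_read(tab, browser),  # False
        "browser opens tab for read": can_open_for_read(browser, tab),  # True
    }
```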
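The TOMOYO Linux domain and mode scheme described above, modelled in Python: domains are call-chain strings, rules are pathnames, and learning mode turns observed accesses into policy that enforcing mode then checks. This is an added illustration, not TOMOYO code; the class name, the "file read /path" rule wording and the sample paths are assumptions of the example.

```python
from collections import defaultdict

MODES = ("disabled", "learning", "permissive", "enforcing")

class TomoyoLikePolicy:
    """Pathname-based MAC keyed by process invocation history (constructed model)."""
    def __init__(self):
        self.rules = defaultdict(set)  # domain string -> {(operation, pathname)}
        self.modes = {}                # domain string -> one of MODES
        self.audit = []                # unlisted accesses: (domain, op, path, verdict)

    @staticmethod
    def domain_after_exec(parent_domain: str, program: str) -> str:
        # A domain is the call chain as a string, e.g. "<kernel> /usr/sbin/sshd /bin/bash".
        return f"{parent_domain} {program}"

    def set_mode(self, domain: str, mode: str) -> None:
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.modes[domain] = mode

    def check(self, domain: str, operation: str, pathname: str) -> str:
        """Decide one access from a domain; returns 'allow' or 'deny'."""
        mode = self.modes.get(domain, "disabled")
        listed = (operation, pathname) in self.rules[domain]
        # Only enforcing mode blocks; disabled, learning and permissive always allow.
        verdict = "deny" if mode == "enforcing" and not listed else "allow"
        if mode == "learning" and not listed:
            self.rules[domain].add((operation, pathname))  # observed access becomes policy
        if mode != "disabled" and not listed:
            self.audit.append((domain, operation, pathname, verdict))
        return verdict

    def dump(self, domain: str) -> str:
        """Render a domain's rules, one 'operation pathname' line each."""
        body = sorted(f"{op} {path}" for op, path in self.rules[domain])
        return "\n".join([domain, *body])

def learn_then_enforce() -> dict:
    """Constructed walkthrough: learn a shell's accesses, then enforce them."""
    p = TomoyoLikePolicy()
    shell = p.domain_after_exec("<kernel> /usr/sbin/sshd", "/bin/bash")
    p.set_mode(shell, "learning")
    for op, path in [("file read", "/etc/profile"), ("file execute", "/bin/ls")]:
        p.check(shell, op, path)
    p.set_mode(shell, "enforcing")
    return {"domain": shell, "rules": p.dump(shell),
            "seen access": p.check(shell, "file read", "/etc/profile"),
            "unseen access": p.check(shell, "file write", "/etc/shadow")}
```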