Module name: mac_partition.ko
Kernel configuration line: options MAC_PARTITION
Boot option: mac_partition_load="YES"
The mac_partition(4) policy will drop processes into specific “partitions” based on their MAC label. Think of it as a special type of jail(8), though that is hardly a worthy comparison.
This is one module that should be added to the loader.conf(5) file so that it loads and enables the policy during the boot process.
Most configuration for this policy is done using the setpmac(8) utility, which will be explained below. The following sysctl tunable is available for this policy:
When this policy is enabled, users are only permitted to see their own processes and any others within their partition, and are not permitted to run utilities outside the scope of that partition. For instance, a user in the insecure class above is not permitted to run the top command, nor many other commands that must spawn a process.
To set or drop utilities into a partition label, use the setpmac utility:
# setpmac partition/13 top
This will add the top command to the label set on users in the insecure class. Note that all processes spawned by users in the insecure class will stay in the partition/13 label.
The following command will show you the partition label and the process list:
# ps Zax
This next command will allow the viewing of another user's process partition label and that user's currently running processes:
# ps -ZU trhodes
A really crafty implementation could have all of the services disabled in /etc/rc.conf and started by a script that starts them with the proper labeling set.
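As an added example (not from the Handbook), the following sh script audits a ps(1) listing for processes owned by a user that do not carry the partition label expected for that user's class. The listing is a constructed sample, and the LABEL USER PID COMMAND column layout assumes a listing produced with ps -ax -o label,user,pid,command.

```sh
#!/bin/sh
# Audit which processes carry a mac_partition(4) label. Uses a constructed
# ps(1) listing so it runs offline; on a live host replace SAMPLE_PS with
# the output of:  ps -ax -o label,user,pid,command   (column layout assumed)

# Constructed sample. The LABEL column may carry several MAC policy elements
# separated by commas (for example biba/high,partition/13); "-" means no label.
SAMPLE_PS='LABEL USER PID COMMAND
- root 1 /sbin/init
partition/13 trhodes 812 top
biba/high,partition/13 trhodes 815 -csh
partition/7 jdoe 901 /usr/local/sbin/httpd
- trhodes 950 /usr/bin/vi notes.txt'

# Print the partition number found in a label string (e.g. "13" for
# "biba/high,partition/13"), or "none" when the label has no partition element.
partition_of() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F/ '
        $1 == "partition" { print $2; found = 1 }
        END { if (!found) print "none" }'
}

# Print the PIDs of processes in listing $1 owned by user $2 whose label does
# not place them in partition $3. Any PID printed is a process running outside
# the partition set on that user's class and should be investigated.
unlabeled_pids() {
    listing=$1; user=$2; want=$3
    printf '%s\n' "$listing" | awk -v u="$user" 'NR > 1 && $2 == u { print $1, $3 }' |
    while read -r label pid; do
        [ "$(partition_of "$label")" = "$want" ] || printf '%s\n' "$pid"
    done
}

# Example run: trhodes is expected to live in partition/13.
unlabeled_pids "$SAMPLE_PS" trhodes 13
```

Only PID 950 is reported, because its label lacks a partition element while the other trhodes processes carry partition/13.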
Note: The following policies support integer settings in place of the three default labels offered. These options, including their limitations, are further explained in the module manual pages.