Module name: mac_seeotheruids.ko
Kernel configuration line: options MAC_SEEOTHERUIDS
Boot option: mac_seeotheruids_load="YES"
The mac_seeotheruids(4) module mimics and extends the security.bsd.see_other_uids and security.bsd.see_other_gids sysctl tunables. This option does not require any labels to be set before configuration and can operate transparently with the other modules.
After loading the module, the following sysctl tunables may be used to control the features:
- security.mac.seeotheruids.enabled will enable the module's features and use the default settings. These default settings will deny users the ability to view processes and sockets owned by other users.
- security.mac.seeotheruids.specificgid_enabled will allow a certain group to be exempt from this policy. To exempt specific groups from this policy, use the security.mac.seeotheruids.specificgid=XXX sysctl tunable. In the above example, the XXX should be replaced with the numeric group ID to be exempted.
- security.mac.seeotheruids.primarygroup_enabled is used to exempt specific primary groups from this policy. When using this tunable, the security.mac.seeotheruids.specificgid_enabled may not be set.
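
The rules above can be checked mechanically before a configuration is deployed. The following shell function is an added example, not part of the original text: it lints sysctl.conf-style lines for this policy. The function name audit_seeotheruids, the sample settings and the GID 1001 are constructed for illustration.

```shell
#!/bin/sh
# Reads "name=value" lines (sysctl.conf style) on stdin and checks the
# security.mac.seeotheruids.* settings against the rules described above.
# Prints one finding per problem; returns 0 only if no problem was found.
audit_seeotheruids() {
    awk -F= '
        /^[ \t]*#/ { next }                      # skip comment lines
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 ~ /^security\.mac\.seeotheruids\./ {
            sub(/^security\.mac\.seeotheruids\./, "", $1)
            v[$1] = $2                           # keep the last value seen
        }
        END {
            rc = 0
            # Without enabled=1 the policy restricts nothing.
            if (v["enabled"] != "1") {
                print "enabled is not set to 1: policy inactive"; rc = 1
            }
            # The text above states these two may not be combined.
            if (v["specificgid_enabled"] == "1" && v["primarygroup_enabled"] == "1") {
                print "specificgid_enabled and primarygroup_enabled are both set"; rc = 1
            }
            # An exemption needs an explicit numeric group ID.
            if (v["specificgid_enabled"] == "1" && v["specificgid"] !~ /^[0-9]+$/) {
                print "specificgid_enabled is set without a numeric specificgid"; rc = 1
            }
            exit rc
        }'
}

# Constructed sample input; 1001 is a placeholder group ID.
sample='# exempt one admin group from the policy
security.mac.seeotheruids.enabled=1
security.mac.seeotheruids.specificgid_enabled=1
security.mac.seeotheruids.specificgid=1001
security.mac.seeotheruids.primarygroup_enabled=1'

printf '%s\n' "$sample" | audit_seeotheruids || echo "review the settings listed above"
```

On a live system the same function can be fed the output of `sysctl security.mac.seeotheruids` after converting `: ` separators to `=`.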