LOMAC — Low-Watermark Mandatory Access Control security facility
The LOMAC module provides a drop-in security mechanism in addition to the traditional POSIX UID-based security facilities, requiring no additional configuration from the administrator. LOMAC aims to be two things: non-intrusive, so that a system running LOMAC does not feel greatly different from one without it and requires little modification to initialize; and comprehensive enough that the majority of attacks that attempt to compromise a system should fail.
To this end, each process on the system is given a label of several attributes, including a "high" or "low" integrity level, and these integrity labels are managed by a mechanism cognizant of IPC (signals, debugging, sockets, pipes), path-based file system labels, virtual memory objects, and privileged system calls. A process (or set of vmspace-sharing processes) initially inherits the integrity level of its parent, which, at the point LOMAC is started with kldload(8), is high. If it reads lower-integrity data through one of the controlled mechanisms, its integrity level is lowered accordingly, and its access to modify higher-integrity data is revoked.
LOMAC on FreeBSD, as currently implemented, should properly respect all aspects of any chroot(8) or jail(8) operation performed after it has been initialized. Pre-existing jail or chroot environments may not necessarily work completely. LOMAC's file system layer should correctly respect the caching behavior of any of the system's file systems, and so should work for any "normal" or "synthetic" file system. Once loaded, another root mount(8) will exist on the system and appear as type "lomacfs".
See /sys/security/lomac/policy_plm.h for specific information on exactly how LOMAC has been compiled to control access to the file system.
Some programs, for example syslogd(8), may need to be restarted after LOMAC is initialized for them to continue proper operation. This version of LOMAC has not had widespread testing, so some common programs have probably not been tested and could have issues that need to be worked around or fixed.
LOMAC was initially implemented for Linux systems over the past several years. Since then, this implementation was created via funding from the United States DARPA. See the copyright for details.
LOMAC has not gone through widespread testing yet, so many problems may still exist. There is still one unfixed panic which is reproducible under load (vrele(9) being called too many times). The operation of mount(2) and unmount(2) may not work properly or at all once LOMAC has been loaded. After being loaded, the system must be restarted to revert to a state without LOMAC.
BSD November 20, 2001 BSD