simple policy controlling whether users see other users
To compile the policy into your kernel, place the following lines in your kernel
Alternately, to load the module at boot time, place the following
line in your kernel configuration file:
mac_seeotheruids policy module, when enabled, denies
users to see processes or sockets owned by other users.
mac_seeotheruids, set the sysctl
OID security.mac.seeotheruids.enabled to 1. To permit
superuser awareness of other credentials by virtue of privilege, set the
sysctl OID security.mac.seeotheruids.suser_privileged
To allow users to see processes and sockets owned by the same
primary group, set the sysctl OID
To allow processes with a specific group ID to be exempt from the
policy, set the sysctl OID
security.mac.seeotheruids.specificgid_enabled to 1,
and security.mac.seeotheruids.specificgid to the group
ID to be exempted.
No labels are defined for
mac_seeotheruids policy module first appeared in
FreeBSD 5.0 and was developed by the TrustedBSD
This software was contributed to the FreeBSD Project by
Network Associates Labs, the Security Research Division of Network Associates
Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as
part of the DARPA CHATS research program.
While the MAC Framework design is intended to support the containment of the
root user, not all attack channels are currently protected by entry point
checks. As such, MAC Framework policies should not be relied on, in isolation,
to protect against a malicious privileged user.