Module name: mac_partition.ko
Kernel configuration line: options MAC_PARTITION
Boot option: mac_partition_load="YES"
The mac_partition(4) policy will drop processes into specific “partitions” based on their MAC label. Think of it as a special type of jail(8), though that is hardly a worthy comparison.
This is one module that should be added to the loader.conf(5) file so that it loads and enables the policy during the boot process.
Most configuration for this policy is done using the setpmac(8) utility which will be explained below. The following sysctl tunable is available for this policy:
security.mac.partition.enabled will enable the enforcement of MAC process partitions.
When this policy is enabled, users will only be permitted to see their processes, and any others within their partition, but will not be permitted to work with utilities outside the scope of this partition. For instance, a user in the insecure class above will not be permitted to access the top command as well as many other commands that must spawn a process.
To set or drop utilities into a partition label, use the setpmac utility:
# setpmac partition/13 top
This will add the top command to the label set on users in the insecure class. Note that all processes spawned by users in the insecure class will stay in the partition/13 label.
The following command will show you the partition label and the process list:
# ps Zax
This next command will allow the viewing of another user's process partition label and that user's currently running processes:
# ps -ZU trhodes
Note: Users can see processes in root's label unless the mac_seeotheruids(4) policy is loaded.
A really crafty implementation could have all of the services disabled in /etc/rc.conf and started by a script that starts them with the proper labeling set.
Note: The following policies support integer settings in place of the three default labels offered. These options, including their limitations, are further explained in the module manual pages.