Module name: mac_partition.ko
Kernel configuration line: options MAC_PARTITION
Boot option: mac_partition_load="YES"
The mac_partition(4) policy will drop processes into specific “partitions” based on their MAC label. This module should be added to loader.conf(5) so that it loads and enables the policy at system boot.
Most configuration for this policy is done using setpmac(8). One sysctl tunable is available for this policy:
security.mac.partition.enabled enables the
enforcement of MAC process
When this policy is enabled, users will only be permitted to see their processes, and any others within their partition, but will not be permitted to work with utilities outside the scope of this partition. For instance, a user in the insecure class will not be permitted to access top as well as many other commands that must spawn a process.
To set or drop utilities into a partition label, use the setpmac utility:
# setpmac partition/13 top
This example adds top to the label set on users in the insecure class. All processes spawned by users in the insecure class will stay in the partition/13 label.
The following command will display the partition label and the process list:
# ps Zax
This command will display another user's process partition label and that user's currently running processes:
# ps -ZU trhodes
Note: Users can see processes in root's label unless the mac_seeotheruids(4) policy is loaded.
A really crafty implementation could have all of the services disabled in /etc/rc.conf and started by a script that starts them with the proper labeling set.
Note: The following policies support integer settings in place of the three default labels offered. These options, including their limitations, are further explained in the module manual pages.