Mandatory Access Control

In computer security, mandatory access control (MAC) refers to a type of access control by which a secured environment (e.g., an operating system or a database) constrains the ability of a ''subject'' or ''initiator'' to access or modify an ''object'' or ''target''. In the case of operating systems, the subject is a process or thread, while objects are files, directories, TCP/UDP ports, shared memory segments, or I/O devices. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, the operating system kernel examines these security attributes, examines the authorization rules (aka ''policy'') in place, and decides whether to grant access. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

In mandatory access control, the security policy is centrally controlled by a policy administrator and is guaranteed (in principle) to be enforced for all users. Users cannot override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users to make policy decisions or assign security attributes.

Historically and traditionally, MAC has been closely associated with multilevel security (MLS) and specialized military systems. In this context, MAC implies a high degree of rigor to satisfy the constraints of MLS systems. More recently, however, MAC has moved out of the MLS niche and has started to become more mainstream. The more recent MAC implementations, such as SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows, allow administrators to focus on issues such as network attacks and malware without the rigor or constraints of MLS.


History and background

Historically, MAC was strongly associated with multilevel security (MLS) as a means of protecting classified information of the United States. The Trusted Computer System Evaluation Criteria (TCSEC), the seminal work on the subject and often known as the Orange Book, provided the original definition of MAC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity". Early implementations of MAC such as Honeywell's SCOMP, USAF's SACDIN, NSA's Blacker, and Boeing's MLS LAN focused on MLS to protect military-oriented security classification levels with robust enforcement.

The word "mandatory" in MAC has acquired a special meaning derived from its use with military systems. In this context, MAC implies an extremely high degree of robustness that assures that the control mechanisms can resist any type of subversion, thereby enabling them to enforce access controls that are mandated by the order of a government, such as Executive Order 12958. Enforcement is supposed to be more imperative than for commercial applications. This precludes enforcement by best-effort mechanisms. Only mechanisms that can provide absolute or near-absolute enforcement of the mandate are acceptable for MAC. This is a tall order, sometimes assumed unrealistic by those unfamiliar with high-assurance strategies and very difficult for those who are familiar with them.

In some systems, users have the authority to decide whether to grant access to any other user. To allow that, all users have clearances for all data. This is not necessarily true of an MLS system. If individuals or processes exist that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC. Since there can be various levels of data classification and user clearances, this implies a quantified scale for robustness. For example, more robustness is indicated for system environments containing classified "Top Secret" information and uncleared users than for one with "Secret" information and users cleared to at least "Confidential."

To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk assessment of the topic produced a landmark benchmark standardization quantifying security robustness capabilities of systems and mapping them to the degrees of trust warranted for various security environments. The result was documented in CSC-STD-004-85. Two relatively independent components of robustness were defined: ''assurance level'' and ''functionality''. Both were specified with a degree of precision that warranted significant confidence in certifications based on these criteria.

The Common Criteria standard is based on this science and was intended to preserve the assurance level as EAL levels and the functionality specifications as Protection Profiles. Of these two essential components of objective robustness benchmarks, only EAL levels were faithfully preserved. In one case, TCSEC level C2 (not a MAC-capable category) was fairly faithfully preserved in the Common Criteria, as the Controlled Access Protection Profile (CAPP). MLS Protection Profiles (such as MLSOSPP, similar to B2) are more general than B2. They are pursuant to MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives. This gives certifiers more subjective flexibility in deciding whether the evaluated product's technical features adequately achieve the objective, potentially eroding consistency of evaluated products and making it easier to attain certification for less trustworthy products. For these reasons, the technical details of the Protection Profile are critical to determining the suitability of a product.

Such an architecture prevents an authenticated user or process at a specific classification or trust level from accessing information, processes, or devices in a different level. This provides a containment mechanism for users and processes, both known and unknown. An unknown program might comprise an untrusted application where the system should monitor or control accesses to devices and files.

A few MAC implementations, such as Unisys' Blacker project, were certified robust enough to separate Top Secret from Unclassified late in the last millennium. Their underlying technology became obsolete and they were not refreshed. Today there are no current implementations certified by TCSEC to that level of robust implementation. However, some less robust products exist.


In operating systems


Microsoft

Starting with Windows Vista and Server 2008, Microsoft has incorporated Mandatory Integrity Control (MIC) in the Windows operating system, which adds ''integrity levels'' (IL) to running processes. The goal is to restrict access of less trustworthy processes to sensitive information. MIC defines five integrity levels: low, medium, high, system, and trusted installer. By default, processes start at medium IL. Elevated processes receive high IL. Child processes, by default, inherit their parent's integrity, although the parent process can launch them with a lower IL. For example, Internet Explorer 7 launches its subprocesses with low IL.

Windows controls access to objects based on ILs. Named objects, including files, registry keys or other processes and threads, have an entry in their ACL indicating the minimum IL of the process that can use the object. MIC enforces that a process can write to or delete an object only when its IL is equal to or higher than the object's IL. Furthermore, to prevent access to sensitive data in memory, processes can't open processes with a higher IL for read access.
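
The integrity rules above, and the earlier point that users cannot override a mandatory policy, can be exercised with a small model. The following Python code is an added example, not Microsoft's code or part of the original article; the class and function names, the sample processes and files, and the separate DACL check standing in for discretionary access control are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class IL(IntEnum):
    """The five integrity levels the text lists, ordered lowest to highest."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    SYSTEM = 4
    TRUSTED_INSTALLER = 5


@dataclass
class Process:
    name: str
    user: str
    il: IL = IL.MEDIUM  # processes start at medium IL by default

    def spawn(self, name, il=None):
        """Child inherits the parent's IL unless the parent asks for a lower one.

        Assumption of this model: a request for a higher IL is rejected,
        because the text only describes a parent lowering its child's IL.
        """
        child_il = self.il if il is None else il
        if child_il > self.il:
            raise PermissionError(f"{self.name} cannot start a child at {child_il.name}")
        return Process(name, self.user, child_il)


@dataclass
class Obj:
    name: str
    kind: str  # "file", "registry_key" or "process"
    il: IL     # minimum IL recorded on the object
    dacl: dict = field(default_factory=dict)  # user -> operations the owner granted


def mic_allows(proc, obj, op):
    """Mandatory part: the two rules stated in the text."""
    if op in ("write", "delete"):
        return proc.il >= obj.il
    if op == "read" and obj.kind == "process":
        return proc.il >= obj.il
    return True  # the text states no integrity rule for other reads


def access(proc, obj, op):
    """Return (allowed, reason); the mandatory and discretionary checks must both pass."""
    if not mic_allows(proc, obj, op):
        return False, "denied by integrity policy"
    if op not in obj.dacl.get(proc.user, set()):
        return False, "denied by DACL"
    return True, "allowed"


def demo():
    # Constructed sample data: one user, a browser and two files that user owns.
    browser = Process("browser.exe", "alice")         # medium IL
    renderer = browser.spawn("renderer.exe", IL.LOW)  # parent lowers the child's IL
    helper = renderer.spawn("helper.exe")             # inherits low IL
    doc = Obj("report.docx", "file", IL.MEDIUM, {"alice": {"read", "write", "delete"}})
    cache = Obj("cache.tmp", "file", IL.LOW, {"alice": {"read", "write"}})
    browser_proc = Obj("browser.exe", "process", browser.il, {"alice": {"read"}})
    return {
        "browser writes doc": access(browser, doc, "write"),
        # Same user, and the DACL grants write, yet the mandatory rule wins.
        "renderer writes doc": access(renderer, doc, "write"),
        "renderer reads doc": access(renderer, doc, "read"),
        "helper writes cache": access(helper, cache, "write"),
        "renderer reads browser memory": access(renderer, browser_proc, "read"),
        "browser deletes cache": access(browser, cache, "delete"),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:32} {'ALLOW' if ok else 'DENY ':5} {reason}")
```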


Apple

Apple Inc. has incorporated an implementation of the TrustedBSD framework in its iOS and macOS operating systems. (The word "mac" in "macOS" is short for "Macintosh" and has nothing to do with the abbreviation of "mandatory access control.") The command-line function sandbox_init provides a limited high-level sandboxing interface.


Google

Version 5.0 and later of the Android operating system, developed by Google, use SELinux to enforce a MAC security model on top of its original UID-based DAC approach.


Linux family

Linux and many other Unix distributions have MAC for CPU (multi-ring), disk, and memory. While OS software may not manage privileges well, Linux became famous during the 1990s as being more secure and far more stable than non-Unix alternatives. The three main Linux Security Modules implementing MAC are SELinux, AppArmor, and TOMOYO Linux.

Security-Enhanced Linux (SELinux) was originally developed by the NSA and released to the open-source community in 2000. It is one of the first MAC implementations for Linux and is also one of the most popular. It has been incorporated into Linux kernels since v2.4, and is enabled by default on Android 5.0+ and Red Hat/Fedora. SELinux provides powerful fine-grained control, which makes it suitable for high-security environments, but many users find that its power and granularity come with a high degree of complexity and a steep learning curve.

TOMOYO Linux is a lightweight MAC implementation for Linux and Embedded Linux, developed by NTT Data Corporation. It was merged into the Linux kernel mainline in version 2.6.30 in June 2009. Unlike the ''label-based'' approach used by SELinux, TOMOYO Linux performs ''pathname-based'' mandatory access control, separating security domains according to process invocation history, which describes the system behavior. Policies are described in terms of pathnames. A security domain is simply defined by a process call chain, and represented by a string. There are four modes: disabled, ''learning'', permissive, and enforcing. Administrators can assign different modes for different domains. TOMOYO Linux introduced the "learning" mode, in which accesses that occur in the kernel are automatically analyzed and stored to generate MAC policy: this mode can then be the first step of policy writing, making it easy to customize later.
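
The pathname-based approach described for TOMOYO Linux (domains named by the process call chain, a mode per domain, and a learning mode that records accesses as policy) can be modelled as follows. This Python code is an added example and not TOMOYO's implementation or policy syntax; the class, the sample pathnames, and the behaviour assigned to the permissive and enforcing modes (log but allow, and deny, respectively) are assumptions.

```python
from enum import Enum


class Mode(Enum):
    DISABLED = "disabled"      # no checks at all
    LEARNING = "learning"      # unknown accesses are allowed and added to policy
    PERMISSIVE = "permissive"  # assumption: unknown accesses are allowed but logged
    ENFORCING = "enforcing"    # assumption: unknown accesses are denied and logged


ROOT = "<kernel>"  # start of every call chain in this model


class PathnameMAC:
    def __init__(self, default_mode=Mode.LEARNING):
        self.policy = {}      # domain string -> set of (operation, pathname)
        self.mode = {}        # domain string -> Mode, set by the administrator
        self.default_mode = default_mode
        self.violations = []  # (domain, operation, pathname) not covered by policy

    def mode_of(self, domain):
        return self.mode.get(domain, self.default_mode)

    def check(self, domain, op, path):
        """Decide one access request made by a process running in `domain`."""
        mode = self.mode_of(domain)
        if mode is Mode.DISABLED:
            return True
        rules = self.policy.setdefault(domain, set())
        if (op, path) in rules:
            return True
        if mode is Mode.LEARNING:
            rules.add((op, path))  # record the access as new policy
            return True
        self.violations.append((domain, op, path))
        return mode is Mode.PERMISSIVE

    def execute(self, domain, program):
        """Executing a program is itself checked; on success the new process
        runs in the domain named by the extended call chain."""
        if not self.check(domain, "execute", program):
            return None
        return f"{domain} {program}"

    def render(self):
        """Learned policy as text (layout invented for this example)."""
        lines = []
        for domain in sorted(self.policy):
            lines.append(domain)
            lines.extend(f"    allow {op} {path}" for op, path in sorted(self.policy[domain]))
        return lines


def demo():
    mac = PathnameMAC()
    # Learning phase over constructed activity: two services started by init.
    init = mac.execute(ROOT, "/sbin/init")
    httpd = mac.execute(init, "/usr/sbin/httpd")
    sshd = mac.execute(init, "/usr/sbin/sshd")
    mac.check(httpd, "read", "/etc/httpd/httpd.conf")
    mac.check(httpd, "read", "/var/www/index.html")
    shell = mac.execute(sshd, "/bin/bash")
    mac.check(shell, "read", "/var/www/index.html")

    # The administrator locks down the web server's domain only.
    mac.mode[httpd] = Mode.ENFORCING
    results = {
        "httpd_domain": httpd,
        "shell_domain": shell,
        "httpd_learned_read": mac.check(httpd, "read", "/var/www/index.html"),
        "httpd_unlearned_read": mac.check(httpd, "read", "/srv/backup/db.sql"),
        # /bin/bash was learned under sshd's chain, not under httpd's.
        "httpd_exec_shell": mac.execute(httpd, "/bin/bash"),
        "shell_still_learning": mac.check(shell, "read", "/etc/motd"),
    }
    mac.mode[shell] = Mode.PERMISSIVE
    results["shell_permissive_read"] = mac.check(shell, "read", "/etc/hosts")
    results["violations"] = list(mac.violations)
    results["policy_text"] = mac.render()
    return results


if __name__ == "__main__":
    out = demo()
    print("\n".join(out["policy_text"]))
    print(out["violations"])
```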
AppArmor is a MAC implementation which utilizes the Linux Security Modules (LSM) interface of Linux 2.6 and is incorporated into SUSE Linux and Ubuntu 7.10. LSM provides a kernel API that allows modules of kernel code to govern ACL (DAC ACL, access-control lists). AppArmor is not capable of restricting all programs and is optionally included in the Linux kernel as of version 2.6.36.

Amon Ott's RSBAC (Rule Set Based Access Control) provides a framework for Linux kernels that allows several different security policy / decision modules. One of the models implemented is the Mandatory Access Control model. A general goal of RSBAC design was to try to reach the (obsolete) Orange Book (TCSEC) B1 level. The model of mandatory access control used in RSBAC is mostly the same as in Unix System V/MLS, Version 1.2.1 (developed in 1989 by the National Computer Security Center of the USA with classification B1/TCSEC). RSBAC requires a set of patches to the stock kernel, which are maintained quite well by the project owner.

Smack (Simplified Mandatory Access Control Kernel) is a Linux kernel security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control rules, with simplicity as its main design goal. It has been officially merged since the Linux 2.6.25 release.

grsecurity is a patch for the Linux kernel providing a MAC implementation (precisely, it is an RBAC implementation). grsecurity is not implemented via the LSM API.

Astra Linux, an OS developed for the Russian Army, has its own mandatory access control (source: "Key features of Astra Linux Special Edition for implementing information security requirements").


Other OSes

FreeBSD supports ''Mandatory Access Control'', implemented as part of the TrustedBSD project. It was introduced in FreeBSD 5.0. Since FreeBSD 7.2, MAC support is enabled by default. The framework is extensible; various MAC modules implement policies such as Biba and multilevel security.

Sun's Trusted Solaris uses a mandatory and system-enforced access control mechanism (MAC), where clearances and labels are used to enforce a security policy. Note, however, that the capability to manage labels does not imply the kernel strength to operate in multilevel security mode. Access to the labels and control mechanisms is not robustly protected from corruption in a protected domain maintained by a kernel. The applications a user runs are combined with the security label at which the user works in the session. Access to information, programs and devices is only weakly controlled.


See also


Access control

* Attribute-based access control (ABAC)
* Context-based access control (CBAC)
* Discretionary access control (DAC)
* Lattice-based access control (LBAC)
* Organisation-based access control (OrBAC)
* Role-based access control (RBAC)
* Rule-set-based access control (RSBAC)


Other topics

* Bell–LaPadula model
* Capability-based security
* Clark–Wilson model
* Graham–Denning model
* Multiple single-level
* Risk-based authentication
* Security modes
* Systrace
* Take-grant protection model
* Type enforcement




External links


* Weblog post on how virtualization can be used to implement Mandatory Access Control.
* Weblog post from a Microsoft employee detailing Mandatory Integrity Control and how it differs from MAC implementations.
* GWV Formal Security Policy Model: A Separation Kernel Formal Security Policy, David Greve, Matthew Wilding, and W. Mark Vanfleet.