Mandatory access controls extend operating system access control policy by allowing administrators to enforce additional constraints on user and application behavior. The TrustedBSD MAC Framework is a kernel programming interface allowing loadable modules to augment the system security policy in order to implement mandatory access control in a flexible manner.
The TrustedBSD MAC Framework first shipped in FreeBSD 5.0, with significant functionality, quality, and performance enhancements in later releases. Supported policy modules include rule-based file system firewall support, TCP/UDP port access control lists, inter-user process visibility controls, as well as classic mandatory access control policies such as Multi-Level Security (MLS) with compartments, and fixed- and floating-label Biba integrity policies. Third party policy modules include cryptographic checksums on system binaries, and SEBSD, a port of the NSA FLASK/SELinux policy to FreeBSD. A number of commercial FreeBSD-based products make use of the TrustedBSD MAC Framework to locally modify the operating system security policy.
MAC Framework and general MAC user documentation and a number of implementation papers may be found on the documentation page. A detailed discussion of the architecture and industry adoption of the MAC Framework, including use in FreeBSD and Apple's Mac OS X and iOS, may be found in Robert Watson's PhD Dissertation, New Approaches to Operating System Security Extensibility.
The TrustedBSD MAC Framework has also been present in Mac OS X releases as of "Leopard", where it is used to implement Seatbelt and other system security services; on the iPhone and iPad, the MAC Framework is used for App sandboxing. This port of the MAC Framework was performed initially as part of SEDarwin, which also included a port of FLASK and SELinux to the Mac OS X platform. Other prominent industry consumers of the MAC Framework include Juniper Networks and McAfee (now Intel).