[NAI Labs logo]
NAI Labs | NAI Labs Open Source Home


MAC You Can Live With

LOMAC is a dynamically-loadable security module for Free UNIX kernels that uses Low Water-Mark Mandatory Access Control (MAC) to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised network server daemons. LOMAC is designed for compatibility and ease of use - to be a form of MAC typical users can live with.

Current Status
Mailing Lists
Point of Contact


LOMAC is an attempt to produce a form of MAC integrity protection that typical users can live with. LOMAC implements a simple form of MAC integrity protection based on Biba's Low Water-Mark model in a Loadable Kernel Module (LKM). LOMAC provides useful integrity protection against viruses, Trojan horses, malicious remote users, and compromised network servers without any modifications to the kernel, applications, or their existing configurations. LOMAC is designed to be easy to use. Its default configuration is intended to provide useful protection without being adjusted for the specific users, servers, or other software present on the system. LOMAC may be used to harden currently-deployed systems simply by loading the LKM into the kernel shortly after boot time.

Once loaded, LOMAC divides the system into two conceptual levels of integrity: high and low. The high-integrity side contains all process and files that should be protected from malicious code and remote users: the kernel servers (kflushd and friends), the system binaries (bin,lib), the system configuration files (etc), and any mission-critical data (your web pages). The low-integrity side contains the processes that must interact with remote users or system (remote login sessions, web clients and servers, mail delivery agents) and the files they download from the net (web content, mail, attachments).

Low-integrity processes and files represent potential threats to the overall integrity of the system: Low-integrity files may contain viruses or Trojan Horses. Low-integrity processes take input from remote users that may cause buffer overflows. During run-time, LOMAC protects high-integrity files and processes by preventing low-integrity processes from modifying or signalling them. Thanks to is generic default configuration, LOMAC handles the division of the system into high and low parts automatically, without administrative direction.

LOMAC does not override the existing kernel protection mechanisms. Instead, its permission checks are done in addition to the existing ones - the kernel permits an operation only if both the existing mechanisms and LOMAC decide it should permit it. Unlike the existing kernel protection mechanisms, LOMAC makes decisions based solely on integrity level, not on user identity. With LOMAC, a low-level root process is just as powerless as a low-level non-root process. Since LOMAC automatically places all network servers in the low part of the system, this fact prevents compromised root-privileged network servers from harming the high-integrity part of the system.

Further information on LOMAC can be found here.

Current Status

LOMAC is under active development by members of the NAI Labs staff and a number of generous outside contributors. There are several versions of LOMAC:

A version of LOMAC for Linux 2.2 kernels.
sufficiently stable for everyday use, although some fixes and features remain to be implemented. Development is ongoing.
version 2 of the GNU General Public License.
See below.
A version of LOMAC for FreeBSD 5 produced by the CBOSS effort.
sufficiently stable for experimental use. Integration and development are ongoing.
this 3-clause BSD-style license.
LOMAC/FreeBSD is available in the current branch of the FreeBSD project's source tree, under src/security/lomac.
LOMAC for Linux 2.4 kernels
Begun, June 2001.
A version of LOMAC for Linux kernels patched to support Linux Security Modules, begun June 2001.
A version of LOMAC for Linux kernels patched to support RSBAC, begun June 2001.


Both the latest release and all historical releases of LOMAC/Linux are available for download here. The source for LOMAC/FreeBSD is a part of the current branch of the FreeBSD Project's source tree, under src/security/lomac.

latest release:
old releases:


The following LOMAC documentation is available:

User Documentation for LOMAC/Linux
Peer-reviewed Publications
Timothy Fraser, "LOMAC: MAC You Can Live With," in the Proceedings of the FREENIX Track, 2001 USENIX Technical Conference, Boston, Massachusetts, USA, 2001.

This paper discusses implementation issues, including how LOMAC uses interposition on the system call interface to gain control of kernel operations, and how LOMAC uses implicit attribute mapping to map persistent attributes onto filesystem objects [ PDF ].

Timothy Fraser, "LOMAC: Low Water-Mark Integrity Protection for COTS Environments," in the Proceedings of the 2000 IEEE Symposium on Security and Privacy, Oakland, California, USA, 2000.

This paper discusses theoretical issues, including LOMAC's compatibility goals and why the Low Water-Mark MAC model is especially suited to meeting them [ PDF ].

Mailing Lists

The lomac-users mailing list is the primary public forum for discussing LOMAC, and all persons interested in learning about, using, or improving LOMAC are welcome to join. Bug reports and fixes often first appear first on this list.

To join the lomac-users mailing list, send mail to


with the following command in the body of the message:

subscribe lomac-users

The lomac-users mailing list is archived here.

Point of Contact

To contact the developers of this project, please join the lomac-users mailing list as described above, or E-mail lomac@nailabs.com.

$Id: index.html,v 1.18 2002/02/22 19:24:35 tfraser Exp $