mac_portacl(4)

NAME

mac_portacl - network port access control policy

SYNOPSIS

To compile the port access control policy into your  kernel,
place the
following lines in your kernel configuration file:
      options MAC
      options MAC_PORTACL
Alternately,  to  load the port access control policy module
at boot time,
place the following line in your kernel configuration file:
      options MAC
and in loader.conf(5):
      mac_portacl_load="YES"

DESCRIPTION

The mac_portacl policy allows administrators to administra
tively limit
binding to local UDP and TCP ports via the sysctl(8) inter
face.
In order to enable the mac_portacl policy, MAC policy must
be enforced on
sockets (see mac(4)), and the port(s) protected by
mac_portacl must not
be included in the range specified by the
net.inet.ip.portrange.reservedlow and
net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.
The mac_portacl policy only affects ports explicitly bound
by a user process (either for a listen/outgoing TCP socket, or a send/re
ceive UDP
socket). This policy will not limit ports bound implicitly
for outgoing
connections where the process has not explicitly selected a
port: these
are automatically selected by the IP stack.
When mac_portacl is enabled, it will control binding access
to ports up
to the port number set in the security.mac.portacl.port_high
sysctl(8)
variable. By default, all attempts to bind to mac_portacl
controlled
ports will fail if not explicitly allowed by the port access
control
list, though binding by the superuser will be allowed, if
the sysctl(8)
variable security.mac.portacl.suser_exempt is set to a non
zero value.
Runtime Configuration
The following sysctl(8) MIBs are available for fine-tuning
the enforcement of this MAC policy. All sysctl(8) variables, except
security.mac.portacl.rules, can also be set as loader(8)
tunables in
loader.conf(5).
security.mac.portacl.enabled
Enforce the mac_portacl policy. (Default: 1).
security.mac.portacl.port_high
The highest port number mac_portacl will enforce
rules for.
(Default: 1023).
security.mac.portacl.rules
The port access control list is specified in the
following format:

idtype:id:protocol:port[,idtype:id:protocol:port,...]
idtype Describes the type of subject match to
be per
formed. Either uid for user ID match
ing, or gid
for group ID matching.
id The user or group ID (depending on
idtype) allowed
to bind to the specified port. NOTE:
User and
group names are not valid; only the
actual ID numbers may be used.
protocol Describes which protocol this entry
applies to.
Either tcp or udp are supported.
port Describes which port this entry ap
plies to. NOTE:
MAC security policies may not override
other security system policies by allowing
accesses that they
may deny, such as
net.inet.ip.portrange.reservedlow / net.inet.ip.portrange.reservedhigh.
If the specified port falls within the range
specified, the
mac_portacl entry will not function
(i.e., even the
specified user/group may not be able
to bind to the
specified port).
security.mac.portacl.suser_exempt
Allow superuser (i.e., root) to bind to all
mac_portacl protected
ports, even if the port access control list does not
explicitly
allow this. (Default: 1).
security.mac.portacl.autoport_exempt
Allow applications to use automatic binding to port
0. Applications use port 0 as a request for automatic port al
location when
binding an IP address to a socket. This tunable
will exempt port
0 allocation from rule checking. (Default: 1).

SEE ALSO

mac(3), ip(4), mac_biba(4), mac_bsdextended(4),
mac_ifoff(4), mac_mls(4),
mac_none(4), mac_partition(4), mac_seeotheruids(4),
mac_test(4), mac(9)

HISTORY

MAC first appeared in FreeBSD 5.0 and mac_portacl first ap
peared in
FreeBSD 5.1.

AUTHORS

This software was contributed to the FreeBSD Project by NAI
Labs, the
Security Research Division of Network Associates Inc. under
DARPA/SPAWAR
contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA
CHATS
research program.
BSD December 9, 2004
Copyright © 2010-2024 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout