mac_portacl(4)
NAME
     mac_portacl -- network port access control policy
SYNOPSIS
     To compile the port access control policy into your kernel, place the
     following lines in your kernel configuration file:

           options MAC
           options MAC_PORTACL

     Alternately, to load the port access control policy module at boot time,
     place the following line in your kernel configuration file:

           options MAC

     and in loader.conf(5):

           mac_portacl_load="YES"
DESCRIPTION
     The mac_portacl policy allows administrators to administratively limit
     binding to local UDP and TCP ports via the sysctl(8) interface.

     In order to enable the mac_portacl policy, MAC policy must be enforced on
     sockets (see mac(4)), and the port(s) protected by mac_portacl must not
     be included in the range specified by the
     net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh
     sysctl(8) MIBs.

     The mac_portacl policy only affects ports explicitly bound by a user
     process (either for a listen/outgoing TCP socket, or a send/receive UDP
     socket).  This policy will not limit ports bound implicitly for outgoing
     connections where the process has not explicitly selected a port: these
     are automatically selected by the IP stack.

     When mac_portacl is enabled, it will control binding access to ports up
     to the port number set in the security.mac.portacl.port_high sysctl(8)
     variable.  By default, all attempts to bind to mac_portacl controlled
     ports will fail if not explicitly allowed by the port access control
     list, though binding by the superuser will be allowed, if the sysctl(8)
     variable security.mac.portacl.suser_exempt is set to a non-zero value.
   Runtime Configuration
     The following sysctl(8) MIBs are available for fine-tuning the
     enforcement of this MAC policy.  All sysctl(8) variables, except
     security.mac.portacl.rules, can also be set as loader(8) tunables in
     loader.conf(5).

     security.mac.portacl.enabled
             Enforce the mac_portacl policy.  (Default: 1).

     security.mac.portacl.port_high
             The highest port number mac_portacl will enforce rules for.
             (Default: 1023).

     security.mac.portacl.rules
             The port access control list is specified in the following
             format:

                   idtype:id:protocol:port[,idtype:id:protocol:port,...]

             idtype    Describes the type of subject match to be performed.
                       Either uid for user ID matching, or gid for group ID
                       matching.

             id        The user or group ID (depending on idtype) allowed to
                       bind to the specified port.  NOTE: User and group
                       names are not valid; only the actual ID numbers may be
                       used.

             protocol  Describes which protocol this entry applies to.
                       Either tcp or udp is supported.

             port      Describes which port this entry applies to.  NOTE: MAC
                       security policies may not override other security
                       system policies by allowing accesses that they may
                       deny, such as net.inet.ip.portrange.reservedlow /
                       net.inet.ip.portrange.reservedhigh.  If the specified
                       port falls within the range specified, the mac_portacl
                       entry will not function (i.e., even the specified
                       user/group may not be able to bind to the specified
                       port).

     security.mac.portacl.suser_exempt
             Allow superuser (i.e., root) to bind to all mac_portacl
             protected ports, even if the port access control list does not
             explicitly allow this.  (Default: 1).

     security.mac.portacl.autoport_exempt
             Allow applications to use automatic binding to port 0.
             Applications use port 0 as a request for automatic port
             allocation when binding an IP address to a socket.  This tunable
             will exempt port 0 allocation from rule checking.  (Default: 1).
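     The following is an added example, not FreeBSD code: a small model of the
     bind decision described above.  It parses a security.mac.portacl.rules
     string and combines the documented effects of port_high, suser_exempt,
     autoport_exempt and the reserved port range; the PortaclConfig type, the
     may_bind function and the sample rule set are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class PortaclConfig:
    """The sysctl knobs that decide a bind, with the man page's defaults."""
    rules: list = field(default_factory=list)  # parsed security.mac.portacl.rules
    port_high: int = 1023          # security.mac.portacl.port_high
    suser_exempt: bool = True      # security.mac.portacl.suser_exempt
    autoport_exempt: bool = True   # security.mac.portacl.autoport_exempt
    reservedlow: int = 0           # net.inet.ip.portrange.reservedlow
    reservedhigh: int = 1023       # net.inet.ip.portrange.reservedhigh


def parse_rules(text):
    """Parse 'idtype:id:protocol:port[,...]' into tuples; names are rejected."""
    rules = []
    for entry in filter(None, text.split(",")):
        idtype, ident, proto, port = entry.split(":")
        if idtype not in ("uid", "gid") or proto not in ("tcp", "udp"):
            raise ValueError("bad rule: " + entry)
        rules.append((idtype, int(ident), proto, int(port)))  # int() rejects names
    return rules


def may_bind(cfg, uid, gids, proto, port):
    """Model the IP stack's reserved-range check plus the mac_portacl ACL."""
    if port == 0:
        if cfg.autoport_exempt:
            return True          # automatic allocation is not rule-checked
    # The stack's own privilege check runs regardless of MAC: non-root can
    # never bind into the reserved range, so protected ports must be moved
    # out of it (e.g. by lowering net.inet.ip.portrange.reservedhigh).
    elif uid != 0 and cfg.reservedlow <= port <= cfg.reservedhigh:
        return False
    if port > cfg.port_high:
        return True              # above port_high the policy does not apply
    if uid == 0 and cfg.suser_exempt:
        return True              # root bypasses the ACL
    return any(p == proto and pt == port and
               ((t == "uid" and i == uid) or (t == "gid" and i in gids))
               for t, i, p, pt in cfg.rules)


# Constructed sample: uid 80 may bind tcp/80 and gid 53 may bind udp/53,
# with the reserved range shrunk to nothing so those entries can take effect.
SAMPLE = PortaclConfig(parse_rules("uid:80:tcp:80,gid:53:udp:53"),
                       reservedlow=0, reservedhigh=0)
```

     Running the same rule set with the default reserved range shows the NOTE
     above in action: the entry for port 80 is parsed but has no effect for a
     non-root user.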
SEE ALSO
     mac(3), ip(4), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_mls(4),
     mac_none(4), mac_partition(4), mac_seeotheruids(4), mac_test(4), mac(9)
HISTORY
     MAC first appeared in FreeBSD 5.0 and mac_portacl first appeared in
     FreeBSD 5.1.
AUTHORS
     This software was contributed to the FreeBSD Project by NAI Labs, the
     Security Research Division of Network Associates Inc. under DARPA/SPAWAR
     contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS
     research program.

BSD                            December 9, 2004                            BSD