|MAC_PORTACL(4)||FreeBSD Kernel Interfaces Manual||MAC_PORTACL(4)|
NAMEmac_portacl — network port access control policy
SYNOPSISTo compile the port access control policy into your kernel, place the following lines in your kernel configuration file:
Alternately, to load the port access control policy module at boot time, place the following line in your kernel configuration file:
and in loader.conf(5):
DESCRIPTIONThe mac_portacl policy allows administrators to administratively limit binding to local UDP and TCP ports via the sysctl(8) interface.
In order to enable the mac_portacl policy, MAC policy must be enforced on sockets (see mac(4)), and the port(s) protected by mac_portacl must not be included in the range specified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.
The mac_portacl policy only affects ports explicitly bound by a user process (either for a listen/outgoing TCP socket, or a send/receive UDP socket). This policy will not limit ports bound implicitly for outgoing connections where the process has not explicitly selected a port: these are automatically selected by the IP stack.
When mac_portacl is enabled, it will control binding access to ports up to the port number set in the security.mac.portacl.port_high sysctl(8) variable. By default, all attempts to bind to mac_portacl controlled ports will fail if not explicitly allowed by the port access control list, though binding by the superuser will be allowed, if the sysctl(8) variable security.mac.portacl.suser_exempt is set to a non-zero value.
Runtime ConfigurationThe following sysctl(8) MIBs are available for fine-tuning the enforcement of this MAC policy. All sysctl(8) variables, except security.mac.portacl.rules, can also be set as loader(8) tunables in loader.conf(5).
- Enforce the mac_portacl policy. (Default: 1).
- The highest port number mac_portacl will enforce rules for. (Default: 1023).
The port access control list is specified in the following format:
idtype: id: protocol: port[ , idtype: id: protocol: port, ...]
Describes the type of subject match to be performed. Either
uidfor user ID matching, or
gidfor group ID matching.
The user or group ID (depending on
idtype) allowed to bind to the specified port.
NOTE: User and group names are not valid; only the actual ID numbers may be used.
Describes which protocol this entry applies to. Either
Describes which port this entry applies to.
NOTE: MAC security policies may not override other security system policies by allowing accesses that they may deny, such as net.inet.ip.portrange.reservedlow / net.inet.ip.portrange.reservedhigh.If the specified port falls within the range specified, the mac_portacl entry will not function (i.e., even the specified user/group may not be able to bind to the specified port).
- Allow superuser (i.e., root) to bind to all mac_portacl protected ports, even if the port access control list does not explicitly allow this. (Default: 1).
- Allow applications to use automatic binding to port 0. Applications use port 0 as a request for automatic port allocation when binding an IP address to a socket. This tunable will exempt port 0 allocation from rule checking. (Default: 1).
SEE ALSOmac(3), ip(4), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_mls(4), mac_none(4), mac_partition(4), mac_seeotheruids(4), mac_test(4), mac(9)
HISTORYMAC first appeared in FreeBSD 5.0 and mac_portacl first appeared in FreeBSD 5.1.
AUTHORSThis software was contributed to the FreeBSD Project by NAI Labs, the Security Research Division of Network Associates Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.
|December 9, 2004||FreeBSD|