NAME
mac_portacl — network port access control policy
SYNOPSIS
To compile the port access control policy into your kernel, place the following
lines in your kernel configuration file:
    options MAC
    options MAC_PORTACL
Alternately, to load the port access control policy module at boot time, place
the following line in your kernel configuration file:
    options MAC
and in loader.conf(5):
    mac_portacl_load="YES"
DESCRIPTION
The mac_portacl policy allows administrators to limit which users and groups
may bind to local UDP and TCP ports. The policy is configured entirely through
the sysctl(8) interface.
In order to enable the mac_portacl policy, MAC policy must be enforced on
sockets (see mac(4)), and the port(s) protected by mac_portacl must not be
included in the range specified by the net.inet.ip.portrange.reservedlow and
net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.
The mac_portacl policy only affects ports explicitly bound by a user process
(either a listening or outgoing TCP socket, or a sending/receiving UDP socket).
This policy will not limit ports bound implicitly for outgoing connections
where the process has not explicitly selected a port: those ports are chosen
automatically by the IP stack and are not checked against the rule list.
When mac_portacl is enabled, it controls binding access to ports up to the port
number set in the security.mac.portacl.port_high sysctl(8) variable. By
default, all attempts to bind to mac_portacl controlled ports will fail if not
explicitly allowed by the port access control list, though binding by the
superuser will be allowed if the sysctl(8) variable
security.mac.portacl.suser_exempt is set to a non-zero value.
Runtime Configuration
The following sysctl(8) MIBs are available for fine-tuning the enforcement of
this MAC policy. All sysctl(8) variables, except security.mac.portacl.rules,
can also be set as loader(8) tunables in loader.conf(5).
- security.mac.portacl.enabled
- Enforce the
mac_portacl
policy.
(Default: 1).
- security.mac.portacl.port_high
- The highest port number
mac_portacl
will enforce rules for. (Default: 1023).
- security.mac.portacl.rules
- The port access control list is specified in the following format:
    idtype:id:protocol:port[,idtype:id:protocol:port,...]
- idtype
- Describes the type of subject match to be performed. Either
uid
for user ID matching, or
gid
for group ID matching.
- id
- The user or group ID (depending on
idtype) allowed to bind to the
specified port.
NOTE: User and group names are not valid; only the
actual ID numbers may be used.
- protocol
- Describes which protocol this entry applies to. Either
tcp
or udp
are
supported.
- port
- Describes which port this entry applies to.
NOTE: MAC security policies may not override other security system policies
by allowing accesses that they may deny, such as
net.inet.ip.portrange.reservedlow / net.inet.ip.portrange.reservedhigh.
If the specified port falls within the range specified, the
mac_portacl
entry will not function
(i.e., even the specified user/group may not be able to bind to the
specified port).
- security.mac.portacl.suser_exempt
- Allow superuser (i.e., root) to bind to all
mac_portacl
protected ports, even if
the port access control list does not explicitly allow this. (Default:
1).
- security.mac.portacl.autoport_exempt
- Allow applications to use automatic binding to port 0. Applications use
port 0 as a request for automatic port allocation when binding an IP
address to a socket. This tunable will exempt port 0 allocation from rule
checking. (Default: 1).
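The enabling steps above (keep the protected ports out of the reserved range,
set port_high) and the rules grammar tend to go wrong in the same two ways:
a rule written with a user name instead of a numeric ID, and a rule for a port
that the kernel's reserved range still refuses to non-root users. The following
shell script is an added example, not part of this manual page or of the
FreeBSD sources. The function names (portacl_rule, portacl_rules,
portacl_port_enforced, portacl_apply, demo_rules) are this example's own; it
assumes the stock FreeBSD defaults of reservedlow=0 and reservedhigh=1023, which
is why portacl_apply empties the reserved range before loading the list. Only
portacl_apply touches a live system and it is not called here.

```shell
#!/bin/sh
# Added example, not part of mac_portacl(4) or the FreeBSD sources: build a
# security.mac.portacl.rules list, reject what the policy would reject (names
# instead of numeric IDs, unknown protocols), and warn when a rule could never
# take effect because the port is above port_high or sits inside
# net.inet.ip.portrange.reservedlow..reservedhigh.  Function names are this
# example's own.

# Print one "idtype:id:protocol:port" entry, or fail with a reason.
portacl_rule() {
    idtype=$1 id=$2 proto=$3 port=$4
    case "$idtype" in uid|gid) ;;
        *) echo "idtype must be uid or gid: $idtype" >&2; return 1 ;; esac
    # Only numeric IDs are valid; "www" or "wheel" are not.
    case "$id" in ''|*[!0-9]*) echo "id must be numeric: $id" >&2; return 1 ;; esac
    case "$proto" in tcp|udp) ;;
        *) echo "protocol must be tcp or udp: $proto" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port out of range: $port" >&2; return 1; }
    printf '%s:%s:%s:%s' "$idtype" "$id" "$proto" "$port"
}

# Join entries into the comma-separated list the sysctl expects.
portacl_rules() {
    list=''
    for entry in "$@"; do
        list="${list:+$list,}$entry"
    done
    printf '%s' "$list"
}

# Return 0 if a rule for PORT can take effect given the current values of
# security.mac.portacl.port_high and the reserved port range; 1 otherwise.
# Values are arguments so this runs offline; on a live host fetch them with
# sysctl -n security.mac.portacl.port_high (and the two portrange MIBs).
portacl_port_enforced() {
    port=$1 port_high=$2 rlow=$3 rhigh=$4
    if [ "$port" -gt "$port_high" ]; then
        echo "port $port > port_high ($port_high): mac_portacl does not check it" >&2
        return 1
    fi
    if [ "$port" -ge "$rlow" ] && [ "$port" -le "$rhigh" ]; then
        echo "port $port is inside reserved range $rlow-$rhigh: rule cannot work" >&2
        return 1
    fi
    return 0
}

# Load a rule list on a live FreeBSD host (root required; not run here).
# Emptying the reserved range is what lets mac_portacl rules for ports
# below 1024 take effect; port_high=1023 keeps those ports denied by default
# for everyone the list does not name (the superuser stays exempt).
portacl_apply() {
    sysctl net.inet.ip.portrange.reservedlow=0 &&
    sysctl net.inet.ip.portrange.reservedhigh=0 &&
    sysctl security.mac.portacl.port_high=1023 &&
    sysctl security.mac.portacl.suser_exempt=1 &&
    sysctl security.mac.portacl.rules="$1"
}

# Constructed demo: uid 80 may serve tcp/80, gid 53 may serve udp/53.
demo_rules() {
    portacl_rules "$(portacl_rule uid 80 tcp 80)" "$(portacl_rule gid 53 udp 53)"
}

demo_rules; echo   # uid:80:tcp:80,gid:53:udp:53
```

With the stock reserved range still in place, portacl_port_enforced 80 1023 0
1023 fails, which is exactly the situation the NOTE above describes: the rule
loads without complaint but the listed user still cannot bind. Run the check
before portacl_apply, or after changing the reserved range, rather than after a
service has already failed to start.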
SEE ALSO
mac(3),
ip(4),
mac_biba(4),
mac_bsdextended(4),
mac_ifoff(4),
mac_mls(4),
mac_none(4),
mac_partition(4),
mac_seeotheruids(4),
mac_test(4),
mac(9)
HISTORY
MAC first appeared in FreeBSD 5.0 and mac_portacl first appeared in
FreeBSD 5.1.
AUTHORS
This software was contributed to the
FreeBSD Project by
NAI Labs, the Security Research Division of Network Associates Inc. under
DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the
DARPA CHATS research program.