mac_portacl.4 (115392) mac_portacl.4 (125790)
1.\" Copyright (c) 2003 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Labs, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.

--- 14 unchanged lines hidden (view full) ---

23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
1.\" Copyright (c) 2003 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Labs, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.

--- 14 unchanged lines hidden (view full) ---

23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.\" $FreeBSD: head/share/man/man4/mac_portacl.4 115392 2003-05-29 21:28:36Z ru $
31.\" $FreeBSD: head/share/man/man4/mac_portacl.4 125790 2004-02-13 22:08:16Z simon $
32.\"
32.\"
33.Dd March 11, 2003
33.Dd February 13, 2004
34.Dt MAC_PORTACL 4
35.Os
36.Sh NAME
37.Nm mac_portacl
34.Dt MAC_PORTACL 4
35.Os
36.Sh NAME
37.Nm mac_portacl
38.Nd network port access control policy
38.Nd "network port access control policy"
39.Sh SYNOPSIS
40To compile the port access control policy into your kernel,
41place the following lines in your kernel
42configuration file:
43.Bd -ragged -offset indent
44.Cd "options MAC"
45.Cd "options MAC_PORTACL"
46.Ed

--- 29 unchanged lines hidden (view full) ---

76.Nm
77must not be included in the range specified by
78the
79.Va net.inet.ip.portrange.reservedlow
80and
81.Va net.inet.ip.portrange.reservedhigh
82.Xr sysctl 8
83MIBs.
39.Sh SYNOPSIS
40To compile the port access control policy into your kernel,
41place the following lines in your kernel
42configuration file:
43.Bd -ragged -offset indent
44.Cd "options MAC"
45.Cd "options MAC_PORTACL"
46.Ed

--- 29 unchanged lines hidden (view full) ---

76.Nm
77must not be included in the range specified by
78the
79.Va net.inet.ip.portrange.reservedlow
80and
81.Va net.inet.ip.portrange.reservedhigh
82.Xr sysctl 8
83MIBs.
84.Pp
85The
86.Nm
87policy only affects ports explicitly bound by a user process (either
88for a listen/outgoing
89.Tn TCP
90socket, or a send/receive
91.Tn UDP
92socket).
93This policy will not limit ports bound implicitly for outgoing
94connections where the process has not explicitly selected a port:
95these are automatically selected by the IP stack.
96.Pp
97When
98.Nm
99is enabled it will control binding access to ports up to the port
100number set in the
101.Va security.mac.portacl.port_high
102.Xr sysctl 8
103variable.
104By default all attempts to bind to
105.Nm
106controlled ports will fail if not explicitly allowed by the port
107access control list, though binding by the superuser will be allowed,
108if the
109.Xr sysctl 8
110variable
111.Va security.mac.portacl.suser_exempt
112is set to a non-zero value.
84.Ss Runtime Configuration
113.Ss Runtime Configuration
85The port access control list is specified in the
86.Va security.mac.portacl.rules
114The following
87.Xr sysctl 8
115.Xr sysctl 8
88MIB in the following format:
116MIBs are available for fine-tuning the enforcement of this MAC policy.
117All
118.Xr sysctl 8
119variables, except
120.Va security.mac.portacl.rules ,
121can also be set as
122.Xr loader 8
123tunables in
124.Xr loader.conf 5 .
125.Bl -tag -width indent
126.It Va security.mac.portacl.enabled
127Enforce the
128.Nm
129policy.
130(Default: 1).
131.It Va security.mac.portacl.port_high
132The highest port number
133.Nm
134will enforce rules for.
135(Default: 1023).
136.It Va security.mac.portacl.rules
137The port access control list is specified in the the following format:
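Review bot: new line 137 reads "in the the following format" (duplicated "the"); drop one. In the same hunk, the sentence at new lines 104-112 buries the policy's effective default: it says superuser binding "will be allowed, if" suser_exempt is non-zero, with a stray comma before "if", and the reader only learns at line 205 that the default is 1. Suggest stating it once here, e.g. "Binding by the superuser is exempt from the list when security.mac.portacl.suser_exempt is non-zero (the default)." The port_high entry at lines 131-135 (default 1023) should also point at the reserved-range caveat at lines 194-198: if the net.inet.ip.portrange.reservedlow/reservedhigh range overlaps the ports a rule names, that rule "will not function", so an administrator who keeps the defaults can write rules that silently never take effect unless the page tells them which range to adjust.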
89.Pp
90.Sm off
91.Bd -literal -offset indent
92.Ar idtype
93.Li :
94.Ar id
95.Li :
96.Ar protocol

--- 46 unchanged lines hidden (view full) ---

143.Va net.inet.ip.portrange.reservedhigh .
144.Ef
145If the specified port falls within the range specified, the
146.Nm
147entry will not function
148(i.e., even the specified user/group may not be able to bind to the specified
149port).
150.El
138.Pp
139.Sm off
140.Bd -literal -offset indent
141.Ar idtype
142.Li :
143.Ar id
144.Li :
145.Ar protocol

--- 46 unchanged lines hidden (view full) ---

192.Va net.inet.ip.portrange.reservedhigh .
193.Ef
194If the specified port falls within the range specified, the
195.Nm
196entry will not function
197(i.e., even the specified user/group may not be able to bind to the specified
198port).
199.El
200.It Va security.mac.portacl.suser_exempt
201Allow superuser (i.e. root) to bind to all
202.Nm
203protected ports, even if the port access control list does not
204explicitly allow this.
205(Default: 1).
206.El
151.Sh SEE ALSO
152.Xr mac 3 ,
207.Sh SEE ALSO
208.Xr mac 3 ,
209.Xr ip 4 ,
153.Xr mac_biba 4 ,
154.Xr mac_bsdextended 4 ,
155.Xr mac_ifoff 4 ,
156.Xr mac_mls 4 ,
157.Xr mac_none 4 ,
158.Xr mac_partition 4 ,
159.Xr mac_seeotheruids 4 ,
160.Xr mac_test 4 ,
161.Xr mac 9
162.Sh HISTORY
163MAC first appeared in
210.Xr mac_biba 4 ,
211.Xr mac_bsdextended 4 ,
212.Xr mac_ifoff 4 ,
213.Xr mac_mls 4 ,
214.Xr mac_none 4 ,
215.Xr mac_partition 4 ,
216.Xr mac_seeotheruids 4 ,
217.Xr mac_test 4 ,
218.Xr mac 9
219.Sh HISTORY
220MAC first appeared in
164.Fx 5.0 .
221.Fx 5.0
222and
223.Nm
224first appeared in
225.Fx 5.1 .
165.Sh AUTHORS
166This software was contributed to the
167.Fx
168Project by NAI Labs, the Security Research Division of Network Associates
169Inc. under DARPA/SPAWAR contract N66001-01-C-8035
170.Pq Dq CBOSS ,
171as part of the DARPA CHATS research program.
226.Sh AUTHORS
227This software was contributed to the
228.Fx
229Project by NAI Labs, the Security Research Division of Network Associates
230Inc. under DARPA/SPAWAR contract N66001-01-C-8035
231.Pq Dq CBOSS ,
232as part of the DARPA CHATS research program.
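Review bot: the suser_exempt entry at new lines 200-205 should say plainly that with the default of 1 the access control list is not consulted for root at all, and that an administrator who wants the list to be the sole control on protected ports must set it to 0 (per lines 117-124 this can also be done as a loader tunable). Line 201 writes "(i.e. root)" while line 197 writes "(i.e., even ...)"; make the two consistent. In SEE ALSO, ip 4 at line 209 is correctly ordered, and since the page repeatedly relies on sysctl 8 and loader.conf 5 for configuration, cross-referencing those two here as well would help the reader.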