xref: /freebsd/share/man/man4/mac_portacl.4 (revision fa9896e082a1046ff4fbc75fcba4d18d1f2efc19)
1a508b2a6SChris Costello.\" Copyright (c) 2003 Networks Associates Technology, Inc.
2a508b2a6SChris Costello.\" All rights reserved.
3a508b2a6SChris Costello.\"
4a508b2a6SChris Costello.\" This software was developed for the FreeBSD Project by Chris Costello
5a508b2a6SChris Costello.\" at Safeport Network Services and Network Associates Labs, the
6a508b2a6SChris Costello.\" Security Research Division of Network Associates, Inc. under
7a508b2a6SChris Costello.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8a508b2a6SChris Costello.\" DARPA CHATS research program.
9a508b2a6SChris Costello.\"
10a508b2a6SChris Costello.\" Redistribution and use in source and binary forms, with or without
11a508b2a6SChris Costello.\" modification, are permitted provided that the following conditions
12a508b2a6SChris Costello.\" are met:
13a508b2a6SChris Costello.\" 1. Redistributions of source code must retain the above copyright
14a508b2a6SChris Costello.\"    notice, this list of conditions and the following disclaimer.
15a508b2a6SChris Costello.\" 2. Redistributions in binary form must reproduce the above copyright
16a508b2a6SChris Costello.\"    notice, this list of conditions and the following disclaimer in the
17a508b2a6SChris Costello.\"    documentation and/or other materials provided with the distribution.
18a508b2a6SChris Costello.\"
19a508b2a6SChris Costello.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20a508b2a6SChris Costello.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21a508b2a6SChris Costello.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22a508b2a6SChris Costello.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23a508b2a6SChris Costello.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24a508b2a6SChris Costello.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25a508b2a6SChris Costello.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26a508b2a6SChris Costello.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27a508b2a6SChris Costello.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28a508b2a6SChris Costello.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29a508b2a6SChris Costello.\" SUCH DAMAGE.
30a508b2a6SChris Costello.\"
31cf8f149fSTom Rhodes.Dd December 9, 2004
32a508b2a6SChris Costello.Dt MAC_PORTACL 4
33bc9a9cb4SRuslan Ermilov.Os
34a508b2a6SChris Costello.Sh NAME
35a508b2a6SChris Costello.Nm mac_portacl
36d0411883SSimon L. B. Nielsen.Nd "network port access control policy"
37a508b2a6SChris Costello.Sh SYNOPSIS
38a508b2a6SChris CostelloTo compile the port access control policy into your kernel,
39a508b2a6SChris Costelloplace the following lines in your kernel
40a508b2a6SChris Costelloconfiguration file:
41bc9a9cb4SRuslan Ermilov.Bd -ragged -offset indent
42a508b2a6SChris Costello.Cd "options MAC"
43a508b2a6SChris Costello.Cd "options MAC_PORTACL"
44bc9a9cb4SRuslan Ermilov.Ed
45a508b2a6SChris Costello.Pp
46a508b2a6SChris CostelloAlternately, to load the port access control policy module at boot time,
47a508b2a6SChris Costelloplace the following line in your kernel configuration file:
48bc9a9cb4SRuslan Ermilov.Bd -ragged -offset indent
49a508b2a6SChris Costello.Cd "options MAC"
50bc9a9cb4SRuslan Ermilov.Ed
51a508b2a6SChris Costello.Pp
52a508b2a6SChris Costelloand in
53a508b2a6SChris Costello.Xr loader.conf 5 :
54bc9a9cb4SRuslan Ermilov.Pp
55bc9a9cb4SRuslan Ermilov.Dl "mac_portacl_load=""YES"""
56a508b2a6SChris Costello.Sh DESCRIPTION
57a508b2a6SChris CostelloThe
58a508b2a6SChris Costello.Nm
59a508b2a6SChris Costellopolicy allows administrators to administratively limit binding to
60bc9a9cb4SRuslan Ermilovlocal
61bc9a9cb4SRuslan Ermilov.Tn UDP
62bc9a9cb4SRuslan Ermilovand
63bc9a9cb4SRuslan Ermilov.Tn TCP
64bc9a9cb4SRuslan Ermilovports via the
65a508b2a6SChris Costello.Xr sysctl 8
66a508b2a6SChris Costellointerface.
67a508b2a6SChris Costello.Pp
68a508b2a6SChris CostelloIn order to enable the
69a508b2a6SChris Costello.Nm
70a508b2a6SChris Costellopolicy, MAC policy must be enforced on sockets
71a508b2a6SChris Costello(see
72a508b2a6SChris Costello.Xr mac 4 ) ,
73a508b2a6SChris Costelloand the port(s) protected by
74a508b2a6SChris Costello.Nm
75a508b2a6SChris Costellomust not be included in the range specified by
76a508b2a6SChris Costellothe
77a508b2a6SChris Costello.Va net.inet.ip.portrange.reservedlow
78a508b2a6SChris Costelloand
79a508b2a6SChris Costello.Va net.inet.ip.portrange.reservedhigh
80a508b2a6SChris Costello.Xr sysctl 8
81a508b2a6SChris CostelloMIBs.
82d0411883SSimon L. B. Nielsen.Pp
83d0411883SSimon L. B. NielsenThe
84d0411883SSimon L. B. Nielsen.Nm
85d0411883SSimon L. B. Nielsenpolicy only affects ports explicitly bound by a user process (either
86d0411883SSimon L. B. Nielsenfor a listen/outgoing
87d0411883SSimon L. B. Nielsen.Tn TCP
88d0411883SSimon L. B. Nielsensocket, or a send/receive
89d0411883SSimon L. B. Nielsen.Tn UDP
90d0411883SSimon L. B. Nielsensocket).
91d0411883SSimon L. B. NielsenThis policy will not limit ports bound implicitly for outgoing
92d0411883SSimon L. B. Nielsenconnections where the process has not explicitly selected a port:
93d0411883SSimon L. B. Nielsenthese are automatically selected by the IP stack.
94d0411883SSimon L. B. Nielsen.Pp
95d0411883SSimon L. B. NielsenWhen
96d0411883SSimon L. B. Nielsen.Nm
97bf7f20c2SRuslan Ermilovis enabled, it will control binding access to ports up to the port
98d0411883SSimon L. B. Nielsennumber set in the
99d0411883SSimon L. B. Nielsen.Va security.mac.portacl.port_high
100a508b2a6SChris Costello.Xr sysctl 8
101d0411883SSimon L. B. Nielsenvariable.
102bf7f20c2SRuslan ErmilovBy default, all attempts to bind to
103d0411883SSimon L. B. Nielsen.Nm
104d0411883SSimon L. B. Nielsencontrolled ports will fail if not explicitly allowed by the port
105d0411883SSimon L. B. Nielsenaccess control list, though binding by the superuser will be allowed,
106d0411883SSimon L. B. Nielsenif the
107d0411883SSimon L. B. Nielsen.Xr sysctl 8
108d0411883SSimon L. B. Nielsenvariable
109d0411883SSimon L. B. Nielsen.Va security.mac.portacl.suser_exempt
110d0411883SSimon L. B. Nielsenis set to a non-zero value.
111d0411883SSimon L. B. Nielsen.Ss Runtime Configuration
112d0411883SSimon L. B. NielsenThe following
113d0411883SSimon L. B. Nielsen.Xr sysctl 8
114d0411883SSimon L. B. NielsenMIBs are available for fine-tuning the enforcement of this MAC policy.
115d0411883SSimon L. B. NielsenAll
116d0411883SSimon L. B. Nielsen.Xr sysctl 8
117d0411883SSimon L. B. Nielsenvariables, except
118d0411883SSimon L. B. Nielsen.Va security.mac.portacl.rules ,
119d0411883SSimon L. B. Nielsencan also be set as
120d0411883SSimon L. B. Nielsen.Xr loader 8
121d0411883SSimon L. B. Nielsentunables in
122d0411883SSimon L. B. Nielsen.Xr loader.conf 5 .
123d0411883SSimon L. B. Nielsen.Bl -tag -width indent
124d0411883SSimon L. B. Nielsen.It Va security.mac.portacl.enabled
125d0411883SSimon L. B. NielsenEnforce the
126d0411883SSimon L. B. Nielsen.Nm
127d0411883SSimon L. B. Nielsenpolicy.
128d0411883SSimon L. B. Nielsen(Default: 1).
129d0411883SSimon L. B. Nielsen.It Va security.mac.portacl.port_high
130d0411883SSimon L. B. NielsenThe highest port number
131d0411883SSimon L. B. Nielsen.Nm
132d0411883SSimon L. B. Nielsenwill enforce rules for.
133d0411883SSimon L. B. Nielsen(Default: 1023).
134d0411883SSimon L. B. Nielsen.It Va security.mac.portacl.rules
135da2fa159SRuslan ErmilovThe port access control list is specified in the following format:
136a508b2a6SChris Costello.Pp
137a508b2a6SChris Costello.Sm off
138ae045148SRuslan Ermilov.D1 Ar idtype : id : protocol : port Op , Ar idtype : id : protocol : port , ...
139a508b2a6SChris Costello.Sm on
140bc9a9cb4SRuslan Ermilov.Bl -tag -width ".Ar protocol"
141bc9a9cb4SRuslan Ermilov.It Ar idtype
142a508b2a6SChris CostelloDescribes the type of subject match to be performed.
143a508b2a6SChris CostelloEither
144a508b2a6SChris Costello.Li uid
145bc9a9cb4SRuslan Ermilovfor user ID matching, or
146a508b2a6SChris Costello.Li gid
147a508b2a6SChris Costellofor group ID matching.
148bc9a9cb4SRuslan Ermilov.It Ar id
149a508b2a6SChris CostelloThe user or group ID (depending on
150bc9a9cb4SRuslan Ermilov.Ar idtype )
151a508b2a6SChris Costelloallowed to bind to the specified port.
152a508b2a6SChris Costello.Bf -emphasis
153a508b2a6SChris CostelloNOTE: User and group names are not valid; only the actual ID numbers
154a508b2a6SChris Costellomay be used.
155a508b2a6SChris Costello.Ef
156bc9a9cb4SRuslan Ermilov.It Ar protocol
157a508b2a6SChris CostelloDescribes which protocol this entry applies to.
158a508b2a6SChris CostelloEither
159a508b2a6SChris Costello.Li tcp
160a508b2a6SChris Costelloor
161a508b2a6SChris Costello.Li udp
162a508b2a6SChris Costelloare supported.
163bc9a9cb4SRuslan Ermilov.It Ar port
164a508b2a6SChris CostelloDescribes which port this entry applies to.
165a508b2a6SChris Costello.Bf -emphasis
166a508b2a6SChris CostelloNOTE: MAC security policies may not override other security system policies
167a508b2a6SChris Costelloby allowing accesses that they may deny, such as
168a508b2a6SChris Costello.Va net.inet.ip.portrange.reservedlow /
169a508b2a6SChris Costello.Va net.inet.ip.portrange.reservedhigh .
170a508b2a6SChris Costello.Ef
171a508b2a6SChris CostelloIf the specified port falls within the range specified, the
172a508b2a6SChris Costello.Nm
173a508b2a6SChris Costelloentry will not function
174bc9a9cb4SRuslan Ermilov(i.e., even the specified user/group may not be able to bind to the specified
175a508b2a6SChris Costelloport).
176a508b2a6SChris Costello.El
177d0411883SSimon L. B. Nielsen.It Va security.mac.portacl.suser_exempt
178bf7f20c2SRuslan ErmilovAllow superuser (i.e., root) to bind to all
179d0411883SSimon L. B. Nielsen.Nm
180d0411883SSimon L. B. Nielsenprotected ports, even if the port access control list does not
181d0411883SSimon L. B. Nielsenexplicitly allow this.
182d0411883SSimon L. B. Nielsen(Default: 1).
183bb87c379STom Rhodes.It Va security.mac.portacl.autoport_exempt
184bb87c379STom RhodesAllow applications to use automatic binding to port 0.
18528c9aae1STom RhodesApplications use port 0 as a request for automatic port allocation when
18628c9aae1STom Rhodesbinding an IP address to a socket.
18728c9aae1STom RhodesThis tunable will exempt port 0 allocation from rule checking.
188da2fa159SRuslan Ermilov(Default: 1).
189d0411883SSimon L. B. Nielsen.El
190a508b2a6SChris Costello.Sh SEE ALSO
191a508b2a6SChris Costello.Xr mac 3 ,
192d0411883SSimon L. B. Nielsen.Xr ip 4 ,
193a508b2a6SChris Costello.Xr mac_biba 4 ,
194a508b2a6SChris Costello.Xr mac_bsdextended 4 ,
195*287d467cSMitchell Horne.Xr mac_ddb 4 ,
196a508b2a6SChris Costello.Xr mac_ifoff 4 ,
197a508b2a6SChris Costello.Xr mac_mls 4 ,
198a508b2a6SChris Costello.Xr mac_none 4 ,
199a508b2a6SChris Costello.Xr mac_partition 4 ,
200a508b2a6SChris Costello.Xr mac_seeotheruids 4 ,
201a508b2a6SChris Costello.Xr mac_test 4 ,
202a508b2a6SChris Costello.Xr mac 9
203a508b2a6SChris Costello.Sh HISTORY
204a508b2a6SChris CostelloMAC first appeared in
205d0411883SSimon L. B. Nielsen.Fx 5.0
206d0411883SSimon L. B. Nielsenand
207d0411883SSimon L. B. Nielsen.Nm
208d0411883SSimon L. B. Nielsenfirst appeared in
209d0411883SSimon L. B. Nielsen.Fx 5.1 .
210a508b2a6SChris Costello.Sh AUTHORS
211a508b2a6SChris CostelloThis software was contributed to the
212a508b2a6SChris Costello.Fx
213a508b2a6SChris CostelloProject by NAI Labs, the Security Research Division of Network Associates
2145203edcdSRuslan ErmilovInc.\& under DARPA/SPAWAR contract N66001-01-C-8035
215bc9a9cb4SRuslan Ermilov.Pq Dq CBOSS ,
216a508b2a6SChris Costelloas part of the DARPA CHATS research program.
217