.\" Copyright (c) 2003 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project by Chris Costello
.\" at Safeport Network Services and Network Associates Labs, the
.\" Security Research Division of Network Associates, Inc. under
.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
.\" DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd December 9, 2004
.Dt MAC_PORTACL 4
.Os
.Sh NAME
.Nm mac_portacl
.Nd "network port access control policy"
.Sh SYNOPSIS
To compile the port access control policy into your kernel,
place the following lines in your kernel
configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Cd "options MAC_PORTACL"
.Ed
.Pp
Alternatively, to load the port access control policy module at boot time,
place the following line in your kernel configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Ed
.Pp
and in
.Xr loader.conf 5 :
.Pp
.Dl "mac_portacl_load=""YES"""
.Sh DESCRIPTION
The
.Nm
policy allows administrators to limit binding to
local
.Tn UDP
and
.Tn TCP
ports via the
.Xr sysctl 8
interface.
.Pp
In order to enable the
.Nm
policy, MAC policy must be enforced on sockets
(see
.Xr mac 4 ) ,
and the port(s) protected by
.Nm
must not be included in the range specified by
the
.Va net.inet.ip.portrange.reservedlow
and
.Va net.inet.ip.portrange.reservedhigh
.Xr sysctl 8
MIBs.
.Pp
The
.Nm
policy only affects ports explicitly bound by a user process (either
for a listen/outgoing
.Tn TCP
socket, or a send/receive
.Tn UDP
socket).
This policy will not limit ports bound implicitly for outgoing
connections where the process has not explicitly selected a port:
these are automatically selected by the IP stack.
.Pp
When
.Nm
is enabled, it will control binding access to ports up to the port
number set in the
.Va security.mac.portacl.port_high
.Xr sysctl 8
variable.
By default, all attempts to bind to
.Nm
controlled ports will fail if not explicitly allowed by the port
access control list, though binding by the superuser will be allowed
if the
.Xr sysctl 8
variable
.Va security.mac.portacl.suser_exempt
is set to a non-zero value.
.Ss Runtime Configuration
The following
.Xr sysctl 8
MIBs are available for fine-tuning the enforcement of this MAC policy.
All
.Xr sysctl 8
variables, except
.Va security.mac.portacl.rules ,
can also be set as
.Xr loader 8
tunables in
.Xr loader.conf 5 .
.Bl -tag -width indent
.It Va security.mac.portacl.enabled
Enforce the
.Nm
policy.
(Default: 1).
.It Va security.mac.portacl.port_high
The highest port number
.Nm
will enforce rules for.
(Default: 1023).
.It Va security.mac.portacl.rules
The port access control list is specified in the following format:
.Pp
.Sm off
.D1 Ar idtype : id : protocol : port Op , Ar idtype : id : protocol : port , ...
.Sm on
.Bl -tag -width ".Ar protocol"
.It Ar idtype
Describes the type of subject match to be performed.
Either
.Li uid
for user ID matching, or
.Li gid
for group ID matching.
.It Ar id
The user or group ID (depending on
.Ar idtype )
allowed to bind to the specified port.
.Bf -emphasis
NOTE: User and group names are not valid; only the actual ID numbers
may be used.
.Ef
.It Ar protocol
Describes which protocol this entry applies to.
Either
.Li tcp
or
.Li udp
is supported.
.It Ar port
Describes which port this entry applies to.
.Bf -emphasis
NOTE: MAC security policies may not override other security system policies
by allowing accesses that they may deny, such as
.Va net.inet.ip.portrange.reservedlow /
.Va net.inet.ip.portrange.reservedhigh .
.Ef
If the specified port falls within that reserved range, the
.Nm
entry will not function
(i.e., even the specified user/group may not be able to bind to the specified
port).
.El
.It Va security.mac.portacl.suser_exempt
Allow the superuser (i.e., root) to bind to all
.Nm
protected ports, even if the port access control list does not
explicitly allow this.
(Default: 1).
.It Va security.mac.portacl.autoport_exempt
Allow applications to use automatic binding to port 0.
Applications use port 0 as a request for automatic port allocation when
binding an IP address to a socket.
This tunable exempts port 0 allocation from rule checking.
(Default: 1).
.El
.Sh SEE ALSO
.Xr mac 3 ,
.Xr ip 4 ,
.Xr mac_biba 4 ,
.Xr mac_bsdextended 4 ,
.Xr mac_ddb 4 ,
.Xr mac_ifoff 4 ,
.Xr mac_mls 4 ,
.Xr mac_none 4 ,
.Xr mac_partition 4 ,
.Xr mac_seeotheruids 4 ,
.Xr mac_test 4 ,
.Xr mac 9
.Sh HISTORY
MAC first appeared in
.Fx 5.0
and
.Nm
first appeared in
.Fx 5.1 .
.Sh AUTHORS
This software was contributed to the
.Fx
Project by NAI Labs, the Security Research Division of Network Associates
Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.
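The rules syntax and the bind-time checks this page documents (port_high, suser_exempt, autoport_exempt, and the reservedlow/reservedhigh caveat), modelled in Python as an added example that is not FreeBSD kernel code. PortaclConfig, parse_rules and may_bind are names chosen for this illustration; the sysctl defaults in the comments come from this page, and the reservedlow/reservedhigh defaults of 0 and 1023 are the stock FreeBSD values.

```python
# Added illustration, not FreeBSD kernel code: a model of the bind decision
# that mac_portacl(4) documents, including the caveats the page lists.
from dataclasses import dataclass
from typing import List, Sequence, Tuple

@dataclass
class PortaclConfig:
    rules: str                 # security.mac.portacl.rules
    enabled: int = 1           # security.mac.portacl.enabled
    port_high: int = 1023      # security.mac.portacl.port_high
    suser_exempt: int = 1      # security.mac.portacl.suser_exempt
    autoport_exempt: int = 1   # security.mac.portacl.autoport_exempt
    reservedlow: int = 0       # net.inet.ip.portrange.reservedlow
    reservedhigh: int = 1023   # net.inet.ip.portrange.reservedhigh

def parse_rules(rules: str) -> List[Tuple[str, int, str, int]]:
    """Parse 'idtype:id:protocol:port[,...]'; only numeric IDs are valid."""
    parsed = []
    for entry in filter(None, rules.split(",")):
        fields = entry.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed entry {entry!r}: expected 4 fields")
        idtype, ident, proto, port = fields
        if idtype not in ("uid", "gid") or proto not in ("tcp", "udp"):
            raise ValueError(f"bad idtype or protocol in {entry!r}")
        if not (ident.isdigit() and port.isdigit()):
            raise ValueError(f"names are not valid, use numeric IDs: {entry!r}")
        parsed.append((idtype, int(ident), proto, int(port)))
    return parsed

def may_bind(cfg: PortaclConfig, uid: int, gids: Sequence[int],
             proto: str, port: int) -> bool:
    """True if an explicit bind() to (proto, port) by uid/gids is permitted."""
    # The IP stack's reserved-port check applies regardless of MAC, so an
    # entry for a port inside reservedlow..reservedhigh cannot help non-root.
    if port != 0 and cfg.reservedlow <= port <= cfg.reservedhigh and uid != 0:
        return False
    if not cfg.enabled or port > cfg.port_high:
        return True            # outside the policy's scope
    if port == 0 and cfg.autoport_exempt:
        return True            # automatic port allocation is exempt
    if uid == 0 and cfg.suser_exempt:
        return True
    for idtype, ident, rproto, rport in parse_rules(cfg.rules):
        if rproto == proto and rport == port and (
                (idtype == "uid" and ident == uid) or
                (idtype == "gid" and ident in gids)):
            return True
    return False               # default deny for controlled ports
```

With the stock reservedhigh of 1023 a rule for port 80 never takes effect for a non-root process, which is why the page requires the protected ports to be moved out of the reserved range first.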