1a508b2a6SChris Costello.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2a508b2a6SChris Costello.\" All rights reserved. 3a508b2a6SChris Costello.\" 4a508b2a6SChris Costello.\" This software was developed for the FreeBSD Project by Chris Costello 5a508b2a6SChris Costello.\" at Safeport Network Services and Network Associates Labs, the 6a508b2a6SChris Costello.\" Security Research Division of Network Associates, Inc. under 7a508b2a6SChris Costello.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8a508b2a6SChris Costello.\" DARPA CHATS research program. 9a508b2a6SChris Costello.\" 10a508b2a6SChris Costello.\" Redistribution and use in source and binary forms, with or without 11a508b2a6SChris Costello.\" modification, are permitted provided that the following conditions 12a508b2a6SChris Costello.\" are met: 13a508b2a6SChris Costello.\" 1. Redistributions of source code must retain the above copyright 14a508b2a6SChris Costello.\" notice, this list of conditions and the following disclaimer. 15a508b2a6SChris Costello.\" 2. Redistributions in binary form must reproduce the above copyright 16a508b2a6SChris Costello.\" notice, this list of conditions and the following disclaimer in the 17a508b2a6SChris Costello.\" documentation and/or other materials provided with the distribution. 18a508b2a6SChris Costello.\" 19a508b2a6SChris Costello.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20a508b2a6SChris Costello.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21a508b2a6SChris Costello.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22a508b2a6SChris Costello.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23a508b2a6SChris Costello.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24a508b2a6SChris Costello.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25a508b2a6SChris Costello.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26a508b2a6SChris Costello.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27a508b2a6SChris Costello.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28a508b2a6SChris Costello.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29a508b2a6SChris Costello.\" SUCH DAMAGE. 30a508b2a6SChris Costello.\" 31a508b2a6SChris Costello.\" $FreeBSD$ 32bc9a9cb4SRuslan Ermilov.\" 33d0411883SSimon L. B. Nielsen.Dd February 13, 2004 34a508b2a6SChris Costello.Dt MAC_PORTACL 4 35bc9a9cb4SRuslan Ermilov.Os 36a508b2a6SChris Costello.Sh NAME 37a508b2a6SChris Costello.Nm mac_portacl 38d0411883SSimon L. B. Nielsen.Nd "network port access control policy" 39a508b2a6SChris Costello.Sh SYNOPSIS 40a508b2a6SChris CostelloTo compile the port access control policy into your kernel, 41a508b2a6SChris Costelloplace the following lines in your kernel 42a508b2a6SChris Costelloconfiguration file: 43bc9a9cb4SRuslan Ermilov.Bd -ragged -offset indent 44a508b2a6SChris Costello.Cd "options MAC" 45a508b2a6SChris Costello.Cd "options MAC_PORTACL" 46bc9a9cb4SRuslan Ermilov.Ed 47a508b2a6SChris Costello.Pp 48a508b2a6SChris CostelloAlternately, to load the port access control policy module at boot time, 49a508b2a6SChris Costelloplace the following line in your kernel configuration file: 50bc9a9cb4SRuslan Ermilov.Bd -ragged -offset indent 51a508b2a6SChris Costello.Cd "options MAC" 52bc9a9cb4SRuslan Ermilov.Ed 53a508b2a6SChris Costello.Pp 54a508b2a6SChris Costelloand in 55a508b2a6SChris Costello.Xr loader.conf 5 : 56bc9a9cb4SRuslan Ermilov.Pp 57bc9a9cb4SRuslan Ermilov.Dl "mac_portacl_load=""YES""" 58a508b2a6SChris Costello.Sh DESCRIPTION 59a508b2a6SChris CostelloThe 60a508b2a6SChris Costello.Nm 61a508b2a6SChris Costellopolicy allows administrators to administratively limit binding to 62bc9a9cb4SRuslan Ermilovlocal 63bc9a9cb4SRuslan Ermilov.Tn UDP 64bc9a9cb4SRuslan Ermilovand 65bc9a9cb4SRuslan Ermilov.Tn TCP 66bc9a9cb4SRuslan Ermilovports via the 67a508b2a6SChris Costello.Xr sysctl 8 68a508b2a6SChris Costellointerface. 69a508b2a6SChris Costello.Pp 70a508b2a6SChris CostelloIn order to enable the 71a508b2a6SChris Costello.Nm 72a508b2a6SChris Costellopolicy, MAC policy must be enforced on sockets 73a508b2a6SChris Costello(see 74a508b2a6SChris Costello.Xr mac 4 ) , 75a508b2a6SChris Costelloand the port(s) protected by 76a508b2a6SChris Costello.Nm 77a508b2a6SChris Costellomust not be included in the range specified by 78a508b2a6SChris Costellothe 79a508b2a6SChris Costello.Va net.inet.ip.portrange.reservedlow 80a508b2a6SChris Costelloand 81a508b2a6SChris Costello.Va net.inet.ip.portrange.reservedhigh 82a508b2a6SChris Costello.Xr sysctl 8 83a508b2a6SChris CostelloMIBs. 84d0411883SSimon L. B. Nielsen.Pp 85d0411883SSimon L. B. NielsenThe 86d0411883SSimon L. B. Nielsen.Nm 87d0411883SSimon L. B. Nielsenpolicy only affects ports explicitly bound by a user process (either 88d0411883SSimon L. B. Nielsenfor a listen/outgoing 89d0411883SSimon L. B. Nielsen.Tn TCP 90d0411883SSimon L. B. Nielsensocket, or a send/receive 91d0411883SSimon L. B. Nielsen.Tn UDP 92d0411883SSimon L. B. Nielsensocket). 93d0411883SSimon L. B. NielsenThis policy will not limit ports bound implicitly for outgoing 94d0411883SSimon L. B. Nielsenconnections where the process has not explicitly selected a port: 95d0411883SSimon L. B. Nielsenthese are automatically selected by the IP stack. 96d0411883SSimon L. B. Nielsen.Pp 97d0411883SSimon L. B. NielsenWhen 98d0411883SSimon L. B. Nielsen.Nm 99bf7f20c2SRuslan Ermilovis enabled, it will control binding access to ports up to the port 100d0411883SSimon L. B. Nielsennumber set in the 101d0411883SSimon L. B. Nielsen.Va security.mac.portacl.port_high 102a508b2a6SChris Costello.Xr sysctl 8 103d0411883SSimon L. B. Nielsenvariable. 104bf7f20c2SRuslan ErmilovBy default, all attempts to bind to 105d0411883SSimon L. B. Nielsen.Nm 106d0411883SSimon L. B. Nielsencontrolled ports will fail if not explicitly allowed by the port 107d0411883SSimon L. B. Nielsenaccess control list, though binding by the superuser will be allowed, 108d0411883SSimon L. B. Nielsenif the 109d0411883SSimon L. B. Nielsen.Xr sysctl 8 110d0411883SSimon L. B. Nielsenvariable 111d0411883SSimon L. B. Nielsen.Va security.mac.portacl.suser_exempt 112d0411883SSimon L. B. Nielsenis set to a non-zero value. 113d0411883SSimon L. B. Nielsen.Ss Runtime Configuration 114d0411883SSimon L. B. NielsenThe following 115d0411883SSimon L. B. Nielsen.Xr sysctl 8 116d0411883SSimon L. B. NielsenMIBs are available for fine-tuning the enforcement of this MAC policy. 117d0411883SSimon L. B. NielsenAll 118d0411883SSimon L. B. Nielsen.Xr sysctl 8 119d0411883SSimon L. B. Nielsenvariables, except 120d0411883SSimon L. B. Nielsen.Va security.mac.portacl.rules , 121d0411883SSimon L. B. Nielsencan also be set as 122d0411883SSimon L. B. Nielsen.Xr loader 8 123d0411883SSimon L. B. Nielsentunables in 124d0411883SSimon L. B. Nielsen.Xr loader.conf 5 . 125d0411883SSimon L. B. Nielsen.Bl -tag -width indent 126d0411883SSimon L. B. Nielsen.It Va security.mac.portacl.enabled 127d0411883SSimon L. B. NielsenEnforce the 128d0411883SSimon L. B. Nielsen.Nm 129d0411883SSimon L. B. Nielsenpolicy. 130d0411883SSimon L. B. Nielsen(Default: 1). 131d0411883SSimon L. B. Nielsen.It Va security.mac.portacl.port_high 132d0411883SSimon L. B. NielsenThe highest port number 133d0411883SSimon L. B. Nielsen.Nm 134d0411883SSimon L. B. Nielsenwill enforce rules for. 135d0411883SSimon L. B. Nielsen(Default: 1023). 136d0411883SSimon L. B. Nielsen.It Va security.mac.portacl.rules 137d0411883SSimon L. B. NielsenThe port access control list is specified in the the following format: 138a508b2a6SChris Costello.Pp 139a508b2a6SChris Costello.Sm off 140a508b2a6SChris Costello.Bd -literal -offset indent 141bc9a9cb4SRuslan Ermilov.Ar idtype 142a508b2a6SChris Costello.Li : 143bc9a9cb4SRuslan Ermilov.Ar id 144a508b2a6SChris Costello.Li : 145bc9a9cb4SRuslan Ermilov.Ar protocol 146a508b2a6SChris Costello.Li : 147bc9a9cb4SRuslan Ermilov.Ar port 148bc9a9cb4SRuslan Ermilov.Oo 149bc9a9cb4SRuslan Ermilov.Li , 150bc9a9cb4SRuslan Ermilov.Ar idtype 151a508b2a6SChris Costello.Li : 152bc9a9cb4SRuslan Ermilov.Ar id 153a508b2a6SChris Costello.Li : 154bc9a9cb4SRuslan Ermilov.Ar protocol 155a508b2a6SChris Costello.Li : 156bc9a9cb4SRuslan Ermilov.Ar port 157bc9a9cb4SRuslan Ermilov.Li , 158bc9a9cb4SRuslan Ermilov.Ar ... 159bc9a9cb4SRuslan Ermilov.Oc 160a508b2a6SChris Costello.Ed 161a508b2a6SChris Costello.Sm on 162a508b2a6SChris Costello.Pp 163bc9a9cb4SRuslan Ermilov.Bl -tag -width ".Ar protocol" 164bc9a9cb4SRuslan Ermilov.It Ar idtype 165a508b2a6SChris CostelloDescribes the type of subject match to be performed. 166a508b2a6SChris CostelloEither 167a508b2a6SChris Costello.Li uid 168bc9a9cb4SRuslan Ermilovfor user ID matching, or 169a508b2a6SChris Costello.Li gid 170a508b2a6SChris Costellofor group ID matching. 171bc9a9cb4SRuslan Ermilov.It Ar id 172a508b2a6SChris CostelloThe user or group ID (depending on 173bc9a9cb4SRuslan Ermilov.Ar idtype ) 174a508b2a6SChris Costelloallowed to bind to the specified port. 175a508b2a6SChris Costello.Bf -emphasis 176a508b2a6SChris CostelloNOTE: User and group names are not valid; only the actual ID numbers 177a508b2a6SChris Costellomay be used. 178a508b2a6SChris Costello.Ef 179bc9a9cb4SRuslan Ermilov.It Ar protocol 180a508b2a6SChris CostelloDescribes which protocol this entry applies to. 181a508b2a6SChris CostelloEither 182a508b2a6SChris Costello.Li tcp 183a508b2a6SChris Costelloor 184a508b2a6SChris Costello.Li udp 185a508b2a6SChris Costelloare supported. 186bc9a9cb4SRuslan Ermilov.It Ar port 187a508b2a6SChris CostelloDescribes which port this entry applies to. 188a508b2a6SChris Costello.Bf -emphasis 189a508b2a6SChris CostelloNOTE: MAC security policies may not override other security system policies 190a508b2a6SChris Costelloby allowing accesses that they may deny, such as 191a508b2a6SChris Costello.Va net.inet.ip.portrange.reservedlow / 192a508b2a6SChris Costello.Va net.inet.ip.portrange.reservedhigh . 193a508b2a6SChris Costello.Ef 194a508b2a6SChris CostelloIf the specified port falls within the range specified, the 195a508b2a6SChris Costello.Nm 196a508b2a6SChris Costelloentry will not function 197bc9a9cb4SRuslan Ermilov(i.e., even the specified user/group may not be able to bind to the specified 198a508b2a6SChris Costelloport). 199a508b2a6SChris Costello.El 200d0411883SSimon L. B. Nielsen.It Va security.mac.portacl.suser_exempt 201bf7f20c2SRuslan ErmilovAllow superuser (i.e., root) to bind to all 202d0411883SSimon L. B. Nielsen.Nm 203d0411883SSimon L. B. Nielsenprotected ports, even if the port access control list does not 204d0411883SSimon L. B. Nielsenexplicitly allow this. 205d0411883SSimon L. B. Nielsen(Default: 1). 206bb87c379STom Rhodes.It Va security.mac.portacl.autoport_exempt 207bb87c379STom RhodesAllow applications to use automatic binding to port 0. 208bb87c379STom RhodesOften applications will use port 0 as a request for 209bb87c379STom Rhodesautomatic port allocation before binding an IP address to 210bb87c379STom Rhodesa socket. This tunable will exempt port 0 allocation from 211bb87c379STom Rhodesrule checking when a low port is required and 212bb87c379STom Rhodes.Dv IP_PORTRANGELOW 213bb87c379STom Rhodesis set to a value above 1. 214d0411883SSimon L. B. Nielsen.El 215a508b2a6SChris Costello.Sh SEE ALSO 216a508b2a6SChris Costello.Xr mac 3 , 217d0411883SSimon L. B. Nielsen.Xr ip 4 , 218a508b2a6SChris Costello.Xr mac_biba 4 , 219a508b2a6SChris Costello.Xr mac_bsdextended 4 , 220a508b2a6SChris Costello.Xr mac_ifoff 4 , 221a508b2a6SChris Costello.Xr mac_mls 4 , 222a508b2a6SChris Costello.Xr mac_none 4 , 223a508b2a6SChris Costello.Xr mac_partition 4 , 224a508b2a6SChris Costello.Xr mac_seeotheruids 4 , 225a508b2a6SChris Costello.Xr mac_test 4 , 226a508b2a6SChris Costello.Xr mac 9 227a508b2a6SChris Costello.Sh HISTORY 228a508b2a6SChris CostelloMAC first appeared in 229d0411883SSimon L. B. Nielsen.Fx 5.0 230d0411883SSimon L. B. Nielsenand 231d0411883SSimon L. B. Nielsen.Nm 232d0411883SSimon L. B. Nielsenfirst appeared in 233d0411883SSimon L. B. Nielsen.Fx 5.1 . 234a508b2a6SChris Costello.Sh AUTHORS 235a508b2a6SChris CostelloThis software was contributed to the 236a508b2a6SChris Costello.Fx 237a508b2a6SChris CostelloProject by NAI Labs, the Security Research Division of Network Associates 2385203edcdSRuslan ErmilovInc.\& under DARPA/SPAWAR contract N66001-01-C-8035 239bc9a9cb4SRuslan Ermilov.Pq Dq CBOSS , 240a508b2a6SChris Costelloas part of the DARPA CHATS research program. 241