xref: /freebsd/share/man/man4/mac_portacl.4 (revision bb87c3794781abee9042b91c98c27ed8bdcfd369)
.\" Copyright (c) 2003 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project by Chris Costello
.\" at Safeport Network Services and Network Associates Labs, the
.\" Security Research Division of Network Associates, Inc. under
.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
.\" DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd February 13, 2004
.Dt MAC_PORTACL 4
.Os
.Sh NAME
.Nm mac_portacl
.Nd "network port access control policy"
.Sh SYNOPSIS
To compile the port access control policy into your kernel,
place the following lines in your kernel
configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Cd "options MAC_PORTACL"
.Ed
.Pp
Alternately, to load the port access control policy module at boot time,
place the following line in your kernel configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Ed
.Pp
and in
.Xr loader.conf 5 :
.Pp
.Dl "mac_portacl_load=""YES"""
.Sh DESCRIPTION
The
.Nm
policy allows administrators to limit binding to
local
.Tn UDP
and
.Tn TCP
ports via the
.Xr sysctl 8
interface.
.Pp
In order to enable the
.Nm
policy, MAC policy must be enforced on sockets
(see
.Xr mac 4 ) ,
and the port(s) protected by
.Nm
must not be included in the range specified by
the
.Va net.inet.ip.portrange.reservedlow
and
.Va net.inet.ip.portrange.reservedhigh
.Xr sysctl 8
MIBs.
.Pp
The
.Nm
policy only affects ports explicitly bound by a user process (either
for a listen/outgoing
.Tn TCP
socket, or a send/receive
.Tn UDP
socket).
This policy will not limit ports bound implicitly for outgoing
connections where the process has not explicitly selected a port:
these are automatically selected by the IP stack.
.Pp
When
.Nm
is enabled, it will control binding access to ports up to the port
number set in the
.Va security.mac.portacl.port_high
.Xr sysctl 8
variable.
By default, all attempts to bind to
.Nm
controlled ports will fail if not explicitly allowed by the port
access control list, though binding by the superuser will be allowed,
if the
.Xr sysctl 8
variable
.Va security.mac.portacl.suser_exempt
is set to a non-zero value.
.Ss Runtime Configuration
The following
.Xr sysctl 8
MIBs are available for fine-tuning the enforcement of this MAC policy.
All
.Xr sysctl 8
variables, except
.Va security.mac.portacl.rules ,
can also be set as
.Xr loader 8
tunables in
.Xr loader.conf 5 .
.Bl -tag -width indent
.It Va security.mac.portacl.enabled
Enforce the
.Nm
policy.
(Default: 1).
.It Va security.mac.portacl.port_high
The highest port number
.Nm
will enforce rules for.
(Default: 1023).
.It Va security.mac.portacl.rules
The port access control list is specified in the following format:
.Pp
.Sm off
.Bd -literal -offset indent
.Ar idtype
.Li :
.Ar id
.Li :
.Ar protocol
.Li :
.Ar port
.Oo
.Li ,
.Ar idtype
.Li :
.Ar id
.Li :
.Ar protocol
.Li :
.Ar port
.Li ,
.Ar ...
.Oc
.Ed
.Sm on
.Pp
.Bl -tag -width ".Ar protocol"
.It Ar idtype
Describes the type of subject match to be performed.
Either
.Li uid
for user ID matching, or
.Li gid
for group ID matching.
.It Ar id
The user or group ID (depending on
.Ar idtype )
allowed to bind to the specified port.
.Bf -emphasis
NOTE: User and group names are not valid; only the actual ID numbers
may be used.
.Ef
.It Ar protocol
Describes which protocol this entry applies to.
Either
.Li tcp
or
.Li udp
is supported.
.It Ar port
Describes which port this entry applies to.
.Bf -emphasis
NOTE: MAC security policies may not override other security system policies
by allowing accesses that they may deny, such as
.Va net.inet.ip.portrange.reservedlow /
.Va net.inet.ip.portrange.reservedhigh .
.Ef
If the specified port falls within the range specified, the
.Nm
entry will not function
(i.e., even the specified user/group may not be able to bind to the specified
port).
.El
.It Va security.mac.portacl.suser_exempt
Allow superuser (i.e., root) to bind to all
.Nm
protected ports, even if the port access control list does not
explicitly allow this.
(Default: 1).
.It Va security.mac.portacl.autoport_exempt
Allow applications to use automatic binding to port 0.
Often applications will use port 0 as a request for
automatic port allocation before binding an IP address to
a socket.  This tunable will exempt port 0 allocation from
rule checking when a low port is required and
.Dv IP_PORTRANGELOW
is set to a value above 1.
.El
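A small linter for the rule list described above, added here as an example and not part of the manual page or the mac_portacl sources. It checks each idtype:id:protocol:port entry against the constraints the page states (numeric IDs only, tcp or udp, a port no higher than security.mac.portacl.port_high and outside the net.inet.ip.portrange.reservedlow/reservedhigh range) and then prints the sysctl.conf lines that apply the list; the function names, the argument passing of the kernel values, and the 0-0 reserved range are assumptions.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD manual page or the mac_portacl code.
# The kernel values (port_high, reservedlow, reservedhigh) are passed as
# arguments so the check runs on any host, not only one with the module loaded.

# portacl_check_rules RULES PORT_HIGH RESERVEDLOW RESERVEDHIGH
# Returns 0 only if every entry is well formed and would actually be enforced.
portacl_check_rules() {
    rules=$1 port_high=$2 rlow=$3 rhigh=$4 status=0
    oldifs=$IFS; IFS=,; set -f
    set -- $rules                     # split the list on commas, no globbing
    IFS=$oldifs; set +f
    for entry in "$@"; do
        idtype=${entry%%:*}; rest=${entry#*:}
        id=${rest%%:*};      rest=${rest#*:}
        proto=${rest%%:*};   port=${rest#*:}
        case $idtype in uid|gid) ;;
            *) echo "bad idtype '$idtype' (want uid or gid): $entry"; status=1 ;; esac
        # user and group names are not valid: the id must be the numeric uid/gid
        case $id in ''|*[!0-9]*) echo "id must be numeric: $entry"; status=1 ;; esac
        case $proto in tcp|udp) ;;
            *) echo "bad protocol '$proto' (want tcp or udp): $entry"; status=1 ;; esac
        case $port in ''|*[!0-9]*) echo "port must be numeric: $entry"; status=1; continue ;; esac
        if [ "$port" -gt "$port_high" ]; then
            echo "port $port is above port_high=$port_high, not controlled: $entry"; status=1
        elif [ "$port" -ge "$rlow" ] && [ "$port" -le "$rhigh" ]; then
            echo "port $port lies in reserved range $rlow-$rhigh, entry will not function: $entry"; status=1
        fi
    done
    return $status
}

# portacl_sysctl_conf RULES: print /etc/sysctl.conf lines. rules cannot be a
# loader(8) tunable, so it belongs here; shrinking the reserved range to 0-0
# (an assumed choice, not mandated by the page) keeps low ports out of it.
portacl_sysctl_conf() {
    printf 'net.inet.ip.portrange.reservedlow=0\n'
    printf 'net.inet.ip.portrange.reservedhigh=0\n'
    printf 'security.mac.portacl.rules=%s\n' "$1"
}
```

Run the check before applying the list: an entry that lies inside the reserved range passes the syntax but silently fails at bind time, which is exactly the case the linter reports.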
.Sh SEE ALSO
.Xr mac 3 ,
.Xr ip 4 ,
.Xr mac_biba 4 ,
.Xr mac_bsdextended 4 ,
.Xr mac_ifoff 4 ,
.Xr mac_mls 4 ,
.Xr mac_none 4 ,
.Xr mac_partition 4 ,
.Xr mac_seeotheruids 4 ,
.Xr mac_test 4 ,
.Xr mac 9
.Sh HISTORY
MAC first appeared in
.Fx 5.0
and
.Nm
first appeared in
.Fx 5.1 .
.Sh AUTHORS
This software was contributed to the
.Fx
Project by NAI Labs, the Security Research Division of Network Associates
Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.