xref: /freebsd/share/man/man4/mac_portacl.4 (revision 22cf89c938886d14f5796fc49f9f020c23ea8eaf)
1.\" Copyright (c) 2003 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Labs, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\"
19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.Dd December 9, 2004
32.Dt MAC_PORTACL 4
33.Os
34.Sh NAME
35.Nm mac_portacl
36.Nd "network port access control policy"
37.Sh SYNOPSIS
38To compile the port access control policy into your kernel,
39place the following lines in your kernel
40configuration file:
41.Bd -ragged -offset indent
42.Cd "options MAC"
43.Cd "options MAC_PORTACL"
44.Ed
45.Pp
46Alternately, to load the port access control policy module at boot time,
47place the following line in your kernel configuration file:
48.Bd -ragged -offset indent
49.Cd "options MAC"
50.Ed
51.Pp
52and in
53.Xr loader.conf 5 :
54.Pp
55.Dl "mac_portacl_load=""YES"""
56.Sh DESCRIPTION
57The
58.Nm
59policy allows administrators to administratively limit binding to
60local
61.Tn UDP
62and
63.Tn TCP
64ports via the
65.Xr sysctl 8
66interface.
67.Pp
68In order to enable the
69.Nm
70policy, MAC policy must be enforced on sockets
71(see
72.Xr mac 4 ) ,
73and the port(s) protected by
74.Nm
75must not be included in the range specified by
76the
77.Va net.inet.ip.portrange.reservedlow
78and
79.Va net.inet.ip.portrange.reservedhigh
80.Xr sysctl 8
81MIBs.
82.Pp
83The
84.Nm
85policy only affects ports explicitly bound by a user process (either
86for a listen/outgoing
87.Tn TCP
88socket, or a send/receive
89.Tn UDP
90socket).
91This policy will not limit ports bound implicitly for outgoing
92connections where the process has not explicitly selected a port:
93these are automatically selected by the IP stack.
94.Pp
95When
96.Nm
97is enabled, it will control binding access to ports up to the port
98number set in the
99.Va security.mac.portacl.port_high
100.Xr sysctl 8
101variable.
102By default, all attempts to bind to
103.Nm
104controlled ports will fail if not explicitly allowed by the port
105access control list, though binding by the superuser will be allowed,
106if the
107.Xr sysctl 8
108variable
109.Va security.mac.portacl.suser_exempt
110is set to a non-zero value.
111.Ss Runtime Configuration
112The following
113.Xr sysctl 8
114MIBs are available for fine-tuning the enforcement of this MAC policy.
115All
116.Xr sysctl 8
117variables, except
118.Va security.mac.portacl.rules ,
119can also be set as
120.Xr loader 8
121tunables in
122.Xr loader.conf 5 .
123.Bl -tag -width indent
124.It Va security.mac.portacl.enabled
125Enforce the
126.Nm
127policy.
128(Default: 1).
129.It Va security.mac.portacl.port_high
130The highest port number
131.Nm
132will enforce rules for.
133(Default: 1023).
134.It Va security.mac.portacl.rules
135The port access control list is specified in the following format:
136.Pp
137.Sm off
138.D1 Ar idtype : id : protocol : port Op , Ar idtype : id : protocol : port , ...
139.Sm on
140.Bl -tag -width ".Ar protocol"
141.It Ar idtype
142Describes the type of subject match to be performed.
143Either
144.Li uid
145for user ID matching, or
146.Li gid
147for group ID matching.
148.It Ar id
149The user or group ID (depending on
150.Ar idtype )
151allowed to bind to the specified port.
152.Bf -emphasis
153NOTE: User and group names are not valid; only the actual ID numbers
154may be used.
155.Ef
156.It Ar protocol
157Describes which protocol this entry applies to.
158Either
159.Li tcp
160or
161.Li udp
162are supported.
163.It Ar port
164Describes which port this entry applies to.
165.Bf -emphasis
166NOTE: MAC security policies may not override other security system policies
167by allowing accesses that they may deny, such as
168.Va net.inet.ip.portrange.reservedlow /
169.Va net.inet.ip.portrange.reservedhigh .
170.Ef
171If the specified port falls within the range specified, the
172.Nm
173entry will not function
174(i.e., even the specified user/group may not be able to bind to the specified
175port).
176.El
177.It Va security.mac.portacl.suser_exempt
178Allow superuser (i.e., root) to bind to all
179.Nm
180protected ports, even if the port access control list does not
181explicitly allow this.
182(Default: 1).
183.It Va security.mac.portacl.autoport_exempt
184Allow applications to use automatic binding to port 0.
185Applications use port 0 as a request for automatic port allocation when
186binding an IP address to a socket.
187This tunable will exempt port 0 allocation from rule checking.
188(Default: 1).
189.El
190.Sh SEE ALSO
191.Xr mac 3 ,
192.Xr ip 4 ,
193.Xr mac_biba 4 ,
194.Xr mac_bsdextended 4 ,
195.Xr mac_ddb 4 ,
196.Xr mac_ifoff 4 ,
197.Xr mac_mls 4 ,
198.Xr mac_none 4 ,
199.Xr mac_partition 4 ,
200.Xr mac_seeotheruids 4 ,
201.Xr mac_test 4 ,
202.Xr mac 9
203.Sh HISTORY
204MAC first appeared in
205.Fx 5.0
206and
207.Nm
208first appeared in
209.Fx 5.1 .
210.Sh AUTHORS
211This software was contributed to the
212.Fx
213Project by NAI Labs, the Security Research Division of Network Associates
214Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
215.Pq Dq CBOSS ,
216as part of the DARPA CHATS research program.
217