1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.\" $FreeBSD$ 32.\" 33.Dd December 9, 2004 34.Dt MAC_PORTACL 4 35.Os 36.Sh NAME 37.Nm mac_portacl 38.Nd "network port access control policy" 39.Sh SYNOPSIS 40To compile the port access control policy into your kernel, 41place the following lines in your kernel 42configuration file: 43.Bd -ragged -offset indent 44.Cd "options MAC" 45.Cd "options MAC_PORTACL" 46.Ed 47.Pp 48Alternately, to load the port access control policy module at boot time, 49place the following line in your kernel configuration file: 50.Bd -ragged -offset indent 51.Cd "options MAC" 52.Ed 53.Pp 54and in 55.Xr loader.conf 5 : 56.Pp 57.Dl "mac_portacl_load=""YES""" 58.Sh DESCRIPTION 59The 60.Nm 61policy allows administrators to administratively limit binding to 62local 63.Tn UDP 64and 65.Tn TCP 66ports via the 67.Xr sysctl 8 68interface. 69.Pp 70In order to enable the 71.Nm 72policy, MAC policy must be enforced on sockets 73(see 74.Xr mac 4 ) , 75and the port(s) protected by 76.Nm 77must not be included in the range specified by 78the 79.Va net.inet.ip.portrange.reservedlow 80and 81.Va net.inet.ip.portrange.reservedhigh 82.Xr sysctl 8 83MIBs. 84.Pp 85The 86.Nm 87policy only affects ports explicitly bound by a user process (either 88for a listen/outgoing 89.Tn TCP 90socket, or a send/receive 91.Tn UDP 92socket). 93This policy will not limit ports bound implicitly for outgoing 94connections where the process has not explicitly selected a port: 95these are automatically selected by the IP stack. 96.Pp 97When 98.Nm 99is enabled, it will control binding access to ports up to the port 100number set in the 101.Va security.mac.portacl.port_high 102.Xr sysctl 8 103variable. 104By default, all attempts to bind to 105.Nm 106controlled ports will fail if not explicitly allowed by the port 107access control list, though binding by the superuser will be allowed, 108if the 109.Xr sysctl 8 110variable 111.Va security.mac.portacl.suser_exempt 112is set to a non-zero value. 113.Ss Runtime Configuration 114The following 115.Xr sysctl 8 116MIBs are available for fine-tuning the enforcement of this MAC policy. 117All 118.Xr sysctl 8 119variables, except 120.Va security.mac.portacl.rules , 121can also be set as 122.Xr loader 8 123tunables in 124.Xr loader.conf 5 . 125.Bl -tag -width indent 126.It Va security.mac.portacl.enabled 127Enforce the 128.Nm 129policy. 130(Default: 1). 131.It Va security.mac.portacl.port_high 132The highest port number 133.Nm 134will enforce rules for. 135(Default: 1023). 136.It Va security.mac.portacl.rules 137The port access control list is specified in the following format: 138.Pp 139.Sm off 140.D1 Ar idtype : id : protocol : port Op , Ar idtype : id : protocol : port , ... 141.Sm on 142.Pp 143.Bl -tag -width ".Ar protocol" 144.It Ar idtype 145Describes the type of subject match to be performed. 146Either 147.Li uid 148for user ID matching, or 149.Li gid 150for group ID matching. 151.It Ar id 152The user or group ID (depending on 153.Ar idtype ) 154allowed to bind to the specified port. 155.Bf -emphasis 156NOTE: User and group names are not valid; only the actual ID numbers 157may be used. 158.Ef 159.It Ar protocol 160Describes which protocol this entry applies to. 161Either 162.Li tcp 163or 164.Li udp 165are supported. 166.It Ar port 167Describes which port this entry applies to. 168.Bf -emphasis 169NOTE: MAC security policies may not override other security system policies 170by allowing accesses that they may deny, such as 171.Va net.inet.ip.portrange.reservedlow / 172.Va net.inet.ip.portrange.reservedhigh . 173.Ef 174If the specified port falls within the range specified, the 175.Nm 176entry will not function 177(i.e., even the specified user/group may not be able to bind to the specified 178port). 179.El 180.It Va security.mac.portacl.suser_exempt 181Allow superuser (i.e., root) to bind to all 182.Nm 183protected ports, even if the port access control list does not 184explicitly allow this. 185(Default: 1). 186.It Va security.mac.portacl.autoport_exempt 187Allow applications to use automatic binding to port 0. 188Applications use port 0 as a request for automatic port allocation when 189binding an IP address to a socket. 190This tunable will exempt port 0 allocation from rule checking. 191(Default: 1). 192.El 193.Sh SEE ALSO 194.Xr mac 3 , 195.Xr ip 4 , 196.Xr mac_biba 4 , 197.Xr mac_bsdextended 4 , 198.Xr mac_ifoff 4 , 199.Xr mac_mls 4 , 200.Xr mac_none 4 , 201.Xr mac_partition 4 , 202.Xr mac_seeotheruids 4 , 203.Xr mac_test 4 , 204.Xr mac 9 205.Sh HISTORY 206MAC first appeared in 207.Fx 5.0 208and 209.Nm 210first appeared in 211.Fx 5.1 . 212.Sh AUTHORS 213This software was contributed to the 214.Fx 215Project by NAI Labs, the Security Research Division of Network Associates 216Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 217.Pq Dq CBOSS , 218as part of the DARPA CHATS research program. 219