xref: /freebsd/share/man/man4/mac_portacl.4 (revision 8ddb146abcdf061be9f2c0db7e391697dafad85c)
1.\" Copyright (c) 2003 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Labs, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\"
19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.\" $FreeBSD$
32.\"
33.Dd December 9, 2004
34.Dt MAC_PORTACL 4
35.Os
36.Sh NAME
37.Nm mac_portacl
38.Nd "network port access control policy"
39.Sh SYNOPSIS
40To compile the port access control policy into your kernel,
41place the following lines in your kernel
42configuration file:
43.Bd -ragged -offset indent
44.Cd "options MAC"
45.Cd "options MAC_PORTACL"
46.Ed
47.Pp
48Alternately, to load the port access control policy module at boot time,
49place the following line in your kernel configuration file:
50.Bd -ragged -offset indent
51.Cd "options MAC"
52.Ed
53.Pp
54and in
55.Xr loader.conf 5 :
56.Pp
57.Dl "mac_portacl_load=""YES"""
58.Sh DESCRIPTION
59The
60.Nm
61policy allows administrators to administratively limit binding to
62local
63.Tn UDP
64and
65.Tn TCP
66ports via the
67.Xr sysctl 8
68interface.
69.Pp
70In order to enable the
71.Nm
72policy, MAC policy must be enforced on sockets
73(see
74.Xr mac 4 ) ,
75and the port(s) protected by
76.Nm
77must not be included in the range specified by
78the
79.Va net.inet.ip.portrange.reservedlow
80and
81.Va net.inet.ip.portrange.reservedhigh
82.Xr sysctl 8
83MIBs.
84.Pp
85The
86.Nm
87policy only affects ports explicitly bound by a user process (either
88for a listen/outgoing
89.Tn TCP
90socket, or a send/receive
91.Tn UDP
92socket).
93This policy will not limit ports bound implicitly for outgoing
94connections where the process has not explicitly selected a port:
95these are automatically selected by the IP stack.
96.Pp
97When
98.Nm
99is enabled, it will control binding access to ports up to the port
100number set in the
101.Va security.mac.portacl.port_high
102.Xr sysctl 8
103variable.
104By default, all attempts to bind to
105.Nm
106controlled ports will fail if not explicitly allowed by the port
107access control list, though binding by the superuser will be allowed,
108if the
109.Xr sysctl 8
110variable
111.Va security.mac.portacl.suser_exempt
112is set to a non-zero value.
113.Ss Runtime Configuration
114The following
115.Xr sysctl 8
116MIBs are available for fine-tuning the enforcement of this MAC policy.
117All
118.Xr sysctl 8
119variables, except
120.Va security.mac.portacl.rules ,
121can also be set as
122.Xr loader 8
123tunables in
124.Xr loader.conf 5 .
125.Bl -tag -width indent
126.It Va security.mac.portacl.enabled
127Enforce the
128.Nm
129policy.
130(Default: 1).
131.It Va security.mac.portacl.port_high
132The highest port number
133.Nm
134will enforce rules for.
135(Default: 1023).
136.It Va security.mac.portacl.rules
137The port access control list is specified in the following format:
138.Pp
139.Sm off
140.D1 Ar idtype : id : protocol : port Op , Ar idtype : id : protocol : port , ...
141.Sm on
142.Bl -tag -width ".Ar protocol"
143.It Ar idtype
144Describes the type of subject match to be performed.
145Either
146.Li uid
147for user ID matching, or
148.Li gid
149for group ID matching.
150.It Ar id
151The user or group ID (depending on
152.Ar idtype )
153allowed to bind to the specified port.
154.Bf -emphasis
155NOTE: User and group names are not valid; only the actual ID numbers
156may be used.
157.Ef
158.It Ar protocol
159Describes which protocol this entry applies to.
160Either
161.Li tcp
162or
163.Li udp
164are supported.
165.It Ar port
166Describes which port this entry applies to.
167.Bf -emphasis
168NOTE: MAC security policies may not override other security system policies
169by allowing accesses that they may deny, such as
170.Va net.inet.ip.portrange.reservedlow /
171.Va net.inet.ip.portrange.reservedhigh .
172.Ef
173If the specified port falls within the range specified, the
174.Nm
175entry will not function
176(i.e., even the specified user/group may not be able to bind to the specified
177port).
178.El
179.It Va security.mac.portacl.suser_exempt
180Allow superuser (i.e., root) to bind to all
181.Nm
182protected ports, even if the port access control list does not
183explicitly allow this.
184(Default: 1).
185.It Va security.mac.portacl.autoport_exempt
186Allow applications to use automatic binding to port 0.
187Applications use port 0 as a request for automatic port allocation when
188binding an IP address to a socket.
189This tunable will exempt port 0 allocation from rule checking.
190(Default: 1).
191.El
192.Sh SEE ALSO
193.Xr mac 3 ,
194.Xr ip 4 ,
195.Xr mac_biba 4 ,
196.Xr mac_bsdextended 4 ,
197.Xr mac_ddb 4 ,
198.Xr mac_ifoff 4 ,
199.Xr mac_mls 4 ,
200.Xr mac_none 4 ,
201.Xr mac_partition 4 ,
202.Xr mac_seeotheruids 4 ,
203.Xr mac_test 4 ,
204.Xr mac 9
205.Sh HISTORY
206MAC first appeared in
207.Fx 5.0
208and
209.Nm
210first appeared in
211.Fx 5.1 .
212.Sh AUTHORS
213This software was contributed to the
214.Fx
215Project by NAI Labs, the Security Research Division of Network Associates
216Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
217.Pq Dq CBOSS ,
218as part of the DARPA CHATS research program.
219