1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.\" $FreeBSD$ 32.\" 33.Dd December 9, 2004 34.Dt MAC_PORTACL 4 35.Os 36.Sh NAME 37.Nm mac_portacl 38.Nd "network port access control policy" 39.Sh SYNOPSIS 40To compile the port access control policy into your kernel, 41place the following lines in your kernel 42configuration file: 43.Bd -ragged -offset indent 44.Cd "options MAC" 45.Cd "options MAC_PORTACL" 46.Ed 47.Pp 48Alternately, to load the port access control policy module at boot time, 49place the following line in your kernel configuration file: 50.Bd -ragged -offset indent 51.Cd "options MAC" 52.Ed 53.Pp 54and in 55.Xr loader.conf 5 : 56.Pp 57.Dl "mac_portacl_load=""YES""" 58.Sh DESCRIPTION 59The 60.Nm 61policy allows administrators to administratively limit binding to 62local 63.Tn UDP 64and 65.Tn TCP 66ports via the 67.Xr sysctl 8 68interface. 69.Pp 70In order to enable the 71.Nm 72policy, MAC policy must be enforced on sockets 73(see 74.Xr mac 4 ) , 75and the port(s) protected by 76.Nm 77must not be included in the range specified by 78the 79.Va net.inet.ip.portrange.reservedlow 80and 81.Va net.inet.ip.portrange.reservedhigh 82.Xr sysctl 8 83MIBs. 84.Pp 85The 86.Nm 87policy only affects ports explicitly bound by a user process (either 88for a listen/outgoing 89.Tn TCP 90socket, or a send/receive 91.Tn UDP 92socket). 93This policy will not limit ports bound implicitly for outgoing 94connections where the process has not explicitly selected a port: 95these are automatically selected by the IP stack. 96.Pp 97When 98.Nm 99is enabled, it will control binding access to ports up to the port 100number set in the 101.Va security.mac.portacl.port_high 102.Xr sysctl 8 103variable. 104By default, all attempts to bind to 105.Nm 106controlled ports will fail if not explicitly allowed by the port 107access control list, though binding by the superuser will be allowed, 108if the 109.Xr sysctl 8 110variable 111.Va security.mac.portacl.suser_exempt 112is set to a non-zero value. 113.Ss Runtime Configuration 114The following 115.Xr sysctl 8 116MIBs are available for fine-tuning the enforcement of this MAC policy. 117All 118.Xr sysctl 8 119variables, except 120.Va security.mac.portacl.rules , 121can also be set as 122.Xr loader 8 123tunables in 124.Xr loader.conf 5 . 125.Bl -tag -width indent 126.It Va security.mac.portacl.enabled 127Enforce the 128.Nm 129policy. 130(Default: 1). 131.It Va security.mac.portacl.port_high 132The highest port number 133.Nm 134will enforce rules for. 135(Default: 1023). 136.It Va security.mac.portacl.rules 137The port access control list is specified in the following format: 138.Pp 139.Sm off 140.D1 Ar idtype : id : protocol : port Op , Ar idtype : id : protocol : port , ... 141.Sm on 142.Bl -tag -width ".Ar protocol" 143.It Ar idtype 144Describes the type of subject match to be performed. 145Either 146.Li uid 147for user ID matching, or 148.Li gid 149for group ID matching. 150.It Ar id 151The user or group ID (depending on 152.Ar idtype ) 153allowed to bind to the specified port. 154.Bf -emphasis 155NOTE: User and group names are not valid; only the actual ID numbers 156may be used. 157.Ef 158.It Ar protocol 159Describes which protocol this entry applies to. 160Either 161.Li tcp 162or 163.Li udp 164are supported. 165.It Ar port 166Describes which port this entry applies to. 167.Bf -emphasis 168NOTE: MAC security policies may not override other security system policies 169by allowing accesses that they may deny, such as 170.Va net.inet.ip.portrange.reservedlow / 171.Va net.inet.ip.portrange.reservedhigh . 172.Ef 173If the specified port falls within the range specified, the 174.Nm 175entry will not function 176(i.e., even the specified user/group may not be able to bind to the specified 177port). 178.El 179.It Va security.mac.portacl.suser_exempt 180Allow superuser (i.e., root) to bind to all 181.Nm 182protected ports, even if the port access control list does not 183explicitly allow this. 184(Default: 1). 185.It Va security.mac.portacl.autoport_exempt 186Allow applications to use automatic binding to port 0. 187Applications use port 0 as a request for automatic port allocation when 188binding an IP address to a socket. 189This tunable will exempt port 0 allocation from rule checking. 190(Default: 1). 191.El 192.Sh SEE ALSO 193.Xr mac 3 , 194.Xr ip 4 , 195.Xr mac_biba 4 , 196.Xr mac_bsdextended 4 , 197.Xr mac_ifoff 4 , 198.Xr mac_mls 4 , 199.Xr mac_none 4 , 200.Xr mac_partition 4 , 201.Xr mac_seeotheruids 4 , 202.Xr mac_test 4 , 203.Xr mac 9 204.Sh HISTORY 205MAC first appeared in 206.Fx 5.0 207and 208.Nm 209first appeared in 210.Fx 5.1 . 211.Sh AUTHORS 212This software was contributed to the 213.Fx 214Project by NAI Labs, the Security Research Division of Network Associates 215Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 216.Pq Dq CBOSS , 217as part of the DARPA CHATS research program. 218