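#!/bin/sh
#
# mac_portacl bind tests: exercises how security.mac.portacl.suser_exempt,
# security.mac.portacl.port_high and net.inet.ip.portrange.reservedhigh
# change whether the unprivileged user/group "nobody" may bind TCP/UDP ports.
#
# bind_test and restore_settings come from misc.sh next to this script.
# Argument order for bind_test is: two expected outcomes (ok/fl), the id type
# (uid/gid), the name, the protocol and the port.  There are 32 bind_test
# calls below; the TAP plan of 64 implies each call reports two results
# (presumably one per expected-outcome column — see misc.sh).
#
# The sysctl writes below need privilege; on failure they are silenced and
# the script continues, so run this only where the settings can be changed.

dir=$(dirname -- "$0")
. "${dir}/misc.sh"

echo "1..64"

# security.mac.portacl.suser_exempt value doesn't affect unprivileged users
# behaviour.
# mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh.

# Put the sysctls back however the script ends (normal exit or signal).
trap restore_settings EXIT INT TERM

sysctl security.mac.portacl.suser_exempt=1 >/dev/null
sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null

# Port 77 is inside the reserved range, 7777 is above it.
bind_test fl fl uid nobody tcp 77
bind_test ok ok uid nobody tcp 7777
bind_test fl fl uid nobody udp 77
bind_test ok ok uid nobody udp 7777

bind_test fl fl gid nobody tcp 77
bind_test ok ok gid nobody tcp 7777
bind_test fl fl gid nobody udp 77
bind_test ok ok gid nobody udp 7777

sysctl security.mac.portacl.suser_exempt=0 >/dev/null

# Same expectations with suser_exempt off: the knob is about the superuser,
# so results for "nobody" must not change.
bind_test fl fl uid nobody tcp 77
bind_test ok ok uid nobody tcp 7777
bind_test fl fl uid nobody udp 77
bind_test ok ok uid nobody udp 7777

bind_test fl fl gid nobody tcp 77
bind_test ok ok gid nobody tcp 7777
bind_test fl fl gid nobody udp 77
bind_test ok ok gid nobody udp 7777

# Verify if security.mac.portacl.port_high works.

sysctl security.mac.portacl.port_high=7778 >/dev/null

# 7777 is now below port_high, so the second outcome flips to ok.
bind_test fl fl uid nobody tcp 77
bind_test fl ok uid nobody tcp 7777
bind_test fl fl uid nobody udp 77
bind_test fl ok uid nobody udp 7777

bind_test fl fl gid nobody tcp 77
bind_test fl ok gid nobody tcp 7777
bind_test fl fl gid nobody udp 77
bind_test fl ok gid nobody udp 7777

# Verify if mac_portacl rules work.

# Lower reservedhigh below 77 and port_high below 7777 so that neither port
# is covered by the reserved range or by port_high; only rules decide 77.
sysctl net.inet.ip.portrange.reservedhigh=76 >/dev/null
sysctl security.mac.portacl.port_high=7776 >/dev/null

bind_test fl ok uid nobody tcp 77
bind_test ok ok uid nobody tcp 7777
bind_test fl ok uid nobody udp 77
bind_test ok ok uid nobody udp 7777

bind_test fl ok gid nobody tcp 77
bind_test ok ok gid nobody tcp 7777
bind_test fl ok gid nobody udp 77
bind_test ok ok gid nobody udp 7777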