Интерактивная система просмотра системных руководств (man-ов)
mac_portacl (4)
>> mac_portacl (4) ( FreeBSD man: Специальные файлы /dev/* )
BSD mandoc
NAME
mac_portacl
- network port access control policy
SYNOPSIS
To compile the port access control policy into your kernel,
place the following lines in your kernel
configuration file:
options MACoptions MAC_PORTACL
Alternately, to load the port access control policy module at boot time,
place the following line in your kernel configuration file:
options MAC
and in
loader.conf5:
"mac_portacl_load=""YES"""
DESCRIPTION
The
policy allows administrators to administratively limit binding to
local
UDP
and
TCP
ports via the
sysctl(8)
interface.
In order to enable the
policy, MAC policy must be enforced on sockets
(see
mac(4)),
and the port(s) protected by
must not be included in the range specified by
the
net.inet.ip.portrange.reservedlow
and
net.inet.ip.portrange.reservedhighsysctl(8)
MIBs.
The
policy only affects ports explicitly bound by a user process (either
for a listen/outgoing
TCP
socket, or a send/receive
UDP
socket).
This policy will not limit ports bound implicitly for outgoing
connections where the process has not explicitly selected a port:
these are automatically selected by the IP stack.
When
is enabled, it will control binding access to ports up to the port
number set in the
security.mac.portacl.port_highsysctl(8)
variable.
By default, all attempts to bind to
controlled ports will fail if not explicitly allowed by the port
access control list, though binding by the superuser will be allowed,
if the
sysctl(8)
variable
security.mac.portacl.suser_exempt
is set to a non-zero value.
Runtime Configuration
The following
sysctl(8)
MIBs are available for fine-tuning the enforcement of this MAC policy.
All
sysctl(8)
variables, except
security.mac.portacl.rules
can also be set as
loader(8)
tunables in
loader.conf5.
security.mac.portacl.enabled
Enforce the
policy.
(Default: 1).
security.mac.portacl.port_high
The highest port number
will enforce rules for.
(Default: 1023).
security.mac.portacl.rules
The port access control list is specified in the following format:
idtype
Describes the type of subject match to be performed.
Either
uid
for user ID matching, or
gid
for group ID matching.
id
The user or group ID (depending on
idtype
allowed to bind to the specified port.
Bf -emphasis
NOTE: User and group names are not valid; only the actual ID numbers
may be used.
Ef
protocol
Describes which protocol this entry applies to.
Either
tcp
or
udp
are supported.
port
Describes which port this entry applies to.
Bf -emphasis
NOTE: MAC security policies may not override other security system policies
by allowing accesses that they may deny, such as
net.inet.ip.portrange.reservedlownet.inet.ip.portrange.reservedhigh
Ef If the specified port falls within the range specified, the
entry will not function
(i.e., even the specified user/group may not be able to bind to the specified
port).
security.mac.portacl.suser_exempt
Allow superuser (i.e., root) to bind to all
protected ports, even if the port access control list does not
explicitly allow this.
(Default: 1).
security.mac.portacl.autoport_exempt
Allow applications to use automatic binding to port 0.
Applications use port 0 as a request for automatic port allocation when
binding an IP address to a socket.
This tunable will exempt port 0 allocation from rule checking.
(Default: 1).
MAC first appeared in
Fx 5.0
and
first appeared in
Fx 5.1 .
AUTHORS
This software was contributed to the
Fx Project by NAI Labs, the Security Research Division of Network Associates
Inc. under DARPA/SPAWAR contract N66001-01-C-8035
(``CBOSS''
)
as part of the DARPA CHATS research program.
