mac_portacl -- network port access control policy
To compile the port access control policy into your kernel, place the
following lines in your kernel configuration file:
options MAC
options MAC_PORTACL
Alternately, to load the port access control policy module at boot time,
place the following line in your kernel configuration file:
options MAC
and in loader.conf(5):
mac_portacl_load="YES"
The mac_portacl policy allows administrators to administratively limit
binding to local UDP and TCP ports via the sysctl(8) interface.
In order to enable the mac_portacl policy, MAC policy must be enforced on
sockets (see mac(4)), and the port(s) protected by mac_portacl must not
be included in the range specified by the
net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh
sysctl(8) MIBs.
Runtime Configuration [Toc] [Back]
The port access control list is specified in the
security.mac.portacl.rules sysctl(8) MIB in the following format:
idtype:id:protocol:port[,idtype:id:protocol:port,...]
idtype Describes the type of subject match to be performed. Either
uid for user ID matching, or gid for group ID matching.
id The user or group ID (depending on idtype) allowed to bind to
the specified port. NOTE: User and group names are not valid;
only the actual ID numbers may be used.
protocol Describes which protocol this entry applies to. Either tcp or
udp are supported.
port Describes which port this entry applies to. NOTE: MAC security
policies may not override other security system policies by
allowing accesses that they may deny, such as
net.inet.ip.portrange.reservedlow /
net.inet.ip.portrange.reservedhigh. If the specified port
falls within the range specified, the mac_portacl entry will
not function (i.e., even the specified user/group may not be
able to bind to the specified port).
mac(3), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_mls(4),
mac_none(4), mac_partition(4), mac_seeotheruids(4), mac_test(4), mac(9)
MAC first appeared in FreeBSD 5.0.
This software was contributed to the FreeBSD Project by NAI Labs, the
Security Research Division of Network Associates Inc. under DARPA/SPAWAR
contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS
research program.
FreeBSD 5.2.1 March 11, 2003 FreeBSD 5.2.1 [ Back ] |