NAME

mac_portacl —

network port access control policy

SYNOPSIS

To compile the port access control policy into your kernel, place the following lines in your kernel configuration file:

options MAC
options MAC_PORTACL

Alternately, to load the port access control policy module at boot time, place the following line in your kernel configuration file:

options MAC

and in loader.conf(5):

mac_portacl_load="YES"

DESCRIPTION

The mac_portacl policy allows administrators to administratively limit binding to local UDP and TCP ports via the sysctl(8) interface.

In order to enable the mac_portacl policy, MAC policy must be enforced on sockets (see mac(4)), and the port(s) protected by mac_portacl must not be included in the range specified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.

The mac_portacl policy only affects ports explicitly bound by a user process (either for a listen/outgoing TCP socket, or a send/receive UDP socket). This policy will not limit ports bound implicitly for outgoing connections where the process has not explicitly selected a port: these are automatically selected by the IP stack.

When mac_portacl is enabled, it will control binding access to ports up to the port number set in the security.mac.portacl.port_high sysctl(8) variable. By default, all attempts to bind to mac_portacl controlled ports will fail if not explicitly allowed by the port access control list, though binding by the superuser will be allowed, if the sysctl(8) variable security.mac.portacl.suser_exempt is set to a non-zero value.

Runtime Configuration

The following sysctl(8) MIBs are available for fine-tuning the enforcement of this MAC policy. All sysctl(8) variables, except security.mac.portacl.rules, can also be set as loader(8) tunables in loader.conf(5).

security.mac.portacl.enabled

Enforce the mac_portacl policy. (Default: 1).

security.mac.portacl.port_high

The highest port number mac_portacl will enforce rules for. (Default: 1023).

security.mac.portacl.rules

The port access control list is specified in the following format:

idtype:id:protocol:port[,idtype:id:protocol:port,...]

idtype: Describes the type of subject match to be performed. Either uid for user ID matching, or gid for group ID matching.
id: The user or group ID (depending on idtype) allowed to bind to the specified port.
NOTE: User and group names are not valid; only the actual ID numbers may be used.
protocol: Describes which protocol this entry applies to. Either tcp or udp are supported.
port: Describes which port this entry applies to.
NOTE: MAC security policies may not override other security system policies by allowing accesses that they may deny, such as net.inet.ip.portrange.reservedlow / net.inet.ip.portrange.reservedhigh.
If the specified port falls within the range specified, the mac_portacl entry will not function (i.e., even the specified user/group may not be able to bind to the specified port).

security.mac.portacl.suser_exempt

Allow superuser (i.e., root) to bind to all mac_portacl protected ports, even if the port access control list does not explicitly allow this. (Default: 1).

security.mac.portacl.autoport_exempt

Allow applications to use automatic binding to port 0. Applications use port 0 as a request for automatic port allocation when binding an IP address to a socket. This tunable will exempt port 0 allocation from rule checking. (Default: 1).

HISTORY

MAC first appeared in FreeBSD 5.0 and mac_portacl first appeared in FreeBSD 5.1.

AUTHORS

This software was contributed to the FreeBSD Project by NAI Labs, the Security Research Division of Network Associates Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.