freebsd-nq/sys/security
Robert Watson, commit 03d031626d:

A cute yet small MAC policy that provides a simple ACL mechanism to
permit users and groups to bind ports for TCP or UDP, and is intended
to be combined with the recently committed support for
net.inet.ip.portrange.reservedhigh.  The policy is twiddled using
sysctl(8).  To use this module, you will need to compile in MAC
support, and probably set reservedhigh to 0, then twiddle
security.mac.portacl.rules to set things as desired.  This policy
module only restricts ports explicitly bound using bind(), not
implicitly bound ports where the port number is selected by the
IP stack.  It appears to work properly in my local configuration,
but needs more broad testing.

A sample policy might be:

  # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"

This permits uid 425 to bind TCP sockets to ports 79 and 80.  Currently
no distinction is made for incoming vs. outgoing ports with TCP,
although that would probably be easy to add.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-03-02 23:01:42 +00:00
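The rule syntax and the bind() decision the commit message describes, modelled in user space as an added example for this page (illustrative code, not the mac_portacl module's own source). It assumes a rule grammar of idtype:id:proto:port generalised from the single uid:425:tcp:80 sample, with idtype "uid" or "gid" and proto "tcp" or "udp", and matches gid rules against the primary gid only; the names parse_rules, portacl_allows and portacl_check are this example's, not the module's.

```c
#define _POSIX_C_SOURCE 200809L   /* strtok_r */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative user-space model of the mac_portacl check, written for this
 * page; not the module's own code. Rule grammar is assumed, generalised from
 * the single sample rule: idtype:id:proto:port[,...] with idtype "uid" or
 * "gid" and proto "tcp" or "udp".
 */
enum idtype { ID_UID, ID_GID };
enum proto { PROTO_TCP, PROTO_UDP };

struct rule {
	enum idtype idtype;
	unsigned long id;	/* uid or gid named by the rule */
	enum proto proto;
	unsigned int port;
};
#define MAX_RULES 64

/* Unsigned decimal only: no sign, no whitespace, no trailing junk. */
static int parse_number(const char *s, unsigned long max, unsigned long *out)
{
	char *end;

	if (*s < '0' || *s > '9')
		return -1;
	*out = strtoul(s, &end, 10);
	return (*end == '\0' && *out <= max) ? 0 : -1;
}

static int parse_proto(const char *s, enum proto *out)
{
	if (strcmp(s, "tcp") == 0) { *out = PROTO_TCP; return 0; }
	if (strcmp(s, "udp") == 0) { *out = PROTO_UDP; return 0; }
	return -1;
}

/* Parse the comma-separated list into rules[]; returns the count, or -1 if
 * any entry is malformed (the whole value is rejected, never half-applied). */
int parse_rules(const char *spec, struct rule *rules, int max)
{
	char buf[1024], *entry, *t, *field[4], *se, *sf;
	unsigned long port;
	int n = 0, k;

	if (strlen(spec) >= sizeof buf)
		return -1;
	strcpy(buf, spec);
	for (entry = strtok_r(buf, ",", &se); entry; entry = strtok_r(NULL, ",", &se)) {
		for (k = 0, t = strtok_r(entry, ":", &sf); t; t = strtok_r(NULL, ":", &sf)) {
			if (k == 4)
				return -1;
			field[k++] = t;
		}
		if (k != 4 || n >= max)
			return -1;
		if (strcmp(field[0], "uid") == 0)
			rules[n].idtype = ID_UID;
		else if (strcmp(field[0], "gid") == 0)
			rules[n].idtype = ID_GID;
		else
			return -1;
		if (parse_number(field[1], 0xffffffffUL, &rules[n].id) < 0 ||
		    parse_proto(field[2], &rules[n].proto) < 0 ||
		    parse_number(field[3], 65535, &port) < 0)
			return -1;
		rules[n++].port = (unsigned int)port;
	}
	return n;
}

/* Decision for an explicit bind(): allow if a rule names this uid, or this
 * primary gid (assumption: supplementary groups not consulted), for exactly
 * this proto and port; otherwise deny. Implicitly chosen ports never get here. */
bool portacl_allows(const struct rule *rules, int n, unsigned long uid,
    unsigned long gid, enum proto proto, unsigned int port)
{
	for (int i = 0; i < n; i++) {
		if (rules[i].proto != proto || rules[i].port != port)
			continue;
		if (rules[i].idtype == ID_UID && rules[i].id == uid)
			return true;
		if (rules[i].idtype == ID_GID && rules[i].id == gid)
			return true;
	}
	return false;
}

/* One-shot wrapper: 1 = bind allowed, 0 = denied, -1 = bad rules or proto. */
int portacl_check(const char *spec, unsigned long uid, unsigned long gid,
    const char *proto_name, unsigned int port)
{
	struct rule rules[MAX_RULES];
	enum proto proto;
	int n = parse_rules(spec, rules, MAX_RULES);
	if (n < 0 || parse_proto(proto_name, &proto) < 0)
		return -1;
	return portacl_allows(rules, n, uid, gid, proto, port) ? 1 : 0;
}
```

With the commit's sample value, portacl_check("uid:425:tcp:80,uid:425:tcp:79", 425, 425, "tcp", 80) answers 1 and the same request for udp/80, for uid 426, or for port 8080 answers 0. Two points the model preserves from the message: only explicit bind() requests are decided here (ports the IP stack picks never reach the check), and the model answers only the ACL question; whether a sub-1024 port is otherwise reserved is the net.inet.ip.portrange.reservedhigh setting's business, which is why the message says to set it to 0 when using this policy.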
Directory         Last commit                                                            Date
mac               Back out M_* changes, per decision of the TRB.                         2003-02-19 05:47:46 +00:00
mac_biba          Back out M_* changes, per decision of the TRB.                         2003-02-19 05:47:46 +00:00
mac_bsdextended   Back out M_* changes, per decision of the TRB.                         2003-02-19 05:47:46 +00:00
mac_ifoff         License and wording updates: NAI has authorized the removal of clause  2002-11-04 01:53:12 +00:00
mac_lomac         Back out M_* changes, per decision of the TRB.                         2003-02-19 05:47:46 +00:00
mac_mls           Back out M_* changes, per decision of the TRB.                         2003-02-19 05:47:46 +00:00
mac_none          Default policies to on: if you load them or compile them into your     2002-12-10 16:20:34 +00:00
mac_partition     Update MAC modules for changes in arguments for exec MAC policy        2002-11-08 18:04:36 +00:00
mac_portacl       A cute yet small MAC policy that provides a simple ACL mechanism to    2003-03-02 23:01:42 +00:00
mac_seeotheruids  Default policies to on: if you load them or compile them into your     2002-12-10 16:20:34 +00:00
mac_stub          Default policies to on: if you load them or compile them into your     2002-12-10 16:20:34 +00:00
mac_test          Default policies to on: if you load them or compile them into your     2002-12-10 16:20:34 +00:00