From 2fbb955545faec0ad37a674e912f856e76adb309 Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 31 Mar 2003 08:10:10 +0000 Subject: [PATCH] Document the new mac_portacl(4) policy. Sponsored by: DARPA, Network Associates Laboratories Obtained from: TrustedBSD Project --- share/man/man4/mac_portacl.4 | 156 +++++++++++++++++++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 share/man/man4/mac_portacl.4 diff --git a/share/man/man4/mac_portacl.4 b/share/man/man4/mac_portacl.4 new file mode 100644 index 000000000000..41a2fd8b9db5 --- /dev/null +++ b/share/man/man4/mac_portacl.4 
@@ -0,0 +1,156 @@ +.\" Copyright (c) 2003 Networks Associates Technology, Inc. +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by Chris Costello +.\" at Safeport Network Services and Network Associates Labs, the +.\" Security Research Division of Network Associates, Inc. under +.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the +.\" DARPA CHATS research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $FreeBSD$ +.Dd MARCH 11, 2003 +.Dt MAC_PORTACL 4 +.Sh NAME +.Nm mac_portacl +.Nd network port access control policy +.Sh SYNOPSIS +To compile the port access control policy into your kernel, +place the following lines in your kernel +configuration file: +.Cd "options MAC" +.Cd "options MAC_PORTACL" +.Pp +Alternately, to load the port access control policy module at boot time, +place the following line in your kernel configuration file: +.Cd "options MAC" +.Pp +and in +.Xr loader.conf 5 : +.Cd mac_portacl_load= Ns \&"YES" +.Sh DESCRIPTION +The +.Nm +policy allows administrators to administratively limit binding to +local UDP and TCP ports via the +.Xr sysctl 8 +interface. +.Pp +In order to enable the +.Nm +policy, MAC policy must be enforced on sockets +(see +.Xr mac 4 ) , +and the port(s) protected by +.Nm +must not be included in the range specified by +the +.Va net.inet.ip.portrange.reservedlow +and +.Va net.inet.ip.portrange.reservedhigh +.Xr sysctl 8 +MIBs. +.Ss Runtime Configuration +The port access control list is specified in the +.Va security.mac.portacl.rules +.Xr sysctl 8 +MIB in the following format: +.Pp +.Sm off +.Bd -literal -offset indent +.Sy idtype +.Li : +.Sy id +.Li : +.Sy protocol +.Li : +.Sy port +.Li [, +.Sy idtype +.Li : +.Sy id +.Li : +.Sy protocol +.Li : +.Sy port +.Li ,...] +.Ed +.Sm on +.Pp +.Bl -tag -width protocol +.It Sy idtype +Describes the type of subject match to be performed. +Either +.Li uid +for userid matching, or +.Li gid +for group ID matching. +.It Sy id +The user or group ID (depending on +.Sy idtype ) +allowed to bind to the specified port. +.Bf -emphasis +NOTE: User and group names are not valid; only the actual ID numbers +may be used. +.Ef +.It Sy protocol +Describes which protocol this entry applies to. +Either +.Li tcp +or +.Li udp +are supported. +.It Sy port +Describes which port this entry applies to. 
+.Bf -emphasis +NOTE: MAC security policies may not override other security system policies +by allowing accesses that they may deny, such as +.Va net.inet.ip.portrange.reservedlow / +.Va net.inet.ip.portrange.reservedhigh . +.Ef +If the specified port falls within the range specified, the +.Nm +entry will not function +(i.e. even the specified user/group may not be able to bind to the specified +port). +.El +.Sh SEE ALSO +.Xr mac 3 , +.Xr mac_biba 4 , +.Xr mac_bsdextended 4 , +.Xr mac_ifoff 4 , +.Xr mac_mls 4 , +.Xr mac_none 4 , +.Xr mac_partition 4 , +.Xr mac_seeotheruids 4 , +.Xr mac_test 4 , +.Xr mac 9 +.Sh HISTORY +MAC first appeared in +.Fx 5.0 . +.Sh AUTHORS +This software was contributed to the +.Fx +Project by NAI Labs, the Security Research Division of Network Associates +Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), +as part of the DARPA CHATS research program.
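Review bot: The DESCRIPTION and the `.Sy port` entry never state the default outcome, so a reader cannot tell whether a port with no matching rule is denied to everyone or left unrestricted, nor whether the list is consulted for every local port or only for some subset; one sentence after "policy allows administrators to administratively limit binding to local UDP and TCP ports" saying what happens when no entry matches would resolve this. The `.Sy port` entry should also say that the value is a numeric port and whether a single port or a range is accepted, matching the "only the actual ID numbers may be used" note already given for `.Sy id`. The reservedlow/reservedhigh caveat is stated twice, once in DESCRIPTION ("must not be included in the range specified by") and again under `.Sy port` ("MAC security policies may not override other security system policies"); keeping the emphasised NOTE in one place and cross-referencing it from the other would avoid the two drifting apart. An EXAMPLES section showing one concrete rules string built from the documented grammar (for instance `uid:80:tcp:80,gid:53:udp:53`, values chosen here purely for illustration) would make the `idtype:id:protocol:port` syntax far easier to follow than the `.Sm off` block alone. Finally, mdoc style: `.Dd MARCH 11, 2003` should be `.Dd March 11, 2003`, and HISTORY says only when MAC appeared, not when `.Nm` itself was added.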