| Main index | Section 4 | Options |
Alternately, to load the port access control policy module at boot time, place the following line in your kernel configuration file: options MAC
and in loader.conf(5):
mac_portacl_load= YES""
In order to enable the mac_portacl policy, MAC policy must be enforced on sockets (see mac(4)), and the port(s) protected by mac_portacl must not be included in the range specified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.
The mac_portacl policy only affects ports explicitly bound by a user process (either for a listen/outgoing TCP socket, or a send/receive UDP socket). This policy will not limit ports bound implicitly for outgoing connections where the process has not explicitly selected a port: these are automatically selected by the IP stack.
When mac_portacl is enabled, it will control binding access to ports up to the port number set in the security.mac.portacl.port_high sysctl(8) variable. By default, all attempts to bind to mac_portacl controlled ports will fail if not explicitly allowed by the port access control list, though binding by the superuser will be allowed, if the sysctl(8) variable security.mac.portacl.suser_exempt is set to a non-zero value.
| security.mac.portacl.enabled | |
| Enforce the mac_portacl policy. (Default: 1). | |
| security.mac.portacl.port_high | |
| The highest port number mac_portacl will enforce rules for. (Default: 1023). | |
| security.mac.portacl.rules | |
|
The port access control list is specified in the following format:
| |
| idtype | Describes the type of subject match to be performed. Either uid for user ID matching, or gid for group ID matching. |
| id | The user or group ID (depending on idtype) allowed to bind to the specified port. NOTE: User and group names are not valid; only the actual ID numbers may be used. |
| protocol | |
| Describes which protocol this entry applies to. Either tcp or udp are supported. | |
| port | Describes which port this entry applies to. NOTE: MAC security policies may not override other security system policies by allowing accesses that they may deny, such as net.inet.ip.portrange.reservedlow / net.inet.ip.portrange.reservedhigh. If the specified port falls within the range specified, the mac_portacl entry will not function (i.e., even the specified user/group may not be able to bind to the specified port). |
| security.mac.portacl.suser_exempt | |
| Allow superuser (i.e., root) to bind to all mac_portacl protected ports, even if the port access control list does not explicitly allow this. (Default: 1). | |
| security.mac.portacl.autoport_exempt | |
| Allow applications to use automatic binding to port 0. Applications use port 0 as a request for automatic port allocation when binding an IP address to a socket. This tunable will exempt port 0 allocation from rule checking. (Default: 1). | |
| MAC_PORTACL (4) | December 9, 2004 |
| Main index | Section 4 | Options |
Please direct any comments about this manual page service to Ben Bullock. Privacy policy.
| “ | When people say "Drive safe!" I'm like no, a safe is for keeping money, I drive car. | ” |
| — Artur Bagyants | ||