The OpenNET Project / Index page

[ новости/++ | форум | wiki | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

mac_portacl (4)
  • >> mac_portacl (4) ( FreeBSD man: Специальные файлы /dev/* )

  • BSD mandoc
     

    NAME

    
    
    mac_portacl
    
     - network port access control policy
    
     
    

    SYNOPSIS

    To compile the port access control policy into your kernel, place the following lines in your kernel configuration file:
    options MAC options MAC_PORTACL

    Alternately, to load the port access control policy module at boot time, place the following line in your kernel configuration file:

    options MAC

    and in loader.conf5:

    "mac_portacl_load=""YES"""
     

    DESCRIPTION

    The policy allows administrators to administratively limit binding to local UDP and TCP ports via the sysctl(8) interface.

    In order to enable the policy, MAC policy must be enforced on sockets (see mac(4)), and the port(s) protected by must not be included in the range specified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.

    The policy only affects ports explicitly bound by a user process (either for a listen/outgoing TCP socket, or a send/receive UDP socket). This policy will not limit ports bound implicitly for outgoing connections where the process has not explicitly selected a port: these are automatically selected by the IP stack.

    When is enabled, it will control binding access to ports up to the port number set in the security.mac.portacl.port_high sysctl(8) variable. By default, all attempts to bind to controlled ports will fail if not explicitly allowed by the port access control list, though binding by the superuser will be allowed, if the sysctl(8) variable security.mac.portacl.suser_exempt is set to a non-zero value.  

    Runtime Configuration

    The following sysctl(8) MIBs are available for fine-tuning the enforcement of this MAC policy. All sysctl(8) variables, except security.mac.portacl.rules can also be set as loader(8) tunables in loader.conf5.

    security.mac.portacl.enabled
    Enforce the policy. (Default: 1).
    security.mac.portacl.port_high
    The highest port number will enforce rules for. (Default: 1023).
    security.mac.portacl.rules
    The port access control list is specified in the following format:

    idtype
    Describes the type of subject match to be performed. Either uid for user ID matching, or gid for group ID matching.
    id
    The user or group ID (depending on idtype allowed to bind to the specified port. Bf -emphasis NOTE: User and group names are not valid; only the actual ID numbers may be used. Ef
    protocol
    Describes which protocol this entry applies to. Either tcp or udp are supported.
    port
    Describes which port this entry applies to. Bf -emphasis NOTE: MAC security policies may not override other security system policies by allowing accesses that they may deny, such as net.inet.ip.portrange.reservedlow net.inet.ip.portrange.reservedhigh Ef If the specified port falls within the range specified, the entry will not function (i.e., even the specified user/group may not be able to bind to the specified port).

    security.mac.portacl.suser_exempt
    Allow superuser (i.e., root) to bind to all protected ports, even if the port access control list does not explicitly allow this. (Default: 1).
    security.mac.portacl.autoport_exempt
    Allow applications to use automatic binding to port 0. Applications use port 0 as a request for automatic port allocation when binding an IP address to a socket. This tunable will exempt port 0 allocation from rule checking. (Default: 1).

     

    SEE ALSO

    mac(3), ip(4), mac_biba4, mac_bsdextended4, mac_ifoff4, mac_mls4, mac_none4, mac_partition4, mac_seeotheruids4, mac_test4, mac(9)  

    HISTORY

    MAC first appeared in Fx 5.0 and first appeared in Fx 5.1 .  

    AUTHORS

    This software was contributed to the Fx Project by NAI Labs, the Security Research Division of Network Associates Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS'' ) as part of the DARPA CHATS research program.


     

    Index

    NAME
    SYNOPSIS
    DESCRIPTION
    Runtime Configuration
    SEE ALSO
    HISTORY
    AUTHORS


    Поиск по тексту MAN-ов: 



      Закладки на сайте
      Проследить за страницей
    Created 1996-2017 by Maxim Chirkov  
    ДобавитьРекламаВебмастеруГИД  
    Hosting by Ihor