author: Robert Watson <rwatson@FreeBSD.org>, 2003-03-02 23:01:42 +0000
committer: Robert Watson <rwatson@FreeBSD.org>, 2003-03-02 23:01:42 +0000
commit: 03d031626d8ac843fa47cf5b0bd96938fe7ac04d
tree: 780d03baf8a24d0bf855233fded296b78d04bcac /sys/conf
parent: 5aaa6729a103825e21bd01413aa25860cb2e5827
A cute yet small MAC policy that provides a simple ACL mechanism to
permit users and groups to bind ports for TCP or UDP, and is intended
to be combined with the recently committed support for
net.inet.ip.portrange.reservedhigh. The policy is twiddled using
sysctl(8). To use this module, you will need to compile in MAC
support, and probably set reservedhigh to 0, then twiddle
security.mac.portacl.rules to set things as desired. This policy
module only restricts ports explicitly bound using bind(), not
implicitly bound ports where the port number is selected by the
IP stack. It appears to work properly in my local configuration,
but needs more broad testing.
A sample policy might be:
# sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"
This permits uid 425 to bind TCP sockets to ports 79 and 80. Currently
no distinction is made for incoming vs. outgoing ports with TCP,
although that would probably be easy to add.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
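The rule string format shown in the commit message, modelled as an added example that is not code from the mac_portacl module or the TrustedBSD project: a user-space parser for security.mac.portacl.rules elements of the form subject:id:proto:port, plus the permit/deny decision a bind() check would make against the parsed rules. The "gid:" subject form, one port per rule, and outright denial of a bind that matches no rule are assumptions made for this illustration; the page only shows "uid:" rules and does not describe how the real module treats unmatched ports.

```c
/*
 * Added example, not code from the mac_portacl module or the TrustedBSD
 * project: a user-space model of the security.mac.portacl.rules syntax in
 * the commit message ("uid:425:tcp:80,uid:425:tcp:79").  Assumed here: a
 * "gid:" subject beside "uid:", one port per rule, and denial of a bind()
 * that matches no rule (the page does not state the real module's default).
 */
#include <stdlib.h>
#include <string.h>

#define PA_MAX_RULES 64
enum pa_subject { PA_UID, PA_GID };
enum pa_proto { PA_TCP, PA_UDP };
struct pa_rule { enum pa_subject subject; unsigned id; enum pa_proto proto; unsigned port; };

/* Split s in place on sep into at most max fields; -1 if there are more. */
static int
pa_split(char *s, char sep, char **out, int max)
{
	int n = 0;
	while (n < max) {
		char *c = strchr(s, sep);
		out[n++] = s;
		if (c == NULL)
			return (n);
		*c = '\0';
		s = c + 1;
	}
	return (-1);
}

/* Strict decimal parse: leading digit required, no sign, no trailing junk. */
static int
pa_parse_uint(const char *s, unsigned *out)
{
	char *end;
	unsigned long v;
	if (*s < '0' || *s > '9')
		return (-1);
	v = strtoul(s, &end, 10);
	if (*end != '\0' || v > 0xffffffffUL)
		return (-1);
	*out = (unsigned)v;
	return (0);
}

/* Parse one "subject:id:proto:port" element; 0 on success, -1 on syntax error. */
static int
pa_parse_rule(char *elem, struct pa_rule *r)
{
	char *f[4];
	if (pa_split(elem, ':', f, 4) != 4)
		return (-1);
	if (strcmp(f[0], "uid") == 0)
		r->subject = PA_UID;
	else if (strcmp(f[0], "gid") == 0)	/* assumed rule form, not on the page */
		r->subject = PA_GID;
	else
		return (-1);
	if (strcmp(f[2], "tcp") == 0)
		r->proto = PA_TCP;
	else if (strcmp(f[2], "udp") == 0)
		r->proto = PA_UDP;
	else
		return (-1);
	if (pa_parse_uint(f[1], &r->id) != 0 || pa_parse_uint(f[3], &r->port) != 0)
		return (-1);
	return (r->port >= 1 && r->port <= 65535 ? 0 : -1);
}

/* Parse a comma-separated rule string: rule count, or -1 if any element is bad
 * (the whole string is rejected rather than keeping a partial policy). */
int
pa_parse_rules(const char *spec, struct pa_rule *rules, int max)
{
	char *copy, *elems[PA_MAX_RULES];
	int i, n;
	if (*spec == '\0')
		return (0);		/* empty string: no rules at all */
	if ((copy = malloc(strlen(spec) + 1)) == NULL)
		return (-1);
	strcpy(copy, spec);
	n = pa_split(copy, ',', elems, max < PA_MAX_RULES ? max : PA_MAX_RULES);
	for (i = 0; n > 0 && i < n; i++)
		if (pa_parse_rule(elems[i], &rules[i]) != 0)
			n = -1;
	free(copy);
	return (n);
}

/* Model of the bind() decision: 0 = permitted, -1 = denied (assumed default). */
int
pa_check_bind(const struct pa_rule *rules, int n, unsigned uid,
    const unsigned *gids, int ngids, enum pa_proto proto, unsigned port)
{
	int i, g;
	for (i = 0; i < n; i++) {
		if (rules[i].proto != proto || rules[i].port != port)
			continue;
		if (rules[i].subject == PA_UID && rules[i].id == uid)
			return (0);
		if (rules[i].subject == PA_GID)
			for (g = 0; g < ngids; g++)
				if (gids[g] == rules[i].id)
					return (0);
	}
	return (-1);
}

/* Parse spec and evaluate one bind; -2 means the spec itself was rejected. */
int
pa_demo_case(const char *spec, unsigned uid, unsigned gid,
    enum pa_proto proto, unsigned port)
{
	struct pa_rule rules[PA_MAX_RULES];
	int n = pa_parse_rules(spec, rules, PA_MAX_RULES);
	return (n < 0 ? -2 : pa_check_bind(rules, n, uid, &gid, 1, proto, port));
}
```

With the commit message's own policy string, pa_demo_case("uid:425:tcp:80,uid:425:tcp:79", 425, ..., PA_TCP, 80) permits and the same uid on UDP/80 or another uid on TCP/80 is denied. The parser rejects the whole string on any malformed element (a bad port, a missing field, a trailing comma) so that a typo cannot silently load a partial policy; whether the kernel module's sysctl handler behaves the same way is not stated on this page. Note also that, as the commit message says, the real check applies only to ports explicitly chosen via bind(), not to ports the IP stack picks.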
Notes:
svn path=/head/; revision=111771
Diffstat (limited to 'sys/conf')
 sys/conf/NOTES   | 1
 sys/conf/files   | 1
 sys/conf/options | 1
 3 files changed, 3 insertions, 0 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES index f03279a8396a..c9a38ac0b89e 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -806,6 +806,7 @@ options MAC_LOMAC options MAC_MLS options MAC_NONE options MAC_PARTITION +options MAC_PORTACL options MAC_SEEOTHERUIDS options MAC_TEST diff --git a/sys/conf/files b/sys/conf/files index b4f8088224ba..4b98441d7ca3 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -1518,6 +1518,7 @@ security/mac_lomac/mac_lomac.c optional mac_lomac security/mac_mls/mac_mls.c optional mac_mls security/mac_none/mac_none.c optional mac_none security/mac_partition/mac_partition.c optional mac_partition +security/mac_portacl/mac_portacl.c optional mac_portacl security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids security/mac_test/mac_test.c optional mac_test ufs/ffs/ffs_alloc.c optional ffs diff --git a/sys/conf/options b/sys/conf/options index 854d85b9722f..e097828b9336 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -159,6 +159,7 @@ MAC_LOMAC opt_dontuse.h MAC_MLS opt_dontuse.h MAC_NONE opt_dontuse.h MAC_PARTITION opt_dontuse.h +MAC_PORTACL opt_dontuse.h MAC_SEEOTHERUIDS opt_dontuse.h MAC_TEST opt_dontuse.h |
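Review bot: the `options MAC_PORTACL` line added to sys/conf/NOTES carries no description, yet the commit message says the policy is only useful with MAC support compiled in, net.inet.ip.portrange.reservedhigh lowered (probably to 0) and a security.mac.portacl.rules string set; a short comment above the option naming those knobs would spare a reader of NOTES from discovering them by trial. The neighbouring MAC_* entries in the visible context are also bare, so follow whatever comment convention NOTES uses for the MAC block as a whole rather than commenting this one entry in isolation.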
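Review bot: the new `security/mac_portacl/mac_portacl.c optional mac_portacl` entry in sys/conf/files names a source file that is outside this diffstat (limited to sys/conf), so a kernel built with `options MAC_PORTACL` will fail unless sys/security/mac_portacl/mac_portacl.c is committed together with this change; please confirm it is, and that a sys/modules entry exists if the policy is meant to be loadable as a module as well as compiled in.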
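Review bot: `MAC_PORTACL opt_dontuse.h` in sys/conf/options matches the sibling MAC_* entries, which send these options to opt_dontuse.h so that no per-option header is generated for them; that is consistent, but it means mac_portacl.c must not include or test an opt_ header for its own option, and the module should behave identically whether it is compiled in or loaded. The entry is also placed in alphabetical order between MAC_PARTITION and MAC_SEEOTHERUIDS, in line with the NOTES and files hunks.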