Date: Sun, 2 Mar 2003 15:01:42 -0800 (PST) From: Robert Watson <rwatson@FreeBSD.org> To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: src/sys/conf NOTES files options src/sys/modules Makefile src/sys/modules/mac_portacl Makefile src/sys/security/mac_portacl mac_portacl.c Message-ID: <200303022301.h22N1gds096425@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
rwatson 2003/03/02 15:01:42 PST FreeBSD src repository Modified files: sys/conf NOTES files options sys/modules Makefile Added files: sys/modules/mac_portacl Makefile sys/security/mac_portacl mac_portacl.c Log: A cute yet small MAC policy that provides a simple ACL mechanism to permit users and groups to bind ports for TCP or UDP, and is intended to be combined with the recently committed support for net.inet.ip.portrange.reservedhigh. The policy is twiddled using sysctl(8). To use this module, you will need to compile in MAC support, and probably set reservedhigh to 0, then twiddle security.mac.portacl.rules to set things as desired. This policy module only restricts ports explicitly bound using bind(), not implicitly bound ports where the port number is selected by the IP stack. It appears to work properly in my local configuration, but needs more broad testing. A sample policy might be: # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79" This permits uid 425 to bind TCP sockets to ports 79 and 80. Currently no distinction is made for incoming vs. outgoing ports with TCP, although that would probably be easy to add. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories Revision Changes Path 1.1132 +1 -0 src/sys/conf/NOTES 1.764 +1 -0 src/sys/conf/files 1.376 +1 -0 src/sys/conf/options 1.307 +1 -0 src/sys/modules/Makefile 1.1 +9 -0 src/sys/modules/mac_portacl/Makefile (new) 1.1 +485 -0 src/sys/security/mac_portacl/mac_portacl.c (new) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-src" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200303022301.h22N1gds096425>