Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 2 Mar 2003 15:01:42 -0800 (PST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: src/sys/conf NOTES files options src/sys/modules Makefile src/sys/modules/mac_portacl Makefile src/sys/security/mac_portacl mac_portacl.c
Message-ID:  <200303022301.h22N1gds096425@repoman.freebsd.org>

next in thread | raw e-mail | index | archive | help
rwatson     2003/03/02 15:01:42 PST

  FreeBSD src repository

  Modified files:
    sys/conf             NOTES files options 
    sys/modules          Makefile 
  Added files:
    sys/modules/mac_portacl Makefile 
    sys/security/mac_portacl mac_portacl.c 
  Log:
  A cute yet small MAC policy that provides a simple ACL mechanism to
  permit users and groups to bind ports for TCP or UDP, and is intended
  to be combined with the recently committed support for
  net.inet.ip.portrange.reservedhigh.  The policy is twiddled using
  sysctl(8).  To use this module, you will need to compile in MAC
  support, and probably set reservedhigh to 0, then twiddle
  security.mac.portacl.rules to set things as desired.  This policy
  module only restricts ports explicitly bound using bind(), not
  implicitly bound ports where the port number is selected by the
  IP stack.  It appears to work properly in my local configuration,
  but needs more broad testing.
  
  A sample policy might be:
  
    # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"
  
  This permits uid 425 to bind TCP sockets to ports 79 and 80.  Currently
  no distinction is made for incoming vs. outgoing ports with TCP,
  although that would probably be easy to add.
  
  Obtained from:  TrustedBSD Project
  Sponsored by:   DARPA, Network Associates Laboratories
  
  Revision  Changes    Path
  1.1132    +1 -0      src/sys/conf/NOTES
  1.764     +1 -0      src/sys/conf/files
  1.376     +1 -0      src/sys/conf/options
  1.307     +1 -0      src/sys/modules/Makefile
  1.1       +9 -0      src/sys/modules/mac_portacl/Makefile (new)
  1.1       +485 -0    src/sys/security/mac_portacl/mac_portacl.c (new)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-src" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200303022301.h22N1gds096425>