Date: Mon, 12 Mar 2018 07:05:24 +0000 (UTC)
From: Tobias Kortkamp <tobik@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r464226 - in head/sysutils: . mac_nonet
Message-ID: <201803120705.w2C75Od0092600@repo.freebsd.org>
Author: tobik
Date: Mon Mar 12 07:05:24 2018
New Revision: 464226
URL: https://svnweb.freebsd.org/changeset/ports/464226

Log:
  New port: sysutils/mac_nonet

  Simple MAC framework policy to disable access to networking for
  certain group. Running kldload mac_nonet.ko to load the kernel
  module. The load action require root permissions.

  Set gid that shouldn't access the network:
    sysctl security.mac.nonet.gid=31337
  and enable enforcing:
    sysctl security.mac.nonet.enabled=1

  Any call to socket(2) from user in this group will end with EPERM.
  You can also select group that can access only AF_UNIX sockets with
  security.mac.nonet.local_gid.

  WWW: https://github.com/pbiernacki/mac_nonet

  PR: 219376
  Submitted by: amutu@amutu.com
  Reviewed by: bapt

Added:
  head/sysutils/mac_nonet/
  head/sysutils/mac_nonet/Makefile (contents, props changed)
  head/sysutils/mac_nonet/distinfo (contents, props changed)
  head/sysutils/mac_nonet/pkg-descr (contents, props changed)
Modified:
  head/sysutils/Makefile

Modified: head/sysutils/Makefile ============================================================================== --- head/sysutils/Makefile Mon Mar 12 06:58:02 2018 (r464225) +++ head/sysutils/Makefile Mon Mar 12 07:05:24 2018 (r464226) @@ -603,6 +603,7 @@ SUBDIR += lxsplit SUBDIR += lxtask SUBDIR += lxterminal + SUBDIR += mac_nonet SUBDIR += mac_rtprio SUBDIR += magicrescue SUBDIR += manck Added: head/sysutils/mac_nonet/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/mac_nonet/Makefile Mon Mar 12 07:05:24 2018 (r464226) 
@@ -0,0 +1,23 @@ +# Created by: Jov <amutu@amutu.com> +# $FreeBSD$ + +PORTNAME= mac_nonet +DISTVERSION= g20150821 +CATEGORIES= sysutils +PKGNAMESUFFIX= -kmod + +MAINTAINER= amutu@amutu.com +COMMENT= MAC policy to disable access to networking for certain group + +LICENSE= BSD2CLAUSE +LICENSE_FILE= ${WRKSRC}/LICENSE + +USES= kmod uidfix + +USE_GITHUB= yes +GH_ACCOUNT= pbiernacki +GH_TAGNAME= f7e008a + +PLIST_FILES= ${KMODDIR}/mac_nonet.ko + +.include <bsd.port.mk> Added: head/sysutils/mac_nonet/distinfo ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/mac_nonet/distinfo Mon Mar 12 07:05:24 2018 (r464226) @@ -0,0 +1,3 @@ +TIMESTAMP = 1495107566 +SHA256 (pbiernacki-mac_nonet-g20150821-f7e008a_GH0.tar.gz) = 996281aa2e26528cbc4c265101e5f3996958cc816cb3434d412c5b6f51df6604 +SIZE (pbiernacki-mac_nonet-g20150821-f7e008a_GH0.tar.gz) = 1862 Added: head/sysutils/mac_nonet/pkg-descr ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/mac_nonet/pkg-descr Mon Mar 12 07:05:24 2018 (r464226) @@ -0,0 +1,14 @@ +Simple MAC framework policy to disable access to networking for +certain group. Running kldload mac_nonet.ko to load the kernel +module. The load action require root permissions. + +Set gid that shouldn't access the network: + sysctl security.mac.nonet.gid=31337 +and enable enforcing: + sysctl security.mac.nonet.enabled=1 + +Any call to socket(2) from user in this group will end with EPERM. +You can also select group that can access only AF_UNIX sockets with +security.mac.nonet.local_gid. + +WWW: https://github.com/pbiernacki/mac_nonet
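Review bot: GH_TAGNAME= f7e008a in head/sysutils/mac_nonet/Makefile is an abbreviated commit hash. For a port whose only installed file is a kernel module (PLIST_FILES= ${KMODDIR}/mac_nonet.ko), spelling out the full commit hash would let a reviewer match the pinned source to upstream without relying on prefix resolution. The SHA256 in distinfo already fixes the tarball contents, so this is a readability point rather than an integrity gap.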
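Review bot: The kldload and sysctl steps in head/sysutils/mac_nonet/pkg-descr describe a runtime-only setup, and nothing tells the administrator that the restriction is gone after the next boot unless the module load and both sysctl values are made persistent. Suggest adding the persistent form (mac_nonet_load="YES" in /boot/loader.conf, and the security.mac.nonet.* values in /etc/sysctl.conf) and moving these operational steps into a pkg-message so they are shown at install time, leaving pkg-descr as a description. The text describes enforcement only at socket(2); a sentence on whether sockets that are already open are affected would set expectations. Grammar nit in the same file: "The load action require root permissions" should read "requires".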
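One way to confirm the policy described in the commit log is actually enforced for a given account, as an added example that is not part of the commit or of the mac_nonet project: the program below attempts socket(2) for AF_INET and AF_UNIX and reports which of the two documented restrictions it observes. The names `probe` and `classify` are hypothetical, and it assumes that a member of the `local_gid` group gets EPERM for AF_INET, which the log does not state.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum verdict { UNRESTRICTED, LOCAL_ONLY, NO_SOCKETS, UNEXPECTED };

/* Try socket(2) once; return 0 on success or the errno it failed with. */
static int probe(int domain)
{
	int fd = socket(domain, SOCK_STREAM, 0);
	if (fd < 0)
		return errno;
	close(fd);
	return 0;
}

/*
 * Map the two probe results to the behaviour the commit log describes.
 * Assumption: a local_gid member gets EPERM for AF_INET, as gid members do.
 */
static enum verdict classify(int inet_err, int unix_err)
{
	if (inet_err == 0 && unix_err == 0)
		return UNRESTRICTED;	/* policy not applied to this process */
	if (inet_err == EPERM && unix_err == 0)
		return LOCAL_ONLY;	/* consistent with security.mac.nonet.local_gid */
	if (inet_err == EPERM && unix_err == EPERM)
		return NO_SOCKETS;	/* consistent with security.mac.nonet.gid */
	return UNEXPECTED;		/* some other failure, not explained by the policy */
}

int main(void)
{
	static const char *names[] = {
		"unrestricted: policy not enforced for this process",
		"AF_UNIX only: matches security.mac.nonet.local_gid",
		"no sockets: matches security.mac.nonet.gid",
		"unexpected: failure is not explained by the policy",
	};
	int inet_err = probe(AF_INET), unix_err = probe(AF_UNIX);
	enum verdict v = classify(inet_err, unix_err);

	printf("AF_INET: %s\n", inet_err ? strerror(inet_err) : "ok");
	printf("AF_UNIX: %s\n", unix_err ? strerror(unix_err) : "ok");
	printf("%s\n", names[v]);
	/* Exit 0 only when the process is confined in one of the documented ways. */
	return (v == LOCAL_ONLY || v == NO_SOCKETS) ? 0 : 1;
}
```

Run it as a user in the restricted group after each boot or configuration change; a non-zero exit status means the confinement is not in effect for that account.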