Date: Thu, 18 May 2017 12:10:52 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 219376] [NEW PORT] sysutils/mac_nonet: Simple MAC framework policy to disable access to networking for certain group
Message-ID: <bug-219376-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219376

Bug ID: 219376
Summary: [NEW PORT] sysutils/mac_nonet: Simple MAC framework policy to disable access to networking for certain group
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs@FreeBSD.org
Reporter: amutu@amutu.com

Created attachment 182693
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=182693&action=edit
new port shar file

Simple MAC framework policy to disable access to networking for a certain group.

Run kldload mac_nonet.ko to load the kernel module. The load action requires root permissions.

Set the gid that shouldn't access the network:

    sysctl security.mac.nonet.gid=31337

and enable enforcing:

    sysctl security.mac.nonet.enabled=1

Any call to socket(2) from a user in this group will end with EPERM. You can also select a group that can access only AF_UNIX sockets with security.mac.nonet.local_gid.

WWW: https://github.com/pbiernacki/mac_nonet

-- 
You are receiving this mail because:
You are the assignee for the bug.
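
Added example, not part of the original message or of the mac_nonet project: a small C probe for confirming the socket(2) behaviour described above once the sysctls are set. The names probe_socket and classify are hypothetical; run the program as a user in the restricted group and as an unrestricted user to compare.

```c
/* Added example: checks the socket(2) behaviour described in the message. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum nonet_state { NONET_UNRESTRICTED, NONET_LOCAL_ONLY, NONET_BLOCKED, NONET_UNKNOWN };

/* Hypothetical helper: 0 if socket(2) succeeds for the domain, else errno. */
static int probe_socket(int domain)
{
    int fd = socket(domain, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Hypothetical helper: map the two probe results to what the message describes. */
static enum nonet_state classify(int inet_err, int unix_err)
{
    if (inet_err == 0 && unix_err == 0)
        return NONET_UNRESTRICTED;   /* caller's group is not restricted */
    if (inet_err == EPERM && unix_err == 0)
        return NONET_LOCAL_ONLY;     /* matches security.mac.nonet.local_gid */
    if (inet_err == EPERM && unix_err == EPERM)
        return NONET_BLOCKED;        /* matches security.mac.nonet.gid */
    return NONET_UNKNOWN;            /* some other failure; inspect errno */
}

int main(void)
{
    static const char *names[] = { "unrestricted", "AF_UNIX only", "no sockets", "unknown" };
    int inet_err = probe_socket(AF_INET);
    int unix_err = probe_socket(AF_UNIX);
    enum nonet_state st = classify(inet_err, unix_err);

    printf("AF_INET: %s\n", inet_err ? strerror(inet_err) : "ok");
    printf("AF_UNIX: %s\n", unix_err ? strerror(unix_err) : "ok");
    printf("result:  %s\n", names[st]);
    /* EPERM is consistent with the policy but does not prove which check denied the call. */
    return st == NONET_UNKNOWN ? 2 : 0;
}
```

The exit status is 2 when the two probes fail in a combination the message does not describe, so the probe can be used in a post-deployment check script.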