From: Robert Watson <rwatson@FreeBSD.org>
Date: Sun, 2 Mar 2003 15:01:42 -0800 (PST)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/conf NOTES files options src/sys/modules Makefile src/sys/modules/mac_portacl Makefile src/sys/security/mac_portacl mac_portacl.c
Message-Id: <200303022301.h22N1gds096425@repoman.freebsd.org>
X-FreeBSD-CVS-Branch: HEAD

rwatson     2003/03/02 15:01:42 PST

  FreeBSD src repository

  Modified files:
    sys/conf                 NOTES files options
    sys/modules              Makefile
  Added files:
    sys/modules/mac_portacl  Makefile
    sys/security/mac_portacl mac_portacl.c
  Log:
  A cute yet small MAC policy that provides a simple ACL mechanism to
  permit users and groups to bind ports for TCP or UDP, and is intended
  to be combined with the recently committed support for
  net.inet.ip.portrange.reservedhigh.  The policy is twiddled using
  sysctl(8).  To use this module, you will need to compile in MAC
  support, and probably set reservedhigh to 0, then twiddle
  security.mac.portacl.rules to set things as desired.

  This policy module only restricts ports explicitly bound using bind(),
  not implicitly bound ports where the port number is selected by the IP
  stack.  It appears to work properly in my local configuration, but
  needs more broad testing.

  A sample policy might be:

    # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"

  This permits uid 425 to bind TCP sockets to ports 79 and 80.  Currently
  no distinction is made for incoming vs. outgoing ports with TCP,
  although that would probably be easy to add.

  Obtained from:  TrustedBSD Project
  Sponsored by:   DARPA, Network Associates Laboratories

  Revision  Changes    Path
  1.1132    +1 -0      src/sys/conf/NOTES
  1.764     +1 -0      src/sys/conf/files
  1.376     +1 -0      src/sys/conf/options
  1.307     +1 -0      src/sys/modules/Makefile
  1.1       +9 -0      src/sys/modules/mac_portacl/Makefile (new)
  1.1       +485 -0    src/sys/security/mac_portacl/mac_portacl.c (new)
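As an added illustration, not code from mac_portacl.c itself, here is a small user-space C model of the rule string the log message shows and of the default-deny lookup it implies: a rule matches on subject, protocol and port, and a bind() with no matching rule is refused. The "gid:" subject keyword is assumed by analogy with "uid:" and the log's mention of groups, and the whole string is rejected if any entry is malformed.

```c
#include <stdio.h>
#include <string.h>
/* One parsed rule: subject (uid, or gid as an assumed keyword), proto, port. */
struct portacl_rule { int is_gid; unsigned long id; int is_udp; unsigned short port; };

/* Parse "uid:425:tcp:80,uid:425:tcp:79" into rules[]; returns the rule count,
 * or -1 if any entry is malformed so a bad string is rejected as a whole. */
int portacl_parse(const char *spec, struct portacl_rule *rules, int max)
{
	const char *p = spec; int n = 0;
	while (*p != '\0') {
		char subj[8], proto[8];
		unsigned long id, port; int used = 0;
		if (n >= max || sscanf(p, "%7[^:]:%lu:%7[^:]:%lu%n",
		    subj, &id, proto, &port, &used) != 4)
			return -1;
		p += used;
		if (*p == ',')
			p++;
		else if (*p != '\0')
			return -1;		/* junk after the port number */
		rules[n].is_gid = strcmp(subj, "gid") == 0;
		rules[n].is_udp = strcmp(proto, "udp") == 0;
		if ((!rules[n].is_gid && strcmp(subj, "uid") != 0) ||
		    (!rules[n].is_udp && strcmp(proto, "tcp") != 0) || port > 65535)
			return -1;		/* unknown subject/protocol keyword or bad port */
		rules[n].id = id;
		rules[n].port = (unsigned short)port;
		n++;
	}
	return n;
}

/* 1 if a process with this uid and group list may bind(2) proto/port, else 0. */
int portacl_check(const struct portacl_rule *rules, int n, unsigned long uid,
    const unsigned long *gids, int ngids, int is_udp, unsigned short port)
{
	int i, j;
	for (i = 0; i < n; i++) {
		if (rules[i].is_udp != is_udp || rules[i].port != port)
			continue;
		if (!rules[i].is_gid && rules[i].id == uid)
			return 1;
		for (j = 0; rules[i].is_gid && j < ngids; j++)
			if (gids[j] == rules[i].id)
				return 1;
	}
	return 0;	/* default deny: no rule, no bind */
}
```

An empty rule string parses to zero rules, so with reservedhigh set to 0 nobody can bind a low port until rules are added.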