path: root/share/man/man4/mac_portacl.4
author: chris <chris@FreeBSD.org> 2003-03-31 08:10:10 +0000
committer: chris <chris@FreeBSD.org> 2003-03-31 08:10:10 +0000
commit: 2fbb955545faec0ad37a674e912f856e76adb309 (patch)
tree: 00d583f5ff23e1c3a04a1447a24a3bcdffa79149 /share/man/man4/mac_portacl.4
parent: 312b86743c2cf843852761ee4f30180da5f171c0 (diff)
download: FreeBSD-src-2fbb955545faec0ad37a674e912f856e76adb309.zip
FreeBSD-src-2fbb955545faec0ad37a674e912f856e76adb309.tar.gz
Document the new mac_portacl(4) policy.
Sponsored by: DARPA, Network Associates Laboratories
Obtained from: TrustedBSD Project
Diffstat (limited to 'share/man/man4/mac_portacl.4')
-rw-r--r-- share/man/man4/mac_portacl.4 | 156
1 file changed, 156 insertions, 0 deletions
diff --git a/share/man/man4/mac_portacl.4 b/share/man/man4/mac_portacl.4
new file mode 100644
index 0000000..41a2fd8
--- /dev/null
+++ b/share/man/man4/mac_portacl.4
@@ -0,0 +1,156 @@
+.\" Copyright (c) 2003 Networks Associates Technology, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by Chris Costello
+.\" at Safeport Network Services and Network Associates Labs, the
+.\" Security Research Division of Network Associates, Inc. under
+.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+.\" DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.Dd MARCH 11, 2003
+.Dt MAC_PORTACL 4
+.Sh NAME
+.Nm mac_portacl
+.Nd network port access control policy
+.Sh SYNOPSIS
+To compile the port access control policy into your kernel,
+place the following lines in your kernel
+configuration file:
+.Cd "options MAC"
+.Cd "options MAC_PORTACL"
+.Pp
+Alternately, to load the port access control policy module at boot time,
+place the following line in your kernel configuration file:
+.Cd "options MAC"
+.Pp
+and in
+.Xr loader.conf 5 :
+.Cd mac_portacl_load= Ns \&"YES"
+.Sh DESCRIPTION
+The
+.Nm
+policy allows administrators to administratively limit binding to
+local UDP and TCP ports via the
+.Xr sysctl 8
+interface.
+.Pp
+In order to enable the
+.Nm
+policy, MAC policy must be enforced on sockets
+(see
+.Xr mac 4 ) ,
+and the port(s) protected by
+.Nm
+must not be included in the range specified by
+the
+.Va net.inet.ip.portrange.reservedlow
+and
+.Va net.inet.ip.portrange.reservedhigh
+.Xr sysctl 8
+MIBs.
+.Ss Runtime Configuration
+The port access control list is specified in the
+.Va security.mac.portacl.rules
+.Xr sysctl 8
+MIB in the following format:
+.Pp
+.Sm off
+.Bd -literal -offset indent
+.Sy idtype
+.Li :
+.Sy id
+.Li :
+.Sy protocol
+.Li :
+.Sy port
+.Li [,
+.Sy idtype
+.Li :
+.Sy id
+.Li :
+.Sy protocol
+.Li :
+.Sy port
+.Li ,...]
+.Ed
+.Sm on
+.Pp
+.Bl -tag -width protocol
+.It Sy idtype
+Describes the type of subject match to be performed.
+Either
+.Li uid
+for userid matching, or
+.Li gid
+for group ID matching.
+.It Sy id
+The user or group ID (depending on
+.Sy idtype )
+allowed to bind to the specified port.
+.Bf -emphasis
+NOTE: User and group names are not valid; only the actual ID numbers
+may be used.
+.Ef
+.It Sy protocol
+Describes which protocol this entry applies to.
+Either
+.Li tcp
+or
+.Li udp
+are supported.
+.It Sy port
+Describes which port this entry applies to.
+.Bf -emphasis
+NOTE: MAC security policies may not override other security system policies
+by allowing accesses that they may deny, such as
+.Va net.inet.ip.portrange.reservedlow /
+.Va net.inet.ip.portrange.reservedhigh .
+.Ef
+If the specified port falls within the range specified, the
+.Nm
+entry will not function
+(i.e. even the specified user/group may not be able to bind to the specified
+port).
+.El
+.Sh SEE ALSO
+.Xr mac 3 ,
+.Xr mac_biba 4 ,
+.Xr mac_bsdextended 4 ,
+.Xr mac_ifoff 4 ,
+.Xr mac_mls 4 ,
+.Xr mac_none 4 ,
+.Xr mac_partition 4 ,
+.Xr mac_seeotheruids 4 ,
+.Xr mac_test 4 ,
+.Xr mac 9
+.Sh HISTORY
+MAC first appeared in
+.Fx 5.0 .
+.Sh AUTHORS
+This software was contributed to the
+.Fx
+Project by NAI Labs, the Security Research Division of Network Associates
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+as part of the DARPA CHATS research program.
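Review bot: the `.Dd MARCH 11, 2003` line spells the month in capitals; mdoc pages in the tree use mixed case (`.Dd March 11, 2003`), so this should be corrected before commit. Two further points in this hunk. The caveat that ports inside the `net.inet.ip.portrange.reservedlow`/`reservedhigh` range are not governed by the policy is stated twice, once under DESCRIPTION and again under the `port` item, and the second copy ("MAC security policies may not override other security system policies by allowing accesses that they may deny") is vaguer than the first; keep a single clear statement, preferably the one that says outright that an entry for such a port has no effect even for the listed user or group, since that is the failure mode an administrator will actually hit. The page documents the rule grammar (`idtype:id:protocol:port[,...]`) but never shows a concrete rule; an EXAMPLES section with one rule built from that grammar, for instance `uid:80:tcp:80` to permit uid 80 to bind TCP port 80 (a constructed illustration), set via `sysctl security.mac.portacl.rules=...` as the DESCRIPTION implies, together with the `net.inet.ip.portrange` adjustment the caveat requires, would make the format much easier to apply correctly. Finally, HISTORY records only that MAC appeared in FreeBSD 5.0 and says nothing about when the mac_portacl policy itself was added, which is the fact a reader of this page wants.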