Provided by: freebsd-manpages_12.2-1_all bug


     mac_portacl — network port access control policy


     To compile the port access control policy into your kernel, place the following lines in
     your kernel configuration file:

           options MAC
           options MAC_PORTACL

     Alternately, to load the port access control policy module at boot time, place the following
     line in your kernel configuration file:

           options MAC

     and in loader.conf(5):



     The mac_portacl policy allows administrators to administratively limit binding to local UDP
     and TCP ports via the sysctl(8) interface.

     In order to enable the mac_portacl policy, MAC policy must be enforced on sockets (see
     mac(4)), and the port(s) protected by mac_portacl must not be included in the range
     specified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh
     sysctl(8) MIBs.

     The mac_portacl policy only affects ports explicitly bound by a user process (either for a
     listen/outgoing TCP socket, or a send/receive UDP socket).  This policy will not limit ports
     bound implicitly for outgoing connections where the process has not explicitly selected a
     port: these are automatically selected by the IP stack.

     When mac_portacl is enabled, it will control binding access to ports up to the port number
     set in the security.mac.portacl.port_high sysctl(8) variable.  By default, all attempts to
     bind to mac_portacl controlled ports will fail if not explicitly allowed by the port access
     control list, though binding by the superuser will be allowed, if the sysctl(8) variable
     security.mac.portacl.suser_exempt is set to a non-zero value.

   Runtime Configuration
     The following sysctl(8) MIBs are available for fine-tuning the enforcement of this MAC
     policy.  All sysctl(8) variables, except security.mac.portacl.rules, can also be set as
     loader(8) tunables in loader.conf(5).

             Enforce the mac_portacl policy.  (Default: 1).

             The highest port number mac_portacl will enforce rules for.  (Default: 1023).

             The port access control list is specified in the following format:


             idtype    Describes the type of subject match to be performed.  Either uid for user
                       ID matching, or gid for group ID matching.

             id        The user or group ID (depending on idtype) allowed to bind to the
                       specified port.  NOTE: User and group names are not valid; only the actual
                       ID numbers may be used.

             protocol  Describes which protocol this entry applies to.  Either tcp or udp are

             port      Describes which port this entry applies to.  NOTE: MAC security policies
                       may not override other security system policies by allowing accesses that
                       they may deny, such as net.inet.ip.portrange.reservedlow /
                       net.inet.ip.portrange.reservedhigh.  If the specified port falls within
                       the range specified, the mac_portacl entry will not function (i.e., even
                       the specified user/group may not be able to bind to the specified port).

             Allow superuser (i.e., root) to bind to all mac_portacl protected ports, even if the
             port access control list does not explicitly allow this.  (Default: 1).

             Allow applications to use automatic binding to port 0.  Applications use port 0 as a
             request for automatic port allocation when binding an IP address to a socket.  This
             tunable will exempt port 0 allocation from rule checking.  (Default: 1).


     mac(3), ip(4), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_mls(4), mac_none(4),
     mac_partition(4), mac_seeotheruids(4), mac_test(4), mac(9)


     MAC first appeared in FreeBSD 5.0 and mac_portacl first appeared in FreeBSD 5.1.


     This software was contributed to the FreeBSD Project by NAI Labs, the Security Research
     Division of Network Associates Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”),
     as part of the DARPA CHATS research program.