Module name: mac_portacl.ko
Kernel configuration line: MAC_PORTACL
Boot option: mac_portacl_load="YES"
The mac_portacl(4) module is used to limit binding to local TCP and UDP ports using a variety of sysctl variables. mac_portacl(4) makes it possible to allow non-root users to bind to specified privileged ports below 1024.
Once loaded, this module enables the MAC policy on all sockets. The following tunables are available:

security.mac.portacl.enabled
    Enables or disables the policy completely.

security.mac.portacl.port_high
    Sets the highest port number that mac_portacl(4) protects.

security.mac.portacl.suser_exempt
    When set to a non-zero value, exempts the root user from this policy.
security.mac.portacl.rules
    Specifies the mac_portacl policy, which is a text string of the form rule[,rule,...] with as many rules as needed. Each rule is of the form idtype:id:protocol:port. The idtype parameter can be uid or gid and is used to interpret the id parameter as either a user id or group id, respectively. The protocol parameter is used to determine if the rule should apply to TCP or UDP by setting the parameter to tcp or udp. The final port parameter is the port number to allow the specified user or group to bind to.
Note: Since the ruleset is interpreted directly by the kernel, only numeric values can be used for the user ID, group ID, and port parameters. Names cannot be used for users, groups, or services.
By default, ports below 1024 can only be used by or bound to privileged processes, which run as root. For mac_portacl(4) to allow non-privileged processes to bind to ports below 1024, this restriction has to be disabled by setting the sysctl(8) variables net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh to zero:

# sysctl security.mac.portacl.port_high=1023
# sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0
See the examples below or refer to mac_portacl(4) for further information.
Since the root user should not be crippled by this policy, this example starts by setting security.mac.portacl.suser_exempt to a non-zero value.
# sysctl security.mac.portacl.suser_exempt=1
Next, allow the user with UID 80 to bind to port 80. This allows the www user to run a web server without ever having root privilege.
# sysctl security.mac.portacl.rules=uid:80:tcp:80
The next example permits the user with the UID of 1001 to bind to the TCP ports 110 (“pop3”) and 995 (“pop3s”). This permits this user to start a server that accepts connections on ports 110 and 995.
# sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995
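The tunables, the rule grammar and the four-step procedure above fit together into one sysctl.conf fragment, and a typo in the rules string is easy to make because names are not accepted. The following POSIX sh script is an added example, not part of the FreeBSD Handbook or the mac_portacl(4) module: it checks each rule against the idtype:id:protocol:port grammar (numeric id and port only, port not above port_high) and then emits the complete set of sysctl lines. The function names, the default port_high of 1023 and the sample rules are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the FreeBSD Handbook): validate a mac_portacl rules
# string and emit the matching sysctl.conf lines.  Assumes POSIX sh.
set -f   # rule strings must never be glob-expanded while splitting

# portacl_check_rule RULE [PORT_HIGH]
# Returns 0 when RULE is idtype:id:protocol:port with idtype in {uid,gid},
# a numeric id, protocol in {tcp,udp}, and a numeric port <= PORT_HIGH.
portacl_check_rule() {
    rule=$1
    port_high=${2:-1023}   # assumed default, mirrors security.mac.portacl.port_high
    case $port_high in ''|*[!0-9]*) return 1 ;; esac
    IFS=:; set -- $rule; unset IFS   # split on ':' and restore default splitting
    [ $# -eq 4 ] || return 1
    idtype=$1; id=$2; proto=$3; port=$4
    case $idtype in uid|gid) ;; *) return 1 ;; esac
    case $id in ''|*[!0-9]*) return 1 ;; esac        # numeric ids only, no names
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac      # numeric ports only, no services
    [ "$port" -le "$port_high" ] || return 1         # outside port_high it is not protected
    return 0
}

# portacl_check_rules RULES [PORT_HIGH]
# Validates every comma-separated rule; names the first bad rule on stderr.
portacl_check_rules() {
    rules=$1
    port_high=${2:-1023}
    IFS=,; set -- $rules; unset IFS
    [ $# -ge 1 ] || return 1
    for r in "$@"; do
        portacl_check_rule "$r" "$port_high" || { echo "bad rule: $r" >&2; return 1; }
    done
    return 0
}

# portacl_sysctl_conf RULES [PORT_HIGH]
# Prints the full configuration described on this page: enable the policy,
# set port_high, exempt root, open the reserved range, then install the rules.
# Refuses to print anything if the rules string does not validate.
portacl_sysctl_conf() {
    rules=$1
    port_high=${2:-1023}
    portacl_check_rules "$rules" "$port_high" || return 1
    printf '%s\n' \
        "security.mac.portacl.enabled=1" \
        "security.mac.portacl.port_high=$port_high" \
        "security.mac.portacl.suser_exempt=1" \
        "net.inet.ip.portrange.reservedlow=0" \
        "net.inet.ip.portrange.reservedhigh=0" \
        "security.mac.portacl.rules=$rules"
}

# Usage: sh portacl_rules.sh 'uid:80:tcp:80,uid:1001:tcp:110' [port_high]
if [ $# -gt 0 ]; then
    portacl_sysctl_conf "$1" "${2:-1023}"
fi
```

Running it with the www example from the page prints six lines ready to append to /etc/sysctl.conf; a rule such as www:80:tcp:80 or uid:80:tcp:http is rejected before anything is written, which is the check a practitioner wants since the kernel parses the string with no name lookups.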