[Bug 273208] An rc script for mac_portacl(4)

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 18 Aug 2023 16:13:07 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273208

            Bug ID: 273208
           Summary: An rc script for mac_portacl(4)
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: conf
          Assignee: bugs@FreeBSD.org
          Reporter: tom@hur.st

Created attachment 244195
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=244195&action=edit
Dreaming of being /etc/rc.d/portacl

mac_portacl(4) is a kernel module providing access control policy for network
service port binding, allowing for specified users and groups to bind to
otherwise root-privileged ports.

Currently, to make use of this, the module must be loaded, the rules set in a
sysctl as a single line with only numeric IDs allowed, and the stock reserved
ports sysctl needs to be set to disable enforcement.

For example, allowing user www (uid 80) to bind to ports http and https:

  net.inet.ip.portrange.reservedhigh=0
  security.mac.portacl.rules="uid:80:tcp:80,uid:80:tcp:443"

Attached is a first cut of an rc script which allows for configuration using
only rc.conf variables, including mapping user and service names to their
numeric equivalents.

For example the above configuration would be achieved with:

  portacl_enable="YES"
  portacl_users="www"
  portacl_user_www_tcp="http https"

This uses dynamic variables of the form portacl_{user,group}_${name}_{tcp,udp}
to configure each portion of the ruleset.

Existing raw rules can be combined:

  portacl_additional_rules="uid:143:tcp:993"

Existing rules and other relevant oids set in /etc/sysctl.conf{,.local} are
overridden, but a warning is issued if any are found.
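As an added illustration (this is not the attached rc script nor code from the
Freaky/portacl repository), the POSIX sh sketch below shows how rc.conf-style
variables of the form portacl_user_${name}_{tcp,udp} plus
portacl_additional_rules can be assembled into a security.mac.portacl.rules
string. The user and service tables are constructed so the example runs
offline; a real script would consult `id -u` and `getent services` (or
/etc/services) instead, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: build a security.mac.portacl.rules value from rc.conf-style
# portacl_* variables, mapping user and service names to numeric IDs.

# Constructed lookup tables so the example runs offline. A real rc script
# would use `id -u "$name"` and `getent services "$name"` here instead.
PASSWD_TABLE="www:80
imap:143"
SERVICES_TABLE="http:80
https:443
imaps:993
domain:53"

# Print the numeric id for a name from a "name:id" table; pass numbers through.
lookup_numeric() {
    # $1 = table, $2 = name or number
    case "$2" in
        ''|*[!0-9]*)
            printf '%s\n' "$1" | awk -F: -v n="$2" '$1==n {print $2; f=1} END {exit !f}' ;;
        *)
            printf '%s\n' "$2" ;;
    esac
}

resolve_uid()  { lookup_numeric "$PASSWD_TABLE" "$1"; }
resolve_port() { lookup_numeric "$SERVICES_TABLE" "$1"; }

# Assemble the rule string. portacl_users lists user names; for each one,
# portacl_user_<name>_tcp and portacl_user_<name>_udp list the services it may
# bind. Anything in portacl_additional_rules is appended verbatim.
build_portacl_rules() {
    rules=""
    for user in $portacl_users; do
        uid=$(resolve_uid "$user") || { echo "portacl: unknown user: $user" >&2; return 1; }
        # Shell variable names cannot contain '-' or '.', so map such
        # characters in the user name to '_' before the eval lookup.
        var=$(printf '%s' "$user" | tr -c 'A-Za-z0-9_' '_')
        for proto in tcp udp; do
            eval "services=\${portacl_user_${var}_${proto}}"
            for svc in $services; do
                port=$(resolve_port "$svc") || { echo "portacl: unknown service: $svc" >&2; return 1; }
                rules="${rules:+$rules,}uid:$uid:$proto:$port"
            done
        done
    done
    for raw in $portacl_additional_rules; do
        rules="${rules:+$rules,}$raw"
    done
    printf '%s\n' "$rules"
}

# Demo with the configuration from the report plus a udp entry and a raw rule.
portacl_users="www"
portacl_user_www_tcp="http https"
portacl_user_www_udp="domain 5353"
portacl_additional_rules="uid:143:tcp:993"
build_portacl_rules
# Prints: uid:80:tcp:80,uid:80:tcp:443,uid:80:udp:53,uid:80:udp:5353,uid:143:tcp:993
```

The resulting string is what would be handed to
`sysctl security.mac.portacl.rules=...` alongside
`net.inet.ip.portrange.reservedhigh=0`; an unknown user or service name aborts
rule generation rather than emitting a partial ruleset.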

Development is currently taking place here: https://github.com/Freaky/portacl
