Bug 273208 - An rc script for mac_portacl(4)
Summary: An rc script for mac_portacl(4)
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: Unspecified
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-rc (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-18 16:13 UTC by Thomas Hurst
Modified: 2023-08-22 02:19 UTC (History)
CC List: 2 users

See Also:


Attachments
Dreaming of being /etc/rc.d/portacl (4.19 KB, application/x-shellscript)
2023-08-18 16:13 UTC, Thomas Hurst
Updated script (4.69 KB, application/x-shellscript)
2023-08-20 15:39 UTC, Thomas Hurst

Description Thomas Hurst 2023-08-18 16:13:07 UTC
Created attachment 244195
Dreaming of being /etc/rc.d/portacl

mac_portacl(4) is a kernel module providing access control policy for network service port binding, allowing for specified users and groups to bind to otherwise root-privileged ports.

Currently, to make use of this, the module must be loaded, the rules set in a sysctl in a single line with only numeric IDs allowed, and the stock reserved ports sysctl needs to be set to disable enforcement.

For example, allowing user www, uid 80 to bind to ports http and https:

  net.inet.ip.portrange.reservedhigh=0
  security.mac.portacl.rules="uid:80:tcp:80,uid:80:tcp:443"

Attached is the first-cut of an rc script which allows for configuration using only rc.conf variables, including mapping user and service names to their numeric equivalents.

For example the above configuration would be achieved with:

  portacl_enable="YES"
  portacl_users="www"
  portacl_user_www_tcp="http https"

This uses dynamic variables of the form portacl_{user,group}_${name}_{tcp,udp} to configure each portion of the ruleset.

Existing raw rules can be combined:

  portacl_additional_rules="uid:143:tcp:993"

Existing rules and other relevant oids set in /etc/sysctl.conf{,.local} are overridden, but a warning is issued if any are found.

Development is currently taking place here: https://github.com/Freaky/portacl
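The following is an added example, not the attached rc script or the GitHub project's code, showing the mapping the description outlines: rc.conf-style portacl_{user,group}_${name}_{tcp,udp} variables are resolved to numeric IDs and port numbers and joined into the single-line security.mac.portacl.rules value, with portacl_additional_rules appended. It goes slightly beyond the report by also handling group rules and by warning about and skipping unresolvable or out-of-range ports (the validation described in the second attachment). All function names are hypothetical, and the passwd, group and services tables are constructed stand-ins for /etc/passwd, /etc/group and /etc/services so the script runs anywhere; a real rc script would consult those files (or id(1)) instead.

```shell
#!/bin/sh
# Added example, not the attached rc script: build the value of
# security.mac.portacl.rules from rc.conf-style portacl_* variables.
# The tables below are constructed stand-ins for /etc/passwd,
# /etc/group and /etc/services so the example runs offline.
PASSWD_TABLE="www:80"
GROUP_TABLE="mail:6"
# name port/proto [aliases...]
SERVICES_TABLE="http 80/tcp www www-http
https 443/tcp
imaps 993/tcp
domain 53/udp"

# Sample rc.conf settings (constructed; www/http/https and the
# additional rule are the values from the report).
portacl_users="www"
portacl_user_www_tcp="http https"
portacl_groups="mail"
portacl_group_mail_tcp="imaps"
portacl_additional_rules="uid:143:tcp:993"

# portacl_id user|group NAME -> numeric id; numeric input passes
# through unchanged. Returns 1 for an unknown name.
portacl_id() {
    case "$2" in ''|*[!0-9]*) ;; *) echo "$2"; return 0 ;; esac
    if [ "$1" = user ]; then table=$PASSWD_TABLE; else table=$GROUP_TABLE; fi
    echo "$table" | awk -F: -v n="$2" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# portacl_port NAME PROTO -> port number, matching service names and
# aliases for that protocol; numeric input passes through unchanged.
portacl_port() {
    case "$1" in ''|*[!0-9]*) ;; *) echo "$1"; return 0 ;; esac
    echo "$SERVICES_TABLE" | awk -v n="$1" -v p="$2" '
        { split($2, pp, "/"); if (pp[2] != p) next
          for (i = 1; i <= NF; i++)
              if (i != 2 && $i == n) { print pp[1]; found = 1; exit } }
        END { exit !found }'
}

# portacl_append LIST ITEM -> LIST,ITEM with empty sides dropped.
portacl_append() {
    if [ -n "$1" ] && [ -n "$2" ]; then echo "$1,$2"; else echo "$1$2"; fi
}

# portacl_rules user|group NAME PROTO "PORTS..." -> comma-separated
# rules such as uid:80:tcp:80,uid:80:tcp:443. Unresolvable or
# out-of-range ports are warned about and skipped, not fatal.
portacl_rules() {
    kind=$1 name=$2 proto=$3 ports=$4
    case "$kind" in user) pfx=uid ;; group) pfx=gid ;; *) return 1 ;; esac
    id=$(portacl_id "$kind" "$name") || {
        echo "portacl: unknown $kind '$name'" >&2; return 1; }
    out=
    for svc in $ports; do
        if ! port=$(portacl_port "$svc" "$proto"); then
            echo "portacl: skipping unknown $proto service '$svc'" >&2
            continue
        fi
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "portacl: skipping out-of-range port $port" >&2
            continue
        fi
        out=$(portacl_append "$out" "$pfx:$id:$proto:$port")
    done
    echo "$out"
}

# portacl_ruleset -> the complete rules string, walking the dynamic
# variables portacl_{user,group}_${name}_{tcp,udp} and appending
# portacl_additional_rules last.
portacl_ruleset() {
    rules=
    for kind in user group; do
        eval names=\"\${portacl_${kind}s:-}\"
        for n in $names; do
            case "$n" in *[!A-Za-z0-9_]*)
                echo "portacl: cannot map '$n' to a variable name, skipping" >&2
                continue ;;
            esac
            for proto in tcp udp; do
                eval ports=\"\${portacl_${kind}_${n}_${proto}:-}\"
                [ -n "$ports" ] || continue
                if r=$(portacl_rules "$kind" "$n" "$proto" "$ports"); then
                    rules=$(portacl_append "$rules" "$r")
                fi
            done
        done
    done
    portacl_append "$rules" "${portacl_additional_rules:-}"
}

# The rc script would hand this to sysctl(8) as security.mac.portacl.rules.
portacl_ruleset
```

With the sample settings above this prints uid:80:tcp:80,uid:80:tcp:443,gid:6:tcp:993,uid:143:tcp:993. Note that net.inet.ip.portrange.reservedhigh=0 only makes sense once mac_portacl is loaded and enforcing: on its own it removes the reserved-port restriction for every user, so the rc script should set it after the module and rules are in place.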
Comment 1 Mina Galić freebsd_triage 2023-08-18 17:49:49 UTC
Thank you so much for opening this issue!
can you add the documentation to `rc.conf(5)` and the defaults to `/etc/defaults/rc.conf` ?

maybe it'd be easier to do this on GitHub?
Comment 2 Thomas Hurst 2023-08-20 15:39:38 UTC
Created attachment 244227
Updated script

* Add printrules command
* Support aliases in /etc/services
* Validate rules, warn about and filter out invalid ones so one bad rule does not invalidate the entire ruleset
* Add options for all other mac_portacl settings
* Various cleanups
Comment 3 Thomas Hurst 2023-08-22 02:19:49 UTC
(In reply to Mina Galić from comment #1)

GitHub has a first cut of an updated rc.conf(5).

I've put together a port so it can get some wider use, and once I'm sure I'm done with the churn I'll see about putting together a full patch for review.