OpenBSD Network ACLs for i386

About

Many system administrators want to restrict their local users even further, e.g. deny network access to a particular user, or allow a bind on port 994 for your ircd. You can't do this with the OpenBSD packet filter pf. Therefore I started to write a kernel patch that restricts bind() and connect() for specific users.

To do this I created an object (void *) that defines a rule. To tell the kernel about a new rule you use the ioctl() function on the /dev/acl pseudo device. This user-defined object can then be checked with the kernel function aclcheck(), which compares variables or data; which data are compared, and how, depends on the rule's mode. To add this check to a kernel function you simply include kern/aclvar.h in the kernel source file, call aclcheck() and check its return code.
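As an added illustration of the check the patch performs (this is not the patch's own code or API; the page does not show its rule structure or ioctl numbers), here is a userland model in C using hypothetical names (struct acl_rule, aclcheck_model, ACL_BIND, ACL_CONNECT): a rule list keyed by uid, system call and port where the first match wins, with the two cases from above, an ircd user allowed to bind port 994 and a user with no network access at all.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

enum acl_syscall { ACL_BIND = 1, ACL_CONNECT = 2 };   /* hypothetical names */
enum acl_action  { ACL_DENY = 0, ACL_ALLOW = 1 };

struct acl_rule {                /* hypothetical layout, not the patch's own */
    uid_t uid;                   /* user the rule applies to */
    int   calls;                 /* bitmask of ACL_BIND | ACL_CONNECT */
    int   port;                  /* 0 = any port */
    int   action;                /* ACL_ALLOW or ACL_DENY */
};

/* Constructed sample rule list: uid 1001 (ircd) may bind port 994,
 * uid 1002 gets no network access at all. First match wins. */
static const struct acl_rule rules[] = {
    { 1001, ACL_BIND,               994, ACL_ALLOW },
    { 1002, ACL_BIND | ACL_CONNECT,   0, ACL_DENY  },
};

/* Stand-in for the kernel's aclcheck(): 0 = allowed, EACCES = denied.
 * If no rule matches, fall back to the usual reserved-port rule
 * (only uid 0 may bind a port below 1024); connect() is otherwise free. */
int aclcheck_model(uid_t uid, int call, int port)
{
    size_t i;
    for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        const struct acl_rule *r = &rules[i];
        if (r->uid != uid || !(r->calls & call))
            continue;
        if (r->port != 0 && r->port != port)
            continue;
        return r->action == ACL_ALLOW ? 0 : EACCES;
    }
    if (call == ACL_BIND && port < 1024 && uid != 0)
        return EACCES;
    return 0;
}

int main(void)
{
    printf("uid 1001 bind 994:   %d\n", aclcheck_model(1001, ACL_BIND, 994));
    printf("uid 1001 bind 993:   %d\n", aclcheck_model(1001, ACL_BIND, 993));
    printf("uid 1002 connect 80: %d\n", aclcheck_model(1002, ACL_CONNECT, 80));
    printf("uid 1003 connect 80: %d\n", aclcheck_model(1003, ACL_CONNECT, 80));
    return 0;
}
```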

Details

The ACL is realized as a pseudo device with an internal rule list (like pf). The communication between userland and kernel is done via ioctl. The major number I used for the device is 78 (well, it was the next free number). For more details have a look at README

Examples

Here you can find an example for the ACL.

Install

Download the OpenBSD 3.1 src from cvs or from the OpenBSD ftp server, plus openbsdacl-3.1-0.0.1.tar.gz. Then do the following steps:
# cd /tmp
# tar xfz openbsdacl-3.1-0.0.1.tar.gz
# cd /usr
# patch -p0 < /tmp/openbsdacl-3.1-0.0.1/src-3.1-ubf.diff
# cp /tmp/openbsdacl-3.1-0.0.1/acl.c /tmp/openbsdacl-3.1-0.0.1/aclvar.h /usr/src/sys/kern
# cd /usr/src/sys/arch/i386/conf
# cp GENERIC MYKERNEL
Edit MYKERNEL and add the line
pseudo-device   acl             1
The "1" stands for one device.
# config MYKERNEL 
# cd ../compile/MYKERNEL
# make
# make install
# reboot
Now create the ubf device node (a character device with major number 78):
# mknod /dev/acl c 78 0
# chmod 600 /dev/acl
And now test it:
# ./aclctl -e
Enable UPF ...
#

History

  • version 0.0.2
  • version 0.0.1
  • andi@segfault.net