Create mac_portacl subsystem to allow binding of privileged ports for non privileged users. #7419

Closed · 2 tasks done
Monviech opened this issue Apr 30, 2024 · 1 comment

Comments

@Monviech
Member

Monviech commented Apr 30, 2024


Is your feature request related to a problem? Please describe.

All FreeBSD ports (especially webservers) that run on ports below >1024 can't bind their ports (e.g. 80 and 443) as non-root superusers. For security, a webserver shouldn't need to run as root, and should run as a non-privileged user and group, for example www:www.

Describe the solution you like

With mac_portacl, an application running with non-privileged users like www:www can be allowed to bind ports >1024. portacl-rc can be used to control the needed rules easily via rc.d files.

Core would need to implement the following:

1. Tunables to enable mac_portacl:

   - `mac_portacl_load="YES"` - This would enable the load of mac_portacl.
   - `security.mac.portacl.enabled="1"` - This enables the mac_portacl policy.
   - `security.mac.portacl.suser_exempt="1"` - Exempts applications running with root from mac_portacl.
   - `security.mac.portacl.autoport_exempt="1"` - Exempts applications binding to port 0 from mac_portacl.
   - `sysctl security.mac.portacl.port_high="1023"` - Sets the highest port which mac_portacl controls with its policy.
   - `net.inet.ip.portrange.reservedlow="0"` and `net.inet.ip.portrange.reservedhigh="0"` - These two tunables have to be set for the policy to work. https://docs.freebsd.org/en/books/handbook/mac/#mac-portacl

2. portacl-rc has to be installed and configured; it exists in the OPNsense ports:

   ```
   root@OPNsense:~ # cat /etc/rc.conf.d/portacl
   portacl_enable="YES"
   portacl_users="www"
   portacl_user_www_tcp="http https"
   portacl_user_www_udp="https"
   ```

- That's all. Now this change is transparent for all existing superuser applications, but enables the www:www user to run applications that bind to ports 80 and 443.
- More portacl_users can be easily added, allowing other applications and users to leverage this security subsystem.

Describe alternatives you considered

Leaving all applications running with root:wheel that require privileged ports (like 80,443...)

Additional context

Related to this:
opnsense/plugins#3946

With this subsystem in place, the only change I would need for caddy (or others would have to change in their plugins) is this in the rc.d.conf:

```
root@OPNsense:~ # cat /etc/rc.conf.d/caddy
caddy_enable="YES"
caddy_user="www"
caddy_group="www"
```

This whole addition can be leveraged by multiple plugins in present and future for a more secure OPNsense environment.

@Monviech
Member Author

Monviech commented May 3, 2024

Update: options MAC is not needed in sysctl.conf, because it has been enabled by default since FreeBSD 7.2.

https://en.wikipedia.org/wiki/Mandatory_access_control

Update 2: Setting security.mac.portacl.port_high to 0 instead of 1023 will allow any unprivileged user to bind to any port, which makes the user ruleset management redundant. So it gets even easier and there is literally no maintenance needed anymore. mac_portacl is not needed anymore with that. I guess not... would have been too easy.
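To make the two comments above concrete (the tunables plus portacl-rc rules in the first, and the `port_high=0` observation in the update), here is an added worked example that is not part of the issue, of OPNsense, or of portacl-rc. It translates portacl-rc style settings (`portacl_user_www_tcp="http https"`) into the `security.mac.portacl.rules` string that the kernel policy consumes (`uid:<id>:<proto>:<port>`, comma separated), and then models the policy decision for a given uid/protocol/port. The uid and service tables are constructed for the example; the real portacl-rc resolves them from the password database and /etc/services. The model assumes `reservedlow`/`reservedhigh` are both 0, exactly as the issue requires, so the kernel's own reserved-port check does not interfere.

```shell
#!/bin/sh
# Added example: build a mac_portacl rule string from portacl-rc style
# settings and model the allow/deny decision. Not OPNsense or portacl-rc code.

# Constructed uid table (assumption: mirrors the usual FreeBSD ids).
uid_of() {
    case "$1" in
        root) echo 0 ;;
        www)  echo 80 ;;
        *)    return 1 ;;
    esac
}

# Constructed service table (assumption: the relevant /etc/services entries).
# Numeric values pass through unchanged, as portacl-rc also accepts them.
port_of() {
    case "$1" in
        http)   echo 80 ;;
        https)  echo 443 ;;
        [0-9]*) echo "$1" ;;
        *)      return 1 ;;
    esac
}

# build_rules USER PROTO "SVC1 SVC2 ..." -> "uid:80:tcp:80,uid:80:tcp:443"
build_rules() {
    user="$1"; proto="$2"; services="$3"
    id=$(uid_of "$user") || return 1
    out=""
    for svc in $services; do
        p=$(port_of "$svc") || return 1
        out="${out:+$out,}uid:$id:$proto:$p"
    done
    printf '%s' "$out"
}

# is_allowed RULES UID PROTO PORT PORT_HIGH SUSER_EXEMPT -> "allow" | "deny"
# Models the policy as the handbook describes it (with reservedlow/high = 0):
#   * uid 0 is exempt when suser_exempt=1
#   * ports above port_high are outside the policy and always allowed
#   * any other port needs an exactly matching uid:proto:port rule
is_allowed() {
    rules="$1"; uid="$2"; proto="$3"; port="$4"; port_high="$5"; suser_exempt="$6"
    if [ "$suser_exempt" = 1 ] && [ "$uid" = 0 ]; then echo allow; return; fi
    if [ "$port" -gt "$port_high" ]; then echo allow; return; fi
    old_ifs=$IFS; IFS=,
    for rule in $rules; do
        case "$rule" in
            "uid:$uid:$proto:$port") IFS=$old_ifs; echo allow; return ;;
        esac
    done
    IFS=$old_ifs
    echo deny
}

# Usage: combine the tcp and udp settings from the issue's /etc/rc.conf.d/portacl
# and show the sysctl that portacl-rc would effectively apply (printed, not run).
www_rules="$(build_rules www tcp 'http https'),$(build_rules www udp https)"
printf 'sysctl security.mac.portacl.rules=%s\n' "$www_rules"
printf 'www binding tcp/443 with port_high=1023: %s\n' "$(is_allowed "$www_rules" 80 tcp 443 1023 1)"
printf 'www binding tcp/22  with port_high=1023: %s\n' "$(is_allowed "$www_rules" 80 tcp 22 1023 1)"
# With port_high=0 nothing is controlled, which is the "Update 2" observation:
printf 'www binding tcp/22  with port_high=0:    %s\n' "$(is_allowed '' 80 tcp 22 0 1)"
```

The last line shows why `port_high=0` removes the need for per-user rules: once no port is under the policy and the reserved range is also zeroed, every uid can bind every port, so the rule set no longer restricts anything. Keeping `port_high=1023` with explicit rules is what limits www to exactly 80 and 443. The model covers only `uid` rules; mac_portacl also accepts `gid:<id>:<proto>:<port>` entries with the same shape.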

@Monviech closed this as not planned on May 3, 2024.