I'd like to restrict a range of UDP ports to a single application (or a user). What I'd like to achieve is not simply blocking a bind() from other uids, but also to remove the range from the pool that can be auto-assigned.
For example, if someone tries to explicitly bind 12345, but doesn't run the specified app, they should get EPERM. If someone tries to bind an unspecified port, they should never try to bind 12345 at random.
Is there any system that can help here? I tried browsing apparmor / selinux docs, but they seem to do the blocking part only.
The easiest way to do this on Linux is to reserve a chunk at the top or bottom of the standard ephemeral port range.
Find out what your current range is by running
Then set it by echoing something different into it (and modifying sysctl.conf or similar to make it happen on boot as well). My system uses 32768-61000, so I could change that to 32768-60000 in conjunction with SELinux/AppArmor to reserve 60001-61000 for my application.
I'm not aware of a way to carve out a gap in the middle of the ephemeral range.
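The procedure in the answer above, as an added example (this is not the answerer's own script): read the ephemeral range in the format the kernel exposes it, carve a reserved block off the top, and apply the shrunken range with sysctl. It assumes the range lives in /proc/sys/net/ipv4/ip_local_port_range and is set through the `net.ipv4.ip_local_port_range` sysctl; the sample range file and the drop-in path under /etc/sysctl.d are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumptions: the kernel's
# ephemeral range is in /proc/sys/net/ipv4/ip_local_port_range and is set via
# sysctl(8); the sample file and the sysctl.d file name are constructed here.

# Print "low high" from a file in the format of ip_local_port_range
# (two numbers separated by whitespace).
read_ephemeral_range() {
    awk '{ print $1, $2 }' "$1"
}

# Given low, high and the number of ports to reserve at the top, print
# "new_low new_high reserved_low reserved_high". Fails if the block would
# swallow the whole range, so the kernel is never left with nothing to use.
carve_reserved() {
    low=$1; high=$2; count=$3
    new_high=$((high - count))
    if [ "$new_high" -le "$low" ]; then
        echo "reserving $count ports exhausts the range $low-$high" >&2
        return 1
    fi
    echo "$low $new_high $((new_high + 1)) $high"
}

# Exit 0 if port lies inside the reserved block, 1 otherwise. Use this in an
# audit of bind() calls: a port in the block that is not owned by the
# application is a policy violation.
port_is_reserved() {
    port=$1; rlow=$2; rhigh=$3
    [ "$port" -ge "$rlow" ] && [ "$port" -le "$rhigh" ]
}

# Apply a new ephemeral range (needs root) and persist it in a sysctl.d
# drop-in so it survives a reboot. The drop-in file name is constructed.
apply_range() {
    sysctl -w "net.ipv4.ip_local_port_range=$1 $2"
    printf 'net.ipv4.ip_local_port_range = %s %s\n' "$1" "$2" \
        > /etc/sysctl.d/90-reserved-ports.conf
}

# Constructed sample standing in for /proc/sys/net/ipv4/ip_local_port_range,
# matching the 32768-61000 range the answer mentions.
sample=$(mktemp)
printf '32768\t61000\n' > "$sample"
set -- $(read_ephemeral_range "$sample")
rm -f "$sample"
echo "current ephemeral range: $1-$2"
set -- $(carve_reserved "$1" "$2" 1000)
echo "new ephemeral range: $1-$2; reserved for the application: $3-$4"
# On a real host, as root: apply_range "$1" "$2"
# The reserved block $3-$4 is then handed to SELinux/AppArmor policy, which
# is still what returns EPERM to other users attempting an explicit bind().
```

Note that shrinking the ephemeral range only stops the kernel from auto-assigning ports from the reserved block; it does nothing about explicit bind() calls, which is why the answer pairs it with SELinux or AppArmor.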
Have a look at the portreserve utility. But the actual service must ask portreserve to release the port before the service can use it.
Install portreserve and then only your program that requests them via portrelease can have the sockets.