mac(3)
NAME
mac - introduction to the MAC security API
LIBRARY
Standard C Library (libc, -lc)
SYNOPSIS
#include <sys/mac.h>

In the kernel configuration file:

options MAC
DESCRIPTION
FreeBSD permits administrators to define Mandatory Access Control labels
defining levels for the privacy and integrity of data, overriding
discretionary policies for those objects. Not all objects currently provide
support for MAC labels, and MAC support must be explicitly enabled by the
administrator. The library calls include routines to retrieve, duplicate, and
set MAC labels associated with files and processes.

POSIX.1e describes a set of MAC manipulation routines to manage the contents
of MAC labels, as well as their relationships with files and processes; almost
all of these support routines are implemented in FreeBSD.

Available functions, sorted by behavior, include:

mac_get_fd()
    This function is described in mac_get(3), and may be used to retrieve
    the MAC label associated with a specific file descriptor.

mac_get_file()
    This function is described in mac_get(3), and may be used to retrieve
    the MAC label associated with a named file.

mac_get_proc()
    This function is described in mac_get(3), and may be used to retrieve
    the MAC label associated with the calling process.

mac_set_fd()
    This function is described in mac_set(3), and may be used to set the
    MAC label associated with a specific file descriptor.

mac_set_file()
    This function is described in mac_set(3), and may be used to set the
    MAC label associated with a named file.

mac_set_proc()
    This function is described in mac_set(3), and may be used to set the
    MAC label associated with the calling process.

mac_free()
    This function is described in mac_free(3), and may be used to free
    userland working MAC label storage.

mac_from_text()
    This function is described in mac_text(3), and may be used to convert
    a text-form MAC label into a working mac_t.

mac_prepare()
mac_prepare_file_label()
mac_prepare_ifnet_label()
mac_prepare_process_label()
    These functions are described in mac_prepare(3), and may be used to
    preallocate storage for MAC label retrieval. mac_prepare(3) prepares a
    label based on caller-specified label names; the other calls rely on
    the default configuration specified in mac.conf(5).

mac_to_text()
    This function is described in mac_text(3), and may be used to convert
    a mac_t into a text-form MAC label.

The behavior of some of these calls is influenced by the configuration
settings found in mac.conf(5), the MAC library run-time configuration file.
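The retrieval sequence the function list above implies (prepare storage, fetch the label, convert it to text, free the working storage) as an added example; this is not code from the mac(3) page or from FreeBSD. It assumes a FreeBSD kernel built with "options MAC"; the MAC_EX_* status codes and the label_text() helper are this example's own names, and on non-FreeBSD systems a fallback stub stands in so the file still compiles.

```c
/* Added example, not part of mac(3): read the MAC label of the calling
 * process (path == NULL) or of a named file as text, using the
 * mac_prepare_*_label -> mac_get_* -> mac_to_text -> mac_free sequence.
 * Assumption: FreeBSD with "options MAC"; elsewhere a stub is compiled. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAC_EX_OK          0   /* *text holds a malloc'd label; caller free()s it */
#define MAC_EX_UNSUPPORTED 1   /* not a FreeBSD build, so no <sys/mac.h> */
#define MAC_EX_ERROR       2   /* a mac_*() call failed; errno says why */

#ifdef __FreeBSD__
#include <sys/mac.h>

/* Objects without MAC support, or a kernel without MAC enabled, surface as a
 * failing mac_get_*() call, so every path releases the working label. */
int label_text(const char *path, char **text)
{
    mac_t label;
    int rc = (path == NULL) ? mac_prepare_process_label(&label)
                            : mac_prepare_file_label(&label);
    if (rc != 0)                          /* sized per mac.conf(5) defaults */
        return MAC_EX_ERROR;
    rc = (path == NULL) ? mac_get_proc(label) : mac_get_file(path, label);
    if (rc == 0)
        rc = mac_to_text(label, text);    /* allocates *text; caller free()s */
    mac_free(label);                      /* always free the working storage */
    return rc == 0 ? MAC_EX_OK : MAC_EX_ERROR;
}
#else
/* Portable stub so the example compiles where the MAC API does not exist. */
int label_text(const char *path, char **text)
{
    (void)path; (void)text;
    return MAC_EX_UNSUPPORTED;
}
#endif

int main(void)
{
    char *text;
    int rc = label_text(NULL, &text);     /* NULL selects the calling process */
    if (rc == MAC_EX_OK) { printf("process label: %s\n", text); free(text); }
    else printf("no label: %s\n", rc == MAC_EX_ERROR ? strerror(errno) : "MAC API unavailable");
    return rc == MAC_EX_OK ? 0 : 1;
}
```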
IMPLEMENTATION NOTES
FreeBSD's support for POSIX.1e interfaces and features is currently under
development.
FILES
/etc/mac.conf
    MAC library configuration file, documented in mac.conf(5). Provides
    default behavior for applications aware of MAC labels on system
    objects, but without policy-specific knowledge.
SEE ALSO
mac_free(3), mac_get(3), mac_prepare(3), mac_set(3), mac_text(3),
mac.conf(5), mac(9)
STANDARDS
These APIs are loosely based on the APIs described in POSIX.1e. POSIX.1e is
described in IEEE POSIX.1e draft 17. Discussion of the draft continues on the
cross-platform POSIX.1e implementation mailing list. To join this list, see
the FreeBSD POSIX.1e implementation page for more information. However, the
resemblance of these APIs to the POSIX APIs is only loose, as the POSIX APIs
were unable to express many notions required for flexible and extensible
access control.
HISTORY
Support for Mandatory Access Control was introduced in FreeBSD 5.0 as part of
the TrustedBSD Project.
BUGS
The TrustedBSD MAC Framework and associated policies, interfaces, and
applications are considered to be an experimental feature in FreeBSD. Sites
considering production deployment should keep the experimental status of
these services in mind during any deployment process. See also mac(9) for
related considerations regarding the kernel framework.
BSD                             April 19, 2003