posix1e(3)
NAME
posix1e - introduction to the POSIX.1e security API
LIBRARY
Standard C Library (libc, -lc)
SYNOPSIS
#include <sys/types.h> #include <sys/acl.h> #include <sys/capability.h> #include <sys/mac.h>
DESCRIPTION
- The IEEE POSIX.1e specification never left draft form, but
- the interfaces
it describes are now widely used despite inherent limita - tions. Currently, only a few of the interfaces and features are imple
- mented in
FreeBSD, although efforts are underway to complete the inte - gration at
this time. - POSIX.1e describes five security extensions to the base
- POSIX.1 API:
Access Control Lists (ACLs), Auditing, Capabilities, Manda - tory Access
Control, and Information Flow Labels. FreeBSD supports - POSIX.1e ACL
interfaces, as well as POSIX.1e-like MAC interfaces. The - TrustedBSD Project has produced but not integrated an implementation of
- POSIX.1e Capabilities.
- POSIX.1e defines both syntax and semantics for these fea
- tures, but fairly
substantial changes are required to implement these features - in the operating system.
- As shipped, FreeBSD 4.0 provides API and VFS support for
- ACLs, but not an
implementation on any native file system. FreeBSD 5.0 in - cludes support
for ACLs as part of UFS1 and UFS2, as well as necessary VFS - support for
additional file systems to export ACLs as appropriate. - Available API
calls relating to ACLs are described in detail in acl(3). - As shipped, FreeBSD 5.0 includes support for Mandatory Ac
- cess Control as
well as POSIX.1e-like APIs for label management. More in - formation on API
calls relating to MAC is available in mac(3). - Additional patches supporting POSIX.1e features are provided
- by the
TrustedBSD project: - http://www.TrustedBSD.org/
IMPLEMENTATION NOTES
- FreeBSD's support for POSIX.1e interfaces and features is
- still under
development at this time, and many of these features are - considered new
or experimental.
ENVIRONMENT
- POSIX.1e assigns security labels to all objects, extending
- the security
functionality described in POSIX.1. These additional labels - provide
fine-grained discretionary access control, fine-grained ca - pabilities, and
labels necessary for mandatory access control. POSIX.2c de - scribes a set
of userland utilities for manipulating these labels. - Many of these services are supported by extended attributes,
- documented
in extattr(2) and extattr(9). While these APIs are not doc - umented in
POSIX.1e, they are similar in structure.
SEE ALSO
extattr(2), acl(3), mac(3), acl(9), extattr(9), mac(9)
STANDARDS
- POSIX.1e is described in IEEE POSIX.1e draft 17. Discussion
- of the draft
continues on the cross-platform POSIX.1e implementation - mailing list. To
join this list, see the FreeBSD POSIX.1e implementation page - for more
information.
HISTORY
- POSIX.1e support was introduced in FreeBSD 4.0; most of the
- features are
available as of FreeBSD 5.0. Development continues.
AUTHORS
Robert N M Watson
Chris D. Faulhaber
Thomas Moestl
Ilmar S Habibulin
BUGS
- Many of these features are considered new or experimental in
- FreeBSD 5.0
and should be deployed with appropriate caution. - BSD January 17, 2000