:man| Alphabetical   Categories   About us 
 
POSIX1E (3) | C library functions | Unix Manual Pages | :man

NAME

posix1e - introduction to the POSIX.1e security API

CONTENTS

Library
Synopsis
Description
Implementation Notes
Environment
See Also
Standards
History
Authors
Bugs

LIBRARY


.Lb libc

SYNOPSIS


.In sys/types.h
.In sys/acl.h
.In sys/capability.h
.In sys/mac.h

DESCRIPTION

The IEEE POSIX.1e specification never left draft form, but the interfaces it describes are now widely used despite inherent limitations. Currently, only a few of the interfaces and features are implemented in
.Fx , although efforts are underway to complete the integration at this time.

POSIX.1e describes five security extensions to the base POSIX.1 API: Access Control Lists (ACLs), Auditing, Capabilities, Mandatory Access Control, and Information Flow Labels.
.Fx supports POSIX.1e ACL interfaces, as well as POSIX.1e-like MAC interfaces. The TrustedBSD Project has produced but not integrated an implementation of POSIX.1e Capabilities.

POSIX.1e defines both syntax and semantics for these features, but fairly substantial changes are required to implement these features in the operating system.

As shipped,
.Fx 4.0 provides API and VFS support for ACLs, but not an implementation on any native file system.
.Fx 5.0 includes support for ACLs as part of UFS1 and UFS2, as well as necessary VFS support for additional file systems to export ACLs as appropriate. Available API calls relating to ACLs are described in detail in acl(3).

As shipped,
.Fx 5.0 includes support for Mandatory Access Control as well as POSIX.1e-like APIs for label management. More information on API calls relating to MAC is available in mac(3).

Additional patches supporting POSIX.1e features are provided by the TrustedBSD project:

http://www.TrustedBSD.org/

IMPLEMENTATION NOTES


.Fx Ns ’s support for POSIX.1e interfaces and features is still under development at this time, and many of these features are considered new or experimental.

ENVIRONMENT

POSIX.1e assigns security labels to all objects, extending the security functionality described in POSIX.1. These additional labels provide fine-grained discretionary access control, fine-grained capabilities, and labels necessary for mandatory access control. POSIX.2c describes a set of userland utilities for manipulating these labels.

Many of these services are supported by extended attributes, documented in extattr(2) and extattr(9). While these APIs are not documented in POSIX.1e, they are similar in structure.

SEE ALSO

extattr(2), acl(3), mac(3), acl(9), extattr(9), mac(9)

STANDARDS

HISTORY

AUTHORS

BUGS


Share this page

     Follow us

Facebook Twitter Google+ LinkedIn


 
Created by Blin Media, 2008-2013