1.\" Copyright (c) 2001 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris 5.\" Costello at Safeport Network Services and Network Associates 6.\" Laboratories, the Security Research Division of Network Associates, 7.\" Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part 8.\" of the DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.\" $FreeBSD$ 32.\" 33.Dd December 21, 2001 34.Dt MAC 3 35.Os 36.Sh NAME 37.Nm mac 38.Nd introduction to the POSIX.1e MAC security API 39.Sh LIBRARY 40.Lb libc 41.Sh SYNOPSIS 42.In sys/mac.h 43.Pp 44In the kernel configuration file: 45.Cd "options MAC" 46.Sh DESCRIPTION 47.Fx 48permits administrators to define Mandatory Access Control labels 49defining levels for the privacy and integrity of data, 50overriding discretionary policies 51for those objects. 52Not all objects currently provide support for MAC labels, 53and MAC support must be explicitly enabled by the administrator. 54The library calls include routines to retrieve, duplicate, 55and set MAC labels associated with files and processes. 56.Pp 57POSIX.1e describes a set of MAC manipulation routines 58to manage the contents of MAC labels, 59as well as their relationships with 60files and processes; 61almost all of these support routines 62are implemented in 63.Fx . 64.Pp 65Available functions, sorted by behavior, include: 66.Bl -tag -width indent 67.It Fn mac_get_fd 68This function is described in 69.Xr mac_get 3 , 70and may be used to retrieve the 71MAC label associated with 72a specific file descriptor. 73.It Fn mac_get_file 74This function is described in 75.Xr mac_get 3 , 76and may be used to retrieve the 77MAC label associated with 78a named file. 79.It Fn mac_get_proc 80This function is described in 81.Xr mac_get 3 , 82and may be used to retrieve the 83MAC label associated with 84the calling process. 85.It Fn mac_set_fd 86This function is described in 87.Xr mac_set 3 , 88and may be used to set the 89MAC label associated with 90a specific file descriptor. 91.It Fn mac_set_file 92This function is described in 93.Xr mac_set 3 , 94and may be used to set the 95MAC label associated with 96a named file. 97.It Fn mac_set_proc 98This function is described in 99.Xr mac_set 3 , 100and may be used to set the 101MAC label associated with 102the calling process. 103.It Fn mac_free 104This function is described in 105.Xr mac_free 3 , 106and may be used to free 107userland working MAC label storage. 108.It Fn mac_from_text 109This function is described in 110.Xr mac_text 3 , 111and may be used to convert 112a text-form MAC label 113into a working 114.Vt mac_t . 115.It Fn mac_to_text 116This function is described in 117.Xr mac_text 3 , 118and may be used to convert a 119.Vt mac_t 120into a text-form MAC label. 121.El 122.Sh IMPLEMENTATION NOTES 123.Fx Ns 's 124support for POSIX.1e interfaces and features 125is 126.Ud . 127.Sh SEE ALSO 128.Xr mac_free 3 , 129.Xr mac_get 3 , 130.Xr mac_prepare 3 , 131.Xr mac_set 3 , 132.Xr mac_text 3 , 133.Xr mac 4 , 134.Xr mac 9 135.Sh STANDARDS 136POSIX.1e is described in IEEE POSIX.1e draft 17. 137Discussion of the draft 138continues on the cross-platform POSIX.1e implementation mailing list. 139To join this list, see the 140.Fx 141POSIX.1e implementation page 142for more information. 143.Sh HISTORY 144Support for Mandatory Access Control was introduced in 145.Fx 5.0 146as part of the 147.Tn TrustedBSD 148Project. 149.Sh BUGS 150The 151.Tn TrustedBSD 152MAC Framework and associated policies, interfaces, and 153applications are considered to be an experimental feature in 154.Fx . 155Sites considering production deployment should keep the experimental 156status of these services in mind during any deployment process. 157See also 158.Xr mac 9 159for related considerations regarding the kernel framework. 160