1a3ffb0bbSRobert Watson.\"- 23a67af38SRobert Watson.\" Copyright (c) 2000, 2009 Robert N. M. Watson 3a3ffb0bbSRobert Watson.\" All rights reserved. 4a3ffb0bbSRobert Watson.\" 5a3ffb0bbSRobert Watson.\" Redistribution and use in source and binary forms, with or without 6a3ffb0bbSRobert Watson.\" modification, are permitted provided that the following conditions 7a3ffb0bbSRobert Watson.\" are met: 8a3ffb0bbSRobert Watson.\" 1. Redistributions of source code must retain the above copyright 9a3ffb0bbSRobert Watson.\" notice, this list of conditions and the following disclaimer. 10a3ffb0bbSRobert Watson.\" 2. Redistributions in binary form must reproduce the above copyright 11a3ffb0bbSRobert Watson.\" notice, this list of conditions and the following disclaimer in the 12a3ffb0bbSRobert Watson.\" documentation and/or other materials provided with the distribution. 13a3ffb0bbSRobert Watson.\" 14a3ffb0bbSRobert Watson.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15a3ffb0bbSRobert Watson.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16a3ffb0bbSRobert Watson.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17a3ffb0bbSRobert Watson.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18a3ffb0bbSRobert Watson.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19a3ffb0bbSRobert Watson.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20a3ffb0bbSRobert Watson.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21a3ffb0bbSRobert Watson.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22a3ffb0bbSRobert Watson.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23a3ffb0bbSRobert Watson.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24a3ffb0bbSRobert Watson.\" SUCH DAMAGE. 25a3ffb0bbSRobert Watson.\" 26c501d73cSMariusz Zaborski.Dd February 25, 2016 27a3ffb0bbSRobert Watson.Dt POSIX1E 3 28a307d598SRuslan Ermilov.Os 29a3ffb0bbSRobert Watson.Sh NAME 30c32381adSMike Pritchard.Nm posix1e 31c32381adSMike Pritchard.Nd introduction to the POSIX.1e security API 32f75b050cSAlexey Zelkin.Sh LIBRARY 3331acc836SRuslan Ermilov.Lb libc 34a3ffb0bbSRobert Watson.Sh SYNOPSIS 3532eef9aeSRuslan Ermilov.In sys/types.h 3632eef9aeSRuslan Ermilov.In sys/acl.h 3719eab74aSRobert Watson.In sys/mac.h 38a3ffb0bbSRobert Watson.Sh DESCRIPTION 393a67af38SRobert WatsonPOSIX.1e describes five security extensions to the POSIX.1 API: Access 403a67af38SRobert WatsonControl Lists (ACLs), Auditing, Capabilities, Mandatory Access Control, and 413a67af38SRobert WatsonInformation Flow Labels. 423a67af38SRobert WatsonWhile IEEE POSIX.1e D17 specification has not been standardized, several of 433a67af38SRobert Watsonits interfaces are widely used. 4442635956SRuslan Ermilov.Pp 451ccff0f4SRobert Watson.Fx 463a67af38SRobert Watsonimplements POSIX.1e interface for access control lists, described in 473a67af38SRobert Watson.Xr acl 3 , 483a67af38SRobert Watsonand supports ACLs on the 49*1a720cbeSAlexander Ziaee.Xr ffs 4 503a67af38SRobert Watsonfile system; ACLs must be administratively enabled using 513a67af38SRobert Watson.Xr tunefs 8 . 5242635956SRuslan Ermilov.Pp 533a67af38SRobert Watson.Fx 543a67af38SRobert Watsonimplements a POSIX.1e-like mandatory access control interface, described in 553a67af38SRobert Watson.Xr mac 3 , 563a67af38SRobert Watsonalthough with a number of extensions and important semantic differences. 571ccff0f4SRobert Watson.Pp 583a67af38SRobert Watson.Fx 593a67af38SRobert Watsondoes not implement the POSIX.1e audit, privilege (capability), or information 603a67af38SRobert Watsonflow label APIs. 613a67af38SRobert WatsonHowever, 623a67af38SRobert Watson.Fx 633a67af38SRobert Watsondoes implement the 64b4b5c4a6SEnji Cooper.Xr libbsm 3 653a67af38SRobert Watsonaudit API. 66e27a4d58SChristian BruefferIt also provides 67e27a4d58SChristian Brueffer.Xr capsicum 4 , 68e27a4d58SChristian Brueffera lightweight OS capability and sandbox framework implementing a 69e27a4d58SChristian Bruefferhybrid capability system model. 70a3ffb0bbSRobert Watson.Sh ENVIRONMENT 713a67af38SRobert WatsonPOSIX.1e assigns security attributes to all objects, extending the security 72b90b17d3SChris Costellofunctionality described in POSIX.1. 733a67af38SRobert WatsonThese additional attributes store fine-grained discretionary access control 743a67af38SRobert Watsoninformation and mandatory access control labels; for files, they are stored 753a67af38SRobert Watsonin extended attributes, described in 763a67af38SRobert Watson.Xr extattr 3 . 771ccff0f4SRobert Watson.Pp 783a67af38SRobert WatsonPOSIX.2c describes 793a67af38SRobert Watsona set of userland utilities for manipulating these attributes, including 803a67af38SRobert Watson.Xr getfacl 1 811ccff0f4SRobert Watsonand 823a67af38SRobert Watson.Xr setfacl 1 833a67af38SRobert Watsonfor access control lists, and 843a67af38SRobert Watson.Xr getfmac 8 853a67af38SRobert Watsonand 863a67af38SRobert Watson.Xr setfmac 8 873a67af38SRobert Watsonfor mandatory access control labels. 88a3ffb0bbSRobert Watson.Sh SEE ALSO 893a67af38SRobert Watson.Xr getfacl 1 , 903a67af38SRobert Watson.Xr setfacl 1 , 911ccff0f4SRobert Watson.Xr extattr 2 , 92c8d40b7dSRuslan Ermilov.Xr acl 3 , 933a67af38SRobert Watson.Xr extattr 3 , 94a9ffff74SChristian Brueffer.Xr libbsm 3 , 95c501d73cSMariusz Zaborski.Xr libcasper 3 , 961355f6d0SRobert Watson.Xr mac 3 , 97e27a4d58SChristian Brueffer.Xr capsicum 4 , 98*1a720cbeSAlexander Ziaee.Xr ffs 4 , 993a67af38SRobert Watson.Xr getfmac 8 , 1003a67af38SRobert Watson.Xr setfmac 8 , 1013a67af38SRobert Watson.Xr tunefs 8 , 1025521ff5aSRuslan Ermilov.Xr acl 9 , 10319eab74aSRobert Watson.Xr extattr 9 , 10419eab74aSRobert Watson.Xr mac 9 105a3ffb0bbSRobert Watson.Sh STANDARDS 106b90b17d3SChris CostelloPOSIX.1e is described in IEEE POSIX.1e draft 17. 107a3ffb0bbSRobert Watson.Sh HISTORY 108c32381adSMike PritchardPOSIX.1e support was introduced in 1091ccff0f4SRobert Watson.Fx 4.0 ; 1103a67af38SRobert Watsonmost features were available as of 1111ccff0f4SRobert Watson.Fx 5.0 . 112a3ffb0bbSRobert Watson.Sh AUTHORS 1139cbf4a21SRuslan Ermilov.An Robert N M Watson 1149cbf4a21SRuslan Ermilov.An Chris D. Faulhaber 1159cbf4a21SRuslan Ermilov.An Thomas Moestl 116c32381adSMike Pritchard.An Ilmar S Habibulin 117