xref: /freebsd/lib/libc/posix1e/posix1e.3 (revision 2e3507c25e42292b45a5482e116d278f5515d04d)
1.\"-
2.\" Copyright (c) 2000, 2009 Robert N. M. Watson
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\"    notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\"
14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24.\" SUCH DAMAGE.
25.\"
26.Dd February 25, 2016
27.Dt POSIX1E 3
28.Os
29.Sh NAME
30.Nm posix1e
31.Nd introduction to the POSIX.1e security API
32.Sh LIBRARY
33.Lb libc
34.Sh SYNOPSIS
35.In sys/types.h
36.In sys/acl.h
37.In sys/mac.h
38.Sh DESCRIPTION
39POSIX.1e describes five security extensions to the POSIX.1 API: Access
40Control Lists (ACLs), Auditing, Capabilities, Mandatory Access Control, and
41Information Flow Labels.
42While IEEE POSIX.1e D17 specification has not been standardized, several of
43its interfaces are widely used.
44.Pp
45.Fx
46implements POSIX.1e interface for access control lists, described in
47.Xr acl 3 ,
48and supports ACLs on the
49.Xr ffs 7
50file system; ACLs must be administratively enabled using
51.Xr tunefs 8 .
52.Pp
53.Fx
54implements a POSIX.1e-like mandatory access control interface, described in
55.Xr mac 3 ,
56although with a number of extensions and important semantic differences.
57.Pp
58.Fx
59does not implement the POSIX.1e audit, privilege (capability), or information
60flow label APIs.
61However,
62.Fx
63does implement the
64.Xr libbsm 3
65audit API.
66It also provides
67.Xr capsicum 4 ,
68a lightweight OS capability and sandbox framework implementing a
69hybrid capability system model.
70.Sh ENVIRONMENT
71POSIX.1e assigns security attributes to all objects, extending the security
72functionality described in POSIX.1.
73These additional attributes store fine-grained discretionary access control
74information and mandatory access control labels; for files, they are stored
75in extended attributes, described in
76.Xr extattr 3 .
77.Pp
78POSIX.2c describes
79a set of userland utilities for manipulating these attributes, including
80.Xr getfacl 1
81and
82.Xr setfacl 1
83for access control lists, and
84.Xr getfmac 8
85and
86.Xr setfmac 8
87for mandatory access control labels.
88.Sh SEE ALSO
89.Xr getfacl 1 ,
90.Xr setfacl 1 ,
91.Xr extattr 2 ,
92.Xr acl 3 ,
93.Xr extattr 3 ,
94.Xr libbsm 3 ,
95.Xr libcasper 3 ,
96.Xr mac 3 ,
97.Xr capsicum 4 ,
98.Xr ffs 7 ,
99.Xr getfmac 8 ,
100.Xr setfmac 8 ,
101.Xr tunefs 8 ,
102.Xr acl 9 ,
103.Xr extattr 9 ,
104.Xr mac 9
105.Sh STANDARDS
106POSIX.1e is described in IEEE POSIX.1e draft 17.
107.Sh HISTORY
108POSIX.1e support was introduced in
109.Fx 4.0 ;
110most features were available as of
111.Fx 5.0 .
112.Sh AUTHORS
113.An Robert N M Watson
114.An Chris D. Faulhaber
115.An Thomas Moestl
116.An Ilmar S Habibulin
117