1.\"- 2.\" Copyright (c) 2000, 2009 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" 26.\" $FreeBSD$ 27.\" 28.Dd April 15, 2014 29.Dt POSIX1E 3 30.Os 31.Sh NAME 32.Nm posix1e 33.Nd introduction to the POSIX.1e security API 34.Sh LIBRARY 35.Lb libc 36.Sh SYNOPSIS 37.In sys/types.h 38.In sys/acl.h 39.In sys/mac.h 40.Sh DESCRIPTION 41POSIX.1e describes five security extensions to the POSIX.1 API: Access 42Control Lists (ACLs), Auditing, Capabilities, Mandatory Access Control, and 43Information Flow Labels. 44While IEEE POSIX.1e D17 specification has not been standardized, several of 45its interfaces are widely used. 46.Pp 47.Fx 48implements POSIX.1e interface for access control lists, described in 49.Xr acl 3 , 50and supports ACLs on the 51.Xr ffs 7 52file system; ACLs must be administratively enabled using 53.Xr tunefs 8 . 54.Pp 55.Fx 56implements a POSIX.1e-like mandatory access control interface, described in 57.Xr mac 3 , 58although with a number of extensions and important semantic differences. 59.Pp 60.Fx 61does not implement the POSIX.1e audit, privilege (capability), or information 62flow label APIs. 63However, 64.Fx 65does implement the 66.Xr libbsm 67audit API. 68It also provides 69.Xr capsicum 4 , 70a lightweight OS capability and sandbox framework implementing a 71hybrid capability system model. 72.Sh ENVIRONMENT 73POSIX.1e assigns security attributes to all objects, extending the security 74functionality described in POSIX.1. 75These additional attributes store fine-grained discretionary access control 76information and mandatory access control labels; for files, they are stored 77in extended attributes, described in 78.Xr extattr 3 . 79.Pp 80POSIX.2c describes 81a set of userland utilities for manipulating these attributes, including 82.Xr getfacl 1 83and 84.Xr setfacl 1 85for access control lists, and 86.Xr getfmac 8 87and 88.Xr setfmac 8 89for mandatory access control labels. 90.Sh SEE ALSO 91.Xr getfacl 1 , 92.Xr setfacl 1 , 93.Xr extattr 2 , 94.Xr acl 3 , 95.Xr extattr 3 , 96.Xr libbsm 3 , 97.Xr libcapsicum 3 , 98.Xr mac 3 , 99.Xr capsicum 4 , 100.Xr ffs 7 , 101.Xr getfmac 8 , 102.Xr setfmac 8 , 103.Xr tunefs 8 , 104.Xr acl 9 , 105.Xr extattr 9 , 106.Xr mac 9 107.Sh STANDARDS 108POSIX.1e is described in IEEE POSIX.1e draft 17. 109.Sh HISTORY 110POSIX.1e support was introduced in 111.Fx 4.0 ; 112most features were available as of 113.Fx 5.0 . 114.Sh AUTHORS 115.An Robert N M Watson 116.An Chris D. Faulhaber 117.An Thomas Moestl 118.An Ilmar S Habibulin 119