1.\"- 2.\" Copyright (c) 2000, 2009 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" 26.\" $FreeBSD$ 27.\" 28.Dd August 7, 2009 29.Dt POSIX1E 3 30.Os 31.Sh NAME 32.Nm posix1e 33.Nd introduction to the POSIX.1e security API 34.Sh LIBRARY 35.Lb libc 36.Sh SYNOPSIS 37.In sys/types.h 38.In sys/acl.h 39.In sys/mac.h 40.Sh DESCRIPTION 41POSIX.1e describes five security extensions to the POSIX.1 API: Access 42Control Lists (ACLs), Auditing, Capabilities, Mandatory Access Control, and 43Information Flow Labels. 44While IEEE POSIX.1e D17 specification has not been standardized, several of 45its interfaces are widely used. 46.Pp 47.Fx 48implements POSIX.1e interface for access control lists, described in 49.Xr acl 3 , 50and supports ACLs on the 51.Xr ffs 7 52file system; ACLs must be administratively enabled using 53.Xr tunefs 8 . 54.Pp 55.Fx 56implements a POSIX.1e-like mandatory access control interface, described in 57.Xr mac 3 , 58although with a number of extensions and important semantic differences. 59.Pp 60.Fx 61does not implement the POSIX.1e audit, privilege (capability), or information 62flow label APIs. 63However, 64.Fx 65does implement the 66.Xr libbsm 67audit API. 68.Sh ENVIRONMENT 69POSIX.1e assigns security attributes to all objects, extending the security 70functionality described in POSIX.1. 71These additional attributes store fine-grained discretionary access control 72information and mandatory access control labels; for files, they are stored 73in extended attributes, described in 74.Xr extattr 3 . 75.Pp 76POSIX.2c describes 77a set of userland utilities for manipulating these attributes, including 78.Xr getfacl 1 79and 80.Xr setfacl 1 81for access control lists, and 82.Xr getfmac 8 83and 84.Xr setfmac 8 85for mandatory access control labels. 86.Sh SEE ALSO 87.Xr getfacl 1 , 88.Xr setfacl 1 , 89.Xr extattr 2 , 90.Xr acl 3 , 91.Xr extattr 3 , 92.Xr libbsm 3 , 93.Xr mac 3 , 94.Xr ffs 7 , 95.Xr getfmac 8 , 96.Xr setfmac 8 , 97.Xr tunefs 8 , 98.Xr acl 9 , 99.Xr extattr 9 , 100.Xr mac 9 101.Sh STANDARDS 102POSIX.1e is described in IEEE POSIX.1e draft 17. 103.Sh HISTORY 104POSIX.1e support was introduced in 105.Fx 4.0 ; 106most features were available as of 107.Fx 5.0 . 108.Sh AUTHORS 109.An Robert N M Watson 110.An Chris D. Faulhaber 111.An Thomas Moestl 112.An Ilmar S Habibulin 113