1.\"- 2.\" Copyright (c) 2000, 2009 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24.\" SUCH DAMAGE. 25.\" 26.Dd February 25, 2016 27.Dt POSIX1E 3 28.Os 29.Sh NAME 30.Nm posix1e 31.Nd introduction to the POSIX.1e security API 32.Sh LIBRARY 33.Lb libc 34.Sh SYNOPSIS 35.In sys/types.h 36.In sys/acl.h 37.In sys/mac.h 38.Sh DESCRIPTION 39POSIX.1e describes five security extensions to the POSIX.1 API: Access 40Control Lists (ACLs), Auditing, Capabilities, Mandatory Access Control, and 41Information Flow Labels. 42While IEEE POSIX.1e D17 specification has not been standardized, several of 43its interfaces are widely used. 44.Pp 45.Fx 46implements POSIX.1e interface for access control lists, described in 47.Xr acl 3 , 48and supports ACLs on the 49.Xr ffs 7 50file system; ACLs must be administratively enabled using 51.Xr tunefs 8 . 52.Pp 53.Fx 54implements a POSIX.1e-like mandatory access control interface, described in 55.Xr mac 3 , 56although with a number of extensions and important semantic differences. 57.Pp 58.Fx 59does not implement the POSIX.1e audit, privilege (capability), or information 60flow label APIs. 61However, 62.Fx 63does implement the 64.Xr libbsm 3 65audit API. 66It also provides 67.Xr capsicum 4 , 68a lightweight OS capability and sandbox framework implementing a 69hybrid capability system model. 70.Sh ENVIRONMENT 71POSIX.1e assigns security attributes to all objects, extending the security 72functionality described in POSIX.1. 73These additional attributes store fine-grained discretionary access control 74information and mandatory access control labels; for files, they are stored 75in extended attributes, described in 76.Xr extattr 3 . 77.Pp 78POSIX.2c describes 79a set of userland utilities for manipulating these attributes, including 80.Xr getfacl 1 81and 82.Xr setfacl 1 83for access control lists, and 84.Xr getfmac 8 85and 86.Xr setfmac 8 87for mandatory access control labels. 88.Sh SEE ALSO 89.Xr getfacl 1 , 90.Xr setfacl 1 , 91.Xr extattr 2 , 92.Xr acl 3 , 93.Xr extattr 3 , 94.Xr libbsm 3 , 95.Xr libcasper 3 , 96.Xr mac 3 , 97.Xr capsicum 4 , 98.Xr ffs 7 , 99.Xr getfmac 8 , 100.Xr setfmac 8 , 101.Xr tunefs 8 , 102.Xr acl 9 , 103.Xr extattr 9 , 104.Xr mac 9 105.Sh STANDARDS 106POSIX.1e is described in IEEE POSIX.1e draft 17. 107.Sh HISTORY 108POSIX.1e support was introduced in 109.Fx 4.0 ; 110most features were available as of 111.Fx 5.0 . 112.Sh AUTHORS 113.An Robert N M Watson 114.An Chris D. Faulhaber 115.An Thomas Moestl 116.An Ilmar S Habibulin 117