POSIX1E(3) BSD Library Functions Manual POSIX1E(3)
NAME
posix1e — introduction to the POSIX.1e security API
LIBRARY
library “libposix1e”
SYNOPSIS
#include <sys/types.h>
#include <sys/acl.h>
#include <sys/audit.h>
#include <sys/capability.h>
#include <sys/mac.h>
DESCRIPTION
The IEEE POSIX.1e specification never left draft form, but the interfaces
it describes are now widely used despite inherent limitations. Currently,
only a few of the interfaces and features are implemented in
DragonFly, although efforts are underway to complete the integration at
this time.
POSIX.1e describes five security extensions to the base POSIX.1 API:
Access Control Lists (ACLs), Auditing, Capabilities, Mandatory Access
Control, and Information Flow Labels. Of these, the ACL interfaces are
currently included with DragonFly; Auditing, Capabilities, and Mandatory
Access Control are in the wings; and Information Flow Labels are not on
the calendar.
POSIX.1e defines both syntax and semantics for these features, but fairly
substantial changes are required to implement these features in the
operating system. As shipped, DragonFly permits file systems to export
Access Control Lists via the VFS, and provides a library for userland
access to and manipulation of these ACLs, but support for ACLs is not
provided by any file systems shipped in the base operating system.
Available API calls relating to ACLs are described in detail in acl(3).
The patches supporting other POSIX.1e features are not available in the
base operating system at this time; however, more information on them may
be found on the FreeBSD POSIX.1e implementation web page:
http://www.watson.org/fbsd-hardening/posix1e/
IMPLEMENTATION NOTES
DragonFly's support for POSIX.1e interfaces and features is still under
development at this time.
ENVIRONMENT
POSIX.1e assigns security labels to all objects, extending the security
functionality described in POSIX.1. These additional labels provide
fine-grained discretionary access control, fine-grained capabilities, and
labels necessary for mandatory access control. POSIX.2c describes a set
of userland utilities for manipulating these labels. These userland
utilities are not bundled with DragonFly so as to discourage their use in
the short term.
SEE ALSO
acl(3), acl(9), extattr(9)
STANDARDS
POSIX.1e is described in IEEE POSIX.1e draft 17. Discussion of the draft
continues on the cross-platform POSIX.1e implementation mailing list. To
join this list, see the FreeBSD POSIX.1e implementation page for more
information.
HISTORY
POSIX.1e support was introduced in FreeBSD 4.0, and development
continues.
AUTHORS
Robert N M Watson,
Ilmar S Habibulin
BUGS
These features are not yet fully implemented. In particular, the shipped
version of UFS/FFS does not support storage of additional security
labels, and so is unable to (easily) provide support for most of these
features.
BSD January 17, 2000 BSD