introduction to the POSIX.1e security API
Standard C Library (libc, -lc)
POSIX.1e describes five security extensions to the POSIX.1 API: Access Control
Lists (ACLs), Auditing, Capabilities, Mandatory Access Control, and
Information Flow Labels. While the IEEE POSIX.1e D17 specification has not been
standardized, several of its interfaces are widely used.
FreeBSD implements the POSIX.1e interface for
access control lists, described in
and supports ACLs on the
file system; ACLs must be administratively enabled using
FreeBSD implements a POSIX.1e-like
mandatory access control interface, described in
although with a number of extensions and important semantic differences.
FreeBSD does not implement the POSIX.1e
audit, privilege (capability), or information flow label APIs. However,
FreeBSD does implement the
audit API. It also provides
a lightweight OS capability and sandbox framework implementing a hybrid
capability system model.
POSIX.1e assigns security attributes to all objects, extending the security
functionality described in POSIX.1. These additional attributes store
fine-grained discretionary access control information and mandatory access
control labels; for files, they are stored in extended attributes, described
POSIX.2c describes a set of userland utilities for manipulating
these attributes, including
for access control lists, and
for mandatory access control labels.
POSIX.1e is described in IEEE POSIX.1e draft 17.
POSIX.1e support was introduced in FreeBSD 4.0; most
features were available as of FreeBSD 5.0.
Robert N M Watson
Chris D. Faulhaber
Ilmar S Habibulin