author: rwatson <rwatson@FreeBSD.org> 2002-11-04 20:52:09 +0000
committer: rwatson <rwatson@FreeBSD.org> 2002-11-04 20:52:09 +0000
commit: 0b563d81e7ca5d5f6ba33fd50f01f6f04312a671
tree: d230de744f43ee6f2f6cba3259b96d8a88052ca2 /lib/libc/posix1e
parent: 40f9bda532d3b27e4d275293ddf3c29a8534b0ed
Clarify language relating to ACLs, Capabilities, and MAC, since the
implementation status of these services has changed substantially since this man page was last updated.
Diffstat (limited to 'lib/libc/posix1e')
-rw-r--r-- lib/libc/posix1e/posix1e.3 | 64
1 files changed, 36 insertions, 28 deletions
diff --git a/lib/libc/posix1e/posix1e.3 b/lib/libc/posix1e/posix1e.3
index bd47b96..fd606cd 100644
--- a/lib/libc/posix1e/posix1e.3
+++ b/lib/libc/posix1e/posix1e.3
@@ -49,40 +49,42 @@ although efforts are underway to complete the integration at this time.
POSIX.1e describes five security extensions to the base POSIX.1 API:
Access Control Lists (ACLs), Auditing, Capabilities, Mandatory Access
Control, and Information Flow Labels.
-Of these, the ACL interfaces are
-currently included with
-.Fx ,
-Auditing, Capabilities, and Mandatory
-Access Control are in the wings, and Information Flow Labels are not on
-the calendar.
+.Fx
+supports POSIX.1e ACL interfaces, as well as POSIX.1e-like MAC
+interfaces.
+The TrustedBSD Project has produced but not integrated an implementation
+of POSIX.1e Capabilities.
.Pp
POSIX.1e defines both syntax and semantics for these features, but fairly
substantial changes are required to implement these features in the
operating system.
+.Pp
As shipped,
.Fx 4.0
-permits file systems to export
-Access Control Lists via the VFS, and provides a library for userland
-access to and manipulation of these ACLs, but support for ACLs is not
-provided by any file systems shipped in the base operating system.
+provides API and VFS support for ACLs, but not an implementation on any
+native file system.
+.Fx 5.0
+includes support for ACLs as part of UFS1 and UFS2, as well as necessary
+VFS support for additional file systems to export ACLs as appropriate.
Available API calls relating to ACLs are described in detail in
.Xr acl 3 .
.Pp
-.Fx
-currently provides documentation and APIs for fine-grained capability
-support, but implementation is currently not included in the base
-system.
-Documentation of these API calls is provided in
-.Xr cap 3 .
+As shipped,
+.Fx 5.0
+includes support for Mandatory Access Control as well as POSIX.1e-like
+APIs for label management.
+More information on API calls relating to MAC is available in
+.Xr mac 3 .
.Pp
Additional patches supporting POSIX.1e features are provided by the
TrustedBSD project:
.Pp
-http://www.trustedbsd.org
+http://www.TrustedBSD.org/
.Sh IMPLEMENTATION NOTES
.Fx Ns 's
support for POSIX.1e interfaces and features is still under
-development at this time.
+development at this time, and many of these features are considered new
+or experimental.
.Sh ENVIRONMENT
POSIX.1e assigns security labels to all objects, extending the security
functionality described in POSIX.1.
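Review bot: The rewritten status paragraph at the top of this hunk no longer says anything about Auditing or Information Flow Labels, although the unchanged sentence just above it still lists both among the five POSIX.1e extensions. The removed text at least said Auditing was "in the wings" and Information Flow Labels "not on the calendar"; please add one sentence giving their current status so a reader does not assume they are covered by the ACL and MAC support. The new IMPLEMENTATION NOTES wording ("many of these features are considered new or experimental") would also be more useful if it named which features are meant.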
@@ -91,17 +93,19 @@ fine-grained discretionary access control, fine-grained capabilities,
and labels necessary for mandatory access control.
POSIX.2c describes
a set of userland utilities for manipulating these labels.
-These userland
-utilities are not bundled with
-.Fx 4.0
-so as to discourage their
-use in the short term.
+.Pp
+Many of these services are supported by extended attributes, documented
+in
+.Xr extattr 2
+and
+.Xr extattr 9 .
+While these APIs are not documented in POSIX.1e, they are similar in
+structure.
.Sh SEE ALSO
.Xr acl 3 ,
-.Xr cap 3 ,
+.Xr extattr 2 ,
.Xr mac 3 ,
.Xr acl 9 ,
-.Xr cap 9 ,
.Xr extattr 9 ,
.Xr mac 9
.Sh STANDARDS
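Review bot: In the ENVIRONMENT section, the removed sentence said the POSIX.2c userland utilities are not bundled with FreeBSD 4.0, and the replacement paragraph about extended attributes leaves their status unstated; say whether the label utilities now ship, and with which release. "They are similar in structure" also lacks a referent (similar to the POSIX.1e interfaces?), so spell that out. In SEE ALSO, ".Xr extattr 2 ," is inserted after ".Xr acl 3 ,"; mdoc convention orders cross-references by section number first, so it belongs at the head of the list.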
@@ -115,12 +119,16 @@ POSIX.1e implementation
page for more information.
.Sh HISTORY
POSIX.1e support was introduced in
-.Fx 4.0 ,
-and development continues.
+.Fx 4.0 ;
+most of the features are available as of
+.Fx 5.0 .
+Development continues.
.Sh AUTHORS
.An Robert N M Watson
.An Chris D. Faulhaber
.An Thomas Moestl
.An Ilmar S Habibulin
.Sh BUGS
-These features are not yet fully implemented.
+Many of these features are considered new or experimental in
+.Fx 5.0
+and should be deployed with appropriate caution.
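Review bot: The HISTORY text "most of the features are available as of FreeBSD 5.0" overstates what the rest of the page describes: of the five extensions listed, only ACLs and MAC are described as supported, and Capabilities are "produced but not integrated". Suggest naming them, for example "ACL and MAC support are available as of .Fx 5.0". In BUGS, "should be deployed with appropriate caution" gives an administrator nothing to act on and repeats the IMPLEMENTATION NOTES sentence; state which features are experimental and what the known limitations are, or keep the caveat in one place.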