A few more touchups:

- clean up unneeded AFS ID type
- Add Coda, NTFS, NWFS ACL types
- Add acl_dup() prototype
- Remove acl_calc_mask, which belongs in the editing library
- Introduce posix1e.3, a man page introducing POSIX.1e library calls
  (more man pages to follow)

3 files changed, 94 insertions, 73 deletions

diff --git a/lib/libposix1e/Makefile b/lib/libposix1e/Makefile
index e31e7d6..7762f73 100644
--- a/lib/libposix1e/Makefile
+++ b/lib/libposix1e/Makefile
@@ -1,8 +1,7 @@
 #	$FreeBSD$
 
 LIB=	posix1e
-SRCS+=	acl_calc_mask.c			\
-	acl_delete.c			\
+SRCS+=	acl_delete.c			\
 	acl_free.c			\
 	acl_from_text.c			\
 	acl_get.c			\
@@ -12,4 +11,6 @@ SRCS+=	acl_calc_mask.c			\
 	acl_to_text.c			\
 	acl_valid.c
 
+MAN3=	posix1e.3
+
 .include <bsd.lib.mk>
diff --git a/lib/libposix1e/acl_calc_mask.c b/lib/libposix1e/acl_calc_mask.c
deleted file mode 100644
index ff7b1ac..0000000
--- a/lib/libposix1e/acl_calc_mask.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/*-
- * Copyright (c) 1999 Robert N. M. Watson
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	$FreeBSD$
- */
-/*
- * acl_calc_mask(): POSIX.1e routine to recalculate the mask value
- */
-
-#include <sys/types.h>
-#include <sys/acl.h>
-#include <sys/errno.h>
-#include <string.h>
-
-#include "acl_support.h"
-
-/*
- * POSIX.1e ACL semantics:
- *
- * acl_calc_mask(): calculate an ACL_MASK entry for the ACL, then either
- * insert into the ACL if there is none already, or replace the existing
- * one.  This will act up if called on a non-POSIX.1e semantics ACL.
- */
-int
-acl_calc_mask(acl_t *acl_p)
-{
-	acl_perm_t	perm_union = ACL_PERM_NONE;
-	acl_t	acl = *acl_p;
-	int	mask_entry = -1;
-	int	i;
-
-	/* search for ACL_MASK */
-	for (i = 0; i < acl->acl_cnt; i++)
-		if (acl->acl_entry[i].ae_tag == ACL_MASK)
-			mask_entry = i;
-		else
-			perm_union |= acl->acl_entry[i].ae_perm;
-
-	if (mask_entry != -1) {
-		/* already have a mask, replace */
-		acl->acl_entry[mask_entry].ae_perm = perm_union;
-	} else {
-		/* must add a new mask */
-		if (acl_add_entry(acl, ACL_MASK, 0, perm_union) == -1)
-			return (-1);
-	}
-
-	return (0);
-}
diff --git a/lib/libposix1e/posix1e.3 b/lib/libposix1e/posix1e.3
new file mode 100644
index 0000000..0935404
--- /dev/null
+++ b/lib/libposix1e/posix1e.3
@@ -0,0 +1,91 @@
+.\"-
+.\" Copyright (c) 2000 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"       $FreeBSD$
+.\"
+.Dd January 17, 2000
+.Dt POSIX1E 3
+.Os FreeBSD 4.0
+.Sh NAME
+.Nm posix1e \- introduction to the POSIX.1e security API
+.Sh SYNOPSIS
+.Fd #include <sys/acl.h>
+.Fd #include <sys/audit.h>
+.Fd #include <sys/capability.h>
+.Fd #include <sys/mac.h>
+.Sh DESCRIPTION
+The IEEE POSIX.1e specification never left draft form, but the interfaces
+it describes are now widely used despite inherrent limitations.  Currently,
+only a few of the interfaces and features are implemented in FreeBSD,
+although efforts are underway to complete the integration at this time.
+
+POSIX.1e describes five security extensions to the base POSIX.1 API:
+Access Control Lists (ACLs), Auditing, Capabilities, Mandatory Access
+Control, and Information Flow Labels.  Of these, the ACL interfaces are
+currently included with FreeBSD, Auditing, Capabilities, and Mandatory
+Access Control are in the wings, and Information Flow Labels are not on
+the calendar.
+
+POSIX.1e defines both syntax and semantics for these features, but fairly
+substantial changes are required to implement these features in the 
+operating system.  As shipped, FreeBSD 4.0 permits file systems to export
+Access Control Lists via the VFS, and provides a library for userland
+access to and manipulation of these ACLs, but support for ACLs is not
+provided by any file systems shipped in the base operating system.
+
+The patches supporting other POSIX.1e features are not available in the
+base operating system at this time--however, more information on them
+may be found on the FreeBSD POSIX.1e implementation web page:
+
+http://www.watson.org/fbsd-hardening/posix1e/
+.Sh IMPLEMENTATION NOTES
+FreeBSD's support for POSIX.1e interfaces and features is still under
+development at this time.
+.Sh ENVIRONMENT
+POSIX.1e assigns security labels to all objects, extending the security
+functionality described in POSIX.1.  These additional labels provide
+fine-grained discretionary access control, fine-grained capabilities,
+and labels necessary for mandatory access control.  POSIX.2c describes
+a set of userland utilities for manipulating these labels.  These userland
+utilities are not bundled with FreeBSD 4.0 so as to discourage their
+use in the short term.
+.Sh FILES
+.Sh SEE ALSO
+.Xr acl 3 ,
+.Xr acl 9 ,
+.Xr extattr 9
+.Sh STANDARDS
+POSIX.1e is described in IEEE POSIX.1e draft 17.  Discussion
+of the draft continues on the cross-platform POSIX.1e implementation
+mailing list.  To join this list, see the FreeBSD POSIX.1e implementation
+page for more information.
+.Sh HISTORY
+POSIX.1e support was introduced in FreeBSD 4.0, and development continues.
+.Sh AUTHORS
+Robert N M Watson, Ilmar S Habibulin
+.Sh BUGS
+These features are not yet fully implemented.  In particular, the shipped
+version of UFS/FFS does not support storage of additional security labels,
+and so is unable to (easily) provide support for most of these features.