summaryrefslogtreecommitdiffstats
path: root/lib/libc/posix1e/mac.3
diff options
context:
space:
mode:
Diffstat (limited to 'lib/libc/posix1e/mac.3')
-rw-r--r--lib/libc/posix1e/mac.3187
1 files changed, 187 insertions, 0 deletions
diff --git a/lib/libc/posix1e/mac.3 b/lib/libc/posix1e/mac.3
new file mode 100644
index 0000000..ac6affd
--- /dev/null
+++ b/lib/libc/posix1e/mac.3
@@ -0,0 +1,187 @@
+.\" Copyright (c) 2001, 2003 Networks Associates Technology, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by Chris
+.\" Costello at Safeport Network Services and Network Associates
+.\" Laboratories, the Security Research Division of Network Associates,
+.\" Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part
+.\" of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd April 19, 2003
+.Dt MAC 3
+.Os
+.Sh NAME
+.Nm mac
+.Nd introduction to the MAC security API
+.Sh LIBRARY
+.Lb libc
+.Sh SYNOPSIS
+.In sys/mac.h
+.Pp
+In the kernel configuration file:
+.Cd "options MAC"
+.Sh DESCRIPTION
+.Fx
+permits administrators to define Mandatory Access Control labels
+defining levels for the privacy and integrity of data,
+overriding discretionary policies
+for those objects.
+Not all objects currently provide support for MAC labels,
+and MAC support must be explicitly enabled by the administrator.
+The library calls include routines to retrieve, duplicate,
+and set MAC labels associated with files and processes.
+.Pp
+POSIX.1e describes a set of MAC manipulation routines
+to manage the contents of MAC labels,
+as well as their relationships with
+files and processes;
+almost all of these support routines
+are implemented in
+.Fx .
+.Pp
+Available functions, sorted by behavior, include:
+.Bl -tag -width indent
+.It Fn mac_get_fd
+This function is described in
+.Xr mac_get 3 ,
+and may be used to retrieve the
+MAC label associated with
+a specific file descriptor.
+.It Fn mac_get_file
+This function is described in
+.Xr mac_get 3 ,
+and may be used to retrieve the
+MAC label associated with
+a named file.
+.It Fn mac_get_proc
+This function is described in
+.Xr mac_get 3 ,
+and may be used to retrieve the
+MAC label associated with
+the calling process.
+.It Fn mac_set_fd
+This function is described in
+.Xr mac_set 3 ,
+and may be used to set the
+MAC label associated with
+a specific file descriptor.
+.It Fn mac_set_file
+This function is described in
+.Xr mac_set 3 ,
+and may be used to set the
+MAC label associated with
+a named file.
+.It Fn mac_set_proc
+This function is described in
+.Xr mac_set 3 ,
+and may be used to set the
+MAC label associated with
+the calling process.
+.It Fn mac_free
+This function is described in
+.Xr mac_free 3 ,
+and may be used to free
+userland working MAC label storage.
+.It Fn mac_from_text
+This function is described in
+.Xr mac_text 3 ,
+and may be used to convert
+a text-form MAC label
+into a working
+.Vt mac_t .
+.It Fn mac_prepare
+.It Fn mac_prepare_file_label
+.It Fn mac_prepare_ifnet_label
+.It Fn mac_prepare_process_label
+These functions are described in
+.Xr mac_prepare 3 ,
+and may be used to preallocate storage for MAC label retrieval.
+.Xr mac_prepare 3
+prepares a label based on caller-specified label names; the other calls
+rely on the default configuration specified in
+.Xr mac.conf 5 .
+.It Fn mac_to_text
+This function is described in
+.Xr mac_text 3 ,
+and may be used to convert a
+.Vt mac_t
+into a text-form MAC label.
+.El
+The behavior of some of these calls is influenced by the configuration
+settings found in
+.Xr mac.conf 5 ,
+the MAC library run-time configuration file.
+.Sh IMPLEMENTATION NOTES
+.Fx Ns 's
+support for POSIX.1e interfaces and features
+is
+.Ud .
+.Sh FILES
+.Bl -tag -width ".Pa /etc/mac.conf" -compact
+.It Pa /etc/mac.conf
+MAC library configuration file, documented in
+.Xr mac.conf 5 .
+Provides default behavior for applications aware of MAC labels on
+system objects, but without policy-specific knowledge.
+.El
+.Sh SEE ALSO
+.Xr mac_free 3 ,
+.Xr mac_get 3 ,
+.Xr mac_prepare 3 ,
+.Xr mac_set 3 ,
+.Xr mac_text 3 ,
+.Xr mac 4 ,
+.Xr mac.conf 5 ,
+.Xr mac 9
+.Sh STANDARDS
+These APIs are loosely based on the APIs described in POSIX.1e.
+POSIX.1e is described in IEEE POSIX.1e draft 17.
+Discussion of the draft
+continues on the cross-platform POSIX.1e implementation mailing list.
+To join this list, see the
+.Fx
+POSIX.1e implementation page
+for more information.
+However, the resemblance of these APIs to the POSIX APIs is only loose,
+as the POSIX APIs were unable to express many notions required for
+flexible and extensible access control.
+.Sh HISTORY
+Support for Mandatory Access Control was introduced in
+.Fx 5.0
+as part of the
+.Tn TrustedBSD
+Project.
+.Sh BUGS
+The
+.Tn TrustedBSD
+MAC Framework and associated policies, interfaces, and
+applications are considered to be an experimental feature in
+.Fx .
+Sites considering production deployment should keep the experimental
+status of these services in mind during any deployment process.
+See also
+.Xr mac 9
+for related considerations regarding the kernel framework.
OpenPOWER on IntegriCloud