posix1e(3) [freebsd man page]

POSIX1E(3)						   BSD Library Functions Manual 						POSIX1E(3)

NAME
     posix1e -- introduction to the POSIX.1e security API

LIBRARY
     Standard C Library (libc, -lc)

SYNOPSIS
     #include <sys/types.h>
     #include <sys/acl.h>
     #include <sys/mac.h>

DESCRIPTION
     POSIX.1e describes five security extensions to the POSIX.1 API: Access
     Control Lists (ACLs), Auditing, Capabilities, Mandatory Access Control,
     and Information Flow Labels. While the IEEE POSIX.1e D17 specification
     has not been standardized, several of its interfaces are widely used.

     FreeBSD implements the POSIX.1e interface for access control lists,
     described in acl(3), and supports ACLs on the ffs(7) file system; ACLs
     must be administratively enabled using tunefs(8).

     FreeBSD implements a POSIX.1e-like mandatory access control interface,
     described in mac(3), although with a number of extensions and important
     semantic differences.

     FreeBSD does not implement the POSIX.1e audit, privilege (capability),
     or information flow label APIs. However, FreeBSD does implement the
     libbsm audit API. It also provides capsicum(4), a lightweight OS
     capability and sandbox framework implementing a hybrid capability
     system model.

ENVIRONMENT
     POSIX.1e assigns security attributes to all objects, extending the
     security functionality described in POSIX.1. These additional
     attributes store fine-grained discretionary access control information
     and mandatory access control labels; for files, they are stored in
     extended attributes, described in extattr(3).

     POSIX.2c describes a set of userland utilities for manipulating these
     attributes, including getfacl(1) and setfacl(1) for access control
     lists, and getfmac(8) and setfmac(8) for mandatory access control
     labels.

SEE ALSO
     getfacl(1), setfacl(1), extattr(2), acl(3), extattr(3), libbsm(3),
     libcapsicum(3), mac(3), capsicum(4), ffs(7), getfmac(8), setfmac(8),
     tunefs(8), acl(9), extattr(9), mac(9)

STANDARDS
     POSIX.1e is described in IEEE POSIX.1e draft 17.

HISTORY
     POSIX.1e support was introduced in FreeBSD 4.0; most features were
     available as of FreeBSD 5.0.

AUTHORS
     Robert N M Watson
     Chris D. Faulhaber
     Thomas Moestl
     Ilmar S Habibulin

BSD                              April 15, 2014                              BSD

ACL_SET(3)						   BSD Library Functions Manual 						ACL_SET(3)

NAME
     acl_set_fd, acl_set_fd_np, acl_set_file, acl_set_link_np -- set an ACL
     for a file

LIBRARY
     Standard C Library (libc, -lc)

SYNOPSIS
     #include <sys/types.h>
     #include <sys/acl.h>

     int acl_set_fd(int fd, acl_t acl);

     int acl_set_fd_np(int fd, acl_t acl, acl_type_t type);

     int acl_set_file(const char *path_p, acl_type_t type, acl_t acl);

     int acl_set_link_np(const char *path_p, acl_type_t type, acl_t acl);

DESCRIPTION
     The acl_set_fd(), acl_set_fd_np(), acl_set_file(), and acl_set_link_np()
     functions each associate an ACL with an object referred to by fd or
     path_p. The acl_set_fd_np() and acl_set_link_np() functions are not
     POSIX.1e calls. The acl_set_fd() function allows only the setting of
     ACLs of type ACL_TYPE_ACCESS, whereas acl_set_fd_np() allows the setting
     of ACLs of any type. The acl_set_link_np() function acts on a symlink
     rather than its target, if the target of the path is a symlink.

     Valid values for the type argument are:

     ACL_TYPE_ACCESS     POSIX.1e access ACL
     ACL_TYPE_DEFAULT    POSIX.1e default ACL
     ACL_TYPE_NFS4       NFSv4 ACL

     Trying to set ACL_TYPE_NFS4 with an ACL branded as POSIX.1e, or
     ACL_TYPE_ACCESS or ACL_TYPE_DEFAULT with an ACL branded as NFSv4, will
     result in an error.

IMPLEMENTATION NOTES
     FreeBSD's support for POSIX.1e interfaces and features is still under
     development at this time.

RETURN VALUES
     Upon successful completion, the value 0 is returned; otherwise the value
     -1 is returned and the global variable errno is set to indicate the
     error.

ERRORS
     If any of the following conditions occur, these functions shall return
     -1 and set errno to the corresponding value:

     [EACCES]           Search permission is denied for a component of the
                        path prefix, or the object exists and the process
                        does not have appropriate access rights.

     [EBADF]            The fd argument is not a valid file descriptor.

     [EINVAL]           Argument acl does not point to a valid ACL for this
                        object, or the ACL type specified in type is invalid
                        for this object, or there is a branding mismatch.

     [ENAMETOOLONG]     A component of a pathname exceeded 255 characters, or
                        an entire path name exceeded 1023 characters.

     [ENOENT]           The named object does not exist, or the path_p
                        argument points to an empty string.

     [ENOMEM]           Insufficient memory available to fulfill request.

     [ENOSPC]           The directory or file system that would contain the
                        new ACL cannot be extended, or the file system is out
                        of file allocation resources.

     [EOPNOTSUPP]       The file system does not support ACL retrieval.

     [EROFS]            This function requires modification of a file system
                        which is currently read-only.

SEE ALSO
     acl(3), acl_delete(3), acl_get(3), acl_get_brand_np(3), acl_valid(3),
     posix1e(3)

STANDARDS
     POSIX.1e is described in IEEE POSIX.1e draft 17. Discussion of the draft
     continues on the cross-platform POSIX.1e implementation mailing list.
     To join this list, see the FreeBSD POSIX.1e implementation page for more
     information.

HISTORY
     POSIX.1e support was introduced in FreeBSD 4.0, and development
     continues.

AUTHORS
     Robert N M Watson

BSD                               June 25, 2009                               BSD

