posix1e
—
introduction to the POSIX.1e security API
Standard C Library (libc, -lc)
POSIX.1e describes five security extensions to the POSIX.1 API: Access Control
Lists (ACLs), Auditing, Capabilities, Mandatory Access Control, and
Information Flow Labels. While IEEE POSIX.1e D17 specification has not been
standardized, several of its interfaces are widely used.
NetBSD implements POSIX.1e interface for
access control lists, described in
acl(3), and supports ACLs on the
ffs(7) file system; ACLs must be
administratively enabled using
tunefs(8) or via
mount(8) options.
NetBSD does not implement the POSIX.1e
mac, audit, privilege (capability), or information flow label APIs.
POSIX.1e assigns security attributes to all objects, extending the security
functionality described in POSIX.1. These additional attributes store
fine-grained discretionary access control information; for files, they are
stored in extended attributes, described in
extattr(3).
POSIX.2c describes a set of userland utilities for manipulating
these attributes, including
getfacl(1) and
setfacl(1).
POSIX.1e is described in IEEE POSIX.1e draft 17.
POSIX.1e support was introduced in NetBSD 10.0.
Robert N M Watson
Chris D. Faulhaber
Thomas Moestl
Ilmar S Habibulin