|
NAMEmac —
introduction to the MAC security API
LIBRARYStandard C Library (libc, -lc)SYNOPSIS#include <sys/mac.h>
In the kernel configuration file:
DESCRIPTIONMandatory Access Control labels describe confidentiality, integrity, and other security attributes of operating system objects, overriding discretionary access control. Not all system objects support MAC labeling, and MAC policies must be explicitly enabled by the administrator. This API, based on POSIX.1e, includes routines to retrieve, manipulate, set, and convert to and from text the MAC labels on files and processes.MAC labels consist of a set of (name, value) tuples, representing security attributes from MAC policies. For example, this label contains security labels defined by two policies, mac_biba(4) and mac_mls(4): biba/low,mls/low Further syntax and semantics of MAC labels may be found in maclabel(7). Applications operate on labels stored in mac_t, but can convert between this internal format and a text format for the purposes of presentation to uses or external storage. When querying a label on an object, a mac_t must first be prepared using the interfaces described in mac_prepare(3), allowing the application to declare which policies it wishes to interrogate. The application writer can also rely on default label names declared in mac.conf(5). When finished with a mac_t, the application must call mac_free(3) to release its storage. The following functions are defined:
FILES
SEE ALSOmac_free(3), mac_get(3), mac_is_present(3), mac_prepare(3), mac_set(3), mac_text(3), posix1e(3), mac(4), mac.conf(5), mac(9)STANDARDSThese APIs are loosely based on the APIs described in POSIX.1e, as described in IEEE POSIX.1e draft 17. However, the resemblance of these APIs to the POSIX APIs is loose, as the POSIX APIs were unable to express some notions required for flexible and extensible access control.HISTORYSupport for Mandatory Access Control was introduced in FreeBSD 5.0 as part of the TrustedBSD Project.
Visit the GSP FreeBSD Man Page Interface. |