posix1e - introduction to the POSIX.1e security API
The IEEE POSIX.1e specification never left draft form, but
the interfaces
it describes are now widely used despite inherent limitations. Currently,
only a few of the interfaces and features are implemented in OpenBSD,
although efforts are underway to complete the integration at
this time.
POSIX.1e describes five security extensions to the base
POSIX.1 API: Access
Control Lists (ACLs), Auditing, Capabilities, Mandatory
Access Control,
and Information Flow Labels.
POSIX.1e defines both syntax and semantics for these features, but fairly
substantial changes are required to implement these features
in the operating
system.
FreeBSD's support for POSIX.1e interfaces and features is
still under development
at this time.
POSIX.1e assigns security labels to all objects, extending
the security
functionality described in POSIX.1. These additional labels
provide
fine-grained discretionary access control, fine-grained capabilities, and
labels necessary for mandatory access control. POSIX.2c describes a set
of userland utilities for manipulating these labels.
extattr(9)
POSIX.1e is described in IEEE POSIX.1e draft 17. Discussion
of the draft
continues on the cross-platform POSIX.1e implementation
mailing list. To
join this list, see the OpenBSD POSIX.1e implementation page
for more information.
POSIX.1e support was introduced in OpenBSD 3.1 and development continues.
Robert N M Watson
Chris D. Faulhaber
Thomas Moestl
Ilmar S Habibulin
These features are not yet fully implemented.
OpenBSD 3.6 January 17, 2000
[ Back ] | 