FreeBSD permits administrators to define Mandatory Access Control (MAC) labels
that set levels for the privacy and integrity of data,
overriding discretionary policies
for the labeled objects.
Not all objects currently provide support for MAC labels,
and MAC support must be explicitly enabled by the administrator.
The library calls include routines to retrieve, duplicate,
and set MAC labels associated with files and processes.
POSIX.1e describes a set of MAC manipulation routines
to manage the contents of MAC labels,
as well as their relationships with
files and processes;
almost all of these support routines
are implemented in
FreeBSD.
Available functions, sorted by behavior, include:
mac_get_fd()
This function is described in
mac_get(3),
and may be used to retrieve the
MAC label associated with
a specific file descriptor.
mac_get_file()
This function is described in
mac_get(3),
and may be used to retrieve the
MAC label associated with
a named file.
mac_get_proc()
This function is described in
mac_get(3),
and may be used to retrieve the
MAC label associated with
the calling process.
mac_set_fd()
This function is described in
mac_set(3),
and may be used to set the
MAC label associated with
a specific file descriptor.
mac_set_file()
This function is described in
mac_set(3),
and may be used to set the
MAC label associated with
a named file.
mac_set_proc()
This function is described in
mac_set(3),
and may be used to set the
MAC label associated with
the calling process.
mac_free()
This function is described in
mac_free(3),
and may be used to free
userland working MAC label storage.
mac_from_text()
This function is described in
mac_text(3),
and may be used to convert
a text-form MAC label
into a working
mac_t.
mac_prepare()
mac_prepare_file_label()
mac_prepare_ifnet_label()
mac_prepare_process_label()
These functions are described in
mac_prepare(3),
and may be used to preallocate storage for MAC label retrieval.
mac_prepare(3)
prepares a label based on caller-specified label names; the other calls
rely on the default configuration specified in
mac.conf(5).
mac_to_text()
This function is described in
mac_text(3),
and may be used to convert a
mac_t
into a text-form MAC label.
The behavior of some of these calls is influenced by the configuration
settings found in
mac.conf(5),
the MAC library run-time configuration file.
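The retrieval calls listed above combine into one sequence: preallocate a label, fill it from a named file, convert it to text form, and free the working storage. This is an added example, not code from the FreeBSD manual page; file_label_text() is a hypothetical helper, and the non-FreeBSD branch is an assumption added only so the file compiles on systems without <sys/mac.h>.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__FreeBSD__)
#include <sys/types.h>
#include <sys/mac.h>

/* Return a malloc'd text-form MAC label for path, or NULL with errno set. */
char *file_label_text(const char *path)
{
	mac_t label;
	char *text = NULL;

	/* Preallocate storage using the default file label set from mac.conf(5). */
	if (mac_prepare_file_label(&label) == -1)
		return NULL;
	/* Fill the working label from the file, then convert it to text form. */
	if (mac_get_file(path, label) == -1 || mac_to_text(label, &text) == -1) {
		int saved = errno;	/* keep the original error across mac_free() */
		mac_free(label);
		errno = saved;
		return NULL;
	}
	mac_free(label);	/* working storage is no longer needed */
	return text;		/* caller releases the text with free(3) */
}
#else
/* Assumed fallback for systems without the MAC library: always fail. */
char *file_label_text(const char *path)
{
	(void)path;
	errno = ENOSYS;
	return NULL;
}
#endif

int main(int argc, char *argv[])
{
	const char *path = argc > 1 ? argv[1] : "/etc/mac.conf";
	char *text = file_label_text(path);
	if (text == NULL) {
		perror(path);
		return 1;
	}
	printf("%s: %s\n", path, text);
	free(text);
	return 0;
}
```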
IMPLEMENTATION NOTES
FreeBSD's
support for POSIX.1e interfaces and features
is
currently under development.
FILES
/etc/mac.conf
MAC library configuration file, documented in
mac.conf(5).
Provides default behavior for applications aware of MAC labels on
system objects, but without policy-specific knowledge.
These APIs are loosely based on the APIs described in POSIX.1e.
POSIX.1e is described in IEEE POSIX.1e draft 17.
Discussion of the draft
continues on the cross-platform POSIX.1e implementation mailing list.
To join this list, see the
FreeBSD POSIX.1e implementation page
for more information.
However, the resemblance of these APIs to the POSIX APIs is only loose,
as the POSIX APIs were unable to express many notions required for
flexible and extensible access control.
HISTORY
Support for Mandatory Access Control was introduced in
FreeBSD 5.0
as part of the
TrustedBSD
Project.
BUGS
The
TrustedBSD
MAC Framework and associated policies, interfaces, and
applications are considered to be an experimental feature in
FreeBSD.
Sites considering production deployment should keep the experimental
status of these services in mind during any deployment process.
See also
mac(9)
for related considerations regarding the kernel framework.