mac -- introduction to the MAC security API
Standard C Library (libc, -lc)
#include <sys/mac.h>
In the kernel configuration file:
options MAC
FreeBSD permits administrators to define Mandatory Access Control labels
defining levels for the privacy and integrity of data, overriding discretionary
policies for those objects. Not all objects currently provide
support for MAC labels, and MAC support must be explicitly enabled by the
administrator. The library calls include routines to retrieve, duplicate,
and set MAC labels associated with files and processes.
POSIX.1e describes a set of MAC manipulation routines to manage the contents
of MAC labels, as well as their relationships with files and processes;
almost all of these support routines are implemented in FreeBSD.
Available functions, sorted by behavior, include:
mac_get_fd()
This function is described in mac_get(3), and may be used to
retrieve the MAC label associated with a specific file descriptor.
mac_get_file()
This function is described in mac_get(3), and may be used to
retrieve the MAC label associated with a named file.
mac_get_proc()
This function is described in mac_get(3), and may be used to
retrieve the MAC label associated with the calling process.
mac_set_fd()
This function is described in mac_set(3), and may be used to set
the MAC label associated with a specific file descriptor.
mac_set_file()
This function is described in mac_set(3), and may be used to set
the MAC label associated with a named file.
mac_set_proc()
This function is described in mac_set(3), and may be used to set
the MAC label associated with the calling process.
mac_free()
This function is described in mac_free(3), and may be used to
free userland working MAC label storage.
mac_from_text()
This function is described in mac_text(3), and may be used to
convert a text-form MAC label into a working mac_t.
mac_prepare()
mac_prepare_file_label()
mac_prepare_ifnet_label()
mac_prepare_process_label()
These functions are described in mac_prepare(3), and may be used
to preallocate storage for MAC label retrieval. mac_prepare(3)
prepares a label based on caller-specified label names; the other
calls rely on the default configuration specified in mac.conf(5).
mac_to_text()
This function is described in mac_text(3), and may be used to
convert a mac_t into a text-form MAC label.
The behavior of some of these calls is influenced by the configuration
settings found in mac.conf(5), the MAC library run-time configuration
file.
/etc/mac.conf MAC library configuration file, documented in mac.conf(5).
Provides default behavior for applications aware of MAC
labels on system objects, but without policy-specific
knowledge.
FreeBSD's support for POSIX.1e interfaces and features is currently under
development.
mac_free(3), mac_get(3), mac_prepare(3), mac_set(3), mac_text(3), mac(4),
mac.conf(5), mac(9)
These APIs are loosely based on the APIs described in POSIX.1e. POSIX.1e
is described in IEEE POSIX.1e draft 17. Discussion of the draft continues
on the cross-platform POSIX.1e implementation mailing list. To join
this list, see the FreeBSD POSIX.1e implementation page for more information.
However, the resemblence of these APIs to the POSIX APIs is only
loose, as the POSIX APIs were unable to express many notions required for
flexible and extensible access control.
Support for Mandatory Access Control was introduced in FreeBSD 5.0 as
part of the TrustedBSD Project.
The TrustedBSD MAC Framework and associated policies, interfaces, and
applications are considered to be an experimental feature in FreeBSD.
Sites considering production deployment should keep the experimental status
of these services in mind during any deployment process. See also
mac(9) for related considerations regarding the kernel framework.
FreeBSD 5.2.1 April 19, 2003 FreeBSD 5.2.1 [ Back ] |