NAME
mac — introduction to the MAC security API
LIBRARY
Standard C Library (libc, −lc)
SYNOPSIS
#include <sys/mac.h>
In the kernel configuration file:
options MAC
DESCRIPTION
FreeBSD permits administrators to define Mandatory Access Control labels defining levels for the privacy and integrity of data, overriding discretionary policies for those objects. Not all objects currently provide support for MAC labels, and MAC support must be explicitly enabled by the administrator. The library calls include routines to retrieve, duplicate, and set MAC labels associated with files and processes.
POSIX.1e describes a set of MAC manipulation routines to manage the contents of MAC labels, as well as their relationships with files and processes; almost all of these support routines are implemented in FreeBSD.
Available functions, sorted by behavior, include:
mac_get_fd()
This function is described in mac_get(3), and may be used to retrieve the MAC label associated with a specific file descriptor.
mac_get_file()
This function is described in mac_get(3), and may be used to retrieve the MAC label associated with a named file.
mac_get_proc()
This function is described in mac_get(3), and may be used to retrieve the MAC label associated with the calling process.
mac_set_fd()
This function is described in mac_set(3), and may be used to set the MAC label associated with a specific file descriptor.
mac_set_file()
This function is described in mac_set(3), and may be used to set the MAC label associated with a named file.
mac_set_proc()
This function is described in mac_set(3), and may be used to set the MAC label associated with the calling process.
mac_free()
This function is described in mac_free(3), and may be used to free userland working MAC label storage.
mac_from_text()
This function is described in mac_text(3), and may be used to convert a text-form MAC label into a working mac_t.
mac_prepare()
mac_prepare_file_label()
mac_prepare_ifnet_label()
mac_prepare_process_label()
These functions are described in mac_prepare(3), and may be used to preallocate storage for MAC label retrieval. mac_prepare(3) prepares a label based on caller-specified label names; the other calls rely on the default configuration specified in mac.conf(5).
mac_to_text()
This function is described in mac_text(3), and may be used to convert a mac_t into a text-form MAC label.
The behavior of some of these calls is influenced by the configuration settings found in mac.conf(5), the MAC library run-time configuration file.
FILES
/etc/mac.conf
MAC library configuration file, documented in mac.conf(5). Provides default behavior for applications aware of MAC labels on system objects, but without policy-specific knowledge.
IMPLEMENTATION NOTES
FreeBSD’s support for POSIX.1e interfaces and features is currently under development.
SEE ALSO
mac_free(3), mac_get(3), mac_prepare(3), mac_set(3), mac_text(3), mac(4), mac.conf(5), mac(9)
STANDARDS
These APIs are loosely based on the APIs described in POSIX.1e. POSIX.1e is described in IEEE POSIX.1e draft 17. Discussion of the draft continues on the cross-platform POSIX.1e implementation mailing list. To join this list, see the FreeBSD POSIX.1e implementation page for more information. However, the resemblence of these APIs to the POSIX APIs is only loose, as the POSIX APIs were unable to express many notions required for flexible and extensible access control.
HISTORY
Support for Mandatory Access Control was introduced in FreeBSD 5.0 as part of the TrustedBSD Project.
BUGS
The TrustedBSD MAC Framework and associated policies, interfaces, and applications are considered to be an experimental feature in FreeBSD. Sites considering production deployment should keep the experimental status of these services in mind during any deployment process. See also mac(9) for related considerations regarding the kernel framework.
BSD April 19, 2003 BSD