POSIX.1e Implementation for FreeBSD

POSIX.1e defines a set of security extensions to the POSIX.1 specification, including Capabilities, file system ACLs, Information Labels, Mandatory Access Control, and Auditing. Implementation of these extensions for FreeBSD 4.0 is underway, and as it becomes available, this web site is the place to look.


More information can be found by visiting http://wt.xpilot.org/publications/posix.1e/, maintained by Winfried Truemper. The cross-platform POSIX.1e discussion list may be subscribed to by emailing posix1e-request@cyrus.watson.org.




With the advent of the TrustedBSD Project, future versions of the POSIX.1e implementation will be available from the TrustedBSD downloads page


The ACL and Extended Attribute interfaces have recently been commited to 4.0-CURRENT of FreeBSD. The libraries and documention will follow shortly; for those interested, the extended attribute code for UFS, as well as ACLs in UFS based on that functionality, will be available in the near future also.


We're please to announce the availability of an initial pass at Access Control List support for FreeBSD 3.3-RELEASE, written by Robert Watson. You can find a copy of it here .


We're pleased to announce the availability of an initial pass at Mandatory Access Control support for FreeBSD 3.3-RELEASE, written by Ilmar Habibulin. You can find a copy of it here .


Support for file system Access Control Lists (ACLs) is now underway, and support for everything but storage in FFS and other disk stores should be done in the near future. A first pass at modifications to the vnode layers and a modified MFS supporting ACLs should be available shortly.


SRI will be funding a redevelopment of the kernel auditing code, and this project is now underway. We hope to make code available in a few months once it has stablized. The changes are largely based on the outcome of a discussion on the freebsd-security mailing list, and included improvement in performance and consistency, as well as providing a framework for handling more syscalls. The communication between the kernel and audit daemon will now speak a higher performance FreeBSD-specific protocol, while the daemon will provide an IDS interface and generate POSIX.1e-capable records.


Ilmar Habibulin has made significant progress in implementing the Mandatory Access Control POSIX.1e specification in FreeBSD, and we hope to have that source online shortly.


Currently discussion is ongoing as to ways to more tightly integrate auditing into FreeBSD kernel infrastructure. An audit record filter language has been developed, and another revision of the auditing code (significantly more complete) should be available by the end of September.


The auditing extensions are now available for alpha test, in a far from complete form. Please see the POSIX.1E Auditing page for more information and downloads. Comments on the implementation and how to properly integrate auditing support into the kernel are now being solicited. Please send email to the address listed below, or to freebsd-security@freebsd.org.

Email Contact

Email Robert Watson for more information or to suggest changes to this page.

Back to the FreeBSD Hardening Project

Last modified: Fri Nov 26 22:26:50 EST 1999