As stated in the IEEE Draft Standard P1003.6.1 Enhancements to Protection, Audit and Control Interfaces to the Portable Operating System Interface Standard, ``The goal of this standard is to specify an interface to security functions for a POSIX system in order to promote application portability. The security mechanisms supported by this standard were chosen for their generality - they satisfy most of the key functional requirements prevalent in modern trusted systems. The specific interfaces defined were selected because they were perceived to be generally useful to applications (trusted and untrusted). Two mechanisms - discretionary access control and appropriate privilege - are defined specifically to address areas in the P1003.1 standard that were deferred to this standard.'' The interfaces specified can support the implementation of the following:
Specifications for an ACL mechanism are provided because the permission bit mechanism that P1003.1 offers as its discretionary access control mechanism was felt not to be robust enough to meet certain security requirements. The permission bits cannot grant or deny access to a specific user (only to the owner, to one group, and to everyone else), nor do they allow for file permissions beyond read, write and execute.
The introduction of ACLs into the POSIX set of interfaces was planned for during the development of the base P1003.1 standard. While the permission bit mechanism is required by the P1003.1 standard, it also allows for an ``additional access control mechanism.'' As stated in IEEE Standard 1003.1-1990, ``an additional access control mechanism shall only further restrict the access permissions defined by the file permission bits.'' The ACL mechanism defined by P1003.6 was designed to coexist with the permission bit mechanism in order to support backward compatibility with older applications and to allow the use of either or both mechanisms. The P1003.1 interfaces that were designated to be used with the permission bit mechanism (chmod(), stat() and the like) will also work with the ACL mechanism.
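The coexistence rule above is easiest to see in code. The following model is an added example for this report, not code from P1003.6 or from any implementation; it goes slightly beyond the text by using the entry names (ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER) and the mask rule of the later P1003.1e drafts, as shipped by Linux and FreeBSD. The file, users and permissions in `demo()` are constructed. It shows how the visible permission bits are derived from the ACL, how a legacy chmod() rewrites only the entries behind those bits, and why an ACL can therefore only further restrict what the bits already allow.

```python
"""Model of P1003.1e-style ACL evaluation and its coexistence with the
POSIX.1 permission bits (added example; entry names and mask rule are
taken from the later P1003.1e drafts, not from this report)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1  # one rwx triplet, as in st_mode


@dataclass
class Acl:
    user_obj: int                     # ACL_USER_OBJ: the file owner
    group_obj: int                    # ACL_GROUP_OBJ: the owning group
    other: int                        # ACL_OTHER: everyone else
    users: Dict[int, int] = field(default_factory=dict)   # ACL_USER:  uid -> perms
    groups: Dict[int, int] = field(default_factory=dict)  # ACL_GROUP: gid -> perms
    mask: Optional[int] = None        # ACL_MASK: required once named entries exist

    def __post_init__(self) -> None:
        if (self.users or self.groups) and self.mask is None:
            raise ValueError("an ACL with named entries must carry an ACL_MASK entry")


@dataclass
class File:
    uid: int
    gid: int
    acl: Acl

    def mode(self) -> int:
        """The permission bits a POSIX.1-only application sees via stat().
        Owner and other bits mirror ACL_USER_OBJ / ACL_OTHER; the group bits
        mirror the mask (the upper bound on every named entry), or the owning
        group entry when no mask exists."""
        group_bits = self.acl.group_obj if self.acl.mask is None else self.acl.mask
        return (self.acl.user_obj << 6) | (group_bits << 3) | self.acl.other


def chmod(f: File, mode: int) -> None:
    """POSIX.1 chmod(2) applied to a file that also carries an ACL: the three
    entries behind the visible bits are rewritten, named entries are left
    alone. Narrowing the group bits narrows the mask, which is how the ACL
    honours POSIX.1's rule that it may only further restrict the bits."""
    f.acl.user_obj = (mode >> 6) & 7
    f.acl.other = mode & 7
    if f.acl.mask is None:
        f.acl.group_obj = (mode >> 3) & 7
    else:
        f.acl.mask = (mode >> 3) & 7


def access(f: File, uid: int, gids: Set[int], want: int) -> bool:
    """Access check: exactly one entry class is selected by the process's
    uid/gids, in the order owner, named user, group(s), other. The mask
    limits every entry except the owner and other entries."""
    acl = f.acl

    def effective(perms: int) -> int:
        return perms if acl.mask is None else perms & acl.mask

    if uid == f.uid:
        return (want & ~acl.user_obj) == 0
    if uid in acl.users:
        return (want & ~effective(acl.users[uid])) == 0
    matching = [acl.group_obj] if f.gid in gids else []
    matching += [p for g, p in acl.groups.items() if g in gids]
    if matching:
        # Group phase: granted if ANY matching group entry grants it.
        return any((want & ~effective(p)) == 0 for p in matching)
    return (want & ~acl.other) == 0


def demo() -> dict:
    """Constructed scenario: owner 1000 (group 100) grants uid 1001 rwx through
    a named-user entry; then a legacy tool, seeing only mode bits, runs chmod 640."""
    f = File(uid=1000, gid=100,
             acl=Acl(user_obj=R | W | X, group_obj=R | W, other=0,
                     users={1001: R | W | X}, mask=R | W | X))
    before = {"mode": f.mode(), "u1001_write": access(f, 1001, {200}, W)}
    chmod(f, 0o640)
    after = {"mode": f.mode(),
             "u1001_write": access(f, 1001, {200}, W),   # masked down to r--
             "u1001_read": access(f, 1001, {200}, R),
             "owner_write": access(f, 1000, {100}, W),
             "stranger_read": access(f, 1002, {300}, R)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The practical consequence is the one the standard relies on: an old application that reads st_mode and concludes ``the group class cannot write'' is never contradicted by a named-user entry, because that entry is capped by the same bits the application looked at.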
The interfaces to support a security auditing mechanism were designed to promote portability for two types of applications with respect to auditing. The first type of application is an audit tool that reads the audit data and incorporates it into meaningful reports. The second type of application is one that would generate audit data based on its interaction with the system. This type of application may be trusted or untrusted. The interfaces specify how data can be written to and read from the area where audit data is stored.
The privilege mechanism used on Unix systems today is a two-state mechanism. A process whose effective UID is 0 (the superuser) has all privileges; a process with any other UID has none. POSIX.6 developed interfaces that can support a fine-grained privilege mechanism in which privileges are controlled individually on a per-process basis. The specification also defines privileges (generally read-overrides and write-overrides of the access control mechanisms) that must be supported by the implementation.
Specifications for a mandatory access control mechanism are provided for environments that require a mandatory access control policy. With this type of policy, the system determines object (file) access based on the clearances of users and the classifications of files. This policy is used primarily in Department of Defense (DOD) environments. The specifications provide for a labeling mechanism to be used on a per-file basis. The interfaces standardize how the label of a file can be created, read, or modified. It should be noted that MAC does not address mounted file systems, a major area of interest in this discussion.
Information labels appear to be much like MAC labels. However, they are not. Information labels describe the information contained in a file, whereas a MAC label defines the classification of a file. Information labels do not play a role in access decisions; they merely provide indications concerning the type of information contained in a file.
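The label comparison behind the MAC decision in the two paragraphs above, and the point that an information label never enters it, as an added example for this report (not code from P1003.6 or any implementation). The label structure (a hierarchical level plus a set of compartments) and the read/write rules are those of the Bell-LaPadula model that DoD-style MAC policies implement; the level names, files, clearances and information-label strings in `demo()` are constructed. The `dac_ok` argument stands in for the separate discretionary check, since MAC and DAC are both consulted.

```python
"""Model of MAC label dominance and the resulting read/write decisions
(added example; Bell-LaPadula rules, constructed labels and files)."""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed hierarchy; a real system carries this in its label encodings.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """self >= other: higher-or-equal level AND a superset of compartments.
        Labels with incomparable compartment sets dominate in neither direction."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class LabeledFile:
    name: str
    mac_label: Label          # classification: the only label that drives access
    info_label: str = ""      # information label: descriptive, never consulted


def mac_read(subject: Label, f: LabeledFile) -> bool:
    """Simple security property: read only what the clearance dominates (no read up)."""
    return subject.dominates(f.mac_label)


def mac_write(subject: Label, f: LabeledFile) -> bool:
    """*-property: write only to files whose classification dominates the
    clearance (no write down), so a subject cannot leak what it may have read."""
    return f.mac_label.dominates(subject)


def decide(subject: Label, f: LabeledFile, dac_ok: bool) -> dict:
    """MAC and DAC are both consulted; each access needs both to allow it."""
    return {"read": dac_ok and mac_read(subject, f),
            "write": dac_ok and mac_write(subject, f)}


def demo() -> dict:
    secret_nato = Label("SECRET", frozenset({"NATO"}))
    secret_plain = Label("SECRET")
    confidential = Label("CONFIDENTIAL")
    # Constructed files; the information labels differ but never matter.
    plan = LabeledFile("plan.txt", Label("SECRET", frozenset({"NATO"})),
                       info_label="contains troop counts")
    memo = LabeledFile("memo.txt", Label("CONFIDENTIAL"), info_label="weekly status")
    relabeled_plan = LabeledFile(plan.name, plan.mac_label, info_label="something else")
    return {
        "secret_nato_reads_plan": mac_read(secret_nato, plan),
        "secret_plain_reads_plan": mac_read(secret_plain, plan),      # lacks NATO compartment
        "secret_nato_writes_memo": mac_write(secret_nato, memo),      # write down refused
        "confidential_writes_plan": mac_write(confidential, plan),    # write up allowed by MAC
        "confidential_reads_plan": mac_read(confidential, plan),
        "dac_denied": decide(secret_nato, plan, dac_ok=False),
        "same_label": decide(secret_nato, plan, dac_ok=True),
        # Changing only the information label changes no decision.
        "info_label_inert": decide(secret_nato, relabeled_plan, True)
                            == decide(secret_nato, plan, True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that `mac_write` allowing a CONFIDENTIAL subject to write a SECRET file is the policy working as intended (it prevents downgrading, not upgrading); in practice the DAC check or an explicit policy refinement usually denies such blind write-ups.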
For a more complete description of P1003.6, see Chapter 4.