Add basic documentation for the File System Firewall Policy,

mac_bsdextended.

en_US.ISO8859-1/books/handbook/security/chapter.sgml

@@ -3631,6 +3631,33 @@ user@unfirewalled.myserver.com's password: <userinput>*******</userinput></scree
 	provides ubiquitous labeling, the Biba integrity policy
 	must be compiled into the kernel or loaded at boot.</para>
     </sect2>
+    <sect2 id="mac-policy-bsdextended">
+      <title>File System Firewall Policy (mac_bsdextended)</title>
+      <indexterm>
+	<primary>File System Firewall Policy</primary>
+      </indexterm>
+      <para>Vendor: TrustedBSD Project</para>
+      <para>Module name: mac_bsdextended.ko</para>
+      <para>Kernel option: MAC_BSDEXTENDED</para>
+      <para> The File System Firewall Policy (&man.mac.bsdextended.4;)
+	provides an extension to the BSD file system permission model,
+	permitting the administrator to define a set of firewall-like
+	rules for limiting access to file system objects owned by
+	other users and groups.  Managed using &man.ugidfw.8;, rules
+	may limits access to files and directories based on the uid
+	and gids of the process attempting the access, and the owner
+	and group of the target of the access attempt.  All rules
+	are restrictive, so may be placed in any order.  This policy
+	requires no prior configuration or labeling, and may be
+	appropriate in multi-user environments where mandatory limits
+	on inter-user data exchange are required.  Caution should be
+	exercised in limiting access to files owned by the root or
+	other system user ids, as many useful programs and directories
+	are owned by these users.  As with a network firewall,
+	improper application of file system firewall rules may render
+	the system unusable.  New tools to manage the rule set may be
+	easily written using the &man.libugidfw.3; library.</para>
+    </sect2>
     <sect2 id="mac-policy-ifoff">
       <title>Interface Silencing Policy (mac_ifoff)</title>
       <indexterm>