⇒ dg_mac_access(2) — DG/UX R4.11MU05


dg_mac_access(2)         DG/UX B2 Security R4.12MU02        dg_mac_access(2)


NAME
       dg_mac_access - check mandatory access control (MAC) access rights to
       an object

SYNOPSIS
       #include <sys/types.h>
       #include <sys/dgtparms.h>
       #include <sys/mac.h>
       int  dg_mac_access(targtype, targ, intent, label, labsize)
       int  targtype;
       void *targ;
       int  intent;
       maclabelstructt *label;
       int  labsize;

   where:
       targtype  A token that identifies the type of object to which MAC
                  access rights are being checked.  The available tokens are
                  defined in sys/dgtparms.h as follows:
                     TFILE  The object is a file identified by a pathname.
                     TFD    The object is a file identified by a file
                             descriptor.

       targ       The address of the identifier of the object to which MAC
                  access rights are being checked.  The value of targtype
                  determines the type of entity that targ points to as
                  follows:
                     TFILE  targ points to a pathname string.
                     TFD    targ points to a file descriptor.

       intent     The intended access to the object.  These values are
                  defined in sys/fcntl.h.  The values allowed are:
                     O_RDONLY  Read only access
                     O_WRONLY  Write only access
                     O_RDWR    Read/write access

       label      The address of a maclabelstructt structure containing
                  the MAC label of the subject whose MAC access rights are
                  being determined.

       labsize    The size in bytes of the MAC label structure.  The labsize
                  parameter is currently ignored.

DESCRIPTION
       The dg_mac_access system call is used to determine the MAC access
       rights to the object specified by targtype and targ, by a
       hypothetical subject with the MAC label specified in label.  The
       hypothetical subject is assumed to have no privileges when
       determining the MAC access rights, but the calling process's
       privileges are considered when attempting to determine the governing
       MAC label or range of the object.

ACCESS CONTROL
       The calling process must have appropriate privilege.

       For systems supporting the DG/UX Capability Option, appropriate
       privilege is defined as having one or more specific capabilities
       enabled in the effective capability set of the calling process.  See
       capdefaults(5) for the default capability for this system call.  On
       systems without the DG/UX Capability Option, appropriate privilege
       means that the process has an effective UID of root. See the
       appropriateprivilege(5) man page for more information.

RETURN VALUE
       0      Successful completion

       -1     An error occurred.  errno is set to indicate the error.

ERRORS
       Errno may be set to one of the following error codes:

       ENOENT        The caller does not have MAC read access to the object
                     if governed by a MAC label, or does not have read or
                     write MAC access if governed by a MAC range, or the
                     file does not exist.

       ENAMETOOLONG  If targtype is TFILE, a component of the pathname
                     pointed at by targ exceeds the length limit for
                     filenames.

       EFAULT        The range parameter specified an area of memory not
                     accessible to the calling process.

       ENOMEM        The operating system was unable to allocate sufficient
                     internal memory to process the system call.

       EINVAL        Invalid parameter passed.

       EOPNOTSUPP    This operation is not supported for the targtype or
                     object passed.

       ENOSYS        MAC is not configured on the system.

SEE ALSO
       access(2), capdefaults(5).

NOTES
       The access(2) system call checks all types of access, including DAC.
       dg_mac_access should be called when only the MAC access rights are
       desired.  MAC access alone does not guarantee that the object can be
       accessed.


Licensed material--property of copyright holder(s)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026