dg_mac_access(2) DG/UX B2 Security R4.12MU02 dg_mac_access(2)
NAME
dgmacaccess - check mandatory access control (MAC) access rights to
an object
SYNOPSIS
#include <sys/types.h>
#include <sys/dgtparms.h>
#include <sys/mac.h>
int dgmacaccess(targtype, targ, intent, label, labsize)
int targtype;
void *targ;
int intent;
maclabelstructt *label;
int labsize;
where:
targtype A token that identifies the type of object to which MAC
access rights are being checked. The available tokens are
defined in sys/dgtparms.h as follows:
TFILE The object is a file identified by a pathname.
TFD The object is a file identified by a file
descriptor.
targ The address of the identifier of the object to which MAC
access rights are being checked. The value of targtype
determines the type of entity that targ points to as
follows:
TFILE targ points to a pathname string.
TFD targ points to a file descriptor.
intent The intended access to the object. These values are
defined in sys/fcntl.h. The values allowed are:
ORDONLY Read only access
OWRONLY Write only access
ORDWR Read/write access
label The address of a maclabelstructt structure containing
the MAC label of the subject whose MAC access rights are
being determined.
labsize The size in bytes of the MAC label structure. The labsize
parameter is currently ignored.
DESCRIPTION
The dgmacaccess system call is used to determine the MAC access
rights to the object specified by targtype and targ, by a
hypothetical subject with the MAC label specified in label. The
hypothetical subject is assumed to have no privileges when
determining the MAC access rights, but the calling process's
privileges are considered when attempting to determine the governing
MAC label or range of the object.
ACCESS CONTROL
The calling process must have appropriate privilege.
For systems supporting the DG/UX Capability Option, appropriate
privilege is defined as having one or more specific capabilities
enabled in the effective capability set of the calling process. See
capdefaults(5) for the default capability for this system call. On
systems without the DG/UX Capability Option, appropriate privilege
means that the process has an effective UID of root. See the
appropriateprivilege(5) man page for more information.
RETURN VALUE
0 Successful completion
-1 An error occurred. errno is set to indicate the error.
ERRORS
Errno may be set to one of the following error codes:
ENOENT The caller does not have MAC read access to the object
if governed by a MAC label, or does not have read or
write MAC access if governed by a MAC range, or the
file does not exist.
ENAMETOOLONG If targtype is TFILE, a component of the pathname
pointed at by targ exceeds the length limit for
filenames.
EFAULT The range parameter specified as area of memory not
accessible to the calling process.
ENOMEM The operating system was unable to allocate sufficient
internal memory to process the system call.
EINVAL Invalid parameter passed.
EOPNOTSUPP This operation is not supported for the targtype or
object passed.
ENOSYS MAC is not configured on the system.
SEE ALSO
access(2), capdefaults(5).
NOTES
The access(2) system call checks all types of access, including DAC.
dgmacaccess should be called when only the MAC access rights are
desired. MAC access alone does not guarantee that the object can be
accessed.
Licensed material--property of copyright holder(s)