dg_refmon(2)             DG/UX B2 Security R4.12MU02            dg_refmon(2)


NAME
       dg_refmon - check the access rights

SYNOPSIS
       #include <sys/types.h>
       #include <sys/dgtparms.h>
       #include <sys/dgaccess.h>

       int  dg_refmon(cred_p, obj_p, intent, attr_p)
              dg_credentials_type * cred_p;
              dg_object_attrs_type     * obj_p;
              dg_access_type        intent;
              dg_attr_descriptor_type *attr_p;

       where:
       cred_p      Points to a structure containing the subject credentials
                   to be used for the access check.  These credentials do
                   not necessarily belong to an existing process.
       obj_p       Points to a structure containing the object security
                   attributes to be used for the access check.  These
                   attributes are not necessarily associated with an
                   existing object.
       intent      Describes the types of access checks being requested.
                   This parameter is a combination (logical OR) of one or
                   more of the following values, defined in sys/dgaccess.h:
                   DGACWRITE    Check for write access to the data
                                  contained in the object.
                   DGACREAD     Check for read access to the data
                                  contained in the object.
                   DGACEXECUTE  Check for execute access. This request is
                                  valid only when the object type is TFILE,
                                  and the S_IFMT bits of its mode_t are set
                                  to S_IFREG (i.e., a regular file).  The
                                  encoding of the fields of the mode_t type
                                  is given in sys/stat.h.
                   DGACSEARCH   Check for search access. This request is
                                  valid only when the object type is TFILE,
                                  and the S_IFMT bits of its mode_t are set
                                  to S_IFDIR (i.e., a directory).  The
                                  encoding of the fields of the mode_t type
                                  is given in sys/stat.h.
                   DGACATTRGET Check for read access to the object's
                                  attributes.  Since the access checks for
                                  reading the object's data are different
                                  than for reading attributes, this test may
                                  produce different results than DGACREAD,
                                  even when performed for the same object
                                  attributes and subject credentials.
                   DGACATTRSET Check for write access to the object's
                                  attributes.  This option determines
                                  whether a process with the credentials
                                  given by *cred_p can access the object to
                                  change a particular attribute.  The type
                                  and value of the attribute are given in
                                  *attr_p.  Note that in cases where the
                                  right to change a particular attribute
                                  allows any value of that attribute to be
                                  set, only the type is needed in attr_p and
                                  the attribute pointer must be set to NULL.
                                  Access to data contained in an object is
                                  determined by different access checks than
                                  those used to determine access to the
                                  attributes of the object.  Therefore, this
                                  check may produce different results than
                                  DGACWRITE, even when performed for the
                                  same object attributes and subject
                                  credentials.
                   The access types DGACEXECUTE and DGACSEARCH are
                   mutually exclusive.
       attr_p      A pointer to a structure that identifies the type and,
                   optionally, the value of the attribute referred to when
                   DGACATTRSET or DGACATTRGET is enabled in intent.
                   This call will fail when either DGACATTRSET or
                   DGACATTRGET is enabled in intent and
                   attr_p->attrtype is invalid or isn't given.  The
                   attribute types are defined in sys/dgaccess.h.

DESCRIPTION
       The dg_refmon system call invokes the Reference Monitor to determine
       if a process with the credentials pointed to by cred_p has the access
       rights specified in intent to an object with the attributes pointed
       to by obj_p.

       For the DGACATTRSET queries that specify attributes for which
       appropriate privilege is required, the privilege check will be made
       in addition to the access check performed by the reference monitor.

       The access intents, specified by intent, are tested in an unspecified
       order until one is denied, at which time an error is immediately
       returned.  This call succeeds only if all specified access rights are
       granted by the credentials. When the object type does not support a
       given access intent, the call fails without testing any supported
       intents that may be specified.

       All access control attributes that are supported by processes are
       required to be in the credentials when the system is configured to
       support the attribute type.  All object attributes, except MAC
       labels, are optional.  This call will fail if a required attribute is
       missing or invalid.

       The dgrunningwith*(3) family of library routines should be used to
       determine which attributes are supported by the system. Based on the
       supported attributes, *cred_p and *obj_p must be assigned
       attributes as follows:


              When dgrunningwithmac(3) is true, both a MAC label and a
                  MAC label range must be present in the credentials. Either
                  a MAC label or range or both must be present on the
                  object. When both are present on an object, the MAC label
                  will govern access and the MAC range will be ignored.  The
                  subject MAC label must be dominated by the subject range
                  high and must dominate range low.


              When dgrunningwithcap(3) is true, a capability state must
                  be present in the credentials and a required capability
                  set is optional on the object.


              When dgrunningwithacl(3) is true, an extended ACL
                  is optional on the object.


              When an attribute is optional and is not provided, its pointer
                  must be set to NULL.

       The dg_object_attrs_type pointed to by obj_p contains two classes of
       attributes:  a "standard" set of security attributes and "extended"
       security attributes. The standard attributes are the set of user and
       group identifiers, and permissions, defined for each object type. The
       extended attributes are those, described above, that are present on
       the system only when the corresponding dgrunningwith*(3) function
       returns true.

       The attributes defined in *obj_p will be treated as belonging to one
       of the following object types defined in sys/dgtparms.h. The object
       type that the attributes are interpreted as belonging to is given by
       obj_p->objtype.

              TFILE  The object is a generic "file" type with standard
                      attributes defined by the file member of the stdattrs
                      union in sys/dgaccess.h.  The standard attributes of
                      this type of object are defined by the file element of
                      the stdattrs union in dg_object_attrs_type.

              TFIFO  The object is a fifo or pipe. This class of object is
                      different from files in that reads are destructive
                      (the size of the object is reduced by the number of
                      bytes read).  The standard attributes of this type of
                      object are defined by the file element of the
                      stdattrs union in dg_object_attrs_type.

              TPROC  The object is a process, and the standard attributes
                      are of type cred_t, defined in sys/cred.h.

              TMSG   The object is a message queue, and the standard
                      attributes are defined by struct ipc_perm in
                      sys/ipc.h.

              TSHM   The object is a shared memory region, and the standard
                      attributes are defined by struct ipc_perm in
                      sys/ipc.h.

              TSEM   The object is a semaphore, and the standard attributes
                      are defined by struct ipc_perm in sys/ipc.h.

ACCESS CONTROL
       When MAC is configured, the MAC label of the calling process must
       dominate the labels in *cred_p and *obj_p, or the caller must have
       appropriate privilege.

       For systems supporting the DG/UX Capability Option, appropriate
       privilege is defined as having one or more specific capabilities
       enabled in the effective capability set of the calling process.  See
       capdefaults(5) for the default capability for this system call.

       On systems without the DG/UX Capability Option, appropriate privilege
       means that the process has an effective UID of 0.

RETURN VALUE
       1      The call completed successfully, but only because the
              credentials have appropriate privilege.

       0      The call completed successfully without using privilege.

       -1     An error occurred.  errno is set to indicate the error.

ERRORS
       errno may be set to one of the following error codes:

       EACCES        The caller does not have read access to the MAC label
                     in *cred_p and/or in *obj_p.

       EACCES        The credentials, *cred_p, do not give the requested
                     access to the attributes *obj_p.

       EPERM         The credentials, *cred_p, do not have appropriate
                     privilege to set the requested attribute.

       EFAULT        The parameter cred_p or obj_p points to an area of
                     memory not accessible to the calling process.

       ENOMEM        The operating system was unable to allocate sufficient
                     internal memory to process the system call.

       EINVAL        An access intent is specified that is not supported by
                     the object. For example, DGACEXECUTE is specified and
                     the type is TMSG.

       EINVAL        One or more parameter(s) are set to an invalid value,
                     or DGACATTRSET or DGACATTRGET is enabled in
                     intent, and a valid attribute type isn't given in
                     *attr_p.

SEE ALSO
       dgaccess(2), access(2), dgrunningwith(3) and capdefaults(5).



Licensed material--property of copyright holder(s)