dg_refmon(2) DG/UX B2 Security R4.12MU02 dg_refmon(2)
NAME
dg_refmon - check the access rights
SYNOPSIS
#include <sys/types.h>
#include <sys/dgtparms.h>
#include <sys/dgaccess.h>
int dg_refmon(cred_p, obj_p, intent, attr_p)
dg_credentials_type * cred_p;
dg_object_attrs_type * obj_p;
dg_access_type intent;
dg_attr_descriptor_type *attr_p;
where:
cred_p Points to a structure containing the subject credentials
to be used for the access check. These credentials do
not necessarily belong to an existing process.
obj_p Points to a structure containing the object security
attributes to be used for the access check. These
attributes are not necessarily associated with an
existing object.
intent Describes the types of access checks being requested.
This parameter is a combination (logical OR) of one or
more of the following values, defined in sys/dgaccess.h:
DGACWRITE Check for write access to the data
contained in the object.
DGACREAD Check for read access to the data
contained in the object.
DGACEXECUTE Check for execute access. This request is
valid only when the object type is TFILE,
and the S_IFMT bits of its mode_t are set
to S_IFREG (i.e., a regular file). The
encoding of the fields of the mode_t type
is given in sys/stat.h.
DGACSEARCH Check for search access. This request is
valid only when the object type is TFILE,
and the S_IFMT bits of its mode_t are set to
S_IFDIR (i.e., a directory type). The
encoding of the fields of the mode_t type
is given in sys/stat.h.
DGACATTRGET Check for read access to the object's
attributes. Since the access checks for
reading the object's data are different
than for reading attributes, this test may
produce different results than DGACREAD,
even when performed for the same object
attributes and subject credentials.
DGACATTRSET Check for write access to the object's
attributes. This option determines
whether a process with the credentials
given by *cred_p can access the object to
change a particular attribute. The type
and value of the attribute are given in
*attr_p. Note that in cases where the
right to change a particular attribute
allows any value of that attribute to be
set, only the type is needed in attr_p and
the attribute pointer must be set to NULL.
Access to data contained in an object is
determined by different access checks than
those used to determine access to the
attributes of the object. Therefore, this
check may produce different results than
DGACWRITE, even when performed for the
same object attributes and subject
credentials.
The access types DGACEXECUTE and DGACSEARCH are
mutually exclusive.
attr_p A pointer to a structure that identifies the type and,
optionally, the value of the attribute referred to when
DGACATTRSET or DGACATTRGET is enabled in intent.
This call will fail when either DGACATTRSET or
DGACATTRGET is enabled in intent and
attr_p->attrtype is invalid or isn't given. The
attribute types are defined in sys/dgaccess.h.
DESCRIPTION
The dg_refmon system call invokes the Reference Monitor to determine
whether a process with the credentials pointed to by cred_p has the
access rights specified in intent to an object with the attributes
pointed to by obj_p.
For the DGACATTRSET queries that specify attributes for which
appropriate privilege is required, the privilege check will be made
in addition to the access check performed by the reference monitor.
The access intents, specified by intent, are tested in an unspecified
order until one is denied, at which time an error is immediately
returned. This call succeeds only if all specified access rights are
granted by the credentials. When the object type does not support a
given access intent, the call fails without testing any supported
intents that may be specified.
All access control attributes that are supported by processes are
required to be in the credentials when the system is configured to
support the attribute type. All object attributes, except MAC
labels, are optional. This call will fail if a required attribute is
missing or invalid.
The dgrunningwith*(3) family of library routines should be used to
determine which attributes are supported by the system. Based on the
supported attributes, *cred_p and *obj_p must be assigned
attributes as follows:
When dgrunningwithmac(3) is true, both a MAC label and a
MAC label range must be present in the credentials. Either
a MAC label or range or both must be present on the
object. When both are present on an object, the MAC label
will govern access and the MAC range will be ignored. The
subject MAC label must be dominated by the subject range
high and must dominate range low.
When dgrunningwithcap(3) is true, a capability state must
be present in the credentials and a required capability set
is optional on the object.
When dgrunningwithacl(3) is true, an extended ACL
is optional on the object.
When an attribute is optional and is not provided, its pointer
must be set to NULL.
The dg_object_attrs_type pointed to by obj_p contains two classes of
attributes: a "standard" set of security attributes and "extended"
security attributes. The standard attributes are the set of user and
group identifiers, and permissions, defined for each object type. The
extended attributes are those, described above, that are present on
the system only when the corresponding dgrunningwith*(3) function
returns true.
The attributes defined in *obj_p will be treated as belonging to one
of the following object types defined in sys/dgtparms.h. The type of
the object that the attributes are to be interpreted as belonging to
is given by obj_p->objtype.
TFILE The object is a generic "file" type with standard
attributes defined by the file member of the stdattrs
union in sys/dgaccess.h. The standard attributes of
this type of object are defined by the file element of
the stdattrs union in dg_object_attrs_type.
TFIFO The object is a fifo or pipe. This class of object is
different from files in that reads are destructive
(the size of the object is reduced by the number of
bytes read). The standard attributes of this type of
object are defined by the file element of the
stdattrs union in dg_object_attrs_type.
TPROC The object is a process, and the standard attributes
are of type cred_t, defined in sys/cred.h.
TMSG The object is a message queue, and the standard
attributes are defined by struct ipc_perm in
sys/ipc.h.
TSHM The object is a shared memory region, and the standard
attributes are defined by struct ipc_perm in
sys/ipc.h.
TSEM The object is a semaphore, and the standard attributes
are defined by struct ipc_perm in sys/ipc.h.
ACCESS CONTROL
When MAC is configured, the MAC label of the calling process must
dominate the labels in *cred_p and *obj_p, or the caller must have
appropriate privilege.
For systems supporting the DG/UX Capability Option, appropriate
privilege is defined as having one or more specific capabilities
enabled in the effective capability set of the calling process. See
capdefaults(5) for the default capability for this system call.
On systems without the DG/UX Capability Option, appropriate privilege
means that the process has an effective UID of 0.
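The two MAC rules on this page, the credential rule in DESCRIPTION (subject label dominated by range high and dominating range low) and the caller rule in ACCESS CONTROL, both rest on label dominance. The following added example, which is not DG/UX code, models them with a constructed label format of a level plus a category bitmask; that format and all m_ names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed label format (an assumption, not the DG/UX encoding):
 * a hierarchical level plus a bitmask of categories. */
struct m_label { int level; uint32_t cats; };
struct m_range { struct m_label low, high; };

/* a dominates b: level at least as high, and every category of b present in a.
 * Two labels can be incomparable, with neither dominating the other. */
bool m_dominates(struct m_label a, struct m_label b)
{
    return a.level >= b.level && (a.cats & b.cats) == b.cats;
}

/* Credential rule: the subject label must be dominated by range high
 * and must dominate range low. */
bool m_cred_mac_ok(struct m_label label, struct m_range r)
{
    return m_dominates(r.high, label) && m_dominates(label, r.low);
}

/* Caller rule: the calling process's label must dominate the labels in
 * both the credentials and the object, unless the caller has appropriate
 * privilege (reduced here to a single flag). */
bool m_caller_may_query(struct m_label caller, struct m_label cred,
                        struct m_label obj, bool privileged)
{
    return privileged ||
           (m_dominates(caller, cred) && m_dominates(caller, obj));
}
```

A numerically higher level alone is not enough: a label that lacks one of the other label's categories does not dominate it.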
RETURN VALUE
1 The call completed successfully, but only because the
credentials have appropriate privilege.
0 The call completed successfully without using privilege.
-1 An error occurred. errno is set to indicate the error.
ERRORS
errno may be set to one of the following error codes:
EACCES The caller does not have read access to the MAC label
in *cred_p and/or in *obj_p.
EACCES The credentials, *cred_p, do not give the requested
access to the attributes *obj_p.
EPERM The credentials, *cred_p, do not have appropriate
privilege to set the requested attribute.
EFAULT The parameter cred_p or obj_p points to an area of
memory not accessible to the calling process.
ENOMEM The operating system was unable to allocate sufficient
internal memory to process the system call.
EINVAL An access intent is specified that is not supported by
the object. For example, DGACEXECUTE is specified and
the type is TMSG.
EINVAL One or more parameter(s) are set to an invalid value,
or DGACATTRSET or DGACATTRGET is enabled in
intent, and a valid attribute type isn't given in
*attr_p.
SEE ALSO
dgaccess(2), access(2), dgrunningwith(3) and capdefaults(5).
Licensed material--property of copyright holder(s)