dg_setomac(2) DG/UX B2 Security R4.12MU02 dg_setomac(2)
NAME
dgsetomac - set the mandatory access control (MAC) label on an
object
SYNOPSIS
#include <sys/types.h>
#include <sys/dgtparms.h>
#include <sys/mac.h>
int dgsetomac(targtype, targ, label, labsize, textmac, textmacsize)
int targtype;
const void *targ;
maclabelstructt *label;
int labsize;
char *textmac;
int textmacsize;
where:
targtype A token that identifies the type of object whose MAC
label is to be set. The available tokens are defined in
sys/dgtparms.h as follows:
TPROC The object is an existing process on the
system.
TFILE The object is a file identified by a pathname.
TFD The object is a file, socket or pipe identified
by a descriptor.
TSYMLINK
The object is a symbolic link identified by a
pathname.
TMSG The object is a message queue identified by a
messsage queue identifier.
TSHM The object is a shared memory segment
identified by a memory segment identifier.
TSEM The object is a semaphore identified by a
semaphore set identifier.
targ The address of the identifier of the object whose MAC
label is to be set. The value of targtype determines
the type of entity that targ points to as follows:
TPROC targ points to a process id (type pidt).
TFILE targ points to a pathname string.
TFD targ points to a file, socket or pipe
descriptor.
TSYMLINK
targ points to a pathname string.
TMSG targ points to a message queue identifier.
TSHM targ points to shared memory segment
identifier.
TSEM targ points to a semaphore set identifier.
label The address of a maclabelstructt structure that
contains the valid MAC label being set on the object.
labsize The size in bytes of the binary MAC label structure.
textmac A pointer to the optional ASCII text version of the
binary MAC label. If no text MAC label is being set, the
textmacsize parameter must be set to zero, and textmac is
not dereferenced.
Note that there is no assurance that the binary MAC label
stored with the object would match the binary MAC label
generated by converting the ASCII text MAC label to
binary. Only the binary MAC label is used by the
reference monitor for access control decisions.
textmacsize The size in bytes of the text MAC label. If this
parameter is zero (0), dgsetomac assumes that there is
no text MAC label to be set.
The labsize, textmac, and textmacsize parameters are currently
ignored.
DESCRIPTION
The dgsetomac system call sets the MAC label for the object
identified by targtype and targ to the label pointed to by label.
dgsetomac will fail if the target is a hidden directory.
If the object is a directory, this call converts the labels of the
directory's children, with implicit labels, to explicit labels before
changing the directory. Therefore, any child whose MAC label is
implicit will have its label converted to an explicit label.
ACCESS CONTROL
To set the MAC label of an object, a process must have MAC read/write
access to the object and must have appropriate privilege.
For systems supporting the DG/UX Capability Option, appropriate
privilege is defined as having one or more specific capabilities
enabled in the effective capability set of the calling process. See
capdefaults(5) for the default capability for this system call. On
systems without the DG/UX Capability Option, appropriate privilege
means that the process has an effective UID of root. See the
appropriateprivilege(5) man page for more information.
To set the MAC label of a process, the label cannot be in the Virus
Protection region; The MAC label can be a label in the
Administrative region for which the process does not have write
access. Otherwise if the MAC label is in the User region the label
must be within the process MAC range and the process must have write
access to the new label.
To set the MAC label of a non-process object, a process must have MAC
write access to the new label.
Refer to Managing Security on the DG/UX System for more information
on MAC regions.
RETURN VALUE
0 Successful completion.
-1 An error occurred. errno is set to indicate the error.
EXCEPTIONS
Errno may be set to one of the following error codes:
EINVAL Invalid parameter passed.
EPERM The caller does not have appropriate privilege.
ENOENT The target object was not found.
EROFS The file resides on a read-only file system.
ENAMETOOLONG A component of the pathname pointed at by targ exceeds
the length limit for filenames.
EFAULT The label parameter specified an area of memory not
accessible to the calling process.
ENOMEM The operating system was unable to allocate internal
memory to process the system call.
EOPNOTSUPP The target type targtype does not support a MAC label.
EACCES The caller does not have read/ write access to the
object or does not have write access to the new label.
ENOSYS MAC is not configured on the system.
EBUSY The file object named by path is currently in use by
another process.
SEE ALSO
dggetomac(2), dggetorange(2), dgsetorange(2), dgsetomaconly(2),
dgsettmpomac(2), dgcvttoimplicit(2), capdefaults(5),
macdefs(5).
NOTES
If dgsetorange is used to set a MAC range on any object other than a
directory or device type, the MAC label will be removed. Setting a
MAC range on a directory or device will not remove its MAC label.
Licensed material--property of copyright holder(s)