Museum

Home

Lab Overview

Retrotechnology Articles

Online Manuals

⇒ dg_setomac(2) — DG/UX R4.11MU05

Media Vault

Software Library

Restoration Projects

Artifacts Sought



dg_setomac(2)            DG/UX B2 Security R4.12MU02           dg_setomac(2)


NAME
       dgsetomac - set the mandatory access control (MAC) label on an
       object

SYNOPSIS
       #include <sys/types.h>
       #include <sys/dgtparms.h>
       #include <sys/mac.h>

       int dgsetomac(targtype, targ, label, labsize, textmac, textmacsize)
       int    targtype;
       const void    *targ;
       maclabelstructt *label;
       int    labsize;
       char   *textmac;
       int    textmacsize;

   where:
       targtype   A token that identifies the type of object whose MAC
                   label is to be set.  The available tokens are defined in
                   sys/dgtparms.h as follows:
                     TPROC  The object is an existing process on the
                             system.
                     TFILE  The object is a file identified by a pathname.
                     TFD    The object is a file, socket or pipe identified
                             by a descriptor.
                     TSYMLINK
                             The object is a symbolic link identified by a
                             pathname.
                     TMSG   The object is a message queue identified by a
                             messsage queue identifier.
                     TSHM   The object is a shared memory segment
                             identified by a memory segment identifier.
                     TSEM   The object is a semaphore identified by a
                             semaphore set identifier.

       targ        The address of the identifier of the object whose MAC
                   label is to be set.  The value of targtype determines
                   the type of entity that targ points to as follows:
                     TPROC  targ points to a process id (type pidt).
                     TFILE  targ points to a pathname string.
                     TFD    targ points to a file, socket or pipe
                             descriptor.
                     TSYMLINK
                             targ points to a pathname string.
                     TMSG   targ points to a message queue identifier.
                     TSHM   targ points to shared memory segment
                             identifier.
                     TSEM   targ points to a semaphore set identifier.

       label       The address of a maclabelstructt structure that
                   contains the valid MAC label being set on the object.

       labsize     The size in bytes of the binary MAC label structure.

       textmac     A pointer to the optional ASCII text version of the
                   binary MAC label.  If no text MAC label is being set, the
                   textmacsize parameter must be set to zero, and textmac is
                   not dereferenced.

                   Note that there is no assurance that the binary MAC label
                   stored with the object would match the binary MAC label
                   generated by converting the ASCII text MAC label to
                   binary.  Only the binary MAC label is used by the
                   reference monitor for access control decisions.

       textmacsize The size in bytes of the text MAC label.  If this
                   parameter is zero (0), dgsetomac assumes that there is
                   no text MAC label to be set.

       The labsize, textmac, and textmacsize parameters are currently
       ignored.

DESCRIPTION
       The dgsetomac system call sets the MAC label for the object
       identified by targtype and targ to the label pointed to by label.
       dgsetomac will fail if the target is a hidden directory.

       If the object is a directory, this call converts the labels of the
       directory's children, with implicit labels, to explicit labels before
       changing the directory. Therefore, any child whose MAC label is
       implicit will have its label converted to an explicit label.

ACCESS CONTROL
       To set the MAC label of an object, a process must have MAC read/write
       access to the object and must have appropriate privilege.

       For systems supporting the DG/UX Capability Option, appropriate
       privilege is defined as having one or more specific capabilities
       enabled in the effective capability set of the calling process.  See
       capdefaults(5) for the default capability for this system call.  On
       systems without the DG/UX Capability Option, appropriate privilege
       means that the process has an effective UID of root. See the
       appropriateprivilege(5) man page for more information.

       To set the MAC label of a process, the label cannot be in the Virus
       Protection region;  The MAC label can be a label in the
       Administrative region for which the process does not have write
       access.  Otherwise if the MAC label is in the User region the label
       must be within the process MAC range and the process must have write
       access to the new label.

       To set the MAC label of a non-process object, a process must have MAC
       write access to the new label.

       Refer to Managing Security on the DG/UX System for more information
       on MAC regions.

RETURN VALUE
       0      Successful completion.

       -1     An error occurred.  errno is set to indicate the error.

EXCEPTIONS
       Errno may be set to one of the following error codes:

       EINVAL        Invalid parameter passed.

       EPERM         The caller does not have appropriate privilege.

       ENOENT        The target object was not found.

       EROFS         The file resides on a read-only file system.

       ENAMETOOLONG  A component of the pathname pointed at by targ exceeds
                     the length limit for filenames.

       EFAULT        The label parameter specified an area of memory not
                     accessible to the calling process.

       ENOMEM        The operating system was unable to allocate internal
                     memory to process the system call.

       EOPNOTSUPP    The target type targtype does not support a MAC label.

       EACCES        The caller does not have read/ write access to the
                     object or does not have write access to the new label.

       ENOSYS        MAC is not configured on the system.

       EBUSY         The file object named by path is currently in use by
                     another process.

SEE ALSO
       dggetomac(2), dggetorange(2), dgsetorange(2), dgsetomaconly(2),
       dgsettmpomac(2), dgcvttoimplicit(2), capdefaults(5),
       macdefs(5).

NOTES
       If dgsetorange is used to set a MAC range on any object other than a
       directory or device type, the MAC label will be removed.  Setting a
       MAC range on a directory or device  will not remove its MAC label.


Licensed material--property of copyright holder(s)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026