dg_setorange(2) DG/UX B2 Security R4.12MU02 dg_setorange(2)
NAME
dg_setorange - set the mandatory access control (MAC) range of an
object
SYNOPSIS
#include <sys/types.h>
#include <sys/dgtparms.h>
#include <sys/mac.h>
int dg_setorange(targtype, targ, range, rangesize, textrange,
                 textrangesize)
int targtype;
const void *targ;
macrangestructt *range;
int rangesize;
char *textrange;
int textrangesize;
where:
targtype       A token that identifies the type of object whose MAC
               range is set. The available tokens are defined in
               sys/dgtparms.h as follows:
               TPROC   The object is an existing process on the
                       system.
               TFILE   The object is a file identified by a
                       pathname.
               TFD     The object is a file, socket or pipe
                       identified by a descriptor.
               TMSG    The object is a message queue identified by
                       a message queue identifier.
               TSHM    The object is a shared memory segment
                       identified by a shared memory segment
                       identifier.
               TSEM    The object is a semaphore identified by a
                       semaphore set identifier.
targ           The address of the identifier of the object whose MAC
               range is to be set. The targtype parameter values
               are defined in sys/tparms.h. The value of targtype
               determines the type of entity that targ points to as
               follows:
               TPROC   targ points to a process id (type pid_t).
               TFILE   targ points to a pathname string.
               TFD     targ points to a file, socket or pipe
                       descriptor.
               TMSG    targ points to a message queue identifier.
               TSHM    targ points to a shared memory segment
                       identifier.
               TSEM    targ points to a semaphore set identifier.
range          The address of a macrangestructt that contains the
               valid MAC range being set on the object.
rangesize      An integer containing the size in bytes of the MAC
               range structure.
textrange      Currently unused. This should be a NULL pointer.
textrangesize  Currently unused. This should be zero.
DESCRIPTION
This interface is obsolete, but is retained for compatibility with
existing applications. New applications should use dgsettuple
instead. The dg_setorange system call converts the
macrangestructt structure pointed to by range into a MAC range
tuple and sets this tuple on the object identified by targtype and
targ. The conversion process splits the range between the various MAC
regions, if necessary.
Note that if the target of dg_setorange is not a directory, then any
MAC label on the target will be removed.
ACCESS CONTROL
To set the MAC range of an object, a process must have MAC read/write
access to the object and must have MAC write access to the entire
range being set. In addition to this, the process must have
appropriate privilege.
For systems supporting the DG/UX Capability Option, appropriate
privilege is defined as having one or more specific capabilities
enabled in the effective capability set of the calling process. See
capdefaults(5) for the default capability for this system call. On
systems without the DG/UX Capability Option, appropriate privilege
means that the process has an effective UID of root. See the
appropriateprivilege(5) man page for more information.
When setting a MAC range on a process, the new MAC range (tuple) must
include the MAC label of the process and can be no larger than the
existing MAC range tuple on the process.
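The process rule above, written out as an added example that is not DG/UX code. It assumes a label is a hierarchy level plus a category bitmask (the page does not describe the label layout, and MAC regions are not modeled); every type and function name here is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical label model (assumption, not the DG/UX representation):
 * a hierarchy level plus a bitmask of categories. */
typedef struct { int level; uint32_t cats; } label_t;
typedef struct { label_t lo, hi; } range_t;

/* a dominates b: a's level is at least b's and a holds every category of b. */
static bool dominates(label_t a, label_t b) {
    return a.level >= b.level && (a.cats & b.cats) == b.cats;
}

/* A range is well formed when its upper bound dominates its lower bound. */
static bool range_valid(range_t r) { return dominates(r.hi, r.lo); }

/* Label l lies inside range r: lo <= l <= hi in the dominance order. */
static bool range_includes(range_t r, label_t l) {
    return dominates(l, r.lo) && dominates(r.hi, l);
}

/* inner is no larger than outer: both of its bounds lie inside outer. */
static bool range_within(range_t inner, range_t outer) {
    return range_includes(outer, inner.lo) && range_includes(outer, inner.hi);
}

/* Rule for process targets: the new range must include the process's
 * own MAC label and must not extend beyond the range it already has. */
bool proc_range_allowed(range_t cur, label_t proc_label, range_t new_range) {
    return range_valid(new_range)
        && range_includes(new_range, proc_label)
        && range_within(new_range, cur);
}

int main(void) {
    /* Constructed sample values. */
    range_t cur      = { {1, 0x0}, {3, 0x7} };
    label_t label    = { 2, 0x1 };
    range_t narrower = { {1, 0x0}, {2, 0x3} };  /* inside cur, holds label */
    range_t excludes = { {1, 0x0}, {1, 0x7} };  /* upper bound below label */
    range_t wider    = { {0, 0x0}, {3, 0x7} };  /* lower bound below cur   */
    printf("narrower: %d\n", proc_range_allowed(cur, label, narrower));
    printf("excludes: %d\n", proc_range_allowed(cur, label, excludes));
    printf("wider:    %d\n", proc_range_allowed(cur, label, wider));
    return 0;
}
```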
RETURN VALUE
0 Successful completion.
-1 An error occurred. errno is set to indicate the error.
ERRORS
Errno may be set to one of the following error codes:
EPERM          The caller does not have appropriate privilege.
EACCES         The caller does not have the required access rights to
               the object.
ENOENT         The object does not exist.
ENAMETOOLONG   A component of the pathname pointed at by targ exceeds
               the length limit for filenames.
EFAULT         The range parameter specified an area of memory not
               accessible to the calling process.
ENOMEM         The operating system was unable to allocate sufficient
               internal memory to process the system call.
EINVAL         Invalid parameter passed.
EOPNOTSUPP     This operation is not supported on the targtype or
               object passed.
ENOSYS         MAC is not configured on the system.
EBUSY          The file object named by path is currently in use by
               another process.
SEE ALSO
gettuple(1), settuple(1M), dggetorange(2), dgsettmpomac(2),
dggettuple(2), dgsettuple(2), dggetomac(2), dgsetomac(2),
capdefaults(5), macdef(5).
NOTES
Setting a MAC range that does not include any portion of the
Virus Prevention region on a process will likely deny the process any
further access to the filesystem, including system executables.
Licensed material--property of copyright holder(s)