
⇒ dg_settmpomac(2) — DG/UX R4.11MU05




dg_settmpomac(2)         DG/UX B2 Security R4.12MU02        dg_settmpomac(2)


NAME
       dg_settmpomac - temporarily set object's mandatory access control
       (MAC) label

SYNOPSIS
       #include <sys/types.h>
       #include <sys/dgtparms.h>
       #include <sys/mac.h>

       int  dg_settmpomac(targtype, targ, label, labsize)
       int  targtype;
       const void     *targ;
       maclabelstructt *label;
       int  labsize;

   where:
       targtype  A token that identifies the type of object whose MAC label
                  is to be temporarily set.  The available tokens are
                  defined in sys/dgtparms.h as follows:
                     TFILE  The object is a device identified by a
                             pathname.
                     TFD    The object is a device identified by a file
                             descriptor.

       targ       The address of the identifier of the object whose MAC
                  label is to be temporarily set.  The value of targtype
                  determines the type of entity that targ points to as
                  follows:
                     TFILE  targ points to a pathname string.
                     TFD    targ points to a file descriptor.

       label      The address of a maclabelstructt structure that
                  contains the valid MAC label to be temporarily set on the
                  object.

       labsize    An integer containing the size in bytes of the MAC label
                  structure.  The labsize parameter is currently ignored.

DESCRIPTION
       The dg_settmpomac system call is used to set a temporary MAC label on
       a device that is governed by a MAC range. This call does not support
       non-device objects (e.g., regular files, directories, IPC objects).
       Once the temporary MAC label is set, the system treats the object as
       it would an object with a normal (or "permanent") MAC label, in that
       the temporary MAC label would govern access to the object, blocking
       the MAC range.  However, when the number of processes referencing the
       object again falls to zero, the temporary MAC label is removed, and
       the object is again governed by the MAC range.

ACCESS CONTROL
       The object must be governed by a MAC range (i.e., a dggetomac call
       will return a label with type MACTYPENOLABEL), and the calling
       process must have appropriate privilege.

       For systems supporting the DG/UX Capability Option, appropriate
       privilege is defined as having one or more specific capabilities
       enabled in the effective capability set of the calling process.  See
       capdefaults(5) for the default capability for this system call.  On
       systems without the DG/UX Capability Option, appropriate privilege
       means that the process has an effective UID of root. See the
       appropriateprivilege(5) man page for more information.

       To set the MAC label of an object, the process must have MAC write
       access to the new label. The process must also have MAC read access
       to the file's parent directory, and have search access to the file's
       parent directory path.

RETURN VALUE
       0      Successful completion

       -1     An error occurred.  The errno variable is set to indicate the
              error.

ERRORS
       The errno variable may be set to one of the following error codes:

       EPERM         The caller does not have appropriate privilege.

       ENOENT        The file does not exist.

       ENAMETOOLONG  If targtype is TFILE, a component of the pathname
                     pointed at by targ exceeds the length limit for
                     filenames.

       EFAULT        The label parameter specified an area of memory not
                     accessible to the calling process.

       ENOMEM        The operating system was unable to allocate sufficient
                     internal memory to process the system call.

       EINVAL        The file is not governed by a MAC range, or an invalid
                     parameter was passed, or the label to be set is outside
                     the MAC range of the object.

       EOPNOTSUPP    This operation is not supported for the given object.

       ENOSYS        MAC is not configured in the system.

       EACCES        The caller does not have read/write access to the
                     object or does not have MAC write access to the new
                     label.

       EBUSY         The file object named by path is currently in use by
                     another process.
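
       The lifecycle and error cases above, as a toy model in portable C.
       This is an added example, not DG/UX source and not a call to the
       real system call. Assumptions: labels are plain integer levels,
       access is exact label equality, refs counts other processes, and all
       model_* names are hypothetical.

```c
/* Toy model of the temporary-label lifecycle; not DG/UX code. Labels are
 * constructed integer levels and every name here is hypothetical. */
#include <errno.h>
#include <stdio.h>

typedef struct {
    int has_range;   /* device is governed by a MAC range */
    int lo, hi;      /* range bounds (constructed levels) */
    int has_tmp;     /* a temporary label is in force */
    int tmp;         /* the temporary label */
    int refs;        /* other processes currently referencing the device */
} model_dev;

/* Documented failure cases: EPERM, EINVAL, EBUSY. Check order is assumed. */
int model_settmp(model_dev *d, int privileged, int label) {
    if (!privileged) { errno = EPERM; return -1; }
    /* Assumed: a device already carrying a temporary label no longer
     * counts as range-governed, so a second set fails with EINVAL. */
    if (!d->has_range || d->has_tmp) { errno = EINVAL; return -1; }
    if (label < d->lo || label > d->hi) { errno = EINVAL; return -1; }
    if (d->refs > 0) { errno = EBUSY; return -1; }
    d->has_tmp = 1;
    d->tmp = label;
    return 0;
}

/* The temporary label, while set, blocks the range (equality is assumed). */
int model_open(model_dev *d, int proc_label) {
    int ok = d->has_tmp ? (proc_label == d->tmp)
        : (d->has_range && proc_label >= d->lo && proc_label <= d->hi);
    if (!ok) { errno = EACCES; return -1; }
    d->refs++;
    return 0;
}

/* Last reference gone: the temporary label is dropped, the range returns. */
void model_close(model_dev *d) {
    if (d->refs > 0 && --d->refs == 0) d->has_tmp = 0;
}

int main(void) {
    model_dev tty = { 1, 2, 5, 0, 0, 0 };   /* constructed device, range 2..5 */
    printf("set 3: %d\n", model_settmp(&tty, 1, 3));
    printf("open at 4: %d\n", model_open(&tty, 4));
    printf("open at 3: %d\n", model_open(&tty, 3));
    model_close(&tty);
    printf("open at 4 after last close: %d\n", model_open(&tty, 4));
    return 0;
}
```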

SEE ALSO
       setmac(1M), dgsetomac(2), dgsetorange(2), dgsetomaconly(2),
       dggetomac(2), capdefaults(5), macdefs(5).


Licensed material--property of copyright holder(s)
