dg_settmpomac(2) DG/UX B2 Security R4.12MU02 dg_settmpomac(2)
NAME
dg_settmpomac - temporarily set object's mandatory access control
(MAC) label
SYNOPSIS
#include <sys/types.h>
#include <sys/dgtparms.h>
#include <sys/mac.h>
int dg_settmpomac(targtype, targ, label, labsize)
int targtype;
const void *targ;
maclabelstructt *label;
int labsize;
where:
targtype A token that identifies the type of object whose MAC label
is to be temporarily set. The available tokens are
defined in sys/dgtparms.h as follows:
TFILE The object is a device identified by a
pathname.
TFD The object is a device identified by a file
descriptor.
targ The address of the identifier of the object whose MAC
label is to be temporarily set. The value of targtype
determines the type of entity that targ points to as
follows:
TFILE targ points to a pathname string.
TFD targ points to a file descriptor.
label The address of a maclabelstructt structure that
contains the valid MAC label to be temporarily set on the
object.
labsize An integer containing the size in bytes of the MAC label
structure. The labsize parameter is currently ignored.
DESCRIPTION
The dg_settmpomac system call is used to set a temporary MAC label on
a device that is governed by a MAC range. This call does not support
non-device objects (e.g., regular files, directories, IPC objects).
Once the temporary MAC label is set, the system treats the object as
it would an object with a normal (or "permanent") MAC label, in that
the temporary MAC label would govern access to the object, blocking
the MAC range. However, when the number of processes referencing the
object again falls to zero, the temporary MAC label is removed, and
the object is again governed by the MAC range.
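The lifecycle described above, modeled as a small C program. This is an added example, not DG/UX code: it does not call the real system call, and the struct, the model_* function names, the single-integer label and the simplified access rule are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
/* Constructed model, not DG/UX code. Assumption: a MAC label is one
 * integer level and "in range" means lo <= label <= hi. */
struct device {
    int lo, hi;        /* MAC range that normally governs the device */
    int has_tmp, tmp;  /* temporary label, and whether one is in force */
    int refs;          /* number of processes referencing the device */
};

/* Set a temporary label; a label outside the range is rejected (EINVAL). */
int model_settmp(struct device *d, int label)
{
    if (label < d->lo || label > d->hi) {
        errno = EINVAL;
        return -1;
    }
    d->has_tmp = 1;
    d->tmp = label;
    return 0;
}

void model_open(struct device *d) { d->refs++; }
/* Last close: references fall to zero, so the temporary label is removed. */
void model_close(struct device *d)
{
    if (d->refs > 0 && --d->refs == 0)
        d->has_tmp = 0;
}

/* Simplified access decision (assumption): with a temporary label the
 * process label must equal it; otherwise it must lie inside the range. */
int model_may_access(const struct device *d, int proc_label)
{
    if (d->has_tmp)
        return proc_label == d->tmp;
    return proc_label >= d->lo && proc_label <= d->hi;
}

int main(void)
{
    struct device tty = { 1, 5, 0, 0, 0 };   /* constructed sample device */
    model_settmp(&tty, 3);
    model_open(&tty);
    printf("label 4 while labeled: %d\n", model_may_access(&tty, 4));
    model_close(&tty);
    printf("label 4 after last close: %d\n", model_may_access(&tty, 4));
    return 0;
}
```

Because the label lapses at the last close, anything that relies on a device staying at one label has to set it again after the device has been fully released.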
ACCESS CONTROL
The object must be governed by a MAC range (i.e., a dggetomac call
will return a label with type MACTYPENOLABEL), and the calling
process must have appropriate privilege.
For systems supporting the DG/UX Capability Option, appropriate
privilege is defined as having one or more specific capabilities
enabled in the effective capability set of the calling process. See
capdefaults(5) for the default capability for this system call. On
systems without the DG/UX Capability Option, appropriate privilege
means that the process has an effective UID of root. See the
appropriateprivilege(5) man page for more information.
To set the MAC label of an object, the process must have MAC write
access to the new label. The process must also have MAC read access
to the file's parent directory, and have search access to the file's
parent directory path.
RETURN VALUE
0 Successful completion
-1 An error occurred. The errno variable is set to indicate the
error.
ERRORS
The errno variable may be set to one of the following error codes:
EPERM The caller does not have appropriate privilege.
ENOENT The file does not exist.
ENAMETOOLONG If targtype is TFILE, a component of the pathname
pointed at by targ exceeds the length limit for
filenames.
EFAULT The label parameter specified an area of memory not
accessible to the calling process.
ENOMEM The operating system was unable to allocate sufficient
internal memory to process the system call.
EINVAL The file is not governed by a MAC range, or an invalid
parameter was passed, or the label to be set is outside
the MAC range of the object.
EOPNOTSUPP This operation is not supported for the given object.
ENOSYS MAC is not configured in the system.
EACCES The caller does not have read/write access to the
object or does not have MAC write access to the new
label.
EBUSY The file object named by path is currently in use by
another process.
SEE ALSO
setmac(1M), dgsetomac(2), dgsetorange(2), dgsetomaconly(2),
dggetomac(2), capdefaults(5), macdefs(5).
Licensed material--property of copyright holder(s)