GETEXECATTR(3SECDB) Security Attributes Database Library Functions

NAME
getexecattr, free_execattr, setexecattr, endexecattr, getexecuser,
getexecprof, match_execattr - get execution profile entry

SYNOPSIS
cc [ flag... ] file... -lsecdb -lsocket -lnsl [ library... ]
#include <exec_attr.h>
#include <secdb.h>

execattr_t *getexecattr(void);

void free_execattr(execattr_t *ep);

void setexecattr(void);

void endexecattr(void);

execattr_t *getexecuser(const char *username, const char *type,
     const char *id, int search_flag);

execattr_t *getexecprof(const char *profname, const char *type,
     const char *id, int search_flag);

execattr_t *match_execattr(execattr_t *ep, char *profname,
     char *type, char *id);

DESCRIPTION
The getexecattr() function returns a single exec_attr(4) entry.
Entries can come from any of the sources specified in the
nsswitch.conf(4) file.

Successive calls to getexecattr() return either successive exec_attr
entries or NULL. Because getexecattr() always returns a single entry,
the next pointer in the execattr_t data structure is always NULL.

The internal representation of an exec_attr entry is an execattr_t
structure defined in <exec_attr.h> with the following members:

     char *name;              /* name of the profile */
     char *policy;            /* policy under which the attributes are relevant */
     char *type;              /* type of profile */
     char *res1;              /* reserved for future use */
     char *res2;              /* reserved for future use */
     char *id;                /* unique identifier */
     kva_t *attr;             /* attributes */
     struct execattr_s *next; /* optional pointer to next profile */

The free_execattr() function releases memory. It follows the next
pointers in the execattr_t structure so that the entire linked list is
released.

The setexecattr() function "rewinds" to the beginning of the
enumeration of exec_attr entries. Calls to getexecuser() can leave the
enumeration in an indeterminate state. Therefore, setexecattr() should
be called before the first call to getexecattr().

The endexecattr() function can be called to indicate that exec_attr
processing is complete; the library can then close any open exec_attr
file, deallocate any internal storage, and so forth.

The getexecuser() function returns a linked list of entries that match
the type and id arguments and have a profile that has been assigned to
the user specified by username, as described in passwd(4). Profiles
for the user are obtained from the list of default profiles in
/etc/security/policy.conf (see policy.conf(4)) and the user_attr(4)
database. Only entries in the name service scope for which the
corresponding profile entry is found in the prof_attr(4) database are
returned.

The getexecprof() function returns a linked list of entries that match
the type and id arguments and have the profile specified by the
profname argument. Only entries in the name service scope for which the
corresponding profile entry is found in the prof_attr database are
returned.

Using getexecuser() and getexecprof(), programmers can search for any
type argument, such as the manifest constant KV_COMMAND. The arguments
are logically AND-ed together so that only entries exactly matching all
of the arguments are returned. Wildcard matching applies if there is no
exact match for an ID. Any argument can be assigned the NULL value to
indicate that it is not used as part of the matching criteria. The
search_flag controls whether the function returns only the first match
(GET_ONE), setting the next pointer to NULL, or all matching entries
(GET_ALL), using the next pointer to create a linked list of all
entries that meet the search criteria. See EXAMPLES.

Once a list of entries is returned by getexecuser() or getexecprof(),
the convenience function match_execattr() can be used to identify an
individual entry. It returns a pointer to the individual element with
the same profile name (profname), type name (type), and id. Function
parameters set to NULL are not used as part of the matching criteria.
In the event that multiple entries meet the matching criteria, only a
pointer to the first entry is returned. The kva_match(3SECDB) function
can be used to look up a key in a key-value array.

RETURN VALUES
Those functions returning data only return data related to the active
policy. The getexecattr() function returns a pointer to an execattr_t
if it successfully enumerates an entry; otherwise it returns NULL,
indicating the end of the enumeration.

USAGE
The getexecattr(), getexecuser(), and getexecprof() functions all
allocate memory for the pointers they return. This memory should be
deallocated with the free_execattr() call. The match_execattr()
function does not allocate any memory. Therefore, pointers returned by
this function should not be deallocated.

Individual attributes may be referenced in the attr structure by
calling the kva_match(3SECDB) function.

EXAMPLES
Example 1 Find all profiles that have the ping command.

     execattr_t *execprof;

     if ((execprof = getexecprof(NULL, KV_COMMAND, "/usr/sbin/ping",
         GET_ONE)) == NULL) {
             /* do error */
     }
     /* use execprof, then release the memory it owns */
     free_execattr(execprof);

Example 2 Find the entry for the ping command in the Network
Administration Profile.

     execattr_t *execprof;

     if ((execprof = getexecprof("Network Administration", KV_COMMAND,
         "/usr/sbin/ping", GET_ALL)) == NULL) {
             /* do error */
     }
     /* use execprof, then release the whole list */
     free_execattr(execprof);

Example 3 Tell everything that can be done in the Filesystem Security
profile.

     execattr_t *execprof;

     if ((execprof = getexecprof("Filesystem Security", NULL, NULL,
         GET_ALL)) == NULL) {
             /* do error */
     }
     /* walk the list through the next pointers, then release it */
     free_execattr(execprof);

Example 4 Tell if the tar utility is in a profile assigned to user
wetmore. If there is no exact profile entry, the wildcard (*), if
defined, is returned.

     execattr_t *execprof;

     if ((execprof = getexecuser("wetmore", KV_COMMAND, "/usr/bin/tar",
         GET_ONE)) == NULL) {
             /* do error */
     }
     /* use execprof, then release it */
     free_execattr(execprof);

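The matching and list-release rules described under DESCRIPTION and exercised in the examples above, shown as an added self-contained stand-in that is not libsecdb code and not part of this page: it parses exec_attr(4)-style lines (name:policy:type:res1:res2:id:attr) into a list with the same member names as execattr_t, matches the way match_execattr() is specified (NULL arguments ignored, the rest AND-ed, first hit returned), and frees the list by following next. The names parse_line, match_entry, free_list and load_sample and the sample lines are constructed for this example; the wildcard (*) fallback and the kva_t attribute array are not modelled, and it builds on any POSIX system without -lsecdb.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Stand-in for the execattr_t of <exec_attr.h>; attr stays a raw string. */
typedef struct execattr_s {
    char *name, *policy, *type, *res1, *res2, *id, *attr;
    struct execattr_s *next;
} execattr_t;

/* Parse one exec_attr(4) line (name:policy:type:res1:res2:id:attr).
 * All seven fields point into one private copy owned by ep->name. */
execattr_t *parse_line(const char *line) {
    execattr_t *ep = calloc(1, sizeof *ep);
    char *buf = strdup(line);
    char **slot[] = {&ep->name, &ep->policy, &ep->type, &ep->res1,
                     &ep->res2, &ep->id, &ep->attr};
    for (int i = 0; i < 7; i++) {
        *slot[i] = buf ? buf : (char *)"";        /* missing field -> "" */
        if (buf != NULL && (buf = strchr(buf, ':')) != NULL) *buf++ = '\0';
    }
    return ep;
}

/* The rule the page gives for match_execattr(): NULL arguments are not
 * criteria, the rest are AND-ed, and the first matching entry wins. */
execattr_t *match_entry(execattr_t *ep, const char *profname,
                        const char *type, const char *id) {
    for (; ep != NULL; ep = ep->next)
        if ((!profname || !strcmp(ep->name, profname)) &&
            (!type || !strcmp(ep->type, type)) &&
            (!id || !strcmp(ep->id, id)))
            return ep;
    return NULL;
}
/* Follow next to release the whole list, as free_execattr() does. */
void free_list(execattr_t *ep) {
    for (execattr_t *nx; ep != NULL; ep = nx) { nx = ep->next; free(ep->name); free(ep); }
}

/* Build a list from constructed sample lines (not a real database). */
execattr_t *load_sample(void) {
    static const char *lines[] = {
        "Network Administration:solaris:cmd:::/usr/sbin/ping:euid=0",
        "Network Administration:solaris:cmd:::/usr/sbin/snoop:uid=0",
        "Filesystem Security:solaris:cmd:::/usr/bin/tar:privs=all"};
    execattr_t *head = NULL, **tail = &head;
    for (int i = 0; i < 3; i++) { *tail = parse_line(lines[i]); tail = &(*tail)->next; }
    return head;
}
```

Calling match_entry(load_sample(), "Network Administration", "cmd", "/usr/sbin/ping") mirrors Example 2 and yields the entry whose attr is "euid=0"; passing NULL for profname and type mirrors the looser searches in Examples 1 and 3.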
FILES
/etc/nsswitch.conf
     configuration file lookup information for
     the name service switch

/etc/user_attr
     extended user attributes

/etc/security/exec_attr
     execution profiles

/etc/security/policy.conf
     policy definitions

/etc/security/prof_attr
     profile information

ATTRIBUTES
See attributes(5) for descriptions of the following attributes:

+---------------+-----------------+
|ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------+-----------------+
|MT-Level       | MT-Safe         |
+---------------+-----------------+

SEE ALSO
getauthattr(3SECDB), getprofattr(3SECDB), getuserattr(3SECDB),
kva_match(3SECDB), exec_attr(4), passwd(4), policy.conf(4),
prof_attr(4), user_attr(4), attributes(5)

August 13, 2018 GETEXECATTR(3SECDB)