9728 3secdb man pages need some tlc
--- old/usr/src/man/man3secdb/getexecattr.3secdb.man.txt
+++ new/usr/src/man/man3secdb/getexecattr.3secdb.man.txt
1 1 GETEXECATTR(3SECDB) Security Attributes Database Library Functions
2 2
3 3
4 4
5 5 NAME
6 6 getexecattr, free_execattr, setexecattr, endexecattr, getexecuser,
7 7 getexecprof, match_execattr - get execution profile entry
8 8
9 9 SYNOPSIS
10 10 cc [ flag... ] file... -lsecdb -lsocket -lnsl [ library... ]
11 11 #include <exec_attr.h>
12 12 #include <secdb.h>
13 13
14 14 execattr_t *getexecattr(void);
15 15
16 16
17 17 void free_execattr(execattr_t *ep);
18 18
19 19
20 20 void setexecattr(void);
21 21
22 22
23 23 void endexecattr(void);
24 24
25 25
26 26 execattr_t *getexecuser(const char *username, const char *type,
27 27 const char *id, int search_flag);
28 28
29 29
30 30 execattr_t *getexecprof(const char *profname, const char *type,
31 31 const char *id, int search_flag);
32 32
33 33
34 34 execattr_t *match_execattr(execattr_t *ep, char *profname,
35 35 char *type, char *id);
36 36
37 37
38 38 DESCRIPTION
39 39 The getexecattr() function returns a single exec_attr(4) entry.
40 40 Entries can come from any of the sources specified in the
41 41 nsswitch.conf(4) file.
42 42
43 43
44 44 Successive calls to getexecattr() return either successive exec_attr
45 45 entries or NULL. Because getexecattr() always returns a single entry,
46 - the next pointer in the execattr_t data structure points to NULL.
46 + the next pointer in the execattr_t data structure points to NULL.
47 47
48 48
49 49 The internal representation of an exec_attr entry is an execattr_t
50 - structure defined in <exec_attr.h> with the following members:
50 + structure defined in <exec_attr.h> with the following members:
51 51
52 52 char *name; /* name of the profile */
53 - char *type; /* type of profile */
54 53 char *policy; /* policy under which the attributes are */
55 54 /* relevant*/
55 + char *type; /* type of profile */
56 56 char *res1; /* reserved for future use */
57 57 char *res2; /* reserved for future use */
58 58 char *id; /* unique identifier */
59 59 kva_t *attr; /* attributes */
60 60 struct execattr_s *next; /* optional pointer to next profile */
61 61
62 62
63 63
64 64 The free_execattr() function releases memory. It follows the next
65 65 pointers in the execattr_t structure so that the entire linked list is
66 66 released.
67 67
68 68
69 69 The setexecattr() function "rewinds" to the beginning of the
70 70 enumeration of exec_attr entries. Calls to getexecuser() can leave the
71 71 enumeration in an indeterminate state. Therefore, setexecattr() should
72 72 be called before the first call to getexecattr().
73 73
74 74
75 75 The endexecattr() function can be called to indicate that exec_attr
76 76 processing is complete; the library can then close any open exec_attr
77 77 file, deallocate any internal storage, and so forth.
78 78
79 79
80 80 The getexecuser() function returns a linked list of entries that match
81 81 the type and id arguments and have a profile that has been assigned to
82 82 the user specified by username, as described in passwd(4). Profiles
83 83 for the user are obtained from the list of default profiles in
84 84 /etc/security/policy.conf (see policy.conf(4)) and the user_attr(4)
85 85 database. Only entries in the name service scope for which the
86 86 corresponding profile entry is found in the prof_attr(4) database are
87 87 returned.
88 88
89 89
90 90 The getexecprof() function returns a linked list of entries that match
91 91 the type and id arguments and have the profile specified by the
92 92 profname argument. Only entries in the name service scope for which the
93 93 corresponding profile entry is found in the prof_attr database are
94 94 returned.
95 95
96 96
97 - Using getexecuser() and getexecprof(), programmers can search for any
97 + Using getexecuser() and getexecprof(), programmers can search for any
98 98 type argument, such as the manifest constant KV_COMMAND. The arguments
99 99 are logically AND-ed together so that only entries exactly matching all
100 100 of the arguments are returned. Wildcard matching applies if there is no
101 101 exact match for an ID. Any argument can be assigned the NULL value to
102 102 indicate that it is not used as part of the matching criteria. The
103 103 search_flag controls whether the function returns the first match
104 104 (GET_ONE), setting the next pointer to NULL or all matching entries
105 105 (GET_ALL), using the next pointer to create a linked list of all
106 - entries that meet the search criteria. See EXAMPLES.
106 + entries that meet the search criteria. See EXAMPLES.
107 107
108 108
109 109 Once a list of entries is returned by getexecuser() or getexecprof(),
110 110 the convenience function match_execattr() can be used to identify an
111 111 individual entry. It returns a pointer to the individual element with
112 112 the same profile name (profname), type name (type), and id. Function
113 113 parameters set to NULL are not used as part of the matching criteria.
114 114 In the event that multiple entries meet the matching criteria, only a
115 115 pointer to the first entry is returned. The kva_match(3SECDB) function
116 116 can be used to look up a key in a key-value array.
117 117
118 118 RETURN VALUES
119 119 Those functions returning data only return data related to the active
120 - policy. The getexecattr() function returns a pointer to a execattr_t
120 + policy. The getexecattr() function returns a pointer to a execattr_t
121 121 if it successfully enumerates an entry; otherwise it returns NULL,
122 122 indicating the end of the enumeration.
123 123
124 124 USAGE
125 125 The getexecattr(), getexecuser(), and getexecprof() functions all
126 126 allocate memory for the pointers they return. This memory should be
127 127 deallocated with the free_execattr() call. The match_execattr()
128 128 function does not allocate any memory. Therefore, pointers returned by
129 129 this function should not be deallocated.
130 130
131 131
132 132 Individual attributes may be referenced in the attr structure by
133 133 calling the kva_match(3SECDB) function.
134 134
135 135 EXAMPLES
136 - Example 1 Find all profiles that have the ping command.
136 + Example 1 Find all profiles that have the ping command.
137 137
138 138 if ((execprof=getexecprof(NULL, KV_COMMAND, "/usr/sbin/ping",
139 139 GET_ONE)) == NULL) {
140 140 /* do error */
141 141 }
142 142
143 143
144 144 Example 2 Find the entry for the ping command in the Network
145 145 Administration Profile.
146 146
147 147 if ((execprof=getexecprof("Network Administration", KV_COMMAND,
148 148 "/usr/sbin/ping", GET_ALL))==NULL) {
149 149 /* do error */
150 150 }
151 151
152 152
153 153 Example 3 Tell everything that can be done in the Filesystem Security
154 154 profile.
155 155
156 - if ((execprof=getexecprof("Filesystem Security", KV_NULL, NULL,
156 + if ((execprof=getexecprof("Filesystem Security", NULL, NULL,
157 157 GET_ALL))==NULL)) {
158 158 /* do error */
159 159 }
160 160
161 161
162 162 Example 4 Tell if the tar utility is in a profile assigned to user
163 163 wetmore. If there is no exact profile entry, the wildcard (*), if
164 164 defined, is returned.
165 165
166 -
167 - The following tells if the tar utility is in a profile assigned to user
168 - wetmore. If there is no exact profile entry, the wildcard (*), if
169 - defined, is returned.
170 -
171 -
172 166 if ((execprof=getexecuser("wetmore", KV_COMMAND, "/usr/bin/tar",
173 167 GET_ONE))==NULL) {
174 168 /* do error */
175 169 }
176 170
177 171
178 172 FILES
179 173 /etc/nsswitch.conf
180 174 configuration file lookup information for
181 - the name server switch
175 + the name service switch
182 176
183 177
184 178 /etc/user_attr
185 179 extended user attributes
186 180
187 181
188 182 /etc/security/exec_attr
189 183 execution profiles
190 184
191 185
192 186 /etc/security/policy.conf
193 187 policy definitions
194 188
195 189
190 + /etc/security/prof_attr
191 + profile information
192 +
193 +
196 194 ATTRIBUTES
197 195 See attributes(5) for descriptions of the following attributes:
198 196
199 197
200 198
201 199
202 200 +---------------+-----------------+
203 201 |ATTRIBUTE TYPE | ATTRIBUTE VALUE |
204 202 +---------------+-----------------+
205 203 |MT-Level | MT-Safe |
206 204 +---------------+-----------------+
207 205
208 206 SEE ALSO
209 - getauthattr(3SECDB), getuserattr(3SECDB), kva_match(3SECDB),
210 - exec_attr(4), passwd(4), policy.conf(4), prof_attr(4), user_attr(4),
211 - attributes(5)
207 + getauthattr(3SECDB), getprofattr(3SECDB), getuserattr(3SECDB),
208 + kva_match(3SECDB), exec_attr(4), passwd(4), policy.conf(4),
209 + prof_attr(4), user_attr(4), attributes(5)
212 210
213 211
214 212
215 - May 27, 2014 GETEXECATTR(3SECDB)
213 + August 13, 2018 GETEXECATTR(3SECDB)
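Review bot: Example 3 still has an unbalanced parenthesis after the KV_NULL to NULL change: `GET_ALL))==NULL)) {` closes one more paren than was opened, so the example does not compile as shown; Examples 2 and 4 use the correct `GET_ALL))==NULL) {` form and this line should match them. Two smaller points in the same region: the search flags in Examples 1 and 2 look swapped relative to their captions, since "Find all profiles that have the ping command" passes GET_ONE, which the DESCRIPTION says returns only the first match with next set to NULL, while "Find the entry for the ping command in the Network Administration Profile" passes GET_ALL; and the RETURN VALUES line that is touched for whitespace only still reads "a pointer to a execattr_t" and should be "an execattr_t". The removal of the duplicated paragraph in Example 4, the corrected "name service switch" wording, the added prof_attr entry under FILES and the getprofattr(3SECDB) cross-reference all look right.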