getexecattr(3SECDB)    Security Attributes Database Library Functions    getexecattr(3SECDB)

NAME
getexecattr, free_execattr, setexecattr, endexecattr, getexecuser,
getexecprof, match_execattr - get execution profile entry

SYNOPSIS
cc [ flag... ] file... -lsecdb -lsocket -lnsl [ library... ]
#include <exec_attr.h>
#include <secdb.h>

execattr_t *getexecattr(void);

void free_execattr(execattr_t *ep);

void setexecattr(void);

void endexecattr(void);

execattr_t *getexecuser(const char *username, const char *type,
     const char *id, int search_flag);

execattr_t *getexecprof(const char *profname, const char *type,
     const char *id, int search_flag);

execattr_t *match_execattr(execattr_t *ep, char *profname,
     char *type, char *id);

DESCRIPTION
The getexecattr() function returns a single exec_attr(4) entry. Entries
can come from any of the sources specified in the nsswitch.conf(4)
file.

Successive calls to getexecattr() return either successive exec_attr
entries or NULL. Because getexecattr() always returns a single entry,
the next pointer in the execattr_t data structure points to NULL.

The internal representation of an exec_attr entry is an execattr_t
structure defined in <exec_attr.h> with the following members:

char *name;              /* name of the profile */
char *type;              /* type of profile */
char *policy;            /* policy under which the attributes are relevant */
char *res1;              /* reserved for future use */
char *res2;              /* reserved for future use */
char *id;                /* unique identifier */
kva_t *attr;             /* attributes */
struct execattr_s *next; /* optional pointer to next profile */

The free_execattr() function releases memory. It follows the next
pointers in the execattr_t structure so that the entire linked list is
released.

The setexecattr() function "rewinds" to the beginning of the
enumeration of exec_attr entries. Calls to getexecuser() can leave the
enumeration in an indeterminate state. Therefore, setexecattr() should
be called before the first call to getexecattr().

The endexecattr() function can be called to indicate that exec_attr
processing is complete; the library can then close any open exec_attr
file, deallocate any internal storage, and so forth.

The getexecuser() function returns a linked list of entries that match
the type and id arguments and have a profile that has been assigned to
the user specified by username, as described in passwd(4). Profiles for
the user are obtained from the list of default profiles in
/etc/security/policy.conf (see policy.conf(4)) and the user_attr(4)
database. Only entries in the name service scope for which the
corresponding profile entry is found in the prof_attr(4) database are
returned.

The getexecprof() function returns a linked list of entries that match
the type and id arguments and have the profile specified by the
profname argument. Only entries in the name service scope for which the
corresponding profile entry is found in the prof_attr database are
returned.

Using getexecuser() and getexecprof(), programmers can search for any
type argument, such as the manifest constant KV_COMMAND. The arguments
are logically AND-ed together so that only entries exactly matching all
of the arguments are returned. Wildcard matching applies if there is no
exact match for an ID. Any argument can be assigned the NULL value to
indicate that it is not used as part of the matching criteria. The
search_flag controls whether the function returns the first match
(GET_ONE), setting the next pointer to NULL, or all matching entries
(GET_ALL), using the next pointer to create a linked list of all
entries that meet the search criteria. See EXAMPLES.

Once a list of entries is returned by getexecuser() or getexecprof(),
the convenience function match_execattr() can be used to identify an
individual entry. It returns a pointer to the individual element with
the same profile name (profname), type name (type), and id. Function
parameters set to NULL are not used as part of the matching criteria.
In the event that multiple entries meet the matching criteria, only a
pointer to the first entry is returned. The kva_match(3SECDB) function
can be used to look up a key in a key-value array.

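The matching rules described above (AND-ed criteria, NULL meaning "not used", the wildcard ID fallback, GET_ONE versus GET_ALL, and the allocation contract of free_execattr() versus match_execattr()) are easiest to see in code. The following is an added example, not part of this man page and not libsecdb code: a portable C model that mirrors the execattr_t and kva_t layouts and implements those rules over a small constructed table, so it builds and runs without -lsecdb. The names db_search(), list_match(), kva_lookup() and free_entries(), the sample rows, and the numeric values of GET_ONE and GET_ALL are assumptions; on Solaris the corresponding calls are getexecprof()/getexecuser(), match_execattr(), kva_match() and free_execattr().

```c
/* Added example, not from the getexecattr(3SECDB) page and not libsecdb code:
 * a portable model of the matching and memory rules the page documents, on
 * mirrors of the execattr_t and kva_t layouts. Local names are assumptions. */
#include <stdlib.h>
#include <string.h>
#define GET_ONE 0          /* search_flag: first match only (values assumed) */
#define GET_ALL 1          /* search_flag: chain every match through next */
#define KV_COMMAND "cmd"   /* type of a command entry in exec_attr(4) */

typedef struct kv_s { char *key; char *value; } kv_t;      /* as in <secdb.h> */
typedef struct kva_s { int length; kv_t *data; } kva_t;
typedef struct execattr_s {                                 /* as in <exec_attr.h> */
    char *name, *type, *policy, *res1, *res2, *id;
    kva_t *attr;
    struct execattr_s *next;
} execattr_t;

/* Constructed sample database, not real exec_attr(4) content. */
static kv_t ping_kv[] = { { "euid", "0" } }, tar_kv[] = { { "privs", "file_dac_read" } };
static kva_t ping_kva = { 1, ping_kv }, tar_kva = { 1, tar_kv };
static execattr_t sample_db[] = {
    { "Network Administration", KV_COMMAND, "suser", NULL, NULL, "/usr/sbin/ping", &ping_kva, NULL },
    { "Network Administration", KV_COMMAND, "suser", NULL, NULL, "*",              &ping_kva, NULL },
    { "Filesystem Security",    KV_COMMAND, "suser", NULL, NULL, "/usr/bin/tar",   &tar_kva,  NULL },
};
#define NDB (sizeof sample_db / sizeof sample_db[0])

/* A NULL criterion is not part of the match; non-NULL criteria are AND-ed. */
static int field_ok(const char *want, const char *have)
{
    return want == NULL || (have != NULL && strcmp(want, have) == 0);
}

/* Stand-in for getexecprof(): exact id first, the "*" wildcard row only when no
 * exact row exists; GET_ONE stops at the first hit, GET_ALL chains every hit.
 * Nodes are heap-allocated for the caller, as with the real functions. */
static execattr_t *db_search(const char *profname, const char *type,
                             const char *id, int search_flag)
{
    execattr_t *head = NULL, **tail = &head, *e;
    const char *want = id;
    for (;;) {
        for (size_t i = 0; i < NDB; i++) {
            const execattr_t *c = &sample_db[i];
            if (!field_ok(profname, c->name) || !field_ok(type, c->type) ||
                !field_ok(want, c->id) || (e = malloc(sizeof *e)) == NULL)
                continue;
            *e = *c; e->next = NULL;     /* strings and attr stay in the static table */
            *tail = e; tail = &e->next;
            if (search_flag == GET_ONE) return head;
        }
        if (head != NULL || id == NULL || strcmp(want, "*") == 0) break;
        want = "*";                      /* no exact match: fall back to the wildcard */
    }
    return head;
}

/* Stand-in for match_execattr(): first element of an existing list whose
 * name/type/id match. Allocates nothing, so its result is never freed alone. */
static execattr_t *list_match(execattr_t *ep, const char *profname,
                              const char *type, const char *id)
{
    for (; ep != NULL; ep = ep->next)
        if (field_ok(profname, ep->name) && field_ok(type, ep->type) && field_ok(id, ep->id))
            return ep;
    return NULL;
}

/* Stand-in for kva_match(): value stored under key, or NULL. */
static char *kva_lookup(const kva_t *kva, const char *key)
{
    for (int i = 0; kva != NULL && i < kva->length; i++)
        if (strcmp(kva->data[i].key, key) == 0) return kva->data[i].value;
    return NULL;
}

/* Stand-in for free_execattr(): follows next so the entire list is released. */
static void free_entries(execattr_t *ep)
{
    while (ep != NULL) { execattr_t *nx = ep->next; free(ep); ep = nx; }
}

/* Checks shaped like the page's examples; returns 0 when every rule holds. */
int run_examples(void)
{
    int rc = 0; execattr_t *l;
    /* Example 2 shape: one exact row for ping; the wildcard row is not added */
    l = db_search("Network Administration", KV_COMMAND, "/usr/sbin/ping", GET_ALL);
    if (l == NULL || l->next != NULL || strcmp(kva_lookup(l->attr, "euid"), "0") != 0) rc = 1;
    free_entries(l);
    /* No exact row for another command: the "*" row comes back, next is NULL */
    l = db_search("Network Administration", KV_COMMAND, "/usr/sbin/route", GET_ONE);
    if (l == NULL || strcmp(l->id, "*") != 0 || l->next != NULL) rc = 2;
    free_entries(l);
    /* Example 3 shape: whole profile (type and id NULL), then pick one element */
    l = db_search("Filesystem Security", NULL, NULL, GET_ALL);
    if (list_match(l, NULL, KV_COMMAND, "/usr/bin/tar") == NULL) rc = 3;
    free_entries(l);                     /* the matched element lives inside l */
    return rc;
}

int main(void) { return run_examples(); }   /* exit status 0 when all checks pass */
```

Note the ownership split the model preserves from the page: every node that db_search() hands back is freed once, by walking next, while the pointer list_match() returns is an alias into that list and is never freed by itself.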
RETURN VALUES
Those functions returning data only return data related to the active
policy. The getexecattr() function returns a pointer to an execattr_t
if it successfully enumerates an entry; otherwise it returns NULL,
indicating the end of the enumeration.

USAGE
The getexecattr(), getexecuser(), and getexecprof() functions all
allocate memory for the pointers they return. This memory should be
deallocated with the free_execattr() call. The match_execattr()
function does not allocate any memory. Therefore, pointers returned by
this function should not be deallocated.

Individual attributes may be referenced in the attr structure by
calling the kva_match(3SECDB) function.

EXAMPLES
Example 1 Find all profiles that have the ping command.

if ((execprof = getexecprof(NULL, KV_COMMAND, "/usr/sbin/ping",
    GET_ONE)) == NULL) {
        /* do error */
}

Example 2 Find the entry for the ping command in the Network
Administration Profile.

if ((execprof = getexecprof("Network Administration", KV_COMMAND,
    "/usr/sbin/ping", GET_ALL)) == NULL) {
        /* do error */
}

Example 3 Tell everything that can be done in the Filesystem Security
profile.

if ((execprof = getexecprof("Filesystem Security", KV_NULL, NULL,
    GET_ALL)) == NULL) {
        /* do error */
}

Example 4 Tell if the tar utility is in a profile assigned to user
wetmore.

The following tells if the tar utility is in a profile assigned to user
wetmore. If there is no exact profile entry, the wildcard (*), if
defined, is returned.

if ((execprof = getexecuser("wetmore", KV_COMMAND, "/usr/bin/tar",
    GET_ONE)) == NULL) {
        /* do error */
}

FILES
/etc/nsswitch.conf          configuration file lookup information for
                            the name server switch

/etc/user_attr              extended user attributes

/etc/security/exec_attr     execution profiles

/etc/security/policy.conf   policy definitions

ATTRIBUTES
See attributes(5) for descriptions of the following attributes:

┌─────────────────────────────┬─────────────────────────────┐
│      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
├─────────────────────────────┼─────────────────────────────┤
│MT-Level                     │MT-Safe                      │
└─────────────────────────────┴─────────────────────────────┘

SEE ALSO
getauthattr(3SECDB), getuserattr(3SECDB), kva_match(3SECDB),
exec_attr(4), passwd(4), policy.conf(4), prof_attr(4), user_attr(4),
attributes(5)

SunOS 5.11                       31 Mar 2005                  getexecattr(3SECDB)