Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
getexecattr(3SECDB)					   getexecattr(3SECDB)

NAME
       getexecattr,  free_execattr, setexecattr, endexecattr, getexecuser, ge-
       texecprof, match_execattr - get execution profile entry

SYNOPSIS
       cc [ flag... ] file... -lsecdb  -lsocket	 -lnsl	[ library... ]
       #include	<exec_attr.h>
       #include	<secdb.h>

       execattr_t *getexecattr(void);

       void free_execattr(execattr_t *ep);

       void setexecattr(void);

       void endexecattr(void);

       execattr_t *getexecuser(const char *username, const char	 *type,	 const
       char *id, int search_flag);

       execattr_t  *getexecprof(const  char *profname, const char *type, const
       char *id, int search_flag);

       execattr_t *match_execattr(execattr_t *ep, char *profname, char	*type,
       char *id);

       The getexecattr() function returns a single exec_attr(4)	entry. Entries
       can come	from any of the	 sources  specified  in	 the  nsswitch.conf(4)
       file.

       Successive  calls  to  getexecattr() return either successive exec_attr
       entries or NULL.	Because	getexecattr() always returns a	single	entry,
       the next	pointer	in the	execattr_t data	structure points to NULL.

       The  internal  representation  of  an  exec_attr	entry is an execattr_t
       structure defined in  <exec_attr.h> with	the following members:

       char		 *name;	  /* name of the profile */
       char		 *type;	  /* type of profile */
       char		 *policy; /* policy under which	the attributes are */
				  /* relevant*/
       char		 *res1;	  /* reserved for future use */
       char		 *res2;	  /* reserved for future use */
       char		 *id;	  /* unique identifier */
       kva_t		 *attr;	  /* attributes	*/
       struct execattr_s *next;	  /* optional pointer to next profile */

       The free_execattr() function  releases  memory.	It  follows  the  next
       pointers	 in the	execattr_t structure so	that the entire	linked list is
       released.

       The setexecattr() function "rewinds" to the beginning of	 the  enumera-
       tion of exec_attr entries. Calls	to getexecuser() can leave the enumer-
       ation in	an indeterminate state.	 Therefore,  setexecattr()  should  be
       called before the first call to getexecattr().

       The  endexecattr()  function  can  be called to indicate	that exec_attr
       processing is complete; the library can then close any  open  exec_attr
       file, deallocate	any internal storage, and so forth.

       The  getexecuser() function returns a linked list of entries that match
       the type	and id arguments and have a profile that has been assigned  to
       the user	specified by username, as described in passwd(4). Profiles for
       the user	are obtained from the list of default profiles	in  /etc/secu-
       rity/policy.conf	 (see  policy.conf(4))	and the	user_attr(4) database.
       Only entries in the name	service	scope for which	the corresponding pro-
       file entry is found in the prof_attr(4) database	are returned.

       The  getexecprof() function returns a linked list of entries that match
       the type	and id arguments and have the profile specified	by  the	 prof-
       name  argument.	Only  entries  in the name service scope for which the
       corresponding profile entry is found in the prof_attr database are  re-
       turned.

       Using  getexecuser() and	getexecprof(), programmers can search  for any
       type argument, such as the manifest constant KV_COMMAND.	The  arguments
       are logically AND-ed together so	that only entries exactly matching all
       of the arguments	are returned. Wildcard matching	applies	if there is no
       exact  match  for an ID.	Any argument can be assigned the NULL value to
       indicate	that it	is not used as part  of	 the  matching	criteria.  The
       search_flag  controls  whether  the  function  returns  the first match
       (GET_ONE), setting the next pointer to NULL  or	all  matching  entries
       (GET_ALL),  using  the  next pointer to create a	linked list of all en-
       tries that meet the search criteria. See	 EXAMPLES.

       Once a list of entries is returned by getexecuser()  or	getexecprof(),
       the  convenience	 function  match_execattr() can	be used	to identify an
       individual entry. It returns a pointer to the individual	 element  with
       the same	profile	name ( profname), type name ( type),  and id. Function
       parameters set to NULL are not used as part of the  matching  criteria.
       In  the	event that multiple entries meet the matching criteria,	only a
       pointer to the first entry is returned. The kva_match(3SECDB)  function
       can be used to look up a	key in a key-value array.

       Those  functions	 returning data	only return data related to the	active
       policy. The getexecattr() function returns a pointer to	a   execattr_t
       if  it successfully enumerates an entry;	otherwise it returns NULL, in-
       dicating	the end	of the enumeration.

USAGE
       The getexecattr(), getexecuser(), and getexecprof() functions all allo-
       cate memory for the pointers they return. This memory should be deallo-
       cated with the free_execattr()  call.  The  match_execattr()(  function
       does  not  allocate  any	 memory.  Therefore, pointers returned by this
       function	should not be deallocated.

       Individual attributes may be referenced in the attr structure by	 call-
       ing the kva_match(3SECDB) function.

       Example 1: Find all profiles that have the  ping	command.

       if ((execprof=getexecprof(NULL, KV_COMMAND, "/usr/sbin/ping",
	   GET_ONE)) ==	NULL) {
	       /* do error */
       }

       Example	2: Find	the entry for the ping command in the Network Adminis-
       tration Profile.

       if ((execprof=getexecprof("Network Administration", KV_COMMAND,
	   "/usr/sbin/ping", GET_ALL))==NULL) {
	       /* do error */
       }

       Example 3: Tell everything that can be done in the Filesystem  Security
       profile.

       if ((execprof=getexecprof("Filesystem Security",	KV_NULL, NULL,
	   GET_ALL))==NULL)) {
	       /* do error */
       }

       Example	4:  Tell  if  the tar utility is in a profile assigned to user
       wetmore.	If there is no exact profile entry, the	wildcard (*),  if  de-
       fined, is returned.

       The following tells if the tar utility is in a profile assigned to user
       wetmore.	If there is no exact profile entry, the	wildcard (*),  if  de-
       fined, is returned.

       if ((execprof=getexecuser("wetmore", KV_COMMAND,	"/usr/bin/tar",
	   GET_ONE))==NULL) {
	       /* do error */
       }

       /etc/nsswitch.conf	       configuration  file  lookup information
				       for the name server switch

       /etc/user_attr		       extended	user attributes

       /etc/security/exec_attr	       execution profiles

       /etc/security/policy.conf       policy definitions

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |MT-Level		     |MT-Safe			   |
       +-----------------------------+-----------------------------+

       getauthattr(3SECDB),	 getuserattr(3SECDB),	    kva_match(3SECDB),
       exec_attr(4),  passwd(4),  policy.conf(4),  prof_attr(4), user_attr(4),
       attributes(5)

				  31 Mar 2005		   getexecattr(3SECDB)

NAME | SYNOPSIS | USAGE

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=getexecattr&sektion=3secdb&manpath=SunOS+5.10>

home | help