1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
.TH GETPLAB 2
.SH NAME
getplab, setplab \- get or set process security
label and privilege
.SH SYNOPSIS
.B #include <sys/label.h>
.PP
.B getplab(labp, ceilp)
.br
.B struct label *labp, *ceilp;
.PP
.B setplab(labp, ceilp)
.br
.B struct label *labp, *ceilp;
.SH DESCRIPTION
.I Getplab
copies the security label and the ceiling label,
usually simply called `the ceiling',
of the current process
into the structures pointed to by
.IR labp
and
.IR ceilp.
No copy happens for a zero pointer.
The structure and meaning of labels are described in
.IR getflab (2).
The ceiling is a security lid;
the process can only access files with labels dominated
by the ceiling.
.PP
A process may have special security `capabilities', in which case
it is called `trusted'.
The capabilities are obtained from the file it is executing, usually
as `licensed' from its parent process; see
.IR exec (2).
The capabilities and corresponding licenses
are given by bits in the fields
.IB labp ->lb_t
and
.IB labp ->lb_u
respectively.
The bits are defined by the masks
.TF T_SETPRIV
.PD
.TP
.B T_SETPRIV
The process can change the privileges of files; see
.IR getflab (2).
.TP
.B T_SETLIC
The process can increase its own licenses; see below.
.TP
.B T_EXTERN
The process can bring new data sources into
view by mounting file systems or setting labels
of (open) special files; see
.IR getflab (2).
.TP
.B T_NOCHK
Ordinary checks and changes of lattice values are not made
when reading or writing files or inodes or when setting the
process label.
.TP
.B T_UAREA
The process can change certain information that
may be accessed by descendent processes without label checks; see
.IR setuid (2)
and
.IR stream (4).
.TP
.B T_LOG
The process can change logging status; see
.IR syslog (2).
.PP
.I Setplab
copies the structures pointed to by
.IR labp
and
.IR ceilp
into the process label and the ceiling label.
Unless the process has capability
.BR T_NOCHK ,
the new lattice value of the process label must dominate the
old and the old lattice value of the ceiling must dominate the new.
.PP
The new label flag must be
.BR L_BITS ,
and the lattice value of the new ceiling label must dominate the
lattice value of the new process label.
.PP
Capabilities
may not increase.
Licenses
may increase only if the process has capability
.BR T_SETLIC .
.PP
The fixity,
.BR lb_fix ,
of a process may be set only to
.B F_LOOSE
or
.BR F_FROZEN .
In the latter case the process label can not change
as a side effect of label checking.
.PP
The bits of the ceiling pointer are themselves labeled as
if they were a minifile.
When the ceiling is set by
.I setplab,
the minifile label is set to the old value of the process label,
unless the process has capability
.BR T_SETLIC ,
in which the minifile label is set to bottom.
When the ceiling is read by
.I getplab,
the minifile label is checked as if read by
.IR read (2).
.SH DIAGNOSTICS
.BR EFAULT ,
.BR ELAB ,
.BR EPRIV
.br
If
.I getplab
cannot raise the process label to dominate the minifile label,
the requested labels are filled in, with the ceiling being censored
to flag
.B L_NO ,
and
.B ELAB
is returned.
.SH SEE ALSO
.IR getflab (2),
.IR unsafe (2),
.IR exec (2),
.IR session (1),
.IR setlab (8)
|
