System Security Configuration and Attribute Information
System security configuration variables provide system-wide information on the system configuration. Some applications query system variables before taking actions that might be affected by the status of the system's security configuration.
File system security attributes and flags provide security-related information for specified local and mounted file systems. Applications might need to know the status of file system security attributes and flags. For example, an application can query the file system default access control list (ACL) before performing a directory operation, or can find out if a directory is a multilevel directory before creating a new file in it.
Process security attribute flags provide information on the calling process. Applications might need to know the status of a process security attribute flag to, for example, know whether the process was started from an administrative role (trusted path flag set) or by a normal user (trusted path flag not set).
Programming Interfaces
The programming interfaces and code examples to check system security configuration and security attribute information are provided here. Descriptions of the data handled by these calls are in the appropriate chapter. For example, Chapter 4, Labels covers labels and Chapter 3, Privileges covers privileges.
In cases where there is one set of interfaces to access a file using the pathname and another to access a file by the file descriptor, the examples that follow show the pathname only because the syntax is nearly identical.
All examples in this section compile with the -ltsol library.
System Security Configuration
This system call gets information on the system security configuration. Refer to the secconf(2) man page.
long secconf(int name);
File System Security Attributes
These system calls get information on file system security attributes using a path name or file descriptor. Refer to the getfsattr(2) man page.
int getfsattr(char *path, u_long type, void *buf_P, int len); int fgetfsattr(int fd, u_long type, void *buf_P);
File System Security Attribute Flags
These system calls get information on file system security attribute flags using a path name or file descriptor. Refer to the getfattrflag(2) man page.
int fgetfattrflag(const char *path, secflgs_t *flags); int setfattrflag(const char *path, secflgs_t which, secflgs_t flags); int fsetfattrflag(int fildes, secflgs_t *flags); int getfattrflag(int fildes, secflgs_t *flags); int mldgetfattrflag(const char *path, secflgs_t *flags) int mldsetfattrflag(const char * path, secflgs_t which, secflgs_t flags)
Process Security Attribute Flags
These system calls get and set process security attribute flags. Refer to the getpattr(2) man page.
int getpattr(pattr_type_t type, pattr_flag_t *value); int setpattr(pattr_type_t type, pattr_flag_t value);
Query System Security Configuration
System variables provide information on how the system is configured. The system variables are initialized at system start up, and when there is no entry in system(4), default values are used. An application can query the system variables with the secconf(2) system call. The following variables are defined in /etc/system and have the default values listed:
_TSOL_HIDE_UPGRADED_NAMES - When a directory contains a file or subdirectory that has had its sensitivity label upgraded by a privileged process, this variable determines whether or not those upgraded files or subdirectories can be listed or obtained by system call requests such as getdents(2). Default is off. When off, names of upgraded files and subdirectories are visible when listing directories. When on, names of upgraded files or subdirectories are hidden.
_TSOL_PRIVS_DEBUG - Enable privilege debugging. Default is off. See Trusted Solaris Administrator's Procedures or "Privilege Debugging" for information on how to enable and use privilege debugging.
This code queries the system variables to show their current values.
#include <tsol/secconf.h>
main()
{
long retval;
retval = secconf(_TSOL_HIDE_UPGRADED_NAMES);
printf("Hide Names = %d\n", retval);
retval = secconf(_TSOL_PRIVS_DEBUG);
printf("Priv Debug = %d\n", retval);
}
The printf statements print the following. A retval of 1 means the variable is on; 0 means off; and -1 means an error has occurred. errno is set only when the input variable is invalid.
Hide Names = 0 Priv Debug = 0 |
Query File System Security Attributes
File system security attributes fill in absent security attributes on local and mounted file system objects that were not assigned a full set of security attributes by the system administrator or did not acquire them from their creating process. You can get file system security attributes from the vfstab(4) and vfstab_adjunct(4) files, or from the file or directory inode.
Get Attributes from Adjunct File
The vfstab_adjunct(4) file contains remote mount points and their related security information. This file is set up and maintained by the system administrator so that file systems mounted to local workstations from remote workstations have the correct security attributes.
This example retrieves and displays lines from vfstab_adjunct(4). The getvfsaent(3TSOL) routine first reads the top line of the file and with each subsequent call reads the next lines one-by-one. The getvfsaent(3TSOL) routine reads the line for the mount point specified by the input file.
Note -
Be sure to include stdio.h as shown in the example code below.
#include <stdio.h>
#include <tsol/vfstab_adjunct.h>
main()
{
struct vfsaent *entry;
char *vfsfile = "/etc/security/tsol/vfstab_adjunct";
char *file = "/shark/doc";
int retval;
FILE *fp;
fp = fopen(vfsfile, "r");
if (fp == NULL) {
printf("Can't open %s\n", vfsfile);
exit(1);
}
/* Step through file line-by-line. */
retval = getvfsaent(fp, &entry);
if (retval == 0) {
printf("Mount Point is %s \n Security Info is %s\n",
entry->vfsa_fsname, entry->vfsa_attr);
free(entry);
}
else
printf("No entries!\n");
fseek(fp, 0, 0);
/* Retrieve specific mount point. */
retval = getvfsafile(fp, &entry, file);
if (retval == 0) {
printf("Mount Point is %s \nSecurity Info is %s\n",
entry->vfsa_fsname, entry->vfsa_attr);
free(entry);
}
else
printf("Mount point not found.\n");
fclose(fp);
}
The printf statements print the following. There is only one entry in this vfstab_adjunct file for the /opt/SUNWspro mount point:
Mount Point is /opt/SUNWspro Security Info is slabel=[C]:allowed all Mount Point not found |
Get Attributes from inode
The following code gets the CMW label (FSA_LABEL) of file and returns it in buffer.
#include <tsol/fsattr.h>
#include <tsol/label.h>
main()
{
char *file = "/export";
char buffer [3*1024], *string = (char *)0;
int length, retval;
length = sizeof(buffer);
retval = getfsattr(file, FSA_LABEL, buffer, length);
retval = bcltos((bclabel_t *)buffer, &string, 0, VIEW_INTERNAL);
printf("/export CMW label = %s \n", buffer);
}
The printf statement prints the following:
/export CMW label = [ADMIN_LOW]
Manifest Constant Values
Manifest constant values can be any one of the following:
FSA_ACLCNT - File system access Access Control List (ACL) count.
FSA_ACL - File system access ACL.
FSA_APRIV - File system allowed privilege set.
FSA_FPRIV - File system forced privilege set.
FSA_LABEL - File system CMW label.
FSA_AFLAGS - File system attribute flags as described in "Get and Set File System Security Attribute Flags".
FSA_LBLRNG - File system label range.
FSA_MLDPFX - File system MLD prefix string.
FSA_APSACNT - Number of classes in the process audit preselection mask.
FSA_APSA - Classes in the process audit preselection mask. The process needs the file_audit privilege in its effective set to get this information. See "Privileges and Authorizations" for more information.
Manifest Constant Descriptions
The programming interfaces for accessing CMW labels, file system label ranges, file privileges, and multilevel directories are described briefly in "Trusted Solaris Security Mechanisms" and in more detail in their respective chapters in this guide.
-
ACLs - Because ACLs are part of the Solaris operating environment, they are not described in this guide.
-
Audit preselection attributes - Audit preselection attributes are specified for a file system from the command line by the system administrator with setfsattr(1M). File system audit preselection attributes specify auditing on file permission bits. A file system can be configured so its files and directories are audited when access (read, write, or execute) succeeds or fails.
Audit preselection attributes are specified for a process from the command line by the system administrator with auditconfig(1M). File system preselection attributes override the process preselection attributes. For example, a process that is audited for reads on files is not audited for reads on files that have file system preselection audit attributes that specify not to audit reads. See Trusted Solaris Audit Administration for more information.
Get and Set File System Security Attribute Flags
This example sets the public attribute flag on a regular directory and gets the MLD flag of a multi-level directory. The process needs the file_owner and file_audit privileges for this example to work. Use setfpriv(1) to set the privileges as follows. The file_setpriv privilege is required with setfpriv(1) so this command must be executed from the profile shell with this privilege.
phoenix% setfpriv -s -a file_owner,file_audit executable |
#include <tsol/secflgs.h>
main()
{
secflgs_t value;
char *file = "/opt/SUNWspro"; /* Not MLD */
char *file1 = "/export/home/zelda"; /* MLD */
int retval;
retval = setfattrflag(file, FAF_PUBLIC, FAF_PUBLIC);
retval = getfattrflag(file, &value);
printf("Public Attribute Flag = %d\n", value);
retval = mldgetfattrflag(file1, &value);
printf("MLD Attribute Flag = %d\n", value);
}
The printf statements print the following where 1 equals True and 0 equals false.
Public Attribute Flag = 0 MLD Attribute Flag = 1 |
FAF_MLD - Directory is a multi-level directory. FAF_MLD may be set without privilege if the directory is empty, the effective user ID of the process matches the directory owner, and the process has mandatory write access.
FAF_SLD - Directory is a single-level directory. This flag cannot be set programmatically.
If an adorned pathname is passed to getfattrflag(1), FAF_MLD is returned if the directory is an MLD. If an unadorned pathname is passed and if the directory is an MLD, FAF_SLD is returned.
If an adorned pathname is passed to mldgetfattrflag(2), FAF_SLD is returned if the directory is an MLD. If an unadorned pathname is passed and if the directory is an MLD, FAF_MLD is returned.
Adorned names are described in Chapter 7, Multilevel Directories.
FAF_PUBLIC - File or directory is public. Audit records are not generated for read operations on public files and directories even when the read operations are part of a preselected audit class. This applies to the following read operations: access(2), fstatvfs(2), lstat(2), open(2) (read only), pathconf(2), readlink(2), stat(2), and statvfs(2).
Note -
If the AUE_MAC or AUE_UPRIV audit pseudo events are in a preselected audit class, an audit record for those events is always generated regardless of the public attribute flag setting. See Trusted Solaris Audit Administration for more information on these pseudo audit events.
The process needs the file_audit and file_owner privileges in its effective set to get or set the public attribute flag for a file or directory. See "Privileges and Authorizations" for more information. This flag can also be administratively set as described in Trusted Solaris Administrator's Procedures.
FAF_ALL - The directory is a public MLD.
Get and Set Process Security Attribute Flags
Use getpattr(2) to query the attribute flags of the calling process.
#include <tsol/pattr.h>
main()
{
int retval;
pattr_flag_t value;
retval = getpattr(PAF_TRUSTED_PATH, &value);
printf("Trusted Path Value = %d\n", value);
retval = getpattr(PAF_PRIV_DBG, &value);
printf("Priv Debug value = %d\n", value);
retval = getpattr(PAF_TOKMAPPER, &value);
printf("Trusted Network Value = %d\n", value);
retval = getpattr(PAF_DISKLESS_BOOT, &value);
printf("Diskless Boot Value = %d\n", value);
retval = getpattr(PAF_SELAGNT, &value);
printf("Bypass Selection Agent Value = %d\n", value);
retval = getpattr(PAF_PRINT_SYSTEM, &value);
printf("Print System Value = %d\n", value);
retval = getpattr(PAF_LABEL_VIEW, &value);
printf("Label View Value = %d\n", value);
retval = getpattr(PAF_LABEL_XLATE, &value);
printf("Label Translate Value = %x\n", value);
retval = getpattr(PAF_AUTOMOUNT, &value);
printf("Automounter Value = %x\n", value);
}
The printf statements print the following where a value of 0 means the flag is off, and a value of 1 means it is on. The label translation value is 0 when off and a hexadecimal value representing the label translation flags when on. See "Manifest Constant Values" for a description of the process attribute flags.
Trusted Path Value = 0 Priv Debug Value = 0 Trusted Network Value = 0 Diskless Boot value = 0 Bypass Selection Agent Value = 0 Print System Value = 0 Label View Value = 1 Label Translate Value = 1 Automounter Value = 1 |
Manifest Constant Values
PAF_TRUSTED_PATH: The trusted path flag is set for all administrative roles. Any process started from an administrative role has this flag set to 1. All other processes have this flag set to 0. This flag can be queried and cleared, but not set.
PAF_PRIV_DEBUG: The privilege debug flag is set to 1 when the process is started in privilege debugging mode. This flag can be queried by any process, but set only by a trusted path process. Enabling and using privilege debugging mode is described in Trusted Solaris Administrator's Procedures and "Privilege Debugging" in Appendix A, Programmer's Reference.
PAF_NO_TOKMAP: The trusted computing base network flag is set to 1 only on trusted computing base applications that send packets without security attributes to workstations that expect packets with security attributes.
PAF_DISKLESS_BOOT: The diskless boot flag supports diskless boot servers. When this flag is set to 1, the security attribute information in network packet headers is not sent.
PAF_SELAGNT: The selection agent flag when set to 1 permits a process to bypass the Selection Manager when moving data from one window to another. See "Moving Data Between Windows" for more information.
PAF_PRINT_SYSTEM: The print system flag when set to 1 identifies a client process as a member of the printing subsystem.
PAF_LABEL_VIEW: When a user or role starts a process, this flag is set according to the label view specification in the label_encodings file or user label view setting in the /etc/security/tsol/tsoluser file. The label view applies to how the ADMIN_HIGH and ADMIN_LOW administrative labels are viewed in the system by users. The setting in the tsoluser file (if one exists) takes precedence over the setting in the label_encodings file.
A value of zero indicates the external view is in use and a value of 1 indicates the internal view is in use. Regardless of the value of this flag, a text to binary label translation can request the text string output for an administrative label to use the internal or external name. See Chapter 5, Label Code Examples in "Binary to Text Label Translation Routines" for details.
-
Internal view - Show ADMIN_HIGH and ADMIN_LOW.
-
External view - Set ADMIN_LOW to the next lowest label and ADMIN_HIGH to the next highest label as defined in label_encodings(4) .
PAF_LABEL_XLATE: The label translation flag when set to 1 indicates the flags= keyword option is in use in the label_encodings(4) file. This optional flag setting specifies which of 15 flags are associated with the word using this optional flag. Flags are not used by the system, but can be used by applications specifically written to use them to do such things as define certain words that appear only in printer banner labels (not in normal labels), or to define certain words that appear only in labels embedded in formal message traffic. This flag can be queried and set by a trusted path process only.
- © 2010, Oracle Corporation and/or its affiliates