Trusted Solaris Developer's Guide

Query File System Security Attributes

File system security attributes fill in absent security attributes on local and mounted file system objects that were not assigned a full set of security attributes by the system administrator or did not acquire them from their creating process. You can get file system security attributes from the vfstab(4) and vfstab_adjunct(4) files, or from the file or directory inode.

Get Attributes from Adjunct File

The vfstab_adjunct(4) file contains remote mount points and their related security information. This file is set up and maintained by the system administrator so that file systems mounted to local workstations from remote workstations have the correct security attributes.

This example retrieves and displays lines from vfstab_adjunct(4). The getvfsaent(3TSOL) routine reads the first entry of the file on its first call and the next entry on each subsequent call. The getvfsafile(3TSOL) routine reads the entry for the mount point named by its file argument.


Note - Be sure to include stdio.h as shown in the example code below.

#include <stdio.h>
#include <stdlib.h>
#include <tsol/vfstab_adjunct.h>

int
main(void)
{
	struct vfsaent *entry;
	char *vfsfile = "/etc/security/tsol/vfstab_adjunct";
	char *file = "/shark/doc";
	int retval;
	FILE *fp;

	fp = fopen(vfsfile, "r");
	if (fp == NULL) {
		printf("Can't open %s\n", vfsfile);
		exit(1);
	}

	/* Step through file line-by-line: each call returns the next entry. */
	retval = getvfsaent(fp, &entry);
	if (retval == 0) {
		printf("Mount Point is %s\nSecurity Info is %s\n",
		    entry->vfsa_fsname, entry->vfsa_attr);
		free(entry);	/* entry is allocated by getvfsaent(3TSOL) */
	} else {
		printf("No entries!\n");
	}

	/* Rewind so the lookup below scans from the top of the file. */
	fseek(fp, 0L, SEEK_SET);

	/* Retrieve the entry for one specific mount point. */
	retval = getvfsafile(fp, &entry, file);
	if (retval == 0) {
		printf("Mount Point is %s\nSecurity Info is %s\n",
		    entry->vfsa_fsname, entry->vfsa_attr);
		free(entry);
	} else {
		printf("Mount point not found.\n");
	}
	fclose(fp);
	return (0);
}

The printf statements print the following. The only entry in this vfstab_adjunct file is for the /opt/SUNWspro mount point, so the lookup for /shark/doc fails:


Mount Point is /opt/SUNWspro
Security Info is slabel=[C]:allowed all
Mount Point not found
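The read-first-entry, rewind, then look-up-one-mount-point flow above depends on the Trusted Solaris getvfsaent(3TSOL) and getvfsafile(3TSOL) routines. The following added example (not code from the guide) reproduces that flow over a constructed in-memory copy of an adjunct file, so it can be run anywhere. It assumes a simplified one-entry-per-line format of "mount_point<whitespace>attribute_string" with blank and "#" lines ignored; this layout, the sample entries, and the adj_* names are assumptions for the example, not the real vfstab_adjunct(4) syntax. The point it adds to the page's code is the checking a consumer of such a file should do: treat end-of-file and a malformed entry as different results, and refuse oversize fields rather than truncating them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample standing in for vfstab_adjunct(4); not a real file. */
static const char *sample_adjunct =
    "# constructed sample, not a real vfstab_adjunct\n"
    "/opt/SUNWspro slabel=[C]:allowed all\n"
    "\n"
    "/export/home slabel=[ADMIN_LOW]:allowed none\n";

struct adj_entry {			/* plays the role of struct vfsaent */
	char fsname[256];
	char attr[256];
};

struct adj_cursor {			/* plays the role of the FILE * */
	const char *text;
	size_t pos;
};

/* Read the next entry. Returns 0 on success, -1 at end of input,
 * 1 on a malformed line (0 / nonzero, as the page's code tests). */
int
adj_next(struct adj_cursor *cur, struct adj_entry *out)
{
	for (;;) {
		const char *line = cur->text + cur->pos;
		const char *nl;
		size_t len, i, j;

		if (*line == '\0')
			return (-1);			/* end of file */
		nl = strchr(line, '\n');
		len = nl ? (size_t)(nl - line) : strlen(line);
		cur->pos += len + (nl ? 1 : 0);

		if (len == 0 || line[0] == '#')
			continue;			/* blank line or comment */

		/* Mount point runs to the first blank; attributes follow it. */
		for (i = 0; i < len && line[i] != ' ' && line[i] != '\t'; i++)
			;
		for (j = i; j < len && (line[j] == ' ' || line[j] == '\t'); j++)
			;
		/* Reject missing fields or fields too long to store, rather than truncate. */
		if (i == 0 || j == len || i >= sizeof (out->fsname) ||
		    len - j >= sizeof (out->attr))
			return (1);
		memcpy(out->fsname, line, i);
		out->fsname[i] = '\0';
		memcpy(out->attr, line + j, len - j);
		out->attr[len - j] = '\0';
		return (0);
	}
}

void
adj_rewind(struct adj_cursor *cur)		/* the fseek() of the page's code */
{
	cur->pos = 0;
}

/* Find one mount point. Returns 0 if found, -1 if absent, 1 on a malformed line. */
int
adj_find(struct adj_cursor *cur, struct adj_entry *out, const char *mount)
{
	int rc;

	adj_rewind(cur);
	while ((rc = adj_next(cur, out)) == 0) {
		if (strcmp(out->fsname, mount) == 0)
			return (0);
	}
	return (rc);
}

/* Number of well-formed entries, or -1 if any line is malformed. */
int
adj_count(const char *text)
{
	struct adj_cursor cur = { text, 0 };
	struct adj_entry e;
	int n = 0, rc;

	while ((rc = adj_next(&cur, &e)) == 0)
		n++;
	return (rc == -1 ? n : -1);
}

/* Attribute string for a mount point (static storage), or NULL if not found. */
const char *
adj_attr_for(const char *text, const char *mount)
{
	static struct adj_entry e;
	struct adj_cursor cur = { text, 0 };

	return (adj_find(&cur, &e, mount) == 0 ? e.attr : NULL);
}

int
main(void)
{
	struct adj_cursor cur = { sample_adjunct, 0 };
	struct adj_entry entry;

	if (adj_next(&cur, &entry) == 0)		/* first entry */
		printf("Mount Point is %s\nSecurity Info is %s\n", entry.fsname, entry.attr);
	else
		printf("No entries!\n");
	adj_rewind(&cur);
	if (adj_find(&cur, &entry, "/shark/doc") == 0)	/* specific mount point */
		printf("Mount Point is %s\nSecurity Info is %s\n", entry.fsname, entry.attr);
	else
		printf("Mount point not found.\n");
	return (0);
}
```

Run as is, main() prints the /opt/SUNWspro entry and then "Mount point not found." for /shark/doc, matching the page's output. adj_count() returns -1 as soon as one line is malformed; a consumer that instead skipped bad lines silently could mount a file system with no security attributes at all, which is the condition this file exists to prevent.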

Get Attributes from inode

The following code gets the CMW label (FSA_LABEL) of file into buffer with getfsattr(3TSOL), then converts the binary label to a printable string with bcltos(3TSOL).

#include <stdio.h>
#include <stdlib.h>
#include <tsol/fsattr.h>
#include <tsol/label.h>

int
main(void)
{
	char *file = "/export";
	char buffer[3 * 1024];		/* receives the binary CMW label */
	char *string = NULL;		/* bcltos(3TSOL) allocates the text form */
	int length, retval;

	length = sizeof (buffer);
	retval = getfsattr(file, FSA_LABEL, buffer, length);
	if (retval != 0) {
		printf("getfsattr failed on %s\n", file);
		exit(1);
	}
	/* Convert the binary label to a string before printing it. */
	retval = bcltos((bclabel_t *)buffer, &string, 0, VIEW_INTERNAL);
	if (retval < 0) {
		printf("bcltos failed\n");
		exit(1);
	}
	printf("/export CMW label = %s\n", string);
	free(string);
	return (0);
}

The printf statement prints the following:

/export CMW label = [ADMIN_LOW]

Manifest Constant Values

Manifest constant values can be any one of the following:

FSA_ACLCNT - File system Access Control List (ACL) entry count.

FSA_ACL - File system access ACL.

FSA_APRIV - File system allowed privilege set.

FSA_FPRIV - File system forced privilege set.

FSA_LABEL - File system CMW label.

FSA_AFLAGS - File system attribute flags as described in "Get and Set File System Security Attribute Flags".

FSA_LBLRNG - File system label range.

FSA_MLDPFX - File system MLD prefix string.

FSA_APSACNT - Number of classes in the process audit preselection mask.

FSA_APSA - Classes in the process audit preselection mask. The process needs the file_audit privilege in its effective set to get this information. See "Privileges and Authorizations" for more information.

Manifest Constant Descriptions

The programming interfaces for accessing CMW labels, file system label ranges, file privileges, and multilevel directories are described briefly in "Trusted Solaris Security Mechanisms" and in more detail in their respective chapters in this guide.