Get and Set Process Security Attribute Flags

Use getpattr(2) to query the attribute flags of the calling process.

#include <tsol/pattr.h>

main()
{
	int retval;
	pattr_flag_t value;

	retval = getpattr(PAF_TRUSTED_PATH, &value);
	printf("Trusted Path Value = %d\n", value);

	retval = getpattr(PAF_PRIV_DBG, &value);
	printf("Priv Debug value = %d\n", value);

	retval = getpattr(PAF_TOKMAPPER, &value);
	printf("Trusted Network Value = %d\n", value);

	retval = getpattr(PAF_DISKLESS_BOOT, &value);
	printf("Diskless Boot Value = %d\n", value);

	retval = getpattr(PAF_SELAGNT, &value);
	printf("Bypass Selection Agent Value = %d\n", value);

	retval = getpattr(PAF_PRINT_SYSTEM, &value);
	printf("Print System Value = %d\n", value);

	retval = getpattr(PAF_LABEL_VIEW, &value);
	printf("Label View Value = %d\n", value);

	retval = getpattr(PAF_LABEL_XLATE, &value);
	printf("Label Translate Value = %x\n", value);

	retval = getpattr(PAF_AUTOMOUNT, &value);
	printf("Automounter Value = %x\n", value);
}

The printf statements print the following where a value of 0 means the flag is off, and a value of 1 means it is on. The label translation value is 0 when off and a hexadecimal value representing the label translation flags when on. See "Manifest Constant Values" for a description of the process attribute flags.

Trusted Path Value = 0
Priv Debug Value = 0
Trusted Network Value = 0
Diskless Boot value = 0
Bypass Selection Agent Value = 0
Print System Value = 0
Label View Value = 1
Label Translate Value = 1
Automounter Value = 1

Manifest Constant Values

PAF_TRUSTED_PATH: The trusted path flag is set for all administrative roles. Any process started from an administrative role has this flag set to 1. All other processes have this flag set to 0. This flag can be queried and cleared, but not set.

PAF_PRIV_DEBUG: The privilege debug flag is set to 1 when the process is started in privilege debugging mode. This flag can be queried by any process, but set only by a trusted path process. Enabling and using privilege debugging mode is described in Trusted Solaris Administrator's Procedures and "Privilege Debugging" in Appendix A, Programmer's Reference.

PAF_NO_TOKMAP: The trusted computing base network flag is set to 1 only on trusted computing base applications that send packets without security attributes to workstations that expect packets with security attributes.

PAF_DISKLESS_BOOT: The diskless boot flag supports diskless boot servers. When this flag is set to 1, the security attribute information in network packet headers is not sent.

PAF_SELAGNT: The selection agent flag when set to 1 permits a process to bypass the Selection Manager when moving data from one window to another. See "Moving Data Between Windows" for more information.

PAF_PRINT_SYSTEM: The print system flag when set to 1 identifies a client process as a member of the printing subsystem.

PAF_LABEL_VIEW: When a user or role starts a process, this flag is set according to the label view specification in the label_encodings file or user label view setting in the /etc/security/tsol/tsoluser file. The label view applies to how the ADMIN_HIGH and ADMIN_LOW administrative labels are viewed in the system by users. The setting in the tsoluser file (if one exists) takes precedence over the setting in the label_encodings file.

A value of zero indicates the external view is in use and a value of 1 indicates the internal view is in use. Regardless of the value of this flag, a text to binary label translation can request the text string output for an administrative label to use the internal or external name. See Chapter 5, Label Code Examples in "Binary to Text Label Translation Routines" for details.

• Internal view - Show ADMIN_HIGH and ADMIN_LOW.

• External view - Set ADMIN_LOW to the next lowest label and ADMIN_HIGH to the next highest label as defined in label_encodings(4) .

PAF_LABEL_XLATE: The label translation flag when set to 1 indicates the flags= keyword option is in use in the label_encodings(4) file. This optional flag setting specifies which of 15 flags are associated with the word using this optional flag. Flags are not used by the system, but can be used by applications specifically written to use them to do such things as define certain words that appear only in printer banner labels (not in normal labels), or to define certain words that appear only in labels embedded in formal message traffic. This flag can be queried and set by a trusted path process only.