man pages section 4: File Formats

device_allocate(4)

NAME

device_allocate- device allocate information file

SYNOPSIS

/etc/security/device_allocate

DESCRIPTION

The device_allocate file contains information about allocatable devices. Corresponding entries in device_maps(4) list the device special files associated with the allocatable device.

This file is normally created using the mkdevdb(1M) command, run by the init.d(4) scripts during a system's initial bootload or when the system is booted with the -r (reconfigure) option. The mkdevdb command creates a set of entries for the system's audio and removable media devices.

The preferred method of modifying the device_allocate file is to use the Device Administration dialog box of the Device Allocation Manager.

Each device is represented by a one-line entry of the form:

device-name;device-type;attributes;reserved;device-authorization;device-clean

where

device-name

is the name used to identify the device for allocations. The allocation name is an arbitrary text string, containing no embedded white space or non-printable characters. Note, however, that the init.d(4) scripts assume that the allocation names will not be changed for entries they created using mkdevdb(1M). If these entries are renamed, the init.d scripts will create new (and possibly conflicting) entries when the system is rebooted with the -r option. Also, the /etc/security/lib/device_clean script depends on the names of disk devices having the names assigned by mkdevdb.

device-type

is the generic device type, used to identify and group together devices of like type. This field is an arbitrary text string, containing no embedded white space or non-printable characters.

attributes

is a colon-separated string of key=value pairs.

device-authorization

is a comma-separated list of authorizations. A user must have at least one of these authorizations to allocate the device. In place of the authorization list, this field may contain an * to indicate that the device is not allocatable, or an @ to indicate that no explicit authorization is needed to allocate the device.

An optional colon (:) plus a second list of authorizations may be used to provide different authorizations for allocations from the trusted path (primarily through the Device Allocation Manager) and for allocations that do not come from the trusted path (primarily by command-line use of the allocate(1) command). The syntax for this form of the authorizations field is tp_auths:nontp_auths. If a device allocation request comes from the trusted path, the user must have one of the authorizations specified in tp_auths. For requests not from the trusted path, the user must have one of the authorizations specified in nontp_auths. Either of these may be * or @.

device-clean

is the path of a device cleaning program to be run any time the device is allocated or deallocated. The cleaning program ensures that all usable data is purged from the physical drive before it is reused.

The device cleaning program may interact with the user via prompts and responses on stdout/stdin.

An alternate version of the cleaning program for use in a windowing environment may be supplied by using the same path with the suffix .windowing appended. The windowing version may use the window system to interact with the user via dialogs.

Lines in device_allocate can end with a \ to continue an entry on the next line.

Leading and trailing blanks are allowed in any of the fields.

The recommended method of modifying the device_allocate file is through the Add Allocatable Device action and the Device Allocation Manager. A designated administrative role uses the Add Allocatable Device action to add a device with default attributes. The Device Allocation Manager's Configure dialog box is used for modifications to a device. These tools handle the formatting of entries (including translation of plain text sensitivity labels to hex), and audit all changes. They preserve the correct permissions, ownership, and label of the device_allocate file.

EXAMPLES

Example 1 Sample Device Allocate File

# Allow local (trusted path) allocation of audio to any user,
# Disallow all remote (non-trusted path) allocation of audio.

audio; \
     audio; \
     minsl=0x000000000000000000000000000000000000000\
          00000000000000000000000000000: \
     maxsl=0x7ffffffffffffffffffffffffffffffffffffff\
          fffffffffffffffffffffffffffff; \
     reserved; \
     @:*; \
     /etc/security/audio_clean_wrapper; \

# Allow tape drive use by users with either the
# solaris.device.allocate or com.xyzcompany.tape authorization.

mag_tape_0; \
     st; \
     minsl=0x000000000000000000000000000000000000000\
          00000000000000000000000000000: \
     maxsl=0x7ffffffffffffffffffffffffffffffffffffff\
          fffffffffffffffffffffffffffff; \
     reserved; \
     solaris.device.allocate,com.xyzcompany.tape; \
     /etc/security/lib/disk_clean; \

# Allow CD use by anyone at [SECRET] or above.

cdrom_0; \
     sr; \
     minsl=0x00050c000000000000000000000000000000000\
          0000000000000003ffffffffffff0: \
     maxsl=0x7ffffffffffffffffffffffffffffffffffffff\
          fffffffffffffffffffffffffffff; \
     reserved; \
@; \
/etc/security/lib/disk_clean;

FILES

/etc/security/device_allocate: Administrative file defining parameters for device allocation.

SUMMARY OF TRUSTED SOLARIS CHANGES

Devices are labeled, and by default require authorization for allocating and deallocating. The authorization field can optionally specify separate authorizations for allocations made from the trusted path and allocations not made from the trusted path. Special entries for framebuffer and printers are used by the window system and the printing system.

Trusted Solaris 8 4/01 Reference Manual

allocate(1), deallocate(1), list_devices(1), mkdevdb(1M), device_deallocate(4), device_maps(4)

SunOS 5.8 Reference Manual

auth_attr(4)

NOTES

A special entry for the framebuffer device is used to specify the minimum, and maximum labels at which users may log in to the workstation. This entry is used by the window system rather than by the allocate(1) command.

Special entries for printers are used to specify the minimum and maximum labels at which users may submit print requests for a printer. The device-name field contains the name of the printer. This entry is used by the printing system rather than by the allocate(1) command. There need not be a corresponding entry in the device_maps file; if it exists, its contents are ignored by the printing system. Serial line entries may be similarly specified.

Trusted Solaris 8 4/01 Last Revised 18 May 2001