NAME | DESCRIPTION | ATTRIBUTES | EXAMPLES | FILES | SEE ALSO
The security policy for device files can differ from that for regular files and is configured through the device_policy database file. The system must be rebooted in multiuser mode for changes to the file's contents to take effect. Each entry in the file consists of one or more lines and represents the device policy configuration for one or more device files. A backslash (\) at the end of a line continues the entry on the next line. A pound sign (#) as the first character of a line marks a comment line, which is ignored. Each entry is of the form:

    name:minor_name policy_type=value policy_type=value ...
name is the name of a device driver.
minor_name is the actual name of a minor node, or a string of shell metacharacters that represent several minor nodes. See sh(1).
If two or more entries match a device, devpolicy(1M) uses the first matching entry, so a specific entry must precede the general entry that would otherwise shadow it. For example, with the following device_policy entries, the policy for /dev/ptyp0 differs from the policy for the other pty devices:

    #
    # device_policy file
    #
    ptc:typ0    data_mac_policy=DR_MAC_EQ,DW_MAC_EQ
    #
    ptc:*       data_mac_policy=DR_MAC_ANY,DW_MAC_ANY
policy_type=value specifies a policy for the device nodes. There are four policy types: data_mac_policy, attr_mac_policy, open_priv, and str_type. The policy types and their allowed values are described below.
data_mac_policy
This policy type specifies what a process's sensitivity label (SL) must be for the process to have access to the device. The specified policy is enforced by the open(2) and access(2) system calls. The value for this type is a comma-separated pair of values, a read-MAC value and a write-MAC value, optionally followed by a modifier:
The read-MAC values are:
Process may have any SL.
Process SL must be equal to device SL.
Process SL must not equal device SL.
Device is not read accessible.
Process SL must dominate device SL.
Process SL must be dominated by device SL.
The write-MAC values are:
Process may have any SL.
Process SL must equal device SL.
Process SL must not equal device SL.
Device is not write accessible.
Process SL must dominate device SL.
Process SL must be dominated by device SL.
The optional read-MAC-modifier or write-MAC-modifier value is:
Automatically allocate the device on behalf of the opening process.
Get label directly from device. This is used only for console-related pseudo-devices, such as /dev/console or /dev/syslog.
For example:

    data_mac_policy=DR_MAC_EQ,DW_MAC_EQ
attr_mac_policy
This policy type specifies how access to the device's attributes is handled for the operations acl(2), chmod(2), chown(2), and stat(2). The value for this type is a comma-separated set of values: a read-MAC value, a write-MAC value, and an optional read-MAC modifier:
The read-MAC values are:
Process may have any SL.
Process SL must equal device SL.
Process SL must not equal device SL.
Device is not read accessible.
Process SL must dominate device SL.
Process SL must be dominated by device SL.
The write-MAC values are:
Process may have any SL.
Process SL must equal device SL.
Process SL must not equal device SL.
Device is not write accessible.
Process SL must dominate device SL.
Process SL must be dominated by device SL.
The optional read-MAC-modifier value is:
Return fabricated device attributes to the reading process. Fabrication is designed for a process that walks down an array of BSD-style ptys until it encounters an accessible pty (indicated by successfully getting device attributes) or reaches the end of the array.
For example:

    attr_mac_policy=DR_MAC_SDOM,DW_MAC_EQ
open_priv
This policy type specifies a privilege required to open the device. The specified privilege is required in addition to the data MAC policy. Privilege names can be given in upper or lower case, or an integer privilege ordinal can be used. For example:

    open_priv=sys_devices
    open_priv=none
str_type
The STREAMS type, meaningful only for STREAMS devices, specifies how the kernel stream head controls STREAMS messages. The value can be one of these keywords:
Loop type stream. Unlabeled stream control messages are allowed. Unlabeled data messages are not allowed.
Network type stream. Unlabeled stream messages are not allowed.
Device type stream. Unlabeled stream messages are allowed.
For example:

    str_type=DSTR_NET
    str_type=STR_DEV
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:

| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|---|---|
| Availability | SUNWtsu |
EXAMPLES

    mm:kmem \
        data_mac_policy=DR_MAC_EQ,DW_MAC_EQ \
        attr_mac_policy=DR_MAC_SDOM,DW_MAC_EQ
    mm:null \
        data_mac_policy=DR_MAC_ANY,DW_MAC_ANY \
        attr_mac_policy=DR_MAC_SDOM,DW_MAC_EQ
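The entry syntax, the backslash continuation and comment rules, and the first-match lookup described in the DESCRIPTION section (the ptc example) and illustrated again by the mm:kmem/mm:null entries above can be checked offline with a small parser. The following is an added example, not code from the man page or from Trusted Solaris: it joins continued lines, drops comment lines, splits each entry into name, minor_name pattern and policy fields, rejects policy types the page does not name and MAC values without the DR_/DW_ prefixes, and resolves a device's effective policy by taking the first matching entry. It assumes that minor_name patterns follow shell glob syntax (modelled here with fnmatch); the sample file is constructed from the page's two examples.

```python
"""Added example (not from the man page): parse device_policy entries and
resolve the effective policy for a device with the first-match rule.
Assumptions: minor_name patterns use shell glob syntax (modelled with
fnmatch), and the only policy types are the four the page names."""
from fnmatch import fnmatchcase

# Constructed sample: the page's ptc example and its mm example in one file.
SAMPLE_DEVICE_POLICY = """\
#
# device_policy file
#
ptc:typ0 data_mac_policy=DR_MAC_EQ,DW_MAC_EQ
#
ptc:* data_mac_policy=DR_MAC_ANY,DW_MAC_ANY
mm:kmem \\
    data_mac_policy=DR_MAC_EQ,DW_MAC_EQ \\
    attr_mac_policy=DR_MAC_SDOM,DW_MAC_EQ
mm:null \\
    data_mac_policy=DR_MAC_ANY,DW_MAC_ANY \\
    attr_mac_policy=DR_MAC_SDOM,DW_MAC_EQ
"""

POLICY_TYPES = ("data_mac_policy", "attr_mac_policy", "open_priv", "str_type")
MAC_TYPES = ("data_mac_policy", "attr_mac_policy")


def logical_entries(text):
    """Yield one string per entry: '#' lines dropped, backslash continuations joined."""
    parts = []
    for raw in text.splitlines():
        if raw.startswith("#"):          # comment only when '#' is the first character
            continue
        line = raw.rstrip()
        if line.endswith("\\"):          # trailing backslash: next line continues this entry
            parts.append(line[:-1])
            continue
        parts.append(line)
        entry = " ".join(parts).strip()
        parts = []
        if entry:
            yield entry
    entry = " ".join(parts).strip()      # continuation left open at end of file
    if entry:
        yield entry


def check_mac_value(value):
    """A MAC value is read-MAC, write-MAC and at most one modifier (DR_MAC_/DW_MAC_ prefixes as on the page)."""
    fields = value.split(",")
    return (2 <= len(fields) <= 3
            and fields[0].startswith("DR_MAC_")
            and fields[1].startswith("DW_MAC_"))


def parse_entry(entry):
    """Split 'name:minor_name type=value ...' into (name, minor_pattern, {type: value})."""
    fields = entry.split()
    if ":" not in fields[0]:
        raise ValueError(f"missing name:minor_name in {entry!r}")
    name, minor = fields[0].split(":", 1)
    policies = {}
    for field in fields[1:]:
        ptype, sep, value = field.partition("=")
        if not sep or ptype not in POLICY_TYPES:
            raise ValueError(f"unknown policy field {field!r} in {entry!r}")
        if ptype in MAC_TYPES and not check_mac_value(value):
            raise ValueError(f"malformed {ptype} value {value!r} in {entry!r}")
        policies[ptype] = value
    return name, minor, policies


def load_device_policy(text):
    """Parse a whole file into an ordered list of (name, minor_pattern, policies)."""
    return [parse_entry(e) for e in logical_entries(text)]


def effective_policy(entries, device):
    """First matching entry wins, as devpolicy(1M) does; None when no entry matches."""
    name, _, minor = device.partition(":")
    for ename, pattern, policies in entries:
        if ename == name and fnmatchcase(minor, pattern):
            return policies
    return None


if __name__ == "__main__":
    entries = load_device_policy(SAMPLE_DEVICE_POLICY)
    for dev in ("ptc:typ0", "ptc:typ7", "mm:kmem", "mm:zero"):
        print(dev, effective_policy(entries, dev))
```

Running the block resolves ptc:typ0 to the equal-label policy and every other ptc minor node to the catch-all entry; reversing the entry order makes the ptc:* entry shadow ptc:typ0, which is the ordering mistake the first-match rule makes easy and the reason a review of this file should read it top to bottom.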