getcmwlabel(2)

NAME | SYNOPSIS | DESCRIPTION | RETURN VALUES | ERRORS | NOTES | SEE ALSO

NAME

getcmwlabel, lgetcmwlabel, fgetcmwlabel- Get file CMW label

SYNOPSIS

cc [flags...] file ... -ltsol [library...]


#include <tsol/label.h>

int getcmwlabel(char * path, bclabel_t * label_p);
int lgetcmwlabel(char * path, bclabel_t * label_p);
int fgetcmwlabel(int fd, bclabel_t * label_p);

DESCRIPTION

getcmwlabel() obtains the CMW label of the file named by path . Mandatory read access to the final component of path is required or the calling process must have PRIV_FILE_MAC_READ in its set of effective privileges. Discretionary read, write or execute permission to the final component of path is not required, but all directories in the path prefix of path must be searchable.

If path refers to a FIFO , then the CMW label associated with the FIFO is returned. The information label portion of label_p returned by this interface does not vary with the information label associated with any data that is present in the FIFO .

If path refers to a directory, then the information label portion is undefined.

lgetcmwlabel() is like getcmwlabel() except in the case where the final component of path is a symbolic link, in which case lgetcmwlabel() returns the CMW label of the link, while getcmwlabel() returns the CMW label of the file to which the link refers.

fgetcmwlabel() obtains the CMW label of an open file referred to by the argument descriptor, such as would be obtained by an open(2) call. If the descriptor is only open for writing, then mandatory read access to the object is required or the calling process must have PRIV_FILE_MAC_READ in its set of effective privileges.

label_p is a pointer to an opaque CMW label structure.

An exception to the access rules applies in the case of pty pseudo-terminals ( /dev/ptyp* and /dev/ttyp* ). Normally mandatory read access is required or the calling process must have PRIV_FILE_MAC_READ in its set of effective privileges. If the specified file is a pty device file and the calling process does not have mandatory read access or PRIV_FILE_MAC_READ is not in its set of effective privileges, each function returns success and sets label_p to the ADMIN_LOW sensitivity label and the ADMIN_LOW information label.

RETURN VALUES

getcmwlabel() , lgetcmwlabel() and fgetcmwlabel() return:

0

On success.

-1

On failure, and set errno to indicate the error.

ERRORS

getcmwlabel() and lgetcmwlabel() fail if one or more of the following are true:

EACCES

Search permission is denied for a component of the path prefix of path . To override this restriction, the calling process may assert the PRIV_FILE_DAC_SEARCH privilege and/or the PRIV_FILE_MAC_SEARCH privilege.

The calling process does not have mandatory read access to path because the sensitivity label of the calling process does not dominate the sensitivity label of the final component of path and the calling process does not have PRIV_FILE_MAC_READ in its set of effective privileges.

EFAULT

label_p or path points to an invalid address.

EIO

An I/O error occurred while reading from or writing to the file system.

ELOOP

Too many symbolic links were encountered in translating path .

ENAMETOOLONG

The length of the path argument exceeds PATH_MAX .

A pathname component is longer than NAME_MAX while _POSIX_NO_TRUNC is in effect (see pathconf(2) ).

ENOENT

The file referred to by path does not exist.

ENOTDIR

A component of the path prefix of path is not a directory.

EPERM

The calling process does not have mandatory read access to path because the sensitivity label of path is outside the calling process' clearance and the calling process does not have PRIV_FILE_MAC_READ in its set of effective privileges.

fgetcmwlabel() fails if one or more of the following are true:

EACCES

The descriptor is only open for writing and the calling process does not have mandatory read access to the object referred to by the descriptor because the sensitivity label of the calling process does not dominate the sensitivity label of the object and the calling process does not have PRIV_FILE_MAC_READ in its set of effective privileges.

EBADF

fd is not a valid open file descriptor.

EFAULT

label_p points to an invalid address.

EIO

An I/O error occurred while reading from or writing to the file system.

NOTES

Information labels ( IL s) are not supported in Trusted Solaris 7 and later releases. Trusted Solaris software interprets any IL s on communications and files from systems running earlier releases as ADMIN_LOW .

Objects still have CMW labels, and CMW labels still include the IL component: IL[SL] ; however, the IL component is fixed at ADMIN_LOW .

As a result, Trusted Solaris 7 has the following characteristics:

• IL s do not display in window labels; SL s (Sensitivity Labels) display alone within brackets.

• IL s do not float.

• Setting an IL on an object has no effect.

• Getting an object's IL will always return ADMIN_LOW .

• Although certain utilities, library functions, and system calls can manipulate IL strings, the resulting IL s are always ADMIN_LOW , and cannot be set on any objects.

SEE ALSO

Trusted Solaris 8 Reference Manual

pathconf(2) , open(2) , setcmwlabel(2)

Trusted Solaris 8  Last Revised 30 Sep 1999

NAME | SYNOPSIS | DESCRIPTION | RETURN VALUES | ERRORS | NOTES | SEE ALSO