man pages section 2: System Calls

setpattr(2)

NAME

getpattr, setpattr- Get/set process attribute flags

SYNOPSIS

cc

flags

file

-ltsol

#include <tsol/pattr.h>

type

value

type

value

DESCRIPTION

Process attribute flags are a set of flags that describe additional attributes that the process has. Each flag in the set is separately addressable although all flags share the getpattr() and the setpattr() system call interfaces. Likewise, each flag in the set has its own protection policy although all flags use the same protection mechanism. In the set are seven types of flags, specified in <tsol/pattr.h> , and addressed by the type argument. These are the values for type :

PAF_TRUSTED_PATH: Trusted path flag
PAF_PRIV_DBG: Privilege debugging flag
PAF_TOKMAPPER: Network token mapping process flag
PAF_LABEL_VIEW: Label view flags
PAF_LABEL_XLATE: Label translation flags
PAF_DISKLESS_BOOT: Part of diskless boot flag
PAF_SELAGNT: Part of selection agent flag
PAF_PRINT_SYSTEM: Part of trusted printing system flag A description of each type of process attribute flag follows:

Trusted path flag

This one-bit flag marks a trusted path process. This flag can be viewed and cleared, but cannot be set. In other words, the call to setpattr ( PAF_TRUSTED_PATH , PAF_TP_OFF ) will always fail. A process inherits the trusted path flag from its parent process. The init process receives the trusted path flag from the system. A user session creator, such as login , clears this flag before starting a user session.

setpattr(PAF_TRUSTED_PATH, PAF_TP_OFF)

Privilege debugging flag

This one-bit flag indicates that the process is in privilege-debugging mode--a process-operation mode in which privilege requirement is logged but not enforced. This flag can be viewed or cleared, but cannot be set except by a trusted path process.

Network token mapping process flag

This one-bit flag, when set, identifies the process as the network token mapping process. The network token mapping process is exempt from network token mapping. This flag can be viewed and cleared, but cannot be set except by a trusted path process.

Label view flags

These two-bit flags support per-process label translation. These flags are viewable and modifiable without restriction.

Label translation flags

These fifteen-bit flags support the GFI FLAGS= option in the label_encodings file. Only a trusted path process can view or modify these flags.

Part of diskless boot flag

This one-bit flag identifies the process as taking part in diskless booting. This flag can be viewed and cleared, but cannot be set except by a trusted path process.

Part of selection agent flag

This one-bit flag identifies the process as part of the "cut and paste" selection agent. This flag can be viewed and cleared, but cannot be set except by a trusted path process.

Part of trusted printing system flag

This one-bit flag identifies the process as a member of the Trusted Printing System. This flag can be viewed and cleared, but cannot be set except by a trusted path process.

In short, these flag-related protection policies apply. Any process may view or clear any process attribute flag except the label translation flags; viewing or clearing the label translation flags requires that a process have the trusted path attribute. Any process may set label view flags; setting other flags requires that the setting process have the trusted path attribute.

getpattr() copies the type process flag of the calling process into the pattr_flag_t variable addressed by value . Only the lower n bits are copied, where n is the width of the flag. The higher bits are cleared.

setpattr() copies the lower n bits of value to the type process flag of the calling process, where n is the width of the selected process flag.

RETURN VALUES

getpattr() and setpattr() return:

0: On success.
-1: On failure, and sets errno to indicate the error.

ERRORS

getpattr() may fail for one of these reasons:

EFAULT: The value argument points to a bad address.
EINVAL: The type argument is not one of the listed type constants.
EACCES: The calling process is not a trusted path process as required to view the type flag.

setpattr() may fail for one of these reasons:

EFAULT: The value argument points to a bad address.
EINVAL: The type argument is not one of the listed type constants.
EACCES: The calling process is not a trusted path process as required to modify the type flag.

Trusted Solaris 8 Reference Manual

pattr(1)

Trusted Solaris 8 Last Revised 1 Nov 1999