t6get_endpt_mask(3N)t6get_endpt_mask(3N)NAME
t6get_endpt_mask, t6set_endpt_mask, t6get_endpt_default,
t6set_endpt_default - get or set endpoint security attribute mask, get or
set endpoint default security attributes
SYNOPSIS
cc [ flags ... ] file
#include <sys/t6attrs.h>
int t6get_endpt_mask(int fd, t6mask_t *mask)
int t6set_endpt_mask(int fd, t6mask_t mask)
int t6get_endpt_default(int fd, t6mask_t mask, t6attr_t attr_ptr)
int t6set_endpt_default(int fd, t6mask_t mask, const t6attr_t attr_ptr)
DESCRIPTION
The security extensions on the communication endpoint include a set of
default security attributes that may be applied to outgoing data and an
attribute mask that designates which attributes are taken from the
endpoint's default attributes and which are taken from the process's
effective attributes.
By default, data written to an endpoint has associated with it the
security attributes of the process that wrote the data. However, a
privileged process may change the value of the default attribute mask on
an endpoint it had created, and the endpoint's default attributes.
t6get_endpt_mask allows a process to obtain the current setting of the
default attribute mask for the endpoint specified by fd. The attribute
mask is returned in the parameter mask. Note that the following
attributes will silently fail to be returned: T6_NAT_CAVEATS, T6_ACL,
T6_IL, T6_PID, T6_RESV10, T6_AUDIT_INFO, T6_CLEARANCE.
t6set_endpt_mask allows a process to set the bit values of the default
attribute mask for the endpoint specified by fd to the value specified by
mask. A bit value of 0 indicates the attribute is taken from the
process's effective attributes; and a bit value of 1 indicates the the
attribute is taken from the endpoint's default attributes.
t6get_endpt_default allows a process to get the current setting of the
default attributes of the endpoint specified by fd. mask indicates which
attributes are present in the parameter attr_ptr. To access attr_ptr,
see t6get_attr(3N)
t6set_endpt_default allows a process to set the default attributes of the
endpoint specified by fd to the attributes specified by the parameter
attr_ptr. mask indicates which attributes are present in the parameter
attr_ptr. To set up attr_ptr, see t6set_attr(3N).
Page 1
t6get_endpt_mask(3N)t6get_endpt_mask(3N)
Note that the t6set_endpt_default() will fail and return EINVAL if any of
the following attributes are set: T6_NAT_CAVEATS, T6_ACL, T6_IL, T6_PID,
T6_RESV10, T6_AUDIT_INFO ).
CAPABILITIES
t6set_endpt_mask always requires CAP_NETWORK_MGT capability.
t6set_endpt_default requires different capabilities for each different
value of t6mask_t. (listed in following table)
Value of t6mask_t Capability required
T6_SL CAP_MAC_RELABEL_OPEN, CAP_MAC_UPGRADE,
CAP_MAC_DOWNGRADE
T6_INTEG_LABEL CAP_MAC_RELABEL_OPEN, CAP_MAC_UPGRADE,
CAP_MAC_DOWNGRADE
T6_SESSION_ID CAP_NETWORK_MGT
T6_CLEARANCE CAP_MAC_RELABEL_OPEN, CAP_MAC_UPGRADE,
CAP_MAC_DOWNGRADE
T6_PRIVILEGES CAP_SETPCAP
T6_AUDIT_ID CAP_AUDIT_CONTROL
T6_UID CAP_SETUID
T6_GID CAP_SETGID
T6_GROUPS CAP_SETGID
The above table shows the maximum capability that may be required for
each t6mask_t attribute. CAP_MAC_RELABEL_OPEN is only required when
setting a label of type MSEN_EQUAL_LABEL or MINT_EQUAL_LABEL.
CAP_MAC_UPGRADE is required if the new label dominates the old one.
CAP_MAC_DOWNGRADE is required if the new label does not dominate the old
one. Generally the CAP_MAC_UPGRADE and CAP_MAC_DOWNGRADE capabilities
will be necessary.
RETURN VALUE
On successful completion these calls return 0. If either call encounters
an error, the appropriate error code is returned.
ERRORS
[EFAULT] Encountered a bad pointer address.
[ENOTSOCK] Attempted a socket operation on a non-socket.
Page 2
t6get_endpt_mask(3N)t6get_endpt_mask(3N)
[EINVAL] Invalid argument.
SEE ALSOlibt6(3N), t6sendto(3N), t6set_attr(3N)SOURCE
Trusted Systems Interoperability Group
NOTES
Page 3
