.\" Chris PeBenito 473ea7
.TH "getexeccon" "3" "1 January 2004" "russell@coker.com.au" "SE Linux API documentation"
.SH "NAME"
getexeccon, setexeccon \- get or set the SE Linux security context used for executing a new process.
.br
rpm_execcon \- run a helper for rpm in an appropriate security context
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int getexeccon(security_context_t *" context );
.br
.BI "int setexeccon(security_context_t " context );
.br
.BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[], char *const " envp "[]);
.SH "DESCRIPTION"
.B getexeccon
retrieves the context used for executing a new process.
This returned context should be freed with freecon if non-NULL.
getexeccon sets *context to NULL if no exec context has been explicitly
set by the program (i.e. using the default policy behavior).
.sp
.B setexeccon
sets the context used for the next execve call.
NULL can be passed to
setexeccon to reset to the default policy behavior.
The exec context is automatically reset after the next execve, so a
program doesn't need to explicitly sanitize it upon startup.
.sp
setexeccon can be applied prior to library
functions that internally perform an execve, e.g. execl*, execv*, popen,
in order to set an exec context for that operation.
.sp
Note: Signal handlers that perform an execve must take care to
save, reset, and restore the exec context to avoid unexpected behaviors.
.sp
.B rpm_execcon
runs a helper for rpm in an appropriate security context. The
verified parameter should contain the return code from the signature
verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 ==
nottrusted, 4 == nokey), although this information is not yet used by
the function. The function determines the proper security context for
the helper based on policy, sets the exec context accordingly, and
then executes the specified filename with the provided argument and
environment arrays.
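.sp
The two usage patterns described above, as an added example that is not part of libselinux or of this page: a small helper that reproduces getexeccon/setexeccon directly on the kernel attribute those functions wrap, then uses it both to run a child in a requested context and to bracket a call that execs internally with the save, reset and restore sequence the note on signal handlers asks for. The attribute path /proc/thread-self/attr/exec, the meaning of a zero-length read (no exec context set) and of a zero-length write (reset), the example label, and every function name are the example's own assumptions, not statements of this page.

```c
/* Added example, not libselinux code: the getexeccon(3)/setexeccon(3)
 * pattern built directly on the kernel attribute those functions wrap.
 * Assumptions (the example's, not the man page's): the attribute is
 * /proc/thread-self/attr/exec, a zero-length read means "no exec context
 * set", and a zero-length write clears it. All function names are mine. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The attribute is per thread: set it from the thread that will execve(2). */
#define EXEC_ATTR "/proc/thread-self/attr/exec"

/* Normalise the bytes read from the attribute into a context string.
 * Zero bytes or an empty string means "not set" and yields *ctx == NULL, as
 * getexeccon(3) does; otherwise *ctx is malloc'd (free it, as freecon(3)
 * would) with any trailing NUL or newline removed. Returns 0, -1 on ENOMEM. */
int parse_exec_attr(const char *buf, size_t n, char **ctx)
{
    size_t len = 0;
    while (len < n && buf[len] != '\0' && buf[len] != '\n')
        len++;
    *ctx = NULL;
    if (len == 0)
        return 0;
    *ctx = malloc(len + 1);
    if (*ctx == NULL)
        return -1;
    memcpy(*ctx, buf, len);
    (*ctx)[len] = '\0';
    return 0;
}

/* getexeccon(3) equivalent. */
int get_exec_context(char **ctx)
{
    char buf[4096];
    int fd = open(EXEC_ATTR, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    int saved = errno;              /* close() must not clobber the error */
    close(fd);
    errno = saved;
    return n < 0 ? -1 : parse_exec_attr(buf, (size_t)n, ctx);
}

/* setexeccon(3) equivalent; NULL resets to the default policy behaviour. */
int set_exec_context(const char *ctx)
{
    int fd = open(EXEC_ATTR, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = ctx ? write(fd, ctx, strlen(ctx) + 1) : write(fd, "", 0);
    int saved = errno;
    close(fd);
    errno = saved;
    return n < 0 ? -1 : 0;
}

/* Run path in the requested context (NULL = policy default). The context is
 * set in the child, after fork(), so the parent's own next execve(2) is never
 * affected. Returns the helper's exit status; 126 if the kernel refused the
 * context, 127 if execv failed, -1 if fork/waitpid failed. */
int run_helper(const char *ctx, const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (set_exec_context(ctx) < 0)
            _exit(126);
        execv(path, argv);          /* the exec context is consumed here */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Save / reset / restore around a call that execs internally (popen(3),
 * system(3)): the bracket the man page asks for in signal handlers. A real
 * signal handler would have to avoid the malloc inside get_exec_context(). */
int call_with_default_exec_context(int (*fn)(void *), void *arg)
{
    char *saved = NULL;
    if (get_exec_context(&saved) < 0 || set_exec_context(NULL) < 0) {
        free(saved);
        return -1;
    }
    int rc = fn(arg);
    if (set_exec_context(saved) < 0)    /* put the pending context back */
        rc = -1;
    free(saved);
    return rc;
}
```

A call such as run_helper("system_u:system_r:rpm_script_t:s0", "/bin/true", argv) returns 0 only when the kernel accepted the label and the helper ran; the child's 126 and 127 exit codes let the caller tell "context refused" (no SELinux on this kernel, the label is unknown to the loaded policy, or the caller lacks permission to set an exec context) from "binary not found". On a kernel without SELinux every set_exec_context() call fails, which matches the \-1 that setexeccon returns there. Setting the context in the child rather than before fork() also avoids leaving a pending exec context in the parent, which is the situation the signal-handler note warns about.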
.SH "RETURN VALUE"
On error \-1 is returned.
.sp
On success getexeccon and setexeccon return 0.
rpm_execcon only returns upon errors, as it calls execve(2).
.SH "SEE ALSO"
.BR freecon "(3), " getcon "(3), " execve "(2)"