RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2024-12-13 09:34:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
9eb9c93275
selinux/libselinux/man/man3/getcon.3
Stephen Smalley 9eb9c93275 Get rid of security_context_t and fix const declarations. 
In attempting to enable building various part of Android with -Wall -Werror,
we found that the const security_context_t declarations in libselinux
are incorrect; const char * was intended, but const security_context_t
translates to char * const and triggers warnings on passing
const char * from the caller.   Easiest fix is to replace them all with
const char *.  And while we are at it, just get rid of all usage of
security_context_t itself as it adds no value - there is no true
encapsulation of the security context strings and callers already
directly use string functions on them.  typedef left to permit
building legacy users until such a time as all are updated.

This is a port of Change-Id I2f9df7bb9f575f76024c3e5f5b660345da2931a7
from Android, augmented to deal with all of the other code in upstream
libselinux and updating the man pages too.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
2014-02-19 16:11:48 -05:00

119 lines
3.0 KiB
Groff
Raw Blame History

.TH "getcon" "3" "21 December 2011" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
getcon, getprevcon, getpidcon \- get SELinux security context of a process
freecon, freeconary \- free memory associated with SELinux security contexts
getpeercon \- get security context of a peer socket
setcon \- set current security context of a process
.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int getcon(char **" context );
.sp
.BI "int getcon_raw(char **" context );
.sp
.BI "int getprevcon(char **" context );
.sp
.BI "int getprevcon_raw(char **" context );
.sp
.BI "int getpidcon(pid_t " pid ", char **" context );
.sp
.BI "int getpidcon_raw(pid_t " pid ", char **" context );
.sp
.BI "int getpeercon(int " fd ", char **" context );
.sp
.BI "int getpeercon_raw(int " fd ", char **" context );
.sp
.BI "void freecon(char * "con );
.sp
.BI "void freeconary(char **" con );
.sp
.BI "int setcon(char * " context );
.sp
.BI "int setcon_raw(char * " context );
.
.SH "DESCRIPTION"
.BR getcon ()
retrieves the context of the current process, which must be free'd with
freecon.
.BR getprevcon ()
same as getcon but gets the context before the last exec.
.BR getpidcon ()
returns the process context for the specified PID.
.BR getpeercon ()
retrieves context of peer socket, and set
.BI * context
to refer to it, which must be free'd with
.BR freecon ().
.BR freecon ()
frees the memory allocated for a security context.
.BR freeconary ()
frees the memory allocated for a context array.
If
.I con
is NULL, no operation is performed.
.BR setcon ()
sets the current security context of the process to a new value. Note
that use of this function requires that the entire application be
trusted to maintain any desired separation between the old and new
security contexts, unlike exec-based transitions performed via
.BR setexeccon (3).
When possible, decompose your application and use
.BR setexeccon (3)
and
.BR execve (3)
instead.
Since access to file descriptors is revalidated upon use by SELinux,
the new context must be explicitly authorized in the policy to use the
descriptors opened by the old context if that is desired. Otherwise,
attempts by the process to use any existing descriptors (including
.IR stdin ,
.IR stdout ,
and
.IR stderr )
after performing the
.BR setcon ()
will fail.
A multi-threaded application can perform a
.BR setcon ()
prior to creating
any child threads, in which case all of the child threads will inherit
the new context. However,
.BR setcon ()
will fail if there are any other
threads running in the same process.
If the process was being ptraced at the time of the
.BR setcon ()
operation, ptrace permission will be revalidated against the new
context and the
.BR setcon ()
will fail if it is not allowed by policy.
.BR getcon_raw (),
.BR getprevcon_raw (),
.BR getpidcon_raw (),
.BR getpeercon_raw ()
and
.BR setcon_raw ()
behave identically to their non-raw counterparts but do not perform context
translation.
.
.SH "RETURN VALUE"
On error \-1 is returned. On success 0 is returned.
.
.SH "SEE ALSO"
.BR selinux "(8), " setexeccon "(3)"
Reference in New Issue View Git Blame Copy Permalink