This chapter describes the special requirements of programming in a trusted environment, and lists new system and library calls available under Trusted IRIX/CMW.
Trusted IRIX/CMW conforms to the specifications in POSIX P1003.1eD15.
There are a number of guidelines that anyone who programs in a secure environment should follow:

- To simplify your work, do not duplicate the work done by the I&A programs of the Trusted IRIX/CMW system.
- Make sure that all variables are in bounds.
- Reduce global variable usage wherever possible.
- Limit the functionality of each module to only one distinct task.
- Do not create a procedure that circumvents any of the programmatic flow.
- If overrides must be added, document them thoroughly in the code.
- By design and principle, minimize the use of privilege required or permitted by your programs.
The following system and library calls are relevant to Trusted IRIX/CMW. Man pages exist for each of these calls in man page sections 2 and 3. Table 6-1 below lists each call and its corresponding action.
Table 6-1. Trusted IRIX/CMW System and Library Calls
System/Library Call | Action |
---|---|
setlabel(2) | Set the MAC label of a file |
satgetid(2), satsetid(2) | Get or set the audit identity of the calling process |
saton(2), satoff(2) | Turn on or off auditing of the specified audit type |
satread(2) | Read a block of audit record data |
satstate(2) | Query state of the specified audit type |
satvwrite(2) | Write a block of audit record data |
satwrite(2) | Write a block of audit record data |
acl_copy_ext(3C) | Copy ACL from system to user space or from user to system space |
acl_delete_def_file(3C) | Delete the default ACL for a named directory |
acl_dup(3C) | Make a copy of an ACL |
acl_free(3C) | Free memory allocated by ACL interface calls |
acl_from_text(3C) | Convert a POSIX ACL string to a struct acl or a struct acl to a POSIX ACL string |
acl_get_fd(3C), acl_set_fd(3C) | Get or set the ACL associated with an open file |
acl_get_file(3C), acl_set_file(3C) | Get or set the ACL for a pathname |
acl_size(3C) | Return the size of an ACL |
acl_to_short_text(3C) | Convert a binary format ACL to a short form ASCII ACL string |
acl_to_text(3C) | Convert a binary format ACL to an ASCII ACL string |
acl_valid(3C) | Validate an ACL |
cap_acquire(3C) | Make permitted set capabilities effective or remove effective capabilities |
cap_clear(3C) | Clear the fields of a capability |
cap_copy_ext(3C) | Copy capability from system to user space or from user to system space |
cap_dup(3C) | Make a copy of a capability |
cap_envl(3C), cap_envp(3C) | Ensure that the calling process has sufficient privilege to perform actions requiring the specified capabilities |
cap_free(3C) | Free allocated capability |
cap_from_text(3C) | Convert a POSIX capabilities string to internal form |
cap_get_fd(3C), cap_set_fd(3C) | Get or set the capabilities for an open file |
cap_get_file(3C), cap_set_file(3C) | Get or set the capabilities for a pathname |
cap_get_flag(3C), cap_set_flag(3C) | Get or set the value of a capability flag in a capability |
cap_get_proc(3C), cap_set_proc(3C) | Get or set process capabilities |
cap_init(3C) | Allocate a capability structure |
cap_set_proc_flags(3C) | Set the capability state flags for the current process |
cap_size(3C) | Return the size of a capability |
cap_surrender(3C) | Remove capabilities from the effective set |
cap_to_text(3C) | Convert capabilities to a POSIX capabilities string |
cap_value_to_text(3C) | Return the POSIX name for a capability value |
getspwnam(3) | Get a user's name from the administrative database |
getuserinfonam(3), getuserinfouid(3) | Get information about a user |
ia_audit(3) | Create and write an audit record, using satwrite |
mac_cleared(3C), mac_clearedlbl(3C) | Report on user's clearance |
mac_dominate(3C) | Compare two MAC labels for dominance relationship |
mac_dup(3C) | Produce a duplicate copy of a MAC label |
mac_equal(3C) | Compare two MAC labels for the equality relationship |
mac_free(3C) | Free allocated MAC object |
mac_from_text(3C) | Convert an ASCII MAC label string to a binary format MAC label |
mac_get_fd(3C), mac_set_fd(3C) | Get or set the MAC label associated with an open file |
mac_get_file(3C), mac_set_file(3C) | Get or set the MAC label for a pathname |
mac_get_proc(3C), mac_set_proc(3C) | Get or set the MAC label for the current process |
mac_size(3C) | Get the size of a MAC label |
mac_to_text(3) | Convert a binary format MAC label to an ASCII MAC label string |
mac_to_text_long(3C) | Convert a binary format MAC label to a long form ASCII MAC label string |
mac_valid(3C) | Test a MAC label for validity |
sat_eventtostr(3), sat_strtoevent(3) | Convert an audit event index to or from an audit event string |
sat_intrp_pathname(3) | Portable interface to interpret sat_pathname structs |
sat_read_file_info(3), sat_write_file_info(3), sat_free_file_info(3) | Portable interfaces to read audit file headers |
sat_read_header_info(3), sat_free_header_info(3) | Portable interfaces to read audit record headers |
sgi_getcapabilitybyname(3C) | Get the default and allowed capability sets for a named user |
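The table lists mac_dominate(3C) and mac_equal(3C) without spelling out what the dominance relation is. The following added example, which is not code from the Trusted IRIX/CMW manual, models that relation in portable C so it can be run anywhere: a label is taken to be one hierarchical sensitivity level plus a bitmask of non-hierarchical categories, and the standard no-read-up / no-write-down rules are derived from dominance. The label layout and every name prefixed `model_` are assumptions made for illustration; the real IRIX `mac_t` object is opaque and must only be handled through the `mac_*(3C)` interfaces above.

```c
/* Added example, not code from the Trusted IRIX/CMW manual: a portable model
 * of the MAC label dominance relation evaluated by mac_dominate(3C) and
 * mac_equal(3C). The label layout (one sensitivity level plus a category
 * bitmask) and all names prefixed model_ are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int      level;       /* sensitivity level: larger means more sensitive */
    uint64_t categories;  /* compartments: one bit per category */
} model_label;

#define MODEL_CAT_A (1ULL << 0)   /* constructed category bits */
#define MODEL_CAT_B (1ULL << 1)

model_label model_make_label(int level, uint64_t categories)
{
    model_label l = { level, categories };
    return l;
}

/* a dominates b when a's level is at least b's level and a carries every
 * category that b carries. Two labels can be incomparable: neither dominates. */
bool model_mac_dominate(const model_label *a, const model_label *b)
{
    return a->level >= b->level && (b->categories & ~a->categories) == 0;
}

bool model_mac_equal(const model_label *a, const model_label *b)
{
    return a->level == b->level && a->categories == b->categories;
}

/* Read access (no read up): the process label must dominate the object label. */
bool model_may_read(const model_label *proc, const model_label *obj)
{
    return model_mac_dominate(proc, obj);
}

/* Write access (no write down): the object label must dominate the process label. */
bool model_may_write(const model_label *proc, const model_label *obj)
{
    return model_mac_dominate(obj, proc);
}

int main(void)
{
    /* constructed labels: a high process and a low object, plus two incomparable labels */
    model_label high = model_make_label(2, MODEL_CAT_A | MODEL_CAT_B);
    model_label low  = model_make_label(1, MODEL_CAT_A);
    model_label a    = model_make_label(2, MODEL_CAT_A);
    model_label b    = model_make_label(2, MODEL_CAT_B);

    printf("high dominates low: %d\n", model_mac_dominate(&high, &low));
    printf("low dominates high: %d\n", model_mac_dominate(&low, &high));
    printf("a and b comparable: %d\n",
           model_mac_dominate(&a, &b) || model_mac_dominate(&b, &a));
    printf("high may read low: %d, high may write low: %d\n",
           model_may_read(&high, &low), model_may_write(&high, &low));
    return 0;
}
```

The incomparable case is the one to keep in mind: `mac_dominate` returning false for (a, b) says nothing about (b, a), so code that needs an ordering must test both directions rather than assuming the negation.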
The following program code fragment will identify whether your Trusted IRIX/CMW system currently supports capabilities, mandatory access control, and the secure audit trail.
```c
#include <unistd.h>

if (sysconf(_SC_CAP)) {
    /* capabilities are supported. Perform actions required to comply with capability rules. */
}
if (sysconf(_SC_MAC)) {
    /* mandatory access control is supported. Perform actions required to comply with MAC rules. */
}
if (sysconf(_SC_SAT)) {
    /* secure audit trail is supported. Perform actions required to comply with auditing rules. */
}
```
The following program code fragment demonstrates how to temporarily enable a specific capability to perform a particular task.
```c
#include <sys/capability.h>

cap_t cap;
cap_value_t capv = CAP_XTCB;

/* Make CAP_XTCB effective; cap holds the state returned by cap_acquire(3C). */
cap = cap_acquire(1, &capv);
/* Now perform capability dependent tasks before releasing the capability. */
cap_surrender(cap);
```
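The bracket above is the whole point of the "minimize privilege" guideline: a capability is effective only between the acquire and the surrender. The following added example, which is not code from the Trusted IRIX/CMW manual, models the capability-set rules behind that bracket in portable C so the behaviour can be checked without an IRIX system. The two sets (permitted and effective), the bit values and all names prefixed `model_` are assumptions for illustration; on Trusted IRIX/CMW the real `cap_acquire(3C)` and `cap_surrender(3C)` act on the kernel's per-process sets, and `CAP_XTCB` is the real capability value named above.

```c
/* Added example, not code from the Trusted IRIX/CMW manual: a portable model
 * of the capability sets behind the cap_acquire/cap_surrender bracket. The
 * permitted/effective sets and all names prefixed model_ are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t model_cap_set;
#define MODEL_CAP_XTCB  (1ULL << 0)  /* stands in for CAP_XTCB */
#define MODEL_CAP_OTHER (1ULL << 1)  /* a constructed second capability */

typedef struct {
    model_cap_set permitted;  /* upper bound on what may ever become effective */
    model_cap_set effective;  /* what the kernel consults on a privileged operation */
} model_proc_caps;

/* Like cap_acquire: raise a permitted capability into the effective set.
 * Anything outside the permitted set cannot be raised. */
bool model_cap_acquire(model_proc_caps *p, model_cap_set want)
{
    if ((want & ~p->permitted) != 0)
        return false;
    p->effective |= want;
    return true;
}

/* Like cap_surrender: drop the capability from the effective set. It stays
 * permitted, so a later bracket can acquire it again. */
void model_cap_surrender(model_proc_caps *p, model_cap_set drop)
{
    p->effective &= ~drop;
}

/* Run one task with exactly the capability it needs effective, and drop it
 * again whatever the task returns. Returns the task status, or -1 when the
 * capability is not in the permitted set. */
int model_with_capability(model_proc_caps *p, model_cap_set need,
                          int (*task)(const model_proc_caps *))
{
    if (!model_cap_acquire(p, need))
        return -1;
    int rc = task(p);
    model_cap_surrender(p, need);
    return rc;
}

/* Constructed privileged task: succeeds only while XTCB is effective. */
int model_privileged_task(const model_proc_caps *p)
{
    return (p->effective & MODEL_CAP_XTCB) ? 0 : 1;
}

/* Scenario: start with the given permitted set and an empty effective set,
 * run the task inside the bracket, and report the effective set afterwards. */
int model_run_scenario(model_cap_set permitted, model_cap_set *effective_after)
{
    model_proc_caps p = { permitted, 0 };
    int rc = model_with_capability(&p, MODEL_CAP_XTCB, model_privileged_task);
    if (effective_after)
        *effective_after = p.effective;
    return rc;
}

model_cap_set model_effective_after(model_cap_set permitted)
{
    model_cap_set eff = 0;
    model_run_scenario(permitted, &eff);
    return eff;
}

int main(void)
{
    model_cap_set eff;
    int rc = model_run_scenario(MODEL_CAP_XTCB, &eff);
    printf("XTCB permitted: task status %d, effective set after bracket %#llx\n",
           rc, (unsigned long long)eff);
    rc = model_run_scenario(MODEL_CAP_OTHER, &eff);
    printf("XTCB not permitted: task status %d (refused before the task ran)\n", rc);
    return 0;
}
```

Wrapping the task in a function that always surrenders on the way out is what keeps the bracket narrow even when the task fails partway; the same discipline applies to the real calls, where the `cap_t` returned by `cap_acquire` must reach `cap_surrender` on every exit path.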