.TH "getexeccon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
.SH "NAME"
getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process

rpm_execcon \- run a helper for rpm in an appropriate security context
.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int getexeccon(security_context_t *" context );
.sp
.BI "int getexeccon_raw(security_context_t *" context );
.sp
.BI "int setexeccon(security_context_t " context );
.sp
.BI "int setexeccon_raw(security_context_t " context );
.sp
.BI "int setexecfilecon(const char *" filename ", const char *" fallback_type );
.sp
.BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[], char *const " envp "[]);
.
.SH "DESCRIPTION"
.BR getexeccon ()
retrieves the context used for executing a new process.
The returned context should be freed with
.BR freecon (3)
if non-NULL.
.BR getexeccon ()
sets
.BI * context
to NULL if no exec context has been explicitly
set by the program (i.e., the default policy behavior is in effect).

.BR setexeccon ()
sets the context used for the next
.BR execve (2)
call.
NULL can be passed to
.BR setexeccon ()
to reset to the default policy behavior.
The exec context is automatically reset after the next
.BR execve (2),
so a program doesn't need to explicitly sanitize it upon startup.

.BR setexeccon ()
can be applied prior to library
functions that internally perform an
.BR execve (2),
e.g.
.BR execl *(3),
.BR execv *(3),
.BR popen (3),
in order to set an exec context for that operation.

.BR getexeccon_raw ()
and
.BR setexeccon_raw ()
behave identically to their non-raw counterparts but do not perform context
translation.

.B Note:
Signal handlers that perform an
.BR execve (2)
must take care to
save, reset, and restore the exec context to avoid unexpected behavior.

.BR setexecfilecon ()
sets the context used for the next
.BR execve (2)
call, based on the policy for the
.IR filename ,
and falling back to a new context with a
.I fallback_type
in case there is no transition.

.BR rpm_execcon ()
is deprecated; please use
.BR setexecfilecon ()
in conjunction with
.BR execve (2)
in all new code. This function
runs a helper for rpm in an appropriate security context. The
.I verified
parameter should contain the return code from the signature
verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 ==
nottrusted, 4 == nokey), although this information is not yet used by
the function. The function determines the proper security context for
the helper based on policy, sets the exec context accordingly, and
then executes the specified filename with the provided argument and
environment arrays.
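The following C program is an added example; it is not code from libselinux or from this manual page. It shows two things the text above describes: the save, set, run, restore discipline around setexeccon() that the Note asks for on any code path that forks and execs without a chance to relabel in the child (popen(3), system(3), a signal handler), and a fork()+execve() helper that replaces the deprecated rpm_execcon() with setexecfilecon(). The libselinux prototypes are declared as weak symbols, an assumption of this example, so the file links with or without -lselinux; without the library the wrappers fail with ENOSYS rather than running the helper unlabelled. The wrapper names, the count_calls body and the helper type rpm_script_t are this example's choices, not part of the API.

```c
/* Added example; not code from libselinux or this manual page. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Prototypes as in <selinux/selinux.h> (security_context_t is a char *).
 * Declared weak here (an assumption of this example) so the file links
 * with or without -lselinux; without the library the pointers are NULL
 * and every wrapper fails with ENOSYS instead of skipping the labelling.
 */
extern int  getexeccon(char **context) __attribute__((weak));
extern int  setexeccon(const char *context) __attribute__((weak));
extern int  setexecfilecon(const char *filename,
                           const char *fallback_type) __attribute__((weak));
extern void freecon(char *context) __attribute__((weak));

/* 1 when libselinux is linked in, 0 otherwise. */
int selinux_available(void)
{
    return getexeccon && setexeccon && setexecfilecon && freecon;
}

/*
 * Run body(arg) with the exec context set to `context` (NULL = default
 * policy behaviour), then put the caller's previous exec context back.
 * Returns body's result, or -1 with errno set when the context could not
 * be saved or set; body is not run in that case.
 */
int with_exec_context(const char *context, int (*body)(void *), void *arg)
{
    char *saved = NULL;
    int rc, err;

    if (!selinux_available()) {
        errno = ENOSYS;
        return -1;
    }
    /* getexeccon() leaves *saved NULL when no context was explicitly set. */
    if (getexeccon(&saved) < 0)
        return -1;
    if (setexeccon(context) < 0) {
        err = errno;
        if (saved)
            freecon(saved);
        errno = err;
        return -1;
    }
    rc = body(arg);
    err = errno;
    /* Restore unconditionally; passing NULL resets to the default. */
    if (setexeccon(saved) < 0 && rc >= 0) {
        rc = -1;
        err = errno;
    }
    if (saved)
        freecon(saved);
    errno = err;
    return rc;
}

/*
 * Replacement for rpm_execcon(): run filename with argv/envp in the
 * context policy assigns to it, falling back to a context of type
 * fallback_type when policy defines no transition.  The label is set in
 * the child only, so the parent's exec context is untouched.  Returns the
 * child's exit status (127 if the helper could not be labelled or
 * executed), or -1 with errno set.
 */
int run_labelled_helper(const char *filename, const char *fallback_type,
                        char *const argv[], char *const envp[])
{
    pid_t pid;
    int status;

    if (!selinux_available()) {
        errno = ENOSYS;
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setexecfilecon(filename, fallback_type) < 0)
            _exit(127);
        execve(filename, argv, envp);
        _exit(127);             /* only reached if execve() failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}

/* Body for the demo: counts how often it ran and returns that count. */
int count_calls(void *arg)
{
    return ++*(int *)arg;
}

int main(void)
{
    char *const argv[] = { "/bin/true", NULL };
    char *const envp[] = { NULL };
    int calls = 0;
    /* rpm_script_t is the helper type assumed by this example. */
    int rc = run_labelled_helper("/bin/true", "rpm_script_t", argv, envp);
    printf("helper exit status: %d%s\n", rc,
           rc < 0 && errno == ENOSYS ? " (libselinux not linked)" : "");
    rc = with_exec_context(NULL, count_calls, &calls);
    printf("body ran %d time(s), result %d\n", calls, rc);
    return 0;
}
```

Build with cc -o helper helper.c -lselinux on an SELinux system; building without -lselinux exercises the ENOSYS path, where both wrappers refuse to proceed instead of launching the helper with whatever exec context the parent happened to have pending.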
.
.SH "RETURN VALUE"
On error \-1 is returned.

On success
.BR getexeccon (),
.BR setexeccon ()
and
.BR setexecfilecon ()
return 0.
.BR rpm_execcon ()
only returns upon errors, as it calls
.BR execve (2).
.
.SH "SEE ALSO"
.BR selinux "(8), " freecon "(3), " getcon "(3)"