63 lines
2.2 KiB
Groff
63 lines
2.2 KiB
Groff
.TH "getcon" "3" "1 January 2004" "russell@coker.com.au" "SE Linux API documentation"
|
|
.SH "NAME"
|
|
getcon, getprevcon, getpidcon \- get SE Linux security context of a process.
|
|
.br
|
|
getpeercon - get security context of a peer socket.
|
|
.br
|
|
setcon - set current security context of a process.
|
|
.SH "SYNOPSIS"
|
|
.B #include <selinux/selinux.h>
|
|
.sp
|
|
.BI "int getcon(security_context_t *" context );
|
|
.br
|
|
.BI "int getprevcon(security_context_t *" context );
|
|
.br
|
|
.BI "int getpidcon(pid_t " pid ", security_context_t *" context );
|
|
.br
|
|
.BI "int getpeercon(int " fd ", security_context_t *" context);
|
|
.br
|
|
.BI "int setcon(security_context_t " context);
|
|
|
|
.SH "DESCRIPTION"
|
|
.B getcon
|
|
retrieves the context of the current process, which must be free'd with
|
|
freecon.
|
|
|
|
.B getprevcon
|
|
same as getcon but gets the context before the last exec.
|
|
|
|
.B getpidcon
|
|
returns the process context for the specified PID.
|
|
|
|
.B getpeercon
|
|
retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.
|
|
|
|
.B setcon
|
|
sets the current security context of the process to a new value. Note
|
|
that use of this function requires that the entire application be
|
|
trusted to maintain any desired separation between the old and new
|
|
security contexts, unlike exec-based transitions performed via
|
|
setexeccon(3). When possible, decompose your applicaiton and use
|
|
setexeccon() and execve() instead.
|
|
|
|
Since access to file descriptors is revalidated upon use by SELinux,
|
|
the new context must be explicitly authorized in the policy to use the
|
|
descriptors opened by the old context if that is desired. Otherwise,
|
|
attempts by the process to use any existing descriptors (including
|
|
stdin, stdout, and stderr) after performing the setcon() will fail.
|
|
|
|
A multi-threaded application can perform a setcon() prior to creating
|
|
any child threads, in which case all of the child threads will inherit
|
|
the new context. However, setcon() will fail if there are any other
|
|
threads running in the same process.
|
|
|
|
If the process was being ptraced at the time of the setcon()
|
|
operation, ptrace permission will be revalidated against the new
|
|
context and the setcon() will fail if it is not allowed by policy.
|
|
|
|
.SH "RETURN VALUE"
|
|
On error -1 is returned. On success 0 is returned.
|
|
|
|
.SH "SEE ALSO"
|
|
.BR freecon "(3), " setexeccon "(3)"
|