libselinux/man/man3/getexeccon.3 - platform/external/selinux - Git at Google

 .TH "getexeccon" "3" "1 January 2004" "[email protected]" "SELinux API documentation"
 .SH "NAME"
 getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process.

 rpm_execcon \- run a helper for rpm in an appropriate security context

 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int getexeccon(security_context_t *" context );

 .BI "int setexeccon(security_context_t "context );

 .BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[] , char *const " envp "[]);

 .SH "DESCRIPTION"
 .B getexeccon
 retrieves the context used for executing a new process.
 This returned context should be freed with freecon if non-NULL.
 getexeccon sets *con to NULL if no exec context has been explicitly
 set by the program (i.e. using the default policy behavior).

 .B setexeccon
 sets the context used for the next execve call.
 NULL can be passed to
 setexeccon to reset to the default policy behavior.
 The exec context is automatically reset after the next execve, so a
 program doesn't need to explicitly sanitize it upon startup.


 setexeccon can be applied prior to library
 functions that internally perform an execve, e.g. execl*, execv*, popen,
 in order to set an exec context for that operation.


 Note: Signal handlers that perform an execve must take care to
 save, reset, and restore the exec context to avoid unexpected behavior.


 .B rpm_execcon
 runs a helper for rpm in an appropriate security context.  The
 verified parameter should contain the return code from the signature
 verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 ==
 nottrusted, 4 == nokey), although this information is not yet used by
 the function.  The function determines the proper security context for
 the helper based on policy, sets the exec context accordingly, and
 then executes the specified filename with the provided argument and
 environment arrays.


 .SH "RETURN VALUE"
 On error -1 is returned.

 On success getexeccon and setexeccon returns 0.
 rpm_execcon only returns upon errors, as it calls execve(2).

 .SH "SEE ALSO"
 .BR selinux "(8), " freecon "(3), " getcon "(3)"
	.TH "getexeccon" "3" "1 January 2004" "[email protected]" "SELinux API documentation"
	.SH "NAME"
	getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process.

	rpm_execcon \- run a helper for rpm in an appropriate security context

	.SH "SYNOPSIS"
	.B #include <selinux/selinux.h>
	.sp
	.BI "int getexeccon(security_context_t *" context );

	.BI "int setexeccon(security_context_t "context );

	.BI "int rpm_execcon(unsigned int " verified ", const char " filename ", char const " argv "[] , char *const " envp "[]);

	.SH "DESCRIPTION"
	.B getexeccon
	retrieves the context used for executing a new process.
	This returned context should be freed with freecon if non-NULL.
	getexeccon sets *con to NULL if no exec context has been explicitly
	set by the program (i.e. using the default policy behavior).

	.B setexeccon
	sets the context used for the next execve call.
	NULL can be passed to
	setexeccon to reset to the default policy behavior.
	The exec context is automatically reset after the next execve, so a
	program doesn't need to explicitly sanitize it upon startup.


	setexeccon can be applied prior to library
	functions that internally perform an execve, e.g. execl, execv, popen,
	in order to set an exec context for that operation.


	Note: Signal handlers that perform an execve must take care to
	save, reset, and restore the exec context to avoid unexpected behavior.


	.B rpm_execcon
	runs a helper for rpm in an appropriate security context. The
	verified parameter should contain the return code from the signature
	verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 ==
	nottrusted, 4 == nokey), although this information is not yet used by
	the function. The function determines the proper security context for
	the helper based on policy, sets the exec context accordingly, and
	then executes the specified filename with the provided argument and
	environment arrays.


	.SH "RETURN VALUE"
	On error -1 is returned.

	On success getexeccon and setexeccon returns 0.
	rpm_execcon only returns upon errors, as it calls execve(2).

	.SH "SEE ALSO"
	.BR selinux "(8), " freecon "(3), " getcon "(3)"