proc_rbac_op Subroutine

Purpose

Sets, unsets, and queries a process' RBAC properties.

Library

Standard C Library (libc.a)

Syntax

#include <sys/cred.h>
#include <sys/types.h>

int proc_rbac_op (Pid,Cmd, Param)
pid_t Pid
int Cmd
int *Param

Description

The proc_rbac_op subroutine is used to set, unset, and query a process' Role Based Access Control (RBAC) awareness.

To use the proc_rbac_op subroutine, the calling process must have the ACT_P_SET_PAGRBAC privilege. If running in a Trusted AIX® environment, the calling process must have the appropriate label properties to perform the operation on the target process specified by the Pid parameter.

Parameters

Item	Description
Cmd	Specifies the command to run on the target process. The Cmd parameter has the following values: PROC_RBAC_SET Sets the flag that is specified in the Param parameter for the target process. PROC_RBAC_UNSET Clears the flag that is specified in the Param parameter for the target process. PROC_RBAC_GET Returns the status of the process's security flags in regards to the SEC_NOEXEC, SEC_RBACAWARE, and SEC_PRIVCMD.
Pid	Specifies the Pid for the target process. A negative Pid value denotes the current process.
Param	This parameter is dependent on the command that the Cmd parameter specifies. PROC_RBAC_SET and PROC_RBAC_UNSET: Can only be SEC_NOEXEC or SEC_RBACAWARE. Only one flag can be specified for a call. PROC_RBAC_GET: Upon return, holds the status of SEC_NOEXEC, SEC_RBACAWARE, and SEC_PRIVCMD.

Item

Description

Cmd

Specifies the command to run on the target process. The Cmd parameter has the following values:

PROC_RBAC_SET: Sets the flag that is specified in the Param parameter for the target process.
PROC_RBAC_UNSET: Clears the flag that is specified in the Param parameter for the target process.
PROC_RBAC_GET: Returns the status of the process's security flags in regards to the SEC_NOEXEC, SEC_RBACAWARE, and SEC_PRIVCMD.

Pid

Specifies the Pid for the target process. A negative Pid value denotes the current process.

Param

This parameter is dependent on the command that the Cmd parameter specifies.

PROC_RBAC_SET and PROC_RBAC_UNSET: Can only be SEC_NOEXEC or SEC_RBACAWARE. Only one flag can be specified for a call.

PROC_RBAC_GET: Upon return, holds the status of SEC_NOEXEC, SEC_RBACAWARE, and SEC_PRIVCMD.

Return Values

On successful completion, the proc_rbac_op subroutine returns the value of zero. If the subroutine fails, it returns a value of 1, and the errno will be set.

Error Codes

The proc_rbac_op subroutine fails if one of the following values is true:

Item	Description
EINVAL	An invalid Cmd value was given or a NULL pointer was given for the Status parameter with the PROC_RBAC_GET command.
ESRCH	The pid value does not correspond to a valid process.
EPERM	The calling process does not have the appropriate RBAC privilege. Or, if the Trusted AIX is enabled, the calling process does not have the appropriate label information.
EFAULT	The copy operation to the Param buffer fails.
ENOSYS	The system is not running in the enhanced RBAC mode.