Purpose
Modifies multiple device attributes in the privileged device database.
Library
Security Library (libc.a)
Description
The putdevattrs subroutine modifies one or more attributes in the privileged device database. If the database is not open, this subroutine does an implicit open for reading and writing. The device specified by the Device parameter must include the full path to the device and exist in the privileged device database.
The putdevattrs subroutine is only used to modify attributes of existing devices in the database. To create or remove device entries, use the putdevattr subroutine instead. Data changed by the putdevattrs subroutine must be explicitly committed by calling the putdevattr subroutine with a Type parameter specifying SEC_COMMIT. Until all the data is committed, only the getdevattr and getdevattrs subroutines within the process return the modified data. Changes made to the privileged device database do not impact security considerations until the entire database is sent to the Kernel Security Tables using the setkst device.
The Attributes parameter contains information about each attribute that is to be updated. Each value specified in the Attributes parameter must be examined on a successful call to the putdevattrs subroutine to determine if the Attributes parameter was successfully written. The dbattr_t data structure contains the following fields:
Item | Description |
attr_name | The name of the device attribute to update. |
attr_idx | This attribute is used internally by the putdevattrs subroutine. |
attr_type | The type of the attribute being updated. |
attr_flag | The result of the request to update the desired attribute. On success, a value of zero is returned. Otherwise, a nonzero value is returned. |
attr_un | A union containing the value to update the requested attribute with. |
attr_domain | This field is ignored by the putdevattrs subroutine. |
The following valid privileged device attributes for the putdevattrs subroutine are defined in the usersec.h file:
Name | Description | Type |
S_READPRIVS | Privileges required to read from the device. Eight privileges can be defined. A process with any of the read privileges is allowed to read from the device. | SEC_LIST |
S_WRITEPRIVS | Privileges required to write to the device. Eight privileges can be defined. A process with any of the write privileges is allowed to write to the device. | SEC_LIST |
The union members that follow correspond to the definitions of the attr_char, attr_int, attr_long and attr_llong macros in the usersec.h file respectively.
Item | Description |
au_char | A character pointer to the value to be written for attributes of the SEC_CHAR and SEC_LIST types. |
au_int | Integer value to be written for attributes of the SEC_INT type. |
au_long | Long value to be written for attributes of the SEC_LONG type. |
au_llong | Long long value to be written for attributes of the SEC_LLONG type. |
Parameters
Item | Description |
Device | Specifies the device name for which the attributes are to be updated. |
Attributes | A pointer to an array of zero or more elements of the dbattr_t type. The list of device attributes is defined in the usersec.h header file. |
Count | The number of array elements in the Attributes parameter. |
Security
Files Accessed:
File | Mode |
/etc/security/privdevs | rw |
Return Values
If the device specified by the Device parameter exists in the privileged device database, the putdevattrs subroutine returns zero, even in the case when no attributes in the Attributes parameter were successfully updated. On success, the attr_flag attribute of each element in the Attributes parameter must be examined to determine if it was successfully updated. On failure, a value of -1 is returned and the errno value is set to indicate the error.
Error Codes
If the putdevattrs subroutine returns -1, one of the following errno values can be set:
Item | Description |
EINVAL | The Device parameter is NULL, default or ALL. |
EINVAL | The Count parameter is less than zero. |
EINVAL | The Attributes parameter is NULL and the Count parameter is greater than zero. |
EINVAL | The Attributes parameter does not point to valid data for the requested attribute. |
ENOENT | The device specified in the Device parameter does not exist. |
EPERM | The operation is not permitted. |
If the putdevattrs subroutine fails to update an attribute, one of the following errors is returned in the attr_flag field of the corresponding Attributes entry:
Item | Description |
EACCES | The invoker does not have write access to the privileged device database. |
EINVAL | The attr_name field in the Attributes entry is not a recognized privileged device attribute. |
EINVAL | The attr_type field in the Attributes entry contains a type that is not valid. |
EINVAL | The attr_un field in the Attributes entry does not point to a valid buffer or to valid data for this type of attribute. |
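The sequence this page describes (update, check every attr_flag, then commit), as an added example that is not IBM's code: set_device_privs is a hypothetical helper that commits only when every attribute was accepted. Assumptions not stated on the page: the prototypes putdevattrs(Device, Attributes, Count) and putdevattr(Device, Attribute, Value, Type), a commit call that passes NULL for Attribute and Value, and SEC_LIST buffers holding NUL-terminated names closed by one extra NUL. The #else branch is a constructed stand-in with placeholder values so the file also builds off AIX.

```c
#include <errno.h>
#include <stddef.h>
#ifdef _AIX
#include <usersec.h>   /* real dbattr_t, putdevattrs, putdevattr, S_* and SEC_* */
#else
/* Constructed stand-in for building off AIX; field names follow the page. */
enum { SEC_LIST = 1, SEC_COMMIT = 2 };   /* placeholder values, not AIX's */
#define S_READPRIVS  "readprivs"          /* placeholder strings */
#define S_WRITEPRIVS "writeprivs"
typedef struct { char *attr_name; short attr_idx, attr_type, attr_flag;
    union { char *au_char; int au_int; long au_long; long long au_llong; } attr_un;
    char *attr_domain; } dbattr_t;
static int commits;                       /* counts simulated SEC_COMMIT calls */
/* Mimics the documented contract: returns 0, reports problems per entry. */
static int putdevattrs(char *dev, dbattr_t *a, int n) {
    if (dev == NULL || n < 0 || (a == NULL && n > 0)) { errno = EINVAL; return -1; }
    for (int i = 0; i < n; i++)           /* stand-in rule: an empty list is EINVAL */
        a[i].attr_flag = (a[i].attr_un.au_char && *a[i].attr_un.au_char) ? 0 : EINVAL;
    return 0;
}
static int putdevattr(char *dev, char *attr, void *val, int type) {
    (void)dev; (void)attr; (void)val;
    if (type == SEC_COMMIT) commits++;
    return 0;
}
#endif

/* Returns -1 if a call failed (errno set), otherwise the number of attributes
 * that were NOT written. Commits only when that number is zero. */
int set_device_privs(char *device, char *readprivs, char *writeprivs) {
    dbattr_t attrs[2] = {{0}};
    attrs[0].attr_name = S_READPRIVS;  attrs[0].attr_type = SEC_LIST;
    attrs[0].attr_un.au_char = readprivs;
    attrs[1].attr_name = S_WRITEPRIVS; attrs[1].attr_type = SEC_LIST;
    attrs[1].attr_un.au_char = writeprivs;

    if (putdevattrs(device, attrs, 2) != 0)
        return -1;                        /* EINVAL, ENOENT or EPERM in errno */
    int failed = 0;
    for (int i = 0; i < 2; i++)           /* a zero return says nothing per entry */
        if (attrs[i].attr_flag != 0)      /* EACCES or EINVAL for this attribute */
            failed++;
    if (failed == 0 && putdevattr(device, NULL, NULL, SEC_COMMIT) != 0)
        return -1;
    return failed;
}
```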