putdevattrs Subroutine

Purpose

Modifies multiple device attributes in the privileged device database.

Library

Security Library (libc.a)

Syntax

#include <usersec.h>

int putdevattrs(Device, Attributes, Count)
    char *Device;
    dbattr_t *Attributes;
    int Count;

Description

The putdevattrs subroutine modifies one or more attributes in the privileged device database. If the database is not open, this subroutine does an implicit open for reading and writing. The device specified by the Device parameter must include the full path to the device and must exist in the privileged device database.

The putdevattrs subroutine is used only to modify attributes of existing devices in the database. To create or remove device entries, use the putdevattr subroutine instead. Data changed by the putdevattrs subroutine must be explicitly committed by calling the putdevattr subroutine with a Type parameter specifying SEC_COMMIT. Until all the data is committed, only the getdevattr and getdevattrs subroutines within the process return the modified data. Changes made to the privileged device database do not impact security considerations until the entire database is sent to the Kernel Security Tables using the setkst command.

The Attributes parameter contains information about each attribute that is to be updated. After a successful call to the putdevattrs subroutine, each element of the Attributes parameter must be examined to determine whether that attribute was successfully written. The dbattr_t data structure contains the following fields:
Item Description
attr_name The name of the device attribute to update.
attr_idx This attribute is used internally by the putdevattrs subroutine.
attr_type The type of the attribute being updated.
attr_flag The result of the request to update the desired attribute. On success, a value of zero is returned. Otherwise, a nonzero value is returned.
attr_un A union containing the value to update the requested attribute with.
attr_domain This field is ignored by the putdevattrs subroutine.

The following valid privileged device attributes for the putdevattrs subroutine are defined in the usersec.h file:

Name          Type      Description
S_READPRIVS   SEC_LIST  Privileges required to read from the device. Eight privileges can be defined. A process with any of the read privileges is allowed to read from the device.
S_WRITEPRIVS  SEC_LIST  Privileges required to write to the device. Eight privileges can be defined. A process with any of the write privileges is allowed to write to the device.

The union members that follow correspond to the definitions of the attr_char, attr_int, attr_long and attr_llong macros in the usersec.h file, respectively.
Item Description
au_char A character pointer to the value to be written for attributes of the SEC_CHAR and SEC_LIST types.
au_int Integer value to be written for attributes of the SEC_INT type.
au_long Long value to be written for attributes of the SEC_LONG type.
au_llong Long long value to be written for attributes of the SEC_LLONG type.

Parameters

Item Description
Device Specifies the device name for which the attributes are to be updated.
Attributes A pointer to an array of zero or more elements of the dbattr_t type. The list of device attributes is defined in the usersec.h header file.
Count The number of array elements in the Attributes parameter.

Security

Files Accessed:
File Mode
/etc/security/privdevs rw

Return Values

If the device specified by the Device parameter exists in the privileged device database, the putdevattrs subroutine returns zero, even when no attributes in the Attributes parameter were successfully updated. On success, the attr_flag field of each element in the Attributes parameter must be examined to determine whether it was successfully updated. On failure, a value of -1 is returned and the errno value is set to indicate the error.
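
The calling pattern described above, as an added example that is not part of the original reference page: check the return value, then every attr_flag, and call putdevattr with SEC_COMMIT only if every element was written. The #else branch holds constructed stand-ins (a simplified dbattr_t, placeholder constant values and mock subroutines) so the code builds off AIX; set_list_attr and set_dev_privs are hypothetical helper names, and the putdevattr argument order (Device, Attribute, Value, Type) is assumed from the AIX putdevattr reference.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef _AIX
#include <usersec.h>
#else
/* Constructed stand-ins so the example builds off AIX; the real types,
 * constants and subroutines come from <usersec.h> and libc.a. */
typedef struct { char *attr_name; int attr_type; int attr_flag;
                 union { char *au_char; } attr_un; } dbattr_t;
enum { SEC_LIST = 1, SEC_COMMIT = 2 };          /* placeholder values */
#define S_READPRIVS  "readprivs"
#define S_WRITEPRIVS "writeprivs"
static int commits;                             /* SEC_COMMIT calls seen */
static int putdevattrs(char *dev, dbattr_t *a, int n) {
    if (!dev || n < 0 || (!a && n > 0)) { errno = EINVAL; return -1; }
    for (int i = 0; i < n; i++)   /* unknown name: per-element error only */
        a[i].attr_flag = (strcmp(a[i].attr_name, S_READPRIVS) &&
                          strcmp(a[i].attr_name, S_WRITEPRIVS)) ? EINVAL : 0;
    return 0;
}
static int putdevattr(char *dev, char *attr, void *val, int type) {
    (void)dev; (void)attr; (void)val;
    if (type == SEC_COMMIT) commits++;
    return 0;
}
#endif
/* Fill one SEC_LIST element by field name. list holds NUL-separated
 * privilege names and ends with an empty string (double NUL). */
void set_list_attr(dbattr_t *a, char *name, char *list) {
    memset(a, 0, sizeof *a);
    a->attr_name = name; a->attr_type = SEC_LIST;
    a->attr_un.au_char = list;
}

/* Returns -1 if a call failed, else the number of attributes NOT written.
 * Policy of this example: commit only when every attr_flag is zero. */
int set_dev_privs(char *dev, dbattr_t *attrs, int count) {
    int failed = 0;
    if (putdevattrs(dev, attrs, count) == -1) { perror("putdevattrs"); return -1; }
    for (int i = 0; i < count; i++)     /* return 0 does not mean "written" */
        if (attrs[i].attr_flag != 0) {
            fprintf(stderr, "%s: %s not updated: %s\n", dev,
                    attrs[i].attr_name, strerror(attrs[i].attr_flag));
            failed++;
        }
    if (failed == 0 && putdevattr(dev, NULL, NULL, SEC_COMMIT) != 0) return -1;
    return failed;
}
```

A caller that treats a zero return from putdevattrs as success would leave a device with privilege requirements it believes were tightened but were never written; the per-element check is what catches that.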

Error Codes

If the putdevattrs subroutine returns -1, one of the following errno values can be set:
Item Description
EINVAL The Device parameter is NULL, default or ALL.
EINVAL The Count parameter is less than zero.
EINVAL The Attributes parameter is NULL and the Count parameter is greater than zero.
EINVAL The Attributes parameter does not point to valid data for the requested attribute.
ENOENT The device specified in the Device parameter does not exist.
EPERM The operation is not permitted.
If the putdevattrs subroutine fails to update an attribute, one of the following errors is returned in the attr_flag field of the corresponding Attributes entry:
Item Description
EACCES The invoker does not have write access to the privileged device database.
EINVAL The attr_name field in the Attributes entry is not a recognized privileged device attribute.
EINVAL The attr_type field in the Attributes entry contains a type that is not valid.
EINVAL The attr_un field in the Attributes entry does not point to a valid buffer or to valid data for this type of attribute.