Chapter 6. Programming in a Trusted Environment

This chapter describes the special requirements of programming in a trusted environment, and lists new system and library calls available under Trusted IRIX/CMW.

Trusted IRIX/CMW conforms to the POSIX P1003.1e draft 15 (D15) specification.

Sections in this chapter include:

  • Trusted IRIX/CMW System and Library Calls

  • Identifying System Security Options from within a Compiled Program

There are a number of guidelines that anyone who programs in a secure environment should follow:

  • To simplify your work, do not duplicate the work done by the identification and authentication (I&A) programs of the Trusted IRIX/CMW system.

  • Make sure that every variable stays within its intended bounds; check array indexes, buffer lengths, and any value that comes from outside the program.

  • Reduce global variable usage wherever possible.

  • Limit the functionality of each module to one distinct task.

  • Do not create a procedure that circumvents the program's normal flow of control (for example, one that skips a check that every other path performs).

  • If overrides must be added, document them thoroughly in the code.

  • By design and principle, minimize the privilege that your programs require or are permitted to use.

Trusted IRIX/CMW System and Library Calls

The following system and library calls are relevant to Trusted IRIX/CMW. Man pages exist for each of these calls in man page sections 2 and 3. Table 6-1 below lists each call and its corresponding action.

Table 6-1. Trusted IRIX/CMW System and Library Calls

System/Library Call
    Action

(call name missing)
    Set the MAC label of a file

satgetid(2), satsetid(2)
    Get or set the audit identity of the calling process

saton(2), satoff(2)
    Turn on or off auditing of the specified audit type

(call name missing)
    Read a block of audit record data

(call name missing)
    Query the state of the specified audit type

satwrite(2)
    Write a block of audit record data

(call name missing)
    Write a block of audit record data

(call name missing)
    Copy an ACL from system to user space or from user to system space

(call name missing)
    Delete the default ACL for a named directory

(call name missing)
    Make a copy of an ACL

(call name missing)
    Free memory allocated by ACL interface calls

(call name missing)
    Convert a POSIX ACL string to a struct acl, or a struct acl to a POSIX ACL string

acl_get_fd(3C), acl_set_fd(3C)
    Get or set the ACL associated with an open file

acl_get_file(3C), acl_set_file(3C)
    Get or set the ACL for a pathname

(call name missing)
    Return the size of an ACL

(call name missing)
    Convert a binary format ACL to a short form ASCII ACL string

(call name missing)
    Convert a binary format ACL to an ASCII ACL string

(call name missing)
    Validate an ACL

(call name missing)
    Make permitted set capabilities effective, or remove effective capabilities

(call name missing)
    Clear the fields of a capability

(call name missing)
    Copy a capability from system to user space or from user to system space

(call name missing)
    Make a copy of a capability

cap_envl(3C), cap_envp(3C)
    Ensure that the calling process has sufficient privilege to perform actions requiring the specified capabilities

(call name missing)
    Free an allocated capability

(call name missing)
    Convert a POSIX capabilities string to internal form

cap_get_fd(3C), cap_set_fd(3C)
    Get or set the capabilities for an open file

cap_get_file(3C), cap_set_file(3C)
    Get or set the capabilities for a pathname

cap_get_flag(3C), cap_set_flag(3C)
    Get or set the value of a capability flag in a capability

cap_get_proc(3C), cap_set_proc(3C)
    Get or set process capabilities

(call name missing)
    Allocate a capability structure

(call name missing)
    Set the capability state flags for the current process

(call name missing)
    Return the size of a capability

(call name missing)
    Remove capabilities from the effective set

(call name missing)
    Convert capabilities to a POSIX capabilities string

(call name missing)
    Return the POSIX name for a capability value

(call name missing)
    Get a user's name from the administrative database

getuserinfonam(3), getuserinfouid(3)
    Get information about a user

(call name missing)
    Create and write an audit record, using satwrite(2)

mac_cleared(3C), mac_clearedlbl(3C)
    Report on a user's clearance

(call name missing)
    Compare two MAC labels for the dominance relationship

(call name missing)
    Produce a duplicate copy of a MAC label

(call name missing)
    Compare two MAC labels for the equality relationship

(call name missing)
    Free an allocated MAC object

(call name missing)
    Convert an ASCII MAC label string to a binary format MAC label

mac_get_fd(3C), mac_set_fd(3C)
    Get or set the MAC label associated with an open file

mac_get_file(3C), mac_set_file(3C)
    Get or set the MAC label for a pathname

mac_get_proc(3C), mac_set_proc(3C)
    Get or set the MAC label for the current process

(call name missing)
    Get the size of a MAC label

(call name missing)
    Convert a binary format MAC label to an ASCII MAC label string

(call name missing)
    Convert a binary format MAC label to a long form ASCII MAC label string

(call name missing)
    Test a MAC label for validity

sat_eventtostr(3), sat_strtoevent(3)
    Convert an audit event index to or from an audit event string

(call name missing)
    Portable interface to interpret sat_pathname structs

sat_read_file_info(3), sat_write_file_info(3), sat_free_file_info(3)
    Portable interfaces to read, write and free audit file headers

sat_read_header_info(3), sat_free_header_info(3)
    Portable interfaces to read and free audit record headers

(call name missing)
    Get the default and allowed capability sets for a named user
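
The dominance and equality calls in Table 6-1 answer two different questions, and the difference matters for access decisions: equality is symmetric, while dominance is a partial order, so two labels can be incomparable in both directions. The following added example (it is not code from the Trusted IRIX/CMW manual) models that with a simplified label made of a sensitivity level and a set of categories. The struct layout, the lbl_* function names, the constructed sample labels and the Bell-LaPadula read-down rule it applies are this example's own assumptions; they do not describe the internal format of a Trusted IRIX/CMW label, which is exactly why real programs call mac_dominate and mac_equal instead of inspecting labels themselves.

```c
/* Added example: a model of MAC label dominance and equality. The label
   layout here (level plus a category bit set) is an assumption made for
   illustration, not the Trusted IRIX/CMW label format; real code uses
   mac_dominate(3C) and mac_equal(3C) rather than reading labels directly. */
#include <stdio.h>
#include <stdint.h>

struct model_label {
    int      level;   /* hierarchical sensitivity level; higher is more sensitive */
    uint32_t cats;    /* bit set of non-hierarchical categories (compartments) */
};

/* a dominates b when a's level is at least b's and a carries every category
   that b carries. Reflexive and antisymmetric, but not total. */
static int lbl_dominates(struct model_label a, struct model_label b)
{
    return a.level >= b.level && (b.cats & ~a.cats) == 0;
}

/* Equality: same level and exactly the same category set. */
static int lbl_equal(struct model_label a, struct model_label b)
{
    return a.level == b.level && a.cats == b.cats;
}

/* Two labels are comparable if one dominates the other. When neither does,
   neither side may observe the other's data under a dominance-based policy. */
static int lbl_comparable(struct model_label a, struct model_label b)
{
    return lbl_dominates(a, b) || lbl_dominates(b, a);
}

/* Least upper bound: the lowest label that dominates both inputs, which is
   the label an output combining data from both sources must carry. */
static struct model_label lbl_join(struct model_label a, struct model_label b)
{
    struct model_label j;
    j.level = a.level > b.level ? a.level : b.level;
    j.cats  = a.cats | b.cats;
    return j;
}

/* Simple-security (read-down) rule: a subject may read an object only when the
   subject's label dominates the object's. Writes follow a separate rule that
   this example does not model. */
static int read_allowed(struct model_label subject, struct model_label object)
{
    return lbl_dominates(subject, object);
}

int main(void)
{
    /* Constructed sample labels: levels 1 and 2, categories as bits 0..2. */
    struct model_label s  = { 1, 0x1 };   /* level 1, {A}   */
    struct model_label ts = { 2, 0x3 };   /* level 2, {A,B} */
    struct model_label tc = { 2, 0x4 };   /* level 2, {C}   */
    struct model_label j  = lbl_join(ts, tc);

    printf("ts dominates s: %d, s dominates ts: %d\n",
           lbl_dominates(ts, s), lbl_dominates(s, ts));
    printf("ts and tc comparable: %d (same level, disjoint categories)\n",
           lbl_comparable(ts, tc));
    printf("join(ts, tc) = level %d, cats 0x%x; ts may read s: %d\n",
           j.level, (unsigned)j.cats, read_allowed(ts, s));
    return 0;
}
```

The incomparable pair (ts, tc) is the case to keep in mind: mac_equal says no, mac_dominate says no in both directions, and a program that treats "not equal" as "therefore one is higher" will make the wrong decision.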

Identifying System Security Options from within a Compiled Program

The following program code fragment identifies whether your Trusted IRIX/CMW system currently supports capabilities, mandatory access control, and the secure audit trail. The _SC_CAP, _SC_MAC and _SC_SAT names are declared in <unistd.h>. Test for a positive return from sysconf(3C) rather than for any nonzero value, because sysconf returns -1 for a name it does not recognize, and -1 would otherwise be taken as "supported".

#include <unistd.h>

if (sysconf(_SC_CAP) > 0) {
   /* capabilities are supported.
      Perform actions required to comply
      with capability rules. */
}
if (sysconf(_SC_MAC) > 0) {
   /* mandatory access control is supported.
      Perform actions required to comply
      with MAC rules. */
}
if (sysconf(_SC_SAT) > 0) {
   /* secure audit trail is supported.
      Perform actions required to comply
      with auditing rules. */
}

The following program code fragment demonstrates how to temporarily enable a specific capability to perform a particular task. cap_acquire(3C) makes the listed capabilities effective and returns the previous capability state; pass that state to cap_surrender(3C) as soon as the privileged work is done, so the capability is not left effective for the rest of the process lifetime.

#include <sys/capability.h>

cap_value_t capv = CAP_XTCB;
cap_t ocap;

ocap = cap_acquire(1, &capv);   /* previous state, restored by cap_surrender */
/* Now perform capability dependent tasks
   before releasing the capability. */
cap_surrender(ocap);            /* drop CAP_XTCB from the effective set again */
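
The fragments above stop at the point where the privileged work would happen. The following added example (it is not code from the Trusted IRIX/CMW manual) puts them together: it queries sysconf(3C) for the three features, then runs a single callback with one capability made effective by cap_acquire(3C) and restores the previous state with cap_surrender(3C) on every return path, so the callback is the only code that ever runs privileged. The IRIX-specific calls and the _SC_* names are compiled in only where the platform provides them; the __sgi test and the HAVE_IRIX_CAP macro are this example's own assumptions, as is treating a NULL return from cap_acquire as "previous state could not be saved, do not proceed". Off IRIX the wrapper reports ENOSYS without running the callback.

```c
/* Added example: run-time feature detection plus a capability bracket.
   Assumptions not stated by the manual: __sgi marks an IRIX build, and
   cap_acquire() returns NULL when it cannot save the previous state. */
#include <stdio.h>
#include <unistd.h>
#include <errno.h>

#if defined(__sgi) && defined(_SC_CAP)
#  include <sys/capability.h>
#  define HAVE_IRIX_CAP 1
#else
#  define HAVE_IRIX_CAP 0
#endif

enum { TCB_CAP = 1, TCB_MAC = 2, TCB_SAT = 4 };

/* Bitmask of the trusted features the running kernel reports via sysconf().
   A return of -1 (unknown name) or 0 counts as "not supported". */
static int tcb_features(void)
{
    int f = 0;
#ifdef _SC_CAP
    if (sysconf(_SC_CAP) > 0) f |= TCB_CAP;
#endif
#ifdef _SC_MAC
    if (sysconf(_SC_MAC) > 0) f |= TCB_MAC;
#endif
#ifdef _SC_SAT
    if (sysconf(_SC_SAT) > 0) f |= TCB_SAT;
#endif
    return f;
}

/* 1 when this build can use the IRIX capability interface, otherwise 0. */
static int have_capabilities(void)
{
    return HAVE_IRIX_CAP;
}

typedef int (*privileged_fn)(void *ctx);

/* Run fn with capability capval made effective, then restore the previous
   state whatever fn returns. Returns fn's result, or -1 (errno set where the
   interface is absent) when the capability interface is unavailable or the
   previous state could not be saved; in both of those cases fn is not run. */
static int with_capability(int capval, privileged_fn fn, void *ctx)
{
#if HAVE_IRIX_CAP
    cap_value_t capv = (cap_value_t)capval;
    cap_t ocap = cap_acquire(1, &capv);
    int rc;

    if (ocap == NULL)
        return -1;              /* assumption: NULL means state not saved */
    rc = fn(ctx);               /* the only code that runs privileged */
    cap_surrender(ocap);        /* drop the capability on every path */
    return rc;
#else
    (void)capval; (void)fn; (void)ctx;
    errno = ENOSYS;
    return -1;
#endif
}

/* Sample privileged task: a counter stands in for the real work. */
static int count_call(void *ctx)
{
    ++*(int *)ctx;
    return 0;
}

int main(void)
{
    int n = 0, rc, f = tcb_features();
#if HAVE_IRIX_CAP
    int cap = CAP_XTCB;
#else
    int cap = 0;                /* no capability values exist off IRIX */
#endif

    printf("capabilities=%d mac=%d audit=%d (interface compiled in: %d)\n",
           !!(f & TCB_CAP), !!(f & TCB_MAC), !!(f & TCB_SAT),
           have_capabilities());
    rc = with_capability(cap, count_call, &n);
    printf("with_capability returned %d, task ran %d time(s)\n", rc, n);
    return 0;
}
```

The point of the wrapper is that cap_surrender cannot be forgotten on an error path: the callback returns into with_capability, which always restores the saved state before handing the result back, and a failure to acquire means the callback never runs rather than running unprivileged and failing later in a less obvious way.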