libselinux/man/man3/getcon.3 - platform/external/selinux - Git at Google

 .TH "getcon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
 .SH "NAME"
 getcon, getprevcon, getpidcon \- get SELinux security context of a process.

 getpeercon - get security context of a peer socket.

 setcon - set current security context of a process.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
 .BI "int getcon(security_context_t *" context );

 .BI "int getprevcon(security_context_t *" context );

 .BI "int getpidcon(pid_t " pid ", security_context_t *" context );

 .BI "int getpeercon(int " fd ", security_context_t *" context);

 .BI "int setcon(security_context_t " context);

 .SH "DESCRIPTION"
 .B getcon
 retrieves the context of the current process, which must be free'd with
 freecon.

 .B getprevcon
 same as getcon but gets the context before the last exec.

 .B getpidcon
 returns the process context for the specified PID.

 .B getpeercon
 retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.

 .B setcon
 sets the current security context of the process to a new value.  Note
 that use of this function requires that the entire application be
 trusted to maintain any desired separation between the old and new
 security contexts, unlike exec-based transitions performed via
 setexeccon(3).  When possible, decompose your applicaiton and use
 setexeccon() and execve() instead.

 Since access to file descriptors is revalidated upon use by SELinux,
 the new context must be explicitly authorized in the policy to use the
 descriptors opened by the old context if that is desired.  Otherwise,
 attempts by the process to use any existing descriptors (including
 stdin, stdout, and stderr) after performing the setcon() will fail.

 A multi-threaded application can perform a setcon() prior to creating
 any child threads, in which case all of the child threads will inherit
 the new context.  However, setcon() will fail if there are any other
 threads running in the same process.

 If the process was being ptraced at the time of the setcon()
 operation, ptrace permission will be revalidated against the new
 context and the setcon() will fail if it is not allowed by policy.

 .SH "RETURN VALUE"
 On error -1 is returned.  On success 0 is returned.

 .SH "SEE ALSO"
 .BR selinux "(8), " freecon "(3), " setexeccon "(3)"
	.TH "getcon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
	.SH "NAME"
	getcon, getprevcon, getpidcon \- get SELinux security context of a process.

	getpeercon - get security context of a peer socket.

	setcon - set current security context of a process.
	.SH "SYNOPSIS"
	.B #include <selinux/selinux.h>
	.sp
	.BI "int getcon(security_context_t *" context );

	.BI "int getprevcon(security_context_t *" context );

	.BI "int getpidcon(pid_t " pid ", security_context_t *" context );

	.BI "int getpeercon(int " fd ", security_context_t *" context);

	.BI "int setcon(security_context_t " context);

	.SH "DESCRIPTION"
	.B getcon
	retrieves the context of the current process, which must be free'd with
	freecon.

	.B getprevcon
	same as getcon but gets the context before the last exec.

	.B getpidcon
	returns the process context for the specified PID.

	.B getpeercon
	retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.

	.B setcon
	sets the current security context of the process to a new value. Note
	that use of this function requires that the entire application be
	trusted to maintain any desired separation between the old and new
	security contexts, unlike exec-based transitions performed via
	setexeccon(3). When possible, decompose your applicaiton and use
	setexeccon() and execve() instead.

	Since access to file descriptors is revalidated upon use by SELinux,
	the new context must be explicitly authorized in the policy to use the
	descriptors opened by the old context if that is desired. Otherwise,
	attempts by the process to use any existing descriptors (including
	stdin, stdout, and stderr) after performing the setcon() will fail.

	A multi-threaded application can perform a setcon() prior to creating
	any child threads, in which case all of the child threads will inherit
	the new context. However, setcon() will fail if there are any other
	threads running in the same process.

	If the process was being ptraced at the time of the setcon()
	operation, ptrace permission will be revalidated against the new
	context and the setcon() will fail if it is not allowed by policy.

	.SH "RETURN VALUE"
	On error -1 is returned. On success 0 is returned.

	.SH "SEE ALSO"
	.BR selinux "(8), " freecon "(3), " setexeccon "(3)"