libwliapi.3 (2011 03)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

libwliapi(3)

Optional WLI Product Required

libwliapi(3)

NAME

libwliapi - WLI library functions for managing ﬁle access policies

SYNOPSIS

cc -I/opt/wli/include -L/opt/wli/lib -lwliapi

[ﬂag...] ﬁle...

#include <wli.h>

wliapi_err_t wli_add_fap(const char *

ﬁlename , wli_fap_t policy_type );

wliapi_err_t wli_del_fap(const char *

ﬁlename , wli_fap_t

policy_type );

wliapi_err_t wli_check_fap(const char *

ﬁlename

, wli_fap_t policy_type ,

wliapi_rwmode_t

rw);

DESCRIPTION

The libwliapi shared library provides programmable interfaces to create, modify, delete and query

WLI file access policies on a regular ﬁle. A WLI policy restricts access to a ﬁle through either

or both of two policy types:

•

file lock access control (FLAC) - When a FLAC policy is assigned to a ﬁle, it cannot be

modiﬁed, deleted or moved to a different location.

•

identity based access control (IBAC) - When an IBAC policy is assigned to a ﬁle, it can

only be opened through an authorized executable with a valid WLI signature. See wlisign (1) for

details on managing WLI signature metadata.

To create, update, or delete policies through

libwliapi functions, the following requirements are essen-

tial:

• The calling executable must be signed and have been granted

api capability. Refer to wlisign (1) for

details on signing executables and the

api capability.

• The public key extracted from the private key that signed the executable must have been authorized

as a WLI user or administrator key and granted

api capability. The public key is used to verify

authenticity of the calling executable’s WLI signature. See wlicert (1M) for details on authorizing pub-

lic keys.

• The effective user ID (EUID) of the calling executable must match the owner ID of ﬁlename .

See wli(5) for more information on HP-UX Whitelisting (WLI).

FUNCTION ARGUMENTS

There are two arguments for

libwliapi functions that require speciﬁc values to be assigned. The fol-

lowing enumerations in header ﬁle /opt/wli//include/wli.h

deﬁne these values:

The ﬁle access policy types for the policy_type argument are:

typedef enum {

WLIAPI_FAP_NONE = 0,

WLIAPI_FAP_FLAC,

WLIAPI_FAP_IBAC,

WLIAPI_FAP_FLAC_FPID,

WLIAPI_FAP_MAXTYPE = WLIAPI_FAP_FLAC_FPID

} wli_fap_t;

The mode values for the

wli_check_fap() rw argument are:

typedef enum {

WLIAPI_FREAD = FREAD,

WLIAPI_FWRITE = FWRITE,

WLIAPI_FRW = FREAD | FWRITE

} wliapi_rwmode_t;

FUNCTIONS

wli_add_fap() Allows an executable to create the policy of type policy_type for the regular ﬁle

given by ﬁlename . The calling executable is authenticated by verifying its sig-

nature, as described by wlisign (1).

When a ﬁle access policy is created, the owner is the effective user ID (EUID)

of the executing process. The ﬁle owner must be the same as the EUID when

HP-UX 11iv3: Sep 2010 Web Release − 1 − Hewlett-Packard Company 1

Summary of content (4 pages)

PAGE 1
libwliapi(3) libwliapi(3) Optional WLI Product Required NAME libwliapi - WLI library functions for managing file access policies SYNOPSIS cc -I/opt/wli/include -L/opt/wli/lib -lwliapi [flag...] file ... #include
PAGE 2
libwliapi(3) Optional WLI Product Required libwliapi(3) the first policy was added. The policy metadata generated by this call is indistinguishable from that generated by wlipolicy (1). If an IBAC policy is created, the calling executable is added as an authorized executable to the policy metadata.
PAGE 3
libwliapi(3) libwliapi(3) Optional WLI Product Required int myapp_set_ibac(char *filename) { wliapi_err_t rc; rc = (wli_add_fap( filename, WLIAPI_FAP_IBAC); if (rc != WLIAPI_SUCCESS) { fprintf(stderr, "wli_add_fap() failed; rc: %u/n", rc); return(-1); else { printf "An IBAC policy record has been added to %s0, filename); } return(0); } /* Create a file that only can be accessed using this compiled * program (myapp) */ if ((myfd = create("/tmp/myfile", "rw")) == -1)) { fprintf(stderr, "fopen() failed; rc:
PAGE 4
(Notes) 4 Hewlett-Packard Company (Notes) −1− HP-UX 11iv3: Sep 2010 Web Release