libwliapi.3 (2011 03)
libwliapi(3)
Optional WLI Product Required
the first policy was added. The policy metadata generated by this call is
indistinguishable from that generated by wlipolicy(1).
If an IBAC policy is created, the calling executable is added as an authorized
executable to the policy metadata. If an IBAC policy already exists for
filename and the calling executable is not one of its authorized executables,
the IBAC will be updated to include the calling executable, provided access
requirements are met.
If the calling executable is signed with a product ID string, that product ID is
added to the policy metadata along with the calling executable signature. This
allows other executables with the same product ID to access the file.
wli_del_fap()
Allows an executable to remove the policy of type policy_type from the regular
file given by filename. The calling executable is authenticated by verifying its
signature, as described by wlisign(1). The policy may have been created
through wlipolicy(1) or wli_add_fap().
If the policy is of type IBAC and there are authorized executables other than
the calling executable listed in the IBAC metadata, only the calling executable
is deleted. This call will not delete other authorized executables from an
IBAC.
If the policy is of type IBAC and a product ID string is present in metadata for
authenticating the calling executable, the product string will be deleted. This
has the effect of removing access to all executables that are authenticated
through the product ID.
wli_check_fap()
Allows an executable to determine if it is allowed access to filename based on
the policy type specified by policy_type. The calling executable is
authenticated by verifying its signature, as described by wlisign(1).
The value of argument rw is compared with access rights in policy metadata
for IBAC policies. If there is a FLAC policy, write is not allowed. File
permission bits are not checked.
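The IBAC and FLAC rules described for wli_check_fap() and wli_del_fap(), shown as a small in-memory C model. This is an added illustration, not HP's code, and it does not call libwliapi. The struct layout, the ACC_R/ACC_W bit values, the per-product rights field and read being allowed under FLAC are assumptions.

```c
/* Toy model of the rules above; hypothetical names, not libwliapi. Signature check assumed done. */
#include <string.h>

#define ACC_R 1   /* assumed bit values for the rw argument */
#define ACC_W 2
enum ptype { P_IBAC, P_FLAC };
struct policy {
    enum ptype type;
    int nexe;
    struct { const char *sig; int rights; } exe[8]; /* authorized executables */
    const char *product_id;   /* NULL when no product ID is recorded */
    int product_rights;       /* assumption: rights granted via product ID */
};
struct caller { const char *sig; const char *product_id; };

/* Model of the wli_check_fap() decision: 1 = allowed, 0 = denied. */
int model_check(const struct policy *p, const struct caller *c, int rw)
{
    if (p->type == P_FLAC)            /* FLAC: write never allowed; read assumed allowed */
        return (rw & ACC_W) ? 0 : 1;
    for (int i = 0; i < p->nexe; i++) /* IBAC: requested bits must be within granted bits */
        if (strcmp(p->exe[i].sig, c->sig) == 0 && (rw & ~p->exe[i].rights) == 0)
            return 1;
    if (p->product_id && c->product_id && strcmp(p->product_id, c->product_id) == 0)
        return (rw & ~p->product_rights) == 0;
    return 0;
}

/* Model of wli_del_fap() on an IBAC: drop only the caller's entry and its product ID. */
void model_del(struct policy *p, const struct caller *c)
{
    for (int i = 0; i < p->nexe; i++)
        if (strcmp(p->exe[i].sig, c->sig) == 0) {
            p->exe[i] = p->exe[--p->nexe];   /* other authorized executables stay */
            break;
        }
    if (p->product_id && c->product_id && strcmp(p->product_id, c->product_id) == 0)
        p->product_id = NULL;
}

/* Constructed scenario: tools A and B share product ID "ACME-1"; only A is listed. */
int scenario(void)
{
    struct policy p = { .type = P_IBAC, .nexe = 1, .exe = { { "sigA", ACC_R | ACC_W } },
                        .product_id = "ACME-1", .product_rights = ACC_R };
    struct caller a = { "sigA", "ACME-1" }, b = { "sigB", "ACME-1" };
    int before = model_check(&p, &b, ACC_R);          /* B admitted through the product ID */
    model_del(&p, &a);                                /* A removes itself and the product ID */
    return before * 10 + model_check(&p, &b, ACC_R);  /* 10: allowed before, denied after */
}
```

The scenario shows why a delete by one product-signed executable deserves review: it silently revokes access for every other executable that relied on the same product ID.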
RETURN VALUE
The function returns the following:
Success   WLIAPI_SUCCESS is returned.
Failure   A non-zero code is returned that will match one of the values in the following
          enumeration:
typedef enum {
    WLIAPI_SUCCESS = 0,    /* Success */
    WLIAPI_ERR_INIT,       /* Initialization */
    WLIAPI_ERR_EINVAL,     /* Invalid input parameter */
    WLIAPI_ERR_EACCES,     /* Access denied */
    WLIAPI_ERR_EPERM,      /* Permission denied */
    WLIAPI_ERR_ENOMEM,     /* Memory allocation failed */
    WLIAPI_ERR_NOT_OWNER,  /* Not a policy owner */
    WLIAPI_ERR_SIGN,       /* Binary is not signed */
    WLIAPI_ERR_INTEG,      /* Application integrity fail */
    WLIAPI_ERR_FPID,       /* Invalid Fingerprint */
    WLIAPI_ERR_CAP,        /* Not API capable */
    WLIAPI_ERR_IOC,        /* syscall operation failed */
    WLIAPI_ERR_KEYACCES,   /* Key access failed */
    WLIAPI_ERR_PROC        /* Failed to get proc info */
} wliapi_err_t;
EXAMPLES
Use program myapp to add an IBAC record to /tmp/myfile:
#include <stdio.h>
#include <wli.h>
/* myapp.c routine to generate an IBAC record on a file */
Hewlett-Packard Company    HP-UX 11iv3: Sep 2010 Web Release