| author | Alejandro Colomar <alx@kernel.org> | 2025-11-25 00:32:05 +0100 |
|---|---|---|
| committer | Alejandro Colomar <alx@kernel.org> | 2025-11-25 01:10:35 +0100 |
| commit | 582fce4c02b32ecfc75351c3494cbf4f307f5b6b (patch) | |
| tree | 65621bce4517dfb0392efbeeb2bb68ac26a88c49 /man/man2const/SO_PEERSEC.2const | |
| parent | e11a82a6f7098b94bcd00fb767a1db269e3a83db (diff) | |
| parent | 869bbbf4705313f690e85ad09b9b300b9f846165 (diff) | |
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Diffstat (limited to 'man/man2const/SO_PEERSEC.2const')
| -rw-r--r-- | man/man2const/SO_PEERSEC.2const | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/man/man2const/SO_PEERSEC.2const b/man/man2const/SO_PEERSEC.2const new file mode 100644 index 0000000000..bf6f9a34e3 --- /dev/null +++ b/man/man2const/SO_PEERSEC.2const 
@@ -0,0 +1,96 @@ +.\" Copyright, the authors of the Linux man-pages project +.\" +.\" SPDX-License-Identifier: Linux-man-pages-copyleft +.\" +.TH SO_PEERSEC 2const (date) "Linux man-pages (unreleased)" +.SH NAME +SO_PEERSEC +\- +get the security context of a peer socker +.SH LIBRARY +Standard C library +.RI ( libc ,\~ \-lc ) +.SH SYNOPSIS +.nf +.BR "#include <netinet/in.h>" " /* Definition of " IP* " constants */" +.B #include <sys/socket.h> +.P +.BI int\~getsockopt(int\~ sockfd ,\~IPPROTO_IP,\~SO_PEERSEC, +.BI " void\~" buf [ size ],\~size_t\~ size ); +.fi +.SH DESCRIPTION +If labeled IPSEC or NetLabel is configured on both the sending and +receiving hosts, this read-only socket option returns the security +context of the peer socket connected to this socket. +By default, +this will be the same as the security context of the process that created +the peer socket unless overridden by the policy or by a process with +the required permissions. +.P +The argument to +.BR getsockopt (2) +is a pointer to a buffer of the specified length in bytes +into which the security context string will be copied. +If the buffer length is less than the length of the security +context string, then +.BR getsockopt (2) +returns \-1, sets +.I errno +to +.BR ERANGE , +and returns the required length via +.IR size . +The caller should allocate at least +.B NAME_MAX +bytes for the buffer initially, although this is not guaranteed +to be sufficient. +Resizing the buffer to the returned length +and retrying may be necessary. +.P +The security context string may include a terminating null character +in the returned length, but is not guaranteed to do so: a security +context "foo" might be represented as either {'f','o','o'} of length 3 +or {'f','o','o','\[rs]0'} of length 4, which are considered to be +interchangeable. +The string is printable, +does not contain non-terminating null characters, +and is in an unspecified encoding +(in particular, +it is not guaranteed to be ASCII or UTF-8). 
+.P +The use of this option for sockets in the +.B AF_INET +address family is supported since Linux 2.6.17 +.\" commit 2c7946a7bf45ae86736ab3b43d0085e43947945c +for TCP sockets, +and since Linux 4.17 +.\" commit d452930fd3b9031e59abfeddb2fa383f1403d61a +for SCTP sockets. +.P +For SELinux, NetLabel conveys only the MLS portion of the security +context of the peer across the wire, defaulting the rest of the +security context to the values defined in the policy for the +netmsg initial security identifier (SID). +However, NetLabel can +be configured to pass full security contexts over loopback. +Labeled IPSEC always passes full security contexts as part of establishing +the security association (SA) and looks them up based on the association +for each packet. +.SH ERRORS +See +.BR IPPROTO_IP (2const). +See +.BR setsockopt (2). +See +.BR ip (7). +.TP +.B ERANGE +The buffer +.I size +is not enough. +.SH HISTORY +Linux 2.6.17. +.SH SEE ALSO +.BR IPPROTO_IP (2const), +.BR setsockopt (2), +.BR ip (7) |
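
Review bot: The SYNOPSIS declares the last argument as `size_t size`, passed by value, but the DESCRIPTION says that on ERANGE the call "returns the required length via size", which only works if size is a pointer. getsockopt(2) takes a `socklen_t *` there, so the prototype should read something like `socklen_t *size`, and the `buf[size]` annotation needs adjusting to match. Without that, a reader following the SYNOPSIS has no way to implement the resize-and-retry loop the text recommends, and that loop is the part callers most need to get right when they make an access decision on the returned context. Also in this hunk: the NAME line has a typo ("peer socker" should be "peer socket"). The option is described as read-only and the body refers to getsockopt(2) throughout, yet ERRORS and SEE ALSO point at setsockopt(2); getsockopt(2) looks like the intended reference. The three consecutive "See" entries in ERRORS could be merged into one sentence. Finally, the option carries the SO_ prefix while the SYNOPSIS passes IPPROTO_IP as the level; please confirm the level is the intended one, since the text appears to have been moved out of ip(7).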
