Diffstat (limited to 'man/man2const/SO_PEERSEC.2const')
-rw-r--r-- man/man2const/SO_PEERSEC.2const | 96
1 files changed, 96 insertions, 0 deletions
diff --git a/man/man2const/SO_PEERSEC.2const b/man/man2const/SO_PEERSEC.2const new file mode 100644 index 0000000000..bf6f9a34e3 --- /dev/null +++ b/man/man2const/SO_PEERSEC.2const 
@@ -0,0 +1,96 @@ +.\" Copyright, the authors of the Linux man-pages project +.\" +.\" SPDX-License-Identifier: Linux-man-pages-copyleft +.\" +.TH SO_PEERSEC 2const (date) "Linux man-pages (unreleased)" +.SH NAME +SO_PEERSEC +\- +get the security context of a peer socker +.SH LIBRARY +Standard C library +.RI ( libc ,\~ \-lc ) +.SH SYNOPSIS +.nf +.BR "#include <netinet/in.h>" " /* Definition of " IP* " constants */" +.B #include <sys/socket.h> +.P +.BI int\~getsockopt(int\~ sockfd ,\~IPPROTO_IP,\~SO_PEERSEC, +.BI " void\~" buf [ size ],\~size_t\~ size ); +.fi +.SH DESCRIPTION +If labeled IPSEC or NetLabel is configured on both the sending and +receiving hosts, this read-only socket option returns the security +context of the peer socket connected to this socket. +By default, +this will be the same as the security context of the process that created +the peer socket unless overridden by the policy or by a process with +the required permissions. +.P +The argument to +.BR getsockopt (2) +is a pointer to a buffer of the specified length in bytes +into which the security context string will be copied. +If the buffer length is less than the length of the security +context string, then +.BR getsockopt (2) +returns \-1, sets +.I errno +to +.BR ERANGE , +and returns the required length via +.IR size . +The caller should allocate at least +.B NAME_MAX +bytes for the buffer initially, although this is not guaranteed +to be sufficient. +Resizing the buffer to the returned length +and retrying may be necessary. +.P +The security context string may include a terminating null character +in the returned length, but is not guaranteed to do so: a security +context "foo" might be represented as either {'f','o','o'} of length 3 +or {'f','o','o','\[rs]0'} of length 4, which are considered to be +interchangeable. +The string is printable, +does not contain non-terminating null characters, +and is in an unspecified encoding +(in particular, +it is not guaranteed to be ASCII or UTF-8). 
+.P +The use of this option for sockets in the +.B AF_INET +address family is supported since Linux 2.6.17 +.\" commit 2c7946a7bf45ae86736ab3b43d0085e43947945c +for TCP sockets, +and since Linux 4.17 +.\" commit d452930fd3b9031e59abfeddb2fa383f1403d61a +for SCTP sockets. +.P +For SELinux, NetLabel conveys only the MLS portion of the security +context of the peer across the wire, defaulting the rest of the +security context to the values defined in the policy for the +netmsg initial security identifier (SID). +However, NetLabel can +be configured to pass full security contexts over loopback. +Labeled IPSEC always passes full security contexts as part of establishing +the security association (SA) and looks them up based on the association +for each packet. +.SH ERRORS +See +.BR IPPROTO_IP (2const). +See +.BR setsockopt (2). +See +.BR ip (7). +.TP +.B ERANGE +The buffer +.I size +is not enough. +.SH HISTORY +Linux 2.6.17. +.SH SEE ALSO +.BR IPPROTO_IP (2const), +.BR setsockopt (2), +.BR ip (7) |
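Review bot: the SYNOPSIS in this hunk contradicts the DESCRIPTION: the last parameter is declared as `size_t size`, passed by value, while the text says that on ERANGE getsockopt(2) "returns the required length via size", which is only possible with the real getsockopt(2) signature, where the length is an in/out pointer (`socklen_t *optlen`). Suggest changing the second .BI line to `.BI " void\~" buf [ size ],\~socklen_t\~* size );` and wording the ERANGE paragraph as "updates the value pointed to by size to the required length". Related: the SYNOPSIS passes IPPROTO_IP as the level and the include line reads `#include <netinet/in.h> /* Definition of IP* constants */`, yet the DESCRIPTION calls this a "read-only socket option"; SO_PEERSEC is a SOL_SOCKET-level option declared in <sys/socket.h> (see socket(7)), so the level, the include comment and the ERRORS and SEE ALSO cross-references to IPPROTO_IP(2const) should be checked before merge. Also a typo in NAME: "peer socker" should read "peer socket".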
