SO_PEERSEC(2const) SO_PEERSEC(2const)

NAME
SO_PEERSEC - get the security context of a peer socket

LIBRARY
Standard C library (libc, -lc)

SYNOPSIS
#include <sys/socket.h>

int getsockopt(int sockfd, SOL_SOCKET, SO_PEERSEC,
               void *buf, socklen_t *size);

DESCRIPTION
This read-only socket option returns the security context of the peer socket connected to this socket. By default, this is the same as the security context of the process that created the peer socket, unless overridden by the policy or by a process with the required permissions. For AF_UNIX sockets no further configuration is needed; for AF_INET sockets the label must be conveyed across the wire by labeled IPSEC or NetLabel, configured on both hosts, as described below.

The buf argument to getsockopt(2) is a pointer to a buffer into which the security context string is copied; size points to its length in bytes. If that length is less than the length of the security context string, getsockopt(2) returns -1, sets errno to ERANGE, and stores the required length in size. The caller should allocate at least NAME_MAX bytes for the buffer initially, although this is not guaranteed to be sufficient: resize the buffer to the returned length and retry on ERANGE.

The security context string may include a terminating null character in the returned length, but is not guaranteed to do so: a security context "foo" might be represented as either {'f','o','o'} of length 3 or {'f','o','o','\0'} of length 4, which are considered to be interchangeable. The string is printable, does not contain non-terminating null characters, and is in an unspecified encoding (in particular, it is not guaranteed to be ASCII or UTF-8).

The use of this option for sockets in the AF_UNIX address family is supported since Linux 2.6.2 for connected stream sockets, and since Linux 4.18 also for stream and datagram socket pairs created using socketpair(2).

For AF_INET sockets, labeled IPSEC or NetLabel needs to be configured on both the sending and receiving hosts.

The use of this option for sockets in the AF_INET address family is supported since Linux 2.6.17 for TCP sockets, and since Linux 4.17 for SCTP sockets.

For SELinux, NetLabel conveys only the MLS portion of the security context of the peer across the wire, defaulting the rest of the security context to the values defined in the policy for the netmsg initial security identifier (SID). However, NetLabel can be configured to pass full security contexts over loopback. Labeled IPSEC always passes full security contexts as part of establishing the security association (SA) and looks them up based on the association for each packet.

RETURN VALUE
See SOL_SOCKET(2const).

ERRORS
See SOL_SOCKET(2const).

ERANGE The buffer pointed to by buf is too small to hold the security context string; the required length has been stored in size.

HISTORY
Linux 2.6.2.

SEE ALSO
SOL_SOCKET(2const), setsockopt(2), socket(7)

2025-12-01 Linux man-pages 6.17