HP UX Whitelisting 2.3.2.$WLI_POLICY$, 2.3.1.$WLI_FSPARMS$, 2.3.3.$WLI_SIGNATURE$, auto, /tmp, /tmp, NOTE:, NOTE:, pseudo, pseudo, wlisign, wlitool, wlisign, wlipolicy

2.3.1.$WLI_FSPARMS$

These metadata files are regular files containing metadata storage types for the file system where they reside. This file always appears in the root directory of a file system that also contains WLI metadata. The metadata storage type is indicated by the wmdstoretype parameter. For details, see wlisys(1M). The following storage types are available:

auto	If the file system is VxFS at revision 5.0.1 or later, metadata is stored in a named
	stream. A named stream is associated with the protected file inode and not accessible
	to most commands. For VxFS file systems at revision 5.0 or earlier and all other file
	system types, metadata storage is the same as described in the following entry for
	pseudo.
pseudo	Metadata is stored separately in files within directories always named
	.$WLI_POLICY$, described in the following section. These metadata directories
	always reside in the parent directory of the policy protected files.

2.3.2.$WLI_POLICY$

Directories named .$WLI_POLICY$ contain policy metadata files, and appear if the wmdstoretype parameter has value pseudo, or the file system type is VxFS 5.0 or earlier. These directories also appear for all non-VxFS file systems. In addition to write protection, WLI does not allow read access to all files under directories with this name.

Each file in this directory has the same name as a file that is assigned an access policy through wlipolicy in the parent directory. For example, if /tmp contains the following files with WLI access policies:

%ls -l /tmp/JdMB4NJ1 /tmp/T1df07xe

-rw-------	1	joe	users	2723	May	4	14:49	/tmp/JdMB4NJ1
-rw-------	1	joe	users	8199	Jun	3	20:46	/tmp/T1df07xe

Then, /tmp/ .$WLI_POLICY$ contains the corresponding policy metadata files:

%ls -l /tmp/.\$WLI_POLICY\$

-rw-------	1	joe	users	2048	Jul	15	15:29	JdMB4NJ1
-rw-------	1	joe	users	2048	Jun	3	20:47	T1df07xe

NOTE: The ’\’ escape character is used to escape ‘$’, a special character to shell interpreters.

2.3.3.$WLI_SIGNATURE$

Directories named .$WLI_SIGNATURE$ contain signature metadata files. In addition to write protection, WLI does not allow read access to all files under directories with this name.

Each file in this directory has the same name as a non ELF binary that is signed with wlisign in the parent directory. For example, if /tmp contains non ELF binaries:

%ls -l CXkiELYm wpSzpxzI

-rw-------	1	joe	users	1809	Dec	9	2009	/tmp/CXkiELYm
-rw-------	1	joe	users	1809	Mar	21	03:13	/tmp/wpSzpxzI

Then, /tmp/ .$WLI_SIGNATURE$ contains the corresponding signature metadata files:

%ls -l /tmp/.\$WLI_SIGNATURE\$

-rw-------	1	joe	users	2048	Jul	15	01:33	/tmp/CXkiELYm
-rw-------	1	joe	users	2048	Jul	15	01:36	/tmp/wpSzpxzI

NOTE: The ’\’ escape character is used to escape ‘$’, a special character to shell interpreters.

ELF-formatted binaries signed by wlitool or wlisign store their signature metadata within a section of the binary file and do not have separate metadata files.

2.3 WLI metadata files 17