Program Statements

There are two types of program statements in the Endpoint Privilege Management for Unix and Linux Security Policy Scripting Language, executable and non-executable.

Executable Program Statements

Executable program statements allow security administrators to define and implement security rules. These types of statements have two major functions:

  • Set the environment in which security profile files run
  • Control the logic flow within security policy files

The following table summarizes the executable program statements:

Statement    Description
accept       Terminates security policy file processing and passes control to pblocald. Version 4.0 and earlier: statements do not support ACL. Version 5.0 and later: statements support ACL.
Assignment   Assigns a value to a variable.
break        Terminates the processing of cases within a switch statement, or exits a loop. Version 3.2 and earlier: limited to ending a case clause in a switch statement. Version 3.5 and later: expanded for use within loops.
continue     Skips the remaining loop body and returns to the next iteration of the loop.
do-while     Creates do-while loops that follow the C language syntax.
for          C-style for. Creates for loops that follow the C language syntax.
for-in       Creates loops that execute the loop body once for each element in an argument list.
function     Stand-alone subroutines (returning a value) used to modularize a company's security policy file.
if           Determines which program statement to execute next based on whether an expression is true or false.
include      Passes the flow of control to another file.
procedure    Stand-alone subroutines used to modularize a company's security policy files.
readonly     Freezes the value of a variable so it cannot be changed by a security policy file.
reject       Immediately terminates security policy file checking and cancels the current job request before it can execute. Version 4.0 and earlier: statements do not support ACL. Version 5.0 and later: statements support ACL.
switch       Executes a specific set of program statements based on an expression value.
while        Builds while loops that follow the C language syntax.

Type your executable program statements in lowercase because the Security Policy Scripting Language interpreter is case sensitive. For example, the word If is recognized as a variable name by the interpreter whereas the word if is recognized as an executable program statement.

Some general rules for creating program statements are as follows:

  • Terminate program statements with a semicolon.
  • A single statement can be multiple lines.
  • Multiple statements can be included on one line if each statement terminates with a semicolon.
  • Enclosing groups of program statements within curly brackets creates a compound statement. Each statement within the group must terminate with a semicolon.

Executable program statements have a special meaning to the Security Policy Scripting Language interpreter. Therefore, you cannot use them for other purposes. For instance, using an executable program statement as a variable name generates an error.
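The following policy fragment is an added example, not taken from the product documentation, that exercises most of the statements and rules above in one place. It assumes the standard policy variables and functions user, command, argv, runuser, iolog and basename(); the user names, log path and command names are constructed sample values.

```pbul
# Added example policy (not the vendor's own code). Sample values are constructed.

# Assignment, then readonly: later policy code cannot widen this list.
AdminUsers = { "alice", "bob" };
readonly AdminUsers;

# A function returns a value; "in" tests list membership.
function isadmin(name)
{
    return name in AdminUsers;
}

# A procedure performs an action and returns nothing.
procedure setiolog(tag)
{
    iolog = "/var/log/pbul/" + tag + "." + user;   # constructed path
}

# Keywords are lowercase: "If" here would be read as a variable name.
if (!isadmin(user)) {
    reject "Only administrators may run privileged commands.";
}

# Compound statements in curly brackets; every statement ends with ";".
switch (basename(command)) {
case "passwd":
    # for-in visits each element of the argument list.
    for (arg in argv) {
        if (arg == "root") reject "The root password cannot be changed here.";
    }
    break;
case "shutdown":
    runuser = "root";
    break;
default:
    reject "Command is not covered by this policy.";
}

setiolog("admin");
accept;
```

Because reject ends processing immediately, every path that reaches accept has already passed the administrator check and the per-command checks above it.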

Many administrators desire a nonprogrammatic way of using Endpoint Privilege Management for Unix and Linux. To accomplish this goal, the Endpoint Privilege Management for Unix and Linux policy language was extended in Endpoint Privilege Management for Unix and Linux version 5.0 to include an Access Control List structure. This structure extends the accept and reject statements to provide a simple nonprogrammatic way of specifying access data. It can be used exclusively to provide control, or it can be used in combination with the rest of the Endpoint Privilege Management for Unix and Linux policy language to provide greater control.

For more information, please see the following: