Home
QNX Software Development Platform
QNX SDP is a cross-compiling and debugging environment, including an IDE and command-line tools, for building binary images and programs for target boards running the QNX OS 8.0.
System Security Guide
The QNX System Security Guide is intended for both system integrators who are responsible for the security of a QNX OS system and developers who want to create a QNX OS resource manager free from vulnerabilities.
Security Policies
The libsecpol API (secpol.h)
The libsecpol library API provides functions for systems that use security policies.
secpol_get_permission()
Returns a handle to a permission associated with a custom class

QNX Momentics IDE User's Guide
This User's Guide describes version 8.0 of the Integrated Development Environment (IDE) that's part of the QNX Tool Suite.
QNX Software Development Platform
QNX SDP is a cross-compiling and debugging environment, including an IDE and command-line tools, for building binary images and programs for target boards running the QNX OS 8.0.
- Quickstart Guide
- System Architecture
  The System Architecture guide accompanies the QNX OS and is intended for both application developers and end-users.
- OS Components & Operations
- Graphics
- Programming
- System Security Guide
  The QNX System Security Guide is intended for both system integrators who are responsible for the security of a QNX OS system and developers who want to create a QNX OS resource manager free from vulnerabilities.
  - Security Matrix
    The following table describes security problems and cyberattacks and the QNX OS security features that can mitigate them.
  - Security Features Overview
  - Security Features for Developers
  - Security Features for System Integrators
  - Security Policies
    - Using security policies
    - Security policy language
    - Named range file
    - Monitoring security policy events
    - Tutorial: Build a system that uses a security policy
      The steps for developing a QNX OS system that uses a security policy include adding security types and generating a policy using the secpolgenerate utility.
    - The libsecpol API (secpol.h)
      The libsecpol library API provides functions for systems that use security policies.
      - Specifying the security policy file handle
        For convenience, the API functions that specify a handle to the security policy file allow you to specify NULL for handle.
      - Checking custom permissions when no policy is used
      - Customizing permissions using a security policy
        The secpol_get_permission() and secpol_check_permission() functions allow you to support fine-grained permission checking in a system that uses security policies.
      - get_ids_from_arg()
        Get identifiers from an argument string, or the string and /etc/passwd and /etc/group
      - secpol_check_permission()
        Check if a requesting process has a specified permission
      - secpol_close()
        Close the security policy file
      - secpol_flags_e
        Flags for secpol_transition_type(), secpol_posix_spawnattr_settypeid() and secpol_resolve_name()
      - secpol_get_permission()
        Returns a handle to a permission associated with a custom class
      - secpol_get_permission_flags_e
        Flags for secpol_get_permission()
      - secpol_get_policy_id()
        Return the policy ID of any policy that has been pushed to procnto
      - secpol_get_type_id()
        Return the type ID associated with a type name
      - secpol_get_type_name()
        Return the type name associated with a type ID
      - secpol_open()
        Open a security policy file
      - secpol_open_flags_e
        Flags for secpol_open()
      - secpol_posix_spawnattr_settypeid()
        Update a spawn attribute object to spawn a child with a different type
      - secpol_resmgr_attach()
        Attach a path to the pathname space with permissions set via a security policy
      - secpol_resolve_name()
        Resolve a type name to a type ID
      - secpol_transition_type()
        Transition to a new type
      - secpol_type_id()
        Return the type ID of the process
      - set_ids_from_arg()
        Change the caller's identifiers based on a given string
    - The libsecpolev API (libsecpolev.h)
      The libsecpolev library API provides functions that allow a program to monitor system trace events that relate to the successful or failed use of privileges covered by security policies.
  - Fortified System Functions
  - QNX Cryptography Library
    The QNX cryptography library (qcrypto library) is a generic cryptographic shim layer that provides a consistent API to the various cryptographic primitives offered by third-party libraries.
  - The devcrypto service
    The devcrypto service is a legacy system driver interface and is mainly provided for backwards compatibility.
  - Pathtrust
    The pathtrust feature prevents processes from executing untrusted code. If a process is compromised, pathtrust mitigates the threat of the system being further compromised by an attacker using chained-together exploits.
  - PAM
    Systems that need authentication can use pluggable authentication module (PAM), a configurable standard library.
  - Using mkqnximage to Display Security Features
- Utilities & Libraries
- Migrating to QNX OS 8.0
QNX Software in the Cloud
QNX Software in the Cloud enables developers to use the QNX OS in the Amazon cloud environment.
QNX Toolkit for Visual Studio Code
This User's Guide describes the QNX^® Toolkit for Visual Studio Code. The guide introduces you to the QNX Toolkit by explaining the QNX development environment and how to build, run, and debug your QNX^® Operating System (OS) applications and systems.
QNX Hypervisor User's Guide
This User's Guide explains the QNX hypervisor architecture and provides instructions for installing and running a QNX Hypervisor system, changing system components and configuration, and using hypervisor features such as virtual devices (vdevs).
Typographical Conventions, Support, and Licensing
This section describes the typographical conventions used throughout the documentation, explains how to obtain technical support, and provides some information about licensing.

secpol_get_permission()

QNX SDP8.0QNX OS System Security GuideAPIConfiguration

Returns a handle to a permission associated with a custom class

Synopsis:

#include <secpol/secpol.h>

secpol_permission_t* secpol_get_permission(secpol_file_t *handle,
                                           const char *class,
                                           const char *permission,
                                           unsigned flags)

Arguments:

handle: Handle to the security policy file. Usually NULL, which specifies that the default security policy file is used (either the system default or one set using secpol_open()).
class: Name of the class associated with the permission.
permission: Name of the permission.
flags: Zero or more flags taken from the secpol_get_permission_flags_e enumeration.

Library:

libsecpol

Description:

The secpol_get_permission() function returns a permission object that secpol_check_permission() uses to determine whether a request from a process is permitted. By default, the secpol_get_permission() function succeeds even when no security policy is in use or if the class or permission cannot be found. However, if the system uses security policies, the permission is always denied.

If the system is not using security policies, permission checking is performed by evaluating the class and permission name that secpol_get_permission() provides against environment variables. For more information, see Checking custom permissions when no policy is used.

Returns:

A handle to the permission, or NULL if the call failed. On failure, errno is set to one of the following values:

ENOTSUP No security policy is in use.
ENOSYS The class or permission is not in the policy file or the policy ID is wrong.
EINVAL Parameters are not valid for the specified policy file.
ENOMEM Out of memory.
ENOENT Unable to open the policy file.

Page updated: March 05, 2025