Trusted Solaris Developer's Guide

File System Label Range

The file system label range specifies the upper and lower bounds to the sensitivity of data contained in the file system. The getcmwfsrange() and fgetcmwfsrange() system calls return a structure that contains the upper and lower bound of the file system sensitivity label range.

How to query the file system security attributes in the inode or in the vfstab_adjunct(4) is described in "Query File System Security Attributes" in Chapter 2, Getting Started.

The following sections describe two situations where a program might get the file system label range and test a sensitivity label against it before taking further action.

Test Range Before Changing File CMW Label

Before upgrading a file CMW label (as was done in the previous example), it is a good idea to test the file system label range to be sure the file's new sensitivity label is within the label range of the file system that contains the file.

This example converts text strings to a new binary sensitivity label, gets the file system label range, and checks if the new sensitivity label is within the file system's label range.

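#include <stdio.h>
#include <stdlib.h>
#include <tsol/label.h>

int
main(void)
{
	int retval, error;
	bclabel_t fileCMWlabel;
	bslabel_t fsenslabel;
	brange_t range;
	char *string = "TOP SECRET";

/* Create new sensitivity label value */
	retval = stobsl(string, &fsenslabel, NEW_LABEL, &error);
	if (retval <= 0) {
		fprintf(stderr, "stobsl: cannot translate \"%s\"\n", string);
		exit(1);
	}

/* Get file system label range; pass the address of the range structure */
	retval = getcmwfsrange("/export/home/zelda/afile", &range);
	if (retval < 0) {
		perror("getcmwfsrange");
		exit(1);
	}

/* Test new sensitivity label against label range */
	retval = blinrange(&fsenslabel, &range);
	if(retval > 0)
		{/* Proceed with file CMW label upgrade. */}
	return (0);
}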
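
The range test in the example above succeeds only when the upper bound dominates the label and the label dominates the lower bound. The following added example (not from the original guide, and not the tsol library's implementation) models that test with a simplified label made of a classification and a compartment bit set. The type names, function names, and label values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a sensitivity label (assumption: this is NOT the
 * real bslabel_t layout): a classification plus a compartment set. */
typedef struct {
    int      classification;   /* higher value = more sensitive */
    uint32_t compartments;     /* one bit per compartment */
} model_label_t;

typedef struct {
    model_label_t lower;
    model_label_t upper;
} model_range_t;

/* a dominates b when a's classification is at least b's and a's
 * compartment set contains every compartment in b. */
static int model_dominates(const model_label_t *a, const model_label_t *b)
{
    return a->classification >= b->classification &&
           (a->compartments & b->compartments) == b->compartments;
}

/* In range: upper dominates the label AND the label dominates lower. */
static int model_inrange(const model_label_t *l, const model_range_t *r)
{
    return model_dominates(&r->upper, l) && model_dominates(l, &r->lower);
}

/* Constructed sample values, not taken from any label_encodings file. */
enum { UNCLASSIFIED = 1, CONFIDENTIAL = 4, SECRET = 5, TOP_SECRET = 6 };
enum { COMP_A = 0x1, COMP_B = 0x2 };

/* Constructed range: CONFIDENTIAL (no compartments) to TOP SECRET A. */
static const model_range_t fs_range = {
    { CONFIDENTIAL, 0 }, { TOP_SECRET, COMP_A }
};

/* Returns 1 when the label is inside fs_range, 0 otherwise. */
int check(int classification, uint32_t compartments)
{
    model_label_t l = { classification, compartments };
    return model_inrange(&l, &fs_range);
}

int main(void)
{
    printf("SECRET A       -> %d\n", check(SECRET, COMP_A));
    printf("SECRET B       -> %d\n", check(SECRET, COMP_B));
    printf("UNCLASSIFIED   -> %d\n", check(UNCLASSIFIED, 0));
    return 0;
}
```

SECRET B is rejected even though SECRET lies between CONFIDENTIAL and TOP SECRET, because compartment B is not in the upper bound's set. This is why a range test cannot be reduced to comparing classifications alone.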

Test Range Before Routing Data to Device

Always check the label range on a device special file before using the Trusted Solaris interfaces to allocate a device and route input to the device. The input routed to the device should be within the label range of the device special file.