The file system label range specifies the upper and lower bounds on the sensitivity of data contained in the file system. The getcmwfsrange() and fgetcmwfsrange() system calls return a structure that contains the upper and lower bounds of the file system sensitivity label range.
When the upper and lower bounds are not equal, the file system has a label range and is a multilabel file system. A multilabel file system supports all security attributes distinctly for every file system object.
When the upper and lower bounds are equal, the file system is a single-label file system. This type of file system supports all security attributes distinctly for every file system object.
Fixed file system - When the upper and lower bounds are equal, the file system is a single-label file system. The file system's system sensitivity label comes from the mount specified in vfstab_adjunct(4). A single-label file system supports security attributes for the file system, but not for every file system object.
How to query the file system security attributes in the inode or in the vfstab_adjunct(4) is described in "Query File System Security Attributes" in Chapter 2, Getting Started.
The following sections describe two situations where a program might get the file system label range and test a sensitivity label against it before taking further action.
Before upgrading a file CMW label (as was done in the previous example), it is a good idea to test the file system label range to be sure the file's new sensitivity label is within the sensitivity label range of the file system.
This example converts text strings to a new binary sensitivity label, gets the file system label range, and checks if the new sensitivity label is within the file system's label range.
    #include <stdio.h>
    #include <tsol/label.h>

    int main(void)
    {
        int retval, error;
        bclabel_t fileCMWlabel;
        bslabel_t fsenslabel;
        brange_t range;
        char *string = "TOP SECRET";

        /* Create new sensitivity label value */
        retval = stobsl(string, &fsenslabel, NEW_LABEL, &error);

        /* Get file system label range; the call fills in range through a pointer */
        retval = getcmwfsrange("/export/home/zelda/afile", &range);
        if (retval < 0) {
            perror("getcmwfsrange");
            return 1;
        }

        /* Test new sensitivity label against label range */
        retval = blinrange(&fsenslabel, &range);
        if (retval > 0) {
            /* Proceed with file CMW label upgrade. */
        }
        return 0;
    }
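The range test and the single-label/multilabel distinction can be seen in a simplified model. This is an added example, not code from the original guide and not Trusted Solaris code: it assumes a label is a classification level plus a compartment bitmask, and `label_t`, `range_t`, `dominates()`, `in_range()`, `is_multilabel()` and the level and compartment names are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): a sensitivity label is a hierarchical
 * classification plus a set of compartments held as a bitmask. This is
 * not the opaque bslabel_t layout used by Trusted Solaris. */
typedef struct { int level; uint32_t comps; } label_t;
typedef struct { label_t lower, upper; } range_t;

enum { CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };  /* constructed levels */
enum { COMP_A = 1, COMP_B = 2, COMP_C = 4 };            /* constructed compartments */

/* a dominates b: level at least as high and compartments a superset of b's. */
static bool dominates(label_t a, label_t b)
{
    return a.level >= b.level && (a.comps & b.comps) == b.comps;
}

/* Model of the in-range test: upper dominates l, and l dominates lower. */
static bool in_range(label_t l, range_t r)
{
    return dominates(r.upper, l) && dominates(l, r.lower);
}

/* Equal bounds mean a single-label file system; otherwise it is multilabel. */
static bool is_multilabel(range_t r)
{
    return r.lower.level != r.upper.level || r.lower.comps != r.upper.comps;
}

/* Constructed sample range: CONFIDENTIAL {} up to SECRET {A,B}. */
static range_t sample_range(void)
{
    range_t r = { { CONFIDENTIAL, 0 }, { SECRET, COMP_A | COMP_B } };
    return r;
}

int main(void)
{
    range_t fs = sample_range();
    label_t ok = { SECRET, COMP_A }, high = { TOP_SECRET, COMP_A };
    label_t stray = { CONFIDENTIAL, COMP_C };   /* compartment outside the range */

    printf("multilabel: %d\n", is_multilabel(fs));
    printf("SECRET {A} in range: %d\n", in_range(ok, fs));
    printf("TOP SECRET {A} in range: %d\n", in_range(high, fs));
    printf("CONFIDENTIAL {C} in range: %d\n", in_range(stray, fs));
    return 0;
}
```

The last case shows why a level comparison alone is not enough: a label can sit between the bounds by classification and still fall outside the range because of a compartment the upper bound does not hold.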
Always check the label range on a device special file before using the Trusted Solaris interfaces to allocate a device and route input to the device. The input routed to the device should be within the label range of the device-special file.