Trusted Solaris Developer's Guide

Communication Endpoints

The Trusted Solaris environment supports interprocess communication over communication endpoints using the socket-based mechanisms described below: Berkeley sockets, the Transport Layer Interface (TLI), the Trusted Security Information Exchange (TSIX) library, and remote procedure calls (RPC).

This section summarizes the socket communication mechanisms and related security policy. See the appropriate man page for specific information on security policy and applicable privileges.

Multilevel Ports

The Trusted Solaris environment supports single-level and multilevel ports. A multilevel port can receive data at any sensitivity label, and a single-level port can receive data at a designated sensitivity label only.

See "Client-Server Application" in Chapter 12, Trusted Security Information Exchange Library for a short example application that establishes a multilevel port connection using Berkeley sockets and the TSIX library.


Note -

If a connection is multilevel, make sure the application does not establish the connection at one sensitivity label and then send or receive data at a different sensitivity label. Doing so can deliver data to a destination that is not authorized to receive it.


Sockets and TLI

The Trusted Solaris environment supports network communication using Berkeley sockets and Transport Layer Interface (TLI) over single-level and multilevel ports. The UNIX address family of system calls establishes process-to-process connections on the same host using a special file specified with a fully resolved pathname. The internet address family of system calls establishes process-to-process connections across the network using IP addresses and port numbers.

The PAF_DISKLESS_BOOT process attribute flag supports diskless boot servers. When this flag is on, the security attribute information in network packet headers is not sent. Getting and setting process attribute flags is covered in Chapter 2, Getting Started.

UNIX Address Family

In the UNIX address family of interfaces, only one server bind can be established to a single file. The server process needs the net_mac_read privilege in its effective set if a multilevel port connection is desired. If a single-level port connection is made instead, the server process needs mandatory read-equal access to the socket, and the client process needs mandatory write-equal access. Both processes need mandatory and discretionary access to the file. If access to the file is denied, the process denied access needs the appropriate file privilege in its effective set to gain access.

A server process can establish multiple single-level binds with files of the same name residing in different SLDs within the same MLD. This approach differs from a multilevel port connection in that it sets up parallel single-level port connections (polyinstantiated ports) and does not require privilege unless mandatory or discretionary access is denied to the specified single-level directory. See Chapter 7, Multilevel Directories.
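The following is an added example, not code from the Trusted Solaris guide, showing the polyinstantiated-port arrangement just described in portable C: one AF_UNIX listening socket per label, each bound to the same file name in a different directory. The two per-label directories and the label names CONFIDENTIAL and SECRET are constructed stand-ins for the SLDs of one MLD (on Trusted Solaris the SLD is selected by the process label, not by directory name, and no privilege is needed unless access to the SLD is denied). The point a practitioner should take away is that because each port is single-level, the server knows the label of every connection from which socket it arrived on, so the label confusion the earlier Note warns about on multilevel connections cannot arise.

```c
/* Parallel single-level AF_UNIX ports (polyinstantiated ports): one listening
 * socket per label, each bound to the SAME file name in a DIFFERENT directory.
 * The per-label directories stand in for the SLDs of one MLD (constructed for
 * this example; on Trusted Solaris the SLD is chosen by the process label). */
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <poll.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SOCK_NAME "service.sock"   /* the same name in every SLD */
#define NLABELS 2
/* Constructed label names; a real system would carry bslabel_t values. */
static const char *const labels[NLABELS] = { "CONFIDENTIAL", "SECRET" };

struct sl_port {
    int fd;               /* listening socket for this one label */
    const char *label;    /* the single label this port is bound at */
    char path[104];       /* fits in sockaddr_un.sun_path */
};

/* Create a scratch directory standing in for the MLD; returns 0 on success. */
int make_mld(char *buf, size_t len)
{
    snprintf(buf, len, "/tmp/mld_%ld", (long)getpid());
    return (mkdir(buf, 0700) == 0 || errno == EEXIST) ? 0 : -1;
}

/* Bind one single-level port per label; only one bind per file is allowed,
 * so any stale socket file is removed first. Returns 0 on success. */
int bind_polyinstantiated(const char *mld, struct sl_port *ports, int n)
{
    for (int i = 0; i < n; i++) {
        char sld[128];
        struct sockaddr_un sa;
        snprintf(sld, sizeof sld, "%s/%s", mld, labels[i]);   /* stand-in SLD */
        if (mkdir(sld, 0700) != 0 && errno != EEXIST) return -1;
        snprintf(ports[i].path, sizeof ports[i].path, "%s/%s", sld, SOCK_NAME);
        unlink(ports[i].path);
        ports[i].fd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (ports[i].fd < 0) return -1;
        memset(&sa, 0, sizeof sa);
        sa.sun_family = AF_UNIX;
        strncpy(sa.sun_path, ports[i].path, sizeof sa.sun_path - 1);
        if (bind(ports[i].fd, (struct sockaddr *)&sa, sizeof sa) != 0) return -1;
        if (listen(ports[i].fd, 5) != 0) return -1;
        ports[i].label = labels[i];
    }
    return 0;
}

/* Wait up to timeout_ms for one client on any port, answer it with the label
 * of the port it arrived on, and return that label (NULL on timeout/error).
 * The label comes from the socket, never from the data, so it cannot drift. */
const char *serve_one(struct sl_port *ports, int n, int timeout_ms)
{
    struct pollfd pfd[NLABELS];
    for (int i = 0; i < n; i++) { pfd[i].fd = ports[i].fd; pfd[i].events = POLLIN; }
    if (poll(pfd, n, timeout_ms) <= 0) return NULL;
    for (int i = 0; i < n; i++) {
        if (!(pfd[i].revents & POLLIN)) continue;
        int c = accept(ports[i].fd, NULL, NULL);
        if (c < 0) return NULL;
        if (write(c, ports[i].label, strlen(ports[i].label)) < 0) { close(c); return NULL; }
        close(c);
        return ports[i].label;
    }
    return NULL;
}

/* Client side: connect to the socket file visible in the caller's own SLD. */
int client_connect(const char *path)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); return -1; }
    return fd;
}

/* Read the server's reply into buf as a C string; returns bytes read or -1. */
int read_reply(int fd, char *buf, size_t len)
{
    ssize_t r = read(fd, buf, len - 1);
    close(fd);
    if (r < 0) return -1;
    buf[r] = '\0';
    return (int)r;
}

int main(void)
{
    struct sl_port ports[NLABELS];
    char mld[64], reply[64];
    if (make_mld(mld, sizeof mld) != 0 || bind_polyinstantiated(mld, ports, NLABELS) != 0)
        return 1;
    /* A client that sees only the SECRET SLD connects to "its" service.sock ... */
    int c = client_connect(ports[1].path);
    /* ... and the server learns the label from which port fired, not from the data. */
    const char *l = serve_one(ports, NLABELS, 1000);
    read_reply(c, reply, sizeof reply);
    printf("served at %s, client read %s\n", l, reply);
    return 0;
}
```

The client connect() completes against the listen backlog before the server calls accept(), which is why the single-process walk-through in main() works without forking. Contrast this with a single multilevel port, where the server would have to read the label off each incoming message (for example with the TSIX library) and keep it with the connection for the reply.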

Internet Address Family

In the internet address family, the process can establish a single-level or multilevel connection on privileged or unprivileged port numbers. To use a privileged port number, the process needs the net_priv_addr privilege in its effective set; if the port is to be multilevel, it also needs the net_mac_read privilege.

TSIX

The Trusted Security Information Exchange (TSIX) library provides interfaces for receiving security attributes on incoming messages, and changing security attributes on outgoing messages. A message initially has the security attribute information of its sending process. The TSIX library lets you change security attributes directly on the message, on the communication endpoint over which the message is sent, or both. See Chapter 12, Trusted Security Information Exchange Library for the programming interfaces and related privileges.

RPC

The Trusted Solaris environment remote procedure call (RPC) mechanism is built on Berkeley internet sockets and the Trusted Security Information Exchange (TSIX) library, and supports Transport Layer Interface (TLI). RPC allows a server process to invoke a procedure on behalf of a client process and handle security attribute information on the message. See Chapter 13, Remote Procedure Calls for a description of the RPC programming interfaces and related privileges.