Sockets and TLI

The Trusted Solaris environment supports network communication using Berkeley sockets and Transport Layer Interface (TLI) over single-level and multilevel ports. The UNIX address family of system calls establishes process-to-process connections on the same host using a special file specified with a fully resolved pathname. The internet address family of system calls establishes process-to-process connections across the network using IP addresses and port numbers.

The PAF_DISKLESS_BOOT process attribute flag supports diskless boot servers. When this flag is on, the security attribute information in network packet headers is not sent. Getting and setting process attribute flags is covered in Chapter 2, Getting Started.

UNIX Address Family

In the UNIX address family of interfaces, only one server bind can be established to a single file. The server process needs the net_mac_read privilege in its effective set if a multilevel port connection is desired. If a single-level port connection is made instead, the server process needs mandatory read-equal access to the socket, and the client process needs mandatory write-equal access. Both processes need mandatory and discretionary access to the file. If access to the file is denied, the process denied access needs the appropriate file privilege in its effective set to gain access.

A server process can establish multiple single-level binds with files of the same name residing in different SLDs within the same MLD. This approach differs from a multilevel port connection in that it sets up parallel single-level port connections (polyinstantiated ports) and does not require privilege unless mandatory or discretionary access is denied to the specified single-level directory. See Chapter 7, Multilevel Directories.

Internet Address Family

In the internet address family, the process can establish a single-label or multilabel connection to privileged or unprivileged port numbers. To connect to privileged port numbers, the net_priv_addr privilege is required in addition to the net_mac_read privilege if a multilevel port connection is desired.