Trusted Solaris Developer's Guide

Security Attributes on Communication Endpoints

The first part of this example sets only the sensitivity label security attribute specified in sendattrs on the communication endpoint by using a different mask (endptmask) with sendattrs. This way, when a privileged process sends a message over the communication endpoint using a form of transmission other than the t6sendto(3NSL) routine, or using the t6sendto(3NSL) routine with an attribute set that does not specify the sensitivity label, the sensitivity label is picked up from the communication endpoint. Because the process setting security attributes on the communication endpoint is running at Secret, it needs the net_upgrade_sl privilege in its effective set. The code comments indicate where privilege bracketing, as described in Chapter 3, Privileges, should take place.

The next statements change the mask on the communication endpoint to sendmask, retrieve the endpoint mask and put it in getmask, allocate getattrs to hold a clearance, and get the binary clearance from the communication endpoint defaults and store it in getattrs.

Security attributes on the communication endpoint override the attributes acquired from the sending process. The security attributes on the message override the attributes from the communication endpoint.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <tsix/t6attrs.h>
#include <tsol/label.h>
#include <tsol/priv.h>

int
main(void)
{
	t6mask_t sendmask, endptmask, getmask;
	int sock, retval;
	t6attr_t sendattrs, getattrs;

	/* Allocate an attribute block able to hold a sensitivity label and a clearance */
	sendmask = T6M_SL | T6M_CLEARANCE;
	sendattrs = t6alloc_blk(sendmask);
	/* The sensitivity label in sendattrs is filled in by the first part of the example (not shown here) */

	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		perror("socket");
		exit(1);
	}

	/* Initialize a mask with only the sensitivity label field */
	endptmask = T6M_SL;

	/* Privilege bracketing: turn net_upgrade_sl on in the effective set */
	set_effective_priv(PRIV_ON, 1, PRIV_NET_UPGRADE_SL);

	/* Set only the attribute in sendattrs indicated by endptmask on the endpoint */
	/* (t6attr_t is itself a pointer to the attribute block, so it is passed directly) */
	retval = t6set_endpt_default(sock, endptmask, sendattrs);

	/* Privilege bracketing: turn net_upgrade_sl off again as soon as it is no longer needed */
	set_effective_priv(PRIV_OFF, 1, PRIV_NET_UPGRADE_SL);
	printf("t6set_endpt_default return val: %d\n", retval);

	/* Change the endpoint mask to a different mask */
	retval = t6set_endpt_mask(sock, sendmask);
	printf("t6set_endpt_mask return val: %d\n", retval);

	/* Get the current endpoint mask */
	retval = t6get_endpt_mask(sock, &getmask);
	printf("t6get_endpt_mask return val: %d\n", retval);

	/* Get the default clearance on the endpoint */
	getmask = T6M_CLEARANCE;
	getattrs = t6alloc_blk(getmask);
	retval = t6get_endpt_default(sock, &getmask, getattrs);
	printf("t6get_endpt_default return val: %d\n", retval);

	/* Release the attribute blocks and the socket */
	t6free_blk(getattrs);
	t6free_blk(sendattrs);
	close(sock);
	return 0;
}
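To make the precedence rules above concrete, here is an added, constructed C model (not the TSIX t6 library and not the guide's own code) that resolves which sensitivity label and clearance travel with a message when the endpoint default, the endpoint mask, and an optional per-message attribute set are all in play. The mask bits M_SL and M_CLEARANCE and the attrs_t block are assumed stand-ins for T6M_SL, T6M_CLEARANCE and t6attr_t.

```c
/* Constructed model of Trusted Solaris attribute precedence (not the TSIX
 * library): message attributes override endpoint defaults, which override
 * the sending process, and each level contributes only the fields that
 * its mask selects and that it actually carries. */
#include <string.h>

#define M_SL        0x1u   /* sensitivity label, stands in for T6M_SL */
#define M_CLEARANCE 0x2u   /* clearance, stands in for T6M_CLEARANCE */
typedef unsigned int mask_t;

/* Simplified attribute block; label names stand in for binary labels. */
typedef struct {
    mask_t present;     /* fields this block actually carries */
    char sl[24];
    char clearance[24];
} attrs_t;

static void take_field(attrs_t *dst, const attrs_t *src, mask_t bit)
{
    if (bit == M_SL) strcpy(dst->sl, src->sl);
    else strcpy(dst->clearance, src->clearance);
    dst->present |= bit;
}

/* Resolve the attributes that travel with one message.  msg may be NULL,
 * meaning the message carried no explicit attribute set (e.g. plain write()). */
attrs_t resolve_attrs(const attrs_t *proc, const attrs_t *endpt, mask_t endpt_mask,
                      const attrs_t *msg, mask_t msg_mask)
{
    attrs_t out = {0, "", ""};
    const mask_t bits[] = { M_SL, M_CLEARANCE };
    for (size_t i = 0; i < 2; i++) {
        mask_t b = bits[i];
        if (msg != NULL && (msg_mask & b) && (msg->present & b))
            take_field(&out, msg, b);        /* message attribute wins */
        else if ((endpt_mask & b) && (endpt->present & b))
            take_field(&out, endpt, b);      /* endpoint default next */
        else if (proc->present & b)
            take_field(&out, proc, b);       /* fall back to the process */
    }
    return out;
}
```

With the page's scenario (process at SECRET, endpoint default label set under a mask of only M_SL) a message sent without its own label picks up the endpoint's label, while the clearance still comes from the process.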