This example sets up new sensitivity label and clearance attribute values to send with msg. It does so in the following steps:
Defining a mask, sendmask, with only the sensitivity label and clearance defined.
Allocating the security attribute structure sendattrs with sendmask so the attribute structure has room only for these two attributes.
Setting the attribute values of Top Secret for the sensitivity label and clearance in sendattrs.
Setting up communications over a communication endpoint.
Sending msg with the security attributes over the communication endpoint.
Because the process sending msg is at Confidential, it needs the net_setclr and net_upgrade_sl privileges in its effective set to change the clearance and sensitivity label. The new sensitivity label and clearance override the sensitivity label and clearance msg received from its sending process. The code comments indicate where privilege bracketing as described in Chapter 3, Privileges should take place.
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <tsix/t6attrs.h>
    #include <label.h>

    int main(void)
    {
        int retval, sock, error;
        t6attr_t sendattrs;
        t6mask_t sendmask;
        char *msg = "Hello World!";
        bslabel_t senslabel;
        bclear_t clearance;
        struct sockaddr_in sin;

        /* Initialize a mask with the sensitivity label and */
        /* process clearance security attribute fields */
        sendmask = T6M_SL | T6M_CLEARANCE;

        /* Allocate space for the security attribute structure */
        /* using the mask so only the space needed is allocated */
        sendattrs = t6alloc_blk(sendmask);

        /* Initialize senslabel and clearance to Top Secret */
        stobsl("TOP SECRET", &senslabel, NEW_LABEL, &error);
        stobclear("TOP SECRET", &clearance, NEW_LABEL, &error);

        /* Set attribute values for the security attribute fields */
        /* to be sent with the message */
        retval = t6set_attr(T6_SL, &senslabel, sendattrs);
        printf("Retval1 = %d\n", retval);
        retval = t6set_attr(T6_CLEARANCE, &clearance, sendattrs);
        printf("Retval2 = %d\n", retval);

        /* Set up socket communications */
        /* ... */

        /* Send changed security attributes with the message */
        /* Turn net_setclr and net_upgrade_sl on in the effective set */
        /* sizeof(msg) is the size of the pointer msg, not the string length */
        retval = t6sendto(sock, msg, sizeof(msg), 0,
            (struct sockaddr *) &sin, sizeof(sin), &sendattrs);
        /* Turn off the net_setclr and net_upgrade_sl privileges */
        printf("Retval3 = %d bytes\n", retval);
        return 0;
    }
The printf statements print the following:
    Retval1 = 0
    Retval2 = 0
    Retval3 = 4 bytes
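The privilege bracketing that the code comments mark around the send, as a self-contained model added here for illustration; it is not Trusted Solaris or TSIX code. The numeric levels, struct proc, privs_needed, model_send and bracketed_send are hypothetical, labels are reduced to a single integer without compartments, and the sender's clearance is assumed to be Confidential like its sensitivity label.

```c
/* Constructed model for illustration; not Trusted Solaris kernel or TSIX code. */
#include <stdio.h>

/* Hypothetical numeric levels; real labels also carry compartments. */
enum { CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };
/* Model bits for the two privileges the page names. */
enum { P_NET_SETCLR = 1 << 0, P_NET_UPGRADE_SL = 1 << 1 };

struct proc  { int sl, clearance; unsigned permitted, effective; };
struct attrs { int sl, clearance; };

/* Privileges the model requires before p may send with attributes a. */
unsigned privs_needed(const struct proc *p, const struct attrs *a)
{
    unsigned need = 0;
    if (a->sl > p->sl)                need |= P_NET_UPGRADE_SL; /* label raised */
    if (a->clearance != p->clearance) need |= P_NET_SETCLR;     /* clearance changed */
    return need;
}

/* Stand-in for the send: len on success, -1 if a needed privilege is not effective. */
int model_send(const struct proc *p, const struct attrs *a, int len)
{
    unsigned need = privs_needed(p, a);
    return ((p->effective & need) == need) ? len : -1;
}

/* Bracketing: raise only what is needed, send, restore the old set on every path. */
int bracketed_send(struct proc *p, const struct attrs *a, int len)
{
    unsigned need = privs_needed(p, a), saved = p->effective;
    int r;
    if ((p->permitted & need) != need)
        return -1;                 /* privilege cannot be raised at all */
    p->effective |= need;          /* privileges on */
    r = model_send(p, a, len);
    p->effective = saved;          /* privileges off again */
    return r;
}

int main(void)
{
    struct proc p = { CONFIDENTIAL, CONFIDENTIAL, P_NET_SETCLR | P_NET_UPGRADE_SL, 0 };
    struct attrs ts = { TOP_SECRET, TOP_SECRET };
    int r = bracketed_send(&p, &ts, 4);
    printf("unbracketed: %d\n", model_send(&p, &ts, 4));
    printf("bracketed:   %d, effective after: %u\n", r, p.effective);
    return 0;
}
```

In the model, the effective set is empty again as soon as the send returns, so the two privileges are held only for the one call that needs them.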