MAC-Exempt Sockets

The Trusted Extensions software provides an explicit socket option, SO_MAC_EXEMPT, to specify that the socket can be used to communicate with an endpoint at a lower label.

The SO_MAC_EXEMPT socket option must never be used unintentionally. Use extreme caution when using this socket option to disable MAC policy. When you must use this mechanism, ensure that your client application enforces MAC policy.

The Trusted Extensions software restricts the use of the SO_MAC_EXEMPT option in these ways:

• To explicitly set the socket option, a process must assert the net_mac_aware privilege.

• To further restrict the use of this socket option, the net_mac_aware privilege can be removed from the limit set for ordinary users.

See the user_attr(4) man page for details.

Sometimes, explicitly setting the socket option is not practical, such as when the socket is managed by a library. In such circumstances, the socket option can be set implicitly. The setpflags() system call enables you to set the NET_MAC_AWARE process flag. Setting this process flag also requires the net_mac_aware privilege. All sockets that are opened while the process flag is enabled automatically have the SO_MAC_EXEMPT socket option set. See the setpflags(2) and getpflags(2) man pages.

For applications that cannot be modified or recompiled, use the ppriv -M command to pass the net_mac_aware process flag to the application. In this case, all sockets that are opened by the application have the SO_MAC_EXEMPT option set. However, child processes of the application do not have this process flag or the related privilege.

Whenever you can, scrutinize and modify the source code of an application when you need to use the SO_MAC_EXEMPT socket option. If you cannot make such modifications to the code or if a safer method is not available to you, you may use the ppriv -M command.

The SO_MAC_EXEMPT socket option has been used sparingly by the Oracle Solaris OS. This option has been used by the NFS client. An NFS client might need to communicate with an NFS server that runs at a different label on an untrusted operating system. The NFS client enforces MAC policy to ensure that inappropriate requests are not granted.

In the Oracle Solaris OS, both the NFS server and client code include and enforce MAC policy so that communications between the Oracle Solaris client or server and an untrusted client or server has MAC policy enabled. To enable an untrusted host to communicate with a system that runs Trusted Extensions, the untrusted host must have an entry in the tnrhdb database. For more information, see Configuring Trusted Network Databases (Task Map) in Oracle Solaris Trusted Extensions Administrator’s Procedures.

For examples of how the Trusted Extensions APIs are used in the Oracle Solaris OS, see the Oracle Solaris source code. Go to the OpenSolaris web site and click Source Browser in the left navigation bar. Use the Source Browser to search through the Oracle Solaris source code.