The printing service is designed to work in labeled and unlabeled environments. Therefore, the printing application must determine when the label of a remote host should be requested and whether the label should be applied. The printing process first checks its own environment. Is the process running in a label-aware environment?
Note that the application does not first determine whether the remote request is labeled. Instead, the printing application determines if its own environment is labeled. If the application is not running on a labeled host, the MAC policy prevents the printing application from receiving labeled requests.
The printing service uses the is_system_labeled() function to determine whether the process is running in a labeled environment. For information about this function, see the is_system_labeled(3C) man page.
This code excerpt shows how to determine whether the application is running in a labeled environment:
    if (is_system_labeled()) {
        ucred_t *uc = NULL;
        m_label_t *sl;
        char *pslabel = NULL; /* peer's slabel */

        if ((fd < 0) || (slabel == NULL)) {
            errno = EINVAL;
            return (-1);
        }
If the printing adapter process is running on a system configured with Trusted Extensions, the is_system_labeled() function obtains the ucred_t credential abstraction from the remote process. The ucred_t data structure for the remote process and the peer's label are then set to NULL. The functions that return values for the credential and the peer's label fill the data structures. These data structures are discussed in the following sections.
See get_peer_label() Label-Aware Function to view the source of the entire get_peer_label() routine.
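The following is an added example, not the guide's get_peer_label() source. It shows the ordering described above: the process checks its own environment first and asks for the peer's credential and label only on a labeled host. The name peer_label_if_labeled and the non-Solaris stub for is_system_labeled() are assumptions made so the code also builds off Solaris; getpeerucred(), ucred_getlabel(), ucred_free() and label_to_str() are Solaris library calls that do not appear in the excerpt.

```c
#include <errno.h>
#include <stddef.h>

#if defined(__sun)
#include <ucred.h>
#include <tsol/label.h>
#else
/* Assumption: no Trusted Extensions off Solaris, so report "unlabeled". */
static int is_system_labeled(void) { return (0); }
#endif

/*
 * peer_label_if_labeled() is a hypothetical name for this example.
 * Returns 0 on success, -1 with errno set on error. On success *slabel
 * is NULL on an unlabeled host; on a labeled host it is the peer's label
 * as an internal-form string that the caller releases with free().
 */
int
peer_label_if_labeled(int fd, char **slabel)
{
	(void) fd;			/* unused in the non-Solaris build */
	if (slabel == NULL) {
		errno = EINVAL;
		return (-1);
	}
	*slabel = NULL;

	/* Check our own environment first, not the incoming request. */
	if (!is_system_labeled())
		return (0);
#if defined(__sun)
	{
		ucred_t *uc = NULL;	/* peer credential, filled below */
		m_label_t *sl;
		char *pslabel = NULL;	/* peer's label as a string */

		if (fd < 0) {
			errno = EINVAL;
			return (-1);
		}
		if (getpeerucred(fd, &uc) == -1)
			return (-1);
		sl = ucred_getlabel(uc);
		if (sl == NULL ||
		    label_to_str(sl, &pslabel, M_INTERNAL, DEF_NAMES) != 0) {
			ucred_free(uc);	/* release the credential on every path */
			return (-1);
		}
		ucred_free(uc);
		*slabel = pslabel;
	}
#endif
	return (0);
}
```

A NULL label with a return value of 0 tells the caller that the host is unlabeled, so the request is handled without any label processing.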