Solaris Trusted Extensions Developer's Guide

Multilevel Ports

Caution – Caution –

Use extreme caution when using a multilevel port to violate MAC policy. When you must use this mechanism, ensure that your server application enforces MAC policy.

Multilevel ports (MLPs) are listed in the tnzonecfg administrative database. Processes within the zone can bind to MLPs if these processes assert the net_bindmlp privilege. If the port number is less than 1024, the net_privaddr privilege must also be asserted. Such bindings allow a process to accept connections at all labels that are associated with the IP addresses to which the process is bound. The labels that are associated with a network interface are specified in the tnrhdb database and the tnrhtp database. The labels can be specified by a range, by a set of explicit enumerated labels, or by a combination of both.

When a privileged process that is bound to an MLP receives a TCP request, the reply is automatically sent with the label of the requester. For UDP datagrams, the reply is sent with the label that is specified by the SO_RECVUCRED option.

The privileged process can implement a more restrictive MAC policy by comparing the label of the request to other parameters. For example, a web server could compare the label of the requesting process with the label of the file specified in the URL. The remote label can be determined by using the getpeerucred() function, which returns the credentials of the remote peer. If the peer is running in a zone on the same host, the ucred_get() library routine returns a full set of credentials. Regardless of whether the peer is local or remote, the label of the peer is accessible from the ucred data structure by using the ucred_getlabel() function. This label can be compared with other labels by using functions such as bldominates().

A zone can have single-level ports and multilevel ports. See Multilevel Port Information.