Trusted Solaris Developer's Guide

Check Accreditation Range

Use the blinset() routine to check whether a sensitivity label is within the system or user accreditation range. The system accreditation range is all the labels valid for the system, including ADMIN_HIGH and ADMIN_LOW. The classification and compartments of all sensitivity labels processed by a system must dominate the minimum sensitivity label of the system accreditation range and be dominated by the maximum sensitivity label of the system accreditation range. The system administrator defines the system accreditation range in the label_encodings(4) file.

The user accreditation range is all the sensitivity labels valid for a user and never includes ADMIN_HIGH or ADMIN_LOW. The classification and compartments of all sensitivity labels assigned to a user must dominate the minimum sensitivity label of the system accreditation range and be dominated by the maximum sensitivity label of the system accreditation range. The system administrator assigns the sensitivity label range (user accreditation range) to users and roles through the administrative user interface.

In this example, the sensitivity label is checked against the system accreditation range (id.type = SYSTEM_ACCREDITATION_RANGE) and the user accreditation range (id.type = USER_ACCREDITATION_RANGE).

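#include <stdio.h>
#include <tsol/label.h>

int main(void)
{
	char *string = "CONFIDENTIAL", *string1 = "UNCLASSIFIED";
	int sysval, userval, error, retval;
	bslabel_t senslabel;
	set_id id;

	/* Translate the text label into a binary sensitivity label */
	retval = stobsl(string, &senslabel, NEW_LABEL, &error);

	/* Check the label against the system accreditation range */
	id.type = SYSTEM_ACCREDITATION_RANGE;
	sysval = blinset(&senslabel, &id);

	/* Check the same label against the user accreditation range */
	id.type = USER_ACCREDITATION_RANGE;
	userval = blinset(&senslabel, &id);

	printf("System Range? = %d User Range? = %d\n", sysval, userval);
	return 0;
}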

The printf statement prints the following. A value of 1 indicates that the sensitivity label is within range. A value of 0 indicates one of the following: the sensitivity label is not a valid label, the label is not in the specified range, or the calling process's sensitivity label does not dominate the sensitivity label and the calling process does not have the sys_trans_label privilege in its effective set.


System Range? = 1 User Range? = 1
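
The dominance bounds described above (a label must dominate the range minimum and be dominated by the range maximum) can be modeled in a few lines of portable C. This is an added illustration, not code from the guide or from the Trusted Solaris label library; the model_label type, the function names, and the classification and compartment values are all constructed for the example. The real decision is made by blinset() using the label_encodings(4) file.

```c
/* Added illustration: a simplified model of label dominance.
 * All names and values here are hypothetical, not part of <tsol/label.h>. */
#include <stdint.h>
#include <stdio.h>

/* Model label: a classification level plus a set of compartment bits. */
typedef struct {
	int      cls;    /* higher value = more sensitive */
	uint32_t comps;  /* one bit per compartment */
} model_label;

/* a dominates b when a's classification is at least b's and
 * a's compartments include every compartment of b. */
static int dominates(const model_label *a, const model_label *b)
{
	return a->cls >= b->cls && (a->comps & b->comps) == b->comps;
}

/* Bounds test: label dominates the minimum and is dominated by the maximum. */
static int within_bounds(const model_label *l, const model_label *min,
    const model_label *max)
{
	return dominates(l, min) && dominates(max, l);
}

/* Constructed sample range and labels. */
#define COMP_A 0x1u
#define COMP_B 0x2u
static const model_label range_min = { 1, 0 };       /* e.g. UNCLASSIFIED */
static const model_label range_max = { 5, COMP_A };  /* e.g. SECRET A */
static const model_label conf      = { 4, 0 };       /* CONFIDENTIAL */
static const model_label conf_b    = { 4, COMP_B };  /* CONFIDENTIAL B */
static const model_label above_max = { 6, 0 };       /* above the maximum */

int main(void)
{
	/* conf is inside the bounds. conf_b is rejected even though its
	 * classification is below the maximum, because compartment B is
	 * not in the maximum: the two labels are incomparable. */
	printf("conf=%d conf_b=%d above_max=%d\n",
	    within_bounds(&conf, &range_min, &range_max),
	    within_bounds(&conf_b, &range_min, &range_max),
	    within_bounds(&above_max, &range_min, &range_max));
	return 0;
}
```

Because dominance is a partial order, a label can fail the bounds test without being "higher" than the maximum, which is why the check compares compartments as well as classifications.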