The Trusted Solaris environment enforces mandatory access controls and discretionary access controls between communicating processes on the same host and across the network. This chapter summarizes the interprocess communication (IPC) mechanisms available in the Trusted Solaris environment and how access controls and privileges apply.
Interprocess communications might involve several types of privileges depending on the type of interprocess communication in use. The following guidelines can help you know which type of privilege to use. This chapter and the chapters that follow describe specific privileges in detail. Refer to the priv_desc(4) man page for a complete list of privileges with descriptions.
Access and ownership controls between processes are overridden by process privileges such as proc_mac_read and proc_owner.
Access controls between a process and a file are overridden by file privileges such as file_mac_read and file_dac_write.
Access and ownership controls between a process and a System V IPC object are overridden by IPC privileges such as ipc_mac_read and ipc_owner.
Access and ownership controls between two communication endpoints are overridden by network privileges such as net_mac_read and net_upgrade_sl.
Unnamed pipes form a one-way flow of data between two or more related processes. Because all processes communicating over a pipe share a common ancestor, they all have the same user ID, group ID, and sensitivity label inherited from the ancestor process unless privileges have been used to change those attributes. No mandatory or discretionary access checks are done when a pipe is opened, and no access checks are done for read and writes to a pipe.
If a process with an open pipe uses privilege to change its user ID, group ID, or sensitivity label, subsequent communication over the pipe effectively bypasses discretionary and mandatory access controls and the privileged process must apply its own controls to the communication.
The sensitivity label of the process writing the data is associated with each byte of data in the pipe. See the appropriate man page for specific information on security policy and applicable privileges.
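The following C program is an added illustration, not code from the Trusted Solaris documentation or its libraries. It uses only standard POSIX calls (pipe, fork, kill, waitpid), so it shows the two points above on any POSIX system: the processes on either end of an unnamed pipe carry the user ID and group ID inherited from their common ancestor, and nothing is checked when the pipe is used; and a signal between them passes the discretionary check because the user IDs match. The Trusted Solaris sensitivity-label checks are not modelled. The function name pipe_shares_credentials and the struct creds layout are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Credentials the child reports back over the pipe (example's own layout). */
struct creds {
    uid_t uid;
    gid_t gid;
    pid_t pid;
};

/*
 * Create an unnamed pipe and fork. The child writes its credentials into
 * the pipe; the parent reads them and compares them with its own. No
 * open-time or per-I/O access check is involved: the pipe is usable simply
 * because both ends were inherited from the common ancestor. The parent
 * then signals the child, which the discretionary policy allows because
 * the two processes share a user ID. Returns 1 when the credentials match
 * and the child was terminated by the signal, 0 otherwise.
 */
int pipe_shares_credentials(void)
{
    int fds[2];
    if (pipe(fds) == -1)
        return 0;

    pid_t child = fork();
    if (child == -1) {
        close(fds[0]);
        close(fds[1]);
        return 0;
    }

    if (child == 0) {
        /* Child: make sure SIGTERM still terminates us, close the unused
         * read end, report our credentials, then wait to be signalled. */
        signal(SIGTERM, SIG_DFL);
        close(fds[0]);
        struct creds c = { getuid(), getgid(), getpid() };
        if (write(fds[1], &c, sizeof c) != (ssize_t)sizeof c)
            _exit(1);
        close(fds[1]);
        for (;;)
            pause();
    }

    /* Parent: close the unused write end and read the child's report. */
    close(fds[1]);
    struct creds c;
    ssize_t n = read(fds[0], &c, sizeof c);
    close(fds[0]);

    int same = n == (ssize_t)sizeof c &&
               c.uid == getuid() && c.gid == getgid() && c.pid == child;

    /* Sender and receiver have the same user ID, so kill() is permitted. */
    int signalled = kill(child, SIGTERM) == 0;
    int status = 0;
    waitpid(child, &status, 0);
    int terminated = WIFSIGNALED(status) && WTERMSIG(status) == SIGTERM;

    return same && signalled && terminated;
}

int main(void)
{
    printf("pipe shares credentials and signal delivered: %s\n",
           pipe_shares_credentials() ? "yes" : "no");
    return 0;
}
```

The point of the comparison is what is absent: neither pipe() nor read() nor write() consults a permission bit or a label, which is exactly why a process that changes its identity with privilege after the pipe exists must police the channel itself.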
Named pipes (FIFOs) are similar to unnamed pipes except they are associated with a file system entry that allows unrelated processes to find and open a named pipe for communication. Discretionary and mandatory access controls are enforced when the named pipe is opened and when the FIFO special file is created, based on the named pipe's permission bits and sensitivity label.
The sensitivity label of the process writing the data is associated with each byte of data sent down the pipe. The mandatory access policy for writing to and reading from a named pipe is read-equal and write-equal. See the appropriate man page for specific information on security policy and applicable privileges.
Pseudo-terminal devices (PTYs) are automatically allocated special device files that operate in controller/slave pairs. A process opening one member of a pair communicates with a process opening the other member of the pair. The PTY pair emulates a terminal interface. PTYs are used for cmdtool windows and to support remote login services. Discretionary and mandatory access controls are enforced when the PTY is opened.
If neither the slave nor the controller device is already open, the device special files for both devices are modified to set their user ID and sensitivity label to the opening process's effective user ID and sensitivity label with permission bits initialized to 600.
If either the slave or the controller device is already open, discretionary and mandatory access controls use the user ID, permission bits, and sensitivity label already set on the device special file.
Data written to the controller device is read from the slave device after undergoing terminal input processing such as erase/kill. Data written to the slave device is read from the controller device after undergoing terminal output processing such as NL to CR-LF translation. The mandatory access policy to read from and write to a PTY is read-down and write-up. See the appropriate man page for specific information on security policy and applicable privileges.
Signals inform processes of asynchronous events. Discretionary access policy requires the sender's real or effective user ID to equal the receiver's real or effective user ID. The mandatory access policy is read-down and write-up. See the appropriate man page for specific information on security policy and applicable privileges.
Process tracing is a debugging tool where one process manipulates the contents of another process by doing such things as reading from and writing to its address space and registers, altering its flow of control, and setting breakpoints. The discretionary access policy requires the effective user IDs of the processes to be equal. The mandatory access policy for manipulating the contents of another process is read-equal and write-equal. See the appropriate man page for specific information on security policy and applicable privileges.
Mapped memory allows a process to map part or all of a file's contents into its address space. Once the file has been mapped, direct addressing of the file's contents is done through machine instruction accesses to the mapped memory region. A process can map multiple files, and the same file can be mapped into multiple processes.
Discretionary and mandatory access checks are performed when the file is opened. If a file is opened for read only, it may be mapped for reading only even when the file's attributes permit write access. See the appropriate man page for specific information on security policy and applicable privileges.
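The following C program is an added example, not code from the Trusted Solaris documentation. It demonstrates the open-time rule with standard POSIX calls (open, mmap, msync, pread): a file whose permission bits allow writing is opened read-only, and a shared writable mapping is refused with EACCES, while the same request on a read-write descriptor is granted and a store through the mapping reaches the file. The sensitivity-label check that Trusted Solaris adds at open time is not modelled. The helper make_sample_file, the function try_shared_write_mapping, the temporary path and the file contents are this example's own constructions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>

/* Constructed sample file contents. */
static const char sample[] = "constructed sample contents\n";

/* Create a temporary file holding `sample` with mode 0644, so the owner is
 * allowed to write it. `path` is a mkstemp template; the result is written
 * back into it. Returns 0 on success, -1 on failure. */
static int make_sample_file(char *path)
{
    int fd = mkstemp(path);
    if (fd == -1)
        return -1;
    if (write(fd, sample, sizeof sample) != (ssize_t)sizeof sample ||
        fchmod(fd, 0644) == -1) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return 0;
}

/*
 * Open the sample file with `open_flags` (O_RDONLY or O_RDWR) and request
 * a shared writable mapping. Returns 1 if the mapping is granted and a
 * write through it reaches the file, 0 if the mapping is refused with
 * EACCES because the descriptor is read-only, and -1 on any other error.
 * A read-only mapping is checked as well; it must work in both cases.
 */
int try_shared_write_mapping(int open_flags)
{
    char path[] = "/tmp/mmap_demo_XXXXXX";
    if (make_sample_file(path) == -1)
        return -1;

    int result = -1;
    int fd = open(path, open_flags);
    if (fd != -1) {
        /* Read-only mapping: allowed whenever the file is open for reading. */
        void *ro = mmap(NULL, sizeof sample, PROT_READ, MAP_SHARED, fd, 0);
        int ro_ok = ro != MAP_FAILED && memcmp(ro, sample, sizeof sample) == 0;
        if (ro != MAP_FAILED)
            munmap(ro, sizeof sample);

        /* Shared writable mapping: the descriptor's open mode decides, not
         * the file's permission bits. */
        errno = 0;
        void *rw = mmap(NULL, sizeof sample, PROT_READ | PROT_WRITE,
                        MAP_SHARED, fd, 0);
        if (rw != MAP_FAILED) {
            ((char *)rw)[0] = 'C';           /* store through the mapping */
            msync(rw, sizeof sample, MS_SYNC);
            char first = 0;
            int reached = pread(fd, &first, 1, 0) == 1 && first == 'C';
            result = (ro_ok && reached) ? 1 : -1;
            munmap(rw, sizeof sample);
        } else if (errno == EACCES) {
            result = ro_ok ? 0 : -1;
        }
        close(fd);
    }
    unlink(path);
    return result;
}

int main(void)
{
    /* Expected: O_RDONLY -> 0 (refused with EACCES), O_RDWR -> 1 (granted). */
    printf("O_RDONLY: %d\n", try_shared_write_mapping(O_RDONLY));
    printf("O_RDWR:   %d\n", try_shared_write_mapping(O_RDWR));
    return 0;
}
```

Because the decision is taken once, at open time, a reviewer checking how a program handles mapped files should look at the open flags rather than at the mapping calls: a descriptor opened O_RDONLY cannot be turned into a write path to the file by mapping it.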
The Trusted Solaris environment supports System V IPC and provides additional interfaces for managing the CMW label, sensitivity label, and Access Control List (ACL) on System V IPC objects.
The sensitivity label of the process creating the System V IPC object is associated with each byte of data written to the object. The mandatory access policy is read-equal and write-equal. Privileged processes can access System V IPC objects at sensitivity labels other than the process sensitivity label. Chapter 11, System V Interprocess Communication describes the interfaces, security policy, and privileges for System V IPC objects.
The Trusted Solaris environment supports interprocess communication over communication endpoints using the following socket-based mechanisms:
Multilevel Ports
Berkeley sockets
Transport Layer Interface (TLI)
Trusted Information Exchange (TSIX) library
Remote Procedure Calls (RPC)
This section summarizes the socket communication mechanisms and related security policy. See the appropriate man page for specific information on security policy and applicable privileges.
The Trusted Solaris environment supports single-level and multilevel ports. A multilevel port can receive data at any sensitivity label, and a single-level port can receive data at a designated sensitivity label only.
Single-level port - A communication channel is established between two unprivileged applications. The sensitivity label of the communication endpoints must be equal.
Multilevel port - A communication channel is established between an application with net_mac_read in its effective set and any number of unprivileged applications running at different sensitivity labels. The application with net_mac_read in the effective set of its process can receive all data from the applications regardless of the receiving application's sensitivity label or process clearance. A multilevel communication channel cannot be established where there is already a single-level connection.
See "Client-Server Application" in Chapter 12, Trusted Security Information Exchange Library for a short example application that establishes a multilevel port connection using Berkeley sockets and the TSIX library.
If a connection is multilevel, be sure the application does not make a connection at one sensitivity label and send or receive data at another sensitivity label causing data to reach an unauthorized destination.
The Trusted Solaris environment supports network communication using Berkeley sockets and Transport Layer Interface (TLI) over single-level and multilevel ports. The UNIX address family of system calls establishes process-to-process connections on the same host using a special file specified with a fully resolved pathname. The internet address family of system calls establishes process-to-process connections across the network using IP addresses and port numbers.
The PAF_DISKLESS_BOOT process attribute flag supports diskless boot servers. When this flag is on, the security attribute information in network packet headers is not sent. Getting and setting process attribute flags is covered in Chapter 2, Getting Started.
In the UNIX address family of interfaces, only one server bind can be established to a single file. The server process needs the net_mac_read privilege in its effective set if a multilevel port connection is desired. If a single-level port connection is made instead, the server process needs mandatory read-equal access to the socket, and the client process needs mandatory write-equal access. Both processes need mandatory and discretionary access to the file. If access to the file is denied, the process denied access needs the appropriate file privilege in its effective set to gain access.
A server process can establish multiple single-level binds with files of the same name residing in different SLDs within the same MLD. This approach differs from a multilevel port connection in that it sets up parallel single-level port connections (polyinstantiated ports) and does not require privilege unless mandatory or discretionary access is denied to the specified single-level directory. See Chapter 7, Multilevel Directories.
In the internet address family, the process can establish a single-label or multilabel connection to privileged or unprivileged port numbers. To connect to privileged port numbers, the net_priv_addr privilege is required in addition to the net_mac_read privilege if a multilevel port connection is desired.
The Trusted Security Information Exchange (TSIX) library provides interfaces for receiving security attributes on incoming messages, and changing security attributes on outgoing messages. A message initially has the security attribute information of its sending process. The TSIX library lets you change security attributes directly on the message, on the communication endpoint over which the message is sent, or both. See Chapter 12, Trusted Security Information Exchange Library for the programming interfaces and related privileges.
The Trusted Solaris environment remote procedure call (RPC) mechanism is built on Berkeley internet sockets and the Trusted Security Information Exchange (TSIX) library, and supports Transport Layer Interface (TLI). RPC allows a server process to invoke a procedure on behalf of a client process and handle security attribute information on the message. See Chapter 13, Remote Procedure Calls for a description of the RPC programming interfaces and related privileges.