Chapter 11 System V Interprocess Communication

The Trusted Solaris environment supports the System V interprocess communication (IPC) mechanism and provides security features for labeled communications between System V IPC objects and both privileged and unprivileged processes. The chapter covers the following topics:

• "Privileged Operations"

• "Data Types, Header Files, and Libraries "

• "Programming Interface Declarations"

• "Using Shared Memory Labels"

Privileged Operations

System V IPC objects are subject to discretionary and mandatory access controls, and discretionary ownership controls.

A System V IPC object is created from a key and accessed by an object descriptor returned when the IPC object is created. The object descriptor, like a file descriptor, is used for future operations on the object. The sensitivity label of the System V IPC object is the same as the sensitivity label of its creating process unless the creating process has the privilege to create the System V IPC object at a different label. A process can access a System V IPC object at its same sensitivity label unless the process has the privilege to access a System V IPC object at another label. Because keys are qualified by the sensitivity label at which they are created, there can be many objects that use the same key, but no more than one instance of a key (object ID) at a given sensitivity label.

• Message queues allow processes to place messages into a queue where any process can retrieve the message.

• Semaphore sets synchronize processes and are often used to control concurrent access to shared memory regions.

• Shared memory regions allow multiple processes to attach to the same region of memory to access changes to the memory.

Discretionary Access and Ownership Controls

Discretionary access to a System V IPC object is granted or denied according to the read and write modes associated with the object for owner, group, and other in much the same way as file access. System V IPC objects also have the creator user and creator group sets that control attribute change requests. The process that creates a System V IPC object is the owner and can set the discretionary permission bits to any value. To override discretionary access and ownership restrictions, the process needs the ipc_dac_read, ipc_dac_write, or ipc_owner privilege in its effective set, depending on the interface used or operation requested.

Mandatory Access Controls

Unprivileged processes can only refer to System V IPC objects and return an IPC descriptor at the process's correct sensitivity label. This makes the mandatory access controls read-equal and write-equal and eliminates naming and access conflicts when an unmodified base Solaris application using System V IPC runs at multiple sensitivity labels. To override mandatory access restrictions, the process needs the ipc_mac_read or ipc_mac_write privilege in its effective set, depending on the interface used.

You cannot change the sensitivity label once it has been created.

Data Types, Header Files, and Libraries

To use the programming interfaces described in this chapter, you need the following header file:

#include <sys/ipcl.h>

The examples in this chapter compile with the following library:

-ltsol

Labels

Data structures for labels (bclabel_t and bslabel_t) are described in Chapter 4, Labels.

Programming Interface Declarations

These programming interfaces let you manage labels on System V IPC objects. The original unlabeled interfaces are still valid and available. These Trusted Solaris extensions provide access to the label information.

Message Queues

The getmsgqcmwlabel(2) routine gets the message queue CMW label.

The msggetl(2) routine creates a message descriptor at the specified sensitivity label.

See the msgget(2) and msgctl(2) man pages.

 int  getmsgqcmwlabel(int msqid, bclabel_t *cmwlabel);
 int  msggetl(key_t key, int msgflg, bslabel_t *senslabel);

Semaphore Sets

The getsemcmwlabel(2) routine gets the semaphore set CMW label.

The semgetl(2) routine creates a semaphore set at the specified sensitivity label.

 int  getsemcmwlabel(int semid, bclabel_t *cmwlabel);

 int  semgetl(key_t key,
    int nsems,
    int semflg,
    bslabel_t *senslabel);

Shared Memory Regions

The getshmcmwlabel(2) routine gets the shared memory region CMW label.

The shmgetl(2) routine creates a shared memory region at the specified sensitivity label.

 int  getshmcmwlabel(int shmid, bclabel_t *cmwlabel);
 int  shmgetl(key_t key, size_t size, int shmflg, bslabel_t *senslabel);

Using Shared Memory Labels

This example creates an identifier for a shared memory region at Confidential and gets the CMW label on the same shared memory region. The program is running at Top Secret.

 #include <sys/ipc.h>
 #include <sys/types.h>
 #include <tsol/label.h>
 #include <sys/shm.h>

 main()
 {
 	int          id, retval, error, pid;
 	bclabel_t    cmwlabel;
 	bslabel_t    senslabel;
 	char        *string = (char *)0;

 	retval = stobsl("CONFIDENTIAL", &senslabel, NEW_LABEL, &error);

 /* Create shared memory region at Confidential */
 /* Turn ipc_mac_write on in the effective set */
 	id = shmgetl(IPC_PRIVATE, 256, IPC_CREAT|0666, &senslabel);
 /* Turn off ipc_mac_write */

 /* Get CMW label of shared memory region */
 /* Turn ipc_mac_read on in the effective set */
 	retval = getshmcmwlabel(id, &cmwlabel);
 /* Turn off ipc_mac_read */

 /* Print CMW label */
 	bcltos(&cmwlabel, &string, 0, LONG_WORDS);
 	printf("CMW label = %s\n", string);
 }

The printf(1) statement prints the following:

CMW label = UNCLASSIFIED[C]