The examples in this section illustrate the kinds of things you need to think about when a process accesses a file system object for read, write, search, and execute operations.
The process accesses /export/home/heartyann/somefile for reading and writing, and /export/home/heartyann/filetoexec for execution. These files are both protected at Confidential. The process sensitivity label is Secret and the process clearance is Top Secret. Confidential is lower than Secret and Secret is lower than Top Secret.
As shown in the following figure, the path /export/home has a sensitivity label of ADMIN_LOW and the heartyann directory and somefile have a sensitivity label of Confidential.
The process does not own somefile or the directories in somefile's path.
Discretionary access permissions on /export allow the owner and group read, write, and search access; and allow others read and search access (mode 0775).
Discretionary access permissions on /export/home allow the owner read, write, and search access; and allow the group and others read and search access (mode 0755).
Discretionary access permissions on /export/home/heartyann allow the owner and group read, write, and search access; and allow others read and search access (mode 0775).
Discretionary access permissions on somefile allow the owner read and write access; and allow the group and others read access only (mode 0644).
Discretionary access permissions on filetoexec allow the owner read, write, and execute access; and allow the group and others read and execute access (mode 0755).
If the process fails a mandatory or discretionary access check, the program must either report the error or, if it is intended to run with privilege, assert the privilege that overrides the failed check. Check the return value of every system call; a failed check is reported as -1 with errno set, and silently continuing on a closed or invalid file descriptor hides the failure.
See Chapter 4, Labels in "Label Guidelines" for information on handling sensitivity labels when privileges are used to bypass access controls.
The Secret process opens somefile for reading, performs a read operation, and closes the file. The fully adorned pathname is used so somefile in the Confidential /export/home/heartyann single-level directory is accessed.
A fully adorned pathname uses the multilevel directory adornment and specifies precisely which single-level directory is wanted. If a regular pathname were used instead, the Secret single-level directory would be accessed because the process is running at Secret.
See "Adorned Names" for a discussion on fully adorned pathnames. Chapter 7, Multilevel Directories presents interfaces for handling multilevel and single-level directories so fully adorned pathnames are not hardcoded the way they have been for clarity in these examples.
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>

    int
    main(void)
    {
            int     filedes, retval;
            ssize_t size;
            char    readbuf[1024];
            char    *buffer = "Write to File.";
            char    *file = "/export/home/.MLD.heartyann/.SLD.1/filetoexec";
            char    *argv[10] = {"filetoexec"};  /* remaining entries are NULL */

            /* Read somefile in the Confidential single-level directory. */
            filedes = open("/export/home/.MLD.heartyann/.SLD.1/somefile", O_RDONLY);
            if (filedes == -1) {
                    perror("open somefile for reading");
                    exit(1);
            }
            size = read(filedes, readbuf, 29);
            if (size == -1)
                    perror("read somefile");
            retval = close(filedes);
Mandatory access checks on the open(2) system call - The process needs mandatory search access to /export/home/heartyann, and mandatory read access to somefile. The process running at Secret passes both mandatory access checks.
Discretionary access checks on the open(2) system call - The process needs discretionary search access to /export/home/heartyann, and discretionary read access to somefile. The permission bits for other on the directory path and somefile allow the required discretionary search and read access.
Mandatory access checks on the read(2) system call - The mandatory access checks were performed when somefile was opened. No other access checks are performed.
Discretionary access checks on the read(2) system call - The discretionary access checks were performed when somefile was opened. No other access checks are performed.
The Secret process opens somefile for writing in the Confidential /export/home/heartyann single-level directory, performs a write operation, and closes the file.
            /* Write somefile in the Confidential single-level directory. */
            filedes = open("/export/home/.MLD.heartyann/.SLD.1/somefile", O_WRONLY);
            if (filedes == -1) {
                    /* Fails both the MAC and the DAC write check unless the
                     * program has asserted file_mac_write and file_dac_write. */
                    perror("open somefile for writing");
            } else {
                    size = write(filedes, buffer, 14);
                    if (size == -1)
                            perror("write somefile");
                    retval = close(filedes);
            }
Mandatory access checks on the open(2) system call - The process needs mandatory search access to /export/home/heartyann, and mandatory write access to somefile. The process running at Secret passes the mandatory search access check, but does not pass the mandatory write access check. For mandatory write access, somefile's sensitivity label must dominate the process sensitivity label, and it does not (Confidential does not dominate Secret). The process can assert the file_mac_write privilege to override this restriction; otherwise the program must report the error.
Discretionary access checks on the open(2) system call - The process needs discretionary search access to /export/home/heartyann, and discretionary write access to somefile. The permission bits for other on the directory path and somefile allow the discretionary search access, but do not allow the discretionary write access (other has read access only on somefile). The process can assert the file_dac_write privilege to override this restriction; otherwise the program must report the error.
Mandatory access checks on the write(2) system call - The mandatory access checks were performed when somefile was opened. No other access checks are performed.
Discretionary access checks on the write(2) system call - The discretionary access checks were performed when somefile was opened. No other access checks are performed.
The Secret process executes an executable file in the Confidential /export/home/heartyann single-level directory.
            /* Execute filetoexec in the Confidential single-level directory.
             * execv(2) only returns on failure. */
            retval = execv(file, argv);
            perror("execv filetoexec");
            return (1);
    }
Mandatory access checks on the execv(2) system call - The process needs mandatory search access to /export/home/heartyann, and mandatory read access to filetoexec (the path held in file). Mandatory read access to a file is needed to execute the file. The process running at Secret passes both of these mandatory access checks.
Discretionary access checks on the execv(2) system call - The process needs discretionary search access to /export/home/heartyann, and discretionary execute access to filetoexec. The permission bits for other on the directory path and on filetoexec allow discretionary search and execute access.
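The three walkthroughs above (open for reading, open for writing, execv) can be checked against a small model of the path walk. The following is an added example written for this page, not code from Trusted Solaris or from the original document: it treats a sensitivity label as a single classification (real labels also carry compartments, so dominance is a partial order rather than >=), invents uid/gid values so that the process falls into the "other" class on every object, assumes /export is ADMIN_LOW like /export/home, and uses the hypothetical bits PRIV_FILE_MAC_WRITE and PRIV_FILE_DAC_WRITE as stand-ins for asserting file_mac_write and file_dac_write.

```c
/*
 * Added example, not Trusted Solaris code: a user-space model of the MAC
 * and DAC checks open(2) and execv(2) apply along the path to somefile and
 * filetoexec.  Single-classification labels, made-up uid/gid values, and
 * hypothetical privilege bits in place of file_mac_write/file_dac_write.
 */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

typedef enum { ADMIN_LOW, CONFIDENTIAL, SECRET, TOP_SECRET } label_t;

#define ACC_READ  4
#define ACC_WRITE 2
#define ACC_EXEC  1      /* search on a directory, execute on a file */
#define FAIL_MAC  1
#define FAIL_DAC  2
#define PRIV_FILE_MAC_WRITE 1   /* hypothetical privilege bits */
#define PRIV_FILE_DAC_WRITE 2

struct object { const char *name; label_t sl; mode_t mode; uid_t uid; gid_t gid; };
struct proc   { label_t sl; uid_t uid; gid_t gid; unsigned privs; };
static int dominates(label_t a, label_t b) { return a >= b; }

/* MAC: read, search and execute need the process label to dominate the
 * object's; write needs the object's label to dominate the process's. */
static int mac_check(const struct proc *p, const struct object *o, int acc)
{
    if ((acc & (ACC_READ | ACC_EXEC)) && !dominates(p->sl, o->sl))
        return 0;
    if ((acc & ACC_WRITE) && !dominates(o->sl, p->sl) &&
        !(p->privs & PRIV_FILE_MAC_WRITE))
        return 0;
    return 1;
}

/* DAC: select the owner, group or other triplet, then compare. */
static int dac_check(const struct proc *p, const struct object *o, int acc)
{
    unsigned bits;
    if (p->uid == o->uid)      bits = (o->mode >> 6) & 7;
    else if (p->gid == o->gid) bits = (o->mode >> 3) & 7;
    else                       bits = o->mode & 7;
    if ((acc & ACC_WRITE) && (p->privs & PRIV_FILE_DAC_WRITE))
        bits |= ACC_WRITE;     /* file_dac_write supplies the missing w bit */
    return (bits & (unsigned)acc) == (unsigned)acc;
}

/* Search access on every directory, then the requested access on the leaf.
 * Both checks run on every component so every failure is reported.
 * Returns 0 on success or a mask of FAIL_MAC / FAIL_DAC. */
static int access_path(const struct proc *p, const struct object *path, int n,
                       int leaf_mac, int leaf_dac)
{
    int fail = 0, i;
    for (i = 0; i < n; i++) {
        int mac = (i == n - 1) ? leaf_mac : ACC_EXEC;
        int dac = (i == n - 1) ? leaf_dac : ACC_EXEC;
        if (!mac_check(p, &path[i], mac)) fail |= FAIL_MAC;
        if (!dac_check(p, &path[i], dac)) fail |= FAIL_DAC;
    }
    return fail;
}

/* Objects from the text; /export assumed ADMIN_LOW like /export/home. */
static const struct object DIRS[] = {
    { "/export",      ADMIN_LOW,    0775, 1001, 100 },
    { "/export/home", ADMIN_LOW,    0755, 1001, 100 },
    { "heartyann",    CONFIDENTIAL, 0775, 1001, 100 },
};
static const struct object SOMEFILE   = { "somefile",   CONFIDENTIAL, 0644, 1001, 100 };
static const struct object FILETOEXEC = { "filetoexec", CONFIDENTIAL, 0755, 1001, 100 };
/* Secret process, neither owner nor group member: "other" bits apply. */
static const struct proc SECRET_PROC = { SECRET, 2002, 200, 0 };

static int run(const struct proc *p, const struct object *leaf, int mac, int dac)
{
    struct object path[4];
    memcpy(path, DIRS, sizeof DIRS);
    path[3] = *leaf;
    return access_path(p, path, 4, mac, dac);
}

int open_read_somefile(void)  { return run(&SECRET_PROC, &SOMEFILE, ACC_READ, ACC_READ); }
int open_write_somefile(void) { return run(&SECRET_PROC, &SOMEFILE, ACC_WRITE, ACC_WRITE); }
int exec_filetoexec(void)     { return run(&SECRET_PROC, &FILETOEXEC, ACC_READ, ACC_EXEC); }
int open_write_with_privs(void)
{
    struct proc p = SECRET_PROC;
    p.privs = PRIV_FILE_MAC_WRITE | PRIV_FILE_DAC_WRITE;
    return run(&p, &SOMEFILE, ACC_WRITE, ACC_WRITE);
}

int main(void)
{
    printf("O_RDONLY somefile %d, O_WRONLY somefile %d, execv filetoexec %d, "
           "O_WRONLY with privileges %d\n", open_read_somefile(),
           open_write_somefile(), exec_filetoexec(), open_write_with_privs());
    return 0;
}
```

The read and execv cases return 0 because Secret dominates Confidential on every component and the other-class bits grant search, read and execute. The write case returns FAIL_MAC | FAIL_DAC: Confidential does not dominate Secret, and other has no w bit on somefile. Only when both privilege bits are set does the write case return 0, which matches the text's point that a privileged program has to override both checks, not just one.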