Trusted Solaris Developer's Guide
Book Information
Preface
Chapter 1 Introduction to the API and Security Policy
Operating Environment Features
Data Objects
File System Objects
X11 Windows Objects
Process Objects
IPC Objects
Network Communication Endpoints
STREAMS Objects
Application Programming Interfaces
Privileges
User Authorizations
CMW Labels
Process Clearance
Multilevel Directories
Application Auditing
User and Rights Profile Database Access
Interprocess Communications
Trusted X Window System
Application User Interface
Label Builder
System Security Configuration Settings
Security Attributes
File System Security Attributes and Flags
Process Security Attributes and Flags
Endpoint Communications Security Attributes
Trusted X Window System Security Attributes
Security Policy
Discretionary Access Policy
Mandatory Access Policy
Read Access
Write Access
When to Use Privileges
Administrative and User Applications
Policy Enforcement
File System Security Policy
Discretionary Access
Mandatory Access
File System Access Privileges
When Access Checks are Performed
File System Policy Examples
Sensitivity Labels
Open the File
Write to the File
Execute a File
Chapter 2 Getting Started
System Security Configuration and Attribute Information
Programming Interfaces
System Security Configuration
File System Security Attributes
File System Security Attribute Flags
Process Security Attribute Flags
Query System Security Configuration
Query File System Security Attributes
Get Attributes from Adjunct File
Get Attributes from inode
Manifest Constant Values
Manifest Constant Descriptions
Get and Set File System Security Attribute Flags
Get and Set Process Security Attribute Flags
Manifest Constant Values
Trusted Solaris Security Mechanisms
Privileges and Authorizations
CMW Labels and Clearances
Multilevel Directories
Application Auditing
User and Rights Profile Databases
Chapter 3 Privileges
Types of Privileges
Privilege Sets
File Privilege Sets
Allowed Set
Forced Set
Interpreted Files
Process Privilege Sets
Inheritable Set
Saved Set
Permitted Set
Effective Set
Change in User ID
Types of Privileged Applications
Privilege Names and Descriptions
Privileged Operations
Setting File Privilege Sets
Keeping File Privilege Sets on an Executable File
Core Files
Setting IDs
Privilege Guidelines
Use Privilege Bracketing
Avoid Shell Escapes
Avoid Command Line Execution
Eliminate Covert Channels
Data Types, Header Files, and Libraries
Single Privileges
Privilege Set Structure
File Privilege Sets
Process Privilege Sets
Operations on File and Process Sets
Privilege Macros
Interface Declarations
System Calls
File Sets
Process Sets
Library Routines
Process Privilege Sets
Binary and Text Privilege Translation
Privilege Description Text
Translating Privileges
Privilege ID to String
String to Privilege ID
Get Description Text for Privilege ID
Setting and Getting File Privilege Sets
Commands for File Sets
Programming Interfaces for File Sets
Turn Allowed Privileges Off
Assert Privileges in Privilege Set Structure
Contents of Privilege Sets
Bracketing Effective Privileges
Procedure for Bracketing Privileges
Clear Effective Set
Continue Application Code
Bracketing the Call
Bracketing in Example
Checking and Modifying Privileges
Check Permitted Privileges
Remove a Permitted Privilege
Check Saved Privileges
Clear and Set the Inheritable Set
Fork a Process
Parent Process Privilege Sets
System Call and Code
New Process Privilege Sets
Execute a File
Privilege Sets
System Call
New Process Privilege Sets
Set User ID
Chapter 4 Labels
CMW Label Description
Sensitivity Label
CMW Label Display
Acquiring CMW labels
Process CMW Label
Object CMW Label
Privileged Operations
Translating Binary Labels
Setting Process Labels
Downgrading and Upgrading Sensitivity Labels
Downgrading Sensitivity Labels
Upgrading Sensitivity Labels
Label Guidelines
Sensitivity Labels
Bypassing Mandatory Access Controls
Upgrading or Downgrading Sensitivity Labels
Creating a Process at Another Sensitivity Label
Data Types, Header Files, and Libraries
CMW label
Setting Flag
Sensitivity Label
Binary Levels
Type Compatibility
Range of Sensitivity Labels
Accreditation Range
Label Information
Banner Fields
Programming Interface Declarations
System Calls
File CMW Label
Process CMW Label
File System Label Range
Library Routines
CMW Label Initialization
CMW Label Portions
Sensitivity Label Initialization
Level Comparison
Label Types
Level Bounds
Label Encodings File
Valid Sensitivity Label
Accreditation range
Binary Translation
Binary and Hexadecimal Translation
Chapter 5 Label Code Examples
Retrieving Version String
Initialize Binary Labels and Check Types
Get Process CMW Label
Set SL Portion of Process CMW Label
Get File CMW Label
Set SL Portion of File CMW Label
File System Label Range
Test Range Before Changing File CMW Label
Test Range before Routing Data to Device
Test Label Relationships
Find Relationship Between Two Levels
Accessing CMW Label Portions
Finding Binary Level Bounds
Check Accreditation Range
Validating Labels
Getting Character-Coded Color Names
Label Encodings Information
Translating Labels
Binary and Text Label Translation
Binary to Text Label Translation Routines
CMW Labels
Sensitivity and Information Labels
Text to Binary and Hexadecimal Label Translation Routines
CMW Labels
Sensitivity and Information Labels
Code Examples
Binary and Hexadecimal Label Translation
Binary and Hexadecimal Label Translation Routines
Reentrant Binary and Hexadecimal Label Translation Routines
Printer Banner Information
Chapter 6 Process Clearance
Use of Process Clearance
Privileged Operations
Data Types, Header Files, and Libraries
Process Clearances
Binary Levels
Type Compatibility
Programming Interface Declarations
System Calls
Library Routines
Initialization
Comparisons
Clearance Type
Level Bounds
Valid Clearance
Binary and Text Translation
Binary and Hexadecimal Translation
Process Clearance Operations
Set Process Clearance
Initialize Clearance Structure
Find Relationships Between Two Levels
Find Greatest Level and Lowest Level
Valid Clearance
Translating Process Clearances
Binary and Text
Binary and Hexadecimal
Regular
Reentrant
Chapter 7 Multilevel Directories
Directory Structure
Temporary Directory
Symbolic Links
Adorned Names
Privileged Operations
Data Types, Header Files, and Libraries
Sensitivity Label
Status
Programming Interface Declarations
System Calls
Get SLD Name
Get MLD Adornment
Get Attribute Information for SLD or MLD
Get MLD Attribute Flags
Library Routines
Get Current Working Directory
Get Adorned Name
Find the Real Path Name
Query MLD and SLD Name
Using Path Names with Adornments
Open a File
Create a file
Chapter 8 Application Auditing
Third-Party User Activities
Privileged Operations
Header Files and Libraries
Declaration and Argument Types
Preliminary Setup for Code Examples
Audit File Setup
Audit Classes and Audit Events
Audit Control (Process Preselection Mask)
Viewing the Audit Trail Setup
Executable Code Setup
Creating an Audit Record
Making Invalid and Valid Calls
Invalid Call
Valid Call
Creating a Minimum Audit Record
Token Structure
Return Token
Queueing Audit Records
Specifying a Preselection Mask
Creating Audit Records in Parallel
Using the Save Area
Using the Server Area and Adding a Sensitivity Label
Argument Information
Command Line Arguments
Privilege Sets
Interprocess Communications Identifier
Chapter 9 Accessing User and Rights Profile Data
The User Databases
Accessing the User Databases
Working with User Data
Working with Rights Header Data
Working with Rights Profile Execution Data
Chapter 10 Interprocess Communications
Privileges and Communications
Unnamed Pipes
Named Pipes (FIFOs)
Pseudo-Terminal Devices (PTYs)
Signals
Process Tracing
Mapped Memory
System V IPC
Communication Endpoints
Multilevel Ports
Sockets and TLI
UNIX Address Family
Internet Address Family
TSIX
RPC
Chapter 11 System V Interprocess Communication
Privileged Operations
Discretionary Access and Ownership Controls
Mandatory Access Controls
Data Types, Header Files, and Libraries
Labels
Programming Interface Declarations
Message Queues
Semaphore Sets
Shared Memory Regions
Using Shared Memory Labels
Chapter 12 Trusted Security Information Exchange Library
Security Attributes
Privileged Operations
Replying with Same Sensitivity Label
Changing Sensitivity Label
Changing Security Attribute Information
Sensitivity Labels
Process Clearance
User and Group IDs
Privileges
Data Types, Header Files, and Libraries
Attribute Structure
Attribute Enumerations
Attribute Mask
Programming Interface Declarations
Get Attribute Masks
Allocate and Free Space
Send and Receive Data
Get and Set Security Attributes
Examine Security Attributes
Get the Size of One Security Attribute
Copy and Duplicate Security Attributes
Compare Security Attributes
Clear Security Attributes
Get and Set Endpoint Attributes
Turn Extended Security Operations On and Off
Getting and Setting Security Attributes
Security Attributes on Messages
Security Attributes on Communication Endpoints
Receiving and Retrieving Security Attributes
Examining Attributes
Getting Attribute Size
Copying and Duplicating Attribute Structures
Compare Attribute Structures
Clear Attribute Structure
Creating Attribute Masks
Free Space
Client-Server Application
TCP/IP Server
TCP/IP Client
Running the Programs
Chapter 13 Remote Procedure Calls
Mapping
Single-Level Mapping
Multilevel Mapping
Multilevel Ports
Security Attributes
Servers
Clients
Header Files and Libraries
Programming Interfaces
Client-Server Application
Header File
Client Program
Server Program
Remote Procedure
Running the Simple Application
Chapter 14 Trusted X Window System
X Windows Environment
Security Attributes
Security Policy
Root Window
Client Windows
Override-Redirect Windows
Keyboard, Pointer, and Server Control
Selection Manager
Default Resources
Moving Data Between Windows
Privileged Operations
Configuring and Destroying Resources
Input Devices
Direct Graphics Access
Downgrading labels
Upgrading Labels
Setting a Font Path
Data Types, Header Files, and Libraries
Object Type
Object Attributes
Property Attributes
Client Attributes
Setting Flag
CMW Label
Clearance
Programming Interface Declarations
Window Attributes
Property Attributes
Client Connection Attributes
Window CMW Label
Window User ID
Property CMW Label
Property User ID
Workstation Owner ID
X Window Server Clearance and Minimum Label
Trusted Path Window
Screen Stripe Height
Polyinstantiation Information
X11 Windows Label Clipping Interfaces
Example Motif Application
Getting Window Attributes
Translate Label with Font List
Getting a Window CMW Label
Setting a Window CMW Label
Getting the Window User ID
Getting the X Window Server Workstation Owner ID
Source Code
Resource File
Compile Command
Code
Changing Window Configuration
Chapter 15 Label Builder
Header Files and Libraries
Programming Interfaces
Creating an Interactive User Interface
Label Builder Behavior
Keyboard Entry
Selecting Options
Reset Pushbutton
Cancel Pushbutton
Application-Specific Functionality
Privileged Operations
Create Routine
Extended Operations
ModLabelData Structure
Online Help
Appendix A Programmer's Reference
Man Pages
Reading Man Pages
Making Shared Libraries Trusted
Header File Locations
Abbreviations in Names
Developing, Testing, and Debugging
Privilege Debugging
Assigning File Privileges using a Script
Releasing an Application
Creating a CDE Action
Creating a Software Package
Package Files
MAC Security Attributes
Description
Edit Existing Package
Add New Package
Create Required files
Create Optional Files and Scripts
Create the Package
Prototype File
Appendix B Trusted Solaris Interfaces Reference
System Security Configuration
File System Security Attributes and Flags
Process Security Attribute Flags
Privileges
Privilege Macros
Labels
File Systems
Label Encodings File
Reentrant Routines
Levels
Label Types
Sensitivity Labels
CMW Labels
Label Clipping Interfaces
Clearances
Application Auditing
Multilevel Directories
Database Access
System V IPC
Message Queues
Semaphore Sets
Shared Memory Regions
TSIX
RPC
Label Builder
X Window System
Trusted Streams
System Calls
Trusted Kernel Functions for Drivers
Library Routines
Index
A
B
C
D
E
F
G
H
I
L
M
N
O
P
R
S
T
U
V
W
X
© 2010, Oracle Corporation and/or its affiliates