Multilevel Operations
Write-down policy in the global zone
Default security attributes
Default network policy
Multilevel ports
MAC-exempt sockets
When you create an operation that runs at multiple security levels, you must consider the following issues:
Operations that run at multiple security levels are controlled by the global zone because only processes in the global zone can initiate processes at specified labels.
Write-Down Policy in the Global Zone
The ability of a subject, such as a process, to write an object whose label it dominates is referred to as writing down. The write-down policy in the global zone is specified administratively. Because global zone processes run at the ADMIN_HIGH label, certain file systems that are associated with other labels can be mounted read-write in the global zone. However, these special file system mounts must be administratively specified in automount maps, and they must be mounted by the global zone automounter. These mounts must have mount points within the zone path of the zone that has the same label as the exported file system. However, these mount points must not be visible from within the labeled zone.
For example, if the PUBLIC zone has a zone path of /zone/public, a writable mount point of /zone/public/home/mydir is permitted. However, a writable mount point of /zone/public/root/home/mydir is not permitted because it can be accessed by the labeled zone and not by the global zone. No cross-zone NFS mounts are permitted, which means that the NFS-mounted files can only be accessed by processes that run in the zone that mounted the file system. Global zone processes can write down to such files, subject to the standard discretionary access control (DAC) policy.
Local file systems associated with zones are protected from access by global zone processes by DAC, which uses file permissions and access control lists (ACLs). The parent directory of each zone's root (/) directory is only accessible by root processes or by processes that assert the file_dac_search privilege.
In general, the ability to write down from the global zone is restricted. Typically, writing down is used only when a file is reclassified by using the setflabel() interface or when privileged users drag and drop files between File Browser applications in different zones.
Default Security Attributes
Default security attributes are assigned to messages that arrive on Trusted Extensions hosts from other host types. The attributes are assigned according to settings in the network database files. For information about host types, their supported security attributes, and network database file defaults, see Trusted Extensions Configuration and Administration .
Default Network Policy
For network operations that send or receive data, the default policy is that the local process and the remote peer must have the same label. This policy applies to all zones, including the global zone, whose network label is ADMIN_LOW. However, the default network policy is more flexible than the policy for mounting file systems. Trusted Extensions provides administrative interfaces and programmatic interfaces for overriding the default network policy. For example, a system administrator can create an MLP in the global zone or in a labeled zone to enable listening at different labels.
Multilevel Ports
 | Caution - Use extreme caution when using a multilevel port to violate MAC policy. When you must use this mechanism, ensure that your server application enforces MAC policy. |
Multilevel ports (MLPs) are listed in the tnzonecfg administrative database. Processes within the zone can bind to MLPs if these processes assert the net_bindmlp privilege. If the port number is less than 1024, the net_privaddr privilege must also be asserted. Such bindings allow a process to accept connections at all labels that are associated with the IP addresses to which the process is bound. The labels that are associated with a network interface are specified in the tnrhdb database and the tnrhtp database. The labels can be specified by a range, by a set of explicit enumerated labels, or by a combination of both.
When a privileged process that is bound to an MLP receives a TCP request, the reply is automatically sent with the label of the requester. For UDP datagrams, the reply is sent with the label that is specified by the SO_RECVUCRED option.
The privileged process can implement a more restrictive MAC policy by comparing the label of the request to other parameters. For example, a web server could compare the label of the requesting process with the label of the file specified in the URL. The remote label can be determined by using the getpeerucred() function, which returns the credentials of the remote peer. If the peer is running in a zone on the same host, the ucred_get() library routine returns a full set of credentials. Regardless of whether the peer is local or remote, the label of the peer is accessible from the ucred data structure by using the ucred_getlabel() function. This label can be compared with other labels by using functions such as bldominates().
A zone can have single-level ports and multilevel ports. See Multilevel Port Information.
MAC-Exempt Sockets
The Trusted Extensions software provides an explicit socket option, SO_MAC_EXEMPT, to specify that the socket can be used to communicate with an endpoint at a lower label.
| Caution - The SO_MAC_EXEMPT socket option must never be used unintentionally. Use extreme caution when using this socket option to disable MAC policy. When you must use this mechanism, ensure that your client application enforces MAC policy. |
To explicitly set the socket option, a process must assert the net_mac_aware privilege.
To further restrict the use of this socket option, the net_mac_aware privilege can be removed from the limit set for ordinary users.
The Trusted Extensions software restricts the use of the SO_MAC_EXEMPT option in these ways:
See the user_attr(4) man page for details.
Sometimes, explicitly setting the socket option is not practical, such as when the socket is managed by a library. In such circumstances, the socket option can be set implicitly. The setpflags() system call enables you to set the NET_MAC_AWARE process flag. Setting this process flag also requires the net_mac_aware privilege. All sockets that are opened while the process flag is enabled automatically have the SO_MAC_EXEMPT socket option set. See the setpflags(2) and getpflags(2) man pages.
For applications that cannot be modified or recompiled, use the ppriv -M command to pass the net_mac_aware process flag to the application. In this case, all sockets that are opened by the application have the SO_MAC_EXEMPT option set. However, child processes of the application do not have this process flag or the related privilege.
Whenever you can, scrutinize and modify the source code of an application when you need to use the SO_MAC_EXEMPT socket option. If you cannot make such modifications to the code or if a safer method is not available to you, you may use the ppriv -M command.
The SO_MAC_EXEMPT socket option has been used sparingly by the Oracle Solaris OS. This option has been used by the NFS client. An NFS client might need to communicate with an NFS server that runs at a different label on an untrusted operating system. The NFS client enforces MAC policy to ensure that inappropriate requests are not granted.
In the Oracle Solaris OS, both the NFS server and client code include and enforce MAC policy so that communications between the Oracle Solaris client or server and an untrusted client or server has MAC policy enabled. To enable an untrusted host to communicate with a system that runs Trusted Extensions, the untrusted host must have an entry in the tnrhdb database. For more information, see Labeling Hosts and Networks in Trusted Extensions Configuration and Administration .