Solaris Trusted Extensions Developer's Guide
Previous Next

Document Information

Preface

1.  Solaris Trusted Extensions APIs and Security Policy

Understanding Labels

Trusted Extensions APIs

Trusted Extensions Security Policy

2.  Labels and Clearances

3.  Label Code Examples

4.  Printing and the Label APIs

5.  Interprocess Communications

6.  Trusted X Window System

7.  Label Builder APIs

8.  Trusted Web Guard Prototype

9.  Experimental Java Bindings for the Solaris Trusted Extensions Label APIs

A.  Programmer's Reference

B.  Solaris Trusted Extensions API Reference

Index

Trusted Extensions APIs

This section introduces the three Trusted Extensions APIs that are described in this book:

  • Label APIs

  • Trusted X Window System APIs

  • Label Builder APIs

In addition to these Trusted Extensions APIs, you can use the security APIs that are available with the Solaris OS. An application that runs on Trusted Extensions might require the manipulation of other security attributes. For example, the user and profile databases contain information about users, roles, authorizations, and profiles. These databases can restrict who can run a program. Privileges are coded into various Solaris programs and can also be coded into third-party applications.

For more information about these Solaris OS security APIs, see Developing Privileged Applications, in Solaris Security for Developers Guide.

The Solaris OS provides discretionary access control (DAC), in which the owner of the data determines who is permitted access to the data. The Trusted Extensions software provides additional access control, which is called mandatory access control (MAC). In MAC, ordinary users cannot specify or override the security policy. The security administrator sets the security policy.

Applications use Trusted Extensions APIs to obtain labels for hosts, zones, users, and roles. Where the security policy permits, the APIs enable you to set labels on user processes or on role processes. Setting a label on a zone or on a host is an administrative procedure, not a programmatic procedure.

You can write applications to customize window labels. The Trusted Extensions software provides Motif based programming interfaces for adding a basic label-building user interface to an application. The label-building interface enables a user to interactively build valid sensitivity labels and valid clearances.

The label APIs operate on opaque labels. In an opaque label, the internal structure of the label is not exposed. Using an opaque label enables existing programs that are created with the APIs to function even if the internal structure of the label changes. For example, you cannot use the label APIs to locate particular bits in a label. The label APIs enable you to obtain labels and to set labels. You can only set labels if you are permitted to do so by the security policy.

Label APIs

Labels, label ranges, and a label limit determine who can access information on a system that is configured with Trusted Extensions.

The label APIs are used to access, convert, and perform comparisons for labels, label ranges and limits, and the relationship between labels. A label can dominate another label, or a label can be disjoint from another label.

The label_encodings file defines the sensitivity labels, clearance labels, label ranges, and label relationships that pertain to your Trusted Extensions environment. This file also controls the appearance of labels. The security administrator is responsible for creating and maintaining the label_encodings file. See the label_encodings(4) man page.

The label of a process is determined by the zone in which the process executes.

All objects are associated with a label or sometimes with a label range. An object can be accessed at a particular label within the defined label range. The objects that are associated with a label range include the following:

  • All users and all roles

  • All hosts with which communications are permitted

  • Zone interfaces and network interfaces

  • Allocatable devices, such as tape drives, diskette drives, CD-ROM devices, and audio devices

  • Other devices that are not allocatable, such as printers and workstations

    Workstation access is controlled by the label range that is set for the frame buffer or video display device. The security administrator sets this range by using the Device Manager GUI. By default, devices have a range from ADMIN_LOW to ADMIN_HIGH.

For more information about labels, see Label Types.

How Labels Are Used in Access Control Decisions

MAC compares the label of the process that is running an application with the label or the label range of any object that the process tries to access. MAC permits a process to read down to a lower label and permits a process to write to an equal label.

Label[Process] >= Label[Object]

A process bound to a multilevel port (MLP) can listen for requests at multiple labels and send replies to the originator of the request. In Trusted Extensions, such replies are write-equal.

Label[Process] = Label[Object]
Types of Label APIs
Sensitivity Label APIs

Sensitivity label APIs can be used to do the following:

  • Obtain a process label

  • Initialize labels

  • Find the greatest lower bound or the least upper bound between two labels

  • Compare labels for dominance and equality

  • Check and set label types

  • Convert labels to a readable format

  • Obtain information from the label_encodings file

  • Check that a sensitivity label is valid and within the system range

For a description of these APIs, see Chapter 2, Labels and Clearances.

Clearance Label APIs

Users, devices, and network interfaces have label ranges. The upper bound of the range is effectively the clearance. If the upper bound of the range and the lower bound of the range are equal, the range is a single label.

Clearance label APIs can be used to do the following:

  • Find the greatest lower bound or the least upper bound between two labels

  • Compare labels for dominance and equality

  • Convert clearances between the internal format and the hexadecimal format

For a description of these APIs, see Chapter 2, Labels and Clearances.

Label Range APIs

A label range is used to set limits on the following:

  • The labels at which hosts can send and receive information

  • The labels at which processes acting on behalf of users and roles can work on the system

  • The labels at which users can allocate devices

    This use of a label range restricts the labels at which files can be written to storage media on these devices.

Label ranges are assigned administratively. Label ranges can apply to users, roles, hosts, zones, network interfaces, printers, and other objects.

You can use the following methods to obtain information about label ranges:

  • getuserrange() obtains the user's label range.

  • getdevicerange() obtains the label range of a device.

  • tninfo -t template-name shows the label range of a template that is associated with a network interface.

For a description of these APIs, see Chapter 2, Labels and Clearances.

Trusted X Window System APIs

The Trusted X Window System, Version 11, server starts at login. The server handles the workstation windowing system by using a trusted interprocess communication (IPC) path. Windows, properties, selections, and ToolTalkTM sessions are created at multiple sensitivity labels as separate and distinct objects. The creation of distinct objects at multiple sensitivity labels is called polyinstantiation. Applications that are created with Motif widgets, Xt Intrinsics, Xlib, and desktop interfaces run within the constraints of the security policy. These constraints are enforced by extensions to the X11 protocols.

Chapter 6, Trusted X Window System describes the programming interfaces that can access the security attribute information described in Trusted Extensions Security Policy. These programming interfaces can also be used to translate the labels and clearances to text. The text can be constrained by a specified width and font list for display in the Trusted X Window System.

The Trusted X Window System stores the following security attributes:

Audit ID

Trusted Path flag

Group ID

Trusted Path window

Internet address

User ID

Process ID

X Window Server owner ID

Sensitivity label

X Window Server clearance

Session ID

X Window Server minimum label

The Trusted Path flag identifies a window as a Trusted Path window. The Trusted Path window protects the system from being accessed by untrusted programs. This window is always the topmost window, such as the screen stripe or login window.

Appendix B, Solaris Trusted Extensions API Reference lists the extensions that you can use to create an X11 trusted IPC path.

Label Builder APIs

The Trusted Extensions software provides a label builder API that enables you to create a graphical user interface (GUI) for your application. The GUI takes user input and builds a valid label from that input.

A system that is configured with Solaris Trusted Extensions provides Motif based programming interfaces for adding a basic label-building user interface to an application. The label-building interface enables a user to interactively build valid sensitivity labels and valid clearances. For information about these programming interfaces, see Chapter 7, Label Builder APIs.
Previous Next