Multilevel Port Information
A system that is configured with Solaris Trusted Extensions supports single-level and multilevel ports. These ports are used to create connections between applications. A multilevel port can receive data within the range of sensitivity labels that is defined for that port. A single-level port can receive data at a designated sensitivity label only.
Single-level port – A communication channel is established between two unprivileged applications. The sensitivity labels of the two communication endpoints must be equal.
Multilevel port – A communication channel is established between an application with the net_bindmlp privilege in its effective set and any number of unprivileged applications that run at different sensitivity labels. The application with the net_bindmlp privilege in the effective set of its process can receive data from all of those applications, regardless of the sensitivity label of the application that sent it.
A multilevel port is a server-side mechanism to establish a connection between two Trusted Extensions applications that are running at different labels. If you want a Trusted Extensions client application to communicate with a service that runs on an untrusted operating system at a different label, you might be able to use the SO_MAC_EXEMPT socket option. For more information, see MAC-Exempt Sockets.
Caution - If a connection is multilevel, ensure that the application does not make a connection at one sensitivity label, and then send or receive data at another sensitivity label. Such a configuration would cause data to reach an unauthorized destination.
The Trusted Network library provides an interface to retrieve the label of a packet; programmatic manipulation of network packets is neither needed nor possible. Specifically, you cannot change the security attributes of a message before it is sent, and you cannot change the security attributes of the communication endpoint over which the message is sent. What you can do is read the label of a packet, just as you read other security information about a packet.
The ucred_getlabel() function retrieves the label from a user credential (ucred_t). For a connected socket, the peer's credential, including its sensitivity label, is obtained with getpeerucred().
If your application requires the use of a multilevel port, that port cannot be created programmatically. Rather, you must ask the system administrator to create a multilevel port for the application in the zone's trusted network configuration (for example, with txzonemgr). The administrator can confirm the result with tninfo -m zone-name, which lists the multilevel ports of that zone.
For more information about multilevel ports, see the following: