

API extensions

Figure 17 shows the new Linux socket system calls that must be added for security-aware applications. The getsockname_secure, getpeername_secure, accept_secure, recvfrom_secure, and recvmsg_secure calls permit applications to obtain the SIDs of local and peer sockets and the SIDs of messages. The socket_secure and listen_secure calls permit applications to specify a particular SID to use when a new socket is created. The listen_secure call also permits applications to specify that server sockets created by a connection should be labeled with the SID of the client socket. The sendto_secure and sendmsg_secure calls permit applications to specify a particular SID to use for a message.

The connect_secure, sendto_secure, and sendmsg_secure calls also permit applications to specify a desired SID for the peer socket. For connection requests and outbound datagrams, this restriction can only be enforced by the destination node. However, a destination node may not be capable of enforcing the restriction or it may not be trusted to enforce the restriction. Consequently, the source node performs an enforce_dest permission check between the desired SID and the destination node SID. This check is not necessary for AF_UNIX sockets, since the communication is local.

Figure 17: New Linux socket system calls for security-aware applications.

When used with stream sockets, connect_secure specifies the desired SID of the listening socket. The SID of the server socket created by the connection may differ from this SID since the server application may have used listen_secure. If a client wishes to ensure that the server socket has a particular SID prior to sending data, then it may obtain the SID using getpeername_secure. Alternatively, a client may specify the desired server socket SID with sendto_secure. In this case, since the server socket SID was obtained by the client node during connection establishment, the client node may check the desired SID against it.
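The two source-side checks described above (a direct comparison against the server socket SID recorded at connection establishment when the socket is connected, versus the enforce_dest check when an unconnected remote destination must be trusted to enforce the desired SID, with AF_UNIX exempt) modelled in C. This is an added illustration, not code from the report; the SID values, the enforce_dest rule table and the struct/function names are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/socket.h>   /* AF_UNIX, AF_INET */

/* Hypothetical Flask security identifiers (constructed values, not from the report). */
typedef unsigned int security_id_t;
enum { SID_SERVER_SOCK = 10, SID_OTHER_SOCK = 11, SID_NODE_TRUSTED = 20, SID_NODE_UNTRUSTED = 21 };

/* What the source node knows about one of its own sockets (assumed layout). */
struct sock_state {
    int family;                    /* AF_UNIX or AF_INET */
    bool connected;                /* stream socket with an established connection */
    security_id_t peer_sock_sid;   /* server socket SID learned at connection establishment */
    security_id_t dest_node_sid;   /* SID of the destination node (AF_INET only) */
};

enum verdict { ALLOW, DENY_PEER_SID_MISMATCH, DENY_ENFORCE_DEST };

/* Constructed policy: (desired peer SID, node SID) pairs granted enforce_dest,
 * i.e. destination nodes trusted to enforce that peer SID on the source's behalf. */
static const struct { security_id_t peer_sid, node_sid; } enforce_dest_rules[] = {
    { SID_SERVER_SOCK, SID_NODE_TRUSTED },
};

static bool has_enforce_dest(security_id_t desired, security_id_t node)
{
    for (size_t i = 0; i < sizeof enforce_dest_rules / sizeof enforce_dest_rules[0]; i++)
        if (enforce_dest_rules[i].peer_sid == desired && enforce_dest_rules[i].node_sid == node)
            return true;
    return false;
}

/* Source-side decision for a desired peer SID supplied with sendto_secure or
 * sendmsg_secure (or connect_secure on a not-yet-connected socket). */
enum verdict check_desired_peer_sid(const struct sock_state *s, security_id_t desired)
{
    /* Connected stream socket: the server socket SID is already known locally,
     * so the source node compares directly and needs no trust in the destination. */
    if (s->connected)
        return s->peer_sock_sid == desired ? ALLOW : DENY_PEER_SID_MISMATCH;
    /* AF_UNIX: the same kernel owns both endpoints and enforces the SID itself. */
    if (s->family == AF_UNIX)
        return ALLOW;
    /* Remote and unconnected: only the destination node can enforce the restriction,
     * so require enforce_dest between the desired SID and the destination node SID. */
    return has_enforce_dest(desired, s->dest_node_sid) ? ALLOW : DENY_ENFORCE_DEST;
}
```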

Since sockets are accessed through file descriptors, the fstat_secure call may also be used to obtain the SID of a socket. The fchsid call may be used to relabel UDP sockets, raw IP sockets, Unix datagram sockets, or Unix stream sockets. Relabeling of TCP sockets is not supported in the current design because there is no mechanism for synchronizing the change with the peer transport layer. The change might also need to be synchronized with the peer application, because the peer application may be relying on the socket SID provided by the extended socket calls. No mechanism is provided for such synchronization with the peer application for either TCP sockets or Unix stream sockets.

