ссылаться на состояние ядра SELinux без вызова системных вызовов (reference the SELinux kernel status without invocation of system calls)
Имя (Name)
selinux_status_open, selinux_status_close,
selinux_status_updated, selinux_status_getenforce,
selinux_status_policyload and selinux_status_deny_unknown -
reference the SELinux kernel status without invocation of system
calls
Синопсис (Synopsis)
#include <selinux/avc.h>
int selinux_status_open(int fallback);
void selinux_status_close(void);
int selinux_status_updated(void);
int selinux_status_getenforce(void);
int selinux_status_policyload(void);
int selinux_status_deny_unknown(void);
Описание (Description)
Linux 2.6.37 or later provides a SELinux kernel status page;
being mostly placed on /sys/fs/selinux/status entry. It enables
userspace applications to mmap this page with read-only mode,
then it informs some status without system call invocations.
In some cases that a userspace application tries to apply heavy
frequent access control; such as row-level security in databases,
it will face unignorable cost to communicate with kernel space to
check invalidation of userspace avc.
These functions provides applications a way to know some kernel
events without system-call invocation or worker thread for
monitoring.
selinux_status_open() tries to open(2) /sys/fs/selinux/status and
mmap(2) it in read-only mode. The file-descriptor and pointer to
the page shall be stored internally; Don't touch them directly.
Set 1 on the fallback argument to handle a case of older kernels
without kernel status page support. In this case, this function
tries to open a netlink socket using avc_netlink_open(3) and
overwrite corresponding callbacks (setenforce and policyload).
Thus, we need to pay attention to the interaction with these
interfaces, when fallback mode is enabled.
selinux_status_close() unmap the kernel status page and close its
file descriptor, or close the netlink socket if fallbacked.
selinux_status_updated() processes status update events. There
are two kinds of status updates. setenforce events will change
the effective enforcing state used within the AVC, and policyload
events will result in a cache flush.
This function returns 0 if there have been no updates since the
last call, 1 if there have been updates since the last call, or
-1 on error.
selinux_status_getenforce() returns 0 if SELinux is running in
permissive mode, 1 if enforcing mode, or -1 on error. Same as
security_getenforce(3) except with or without system call
invocation.
selinux_status_policyload() returns times of policy reloaded on
the running system, or -1 on error. Note that it is not a
reliable value on fallback-mode until it receive the first event
message via netlink socket. Thus, don't use this value to know
actual times of policy reloaded.
selinux_status_deny_unknown() returns 0 if SELinux treats policy
queries on undefined object classes or permissions as being
allowed, 1 if such queries are denied, or -1 on error.
Also note that these interfaces are not thread-safe, so you have
to protect them from concurrent calls using exclusive locks when
multiple threads are performing.
Возвращаемое значение (Return value)
selinux_status_open() returns 0 or 1 on success. 1 means we are
ready to use these interfaces, but netlink socket was opened as
fallback instead of the kernel status page. On error, -1 shall
be returned.
Any other functions with a return value shall return its
characteristic value as described above, or -1 on errors.
Смотри также (See also)
mmap(2), avc_netlink_open(3), security_getenforce(3),
security_deny_unknown(3)
