1selinux_status_open(3)     SELinux API documentation    selinux_status_open(3)
2
3
4

NAME

6       selinux_status_open,    selinux_status_close,   selinux_status_updated,
7       selinux_status_getenforce, selinux_status_policyload  and  selinux_sta‐
8       tus_deny_unknown  - reference the SELinux kernel status without invoca‐
9       tion of system calls
10

SYNOPSIS

12       #include <selinux/avc.h>
13
14       int selinux_status_open(int fallback);
15
16       void selinux_status_close(void);
17
18       int selinux_status_updated(void);
19
20       int selinux_status_getenforce(void);
21
22       int selinux_status_policyload(void);
23
24       int selinux_status_deny_unknown(void);
25

DESCRIPTION

27       Linux 2.6.37 or later provides a  SELinux  kernel  status  page;  being
28       mostly  placed  on  /sys/fs/selinux/status  entry. It enables userspace
29       applications to mmap this page with read-only  mode,  then  it  informs
30       some status without system call invocations.
31
32       In  some  cases  that a userspace application tries to apply heavy fre‐
33       quent access control; such as row-level security in databases, it  will
34       face unignorable cost to communicate with kernel space to check invali‐
35       dation of userspace avc.
36
37       These functions provides applications a way to know some kernel  events
38       without system-call invocation or worker thread for monitoring.
39
40       selinux_status_open()   tries  to  open(2)  /sys/fs/selinux/status  and
41       mmap(2) it in read-only mode. The file-descriptor and  pointer  to  the
42       page  shall  be stored internally; Don't touch them directly.  Set 1 on
43       the fallback argument to handle a case of older kernels without  kernel
44       status  page  support.   In  this  case,  this function tries to open a
45       netlink socket using avc_netlink_open(3)  and  overwrite  corresponding
46       callbacks ( setenforce and policyload).  Thus, we need to pay attention
47       to the  interaction  with  these  interfaces,  when  fallback  mode  is
48       enabled.
49
50       selinux_status_close()  unmap the kernel status page and close its file
51       descriptor, or close the netlink socket if fallbacked.
52
53       selinux_status_updated() informs us whether something has been  updated
54       since  the last call.  It returns 0 if nothing was happened, however, 1
55       if something has been updated in this duration, or -1 on error.
56
57       selinux_status_getenforce() returns 0 if SELinux is running in  permis‐
58       sive  mode,  1  if  enforcing  mode,  or  -1  on  error.  Same as secu‐
59       rity_getenforce(3) except with or without system call invocation.
60
61       selinux_status_policyload() returns times of  policy  reloaded  on  the
62       running  system,  or -1 on error.  Note that it is not a reliable value
63       on fallback-mode until it receive the first event message  via  netlink
64       socket.   Thus,  don't  use  this  value to know actual times of policy
65       reloaded.
66
67       selinux_status_deny_unknown()  returns  0  if  SELinux  treats   policy
68       queries  on undefined object classes or permissions as being allowed, 1
69       if such queries are denied, or -1 on error.
70
71       Also note that these interfaces are not thread-safe,  so  you  have  to
72       protect  them from concurrent calls using exclusive locks when multiple
73       threads are performing.
74

RETURN VALUE

76       selinux_status_open() returns 0 or 1 on success. 1 means we  are  ready
77       to  use  these  interfaces,  but  netlink socket was opened as fallback
78       instead of the kernel status page.  On error, -1 shall be returned.
79
80       Any other functions with a return value shall return its characteristic
81       value as described above, or -1 on errors.
82

SEE ALSO

84       mmap(2), avc_netlink_open(3), security_getenforce(3),
85       security_deny_unknown(3)
86
87
88
89kaigai@ak.jp.nec.com            22 January 2011         selinux_status_open(3)
Impressum