selinux_status_open(3) SELinux API documentation selinux_status_open(3)

NAME
       selinux_status_open, selinux_status_close, selinux_status_updated,
       selinux_status_getenforce, selinux_status_policyload and
       selinux_status_deny_unknown - reference the SELinux kernel status
       without invocation of system calls

SYNOPSIS
       #include <selinux/avc.h>

       int selinux_status_open(int fallback);

       void selinux_status_close(void);

       int selinux_status_updated(void);

       int selinux_status_getenforce(void);

       int selinux_status_policyload(void);

       int selinux_status_deny_unknown(void);

DESCRIPTION
       Linux 2.6.37 or later provides an SELinux kernel status page, normally
       exposed as the /sys/fs/selinux/status entry. Userspace applications
       can mmap(2) this page read-only and then read certain status
       information from it without invoking system calls.

       A userspace application that performs access control at high
       frequency, such as row-level security in a database, would otherwise
       pay a non-negligible cost communicating with the kernel to check
       whether its userspace AVC has been invalidated.

       These functions give applications a way to learn about such kernel
       events without system-call invocation or a worker thread for
       monitoring.
39
       selinux_status_open() tries to open(2) /sys/fs/selinux/status and
       mmap(2) it in read-only mode. The file descriptor and the pointer to
       the page are stored internally; don't touch them directly. Set the
       fallback argument to 1 to handle older kernels without kernel status
       page support. In that case the function instead tries to open a
       netlink socket using avc_netlink_open(3) and overrides the
       corresponding callbacks (setenforce and policyload). Pay attention to
       the interaction with those interfaces when fallback mode is enabled.

       selinux_status_close() unmaps the kernel status page and closes its
       file descriptor, or closes the netlink socket if fallback mode is in
       use.
52
       selinux_status_updated() processes status update events. There are
       two kinds of status updates: setenforce events change the effective
       enforcing state used within the AVC, and policyload events result in
       a cache flush.

       This function returns 0 if there have been no updates since the last
       call, 1 if there have been updates since the last call, or -1 on
       error.
60
       selinux_status_getenforce() returns 0 if SELinux is running in
       permissive mode, 1 if in enforcing mode, or -1 on error. It is the
       same as security_getenforce(3) except that it does not require a
       system call.

       selinux_status_policyload() returns the number of times the policy
       has been reloaded on the running system, or -1 on error. Note that in
       fallback mode this value is not reliable until the first event
       message has been received via the netlink socket, so don't rely on
       it to learn the actual number of policy reloads.
70
       selinux_status_deny_unknown() returns 0 if SELinux treats policy
       queries on undefined object classes or permissions as allowed, 1 if
       such queries are denied, or -1 on error.

       Also note that these interfaces are not thread-safe; protect them
       with an exclusive lock when calling them from multiple threads.
78
RETURN VALUE
       selinux_status_open() returns 0 or 1 on success: 1 means the
       interfaces are ready to use, but a netlink socket was opened as a
       fallback instead of the kernel status page. On error, -1 is
       returned.

       All other functions with a return value return the characteristic
       value described above, or -1 on error.
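       The following is an example added to this page, not code from the
       man page or from libselinux. It wraps the selinux_status_* interface
       in a small tracker that a userspace AVC would consult before each
       access check: it opens with fallback=1, records whether the netlink
       fallback (return value 1) was used, serializes all calls behind a
       mutex, applies setenforce events to a cached enforcing flag, flushes
       the application's cache when the policyload counter changes, and
       treats that counter as untrusted in fallback mode until the first
       netlink event arrives. The struct status_source indirection and the
       simulated kernel status are assumptions made for this example so it
       runs without a kernel; build with -DHAVE_LIBSELINUX -lselinux and pass
       libselinux_source to bind the tracker to the real functions.

```c
/* Added example, not code from the man page or libselinux: a status tracker
 * for a userspace AVC, fed through a table of function pointers (hypothetical
 * indirection) so it can run here against a simulated kernel status. */
#include <pthread.h>
#include <stdio.h>
#ifdef HAVE_LIBSELINUX
#include <selinux/avc.h>
#endif

struct status_source {
    int  (*open)(int fallback);
    void (*close)(void);
    int  (*updated)(void);
    int  (*getenforce)(void);
    int  (*policyload)(void);
};

struct status_tracker {
    pthread_mutex_t lock;         /* the interfaces are not thread-safe: serialize */
    const struct status_source *src;
    int fallback;                 /* 1 if netlink was opened instead of the page */
    int policyload_trusted;       /* fallback counter is unreliable until first event */
    int enforcing;                /* cached effective enforcing flag */
    int policyload;               /* last policy reload count seen */
    unsigned long cache_flushes;  /* stands in for flushing the application's AVC */
};

/* Open with fallback=1 so older kernels without the status page still work. */
int tracker_open(struct status_tracker *t, const struct status_source *src)
{
    int rc = src->open(1);
    if (rc < 0)
        return -1;
    pthread_mutex_init(&t->lock, NULL);
    t->src = src;
    t->fallback = rc;                  /* 0: mmap'd page, 1: netlink fallback */
    t->policyload_trusted = (rc == 0); /* only the mmap'd counter is reliable at once */
    t->enforcing = src->getenforce();
    t->policyload = src->policyload();
    t->cache_flushes = 0;
    return t->enforcing < 0 ? -1 : 0;
}

/* Call before each access decision: consume pending events, apply setenforce
 * changes, flush on policy reload. Returns 0 (permissive), 1 (enforcing) or -1. */
int tracker_refresh(struct status_tracker *t)
{
    int rc;
    pthread_mutex_lock(&t->lock);
    rc = t->src->updated();
    if (rc == 1) {
        int enforcing = t->src->getenforce();
        int load = t->src->policyload();
        if (enforcing >= 0)
            t->enforcing = enforcing;
        if (t->fallback && !t->policyload_trusted) {
            /* First netlink event: the counter is meaningful from now on, but a
             * reload may already have happened unseen, so flush once to be safe. */
            t->policyload_trusted = 1;
            t->policyload = load;
            t->cache_flushes++;
        } else if (load != t->policyload) {
            t->policyload = load;
            t->cache_flushes++;
        }
    }
    rc = (rc < 0) ? -1 : t->enforcing;
    pthread_mutex_unlock(&t->lock);
    return rc;
}

void tracker_close(struct status_tracker *t)
{
    t->src->close();
    pthread_mutex_destroy(&t->lock);
}

#ifdef HAVE_LIBSELINUX
const struct status_source libselinux_source = {
    selinux_status_open, selinux_status_close, selinux_status_updated,
    selinux_status_getenforce, selinux_status_policyload };
#endif

/* Simulated kernel status, constructed for this example (no real kernel state).
 * sim_fallback=1 emulates an old kernel: open fails unless fallback is requested. */
static int sim_fallback = 0, sim_enforcing = 1, sim_loads = 0, sim_pending = 0;
static int  sim_open(int fallback) { return sim_fallback ? (fallback ? 1 : -1) : 0; }
static void sim_close(void) { sim_pending = 0; }
static int  sim_updated(void) { int p = sim_pending; sim_pending = 0; return p; }
static int  sim_getenforce(void) { return sim_enforcing; }
static int  sim_get_policyload(void) { return sim_loads; }
void sim_setenforce(int on) { sim_enforcing = on; sim_pending = 1; } /* setenforce event */
void sim_reload_policy(void) { sim_loads++; sim_pending = 1; }       /* policyload event */
void sim_use_fallback(int on) { sim_fallback = on; }
const struct status_source sim_source = {
    sim_open, sim_close, sim_updated, sim_getenforce, sim_get_policyload };

int main(void)
{
    struct status_tracker t;
    int enf;
    if (tracker_open(&t, &sim_source) < 0) return 1;
    sim_setenforce(0);   enf = tracker_refresh(&t);
    printf("after setenforce 0: enforcing=%d flushes=%lu\n", enf, t.cache_flushes);
    sim_reload_policy(); enf = tracker_refresh(&t);
    printf("after policy reload: enforcing=%d flushes=%lu\n", enf, t.cache_flushes);
    tracker_close(&t);
    return 0;
}
```

       The split between setenforce and policyload handling mirrors the
       two event kinds described above: a setenforce event only changes
       the cached enforcing flag, while only a change in the reload count
       discards cached decisions. The extra flush on the first fallback
       event is the price of the unreliable counter in netlink mode.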
86
SEE ALSO
       mmap(2), avc_netlink_open(3), security_getenforce(3),
       security_deny_unknown(3)



kaigai@ak.jp.nec.com 22 January 2011 selinux_status_open(3)