NAME
avc_add_callback - additional event notification for SELinux userspace object managers

SYNOPSIS
#include <selinux/selinux.h>
#include <selinux/avc.h>

int avc_add_callback(int (*callback)(uint32_t event, security_id_t ssid,
                                     security_id_t tsid, security_class_t tclass,
                                     access_vector_t perms,
                                     access_vector_t *out_retained),
                     uint32_t events, security_id_t ssid,
                     security_id_t tsid, security_class_t tclass,
                     access_vector_t perms);
DESCRIPTION
avc_add_callback() is used to register callback functions on security events. The purpose of this functionality is to allow userspace object managers to take additional action when a policy change, usually a policy reload, causes permissions to be granted or revoked.

SECURITY EVENTS
In all cases below, ssid and/or tsid may be set to SECSID_WILD, indicating that the change applies to all source and/or target SIDs. Unless otherwise indicated, the out_retained parameter is unused.

AVC_CALLBACK_GRANT
    Previously denied permissions are now granted for ssid, tsid with respect to tclass. perms indicates the permissions to grant.

AVC_CALLBACK_TRY_REVOKE
    Previously granted permissions are now conditionally revoked for ssid, tsid with respect to tclass. perms indicates the permissions to revoke. The callback should set out_retained to the subset of perms which are retained as migrated permissions. Note that out_retained is ignored if the callback returns -1.

AVC_CALLBACK_REVOKE
    Previously granted permissions are now unconditionally revoked for ssid, tsid with respect to tclass. perms indicates the permissions to revoke.

AVC_CALLBACK_RESET
    Indicates that the cache was flushed. The SID, class, and permission arguments are unused and are set to NULL.

AVC_CALLBACK_AUDITALLOW_ENABLE
    The permissions given by perms should now be audited when granted for ssid, tsid with respect to tclass.

AVC_CALLBACK_AUDITALLOW_DISABLE
    The permissions given by perms should no longer be audited when granted for ssid, tsid with respect to tclass.

AVC_CALLBACK_AUDITDENY_ENABLE
    The permissions given by perms should now be audited when denied for ssid, tsid with respect to tclass.

AVC_CALLBACK_AUDITDENY_DISABLE
    The permissions given by perms should no longer be audited when denied for ssid, tsid with respect to tclass.
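As an added illustration, not part of this man page or of libselinux, here is a callback of the shape avc_add_callback() expects for a small object manager that remembers which permissions it has already granted on its open objects. The type and AVC_CALLBACK_* definitions are local stand-ins assumed to mirror <selinux/avc.h> so the code builds without libselinux, and the SIDs and object table are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>

/* Stand-ins so this builds offline (assumption: they mirror <selinux/avc.h>); a real
 * object manager includes that header and hands om_avc_callback() to avc_add_callback(). */
typedef struct security_id { char *ctx; unsigned int refcnt; } *security_id_t;
typedef uint16_t security_class_t; typedef uint32_t access_vector_t;
#define SECSID_WILD ((security_id_t)NULL)
enum { AVC_CALLBACK_GRANT = 1, AVC_CALLBACK_TRY_REVOKE = 2,
       AVC_CALLBACK_REVOKE = 4, AVC_CALLBACK_RESET = 8 };

/* Constructed: the object manager's open objects with the permissions already
 * granted on each (think open file descriptors), plus two sample SIDs. */
struct open_obj { security_id_t ssid, tsid; security_class_t tclass; access_vector_t granted; };
static struct open_obj objs[8];
static size_t nobjs;
static struct security_id sid_user = { "user_u:user_r:user_t", 1 };
static struct security_id sid_doc  = { "user_u:object_r:doc_t", 1 };

size_t om_track(security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t granted)
{
    objs[nobjs] = (struct open_obj){ ssid, tsid, tclass, granted };
    return nobjs++;
}
access_vector_t om_granted(size_t i) { return objs[i].granted; }
/* SECSID_WILD in an event matches every SID. */
static int sid_match(security_id_t pat, security_id_t sid) { return pat == SECSID_WILD || pat == sid; }

/* Callback with the signature avc_add_callback() expects. GRANT/REVOKE update the
 * table; TRY_REVOKE reports permissions still in use via *out_retained so the AVC
 * keeps them as migrated permissions; RESET forgets every cached decision so the
 * next access is re-checked with avc_has_perm(3). */
int om_avc_callback(uint32_t event, security_id_t ssid, security_id_t tsid,
                    security_class_t tclass, access_vector_t perms,
                    access_vector_t *out_retained)
{
    access_vector_t retained = 0;
    for (size_t i = 0; i < nobjs; i++) {
        struct open_obj *o = &objs[i];
        if (event == AVC_CALLBACK_RESET) { o->granted = 0; continue; }  /* SIDs/perms are NULL */
        if (!sid_match(ssid, o->ssid) || !sid_match(tsid, o->tsid) || o->tclass != tclass)
            continue;
        if (event == AVC_CALLBACK_GRANT)           o->granted |= perms;
        else if (event == AVC_CALLBACK_REVOKE)     o->granted &= ~perms;
        else if (event == AVC_CALLBACK_TRY_REVOKE) retained |= o->granted & perms;
        /* AUDITALLOW/AUDITDENY events leave the granted set alone */
    }
    if (event == AVC_CALLBACK_TRY_REVOKE && out_retained) *out_retained = retained;
    return 0;   /* returning -1 would make the AVC ignore *out_retained */
}
```

In a threaded AVC this callback runs on the netlink handler thread, so a real object manager guards objs with the same lock its access-check path uses.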
RETURN VALUE
On success, avc_add_callback() returns zero. On error, -1 is returned and errno is set appropriately.

ERRORS
ENOMEM
    An attempt to allocate memory failed.
NOTES
If the userspace AVC is running in threaded mode, callbacks registered via avc_add_callback() may be executed in the context of the netlink handler thread. This will likely introduce synchronization issues requiring the use of locks. See avc_init(3).

AUTHOR
Eamon Walsh <[email protected]>

SEE ALSO
avc_init(3), avc_has_perm(3), avc_context_to_sid(3), avc_cache_stats(3), security_compute_av(3), selinux(8)

9 June 2004