selinux_status_open, selinux_status_close, selinux_status_updated,
selinux_status_getenforce, selinux_status_policyload and
selinux_status_deny_unknown - reference the SELinux kernel status without
invocation of system calls
#include <selinux/avc.h>
int selinux_status_open(int fallback);
void selinux_status_close(void);
int selinux_status_updated(void);
int selinux_status_getenforce(void);
int selinux_status_policyload(void);
int selinux_status_deny_unknown(void);
Linux 2.6.37 or later provides a SELinux kernel status page; being mostly placed
on
/sys/fs/selinux/status entry. It enables userspace applications to
mmap this page with read-only mode, then it informs some status without system
call invocations.
In some cases that a userspace application tries to apply heavy frequent access
control; such as row-level security in databases, it will face unignorable
cost to communicate with kernel space to check invalidation of userspace avc.
These functions provides applications a way to know some kernel events without
system-call invocation or worker thread for monitoring.
selinux_status_open() tries to
open(2)
/sys/fs/selinux/status and
mmap(2) it in read-only mode. The
file-descriptor and pointer to the page shall be stored internally; Don't
touch them directly. Set 1 on the
fallback argument to handle a case of
older kernels without kernel status page support. In this case, this function
tries to open a netlink socket using
avc_netlink_open(3) and overwrite
corresponding callbacks (setenforce and policyload). Thus, we need to pay
attention to the interaction with these interfaces, when fallback mode is
enabled.
selinux_status_close() unmap the kernel status page and close its file
descriptor, or close the netlink socket if fallbacked.
selinux_status_updated() processes status update events. There are two
kinds of status updates.
setenforce events will change the effective
enforcing state used within the AVC, and
policyload events will result
in a cache flush.
This function returns 0 if there have been no updates since the last call, 1 if
there have been updates since the last call, or -1 on error.
selinux_status_getenforce() returns 0 if SELinux is running in permissive
mode, 1 if enforcing mode, or -1 on error. Same as
security_getenforce(3) except with or without system call invocation.
selinux_status_policyload() returns times of policy reloaded on the
running system, or -1 on error. Note that it is not a reliable value on
fallback-mode until it receive the first event message via netlink socket.
Thus, don't use this value to know actual times of policy reloaded.
selinux_status_deny_unknown() returns 0 if SELinux treats policy queries
on undefined object classes or permissions as being allowed, 1 if such queries
are denied, or -1 on error.
Also note that these interfaces are not thread-safe, so you have to protect them
from concurrent calls using exclusive locks when multiple threads are
performing.
selinux_status_open() returns 0 or 1 on success. 1 means we are ready to
use these interfaces, but netlink socket was opened as fallback instead of the
kernel status page. On error, -1 shall be returned.
Any other functions with a return value shall return its characteristic value as
described above, or -1 on errors.
mmap(2),
avc_netlink_open(3),
security_getenforce(3),
security_deny_unknown(3)