From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: SELinux-NSA <selinux@tycho.nsa.gov>
Cc: Kohei KaiGai <kaigai@kaigai.gr.jp>
Subject: Re: libselinux: add selinux_status_* interfaces for /selinux/status
Date: Thu, 27 Jan 2011 10:02:34 +0900
Message-ID: <4D40C42A.2080903@ak.jp.nec.com>
In-Reply-To: <AANLkTi=WqUp8FFkqo7eooUUP7qLju=WQQyf6qWsd1+4E@mail.gmail.com>
I updated my patch to reference the /selinux/status entry.
The interfaces of selinux_status_open() and selinux_status_updated() were
revised to eliminate the 'last_seqlock' argument that held the sequence
value from the last time this function was called.
At first, I tried to provide this storage externally for thread safety, but
the fallback routine was not thread-safe anyway, so it made no sense.
The attached status.c is an example program that calls these APIs.
Any comments, please. Thanks,
(2011/01/22 22:42), Kohei KaiGai wrote:
> The attached patch adds several interfaces to reference /selinux/status
> according to sequential-lock logic.
>
> selinux_status_open() opens the kernel status page and mmaps it
> read-only, or opens a netlink socket as a fallback on older kernels.
>
> Then, we can obtain status information from the mmap'ed page using
> selinux_status_updated(), selinux_status_getenforce(),
> selinux_status_policyload() or selinux_status_deny_unknown().
>
> This helps to implement a userspace AVC with heavy access control
> decisions, where we cannot ignore the cost of communicating with the
> kernel to validate userspace caches.
>
> Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: libselinux-status.2.patch --]
[-- Attachment #3: status.c --]
#include <stdio.h>
#include <stdlib.h>      /* atoi() */
#include <unistd.h>      /* usleep() */
#include <selinux/avc.h>

int main(int argc, char *argv[])
{
	int fallback = 1;   /* non-zero: allow netlink fallback on kernels without /selinux/status */
	int rc;

	if (argc > 1)
		fallback = atoi(argv[1]);

	/* 0: status page mmap'ed, 1: netlink fallback in use, <0: error */
	rc = selinux_status_open(fallback);
	if (rc < 0)
		return 1;

	printf("-- selinux kernel status page %s--\n"
	       "policyload = %d, enforcing = %d, deny_unknown = %d\n",
	       !rc ? "" : "(netlink fallback)",
	       selinux_status_policyload(),
	       selinux_status_getenforce(),
	       selinux_status_deny_unknown());

	/* poll the status page; print only when the sequence number has changed */
	while (1)
	{
		usleep(100000);
		if (!selinux_status_updated())
			continue;
		printf("policyload = %d, enforcing = %d, deny_unknown = %d\n",
		       selinux_status_policyload(),
		       selinux_status_getenforce(),
		       selinux_status_deny_unknown());
	}
	return 0;
}
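Added example (not part of KaiGai's patch or the attached status.c): a user-space reader for the /selinux/status page using the sequential-lock logic the patch describes. The page is constructed in memory rather than mmap'ed, and its layout is assumed to match the kernel's struct selinux_kernel_status (version, sequence, enforcing, policyload, deny_unknown). status_read_snapshot(), status_reader_init(), status_updated() and status_write() are names chosen for this example, not libselinux functions; the reader keeps its last-seen sequence in a small context struct rather than a global so the example stays testable, where the revised libselinux API keeps it internally. The writer side is simulated so the retry path, including a page caught with an odd sequence number, can be exercised without a kernel.

```c
#include <stdint.h>
#include <stdio.h>

/* Page exported at /selinux/status; layout assumed to match the kernel's
 * struct selinux_kernel_status. Built in memory here instead of mmap'ed. */
struct selinux_kernel_status {
	uint32_t version;      /* layout version of this structure */
	uint32_t sequence;     /* seqlock counter, odd while an update is in progress */
	uint32_t enforcing;    /* 1 = enforcing, 0 = permissive */
	uint32_t policyload;   /* number of policy loads so far */
	uint32_t deny_unknown; /* handling of unknown classes and permissions */
};

/* Consistent copy of the fields a reader cares about. */
struct status_snapshot {
	uint32_t sequence, enforcing, policyload, deny_unknown;
};

/* Per-reader state; the previous sequence lives here, as the revised selinux_status_updated() keeps it internally. */
struct status_reader {
	const struct selinux_kernel_status *page;
	uint32_t last_seq;
};

#define STATUS_MAX_RETRY 8
/* Seqlock read side: note the sequence, copy the fields, re-check the sequence.
 * Odd means the writer is mid-update, changed means the copy straddled an update;
 * both retry. Returns 0, or -1 after STATUS_MAX_RETRY failures (netlink fallback). */
int status_read_snapshot(const struct selinux_kernel_status *page,
			 struct status_snapshot *out)
{
	for (int attempt = 0; attempt < STATUS_MAX_RETRY; attempt++) {
		uint32_t seq = __atomic_load_n(&page->sequence, __ATOMIC_ACQUIRE);
		if (seq & 1)
			continue;
		out->enforcing = page->enforcing;
		out->policyload = page->policyload;
		out->deny_unknown = page->deny_unknown;
		__atomic_thread_fence(__ATOMIC_ACQUIRE);
		if (__atomic_load_n(&page->sequence, __ATOMIC_RELAXED) == seq) {
			out->sequence = seq;
			return 0;
		}
	}
	return -1;
}

/* Take the first snapshot and remember its sequence, as selinux_status_open()
 * would after mapping the page. */
int status_reader_init(struct status_reader *rd,
		       const struct selinux_kernel_status *page,
		       struct status_snapshot *first)
{
	rd->page = page;
	if (status_read_snapshot(page, first) < 0)
		return -1;
	rd->last_seq = first->sequence;
	return 0;
}

/* Mirrors selinux_status_updated(): 1 if the status changed since the previous
 * call on this reader, 0 if not, -1 if the page could not be read. */
int status_updated(struct status_reader *rd)
{
	struct status_snapshot snap;
	if (status_read_snapshot(rd->page, &snap) < 0)
		return -1;
	if (snap.sequence == rd->last_seq)
		return 0;
	rd->last_seq = snap.sequence;
	return 1;
}

/* Seqlock write side as the kernel does it, simulated so the example runs
 * without a kernel: bump the sequence to odd, change the fields, bump to even. */
void status_write(struct selinux_kernel_status *page, uint32_t enforcing,
		  uint32_t policyload, uint32_t deny_unknown)
{
	__atomic_add_fetch(&page->sequence, 1, __ATOMIC_SEQ_CST); /* odd: update begins */
	page->enforcing = enforcing;
	page->policyload = policyload;
	page->deny_unknown = deny_unknown;
	__atomic_add_fetch(&page->sequence, 1, __ATOMIC_SEQ_CST); /* even: update published */
}

int main(void)
{
	struct selinux_kernel_status page = { 1, 0, 1, 3, 0 }; /* constructed: enforcing, 3 loads */
	struct status_reader rd;
	struct status_snapshot snap;
	if (status_reader_init(&rd, &page, &snap) < 0)
		return 1;
	printf("policyload = %u, enforcing = %u\n", snap.policyload, snap.enforcing);
	status_write(&page, 0, 4, 0); /* simulated setenforce 0 plus a policy reload */
	if (status_updated(&rd) == 1 && status_read_snapshot(&page, &snap) == 0)
		printf("policyload = %u, enforcing = %u\n", snap.policyload, snap.enforcing);
	return 0;
}
```

The bounded retry is the part worth noting: a real reader that spins on an odd sequence would hang if the page were ever left mid-update, so the reader gives up after a few attempts and reports -1, which is the point at which the netlink fallback described in the patch would take over.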