libselinux: add selinux_status_* interfaces for /selinux/status

libselinux: add selinux_status_* interfaces for /selinux/status

[Kohei KaiGai]

[-- Attachment #1: Type: text/plain, Size: 656 bytes --]

The attached patch adds several interfaces to reference /selinux/status
according to sequential-lock logic.

selinux_status_open() open the kernel status page and mmap it with
read-only mode, or open netlink socket as a fallback in older kernels.

Then, we can obtain status information from the mmap'ed page using
selinux_status_updated(), selinux_status_getenfoce(),
selinux_status_policyload() or selinux_status_deny_unknown().

It enables to help to implement userspace avc with heavy access control
decision; that we cannot ignore the cost to communicate with kernel for
validation of userspace caches.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

[-- Attachment #2: libselinux-status.1.patch --]
[-- Type: application/octet-stream, Size: 14212 bytes --]

 Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
--
 libselinux/include/selinux/avc.h                  |   36 +++
 libselinux/man/man3/selinux_status_close.3        |    1 +
 libselinux/man/man3/selinux_status_deny_unknown.3 |    1 +
 libselinux/man/man3/selinux_status_getenforce.3   |    1 +
 libselinux/man/man3/selinux_status_open.3         |   92 ++++++
 libselinux/man/man3/selinux_status_policyload.3   |    1 +
 libselinux/man/man3/selinux_status_updated.3      |    1 +
 libselinux/src/sestatus.c                         |  325 +++++++++++++++++++++
 8 files changed, 458 insertions(+), 0 deletions(-)

diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index 37dd279..41b4fee 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -465,6 +465,42 @@ void avc_netlink_release_fd(void);
  */
 int avc_netlink_check_nb(void);
 
+/**
+ * selinux_status_open - Open and map SELinux kernel status page
+ *
+ */
+int selinux_status_open(int fallback, uint32_t *last_seqno);
+
+/**
+ * selinux_status_close - Unmap and close SELinux kernel status page
+ *
+ */
+void selinux_status_close(void);
+
+/**
+ * selinux_status_updated - Inform us whether the kernel status has been updated
+ *
+ */
+int selinux_status_updated(uint32_t *last_seqno);
+
+/**
+ * selinux_status_getenforce - Get the enforce flag value
+ *
+ */
+int selinux_status_getenforce(void);
+
+/**
+ * selinux_status_policyload - Get the number of policy reloaded
+ *
+ */
+int selinux_status_policyload(void);
+
+/**
+ * selinux_status_deny_unknown - Get the  behavior for undefined classes/permissions
+ *
+ */
+int selinux_status_deny_unknown(void);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/libselinux/man/man3/selinux_status_close.3 b/libselinux/man/man3/selinux_status_close.3
new file mode 100644
index 0000000..52a4169
--- /dev/null
+++ b/libselinux/man/man3/selinux_status_close.3
@@ -0,0 +1 @@
+.so man3/selinux_status_open.3
diff --git a/libselinux/man/man3/selinux_status_deny_unknown.3 b/libselinux/man/man3/selinux_status_deny_unknown.3
new file mode 100644
index 0000000..52a4169
--- /dev/null
+++ b/libselinux/man/man3/selinux_status_deny_unknown.3
@@ -0,0 +1 @@
+.so man3/selinux_status_open.3
diff --git a/libselinux/man/man3/selinux_status_getenforce.3 b/libselinux/man/man3/selinux_status_getenforce.3
new file mode 100644
index 0000000..52a4169
--- /dev/null
+++ b/libselinux/man/man3/selinux_status_getenforce.3
@@ -0,0 +1 @@
+.so man3/selinux_status_open.3
diff --git a/libselinux/man/man3/selinux_status_open.3 b/libselinux/man/man3/selinux_status_open.3
new file mode 100644
index 0000000..1af4259
--- /dev/null
+++ b/libselinux/man/man3/selinux_status_open.3
@@ -0,0 +1,92 @@
+.TH "selinux_status_open" "3" "22 January 2011" "kaigai@ak.jp.nec.com" "SELinux API documentation"
+.SH "NAME"
+selinux_status_open, selinux_status_close, selinux_status_updated,
+selinux_status_getenforce, selinux_status_policyload and
+selinux_status_deny_unknown \- reference the SELinux kernel status
+without invocation of system calls.
+.SH "SYNOPSIS"
+.B #include <selinux/avc.h>
+.sp
+.BI "int selinux_status_open(int " fallback, " uint32_t * " last_seqno ");"
+.sp
+.BI "void selinux_status_close(void);"
+.sp
+.BI "int selinux_status_updated(uint32_t * " last_seqno ");"
+.sp
+.BI "int selinux_status_getenforce(void);"
+.sp
+.BI "int selinux_status_policyload(void);"
+.sp
+.BI "int selinux_status_deny_unknown(void);"
+.sp
+.SH "DESCRIPTION"
+Linux 2.6.37 or later provides a SELinux kernel status page; being mostly
+placed on
+.I /selinux/status
+entry. It enables userspace applications to mmap this page with read-only
+mode, then it informs some status without system call invocations.
+.sp
+In some cases that a userspace application tries to apply heavy frequest
+access control; such as row\-level security in databases, it becomes
+unignorable cost to communicate with kernel space for invalidation check
+on userspace avc.
+.sp
+These functions provides applications a way to know some kernel events
+without system\-call invocation or worker thread for monitoring.
+.sp
+.BR selinux_status_open
+tries to
+.BR open (2)
+.I /selinux/status
+and
+.BR mmap (2)
+it with read-only mode. The file-descriptor and pointer to the page shall
+be stored internally; Don't touch them directly.
+Set 1 on the
+.I fallback
+argument to handle a case of older kernels without kernel status page support.
+In this case, this function tries to open a netlink socket using
+.BR avc_netlink_open (3)
+and overwrite callback settings on setenforce and policyreload.
+So, please pay attention to the interaction with these interfaces.
+The
+.I last_seqno
+is a pointer to store sequencial number of the kernel page on references;
+.B NULL
+is acceptable, if you never use
+.BR selinux_status_updated .
+.sp
+.BR selinux_status_close
+unmap the kernel status page and close its file descriptor, or close the
+netlink socket if fallbacked.
+.sp
+.BR selinux_status_updated
+returns 0 if nothing were happened since the last call, 1 if something has
+been happened, or -1 on error.
+The
+.I last_seqno
+is a pointer to the variable being initialized at
+.BR selinux_status_open .
+.sp
+.BR selinux_status_getenforce
+returns 0 if SELinux is running in permissive mode, 1 if enforcing mode,
+or -1 on error.
+Same as
+.BR security_getenforce (3)
+except with or without system call invocation.
+.sp
+.BR selinux_status_policyload
+returns times of policy reloaded on the running system, or -1 on error.
+Note that it is not a reliable value on fallback-mode until it receive
+the first event message via netlink socket.
+So, don't use this value to know actual times of policy reloaded.
+.sp
+.BR selinux_status_deny_unknown
+returns 0 if SELinux treats policy queries on undefined object classes or
+permissions as being allowed, 1 if such queries are denied, or -1 on error.
+.sp
+.SH "SEE ALSO"
+.BR mmap (2)
+.BR avc_netlink_open (3)
+.BR security_getenforce (3)
+.BR security_deny_unknown (3)
diff --git a/libselinux/man/man3/selinux_status_policyload.3 b/libselinux/man/man3/selinux_status_policyload.3
new file mode 100644
index 0000000..52a4169
--- /dev/null
+++ b/libselinux/man/man3/selinux_status_policyload.3
@@ -0,0 +1 @@
+.so man3/selinux_status_open.3
diff --git a/libselinux/man/man3/selinux_status_updated.3 b/libselinux/man/man3/selinux_status_updated.3
new file mode 100644
index 0000000..52a4169
--- /dev/null
+++ b/libselinux/man/man3/selinux_status_updated.3
@@ -0,0 +1 @@
+.so man3/selinux_status_open.3
diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
new file mode 100644
index 0000000..b764c9d
--- /dev/null
+++ b/libselinux/src/sestatus.c
@@ -0,0 +1,325 @@
+/*
+ * sestatus.c
+ *
+ * APIs to reference SELinux kernel status page (/selinux/status)
+ *
+ * Author: KaiGai Kohei <kaigai@ak.jp.nec.com>
+ *
+ */
+#include <fcntl.h>
+#include <limits.h>
+#include <sched.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include "avc_internal.h"
+#include "policy.h"
+
+/*
+ * copied from the selinux/include/security.h
+ */
+struct selinux_status_t
+{
+	uint32_t	version;	/* version number of thie structure */
+	uint32_t	sequence;	/* sequence number of seqlock logic */
+	uint32_t	enforcing;	/* current setting of enforcing mode */
+	uint32_t	policyload;	/* times of policy reloaded */
+	uint32_t	deny_unknown;	/* current setting of deny_unknown */
+	/* version > 0 support above status */
+} __attribute((packed));
+
+/*
+ * `selinux_status'
+ *
+ * NULL : not initialized yet
+ * MAP_FAILED : opened, but fallback-mode
+ * Valid Pointer : opened and mapped correctly
+ */
+static struct selinux_status_t *selinux_status = NULL;
+static int			selinux_status_fd;
+
+static uint32_t			fallback_sequence;
+static int			fallback_enforcing;
+static int			fallback_policyload;
+
+/*
+ * read_sequence
+ *
+ * A utility routine to reference kernel status page according to
+ * seqlock logic. Since selinux_status->sequence is an odd value during
+ * the kernel status page being updated, we try to synchronize completion
+ * of this updating, but we assume it is rare.
+ * The sequence is almost even number.
+ *
+ * __sync_synchronize is a portable memory barrier for various kind
+ * of architecture that is supported by GCC.
+ */
+static inline uint32_t read_sequence(struct selinux_status_t *status)
+{
+	uint32_t	seqno;
+
+repeat:
+	seqno = status->sequence;
+
+	__sync_synchronize();
+
+	if (seqno & 0x0001) {
+		sched_yield();
+		goto repeat;
+	}
+	return seqno;
+}
+
+/*
+ * selinux_status_updated
+ *
+ * It returns whether something has been happened since the last call.
+ * Because `selinux_status->sequence' shall be always incremented on
+ * both of setenforce/policyreload events, so differences from the last
+ * value informs us something has been happened.
+ */
+int selinux_status_updated(uint32_t *last_seqno)
+{
+	uint32_t	curr_seqno;
+	int		result = 0;
+
+	if (selinux_status == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (selinux_status == MAP_FAILED) {
+		if (avc_netlink_check_nb() < 0)
+			return -1;
+
+		curr_seqno = fallback_sequence;
+	} else {
+		curr_seqno = read_sequence(selinux_status);
+	}
+
+	if (curr_seqno != *last_seqno)
+	{
+		*last_seqno = curr_seqno;
+		result = 1;
+	}
+	return result;
+}
+
+/*
+ * selinux_status_getenforce
+ *
+ * It returns the current performing mode of SELinux.
+ * 1 means currently we run in enforcing mode, or 0 means permissive mode.
+ */
+int selinux_status_getenforce(void)
+{
+	uint32_t	seqno;
+	uint32_t	enforcing;
+
+	if (selinux_status == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (selinux_status == MAP_FAILED) {
+		if (avc_netlink_check_nb() < 0)
+			return -1;
+
+		return fallback_enforcing;
+	}
+
+	/* sequence must not be changed during references */
+	do {
+		seqno = read_sequence(selinux_status);
+
+		enforcing = selinux_status->enforcing;
+
+	} while (seqno != read_sequence(selinux_status));
+
+	return enforcing ? 1 : 0;
+}
+
+/*
+ * selinux_status_policyload
+ *
+ * It returns times of policy reloaded on the running system.
+ * Note that it is not a reliable value on fallback-mode until it receives
+ * the first event message via netlink socket, so, a correct usage of this
+ * value is to compare it with the previous value to detect policy reloaded
+ * event.
+ */
+int selinux_status_policyload(void)
+{
+	uint32_t	seqno;
+	uint32_t	policyload;
+
+	if (selinux_status == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (selinux_status == MAP_FAILED) {
+		if (avc_netlink_check_nb() < 0)
+			return -1;
+
+		return fallback_policyload;
+	}
+
+	/* sequence must not be changed during references */
+	do {
+		seqno = read_sequence(selinux_status);
+
+		policyload = selinux_status->policyload;
+
+	} while (seqno != read_sequence(selinux_status));
+
+	return policyload;
+}
+
+/*
+ * selinux_status_deny_unknown
+ *
+ * It returns a guideline to handle undefined object classes or permissions.
+ * 0 means SELinux treats policy queries on undefined stuff being allowed,
+ * however, 1 means such queries are denied.
+ */
+int selinux_status_deny_unknown(void)
+{
+	uint32_t	seqno;
+	uint32_t	deny_unknown;
+
+	if (selinux_status == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (selinux_status == MAP_FAILED)
+		return security_deny_unknown();
+
+	/* sequence must not be changed during references */
+	do {
+		seqno = read_sequence(selinux_status);
+
+		deny_unknown = selinux_status->deny_unknown;
+
+	} while (seqno != read_sequence(selinux_status));
+
+	return deny_unknown ? 1 : 0;
+}
+
+/*
+ * callback routines for fallback case using netlink socket
+ */
+static int fallback_cb_setenforce(int enforcing)
+{
+	fallback_sequence++;
+	fallback_enforcing = enforcing;
+
+	return 0;
+}
+
+static int fallback_cb_policyload(int policyload)
+{
+	fallback_sequence++;
+	fallback_policyload = policyload;
+
+	return 0;
+}
+
+/*
+ * selinux_status_open
+ *
+ * It tries to open and mmap kernel status page (/selinux/status).
+ * Since Linux 2.6.37 or later supports this feature, we may run
+ * fallback routine using a netlink socket on older kernels, if
+ * the supplied `fallback' is not zero.
+ * It returns 0 on success, or -1 on error.
+ */
+int selinux_status_open(int fallback, uint32_t *last_seqno)
+{
+	int	fd;
+	char	path[PATH_MAX];
+
+	if (!selinux_mnt) {
+		errno = ENOENT;
+		return -1;
+	}
+
+	snprintf(path, sizeof(path), "%s/status", selinux_mnt);
+	fd = open(path, O_RDONLY);
+	if (fd < 0)
+		goto error;
+
+	selinux_status = mmap(NULL, sysconf(_SC_PAGESIZE),
+			      PROT_READ, MAP_SHARED, fd, 0);
+	if (selinux_status == MAP_FAILED) {
+		close(fd);
+		goto error;
+	}
+	selinux_status_fd = fd;
+	if (last_seqno)
+		*last_seqno = read_sequence(selinux_status);
+
+	return 0;
+
+error:
+	/*
+	 * If caller wants fallback routine, we try to provide
+	 * an equivalent functionality using existing netlink
+	 * socket, although it needs system call invocation to
+	 * receive event notification.
+	 */
+	if (fallback && avc_netlink_open(0) == 0) {
+		union selinux_callback	cb;
+
+		/* register my callbacks */
+		cb.func_setenforce = fallback_cb_setenforce;
+		selinux_set_callback(SELINUX_CB_SETENFORCE, cb);
+		cb.func_policyload = fallback_cb_policyload;
+		selinux_set_callback(SELINUX_CB_POLICYLOAD, cb);
+
+		/* mark as fallback mode */
+		selinux_status = MAP_FAILED;
+		selinux_status_fd = avc_netlink_acquire_fd();
+
+		fallback_sequence = 0;
+		fallback_enforcing = security_getenforce();
+		fallback_policyload = 0;
+		if (last_seqno)
+			*last_seqno = 0;
+
+		return 0;
+	}
+	selinux_status = NULL;
+
+	return -1;
+}
+
+/*
+ * selinux_status_close
+ *
+ * It unmap and close the kernel status page, or close netlink socket
+ * if fallback mode.
+ */
+void selinux_status_close(void)
+{
+	/* not opened */
+	if (selinux_status == NULL)
+		return;
+
+	/* fallback-mode */
+	if (selinux_status == MAP_FAILED)
+	{
+		avc_netlink_release_fd();
+		avc_netlink_close();
+		selinux_status = NULL;
+		return;
+	}
+
+	munmap(selinux_status, sysconf(_SC_PAGESIZE));
+	selinux_status = NULL;
+
+	close(selinux_status_fd);
+	selinux_status_fd = -1;
+}

Re: libselinux: add selinux_status_* interfaces for /selinux/status

[KaiGai Kohei]

[-- Attachment #1: Type: text/plain, Size: 1209 bytes --]

I updated my patch to reference /selinux/status entry.

The interface of selinux_status_open() and selinux_status_updated() was
revised to eliminate an argument of 'last_seqlock' that holds a sequence
value when we call this function last time.
At first, I tried to give this storage externally for thread-safing, but
fallback routine was not thread-safe anyway, so it became nonsense.

The attached status.c is an example program to call these APIs.

Any comments please. Thanks,

(2011/01/22 22:42), Kohei KaiGai wrote:
> The attached patch adds several interfaces to reference /selinux/status
> according to sequential-lock logic.
> 
> selinux_status_open() open the kernel status page and mmap it with
> read-only mode, or open netlink socket as a fallback in older kernels.
> 
> Then, we can obtain status information from the mmap'ed page using
> selinux_status_updated(), selinux_status_getenfoce(),
> selinux_status_policyload() or selinux_status_deny_unknown().
> 
> It enables to help to implement userspace avc with heavy access control
> decision; that we cannot ignore the cost to communicate with kernel for
> validation of userspace caches.
> 
> Thanks,
-- 
KaiGai Kohei <kaigai@ak.jp.nec.com>

[-- Attachment #2: libselinux-status.2.patch --]
[-- Type: application/octect-stream, Size: 14887 bytes --]

[-- Attachment #3: status.c --]
[-- Type: text/plain, Size: 754 bytes --]

#include <stdio.h>
#include <selinux/avc.h>

int main(int argc, char *argv[])
{
	int	fallback = 1;
	int	rc;

	if (argc > 1)
		fallback = atoi(argv[1]);

	rc = selinux_status_open(1);
	if (rc < 0)
		return 1;

	printf("-- selinux kernel status page %s--\n"
	       "policyload = %d, enforcing = %d, deny_unknown = %d\n",
	       !rc ? "" : "(netlink fallback)",
	       selinux_status_policyload(),
	       selinux_status_getenforce(),
	       selinux_status_deny_unknown());

	while (1)
	{
		usleep(100000);

		if (!selinux_status_updated())
			continue;

		printf("policyload = %d, enforcing = %d, deny_unknown = %d\n",
		       selinux_status_policyload(),
		       selinux_status_getenforce(),
		       selinux_status_deny_unknown());
	}
	return 0;
}

RE: libselinux: add selinux_status_* interfaces for /selinux/status

[Kohei Kaigai]

How about getting inclusion of these patches that I submitted before?

Thanks,

> -----Original Message-----
> From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]
> On Behalf Of KaiGai Kohei
> Sent: 27 January 2011 01:03
> To: SELinux-NSA
> Cc: Kohei KaiGai
> Subject: Re: libselinux: add selinux_status_* interfaces for
> /selinux/status
> 
> I updated my patch to reference /selinux/status entry.
> 
> The interface of selinux_status_open() and selinux_status_updated() was
> revised to eliminate an argument of 'last_seqlock' that holds a
> sequence value when we call this function last time.
> At first, I tried to give this storage externally for thread-safing,
> but fallback routine was not thread-safe anyway, so it became nonsense.
> 
> The attached status.c is an example program to call these APIs.
> 
> Any comments please. Thanks,
> 
> (2011/01/22 22:42), Kohei KaiGai wrote:
> > The attached patch adds several interfaces to reference
> > /selinux/status according to sequential-lock logic.
> >
> > selinux_status_open() open the kernel status page and mmap it with
> > read-only mode, or open netlink socket as a fallback in older kernels.
> >
> > Then, we can obtain status information from the mmap'ed page using
> > selinux_status_updated(), selinux_status_getenfoce(),
> > selinux_status_policyload() or selinux_status_deny_unknown().
> >
> > It enables to help to implement userspace avc with heavy access
> > control decision; that we cannot ignore the cost to communicate with
> > kernel for validation of userspace caches.
> >
> > Thanks,
> --
> KaiGai Kohei <kaigai@ak.jp.nec.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libselinux: add selinux_status_* interfaces for /selinux/status

[Steve Lawrence]

On 01/26/2011 08:02 PM, KaiGai Kohei wrote:
> I updated my patch to reference /selinux/status entry.
> 
> The interface of selinux_status_open() and selinux_status_updated() was
> revised to eliminate an argument of 'last_seqlock' that holds a sequence
> value when we call this function last time.
> At first, I tried to give this storage externally for thread-safing, but
> fallback routine was not thread-safe anyway, so it became nonsense.
> 
> The attached status.c is an example program to call these APIs.
> 
> Any comments please. Thanks,
> 
> (2011/01/22 22:42), Kohei KaiGai wrote:
>> The attached patch adds several interfaces to reference /selinux/status
>> according to sequential-lock logic.
>>
>> selinux_status_open() open the kernel status page and mmap it with
>> read-only mode, or open netlink socket as a fallback in older kernels.
>>
>> Then, we can obtain status information from the mmap'ed page using
>> selinux_status_updated(), selinux_status_getenfoce(),
>> selinux_status_policyload() or selinux_status_deny_unknown().
>>
>> It enables to help to implement userspace avc with heavy access control
>> decision; that we cannot ignore the cost to communicate with kernel for
>> validation of userspace caches.
>>
>> Thanks,

The patch looks okay to me, but I'm seeing unexpected behavior with the
selinux_status_policyload(). For example, when running your sample
status.c code, I get the following (I'm just calling load_policy after
each line is printed):

   # ./status
   -- selinux kernel status page --
   policyload = 0, enforcing = 1, deny_unknown = 0
   policyload = 2, enforcing = 1, deny_unknown = 0
   policyload = 3, enforcing = 1, deny_unknown = 0
   policyload = 4, enforcing = 1, deny_unknown = 0

policyload jumps from 0 to 2 when reloading policy the first time, but
all other policy loads after that are incremented by 1, as expected. And
it doesn't matter if it's using mmap or falls back to netlink. Same
behavior in both cases.

It doesn't look like the problem is in this patch, so I'm guessing this
is a problem in the kernel? Or am I missing something and this is the
correct behavior?

- Steve

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libselinux: add selinux_status_* interfaces for /selinux/status

[Kohei KaiGai]

> The patch looks okay to me, but I'm seeing unexpected behavior with the
> selinux_status_policyload(). For example, when running your sample
> status.c code, I get the following (I'm just calling load_policy after
> each line is printed):
>
>   # ./status
>   -- selinux kernel status page --
>   policyload = 0, enforcing = 1, deny_unknown = 0
>   policyload = 2, enforcing = 1, deny_unknown = 0
>   policyload = 3, enforcing = 1, deny_unknown = 0
>   policyload = 4, enforcing = 1, deny_unknown = 0
>
> policyload jumps from 0 to 2 when reloading policy the first time, but
> all other policy loads after that are incremented by 1, as expected. And
> it doesn't matter if it's using mmap or falls back to netlink. Same
> behavior in both cases.
>
> It doesn't look like the problem is in this patch, so I'm guessing this
> is a problem in the kernel? Or am I missing something and this is the
> correct behavior?
>
It is a specification, not a problem. :-)

See the manpage part of the patch. It says ...

| +.BR selinux_status_policyload
| +returns times of policy reloaded on the running system, or -1 on error.
| +Note that it is not a reliable value on fallback-mode until it receive
| +the first event message via netlink socket.
| +Thus, don't use this value to know actual times of policy reloaded.

When we use this interface with fallback mode, it opens a netlink socket
to receive messages from the kernel space.
The message packet will deliver userspace number of policy reloaded,
so it also means application cannot know the information until it receives
the first message packet.

As the manpage says, our recommendable usage of selinux_status_policyload()
on fall-back mode is detection of the policy reloaded event, not knowing
the actual number of policy reloaded in the system.

Of course, when /selinux/status is available, this interface always returns
the correct number.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: libselinux: add selinux_status_* interfaces for /selinux/status

[Steve Lawrence]

On 02/11/2011 04:09 PM, Kohei KaiGai wrote:
>> The patch looks okay to me, but I'm seeing unexpected behavior with the
>> selinux_status_policyload(). For example, when running your sample
>> status.c code, I get the following (I'm just calling load_policy after
>> each line is printed):
>>
>>    # ./status
>>    -- selinux kernel status page --
>>    policyload = 0, enforcing = 1, deny_unknown = 0
>>    policyload = 2, enforcing = 1, deny_unknown = 0
>>    policyload = 3, enforcing = 1, deny_unknown = 0
>>    policyload = 4, enforcing = 1, deny_unknown = 0
>>
>> policyload jumps from 0 to 2 when reloading policy the first time, but
>> all other policy loads after that are incremented by 1, as expected. And
>> it doesn't matter if it's using mmap or falls back to netlink. Same
>> behavior in both cases.
>>
>> It doesn't look like the problem is in this patch, so I'm guessing this
>> is a problem in the kernel? Or am I missing something and this is the
>> correct behavior?
>>
> It is a specification, not a problem. :-)
>
> See the manpage part of the patch. It says ...
>
> | +.BR selinux_status_policyload
> | +returns times of policy reloaded on the running system, or -1 on error.
> | +Note that it is not a reliable value on fallback-mode until it receive
> | +the first event message via netlink socket.
> | +Thus, don't use this value to know actual times of policy reloaded.
>
> When we use this interface with fallback mode, it opens a netlink socket
> to receive messages from the kernel space.
> The message packet will deliver userspace number of policy reloaded,
> so it also means application cannot know the information until it receives
> the first message packet.
>
> As the manpage says, our recommendable usage of selinux_status_policyload()
> on fall-back mode is detection of the policy reloaded event, not knowing
> the actual number of policy reloaded in the system.
>
> Of course, when /selinux/status is available, this interface always returns
> the correct number.
>
> Thanks,

I see, looks good then.

Acked-by: Steve Lawrence <slawrence@tresys.com>

Merged as of libselinux to 2.0.99




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: libselinux: add selinux_status_* interfaces for /selinux/status

[Kohei Kaigai]

> I see, looks good then.
> 
> Acked-by: Steve Lawrence <slawrence@tresys.com>
> 
> Merged as of libselinux to 2.0.99
>
Thanks for your reviewing.

I also submitted the following patch:
  http://marc.info/?l=selinux&m=129429839717037&w=2

The db_language class represents procedural languages (such as pl/pgsql, ...)
that is already got into refpolicy, so please add libselinux this support also.

Thanks,
--
NEC Europe Ltd, Global Competence Center
KaiGai Kohei <kohei.kaigai@eu.nec.com>


> -----Original Message-----
> From: Steve Lawrence [mailto:slawrence@tresys.com]
> Sent: 1. März 2011 17:54
> To: Kohei KaiGai
> Cc: Kohei Kaigai; SELinux-NSA
> Subject: Re: libselinux: add selinux_status_* interfaces for
> /selinux/status
> 
> On 02/11/2011 04:09 PM, Kohei KaiGai wrote:
> >> The patch looks okay to me, but I'm seeing unexpected behavior with the
> >> selinux_status_policyload(). For example, when running your sample
> >> status.c code, I get the following (I'm just calling load_policy after
> >> each line is printed):
> >>
> >>    # ./status
> >>    -- selinux kernel status page --
> >>    policyload = 0, enforcing = 1, deny_unknown = 0
> >>    policyload = 2, enforcing = 1, deny_unknown = 0
> >>    policyload = 3, enforcing = 1, deny_unknown = 0
> >>    policyload = 4, enforcing = 1, deny_unknown = 0
> >>
> >> policyload jumps from 0 to 2 when reloading policy the first time, but
> >> all other policy loads after that are incremented by 1, as expected.
> And
> >> it doesn't matter if it's using mmap or falls back to netlink. Same
> >> behavior in both cases.
> >>
> >> It doesn't look like the problem is in this patch, so I'm guessing this
> >> is a problem in the kernel? Or am I missing something and this is the
> >> correct behavior?
> >>
> > It is a specification, not a problem. :-)
> >
> > See the manpage part of the patch. It says ...
> >
> > | +.BR selinux_status_policyload
> > | +returns times of policy reloaded on the running system, or -1 on error.
> > | +Note that it is not a reliable value on fallback-mode until it receive
> > | +the first event message via netlink socket.
> > | +Thus, don't use this value to know actual times of policy reloaded.
> >
> > When we use this interface with fallback mode, it opens a netlink socket
> > to receive messages from the kernel space.
> > The message packet will deliver userspace number of policy reloaded,
> > so it also means application cannot know the information until it receives
> > the first message packet.
> >
> > As the manpage says, our recommendable usage of
> selinux_status_policyload()
> > on fall-back mode is detection of the policy reloaded event, not knowing
> > the actual number of policy reloaded in the system.
> >
> > Of course, when /selinux/status is available, this interface always
> returns
> > the correct number.
> >
> > Thanks,
> 
> I see, looks good then.
> 
> Acked-by: Steve Lawrence <slawrence@tresys.com>
> 
> Merged as of libselinux to 2.0.99
> 
> 
> 
> 
> 
>  Click
> https://www.mailcontrol.com/sr/GWdwHubc7EzTndxI!oX7UmPeZu4sclqX2roie2u
> XDQj5Wf!gl9SlFfzJ+GRHJbN7WZXnCqumW0JTEf5tQBqpNg==  to report this email
> as spam.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.