On Fri, 2010-06-11 at 12:37 -0400, Eric Paris wrote:
> There is interest in being able to see what the actual policy is that was
> loaded into the kernel. The patch creates a new selinuxfs file
> /selinux/policy which can be read by userspace. The actual policy that is
> loaded into the kernel will be written back out to userspace.

Why a new node vs a read op for /selinux/load?

> Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
> ---
>
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 1de60ce..2e022db 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -3126,3 +3125,27 @@ netlbl_sid_to_secattr_failure:
> return rc;
> }
> #endif /* CONFIG_NETLABEL */
> +
> +/**
> + * security_read_policy - read the policy.
> + * @data: binary policy data
> + * @len: length of data in bytes
> + *
> + */
> +int security_read_policy(void *data, ssize_t *len)
> +{
> + int rc = 0;
> + struct policy_file file = { data, *len }, *fp = &file;
> +
> + if (!ss_initialized)
> + return -EINVAL;
> +
> + read_lock_irq(&policy_rwlock);
> + rc = policydb_write(&policydb, fp);
> + read_unlock_irq(&policy_rwlock);
> +
> + *len = (unsigned long)fp->data - (unsigned long)data;
> +
> + return rc;
> +
> +}

Why _irq?

--
Stephen Smalley
National Security Agency
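Review bot: read_lock_irq()/read_unlock_irq() around policydb_write() in security_read_policy() disables local interrupts for the entire serialization of the policy, which for a policy of any realistic size is a long window; unless policy_rwlock is also taken from interrupt context (nothing in this hunk suggests it is), plain read_lock()/read_unlock() would be the appropriate pair here. A second question for the same function: the buffer length the caller supplies is only carried into policydb_write() via `struct policy_file file = { data, *len }`, and on return `*len` is recomputed from how far fp->data advanced, so the correctness of this interface depends on policydb_write() refusing to write past fp->len if the caller's buffer turns out to be smaller than the currently loaded policy (for example after a reload between sizing the buffer and reading); that guarantee should be stated in the kernel-doc, which currently has an empty description line and no "Return:" section. Minor: `int rc = 0;` is unconditionally overwritten by the policydb_write() result, and the blank line before the closing brace is stray.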