I updated my patch to reference the /selinux/status entry.

The interface of selinux_status_open() and selinux_status_updated() was revised to eliminate the 'last_seqlock' argument, which held the sequence value from the last time we called this function. At first, I tried to have this storage supplied externally for thread safety, but the fallback routine was not thread-safe anyway, so it became nonsense.

The attached status.c is an example program that calls these APIs.

Any comments please.

Thanks,

(2011/01/22 22:42), Kohei KaiGai wrote:
> The attached patch adds several interfaces to reference /selinux/status
> according to sequential-lock logic.
>
> selinux_status_open() opens the kernel status page and mmaps it in
> read-only mode, or opens a netlink socket as a fallback on older kernels.
>
> Then, we can obtain status information from the mmap'ed page using
> selinux_status_updated(), selinux_status_getenforce(),
> selinux_status_policyload() or selinux_status_deny_unknown().
>
> It helps to implement a userspace AVC with heavy access control
> decisions, where we cannot ignore the cost of communicating with the
> kernel to validate userspace caches.
>
> Thanks,
--
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
Attachment:
libselinux-status.2.patch
status.c:

#include <stdio.h>
#include <stdlib.h>      /* atoi() */
#include <unistd.h>      /* usleep() */
#include <selinux/avc.h>

int main(int argc, char *argv[])
{
        int fallback = 1;   /* allow the netlink fallback on kernels without /selinux/status */
        int rc;

        if (argc > 1)
                fallback = atoi(argv[1]);

        /* 0: status page mmap'ed, 1: netlink fallback in use, <0: error */
        rc = selinux_status_open(fallback);
        if (rc < 0)
                return 1;

        printf("-- selinux kernel status page %s--\n"
               "policyload = %d, enforcing = %d, deny_unknown = %d\n",
               !rc ? "" : "(netlink fallback)",
               selinux_status_policyload(),
               selinux_status_getenforce(),
               selinux_status_deny_unknown());

        while (1) {
                usleep(100000);
                /* only re-read the fields once the sequence number has moved */
                if (!selinux_status_updated())
                        continue;
                printf("policyload = %d, enforcing = %d, deny_unknown = %d\n",
                       selinux_status_policyload(),
                       selinux_status_getenforce(),
                       selinux_status_deny_unknown());
        }
        return 0;
}
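The quoted message describes the status page as being read "according to sequential-lock logic" and motivates it with cache validation in a userspace AVC. The following is an added example, not part of the patch or of libselinux: it implements the seqlock reader over a constructed in-memory page standing in for the mmap'ed /selinux/status, a simulated kernel-side writer, and a cache entry that is validated against the policyload counter without any kernel round trip. The field layout (version, sequence, enforcing, policyload, deny_unknown) is an assumption, since the thread does not show it; the function names are hypothetical and not the libselinux API.

```c
/* Added example: seqlock-style reader for an SELinux-like status page plus
 * a tiny userspace cache on top. Not code from the patch or libselinux. */
#include <stdint.h>
#include <stdio.h>

/* ASSUMED layout of the status page; the thread does not show the real one. */
struct status_page {
    uint32_t version;      /* layout version */
    uint32_t sequence;     /* odd while the writer is updating the page */
    uint32_t enforcing;
    uint32_t policyload;   /* bumped on every policy (re)load */
    uint32_t deny_unknown;
};

struct status_snapshot {
    uint32_t sequence;
    uint32_t enforcing;
    uint32_t policyload;
    uint32_t deny_unknown;
};

#define barrier() __asm__ __volatile__("" ::: "memory")

/* One attempt at a consistent read. Returns 0 on success, -1 if a write was
 * in progress (odd sequence) or the sequence moved while fields were copied. */
int status_try_read(const volatile struct status_page *page, struct status_snapshot *out)
{
    uint32_t seq = page->sequence;
    if (seq & 1)
        return -1;
    barrier();
    out->enforcing    = page->enforcing;
    out->policyload   = page->policyload;
    out->deny_unknown = page->deny_unknown;
    barrier();
    if (page->sequence != seq)
        return -1;
    out->sequence = seq;
    return 0;
}

/* Bounded retry loop: a real reader would spin, but capping attempts keeps
 * a stalled writer from hanging the caller. Returns 0 or -1. */
int status_read(const volatile struct status_page *page, struct status_snapshot *out, int max_tries)
{
    for (int i = 0; i < max_tries; i++)
        if (status_try_read(page, out) == 0)
            return 0;
    return -1;
}

/* Simulated writer side: an odd sequence brackets the critical section. */
void status_update(volatile struct status_page *page, uint32_t enforcing, int policy_reloaded)
{
    page->sequence++;          /* now odd: readers back off */
    barrier();
    page->enforcing = enforcing;
    if (policy_reloaded)
        page->policyload++;
    barrier();
    page->sequence++;          /* even again: page is consistent */
}

/* A userspace AVC entry tagged with the policyload it was computed under. */
struct avc_entry {
    uint32_t policyload;
    int allowed;
};

/* Valid only if no policy has been loaded since the entry was cached.
 * Returns 1 if valid, 0 if stale or if no consistent view could be read. */
int avc_entry_valid(const volatile struct status_page *page, const struct avc_entry *e)
{
    struct status_snapshot s;
    if (status_read(page, &s, 16) != 0)
        return 0;
    return s.policyload == e->policyload;
}

int main(void)
{
    /* Constructed page standing in for mmap("/selinux/status"). */
    struct status_page page = { .version = 1, .sequence = 0, .enforcing = 1,
                                .policyload = 3, .deny_unknown = 0 };
    struct status_snapshot s;
    struct avc_entry e;

    status_read(&page, &s, 16);
    e.policyload = s.policyload;
    e.allowed = 1;
    printf("enforcing=%u policyload=%u valid=%d\n", s.enforcing, s.policyload, avc_entry_valid(&page, &e));

    status_update(&page, 0, 1);   /* setenforce 0 plus a policy reload */
    status_read(&page, &s, 16);
    printf("enforcing=%u policyload=%u valid=%d\n", s.enforcing, s.policyload, avc_entry_valid(&page, &e));
    return 0;
}
```

The barrier() macro is only a compiler barrier; on a real mmap'ed page shared with the kernel, a reader on a weakly ordered architecture would want a read memory barrier in the same two places, which is the part of this protocol a review of the fallback-free seqlock path should check.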