Re: [PATCH v6] libselinux: use kernel status page by default

On Thu, Aug 6, 2020 at 8:05 AM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On 8/5/20 3:43 PM, Mike Palmiotto wrote:
>
> > Commit bc2a8f418e3b ("libselinux: add selinux_status_* interfaces for
> > /selinux/status") introduced the sestatus mechanism, which allows for
> > mmap()'ing of the kernel status page as a replacement for avc_netlink.
> >
> > The mechanism was initially intended for userspace object managers that
> > were calculating access decisions within their application and did not
> > rely on the libselinux AVC implementation. In order to properly make use
> > of sestatus within avc_has_perm(), the status mechanism needs to
> > properly set avc internals during status events; else, avc_enforcing is
> > never updated upon sestatus changes.
> >
> > This commit gets rid of the default avc_netlink_open() in
> > avc_init_internal(), replacing it with selinux_status_open(). In the
> > event that the kernel status page cannot be mapped, the netlink fallback
> > will be used. By default, avc_has_perm_noaudit() and
> > selinux_check_access() will now attempt to read the kernel status page,
> > which removes a system call from two critical code paths.
> >
> > Since the AVC thread create/stop callbacks were intended to avoid a
> > system call in the critical code path, they no longer need to be created
> > by default. In the event that the kernel status page is successfully
> > mapped, threads will not be created. Threads will still be
> > created/stopped for the sestatus fallback codepaths.
> >
> > Userspace object managers that still need a netlink socket can call
> > avc_netlink_acquire_fd() to open and/or obtain one.
> >
> > Update the manpage to reflect the new avc_netlink_acquire_fd()
> > functionality.
> >
> > Signed-off-by: Mike Palmiotto <mike.palmiotto@xxxxxxxxxxxxxxx>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>

Applied.
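As an added illustration that is not part of the patch or of libselinux's own source, the following stand-alone C sketch shows the lock-free read that the mmap()'d status page enables, which is what lets the AVC skip a system call on the critical path. The struct layout is the kernel's version-1 selinux_kernel_status (known from the kernel, not stated in this thread), the retry bound is my addition, and the page is a constructed in-memory stand-in rather than a mapped /selinux/status.

```c
#define _POSIX_C_SOURCE 200809L
#include <sched.h>
#include <stdint.h>
/* Kernel SELinux status page layout (struct selinux_kernel_status, version 1),
 * which libselinux maps read-only; below it is a constructed in-memory stand-in. */
struct selinux_kernel_status {
    uint32_t version;      /* layout version, currently 1 */
    uint32_t sequence;     /* odd while the kernel is updating the page */
    uint32_t enforcing;    /* 0 = permissive, 1 = enforcing */
    uint32_t policyload;   /* incremented on every policy (re)load */
    uint32_t deny_unknown; /* handling of permissions absent from the policy */
};
#define MAX_SPINS 1000  /* added bound so a stuck page cannot hang the caller */

/* Wait until no writer is mid-update (odd sequence). 0 on success, -1 if
 * the sequence never settles. */
static int read_sequence(const volatile struct selinux_kernel_status *st,
                         uint32_t *seq)
{
    for (int i = 0; i < MAX_SPINS; i++) {
        *seq = st->sequence;
        if ((*seq & 1) == 0)
            return 0;
        sched_yield();
    }
    return -1;
}

/* Seqlock-style read of the enforcing flag: the fast path touches only shared
 * memory, which is how the status page removes a system call from
 * avc_has_perm_noaudit(). Returns 0/1, or -1 when the caller should fall back. */
int status_getenforce(const volatile struct selinux_kernel_status *st)
{
    uint32_t seq, enforcing;
    for (int tries = 0; tries < MAX_SPINS; tries++) {
        if (read_sequence(st, &seq) < 0)
            return -1;
        enforcing = st->enforcing;
        if (seq == st->sequence)        /* no writer raced the read */
            return enforcing ? 1 : 0;
    }
    return -1;
}

/* Build a constructed page with the given sequence/enforcing, then read it. */
int read_constructed_page(uint32_t sequence, uint32_t enforcing)
{
    struct selinux_kernel_status page = { 1, sequence, enforcing, 0, 0 };
    return status_getenforce(&page);
}
```

A -1 result is the point at which the patched avc_init_internal() path would instead rely on the netlink fallback the commit message describes.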