On 10/8/2020 1:56 PM, Olga Kornievskaia wrote: > On Thu, Oct 8, 2020 at 2:44 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: >> On 10/8/2020 8:15 AM, Olga Kornievskaia wrote: >>> On Thu, Oct 8, 2020 at 10:08 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: >>>> On Thu, Oct 8, 2020 at 3:50 PM Olga Kornievskaia <aglo@xxxxxxxxx> wrote: >>>>> On Wed, Oct 7, 2020 at 9:07 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: >>>>>> On Wed, Oct 7, 2020 at 8:41 PM Olga Kornievskaia <aglo@xxxxxxxxx> wrote: >>>>>>> Hi folks, >>>>>>> >>>>>>> From some linux kernel module, is it possible to query and find out >>>>>>> whether or not selinux is currently enabled or not? >>>>>>> >>>>>>> Thank you. >>>>>> [NOTE: CC'ing the SELinux list as it's probably a bit more relevant >>>>>> that the LSM list] >>>>>> >>>>>> In general most parts of the kernel shouldn't need to worry about what >>>>>> LSMs are active and/or enabled; the simply interact with the LSM(s) >>>>>> via the interfaces defined in include/linux/security.h (there are some >>>>>> helpful comments in include/linux/lsm_hooks.h). Can you elaborate a >>>>>> bit more on what you are trying to accomplish? >>>>> Hi Paul, >>>>> >>>>> Thank you for the response. What I'm trying to accomplish is the >>>>> following. Within a file system (NFS), typically any queries for >>>>> security labels are triggered by the SElinux (or I guess an LSM in >>>>> general) (thru the xattr_handler hooks). However, when the VFS is >>>>> calling to get directory entries NFS will always get the labels >>>>> (baring server not supporting it). However this is useless and affects >>>>> performance (ie., this makes servers do extra work and adds to the >>>>> network traffic) when selinux is disabled. It would be useful if NFS >>>>> can check if there is anything that requires those labels, if SElinux >>>>> is enabled or disabled. >>>> Isn't this already accomplished by the security_ismaclabel() checks >>>> that NFS is already doing? >>> No it is not (for the readdir). Yes security_ismaclabel() is used >>> during the calls triggers thru the xattr_handle when a security_label >>> is queried on a specific file system object (inode). >>> >>> This is done thru the xattr_handler interface which supplies things >>> like a "key" (which I'm not exactly sure that is but LSM(selinux) >>> uses). The only thing that we have in VFS readdir call is a >>> dentry(inode). (inode)->i_security isn't NULL (I already checked as I >>> was hoping that would be null when selinux is disabled). So I need >>> something else to check to see if selinux/LSM is active. >> The NFS labeling is supposed to work for any security module, not >> just SELinux. security_ismaclabel() should be the interface you need >> to use. Checking inode->i_security would NOT give you a definitive >> answer, as a security module may very well have an inode attribute >> that is not related to Mandatory Access Control (MAC). > Can you suggest what should be passed into security_ismaclabel()? > Typically this is driven by a call into the kernel module that > registered an xattr_handler and LSM passes into it an attribute name > to use to lookup (basically what is passed into the xatrr_handler for > key/name is passed to security_ismaclabel()). VFS readdir doesn't have > anything like that. I'm not convinced that the question makes sense. Are you trying to avoid in the VFS layer a call in the NFS layer to fetch an attribute the NFS layer isn't supporting? Is that reasonable? I could see changing the NFS implementation to be more careful about the calls it is making, but not the VFS layer. Or am I (once again) missing the point?
