Provided by: libselinux1-dev_2.1.0-4.1ubuntu1_amd64
selinux_status_open, selinux_status_close, selinux_status_updated, selinux_status_getenforce, selinux_status_policyload and selinux_status_deny_unknown - reference the SELinux kernel status without invocation of system calls.
#include <selinux/avc.h> int selinux_status_open(int fallback,); void selinux_status_close(void); int selinux_status_updated(void); int selinux_status_getenforce(void); int selinux_status_policyload(void); int selinux_status_deny_unknown(void);
Linux 2.6.37 or later provides a SELinux kernel status page; being mostly placed on /selinux/status entry. It enables userspace applications to mmap this page with read-only mode, then it informs some status without system call invocations. In some cases that a userspace application tries to apply heavy frequest access control; such as row-level security in databases, it will face unignorable cost to communicate with kernel space to check invalidation of userspace avc. These functions provides applications a way to know some kernel events without system-call invocation or worker thread for monitoring. selinux_status_open tries to open(2) /selinux/status and mmap(2) it in read-only mode. The file-descriptor and pointer to the page shall be stored internally; Don't touch them directly. Set 1 on the fallback argument to handle a case of older kernels without kernel status page support. In this case, this function tries to open a netlink socket using avc_netlink_open(3) and overwrite corresponding callbacks ( setenforce and policyload). Thus, we need to pay attention to the interaction with these interfaces, when fallback mode is enabled. selinux_status_close unmap the kernel status page and close its file descriptor, or close the netlink socket if fallbacked. selinux_status_updated informs us whether something has been updated since the last call. It returns 0 if nothing was happened, however, 1 if something has been updated in this duration, or -1 on error. selinux_status_getenforce returns 0 if SELinux is running in permissive mode, 1 if enforcing mode, or -1 on error. Same as security_getenforce(3) except with or without system call invocation. selinux_status_policyload returns times of policy reloaded on the running system, or -1 on error. Note that it is not a reliable value on fallback-mode until it receive the first event message via netlink socket. Thus, don't use this value to know actual times of policy reloaded. selinux_status_deny_unknown returns 0 if SELinux treats policy queries on undefined object classes or permissions as being allowed, 1 if such queries are denied, or -1 on error. Also note that these interfaces are not thread-safe, so you have to protect them from concurrent calls using exclusive locks when multiple threads are performing.
selinux_status_open returns 0 or 1 on success. 1 means we are ready to use these interfaces, but netlink socket was opened as fallback instead of the kernel status page. On error, -1 shall be returned. Any other functions with a return value shall return its characteristic value as described above, or -1 on errors.
mmap(2) avc_netlink_open(3) security_getenforce(3) security_deny_unknown(3)