Doug / smarc-fsl-linux-kernel

21 Oct, 2010

2 commits

  • 36f7f2841   selinux: fix up style problem on /selinux/status ... Browse Code »

    This patch fixes up coding-style problem at this commit:

    4f27a7d49789b04404eca26ccde5f527231d01d5
    selinux: fast status update interface (/selinux/status)

    Signed-off-by: KaiGai Kohei
    Signed-off-by: James Morris

    KaiGai Kohei
     
  • 119041672   selinux: fast status update interface (/selinux/status) ... Browse Code »

    This patch provides a new /selinux/status entry which allows applications
    read-only mmap(2).
    This region reflects selinux_kernel_status structure in kernel space.
    struct selinux_kernel_status
    {
    u32 length; /* length of this structure */
    u32 sequence; /* sequence number of seqlock logic */
    u32 enforcing; /* current setting of enforcing mode */
    u32 policyload; /* times of policy reloaded */
    u32 deny_unknown; /* current setting of deny_unknown */
    };

    When userspace object manager caches access control decisions provided
    by SELinux, it needs to invalidate the cache on policy reload and setenforce
    to keep consistency.
    However, the applications need to check the kernel state for each accesses
    on userspace avc, or launch a background worker process.
    In heuristic, frequency of invalidation is much less than frequency of
    making access control decision, so it is annoying to invoke a system call
    to check we don't need to invalidate the userspace cache.
    If we can use a background worker thread, it allows to receive invalidation
    messages from the kernel. But it requires us an invasive coding toward the
    base application in some cases; E.g, when we provide a feature performing
    with SELinux as a plugin module, it is unwelcome manner to launch its own
    worker thread from the module.

    If we could map /selinux/status to process memory space, application can
    know updates of selinux status; policy reload or setenforce.

    A typical application checks selinux_kernel_status::sequence when it tries
    to reference userspace avc. If it was changed from the last time when it
    checked userspace avc, it means something was updated in the kernel space.
    Then, the application can reset userspace avc or update current enforcing
    mode, without any system call invocations.
    This sequence number is updated according to the seqlock logic, so we need
    to wait for a while if it is odd number.

    Signed-off-by: KaiGai Kohei
    Acked-by: Eric Paris
    --
    security/selinux/include/security.h | 21 ++++++
    security/selinux/selinuxfs.c | 56 +++++++++++++++
    security/selinux/ss/Makefile | 2 +-
    security/selinux/ss/services.c | 3 +
    security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++
    5 files changed, 210 insertions(+), 1 deletions(-)
    Signed-off-by: James Morris

    KaiGai Kohei