RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2024-12-13 17:44:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
a07493d1a1
selinux/libselinux/man/man3/avc_netlink_loop.3
KaiGai Kohei 318748d659 The attached patch enables userspace object managers to handle notification 
messages via netlink socket from SELinux.

* Two new callbacks were added to selinux_set_callback(3)
  - SELINUX_CB_SETENFORCE
     is invoked when it got SELNL_MSG_SETENFORCE message in the
     avc_netlink_process().
  - SELINUX_CB_POLICYLOAD
     is invoked when it got SELNL_MSG_POLICYLOAD message in the
     avc_netlink_process().

* Three functions were exposed to applications.
  - int avc_netlink_open(int blocking);
  - void avc_netlink_loop(void);
  - void avc_netlink_close(void);

Due to a few reasons, SE-PostgreSQL implements its own userspace
avc, so it needs to copy and paste some of avc_internal.c.
This update enables to share common part from such kind of application.

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
2009-04-07 22:08:48 -04:00

89 lines
2.8 KiB
Groff
Raw Blame History

.\" Hey Emacs! This file is -*- nroff -*- source.
.\"
.\" Author: KaiGai Kohei (kaigai@ak.jp.nec.com) 2009
.TH "avc_netlink_loop" "3" "30 Mar 2009" "" "SELinux API documentation"
.SH "NAME"
avc_netlink_open, avc_netlink_close, avc_netlink_acquire_fd,
avc_netlink_release_fd, avc_netlink_check_nb, avc_netlink_loop \- SELinux
netlink processing.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.B #include <selinux/avc.h>
.sp
.BI "int avc_netlink_open(int " blocking ");"
.sp
.BI "void avc_netlink_close(void);"
.sp
.BI "int avc_netlink_acquire_fd(void);"
.sp
.BI "void avc_netlink_release_fd(void);"
.sp
.BI "void avc_netlink_loop(void);"
.sp
.BI "int avc_netlink_check_nb(void);"
.sp
.SH "DESCRIPTION"
These functions enable applications to handle notification of SELinux events
via netlink. The userspace AVC normally checks for netlink messages on each
call to
.BR avc_has_perm (3).
Applications may wish to override this behavior and check for notification
separately, for example in a
.BR select (2)
loop. These functions also permit netlink monitoring without requiring a
call to
.BR avc_open (3).
.B avc_netlink_open
opens a netlink socket to receive SELinux notifications. The socket
descriptor is stored internally; use
.BR avc_netlink_acquire_fd (3)
to take ownership of it in application code. The
.I blocking
argument specifies whether read operations on the socket will block.
.BR avc_open (3)
calls this function internally, specifying non-blocking behavior (unless
threading callbacks were explicitly set using the deprecated
.BR avc_init (3)
interface, in which case blocking behavior is set).
.B avc_netlink_close
closes the netlink socket. This function is called automatically by
.BR avc_destroy (3).
.B avc_netlink_acquire_fd
returns the netlink socket descriptor number and informs the userspace AVC
not to check the socket descriptor automatically on calls to
.BR avc_has_perm (3).
.B avc_netlink_release_fd
returns control of the netlink socket to the userspace AVC, re-enabling
automatic processing of notifications.
.B avc_netlink_check_nb
checks the netlink socket for pending messages and processes them.
Callbacks for policyload and enforcing changes will be called;
see
.BR selinux_set_callback (3).
This function does not block unless
.BR avc_netlink_open (3)
specified blocking behavior.
.B avc_netlink_loop
enters a loop blocking on the netlink socket and processing messages as they
are received. This function will not return unless an error occurs on
the socket, in which case the socket is closed.
.SH "RETURN VALUE"
.B avc_netlink_acquire_fd
returns a non-negative file descriptor number on success. Other functions
with a return value return zero on success. On error, -1 is returned and
.I errno
is set appropriately.
.SH "SEE ALSO"
.BR avc_open (3),
.BR selinux_set_callback (3),
.BR selinux (8)
Reference in New Issue View Git Blame Copy Permalink