Subject: Re: [PATCH] selinux: add selinux_status_get_seq() function
From: Stephen Smalley
To: Sebastien Buisson, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov
Cc: serge@hallyn.com, james.l.morris@oracle.com, eparis@parisplace.org, paul@paul-moore.com, Sebastien Buisson
Date: Wed, 12 Apr 2017 08:31:47 -0400
Organization: National Security Agency

On Wed, 2017-04-12 at 18:12 +0900, Sebastien Buisson wrote:
> Add selinux_status_get_seq() function to give access to sequence
> number of current SELinux policy loaded to the rest of the kernel.
>
> Signed-off-by: Sebastien Buisson
> --- >  include/linux/selinux.h      |  7 +++++++ >  security/selinux/ss/status.c | 21 +++++++++++++++++++++ >  2 files changed, 28 insertions(+) > > diff --git a/include/linux/selinux.h b/include/linux/selinux.h > index 44f4596..926f9f0 100644 > --- a/include/linux/selinux.h > +++ b/include/linux/selinux.h > @@ -24,12 +24,19 @@ >   * selinux_is_enabled - is SELinux enabled? >   */ >  bool selinux_is_enabled(void); > +u32 selinux_status_get_seq(void); >  #else >   >  static inline bool selinux_is_enabled(void) >  { >   return false; >  } > + > +static inline u32 selinux_status_get_seq(void) > +{ > + return 0; > +} > + >  #endif /* CONFIG_SECURITY_SELINUX */ >   >  #endif /* _LINUX_SELINUX_H */ > diff --git a/security/selinux/ss/status.c > b/security/selinux/ss/status.c > index d982365..a0670d3 100644 > --- a/security/selinux/ss/status.c > +++ b/security/selinux/ss/status.c
> @@ -124,3 +124,24 @@ void selinux_status_update_policyload(int seqno) >   } >   mutex_unlock(&selinux_status_lock); >  } > + > +/* > + * selinux_status_get_seq > + * > + * It gets current sequence of policy loaded. > + */ > +u32 selinux_status_get_seq(void) > +{ > + struct selinux_kernel_status   *status; > + u32 seq = 0; > + > + mutex_lock(&selinux_status_lock); > + if (selinux_status_page) { > + status = page_address(selinux_status_page); > + seq = status->sequence; > + } > + mutex_unlock(&selinux_status_lock); > + > + return seq; > +} > +EXPORT_SYMBOL_GPL(selinux_status_get_seq);

status->sequence is a sequence number for the seqlock logic, not the policy sequence number. You likely want avc_policy_seqno() instead, although I can't tell without seeing the user of this function.

Regardless, as with the other patch, there needs to be an in-tree user and a LSM hook interface to use this outside of the SELinux code itself.
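
Review bot: in the include/linux/selinux.h hunk, the new declaration u32 selinux_status_get_seq(void); sits directly under the existing "selinux_is_enabled - is SELinux enabled?" comment with no description of its own, and the !CONFIG_SECURITY_SELINUX stub returns 0 without saying what 0 means. Please add a comment block for the new function that states what the returned number counts and that 0 is what callers get when SELinux is compiled out, so they know how to treat that value.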
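
Review bot: in the security/selinux/ss/status.c hunk, the comment promises the "current sequence of policy loaded" but the body returns status->sequence, while the function just above it in the same file, selinux_status_update_policyload(int seqno), receives the policy sequence number as a separate int argument; please confirm which field actually holds the policy sequence and return that, with a matching type. The function also takes selinux_status_lock with mutex_lock(), so it may sleep, and it returns 0 both when selinux_status_page is NULL and when the stored value is 0. The comment should state the process-context requirement and the meaning of 0, or the function should return an error code and hand the value back through a pointer argument.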