suzanne.soy/man-pages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4c89183f2b
man-pages/man3/avc_add_callback.3.html
Suzanne Soy 4c89183f2b Added man pages from my system
2021-03-31 01:06:50 +01:00

323 lines
7.1 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of avc_add_callback</TITLE>
</HEAD><BODY>
<H1>avc_add_callback</H1>
Section: SELinux API documentation (3)<BR>Updated: 9 June 2004<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
avc_add_callback - additional event notification for SELinux userspace object managers
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>
<B>#include &lt;<A HREF="file:///usr/include/selinux/selinux.h">selinux/selinux.h</A>&gt;</B>
<BR>
<B>#include &lt;<A HREF="file:///usr/include/selinux/avc.h">selinux/avc.h</A>&gt;</B>
<P>
<B>int avc_add_callback(int (*</B><I>callback</I><B>)(uint32_t </B><I>event</I><B>,</B>
<B>security_id_t </B><I>ssid</I><B>,</B>
<BR>
<B>security_id_t </B><I>tsid</I><B>,</B>
<BR>
<B>security_class_t </B><I>tclass</I><B>,</B>
<BR>
<B>access_vector_t </B><I>perms</I><B>,</B>
<BR>
<B>access_vector_t *</B><I>out_retained</I><B>),</B>
<B>uint32_t </B><I>events</I><B>, security_id_t </B><I>ssid</I><B>,</B>
<BR>
<B>security_id_t </B><I>tsid</I><B>, security_class_t </B><I>tclass</I><B>,</B>
<BR>
<B>access_vector_t </B><I>perms</I><B>);</B>
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>
<B>avc_add_callback</B>()
is used to register callback functions on security events. The purpose of this functionality is to allow userspace object managers to take additional action when a policy change, usually a policy reload, causes permissions to be granted or revoked.
<P>
<I>events</I>
is the
bitwise-<I>or</I>
of security events on which to register the callback; see
<B>SECURITY EVENTS</B>
below.
<P>
<I>ssid</I>,
<I>tsid</I>,
<I>tclass</I>,
and
<I>perms</I>
specify the source and target SID's, target class, and specific permissions that the callback wishes to monitor. The special symbol
<B>SECSID_WILD</B>
may be passed as the
<I>source</I>
or
<I>target</I>
and will cause any SID to match.
<P>
<I>callback</I>
is the callback function provided by the userspace object manager. The
<I>event</I>
argument indicates the security event which occurred; the remaining arguments
are interpreted according to the event as described below. The return value
of the callback should be zero on success, -1 on error with
<I>errno</I>
set appropriately (but see
<B>RETURN VALUE</B>
below).
<A NAME="lbAE">&nbsp;</A>
<H2>SECURITY EVENTS</H2>
In all cases below,
<I>ssid</I>
and/or
<I>tsid</I>
may be set to
<B>SECSID_WILD</B>,
indicating that the change applies to all source and/or target SID's. Unless otherwise indicated, the
<I>out_retained</I>
parameter is unused.
<DL COMPACT>
<DT id="1"><B>AVC_CALLBACK_GRANT</B>
<DD>
Previously denied permissions are now granted for
<I>ssid</I>,
<I>tsid</I>
with respect to
<I>tclass</I>.
<I>perms</I>
indicates the permissions to grant.
<DT id="2"><B>AVC_CALLBACK_TRY_REVOKE</B>
<DD>
Previously granted permissions are now conditionally revoked for
<I>ssid</I>,
<I>tsid</I>
with respect to
<I>tclass</I>.
<I>perms</I>
indicates the permissions to revoke. The callback should set
<I>out_retained</I>
to the subset of
<I>perms</I>
which are retained as migrated permissions. Note that
<I>out_retained</I>
is ignored if the callback returns -1.
<DT id="3"><B>AVC_CALLBACK_REVOKE</B>
<DD>
Previously granted permissions are now unconditionally revoked for
<I>ssid</I>,
<I>tsid</I>
with respect to
<I>tclass</I>.
<I>perms</I>
indicates the permissions to revoke.
<DT id="4"><B>AVC_CALLBACK_RESET</B>
<DD>
Indicates that the cache was flushed. The SID, class, and permission arguments are unused and are set to NULL.
<DT id="5"><B>AVC_CALLBACK_AUDITALLOW_ENABLE</B>
<DD>
The permissions given by
<I>perms</I>
should now be audited when granted for
<I>ssid</I>,
<I>tsid</I>
with respect to
<I>tclass</I>.
<DT id="6"><B>AVC_CALLBACK_AUDITALLOW_DISABLE</B>
<DD>
The permissions given by
<I>perms</I>
should no longer be audited when granted for
<I>ssid</I>,
<I>tsid</I>
with respect to
<I>tclass</I>.
<DT id="7"><B>AVC_CALLBACK_AUDITDENY_ENABLE</B>
<DD>
The permissions given by
<I>perms</I>
should now be audited when denied for
<I>ssid</I>,
<I>tsid</I>
with respect to
<I>tclass</I>.
<DT id="8"><B>AVC_CALLBACK_AUDITDENY_DISABLE</B>
<DD>
The permissions given by
<I>perms</I>
should no longer be audited when denied for
<I>ssid</I>,
<I>tsid</I>
with respect to
<I>tclass</I>.
</DL>
<A NAME="lbAF">&nbsp;</A>
<H2>RETURN VALUE</H2>
On success,
<B>avc_add_callback</B>()
returns zero. On error, -1 is returned and
<I>errno</I>
is set appropriately.
<P>
A return value of -1 from a callback is interpreted as a failed policy operation. If such a return value is encountered, all remaining callbacks registered on the event are called. In threaded mode, the netlink handler thread may then terminate and cause the userspace AVC to return
<B>EINVAL</B>
on all further permission checks until
<B><A HREF="/cgi-bin/man/man2html?3+avc_destroy">avc_destroy</A></B>(3)
is called. In non-threaded mode, the permission check on which the error occurred will return -1 and the value of
<I>errno</I>
encountered to the caller. In both cases, a log message is produced and the kernel may be notified of the error.
<A NAME="lbAG">&nbsp;</A>
<H2>ERRORS</H2>
<DL COMPACT>
<DT id="9"><B>ENOMEM</B>
<DD>
An attempt to allocate memory failed.
</DL>
<A NAME="lbAH">&nbsp;</A>
<H2>NOTES</H2>
If the userspace AVC is running in threaded mode, callbacks registered via
<B>avc_add_callback</B>()
may be executed in the context of the netlink handler thread. This will likely introduce synchronization issues requiring the use of locks. See
<B><A HREF="/cgi-bin/man/man2html?3+avc_init">avc_init</A></B>(3).
<P>
Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. The only security event that currently gets exercised is
<B>AVC_CALLBACK_RESET</B>.
<A NAME="lbAI">&nbsp;</A>
<H2>AUTHOR</H2>
Eamon Walsh &lt;<A HREF="mailto:ewalsh@tycho.nsa.gov">ewalsh@tycho.nsa.gov</A>&gt;
<A NAME="lbAJ">&nbsp;</A>
<H2>SEE ALSO</H2>
<B><A HREF="/cgi-bin/man/man2html?3+avc_init">avc_init</A></B>(3),
<B><A HREF="/cgi-bin/man/man2html?3+avc_has_perm">avc_has_perm</A></B>(3),
<B><A HREF="/cgi-bin/man/man2html?3+avc_context_to_sid">avc_context_to_sid</A></B>(3),
<B><A HREF="/cgi-bin/man/man2html?3+avc_cache_stats">avc_cache_stats</A></B>(3),
<B><A HREF="/cgi-bin/man/man2html?3+security_compute_av">security_compute_av</A></B>(3)
<B><A HREF="/cgi-bin/man/man2html?8+selinux">selinux</A></B>(8)
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="10"><A HREF="#lbAB">NAME</A><DD>
<DT id="11"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="12"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT id="13"><A HREF="#lbAE">SECURITY EVENTS</A><DD>
<DT id="14"><A HREF="#lbAF">RETURN VALUE</A><DD>
<DT id="15"><A HREF="#lbAG">ERRORS</A><DD>
<DT id="16"><A HREF="#lbAH">NOTES</A><DD>
<DT id="17"><A HREF="#lbAI">AUTHOR</A><DD>
<DT id="18"><A HREF="#lbAJ">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:05:36 GMT, March 31, 2021
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink