avc_add_callback(3) | SELinux API documentation
NAME
avc_add_callback - additional event notification for SELinux userspace object managers.

SYNOPSIS
#include <selinux/selinux.h>
security_id_t ssid,
uint32_t events, security_id_t ssid,
DESCRIPTION
avc_add_callback is used to register callback functions on security events. The purpose of this functionality is to allow userspace object managers to take additional action when a policy change, usually a policy reload, causes permissions to be granted or revoked.

SECURITY EVENTS
In all cases below, ssid and/or tsid may be set to SECSID_WILD, indicating that the change applies to all source and/or target SIDs. Unless otherwise indicated, the out_retained parameter is unused.
- AVC_CALLBACK_GRANT
- Previously denied permissions are now granted for ssid, tsid with respect to tclass. perms indicates the permissions to grant.
- AVC_CALLBACK_TRY_REVOKE
- Previously granted permissions are now conditionally revoked for ssid, tsid with respect to tclass. perms indicates the permissions to revoke. The callback should set out_retained to the subset of perms which are retained as migrated permissions. Note that out_retained is ignored if the callback returns -1.
- AVC_CALLBACK_REVOKE
- Previously granted permissions are now unconditionally revoked for ssid, tsid with respect to tclass. perms indicates the permissions to revoke.
- AVC_CALLBACK_RESET
- Indicates that the cache was flushed. The SID, class, and permission arguments are unused and are set to NULL.
- AVC_CALLBACK_AUDITALLOW_ENABLE
- The permissions given by perms should now be audited when granted for ssid, tsid with respect to tclass.
- AVC_CALLBACK_AUDITALLOW_DISABLE
- The permissions given by perms should no longer be audited when granted for ssid, tsid with respect to tclass.
- AVC_CALLBACK_AUDITDENY_ENABLE
- The permissions given by perms should now be audited when denied for ssid, tsid with respect to tclass.
- AVC_CALLBACK_AUDITDENY_DISABLE
- The permissions given by perms should no longer be audited when denied for ssid, tsid with respect to tclass.
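A callback of the kind the events above describe, written here as an added example (not code from libselinux or this man page): it answers AVC_CALLBACK_TRY_REVOKE by retaining only the permissions an open object still uses, AVC_CALLBACK_REVOKE by dropping them, and AVC_CALLBACK_RESET by counting cache flushes, and it takes a mutex because of the threaded-mode caveat in NOTES. The types, event constants and the single-object state are local stand-ins (assumptions) so that it builds without libselinux.

```c
#include <stddef.h>
#include <stdint.h>
#include <pthread.h>

/* Stand-ins for the libselinux types and event bits (assumption: a real object
 * manager takes these from <selinux/selinux.h>; defined locally so this builds). */
struct security_id { int unused; };
typedef struct security_id *security_id_t;
typedef uint16_t security_class_t;
typedef uint32_t access_vector_t;
#define SECSID_WILD ((security_id_t)NULL)
#define AVC_CALLBACK_TRY_REVOKE 2
#define AVC_CALLBACK_REVOKE     4
#define AVC_CALLBACK_RESET      8

/* Hypothetical object-manager state: one open object and the permissions it still
 * holds. Mutex-guarded: in threaded mode the AVC may call back from its netlink thread. */
static struct { security_id_t ssid, tsid; security_class_t tclass; access_vector_t held; } obj;
static pthread_mutex_t obj_lock = PTHREAD_MUTEX_INITIALIZER;
static int cache_resets;

static int sid_matches(security_id_t want, security_id_t have)
{ return want == SECSID_WILD || want == have; }   /* SECSID_WILD matches any SID */

/* Callback with the parameter list avc_add_callback(3) hands to it. */
int om_callback(uint32_t event, security_id_t ssid, security_id_t tsid,
                security_class_t tclass, access_vector_t perms,
                access_vector_t *out_retained)
{
    if (out_retained) *out_retained = 0;    /* retain nothing unless matched below */
    pthread_mutex_lock(&obj_lock);
    if (event == AVC_CALLBACK_RESET) {
        cache_resets++;                     /* SID/class/perms are NULL for RESET */
    } else if (sid_matches(ssid, obj.ssid) && sid_matches(tsid, obj.tsid)
               && tclass == obj.tclass) {
        if (event == AVC_CALLBACK_TRY_REVOKE && out_retained)
            *out_retained = perms & obj.held;   /* keep only what is still in use */
        else if (event == AVC_CALLBACK_REVOKE)
            obj.held &= ~perms;                 /* unconditional: drop them */
    }
    pthread_mutex_unlock(&obj_lock);
    return 0;                   /* returning -1 makes the AVC ignore out_retained */
}

/* Helpers standing in for the object manager's open and lookup paths. */
void om_open(security_id_t s, security_id_t t, security_class_t c, access_vector_t held)
{ obj.ssid = s; obj.tsid = t; obj.tclass = c; obj.held = held; }  /* setup, before callbacks run */
access_vector_t om_held(void) { return obj.held; }
int om_resets(void) { return cache_resets; }
```

In a real object manager the same function would be passed to avc_add_callback together with the events it handles.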
RETURN VALUE
On success, avc_add_callback returns zero. On error, -1 is returned and errno is set appropriately.

ERRORS
- ENOMEM
- An attempt to allocate memory failed.
NOTES
If the userspace AVC is running in threaded mode, callbacks registered via avc_add_callback may be executed in the context of the netlink handler thread. This will likely introduce synchronization issues requiring the use of locks. See avc_init(3).

AUTHOR
Eamon Walsh <ewalsh@tycho.nsa.gov>

SEE ALSO
avc_init(3), avc_has_perm(3), avc_context_to_sid(3), avc_cache_stats(3), security_compute_av(3), selinux(8)

9 June 2004