Re: [PATCH] selinux: add selinux_is_enforced() function

From: Stephen Smalley
Date: Wed Apr 12 2017 - 12:29:42 EST


On Wed, 2017-04-12 at 17:19 +0200, Sebastien Buisson wrote:
> 2017-04-12 15:58 GMT+02:00 Stephen Smalley <sds@xxxxxxxxxxxxx>:
> > Even your usage of selinux_is_enabled() looks suspect; that should
> > probably go away.ÂÂOnly other user of it seems to be some cred
> > validity
> > checking that could be dropped as well.
>
> Well the main reason for calling selinux_is_enabled() is performance
> optimization.
> Should I propose a patch to add a new security_is_enabled() function
> at the LSM abstraction layer? Or do you consider we should not test
> security enabled at all?

It isn't clear what "is enabled" means in general, particularly with
stacking. I would either drop it or replace it with a LSM hook that is
more precise. For example, NFSv4 introduced a security_ismaclabel()
hook so that it could test whether a given security.* xattr is a MAC
label.