
[2/2] sestatus: show checkreqprot status

Message ID 20170412220038.9792-3-cgzones@googlemail.com (mailing list archive)
State Not Applicable

Commit Message

Christian Göttsche April 12, 2017, 10 p.m. UTC
From: cgzones <cgzones@googlemail.com>

Show the current active checkreqprot state in sestatus
---
 policycoreutils/sestatus/sestatus.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Comments

Stephen Smalley April 13, 2017, 5:35 p.m. UTC | #1
On Thu, 2017-04-13 at 00:00 +0200, Christian Göttsche wrote:
> From: cgzones <cgzones@googlemail.com>
> 
> Show the current active checkreqprot state in sestatus
> ---
>  policycoreutils/sestatus/sestatus.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/policycoreutils/sestatus/sestatus.c
> b/policycoreutils/sestatus/sestatus.c
> index 2111b15d..f9ed5b66 100644
> --- a/policycoreutils/sestatus/sestatus.c
> +++ b/policycoreutils/sestatus/sestatus.c
> @@ -330,6 +330,20 @@ int main(int argc, char **argv)
>  			break;
>  	}
>  
> +	printf_tab("Policy checkreqprot status:");

checkreqprot isn't defined by the policy (like Current mode/enforcing),
so it isn't really the "Policy checkreqprot status", unlike MLS or
deny_unknown.  It is more like Current mode (i.e. enforcing).

> +	rc = security_checkreqprot();
> +	switch (rc) {
> +		case 0:
> +			printf("kernel\n");
> +			break;
> +		case 1:
> +			printf("application\n");
> +			break;
> +		default:
> +			printf("error (%s)\n", strerror(errno));
> +			break;
> +	}
> +

Trying to think how understandable and meaningful this would be to a
user.  Possible alternatives:
Check requested protection: false/true
Memory protection checking: actual/requested

Or if we want to convey a value judgment on preferred settings:
Memory protection checking: secure/insecure

Open to discussion on it, just not sure that
checkreqprot status: kernel/application
will make sense to users.

>  	rc = security_policyvers();
>  	printf_tab("Max kernel policy version:");
>  	if (rc < 0)
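
Review bot: the new "Policy checkreqprot status:" line at the top of the added block changes the output of sestatus with no accompanying documentation; the diffstat lists only sestatus.c. Describe the field and what its two values mean (0 is printed as "kernel", 1 as "application") in the tool's documentation as part of the same patch, since the strings alone do not explain what is being checked.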

Patch

diff --git a/policycoreutils/sestatus/sestatus.c b/policycoreutils/sestatus/sestatus.c
index 2111b15d..f9ed5b66 100644
--- a/policycoreutils/sestatus/sestatus.c
+++ b/policycoreutils/sestatus/sestatus.c
@@ -330,6 +330,20 @@  int main(int argc, char **argv)
 			break;
 	}
 
+	printf_tab("Policy checkreqprot status:");
+	rc = security_checkreqprot();
+	switch (rc) {
+		case 0:
+			printf("kernel\n");
+			break;
+		case 1:
+			printf("application\n");
+			break;
+		default:
+			printf("error (%s)\n", strerror(errno));
+			break;
+	}
+
 	rc = security_policyvers();
 	printf_tab("Max kernel policy version:");
 	if (rc < 0)
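
Review bot: the `default:` branch of the added switch treats every return value other than 0 and 1 as a failure and prints `strerror(errno)`, but errno is only meaningful when the call actually failed. Test for failure explicitly, as the unchanged `if (rc < 0)` after `security_policyvers()` does, and handle an unexpected positive value separately so that a stale errno string is not reported. The label is also printed before the call here, while the context lines below call first and print the label second; following that order would keep the two blocks consistent.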