It is analogous to access, however the set of races is smaller. Only the privileged MAC admin user can change the policy, where with access a user may change a files permissions. If you are using this to test whether you can open a file, in hopes that open() won't deny it, then yes this is similar to access, in that permissions can change. If this is being used by a trusted helper to determine check permissions that it enforces then it is different in that it is the trusted helper who ends up enforcing permissions. So it will depend on how/what you are using the interface for. With a split between kernel policy and user space decisions there will always be some potential for races; that even exists in the kernel as opening a file does not guarantee the rights to continue to access the file, those rights can be revoked by a policy replacement and subsequent writes or reads could fail.
With that said, yes we recognize the need for an fd based query, and other improvements to help expand what can be done safely from userspace
It is analogous to access, however the set of races is smaller. Only the privileged MAC admin user can change the policy, where with access a user may change a files permissions. If you are using this to test whether you can open a file, in hopes that open() won't deny it, then yes this is similar to access, in that permissions can change. If this is being used by a trusted helper to determine check permissions that it enforces then it is different in that it is the trusted helper who ends up enforcing permissions. So it will depend on how/what you are using the interface for. With a split between kernel policy and user space decisions there will always be some potential for races; that even exists in the kernel as opening a file does not guarantee the rights to continue to access the file, those rights can be revoked by a policy replacement and subsequent writes or reads could fail.
With that said, yes we recognize the need for an fd based query, and other improvements to help expand what can be done safely from userspace