From: Yeb Havinga <yebhavinga(at)gmail(dot)com>
To: Kohei Kaigai <Kohei(dot)Kaigai(at)EMEA(dot)NEC(dot)COM>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
Subject: Re: [v9.1] sepgsql - userspace access vector cache
Date: 2011-07-22 09:23:21
Message-ID: 4E294189.6070702@gmail.com
Lists: pgsql-hackers

On 2011-07-21 11:29, Kohei Kaigai wrote:
> The attached patch is the revised userspace-avc patch.
>
> List of updates:
> - The GUC sepgsql.avc_threshold was removed.
> - "char *ucontext" of avc_cache was replaced by "bool tcontext_is_valid".
> - Comments were added to the static variables.
> - The comments of sepgsql_avc_unlabeled() were revised.
> - The comments of sepgsql_avc_compute() were simplified.
> - The comments of sepgsql_avc_check_perms_label() also mention the
> permissive domain, which behaves similarly to the system's permissive mode.
> - selinux_status_close() is now invoked from the on_proc_exit() hook.

Thank you for the update. I'm looking at it right now and, with a fresh
look, have some more questions. I took the liberty of supplying a patch to
be applied after your v5 uavc patch.

1) At a few call sites of sepgsql_avc_lookup, a null tcontext is
detected and then replaced by "unlabeled". I moved this into
sepgsql_avc_lookup itself.

2) I also wondered whether it could work to not remember that tcontext is
valid, but instead remember the consequence, which is that it is replaced
by "unlabeled". It makes the avc_cache struct shorter and the code somewhat
simpler.

regards,
--
Yeb Havinga
http://www.mgrid.net/
Mastering Medical Data
| Attachment | Content-Type | Size |
|---|---|---|
| uavc-v5.1.patch | text/x-patch | 7.8 KB |
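As an added illustration of the two points in the message above (not code from the uavc patch or from PostgreSQL's contrib/sepgsql), the following standalone C program models a small userspace access vector cache in which the lookup itself maps a NULL target context to the unlabeled context, so callers never do that substitution and the cache entry needs no `tcontext_is_valid` flag. The function names (`avc_lookup`, `avc_check_perms`), the hash table layout, the unlabeled context string and the policy rules in `policy_compute_av` are all constructed for the demo; real sepgsql obtains the unlabeled context and the access decision from libselinux.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the context SELinux reports for unlabeled
 * objects; real sepgsql asks the policy for it (sepgsql_avc_unlabeled()). */
#define UNLABELED_CONTEXT "system_u:object_r:unlabeled_t:s0"
#define PERM_READ     0x1u
#define PERM_WRITE    0x2u
#define AVC_NUM_SLOTS 64

/* One cache entry. tcontext is always a usable label: a NULL target has
 * already been mapped to UNLABELED_CONTEXT by the lookup, so the entry
 * carries no tcontext_is_valid flag, only the consequence. */
typedef struct avc_cache
{
    char            *scontext;
    char            *tcontext;
    uint16_t         tclass;
    uint32_t         allowed;
    struct avc_cache *next;
} avc_cache;

static avc_cache *avc_slots[AVC_NUM_SLOTS];
static int        avc_computes;     /* how often the toy policy was consulted */

/* Constructed toy policy in place of libselinux's access vector computation:
 * unlabeled objects grant nothing, one user domain gets read+write,
 * every other domain gets read only. */
static uint32_t policy_compute_av(const char *scontext, const char *tcontext, uint16_t tclass)
{
    (void) tclass;
    avc_computes++;
    if (strcmp(tcontext, UNLABELED_CONTEXT) == 0)
        return 0;
    if (strcmp(scontext, "user_u:user_r:user_t:s0") == 0)
        return PERM_READ | PERM_WRITE;
    return PERM_READ;
}

/* FNV-1a over the three key components, with a separator between strings. */
static uint32_t avc_hash(const char *s, const char *t, uint16_t tclass)
{
    uint32_t    h = 2166136261u;
    const char *p;
    for (p = s; *p; p++) { h ^= (unsigned char) *p; h *= 16777619u; }
    h ^= 0xffu; h *= 16777619u;
    for (p = t; *p; p++) { h ^= (unsigned char) *p; h *= 16777619u; }
    h ^= tclass; h *= 16777619u;
    return h;
}

/* Lookup with the normalization done once, here, instead of at each caller:
 * a NULL target context becomes the unlabeled context before hashing. */
avc_cache *avc_lookup(const char *scontext, const char *tcontext, uint16_t tclass)
{
    avc_cache *cache;
    uint32_t   idx;

    if (tcontext == NULL)
        tcontext = UNLABELED_CONTEXT;

    idx = avc_hash(scontext, tcontext, tclass) % AVC_NUM_SLOTS;
    for (cache = avc_slots[idx]; cache != NULL; cache = cache->next)
    {
        if (cache->tclass == tclass &&
            strcmp(cache->scontext, scontext) == 0 &&
            strcmp(cache->tcontext, tcontext) == 0)
            return cache;               /* cache hit */
    }

    /* cache miss: consult the policy and insert at the head of the chain */
    cache = malloc(sizeof(avc_cache));
    if (cache == NULL) { perror("malloc"); exit(1); }
    cache->scontext = strdup(scontext);
    cache->tcontext = strdup(tcontext);
    cache->tclass   = tclass;
    cache->allowed  = policy_compute_av(scontext, tcontext, tclass);
    cache->next     = avc_slots[idx];
    avc_slots[idx]  = cache;
    return cache;
}

/* Returns 1 if every bit in 'required' is granted, else 0. */
int avc_check_perms(const char *scontext, const char *tcontext, uint16_t tclass, uint32_t required)
{
    avc_cache *cache = avc_lookup(scontext, tcontext, tclass);
    return (cache->allowed & required) == required;
}

int avc_compute_count(void) { return avc_computes; }

int main(void)
{
    const char *subj = "user_u:user_r:user_t:s0";
    printf("read on labeled table: %d\n", avc_check_perms(subj, "system_u:object_r:db_table_t:s0", 1, PERM_READ));
    printf("read on NULL target:   %d\n", avc_check_perms(subj, NULL, 1, PERM_READ));
    printf("policy consulted %d times\n", avc_compute_count());
    return 0;
}
```

The property worth checking is that a NULL target and an explicit unlabeled target resolve to the same cache entry, so the policy is consulted once for both and the denial on unlabeled objects is applied uniformly regardless of which call site produced the NULL.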