Thread: 16 messages, 9 authors, 2006-04-06

Re: [PATCH] scm: fold __scm_send() into scm_send()

From: Xiaolan Zhang <hidden>
Date: 2006-04-06 17:53:30
Also in: lkml

Hi, Stephen and James,

Looks like the selinux_sk_ctxid() call implemented in James' patch also 
requires the sk_callback_lock (see below).  I am planning to introduce a 
new exported function selinux_sock_ctxid() which does not require any 
locking.  Comments?

thanks,
Catherine

Stephen Smalley [off-list ref] wrote on 03/21/2006 08:42:08 AM:
> On Tue, 2006-03-21 at 08:32 -0500, Stephen Smalley wrote:
> > > I don't expect security_sk_sid() to be terribly expensive.  It's not
> > > an AVC check, it's just propagating a label.  But I've not done any
> > > benchmarking on that.
> > No permission check there, but it looks like it does read lock
> > sk_callback_lock.  Not sure if that is truly justified here.
> Ah, that is because it is also called from the xfrm code, introduced by
> Trent's patches.  But that locking shouldn't be necessary from scm_send,
> right?  So she likely wants a separate hook for it to avoid that
> overhead, or even just a direct SELinux interface?
>
> --
> Stephen Smalley
> National Security Agency