On Tue, 2006-03-21 at 08:32 -0500, Stephen Smalley wrote:
> > I don't expect security_sk_sid() to be terribly expensive. It's not
> > an AVC check, it's just propagating a label. But I've not done any
> > benchmarking on that.
>
> No permission check there, but it looks like it does read lock
> sk_callback_lock. Not sure if that is truly justified here.
Ah, that is because it is also called from the xfrm code, introduced by
Trent's patches. But that locking shouldn't be necessary from scm_send,
right? So she likely wants a separate hook for it to avoid that
overhead, or even just a direct SELinux interface?
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
