Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Stephen Smalley
On 12/15/2015 11:06 AM, Casey Schaufler wrote: On 12/15/2015 7:00 AM, Stephen Smalley wrote: On 12/14/2015 05:57 PM, Roberts, William C wrote: If I understand correctly, the goal here is to avoid the lookup from pid to context. If we somehow had the context or a token to a context during

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Stephen Smalley
On 12/15/2015 12:19 PM, Joe Nall wrote: On Dec 15, 2015, at 10:06 AM, Casey Schaufler wrote: ... I have long wondered why SELinux generates the context string of the secid more than once. Audit performance alone would justify keeping it around. The variable length

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Joe Nall
> On Dec 15, 2015, at 10:06 AM, Casey Schaufler wrote: > > ... > I have long wondered why SELinux generates the context string > of the secid more than once. Audit performance alone would > justify keeping it around. The variable length issue isn't > so difficult as you

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Casey Schaufler
On 12/15/2015 8:55 AM, Stephen Smalley wrote: > On 12/15/2015 11:06 AM, Casey Schaufler wrote: >> On 12/15/2015 7:00 AM, Stephen Smalley wrote: >>> On 12/14/2015 05:57 PM, Roberts, William C wrote: >> >> If I understand correctly, the goal here is to avoid the lookup from >> pid

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Joe Nall
> On Dec 15, 2015, at 12:03 PM, Stephen Smalley wrote: > > On 12/15/2015 12:19 PM, Joe Nall wrote: >> >>> On Dec 15, 2015, at 10:06 AM, Casey Schaufler >>> wrote: >>> >>> ... >>> I have long wondered why SELinux generates the context string >>> of

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Daniel Cashman
On 12/15/2015 07:00 AM, Stephen Smalley wrote: > On 12/14/2015 05:57 PM, Roberts, William C wrote: >> If I understand correctly, the goal here is to avoid the lookup from pid to context. If we somehow had the context or a token to a context during the ipc transaction to

Re: Exposing secid to secctx mapping to user-space

2015-12-15 Thread Stephen Smalley
On 12/14/2015 05:57 PM, Roberts, William C wrote: If I understand correctly, the goal here is to avoid the lookup from pid to context. If we somehow had the context or a token to a context during the ipc transaction to userspace, we could just use that in computing the access decision. If