> -----Original Message-----
> From: Yeb Havinga [mailto:yebhavi...@gmail.com]
> Sent: 22. Juli 2011 10:23
> To: Kohei Kaigai
> Cc: Robert Haas; PgHacker; Kohei KaiGai
> Subject: Re: [HACKERS] [v9.1] sepgsql - userspace access vector cache
>
> On 2011-07-21 11:29, Kohei Kaigai wrote:
> > The attached patch is the revised userspace-avc patch.
> >
> > List of updates:
> > - The GUC sepgsql.avc_threshold was removed.
> > - "char *ucontext" of avc_cache was replaced by "bool tcontext_is_valid".
> > - Comments added onto static variables.
> > - Comments of sepgsql_avc_unlabeled() were revised.
> > - Comments of sepgsql_avc_compute() were simplified.
> > - Comments of sepgsql_avc_check_perms_label() also mention the
> >   permissive domain, which performs similarly to the system's permissive mode.
> > - selinux_status_close() is now invoked from the on_proc_exit() hook.
>
> Thank you for the update, I'm looking at it right now and with a new look
> have some more questions.
> I took the liberty to supply a patch to be applied after your v5 uavc patch.
>
> 1) At a few call sites of sepgsql_avc_lookup, a null tcontext is detected
> and then replaced by "unlabeled". I moved this to sepgsql_avc_lookup itself.

Good improvement.
> 2) Also I thought it could work to not remember that tcontext is valid, but
> instead remember the consequence, which is that it is replaced by
> "unlabeled". It makes the avc_cache struct shorter and the code somewhat
> simpler.

Here is the reason why we hold tcontext even if it is not valid. The hash key
of avc_cache is the combination of scontext, tcontext and tclass. Thus, if we
replaced an invalid tcontext by the unlabeled context, it would always cause a
cache miss and a performance loss.

Thanks,
--
NEC Europe Ltd, SAP Global Competence Center
KaiGai Kohei <kohei.kai...@emea.nec.com>
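As an added illustration of the hash-key argument above (constructed example code, not from the sepgsql patch or PostgreSQL): a toy userspace AVC that, like the v5 patch, keys entries on the raw (scontext, tcontext, tclass) triple and records tcontext_is_valid, with a switch that instead stores "unlabeled" in the key as proposed, so the miss count shows the difference. The label strings, the validity check and the toy permission bits are assumptions standing in for the libselinux calls.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define AVC_SLOTS 16
#define UNLABELED "system_u:object_r:unlabeled_t:s0"   /* stands in for sepgsql_avc_unlabeled() */
typedef struct {
    char     scontext[64], tcontext[64];   /* both are part of the cache key */
    int      tclass;
    bool     tcontext_is_valid;            /* v5 patch: remembered rather than rewriting the key */
    unsigned allowed;                      /* permission bits computed on the miss path */
} avc_cache;
static avc_cache slots[AVC_SLOTS];
static int  nslots, compute_calls;         /* compute_calls: one increment per cache miss */
static bool replace_key_with_unlabeled;    /* the alternative proposed in the thread */

/* Stand-in for security_check_context_raw(): valid iff four colon-separated fields. */
static bool context_is_valid(const char *ctx) {
    int colons = 0;
    for (; *ctx; ctx++) colons += (*ctx == ':');
    return colons == 3;
}

/* Stand-in for the policy query done on a miss; the bits are a constructed toy policy. */
static unsigned avc_compute(const char *tcontext) {
    compute_calls++;
    return strcmp(tcontext, UNLABELED) == 0 ? 0x1u : 0x7u;
}

/* Mirrors sepgsql_avc_lookup(): search compares the raw tcontext; validity is checked only on a miss. */
static const avc_cache *avc_lookup(const char *scontext, const char *tcontext, int tclass) {
    for (int i = 0; i < nslots && i < AVC_SLOTS; i++)
        if (slots[i].tclass == tclass && strcmp(slots[i].scontext, scontext) == 0
            && strcmp(slots[i].tcontext, tcontext) == 0)
            return &slots[i];                                   /* cache hit */
    avc_cache *c = &slots[nslots++ % AVC_SLOTS];               /* miss: overwrite round-robin */
    bool valid = context_is_valid(tcontext);
    const char *effective = valid ? tcontext : UNLABELED;       /* what the policy is asked about */
    snprintf(c->scontext, sizeof c->scontext, "%s", scontext);
    snprintf(c->tcontext, sizeof c->tcontext, "%s", replace_key_with_unlabeled ? effective : tcontext);
    c->tclass = tclass; c->tcontext_is_valid = valid;
    c->allowed = avc_compute(effective);
    return c;
}

/* Repeats one lookup n times against an empty cache and returns how many missed. */
int misses_for_repeated_lookups(const char *tcontext, int n, bool replace_key) {
    nslots = 0; compute_calls = 0; replace_key_with_unlabeled = replace_key;
    for (int i = 0; i < n; i++) avc_lookup("unconfined_u:unconfined_r:sepgsql_client_t:s0", tcontext, 1);
    return compute_calls;
}
```

With the raw label kept in the key, an invalid tcontext misses once and then hits; with "unlabeled" written into the key instead, every lookup with that label misses and re-runs the policy query.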