On Tue, Sep 8, 2020 at 2:37 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> On Mon, Sep 7, 2020 at 5:39 PM Lakshmi Ramasubramanian
> <nramas@xxxxxxxxxxxxxxxxxxx> wrote:
<snip>
> > diff --git a/security/selinux/measure.c b/security/selinux/measure.c
> > new file mode 100644
> > index 000000000000..caf9107937d9
> > --- /dev/null
> > +++ b/security/selinux/measure.c
> <snip>
> > +static int read_selinux_state(char **state_str, int *state_str_len,
> > + struct selinux_state *state)
> > +{
> > + char *buf, *str_fmt = "%s=%d;";
> > + int i, buf_len, curr;
> <snip>
> > + for (i = 0; i < __POLICYDB_CAPABILITY_MAX; i++) {
> > + buf_len += snprintf(NULL, 0, str_fmt,
> > + selinux_policycap_names[i],
> > + state->policycap[i]);
> > + }
>
> This will need to be converted to use
> security_policycap_supported(state, i) rather than state->policycap[i]
> since the latter is going to be removed by Ondrej's patches I think.

Based on my testing so far, even with just moving the array under
struct selinux_policy, the RCU accessing still brings a significant
overhead (relative to the whole syscalls it is probably negligible, but
relative to the rest of the simpler hooks it is about 30%), so I don't
think it is necessary to adapt other patches to it yet. It will be my
responsibility to adapt to the newly added code when/if I rebase and
respin my patch.

>
> > + for (i = 0; i < __POLICYDB_CAPABILITY_MAX; i++) {
> > + curr += snprintf((buf + curr), (buf_len - curr), str_fmt,
> > + selinux_policycap_names[i],
> > + state->policycap[i]);
>
> Ditto.
>

-- 
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
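Review bot: in the second loop, `curr += snprintf((buf + curr), (buf_len - curr), str_fmt, ...)` accumulates the value snprintf would have written rather than what it actually wrote, so if `curr` ever reaches `buf_len` the next `(buf_len - curr)` goes negative and is converted to a huge size_t for the size argument; use `scnprintf()` here (or check `curr < buf_len` before each call) so the remaining-space argument stays well-defined even if the two passes disagree. Relatedly, the sizing loop's `snprintf(NULL, 0, ...)` counts bytes excluding the NUL terminator, so the allocation of `buf` (not shown in this excerpt) must add one byte for it, and both loops read `state->policycap[i]` independently, so whatever accessor replaces it (Stephen's `security_policycap_supported(state, i)`) should be applied to both passes the same way so they size and format the same values.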