On Sat, 2019-04-27 at 12:57 +0200, Pablo Neira Ayuso wrote:
> But they all point to the same nested_policy, ie. these nested
> attributes represent instances of the same object class.

To some extent, yes.

> I think this is meaningful to userspace in terms of providing a
> description of the interface, rather than making it look.

Sure.

> Without the ID, it is not possible from userspace to see that MY_ATTR
> and MY_OTHER_ATTR refer to the same object, right?

There is an ID, and if you reference the same sub-policy multiple times
for nested / nested array attribute types (even at different levels of
nesting btw) then this sub-policy will only be dumped to userspace
multiple times, given an ID, and be referenced by that ID from the
appropriate attribute types in other root/sub-policies.

The only thing is that between kernel versions that ID may change as
it's computed while walking the policy graph, and that graph may change
and thus the walk may reach nodes in the graph in a different order and
thereby label them differently.

johannes