On Wed, Apr 13, 2016 at 3:31 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > Looking at the sel_netport_sid_slow() code, I don't see why we need to > fail hard if the kzalloc() of the new node fails; we just won't be able > to cache the result but can still obtain and return the SID. Paul, do > you see any reason we can't just move up the call to security_port_sid() > and only fail if that fails? In the common case, that won't require > memory allocation at all (only needs it if it hasn't previously mapped > the resulting context to a SID). In the same manner, we do not fail > just because we cannot add an entry to the AVC. The same should apply > to netnode and netif caches. Sounds reasonable to me, I'll post a RFC patch in just a minute ... it will be RFC because it will be completely untested, once I've had a chance to test it I'll merge it. > That said, it seems hard to envision that kzalloc() failing and being > able to complete the bind() operation at all, but maybe it is a > transient failure. Agreed, although it might be that the rest of the allocations in the network stack are done with something other than GFP_ATOMIC, not sure off the top of my head. -- paul moore www.paul-moore.com _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
