On Mon, 2017-10-09 at 14:10 +1100, James Morris wrote:
> On Mon, 2 Oct 2017, Stephen Smalley wrote:
>
> > Move the access vector cache (AVC) into the selinux namespace
> > structure and pass it explicitly to all AVC functions. The
> > AVC private state is encapsulated in a selinux_avc structure
> > that is allocated and freed by the AVC during selinux namespace
> > creation and destruction.
> >
> > This is necessary to support multiple selinux namespaces since
> > the AVC caches state (e.g. SIDs, policy sequence number) that
> > is maintained and provided by the security server on a per-namespace
> > basis.
>
> What about per-namespace AVC stats?
>
> At the moment, it seems that the stats for all AVCs are combined in the
> existing percpu stats, which could be confusing for someone trying to tune
> the host or a guest, as the hash stats & config are per-namespace. Also,
> a user likely wants to see only their own AVC stats generally.

Yes, we should likely split those too; something else to add to the TODO
list for this patch series.