On Sat, Jan 28, 2023 at 2:33 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> I'll take a look, although just a heads-up that I don't generally
> merge patches into selinux/next at this point in the -rc cycle unless
> they are bug fixes, or some other critical patch; it's likely this
> will need to wait until after the upcoming merge window closes.

Yeah, that patch was not some kind of "please apply this urgent fix",
more of a "I'm looking at path walking again, and the selinux code is
more expensive than the *actual* path walk is" heads up.

> > Comments? Is there some case I've missed?
>
> You're correct in that selinux_state parameters currently always point
> back to the single global instance, however there was, and still is, a
> point to that patch ... although I will admit it is a long time
> coming.

Honestly, considering that the selinux code is literally more
expensive than THE REAL WORKLOAD it is checking, I really want people
to take a second look.

If some new feature makes that crazy-expensive thing *worse*, we have issues.

If it's been that way for five years with no progress, and no clear
indication that it's even some high-priority issue that lots of people
are asking for, maybe that should be a big hint.

Linus