On Sun, Jan 29, 2023 at 2:37 PM Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Sat, Jan 28, 2023 at 2:33 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >
> > I'll take a look, although just a heads-up that I don't generally
> > merge patches into selinux/next at this point in the -rc cycle unless
> > they are bug fixes, or some other critical patch; it's likely this
> > will need to wait until after the upcoming merge window closes.
>
> Yeah, that patch was not some kind of "please apply this urgent fix",
> more of a "I'm looking at path walking again, and the selinux code is
> more expensive than the *actual* path walk is" heads up.

Yep, just wanted to set expectations so you wouldn't be surprised to
not see this during the upcoming merge window.

> > > Comments? Is there some case I've missed?
> >
> > You're correct in that selinux_state parameters currently always point
> > back to the single global instance, however there was, and still is, a
> > point to that patch ... although I will admit it is a long time
> > coming.
>
> Honestly, considering that the selinux code is literally more
> expensive than THE REAL WORKLOAD it is checking, I really want people
> to take a second look.

WE WILL

> If some new feature makes that crazy-expensive thing *worse*, we have issues.
>
> If it's been that way for five years with no progress, and no clear
> indication that it's even some high-priority issue that lots of people
> are asking for, maybe that should be a big hint.

To be fair, people *are* asking for SELinux namespacing, but there are
some very thorny problems that remain unsolved. However, after the
merge window we should consider moving away from passing the
selinux_state as a parameter and just using it as a global resource.

--
paul-moore.com