问题1:系统是如何把安全服务器作出新的决策缓存到AVC中?这里的netlink广播都有什么用?
问题2:在内核代码中 security/selinux/ss/services.c 中的security_load_policy函数为什么需要先保存旧的SID表 ,再装入新表,最后释放旧表呢?不保存直接释放旧表有何不妥?
int security_load_policy(void *data, size_t len){
...
/* Save the old policydb and SID table to free later. */
memcpy(&oldpolicydb, &policydb, sizeof policydb);
sidtab_set(&oldsidtab, &sidtab);
/* Install the new policydb and SID table. */
POLICY_WRLOCK;
memcpy(&policydb, &newpolicydb, sizeof policydb);
sidtab_set(&sidtab, &newsidtab);
seqno = ++latest_granting;
policydb_loaded_version = policydb.policyvers;
POLICY_WRUNLOCK;
LOAD_UNLOCK;
/* Free the old policydb and SID table. */
policydb_destroy(&oldpolicydb);
sidtab_destroy(&oldsidtab);
...
}
