The unlocked_security_compute_sid function is used for the security_transition_sid, security_member_sid, and security_change_sid interfaces. It returns the current process SID or the related object SID if the security server is not yet initialized depending on the security class. Although there are currently no situations where the function is called prior to initialization, it is possible that future development will introduce such cases. If such cases do arise in the future, a better solution would be to preload the security server state with the SIDs that are required to initialize.
If the security server has initialized, then the unlocked_security_compute_sid function looks up the security contexts for the SID pair in the SID hash table. The function then sets the user identity for the new context based on which interface is being used, and it initializes the role and type based on the security class. The function then looks for a type rule in the policy configuration. If a type rule exists, then the type is changed accordingly.
The function then applies class-specific logic. For a process, if a transition is being requested, the function checks for a role transition rule and changes the role if a rule is found. If there is no change in the process atributes, then the function simply returns the SID of the process. For an object, if there is no change in the object attributes from the related object, then the function simply returns the SID of the related object.
The function then sets the MLS attributes from the process context. It then calls the policydb.c:policydb_context_isvalid function to verify that the security context is valid. If the context is not valid, then the function returns an error. Otherwise, it calls the sidtab_context_to_sid function to obtain a SID that corresponds to the context and returns.