

The unlocked_security_sid_to_context function panics if it is called before the security server has initialized, unless the SID is predefined. For a predefined SID, it instead returns a string containing the name of the initial SID. This permits the AVC to call the function for a SID pair when writing an audit record before the security server has initialized.

If the security server has initialized, then this function looks up the security context for the SID in the SID hash table and passes it to the services.c:context_struct_to_string function. That function first computes the length of the security context string, calling mls.c:mls_compute_context_len to obtain the length of the MLS fields of the string if the MLS policy is enabled. It then allocates a buffer of that length using kmalloc, copies the user, role, and type names into the buffer, and calls mls.c:mls_sid_to_context to write the MLS attributes into the buffer. The function then returns.
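
The two-pass pattern described above (compute the exact length, allocate, then fill) is sketched below as an added userspace example; it is not the kernel's code. The `struct ctx` layout and the names `ctx_len` and `ctx_to_string` are hypothetical, `malloc` stands in for kmalloc, and the MLS fields are modelled as a pre-rendered string rather than by calls to mls_compute_context_len and mls_sid_to_context.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace model; the field names are assumptions. */
struct ctx {
    const char *user, *role, *type;
    const char *mls;   /* pre-rendered MLS fields, or NULL when MLS is disabled */
};

/* Pass 1: exact byte count, including separators and the trailing NUL. */
static size_t ctx_len(const struct ctx *c)
{
    size_t len = strlen(c->user) + 1 + strlen(c->role) + 1 + strlen(c->type) + 1;
    if (c->mls)
        len += 1 + strlen(c->mls);   /* ':' plus the MLS fields */
    return len;
}

/* Pass 2: allocate exactly ctx_len() bytes and fill them. Every write is
 * bounded by the remaining space, so a mismatch between the length pass and
 * the fill pass fails closed instead of overrunning the buffer.
 * Returns NULL on failure; the caller frees the result. */
static char *ctx_to_string(const struct ctx *c, size_t *out_len)
{
    size_t len = ctx_len(c);
    char *buf = malloc(len);         /* stands in for kmalloc */
    if (!buf)
        return NULL;
    int n = snprintf(buf, len, "%s:%s:%s", c->user, c->role, c->type);
    if (n < 0 || (size_t)n >= len) { free(buf); return NULL; }
    if (c->mls) {
        int m = snprintf(buf + n, len - n, ":%s", c->mls);
        if (m < 0 || (size_t)m >= len - n) { free(buf); return NULL; }
    }
    *out_len = len;
    return buf;
}

int main(void)
{
    /* Constructed sample context, not taken from any real policy. */
    struct ctx c = { "system_u", "system_r", "kernel_t", "s0" };
    size_t len;
    char *s = ctx_to_string(&c, &len);
    if (!s)
        return 1;
    printf("%s (%zu bytes)\n", s, len);
    free(s);
    return 0;
}
```
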