> > or introducing a new syntax that does
> > wildcard full match such as `genfsconwildcard`?
>
> That seems pretty awful to me too.
>
> If you can't be bothered to actually update the policy as you should
> be doing when enabling a new policy capability, add the same hack you
> were proposing for the kernel to the compiler/linker toolchain and
> just start adding the '*' wildcard at the end of the paths.

I think adding a new syntax is cleaner than adding a knob or breaking the compatibility. On Android, property_contexts introduced a new syntax adding '<prefix|exact> <type>' at the end of the entries.

How about a syntax like 'genfs sysfs /devices/*/wakeup/ u:object_r:wakeup:s0 wildcard'? If an entry has 'wildcard' at the end, it's a new type of entry. Entries without wildcard are not affected.

--
Inseob Kim | Software Engineer | inseob@xxxxxxxxxx