Ok, I have finished a revision that addresses your comments (will email out shortly). You'll be happy to hear that I am using "extended permissions" instead of "operations."

I tried to focus on:
- Creating a stable binary policy format that will work for ioctls and netlink (and others) such that the policy version XPERMS_IOCTL will remain valid if/when version XPERMS_NETLINK is added
- Keeping the current version simple, don’t partially add logic for selecting between ioctl/netlink in the AVC.

I originally started adding additional components to the avc structures, but a few questions came up that Stephen and I did not know the answer to. It makes sense to punt these decisions to if/when the netlink extended permissions capability is actually added (saves memory in the meantime). The internals can change as long as the binary policy is stable.

On Fri, May 22, 2015 at 11:03 AM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Thu, May 21, 2015 at 11:14 AM, Jeffrey Vander Stoep <jeffv@xxxxxxxxxx> wrote:
>> I selected operation because it is not ioctl specific. Stephen and I
>> had discussed the possibility of this being used for other things but
>> ultimately decided to focus on ioctls because that was my intended
>> use-case. I would be ok with other names, but I also think the naming
>> could be kept the same and I could add clearer in-code comments to
>> better convey the extended operations or extended permissions idea.
>
> <grumble> <grumble> <grumble>
>
> Okay, it's been a day and I can't think of anything else beyond what
> we've discussed so just stick with operation for now and add some
> better comments. It's all internal anyway so renaming in the future
> is a non-issue (minus the usual code churn arguments).
>
> --
> paul moore
> www.paul-moore.com