On Thu, May 14, 2020 at 12:36 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> On Thu, May 14, 2020 at 12:09 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > The suffix "_perms" is used in Reference Policy style policies for
> > permission macros, bundling several single raw permissions.
> >
> > Add a note to not confuse policy writers/readers.
>
> I don't really see a valid justification and I wouldn't recommend
> doing this via a comment alone if it were justified.
> The kernel shouldn't be tied to refpolicy since refpolicy is merely
> one SELinux policy configuration albeit widely used as the base for
> most Linux distros (but not Android). If we were going to enforce a
> naming convention on the classes/permissions, we should do it via a
> build-time check using the existing scripts/selinux/genheaders program
> that generates the symbols from classmap.h that are used by the kernel
> code. And this particular case seems highly improbable - who would
> name a permission with a "_perms" (plural) suffix especially since no
> other kernel permission has been so named to date. The comment is
> also a bit confusing since it occurs immediately before a macro that
> ends in _PERMS is defined, but that macro presents no problem since it
> is purely kernel-internal. Absent some motivating example of where we
> have broken refpolicy in the past, I can't see why we need this.

Not that Stephen's points really need a "+1", but yes, +1.

--
paul moore
www.paul-moore.com