On Sun, Aug 2, 2020 at 8:39 AM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
>
> This was added for Androids Treble in 2017.
>
> Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxxxx>
> ---
> v2: overriden is overridden
> v3: add link to README.md
> v4: rephrase and add another example
>
> secilc/docs/README.md | 1 +
> secilc/docs/cil_type_statements.md | 44 ++++++++++++++++++++++++++++++
> 2 files changed, 45 insertions(+)
>
> diff --git a/secilc/docs/README.md b/secilc/docs/README.md
> index 3f1838e6..efab2a71 100644
> --- a/secilc/docs/README.md
> +++ b/secilc/docs/README.md
> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language)
> * [typealiasactual](cil_type_statements.md#typealiasactual)
> * [typeattribute](cil_type_statements.md#typeattribute)
> * [typeattributeset](cil_type_statements.md#typeattributeset)
> + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute)
> * [typebounds](cil_type_statements.md#typebounds)
> * [typechange](cil_type_statements.md#typechange)
> * [typemember](cil_type_statements.md#typemember)
> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md
> index f9dd3a76..41f0f01a 100644
> --- a/secilc/docs/cil_type_statements.md
> +++ b/secilc/docs/cil_type_statements.md
> @@ -213,6 +213,50 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p
> )
> )
>
> +expandtypeattribute
> +-------------------
> +
> +Overrides the compiler defaults for the expansion of one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers.
> +
> +Note that this statement can be overridden at compile-time with `secilc -X SIZE` and that this functionality is not intended to override `secilc -X SIZE` for individual type attributes!
> +
I didn't mention the "-X" option in my reply to the selinux notebook patch.
This is like what I mentioned in the selinux notebook, but mentions
the "-X" option.
Gives more control over type attribute expansion and removal. When the
value is true, all rules involving the type attribute will be expanded
and the type attribute will be removed from the policy. When the value
is false, the type attribute will not be removed from the policy, even
if the default expand rules or "-X" option cause the rules involving
the type attribute to be expanded.
Thanks,
Jim
> +**Statement definition:**
> +
> + (expandtypeattribute typeattribute_id true|false)
> +
> +**Where:**
> +
> +<table>
> +<colgroup>
> +<col width="25%" />
> +<col width="75%" />
> +</colgroup>
> +<tbody>
> +<tr class="odd">
> +<td align="left"><p><code>expandtypeattribute</code></p></td>
> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td>
> +</tr>
> +<tr class="even">
> +<td align="left"><p><code>typeattribute_id</code></p></td>
> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers. Multiple entries consist of a space separated list enclosed in parentheses '()'.</p></td>
> +</tr>
> +<tr class="odd">
> +<td align="left"><p><code>true | false</code></p></td>
> +<td align="left"><p>Either true or false.</p></td>
> +</tr>
> +</tbody>
> +</table>
> +
> +**Examples:**
> +
> +This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute.
> +
> + (expandtypeattribute domain true)
> +
> +This example uses the expandtypeattribute statement to not expand previously declared `file_type` and `port_type` type attributes regardless of compiler defaults.
> +
> + (expandtypeattribute (file_type port_type) false)
> +
> typebounds
> ----------
>
> --
> 2.28.0
>
