Allow all and complement permission sets in constraints, e.g.:
constrain service ~ { status } (...);
constrain service * (...);
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
checkpolicy/policy_define.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index b2ae3263..ded19570 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -3590,6 +3590,16 @@ int define_constraint(constraint_expr_t * expr)
 cladatum = policydbp->class_val_to_struct[i];
 node = cladatum->constraints;
+ if (strcmp(id, "*") == 0) {
+ node->permissions = ~UINT32_C(0);
+ continue;
+ }
+
+ if (strcmp(id, "~") == 0) {
+ node->permissions = ~node->permissions;
+ continue;
+ }
+
 perdatum = (perm_datum_t *) hashtab_search(cladatum->
 permissions.
--
2.34.1
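Review bot: The `~` branch complements whatever has already been accumulated in `node->permissions` when the "~" id is dequeued, so `constrain service ~ { status } (...)` is only correct if the parser queues "~" after every permission name of the set; if "~" is dequeued first the mask is still 0, `~0` sets every bit, and the later `|=` for status leaves it all-ones, i.e. "all permissions" rather than "all but status". That ordering is decided in the grammar (policy_parse.y), which is not part of this hunk, so it should be confirmed and stated on the branch, e.g. `/* "~" is queued after the permission names it negates (see policy_parse.y) */`. Both `~UINT32_C(0)` and the in-place complement also set bits for permission values the class does not define; a consumer that only ANDs the mask against requested permission bits will not notice, but anything that walks the mask bit by bit should be checked, and masking the result with the class's defined permission bits would make the stored value exact. define_constraint starts and ends outside the hunk.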