On Wed, Aug 21, 2024 at 9:08 AM Christian Göttsche <cgoettsche@xxxxxxxxxxxxx> wrote: > > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > > > Add support for extended permission rules in conditional policies. > > Currently the kernel accepts such rules already, but evaluating a > > security decision will hit a BUG() in > > services_compute_xperms_decision(). Thus reject extended permission > > rules in conditional policies for current policy versions. > > > > Add a new policy version for this feature. > > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > --- > > Userspace patches are available at: > > https://github.com/SELinuxProject/selinux/pull/432 > > > > Maybe the policy version 34 can be reused for the prefix/suffix filetrans > > feature to avoid two new versions? > > Kindly ping. > > Any comments? > > This affects (improves?) also the netlink xperm proposal. Do you know of anyone who plans to use this feature? Android does not use conditional policies and it is the primary user of the current extended permissions feature. I haven't seen any usage in refpolicy to date.
