On Wed, Aug 21, 2024 at 10:57 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > > On Wed, Aug 21, 2024 at 9:08 AM Christian Göttsche > <cgoettsche@xxxxxxxxxxxxx> wrote: > > > > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > > > > > Add support for extended permission rules in conditional policies. > > > Currently the kernel accepts such rules already, but evaluating a > > > security decision will hit a BUG() in > > > services_compute_xperms_decision(). Thus reject extended permission > > > rules in conditional policies for current policy versions. > > > > > > Add a new policy version for this feature. > > > > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > > --- > > > Userspace patches are available at: > > > https://github.com/SELinuxProject/selinux/pull/432 > > > > > > Maybe the policy version 34 can be reused for the prefix/suffix filetrans > > > feature to avoid two new versions? > > > > Kindly ping. > > > > Any comments? > > > > This affects (improves?) also the netlink xperm proposal. > > Do you know of anyone who plans to use this feature? Android does not > use conditional policies and it is the primary user of the current > extended permissions feature. I haven't seen any usage in refpolicy to > date. Not opposed to adding this support but absent an immediate user and with the requirement to introduce a new policy version for it, I would defer merging this until after the netlink_xperm proposal. I would encourage you to re-base on that once it lands and also to post the selinux userspace patches to the list if possible (breaking them up if necessary). Agree it would be nice if we could combine with the prefix/suffix support to avoid two policy version bumps but unclear that one is going to move forward any time soon.
