On Wed, Oct 23, 2024 at 11:27 AM Christian Göttsche <cgoettsche@xxxxxxxxxxxxx> wrote:
>
> From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Add support for extended permission rules in conditional policies.
> Currently the kernel accepts such rules already, but evaluating a
> security decision will hit a BUG() in
> services_compute_xperms_decision(). Thus reject extended permission
> rules in conditional policies for current policy versions.
>
> Add a new policy version for this feature.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> v2:
>   rebased onto the netlink xperm patch
> ---
>  security/selinux/include/security.h |  3 ++-
>  security/selinux/ss/avtab.c         | 11 +++++++++--
>  security/selinux/ss/avtab.h         |  2 +-
>  security/selinux/ss/conditional.c   |  2 +-
>  security/selinux/ss/policydb.c      |  5 +++++
>  security/selinux/ss/services.c      | 12 ++++++++----
>  6 files changed, 26 insertions(+), 9 deletions(-)

This looks fine to me, but I believe there are some outstanding userspace
issues that need to be resolved?

--
paul-moore.com