On Thu, 31 Oct 2024 at 23:20, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Wed, Oct 23, 2024 at 11:27 AM Christian Göttsche
> <cgoettsche@xxxxxxxxxxxxx> wrote:
> >
> > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> >
> > Add support for extended permission rules in conditional policies.
> > Currently the kernel accepts such rules already, but evaluating a
> > security decision will hit a BUG() in
> > services_compute_xperms_decision(). Thus reject extended permission
> > rules in conditional policies for current policy versions.
> >
> > Add a new policy version for this feature.
> >
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > ---
> > v2:
> >    rebased onto the netlink xperm patch
> > ---
> >  security/selinux/include/security.h |  3 ++-
> >  security/selinux/ss/avtab.c         | 11 +++++++++--
> >  security/selinux/ss/avtab.h         |  2 +-
> >  security/selinux/ss/conditional.c   |  2 +-
> >  security/selinux/ss/policydb.c      |  5 +++++
> >  security/selinux/ss/services.c      | 12 ++++++++----
> >  6 files changed, 26 insertions(+), 9 deletions(-)
>
> This looks fine to me, but I believe there are some outstanding
> userspace issues that need to be resolved?

Hi,

I know it's very late in the development cycle, but I wanted to ask if
there is a chance this could be merged for 6.13?
The userspace patches are merged and currently part of 3.8-rc1, and
these kernel changes are quite simple, since most of the needed
functionality was already in place.
I created a testsuite patch over at
https://github.com/SELinuxProject/selinux-testsuite/pull/98.

>
> --
> paul-moore.com