On Thu, Nov 28, 2024 at 7:49 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
> On Thu, 31 Oct 2024 at 23:20, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > On Wed, Oct 23, 2024 at 11:27 AM Christian Göttsche
> > <cgoettsche@xxxxxxxxxxxxx> wrote:
> > >
> > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > >
> > > Add support for extended permission rules in conditional policies.
> > > Currently the kernel accepts such rules already, but evaluating a
> > > security decision will hit a BUG() in
> > > services_compute_xperms_decision(). Thus reject extended permission
> > > rules in conditional policies for current policy versions.
> > >
> > > Add a new policy version for this feature.
> > >
> > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > > ---
> > > v2:
> > >   rebased onto the netlink xperm patch
> > > ---
> > >  security/selinux/include/security.h |  3 ++-
> > >  security/selinux/ss/avtab.c         | 11 +++++++++--
> > >  security/selinux/ss/avtab.h         |  2 +-
> > >  security/selinux/ss/conditional.c   |  2 +-
> > >  security/selinux/ss/policydb.c      |  5 +++++
> > >  security/selinux/ss/services.c      | 12 ++++++++----
> > >  6 files changed, 26 insertions(+), 9 deletions(-)
> >
> > This looks fine to me, but I believe there are some outstanding
> > userspace issues that need to be resolved?
>
> Hi,
>
> I know it's very late in the development cycle, but I wanted to ask if
> there is a chance this could be merged for 6.13?

I'm sorry, but it is/was too late for those changes to be merged into
the kernel.  I'm sure you've seen this already, but the process is
documented in the README.md file which is linked below:

* https://github.com/SELinuxProject/selinux-kernel/blob/main/README.md

The relevant portion is copied below:

"During the development cycle that starts with the close of the kernel
merge window and ends with the tagged kernel release, patches will be
accepted into the stable-X.Y and dev branches as described in their
respective sections in this document.

While patches will be accepted into the stable-X.Y branch at any point
in time, significant changes will likely not be accepted into the dev
branch when there are two or less weeks left in the development cycle;
this typically means that only critical bugfixes are accepted once the
vX.Y-rc6 kernel is released."

> The userspace patches are merged and currently part of 3.8-rc1, and
> these kernel changes are quite simple, since most of the needed
> functionality was already in place.
> I created a testsuite patch over at
> https://github.com/SELinuxProject/selinux-testsuite/pull/98.

Thank you!

--
paul-moore.com