On Wed, Mar 12, 2025 at 3:56 AM Takaya Saeki <takayas@xxxxxxxxxxxx> wrote:
>
> Thank you for the feedback.
>
> On Tue, Mar 11, 2025 at 7:39 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > Mar 11, 2025 10:42:22 Takaya Saeki <takayas@xxxxxxxxxxxx>:
> >
> > > Hello, now this patch no longer appends "*" in the kernel space.
> > > I tested this patch on Debian by creating a modified SELinux policy
> > > where all genfs rules were followed by a trailing '*' and the new
> > > genfs_seclabel_wildcard cap was enabled. Both the new policy with the
> > > capability enabled and Debian's default policy without that policy
> > > capability made correct labels.
> > >
> > >> + bool wildcard = 0;
> > > I overlooked that this should be `= true`. I can fix it.
> >
> > Or maybe drop this assignment, since the variable is always assigned later on (and modern compilers are good at warning about uninitialized local variables).
>
> I agree. Let me drop the initialization.
>
> > On another point maybe this feature can be combined under the new policy capability netif_wildcard, to avoid adding two?
>
> So, do we rename POLICYDB_CAP_NETIF_WILDCARD to POLICYDB_CAP_WILDCARD
> to control both wildcard capabilities? That should be fine for
> Android's use cases.
> However, it will mean users who want to enable the wildcard feature
> for network cards also have to take care of the incompatibility of
> genfscon at the same time. I'd like to ask for opinions from
> maintainers.

It is Paul's call to make, but I would recommend keeping them separate.