Re: [PATCH v2] selinux: support wildcard match in genfscon

On Wed, Mar 12, 2025 at 9:34 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Wed, Mar 12, 2025 at 3:56 AM Takaya Saeki <takayas@xxxxxxxxxxxx> wrote:
> >
> > Thank you for the feedback.
> >
> > On Tue, Mar 11, 2025 at 7:39 PM Christian Göttsche
> > <cgzones@xxxxxxxxxxxxxx> wrote:
> > >
> > > Mar 11, 2025 10:42:22 Takaya Saeki <takayas@xxxxxxxxxxxx>:
> > >
> > > > Hello, now this patch no longer appends "*" in the kernel space.
> > > > I tested this patch on Debian by creating a modified SELinux policy
> > > > where all genfs rules were followed by a trailing '*' and the new
> > > > genfs_seclabel_wildcard cap was enabled. Both the new policy with the
> > > > capability enabled and Debian's default policy without that policy
> > > > capability made correct labels.
> > > >
> > > >> +       bool wildcard = 0;
> > > > I overlooked that this should be `= true`. I can fix it.
> > >
> > > Or maybe drop this assignment, since the variable is always assigned later on (and modern compilers are good at warning about uninitialized local variables).
> >
> > I agree. Let me drop the initialization.
> >
> > >
> > > On another point maybe this feature can be combined under the new policy capability netif_wildcard, to avoid adding two?
> >
> > So, do we rename POLICYDB_CAP_NETIF_WILDCARD to POLICYDB_CAP_WILDCARD
> > to control both wildcard capabilities? That should be fine for
> > Android's use cases.
> > However, it will mean users who want to enable the wildcard feature
> > for network cards also have to take care of incompatibility of
> > genfscon at the same time. I'd like to ask for opinions from
> > maintainers.
>
> It is Paul's call to make, but I would recommend keeping them separate.

I agree that the idea of separating it is more reasonable. I will wait
for Paul's feedback and will send a v3 patch that will at least do a
minor fix of the variable initialization.