On Wed, Mar 19, 2025 at 11:13 PM Inseob Kim <inseob@xxxxxxxxxx> wrote:
>
> > > > or introducing a new syntax that does
> > > wildcard full match such as `genfsconwildcard`?
> >
> > That seems pretty awful to me too.
> >
> > If you can't be bothered to actually update the policy as you should
> > be doing when enabling a new policy capability, add the same hack you
> > were proposing for the kernel to the compiler/linker toolchain and
> > just start adding the '*' wildcard at the end of the paths.
>
> I think adding a new syntax is cleaner than adding a knob or breaking the
> compatibility. On Android, property_contexts introduced a new syntax adding
> '<prefix|exact> <type>' at the end of the entries. How about a syntax like
> 'genfs sysfs /devices/*/wakeup/ u:object_r:wakeup:s0 wildcard'? If an entry
> has 'wildcard' at the end, it's a new type of entry. Entries without wildcard
> are not affected.
>
> --
> Inseob Kim | Software Engineer | inseob@xxxxxxxxxx

Inseob and I synced offline and I let him know we have newer v2 and v3 patches.
While we might discuss backward-compatibility efforts for user-space libselinux,
we settled on the design in the kernel space.