[SELinux-notebook PATCH v2] type_statements: document expandattribute

From: Dominick Grift <dominick.grift@defensec.nl>
To: selinux@vger.kernel.org
Cc: Dominick Grift <dominick.grift@defensec.nl>
Subject: [SELinux-notebook PATCH v2] type_statements: document expandattribute
Date: Thu, 30 Jul 2020 11:31:25 +0200	[thread overview]
Message-ID: <20200730093125.896974-1-dominick.grift@defensec.nl> (raw)
In-Reply-To: <20200730085542.895297-1-dominick.grift@defensec.nl>

This functionality was added for Androids Treble in 2017.

I was not sure whether this belong here or in conditional_statements.md

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
v2: change expandtypeattribute to expandattribute

 src/type_statements.md | 70 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/src/type_statements.md b/src/type_statements.md
index 61c7191..1ca655d 100644
--- a/src/type_statements.md
+++ b/src/type_statements.md
@@ -201,6 +201,76 @@ attribute non_security_file_type;
 
 <br>
 
+## `expandattribute`
+
+The `expandattribute` statement allows type attribute expansion
+compiler defaults to be overriden.
+
+**The statement definition is:**
+
+`expandattribute attribute_id default_value;`
+
+**Where:**
+
+<table>
+<tbody>
+<tr>
+<td><code>expandattribute</code></td>
+<td>The <code>expandattribute</code> keyword.</td>
+</tr>
+<tr>
+<td><code>attribute_id</code></td>
+<td>One or more previously declared <code>attribute</code>. Multiple entries consist of a space separated list enclosed in braces '{}'.</td>
+</tr>
+<tr>
+<td><code>default_value</code></td>
+<td>Either true or false</td>
+</tr>
+</tbody>
+</table>
+
+**The statement is valid in:**
+
+<table style="text-align:center">
+<tbody>
+<tr style="background-color:#D3D3D3;">
+<td><strong>Monolithic Policy</strong></td>
+<td><strong>Base Policy</strong></td>
+<td><strong>Module Policy</strong></td>
+</tr>
+<tr>
+<td>Yes</td>
+<td>Yes</td>
+<td>Yes</td>
+</tr>
+<tr style="background-color:#D3D3D3;">
+<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
+<td><strong><code>optional</code> Statement</strong></td>
+<td><strong><code>require</code> Statement</strong></td>
+</tr>
+<tr>
+<td>No</td>
+<td>Yes</td>
+<td>No</td>
+</tr>
+</tbody>
+</table>
+
+**Example:**
+
+```
+# Using the expandattribute statement to forcibly expand a
+# previously declared domain attribute.
+
+# The previously declared attribute:
+attribute domain;
+
+# The attribute stripping using the expandattribute statement:
+expandattribute domain true;
+```
+
+<br>
+
 ## `typeattribute`
 
 The `typeattribute` statement allows the association of previously
-- 
2.28.0.rc1

