* [PATCH] secilc/docs: document expandtypeattribute @ 2020-07-30 9:23 Dominick Grift 2020-07-30 11:45 ` [PATCH v2] " Dominick Grift 0 siblings, 1 reply; 20+ messages in thread From: Dominick Grift @ 2020-07-30 9:23 UTC (permalink / raw) To: selinux; +Cc: Dominick Grift This was added for Androids Treble in 2017. I was unsure whether this belongs in type_statements or in conditional_statements. Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> --- secilc/docs/cil_type_statements.md | 38 ++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md index f9dd3a76..4ac1dcb9 100644 --- a/secilc/docs/cil_type_statements.md +++ b/secilc/docs/cil_type_statements.md 
@@ -213,6 +213,44 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p ) ) +expandtypeattribute +---------------- + +Allows expansion compiler defaults for one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to be overriden. + +**Statement definition:** + + (expandtypeattribute typeattribute_id true|false) + +**Where:** + +<table> +<colgroup> +<col width="25%" /> +<col width="75%" /> +</colgroup> +<tbody> +<tr class="odd"> +<td align="left"><p><code>expandtypeattribute</code></p></td> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> +</tr> +<tr class="even"> +<td align="left"><p><code>typeattribute_id</code></p></td> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers.</p></td> +</tr> +<tr class="odd"> +<td align="left"><p><code>true | false</code></p></td> +<td align="left"><p>Either true or false.</p></td> +</tr> +</tbody> +</table> + +**Example:** + +This example will use the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. + + (expandtypeattribute domain true) + typebounds ---------- -- 2.28.0.rc1 ^ permalink raw reply related [flat|nested] 20+ messages in thread
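Review bot: the `true | false` row of the table ("Either true or false.") does not say what either value does, which is the one thing a reader of this section needs; as established later in this thread, `false` keeps the attribute declaration and its typeattributeset rules from being removed and `true` forces the rules that use the attribute to be expanded, so the row should state that. Two smaller points in the same hunk: "overriden" in the opening sentence should be "overridden", and the heading underline `----------------` is shorter than `expandtypeattribute`, whereas the file's other headings use an underline of the same length (`typebounds` / `----------`).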
* [PATCH v2] secilc/docs: document expandtypeattribute 2020-07-30 9:23 [PATCH] secilc/docs: document expandtypeattribute Dominick Grift @ 2020-07-30 11:45 ` Dominick Grift 2020-07-30 13:11 ` [PATCH v3] " Dominick Grift 0 siblings, 1 reply; 20+ messages in thread From: Dominick Grift @ 2020-07-30 11:45 UTC (permalink / raw) To: selinux; +Cc: Dominick Grift This was added for Androids Treble in 2017. I was unsure whether this belongs in type_statements or in conditional_statements. Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> --- v2: overriden is overridden secilc/docs/cil_type_statements.md | 38 ++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md index f9dd3a76..24498755 100644 --- a/secilc/docs/cil_type_statements.md +++ b/secilc/docs/cil_type_statements.md 
@@ -213,6 +213,44 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p ) ) +expandtypeattribute +---------------- + +Allows expansion compiler defaults for one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to be overridden. + +**Statement definition:** + + (expandtypeattribute typeattribute_id true|false) + +**Where:** + +<table> +<colgroup> +<col width="25%" /> +<col width="75%" /> +</colgroup> +<tbody> +<tr class="odd"> +<td align="left"><p><code>expandtypeattribute</code></p></td> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> +</tr> +<tr class="even"> +<td align="left"><p><code>typeattribute_id</code></p></td> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers.</p></td> +</tr> +<tr class="odd"> +<td align="left"><p><code>true | false</code></p></td> +<td align="left"><p>Either true or false.</p></td> +</tr> +</tbody> +</table> + +**Example:** + +This example will use the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. + + (expandtypeattribute domain true) + typebounds ---------- -- 2.28.0.rc1 ^ permalink raw reply related [flat|nested] 20+ messages in thread
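Review bot: the opening sentence "Allows expansion compiler defaults for one or more previously declared ... identifiers to be overridden." is hard to parse; "Overrides the compiler defaults for the expansion of one or more previously declared typeattribute identifiers." says the same thing directly. The `typeattribute_id` row also promises "one or more" identifiers, but neither the statement definition nor the example shows the list form; the form used later in this thread, `(expandtypeattribute (colors pets) false)`, should appear in the definition or in a second example. The underline under `expandtypeattribute` is still 16 dashes for a 19-character heading.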
* [PATCH v3] secilc/docs: document expandtypeattribute 2020-07-30 11:45 ` [PATCH v2] " Dominick Grift @ 2020-07-30 13:11 ` Dominick Grift 2020-07-30 22:22 ` James Carter 0 siblings, 1 reply; 20+ messages in thread From: Dominick Grift @ 2020-07-30 13:11 UTC (permalink / raw) To: selinux; +Cc: Dominick Grift This was added for Androids Treble in 2017. I was unsure whether this belongs in type_statements or in conditional_statements. Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> --- v2: overriden is overridden v3: add link to README.md secilc/docs/README.md | 1 + secilc/docs/cil_type_statements.md | 38 ++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/secilc/docs/README.md b/secilc/docs/README.md index 3f1838e6..efab2a71 100644 --- a/secilc/docs/README.md +++ b/secilc/docs/README.md @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) * [typealiasactual](cil_type_statements.md#typealiasactual) * [typeattribute](cil_type_statements.md#typeattribute) * [typeattributeset](cil_type_statements.md#typeattributeset) + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) * [typebounds](cil_type_statements.md#typebounds) * [typechange](cil_type_statements.md#typechange) * [typemember](cil_type_statements.md#typemember) diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md index f9dd3a76..f819b3c6 100644 --- a/secilc/docs/cil_type_statements.md +++ b/secilc/docs/cil_type_statements.md 
@@ -213,6 +213,44 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p ) ) +expandtypeattribute +------------------- + +Allows expansion compiler defaults for one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to be overridden. + +**Statement definition:** + + (expandtypeattribute typeattribute_id true|false) + +**Where:** + +<table> +<colgroup> +<col width="25%" /> +<col width="75%" /> +</colgroup> +<tbody> +<tr class="odd"> +<td align="left"><p><code>expandtypeattribute</code></p></td> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> +</tr> +<tr class="even"> +<td align="left"><p><code>typeattribute_id</code></p></td> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers.</p></td> +</tr> +<tr class="odd"> +<td align="left"><p><code>true | false</code></p></td> +<td align="left"><p>Either true or false.</p></td> +</tr> +</tbody> +</table> + +**Example:** + +This example will use the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. + + (expandtypeattribute domain true) + typebounds ---------- -- 2.28.0.rc1 ^ permalink raw reply related [flat|nested] 20+ messages in thread
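Review bot: the example sentence "forcibly expand a previously declared `domain` type attribute" is the only hint in the hunk at what `true` means, and nothing explains `false`, while the table row still reads "Either true or false."; suggest rewording the row so that `true` is described as expanding every rule that uses the attribute and removing the attribute from the compiled policy, and `false` as keeping the attribute declaration and its typeattributeset rules even where the compiler would otherwise drop them. A second example in the list form with `false`, such as the `(expandtypeattribute (colors pets) false)` tried later in this thread, would cover both that syntax and the option the thread goes on to call the most valuable one.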
* Re: [PATCH v3] secilc/docs: document expandtypeattribute 2020-07-30 13:11 ` [PATCH v3] " Dominick Grift @ 2020-07-30 22:22 ` James Carter 2020-07-31 7:26 ` Dominick Grift 2020-08-02 12:34 ` [PATCH v4] " Dominick Grift 0 siblings, 2 replies; 20+ messages in thread From: James Carter @ 2020-07-30 22:22 UTC (permalink / raw) To: Dominick Grift; +Cc: SElinux list On Thu, Jul 30, 2020 at 9:14 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > > This was added for Androids Treble in 2017. > > I was unsure whether this belongs in type_statements or in conditional_statements. > I think that it fits best with the type statements as you have it. > Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> > --- > v2: overriden is overridden > v3: add link to README.md > > secilc/docs/README.md | 1 + > secilc/docs/cil_type_statements.md | 38 ++++++++++++++++++++++++++++++ > 2 files changed, 39 insertions(+) > > diff --git a/secilc/docs/README.md b/secilc/docs/README.md > index 3f1838e6..efab2a71 100644 > --- a/secilc/docs/README.md > +++ b/secilc/docs/README.md > @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) > * [typealiasactual](cil_type_statements.md#typealiasactual) > * [typeattribute](cil_type_statements.md#typeattribute) > * [typeattributeset](cil_type_statements.md#typeattributeset) > + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) > * [typebounds](cil_type_statements.md#typebounds) > * [typechange](cil_type_statements.md#typechange) > * [typemember](cil_type_statements.md#typemember) > diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md > index f9dd3a76..f819b3c6 100644 > --- a/secilc/docs/cil_type_statements.md > +++ b/secilc/docs/cil_type_statements.md 
> @@ -213,6 +213,44 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p > ) > ) > > +expandtypeattribute > +------------------- > + > +Allows expansion compiler defaults for one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to be overridden. The wording confused me at first. I think "Overrides the compiler defaults for the expansion of one ... identifiers." would be clearer. > + > +**Statement definition:** > + > + (expandtypeattribute typeattribute_id true|false) > + > +**Where:** > + > +<table> > +<colgroup> > +<col width="25%" /> > +<col width="75%" /> > +</colgroup> > +<tbody> > +<tr class="odd"> > +<td align="left"><p><code>expandtypeattribute</code></p></td> > +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> > +</tr> > +<tr class="even"> > +<td align="left"><p><code>typeattribute_id</code></p></td> > +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers.</p></td> > +</tr> > +<tr class="odd"> > +<td align="left"><p><code>true | false</code></p></td> > +<td align="left"><p>Either true or false.</p></td> > +</tr> > +</tbody> > +</table> > + > +**Example:** > + > +This example will use the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. > + > + (expandtypeattribute domain true) > + It would be nice to have another example that shows a list of type attributes, so there is an example of that syntax as well. Thanks for doing this. Jim > typebounds > ---------- > > -- > 2.28.0.rc1 > ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v3] secilc/docs: document expandtypeattribute 2020-07-30 22:22 ` James Carter @ 2020-07-31 7:26 ` Dominick Grift 2020-07-31 19:50 ` James Carter 2020-08-02 12:34 ` [PATCH v4] " Dominick Grift 1 sibling, 1 reply; 20+ messages in thread From: Dominick Grift @ 2020-07-31 7:26 UTC (permalink / raw) To: James Carter; +Cc: SElinux list James Carter <jwcart2@gmail.com> writes: > On Thu, Jul 30, 2020 at 9:14 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> >> This was added for Androids Treble in 2017. >> >> I was unsure whether this belongs in type_statements or in conditional_statements. >> > > I think that it fits best with the type statements as you have it. > >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> >> --- >> v2: overriden is overridden >> v3: add link to README.md >> >> secilc/docs/README.md | 1 + >> secilc/docs/cil_type_statements.md | 38 ++++++++++++++++++++++++++++++ >> 2 files changed, 39 insertions(+) >> >> diff --git a/secilc/docs/README.md b/secilc/docs/README.md >> index 3f1838e6..efab2a71 100644 >> --- a/secilc/docs/README.md >> +++ b/secilc/docs/README.md >> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) >> * [typealiasactual](cil_type_statements.md#typealiasactual) >> * [typeattribute](cil_type_statements.md#typeattribute) >> * [typeattributeset](cil_type_statements.md#typeattributeset) >> + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) >> * [typebounds](cil_type_statements.md#typebounds) >> * [typechange](cil_type_statements.md#typechange) >> * [typemember](cil_type_statements.md#typemember) >> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md >> index f9dd3a76..f819b3c6 100644 >> --- a/secilc/docs/cil_type_statements.md >> +++ b/secilc/docs/cil_type_statements.md 
>> @@ -213,6 +213,44 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p >> ) >> ) >> >> +expandtypeattribute >> +------------------- >> + >> +Allows expansion compiler defaults for one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to be overridden. > > The wording confused me at first. > I think "Overrides the compiler defaults for the expansion of one ... > identifiers." would be clearer. > >> + >> +**Statement definition:** >> + >> + (expandtypeattribute typeattribute_id true|false) >> + >> +**Where:** >> + >> +<table> >> +<colgroup> >> +<col width="25%" /> >> +<col width="75%" /> >> +</colgroup> >> +<tbody> >> +<tr class="odd"> >> +<td align="left"><p><code>expandtypeattribute</code></p></td> >> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> >> +</tr> >> +<tr class="even"> >> +<td align="left"><p><code>typeattribute_id</code></p></td> >> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers.</p></td> >> +</tr> >> +<tr class="odd"> >> +<td align="left"><p><code>true | false</code></p></td> >> +<td align="left"><p>Either true or false.</p></td> >> +</tr> >> +</tbody> >> +</table> >> + >> +**Example:** >> + >> +This example will use the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. >> + >> + (expandtypeattribute domain true) >> + > > It would be nice to have another example that shows a list of type > attributes, so there is an example of that syntax as well. I was looking into an example but turns out that either i am misunderstanding this functionality or that it does not work as advertised: Example: 1. compiler defaults to expand typeattributes with less than four members 2. 
override pets and dogs expansion in policy # cat > mytest.cil <<EOF (sid mysid) (sidorder (mysid)) (class myclass (mypermission)) (classorder (unordered myclass)) (type blue) (type green) (type red) (typeattribute colors) (typeattributeset colors (blue green red)) (type dog) (type cat) (type goldfish) (typeattribute pets) (typeattributeset pets (dog cat goldfish)) (dontaudit pets colors (myclass (mypermission))) (expandtypeattribute (colors pets) false) EOF # secilc -v -X 4 mytest.cil # sesearch policy.32 --dontaudit > > Thanks for doing this. > Jim > >> typebounds >> ---------- >> >> -- >> 2.28.0.rc1 >> -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v3] secilc/docs: document expandtypeattribute 2020-07-31 7:26 ` Dominick Grift @ 2020-07-31 19:50 ` James Carter 2020-07-31 20:12 ` Dominick Grift 0 siblings, 1 reply; 20+ messages in thread From: James Carter @ 2020-07-31 19:50 UTC (permalink / raw) To: Dominick Grift; +Cc: SElinux list On Fri, Jul 31, 2020 at 3:26 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > > James Carter <jwcart2@gmail.com> writes: > > > On Thu, Jul 30, 2020 at 9:14 AM Dominick Grift > > <dominick.grift@defensec.nl> wrote: > >> > >> This was added for Androids Treble in 2017. > >> > >> I was unsure whether this belongs in type_statements or in conditional_statements. > >> > > > > I think that it fits best with the type statements as you have it. > > > >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> > >> --- > >> v2: overriden is overridden > >> v3: add link to README.md > >> > >> secilc/docs/README.md | 1 + > >> secilc/docs/cil_type_statements.md | 38 ++++++++++++++++++++++++++++++ > >> 2 files changed, 39 insertions(+) > >> > >> diff --git a/secilc/docs/README.md b/secilc/docs/README.md > >> index 3f1838e6..efab2a71 100644 > >> --- a/secilc/docs/README.md > >> +++ b/secilc/docs/README.md > >> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) > >> * [typealiasactual](cil_type_statements.md#typealiasactual) > >> * [typeattribute](cil_type_statements.md#typeattribute) > >> * [typeattributeset](cil_type_statements.md#typeattributeset) > >> + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) > >> * [typebounds](cil_type_statements.md#typebounds) > >> * [typechange](cil_type_statements.md#typechange) > >> * [typemember](cil_type_statements.md#typemember) > >> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md > >> index f9dd3a76..f819b3c6 100644 > >> --- a/secilc/docs/cil_type_statements.md > >> +++ b/secilc/docs/cil_type_statements.md 
> >> @@ -213,6 +213,44 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p > >> ) > >> ) > >> > >> +expandtypeattribute > >> +------------------- > >> + > >> +Allows expansion compiler defaults for one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to be overridden. > > > > The wording confused me at first. > > I think "Overrides the compiler defaults for the expansion of one ... > > identifiers." would be clearer. > > > >> + > >> +**Statement definition:** > >> + > >> + (expandtypeattribute typeattribute_id true|false) > >> + > >> +**Where:** > >> + > >> +<table> > >> +<colgroup> > >> +<col width="25%" /> > >> +<col width="75%" /> > >> +</colgroup> > >> +<tbody> > >> +<tr class="odd"> > >> +<td align="left"><p><code>expandtypeattribute</code></p></td> > >> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> > >> +</tr> > >> +<tr class="even"> > >> +<td align="left"><p><code>typeattribute_id</code></p></td> > >> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers.</p></td> > >> +</tr> > >> +<tr class="odd"> > >> +<td align="left"><p><code>true | false</code></p></td> > >> +<td align="left"><p>Either true or false.</p></td> > >> +</tr> > >> +</tbody> > >> +</table> > >> + > >> +**Example:** > >> + > >> +This example will use the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. > >> + > >> + (expandtypeattribute domain true) > >> + > > > > It would be nice to have another example that shows a list of type > > attributes, so there is an example of that syntax as well. > > I was looking into an example but turns out that either i am > misunderstanding this functionality or that it does not work as advertised: > > Example: > > 1. compiler defaults to expand typeattributes with less > than four members > 2. 
override pets and dogs expansion in policy
>
> # cat > mytest.cil <<EOF
> (sid mysid)
> (sidorder (mysid))
>
> (class myclass (mypermission))
> (classorder (unordered myclass))
>
> (type blue)
> (type green)
> (type red)
> (typeattribute colors)
> (typeattributeset colors (blue green red))
>
> (type dog)
> (type cat)
> (type goldfish)
> (typeattribute pets)
> (typeattributeset pets (dog cat goldfish))
>
> (dontaudit pets colors (myclass (mypermission)))
>
> (expandtypeattribute (colors pets) false)
> EOF
>
> # secilc -v -X 4 mytest.cil
> # sesearch policy.32 --dontaudit
>

The key is that expandtypeattribute works differently for the default
behavior than when you ask for attributes to be expanded.

The default rules for removing attributes are complex. In general,
attributes automatically created when converting a binary module to
CIL; attributes that are not used in allow and dontaudit rules; and
attributes that have only one type assigned are all removed. This
means that the attribute rule and the typeattributeset rules for the
attribute are removed and all rules using the attribute are expanded.
Using expandtypeattribute in this case will keep the attribute
declaration, the typeattributeset rules, and any allow rules.

When you use "-X SIZE" all allow rules with attributes that contain
less than SIZE types will be expanded and the attribute removed. Using
expandtypeattribute in this case will cause the attribute declaration
and the typeattributeset rules to be retained, but the allow rules
will still be expanded.

I just verified that everything does work like that.

It is a bit of a mess, but it is working as intended.

I probably need to document how the default expansion works. ;)

Thanks,
Jim

> >
> > Thanks for doing this.
> > Jim > > > >> typebounds > >> ---------- > >> > >> -- > >> 2.28.0.rc1 > >> > > -- > gpg --locate-keys dominick.grift@defensec.nl > Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 > https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 > Dominick Grift ^ permalink raw reply [flat|nested] 20+ messages in thread
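The two regimes James describes above, as an added worked model that is not secilc's code and not from the thread: a small Python script that parses the CIL statements of the thread's mytest.cil and applies the removal rules as described, with and without `-X 4` and with the `(expandtypeattribute (colors pets) false)` override. It assumes plain type lists in typeattributeset and leaves out the "auto-generated from a binary module" criterion, which is not visible in CIL source.

```python
"""Model of the attribute-expansion decisions described in this thread.
Constructed illustration, not secilc's code: applies the default removal
rules and the -X SIZE rule as James Carter describes them and shows how an
expandtypeattribute override changes each. Only plain type lists in
typeattributeset are handled; the "auto-generated from a binary module"
criterion is not modelled, as it is not visible in CIL source."""
import re

# Constructed input: the thread's mytest.cil minus the sid/class
# boilerplate, which plays no part in attribute expansion.
MYTEST_CIL = """
(type blue) (type green) (type red)
(typeattribute colors)
(typeattributeset colors (blue green red))
(type dog) (type cat) (type goldfish)
(typeattribute pets)
(typeattributeset pets (dog cat goldfish))
(dontaudit pets colors (myclass (mypermission)))
(expandtypeattribute (colors pets) false)
"""

AV_RULES = ("allow", "dontaudit", "auditallow")

def parse_sexprs(text):
    """Minimal S-expression reader: a list of statements, each a nested list of strings."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def render(node):
    """Turn a parsed node back into CIL text, e.g. (myclass (mypermission))."""
    if isinstance(node, list):
        return "(" + " ".join(render(n) for n in node) + ")"
    return node

def expand_policy(cil_text, expand_size=None):
    """Return the attributes that survive and the AV rules the compiler would emit.
    expand_size=None models the default behaviour; an integer models
    `secilc -X SIZE`, which expands attributes with fewer than SIZE members."""
    attrs = {}      # attribute name -> member types, in declaration order
    rules = []      # (kind, source, target, classperms text)
    overrides = {}  # attribute name -> True/False from expandtypeattribute
    for stmt in parse_sexprs(cil_text):
        head = stmt[0]
        if head == "typeattribute":
            attrs.setdefault(stmt[1], [])
        elif head == "typeattributeset":
            members = stmt[2] if isinstance(stmt[2], list) else [stmt[2]]
            if any(isinstance(m, list) for m in members):
                raise ValueError("set expressions (and/or/not) are not modelled")
            attrs.setdefault(stmt[1], []).extend(members)
        elif head in AV_RULES:
            rules.append((head, stmt[1], stmt[2], render(stmt[3])))
        elif head == "expandtypeattribute":
            names = stmt[1] if isinstance(stmt[1], list) else [stmt[1]]
            for name in names:
                overrides[name] = {"true": True, "false": False}[stmt[2]]

    used = {n for _, s, t, _ in rules for n in (s, t) if n in attrs}

    def decision(attr):
        """(rules expanded?, attribute removed?) for one attribute."""
        by_default = attr not in used or len(attrs[attr]) <= 1
        by_size = expand_size is not None and len(attrs[attr]) < expand_size
        override = overrides.get(attr)
        if override is True:        # forced: rules expanded, attribute dropped
            return True, True
        if override is False:       # declaration and typeattributeset always kept;
            return by_size, False   # -X still expands the rules, the default does not
        expand = by_default or by_size
        return expand, expand

    kept = [a for a in attrs if not decision(a)[1]]
    out = []
    for kind, src, tgt, cp in rules:
        srcs = attrs[src] if src in attrs and decision(src)[0] else [src]
        tgts = attrs[tgt] if tgt in attrs and decision(tgt)[0] else [tgt]
        out.extend((kind, s, t, cp) for s in srcs for t in tgts)
    return {"attributes": kept, "rules": out}

if __name__ == "__main__":
    # Reproduces what the thread observed: with -X 4 the dontaudit rule is
    # written per type pair even though colors and pets stay declared.
    for label, size in (("default", None), ("-X 4", 4)):
        result = expand_policy(MYTEST_CIL, size)
        print(f"{label}: attributes kept {result['attributes']}, "
              f"{len(result['rules'])} AV rule(s)")
```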
* Re: [PATCH v3] secilc/docs: document expandtypeattribute 2020-07-31 19:50 ` James Carter @ 2020-07-31 20:12 ` Dominick Grift 2020-07-31 20:22 ` James Carter 0 siblings, 1 reply; 20+ messages in thread From: Dominick Grift @ 2020-07-31 20:12 UTC (permalink / raw) To: James Carter; +Cc: SElinux list James Carter <jwcart2@gmail.com> writes: > On Fri, Jul 31, 2020 at 3:26 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> >> James Carter <jwcart2@gmail.com> writes: >> >> > On Thu, Jul 30, 2020 at 9:14 AM Dominick Grift >> > <dominick.grift@defensec.nl> wrote: >> >> >> >> This was added for Androids Treble in 2017. >> >> >> >> I was unsure whether this belongs in type_statements or in conditional_statements. >> >> >> > >> > I think that it fits best with the type statements as you have it. >> > >> >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> >> >> --- >> >> v2: overriden is overridden >> >> v3: add link to README.md >> >> >> >> secilc/docs/README.md | 1 + >> >> secilc/docs/cil_type_statements.md | 38 ++++++++++++++++++++++++++++++ >> >> 2 files changed, 39 insertions(+) >> >> >> >> diff --git a/secilc/docs/README.md b/secilc/docs/README.md >> >> index 3f1838e6..efab2a71 100644 >> >> --- a/secilc/docs/README.md >> >> +++ b/secilc/docs/README.md >> >> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) >> >> * [typealiasactual](cil_type_statements.md#typealiasactual) >> >> * [typeattribute](cil_type_statements.md#typeattribute) >> >> * [typeattributeset](cil_type_statements.md#typeattributeset) >> >> + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) >> >> * [typebounds](cil_type_statements.md#typebounds) >> >> * [typechange](cil_type_statements.md#typechange) >> >> * [typemember](cil_type_statements.md#typemember) >> >> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md >> >> index f9dd3a76..f819b3c6 100644 >> >> --- a/secilc/docs/cil_type_statements.md 
>> >> +++ b/secilc/docs/cil_type_statements.md 
>> >> @@ -213,6 +213,44 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p >> >> ) >> >> ) >> >> >> >> +expandtypeattribute >> >> +------------------- >> >> + >> >> +Allows expansion compiler defaults for one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to be overridden. >> > >> > The wording confused me at first. >> > I think "Overrides the compiler defaults for the expansion of one ... >> > identifiers." would be clearer. >> > >> >> + >> >> +**Statement definition:** >> >> + >> >> + (expandtypeattribute typeattribute_id true|false) >> >> + >> >> +**Where:** >> >> + >> >> +<table> >> >> +<colgroup> >> >> +<col width="25%" /> >> >> +<col width="75%" /> >> >> +</colgroup> >> >> +<tbody> >> >> +<tr class="odd"> >> >> +<td align="left"><p><code>expandtypeattribute</code></p></td> >> >> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> >> >> +</tr> >> >> +<tr class="even"> >> >> +<td align="left"><p><code>typeattribute_id</code></p></td> >> >> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers.</p></td> >> >> +</tr> >> >> +<tr class="odd"> >> >> +<td align="left"><p><code>true | false</code></p></td> >> >> +<td align="left"><p>Either true or false.</p></td> >> >> +</tr> >> >> +</tbody> >> >> +</table> >> >> + >> >> +**Example:** >> >> + >> >> +This example will use the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. >> >> + >> >> + (expandtypeattribute domain true) >> >> + >> > >> > It would be nice to have another example that shows a list of type >> > attributes, so there is an example of that syntax as well. >> >> I was looking into an example but turns out that either i am >> misunderstanding this functionality or that it does not work as advertised: >> >> Example: >> >> 1. compiler defaults to expand typeattributes with less >> than four members >> 2. 
override pets and dogs expansion in policy
>>
>> # cat > mytest.cil <<EOF
>> (sid mysid)
>> (sidorder (mysid))
>>
>> (class myclass (mypermission))
>> (classorder (unordered myclass))
>>
>> (type blue)
>> (type green)
>> (type red)
>> (typeattribute colors)
>> (typeattributeset colors (blue green red))
>>
>> (type dog)
>> (type cat)
>> (type goldfish)
>> (typeattribute pets)
>> (typeattributeset pets (dog cat goldfish))
>>
>> (dontaudit pets colors (myclass (mypermission)))
>>
>> (expandtypeattribute (colors pets) false)
>> EOF
>>
>> # secilc -v -X 4 mytest.cil
>> # sesearch policy.32 --dontaudit
>>
>
> The key is that expandtypeattribute works differently for the default
> behavior than when you ask for attributes to be expanded.
>
> The default rules for removing attributes are complex. In general,
> attributes automatically created when converting a binary module to
> CIL; attributes that are not used in allow and dontaudit rules; and
> attributes that have only one type assigned are all removed. This
> means that the attribute rule and the typeattributeset rules for the
> attribute are removed and all rules using the attribute are expanded.
> Using expandtypeattribute in this case will keep the attribute
> declaration, the typeattributeset rules, and any allow rules.
>
> When you use "-X SIZE" all allow rules with attributes that contain
> less than SIZE types will be expanded and the attribute removed. Using
> expandtypeattribute in this case will cause the attribute declaration
> and the typeattributeset rules to be retained, but the allow rules
> will still be expanded.
>
> I just verified that everything does work like that.
>
> It is a bit of a mess, but it is working as intended.
>
> I probably need to document how the default expansion works. ;)

So that makes the "false" scenario practically irrelevant? When would
one ever use "false" instead of "true"?

>
> Thanks,
> Jim
>
>
>> >
>> > Thanks for doing this.
>> > Jim >> > >> >> typebounds >> >> ---------- >> >> >> >> -- >> >> 2.28.0.rc1 >> >> >> >> -- >> gpg --locate-keys dominick.grift@defensec.nl >> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 >> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 >> Dominick Grift -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v3] secilc/docs: document expandtypeattribute 2020-07-31 20:12 ` Dominick Grift @ 2020-07-31 20:22 ` James Carter 2020-07-31 21:07 ` Dominick Grift 0 siblings, 1 reply; 20+ messages in thread From: James Carter @ 2020-07-31 20:22 UTC (permalink / raw) To: Dominick Grift; +Cc: SElinux list On Fri, Jul 31, 2020 at 4:12 PM Dominick Grift <dominick.grift@defensec.nl> wrote: > > James Carter <jwcart2@gmail.com> writes: > > > On Fri, Jul 31, 2020 at 3:26 AM Dominick Grift > > <dominick.grift@defensec.nl> wrote: > >> > >> James Carter <jwcart2@gmail.com> writes: > >> > >> > On Thu, Jul 30, 2020 at 9:14 AM Dominick Grift > >> > <dominick.grift@defensec.nl> wrote: > >> >> > >> >> This was added for Androids Treble in 2017. > >> >> > >> >> I was unsure whether this belongs in type_statements or in conditional_statements. > >> >> > >> > > >> > I think that it fits best with the type statements as you have it. > >> > > >> >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> > >> >> --- > >> >> v2: overriden is overridden > >> >> v3: add link to README.md > >> >> > >> >> secilc/docs/README.md | 1 + > >> >> secilc/docs/cil_type_statements.md | 38 ++++++++++++++++++++++++++++++ > >> >> 2 files changed, 39 insertions(+) > >> >> > >> >> diff --git a/secilc/docs/README.md b/secilc/docs/README.md > >> >> index 3f1838e6..efab2a71 100644 > >> >> --- a/secilc/docs/README.md > >> >> +++ b/secilc/docs/README.md > >> >> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) > >> >> * [typealiasactual](cil_type_statements.md#typealiasactual) > >> >> * [typeattribute](cil_type_statements.md#typeattribute) > >> >> * [typeattributeset](cil_type_statements.md#typeattributeset) > >> >> + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) > >> >> * [typebounds](cil_type_statements.md#typebounds) > >> >> * [typechange](cil_type_statements.md#typechange) > >> >> * [typemember](cil_type_statements.md#typemember) 
> >> >> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md > >> >> index f9dd3a76..f819b3c6 100644 > >> >> --- a/secilc/docs/cil_type_statements.md > >> >> +++ b/secilc/docs/cil_type_statements.md 
> >> >> @@ -213,6 +213,44 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p > >> >> ) > >> >> ) > >> >> > >> >> +expandtypeattribute > >> >> +------------------- > >> >> + > >> >> +Allows expansion compiler defaults for one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to be overridden. > >> > > >> > The wording confused me at first. > >> > I think "Overrides the compiler defaults for the expansion of one ... > >> > identifiers." would be clearer. > >> > > >> >> + > >> >> +**Statement definition:** > >> >> + > >> >> + (expandtypeattribute typeattribute_id true|false) > >> >> + > >> >> +**Where:** > >> >> + > >> >> +<table> > >> >> +<colgroup> > >> >> +<col width="25%" /> > >> >> +<col width="75%" /> > >> >> +</colgroup> > >> >> +<tbody> > >> >> +<tr class="odd"> > >> >> +<td align="left"><p><code>expandtypeattribute</code></p></td> > >> >> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> > >> >> +</tr> > >> >> +<tr class="even"> > >> >> +<td align="left"><p><code>typeattribute_id</code></p></td> > >> >> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers.</p></td> > >> >> +</tr> > >> >> +<tr class="odd"> > >> >> +<td align="left"><p><code>true | false</code></p></td> > >> >> +<td align="left"><p>Either true or false.</p></td> > >> >> +</tr> > >> >> +</tbody> > >> >> +</table> > >> >> + > >> >> +**Example:** > >> >> + > >> >> +This example will use the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. > >> >> + > >> >> + (expandtypeattribute domain true) > >> >> + > >> > > >> > It would be nice to have another example that shows a list of type > >> > attributes, so there is an example of that syntax as well. 
> >>
> >> I was looking into an example but turns out that either I am
> >> misunderstanding this functionality or that it does not work as advertised:
> >>
> >> Example:
> >>
> >> 1. compiler defaults to expand typeattributes with less
> >> than four members
> >> 2. override pets and dogs expansion in policy
> >>
> >> # cat > mytest.cil <<EOF
> >> (sid mysid)
> >> (sidorder (mysid))
> >>
> >> (class myclass (mypermission))
> >> (classorder (unordered myclass))
> >>
> >> (type blue)
> >> (type green)
> >> (type red)
> >> (typeattribute colors)
> >> (typeattributeset colors (blue green red))
> >>
> >> (type dog)
> >> (type cat)
> >> (type goldfish)
> >> (typeattribute pets)
> >> (typeattributeset pets (dog cat goldfish))
> >>
> >> (dontaudit pets colors (myclass (mypermission)))
> >>
> >> (expandtypeattribute (colors pets) false)
> >> EOF
> >>
> >> # secilc -v -X 4 mytest.cil
> >> # sesearch policy.32 --dontaudit
> >>
> >
> > The key is that expandtypeattribute works differently for the default
> > behavior than when you ask for attributes to be expanded.
> >
> > The default rules for removing attributes are complex. In general,
> > attributes automatically created when converting a binary module to
> > CIL; attributes that are not used in allow and dontaudit rules; and
> > attributes that have only one type assigned are all removed. This
> > means that the attribute rule and the typeattributeset rules for the
> > attribute are removed and all rules using the attribute are expanded.
> > Using expandtypeattribute in this case will keep the attribute
> > declaration, the typeattributeset rules, and any allow rules.
> >
> > When you use "-X SIZE" all allow rules with attributes that contain
> > less than SIZE types will be expanded and the attribute removed. Using
> > expandtypeattribute in this case will cause the attribute declaration
> > and the typeattributeset rules to be retained, but the allow rules
> > will still be expanded.
> >
> > I just verified that everything does work like that.
> >
> > It is a bit of a mess, but it is working as intended.
> >
> > I probably need to document how the default expansion works. ;)
>
> So that makes the "false" scenario practically irrelevant? When would
> one ever use "false" instead of "true"?
>

That is actually the most valuable option. It is the way to ensure
that an attribute definition is not removed. It is being used, for
example, by Google to keep attributes that are used in the neverallow
rules in their compatibility test suite from being expanded.

Jim

> >
> > Thanks,
> > Jim
> >
> >
> >> >
> >> > Thanks for doing this.
> >> > Jim
> >> >
> >> >> typebounds
> >> >> ----------
> >> >>
> >> >> --
> >> >> 2.28.0.rc1
> >> >>
> >>
> >> --
> >> gpg --locate-keys dominick.grift@defensec.nl
> >> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
> >> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
> >> Dominick Grift
>
> --
> gpg --locate-keys dominick.grift@defensec.nl
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
> Dominick Grift
* Re: [PATCH v3] secilc/docs: document expandtypeattribute 2020-07-31 20:22 ` James Carter @ 2020-07-31 21:07 ` Dominick Grift 0 siblings, 0 replies; 20+ messages in thread From: Dominick Grift @ 2020-07-31 21:07 UTC (permalink / raw) To: James Carter; +Cc: SElinux list James Carter <jwcart2@gmail.com> writes: > On Fri, Jul 31, 2020 at 4:12 PM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> >> James Carter <jwcart2@gmail.com> writes: >> >> > On Fri, Jul 31, 2020 at 3:26 AM Dominick Grift >> > <dominick.grift@defensec.nl> wrote: >> >> >> >> James Carter <jwcart2@gmail.com> writes: >> >> >> >> > On Thu, Jul 30, 2020 at 9:14 AM Dominick Grift >> >> > <dominick.grift@defensec.nl> wrote: >> >> >> >> >> >> This was added for Androids Treble in 2017. >> >> >> >> >> >> I was unsure whether this belongs in type_statements or in conditional_statements. >> >> >> >> >> > >> >> > I think that it fits best with the type statements as you have it. >> >> > >> >> >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> >> >> >> --- >> >> >> v2: overriden is overridden >> >> >> v3: add link to README.md >> >> >> >> >> >> secilc/docs/README.md | 1 + >> >> >> secilc/docs/cil_type_statements.md | 38 ++++++++++++++++++++++++++++++ >> >> >> 2 files changed, 39 insertions(+) >> >> >> >> >> >> diff --git a/secilc/docs/README.md b/secilc/docs/README.md >> >> >> index 3f1838e6..efab2a71 100644 >> >> >> --- a/secilc/docs/README.md >> >> >> +++ b/secilc/docs/README.md 
>> >> >> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) >> >> >> * [typealiasactual](cil_type_statements.md#typealiasactual) >> >> >> * [typeattribute](cil_type_statements.md#typeattribute) >> >> >> * [typeattributeset](cil_type_statements.md#typeattributeset) >> >> >> + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) >> >> >> * [typebounds](cil_type_statements.md#typebounds) >> >> >> * [typechange](cil_type_statements.md#typechange) >> >> >> * [typemember](cil_type_statements.md#typemember) >> >> >> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md >> >> >> index f9dd3a76..f819b3c6 100644 >> >> >> --- a/secilc/docs/cil_type_statements.md >> >> >> +++ b/secilc/docs/cil_type_statements.md 
>> >> >> @@ -213,6 +213,44 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p >> >> >> ) >> >> >> ) >> >> >> >> >> >> +expandtypeattribute >> >> >> +------------------- >> >> >> + >> >> >> +Allows expansion compiler defaults for one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers to be overridden. >> >> > >> >> > The wording confused me at first. >> >> > I think "Overrides the compiler defaults for the expansion of one ... >> >> > identifiers." would be clearer. >> >> > >> >> >> + >> >> >> +**Statement definition:** >> >> >> + >> >> >> + (expandtypeattribute typeattribute_id true|false) >> >> >> + >> >> >> +**Where:** >> >> >> + >> >> >> +<table> >> >> >> +<colgroup> >> >> >> +<col width="25%" /> >> >> >> +<col width="75%" /> >> >> >> +</colgroup> >> >> >> +<tbody> >> >> >> +<tr class="odd"> >> >> >> +<td align="left"><p><code>expandtypeattribute</code></p></td> >> >> >> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> >> >> >> +</tr> >> >> >> +<tr class="even"> >> >> >> +<td align="left"><p><code>typeattribute_id</code></p></td> >> >> >> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers.</p></td> >> >> >> +</tr> >> >> >> +<tr class="odd"> >> >> >> +<td align="left"><p><code>true | false</code></p></td> >> >> >> +<td align="left"><p>Either true or false.</p></td> >> >> >> +</tr> >> >> >> +</tbody> >> >> >> +</table> >> >> >> + >> >> >> +**Example:** >> >> >> + >> >> >> +This example will use the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. >> >> >> + >> >> >> + (expandtypeattribute domain true) >> >> >> + >> >> > >> >> > It would be nice to have another example that shows a list of type >> >> > attributes, so there is an example of that syntax as well. 
>> >>
>> >> I was looking into an example but turns out that either I am
>> >> misunderstanding this functionality or that it does not work as advertised:
>> >>
>> >> Example:
>> >>
>> >> 1. compiler defaults to expand typeattributes with less
>> >> than four members
>> >> 2. override pets and dogs expansion in policy
>> >>
>> >> # cat > mytest.cil <<EOF
>> >> (sid mysid)
>> >> (sidorder (mysid))
>> >>
>> >> (class myclass (mypermission))
>> >> (classorder (unordered myclass))
>> >>
>> >> (type blue)
>> >> (type green)
>> >> (type red)
>> >> (typeattribute colors)
>> >> (typeattributeset colors (blue green red))
>> >>
>> >> (type dog)
>> >> (type cat)
>> >> (type goldfish)
>> >> (typeattribute pets)
>> >> (typeattributeset pets (dog cat goldfish))
>> >>
>> >> (dontaudit pets colors (myclass (mypermission)))
>> >>
>> >> (expandtypeattribute (colors pets) false)
>> >> EOF
>> >>
>> >> # secilc -v -X 4 mytest.cil
>> >> # sesearch policy.32 --dontaudit
>> >>
>> >
>> > The key is that expandtypeattribute works differently for the default
>> > behavior than when you ask for attributes to be expanded.
>> >
>> > The default rules for removing attributes are complex. In general,
>> > attributes automatically created when converting a binary module to
>> > CIL; attributes that are not used in allow and dontaudit rules; and
>> > attributes that have only one type assigned are all removed. This
>> > means that the attribute rule and the typeattributeset rules for the
>> > attribute are removed and all rules using the attribute are expanded.
>> > Using expandtypeattribute in this case will keep the attribute
>> > declaration, the typeattributeset rules, and any allow rules.
>> >
>> > When you use "-X SIZE" all allow rules with attributes that contain
>> > less than SIZE types will be expanded and the attribute removed. Using
>> > expandtypeattribute in this case will cause the attribute declaration
>> > and the typeattributeset rules to be retained, but the allow rules
>> > will still be expanded.
>> >
>> > I just verified that everything does work like that.
>> >
>> > It is a bit of a mess, but it is working as intended.
>> >
>> > I probably need to document how the default expansion works. ;)
>>
>>
>> So that makes the "false" scenario practically irrelevant? When would
>> one ever use "false" instead of "true"?
>>
>
> That is actually the most valuable option. It is the way to ensure
> that an attribute definition is not removed. It is being used, for
> example, by Google to keep attributes that are used in the neverallow
> rules in their compatibility test suite from being expanded.

Good thing it is Friday. I think I need to sleep on this a couple of
days and see if I can make some sense out of all of this.

>
> Jim
>
>> >
>> > Thanks,
>> > Jim
>> >
>> >
>> >> >
>> >> > Thanks for doing this.
>> >> > Jim
>> >> >
>> >> >> typebounds
>> >> >> ----------
>> >> >>
>> >> >> --
>> >> >> 2.28.0.rc1
>> >> >>
>> >>
>> >> --
>> >> gpg --locate-keys dominick.grift@defensec.nl
>> >> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
>> >> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
>> >> Dominick Grift
>>
>> --
>> gpg --locate-keys dominick.grift@defensec.nl
>> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
>> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
>> Dominick Grift

--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* [PATCH v4] secilc/docs: document expandtypeattribute 2020-07-30 22:22 ` James Carter 2020-07-31 7:26 ` Dominick Grift @ 2020-08-02 12:34 ` Dominick Grift 2020-08-03 20:56 ` James Carter 1 sibling, 1 reply; 20+ messages in thread From: Dominick Grift @ 2020-08-02 12:34 UTC (permalink / raw) To: selinux; +Cc: Dominick Grift This was added for Androids Treble in 2017. Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> --- v2: overriden is overridden v3: add link to README.md v4: rephrase and add another example secilc/docs/README.md | 1 + secilc/docs/cil_type_statements.md | 44 ++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/secilc/docs/README.md b/secilc/docs/README.md index 3f1838e6..efab2a71 100644 --- a/secilc/docs/README.md +++ b/secilc/docs/README.md @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) * [typealiasactual](cil_type_statements.md#typealiasactual) * [typeattribute](cil_type_statements.md#typeattribute) * [typeattributeset](cil_type_statements.md#typeattributeset) + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) * [typebounds](cil_type_statements.md#typebounds) * [typechange](cil_type_statements.md#typechange) * [typemember](cil_type_statements.md#typemember) diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md index f9dd3a76..41f0f01a 100644 --- a/secilc/docs/cil_type_statements.md +++ b/secilc/docs/cil_type_statements.md 
@@ -213,6 +213,50 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p ) ) +expandtypeattribute +------------------- + +Overrides the compiler defaults for the expansion of one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers. + +Note that this statement can be overridden at compile-time with `secilc -X SIZE` and that this functionality is not intended to override `secilc -X SIZE` for individual type attributes! + +**Statement definition:** + + (expandtypeattribute typeattribute_id true|false) + +**Where:** + +<table> +<colgroup> +<col width="25%" /> +<col width="75%" /> +</colgroup> +<tbody> +<tr class="odd"> +<td align="left"><p><code>expandtypeattribute</code></p></td> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> +</tr> +<tr class="even"> +<td align="left"><p><code>typeattribute_id</code></p></td> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers. Multiple entries consist of a space separated list enclosed in parentheses '()'.</p></td> +</tr> +<tr class="odd"> +<td align="left"><p><code>true | false</code></p></td> +<td align="left"><p>Either true or false.</p></td> +</tr> +</tbody> +</table> + +**Examples:** + +This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. + + (expandtypeattribute domain true) + +This example uses the expandtypeattribute statement to not expand previously declared `file_type` and `port_type` type attributes regardless of compiler defaults. + + (expandtypeattribute (file_type port_type) false) + typebounds ---------- -- 2.28.0 ^ permalink raw reply related [flat|nested] 20+ messages in thread
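Review bot: the `true | false` row of the table ("Either true or false") does not say what each value does, which is the one thing a reader of this section needs; the explanation given in the replies on this thread fits there: `true` expands every rule that uses the attribute and removes the attribute from the policy, `false` keeps the attribute declaration and its `typeattributeset` rules even when the compiler defaults or `secilc -X SIZE` expand the rules that use it. Spelling that out would also reconcile the `-X SIZE` note with the second example, which promises no expansion "regardless of compiler defaults" while the note says `-X` still takes precedence for the rules.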
* Re: [PATCH v4] secilc/docs: document expandtypeattribute 2020-08-02 12:34 ` [PATCH v4] " Dominick Grift @ 2020-08-03 20:56 ` James Carter 2020-08-04 7:18 ` Dominick Grift 0 siblings, 1 reply; 20+ messages in thread From: James Carter @ 2020-08-03 20:56 UTC (permalink / raw) To: Dominick Grift; +Cc: SElinux list On Sun, Aug 2, 2020 at 8:39 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > > This was added for Androids Treble in 2017. > > Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> > --- > v2: overriden is overridden > v3: add link to README.md > v4: rephrase and add another example > > secilc/docs/README.md | 1 + > secilc/docs/cil_type_statements.md | 44 ++++++++++++++++++++++++++++++ > 2 files changed, 45 insertions(+) > > diff --git a/secilc/docs/README.md b/secilc/docs/README.md > index 3f1838e6..efab2a71 100644 > --- a/secilc/docs/README.md > +++ b/secilc/docs/README.md > @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) > * [typealiasactual](cil_type_statements.md#typealiasactual) > * [typeattribute](cil_type_statements.md#typeattribute) > * [typeattributeset](cil_type_statements.md#typeattributeset) > + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) > * [typebounds](cil_type_statements.md#typebounds) > * [typechange](cil_type_statements.md#typechange) > * [typemember](cil_type_statements.md#typemember) > diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md > index f9dd3a76..41f0f01a 100644 > --- a/secilc/docs/cil_type_statements.md > +++ b/secilc/docs/cil_type_statements.md 
> @@ -213,6 +213,50 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p
> )
> )
>
> +expandtypeattribute
> +-------------------
> +
> +Overrides the compiler defaults for the expansion of one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers.
> +
> +Note that this statement can be overridden at compile-time with `secilc -X SIZE` and that this functionality is not intended to override `secilc -X SIZE` for individual type attributes!
> +

I didn't mention the "-X" option in my reply to the selinux notebook
patch. This is like what I mentioned in the selinux notebook, but
mentions the "-X" option.

Gives more control over type attribute expansion and removal. When the
value is true, all rules involving the type attribute will be expanded
and the type attribute will be removed from the policy. When the value
is false, the type attribute will not be removed from the policy, even
if the default expand rules or "-X" option cause the rules involving
the type attribute to be expanded.

Thanks,
Jim

> +**Statement definition:**
> +
> + (expandtypeattribute typeattribute_id true|false)
> +
> +**Where:**
> +
> +<table>
> +<colgroup>
> +<col width="25%" />
> +<col width="75%" />
> +</colgroup>
> +<tbody>
> +<tr class="odd">
> +<td align="left"><p><code>expandtypeattribute</code></p></td>
> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td>
> +</tr>
> +<tr class="even">
> +<td align="left"><p><code>typeattribute_id</code></p></td>
> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers. Multiple entries consist of a space separated list enclosed in parentheses '()'.</p></td>
> +</tr>
> +<tr class="odd">
> +<td align="left"><p><code>true | false</code></p></td>
> +<td align="left"><p>Either true or false.</p></td>
> +</tr>
> +</tbody>
> +</table>
> +
> +**Examples:**
> +
> +This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute.
> +
> + (expandtypeattribute domain true)
> +
> +This example uses the expandtypeattribute statement to not expand previously declared `file_type` and `port_type` type attributes regardless of compiler defaults.
> +
> + (expandtypeattribute (file_type port_type) false)
> +
> typebounds
> ----------
>
> --
> 2.28.0
>
* Re: [PATCH v4] secilc/docs: document expandtypeattribute 2020-08-03 20:56 ` James Carter @ 2020-08-04 7:18 ` Dominick Grift 2020-08-04 14:45 ` James Carter 0 siblings, 1 reply; 20+ messages in thread From: Dominick Grift @ 2020-08-04 7:18 UTC (permalink / raw) To: James Carter; +Cc: SElinux list James Carter <jwcart2@gmail.com> writes: > On Sun, Aug 2, 2020 at 8:39 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> >> This was added for Androids Treble in 2017. >> >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> >> --- >> v2: overriden is overridden >> v3: add link to README.md >> v4: rephrase and add another example >> >> secilc/docs/README.md | 1 + >> secilc/docs/cil_type_statements.md | 44 ++++++++++++++++++++++++++++++ >> 2 files changed, 45 insertions(+) >> >> diff --git a/secilc/docs/README.md b/secilc/docs/README.md >> index 3f1838e6..efab2a71 100644 >> --- a/secilc/docs/README.md >> +++ b/secilc/docs/README.md >> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) >> * [typealiasactual](cil_type_statements.md#typealiasactual) >> * [typeattribute](cil_type_statements.md#typeattribute) >> * [typeattributeset](cil_type_statements.md#typeattributeset) >> + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) >> * [typebounds](cil_type_statements.md#typebounds) >> * [typechange](cil_type_statements.md#typechange) >> * [typemember](cil_type_statements.md#typemember) >> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md >> index f9dd3a76..41f0f01a 100644 >> --- a/secilc/docs/cil_type_statements.md >> +++ b/secilc/docs/cil_type_statements.md 
>> @@ -213,6 +213,50 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p
>> )
>> )
>>
>> +expandtypeattribute
>> +-------------------
>> +
>> +Overrides the compiler defaults for the expansion of one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers.
>> +
>> +Note that this statement can be overridden at compile-time with `secilc -X SIZE` and that this functionality is not intended to override `secilc -X SIZE` for individual type attributes!
>> +

<snip>

> When the value
> is false, the type attribute will not be removed from the policy, even
> if the default expand rules or "-X" option cause the rules involving
> the type attribute to be expanded.

Yes but I cannot produce that. In my earlier test the type attribute
was expanded regardless of the -X option.

In my test I instructed secilc to expand all attributes with more than 3
members (-X 4), then I added an expandtypeattribute statement telling
secilc to not expand pets and colors.

The result was that it expanded pets and colors anyway.

>
> Thanks,
> Jim
>
>> +**Statement definition:**
>> +
>> + (expandtypeattribute typeattribute_id true|false)
>> +
>> +**Where:**
>> +
>> +<table>
>> +<colgroup>
>> +<col width="25%" />
>> +<col width="75%" />
>> +</colgroup>
>> +<tbody>
>> +<tr class="odd">
>> +<td align="left"><p><code>expandtypeattribute</code></p></td>
>> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td>
>> +</tr>
>> +<tr class="even">
>> +<td align="left"><p><code>typeattribute_id</code></p></td>
>> +<td align="left"><p>One or more previously declared
>> <code>typeattribute</code> identifiers. Multiple entries consist of
>> a space separated list enclosed in parentheses '()'.</p></td>
>> +</tr>
>> +<tr class="odd">
>> +<td align="left"><p><code>true | false</code></p></td>
>> +<td align="left"><p>Either true or false.</p></td>
>> +</tr>
>> +</tbody>
>> +</table>
>> +
>> +**Examples:**
>> +
>> +This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute.
>> +
>> + (expandtypeattribute domain true)
>> +
>> +This example uses the expandtypeattribute statement to not expand
>> previously declared `file_type` and `port_type` type attributes
>> regardless of compiler defaults.
>> +
>> + (expandtypeattribute (file_type port_type) false)
>> +
>> typebounds
>> ----------
>>
>> --
>> 2.28.0
>>

--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: [PATCH v4] secilc/docs: document expandtypeattribute 2020-08-04 7:18 ` Dominick Grift @ 2020-08-04 14:45 ` James Carter 2020-08-04 15:48 ` Dominick Grift 0 siblings, 1 reply; 20+ messages in thread From: James Carter @ 2020-08-04 14:45 UTC (permalink / raw) To: Dominick Grift; +Cc: SElinux list On Tue, Aug 4, 2020 at 3:18 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > > James Carter <jwcart2@gmail.com> writes: > > > On Sun, Aug 2, 2020 at 8:39 AM Dominick Grift > > <dominick.grift@defensec.nl> wrote: > >> > >> This was added for Androids Treble in 2017. > >> > >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> > >> --- > >> v2: overriden is overridden > >> v3: add link to README.md > >> v4: rephrase and add another example > >> > >> secilc/docs/README.md | 1 + > >> secilc/docs/cil_type_statements.md | 44 ++++++++++++++++++++++++++++++ > >> 2 files changed, 45 insertions(+) > >> > >> diff --git a/secilc/docs/README.md b/secilc/docs/README.md > >> index 3f1838e6..efab2a71 100644 > >> --- a/secilc/docs/README.md > >> +++ b/secilc/docs/README.md > >> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) > >> * [typealiasactual](cil_type_statements.md#typealiasactual) > >> * [typeattribute](cil_type_statements.md#typeattribute) > >> * [typeattributeset](cil_type_statements.md#typeattributeset) > >> + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) > >> * [typebounds](cil_type_statements.md#typebounds) > >> * [typechange](cil_type_statements.md#typechange) > >> * [typemember](cil_type_statements.md#typemember) > >> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md > >> index f9dd3a76..41f0f01a 100644 > >> --- a/secilc/docs/cil_type_statements.md > >> +++ b/secilc/docs/cil_type_statements.md 
> >> @@ -213,6 +213,50 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p
> >> )
> >> )
> >>
> >> +expandtypeattribute
> >> +-------------------
> >> +
> >> +Overrides the compiler defaults for the expansion of one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers.
> >> +
> >> +Note that this statement can be overridden at compile-time with `secilc -X SIZE` and that this functionality is not intended to override `secilc -X SIZE` for individual type attributes!
> >> +
>
> <snip>
>
> > When the value
> > is false, the type attribute will not be removed from the policy, even
> > if the default expand rules or "-X" option cause the rules involving
> > the type attribute to be expanded.
>
> Yes but I cannot produce that. In my earlier test the type attribute
> was expanded regardless of the -X option.
>
> In my test I instructed secilc to expand all attributes with more than 3
> members (-X 4), then I added an expandtypeattribute statement telling
> secilc to not expand pets and colors.
>
> The result was that it expanded pets and colors anyway.
>

I see the source of your confusion now. "-X 4" means that all
attributes with LESS than 4 types associated with it will be expanded.

Jim

> >
> > Thanks,
> > Jim
> >
> >> +**Statement definition:**
> >> +
> >> + (expandtypeattribute typeattribute_id true|false)
> >> +
> >> +**Where:**
> >> +
> >> +<table>
> >> +<colgroup>
> >> +<col width="25%" />
> >> +<col width="75%" />
> >> +</colgroup>
> >> +<tbody>
> >> +<tr class="odd">
> >> +<td align="left"><p><code>expandtypeattribute</code></p></td>
> >> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td>
> >> +</tr>
> >> +<tr class="even">
> >> +<td align="left"><p><code>typeattribute_id</code></p></td>
> >> +<td align="left"><p>One or more previously declared
> >> <code>typeattribute</code> identifiers. Multiple entries consist of
> >> a space separated list enclosed in parentheses '()'.</p></td>
> >> +</tr>
> >> +<tr class="odd">
> >> +<td align="left"><p><code>true | false</code></p></td>
> >> +<td align="left"><p>Either true or false.</p></td>
> >> +</tr>
> >> +</tbody>
> >> +</table>
> >> +
> >> +**Examples:**
> >> +
> >> +This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute.
> >> +
> >> + (expandtypeattribute domain true)
> >> +
> >> +This example uses the expandtypeattribute statement to not expand
> >> previously declared `file_type` and `port_type` type attributes
> >> regardless of compiler defaults.
> >> +
> >> + (expandtypeattribute (file_type port_type) false)
> >> +
> >> typebounds
> >> ----------
> >>
> >> --
> >> 2.28.0
> >>
>
> --
> gpg --locate-keys dominick.grift@defensec.nl
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
> Dominick Grift
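The rules Jim lays out in this thread can be turned into a small executable model: by default an attribute is dropped (and the rules using it expanded) when no allow/dontaudit rule uses it or it has a single member; `-X SIZE` expands every attribute with fewer than SIZE members; `true` forces expansion and removal; `false` keeps the declaration and `typeattributeset` rules, but under `-X` the rules are still expanded. The Python below is an added illustration written for this page, not secilc's own code, and it simplifies the "complex" defaults Jim mentions: the auto-generated-attribute case has no CIL source form and is omitted, only the plain member-list form of `typeattributeset` is parsed, and `expand_size=0` stands for `-X` not being given (an assumption of the model). The embedded sample is the `mytest.cil` from Dominick's test earlier in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the mytest.cil from Dominick's test in this thread, embedded so it runs offline.
SAMPLE_CIL = """
(sid mysid) (sidorder (mysid))
(class myclass (mypermission)) (classorder (unordered myclass))
(type blue) (type green) (type red)
(typeattribute colors) (typeattributeset colors (blue green red))
(type dog) (type cat) (type goldfish)
(typeattribute pets) (typeattributeset pets (dog cat goldfish))
(dontaudit pets colors (myclass (mypermission)))
(expandtypeattribute (colors pets) false)
"""

AV_RULES = ("allow", "dontaudit", "auditallow")  # rule kinds that count as "using" an attribute


@dataclass
class Policy:
    attrs: dict = field(default_factory=dict)   # attribute -> set of member types
    rules: list = field(default_factory=list)   # (kind, source, target, classperms)
    expand: dict = field(default_factory=dict)  # attribute -> bool from expandtypeattribute


def parse_sexprs(text):
    """Minimal CIL s-expression reader: returns nested lists of string atoms."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def _as_list(x):
    return x if isinstance(x, list) else [x]


def load_policy(text):
    """Collect the statements the model needs; expandtypeattribute is validated as the doc describes."""
    p = Policy()
    for stmt in parse_sexprs(text):
        kw = stmt[0]
        if kw == "typeattribute":
            p.attrs[stmt[1]] = set()
        elif kw == "typeattributeset":
            attr, members = stmt[1], _as_list(stmt[2])
            if attr not in p.attrs:
                raise ValueError(f"typeattributeset: undeclared attribute {attr}")
            if any(isinstance(m, list) or m in ("and", "or", "xor", "not", "all") for m in members):
                raise ValueError("set expressions are not modelled, only plain member lists")
            p.attrs[attr].update(members)
        elif kw in AV_RULES:
            p.rules.append((kw, stmt[1], stmt[2], stmt[3]))
        elif kw == "expandtypeattribute":
            ids, flag = _as_list(stmt[1]), stmt[2]   # a single id or a parenthesised list
            if flag not in ("true", "false"):
                raise ValueError(f"expandtypeattribute: expected true|false, got {flag!r}")
            for attr in ids:
                if attr not in p.attrs:
                    raise ValueError(f"expandtypeattribute: undeclared attribute {attr}")
                p.expand[attr] = flag == "true"
    return p


def decide(policy, expand_size=0):
    """Map each attribute to (rules_expanded, attribute_removed).

    expand_size models 'secilc -X SIZE': attributes with FEWER than SIZE members are
    expanded. 0 stands for the option not being given (an assumption of this model).
    """
    used = {x for (_, s, t, _) in policy.rules for x in (s, t) if x in policy.attrs}
    out = {}
    for attr, members in policy.attrs.items():
        override = policy.expand.get(attr)
        if override is True:                            # true: expand its rules and drop it
            out[attr] = (True, True)
        elif expand_size and len(members) < expand_size:
            out[attr] = (True, override is not False)   # -X wins for the rules; false keeps the declaration
        elif attr not in used or len(members) <= 1:     # default removal cases
            out[attr] = (False, False) if override is False else (True, True)
        else:
            out[attr] = (False, False)
    return out


def expand_rules(policy, expand_size=0):
    """Rewrite av rules as (kind, source, target), replacing expanded attributes by their members."""
    decisions = decide(policy, expand_size)

    def resolve(x):
        return sorted(policy.attrs[x]) if x in policy.attrs and decisions[x][0] else [x]

    return [(kind, s, t) for kind, src, tgt, _ in policy.rules
            for s in resolve(src) for t in resolve(tgt)]


if __name__ == "__main__":
    pol = load_policy(SAMPLE_CIL)
    for size in (0, 4):
        print(f"-X {size or 'not given'}: {decide(pol, size)}, {len(expand_rules(pol, size))} rule(s)")
```

With `expand_size=4` the model reports both `colors` and `pets` as rules-expanded but declaration-kept, which matches the `-X 4` run in the thread: three members is fewer than four, so the single `dontaudit` rule becomes nine type-to-type rules, and `false` only preserves the two attribute declarations. Without `-X`, both attributes are used in an av rule and have more than one member, so nothing is expanded and the one rule survives unchanged.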
* Re: [PATCH v4] secilc/docs: document expandtypeattribute 2020-08-04 14:45 ` James Carter @ 2020-08-04 15:48 ` Dominick Grift 2020-08-04 20:23 ` James Carter 0 siblings, 1 reply; 20+ messages in thread From: Dominick Grift @ 2020-08-04 15:48 UTC (permalink / raw) To: James Carter; +Cc: SElinux list James Carter <jwcart2@gmail.com> writes: > On Tue, Aug 4, 2020 at 3:18 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> >> James Carter <jwcart2@gmail.com> writes: >> >> > On Sun, Aug 2, 2020 at 8:39 AM Dominick Grift >> > <dominick.grift@defensec.nl> wrote: >> >> >> >> This was added for Androids Treble in 2017. >> >> >> >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> >> >> --- >> >> v2: overriden is overridden >> >> v3: add link to README.md >> >> v4: rephrase and add another example >> >> >> >> secilc/docs/README.md | 1 + >> >> secilc/docs/cil_type_statements.md | 44 ++++++++++++++++++++++++++++++ >> >> 2 files changed, 45 insertions(+) >> >> >> >> diff --git a/secilc/docs/README.md b/secilc/docs/README.md >> >> index 3f1838e6..efab2a71 100644 >> >> --- a/secilc/docs/README.md >> >> +++ b/secilc/docs/README.md >> >> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) >> >> * [typealiasactual](cil_type_statements.md#typealiasactual) >> >> * [typeattribute](cil_type_statements.md#typeattribute) >> >> * [typeattributeset](cil_type_statements.md#typeattributeset) >> >> + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) >> >> * [typebounds](cil_type_statements.md#typebounds) >> >> * [typechange](cil_type_statements.md#typechange) >> >> * [typemember](cil_type_statements.md#typemember) >> >> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md >> >> index f9dd3a76..41f0f01a 100644 >> >> --- a/secilc/docs/cil_type_statements.md >> >> +++ b/secilc/docs/cil_type_statements.md 
>> >> @@ -213,6 +213,50 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p
>> >> )
>> >> )
>> >>
>> >> +expandtypeattribute
>> >> +-------------------
>> >> +
>> >> +Overrides the compiler defaults for the expansion of one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers.
>> >> +
>> >> +Note that this statement can be overridden at compile-time with `secilc -X SIZE` and that this functionality is not intended to override `secilc -X SIZE` for individual type attributes!
>> >> +
>>
>> <snip>
>>
>> > When the value
>> > is false, the type attribute will not be removed from the policy, even
>> > if the default expand rules or "-X" option cause the rules involving
>> > the type attribute to be expanded.
>>
>> Yes but I cannot produce that. In my earlier test the type attribute
>> was expanded regardless of the -X option.
>>
>> In my test I instructed secilc to expand all attributes with more than 3
>> members (-X 4), then I added an expandtypeattribute statement telling
>> secilc to not expand pets and colors.
>>
>> The result was that it expanded pets and colors anyway.
>>
>
> I see the source of your confusion now. "-X 4" means that all
> attributes with LESS than 4 types associated with it will be expanded.

I think it's important to clarify this in the documentation, i.e.:
expandattribute false will not work if you use -X (-X will override the
false statement).

I think that is unintuitive, I would actually want to be able to for
example expand all attributes with less than 4 members except a few
specific ones.
> > Jim > >> > >> > Thanks, >> > Jim >> > >> >> +**Statement definition:** >> >> + >> >> + (expandtypeattribute typeattribute_id true|false) >> >> + >> >> +**Where:** >> >> + >> >> +<table> >> >> +<colgroup> >> >> +<col width="25%" /> >> >> +<col width="75%" /> >> >> +</colgroup> >> >> +<tbody> >> >> +<tr class="odd"> >> >> +<td align="left"><p><code>expandtypeattribute</code></p></td> >> >> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> >> >> +</tr> >> >> +<tr class="even"> >> >> +<td align="left"><p><code>typeattribute_id</code></p></td> >> >> +<td align="left"><p>One or more previously declared >> >> <code>typeattribute</code> identifiers. Multiple entries consist of >> >> a space separated list enclosed in parentheses '()'.</p></td> >> >> +</tr> >> >> +<tr class="odd"> >> >> +<td align="left"><p><code>true | false</code></p></td> >> >> +<td align="left"><p>Either true or false.</p></td> >> >> +</tr> >> >> +</tbody> >> >> +</table> >> >> + >> >> +**Examples:** >> >> + >> >> +This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. >> >> + >> >> + (expandtypeattribute domain true) >> >> + >> >> +This example uses the expandtypeattribute statement to not expand >> >> previously declared `file_type` and `port_type` type attributes >> >> regardless of compiler defaults. 
>> >> + >> >> + (expandtypeattribute (file_type port_type) false) >> >> + >> >> typebounds >> >> ---------- >> >> >> >> -- >> >> 2.28.0 >> >> >> >> -- >> gpg --locate-keys dominick.grift@defensec.nl >> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 >> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 >> Dominick Grift -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v4] secilc/docs: document expandtypeattribute 2020-08-04 15:48 ` Dominick Grift @ 2020-08-04 20:23 ` James Carter 2020-08-04 20:29 ` Dominick Grift 0 siblings, 1 reply; 20+ messages in thread From: James Carter @ 2020-08-04 20:23 UTC (permalink / raw) To: Dominick Grift; +Cc: SElinux list On Tue, Aug 4, 2020 at 11:48 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > > James Carter <jwcart2@gmail.com> writes: > > > On Tue, Aug 4, 2020 at 3:18 AM Dominick Grift > > <dominick.grift@defensec.nl> wrote: > >> > >> James Carter <jwcart2@gmail.com> writes: > >> > >> > On Sun, Aug 2, 2020 at 8:39 AM Dominick Grift > >> > <dominick.grift@defensec.nl> wrote: > >> >> > >> >> This was added for Androids Treble in 2017. > >> >> > >> >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> > >> >> --- > >> >> v2: overriden is overridden > >> >> v3: add link to README.md > >> >> v4: rephrase and add another example > >> >> > >> >> secilc/docs/README.md | 1 + > >> >> secilc/docs/cil_type_statements.md | 44 ++++++++++++++++++++++++++++++ > >> >> 2 files changed, 45 insertions(+) > >> >> > >> >> diff --git a/secilc/docs/README.md b/secilc/docs/README.md > >> >> index 3f1838e6..efab2a71 100644 > >> >> --- a/secilc/docs/README.md > >> >> +++ b/secilc/docs/README.md > >> >> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) > >> >> * [typealiasactual](cil_type_statements.md#typealiasactual) > >> >> * [typeattribute](cil_type_statements.md#typeattribute) > >> >> * [typeattributeset](cil_type_statements.md#typeattributeset) > >> >> + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) > >> >> * [typebounds](cil_type_statements.md#typebounds) > >> >> * [typechange](cil_type_statements.md#typechange) > >> >> * [typemember](cil_type_statements.md#typemember) > >> >> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md > >> >> index f9dd3a76..41f0f01a 100644 > >> >> --- a/secilc/docs/cil_type_statements.md 
> >> >> +++ b/secilc/docs/cil_type_statements.md 
> >> >> @@ -213,6 +213,50 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p > >> >> ) > >> >> ) > >> >> > >> >> +expandtypeattribute > >> >> +------------------- > >> >> + > >> >> +Overrides the compiler defaults for the expansion of one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers. > >> >> + > >> >> +Note that this statement can be overridden at compile-time with `secilc -X SIZE` and that this functionality is not intended to override `secilc -X SIZE` for individual type attributes! > >> >> + > >>
> >> <snip>
> >> > When the value is false, the type attribute will not be removed from the policy, even if the default expand rules or "-X" option cause the rules involving the type attribute to be expanded.
> >>
> >> Yes but I cannot produce that. In my earlier test the type attribute was expanded regardless of the -X option.
> >>
> >> In my test I instructed secilc to expand all attributes with more than 3 members (-X 4), then I added an expandtypeattribute statement telling secilc to not expand pets and colors.
> >>
> >> The result was that it expanded pets and colors anyway.
> >
> > I see the source of your confusion now. "-X 4" means that all attributes with LESS than 4 types associated with them will be expanded.
>
> I think it's important to clarify this in the documentation, i.e. expandattribute false will not work if you use -X (-X will override the false statement).
>
> I think that is unintuitive, I would actually want to be able to for example expand all attributes with less than 4 members except a few specific ones.

It is poorly named at this point. I think it was a victim of multiple changes over time. A better name now would be removeattribute. That would be more accurate, because what is really being controlled is whether the attribute is kept as defined in the policy or not.
I am not sure what advantage there would be to expanding and removing all except a few selected attributes with less than 4 members, except for the case when you needed those selected attributes to remain defined in the policy. Not much space is going to be saved by not expanding them. Ok, I guess the advantage would be that the name of the rule would make more sense. I will grant that. At any rate, the name stinks, but the functionality is exactly what is needed. I can trade a large policy for quicker access checks by using the "-X SIZE" option and I can retain the definitions of the attributes that need to be defined using expandattribute false. This whole discussion is why keeping the selinux-notebook in sync with language changes will be very valuable practice. Thanks, Jim > > > > Jim > > > >> > > >> > Thanks, > >> > Jim > >> > > >> >> +**Statement definition:** > >> >> + > >> >> + (expandtypeattribute typeattribute_id true|false) > >> >> + > >> >> +**Where:** > >> >> + > >> >> +<table> > >> >> +<colgroup> > >> >> +<col width="25%" /> > >> >> +<col width="75%" /> > >> >> +</colgroup> > >> >> +<tbody> > >> >> +<tr class="odd"> > >> >> +<td align="left"><p><code>expandtypeattribute</code></p></td> > >> >> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> > >> >> +</tr> > >> >> +<tr class="even"> > >> >> +<td align="left"><p><code>typeattribute_id</code></p></td> > >> >> +<td align="left"><p>One or more previously declared > >> >> <code>typeattribute</code> identifiers. 
Multiple entries consist of > >> >> a space separated list enclosed in parentheses '()'.</p></td> > >> >> +</tr> > >> >> +<tr class="odd"> > >> >> +<td align="left"><p><code>true | false</code></p></td> > >> >> +<td align="left"><p>Either true or false.</p></td> > >> >> +</tr> > >> >> +</tbody> > >> >> +</table> > >> >> + > >> >> +**Examples:** > >> >> + > >> >> +This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. > >> >> + > >> >> + (expandtypeattribute domain true) > >> >> + > >> >> +This example uses the expandtypeattribute statement to not expand > >> >> previously declared `file_type` and `port_type` type attributes > >> >> regardless of compiler defaults. > >> >> + > >> >> + (expandtypeattribute (file_type port_type) false) > >> >> + > >> >> typebounds > >> >> ---------- > >> >> > >> >> -- > >> >> 2.28.0 > >> >> > >> > >> -- > >> gpg --locate-keys dominick.grift@defensec.nl > >> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 > >> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 > >> Dominick Grift > > -- > gpg --locate-keys dominick.grift@defensec.nl > Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 > https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 > Dominick Grift ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v4] secilc/docs: document expandtypeattribute 2020-08-04 20:23 ` James Carter @ 2020-08-04 20:29 ` Dominick Grift 2020-08-05 19:23 ` James Carter 0 siblings, 1 reply; 20+ messages in thread From: Dominick Grift @ 2020-08-04 20:29 UTC (permalink / raw) To: James Carter; +Cc: SElinux list James Carter <jwcart2@gmail.com> writes: > On Tue, Aug 4, 2020 at 11:48 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> >> James Carter <jwcart2@gmail.com> writes: >> >> > On Tue, Aug 4, 2020 at 3:18 AM Dominick Grift >> > <dominick.grift@defensec.nl> wrote: >> >> >> >> James Carter <jwcart2@gmail.com> writes: >> >> >> >> > On Sun, Aug 2, 2020 at 8:39 AM Dominick Grift >> >> > <dominick.grift@defensec.nl> wrote: >> >> >> >> >> >> This was added for Androids Treble in 2017. >> >> >> >> >> >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> >> >> >> --- >> >> >> v2: overriden is overridden >> >> >> v3: add link to README.md >> >> >> v4: rephrase and add another example >> >> >> >> >> >> secilc/docs/README.md | 1 + >> >> >> secilc/docs/cil_type_statements.md | 44 ++++++++++++++++++++++++++++++ >> >> >> 2 files changed, 45 insertions(+) >> >> >> >> >> >> diff --git a/secilc/docs/README.md b/secilc/docs/README.md >> >> >> index 3f1838e6..efab2a71 100644 >> >> >> --- a/secilc/docs/README.md >> >> >> +++ b/secilc/docs/README.md >> >> >> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) >> >> >> * [typealiasactual](cil_type_statements.md#typealiasactual) >> >> >> * [typeattribute](cil_type_statements.md#typeattribute) >> >> >> * [typeattributeset](cil_type_statements.md#typeattributeset) >> >> >> + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) >> >> >> * [typebounds](cil_type_statements.md#typebounds) >> >> >> * [typechange](cil_type_statements.md#typechange) >> >> >> * [typemember](cil_type_statements.md#typemember) 
>> >> >> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md >> >> >> index f9dd3a76..41f0f01a 100644 >> >> >> --- a/secilc/docs/cil_type_statements.md >> >> >> +++ b/secilc/docs/cil_type_statements.md 
>> >> >> @@ -213,6 +213,50 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p >> >> >> ) >> >> >> ) >> >> >> >> >> >> +expandtypeattribute >> >> >> +------------------- >> >> >> + >> >> >> +Overrides the compiler defaults for the expansion of one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers. >> >> >> + >> >> >> +Note that this statement can be overridden at compile-time with `secilc -X SIZE` and that this functionality is not intended to override `secilc -X SIZE` for individual type attributes! >> >> >> + >> >>
>> >> <snip>
>> >> > When the value is false, the type attribute will not be removed from the policy, even if the default expand rules or "-X" option cause the rules involving the type attribute to be expanded.
>> >>
>> >> Yes but I cannot produce that. In my earlier test the type attribute was expanded regardless of the -X option.
>> >>
>> >> In my test I instructed secilc to expand all attributes with more than 3 members (-X 4), then I added an expandtypeattribute statement telling secilc to not expand pets and colors.
>> >>
>> >> The result was that it expanded pets and colors anyway.
>> >
>> > I see the source of your confusion now. "-X 4" means that all attributes with LESS than 4 types associated with them will be expanded.
>>
>> I think it's important to clarify this in the documentation, i.e. expandattribute false will not work if you use -X (-X will override the false statement).
>>
>> I think that is unintuitive, I would actually want to be able to for example expand all attributes with less than 4 members except a few specific ones.
>
> It is poorly named at this point. I think it was a victim of multiple changes over time. A better name now would be removeattribute.
> That would be more accurate, because what is really being controlled is whether the attribute is kept as defined in the policy or not.
>
> I am not sure what advantage there would be to expanding and removing all except a few selected attributes with less than 4 members, except for the case when you needed those selected attributes to remain defined in the policy. Not much space is going to be saved by not expanding them. Ok, I guess the advantage would be that the name of the rule would make more sense. I will grant that.
>
> At any rate, the name stinks, but the functionality is exactly what is needed. I can trade a large policy for quicker access checks by using the "-X SIZE" option and I can retain the definitions of the attributes that need to be defined using expandattribute false.
>
> This whole discussion is why keeping the selinux-notebook in sync with language changes will be very valuable practice.

I agree and that is why I added the "Note", so that readers have some reference when they figure out that they cannot override -X for specified attributes.

If you still do not like this v4 patch then tell me (again) what you want in there and I will put it in there without arguing so that we can wrap this up.
> > Thanks, > Jim > >> > >> > Jim >> > >> >> > >> >> > Thanks, >> >> > Jim >> >> > >> >> >> +**Statement definition:** >> >> >> + >> >> >> + (expandtypeattribute typeattribute_id true|false) >> >> >> + >> >> >> +**Where:** >> >> >> + >> >> >> +<table> >> >> >> +<colgroup> >> >> >> +<col width="25%" /> >> >> >> +<col width="75%" /> >> >> >> +</colgroup> >> >> >> +<tbody> >> >> >> +<tr class="odd"> >> >> >> +<td align="left"><p><code>expandtypeattribute</code></p></td> >> >> >> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> >> >> >> +</tr> >> >> >> +<tr class="even"> >> >> >> +<td align="left"><p><code>typeattribute_id</code></p></td> >> >> >> +<td align="left"><p>One or more previously declared >> >> >> <code>typeattribute</code> identifiers. Multiple entries consist of >> >> >> a space separated list enclosed in parentheses '()'.</p></td> >> >> >> +</tr> >> >> >> +<tr class="odd"> >> >> >> +<td align="left"><p><code>true | false</code></p></td> >> >> >> +<td align="left"><p>Either true or false.</p></td> >> >> >> +</tr> >> >> >> +</tbody> >> >> >> +</table> >> >> >> + >> >> >> +**Examples:** >> >> >> + >> >> >> +This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. >> >> >> + >> >> >> + (expandtypeattribute domain true) >> >> >> + >> >> >> +This example uses the expandtypeattribute statement to not expand >> >> >> previously declared `file_type` and `port_type` type attributes >> >> >> regardless of compiler defaults. 
>> >> >> + >> >> >> + (expandtypeattribute (file_type port_type) false) >> >> >> + >> >> >> typebounds >> >> >> ---------- >> >> >> >> >> >> -- >> >> >> 2.28.0 >> >> >> >> >> >> >> -- >> >> gpg --locate-keys dominick.grift@defensec.nl >> >> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 >> >> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 >> >> Dominick Grift >> >> -- >> gpg --locate-keys dominick.grift@defensec.nl >> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 >> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 >> Dominick Grift -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v4] secilc/docs: document expandtypeattribute 2020-08-04 20:29 ` Dominick Grift @ 2020-08-05 19:23 ` James Carter 2020-08-05 19:48 ` [PATCH v5] " Dominick Grift 0 siblings, 1 reply; 20+ messages in thread From: James Carter @ 2020-08-05 19:23 UTC (permalink / raw) To: Dominick Grift; +Cc: SElinux list On Tue, Aug 4, 2020 at 4:29 PM Dominick Grift <dominick.grift@defensec.nl> wrote: > > James Carter <jwcart2@gmail.com> writes: > > > On Tue, Aug 4, 2020 at 11:48 AM Dominick Grift > > <dominick.grift@defensec.nl> wrote: > >> > >> James Carter <jwcart2@gmail.com> writes: > >> > >> > On Tue, Aug 4, 2020 at 3:18 AM Dominick Grift > >> > <dominick.grift@defensec.nl> wrote: > >> >> > >> >> James Carter <jwcart2@gmail.com> writes: > >> >> > >> >> > On Sun, Aug 2, 2020 at 8:39 AM Dominick Grift > >> >> > <dominick.grift@defensec.nl> wrote: > >> >> >> > >> >> >> This was added for Androids Treble in 2017. > >> >> >> > >> >> >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> > >> >> >> --- > >> >> >> v2: overriden is overridden > >> >> >> v3: add link to README.md > >> >> >> v4: rephrase and add another example > >> >> >> > >> >> >> secilc/docs/README.md | 1 + > >> >> >> secilc/docs/cil_type_statements.md | 44 ++++++++++++++++++++++++++++++ > >> >> >> 2 files changed, 45 insertions(+) > >> >> >> > >> >> >> diff --git a/secilc/docs/README.md b/secilc/docs/README.md > >> >> >> index 3f1838e6..efab2a71 100644 > >> >> >> --- a/secilc/docs/README.md > >> >> >> +++ b/secilc/docs/README.md 
> >> >> >> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) > >> >> >> * [typealiasactual](cil_type_statements.md#typealiasactual) > >> >> >> * [typeattribute](cil_type_statements.md#typeattribute) > >> >> >> * [typeattributeset](cil_type_statements.md#typeattributeset) > >> >> >> + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) > >> >> >> * [typebounds](cil_type_statements.md#typebounds) > >> >> >> * [typechange](cil_type_statements.md#typechange) > >> >> >> * [typemember](cil_type_statements.md#typemember) > >> >> >> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md > >> >> >> index f9dd3a76..41f0f01a 100644 > >> >> >> --- a/secilc/docs/cil_type_statements.md > >> >> >> +++ b/secilc/docs/cil_type_statements.md 
> >> >> >> @@ -213,6 +213,50 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p > >> >> >> ) > >> >> >> ) > >> >> >> > >> >> >> +expandtypeattribute > >> >> >> +------------------- > >> >> >> + > >> >> >> +Overrides the compiler defaults for the expansion of one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers. > >> >> >> + > >> >> >> +Note that this statement can be overridden at compile-time with `secilc -X SIZE` and that this functionality is not intended to override `secilc -X SIZE` for individual type attributes! > >> >> >> + > >> >>
> >> >> <snip>
> >> >> > When the value is false, the type attribute will not be removed from the policy, even if the default expand rules or "-X" option cause the rules involving the type attribute to be expanded.
> >> >>
> >> >> Yes but I cannot produce that. In my earlier test the type attribute was expanded regardless of the -X option.
> >> >>
> >> >> In my test I instructed secilc to expand all attributes with more than 3 members (-X 4), then I added an expandtypeattribute statement telling secilc to not expand pets and colors.
> >> >>
> >> >> The result was that it expanded pets and colors anyway.
> >> >
> >> > I see the source of your confusion now. "-X 4" means that all attributes with LESS than 4 types associated with them will be expanded.
> >>
> >> I think it's important to clarify this in the documentation, i.e. expandattribute false will not work if you use -X (-X will override the false statement).
> >>
> >> I think that is unintuitive, I would actually want to be able to for example expand all attributes with less than 4 members except a few specific ones.
> >
> > It is poorly named at this point. I think it was a victim of multiple changes over time. A better name now would be removeattribute.
> > That would be more accurate, because what is really being controlled is whether the attribute is kept as defined in the policy or not.
> >
> > I am not sure what advantage there would be to expanding and removing all except a few selected attributes with less than 4 members, except for the case when you needed those selected attributes to remain defined in the policy. Not much space is going to be saved by not expanding them. Ok, I guess the advantage would be that the name of the rule would make more sense. I will grant that.
> >
> > At any rate, the name stinks, but the functionality is exactly what is needed. I can trade a large policy for quicker access checks by using the "-X SIZE" option and I can retain the definitions of the attributes that need to be defined using expandattribute false.
> >
> > This whole discussion is why keeping the selinux-notebook in sync with language changes will be very valuable practice.
>
> I agree and that is why I added the "Note", so that readers have some reference when they figure out that they cannot override -X for specified attributes.
>
> If you still do not like this v4 patch then tell me (again) what you want in there and I will put it in there without arguing so that we can wrap this up.

I would like this:

Overrides the compiler defaults for the expansion of one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers.

This rule gives more control over type attribute expansion and removal. When the value is true, all rules involving the type attribute will be expanded and the type attribute will be removed from the policy. When the value is false, the type attribute will not be removed from the policy, even if the default expand rules or "-X" option cause the rules involving the type attribute to be expanded.
Thanks again, Jim > > > > Thanks, > > Jim > > > >> > > >> > Jim > >> > > >> >> > > >> >> > Thanks, > >> >> > Jim > >> >> > > >> >> >> +**Statement definition:** > >> >> >> + > >> >> >> + (expandtypeattribute typeattribute_id true|false) > >> >> >> + > >> >> >> +**Where:** > >> >> >> + > >> >> >> +<table> > >> >> >> +<colgroup> > >> >> >> +<col width="25%" /> > >> >> >> +<col width="75%" /> > >> >> >> +</colgroup> > >> >> >> +<tbody> > >> >> >> +<tr class="odd"> > >> >> >> +<td align="left"><p><code>expandtypeattribute</code></p></td> > >> >> >> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> > >> >> >> +</tr> > >> >> >> +<tr class="even"> > >> >> >> +<td align="left"><p><code>typeattribute_id</code></p></td> > >> >> >> +<td align="left"><p>One or more previously declared > >> >> >> <code>typeattribute</code> identifiers. Multiple entries consist of > >> >> >> a space separated list enclosed in parentheses '()'.</p></td> > >> >> >> +</tr> > >> >> >> +<tr class="odd"> > >> >> >> +<td align="left"><p><code>true | false</code></p></td> > >> >> >> +<td align="left"><p>Either true or false.</p></td> > >> >> >> +</tr> > >> >> >> +</tbody> > >> >> >> +</table> > >> >> >> + > >> >> >> +**Examples:** > >> >> >> + > >> >> >> +This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. > >> >> >> + > >> >> >> + (expandtypeattribute domain true) > >> >> >> + > >> >> >> +This example uses the expandtypeattribute statement to not expand > >> >> >> previously declared `file_type` and `port_type` type attributes > >> >> >> regardless of compiler defaults. 
> >> >> >> + > >> >> >> + (expandtypeattribute (file_type port_type) false) > >> >> >> + > >> >> >> typebounds > >> >> >> ---------- > >> >> >> > >> >> >> -- > >> >> >> 2.28.0 > >> >> >> > >> >> > >> >> -- > >> >> gpg --locate-keys dominick.grift@defensec.nl > >> >> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 > >> >> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 > >> >> Dominick Grift > >> > >> -- > >> gpg --locate-keys dominick.grift@defensec.nl > >> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 > >> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 > >> Dominick Grift > > -- > gpg --locate-keys dominick.grift@defensec.nl > Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 > https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 > Dominick Grift ^ permalink raw reply [flat|nested] 20+ messages in thread
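The semantics James spells out in the message above (true: expand the rules and drop the attribute; false: keep the attribute defined even when `-X` expands its rules) and his earlier point that `-X 4` means "attributes with fewer than 4 types" are easier to see in a policy that actually compiles. The following stand-alone CIL policy is an added example; it is not part of this thread, the patch, or the secilc documentation. It mirrors the pets/colors test Dominick describes: both attributes have three member types, so with `secilc -X 4` both fall under the default expansion threshold. The attribute, type, user, role, class and MLS names (`pets`, `colors`, `cat`, `u`, `r`, `t`, `low`, and so on) are constructed for this example, and the scaffolding declarations are the minimum I know secilc to require, not anything taken from the page.

```cil
;; Added example (not from the thread or the secilc docs): a minimal
;; stand-alone CIL policy exercising expandtypeattribute with secilc -X.
(handleunknown allow)
(mls true)

;; Scaffolding so the file compiles on its own: one class, one initial
;; sid, one user/role/type, and a single MLS sensitivity and level.
;; All names are constructed for this example.
(class file (read write))
(classorder (file))
(sid kernel)
(sidorder (kernel))
(category c0)
(categoryorder (c0))
(sensitivity s0)
(sensitivityorder (s0))
(sensitivitycategory s0 (c0))
(level low (s0))
(levelrange low_low (low low))
(user u)
(userlevel u low)
(userrange u low_low)
(role r)
(userrole u r)
(type t)
(roletype r t)
(context kernel_ctx (u r t low_low))
(sidcontext kernel kernel_ctx)

;; Two attributes with three member types each. Each has fewer than
;; 4 types, so "secilc -X 4" expands the rules that use them by default.
(type cat) (type dog) (type fish)
(typeattribute pets)
(typeattributeset pets (cat dog fish))
(allow pets t (file (read)))

(type red) (type green) (type blue)
(typeattribute colors)
(typeattributeset colors (red green blue))
(allow colors t (file (write)))

;; false: -X may still expand the allow rule above into per-type rules,
;; but the attribute "pets" itself stays defined in the compiled policy.
(expandtypeattribute pets false)

;; true: the allow rule on "colors" is expanded into per-type rules and
;; the attribute is removed from the compiled policy.
(expandtypeattribute colors true)
```

Compile it with `secilc -X 4 policy.cil` and inspect the binary policy with setools: following the description above, `seinfo -a pets -x` on the output should still list `pets` with its three members, `colors` should no longer appear as an attribute, and `sesearch -A -s cat` should show the expanded per-type allow rule rather than one keyed on `pets`. Dropping the `-X 4` leaves both attributes' rules unexpanded under the compiler default, which is the situation the second example in the patch describes.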
* [PATCH v5] secilc/docs: document expandtypeattribute 2020-08-05 19:23 ` James Carter @ 2020-08-05 19:48 ` Dominick Grift 2020-08-05 20:22 ` James Carter 0 siblings, 1 reply; 20+ messages in thread
From: Dominick Grift @ 2020-08-05 19:48 UTC (permalink / raw)
To: selinux; +Cc: Dominick Grift

This was added for Android's Treble in 2017.

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
v2: overriden is overridden
v3: add link to README.md
v4: rephrase and add another example
v5: use description from James Carter

secilc/docs/README.md | 1 +
secilc/docs/cil_type_statements.md | 51 ++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+)

diff --git a/secilc/docs/README.md b/secilc/docs/README.md index 3f1838e6..efab2a71 100644 --- a/secilc/docs/README.md +++ b/secilc/docs/README.md @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) * [typealiasactual](cil_type_statements.md#typealiasactual) * [typeattribute](cil_type_statements.md#typeattribute) * [typeattributeset](cil_type_statements.md#typeattributeset) + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) * [typebounds](cil_type_statements.md#typebounds) * [typechange](cil_type_statements.md#typechange) * [typemember](cil_type_statements.md#typemember) diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md index f9dd3a76..432cede5 100644 --- a/secilc/docs/cil_type_statements.md +++ b/secilc/docs/cil_type_statements.md 
@@ -213,6 +213,57 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p ) ) +expandtypeattribute +------------------- + +Overrides the compiler defaults for the expansion of one or more +previously declared [`typeattribute`](cil_type_statements.md#typeattribute) +identifiers. + +This rule gives more control over type attribute expansion and +removal. When the value is true, all rules involving the type +attribute will be expanded and the type attribute will be removed from +the policy. When the value is false, the type attribute will not be +removed from the policy, even if the default expand rules or "-X" +option cause the rules involving the type attribute to be expanded. + +**Statement definition:** + + (expandtypeattribute typeattribute_id expand_value) + +**Where:** + +<table> +<colgroup> +<col width="25%" /> +<col width="75%" /> +</colgroup> +<tbody> +<tr class="odd"> +<td align="left"><p><code>expandtypeattribute</code></p></td> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> +</tr> +<tr class="even"> +<td align="left"><p><code>typeattribute_id</code></p></td> +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers. Multiple entries consist of a space separated list enclosed in parentheses '()'.</p></td> +</tr> +<tr class="odd"> +<td align="left"><p><code>expand_value</code></p></td> +<td align="left"><p>Either true or false.</p></td> +</tr> +</tbody> +</table> + +**Examples:** + +This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. + + (expandtypeattribute domain true) + +This example uses the expandtypeattribute statement to not expand previously declared `file_type` and `port_type` type attributes regardless of compiler defaults. + + (expandtypeattribute (file_type port_type) false) + typebounds ---------- -- 2.28.0 ^ permalink raw reply related [flat|nested] 20+ messages in thread
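Review bot: in the cil_type_statements.md hunk, the caption of the second example does not match the description paragraph above it. The description states that with a value of false "the type attribute will not be removed from the policy, even if the default expand rules or "-X" option cause the rules involving the type attribute to be expanded", but the caption says the statement is used "to not expand previously declared `file_type` and `port_type` type attributes regardless of compiler defaults". Since false controls whether the attribute is kept, not whether its rules are expanded, the caption should say something like "to keep the previously declared `file_type` and `port_type` type attributes defined in the policy regardless of compiler defaults or the -X option". A smaller point: the `expand_value` row of the Where table only says "Either true or false"; a one-line summary (true: expand the rules and remove the attribute; false: keep the attribute) would make the table self-contained.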
* Re: [PATCH v5] secilc/docs: document expandtypeattribute 2020-08-05 19:48 ` [PATCH v5] " Dominick Grift @ 2020-08-05 20:22 ` James Carter 2020-08-17 15:57 ` Stephen Smalley 0 siblings, 1 reply; 20+ messages in thread
From: James Carter @ 2020-08-05 20:22 UTC (permalink / raw)
To: Dominick Grift; +Cc: SElinux list

On Wed, Aug 5, 2020 at 3:50 PM Dominick Grift <dominick.grift@defensec.nl> wrote:
>
> This was added for Android's Treble in 2017.
>
> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
> v2: overriden is overridden
> v3: add link to README.md
> v4: rephrase and add another example
> v5: use description from James Carter
>
> secilc/docs/README.md | 1 +
> secilc/docs/cil_type_statements.md | 51 ++++++++++++++++++++++++++++++
> 2 files changed, 52 insertions(+)
>
> diff --git a/secilc/docs/README.md b/secilc/docs/README.md > index 3f1838e6..efab2a71 100644 > --- a/secilc/docs/README.md > +++ b/secilc/docs/README.md > @@ -126,6 +126,7 @@ CIL (Common Intermediate Language) > * [typealiasactual](cil_type_statements.md#typealiasactual) > * [typeattribute](cil_type_statements.md#typeattribute) > * [typeattributeset](cil_type_statements.md#typeattributeset) > + * [expandtypeattribute](cil_type_statements.md#expandtypeattribute) > * [typebounds](cil_type_statements.md#typebounds) > * [typechange](cil_type_statements.md#typechange) > * [typemember](cil_type_statements.md#typemember) > diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md > index f9dd3a76..432cede5 100644 > --- a/secilc/docs/cil_type_statements.md > +++ b/secilc/docs/cil_type_statements.md 
> @@ -213,6 +213,57 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p > ) > ) > > +expandtypeattribute > +------------------- > + > +Overrides the compiler defaults for the expansion of one or more > +previously declared [`typeattribute`](cil_type_statements.md#typeattribute) > +identifiers. > + > +This rule gives more control over type attribute expansion and > +removal. When the value is true, all rules involving the type > +attribute will be expanded and the type attribute will be removed from > +the policy. When the value is false, the type attribute will not be > +removed from the policy, even if the default expand rules or "-X" > +option cause the rules involving the type attribute to be expanded. > + > +**Statement definition:** > + > + (expandtypeattribute typeattribute_id expand_value) > + > +**Where:** > + > +<table> > +<colgroup> > +<col width="25%" /> > +<col width="75%" /> > +</colgroup> > +<tbody> > +<tr class="odd"> > +<td align="left"><p><code>expandtypeattribute</code></p></td> > +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td> > +</tr> > +<tr class="even"> > +<td align="left"><p><code>typeattribute_id</code></p></td> > +<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers. Multiple entries consist of a space separated list enclosed in parentheses '()'.</p></td> > +</tr> > +<tr class="odd"> > +<td align="left"><p><code>expand_value</code></p></td> > +<td align="left"><p>Either true or false.</p></td> > +</tr> > +</tbody> > +</table> > + > +**Examples:** > + > +This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute. > + > + (expandtypeattribute domain true) > + > +This example uses the expandtypeattribute statement to not expand previously declared `file_type` and `port_type` type attributes regardless of compiler defaults. 
> + > + (expandtypeattribute (file_type port_type) false) > + > typebounds > ---------- > > -- > 2.28.0 > ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v5] secilc/docs: document expandtypeattribute 2020-08-05 20:22 ` James Carter @ 2020-08-17 15:57 ` Stephen Smalley 0 siblings, 0 replies; 20+ messages in thread
From: Stephen Smalley @ 2020-08-17 15:57 UTC (permalink / raw)
To: James Carter, Dominick Grift; +Cc: SElinux list

On 8/5/20 4:22 PM, James Carter wrote:
> On Wed, Aug 5, 2020 at 3:50 PM Dominick Grift <dominick.grift@defensec.nl> wrote:
>> This was added for Android's Treble in 2017.
>>
>> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
> Acked-by: James Carter <jwcart2@gmail.com>

Applied.
Thread overview: 20+ messages
2020-07-30 9:23 [PATCH] secilc/docs: document expandtypeattribute Dominick Grift
2020-07-30 11:45 ` [PATCH v2] " Dominick Grift
2020-07-30 13:11 ` [PATCH v3] " Dominick Grift
2020-07-30 22:22 ` James Carter
2020-07-31 7:26 ` Dominick Grift
2020-07-31 19:50 ` James Carter
2020-07-31 20:12 ` Dominick Grift
2020-07-31 20:22 ` James Carter
2020-07-31 21:07 ` Dominick Grift
2020-08-02 12:34 ` [PATCH v4] " Dominick Grift
2020-08-03 20:56 ` James Carter
2020-08-04 7:18 ` Dominick Grift
2020-08-04 14:45 ` James Carter
2020-08-04 15:48 ` Dominick Grift
2020-08-04 20:23 ` James Carter
2020-08-04 20:29 ` Dominick Grift
2020-08-05 19:23 ` James Carter
2020-08-05 19:48 ` [PATCH v5] " Dominick Grift
2020-08-05 20:22 ` James Carter
2020-08-17 15:57 ` Stephen Smalley