SELinux Archive on lore.kernel.org
From: Paul Moore <paul@paul-moore.com>
To: Dominick Grift <dominick.grift@defensec.nl>
Cc: selinux@vger.kernel.org
Subject: Re: [SELinux-notebook PATCH v3] type_statements: document expandattribute
Date: Sat, 1 Aug 2020 16:44:40 -0400
Message-ID: <CAHC9VhS5x_YorZw5szDY3tDw=SHkhowujiivCDQy2GQRpASv1A@mail.gmail.com>
In-Reply-To: <20200730114150.915048-1-dominick.grift@defensec.nl>

On Thu, Jul 30, 2020 at 7:42 AM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> This functionality was added for Android's Treble in 2017.
>
> I was not sure whether this belongs here or in conditional_statements.md
>
> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
> ---
> v2: change expandtypeattribute to expandattribute
> v3: overriden is overridden
>
> src/type_statements.md | 70 ++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 70 insertions(+)

I'm in the process of converting all of the remaining HTML to markdown
so I would prefer not to add any new HTML tables if it can be avoided;
would you mind trying to write this using markdown's pipe tables (they
render correctly on GitHub)?

Other than that, do any of the policy or SEAndroid folks have any comments?

> diff --git a/src/type_statements.md b/src/type_statements.md
> index 61c7191..04b6f4c 100644
> --- a/src/type_statements.md
> +++ b/src/type_statements.md
> @@ -201,6 +201,76 @@ attribute non_security_file_type;
>
>  <br>
>
> +## `expandattribute`
> +
> +The `expandattribute` statement allows type attribute expansion
> +compiler defaults to be overridden.
> +
> +**The statement definition is:**
> +
> +`expandattribute attribute_id default_value;`
> +
> +**Where:**
> +
> +<table>
> +<tbody>
> +<tr>
> +<td><code>expandattribute</code></td>
> +<td>The <code>expandattribute</code> keyword.</td>
> +</tr>
> +<tr>
> +<td><code>attribute_id</code></td>
> +<td>One or more previously declared <code>attribute</code>. Multiple entries consist of a space separated list enclosed in braces '{}'.</td>
> +</tr>
> +<tr>
> +<td><code>default_value</code></td>
> +<td>Either true or false</td>
> +</tr>
> +</tbody>
> +</table>
> +
> +**The statement is valid in:**
> +
> +<table style="text-align:center">
> +<tbody>
> +<tr style="background-color:#D3D3D3;">
> +<td><strong>Monolithic Policy</strong></td>
> +<td><strong>Base Policy</strong></td>
> +<td><strong>Module Policy</strong></td>
> +</tr>
> +<tr>
> +<td>Yes</td>
> +<td>Yes</td>
> +<td>Yes</td>
> +</tr>
> +<tr style="background-color:#D3D3D3;">
> +<td><strong>Conditional Policy <code>if</code> Statement</strong></td>
> +<td><strong><code>optional</code> Statement</strong></td>
> +<td><strong><code>require</code> Statement</strong></td>
> +</tr>
> +<tr>
> +<td>No</td>
> +<td>Yes</td>
> +<td>No</td>
> +</tr>
> +</tbody>
> +</table>
> +
> +**Example:**
> +
> +```
> +# Using the expandattribute statement to forcibly expand a
> +# previously declared domain attribute.
> +
> +# The previously declared attribute:
> +attribute domain;
> +
> +# The attribute stripping using the expandattribute statement:
> +expandattribute domain true;
> +```
> +
> +<br>
> +
>  ## `typeattribute`
>
>  The `typeattribute` statement allows the association of previously
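Review bot: the `default_value` row of the "Where" table only says "Either true or false", and the opening sentence ("allows type attribute expansion compiler defaults to be overridden") never says what expansion does, so a reader cannot tell which way each value pushes; the example's own comment ("forcibly expand a previously declared domain attribute" paired with `expandattribute domain true;`) implies that `true` forces the attribute to be expanded into its member types in the compiled policy, so the cell should say that explicitly and also state what `false` does (the opposite override, keeping the attribute unexpanded), ending with a period like the other cells. Two smaller points in the same hunk: `One or more previously declared <code>attribute</code>` should read `attributes`, and the example comment `# The attribute stripping using the expandattribute statement:` does not match the "forcibly expand" wording above it; pick one term (expansion) and use it in both comments. Since the surrounding file is being converted away from HTML, both `<table>` blocks would be better written as markdown pipe tables, as already requested.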
> --
> 2.28.0.rc1
>


-- 
paul moore
www.paul-moore.com
