From: Dominick Grift <dominick.grift@defensec.nl>
To: James Carter <jwcart2@gmail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH v4] secilc/docs: document expandtypeattribute
Date: Tue, 04 Aug 2020 17:48:46 +0200	[thread overview]
Message-ID: <ypjlbljq8l9d.fsf@defensec.nl> (raw)
In-Reply-To: <CAP+JOzRgJmD8NE-_nY118G_h7B70Y70=jT1n8TimcMGPjDYFxw@mail.gmail.com> (James Carter's message of "Tue, 4 Aug 2020 10:45:06 -0400")

James Carter <jwcart2@gmail.com> writes:

> On Tue, Aug 4, 2020 at 3:18 AM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
>>
>> James Carter <jwcart2@gmail.com> writes:
>>
>> > On Sun, Aug 2, 2020 at 8:39 AM Dominick Grift
>> > <dominick.grift@defensec.nl> wrote:
>> >>
>> >> This was added for Android's Treble in 2017.
>> >>
>> >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
>> >> ---
>> >> v2: overriden is overridden
>> >> v3: add link to README.md
>> >> v4: rephrase and add another example
>> >>
>> >>  secilc/docs/README.md              |  1 +
>> >>  secilc/docs/cil_type_statements.md | 44 ++++++++++++++++++++++++++++++
>> >>  2 files changed, 45 insertions(+)
>> >>
>> >> diff --git a/secilc/docs/README.md b/secilc/docs/README.md
>> >> index 3f1838e6..efab2a71 100644
>> >> --- a/secilc/docs/README.md
>> >> +++ b/secilc/docs/README.md
>> >> @@ -126,6 +126,7 @@ CIL (Common Intermediate Language)
>> >>    * [typealiasactual](cil_type_statements.md#typealiasactual)
>> >>    * [typeattribute](cil_type_statements.md#typeattribute)
>> >>    * [typeattributeset](cil_type_statements.md#typeattributeset)
>> >> +  * [expandtypeattribute](cil_type_statements.md#expandtypeattribute)
>> >>    * [typebounds](cil_type_statements.md#typebounds)
>> >>    * [typechange](cil_type_statements.md#typechange)
>> >>    * [typemember](cil_type_statements.md#typemember)
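Review bot: the new entry `+  * [expandtypeattribute](cil_type_statements.md#expandtypeattribute)` is placed between `typeattributeset` and `typebounds`, which interrupts the alphabetical run of the surrounding entries. This is consistent with the section order in the second file of the patch (the new section is inserted directly before `typebounds`), so if the README intentionally follows document order rather than alphabetical order, a short note in the commit message would prevent someone "fixing" the placement later.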
>> >> diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md
>> >> index f9dd3a76..41f0f01a 100644
>> >> --- a/secilc/docs/cil_type_statements.md
>> >> +++ b/secilc/docs/cil_type_statements.md
>> >> @@ -213,6 +213,50 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p
>> >>          )
>> >>      )
>> >>
>> >> +expandtypeattribute
>> >> +-------------------
>> >> +
>> >> +Overrides the compiler defaults for the expansion of one or more previously declared [`typeattribute`](cil_type_statements.md#typeattribute) identifiers.
>> >> +
>> >> +Note that this statement can be overridden at compile-time with `secilc -X SIZE` and that this functionality is not intended to override `secilc -X SIZE` for individual type attributes!
>> >> +
>>
>> <snip>
>> > When the value
>> > is false, the type attribute will not be removed from the policy, even
>> > if the default expand rules or "-X" option cause the rules involving
>> > the type attribute to be expanded.
>>
>> Yes but I cannot produce that. In my earlier test the type attribute
>> was expanded regardless of the -X option.
>>
>> In my test I instructed secilc to expand all attributes with more than 3
>> members (-X 4), then I added an expandtypeattribute statement telling
>> secilc to not expand pets and colors.
>>
>> The result was that it expanded pets and colors anyway.
>>
>
> I see the source of your confusion now. "-X 4" means that all
> attributes with LESS than 4 types associated with them will be expanded.

I think it's important to clarify this in the documentation, i.e.:
expandattribute false will not work if you use -X (-X will override the
false statement)

I think that is unintuitive; I would actually want to be able to, for
example, expand all attributes with less than 4 members except a few
specific ones.

>
> Jim
>
>> >
>> > Thanks,
>> > Jim
>> >
>> >> +**Statement definition:**
>> >> +
>> >> +    (expandtypeattribute typeattribute_id true|false)
>> >> +
>> >> +**Where:**
>> >> +
>> >> +<table>
>> >> +<colgroup>
>> >> +<col width="25%" />
>> >> +<col width="75%" />
>> >> +</colgroup>
>> >> +<tbody>
>> >> +<tr class="odd">
>> >> +<td align="left"><p><code>expandtypeattribute</code></p></td>
>> >> +<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td>
>> >> +</tr>
>> >> +<tr class="even">
>> >> +<td align="left"><p><code>typeattribute_id</code></p></td>
>> >> +<td align="left"><p>One or more previously declared
>> >> <code>typeattribute</code> identifiers. Multiple entries consist of
>> >> a space separated list enclosed in parentheses '()'.</p></td>
>> >> +</tr>
>> >> +<tr class="odd">
>> >> +<td align="left"><p><code>true | false</code></p></td>
>> >> +<td align="left"><p>Either true or false.</p></td>
>> >> +</tr>
>> >> +</tbody>
>> >> +</table>
>> >> +
>> >> +**Examples:**
>> >> +
>> >> +This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute.
>> >> +
>> >> +    (expandtypeattribute domain true)
>> >> +
>> >> +This example uses the expandtypeattribute statement to not expand
>> >> previously declared `file_type` and `port_type` type attributes
>> >> regardless of compiler defaults.
>> >> +
>> >> +    (expandtypeattribute (file_type port_type) false)
>> >> +
>> >>  typebounds
>> >>  ----------
>> >>
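Review bot: the sentence `+Note that this statement can be overridden at compile-time with secilc -X SIZE ...` conflicts with the reviewer's description of the feature in this thread (with `false`, the attribute is not removed from the policy even if the default expand rules or `-X` cause its rules to be expanded), so the text should state precisely what `-X` does and does not override, in terms of rule expansion versus attribute removal, rather than asserting that `-X` overrides the statement. The `true | false` table row is documented only as "Either true or false."; suggest stating the effect of each value, based on the reviewer's explanation and the first example: `true` forcibly expands the attribute's rules regardless of its size, `false` keeps the attribute in the policy even when the compiler default or `-X` would expand it. Finally, the statement definition `(expandtypeattribute typeattribute_id true|false)` shows a single identifier while the table and the second example allow a parenthesised list, so the definition line should show both forms.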
>> >> --
>> >> 2.28.0
>> >>
>>
>> --
>> gpg --locate-keys dominick.grift@defensec.nl
>> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
>> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
>> Dominick Grift

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
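The interaction the thread is arguing about is easiest to see with a small policy that can be built with and without `-X`. The following is an added example, not code from the patch or from the SELinux project; the attribute and type names (`pets`, `colors`, `shapes` and their members) are constructed for illustration, and the comments describe the `-X` threshold as James Carter explains it above.

```cil
;; Added example (not part of the patch or the thread).
;; Constructed identifiers: pets, colors, shapes and their member types.
;; Build with:  secilc -X 4 expand-demo.cil

;; Minimal boilerplate so secilc produces a loadable kernel policy
(handleunknown allow)
(mls true)

(sid kernel)
(sidorder (kernel))

(class process (transition))
(class file (read write))
(classorder (process file))

(sensitivity s0)
(sensitivityorder (s0))
(level low (s0))
(levelrange low_low (low low))

(user u)
(role r)
(type kernel_t)
(userrole u r)
(userlevel u low)
(userrange u low_low)
(roletype r kernel_t)
(context kernel_ctx (u r kernel_t low_low))
(sidcontext kernel kernel_ctx)

;; Two attributes with four members each. Per the reviewer's explanation,
;; "-X 4" expands attributes with FEWER than 4 types, so these two are
;; above the threshold and would not be expanded by -X 4 on their own.
(type dog)
(type cat)
(type fish)
(type hamster)
(typeattribute pets)
(typeattributeset pets (dog cat fish hamster))

(type red)
(type green)
(type blue)
(type yellow)
(typeattribute colors)
(typeattributeset colors (red green blue yellow))

;; One attribute with two members: below the threshold, so -X 4 expands
;; the rules that mention it by default.
(type circle)
(type square)
(typeattribute shapes)
(typeattributeset shapes (circle square))

;; Rules that reference the attributes. Expansion rewrites each of these
;; into one rule per member type.
(allow pets colors (file (read)))
(allow shapes colors (file (write)))
(allow dog shapes (file (read)))

;; Force expansion of pets even though its size is above the threshold
;; (the patch's first example: "forcibly expand").
(expandtypeattribute pets true)

;; Ask the compiler to keep shapes and colors unexpanded regardless of the
;; compiler defaults (the patch's second example, list form). Whether -X 4
;; still expands shapes here is exactly the point under discussion above.
(expandtypeattribute (shapes colors) false)
```

To observe the result, compile the file twice, once as `secilc expand-demo.cil` and once as `secilc -X 4 expand-demo.cil`, and list the type attributes that survive in each output with setools' `seinfo -a policy.<version>` (the version suffix depends on the libsepol build). Comparing the two attribute lists, and `sesearch -A` output for `dog` and `circle`, shows directly which of the statement and the `-X` threshold decides whether an attribute is removed, which is what the documentation sentence under review needs to state.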

Thread overview: 20+ messages
2020-07-30  9:23 [PATCH] secilc/docs: document expandtypeattribute Dominick Grift
2020-07-30 11:45 ` [PATCH v2] " Dominick Grift
2020-07-30 13:11   ` [PATCH v3] " Dominick Grift
2020-07-30 22:22     ` James Carter
2020-07-31  7:26       ` Dominick Grift
2020-07-31 19:50         ` James Carter
2020-07-31 20:12           ` Dominick Grift
2020-07-31 20:22             ` James Carter
2020-07-31 21:07               ` Dominick Grift
2020-08-02 12:34       ` [PATCH v4] " Dominick Grift
2020-08-03 20:56         ` James Carter
2020-08-04  7:18           ` Dominick Grift
2020-08-04 14:45             ` James Carter
2020-08-04 15:48               ` Dominick Grift [this message]
2020-08-04 20:23                 ` James Carter
2020-08-04 20:29                   ` Dominick Grift
2020-08-05 19:23                     ` James Carter
2020-08-05 19:48                       ` [PATCH v5] " Dominick Grift
2020-08-05 20:22                         ` James Carter
2020-08-17 15:57                           ` Stephen Smalley
