The file class sets could not always be used with a file permission macro. Having finer control over file class sets and permission strings will make it easier to declare rules for apps that may do large tree walks getting attributes of files. For instance, one could declare: allow system appdomain:generic_file_class_set attr_file_dir_perms;
Change-Id: I4d243d31f93e2d9f54367eea2c265d8a829a0c48
---
 global_macros | 10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/global_macros b/global_macros
index 6d71c0c..b4ca72b 100644
--- a/global_macros
+++ b/global_macros
@@ -3,10 +3,13 @@
 #
 define(`capability_class_set', `{ capability capability2 }')
-define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
-define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`file_class_set', `{ file lnk_file }')
 define(`devfile_class_set', `{ chr_file blk_file }')
+define(`ipcfile_class_set', `{ sock_file fifo_file }')
+define(`generic_file_class_set', `{ file_class_set devfile_class_set }')
+define(`notdevfile_class_set', `{ file_class_set ipcfile_class_set }')
+define(`allfiles_class_set', `{ file_class_set ipcfile_class_set }')
+define(`dir_file_class_set', `{ dir allfiles_class_set }')
 define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
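Review bot: `allfiles_class_set` is defined as `{ file_class_set ipcfile_class_set }`, which is byte-identical to `notdevfile_class_set` and omits `devfile_class_set`, so the rebuilt `dir_file_class_set` (`{ dir allfiles_class_set }`) no longer covers chr_file and blk_file the way the removed definition did. Every existing rule written against dir_file_class_set silently loses its device-node permissions; that shows up as AVC denials at runtime rather than as a build error, so it is easy to miss in review. The macro name suggests the intended line is `define(`allfiles_class_set', `{ file_class_set devfile_class_set ipcfile_class_set }')`, which restores the original coverage. The new definitions also expand to nested brace sets after m4 processing; as far as I recall checkpolicy's grammar accepts nested id sets, but that is worth confirming on the toolchain this policy is built with.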
@@ -18,6 +21,7 @@ define(`ipc_class_set', `{ sem msgq shm ipc }')
 #####################################
 # Common groupings of permissions.
 #
+define(`attr_file_perms', `{ open getattr }')
 define(`x_file_perms', `{ getattr execute execute_no_trans }')
 define(`r_file_perms', `{ getattr open read ioctl lock }')
 define(`w_file_perms', `{ open append write }')
-- 
1.7.0.4
-- 
This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to majord...@tycho.nsa.gov with the words "unsubscribe seandroid-list" without quotes as the message.
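Review bot: `attr_file_perms` grants `open` alongside `getattr`, but the stat()-style tree walk the description motivates needs only `getattr` on the file (plus search on the directories), so the macro hands out one more permission than its name implies; consider `define(`attr_file_perms', `{ getattr }')` unless the intended callers fstat() an already-opened descriptor. As far as I can tell `open` without `read`/`write`/`append` is still refused at the access-mode check, so the extra bit is not dangerous on its own, but it undercuts the least-privilege reading that a narrowly named macro should give. Separately, the example in the description uses `attr_file_dir_perms`, which this hunk does not define — either the example or the new macro name should be aligned so the documented usage actually compiles.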