On Wed, Oct 3, 2012 at 8:56 AM, William Roberts
<bill.c.robe...@gmail.com> wrote:
> On Wed, Oct 3, 2012 at 6:08 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>> On Tue, 2012-10-02 at 21:34 -0700, William Roberts wrote:
>>> The file class sets could not always be used with a file
>>> permission macro. Having finer control over file class set
>>> and permission strings will make it easier to declare rules
>>> for apps that may do large tree walks getting attributes of
>>> files.
>>> For instance, one could declare:
>>> allow system appdomain:generic_file_class_set attr_file_dir_perms;
>>
>> Presently we'd write this as:
>> r_dir_file(system, appdomain)
>>
>> See te_macros.
>>
>> Not adverse to defining new macros but not clear if this truly is a
>> helpful grouping.
>>
>>> Change-Id: I4d243d31f93e2d9f54367eea2c265d8a829a0c48
>>> ---
>>>  global_macros |   10 +++++++---
>>>  1 files changed, 7 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/global_macros b/global_macros
>>> index 6d71c0c..b4ca72b 100644
>>> --- a/global_macros
>>> +++ b/global_macros
>>> @@ -3,10 +3,13 @@
>>>  #
>>>  define(`capability_class_set', `{ capability capability2 }')
>>>
>>> -define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file 
>>> chr_file blk_file }')
>>> -define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file 
>>> blk_file }')
>>> -define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
>>> +define(`file_class_set', `{ file lnk_file }')
>>>  define(`devfile_class_set', `{ chr_file blk_file }')
>>> +define(`ipcfile_class_set', `{ sock_file fifo_file }')
>>> +define(`generic_file_class_set', `{ file_class_set devfile_class_set }')
>>> +define(`notdevfile_class_set', `{ file_class_set ipcfile_class_set }')
>>> +define(`allfiles_class_set', `{ file_class_set ipcfile_class_set }')
>>> +define(`dir_file_class_set', `{ dir allfiles_class_set }')
>>>
>>>  define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket 
>>> netlink_socket packet_socket key_socket unix_stream_socket 
>>> unix_dgram_socket appletalk_socket netlink_route_socket 
>>> netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket 
>>> netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket 
>>> netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket 
>>> tun_socket }')
>>>  define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
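Review bot: `allfiles_class_set` is defined identically to `notdevfile_class_set` (`{ file_class_set ipcfile_class_set }`), so it omits `devfile_class_set`, and `dir_file_class_set` built on it silently loses `chr_file` and `blk_file` that the removed definition included. Either define it as `{ file_class_set ipcfile_class_set devfile_class_set }` or drop the duplicate. Separately, `file_class_set` shrinks from six classes to `{ file lnk_file }`, so every existing rule that uses it loses `sock_file fifo_file chr_file blk_file`; the commit message should say so, or the old name should keep its old meaning and the narrow set get a new name.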
>>> @@ -18,6 +21,7 @@ define(`ipc_class_set', `{ sem msgq shm ipc }')
>>>  #####################################
>>>  # Common groupings of permissions.
>>>  #
>>> +define(`attr_file_perms', `{ open getattr }')
>>>  define(`x_file_perms', `{ getattr execute execute_no_trans }')
>>>  define(`r_file_perms', `{ getattr open read ioctl lock }')
>>>  define(`w_file_perms', `{ open append write }')
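Review bot: `attr_file_perms` is introduced but nothing in the patch uses it, and the commit message refers to `attr_file_dir_perms`, which is not defined here. Also, a stat-style tree walk only needs `getattr` on files (plus `search` on directories); including `open` grants more than the name suggests, so consider `{ getattr }` or renaming the macro to match what it allows.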
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>
> I did not see those te macros....thanks. Those do exactly what I was
> looking for.
>

One other thing that patch did was collapse the macros into each other
so you didn't have all these redefinitions. This would be consistent
with the file_perms macros.

For instance look at:

define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file
chr_file blk_file }')
define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file
blk_file }')

dir_file_class_set is a superset of file_class_set and thus could be
condensed with the macro of the other.

Also file_class_set is the union of the two sets below and could be
condensed to use these macros:
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
define(`devfile_class_set', `{ chr_file blk_file }')

Would a patch to clean these up be accepted?

-- 
Respectfully,

William C Roberts

