Date: Sat, 3 May 2003 10:36:58 -0400
To: grsecurity@grsecurity.net
From: spender@grsecurity.net
Subject: [grsec] variable and set operation support in gradm 2.0

Just letting everyone know I implemented the requested variable support in
gradm 2.0 a couple of days ago. This morning (in a little less than an hour)
I implemented set operation support for the configuration as well.
Currently it supports unions, intersections, and differences of sets (of
objects in this case). Here's an example of its use, and what the resulting
objects will be that will be added to your subject:

    define objset1 {
        /root/blah rw
        /root/blah2 r
        /root/blah3 x
    }

    define somename2 {
        /root/test1 rw
        /root/blah2 rw
        /root/test3 h
    }

    subject /somebinary o
        $objset1 & $somename2

The above would expand to:

    subject /somebinary o
        /root/blah2 r

since the & operator takes both sets and returns the files that exist in
both sets, and the permission for those files that exist in both sets.

    subject /somebinary o
        $objset1 | $somename2

would expand to:

    subject /somebinary o
        /root/blah rw
        /root/blah2 rw
        /root/blah3 x
        /root/test1 rw
        /root/test3 h

since the | operator takes both sets and returns the files that exist in
either set. If a file exists in both sets, it is returned as well, and the
mode contains the flags that exist in either set.

    subject /somebinary o
        $objset1 - $somename2

would expand to:

    subject /somebinary o
        /root/blah rw
        /root/blah2 h
        /root/blah3 x

since the - operator takes both sets and returns the files that exist in the
set on the left, but not in the match for the file in the set on the right.
If a file exists on the left and a match is found on the right (either the
filenames are the same, or a parent directory exists in the right set), the
mode of the second set is removed from the first set, and that file is
returned.

So:

if $objset1 contained /tmp/blah rw, and $objset2 contained /tmp/blah r

    $objset1 - $objset2

would contain /tmp/blah w

and:

if $objset1 contained /tmp/blah rw, and $objset2 contained / rwx

    $objset1 - $objset2

would contain /tmp/blah h

As for order of precedence (from highest to lowest):

    -
    &
    |

If you don't want to bother remembering precedence, parenthesis support is
also included, so you can do things like

    (($set1 - $set2) | $set3) & $set4

That's all for now

-Brad
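The following is an added reference model of the set semantics described in the message above; it is not gradm's own code and is not taken from the grsecurity project. It treats an object set as a mapping from path to mode flags and implements & (files in both, flags common to both), | (files in either, flags from either) and - (every left file, with the flags of the matching right entry removed and an emptied mode becoming h), plus a small expression evaluator with the stated precedence (- before & before |) and parentheses. Two details the message does not spell out are assumptions made here and marked as such in the code: when several right-set entries are parents of a left file, the most specific (longest) one is taken as the match, and an intersection whose common flags are empty is rendered as h like an emptied difference. The EXAMPLE_SETS data is constructed from the objset1/somename2 example in the message.

```python
"""Reference model of gradm 2.0 object-set operations (&, |, -) and the
precedence/parenthesis rules described on the grsecurity list.  This is an
added example, not gradm's implementation."""
import re
from typing import Dict, Optional

# An object set maps an absolute path to its mode flags, e.g. "rw" or "h".
ObjSet = Dict[str, str]

# Constructed from the message's example; not real policy.
EXAMPLE_SETS = {
    "objset1": {"/root/blah": "rw", "/root/blah2": "r", "/root/blah3": "x"},
    "somename2": {"/root/test1": "rw", "/root/blah2": "rw", "/root/test3": "h"},
}


def intersect(a: ObjSet, b: ObjSet) -> ObjSet:
    """a & b: files present in both sets, keeping only flags both modes have.
    Assumption: no common flag at all is rendered as 'h' (hidden)."""
    out: ObjSet = {}
    for path, mode in a.items():
        if path in b:
            out[path] = "".join(f for f in mode if f in b[path]) or "h"
    return out


def union(a: ObjSet, b: ObjSet) -> ObjSet:
    """a | b: files in either set; a file in both gets the flags of either."""
    out: ObjSet = dict(a)
    for path, mode in b.items():
        if path in out:
            out[path] += "".join(f for f in mode if f not in out[path])
        else:
            out[path] = mode
    return out


def _match(path: str, rhs: ObjSet) -> Optional[str]:
    """Entry of rhs that matches path: the same filename or a parent directory.
    Assumption: the most specific (longest) parent wins when several exist."""
    best = None
    for other in rhs:
        if other == path or path.startswith(other.rstrip("/") + "/"):
            if best is None or len(other) > len(best):
                best = other
    return best


def difference(a: ObjSet, b: ObjSet) -> ObjSet:
    """a - b: every file of a; where b matches it (same file or a parent
    directory), b's flags are removed, an emptied mode becoming 'h'."""
    out: ObjSet = {}
    for path, mode in a.items():
        hit = _match(path, b)
        if hit is None:
            out[path] = mode
        else:
            out[path] = "".join(f for f in mode if f not in b[hit]) or "h"
    return out


_TOKEN = re.compile(r"\s*(\$[A-Za-z_][A-Za-z0-9_]*|[-&|()])")
_PREC = {"|": 1, "&": 2, "-": 3}          # higher binds tighter
_OPS = {"|": union, "&": intersect, "-": difference}


def tokenize(expr: str):
    """Split an expression into $names, operators and parentheses."""
    expr, pos, toks = expr.strip(), 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks


def evaluate(expr: str, sets: Dict[str, ObjSet]) -> ObjSet:
    """Evaluate a set expression over named sets with precedence climbing."""
    toks, pos = tokenize(expr), 0

    def primary() -> ObjSet:
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "(":
            val = binary(1)
            if pos >= len(toks) or toks[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return val
        if tok.startswith("$"):
            return dict(sets[tok[1:]])
        raise ValueError(f"unexpected {tok!r}")

    def binary(min_prec: int) -> ObjSet:
        nonlocal pos
        left = primary()
        while pos < len(toks) and toks[pos] in _PREC and _PREC[toks[pos]] >= min_prec:
            op = toks[pos]
            pos += 1
            right = binary(_PREC[op] + 1)   # left-associative at equal precedence
            left = _OPS[op](left, right)
        return left

    result = binary(1)
    if pos != len(toks):
        raise ValueError(f"trailing input {toks[pos:]!r}")
    return result


if __name__ == "__main__":
    for e in ("$objset1 & $somename2", "$objset1 | $somename2", "$objset1 - $somename2"):
        print(e, "->", evaluate(e, EXAMPLE_SETS))
```

Running the module prints the three expansions from the message; the difference of {/tmp/blah rw} against {/ rwx} yields /tmp/blah h because "/" is a parent-directory match that strips every flag.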