1) Cross-profile perms
Exactly, this is a syntax we already have.
2) Granting perms for an address and its children/
Clean handling of 2) is a must.
Based on your previous question, this could actually mean 3 different
a) only the resource and not its children
b) the resource and its children
c) only the resource's children, not the resource itself
I think /subsystem=logging could be used for a) or b). For c), I was
briefly thinking about /subsystem=logging/*=*, but I thought that we
surely don't support that, so I didn't bother trying and directly went
to the 'children-only' attribute. I tried it now and indeed we don't
support .../*=* :-)
But if we had to support all of a), b) and c), a multi-valued attribute
like children=yes|no|only (or recursive=yes|no|children-only, I didn't
give it much thought) could work.