Hi,

We have merged the latest AOSP master including the 4.3 changes into our seandroid branch, and have created a seandroid-4.3 branch from android-4.3_r1. The local_manifest.xml files have been updated for master and 4.3, and the wiki instructions have been updated.

In order to use 4.3 on the Nexus 10, we had to extract additional files from the factory image, see: https://groups.google.com/forum/#!topic/android-building/OvPkVsjp63Y

It is no longer strictly necessary to build your own device kernels for the Nexus devices, as the prebuilt kernels include SELinux support. Consequently, we have switched the default in our device/* projects to use the prebuilt kernel. You can however override via TARGET_PREBUILT_KERNEL, and we have provided kernel branches for 4.3 that include some other changes such as enabling pathname collection for syscall auditing by default and rootfs file labeling support that you can build if you want those additional features. It is also not necessary to build your own emulator (goldfish) kernel on master, as the prebuilt emulator kernel on master includes SELinux support, but you do still need to build it on 4.3.

The 4.3 and AOSP master policy have diverged from our policy in a substantial way. For the time being we have essentially reverted all of Google's changes to the policy and switched it back to our policy (aside from a few fixes that we cherry-picked) because there are significant conflicts between their changes and ours and because at a certain point, they switched over to making all domains in their policy fully permissive and unconfined. Thus, by default, their policy neither enforces anything (even in global enforcing mode, due to per-domain permissive enabled for every domain) nor logs anything (due to making all domains unconfined). We will be trying to improve the situation in AOSP going forward.

Also, the alternative location for policy files has been changed in 4.3 and AOSP master from /data/security to /data/security/current. That only seems to be true at present for the SELinux policy files, not the mac_permissions.xml configuration.
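
An added example, not part of the original message or the SE Android project's code: a small audit of policy source that reports which domains are per-domain permissive or unconfined, the two conditions the message describes. The sample policy text is constructed, and the `unconfined_domain()` macro name is an assumption about how the policy source marks a domain as unconfined.

```python
import re

# Constructed sample policy source (not copied from AOSP or the seandroid tree).
SAMPLE_TE = """
type app, domain;
permissive app;
unconfined_domain(app)

type installd, domain;
permissive installd;   # denials are logged but not blocked

type vold, domain;
# permissive vold;     commented out, so vold stays enforcing
allow vold self:capability sys_admin;
"""

TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*,\s*([\w\s,]+);")
PERMISSIVE_RE = re.compile(r"^\s*permissive\s+(\w+)\s*;")
# Assumption: unconfined domains are marked with an unconfined_domain() macro call.
UNCONFINED_RE = re.compile(r"^\s*unconfined_domain\(\s*(\w+)\s*\)")


def audit_policy(te_source):
    """Return {domain: status} for every type declared with the 'domain' attribute."""
    domains, permissive, unconfined = [], set(), set()
    for raw in te_source.splitlines():
        line = raw.split("#", 1)[0]          # drop policy comments
        m = TYPE_RE.match(line)
        if m and "domain" in [a.strip() for a in m.group(2).split(",")]:
            domains.append(m.group(1))
        m = PERMISSIVE_RE.match(line)
        if m:
            permissive.add(m.group(1))
        m = UNCONFINED_RE.match(line)
        if m:
            unconfined.add(m.group(1))

    report = {}
    for d in domains:
        flags = [name for name, members in
                 (("permissive", permissive), ("unconfined", unconfined))
                 if d in members]
        # A domain with neither flag is enforced when the device is in enforcing mode.
        report[d] = "+".join(flags) if flags else "enforcing"
    return report


if __name__ == "__main__":
    for domain, status in audit_policy(SAMPLE_TE).items():
        print(f"{domain:10s} {status}")
```

A domain reported as `permissive+unconfined` matches the case in the message: nothing is blocked for it even in global enforcing mode, and no denials are generated to log.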
