On 08/23/2013 04:41 PM, William Roberts wrote:
> On Fri, Aug 23, 2013 at 1:40 PM, Stephen Smalley <[email protected]> wrote:
>> Ok, I don't think that is too hard, just a matter of having libselinux
>> use the appropriate library for accessing zip files and adding the
>> corresponding logic on that side.
>>
>>
>> My biggest concern is having another library added to init...
>
> What do you think will have the smallest, easiest signed format to work
> with?

It seems like reusing the whole-file signed zip format already used for OTA updates would be simplest as it is already in use within Android and is already security-critical. However, one additional complication to work out is how we want to handle mac_permissions.xml. It presently gets installed under /system rather than / and is only used by the system_server, not by the kernel or init. And the current SELinuxPolicyInstallReceiver does not handle it at all.
