On 08/26/2013 09:19 AM, William Roberts wrote:
> On Aug 26, 2013 8:53 AM, "Stephen Smalley" <[email protected]> wrote:
>>
>> On 08/23/2013 04:41 PM, William Roberts wrote:
>>> On Fri, Aug 23, 2013 at 1:40 PM, Stephen Smalley <[email protected]> wrote:
>>>> Ok, I don't think that is too hard, just a matter of having libselinux
>>>> use the appropriate library for accessing zip files and adding the
>>>> corresponding logic on that side.
>>>>
>>>>
>>>> My biggest concern is having another library added to init...
>>>
>>> What do you think will have the smallest, easiest signed format to work
>>> with?
>>
>> It seems like reusing the whole-file signed zip format already used for
>> OTA updates would be simplest as it is already in use within Android and
>> is already security-critical.
>>
>> However, one additional complication to work out is how we want to
>> handle mac_permissions.xml. It presently gets installed under /system
>> rather than / and is only used by the system_server, not by the kernel
>> or init. And the current SELinuxPolicyInstallReceiver does not handle
>> it at all.
>>
>>
> I think you keep the packaging the same... But drop the data path in the
> reload code for Mac perms.

I'm ok with using a different approach for handling updates to
mac_permissions.xml, but we still need a way to do it. Being able to
override the default mac_permissions.xml is a requirement for us.

--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
