Hi,
We've recently released new code to a couple of our projects that
allow for policy reloading via Android's new UpdateConfig mechanism. For
those of you unaware, Android 4.3 has brought a new set of OTA update
hooks for various policy files including some of the SELinux ones. We
see this as a way forward with reloadable policy support and as such
have updated our SEAdmin project (master and seandroid-4.3 branches)
with a new but limited reload option as well as updated our sepolicy
project (seandroid and seandroid-4.3 branches) with new tooling. Some
things to note:
* In order for SEAdmin to reload policy there is a required format
imposed by the back end ConfigUpdate code. A new signed policy 'bundle'
and metadata file are required; the bundle being a packed version of
various SELinux policy files. Because of this new format, we developed a
new tool called buildsebundle that will help with the construction of
such files. You'll need to 'make buildsebundle' first and then invoke
buildsebundle for a help menu after syncing your tree.
* buildsebundle actually outputs a zip file containing the packed bundle
and metadata file. The zip file isn't a direct requirement for the
ConfigUpdate code but merely serves as a convenient packaging format to
deliver both files to the device. This zip file will need to be pushed
to /sdcard for SEAdmin to reload it.
* There is a requirement that the resulting bundle be signed for
integrity purposes. The buildsebundle tool will help with this but a few
caveats are in order. The back end code on the phone requires that an
approved OTA cert already be loaded into the Settings.Secure database to
verify the incoming reload request. This means that the cert on the
phone must match the key fed to the buildsebundle tool. SEAdmin has been
changed to insert a key by first reading the entries in otacerts.zip on
boot. The otacerts.zip file will include the correct testkey/releasekey
when building your system image.
* There is no support for reloading mac_permissions.xml via this new
reload mechanism. This is a limitation of the back end code which only
supports reloading file_contexts, sepolicy, property_contexts and
seapp_contexts policy files. The previous option for reloading
mac_permissions.xml remains supported in the SEAdmin app however. We
will also continue to support the SEAdmin app as the ConfigUpdate code
doesn't presently offer the abilities to switch to enforcing mode or
toggle booleans.
* AOSP code for the new update mechanism can be found at
frameworks/base/services/java/com/android/server/updates/* for the
curious among you.
* Since the ConfigUpdate code seems to still be under development, we
will most likely move in-step with that code in order to bring our ideas
together whenever possible. So, updates to both the SEAdmin and sepolicy
tooling are possible in the future.
We welcome any feedback and ideas in this space concerning reloadable
policy support. Thanks.