Nackā¦ use Booleans Allow Android to have 1 boolean that init trips, once innit trips it, the allow to load policy is removed and also the rule to allow toggling that Boolean is removed
From: Seandroid-list [mailto:[email protected]] On Behalf Of Nick Kralevich Sent: Friday, April 7, 2017 10:34 AM To: SELinux <[email protected]>; [email protected] Subject: add CONFIG_SECURITY_SELINUX_LOAD_ONCE I wanted to draw people's attention to the following proposed change: https://android-review.googlesource.com/367695 In the case of Android, it's common for security policy to be loaded once, and never reloaded again. In that case, the locking / unlocking surrounding the in-kernel policy is unnecessary and can be avoided. The patch above turns the locks into no-ops and ensures that the kernel cannot load a policy more than once. End result is that locking and preemption overhead is avoided and there's less attack surface / code compiled into the kernel. I would appreciate comments on the change. This feels like a worthwhile change for the entire SELinux community. -- Nick -- Nick Kralevich | Android Security | [email protected]<mailto:[email protected]> | 650.214.4037
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
