On Aug 26, 2013 8:53 AM, "Stephen Smalley" <[email protected]> wrote:
>
> On 08/23/2013 04:41 PM, William Roberts wrote:
> > On Fri, Aug 23, 2013 at 1:40 PM, Stephen Smalley <[email protected]> wrote:
> >> Ok, I don't think that is too hard, just a matter of having libselinux
> >> use the appropriate library for accessing zip files and adding the
> >> corresponding logic on that side.
> >>
> >>
> >> My biggest concern is having another library added to init...
> >
> > What do you think will have the smallest, easiest signed format to work
> > with?
>
> It seems like reusing the whole-file signed zip format already used for
> OTA updates would be simplest as it is already in use within Android and
> is already security-critical.
>
> However, one additional complication to work out is how we want to
> handle mac_permissions.xml. It presently gets installed under /system
> rather than / and is only used by the system_server, not by the kernel
> or init. And the current SELinuxPolicyInstallReceiver does not handle
> it at all.
>
>
I think you keep the packaging the same... But drop the data path in the
reload code for Mac perms.