Hi,

We've updated the project wiki with some documentation of this policy update mechanism, see: http://selinuxproject.org/page/SEforAndroid#Policy_Updates

On 08/28/2013 01:54 PM, rpcraig wrote:
> Hi,
>
> We've recently released new code to a couple of our projects that
> allow for policy reloading via Android's new UpdateConfig mechanism. For
> those of you unaware, Android 4.3 has brought a new set of OTA update
> hooks for various policy files including some of the SELinux ones. We
> see this as a way forward with reloadable policy support and as such
> have updated our SEAdmin project (master and seandroid-4.3 branches)
> with a new but limited reload option as well as updated our sepolicy
> project (seandroid and seandroid-4.3 branches) with new tooling. Some
> things to note:
>
> * In order for SEAdmin to reload policy there is a required format
> imposed by the backend ConfigUpdate code. A new signed policy 'bundle'
> and metadata file are required; the bundle being a packed version of
> various selinux policy files. Because of this new format, we developed a
> new tool called buildsebundle that will help with the construction of
> such files. You'll need to 'make buildsebundle' first and then invoke
> buildsebundle for a help menu after syncing your tree.
>
> * buildsebundle actually outputs a zip file containing the packed bundle
> and metadata file. The zip file isn't a direct requirement for the
> ConfigUpdate code but merely serves as a convenient packaging format to
> deliver both files to the device. This zip file will need to be pushed
> to /sdcard for SEAdmin to reload it.
>
> * There is a requirement that the resulting bundle be signed for
> integrity purposes. The buildsebundle tool will help with this but a few
> caveats are in order. The back end code on the phone requires that an
> approved OTA cert already be loaded into the Settings.Secure database to
> verify the incoming reload request. This means that the cert on the
> phone must match the key fed the buildsebundle tool. SEAdmin has been
> changed to insert a key by first reading the entries in otacerts.zip on
> boot. The otacerts.zip file will include the correct testkey/releasekey
> when building your system image.
>
> * There is no support for reloading mac_permissions.xml via this new
> reload mechanism. This is a limitation of the back end code which only
> supports reloading file_contexts, sepolicy, property_contexts and
> seapp_contexts policy files. The previous option for reloading
> mac_permissions.xml remains supported in the SEAdmin app however. We
> will also continue to support the SEAdmin app as the ConfigUpdate code
> doesn't presently offer the abilities to switch to enforcing mode or
> toggle booleans.
>
> * AOSP code for the new update mechanism can be found at
> frameworks/base/services/java/com/android/server/updates/* for the
> curious among you.
>
> * Since the ConfigUpdate code seems to still be under development, we
> will most likely move in-step with that code in order to bring our ideas
> together whenever possible. So, updates to both the SEAdmin and sepolicy
> tooling are possible in the future.
>
>
> We welcome any feedback and ideas in this space concerning reloadable
> policy support. Thanks.
>
> --
> This message was distributed to subscribers of the seandroid-list
> mailing list.
> If you no longer wish to subscribe, send mail to [email protected]
> with
> the words "unsubscribe seandroid-list" without quotes as the message.
