On 02/18/2015 01:10 PM, Elena Reshetova wrote:
> Hi,
>
> In Android.mk under sepolicy/external, there is a definition that seems
> illogical to us:
>
> FORCE_PERMISSIVE_TO_UNCONFINED:=true
>
> ifeq ($(TARGET_BUILD_VARIANT),user)
>   # User builds are always forced unconfined+enforcing
>   FORCE_PERMISSIVE_TO_UNCONFINED:=true
> endif
>
> Would it be instead better to have it this way:
>
> FORCE_PERMISSIVE_TO_UNCONFINED:=true
>
> ifeq ($(TARGET_BUILD_VARIANT),userdebug)
>   # Userdebug builds are not forced to unconfined+enforcing
>   FORCE_PERMISSIVE_TO_UNCONFINED:=false
> endif
>
> It would allow userdebug builds to have permissive domains, which
> greatly helps if you need to run some special debug/logging utilities
> and don't want to waste time on creating policies for them.
>
> Opinions?

In AOSP master, external/sepolicy/Android.mk has:

# Force permissive domains to be unconfined+enforcing?
#
# During development, this should be set to false.
# Permissive means permissive.
#
# When we're close to a release and SELinux new policy development
# is frozen, we should flip this to true. This forces any currently
# permissive domains into unconfined+enforcing.
#
FORCE_PERMISSIVE_TO_UNCONFINED ?= false

ifeq ($(TARGET_BUILD_VARIANT),user)
  # User builds are always forced unconfined+enforcing
  FORCE_PERMISSIVE_TO_UNCONFINED := true
endif

When they forked master for Lollipop, at some point they flipped it to
force permissive to unconfined even in userdebug builds to ensure proper
testing. That was this commit on lollipop-dev/lollipop-release:

commit 2aa727e3f01f814384bd4a49281c7c39cf562ff6
Author: Nick Kralevich <[email protected]>
Date:   Mon Jul 14 09:15:08 2014 -0700

    DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true

    Force any experimental SELinux domains (ones tagged with
    "permissive_or_unconfined") into unconfined. This flag is
    intended to be flipped when we're preparing a release,
    to eliminate inconsistencies between user and userdebug devices,
    and to ensure that we're enforcing a minimal set of rules for all
    SELinux domains.

    Without this change, our user builds will behave differently than
    userdebug builds, complicating testing.

    Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87

So I think you are free to flip it internally for development purposes
but you need to make sure you switch it over for testing well before
testing your final user builds.
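
Added example, not part of the original messages and not AOSP code: a small Python evaluator for the make subset used in the fragments above, showing which value of FORCE_PERMISSIVE_TO_UNCONFINED each build variant ends up with and whether user and userdebug builds diverge. The function names and the `preset` parameter (a value assumed to be set earlier in the build, for example by an earlier makefile) are hypothetical.

```python
import re

# Fragments as quoted in the thread; PROPOSED is the suggestion from the first message.
AOSP_MASTER = """\
FORCE_PERMISSIVE_TO_UNCONFINED ?= false
ifeq ($(TARGET_BUILD_VARIANT),user)
FORCE_PERMISSIVE_TO_UNCONFINED := true
endif
"""
PROPOSED = """\
FORCE_PERMISSIVE_TO_UNCONFINED:=true
ifeq ($(TARGET_BUILD_VARIANT),userdebug)
FORCE_PERMISSIVE_TO_UNCONFINED:=false
endif
"""

ASSIGN = re.compile(r"^(\w+)\s*(\?=|:=)\s*(.*)$")
IFEQ = re.compile(r"^ifeq\s*\(\$\((\w+)\),\s*(\w*)\)$")

def effective_flag(fragment, variant, preset=None):
    """Evaluate the make subset used above (:=, ?=, non-nested ifeq/endif)."""
    env = {"TARGET_BUILD_VARIANT": variant}
    if preset is not None:  # assumption: value already set earlier in the build
        env["FORCE_PERMISSIVE_TO_UNCONFINED"] = preset
    active = True
    for raw in fragment.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cond = IFEQ.match(line)
        if cond:
            active = env.get(cond.group(1), "") == cond.group(2)
        elif line == "endif":
            active = True
        elif active:
            m = ASSIGN.match(line)
            if m is None:
                raise ValueError("unsupported line: " + raw)
            name, op, value = m.groups()
            if op == ":=" or name not in env:  # ?= only sets an unset variable
                env[name] = value.strip()
    return env["FORCE_PERMISSIVE_TO_UNCONFINED"]

def diverges(fragment, preset=None):
    """True when user and userdebug builds would get different settings."""
    return (effective_flag(fragment, "user", preset)
            != effective_flag(fragment, "userdebug", preset))
```

With the AOSP master fragment, `diverges` is true unless the flag is preset to true, which is the state the lollipop-release commit forces so that userdebug testing matches user builds.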
