On Wed, Feb 18, 2015 at 10:10 AM, Elena Reshetova <[email protected] > wrote:
> Hi, > > In Android.mk under sepolicy/external, there is a definition that seems > illogical to us: > > FORCE_PERMISSIVE_TO_UNCONFINED:=true > > ifeq ($(TARGET_BUILD_VARIANT),user) > # User builds are always forced unconfined+enforcing > FORCE_PERMISSIVE_TO_UNCONFINED:=true > endif > > Would it be instead better to have it this way: > > FORCE_PERMISSIVE_TO_UNCONFINED:=true > > ifeq ($(TARGET_BUILD_VARIANT),userdebug) > # Userdebug builds are not forced to unconfined+enforcing > FORCE_PERMISSIVE_TO_UNCONFINED:=false > endif > > It would allow userdebug builds to have permissive domains, which greatly > helps if you need to run some special debug/logging utilities and don't > want to waste time on creating policies for them. > > Opinions? > > The most up-to-date in Android.mk is as follows: # Force permissive domains to be unconfined+enforcing? # # During development, this should be set to false. # Permissive means permissive. # # When we're close to a release and SELinux new policy development # is frozen, we should flip this to true. This forces any currently # permissive domains into unconfined+enforcing. # FORCE_PERMISSIVE_TO_UNCONFINED ?= false ifeq ($(TARGET_BUILD_VARIANT),user) # User builds are always forced unconfined+enforcing FORCE_PERMISSIVE_TO_UNCONFINED := true endif So permissive domains are allowed on everything BUT user builds, but if you wanted to make permissive domains unconfined for some reason, notably to silence the logs, you can override FORCE_PERMISSIVE_TO_UNCONFINED This then gets pased to m4 as a macro definition in the Android.mk as: -D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \ Which later is expanded in te_macros: ##################################### # permissive_or_unconfined # Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false, # and "unconfined($1)" otherwise. # # This is used for experimental domains, where we want to ensure # the domain is unconfined+enforcing once new SELinux policy development # has ceased. # define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1))) So if you want domains to follow this, make sure to use permissive_or_unconfined macro on that domain type. > Best Regards, > Elena. > > _______________________________________________ > Seandroid-list mailing list > [email protected] > To unsubscribe, send email to [email protected]. > To get help, send an email containing "help" to > [email protected]. > -- Respectfully, William C Roberts
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
