On 02/18/2015 02:04 PM, Stephen Smalley wrote:
> On 02/18/2015 01:56 PM, Webb, Russell wrote:
>> We have lots of tools that we run only on userdebug and eng builds and
>> are now being forced to write (ugly) policy for tools we never intend to
>> ship (my company restricts making changes to AOSP projects so changing
>> this internally isn’t as simple as it could be).
>>
>> Would you be open to a patch that sets this variable with ?= so that
>> board files can override? Any chance this change, marked prominently
>> with “DO NOT MERGE”, was not actually intended to be merged and can be
>> reverted?
>
> It is already that way in AOSP master, so there is nothing to patch there.
>
> I believe the DO NOT MERGE was to prevent it from being merged to
> master, as it was only for lollipop.
>
> It wouldn't hurt to suggest it to the Google Android security team for
> future releases, but it can't be retroactively done for an existing
> release obviously.

BTW, you do have another option - you can just declare the domain
permissive without using the permissive_or_unconfined() macro. And then
you aren't subject to the setting of this variable. See su.te for an
example. Obviously you must exert great care to remove all such
definitions from your final product or it will fail the CTS check for
permissive domains. Wrap it with the userdebug_or_eng() macro, as also
shown in su.te, so that it does not accidentally get included in any
-user build.
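
Added example (not part of the original message or of AOSP): a Python check that scans policy source for `permissive` declarations sitting outside a `userdebug_or_eng()` block, which is the case the reply says would reach a -user build. The domain names `mytool` and `dbgtool` and the sample policy are constructed; the scanner only tracks m4 quote nesting and does not run m4.

```python
import re

GUARD = "userdebug_or_eng("
# A policy statement of the form "permissive <domain>;" at the start of a line.
PERMISSIVE = re.compile(r"^\s*permissive\s+([A-Za-z0-9_]+)\s*;", re.M)

# Constructed sample: mytool is permissive in every build variant,
# dbgtool only in userdebug/eng builds. Both names are hypothetical.
SAMPLE = """\
type mytool, domain;
permissive mytool;

userdebug_or_eng(`
  type dbgtool, domain;
  permissive dbgtool;
')
"""

def guarded_spans(policy):
    """Return (start, end) offsets of each userdebug_or_eng(`...') call."""
    spans, pos = [], 0
    while (start := policy.find(GUARD, pos)) != -1:
        i, depth = start + len(GUARD), 0
        while i < len(policy):
            c = policy[i]
            if c == "`":                 # m4 open quote
                depth += 1
            elif c == "'" and depth > 0:  # m4 close quote
                depth -= 1
            elif c == ")" and depth == 0:  # end of the macro call
                break
            i += 1
        spans.append((start, i))
        pos = i + 1
    return spans

def unguarded_permissive(policy):
    """Domains declared permissive outside any userdebug_or_eng() block."""
    spans = guarded_spans(policy)
    return [m.group(1) for m in PERMISSIVE.finditer(policy)
            if not any(s <= m.start(1) < e for s, e in spans)]

if __name__ == "__main__":
    for domain in unguarded_permissive(SAMPLE):
        print(f"permissive {domain}; is not wrapped in userdebug_or_eng()")
```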
