On 02/26/2015 12:46 AM, Dong Zhou wrote:
> Hi, SE Gurus
>
> Got a few questions regarding policy update.
>
> 1) We will have no SEAdmin on the device, so do we still need to
> use buildsebundle to create the policy update?

Neither SEAdmin nor buildsebundle is part of AOSP, so I guess you are building one of our branches? If you want to ship a policy update to a device without performing an OTA, you need to construct a policy update bundle in the expected format (that's what buildsebundle does), and you need an app on the device that can receive such bundles and generate the android.intent.action.UPDATE_SEPOLICY intent to install the bundle (that's what SEAdmin demonstrates). You are free, of course, to roll your own tool and app if you wish; buildsebundle and SEAdmin are just examples. I don't know what (if anything) Google uses. IIRC, we had offered to upload buildsebundle to AOSP but they weren't interested.

> 2) Once we push the new policy files into /data/security/current, is
> a system reboot a mandatory (or recommended) operation?

The ConfigUpdate SELinuxPolicyInstallReceiver in the system_server will unpack the bundle under a subdirectory of /data/security, symlink /data/security/current to it, and then setprop selinux.reload_policy 1 when it receives the intent, causing an immediate reload. However, mac_permissions.xml changes do not take effect without a reboot, and labeling changes in file_contexts are not retroactively applied without a reboot (and no changes to /system labeling are possible without an OTA upgrade).

> 3) How to ensure the updated sepolicy binary is from the original policy
> issuer and has not been tampered with?

The bundle has to be signed by a certificate from otacerts.zip or it will be rejected by the ConfigUpdate mechanism.

> BTW, we are using Lollipop, with both external/sepolicy and
> device/<device-name>/sepolicy

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
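The reply above describes what SELinuxPolicyInstallReceiver leaves behind after a successful install (a subdirectory under /data/security with /data/security/current symlinked to it) and which parts of an update still need a reboot. The following POSIX shell script is an added example, not code from the original thread, from SEAdmin or from buildsebundle. It provides two post-install checks a tester can run: one that verifies the current symlink resolves to a directory inside the same tree, and one that, given the files of the unpacked bundle, reports whether a reboot is still required. Assumptions made for illustration: the unpacked bundle is a flat directory of policy files with names such as sepolicy, seapp_contexts, file_contexts and mac_permissions.xml; only the two files the reply names as reboot-only are treated as such, and everything else is treated as applied by the reload; the demo tree it builds under mktemp is constructed input.

```shell
#!/bin/sh
# Added example (not from the original thread, SEAdmin, or buildsebundle).
# Post-install checks for an SELinux policy update delivered through the
# ConfigUpdate receiver, based on the behaviour described in the reply:
#   - /data/security/current must be a symlink into a subdirectory of
#     /data/security (where the receiver unpacked the bundle);
#   - changes to mac_permissions.xml or file_contexts need a reboot,
#     everything else is picked up by "setprop selinux.reload_policy 1".
# ASSUMPTION: the unpacked bundle is a flat directory of policy files with
# the names below; adjust REBOOT_FILES if your bundle layout differs.

REBOOT_FILES="mac_permissions.xml file_contexts"

# current_link_ok ROOT
# Return 0 if ROOT/current is a symlink to a directory located inside ROOT.
current_link_ok() {
    root=$1
    [ -L "$root/current" ] || return 1
    target=$(readlink "$root/current") || return 1
    case $target in
        /*) ;;                       # absolute target, use as-is
        *) target="$root/$target" ;; # relative target, resolve against ROOT
    esac
    [ -d "$target" ] || return 1
    rootabs=$(cd "$root" && pwd -P) || return 1
    targetabs=$(cd "$target" && pwd -P) || return 1
    case $targetabs in
        "$rootabs"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# policy_update_needs_reboot DIR
# Print one verdict line per file in DIR and return 0 if any of them only
# takes effect after a reboot, 1 if a policy reload alone is enough.
policy_update_needs_reboot() {
    dir=$1
    needs_reboot=1
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        case " $REBOOT_FILES " in
            *" $name "*) echo "$name: takes effect only after reboot"; needs_reboot=0 ;;
            *)           echo "$name: applied on selinux.reload_policy" ;;
        esac
    done
    return $needs_reboot
}

# Demo on a constructed tree that mimics /data/security after an install.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/security/update-2"
    : > "$tmp/security/update-2/sepolicy"
    : > "$tmp/security/update-2/mac_permissions.xml"
    ln -s "$tmp/security/update-2" "$tmp/security/current"

    if current_link_ok "$tmp/security"; then
        echo "current -> $(readlink "$tmp/security/current"): OK"
    else
        echo "current symlink is missing or points outside $tmp/security"
    fi
    if policy_update_needs_reboot "$tmp/security/current"; then
        echo "verdict: reboot required"
    else
        echo "verdict: reload is sufficient"
    fi
    rm -rf "$tmp"
}

if [ "$#" -eq 0 ]; then
    demo
else
    # Run against a real tree, e.g. on the device:
    #   adb push policycheck.sh /data/local/tmp/ &&
    #   adb shell sh /data/local/tmp/policycheck.sh /data/security
    current_link_ok "$1" && echo "current symlink OK" || echo "current symlink BAD"
    policy_update_needs_reboot "$1/current" && echo "reboot required" || echo "reload sufficient"
fi
```

Run with no arguments for the self-contained demo, or with the path of a /data/security tree to check a real install. Running it on the device through adb shell assumes a shell that is allowed to read /data/security (in practice a rooted userdebug build), which is an assumption of this example rather than something the thread states; the script reports only what the reply describes and does not itself trigger a reload or a reboot.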
