diff options
| author | Alex Klyubin <klyubin@google.com> | 2017-02-28 12:32:20 -0800 |
|---|---|---|
| committer | Alex Klyubin <klyubin@google.com> | 2017-03-01 14:07:40 -0800 |
| commit | 16696e201b20010d7de97265224e83401861d9ad (patch) | |
| tree | 84c4d10a0b10575c06aeb4fc22388af63ac60b9f /libutils/ProcessCallStack.cpp | |
| parent | dfbae6ddbbc1dfaf9ba2b712f0de2cba786b092c (diff) | |
Use split SELinux policy at boot, if available
This modifies init's loading of SELinux policy into the kernel to
load the split (platform/system vs non-platform/vendor) policy if it's
present. If the split policy is not present, the usual monolithic
policy is loaded into the kernel, same as before.
Split policy is loaded by first compiling it from CIL form using
secilc compiler into the conventional monolithic/compiled form which
is then loaded into the kernel.
The build system has not yet been modified to place split policy onto
devices. Thus, this commit currently has no effect. For testing split
policy, build plat_sepolicy.cil, nonplat_sepolicy.cil, and
mapping_sepolicy.cil, and place them into the root directory of the
device.
The following tests were performed for a device with monolithic policy
and for the same device with split policy.
Test: Device boots, no new denials
Test: Play Movies plays back movies
Test: Load ip6.me im Chrome
Bug: 31363362
Change-Id: I9a75a48ac88f3392abc36669f91b0803e88cd147
Diffstat (limited to 'libutils/ProcessCallStack.cpp')
0 files changed, 0 insertions, 0 deletions