Nack… use Booleans.

Allow Android to have 1 boolean that init trips; once init trips it, the allow to load policy is removed and also the rule to allow toggling that Boolean is removed.

> I wanted to draw people's attention to the following proposed change:
>
> In the case of Android, it's common for security policy to be loaded once, and never reloaded again. In that case, the locking / unlocking surrounding the in-kernel policy is unnecessary and can be avoided. The patch above turns the locks into no-ops and ensures that the kernel cannot load a policy more than once. End result is that locking and preemption overhead is avoided and there's less attack surface / code compiled into the kernel.
>
> I would appreciate comments on the change. This feels like a worthwhile change for the entire SELinux community.
>
> -- Nick
>
> --
> Nick Kralevich | Android Security | nnk@xxxxxxxxxx | 650.214.4037 |
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
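The boolean approach suggested in the reply can be sketched as SELinux conditional policy. This is an added illustration, not policy from the thread or from Android; the boolean name `policy_load_open` is hypothetical, and the Android-style type names `init` and `kernel` are assumptions.

```selinux
# Added sketch: one-way "load policy once" latch built from a boolean.
# Hypothetical name: policy_load_open. Assumed types: init, kernel.

# Default true: at boot, policy loading is still permitted.
bool policy_load_open true;

if (policy_load_open) {
    # init may load (or reload) policy only while the boolean is true.
    allow init kernel:security load_policy;

    # init may change booleans only while the boolean is true.
    # This is what makes the latch one-way: the permission needed
    # to flip the boolean back is itself conditional on it.
    allow init kernel:security setbool;
}

# No other domain is granted load_policy or setbool, and neither
# permission is granted unconditionally anywhere in the policy.
#
# Boot sequence assumed by this sketch:
#   1. init loads the policy (boolean is true, load_policy allowed).
#   2. init sets policy_load_open to false and commits the change
#      through the selinuxfs booleans interface.
#   3. Both rules above are now disabled. init can no longer load
#      policy, and can no longer set the boolean back to true.
#      Only a reboot restores the initial state.
```

The latch holds only if no other rule grants `load_policy` or `setbool` on the `security` class outside the conditional, so a policy using this pattern should be checked for such rules (for example with `sesearch`) before relying on it.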