I like that, but I wonder at its scope. Would an update to the OS be allowed to update the policy? For example, Microsoft ships updates to the Windows O/S 2 times (at least) per month. Would that type of update to Android allow policy updates?
Another question involves the list of authoritative CSPs. That can now be updated in most O/S available on the market. Is that still allowed to be updated, or is that already allowed by policy?
..tom
On Fri, Apr 7, 2017 at 10:34 AM, Nick Kralevich <nnk@xxxxxxxxxx> wrote:
I wanted to draw people's attention to the following proposed change:

In the case of Android, it's common for security policy to be loaded once, and never reloaded again. In that case, the locking / unlocking surrounding the in-kernel policy is unnecessary and can be avoided. The patch above turns the locks into no-ops and ensures that the kernel cannot load a policy more than once. End result is that locking and preemption overhead is avoided and there's less attack surface / code compiled into the kernel.

I would appreciate comments on the change. This feels like a worthwhile change for the entire SELinux community.

-- Nick

--
Nick Kralevich | Android Security | nnk@xxxxxxxxxx | 650.214.4037
_______________________________________________
Seandroid-list mailing list
Seandroid-list@xxxxxxxxxxxxx
To unsubscribe, send email to Seandroid-list-leave@tycho.nsa.gov .
To get help, send an email containing "help" to Seandroid-list-request@tycho.nsa.gov .