Skip to content
Snippets Groups Projects
Commit 356df327 authored by Nick Kralevich's avatar Nick Kralevich
Browse files

init.te: delete kernel load policy support 

Remove the ability to dynamically update SELinux policy on the
device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
  * https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

Bug: 22885422
Bug: 8949824
Change-Id: Id98b5e09d79254816d920b92003efe8dcbe6cd2e
parent 301555e6
No related branches found
No related tags found
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment