Add user-specified custom policy #3

@lbdroid

Some projects, i.e. http://forum.xda-developers.com/nexus-6/themes-apps/viper4android-t2952137, require the ability to add persistent changes to sepolicy. While it is certainly possible to add workarounds for specific projects on an as-needed basis, such as 213b4d9, this solution is not sustainable long term.

Reasons:

  1. An unknown number of projects may require such changes.
  2. Such policy changes always introduce some security compromise by definition, even if not serious.
  3. Potential for two or more policy changes working together to create an unexpected significant hole in security.
  4. Causes harm, through weakening of SELinux policy, to end users who don't need those compromises.
  5. Requires maintenance on THIS end.

Solution:
Have a list of custom policy changes required by end-users.
Read that list during execution of this update package.
Append them.

It might be appropriate to use the Superuser Android application for maintenance of this list, having an appropriate intent for an end-user application to call in order to add a policy change, and requiring user authentication to complete the request. The Superuser application can periodically check the installed applications to verify that all those with current policy changes are still installed, and clear out policy changes for removed applications. It is also possible for the Superuser application to initiate a reboot and update cycle.

http://android.stackexchange.com/questions/67622/shell-script-to-reboot-into-recovery-and-install-zip
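
A sketch of the list handling proposed in this issue, as an added example (not code from the project or from the issue author): it parses a per-application rule list, rejects malformed entries, prunes rules whose application is no longer installed, and merges the rest so the combined policy change is visible before it is appended. The line format, package names and sample rules are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample list. The "package|source|target|class|perms" line format
# is an assumption made for this example, not a format defined by the project.
SAMPLE_LIST = """\
com.example.audiofx|mediaserver|mediaserver_tmpfs|file|read,write,execute
com.example.audiofx|mediaserver|mediaserver|process|execmem
com.example.removed|untrusted_app|system_data_file|file|read
com.example.other|mediaserver|mediaserver_tmpfs|file|read,open
com.example.broken|mediaserver|*|file|read
"""
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
PACKAGE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def parse_list(text):
    """Return (entries, rejected); only plain identifiers are accepted."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split("|")
        if len(fields) != 5:
            rejected.append(line)
            continue
        package, source, target, tclass, perms = fields
        names = [source, target, tclass, *perms.split(",")]
        if PACKAGE.match(package) and all(IDENT.match(n) for n in names):
            entries.append((package, source, target, tclass,
                            frozenset(perms.split(","))))
        else:
            rejected.append(line)  # wildcards, spaces, empty fields, etc.
    return entries, rejected


def prune(entries, installed):
    """Drop entries whose requesting package is no longer installed."""
    return [e for e in entries if e[0] in installed]


def render(entries):
    """Merge entries into one allow statement per (source, target, class)."""
    merged = defaultdict(set)
    for _pkg, source, target, tclass, perms in entries:
        merged[(source, target, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(merged[(s, t, c)]))} }};"
            for (s, t, c) in sorted(merged)]
```

The merged output shows the union of permissions requested by different applications for the same source and target, which is where the combined effect of separate requests (reason 3 above) becomes reviewable.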