On 02/17/2014 07:55 AM, Heiko Stumpf wrote:
Hello SEAndroid Community,
I am using Android 4.3 with SEAndroid revision "seandroid-4.3_r2". So far
my SEAndroid environment works perfectly. Additionally, I want to use the
intent mac feature from the intent_mac branch. Therefore I merged the
external/sepolicy and frameworks/base repositories into my working copies.
Building was done without errors. I tried to activate the intent-mac
feature by setting "persist.mmac.enforce 1". Testing the feature with
"persist.mac_intent_allowSig 1" did not work.
What has to be done to activate the intent-mac feature?
Thank you for advice!
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to
[email protected].
First, the intent_mac code is no longer being maintained (as you have
undoubtedly seen). In 4.3, Android "released" IntentFirewall which
attempts to achieve similar results, placing restrictions on ICC. We
have decided to leverage the IntentFirewall code as a means to control
ICC moving forward. In our sepolicy project (external/sepolicy) there is
a sample policy file (ifw.xml) that will allow you to restrict certain
ICC along with a small amount of documentation attempting to describe
the policy syntax. The ifw.xml file is supported with our 4.4 and master
branches and the IntentFirewall code is supported with our 4.3, 4.4 and
master branches. I would first determine if the new IntentFirewall code
could achieve the same results and restrictions you seek. Our outside
wiki also has some additional info regarding this topic such as the
policy loading mechanism.
If you still want to use the intent_mac code then you'll want to set
persist.mmac.enforce to 1 (true) which will run the mechanism in
enforcing mode. There are other tunables as well which all default to
true. In particular, the persist.mac_intent_allowSig which allows a
component to send any intent to another component, as long as both
components belong to packages signed with the same key, should already
be set to true. Not sure what the issue is based on the info you've
given. Do you have any example policy you've written which shows that
the feature isn't working?