The Android IntentFirewall works fine for me! Thank you for your advice. But I need to push the ifw.xml file to the device with each new build. In my Android 4.3 environment this isn't covered by the build process. Is it possible to include the copy job in the Android build process? Can you provide information on how this could be done?
Thanks!
Heiko Stumpf

> On 02/17/2014 07:55 AM, Heiko Stumpf wrote:
>> Hello SEAndroid Community,
>>
>> I am using Android 4.3 with SEAndroid revision "seandroid-4.3_r2". So
>> far my SEAndroid environment works perfectly. Additionally I want to use
>> the intent mac feature from the intent_mac branch. Therefore I merged the
>> external/sepolicy and frameworks/base repositories into my working
>> copies.
>>
>> Building was done without errors. I tried to activate the intent-mac
>> feature by setting "persist.mmac.enforce 1". Testing the feature with
>> "persist.mac_intent_allowSig 1" did not work.
>>
>> What has to be done to activate the intent-mac feature?
>>
>> Thank you for advice!
>>
>> _______________________________________________
>> Seandroid-list mailing list
>> [email protected]
>> To unsubscribe, send email to [email protected].
>> To get help, send an email containing "help" to
>> [email protected].
>
> First, the intent_mac code is no longer being maintained (as you have
> undoubtedly seen). In 4.3, Android "released" IntentFirewall which
> attempts to achieve similar results, placing restrictions on ICC. We
> have decided to leverage the IntentFirewall code as a means to control
> ICC moving forward. In our sepolicy project (external/sepolicy) there is
> a sample policy file (ifw.xml) that will allow you to restrict certain
> ICC along with a small amount of documentation attempting to describe
> the policy syntax. The ifw.xml file is supported with our 4.4 and master
> branches and the IntentFirewall code is supported with our 4.3, 4.4 and
> master branches. I would first determine if the new IntentFirewall code
> could achieve the same results and restrictions you seek. Our outside
> wiki also has some additional info regarding this topic such as the
> policy loading mechanism.
>
> If you still want to use the intent_mac code then you'll want to set
> persist.mmac.enforce to 1 (true) which will run the mechanism in
> enforcing mode. There are other tunables as well which all default to
> true. In particular, the persist.mac_intent_allowSig which allows a
> component to send any intent to another component, as long as both
> components belong to packages signed with the same key, should already
> be set to true. Not sure what the issue is based on the info you've
> given. Do you have any example policy you've written which shows that
> the feature isn't working?
