Good to hear! I'd be curious to see a sample of your ifw.xml file.
To get the build system to support loading a default ifw.xml file I
would think a couple of things would have to occur. One is the
IntentFirewall.java code would have to understand that a policy file
exists under some system directory (like /system/etc/security/ifw.xml)
and always read it in on boot. Coding this should be easy. Maybe
consider making some mods to the readRulesDir function. Second, you'll
also need an ifw.xml file to be copied out to the system image on every
build. Maybe something as simple as the following could work when added
to external/sepolicy/Android.mk.
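# Prebuilt module: install ifw.xml under the system image's etc/security directory
include $(CLEAR_VARS)
LOCAL_MODULE := ifw.xml
# The source file has the same name as the module
LOCAL_SRC_FILES := $(LOCAL_MODULE)
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
include $(BUILD_PREBUILT)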
On 03/10/2014 01:01 PM, Heiko Stumpf wrote:
The Android IntentFirewall works fine for me! Thank you for your advice.
But I need to push the ifw.xml file to the device with each new build. In
my Android 4.3 environment this isn't covered through the build process.
Is it possible to include the copy job into the Android build process? Can
you provide information on how this could be done?
Thanks!
Heiko Stumpf
On 02/17/2014 07:55 AM, Heiko Stumpf wrote:
Hello SEAndroid Community,
I am using Android 4.3 with SEAndroid revision "seandroid-4.3_r2". So far
my SEAndroid environment works perfectly. Additionally I want to use the
intent mac feature from the intent_mac branch. Therefore I merged the
external/sepolicy and frameworks/base repositories into my working copies.
Building was done without errors. I tried to activate the intent-mac
feature by setting "persist.mmac.enforce 1". Testing the feature with
"persist.mac_intent_allowSig 1" did not work.
What has to be done to activate the intent-mac feature?
Thank you for advice!
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to
[email protected].
First, the intent_mac code is no longer being maintained (as you have
undoubtedly seen). In 4.3, Android "released" IntentFirewall which
attempts to achieve similar results, placing restrictions on ICC. We
have decided to leverage the IntentFirewall code as a means to control
ICC moving forward. In our sepolicy project (external/sepolicy) there is
a sample policy file (ifw.xml) that will allow you to restrict certain
ICC along with a small amount of documentation attempting to describe
the policy syntax. The ifw.xml file is supported with our 4.4 and master
branches and the IntentFirewall code is supported with our 4.3, 4.4 and
master branches. I would first determine if the new IntentFirewall code
could achieve the same results and restrictions you seek. Our outside
wiki also has some additional info regarding this topic such as the
policy loading mechanism.
If you still want to use the intent_mac code then you'll want to set
persist.mmac.enforce to 1 (true) which will run the mechanism in
enforcing mode. There are other tunables as well which all default to
true. In particular, the persist.mac_intent_allowSig which allows a
component to send any intent to another component, as long as both
components belong to packages signed with the same key, should already
be set to true. Not sure what the issue is based on the info you've
given. Do you have any example policy you've written which shows that
the feature isn't working?