On 04/09/2014 11:04 PM, Arun Chandrasekaran wrote:
> Hi,
> I would like to know if policies can be defined in the kernel
> module in such a way that I can disallow an app installation based on
> the key (used for the certificate by the developer) related to it?

If using our seandroid or seandroid-4.x.y branches (in particular, our frameworks/base project), then you can just remove the <default> stanza from mac_permissions.xml and then any app with a certificate not explicitly whitelisted in mac_permissions.xml won't be installed/loaded. That includes even pre-installed apps. That is the install-time MAC feature.

The AOSP implementation however doesn't support that; it only supports mapping of app certificates to seinfo values for labeling of the app process and data directory, not install-time MAC enforcement.

You could alternatively configure mac_permissions.xml and seapp_contexts such that apps that are not whitelisted in mac_permissions.xml either end up not matching any entry in seapp_contexts or match an entry that assigns a domain without sufficient permissions to run, and then the app process would abort immediately. But it would still be installed/loaded by the PMS.
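
Added example, not part of the original message or of the SE Android code: a simplified Python model of the two outcomes described in the reply above, refusal at install time when the <default> stanza is removed (seandroid branches) versus an installed app whose process cannot start (AOSP). The signature values, the corp seinfo and corp_app domain, and all function names are constructed for illustration, and seapp_contexts matching is reduced to the user and seinfo fields.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; signature values are placeholders, not real certificates.
MAC_PERMISSIONS = """
<policy>
  <signer signature="aa11"><seinfo value="platform"/></signer>
  <signer signature="bb22"><seinfo value="corp"/></signer>
  <default><seinfo value="default"/></default>
</policy>
"""

# Constructed seapp_contexts with no catch-all entry, so seinfo=default matches nothing.
SEAPP_CONTEXTS = """
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app seinfo=corp domain=corp_app type=app_data_file
"""

def lookup_seinfo(policy_xml, cert_hex):
    """Return the seinfo for a whitelisted signer, else the <default> value, else None."""
    root = ET.fromstring(policy_xml)
    for signer in root.findall("signer"):
        if signer.get("signature", "").lower() == cert_hex.lower():
            return signer.find("seinfo").get("value")
    default = root.find("default/seinfo")
    return default.get("value") if default is not None else None

def lookup_domain(seapp_text, seinfo):
    """Simplified match: an entry that omits seinfo= matches any seinfo value."""
    for line in seapp_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if fields.get("user") == "_app" and fields.get("seinfo", seinfo) == seinfo:
            return fields.get("domain")
    return None

def strip_default(policy_xml):
    """Return the policy with every <default> stanza removed."""
    root = ET.fromstring(policy_xml)
    for stanza in root.findall("default"):
        root.remove(stanza)
    return ET.tostring(root, encoding="unicode")

def evaluate(policy_xml, seapp_text, cert_hex, install_time_mac):
    """install_time_mac=True models the seandroid branches, False models AOSP."""
    seinfo = lookup_seinfo(policy_xml, cert_hex)
    if seinfo is None and install_time_mac:
        return "install refused"
    domain = lookup_domain(seapp_text, seinfo)
    return f"installed, runs as {domain}" if domain else "installed, process cannot start"
```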
