What do you mean by intent firewall? And how can I tell if applications talk using system_server over binder?
On Tue, Oct 21, 2014 at 5:53 PM, Joshua Brindle <[email protected]> wrote:
> William Roberts wrote:
>
>> On Oct 21, 2014 7:37 AM, "Tal Palant" <[email protected]> wrote:
>> >
>> > How can I block specific IPC calls between processes (in theory)?
>> >
>> > What kind of policy do I need to define in order to do so?
>> >
>> >
>> > On Mon, Oct 20, 2014 at 4:10 PM, Stephen Smalley <[email protected]> wrote:
>> >>
>> >> On 10/18/2014 05:24 AM, Tal Palant wrote:
>> >> > Hello all,
>> >> >
>> >> > I'm trying to get a better understanding of how SEAndroid can affect the IPC in Android.
>> >> >
>> >> > Can SEAndroid prevent applications from sending binder to other applications?
>> >> >
>> >> > Thanks in advance,
>> >>
>> >> Yes, we added security hooks to the kernel binder driver, and therefore SELinux can mediate binder IPC. However, in practice, apps are expected to be able to call each other, and much IPC is indirect through the system_server, so the current policy is not enforcing a particular goal in this regard.
>>
>> You can either use type enforcement by placing the apps in new domains and not allowing any binder class permissions.
>>
>> You can use mls, and enable the mls constraint in the policy file mls. Look for a commented out constraint that references binder.
>>
>
> Of course, none of that stops apps from talking through system_server over binder. For that you'll need to use the intent firewall.

--
Tal Polo Palant, because there is only one such name
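For readers following the two options Joshua lists above, here is an added policy sketch (written for this archive, not taken from the thread or from AOSP sepolicy) in the SELinux policy language that SEAndroid uses. The domain name isolated_demo_app, the seinfo tag "demo" and the file placement are assumptions; the binder permissions (call, transfer) and the mlstrustedsubject attribute are the ones SEAndroid actually defines.

```selinux
# Added example, not policy from the thread or from AOSP.
# Names isolated_demo_app and seinfo=demo are assumptions.

########## Option 1: type enforcement (new app domain) ##########
# seapp_contexts: apps whose mac_permissions.xml entry carries
# seinfo=demo are labeled with their own domain instead of untrusted_app.
user=_app seinfo=demo domain=isolated_demo_app type=app_data_file

# isolated_demo_app.te
# (Baseline app rules such as talking to zygote are omitted here; a real
# domain would still need them, e.g. via the app_domain macro.)
type isolated_demo_app, domain;

# The binder LSM hook checks "call" when a transaction is sent to a target
# domain and "transfer" when a binder reference is handed over inside a
# transaction. Grant both only towards system_server, which is the path the
# thread says most indirect IPC takes anyway.
allow isolated_demo_app system_server:binder { call transfer };

# No allow rule exists towards other app domains, so a direct app-to-app
# binder transaction is denied and shows up as an avc: denied ... { call }
# entry in dmesg/logcat, which also answers "how can I tell" from the question.
# neverallow makes that intent explicit: policy compilation fails if a later
# rule reopens the channel.
neverallow isolated_demo_app appdomain:binder *;

########## Option 2: MLS ##########
# mls file: AOSP ships a constraint of this shape commented out (see the
# "commented out constraint that references binder" Joshua mentions).
# Once enabled, sender and receiver must share a level (category set)
# unless one side carries the mlstrustedsubject attribute. Apps would then
# need categories assigned by intended communication rather than per app.
mlsconstrain binder { call transfer }
    (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
```

Neither option affects calls that system_server forwards on an app's behalf (intents, content providers), which is why the thread points to the intent firewall for that layer.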
Seandroid-list mailing list
