William Roberts wrote:
On Oct 21, 2014 7:37 AM, "Tal Palant" <[email protected] <mailto:[email protected]>> wrote: > > How can i block specific ipc calls between processes (in theory)? > > what kind of policy do i need to define in order to do so? > > > On Mon, Oct 20, 2014 at 4:10 PM, Stephen Smalley <[email protected] <mailto:[email protected]>> wrote: >> >> On 10/18/2014 05:24 AM, Tal Palant wrote: >> > Hello all, >> > >> > i'm trying to get a better understanding on how SEAndroid can effect the >> > ipc in Android. >> > >> > Can SEAndroid prevent applications from sending binder to other >> > applications? >> > >> > Thanks in advance, >> >> Yes, we added security hooks to the kernel binder driver, and therefore >> SELinux can mediate binder IPC. However, in practice, apps are expected >> to be able to call each other, and much IPC is indirect through the >> system_server, so the current policy is not enforcing a particular goal >> in this regard You can either use type enforcement by placing the apps in new domains and not allowing any binder class permissions. You can use mls, and enable the mls constraint in the policy file mls. Look for a commented out constraint that references binder.
Of course, none of that stops apps from talking through system_server over binder. For that you'll need to use the intent firewall.
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
