And what about broadcasts? Do they use binder and go through system server?
On Wed, Sep 30, 2015 at 10:45 AM, Tal Palant <[email protected]> wrote:
> Does an explicit intent also go through a system process, meaning is it
> also not direct between processes?
>
> On Tue, Sep 29, 2015 at 6:48 AM, William Roberts <[email protected]> wrote:
>>
>> On Sep 28, 2015 8:40 PM, "Tal Palant" <[email protected]> wrote:
>> >
>> > So just to sum up, SEAndroid can only help in case there's a direct
>> > binder between two processes?
>>
>> Yes.
>>
>> >
>> > Which is less common if I understand correctly.
>> >
>> > On Tue, 29 Sep 2015 at 04:09 William Roberts <[email protected]> wrote:
>> >>
>> >> On Sep 28, 2015 8:10 AM, "Tal Palant" <[email protected]> wrote:
>> >> >
>> >> > Thanks for the detailed answer.
>> >> >
>> >> > A follow-up question: if for instance an intent is used, it means that
>> >> > the communication is done using a system process, and you mentioned that
>> >> > SEAndroid works on the process level. Can SEAndroid also control the
>> >> > system process? Can SEAndroid control IPC in this case? Or can SEAndroid
>> >> > only control when the communication is direct between two processes?
>> >>
>> >> Intents are sent from one process through the system server process
>> >> and delivered to another process. So you would need to cut off binder
>> >> access to the system server; however, this is not feasible. Applications
>> >> will not work without binder access to system server.
>> >>
>> >> You need to make activity manager service (AMS), which runs inside of
>> >> the system server process, smart enough to control intents. AMS is already
>> >> smart enough to check against Android permissions; you could also add logic
>> >> to check other things. IIRC the Intent MAC branch out of the SEAndroid project
>> >> has support for intent controls.
>> >>
>> >> >
>> >> > On Mon, Aug 31, 2015 at 1:29 AM, William Roberts <[email protected]> wrote:
>> >> >>
>> >> >> On Aug 29, 2015 9:17 AM, "Tal Palant" <[email protected]> wrote:
>> >> >> >
>> >> >> > Hi,
>> >> >> >
>> >> >> > I have a question regarding the usage of SEAndroid on the binder
>> >> >> > class.
>> >> >> >
>> >> >> > Can it be used to control which applications access other
>> >> >> > applications' components?
>> >> >>
>> >> >> Yes and no. It controls access at the process level. If N
>> >> >> components run in a process then you grant at N components.
>> >> >>
>> >> >> >
>> >> >> > Is all Android IPC communication done using binder? Are
>> >> >> > there other ways?
>> >> >>
>> >> >> Unix domain socket is prevalent... See installd or property service
>> >> >> as an example. Also, intents and broadcasts count as IPC that is built on top
>> >> >> of binder.
>> >> >> Think of binder as an IPC primitive.
>> >> >>
>> >> >> >
>> >> >> > Is the communication done not directly, like using the system or
>> >> >> > something?
>> >> >>
>> >> >> Binder is direct between processes. Intents and broadcasts are
>> >> >> middle-manned by system server.
>> >> >>
>> >> >> >
>> >> >> > In this case the rules on the binder can't prevent communication
>> >> >> > between applications' components?
>> >> >>
>> >> >> If you name components you can use mac_permissions.xml and
>> >> >> seapp_contexts to isolate components. IIRC. I don't do a whole lot this
>> >> >> high up in the stack.
>> >> >>
>> >> >> >
>> >> >> > Thanks.
>> >> >> >
>> >> >> > _______________________________________________
>> >> >> > Seandroid-list mailing list
>> >> >> > [email protected]
>> >> >> > To unsubscribe, send email to [email protected].
>> >> >> > To get help, send an email containing "help" to
>> >> >> > [email protected].
>> >> >
>> >> > --
>> >> > Tal Polo Palant
>> >> > Because there is only one name like that
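To make concrete what William describes (giving a named app its own SELinux domain via mac_permissions.xml and seapp_contexts, then constraining its direct binder access in policy), here is a constructed configuration added to this thread; it is not from the thread or from the SEAndroid project, and the certificate value, the seinfo tag and the domain name are placeholders:

```text
<!-- mac_permissions.xml: map the app's signing certificate (placeholder, the
     real value is the hex-encoded DER certificate) to a seinfo tag -->
<?xml version="1.0" encoding="utf-8"?>
<policy>
  <signer signature="PLACEHOLDER_HEX_DER_CERT">
    <seinfo value="isolated_component" />
  </signer>
  <default>
    <seinfo value="default" />
  </default>
</policy>

# seapp_contexts: the seinfo tag picks the process domain at app launch;
# entries are matched most-specific first, so the tagged app no longer
# lands in the generic untrusted_app domain
user=_app seinfo=isolated_component domain=isolated_component_app type=app_data_file levelFrom=user
user=_app domain=untrusted_app type=app_data_file levelFrom=user

# isolated_component_app.te (placeholder domain): binder to system_server is
# required, because intents and broadcasts still flow through it and SELinux
# cannot filter them there; what policy CAN do is deny the direct
# process-to-process binder path to ordinary app domains.
type isolated_component_app, domain;
app_domain(isolated_component_app)
binder_use(isolated_component_app)
binder_call(isolated_component_app, system_server)
neverallow isolated_component_app untrusted_app:binder call;
```

The neverallow only covers the direct binder case the thread calls out; component-level intent filtering still has to live in AMS (or the Intent MAC work William mentions).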
