On 11/03/2013 02:22 PM, ANDREA DURELLI wrote:
> Hi SEAndroid,
>
> I've created 2 new domains called DomainA_app and DomainB_app. In each file
> called DomainA_app.te and domainB_app.te I've put only these lines:
>
> type DomainA_app, domain;
> app_domain(DomainA_app)
>
> same for DomainB_app.
>
> Now if I run the command ps -Z each application has the right domain. If
> appA in the domain DomainA_app calls appB in the domain domainB_app, it works
> well.
> I want to block calls between 2 apps of different domains, so I've changed
> the file app.te: I've substituted
>
> binder_call(appdomain, appdomain)
>
> with this
>
> # Perform binder IPC to other apps.
> binder_call(shared_app, platform_app)
> binder_call(platform_app, shared_app)
> binder_call(shared_app, media_app)
> binder_call(media_app, shared_app)
> binder_call(shared_app, release_app)
> binder_call(release_app, shared_app)
>
> binder_call(platform_app, media_app)
> binder_call(media_app, platform_app)
> binder_call(platform_app, release_app)
> binder_call(release_app, platform_app)
>
> binder_call(media_app, release_app)
> binder_call(release_app, media_app)
>
> so the system's apps work well, but appA and appB still work well too, so
> I think it is the system_server that enables appA to call and run appB through an
> intent.
> I want to know if there is a way to block calls from appA to appB, maybe some
> neverallow or some modification inside system_server (or in another policy file).
You would need something like the Intent MAC (intent_mac) branch to control Intent delivery via the system_server. That's deprecated though; we are looking at replacing it with something based on the new IntentFirewall mechanism that was first released in Android 4.3.

--
This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
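The binder_call() substitution from the question and the reply's point that Intent delivery goes through system_server, modelled as an added example (not code from the thread or from the SEAndroid project): it expands binder_call() the way te_macros did at the time and checks which direct binder calls each version of the policy permits. The binder_call(appdomain, system_server) line and the attribute membership table are assumptions about the rest of app.te, constructed for the example.

```python
# Added illustration of how SEAndroid's binder_call() macro expands and how
# attribute membership decides which domains a rule covers. Not code from the
# thread or from the SEAndroid project; the macro body follows te_macros then:
#   allow $1 $2:binder { call transfer };   allow $2 $1:binder transfer;
from collections import defaultdict

# Constructed: domains carrying the 'appdomain' attribute (app_domain() adds the new ones).
ATTRIBUTES = {
    "appdomain": {"shared_app", "platform_app", "media_app", "release_app",
                  "DomainA_app", "DomainB_app"},
}

def binder_call(rules, src, tgt):
    """Record the allow rules binder_call(src, tgt) stands for."""
    rules[(src, tgt, "binder")].update({"call", "transfer"})
    rules[(tgt, src, "binder")].add("transfer")

def resolve(name):
    """Map a type or attribute name to the concrete domains it denotes."""
    return ATTRIBUTES.get(name, {name})

def allowed(rules, src, tgt, perm, cls="binder"):
    """True if any rule grants 'src' the permission 'perm' on 'tgt'."""
    return any(perm in perms
               for (s, t, c), perms in rules.items()
               if c == cls and src in resolve(s) and tgt in resolve(t))

def build_original():
    """app.te before the change: every app domain may call every other."""
    rules = defaultdict(set)
    binder_call(rules, "appdomain", "appdomain")
    binder_call(rules, "appdomain", "system_server")  # assumed present, unchanged
    return rules

def build_modified():
    """app.te after the substitution: only the listed pairs may call."""
    rules = defaultdict(set)
    pairs = [("shared_app", "platform_app"), ("shared_app", "media_app"),
             ("shared_app", "release_app"), ("platform_app", "media_app"),
             ("platform_app", "release_app"), ("media_app", "release_app")]
    for a, b in pairs:
        binder_call(rules, a, b)
        binder_call(rules, b, a)
    binder_call(rules, "appdomain", "system_server")  # assumed present, unchanged
    return rules

def direct_call_allowed(policy, src, tgt):
    """Can 'src' issue a binder call straight to 'tgt' under this policy?"""
    return allowed(policy, src, tgt, "call")
```

Under the modified policy DomainA_app can no longer binder-call DomainB_app directly but still reaches system_server, which is the path an Intent-based launch takes, so the binder_call change alone does not block it.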
