On 11/06/2013 02:43 PM, ANDREA DURELLI wrote: > Thank you for the reply, > so I understand that to control intent delivery via the system_server I > could use > something like the intent firewall, but I would like to know if I can > archive > the same result by writing directly in the policy files, I'm thinking about > to leave the app.te file > with its rules only for the trusted application and make another domain for > other applications with the same rules used in the app.te file but isolated > from the first one.Maybe something that doesn't allow intents like this > appA-->system_server system_server-->appB.
Don't reply to a different thread. You can't enforce that kind of restriction via the SELinux kernel policy. You need some form of access control in the system_server. So you can either try to use our (now deprecated) intent MAC mechanism (see the intent_mac branch) with its mmac_types.xml and intent_mac.xml configurations or you can have a look at the new IntentFirewall mechanism in 4.3 and later (which is what we are doing). -- This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
