On Oct 21, 2014 7:37 AM, "Tal Palant" <tal.pal...@gmail.com> wrote:
>
> How can I block specific IPC calls between processes (in theory)?
>
> What kind of policy do I need to define in order to do so?
>
>
> On Mon, Oct 20, 2014 at 4:10 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>>
>> On 10/18/2014 05:24 AM, Tal Palant wrote:
>> > Hello all,
>> >
>> > I'm trying to get a better understanding of how SEAndroid can affect the IPC in Android.
>> >
>> > Can SEAndroid prevent applications from sending binder to other applications?
>> >
>> > Thanks in advance,
>>
>> Yes, we added security hooks to the kernel binder driver, and therefore SELinux can mediate binder IPC. However, in practice, apps are expected to be able to call each other, and much IPC is indirect through the system_server, so the current policy is not enforcing a particular goal in this regard.
You can either use type enforcement by placing the apps in new domains and not allowing any binder class permissions, or you can use MLS and enable the MLS constraint in the policy file mls. Look for a commented-out constraint that references binder.
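An added sketch of the first option (type enforcement), written for this thread rather than taken from it or from AOSP's own policy. It uses AOSP-style macro names (binder_use, binder_call) and the seapp_contexts format; the domain and seinfo names are hypothetical, and it assumes that AOSP's app.te grants binder permissions to the whole appdomain attribute, so the confined domain must not carry that attribute.

```selinux
# Hypothetical: a "normal" app domain that keeps the usual binder access.
type chatty_app, domain;
binder_use(chatty_app)                  # may talk to servicemanager
binder_call(chatty_app, system_server)  # indirect IPC via system_server

# Hypothetical: the confined app domain. Note it is NOT given the
# appdomain attribute (assumption: app.te grants binder_use/binder_call to
# appdomain as a whole) and it gets no binder allow rules at all, so every
# binder call or transfer it attempts is denied and shows up in the audit
# log as "avc: denied { call }" / "{ transfer }" with tclass=binder.
type confined_app, domain;

# Pin the intent: if someone later adds an allow rule for this domain on
# binder, checkpolicy rejects the build instead of silently re-opening IPC.
neverallow confined_app domain:binder { call transfer };
neverallow domain confined_app:binder { call transfer };

# seapp_contexts entry (hypothetical seinfo value) that places apps signed
# with the certificate mapped to "confined" in mac_permissions.xml into the
# confined domain. Without this mapping the domain above is never entered.
#   user=_app seinfo=confined domain=confined_app type=app_data_file
```

After building the policy, `sesearch -A -s confined_app -c binder` on the compiled policy should return no allow rules; any hit means the confinement has a gap.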
Seandroid-list mailing list Seandroid-list@tycho.nsa.gov