Background:
I'm building a service into the Android OS and I would like it to be accessible only to apps published by my company. This service is implemented as a component of a Java-based system app, and said system app must be signed by the platform certificate in order to use several system permissions it requires (protectionLevel="signature|privileged" in frameworks/base/core/res/AndroidManifest.xml). The app(s) that will be accessing it need to be signed by my company certificate (different from the platform cert), so AFAIK the service needs to be remote and exported. The apps will communicate with the service across processes by using a messenger (though AIDL is also an option).
Question:
How can I lock down an exported system service to only my company's apps?
I've already had to implement a custom SELinux domain for my company's apps for another project, so an SELinux policy solution (e.g. only members of a given SELinux domain are allowed to bind to a given service) would be ideal.
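One in-process check that complements an SELinux policy, written here as an added example rather than code from the question: the service hands out a Messenger, and its Handler accepts a message only if every package under the sender's UID is signed with a pinned company certificate. It assumes API 28+ for `PackageManager.hasSigningCertificate(int, byte[], int)`; the fingerprint bytes, class name and message codes are placeholders, and a caller using AIDL instead would make the same `isCompanyCaller` check with `Binder.getCallingUid()` inside the stub method.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.os.Message;
import android.os.Messenger;
import android.util.Log;

/**
 * Exported Messenger service that only processes requests from packages
 * signed with the company certificate (example code, not from the question).
 */
public class CompanyOnlyService extends Service {
    private static final String TAG = "CompanyOnlyService";

    // PLACEHOLDER: SHA-256 of the DER-encoded company signing certificate
    // (for example as printed by `apksigner verify --print-certs`).
    private static final byte[] COMPANY_CERT_SHA256 = new byte[32];

    // Placeholder message codes for the example protocol.
    public static final int MSG_PING = 1;
    public static final int MSG_PONG = 2;

    private Messenger mMessenger;

    /**
     * Returns true only if the package(s) under callingUid are signed with the
     * pinned certificate. Because the check is by signing certificate rather
     * than by package name, a third-party app cannot satisfy it by reusing a
     * package name; a sharedUserId is covered because all packages sharing a
     * UID must carry the same signer.
     */
    boolean isCompanyCaller(int callingUid) {
        if (callingUid == Binder.getCallingUid() && callingUid == android.os.Process.myUid()) {
            // Same-process caller (our own app); nothing to verify.
            return true;
        }
        PackageManager pm = getPackageManager();
        return pm.hasSigningCertificate(callingUid, COMPANY_CERT_SHA256,
                PackageManager.CERT_INPUT_SHA256);
    }

    private final class IncomingHandler extends Handler {
        IncomingHandler() {
            super(Looper.getMainLooper());
        }

        @Override
        public void handleMessage(Message msg) {
            // For Messenger IPC the framework stamps sendingUid when the message
            // crosses the process boundary. Binder.getCallingUid() must NOT be
            // used here: the message is dispatched asynchronously on our own
            // thread, so it would report our own UID, not the client's.
            int uid = msg.sendingUid;
            if (!isCompanyCaller(uid)) {
                Log.w(TAG, "Dropping message " + msg.what + " from uid " + uid);
                return; // no reply to an unauthorized caller
            }
            switch (msg.what) {
                case MSG_PING:
                    if (msg.replyTo != null) {
                        try {
                            msg.replyTo.send(Message.obtain(null, MSG_PONG));
                        } catch (android.os.RemoteException e) {
                            Log.w(TAG, "Client went away", e);
                        }
                    }
                    break;
                default:
                    super.handleMessage(msg);
            }
        }
    }

    @Override
    public void onCreate() {
        super.onCreate();
        mMessenger = new Messenger(new IncomingHandler());
    }

    @Override
    public IBinder onBind(Intent intent) {
        // onBind is invoked on behalf of system_server, so the client's identity
        // is not available here; authorization happens per message instead.
        return mMessenger.getBinder();
    }
}
```

The manifest still has to declare the service `android:exported="true"` for the company apps to bind, so the per-message certificate check is what actually gates access; an SELinux rule restricting which domains may bind adds a second, kernel-enforced layer rather than replacing this one.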