
Background:
I'm building a service into the Android OS and I would like it to be accessible only to apps published by my company. This service is implemented as a component of a Java-based system app, and said system app must be signed by the platform certificate in order to use several system permissions it requires (protectionLevel="signature|privileged" in frameworks/base/core/res/AndroidManifest.xml). The app(s) that will be accessing it need to be signed by my company certificate (different from the platform cert), so AFAIK the service needs to be remote and exported. The apps will communicate with the service across processes by using a messenger (though AIDL is also an option).

Question:
How can I lock down an exported system service to only my company's apps?
I've already had to implement a custom SELinux domain for my company's apps for another project, so an SELinux policy solution (e.g. only members of a given SELinux domain are allowed to bind to a given service) would be ideal.

CCJ
    Ideally, your service will be signed by the same signing key that the client apps will be signed with. In that case, you can use a custom `signature`-level permission, with the service using `android:permission` to require that clients hold that permission. With that permission being `signature`, the signing keys would need to match. – CommonsWare Jul 06 '16 at 22:45

1 Answer


If I understand your situation, you have:

  • a service inside a system app, which therefore has system app permissions.

  • apps that need to talk to this service, and you know how to create a separate SELinux domain for them.

In that case, you can implement a service in init.rc with the same SELinux context as your apps and a domain socket with system permissions. Then only your apps can access the init.rc service, which can communicate with the Java service over the socket.

Daniel
  • Interesting proposition... can you provide or link to code examples and documentation detailing how to implement this solution? – CCJ Jul 08 '16 at 17:34
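A runtime alternative to the SELinux/init.rc route above, added here as an example and not code from the question, the answer or the comments: the platform-signed service checks the signing certificate of whichever UID sent each Messenger message and drops anything not signed by the company certificate. The package name, class name and certificate digest are placeholders. One caveat the example is built around: a Messenger delivers messages on its Handler's Looper thread, so `Binder.getCallingUid()` inside `handleMessage` would return the service's own UID; `Messenger` stamps the real sender into `Message.sendingUid`, which is what the check uses.

```java
// Added example, not code from the original post. Assumes a platform-signed
// system app exposing an exported Messenger-based Service, and company client
// apps all signed with one company certificate. Names and digest are placeholders.
package com.example.sysservice;

import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.os.Messenger;
import android.util.Log;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class CompanyOnlyService extends Service {
    private static final String TAG = "CompanyOnlyService";
    static final int MSG_PING = 1;

    // SHA-256 of the company signing certificate (DER). Placeholder value;
    // the real digest comes from e.g. `keytool -printcert -file company.x509.pem`.
    private static final byte[] COMPANY_CERT_SHA256 = hexToBytes(
            "0000000000000000000000000000000000000000000000000000000000000000");

    // Messages are dispatched on this Handler's Looper thread, so
    // Binder.getCallingUid() here would be the service's own UID.
    // Messenger records the sender in Message.sendingUid instead.
    private final Messenger messenger = new Messenger(
            new Handler(Looper.getMainLooper(), msg -> {
                if (!isCompanyUid(msg.sendingUid)) {
                    Log.w(TAG, "Dropping message from untrusted uid " + msg.sendingUid);
                    return true; // consumed, nothing done
                }
                switch (msg.what) {
                    case MSG_PING:
                        // privileged work for company apps goes here
                        return true;
                    default:
                        return false;
                }
            }));

    @Override
    public IBinder onBind(Intent intent) {
        // onBind is dispatched on the main thread at the system's request, not
        // on the client's binder call, so it cannot identify the client.
        // Authorization happens per message above.
        return messenger.getBinder();
    }

    boolean isCompanyUid(int uid) {
        if (uid < 0) return false; // -1 means the Message did not come via a Messenger
        PackageManager pm = getPackageManager();
        String[] pkgs = pm.getPackagesForUid(uid);
        if (pkgs == null || pkgs.length == 0) return false;
        // Packages sharing a UID must already share a signer; checking every
        // one is cheap and does not rely on that invariant.
        for (String pkg : pkgs) {
            if (!isCompanySigned(pm, pkg)) return false;
        }
        return true;
    }

    private boolean isCompanySigned(PackageManager pm, String pkg) {
        try {
            // GET_SIGNATURES is the pre-API 28 flag; GET_SIGNING_CERTIFICATES
            // supersedes it on later releases.
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length == 0) return false;
            // Every signer must be the company certificate, so a package
            // co-signed by an outside key is rejected.
            for (Signature s : sigs) {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.toByteArray());
                if (!MessageDigest.isEqual(digest, COMPANY_CERT_SHA256)) return false;
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

If the service is switched to AIDL, the same `isCompanyUid` check applies, but there `Binder.getCallingUid()` is the right source, since AIDL method bodies run on the binder thread of the incoming call. The check is per call rather than per bind because a bound `IBinder` can be handed to another process; gating only `onBind` or a signature permission would not cover that hand-off.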