Hi Stephen, Thanks for taking time to reply.
> 2. If you need to assign a specific domain to a system app, you can use > seapp_contexts for that purpose. > > This is precisely what I need help with. I would like to keep a system apk, instead of a daemon. I have written an apk that implements my service, its own aidl etc. This service is meant to be called from apps, which might come from play-store etc (i.e. will be untrusted/third party, but might consider signature security etc). Ideally I would like the service to be started or bound from these apps, but, if required, I can also start the service from BOOT_COMPLETED intent if it helps. Can you please guide me on what to modify in seapp_contexts file? I do not fully understand this file. In AOSP, following are the contents of file externals/sepolicy/seapp_contexts: .... isSystemServer=true domain=system_server user=system domain=system_app type=system_app_data_file user=bluetooth domain=bluetooth type=bluetooth_data_file user=nfc domain=nfc type=nfc_data_file ... What does it represent? Do all apps started by "system" user get "system_app" context? How to ensure that a specific *user* owns the process of the service I am interested in? Or is it the other way around? Thanks -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
