
Android has been more restrictive with files. While it is very clear how to share files across apps, how would I share a file between a system service like surfaceflinger/audioflinger and an app? Note that I own both the app and the AOSP code (meaning, I can modify both, in C/C++). In previous Android versions, system services could access /data/data. Currently, via testing, I noticed an app can only access its own data/data and shared sdcard storage, while system services cannot access either. What is the best way to go about this? Is there a shared directory between apps and services that I do not know of? Or is there a way to subvert checks for this specific file?

My last resort, which I am trying to avoid, is to modify the system service and my app to communicate via sockets.

Note that my modifications are not for a commercial product; this is a personal AOSP modification project I am working on, so my concern is not "privacy/security" at the moment.

John Smith
  • You have to learn "FileProvider" – emandt Jul 28 '23 at 14:16
  • If I use FileProvider in the app, this same file will be accessible universally including by system services? It seems like FP requires intents, which system services like audioflinger (written in C++) would not deal with – John Smith Jul 28 '23 at 18:33
  • There is "android:authorities" FileProvider attribute for this ;) – emandt Jul 30 '23 at 07:55
  • How do you access the file provided by FileProvider from system services? These system services run in the system_server domain and are written in C++, not Java – John Smith Aug 07 '23 at 16:43

1 Answer

  1. You do indeed have the FileProvider API
  2. The app client can bind with AIDL to the system service, then share data
  3. You can create your own directory, make it open for everyone, and set the SEPolicy as you please (open for everyone, or restrict it). Then you have an entire directory that you can share between Java and a system service written in C.
Creating new files:
  • from /device/your_flavor/init.*.rc
  • below "on init"
  • You can add: mkdir /data/my_folder 0666 system system
Changing SEPolicy (get rid of setenforce):

You are the OS, you can adapt any restriction.

  • How would I modify AOSP to automatically include a directory/file open for all? Seems like if I add a file in data/misc, set it to 666 perms, and set SElinux to permissive, both system services and the app can access it. If I do the same (666+setenforce 0) for the file placed in the app's files dir, system services still cannot access it (perm denied) – John Smith Aug 07 '23 at 17:00
  • Depending on your flavor, there is an "init.rc" in which you can add, below "on init" (there is an example in the file): "mkdir /data/my_folder 0666 system system", or root root at the end – Pierre-Emmanuel Mercier Aug 07 '23 at 22:15
  • If you want to get rid of the "setenforce" permissive, you should update the SEPolicy. It's coming directly from Linux. You can see the SEPolicy errors by filtering the logcat with "avc". It's inside /device/your_flavor/sepolicy/*.te – Pierre-Emmanuel Mercier Aug 07 '23 at 22:19
  • Lastly, there is a system permission to allow an app to get access to any files. You can find it from the error message – Pierre-Emmanuel Mercier Aug 07 '23 at 22:31
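
The comments above point to the "avc" lines in logcat as the starting point for new rules in the *.te files. As an added example (not part of the original thread or of AOSP), this Python script groups such denials into candidate allow rules, the way audit2allow does. The log lines are constructed, and the audioserver, untrusted_app and system_data_file labels are assumptions about how the service, the app and the directory are labelled.

```python
import re
from collections import defaultdict

# Constructed logcat lines for illustration (not captured from a device).
# "my_folder" is the directory from the answer; the domain and type names are
# assumed labels for the service, the app and the directory.
SAMPLE_LOGCAT = '''\
08-07 22:20:01.100  612  612 W audioserver: type=1400 audit(0.0:41): avc: denied { search } for name="my_folder" dev="dm-5" ino=7713 scontext=u:r:audioserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
08-07 22:20:01.100  612  612 W audioserver: type=1400 audit(0.0:42): avc: denied { search } for name="my_folder" dev="dm-5" ino=7713 scontext=u:r:audioserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
08-07 22:20:03.250  612  612 W audioserver: type=1400 audit(0.0:43): avc: denied { read open } for path="/data/my_folder/shared.bin" dev="dm-5" ino=7720 scontext=u:r:audioserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
08-07 22:20:03.260  612  612 W audioserver: type=1400 audit(0.0:44): avc: denied { getattr } for path="/data/my_folder/shared.bin" dev="dm-5" ino=7720 scontext=u:r:audioserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
08-07 22:20:05.010 9123 9123 W com.example.app: type=1400 audit(0.0:45): avc: denied { getattr } for path="/data/my_folder/shared.bin" dev="dm-5" ino=7720 scontext=u:r:untrusted_app:s0:c123,c256,c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
08-07 22:20:05.020 9123 9123 I ActivityManager: Displayed com.example.app/.MainActivity
'''

# Matches one kernel AVC denial and extracts the fields an allow rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=u:r:(?P<source>\w+):\S*\s+"
    r"tcontext=u:(?:object_r|r):(?P<target>\w+):\S*\s+"
    r"tclass=(?P<tclass>\w+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_denials(log_text):
    """Group denied permissions by (source domain, target type, class)."""
    denials = defaultdict(set)
    logged_only = set()  # keys seen with permissive=1: logged, not blocked
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (m["source"], m["target"], m["tclass"])
        denials[key].update(m["perms"].split())
        if m["permissive"] == "1":
            logged_only.add(key)
    return dict(denials), logged_only

def to_allow_rules(denials):
    """Render one candidate .te allow rule per grouped denial."""
    rules = []
    for (source, target, tclass), perms in sorted(denials.items()):
        ordered = sorted(perms)
        body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {source} {target}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    found, logged_only = parse_denials(SAMPLE_LOGCAT)
    print("\n".join(to_allow_rules(found)))
    print("# logged under permissive only:", sorted(logged_only))
```

A key reported with permissive=1 was logged but not blocked, which is why the access appears to work under setenforce 0. Review each generated rule before adding it to a .te file; labelling the directory with its own type keeps the grant narrower than allowing access to system_data_file.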