how to change process domain from untrusted_app to system_app

This post shows how to sign your own app as system_app

and this method won't affect the OEM's original system_app packages

I also record the methods that failed in this post, so you will need to read all of it to know what I did

 

Adding user system_app, group system_app in init.rc: did not work

Adding sharedUserId="1000" in /data/system/packages.xml: did not work

concept of keys:

http://nelenkov.blogspot.hk/2013/05/code-signing-in-androids-security-model.html?m=1

Speaking of system apps, most of those are signed by a number of so called ‘platform keys’. There are four different keys in the current AOSP tree, named platform, shared, media and testkey (releasekey for release builds). All packages considered part of the core platform (System UI, Settings, Phone, Bluetooth etc.) are signed with the platform key, launcher and contacts related packages — with the shared key, the gallery app and media related providers — with the media key, and everything else (including packages that don’t explicitly specify the signing key) — with the testkey. One thing to note is that the keys distributed with AOSP are in no way special, even though they have ‘Google’ in the certificate DN. Using them to sign your apps will not give you any specific privileges, you will need the actual keys Google or your carrier/device manufacturer uses. Even though the associated certificates may happen to have the same DN as the ones in AOSP, they are different and very unlikely to be publicly accessible. Custom ROMs are often an exception though, and some, including CyanogenMod, use the AOSP keys, or publicly available keys, as is (there are plans to change this for CyanogenMod though). Sharing the signing key allows packages to work together and establish trust relationships, which we will discuss next

The only APK file in the framework directory is framework-res.apk. As the name implies, it packages framework resources (animation, drawables, layouts, etc.), but no actual code. Most importantly, it defines the android package and system permissions. Thus any app trying to request a system-level signature permission needs to be signed with the same certificate as the framework resource package. Not surprisingly, it is signed by the platform key discussed in the previous section (usually found in build/target/product/security/platform.pk8|.x509.pem).

Try resigning every package in /data/system/packages.xml that has sharedUserId="1000" with the same key:

$ grep 'sharedUserId="1000"' /data/system/packages.xml


Too many to change.

Not sure whether it is enough to first resign only the ones that ps -Z shows as system_app:

$ ps -Z | grep system_app

u:r:system_app:s0 system 1968 615 com.quicinc.cne.CNEService
u:r:system_app:s0 system 1995 615 com.qualcomm.qti.GBAHttpAuthentication.auth
u:r:system_app:s0 system 2072 615 com.quicinc.wbcserviceapp
u:r:system_app:s0 system 4231 615 com.android.settings
u:r:system_app:s0 system 6482 615 com.qualcomm.display
u:r:system_app:s0 system 7811 615 com.qualcomm.timeservice

 

After switching to my own (owen) signature, the first problem I hit was this:

It looks like I also need to find a way to make android.uid.system use the owen signature.

W PackageManager: Failed to parse /system/framework/framework-res.apk: Signature mismatch for shared user : SharedUserSetting{748506 android.uid.system/1000}
W PackageManager: Failed to parse /system/priv-app/CNEService: Signature mismatch for shared user : SharedUserSetting{748506 android.uid.system/1000}

While searching for the cause, I first found frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java, which is where the APK signature is checked.

The comment at the link below is worth reading. Roughly, it says that if the signature changed it is expected to be recoverable, but if it is a shared user, it must fail.

http://androidxref.com/6.0.1_r10/xref/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java#6755

 

The article below says that signing the APK with the key in the codebase makes it a system_app, but my current problem is exactly that I do not have the codebase.

https://boundarydevices.com/android-security-part-1-application-signatures-permissions/

 

 

The problem I hit on another device after resigning all system APKs and pushing them in:

F/SystemServer( 954): BOOT FAILURE starting BackgroundDexOptService
F/SystemServer( 954): java.lang.IllegalArgumentException: No such service ComponentInfo{android/com.android.server.pm.BackgroundDexOptService}
F/SystemServer( 954): 	at com.android.server.job.JobSchedulerService$JobSchedulerStub.enforceValidJobRequest(JobSchedulerService.java:720)
F/SystemServer( 954): 	at com.android.server.job.JobSchedulerService$JobSchedulerStub.schedule(JobSchedulerService.java:765)
F/SystemServer( 954): 	at android.app.JobSchedulerImpl.schedule(JobSchedulerImpl.java:42)
F/SystemServer( 954): 	at com.android.server.pm.BackgroundDexOptService.schedule(BackgroundDexOptService.java:55)
F/SystemServer( 954): 	at com.android.server.SystemServer.startOtherServices(SystemServer.java:1172)
F/SystemServer( 954): 	at com.android.server.SystemServer.run(SystemServer.java:343)
F/SystemServer( 954): 	at com.android.server.SystemServer.main(SystemServer.java:244)
F/SystemServer( 954): 	at java.lang.reflect.Method.invoke(Native Method)
F/SystemServer( 954): 	at java.lang.reflect.Method.invoke(Method.java:372)
F/SystemServer( 954): 	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1018)
F/SystemServer( 954): 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:813)
F/SystemServer( 954): 	at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:134)

It feels like I would have to use Xposed to modify some methods in PackageManagerService.

Brute-force resigning may not work the same way on every platform.

 

Finally found where it is decided which domain an app gets:

http://www.hackblog.cn/post/43.html

http://blog.csdn.net/vma_lma/article/details/29569139 has the more complete explanation; the gist is as follows.

frameworks/base/services/core/java/com/android/server/pm/SELinuxMMAC.java::assignSeinfoValue compares the signature inside the APK with the signatures in mac_permissions.xml when the APK is installed, and that is how the APK is classified as system, platform or untrusted_app.

mac_permissions.xml is generated at build time.

For my goal, "make my own APK a system_app", this tells me that at minimum I need to:

1) resign the original system_app packages and my own APK with my own key

2) replace the key in the build and rebuild to regenerate mac_permissions.xml

 

From the comment inside mac_permissions.xml we learn:

there are at least three tags that can be set, signer/default/package, and each tag may contain only one seinfo,

but it is not clear whether I can add another <signer signature="@owenwen"> in order to add <seinfo value="owenwen">

<?xml version="1.0" encoding="utf-8"?>
<policy>

<!--

* A signature is a hex encoded X.509 certificate or a tag defined in
keys.conf and is required for each signer tag.
* A signer tag may contain a seinfo tag and multiple package stanzas.
* A default tag is allowed that can contain policy for all apps not signed with a
previously listed cert. It may not contain any inner package stanzas.
* Each signer/default/package tag is allowed to contain one seinfo tag. This tag
represents additional info that each app can use in setting a SELinux security
context on the eventual process.
* When a package is installed the following logic is used to determine what seinfo
value, if any, is assigned.
- All signatures used to sign the app are checked first.
- If a signer stanza has inner package stanzas, those stanza will be checked
to try and match the package name of the app. If the package name matches
then that seinfo tag is used. If no inner package matches then the outer
seinfo tag is assigned.
- The default tag is consulted last if needed.
-->

<!-- Platform dev key in AOSP -->
<signer signature="@PLATFORM" >
<seinfo value="platform" />
</signer>

<!-- All other keys -->
<default>
<seinfo value="default" />
</default>

</policy>

After compilation this mac_permissions.xml looks like the following, all on one super long line.
You can see that @PLATFORM has been replaced by the hex-encoded X.509 certificate,
and the encoding also changed from utf-8 to iso-8859-1, but that should not matter…

<?xml version="1.0" encoding="iso-8859-1"?><!-- AUTOGENERATED FILE DO NOT MODIFY --><policy><signer signature="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"><seinfo value="platform"/></signer><default><seinfo value="default"/></default></policy>

 

The Android.mk that builds mac_permissions.xml is external/sepolicy/Android.mk:

##################################
include $(CLEAR_VARS)

LOCAL_MODULE := mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security

include $(BUILD_SYSTEM)/base_rules.mk

# Build keys.conf
mac_perms_keys.tmp := $(intermediates)/keys.tmp
$(mac_perms_keys.tmp) : $(call build_policy, keys.conf)
	@mkdir -p $(dir $@)
	$(hide) m4 -s $^ > $@

ALL_MAC_PERMS_FILES := $(call build_policy, $(LOCAL_MODULE))

$(LOCAL_BUILT_MODULE) : $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(ALL_MAC_PERMS_FILES)
	@mkdir -p $(dir $@)
	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
		$(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(ALL_MAC_PERMS_FILES)

mac_perms_keys.tmp :=
##################################

Working through this Android.mk shows that the compiled mac_permissions.xml is ultimately produced by the command below:

DEFAULT_SYSTEM_DEV_CERTIFICATE="build/target/product/security/" \
out/host/linux-x86/bin/insertkeys.py \
-t eng \
-c . out/target/product/generic_arm64/obj/ETC/mac_permissions.xml_intermediates/keys.tmp \
-o out/target/product/generic_arm64/obj/ETC/mac_permissions.xml_intermediates/mac_permissions.xml \
external/sepolicy/mac_permissions.xml

 

Finally, I use the command below to create my own mac_permissions.xml (named owen.xml):

./out/host/linux-x86/bin/insertkeys.py -t release -c . external/sepolicy/keys.conf -o owen.xml external/sepolicy/mac_permissions.xml

And my external/sepolicy/keys.conf is as below; the path "owen/owen.x509.pem" is relative to $TOP.

#
# Maps an arbitrary tag [TAGNAME] with the string contents found in
# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
# name it after the base file name of the pem file.
#
# Each tag (section) then allows one to specify any string found in
# TARGET_BUILD_VARIANT. Typically this is user, eng, and userdebug. Another
# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
#

[@PLATFORM]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem

[@MEDIA]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem

[@SHARED]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem

[@HANDY]
ALL : owen/owen.x509.pem

# Example of ALL TARGET_BUILD_VARIANTS
[@RELEASE]
ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem

 

My mac_permissions.xml is as below. I add a new seinfo named "owenwen", which means an APK signed with my own key will get seinfo "owenwen":

<?xml version="1.0" encoding="utf-8"?>
<policy>

<!--

* A signature is a hex encoded X.509 certificate or a tag defined in
keys.conf and is required for each signer tag.
* A signer tag may contain a seinfo tag and multiple package stanzas.
* A default tag is allowed that can contain policy for all apps not signed with a
previously listed cert. It may not contain any inner package stanzas.
* Each signer/default/package tag is allowed to contain one seinfo tag. This tag
represents additional info that each app can use in setting a SELinux security
context on the eventual process.
* When a package is installed the following logic is used to determine what seinfo
value, if any, is assigned.
- All signatures used to sign the app are checked first.
- If a signer stanza has inner package stanzas, those stanza will be checked
to try and match the package name of the app. If the package name matches
then that seinfo tag is used. If no inner package matches then the outer
seinfo tag is assigned.
- The default tag is consulted last if needed.
-->

<!-- Platform dev key in AOSP -->
<signer signature="@OWENWEN" >
<seinfo value="owenwen" />
</signer>

<!-- All other keys -->
<default>
<seinfo value="default" />
</default>

</policy>
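As an added example (not the AOSP insertkeys.py itself), the Python below mimics the step the Android.mk rule above performs: look up a keys.conf tag for the build variant and inline the hex-encoded DER certificate into mac_permissions.xml. The keys.conf body and the PEM are constructed; note that the tag referenced in the XML has to be defined in keys.conf, so a [@HANDY] section cannot serve a signature="@OWENWEN" entry.

```python
"""Added example, not the AOSP insertkeys.py: show how a keys.conf tag such as
@OWENWEN is resolved for a build variant and replaced in mac_permissions.xml
by the hex-encoded DER form of the PEM certificate."""
import base64
import re

# Constructed keys.conf in the page's format; the cert paths are hypothetical.
KEYS_CONF = """
# comment lines are ignored
[@PLATFORM]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem

[@OWENWEN]
ALL : owen/owen.x509.pem

[@RELEASE]
ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
"""

# A constructed stand-in for a DER certificate, wrapped the way a PEM file is.
FAKE_DER = bytes(range(0x30, 0x40))
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(FAKE_DER).decode() + "\n"
            + "-----END CERTIFICATE-----\n")


def parse_keys_conf(text):
    """Return {tag: {VARIANT: path}} from a keys.conf body."""
    tags, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = re.fullmatch(r"\[(@[A-Z0-9_]+)\]", line)
        if section:
            current = tags.setdefault(section.group(1), {})
            continue
        variant, sep, path = line.partition(":")
        if current is None or not sep:
            raise ValueError(f"malformed keys.conf line: {raw!r}")
        current[variant.strip().upper()] = path.strip()
    return tags


def pem_to_hex(pem_text):
    """The DER body is the base64 payload between the PEM markers."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem_text, re.S)
    if body is None:
        raise ValueError("no CERTIFICATE block in PEM")
    return base64.b64decode("".join(body.group(1).split())).hex()


def resolve_cert_path(entries, variant, dev_cert_dir):
    """Pick the path for TARGET_BUILD_VARIANT, falling back to ALL, and expand
    $DEFAULT_SYSTEM_DEV_CERTIFICATE the way the Android.mk rule sets it."""
    path = entries.get(variant.upper()) or entries.get("ALL")
    if path is None:
        raise KeyError(f"no keys.conf entry for build variant {variant!r}")
    return path.replace("$DEFAULT_SYSTEM_DEV_CERTIFICATE", dev_cert_dir)


def insert_keys(xml_text, keys_conf_text, variant, dev_cert_dir, read_pem):
    """Replace each signature="@TAG" with the hex cert for TAG. A tag used in
    the XML but absent from keys.conf (e.g. @OWENWEN vs. a [@HANDY] section)
    cannot be substituted, so it is rejected here."""
    tags = parse_keys_conf(keys_conf_text)

    def substitute(match):
        tag = match.group(1)
        if tag not in tags:
            raise KeyError(f"{tag} is referenced in the XML but not defined in keys.conf")
        path = resolve_cert_path(tags[tag], variant, dev_cert_dir)
        return f'signature="{pem_to_hex(read_pem(path))}"'

    return re.sub(r'signature="(@[A-Z0-9_]+)"', substitute, xml_text)


def demo(xml_text):
    """Run the substitution against an in-memory 'filesystem' of PEM files."""
    pem_files = {"owen/owen.x509.pem": FAKE_PEM}
    return insert_keys(xml_text, KEYS_CONF, "release",
                       "build/target/product/security", pem_files.__getitem__)
```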

 

My way to sign the APK:

$ java -jar signapk.jar platform.x509.pem platform.pk8 app.apk signed_app.apk

 

To create my own key:

$ ./development/tools/make_key
Usage: ./development/tools/make_key <name> <subject> [<keytype>]
Creates <name>.pk8 key and <name>.x509.pem cert. Cert contains the
given <subject>. A keytype of "rsa" or "ec" is accepted.

$ subject='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=owen.wen@tinklabs.com'
$ ./development/tools/make_key ~/.android-certs/owenwen "$subject"

Refer to http://jmlinnik.blogspot.hk/2011/12/keystores.html for more on key usage.

By now, you will have ~/.android-certs/owen.pk8 and ~/.android-certs/owen.x509.pem.

Copy these two files to your AOSP $TOP and then run insertkeys.py to generate owen.xml (mentioned above).

Then merge owen.xml and /system/etc/security/mac_permissions.xml manually,

and add one line to seapp_contexts in your boot.img, e.g.:

# cat /seapp_contexts
isSystemServer=true domain=system_server
user=system domain=system_app type=system_app_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=radio domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
user=shell domain=shell type=shell_data_file
user=_isolated domain=isolated_app
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app seinfo=owenwen domain=system_app type=app_data_file
user=_app domain=untrusted_app type=app_data_file

Then, finally, all APKs signed with the owenwen key will start as a platform_app domain process; refer below:

# ps -Z | grep owenwen
u:r:system_app:s0 u0_a40 1516 437 com.owenwen.launcher
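The whole chain above, as an added example (not Android's SELinuxMMAC.java or libselinux): at install time assign_seinfo() walks the signer/package/default stanzas of mac_permissions.xml following the rules in the comment quoted earlier, and at process start select_context() picks the most specific seapp_contexts line. The certificate hex strings, the extra <package> stanza and the package names are constructed; the seapp_contexts body is the page's own.

```python
"""Added example, not Android's SELinuxMMAC.java or libselinux: derive an app's
seinfo from mac_permissions.xml and then its domain from seapp_contexts,
following the matching rules quoted on this page."""
import re
import xml.etree.ElementTree as ET

# Constructed stand-ins for the hex-encoded X.509 certs insertkeys.py inlines.
PLATFORM_CERT = "3082aaaa"
OWEN_CERT = "3082bbbb"

# Constructed policy: a platform signer, the owenwen signer with one inner
# package stanza that overrides the outer seinfo, and the default stanza.
MAC_PERMISSIONS = f"""<policy>
<signer signature="{PLATFORM_CERT}"><seinfo value="platform"/></signer>
<signer signature="{OWEN_CERT}">
  <seinfo value="owenwen"/>
  <package name="com.owenwen.debugtool"><seinfo value="default"/></package>
</signer>
<default><seinfo value="default"/></default>
</policy>"""

# The page's seapp_contexts, including the added owenwen line.
SEAPP_CONTEXTS = """
isSystemServer=true domain=system_server
user=system domain=system_app type=system_app_data_file
user=shell domain=shell type=shell_data_file
user=_isolated domain=isolated_app
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app seinfo=owenwen domain=system_app type=app_data_file
user=_app domain=untrusted_app type=app_data_file
"""


def assign_seinfo(policy_xml, signatures, package_name):
    """Signatures are checked in order; an inner <package> stanza wins over the
    signer's outer <seinfo>; <default> is consulted last."""
    root = ET.fromstring(policy_xml)
    signers = {s.get("signature").lower(): s for s in root.findall("signer")}
    for sig in signatures:
        signer = signers.get(sig.lower())
        if signer is None:
            continue
        for pkg in signer.findall("package"):
            if pkg.get("name") == package_name:
                return pkg.find("seinfo").get("value")
        outer = signer.find("seinfo")
        if outer is not None:
            return outer.get("value")
    default = root.find("default/seinfo")
    return default.get("value") if default is not None else None


def parse_seapp_contexts(text):
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [dict(kv.split("=", 1) for kv in ln.split()) for ln in lines if ln]


def _user_matches(pattern, user):
    if pattern == "_app":          # any regular app uid such as u0_a40
        return re.fullmatch(r"u\d+_a\d+", user) is not None
    if pattern == "_isolated":     # isolated-process uids such as u0_i7
        return re.fullmatch(r"u\d+_i\d+", user) is not None
    return pattern == user


def select_context(entries, user, seinfo=None, is_system_server=False):
    """Most specific matching entry wins (isSystemServer, then user, then
    seinfo, the order libselinux ranks them); ties keep file order."""
    best, best_rank = None, None
    for e in entries:
        if e.get("isSystemServer", "false") != str(is_system_server).lower():
            continue
        if "user" in e and not _user_matches(e["user"], user):
            continue
        if "seinfo" in e and e["seinfo"] != seinfo:
            continue
        rank = ("isSystemServer" in e, "user" in e, "seinfo" in e)
        if best is None or rank > best_rank:
            best, best_rank = e, rank
    return best


def resolve_domain(package_name, signatures, user):
    """Install-time seinfo assignment followed by process-start domain lookup."""
    seinfo = assign_seinfo(MAC_PERMISSIONS, signatures, package_name)
    ctx = select_context(parse_seapp_contexts(SEAPP_CONTEXTS), user, seinfo)
    return seinfo, (ctx["domain"] if ctx else None)
```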

Convert an Android key from a keystore to PEM format


1. Convert our ".jks" file to ".p12" (PKCS12 key store format):
keytool -importkeystore -srckeystore oldkeystore.jks -destkeystore newkeystore.p12 -deststoretype PKCS12
1.1. List the new keystore file's contents:
keytool -deststoretype PKCS12 -keystore newkeystore.p12 -list
2. Extract the PEM certificate from the ".p12" keystore file:
openssl pkcs12 -nokeys -in newkeystore.p12 -out certfile.pem
3. Extract the unencrypted key file from the ".p12" keystore file:
openssl pkcs12 -nocerts -nodes -in newkeystore.p12 -out keyfile.key


 

The way to create your own mac_permissions.xml and merge it with the OEM mac_permissions.xml:

$ out/host/linux-x86/bin/insertkeys.py -t release -c . keys.conf -o merged.xml external/sepolicy/mac_permissions.xml mac_permissions.xml

1 comment on "how to change process domain from untrusted_app to system_app"

  1. you will get the message below if you assign the system uid but have not signed with the platform key
    03-20 11:04:47.263 1318 1406 W PackageManager: Package com.owen.app shared user changed from to android.uid.system; replacing with new
    03-20 11:04:47.269 1318 1406 W PackageManager: Failed to parse /system/priv-app/com.owen.app: Signature mismatch for shared user : SharedUserSetting{8c8c35d android.uid.system/1000}
    03-20 11:04:48.759 1318 1318 W PackageManager: System package com.owen.app no longer exists; wiping its data
    03-20 11:04:50.734 1318 1318 I BackupManagerService: Package com.owen.app not installed; dropping from full backup
    03-20 11:04:50.849 1318 1318 I AppOps : Pruning old package com.owen.app/com.android.server.AppOpsService$UidState@529f3f0: new uid=-1
