Add new appdomain for RKPD mainline app

This app talks to the remote provisioning HALs, and therefore requires
access to the tee_device domain.

Bug: 254112668
Test: Manually verify rkpd can run and find remote provisioning hals
Change-Id: I876b0890f3d4e8956406d73e956084b99488ce56
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 1bb5557..20791f4 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -27,6 +27,7 @@
     ntfs
     permissive_mte_prop
     prng_seeder
+    rkpdapp
     servicemanager_prop
     system_net_netd_service
     timezone_metadata_prop
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
new file mode 100644
index 0000000..535f324
--- /dev/null
+++ b/private/rkpd_app.te
@@ -0,0 +1,20 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+typeattribute rkpdapp coredomain;
+
+app_domain(rkpdapp)
+
+# RKPD needs to be able to call the remote provisioning HALs
+hal_client_domain(rkpdapp, hal_keymint)
+
+# Grant access to certain system properties related to RKP
+get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
+
+# Grant access to the normal services that are available to all apps
+allow rkpdapp app_api_service:service_manager find;
+
+# Grant access to statsd
+allow rkpdapp statsmanager_service:service_manager find;
+binder_call(rkpdapp, statsd)
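Review bot: The `hal_client_domain(rkpdapp, hal_keymint)` line grants client access through the whole `hal_keymint` attribute, which presumably covers the KeyMint service itself as well as the remote provisioning interface named in the comment above it. If no narrower attribute exists for the remotely provisioned component HAL, the comment should say so, for example `# hal_keymint is the only client attribute that reaches the remote provisioning HAL; rkpdapp is not expected to call KeyMint itself`. The commit description mentions tee_device access, but no rule in this file references that type, so it is worth confirming the access is either unnecessary or comes in through the macro. The file also has no `neverallow` pinning which domains may reach rkpdapp's data or transition into it, which similar single-purpose app domains often carry.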
diff --git a/private/seapp_contexts b/private/seapp_contexts
index b26d977..81563a5 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -164,6 +164,7 @@
 user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
 user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
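Review bot: The new `com.android.rkpdapp` entry uses `levelFrom=user`, so its data directory gets only per-user MLS categories while sharing the `privapp_data_file` type with every other privileged app. The neighbouring module entries (mediaprovider, permissioncontroller) use `levelFrom=all`, which adds per-app categories. Unless something needs cross-app access to this app's files, `user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all` would be the tighter default for an app that handles key-provisioning state. The entry also has no `seinfo=` selector, so the domain is assigned on package name plus priv-app status alone; if a signer-derived seinfo is available for this module it would be worth binding to it.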
diff --git a/private/stats.te b/private/stats.te
index db29072..c784145 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -47,6 +47,7 @@
   -mediametrics
   -platform_app
   -priv_app
+  -rkpdapp
   -shell
   -stats
   -statsd
diff --git a/public/rkpd_app.te b/public/rkpd_app.te
new file mode 100644
index 0000000..2aaf3b8
--- /dev/null
+++ b/public/rkpd_app.te
@@ -0,0 +1,6 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+
+type rkpdapp, domain;
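Review bot: Declaring `type rkpdapp, domain;` under public/ makes the type part of the policy surface that vendor policy can name and write rules against, which is presumably why the 33.0 compat ignore entry is needed. If no vendor-side rule is expected to reference this domain, the declaration could live in private/rkpd_app.te, keeping the mainline app's sandbox definition entirely platform-owned. If it must stay public, a one-line comment stating which partition needs to reference it would help future reviewers.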