Add new appdomain for RKPD mainline app This app talks to the remote provisioning HALs, and therefore requires access to the tee_device domain. Bug: 254112668 Test: Manually verify rkpd can run and find remote provisioning hals Change-Id: I876b0890f3d4e8956406d73e956084b99488ce56

commit: 71fa94edaea6c2f87b386df78b3c7e09acc06c75 [log] [tgz]
author: Seth Moore <sethmo@google.com> Fri Oct 28 13:46:16 2022 -0700
committer: Seth Moore <sethmo@google.com> Wed Nov 16 12:55:31 2022 -0800
tree: bb6926755cdf7811a08d483e3d852203dacaa5db
parent: f4ab6c9f3c21617b5f313804d1df4a32192c573d [diff] [blame]
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
new file mode 100644
index 0000000..535f324
--- /dev/null
+++ b/private/rkpd_app.te

@@ -0,0 +1,20 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+typeattribute rkpdapp coredomain;
+
+app_domain(rkpdapp)
+
+# RKPD needs to be able to call the remote provisioning HALs
+hal_client_domain(rkpdapp, hal_keymint)
+
+# Grant access to certain system properties related to RKP
+get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
+
+# Grant access to the normal services that are available to all apps
+allow rkpdapp app_api_service:service_manager find;
+
+# Grant access to statsd
+allow rkpdapp statsmanager_service:service_manager find;
+binder_call(rkpdapp, statsd)
commit	71fa94edaea6c2f87b386df78b3c7e09acc06c75	[log] [tgz]
author	Seth Moore <sethmo@google.com>	Fri Oct 28 13:46:16 2022 -0700
committer	Seth Moore <sethmo@google.com>	Wed Nov 16 12:55:31 2022 -0800
tree	bb6926755cdf7811a08d483e3d852203dacaa5db
parent	f4ab6c9f3c21617b5f313804d1df4a32192c573d [diff] [blame]