###
### A domain for sandboxing the remote key provisioning daemon
### app that is shipped via mainline.
###
### Every rule below widens what this domain can reach if the app is ever
### compromised, so new grants should name the narrowest type and permission
### that works and carry a comment saying why they are needed.
###

# Tag rkpdapp with the coredomain attribute. The rkpdapp type itself is not
# declared in this file.
typeattribute rkpdapp coredomain;

# Apply the common app-domain policy macro to rkpdapp.
app_domain(rkpdapp)
# Apply the network-access policy macro to rkpdapp.
# NOTE(review): presumably needed to reach the provisioning backend; confirm.
net_domain(rkpdapp)

# RKPD needs to be able to call the remote provisioning HALs
hal_client_domain(rkpdapp, hal_keymint)
# Second HAL client grant; the "_avf" suffix suggests the virtualization
# framework's remotely provisioned component. TODO confirm against the HAL
# definition.
hal_client_domain(rkpdapp, hal_remotelyprovisionedcomponent_avf)

# Grant access to certain system properties related to RKP
# Read-only access to the device_config-backed RKP flags.
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
# set_prop grants write access, unlike the get_prop above.
# NOTE(review): confirm remote_prov_prop labels only properties that rkpd
# itself is meant to own, since this domain can change them.
set_prop(rkpdapp, remote_prov_prop)

# Grant access to the normal services that are available to all apps
allow rkpdapp app_api_service:service_manager find;

# Grant access to media.metrics service, needed for widevine. This
# access is granted to all other apps already (e.g. untrusted_app_all).
allow rkpdapp mediametrics_service:service_manager find;

# Grant access to statsd
# "find" only lets rkpdapp look the service up through the service manager;
# the binder_call below is what permits the binder transaction to statsd.
allow rkpdapp statsmanager_service:service_manager find;
binder_call(rkpdapp, statsd)