1### 2### A domain for sandboxing the remote key provisioning daemon 3### app that is shipped via mainline. 4### 5typeattribute rkpdapp coredomain; 6 7app_domain(rkpdapp) 8net_domain(rkpdapp) 9 10# RKPD needs to be able to call the remote provisioning HALs 11hal_client_domain(rkpdapp, hal_keymint) 12hal_client_domain(rkpdapp, hal_remotelyprovisionedcomponent_avf) 13 14# Grant access to certain system properties related to RKP 15get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop) 16set_prop(rkpdapp, remote_prov_prop) 17 18# Grant access to the normal services that are available to all apps 19allow rkpdapp app_api_service:service_manager find; 20 21# Grant access to media.metrics service, needed for widevine. This 22# access is granted to all other apps already (e.g. untrusted_app_all). 23allow rkpdapp mediametrics_service:service_manager find; 24 25# Grant access to statsd 26allow rkpdapp statsmanager_service:service_manager find; 27binder_call(rkpdapp, statsd) 28