###
### A domain for sandboxing the remote key provisioning daemon
### app that is shipped via mainline.
###
typeattribute rkpdapp coredomain;

app_domain(rkpdapp)
net_domain(rkpdapp)

# RKPD needs to be able to call the remote provisioning HALs
hal_client_domain(rkpdapp, hal_keymint)
hal_client_domain(rkpdapp, hal_remotelyprovisionedcomponent_avf)

# Grant access to certain system properties related to RKP
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
set_prop(rkpdapp, remote_prov_prop)

# Grant access to the normal services that are available to all apps
allow rkpdapp app_api_service:service_manager find;

# Grant access to media.metrics service, needed for widevine. This
# access is granted to all other apps already (e.g. untrusted_app_all).
allow rkpdapp mediametrics_service:service_manager find;

# Grant access to statsd
allow rkpdapp statsmanager_service:service_manager find;
binder_call(rkpdapp, statsd)