0407c993d8
Revert submission 2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ Reason for revert: This change relands the topic https://r.android.com/q/topic:%22expose-avf-rkp-hal%22 The SELinux denial has been fixed in system/sepolicy Reverted changes: /q/submissionid:2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ Bug: 308596709 Bug: 274881098 Change-Id: Ib23ac4680b0f37b760bff043e1f42ce61a58c3e2
###
### A domain for sandboxing the remote key provisioning daemon
### app that is shipped via mainline.
###
### What this file grants rkpdapp, in order: the base app and network
### permissions, client access to the KeyMint HAL, the AVF
### remotely-provisioned-component service, one readable and one writable
### RKP-related property type, and lookup of a few binder services.
###

# coredomain places rkpdapp on the core-platform side of the policy, not the
# vendor side.
typeattribute rkpdapp coredomain;

# app_domain: the base set of permissions required for all apps.
# net_domain: the base set of permissions required for network access.
# NOTE(review): network access is presumably needed to reach the provisioning
# backend -- confirm. Together with the HAL and property grants below, this is
# a network-facing domain with key-provisioning privileges, so any addition to
# this file deserves review.
app_domain(rkpdapp)
net_domain(rkpdapp)

# RKPD needs to be able to call the remote provisioning HALs
# hal_client_domain makes rkpdapp a client of everything covered by the
# hal_keymint attribute. NOTE(review): the remote provisioning HAL service is
# presumably grouped under hal_keymint -- confirm in the hal_keymint policy.
hal_client_domain(rkpdapp, hal_keymint)

# Grant access to AVF IRPC service
# (IRPC presumably stands for IRemotelyProvisionedComponent, going by the
# service type name.) Two grants are needed: "find" lets rkpdapp look the
# service up in the service manager, and binder_call lets it transact with
# virtualizationservice, the domain named as the binder peer.
allow rkpdapp avf_remotelyprovisionedcomponent_service:service_manager find;
binder_call(rkpdapp, virtualizationservice)

# Grant access to certain system properties related to RKP
# get_prop is read-only access to the device_config-backed RKP properties.
# set_prop is the only property write granted in this file: any domain that
# reads remote_prov_prop is trusting values that rkpdapp can set.
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
set_prop(rkpdapp, remote_prov_prop)

# Grant access to the normal services that are available to all apps
# ("find" only permits the service-manager lookup of app_api_service types.)
allow rkpdapp app_api_service:service_manager find;

# Grant access to media.metrics service, needed for widevine. This
# access is granted to all other apps already (e.g. untrusted_app_all).
# NOTE(review): only the lookup is granted here; no binder_call to the domain
# hosting the service is visible in this file -- presumably it comes from
# appdomain-wide rules; confirm.
allow rkpdapp mediametrics_service:service_manager find;

# Grant access to statsd
# Lookup of the stats manager service plus permission to make binder calls
# to the statsd domain.
allow rkpdapp statsmanager_service:service_manager find;
binder_call(rkpdapp, statsd)