prebuilts/api/202404/private/rkpd_app.te - LeafOS-Project/android_system_sepolicy - Gitiles

 ###
 ### A domain for sandboxing the remote key provisioning daemon
 ### app that is shipped via mainline.
 ###
 typeattribute rkpdapp coredomain;

 app_domain(rkpdapp)
 net_domain(rkpdapp)

 # RKPD needs to be able to call the remote provisioning HALs
 hal_client_domain(rkpdapp, hal_keymint)
 hal_client_domain(rkpdapp, hal_remotelyprovisionedcomponent_avf)

 # Grant access to certain system properties related to RKP
 get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
 set_prop(rkpdapp, remote_prov_prop)

 # Grant access to the normal services that are available to all apps
 allow rkpdapp app_api_service:service_manager find;

 # Grant access to media.metrics service, needed for widevine. This
 # access is granted to all other apps already (e.g. untrusted_app_all).
 allow rkpdapp mediametrics_service:service_manager find;

 # Grant access to statsd
 allow rkpdapp statsmanager_service:service_manager find;
 binder_call(rkpdapp, statsd)
	###
	### A domain for sandboxing the remote key provisioning daemon
	### app that is shipped via mainline.
	###
	typeattribute rkpdapp coredomain;

	app_domain(rkpdapp)
	net_domain(rkpdapp)

	# RKPD needs to be able to call the remote provisioning HALs
	hal_client_domain(rkpdapp, hal_keymint)
	hal_client_domain(rkpdapp, hal_remotelyprovisionedcomponent_avf)

	# Grant access to certain system properties related to RKP
	get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
	set_prop(rkpdapp, remote_prov_prop)

	# Grant access to the normal services that are available to all apps
	allow rkpdapp app_api_service:service_manager find;

	# Grant access to media.metrics service, needed for widevine. This
	# access is granted to all other apps already (e.g. untrusted_app_all).
	allow rkpdapp mediametrics_service:service_manager find;

	# Grant access to statsd
	allow rkpdapp statsmanager_service:service_manager find;
	binder_call(rkpdapp, statsd)