Put in sepolicies for Codec2.0 services
Test: Builds
Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
(cherry picked from commit 4be28894772bccf5604fd36a75d07bb64e826c88)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ca18c03..819408a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -173,10 +173,12 @@
# by surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
# Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
neverallow all_untrusted_apps {
hwservice_manager_type
-same_process_hwservice
-coredomain_hwservice
+ -hal_codec2_hwservice
-hal_configstore_ISurfaceFlingerConfigs
-hal_graphics_allocator_hwservice
-hal_omx_hwservice
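Review bot: The added comment for `hal_codec2_hwservice` justifies the exemption only by lineage ("a newer version of hal_omx_hwservice"), not by the property that makes it acceptable for untrusted apps to reach this HAL. Because the `-hal_codec2_hwservice` entry removes the service from the assertion that keeps all_untrusted_apps away from HwBinder services, the comment should record the security assumption, for example `# - hal_codec2_hwservice: successor to hal_omx_hwservice; reachable by apps, so the service must treat every caller and buffer as untrusted.` The exemption grants nothing by itself, and no allow rule for an app domain is visible in this diff, so that rule is presumably added elsewhere and is worth reviewing together with this line. The neverallow statement continues past the end of the hunk.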
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index d4de3b9..0cd9d0e 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -47,6 +47,7 @@
hal_authsecret_hwservice
hal_broadcastradio_hwservice
hal_cas_hwservice
+ hal_codec2_hwservice
hal_confirmationui_hwservice
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index fc00e95..a375dc8 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -42,6 +42,7 @@
fingerprint_vendor_data_file
fs_bpf
hal_authsecret_hwservice
+ hal_codec2_hwservice
hal_confirmationui_hwservice
hal_lowpan_hwservice
hal_secure_element_hwservice
diff --git a/private/mediaserver.te b/private/mediaserver.te
index a9b85be..a5fa9e1 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -7,4 +7,5 @@
# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
# of OMX HAL.
+allow mediaserver hal_codec2_hwservice:hwservice_manager find;
allow mediaserver hal_omx_hwservice:hwservice_manager find;
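Review bot: The new `allow mediaserver hal_codec2_hwservice:hwservice_manager find;` is inserted between the TODO(b/36375899) comment and the OMX rule that comment describes, so the TODO now reads as if it also covered the Codec2 rule, although its text mentions only the OMX HAL. Placing the new line after the `hal_omx_hwservice` rule, or giving it its own comment such as `# Codec2 HAL: direct find grant until a client attribute exists for it.`, keeps the intent of each rule traceable. The same hand-written `find` grant is added for system_server in private/system_server.te, in the middle of a list of `hal_client_domain(...)` calls. Both look like stopgaps and should carry a tracking note so they are later replaced by the attribute-based form rather than left as one-off grants.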
diff --git a/private/system_server.te b/private/system_server.te
index 72d408a..48ec634 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -199,6 +199,7 @@
hal_client_domain(system_server, hal_memtrack)
hal_client_domain(system_server, hal_neuralnetworks)
hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_codec2_hwservice:hwservice_manager find;
allow system_server hal_omx_hwservice:hwservice_manager find;
allow system_server hidl_token_hwservice:hwservice_manager find;
hal_client_domain(system_server, hal_power)