Put in sepolicies for Codec2.0 services
Test: Builds
Bug: 64121714
Bug: 31973802
Change-Id: Id37be8726a8bb297e35bca494964fdbcc48c6a73
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c9e5c80..5e27384 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -165,10 +165,12 @@
# by surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
# Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
neverallow all_untrusted_apps {
hwservice_manager_type
-same_process_hwservice
-coredomain_hwservice
+ -hal_codec2_hwservice
-hal_configstore_ISurfaceFlingerConfigs
-hal_graphics_allocator_hwservice
-hal_omx_hwservice
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ef8e266..83c8218 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -43,6 +43,7 @@
hal_authsecret_hwservice
hal_broadcastradio_hwservice
hal_cas_hwservice
+ hal_codec2_hwservice
hal_confirmationui_hwservice
hal_lowpan_hwservice
hal_neuralnetworks_hwservice
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 5dd0f16..33777e2 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -37,6 +37,7 @@
fingerprint_vendor_data_file
fs_bpf
hal_authsecret_hwservice
+ hal_codec2_hwservice
hal_confirmationui_hwservice
hal_lowpan_hwservice
hal_secure_element_hwservice
diff --git a/private/mediaserver.te b/private/mediaserver.te
index a9b85be..a5fa9e1 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -7,4 +7,5 @@
# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
# of OMX HAL.
+allow mediaserver hal_codec2_hwservice:hwservice_manager find;
allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/private/system_server.te b/private/system_server.te
index 0c9067d..152ea6b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -195,6 +195,7 @@
hal_client_domain(system_server, hal_memtrack)
hal_client_domain(system_server, hal_neuralnetworks)
hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_codec2_hwservice:hwservice_manager find;
allow system_server hal_omx_hwservice:hwservice_manager find;
allow system_server hidl_token_hwservice:hwservice_manager find;
hal_client_domain(system_server, hal_power)