Restrict sandbox access to drmservice Bug: 226390597 Test: atest SdkSandboxRestrictionsTest Change-Id: I49b55d66f1cdc1e8d65e3419460615822c3c3ef3

commit: 85dfe313e58d619c545a67f9b8093b2dca42e02f [log] [tgz]
author: Bram Bonne <brambonne@google.com> Wed Mar 23 17:48:48 2022 +0100
committer: Bram Bonne <brambonne@google.com> Thu Mar 24 14:09:46 2022 +0100
tree: 84ca6d4b3490c7149adc4012a3a0e089223fa638
parent: ee0b51e09900a73fbc89841f3dd7b3680dbfb7ed [diff] [blame]
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 4c746fb..fcd4fe7 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil

@@ -20,9 +20,9 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
 
-; Apps, except isolated apps, are clients of Drm-related services
+; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
 
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
commit	85dfe313e58d619c545a67f9b8093b2dca42e02f	[log] [tgz]
author	Bram Bonne <brambonne@google.com>	Wed Mar 23 17:48:48 2022 +0100
committer	Bram Bonne <brambonne@google.com>	Thu Mar 24 14:09:46 2022 +0100
tree	84ca6d4b3490c7149adc4012a3a0e089223fa638
parent	ee0b51e09900a73fbc89841f3dd7b3680dbfb7ed [diff] [blame]