C2 AIDL sepolicy update
Bug: 251850069
Test: presubmit
Change-Id: Ica39920472de154aa01b8e270297553aedda6782
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index a379bb3..f05e00a 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -7,6 +7,7 @@
binder_call(hal_codec2_server, hal_codec2_client)
hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
+hal_attribute_service(hal_codec2, hal_codec2_service)
# The following permissions are added to hal_codec2_server because vendor and
# vndk libraries provided for Codec2 implementation need them.
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index edbab03..b3b26c1 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -21,7 +21,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaswcodec domain:{ udp_socket rawip_socket } *;
+neverallow mediaswcodec { domain userdebug_or_eng(`-su') }:tcp_socket *;
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/public/service.te b/public/service.te
index d2e6ca3..8cc5acc 100644
--- a/public/service.te
+++ b/public/service.te
@@ -285,6 +285,7 @@
type hal_camera_service, protected_service, hal_service_type, service_manager_type;
type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
type hal_cas_service, hal_service_type, service_manager_type;
+type hal_codec2_service, hal_service_type, service_manager_type, isolated_compute_allowed_service;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
type hal_drm_service, hal_service_type, service_manager_type;