diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index b050e52abebdb484b59b41292829d022748ce496..a05baa005d2f5e4fb18f23fc1890c96c8b4c81eb 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -154,6 +154,7 @@ neverallow all_untrusted_apps {
   # HwBinder version of mediacodec Binder service which apps were permitted to
   # access
   -hal_omx_hwservice
+  -hal_cas_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to vendor components)
 # are considered somewhat safer due to point #2 above.
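Review bot: The new `-hal_cas_hwservice` exemption sits directly under the comment that describes `hal_omx_hwservice` ("HwBinder version of mediacodec Binder service"), so that rationale now reads as if it covered the Cas HAL too. It deserves its own line, e.g. `# HwBinder version of the media.cas Binder service which apps were permitted to access`, so the exception can be audited later. The same gap applies to `-hal_cas_server` in the `full_treble_only` hunk that follows, which exempts the vendor-side server as a target of `binder { call transfer }` with no stated reason. Both neverallow blocks start outside their hunks, so the full source sets are not visible here.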
@@ -178,6 +179,7 @@ full_treble_only(`
     -coredomain
     -hal_configstore_server
     -hal_graphics_allocator_server
+    -hal_cas_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   }:binder { call transfer };
 ')
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index d664a5027ff50d2ef1d7e17c2ae354327343b605..de5c53c479963b0066d01382e7ad3d8420bf2067 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -27,7 +27,6 @@ allow ephemeral_app mediaextractor_service:service_manager find;
 allow ephemeral_app mediacodec_service:service_manager find;
 allow ephemeral_app mediametrics_service:service_manager find;
 allow ephemeral_app mediadrmserver_service:service_manager find;
-allow ephemeral_app mediacasserver_service:service_manager find;
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 397a3b165edd4abe50e6263714d46916e0bcdeda..702795d8b20700538931610999d64f4625671443 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -10,6 +10,7 @@ android.hardware.broadcastradio::IBroadcastRadioFactory         u:object_r:hal_a
 android.hardware.camera.provider::ICameraProvider               u:object_r:hal_camera_hwservice:s0
 android.hardware.configstore::ISurfaceFlingerConfigs            u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
 android.hardware.contexthub::IContexthub                        u:object_r:hal_contexthub_hwservice:s0
+android.hardware.cas::IMediaCasService                          u:object_r:hal_cas_hwservice:s0
 android.hardware.drm::ICryptoFactory                            u:object_r:hal_drm_hwservice:s0
 android.hardware.drm::IDrmFactory                               u:object_r:hal_drm_hwservice:s0
 android.hardware.dumpstate::IDumpstateDevice                    u:object_r:hal_dumpstate_hwservice:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index fd4634a30aa132da435fd15f876231fbe78330c3..d1168934bd2f1771b20a36ee7e2af8f6cc573a58 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -46,7 +46,6 @@ allow platform_app mediametrics_service:service_manager find;
 allow platform_app mediaextractor_service:service_manager find;
 allow platform_app mediacodec_service:service_manager find;
 allow platform_app mediadrmserver_service:service_manager find;
-allow platform_app mediacasserver_service:service_manager find;
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index 654264a457fda2225353b803be58077295f00401..14ef07d16d26426b6441c4887255103162019164 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -27,7 +27,6 @@ allow priv_app drmserver_service:service_manager find;
 allow priv_app mediacodec_service:service_manager find;
 allow priv_app mediametrics_service:service_manager find;
 allow priv_app mediadrmserver_service:service_manager find;
-allow priv_app mediacasserver_service:service_manager find;
 allow priv_app mediaextractor_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
 allow priv_app nfc_service:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index dc77cb9c32237fa454056031dfde8124050525c0..1eac338d8a0a3e60d67057079d6815cdab1e9635 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -89,7 +89,6 @@ media.resource_manager                    u:object_r:mediaserver_service:s0
 media.radio                               u:object_r:audioserver_service:s0
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
 media.drm                                 u:object_r:mediadrmserver_service:s0
-media.cas                                 u:object_r:mediacasserver_service:s0
 media_projection                          u:object_r:media_projection_service:s0
 media_resource_monitor                    u:object_r:media_session_service:s0
 media_router                              u:object_r:media_router_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 99dc66314f2310ef033cbc31fc4948f122e972d3..dd19ff80bbfd323f3e0b58aa99e2f545916b2c35 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -554,7 +554,6 @@ allow system_server mediametrics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediacodec_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;
-allow system_server mediacasserver_service:service_manager find;
 allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index ccbae108881effbbdae7a1291a0064c5d3e26f92..974f32831fe3a6ed6ff13cd5b10a2c656359c18f 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -22,6 +22,11 @@
 ;     typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
 (typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
 
+; Apps, except isolated apps, are clients of Cas HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_cas_client;
+(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
+
 ; Domains hosting Camera HAL implementations are clients of Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute hal_camera hal_allocator_client;
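Review bot: The comment on the new `typeattributeset hal_cas_client` says only that apps are clients of the Cas HAL, not why every non-isolated app domain needs to be one. The set `(and (appdomain) (not (isolated_app)))` covers untrusted and ephemeral apps as well. Because public/hal_cas.te pairs it with `binder_call(hal_cas_server, hal_cas_client)`, the vendor HAL process may also call back into each of those apps. I would extend the comment to record the reason and the trust boundary, e.g. `; Apps reach the Cas HAL directly over HwBinder now that the media.cas Binder service is gone (confirm); the HAL must treat all client input as untrusted`.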
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index fc80129a76b558946c46f995720ac4428573e51d..6218b0bb70347233df6a9324408eb3bb3f7c21c6 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -70,7 +70,6 @@ allow untrusted_app_all mediaextractor_service:service_manager find;
 allow untrusted_app_all mediacodec_service:service_manager find;
 allow untrusted_app_all mediametrics_service:service_manager find;
 allow untrusted_app_all mediadrmserver_service:service_manager find;
-allow untrusted_app_all mediacasserver_service:service_manager find;
 allow untrusted_app_all nfc_service:service_manager find;
 allow untrusted_app_all radio_service:service_manager find;
 allow untrusted_app_all surfaceflinger_service:service_manager find;
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
index ef628414d746f2b5a2997fb76c40c2f9e8e5d7fb..7ed3881882d65afa672b62ae6acba571f2e0b45e 100644
--- a/private/untrusted_v2_app.te
+++ b/private/untrusted_v2_app.te
@@ -32,7 +32,6 @@ allow untrusted_v2_app mediaextractor_service:service_manager find;
 allow untrusted_v2_app mediacodec_service:service_manager find;
 allow untrusted_v2_app mediametrics_service:service_manager find;
 allow untrusted_v2_app mediadrmserver_service:service_manager find;
-allow untrusted_v2_app mediacasserver_service:service_manager find;
 allow untrusted_v2_app nfc_service:service_manager find;
 allow untrusted_v2_app radio_service:service_manager find;
 allow untrusted_v2_app surfaceflinger_service:service_manager find;
diff --git a/public/attributes b/public/attributes
index 268f1386bb357084a46360ad2b330af5181c9c58..aefc9c24229533ba60170892c03a232b13c9d95c 100644
--- a/public/attributes
+++ b/public/attributes
@@ -212,6 +212,12 @@ attribute hal_drm_client;
 expandattribute hal_drm_client true;
 attribute hal_drm_server;
 expandattribute hal_drm_server true;
+attribute hal_cas;
+expandattribute hal_cas true;
+attribute hal_cas_client;
+expandattribute hal_cas_client true;
+attribute hal_cas_server;
+expandattribute hal_cas_server true;
 attribute hal_dumpstate;
 expandattribute hal_dumpstate true;
 attribute hal_dumpstate_client;
diff --git a/public/domain.te b/public/domain.te
index 6b59d6a52681e9898987a6fa459f6d7257957d28..0c474b85dce4af5f51bb40e9eca2eb2108709e9e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -457,6 +457,7 @@ neverallow {
   -adbd
   -dumpstate
   -hal_drm
+  -hal_cas
   -init
   -mediadrmserver
   -recovery
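Review bot: `-hal_cas` exempts the whole `hal_cas` attribute from this neverallow rather than only the server domain, and nothing in the hunk says why. The rule's target is outside the hunk; judging by `get_prop(hal_cas, serialno_prop)` in public/hal_cas.te it is presumably the serial-number property restriction. Every domain that ends up carrying `hal_cas`, not just `hal_cas_default`, would then be allowed to read a device identifier. A comment such as `# hal_cas reads serialno_prop, see public/hal_cas.te` next to the entry would help, and keeping the list alphabetical (`-hal_cas` before `-hal_drm`) would make it easier to find.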
@@ -543,7 +544,6 @@ full_treble_only(`
     -cameraserver_service
     -drmserver_service
     -keystore_service
-    -mediacasserver_service
     -mediadrmserver_service
     -mediaextractor_service
     -mediametrics_service
diff --git a/public/hal_cas.te b/public/hal_cas.te
new file mode 100644
index 0000000000000000000000000000000000000000..fd5d63bb4832e705082ae691aa373cc3ecd3cfd4
--- /dev/null
+++ b/public/hal_cas.te
@@ -0,0 +1,37 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_cas_client, hal_cas_server)
+binder_call(hal_cas_server, hal_cas_client)
+
+add_hwservice(hal_cas_server, hal_cas_hwservice)
+allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
+allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_cas, serialno_prop)
+
+# Read files already opened under /data
+allow hal_cas system_data_file:dir { search getattr };
+allow hal_cas system_data_file:file { getattr read };
+allow hal_cas system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems
+r_dir_file(hal_cas, cgroup)
+allow hal_cas cgroup:dir { search write };
+allow hal_cas cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_cas ion_device:chr_file rw_file_perms;
+allow hal_cas hal_graphics_allocator:fd use;
+
+allow hal_cas tee_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# hal_cas should never execute any executable without a
+# domain transition
+neverallow hal_cas { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
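Review bot: `allow hal_cas tee_device:chr_file rw_file_perms;` is the only allow rule in this new file without a comment, and it is the most sensitive one. The HAL is reachable from untrusted apps (see the `-hal_cas_hwservice` exemption in private/app_neverallows.te), and this rule gives it read/write access to the TEE device node. Please state the reason, e.g. `# Allow access to the TEE device (needed by TEE-backed Cas plugins; confirm)`, or move the rule to device-specific policy if the default implementation does not need it. Separately, the heading `# Read access to pseudo filesystems` is followed by `cgroup:dir { search write }` and `cgroup:file w_file_perms`, so it should say read and write access.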
diff --git a/public/hwservice.te b/public/hwservice.te
index c3f30771b2086f7acc731dad688b3880fc18640d..7b6906832959c32cf9dee74eae78c460476bd1fe 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -9,6 +9,7 @@ type hal_camera_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
 type hal_contexthub_hwservice, hwservice_manager_type;
 type hal_drm_hwservice, hwservice_manager_type;
+type hal_cas_hwservice, hwservice_manager_type;
 type hal_dumpstate_hwservice, hwservice_manager_type;
 type hal_fingerprint_hwservice, hwservice_manager_type;
 type hal_gatekeeper_hwservice, hwservice_manager_type;
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 5ca41fcf11719b2812a70d775ce1b7b1cec3547d..bcccbb81ac0255c4e086e109e4b74d687259b357 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -37,6 +37,8 @@ add_hwservice(mediacodec, hal_omx_hwservice)
 
 hal_client_domain(mediacodec, hal_allocator)
 
+hal_client_domain(mediacodec, hal_cas)
+
 # allocate and use graphic buffers
 hal_client_domain(mediacodec, hal_graphics_allocator)
 
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index cef81212abb52691f8e5f7b3f4c835e593346448..123cb29a5c8a164afbe7aeef00d4b982141c8589 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -18,8 +18,6 @@ allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
 allow mediadrmserver system_file:dir r_dir_perms;
 
-add_service(mediadrmserver, mediacasserver_service)
-
 binder_call(mediadrmserver, mediacodec)
 ###
 ### neverallow rules
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 94824b75e8fa8a063d84e533cf0cc4b2100d96bd..05e65bf94aa4fd6e71db26a64a01017c0f27b6c3 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -11,10 +11,12 @@ binder_service(mediaextractor)
 
 add_service(mediaextractor, mediaextractor_service)
 allow mediaextractor mediametrics_service:service_manager find;
-allow mediaextractor mediacasserver_service:service_manager find;
+allow mediaextractor hidl_token_hwservice:hwservice_manager find;
 
 allow mediaextractor system_server:fd use;
 
+hal_client_domain(mediaextractor, hal_cas)
+
 r_dir_file(mediaextractor, cgroup)
 allow mediaextractor proc_meminfo:file r_file_perms;
 
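Review bot: `allow mediaextractor hidl_token_hwservice:hwservice_manager find;` is added with no comment, and it is not obvious from the hunk why the extractor domain needs the HIDL token service. `hal_client_domain(mediaextractor, hal_cas)` likewise carries no rationale, and neither does `hal_client_domain(mediacodec, hal_cas)` in public/mediacodec.te. The macro's definition is not on this page. If it associates the client with the HAL attribute itself on non-full-Treble builds, both domains would pick up everything public/hal_cas.te grants to `hal_cas`, including `tee_device` and `serialno_prop`, which should be confirmed against the extractor's sandbox expectations. A short comment above each line saying what the domain does with the Cas HAL would make these grants auditable.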
diff --git a/public/service.te b/public/service.te
index ee3ffe5febc463fba6294482ca97a3d77e40226b..0a67011d4eb68c11d558cd855c9517b281fb5d6e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -18,7 +18,6 @@ type mediametrics_service,      service_manager_type;
 type mediaextractor_service,    service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
-type mediacasserver_service,    service_manager_type;
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index fbaa7e408d1b8cf71a0ca3747fc9fd7391124c44..da5cbf58142c50020ddced6658bb16e97a506066 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -9,6 +9,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service            u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service            u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.0-service           u:object_r:hal_gnss_default_exec:s0
diff --git a/vendor/hal_cas_default.te b/vendor/hal_cas_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..c7a858c5dcb1ff6c3f3963e46244abf5b2f6ec67
--- /dev/null
+++ b/vendor/hal_cas_default.te
@@ -0,0 +1,6 @@
+type hal_cas_default, domain;
+hal_server_domain(hal_cas_default, hal_cas)
+
+type hal_cas_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_cas_default)
+