diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 54edb40b8d8e0a2bb73a1058abf615ebcd482f12..3cf086b0525559c9e9001824669a8578f7f9e813 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -104,6 +104,9 @@
 lowpan_device
 lowpan_prop
 lowpan_service
+ mediaswcodec
+ mediaswcodec_exec
+ mediaswcodec_tmpfs
 mediaextractor_update_service
 mediaprovider_tmpfs
 metadata_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 1df6a0e5219532355fd3b7c89f22339c4c67aa57..3fccdf32f256a4051fe666a43c327e4ce58d7f38 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -95,6 +95,9 @@
 lowpan_prop
 lowpan_service
 mediaextractor_update_service
+ mediaswcodec
+ mediaswcodec_exec
+ mediaswcodec_tmpfs
 metadata_file
 mnt_product_file
 mnt_vendor_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index e02421d90f26db86eb2e3249bb26284e3c652715..3404dd5e637680f975fa4022629a546fdbd329cb 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -36,6 +36,9 @@
 iorapd_data_file
 iorapd_service
 iorapd_tmpfs
+ mediaswcodec
+ mediaswcodec_exec
+ mediaswcodec_tmpfs
 mnt_product_file
 overlayfs_file
 recovery_socket
diff --git a/private/file_contexts b/private/file_contexts
index 3b852136f02151e82ab2ad9a27171649c380aa23..a70f61bcb0e2a2f9ed51dfbaebbeccc90c8b3686 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -229,6 +229,7 @@
 /system/bin/mediametrics u:object_r:mediametrics_exec:s0
 /system/bin/cameraserver u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
+/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
 /system/bin/mdnsd u:object_r:mdnsd_exec:s0
 /system/bin/installd u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
diff --git a/private/mediaswcodec.te b/private/mediaswcodec.te
new file mode 100644
index 0000000000000000000000000000000000000000..50f569875184611993d11bf62958f91a3d56da94
--- /dev/null
+++ b/private/mediaswcodec.te
@@ -0,0 +1,4 @@
+typeattribute mediaswcodec coredomain;
+
+init_daemon_domain(mediaswcodec)
+
diff --git a/public/attributes b/public/attributes
index 79cc20d09c85c8c6ed166527ab48cb44cf030406..f56919a8b51689d3447559f065e8515b7b795907 100644
--- a/public/attributes
+++ b/public/attributes
@@ -302,3 +302,4 @@ hal_attribute(wifi_supplicant);
 attribute display_service_server;
 attribute wifi_keystore_service_server;
+attribute mediaswcodec_server;
diff --git a/public/domain.te b/public/domain.te
index 244e08948e24c4961a91d2cbbb3e274f139a8c44..0f17fab1355910ce6f6d252afb303fc3e51a0270 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1197,6 +1197,7 @@ neverallow { # Processes that can't exec crash_dump
 -hal_omx_server
+ -mediaswcodec_server
 -mediaextractor
 } tombstoned_crash_socket:unix_stream_socket connectto;
@@ -1551,3 +1552,10 @@ full_treble_only(`
 -incidentd
 } sysfs_batteryinfo:file { open read };
 ')
+
+neverallow {
+ domain
+ -mediaswcodec_server
+ -hal_omx_server
+} hal_codec2_hwservice:hwservice_manager add;
+
diff --git a/public/hal_omx.te b/public/hal_omx.te
index a477875b2131e3b9326363a3d92efcc5bfbdbc9d..656b03ac8a168f537010c0558491bf39662287e5 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
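Review bot: The new `neverallow { domain -mediaswcodec_server -hal_omx_server } hal_codec2_hwservice:hwservice_manager add;` block at the end of domain.te carries no comment, whereas the set in the first domain.te hunk is annotated (`# Processes that can't exec crash_dump`), so a reader cannot tell why this restriction lives here instead of coming from hal_attribute_hwservice() as hal_omx_hwservice's does in hal_omx.te. Suggest a comment above it: `# hal_codec2_hwservice is registered by two server attributes (hal_omx_server and mediaswcodec_server), so the single-server restriction that hal_attribute_hwservice() would have given it is written out here instead.` As far as this diff shows, this block is the only rule keeping hal_codec2_hwservice registration with those two attributes, so it has to be updated together with the allow rules in hal_omx.te and swcodec_service_server.te if either side changes. The first hunk's `-mediaswcodec_server` exemption from the tombstoned_crash_socket neverallow pairs with `crash_dump_fallback(mediaswcodec_server)` in swcodec_service_server.te and looks consistent.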
@@ -2,18 +2,12 @@
 # since OMX must always be in its own process.
-# can route /dev/binder traffic to /dev/vndbinder
-vndbinder_use(hal_omx_server)
-
 binder_call(hal_omx_server, binderservicedomain)
 binder_call(hal_omx_server, { appdomain -isolated_app })
 # Allow hal_omx_server access to composer sync fences
 allow hal_omx_server hal_graphics_composer:fd use;
-allow hal_omx_server gpu_device:chr_file rw_file_perms;
-allow hal_omx_server video_device:chr_file rw_file_perms;
-allow hal_omx_server video_device:dir search;
 allow hal_omx_server ion_device:chr_file rw_file_perms;
 allow hal_omx_server hal_camera:fd use;
@@ -26,7 +20,9 @@ crash_dump_fallback(hal_omx_server)
 allow hal_omx_server bufferhubd:fd use;
 hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
-hal_attribute_hwservice(hal_omx, hal_codec2_hwservice)
+
+allow hal_omx_client hal_codec2_hwservice:hwservice_manager find;
+allow hal_omx_server hal_codec2_hwservice:hwservice_manager { add find };
 allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
new file mode 100644
index 0000000000000000000000000000000000000000..1b1097be9fa22377373a4bbeffc733a4aa731ff1
--- /dev/null
+++ b/public/mediaswcodec.te
@@ -0,0 +1,9 @@
+type mediaswcodec, domain;
+type mediaswcodec_exec, system_file_type, exec_type, file_type;
+
+typeattribute mediaswcodec halserverdomain;
+typeattribute mediaswcodec mediaswcodec_server;
+
+hal_client_domain(mediaswcodec, hal_allocator)
+hal_client_domain(mediaswcodec, hal_graphics_allocator)
+
diff --git a/public/swcodec_service_server.te b/public/swcodec_service_server.te
new file mode 100644
index 0000000000000000000000000000000000000000..f20d9904cb20349df53824c25547384d3129433d
--- /dev/null
+++ b/public/swcodec_service_server.te
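Review bot: In the second hal_omx.te hunk, the two explicit allow rules that replace `hal_attribute_hwservice(hal_omx, hal_codec2_hwservice)` have no comment, so nothing explains why hal_codec2_hwservice is handled differently from hal_omx_hwservice on the line directly above. Suggest, ahead of the two new allow lines: `# Not hal_attribute_hwservice(): hal_codec2_hwservice is also served by mediaswcodec_server, so the add-restriction is a shared neverallow in domain.te.` The first hunk, which removes the vndbinder, gpu_device and video_device rules from the hal_omx_server attribute, is the right direction since every domain carrying that attribute inherited them; the vendor/mediacodec.te hunk appears to re-add them on the mediacodec domain only.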
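Review bot: The new public/mediaswcodec.te declares the type and gives it both the halserverdomain and mediaswcodec_server attributes, but neither it nor the four-line private/mediaswcodec.te (coredomain, init_daemon_domain) has a header comment saying what the process is or where its rules live. Suggest a header in the public file along the lines of `# mediaswcodec: coredomain daemon that hosts hal_codec2_hwservice alongside hal_omx_server; its permissions and neverallows are kept on the mediaswcodec_server attribute in swcodec_service_server.te` — the "software codec" reading of the name is an inference from the name only, so word the comment to match the daemon's actual role.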
@@ -0,0 +1,40 @@
+# Add hal_codec2_hwservice to mediaswcodec_server
+allow mediaswcodec_server hal_codec2_hwservice:hwservice_manager { add find };
+allow mediaswcodec_server hidl_base_hwservice:hwservice_manager add;
+
+# Allow mediaswcodec_server access to composer sync fences
+allow mediaswcodec_server hal_graphics_composer:fd use;
+
+allow mediaswcodec_server ion_device:chr_file r_file_perms;
+allow mediaswcodec_server hal_camera:fd use;
+
+crash_dump_fallback(mediaswcodec_server)
+
+# Recieve gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never
+# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
+# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
+# via PDX. Thus, there is no need to use pdx_client macro.
+allow mediaswcodec_server bufferhubd:fd use;
+
+binder_call(mediaswcodec_server, hal_omx_client)
+binder_call(hal_omx_client, mediaswcodec_server)
+
+###
+### neverallow rules
+###
+
+# mediaswcodec_server should never execute any executable without a
+# domain transition
+neverallow mediaswcodec_server { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver/codec split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaswcodec_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index a235145ccf42b8eb10df7f148ef6d4567d4526b9..29e1a90154506d8070efaf38556a34b292deb388 100644
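Review bot: The bufferhubd comment in this new file was carried over from hal_omx.te and still says the VR app "talks to hal_omx_server via Binder", although every rule in this file is about mediaswcodec_server; the same paragraph also has the typo "Recieve". Suggest `# Receive gralloc buffer FDs from bufferhubd. Note that mediaswcodec_server never` and `# between those two: it talks to mediaswcodec_server via Binder and talks to bufferhubd`, assuming the bridging description still holds for the new server. A style point: the file is named swcodec_service_server.te while it targets the mediaswcodec_server attribute declared in public/attributes, so either aligning the file name with the attribute or naming the attribute in a header comment would make the policy easier to locate. Writing the neverallow rules against the attribute rather than the mediaswcodec domain is the right choice, since any domain later given mediaswcodec_server inherits the restrictions along with the allows.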
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -12,8 +12,15 @@ not_full_treble(`
 allow mediacodec surfaceflinger_service:service_manager find;
 ')
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec)
+
 hal_server_domain(mediacodec, hal_omx)
 hal_client_domain(mediacodec, hal_allocator)
-hal_client_domain(mediacodec, hal_cas)
 hal_client_domain(mediacodec, hal_graphics_allocator)
+
+allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
+allow mediacodec video_device:dir search;
+
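Review bot: The three device rules added at the end (`allow mediacodec gpu_device:chr_file rw_file_perms;` and the two video_device lines) have no comment, unlike the vndbinder_use line above them, and since the first hal_omx.te hunk removes the same rules from the hal_omx_server attribute a reader should be told this is a move rather than new access. Suggest above the block: `# Hardware codec device access is granted to the mediacodec domain itself, not to the hal_omx_server attribute, so other domains carrying that attribute do not inherit it.` The removal of `hal_client_domain(mediacodec, hal_cas)` is also uncommented and is not obviously part of the codec2 split as shown here, so it is worth confirming that it is intentional and covered by the commit message.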