diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index b050e52ab..a05baa005 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -154,6 +154,7 @@ neverallow all_untrusted_apps {
 # HwBinder version of mediacodec Binder service which apps were permitted to
 # access
 -hal_omx_hwservice
+ -hal_cas_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to vendor components)
 # are considered somewhat safer due to point #2 above.
@@ -178,6 +179,7 @@ full_treble_only(`
 -coredomain
 -hal_configstore_server
 -hal_graphics_allocator_server
+ -hal_cas_server
 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
 }:binder { call transfer };
 ')
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index d664a5027..de5c53c47 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -27,7 +27,6 @@ allow ephemeral_app mediaextractor_service:service_manager find;
 allow ephemeral_app mediacodec_service:service_manager find;
 allow ephemeral_app mediametrics_service:service_manager find;
 allow ephemeral_app mediadrmserver_service:service_manager find;
-allow ephemeral_app mediacasserver_service:service_manager find;
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 397a3b165..702795d8b 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
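Review bot: The comment above the new `-hal_cas_hwservice` exclusion still reads `# HwBinder version of mediacodec Binder service which apps were permitted to` / `# access`, so a reader now has to infer that the CAS HwBinder service is also meant to be reachable by all_untrusted_apps (the matching `mediacasserver_service` find rules are removed from the app domains elsewhere in this commit). Reword it to cover both, e.g. `# HwBinder versions of the mediacodec and mediacas Binder services which apps` / `# were permitted to access`. The enclosing `neverallow all_untrusted_apps { ... }:hwservice_manager find;` block starts outside the hunk. It would also help to state here that this exclusion, together with the `hal_cas_client` grant to `{ appdomain -isolated_app }` in technical_debt.cil, is what lets untrusted apps reach a vendor HAL directly, since the `# HwBinder services offered by core components ... are considered somewhat safer` comment that follows implies vendor services are not normally exposed this way.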
@@ -10,6 +10,7 @@ android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_a
 android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
 android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
 android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
+android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
 android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
 android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
 android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index fd4634a30..d1168934b 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -46,7 +46,6 @@ allow platform_app mediametrics_service:service_manager find;
 allow platform_app mediaextractor_service:service_manager find;
 allow platform_app mediacodec_service:service_manager find;
 allow platform_app mediadrmserver_service:service_manager find;
-allow platform_app mediacasserver_service:service_manager find;
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index 654264a45..14ef07d16 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -27,7 +27,6 @@ allow priv_app drmserver_service:service_manager find;
 allow priv_app mediacodec_service:service_manager find;
 allow priv_app mediametrics_service:service_manager find;
 allow priv_app mediadrmserver_service:service_manager find;
-allow priv_app mediacasserver_service:service_manager find;
 allow priv_app mediaextractor_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
 allow priv_app nfc_service:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index dc77cb9c3..1eac338d8 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -89,7 +89,6 @@ media.resource_manager u:object_r:mediaserver_service:s0
 media.radio u:object_r:audioserver_service:s0
 media.sound_trigger_hw u:object_r:audioserver_service:s0
 media.drm u:object_r:mediadrmserver_service:s0
-media.cas u:object_r:mediacasserver_service:s0
 media_projection u:object_r:media_projection_service:s0
 media_resource_monitor u:object_r:media_session_service:s0
 media_router u:object_r:media_router_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 99dc66314..dd19ff80b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -554,7 +554,6 @@ allow system_server mediametrics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
 allow system_server mediacodec_service:service_manager find;
 allow system_server mediadrmserver_service:service_manager find;
-allow system_server mediacasserver_service:service_manager find;
 allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index ccbae1088..974f32831 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -22,6 +22,11 @@ ; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client; (typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app)))))) +; Apps, except isolated apps, are clients of Cas HAL +; Unfortunately, we can't currently express this in module policy language: +; typeattribute { appdomain -isolated_app } hal_cas_client; +(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app)))))) + ; Domains hosting Camera HAL implementations are clients of Allocator HAL ; Unfortunately, we can't currently express this in module policy language: ; typeattribute hal_camera hal_allocator_client;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index fc80129a7..6218b0bb7 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -70,7 +70,6 @@ allow untrusted_app_all mediaextractor_service:service_manager find;
 allow untrusted_app_all mediacodec_service:service_manager find;
 allow untrusted_app_all mediametrics_service:service_manager find;
 allow untrusted_app_all mediadrmserver_service:service_manager find;
-allow untrusted_app_all mediacasserver_service:service_manager find;
 allow untrusted_app_all nfc_service:service_manager find;
 allow untrusted_app_all radio_service:service_manager find;
 allow untrusted_app_all surfaceflinger_service:service_manager find;
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
index ef628414d..7ed388188 100644
--- a/private/untrusted_v2_app.te
+++ b/private/untrusted_v2_app.te
@@ -32,7 +32,6 @@ allow untrusted_v2_app mediaextractor_service:service_manager find;
 allow untrusted_v2_app mediacodec_service:service_manager find;
 allow untrusted_v2_app mediametrics_service:service_manager find;
 allow untrusted_v2_app mediadrmserver_service:service_manager find;
-allow untrusted_v2_app mediacasserver_service:service_manager find;
 allow untrusted_v2_app nfc_service:service_manager find;
 allow untrusted_v2_app radio_service:service_manager find;
 allow untrusted_v2_app surfaceflinger_service:service_manager find;
diff --git a/public/attributes b/public/attributes
index 268f1386b..aefc9c242 100644
--- a/public/attributes
+++ b/public/attributes
@@ -212,6 +212,12 @@ attribute hal_drm_client;
 expandattribute hal_drm_client true;
 attribute hal_drm_server;
 expandattribute hal_drm_server true;
+attribute hal_cas;
+expandattribute hal_cas true;
+attribute hal_cas_client;
+expandattribute hal_cas_client true;
+attribute hal_cas_server;
+expandattribute hal_cas_server true;
 attribute hal_dumpstate;
 expandattribute hal_dumpstate true;
 attribute hal_dumpstate_client;
diff --git a/public/domain.te b/public/domain.te
index 6b59d6a52..0c474b85d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -457,6 +457,7 @@ neverallow {
 -adbd
 -dumpstate
 -hal_drm
+ -hal_cas
 -init
 -mediadrmserver
 -recovery
@@ -543,7 +544,6 @@ full_treble_only(`
 -cameraserver_service
 -drmserver_service
 -keystore_service
- -mediacasserver_service
 -mediadrmserver_service
 -mediaextractor_service
 -mediametrics_service
diff --git a/public/hal_cas.te b/public/hal_cas.te
new file mode 100644
index 000000000..fd5d63bb4
--- /dev/null
+++ b/public/hal_cas.te
@@ -0,0 +1,37 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_cas_client, hal_cas_server)
+binder_call(hal_cas_server, hal_cas_client)
+
+add_hwservice(hal_cas_server, hal_cas_hwservice)
+allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
+allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_cas, serialno_prop)
+
+# Read files already opened under /data
+allow hal_cas system_data_file:dir { search getattr };
+allow hal_cas system_data_file:file { getattr read };
+allow hal_cas system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems
+r_dir_file(hal_cas, cgroup)
+allow hal_cas cgroup:dir { search write };
+allow hal_cas cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_cas ion_device:chr_file rw_file_perms;
+allow hal_cas hal_graphics_allocator:fd use;
+
+allow hal_cas tee_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# hal_cas should never execute any executable without a
+# domain transition
+neverallow hal_cas { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/hwservice.te b/public/hwservice.te
index c3f30771b..7b6906832 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -9,6 +9,7 @@ type hal_camera_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
 type hal_contexthub_hwservice, hwservice_manager_type;
 type hal_drm_hwservice, hwservice_manager_type;
+type hal_cas_hwservice, hwservice_manager_type;
 type hal_dumpstate_hwservice, hwservice_manager_type;
 type hal_fingerprint_hwservice, hwservice_manager_type;
 type hal_gatekeeper_hwservice, hwservice_manager_type;
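Review bot: The `# Read access to pseudo filesystems` comment is contradicted by the two rules directly under it, `allow hal_cas cgroup:dir { search write };` and `allow hal_cas cgroup:file w_file_perms;`, which grant writes; the `allow hal_cas tee_device:chr_file rw_file_perms;` rule a few lines down has no comment at all, and `allow hal_cas hal_graphics_allocator:fd use;` sits under the ion device comment. Reword the cgroup header to say what the writes are for, e.g. `# Read access to pseudo filesystems, plus cgroup writes (TODO: state what they are needed for)`, and give the TEE rule its own one-line comment. Note also that every rule in this file, including the serial number read and the TEE device access, is keyed on the `hal_cas` attribute rather than on `hal_cas_server`: any domain that acquires the attribute inherits them (here `hal_cas_default` via `hal_server_domain` in vendor/hal_cas_default.te, and possibly the client domains too, depending on how `hal_client_domain` expands on non-Treble builds), and the `-hal_cas` exemption added to the neverallow in domain.te widens in the same way.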
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 5ca41fcf1..bcccbb81a 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -37,6 +37,8 @@ add_hwservice(mediacodec, hal_omx_hwservice) hal_client_domain(mediacodec, hal_allocator) +hal_client_domain(mediacodec, hal_cas) + # allocate and use graphic buffers hal_client_domain(mediacodec, hal_graphics_allocator)
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index cef81212a..123cb29a5 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -18,8 +18,6 @@ allow mediadrmserver processinfo_service:service_manager find; allow mediadrmserver surfaceflinger_service:service_manager find; allow mediadrmserver system_file:dir r_dir_perms; -add_service(mediadrmserver, mediacasserver_service) - binder_call(mediadrmserver, mediacodec) ### ### neverallow rules
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 94824b75e..05e65bf94 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -11,10 +11,12 @@ binder_service(mediaextractor) add_service(mediaextractor, mediaextractor_service) allow mediaextractor mediametrics_service:service_manager find; -allow mediaextractor mediacasserver_service:service_manager find; +allow mediaextractor hidl_token_hwservice:hwservice_manager find; allow mediaextractor system_server:fd use; +hal_client_domain(mediaextractor, hal_cas) + r_dir_file(mediaextractor, cgroup) allow mediaextractor proc_meminfo:file r_file_perms;
diff --git a/public/service.te b/public/service.te
index ee3ffe5fe..0a67011d4 100644
--- a/public/service.te
+++ b/public/service.te
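Review bot: In the mediaextractor.te hunk, `allow mediaextractor hidl_token_hwservice:hwservice_manager find;` takes the place of the removed `mediacasserver_service` find with no comment, and nothing else in the commit mentions the token service, so its relation to the new `hal_client_domain(mediaextractor, hal_cas)` line cannot be recovered from the file. Add a one-line comment above it naming what mediaextractor resolves through hidl_token_hwservice and, if that is the reason, that it is part of the CAS path; a similar comment on `hal_client_domain(mediacodec, hal_cas)` in the mediacodec.te hunk would keep the two files consistent.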
@@ -18,7 +18,6 @@ type mediametrics_service, service_manager_type;
 type mediaextractor_service, service_manager_type;
 type mediacodec_service, service_manager_type;
 type mediadrmserver_service, service_manager_type;
-type mediacasserver_service, service_manager_type;
 type netd_service, service_manager_type;
 type nfc_service, service_manager_type;
 type radio_service, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index fbaa7e408..da5cbf581 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -9,6 +9,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0
diff --git a/vendor/hal_cas_default.te b/vendor/hal_cas_default.te
new file mode 100644
index 000000000..c7a858c5d
--- /dev/null
+++ b/vendor/hal_cas_default.te
@@ -0,0 +1,6 @@
+type hal_cas_default, domain;
+hal_server_domain(hal_cas_default, hal_cas)
+
+type hal_cas_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_cas_default)
+