diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 782bb468d..4a7a9bb8d 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -85,3 +85,5 @@
 neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms;
 neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
 neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
+
+neverallow sdk_sandbox hal_drm_service:service_manager find;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 4c746fbd9..fcd4fe793 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -20,9 +20,9 @@
 ; Unfortunately, we can't currently express this in module policy language:
 (typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
-; Apps, except isolated apps, are clients of Drm-related services
+; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
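Review bot: The new `neverallow sdk_sandbox hal_drm_service:service_manager find;` at the end of the sdk_sandbox.te hunk only asserts the AIDL servicemanager lookup; if the HIDL DRM HAL is still registered on this branch, the corresponding hwservicemanager lookup stays unconstrained, and a parallel `neverallow sdk_sandbox hal_drm_hwservice:hwservice_manager find;` beside it would close that gap (confirm `hal_drm_hwservice` is still declared in this tree before adding it). Because neverallow is a compile-time assertion, this line only builds if no allow rule grants the permission, which here depends on sdk_sandbox being dropped from hal_drm_client in private/technical_debt.cil; a comment above the rule should record that coupling, e.g. `# Requires sdk_sandbox to stay excluded from hal_drm_client (private/technical_debt.cil).`. Style-wise, the context line directly above wraps the source type as `{ sdk_sandbox }` while the new line does not; either form is valid, but the file would read better with one of them used consistently.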
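Review bot: The rewritten comment on the `+; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services` line says what the attribute set now excludes but not why, and nothing points at the neverallow in private/sdk_sandbox.te that this exclusion exists to satisfy, so someone later widening the set back has no hint that it will break the policy build. I would extend the comment with a second line such as `; sdk_sandbox is excluded so that the neverallow on hal_drm_service:service_manager find in private/sdk_sandbox.te holds; keep the two in sync.`. The nested `((not (or (isolated_app) (sdk_sandbox))))` form matches the surrounding codec2 and configstore expressions, so the expression style itself is consistent with the file.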