diff --git a/dumpstate.te b/dumpstate.te
index 963f8cde3d7f50314f5aeec8833e901c7f01aa22..7fe78e32e4acc1e041537b8a21dbd687359bf1d0 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,9 +48,9 @@ allow dumpstate { appdomain system_server }:process signal;
 
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
+allow dumpstate { drmserver mediaserver mediaextractor sdcardd surfaceflinger }:process signal;
 # Ask debuggerd for the backtraces of these processes.
-allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
+allow dumpstate { drmserver mediaserver mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
 
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)
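Review bot: The comment above the changed rules says the signal list is derived from native_processes_to_dump in dumpstate/utils.c, and the two allow rules now include mediaextractor; that C array is not part of this change, so the two lists diverge unless it was updated in a companion commit. If the C side lacks mediaextractor the new policy is dead, and if it is added later without a policy change it surfaces as denials, so the commit description should reference the utils.c change or the comment should note the pairing explicitly, e.g. `# Keep in sync with native_processes_to_dump in dumpstate/utils.c (both directions).`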
diff --git a/file_contexts b/file_contexts
index 6b7f8519249e120d8981a4170425dcb1e27e9f21..b86feba666a1ac61093a15336e1200a2fd0f1609 100644
--- a/file_contexts
+++ b/file_contexts
@@ -163,6 +163,7 @@
 /system/bin/netd	u:object_r:netd_exec:s0
 /system/bin/rild	u:object_r:rild_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
+/system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
diff --git a/mediaextractor.te b/mediaextractor.te
new file mode 100644
index 0000000000000000000000000000000000000000..68ab2f6ca4873607f0a49ecef6765c8d563ca8b1
--- /dev/null
+++ b/mediaextractor.te
@@ -0,0 +1,45 @@
+# mediaextractor - multimedia daemon
+type mediaextractor, domain;
+type mediaextractor_exec, exec_type, file_type;
+
+typeattribute mediaextractor mlstrustedsubject;
+
+init_daemon_domain(mediaextractor)
+
+binder_use(mediaextractor)
+binder_call(mediaextractor, binderservicedomain)
+binder_call(mediaextractor, appdomain)
+binder_service(mediaextractor)
+
+# Required by Widevine DRM (b/22990512)
+allow mediaextractor self:process execmem;
+
+allow mediaextractor kernel:system module_request;
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaextractor, drmserver, drmserver)
+
+allow mediaextractor drmserver_service:service_manager find;
+allow mediaextractor mediaextractor_service:service_manager { add find };
+allow mediaextractor processinfo_service:service_manager find;
+
+use_drmservice(mediaextractor)
+allow mediaextractor drmserver:drmservice {
+    consumeRights
+    setPlaybackStatus
+    openDecryptSession
+    closeDecryptSession
+    initializeDecryptUnit
+    decrypt
+    finalizeDecryptUnit
+    pread
+};
+
+###
+### neverallow rules
+###
+
+# mediaextractor should never execute any executable without a
+# domain transition
+neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
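Review bot: `allow mediaextractor self:process execmem;` (justified only by the Widevine comment) and `allow mediaextractor kernel:system module_request;` give a domain whose job is parsing untrusted container data writable-executable memory and the ability to trigger kernel module loading; both read as carried over from the mediaserver policy rather than derived from what the extractor itself does. If the extractor does not load DRM plugins in-process, dropping both rules (and `binder_call(mediaextractor, appdomain)` if it never calls back into apps) keeps the new domain close to least privilege, which is presumably the point of splitting it out of mediaserver. If they are needed, the comment should name the code path that requires them, e.g. `# execmem: required by <plugin name> loaded in-process, see <bug id>` rather than a bare "Required by Widevine DRM". The `typeattribute mediaextractor mlstrustedsubject;` line also deserves a one-line justification, since it exempts the domain from the MLS constraints that otherwise separate per-user data.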
diff --git a/mediaserver.te b/mediaserver.te
index 7c180cb52b360b1fe6b1f6a48da9f27863d58a97..9ced4d37a97a5a610b945af0f3bc08c8ee26ae7c 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -85,6 +85,7 @@ allow mediaserver appops_service:service_manager find;
 allow mediaserver cameraproxy_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaextractor_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
 allow mediaserver permission_service:service_manager find;
 allow mediaserver power_service:service_manager find;
diff --git a/nfc.te b/nfc.te
index 71841be369ede557d8242059897e8c345d95c377..882725f5948c49d63513edeac29034c36b587b75 100644
--- a/nfc.te
+++ b/nfc.te
@@ -19,6 +19,7 @@ allow nfc sysfs:file write;
 
 allow nfc drmserver_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
+allow nfc mediaextractor_service:service_manager find;
 allow nfc nfc_service:service_manager { add find };
 allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
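Review bot: The `find` grant on `mediaextractor_service` is mirrored into every domain that already had `mediaserver_service find` (here and in the mediaserver, platform_app, priv_app, system_server and untrusted_app hunks), but nothing records whether each client binds media.extractor directly or only reaches it indirectly through mediaserver. For domains that never look up the service the grant is unused exposure and should be left out; for the ones that do, a short comment such as `# media.extractor is looked up directly by the in-process media framework` would make the fan-out intentional rather than copy-paste.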
diff --git a/platform_app.te b/platform_app.te
index 2afe4d8ac6fd25e959a2431ca7887f63e334238f..f65548bd2f20075afcbb440fc386047a33d59ff9 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -36,6 +36,7 @@ allow platform_app vfat:file create_file_perms;
 
 allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
+allow platform_app mediaextractor_service:service_manager find;
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app surfaceflinger_service:service_manager find;
diff --git a/priv_app.te b/priv_app.te
index 279a933d23625b46872424850b020db1f8b8d0c5..79b059d1de95c406a695c707eca751f8c2e5a409 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -21,6 +21,7 @@ create_pty(priv_app)
 
 allow priv_app drmserver_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
+allow priv_app mediaextractor_service:service_manager find;
 allow priv_app nfc_service:service_manager find;
 allow priv_app radio_service:service_manager find;
 allow priv_app surfaceflinger_service:service_manager find;
diff --git a/service.te b/service.te
index c1772d45426837dceb8ad6104b491060fa919b13..49af9176ae5f0a946bce494ba90f57c19641274a 100644
--- a/service.te
+++ b/service.te
@@ -7,6 +7,7 @@ type healthd_service,           service_manager_type;
 type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
 type mediaserver_service,       service_manager_type;
+type mediaextractor_service,    service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type surfaceflinger_service,    service_manager_type;
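Review bot: `type mediaextractor_service,    service_manager_type;` is inserted after `mediaserver_service`, but this block is kept in alphabetical order and "mediaextractor" sorts before "mediaserver"; move the new line one position up so later additions do not inherit the misplacement.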
diff --git a/service_contexts b/service_contexts
index 85dcd3d0eeb720f8e8c0d99c8c309bb7ad5a7165..f6c458d5fd5a18dbab22198da835f18ebc5394ce 100644
--- a/service_contexts
+++ b/service_contexts
@@ -66,6 +66,7 @@ media.camera                              u:object_r:mediaserver_service:s0
 media.camera.proxy                        u:object_r:cameraproxy_service:s0
 media.log                                 u:object_r:mediaserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
+media.extractor                           u:object_r:mediaextractor_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
 media.radio                               u:object_r:mediaserver_service:s0
 media.sound_trigger_hw                    u:object_r:mediaserver_service:s0
diff --git a/system_server.te b/system_server.te
index c50498fa4f37177054537a1877c680296fa8a3f9..e63cd52de1430458ece4916df1a33671f518ee58 100644
--- a/system_server.te
+++ b/system_server.te
@@ -133,10 +133,11 @@ binder_call(system_server, dumpstate)
 binder_service(system_server)
 
 # Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { mediaserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
 
 # Read /proc/pid files for dumping stack traces of native processes.
 r_dir_file(system_server, mediaserver)
+r_dir_file(system_server, mediaextractor)
 r_dir_file(system_server, sdcardd)
 r_dir_file(system_server, surfaceflinger)
 r_dir_file(system_server, inputflinger)
@@ -381,6 +382,7 @@ allow system_server keystore_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
+allow system_server mediaextractor_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server system_server_service:service_manager { add find };
diff --git a/untrusted_app.te b/untrusted_app.te
index 7422fb2502d077c9fec419a993e42d3d405d6ed7..fa7152f72d310a0d74180e61a94ad77cee259baf 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -80,6 +80,8 @@ allow untrusted_app servicemanager:service_manager list;
 allow untrusted_app drmserver_service:service_manager find;
 allow untrusted_app healthd_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;
+allow untrusted_app mediaextractor_service:service_manager find;
+allow untrusted_app mediaextractor_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
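Review bot: The rule `allow untrusted_app mediaextractor_service:service_manager find;` is added twice on consecutive lines; delete one of them. The compiler merges identical allow rules, so the policy is unaffected, but the duplicate will confuse future diffs and looks like a merge artefact.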