diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 790133efa938370fa71e875e6e2afaf1ff8187ea..e359935debc77d9af458a2479256413b35f90894 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -27,6 +27,7 @@
     netd_stable_secret_prop
     network_watchlist_service
     package_native_service
+    perfprofd_service
     property_info
     slice_service
     stats
diff --git a/private/service_contexts b/private/service_contexts
index 10d8d0995fc4c4fb70d6b0e5cbbb95efadeb0c94..b8d05e25081fbac449f4cb797a8baf25e719777f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -111,6 +111,7 @@ otadexopt                                 u:object_r:otadexopt_service:s0
 overlay                                   u:object_r:overlay_service:s0
 package                                   u:object_r:package_service:s0
 package_native                            u:object_r:package_native_service:s0
+perfprofd                                 u:object_r:perfprofd_service:s0
 permission                                u:object_r:permission_service:s0
 persistent_data_block                     u:object_r:persistent_data_block_service:s0
 phone_msim                                u:object_r:radio_service:s0
diff --git a/public/perfprofd.te b/public/perfprofd.te
index cb4a14409e29d18ad069dcb77ae6b2ea7a16fbd4..1f4de3163ce3fbc6752c18c7367d8503e86021f1 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -96,4 +96,22 @@ userdebug_or_eng(`
   dontaudit perfprofd shell_data_file:dir *;
   dontaudit perfprofd shell_data_file:file *;
 
+  # Allow perfprofd to publish a binder service and make binder calls.
+  binder_use(perfprofd)
+  add_service(perfprofd, perfprofd_service)
+
+  # Use devpts for streams from cmd.
+  #
+  # This is normally granted to binderservicedomain, but this service
+  # has tighter restrictions on the callers (see below), so must enable
+  # this manually.
+  allow perfprofd devpts:chr_file rw_file_perms;
+
+  # Use socket & pipe supplied by su, for cmd perfprofd dump.
+  allow perfprofd su:unix_stream_socket { read write getattr sendto };
+  allow perfprofd su:fifo_file r_file_perms;
+
+  # For now, only allow su to communicate with us.
+  neverallow domain perfprofd:binder call;
+  neverallow perfprofd { domain -servicemanager -su }:binder call;
 ')
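Review bot: The comment `# For now, only allow su to communicate with us.` does not match the rule under it: `neverallow domain perfprofd:binder call;` rejects an allow rule for every domain, su included. Su can therefore reach the service only if it runs permissive, which is inferred because su's policy is not visible in this diff. I would reword the comment to say that, e.g. `# No domain may be granted binder call to perfprofd; su is expected to reach it only because it is permissive on userdebug/eng.` Both neverallow lines also sit inside `userdebug_or_eng(`, whose opening is outside this hunk, so they are not asserted on user builds. If the caller restriction is meant to hold on every build variant, consider moving them after the closing `')`, provided the perfprofd type is declared outside the block.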
diff --git a/public/service.te b/public/service.te
index e48d4b7058065409712f4dc68109b42639c41079..704e2452ecb34ff6a1ff3a5a4b27436181fdfe22 100644
--- a/public/service.te
+++ b/public/service.te
@@ -20,6 +20,7 @@ type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
+type perfprofd_service,         service_manager_type;
 type radio_service,             service_manager_type;
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;