diff --git a/bluetooth.te b/bluetooth.te
index 6a329b70c3cbb75bd0fa32f805e1eb89a4df09a3..0c42eb52e78679314dd6f816d7d5d8e5d9f0e218 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -37,6 +37,7 @@ set_prop(bluetooth, ctl_dhcp_pan_prop)
 allow bluetooth audioserver_service:service_manager find;
 allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth cameraserver_service:service_manager find;
 allow bluetooth drmserver_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
diff --git a/cameraserver.te b/cameraserver.te
new file mode 100644
index 0000000000000000000000000000000000000000..3a5dff370339a6df83f8e1dc3a3bd274b684d012
--- /dev/null
+++ b/cameraserver.te
@@ -0,0 +1,120 @@
+# cameraserver - camera daemon
+type cameraserver, domain, domain_deprecated;
+type cameraserver_exec, exec_type, file_type;
+
+typeattribute cameraserver mlstrustedsubject;
+
+net_domain(cameraserver)
+init_daemon_domain(cameraserver)
+
+r_dir_file(cameraserver, sdcard_type)
+
+binder_use(cameraserver)
+binder_call(cameraserver, binderservicedomain)
+binder_call(cameraserver, appdomain)
+binder_service(cameraserver)
+
+# Required by Widevine DRM (b/22990512)
+allow cameraserver self:process execmem;
+
+allow cameraserver kernel:system module_request;
+allow cameraserver media_data_file:dir create_dir_perms;
+allow cameraserver media_data_file:file create_file_perms;
+allow cameraserver camera_data_file:dir create_dir_perms;
+allow cameraserver camera_data_file:file create_file_perms;
+allow cameraserver app_data_file:dir search;
+allow cameraserver app_data_file:file rw_file_perms;
+allow cameraserver sdcard_type:file write;
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver video_device:dir r_dir_perms;
+allow cameraserver video_device:chr_file rw_file_perms;
+allow cameraserver audio_device:dir r_dir_perms;
+allow cameraserver tee_device:chr_file rw_file_perms;
+
+set_prop(cameraserver, audio_prop)
+
+# Access audio devices at all.
+allow cameraserver audio_device:chr_file rw_file_perms;
+
+# XXX Label with a specific type?
+allow cameraserver sysfs:file r_file_perms;
+
+# Read resources from open apk files passed over Binder.
+allow cameraserver apk_data_file:file { read getattr };
+allow cameraserver asec_apk_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow cameraserver radio_data_file:file { read getattr };
+
+# Use pipes passed over Binder from app domains.
+allow cameraserver appdomain:fifo_file { getattr read write };
+
+allow cameraserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow cameraserver system_server:fifo_file r_file_perms;
+
+# Camera data
+r_dir_file(cameraserver, camera_data_file)
+r_dir_file(cameraserver, media_rw_data_file)
+
+# Grant access to audio files to cameraserver
+allow cameraserver audio_data_file:dir ra_dir_perms;
+allow cameraserver audio_data_file:file create_file_perms;
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow cameraserver qtaguid_proc:file rw_file_perms;
+allow cameraserver qtaguid_device:chr_file r_file_perms;
+
+# Allow abstract socket connection
+allow cameraserver rild:unix_stream_socket { connectto read write setopt };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(cameraserver, drmserver, drmserver)
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(cameraserver, bluetooth, bluetooth)
+
+# Connect to tee service.
+allow cameraserver tee:unix_stream_socket connectto;
+
+allow cameraserver activity_service:service_manager find;
+allow cameraserver appops_service:service_manager find;
+allow cameraserver audioserver_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver cameraserver_service:service_manager { add find };
+allow cameraserver batterystats_service:service_manager find;
+allow cameraserver drmserver_service:service_manager find;
+allow cameraserver mediaextractor_service:service_manager find;
+allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver permission_service:service_manager find;
+allow cameraserver power_service:service_manager find;
+allow cameraserver processinfo_service:service_manager find;
+allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver surfaceflinger_service:service_manager find;
+
+# /oem access
+allow cameraserver oemfs:dir search;
+allow cameraserver oemfs:file r_file_perms;
+
+use_drmservice(cameraserver)
+allow cameraserver drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
+
+###
+### neverallow rules
+###
+
+# cameraserver should never execute any executable without a
+# domain transition
+neverallow cameraserver { file_type fs_type }:file execute_no_trans;
diff --git a/debuggerd.te b/debuggerd.te
index 576c76f335f65a926bab2319563e62f1cf10905a..917c88c917e52da6cc11570435036bdd1b4b838e 100644
--- a/debuggerd.te
+++ b/debuggerd.te
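Review bot: `allow cameraserver self:process execmem;` gives the new camera daemon writable-and-executable anonymous memory, and the comment above it (`# Required by Widevine DRM (b/22990512)`) reads as carried over from the media daemon rather than argued for this domain; unless cameraserver itself loads a DRM plugin, that rule together with `use_drmservice(cameraserver)` and the `drmserver:drmservice { ... }` block near the end of the hunk should be dropped so the camera process keeps W^X. The same copy-over pattern shows in `net_domain(cameraserver)`, `allow cameraserver rild:unix_stream_socket { connectto read write setopt };`, `allow cameraserver app_data_file:file rw_file_perms;` and the audio_data_file/qtaguid rules, whose comments ("playing audio on paired BT device", "Grant access to audio files to cameraserver") describe media-playback use cases, and the hunk's own `# XXX Label with a specific type?` suggests the sysfs rule was not re-examined either. Each of these should carry a camera-specific justification or be removed; a narrow policy for a freshly split domain is easier to audit because any missing permission surfaces as an explicit denial rather than hiding inside inherited grants. The `domain_deprecated` attribute on the `type cameraserver` line looks like the legacy catch-all set and is presumably not something a brand-new domain should opt into — worth confirming against domain_deprecated.te.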
@@ -22,7 +22,8 @@ allow debuggerd system_data_file:file open;
 # Allow debuggerd to redirect a dump_backtrace request to itself.
 # This only happens on 64 bit systems, where all requests go to the 64 bit
 # debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
-allow debuggerd { audioserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+
+allow debuggerd { audioserver cameraserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
 # Connect to system_server via /data/system/ndebugsocket.
 unix_socket_connect(debuggerd, system_ndebug, system_server)
diff --git a/dumpstate.te b/dumpstate.te
index 28541209987bb64b37bfd601258dbd8c13bfec6d..f7a84f6bcb8eee2d71a1756c99d40d45eb090ad5 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,9 +48,9 @@ allow dumpstate { appdomain autoplay_app system_server }:process signal;
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { audioserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:process signal;
+allow dumpstate { audioserver cameraserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:process signal;
 # Ask debuggerd for the backtraces of these processes.
-allow dumpstate { audioserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
+allow dumpstate { audioserver cameraserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)
diff --git a/file_contexts b/file_contexts
index 8f42ce2bd631ffeae739668536afb33064d82d1f..17979dc349b0682d10c442d150fd48d5538975b8 100644
--- a/file_contexts
+++ b/file_contexts
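Review bot: The rewritten `allow debuggerd { audioserver cameraserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;` is now preceded by an added empty line, which detaches it from the three-line comment explaining the 64-bit redirection that the rule implements. Dropping that blank `+` line keeps this a one-token change, the same shape the dumpstate.te hunk in this commit uses for the identical edit.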
@@ -166,6 +166,7 @@
 /system/bin/rild u:object_r:rild_exec:s0
 /system/bin/audioserver u:object_r:audioserver_exec:s0
 /system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/cameraserver u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
 /system/bin/mediacodec u:object_r:mediacodec_exec:s0
 /system/bin/mdnsd u:object_r:mdnsd_exec:s0
diff --git a/mediaserver.te b/mediaserver.te
index ccd633bc6a9ee8fc16912b10aa8a75fc79f5662e..257c1c27099d322065f12a27a2e221d4c54f7a50 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -81,6 +81,7 @@ allow mediaserver tee:unix_stream_socket connectto;
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
 allow mediaserver audioserver_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
 allow mediaserver cameraproxy_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
diff --git a/nfc.te b/nfc.te
index 9cf8c5de60dba1900550b96818586b7ab6725af4..87c68a784d99430fbda04ee1ecd8501854b53b74 100644
--- a/nfc.te
+++ b/nfc.te
@@ -18,6 +18,7 @@ allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
 allow nfc audioserver_service:service_manager find;
+allow nfc cameraserver_service:service_manager find;
 allow nfc drmserver_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
 allow nfc mediaextractor_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index 0c983840f298a58e59d41758bce8a989d9bb19c4..3d46f7f87871b9a663b7d42c1e97e7aeb24edd04 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -39,6 +39,7 @@ allow platform_app vfat:dir create_dir_perms;
 allow platform_app vfat:file create_file_perms;
 allow platform_app audioserver_service:service_manager find;
+allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
 allow platform_app mediaextractor_service:service_manager find;
diff --git a/priv_app.te b/priv_app.te
index a6cdeca922582059ee7eeb9869c525200114fc9c..9a3d0ac523d1c9711aed91d93f69b6572ca2a8ff 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -20,6 +20,7 @@ allow priv_app mtp_device:chr_file rw_file_perms;
 create_pty(priv_app)
 allow priv_app audioserver_service:service_manager find;
+allow priv_app cameraserver_service:service_manager find;
 allow priv_app drmserver_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
 allow priv_app mediaextractor_service:service_manager find;
diff --git a/radio.te b/radio.te
index 0da43a6d28f7005bad6e7031ec9cd27e90b610df..c4df1f7d11dbb960d9ad6b626c719b9bee68736d 100644
--- a/radio.te
+++ b/radio.te
@@ -28,6 +28,7 @@ auditallow radio system_radio_prop:property_service set;
 set_prop(radio, ctl_rildaemon_prop)
 allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
diff --git a/service.te b/service.te
index 28689a3877f0e820bdf6a6637e2fa31cfe662e3b..7c771d2fc6f65de007e9e08abe6d681c7df00909 100644
--- a/service.te
+++ b/service.te
@@ -1,5 +1,6 @@
 type audioserver_service, service_manager_type;
 type bluetooth_service, service_manager_type;
+type cameraserver_service, service_manager_type;
 type default_android_service, service_manager_type;
 type drmserver_service, service_manager_type;
 type gatekeeper_service, app_api_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index d570371544c167514aaebf4f71f3a13de5e9dacf..972718a62905bd91d4dc0b8d0b31b1492341c8ce 100644
--- a/service_contexts
+++ b/service_contexts
@@ -63,7 +63,7 @@ location u:object_r:location_service:s0
 lock_settings u:object_r:lock_settings_service:s0
 media.audio_flinger u:object_r:audioserver_service:s0
 media.audio_policy u:object_r:audioserver_service:s0
-media.camera u:object_r:mediaserver_service:s0
+media.camera u:object_r:cameraserver_service:s0
 media.camera.proxy u:object_r:cameraproxy_service:s0
 media.log u:object_r:audioserver_service:s0
 media.player u:object_r:mediaserver_service:s0
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 8fb6463ff4684929d3265b52d699c6d42c6bf842..31f7de66db08b8405ae899f83330dfdd1e23f8f7 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -54,6 +54,7 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 # media.player service
 allow surfaceflinger audioserver_service:service_manager find;
+allow surfaceflinger cameraserver_service:service_manager find;
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;
diff --git a/system_server.te b/system_server.te
index b198005ba47022f43f572858966d6866767f2d15..65be90165a80e4de949205d0d565773c3f0998ec 100644
--- a/system_server.te
+++ b/system_server.te
@@ -78,6 +78,7 @@ allow system_server { appdomain autoplay_app }:process { sigkill signal };
 # Set scheduling info for apps.
 allow system_server { appdomain autoplay_app }:process { getsched setsched };
 allow system_server audioserver:process { getsched setsched };
+allow system_server cameraserver:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
 # Read /proc/pid data for all domains. This is used by ProcessCpuTracker
@@ -138,10 +139,11 @@ binder_call(system_server, dumpstate)
 binder_service(system_server)
 # Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { audioserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { audioserver cameraserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
 # Read /proc/pid files for dumping stack traces of native processes.
 r_dir_file(system_server, audioserver)
+r_dir_file(system_server, cameraserver)
 r_dir_file(system_server, mediaserver)
 r_dir_file(system_server, mediaextractor)
 r_dir_file(system_server, mediacodec)
@@ -152,6 +154,8 @@ r_dir_file(system_server, inputflinger)
 # Use sockets received over binder from various services.
 allow system_server audioserver:tcp_socket rw_socket_perms;
 allow system_server audioserver:udp_socket rw_socket_perms;
+allow system_server cameraserver:tcp_socket rw_socket_perms;
+allow system_server cameraserver:udp_socket rw_socket_perms;
 allow system_server mediaserver:tcp_socket rw_socket_perms;
 allow system_server mediaserver:udp_socket rw_socket_perms;
@@ -381,6 +385,7 @@ allow system_server sysfs_zram:dir search;
 allow system_server sysfs_zram:file r_file_perms;
 allow system_server audioserver_service:service_manager find;
+allow system_server cameraserver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
diff --git a/untrusted_app.te b/untrusted_app.te
index 459341404fdd0f47909a6b67fcaa7eee26df6e33..33a61711f15af887d555e76d06d53b7d1df8e501 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
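Review bot: `allow system_server cameraserver:tcp_socket rw_socket_perms;` and the matching `udp_socket` line in the second system_server hunk mirror the audioserver/mediaserver pairs under `# Use sockets received over binder from various services.`, but nothing in this commit shows cameraserver handing network sockets to system_server, and the new cameraserver.te hunk grants the camera daemon no explicit tcp/udp socket rules of its own beyond `net_domain(cameraserver)`. Unless a camera code path actually passes such sockets, these two lines are presumably dead grants and should be left out until a concrete denial justifies them, at which point a comment naming the service that passes the socket would make the rule auditable. The `getsched setsched`, `r_dir_file(system_server, cameraserver)` and `cameraserver_service:service_manager find` additions in the other system_server hunks follow the existing audioserver/mediaserver entries and need no change.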
@@ -67,6 +67,7 @@ allow untrusted_app mnt_media_rw_file:dir search;
 allow untrusted_app servicemanager:service_manager list;
 allow untrusted_app audioserver_service:service_manager find;
+allow untrusted_app cameraserver_service:service_manager find;
 allow untrusted_app drmserver_service:service_manager find;
 allow untrusted_app healthd_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;