diff --git a/autoplay_app.te b/autoplay_app.te
new file mode 100644
index 0000000000000000000000000000000000000000..c34207c15f9b03ba631efbaeb669004f72530c46
--- /dev/null
+++ b/autoplay_app.te
@@ -0,0 +1,13 @@
+###
+### AutoPlay apps.
+###
+### This file defines the security policy for apps with the autoplay
+### feature.
+###
+### The autoplay_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to autoplay to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as autoplay at install time.
+type autoplay_app, domain;
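Review bot: `type autoplay_app, domain;` on the last line declares the domain, but the file carries no allow rules and no neverallow assertions, so the "reduced permissions sandbox" described in the header is not expressed anywhere in this diff. If the rules land in a follow-up change, say so in the header, e.g. `### Allow rules and neverallow assertions for this domain are added separately.` Otherwise, consider adding the neverallow rules that pin the boundary the header promises, so later allow rules cannot silently widen it. The header would also read better with "Non-ephemeral" hyphenated.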
diff --git a/file.te b/file.te
index 383c3c5a947a6469475bd5aae4f592dd67763b09..c67b0bf71135ace2924954e76d3d4f927554145a 100644
--- a/file.te
+++ b/file.te
@@ -131,6 +131,7 @@ type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
 typealias audio_data_file alias audio_firmware_file;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type;
+type autoplay_data_file, file_type, data_file_type;
 # /data/data subdirectory for system UID apps.
 type system_app_data_file, file_type, data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
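Review bot: `autoplay_data_file` is added under the existing `# /data/data subdirectories - app sandboxes` comment with nothing saying which apps it labels. A line such as `# /data/data subdirectories - autoplay app sandboxes` above it would match the neighbouring declarations. Because this is a new type, any allow or neverallow rule elsewhere in the policy that names `app_data_file` explicitly will not cover it. Those rules are outside this diff and are worth auditing so the new type does not end up less restricted than the one it parallels.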
diff --git a/seapp_contexts b/seapp_contexts
index d8d224038188409bd36c9b21e14ff86e73dc9063..5d5ad751228ef3657ea80db0f0850a6a559d58b0 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -1,5 +1,6 @@
 # Input selectors:
 #	isSystemServer (boolean)
+#	isAutoPlayApp (boolean)
 #	isOwner (boolean)
 #	user (string)
 #	seinfo (string)
@@ -8,6 +9,7 @@
 #	isPrivApp (boolean)
 # isSystemServer=true can only be used once.
 # An unspecified isSystemServer defaults to false.
+# isAutoPlayApp=true will match apps marked by PackageManager as AutoPlay
 # isOwner=true will only match for the owner/primary user.
 # isOwner=false will only match for secondary users.
 # If unspecified, the entry can match either case.
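Review bot: The added `isAutoPlayApp` comment says what `=true` matches but not what `=false` or an unspecified value matches, unlike the `isSystemServer` and `isOwner` text around it. Precedence rule (2) later in this file suggests that an unspecified value matches either case. If so, state it directly after the new line, e.g. `# If isAutoPlayApp is unspecified, the entry can match either case.` Readers need that to judge which existing entries an autoplay app can still fall into.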
@@ -22,15 +24,16 @@
 #
 # Precedence rules:
 # 	  (1) isSystemServer=true before isSystemServer=false.
-# 	  (2) Specified isOwner= before unspecified isOwner= boolean.
-#	  (3) Specified user= string before unspecified user= string.
-#	  (4) Fixed user= string before user= prefix (i.e. ending in *).
-#	  (5) Longer user= prefix before shorter user= prefix.
-#	  (6) Specified seinfo= string before unspecified seinfo= string.
+# 	  (2) Specified isAutoPlayApp= before unspecified isAutoPlayApp= boolean.
+# 	  (3) Specified isOwner= before unspecified isOwner= boolean.
+#	  (4) Specified user= string before unspecified user= string.
+#	  (5) Fixed user= string before user= prefix (i.e. ending in *).
+#	  (6) Longer user= prefix before shorter user= prefix.
+#	  (7) Specified seinfo= string before unspecified seinfo= string.
 #	      ':' character is reserved and may not be used.
-#	  (7) Specified name= string before unspecified name= string.
-#	  (8) Specified path= string before unspecified path= string.
-# 	  (9) Specified isPrivApp= before unspecified isPrivApp= boolean.
+#	  (8) Specified name= string before unspecified name= string.
+#	  (9) Specified path= string before unspecified path= string.
+# 	  (10) Specified isPrivApp= before unspecified isPrivApp= boolean.
 #
 # Outputs:
 #	domain (string)
@@ -79,6 +82,9 @@ neverallow user=((?!_isolated).)* domain=isolated_app
 # uid's can be in shell domain
 neverallow user=shell domain=((?!shell).)*
 
+# AutoPlay Apps must run in the autoplay_app domain
+neverallow isAutoPlayApp=true domain=((?!autoplay_app).)*
+
 isSystemServer=true domain=system_server
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
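Review bot: The comment `# AutoPlay Apps must run in the autoplay_app domain` claims more than `neverallow isAutoPlayApp=true domain=((?!autoplay_app).)*` can be seen to enforce here. Entries such as `user=system seinfo=platform domain=system_app` leave isAutoPlayApp unspecified. Whether the checker treats an unspecified key as matching the assertion is decided in check_seapp.c's matching code, which this diff does not show. If unspecified keys are not matched, an app flagged autoplay under a non-`_app` user would take that entry's domain without tripping the neverallow. Either confirm the checker's behaviour or narrow the comment, e.g. `# Entries that specify isAutoPlayApp=true must use the autoplay_app domain`.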
@@ -88,5 +94,6 @@ user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
+user=_app isAutoPlayApp=true domain=autoplay_app type=autoplay_data_file levelFrom=all
 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
 user=_app domain=untrusted_app type=app_data_file levelFrom=user
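Review bot: The new entry uses `levelFrom=all` where every other `_app` entry in this hunk uses `levelFrom=user`, and nothing explains the difference. Presumably the intent is to separate autoplay apps from each other as well as across users. A comment above the entry would record that, e.g. `# levelFrom=all: MLS categories derived from both app id and user id`. It would also keep a later cleanup from changing it to `user` and losing the per-app separation.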
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 5a03b7f365884a379dfb944f71db3eb7b9152cba..d5853aedee7da1dd4f83f1822f9e125273b96d86 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -204,6 +204,7 @@ static list nallow_list = list_init(line_order_list_freefn);
 key_map rules[] = {
                 /*Inputs*/
                 { .name = "isSystemServer", .type = dt_bool,   .dir = dir_in,  .data = NULL },
+                { .name = "isAutoPlayApp",  .type = dt_bool,   .dir = dir_in,  .data = NULL },
                 { .name = "isOwner",        .type = dt_bool,   .dir = dir_in,  .data = NULL },
                 { .name = "user",           .type = dt_string, .dir = dir_in,  .data = NULL },
                 { .name = "seinfo",         .type = dt_string, .dir = dir_in,  .data = NULL },
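Review bot: The added `isAutoPlayApp` entry only teaches the build-time checker to accept the key as a boolean input. The runtime parser that loads seapp_contexts and applies the documented precedence is not part of this diff. If that parser does not recognise the key, or orders it differently from precedence rule (2) in seapp_contexts, the `user=_app isAutoPlayApp=true` entry could be rejected or shadowed at load time, so the two changes should land together. The `rules[]` initialiser continues past the end of the hunk.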