diff --git a/audioserver.te b/audioserver.te
new file mode 100644
index 0000000000000000000000000000000000000000..28da2939baed5705a048f75260672cf13c0be2e7
--- /dev/null
+++ b/audioserver.te
@@ -0,0 +1,119 @@
+# audioserver - audio services daemon
+type audioserver, domain, domain_deprecated;
+type audioserver_exec, exec_type, file_type;
+
+typeattribute audioserver mlstrustedsubject;
+
+net_domain(audioserver)
+init_daemon_domain(audioserver)
+
+r_dir_file(audioserver, sdcard_type)
+
+binder_use(audioserver)
+binder_call(audioserver, binderservicedomain)
+binder_call(audioserver, { appdomain autoplay_app })
+binder_service(audioserver)
+
+# Required by Widevine DRM (b/22990512)
+allow audioserver self:process execmem;
+
+allow audioserver kernel:system module_request;
+allow audioserver media_data_file:dir create_dir_perms;
+allow audioserver media_data_file:file create_file_perms;
+allow audioserver app_data_file:dir search;
+allow audioserver app_data_file:file rw_file_perms;
+allow audioserver sdcard_type:file write;
+allow audioserver gpu_device:chr_file rw_file_perms;
+allow audioserver video_device:dir r_dir_perms;
+allow audioserver video_device:chr_file rw_file_perms;
+allow audioserver audio_device:dir r_dir_perms;
+allow audioserver tee_device:chr_file rw_file_perms;
+
+set_prop(audioserver, audio_prop)
+
+# Access audio devices at all.
+allow audioserver audio_device:chr_file rw_file_perms;
+
+# XXX Label with a specific type?
+allow audioserver sysfs:file r_file_perms;
+
+# Read resources from open apk files passed over Binder.
+allow audioserver apk_data_file:file { read getattr };
+allow audioserver asec_apk_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow audioserver radio_data_file:file { read getattr };
+
+# Use pipes passed over Binder from app domains.
+allow audioserver { appdomain autoplay_app }:fifo_file { getattr read write };
+
+# Access camera device.
+allow audioserver camera_device:chr_file rw_file_perms;
+allow audioserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow audioserver system_server:fifo_file r_file_perms;
+
+# Camera data
+r_dir_file(audioserver, camera_data_file)
+r_dir_file(audioserver, media_rw_data_file)
+
+# Grant access to audio files to audioserver
+allow audioserver audio_data_file:dir ra_dir_perms;
+allow audioserver audio_data_file:file create_file_perms;
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow audioserver qtaguid_proc:file rw_file_perms;
+allow audioserver qtaguid_device:chr_file r_file_perms;
+
+# Allow abstract socket connection
+allow audioserver rild:unix_stream_socket { connectto read write setopt };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(audioserver, drmserver, drmserver)
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
+# Connect to tee service.
+allow audioserver tee:unix_stream_socket connectto;
+
+allow audioserver activity_service:service_manager find;
+allow audioserver appops_service:service_manager find;
+allow audioserver audioserver_service:service_manager { add find };
+allow audioserver cameraproxy_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver drmserver_service:service_manager find;
+allow audioserver mediaextractor_service:service_manager find;
+allow audioserver mediaserver_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver processinfo_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
+allow audioserver surfaceflinger_service:service_manager find;
+
+# /oem access
+allow audioserver oemfs:dir search;
+allow audioserver oemfs:file r_file_perms;
+
+use_drmservice(audioserver)
+allow audioserver drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
+
+###
+### neverallow rules
+###
+
+# audioserver should never execute any executable without a
+# domain transition
+neverallow audioserver { file_type fs_type }:file execute_no_trans;
diff --git a/bluetooth.te b/bluetooth.te
index fbd2a937a93956cadebc5409c7c5d9f18e37f017..e4b3ff71dc86fbfbd6776d9bef82a173d82edd45 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -33,6 +33,7 @@ set_prop(bluetooth, bluetooth_prop)
 set_prop(bluetooth, pan_result_prop)
 set_prop(bluetooth, ctl_dhcp_pan_prop)
+allow bluetooth audioserver_service:service_manager find;
 allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth drmserver_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
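Review bot: The new domain carries mediaserver's whole permission set rather than the subset an audio daemon needs, so the rules in this hunk worth trimming are `allow audioserver self:process execmem;` (its `b/22990512` Widevine justification reads as copied over from mediaserver), `rw_file_perms` on `gpu_device`, `video_device`, `camera_device`, `tee_device` and `rpmsg_device`, `r_dir_file(audioserver, camera_data_file)`, the `drmserver:drmservice` decrypt permissions, `net_domain(audioserver)` together with the `rild`, `drmserver` and `tee` socket connects, `app_data_file:file rw_file_perms` and `sdcard_type:file write`. Each of these widens what a compromised audio process can reach, and `domain_deprecated` plus `mlstrustedsubject` add further attribute-level permissions the daemon presumably does not need. I would keep the audio-specific rules (`audio_device`, `audio_data_file`, `audio_prop`, `audioserver_service`, the `binder_*` macros and the `service_manager find`s it actually uses) and reintroduce the rest only against observed denials, marking anything kept for an unconfirmed reason with `# TODO(audioserver): confirm still needed after the split from mediaserver`. The same carry-over applies to the `audioserver:tcp_socket`/`udp_socket` `rw_socket_perms` added in the system_server hunk at `@@ -147`. The closing `neverallow ... execute_no_trans` rule is the right safeguard and should stay.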
diff --git a/debuggerd.te b/debuggerd.te
index 0e3cf68055f8406ea53a72d66441f35a8ebe70ff..95fff1b227036673a4fdfd087bdbbbbdf65795c9 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -25,7 +25,7 @@ allow debuggerd system_data_file:file open;
 # Allow debuggerd to redirect a dump_backtrace request to itself.
 # This only happens on 64 bit systems, where all requests go to the 64 bit
 # debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
-allow debuggerd { drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow debuggerd { audioserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
 # Connect to system_server via /data/system/ndebugsocket.
 unix_socket_connect(debuggerd, system_ndebug, system_server)
diff --git a/dumpstate.te b/dumpstate.te
index 89a41c65c0f4ff362741f363101597c274efe70f..4faa0cca2f6ae74c1467427ccaf4f82f948ca239 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,9 +48,9 @@ allow dumpstate { appdomain autoplay_app system_server }:process signal;
 # Signal native processes to dump their stack.
 # This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { drmserver mediaserver mediaextractor sdcardd surfaceflinger }:process signal;
+allow dumpstate { audioserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:process signal;
 # Ask debuggerd for the backtraces of these processes.
-allow dumpstate { drmserver mediaserver mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
+allow dumpstate { audioserver drmserver mediaserver mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
 # Execute and transition to the vdc domain
 domain_auto_trans(dumpstate, vdc_exec, vdc)
diff --git a/file_contexts b/file_contexts
index 3e12ac7b5219a4f7e670aa3b74c755083041dae4..201c4bf40aea43647500997eebed42efad7724d5 100644
--- a/file_contexts
+++ b/file_contexts
@@ -163,6 +163,7 @@
 /system/bin/vold u:object_r:vold_exec:s0
 /system/bin/netd u:object_r:netd_exec:s0
 /system/bin/rild u:object_r:rild_exec:s0
+/system/bin/audioserver u:object_r:audioserver_exec:s0
 /system/bin/mediaserver u:object_r:mediaserver_exec:s0
 /system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
 /system/bin/mdnsd u:object_r:mdnsd_exec:s0
diff --git a/mediaserver.te b/mediaserver.te
index d924b021d148658b392f11b2df61811c2d5cafda..c23cda1dee76ebdbe4860a396dc34be7643a67a6 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -82,6 +82,7 @@ allow mediaserver tee:unix_stream_socket connectto;
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
+allow mediaserver audioserver_service:service_manager find;
 allow mediaserver cameraproxy_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
diff --git a/nfc.te b/nfc.te
index e648863ec46f2bd932f760f148f2a67def673601..e02c119d3734ba944ba8bd049d43724a09b183e2 100644
--- a/nfc.te
+++ b/nfc.te
@@ -17,6 +17,7 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
+allow nfc audioserver_service:service_manager find;
 allow nfc drmserver_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
 allow nfc mediaextractor_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index ed28c76948d6df0df460c9dfee8a1b95c2589b0f..16ed2cab280a7236550a8a2fe8de30ccedfffdd2 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -34,6 +34,7 @@ allow platform_app mnt_media_rw_file:dir r_dir_perms;
 allow platform_app vfat:dir create_dir_perms;
 allow platform_app vfat:file create_file_perms;
+allow platform_app audioserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;
 allow platform_app mediaserver_service:service_manager find;
 allow platform_app mediaextractor_service:service_manager find;
diff --git a/priv_app.te b/priv_app.te
index c734f58e92bd29c1d38743c29d321795d1e09b24..5ad563e4dd422eda2ffb3ac567488bee19e3590c 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -19,6 +19,7 @@ allow priv_app mtp_device:chr_file rw_file_perms;
 # Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
 create_pty(priv_app)
+allow priv_app audioserver_service:service_manager find;
 allow priv_app drmserver_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
 allow priv_app mediaextractor_service:service_manager find;
diff --git a/radio.te b/radio.te
index 448fdb5be8520a0af4a30d3bd819d343fdc03298..0da43a6d28f7005bad6e7031ec9cd27e90b610df 100644
--- a/radio.te
+++ b/radio.te
@@ -27,6 +27,7 @@ auditallow radio system_radio_prop:property_service set;
 # ctl interface
 set_prop(radio, ctl_rildaemon_prop)
+allow radio audioserver_service:service_manager find;
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
diff --git a/service.te b/service.te
index 15cf349a634bcebdb298486f21beb8d5e92ee160..e770fd87a5892043c4b4680900e406a54c178722 100644
--- a/service.te
+++ b/service.te
@@ -1,3 +1,4 @@
+type audioserver_service, service_manager_type;
 type bluetooth_service, service_manager_type;
 type default_android_service, service_manager_type;
 type drmserver_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index f6c458d5fd5a18dbab22198da835f18ebc5394ce..70c52b100b7e2a57e98dbc4183281766496513a6 100644
--- a/service_contexts
+++ b/service_contexts
@@ -60,16 +60,16 @@ jobscheduler u:object_r:jobscheduler_service:s0
 launcherapps u:object_r:launcherapps_service:s0
 location u:object_r:location_service:s0
 lock_settings u:object_r:lock_settings_service:s0
-media.audio_flinger u:object_r:mediaserver_service:s0
-media.audio_policy u:object_r:mediaserver_service:s0
+media.audio_flinger u:object_r:audioserver_service:s0
+media.audio_policy u:object_r:audioserver_service:s0
 media.camera u:object_r:mediaserver_service:s0
 media.camera.proxy u:object_r:cameraproxy_service:s0
-media.log u:object_r:mediaserver_service:s0
+media.log u:object_r:audioserver_service:s0
 media.player u:object_r:mediaserver_service:s0
 media.extractor u:object_r:mediaextractor_service:s0
 media.resource_manager u:object_r:mediaserver_service:s0
-media.radio u:object_r:mediaserver_service:s0
-media.sound_trigger_hw u:object_r:mediaserver_service:s0
+media.radio u:object_r:audioserver_service:s0
+media.sound_trigger_hw u:object_r:audioserver_service:s0
 media_projection u:object_r:media_projection_service:s0
 media_router u:object_r:media_router_service:s0
 media_session u:object_r:media_session_service:s0
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 7a30a4776b78511ed0c5041ec98e48c6149da5b1..b0b03579d31c6f75498158b13a8367c712b672ec 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -56,6 +56,7 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 # media.player service
+allow surfaceflinger audioserver_service:service_manager find;
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;
diff --git a/system_server.te b/system_server.te
index f6a89afcbf21d22c918108bac0d0ff21d0f9b80b..e75e11929c978fd8cdc1ef3aebab5807f8a8f5c7 100644
--- a/system_server.te
+++ b/system_server.te
@@ -77,6 +77,7 @@ allow system_server { appdomain autoplay_app }:process { sigkill signal };
 # Set scheduling info for apps.
 allow system_server { appdomain autoplay_app }:process { getsched setsched };
+allow system_server audioserver:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
 # Read /proc/pid data for all domains. This is used by ProcessCpuTracker
@@ -137,9 +138,10 @@ binder_call(system_server, dumpstate)
 binder_service(system_server)
 # Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { mediaserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { audioserver mediaserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
 # Read /proc/pid files for dumping stack traces of native processes.
+r_dir_file(system_server, audioserver)
 r_dir_file(system_server, mediaserver)
 r_dir_file(system_server, mediaextractor)
 r_dir_file(system_server, sdcardd)
@@ -147,6 +149,8 @@ r_dir_file(system_server, surfaceflinger)
 r_dir_file(system_server, inputflinger)
 # Use sockets received over binder from various services.
+allow system_server audioserver:tcp_socket rw_socket_perms;
+allow system_server audioserver:udp_socket rw_socket_perms;
 allow system_server mediaserver:tcp_socket rw_socket_perms;
 allow system_server mediaserver:udp_socket rw_socket_perms;
@@ -370,6 +374,7 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;
+allow system_server audioserver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
diff --git a/untrusted_app.te b/untrusted_app.te
index 255022b35a3f6231fcd08d46d877cc6f6cde3d1b..e727151806cdd1e0fd3739cbc72f2d1ba10dd3d6 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -77,11 +77,11 @@ allow untrusted_app mnt_media_rw_file:dir search;
 # allow cts to query all services
 allow untrusted_app servicemanager:service_manager list;
+allow untrusted_app audioserver_service:service_manager find;
 allow untrusted_app drmserver_service:service_manager find;
 allow untrusted_app healthd_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;
 allow untrusted_app mediaextractor_service:service_manager find;
-allow untrusted_app mediaextractor_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
 allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;