diff --git a/mediaserver.te b/mediaserver.te
index 6097ccbe625896537bd9c3de89f896bcc2092730..f84a4248cd45bcc2b80af22d90ee29fecb1edb35 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -62,3 +62,7 @@ allow mediaserver qtaguid_device:chr_file r_file_perms;
 
 # Allow abstract socket connection
 allow mediaserver rild:unix_stream_socket { connectto read write setopt };
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaserver, drmserver, drmserver)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index e926bc89c571888d06fc44d37770339fb75896ff..39781fc8a6449a7299554fd8757bca5994d33eea 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -44,3 +44,8 @@ allow surfaceflinger bootanim:fd use;
 binder_call(surfaceflinger, dumpstate)
 binder_call(surfaceflinger, shell)
 allow surfaceflinger shell_data_file:file write;
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+allow surfaceflinger tee:unix_stream_socket connectto;
+allow surfaceflinger tee_device:chr_file rw_file_perms;