diff --git a/file_contexts b/file_contexts
index 0fc096dcb..e4b6b157e 100644
--- a/file_contexts
+++ b/file_contexts
@@ -159,6 +159,8 @@
 /system/bin/racoon u:object_r:racoon_exec:s0
 /system/xbin/su u:object_r:su_exec:s0
 /system/xbin/procrank u:object_r:procrank_exec:s0
+/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
+/system/xbin/simpleperf u:object_r:system_file:s0
 /system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
 /system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
 /system/bin/hostapd u:object_r:hostapd_exec:s0
diff --git a/perfprofd.te b/perfprofd.te
new file mode 100644
index 000000000..30b438b30
--- /dev/null
+++ b/perfprofd.te
@@ -0,0 +1,45 @@
+# perfprofd - perf profile collection daemon
+type perfprofd_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+
+ type perfprofd, domain, mlstrustedsubject;
+
+ init_daemon_domain(perfprofd)
+
+ # perfprofd needs to control CPU hot-plug in order to avoid kernel
+ # perfevents problems in cases where CPU goes on/off during measurement;
+ # this means read access to /sys/devices/system/cpu/possible
+ # and read/write access to /sys/devices/system/cpu/cpu*/online
+ allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
+
+ # perfprofd checks for the existence of and then invokes simpleperf;
+ # simpleperf retains perfprofd domain after exec
+ allow perfprofd system_file:file rx_file_perms;
+
+ # perfprofd reads a config file from /data/data/com.google.android.gms/files
+ # opens a file for writing in the same directory
+ allow perfprofd app_data_file:file rw_file_perms;
+ allow perfprofd app_data_file:dir rw_dir_perms;
+
+ # perfprofd looks for the existence of a semaphore file to determine
+ # whether collection is enabled/disabled (where the semphore file is
+ # created by some other entity, e.g. gms)
+ allow perfprofd app_data_file:dir search;
+ allow perfprofd self:capability { dac_override };
+
+ # perfprofd reads profiles from /data/data/..., encodes them,
+ # and then dumps the encoded profiles back to /data/data/....
+ allow perfprofd app_data_file:dir_file_class_set create_file_perms;
+
+ # perfprofd uses the system log
+ read_logd(perfprofd);
+ write_logd(perfprofd);
+
+ # simpleperf uses ioctl() to turn on kernel perf events measurements
+ allow perfprofd self:capability sys_admin;
+
+ # simpleperf is going to execute "sleep"
+ allow perfprofd toolbox_exec:file x_file_perms;
+
+')
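Review bot: The capability grants at `allow perfprofd self:capability { dac_override };` and `allow perfprofd self:capability sys_admin;` make this domain far more powerful than the comments suggest: sys_admin is close to root-equivalent rather than a perf-specific right, and dac_override bypasses filesystem DAC on every object, while the `app_data_file` rules (especially `allow perfprofd app_data_file:dir_file_class_set create_file_perms;`) cover every app's private data directory, not only the gms directory named in the comment. The comment on the sys_admin line should state what the kernel actually demands it for (presumably perf_event_open under the device's perf_event_paranoid setting — worth confirming, and if a narrower mechanism exists on this kernel it should be preferred), e.g. `# perf_event_open() needs CAP_SYS_ADMIN at the device's perf_event_paranoid level; this is root-equivalent, keep the rest of this domain minimal`. If the gms side can label its profile directory with a dedicated type instead of plain app_data_file, the file/dir rules could be scoped to that type and the need for dac_override revisited; as written, a flaw in the daemon's parsing of the config or profile files it reads from that directory reaches all app data. `allow perfprofd app_data_file:dir search;` is already covered by the `rw_dir_perms` granted two lines earlier (r_dir_perms includes search in the global macros) and can be dropped, and "semphore" in the comment above it should read "semaphore". Since `/system/xbin/simpleperf` is labelled plain `system_file` in the file_contexts hunk, `allow perfprofd system_file:file rx_file_perms;` necessarily permits executing every system_file binary; a dedicated exec type for simpleperf (this patch defines none) would let that rule be narrowed to the one binary.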