diff --git a/app.te b/app.te
index 9431fd1dfc17974ec0b6465b97ae3776e7b2f6d4..37ab9a30569b9815e10642e3a304258cb1516568 100644
--- a/app.te
+++ b/app.te
@@ -7,8 +7,9 @@
 ### zygote spawned apps should be added here.
 ###
 
-# Dalvik Compiler JIT Mapping.
+# WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
+
 allow appdomain ashmem_device:chr_file execute;
 
 # Receive and use open file descriptors inherited from zygote.
diff --git a/mediaserver.te b/mediaserver.te
index f38a3ec6f1cf2a4592af09c61bc869a576ab64ba..65438ba89f91f2a78a9d2c8ca673fe5cd3c3d683 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -14,7 +14,9 @@ binder_call(mediaserver, binderservicedomain)
 binder_call(mediaserver, appdomain)
 binder_service(mediaserver)
 
+# Required by Widevine DRM (b/22990512)
 allow mediaserver self:process execmem;
+
 allow mediaserver kernel:system module_request;
 allow mediaserver media_data_file:dir create_dir_perms;
 allow mediaserver media_data_file:file create_file_perms;