diff --git a/private/domain.te b/private/domain.te
index e33a9cd4d9d5b144e262209398857ffaac0a3fc2..6d62a592e65cfb837e9d1e4248a843d2462e3850 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -108,6 +108,7 @@ neverallow {
   -rs # spawned by appdomain, so carryover the exception above
   -runas
   -system_server
+  -viewcompiler
 } { privapp_data_file app_data_file }:dir *;
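Review bot: Adding `-viewcompiler` to this exception list lifts the neverallow for both `privapp_data_file` and `app_data_file` directories, but the new domain in private/viewcompiler.te only requests `app_data_file:file { getattr write }` and separately neverallows writes to `privapp_data_file` files, so the exemption appears wider than the domain needs. A narrower form would keep viewcompiler inside the neverallow for `privapp_data_file` by splitting the rule into two, one per type, and listing `-viewcompiler` only on the `app_data_file` half, so that a future allow on privapp directories is still caught at policy build time. If viewcompiler in fact needs no `:dir` permissions at all (it receives an already-open fd from installd), the exception may not be needed here either; that is inferred from the sibling hunk and should be confirmed against the rules installd actually exercises. The enclosing neverallow block starts before this hunk.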
 
 # Only apps should be modifying app data. installd is exempted for
diff --git a/private/file_contexts b/private/file_contexts
index 13cc728425dd4af4f279f0c8f9b9ce9a71e51abd..474c63700ccad153492c246f24365026f60670f2 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -272,6 +272,7 @@
 /system/bin/dexoptanalyzer(d)?     u:object_r:dexoptanalyzer_exec:s0
 # patchoat executable has (essentially) the same requirements as dex2oat.
 /system/bin/patchoat(d)?    u:object_r:dex2oat_exec:s0
+/system/bin/viewcompiler     u:object_r:viewcompiler_exec:s0
 /system/bin/profman(d)?     u:object_r:profman_exec:s0
 /system/bin/iorapd          u:object_r:iorapd_exec:s0
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
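Review bot: The new entry `/system/bin/viewcompiler` has no `(d)?` suffix while the neighbouring dex2oat, dexoptanalyzer, patchoat and profman entries all label a debug variant too; if a `viewcompilerd` binary is ever shipped, it would fall back to the generic `system_file` label and installd's `domain_auto_trans` would not fire for it. If no debug variant exists, a short comment stating that, `# viewcompiler has no debug variant, so no (d)? suffix.`, would stop the next reader from treating the omission as an oversight; otherwise match the siblings with `/system/bin/viewcompiler(d)?`.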
diff --git a/private/installd.te b/private/installd.te
index 0b7ec4e74b6d6e970e7851549d67c9ae229790d3..c511b804a58f3cac1e798c0f25d0ae0f0c46ebc8 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -8,6 +8,9 @@ domain_auto_trans(installd, dex2oat_exec, dex2oat)
 # Run dexoptanalyzer in its own sandbox.
 domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
 
+# Run viewcompiler in its own sandbox.
+domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
+
 # Run profman in its own sandbox.
 domain_auto_trans(installd, profman_exec, profman)
 
diff --git a/private/viewcompiler.te b/private/viewcompiler.te
new file mode 100644
index 0000000000000000000000000000000000000000..14009c606139909057b5586d67853c46db21477b
--- /dev/null
+++ b/private/viewcompiler.te
@@ -0,0 +1,24 @@
+# viewcompiler
+type viewcompiler, domain, coredomain, mlstrustedsubject;
+type viewcompiler_exec, system_file_type, exec_type, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by viewcompiler vs other
+# processes.
+tmpfs_domain(viewcompiler)
+
+allow viewcompiler installd:fd use;
+
+# Include write permission for app data files so viewcompiler can generate
+# compiled layout dex files
+allow viewcompiler app_data_file:file { getattr write };
+
+# Allow the view compiler to read resources from the apps APK.
+allow viewcompiler apk_data_file:file read;
+
+# priv-apps are moving to a world where they can only execute
+# signed code. Make sure viewcompiler never can write to privapp
+# directories to avoid introducing unsigned executable code
+neverallow viewcompiler privapp_data_file:file no_w_file_perms;
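Review bot: The `allow viewcompiler app_data_file:file { getattr write };` rule grants neither `open` nor `create`, so the output dex file can only reach viewcompiler as a descriptor inherited from installd via the `allow viewcompiler installd:fd use;` rule above; that is a deliberate and tight design, but the comment on the write rule does not say so and a maintainer may later "fix" a denial by adding `open`/`create` and widen the sandbox. Stating it explicitly, e.g. `# installd opens the output file and hands it over as an fd; viewcompiler only needs write on the inherited descriptor, never open/create.`, documents the trust boundary. The same applies to `allow viewcompiler apk_data_file:file read;` (no `open`), which is presumably also fd-passed — worth confirming and noting. The final neverallow protects `privapp_data_file` files only; since this change also removes viewcompiler from the `:dir` neverallow in private/domain.te, it may be worth adding a matching `neverallow viewcompiler privapp_data_file:dir *;` here so the two files state the same intent.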