diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index f7d448fd..9f1940db 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -412,6 +412,8 @@
 /dev/dma_heap/video_system u:object_r:dmabuf_system_heap_device:s0
 /dev/dma_heap/video_system-uncached u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
+
 # Video sysfs files
 /sys/devices/platform/mfc/video4linux/video6/name u:object_r:sysfs_video:s0
 /sys/devices/platform/mfc/video4linux/video7/name u:object_r:sysfs_video:s0
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
index 8e79515f..ae7386fc 100644
--- a/whitechapel/vendor/google/untrusted_app_all.te
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@@ -4,3 +4,7 @@ allow untrusted_app_all edgetpu_service:service_manager find;
 # Allows applications to access the EdgeTPU device, except open, which is guarded
 # by the EdgeTPU service.
 allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
+# for secure video playback
+allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
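Review bot: The added `/dev/dma_heap/vstream-secure` entry reuses the shared `dmabuf_system_secure_heap_device` label, so any rule written against that type covers this node and every other heap that carries the label, now or later. The rule added to untrusted_app_all.te in this same commit is such a rule. If only the video-stream heap is meant to be reachable from apps, a dedicated type (placeholder name `vstream_secure_heap_device`) would keep that grant from widening when further secure heaps are labelled. The entry also has no comment of its own; a line such as `# Secure video stream heap, opened directly by apps for protected playback` would explain why it differs from the heaps above it.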
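Review bot: `r_file_perms` on the last added line gives every untrusted app open, read, ioctl and map on the secure heap type, with no ioctl restriction, whereas the edgetpu rule just above deliberately withholds open and routes it through a service. Secure heaps are often backed by a limited protected-memory carveout (an assumption, since the heap driver is not part of this diff), so it is worth confirming that one app holding allocations cannot starve protected playback for others. If apps only need to allocate, an `allowxperm` rule limiting ioctl to the DMA-BUF heap allocation request would narrow the exposed surface. The comment should state the real scope, for example `# Grants all untrusted apps open/ioctl/map on dmabuf_system_secure_heap_device; required for secure video playback (e.g. ExoPlayer)`.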