diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te
index 253a8615..446693e6 100644
--- a/whitechapel_pro/mediacodec_samsung.te
+++ b/whitechapel_pro/mediacodec_samsung.te
@@ -15,3 +15,13 @@
 allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms;
 hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
 crash_dump_fallback(mediacodec_samsung)
+
+# mediacodec_samsung should never execute any executable without a domain transition
+neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *;
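Review bot: The three `neverallow` lines at the end of the hunk are build-time assertions, not runtime denials: they make the policy build fail if a conflicting `allow` is ever added to this domain, so on their own they harden nothing that is not already absent from the policy, and the comments should say so, e.g. `# Build-time assertion: no allow rule may grant these to mediacodec_samsung.`. The socket assertions cover only `tcp_socket`, `udp_socket` and `rawip_socket`; netlink and unix-domain sockets are left unconstrained by this hunk, which is presumably deliberate (local IPC) but is worth a one-line mention so a later reader does not assume the domain is fully network-isolated. The `userdebug_or_eng(`-su')` carve-out on the last line means that on debuggable builds the domain may still operate on `tcp_socket` objects owned by `su`; if this vendor domain has no such debugging need, the narrower `neverallow mediacodec_samsung domain:tcp_socket *;` drops the exception and could be folded into the preceding rule.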