diff --git a/public/domain.te b/public/domain.te
index 7a422216f0632b949f8e6861ea23684653e57fd2..412c93d7d59405de58b752a1368bc55a9f2b10d1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -592,6 +592,7 @@ neverallow {
-vold
-e2fs
-fsck
+ -fastbootd
} metadata_block_device:blk_file { append link rename write open read ioctl lock };
# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
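Review bot: The `-fastbootd` exemption added to the metadata_block_device neverallow is not reflected in the comment that introduces that rule, which sits above this hunk; the parallel rule for the system partition spells out its exempt domains ("No domain other than recovery, update_engine and fastbootd can write to system partition(s)."), so the metadata rule should do the same. Proposed wording for that comment: `# No domain other than vold, e2fs, fsck and fastbootd can write to the metadata partition.` (the exact set should be read from the surrounding neverallow, whose opening and any earlier exemptions are outside this hunk). Note that the exemption is unconditional here while the matching allow rule in fastbootd.te lives inside a `recovery_only(` block, so on non-recovery images the neverallow simply no longer asserts anything about fastbootd; a one-line comment saying that this is intended would save the next reader from checking.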
diff --git a/public/fastbootd.te b/public/fastbootd.te
index f2134e0aba6c5f5fffd64731e2ad7d9276113db9..a1c407be094030f4a4767f3ddaa4a2539b252d36 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -39,20 +39,27 @@ recovery_only(`
allow fastbootd dm_device:blk_file rw_file_perms;
allow fastbootd super_block_device:blk_file rw_file_perms;
- allow fastbootd system_block_device:blk_file { w_file_perms ioctl };
- allowxperm fastbootd system_block_device:blk_file ioctl { BLKGETSIZE64 };
-
-
- allow fastbootd boot_block_device:blk_file { w_file_perms ioctl };
- allowxperm fastbootd boot_block_device:blk_file ioctl { BLKGETSIZE64 };
+ allow fastbootd {
+ boot_block_device
+ metadata_block_device
+ system_block_device
+ userdata_block_device
+ }:blk_file { w_file_perms getattr ioctl };
+
+ allowxperm fastbootd {
+ boot_block_device
+ metadata_block_device
+ system_block_device
+ userdata_block_device
+ }:blk_file ioctl { BLKGETSIZE64 };
+
+ allowxperm fastbootd {
+ metadata_block_device
+ userdata_block_device
+ }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
allow fastbootd misc_block_device:blk_file rw_file_perms;
- # Required to wipe userdata
- allow fastbootd userdata_block_device:blk_file { w_file_perms getattr ioctl };
- allowxperm fastbootd userdata_block_device:blk_file ioctl { BLKGETSIZE64 BLKSECDISCARD
- BLKDISCARD };
-
allow fastbootd proc_cmdline:file r_file_perms;
allow fastbootd rootfs:dir r_dir_perms;
allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
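Review bot: The consolidated rules widen fastbootd's access beyond the lines they replace, and the hunk carries no comment saying why: `getattr` is now granted on boot_block_device and system_block_device (the removed rules had only `{ w_file_perms ioctl }`), `BLKGETSIZE64` is newly allowed on metadata_block_device, and `BLKSECDISCARD BLKDISCARD` now cover metadata_block_device as well as userdata_block_device. The removed `# Required to wipe userdata` comment is the only rationale that was attached to the discard ioctls and it is not carried over to the new three-way `allowxperm` block. Suggested comment above that block: `# Required to wipe userdata and metadata (fastboot erase / -w).`, and above the first `allow fastbootd {` block a line such as `# Partitions fastbootd may flash; getattr is needed alongside write/ioctl to stat the device.` if that is indeed the reason for the extra permission. The enclosing `recovery_only(` block begins before this hunk and its closing `')` is not visible here, and the hunk's line counts suggest a few blank context lines were dropped in extraction.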