diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 5e314618114114483223179cdfbb5f913a9e4c2e..696d630de830d438402786609780f7f2b552b505 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -112,6 +112,7 @@
     untrusted_app_all_devpts
     update_engine_log_data_file
     vendor_default_prop
+    vendor_security_patch_level_prop
     usbd
     usbd_exec
     usbd_tmpfs
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 226caff0a7b20f3206961bd7670b2a0bc592b37b..19d547fa4b25c6b136cdcf8ab23c99722d3427aa 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -94,6 +94,7 @@
     usbd_tmpfs
     vendor_default_prop
     vendor_init
+    vendor_security_patch_level_prop
     vendor_shell
     vold_metadata_file
     vold_prepare_subdirs
diff --git a/public/property.te b/public/property.te
index 64f309d5dcfd2c3f749d821f92845c46a123cbbe..6fa85dc902d22e5b4782f95c06d7389f8cd19a5e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -53,6 +53,7 @@ type system_radio_prop, property_type, core_property_type;
 type vold_prop, property_type, core_property_type;
 type wifi_log_prop, property_type, log_property_type;
 type wifi_prop, property_type;
+type vendor_security_patch_level_prop, property_type;
 
 # Properties for whitelisting
 type exported_config_prop, property_type;
diff --git a/public/property_contexts b/public/property_contexts
index efc6d6ff17f5437a9204dcb919db52916528415f..5aea752db3e984939b74248981b3b693a6187c35 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -102,6 +102,7 @@ ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
 ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
 ro.url.legal u:object_r:exported3_default_prop:s0 exact string
 ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
+ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
 sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
diff --git a/public/shell.te b/public/shell.te
index c5033ecfc04c327346a83cb48f6ac0d9d7e707d5..66415978659ed214b227965319d2fa95c306d4e1 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -81,6 +81,9 @@ userdebug_or_eng(`
 # Read device's serial number from system properties
 get_prop(shell, serialno_prop)
 
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
 # Read state of logging-related properties
 get_prop(shell, device_logging_prop)
 
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 6a13f6913e8874c9711a28dca301cf9b4eb64dcd..dee2006a8c721e4d3992ef554d428c4f7b37c00d 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -178,6 +178,7 @@ set_prop(vendor_init, log_tag_prop)
 set_prop(vendor_init, log_prop)
 set_prop(vendor_init, serialno_prop)
 set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, vendor_security_patch_level_prop)
 set_prop(vendor_init, wifi_log_prop)
 
 get_prop(vendor_init, exported2_radio_prop)