diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
index ac11a3a108eeb4f449a1c21304752a2bdf5c07c1..439c1f80f8460e5526c9f704f21446936456252f 100644
--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
@@ -87,7 +87,7 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
 not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system
@@ -178,7 +178,6 @@ userdebug_or_eng(`
 allow {
     untrusted_app_25
     untrusted_app_27
-    ephemeral_app
     priv_app
     system_app
     platform_app
@@ -190,7 +189,6 @@ r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 r_dir_file({
     untrusted_app_25
     untrusted_app_27
-    ephemeral_app
     priv_app
     system_app
     platform_app
@@ -201,7 +199,6 @@ r_dir_file({
 allow {
     untrusted_app_25
     untrusted_app_27
-    ephemeral_app
     priv_app
     system_app
     platform_app
diff --git a/prebuilts/api/28.0/public/property.te b/prebuilts/api/28.0/public/property.te
index afff2fa05a04ae09a205bd2c9db80425fb5853c8..09200b836925496d4c1d0423ac39aad4cbc51765 100644
--- a/prebuilts/api/28.0/public/property.te
+++ b/prebuilts/api/28.0/public/property.te
@@ -309,3 +309,104 @@ compatible_property_only(`
     wifi_prop
   }:file no_rw_file_perms;
 ')
+
+compatible_property_only(`
+  # Neverallow coredomain to set vendor properties
+  neverallow {
+    coredomain
+    -init
+    -system_writes_vendor_properties_violators
+  } {
+    property_type
+    -audio_prop
+    -bluetooth_a2dp_offload_prop
+    -bluetooth_prop
+    -bootloader_boot_reason_prop
+    -boottime_prop
+    -config_prop
+    -cppreopt_prop
+    -ctl_bootanim_prop
+    -ctl_bugreport_prop
+    -ctl_console_prop
+    -ctl_default_prop
+    -ctl_dumpstate_prop
+    -ctl_fuse_prop
+    -ctl_interface_restart_prop
+    -ctl_interface_start_prop
+    -ctl_interface_stop_prop
+    -ctl_mdnsd_prop
+    -ctl_restart_prop
+    -ctl_rildaemon_prop
+    -ctl_sigstop_prop
+    -ctl_start_prop
+    -ctl_stop_prop
+    -dalvik_prop
+    -debug_prop
+    -debuggerd_prop
+    -default_prop
+    -device_logging_prop
+    -dhcp_prop
+    -dumpstate_options_prop
+    -dumpstate_prop
+    -exported2_config_prop
+    -exported2_default_prop
+    -exported2_radio_prop
+    -exported2_system_prop
+    -exported2_vold_prop
+    -exported3_default_prop
+    -exported3_radio_prop
+    -exported3_system_prop
+    -exported_bluetooth_prop
+    -exported_config_prop
+    -exported_dalvik_prop
+    -exported_default_prop
+    -exported_dumpstate_prop
+    -exported_ffs_prop
+    -exported_fingerprint_prop
+    -exported_overlay_prop
+    -exported_pm_prop
+    -exported_radio_prop
+    -exported_secure_prop
+    -exported_system_prop
+    -exported_system_radio_prop
+    -exported_vold_prop
+    -exported_wifi_prop
+    -extended_core_property_type
+    -ffs_prop
+    -fingerprint_prop
+    -firstboot_prop
+    -hwservicemanager_prop
+    -last_boot_reason_prop
+    -log_prop
+    -log_tag_prop
+    -logd_prop
+    -logpersistd_logging_prop
+    -lowpan_prop
+    -mmc_prop
+    -net_dns_prop
+    -net_radio_prop
+    -netd_stable_secret_prop
+    -nfc_prop
+    -overlay_prop
+    -pan_result_prop
+    -persist_debug_prop
+    -persistent_properties_ready_prop
+    -pm_prop
+    -powerctl_prop
+    -radio_prop
+    -restorecon_prop
+    -safemode_prop
+    -serialno_prop
+    -shell_prop
+    -system_boot_reason_prop
+    -system_prop
+    -system_radio_prop
+    -test_boot_reason_prop
+    -traced_enabled_prop
+    -vendor_default_prop
+    -vendor_security_patch_level_prop
+    -vold_prop
+    -wifi_log_prop
+    -wifi_prop
+  }:property_service set;
+')
diff --git a/public/app.te b/public/app.te
index ac11a3a108eeb4f449a1c21304752a2bdf5c07c1..439c1f80f8460e5526c9f704f21446936456252f 100644
--- a/public/app.te
+++ b/public/app.te
@@ -87,7 +87,7 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
 not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system
@@ -178,7 +178,6 @@ userdebug_or_eng(`
 allow {
     untrusted_app_25
     untrusted_app_27
-    ephemeral_app
     priv_app
     system_app
     platform_app
@@ -190,7 +189,6 @@ r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 r_dir_file({
     untrusted_app_25
     untrusted_app_27
-    ephemeral_app
     priv_app
     system_app
     platform_app
@@ -201,7 +199,6 @@ r_dir_file({
 allow {
     untrusted_app_25
     untrusted_app_27
-    ephemeral_app
     priv_app
     system_app
     platform_app
diff --git a/public/property.te b/public/property.te
index afff2fa05a04ae09a205bd2c9db80425fb5853c8..09200b836925496d4c1d0423ac39aad4cbc51765 100644
--- a/public/property.te
+++ b/public/property.te
@@ -309,3 +309,104 @@ compatible_property_only(`
     wifi_prop
   }:file no_rw_file_perms;
 ')
+
+compatible_property_only(`
+  # Neverallow coredomain to set vendor properties
+  neverallow {
+    coredomain
+    -init
+    -system_writes_vendor_properties_violators
+  } {
+    property_type
+    -audio_prop
+    -bluetooth_a2dp_offload_prop
+    -bluetooth_prop
+    -bootloader_boot_reason_prop
+    -boottime_prop
+    -config_prop
+    -cppreopt_prop
+    -ctl_bootanim_prop
+    -ctl_bugreport_prop
+    -ctl_console_prop
+    -ctl_default_prop
+    -ctl_dumpstate_prop
+    -ctl_fuse_prop
+    -ctl_interface_restart_prop
+    -ctl_interface_start_prop
+    -ctl_interface_stop_prop
+    -ctl_mdnsd_prop
+    -ctl_restart_prop
+    -ctl_rildaemon_prop
+    -ctl_sigstop_prop
+    -ctl_start_prop
+    -ctl_stop_prop
+    -dalvik_prop
+    -debug_prop
+    -debuggerd_prop
+    -default_prop
+    -device_logging_prop
+    -dhcp_prop
+    -dumpstate_options_prop
+    -dumpstate_prop
+    -exported2_config_prop
+    -exported2_default_prop
+    -exported2_radio_prop
+    -exported2_system_prop
+    -exported2_vold_prop
+    -exported3_default_prop
+    -exported3_radio_prop
+    -exported3_system_prop
+    -exported_bluetooth_prop
+    -exported_config_prop
+    -exported_dalvik_prop
+    -exported_default_prop
+    -exported_dumpstate_prop
+    -exported_ffs_prop
+    -exported_fingerprint_prop
+    -exported_overlay_prop
+    -exported_pm_prop
+    -exported_radio_prop
+    -exported_secure_prop
+    -exported_system_prop
+    -exported_system_radio_prop
+    -exported_vold_prop
+    -exported_wifi_prop
+    -extended_core_property_type
+    -ffs_prop
+    -fingerprint_prop
+    -firstboot_prop
+    -hwservicemanager_prop
+    -last_boot_reason_prop
+    -log_prop
+    -log_tag_prop
+    -logd_prop
+    -logpersistd_logging_prop
+    -lowpan_prop
+    -mmc_prop
+    -net_dns_prop
+    -net_radio_prop
+    -netd_stable_secret_prop
+    -nfc_prop
+    -overlay_prop
+    -pan_result_prop
+    -persist_debug_prop
+    -persistent_properties_ready_prop
+    -pm_prop
+    -powerctl_prop
+    -radio_prop
+    -restorecon_prop
+    -safemode_prop
+    -serialno_prop
+    -shell_prop
+    -system_boot_reason_prop
+    -system_prop
+    -system_radio_prop
+    -test_boot_reason_prop
+    -traced_enabled_prop
+    -vendor_default_prop
+    -vendor_security_patch_level_prop
+    -vold_prop
+    -wifi_log_prop
+    -wifi_prop
+  }:property_service set;
+')