diff --git a/private/file_contexts b/private/file_contexts
index 00d0e4cc38b9c5e5a9b64caeef063d7e46bd4acb..9feeef9cfad621f4ef0a32430645fc20b5dac8fc 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -259,7 +259,20 @@
 #############################
 # Vendor files
 #
-/vendor(/.*)?		u:object_r:system_file:s0
+/(vendor|system/vendor)(/.*)?                  u:object_r:vendor_file:s0
+/(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
+
+/(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
+
+# TODO: b/36790901 move this to /vendor/etc
+/(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/app(/.*)?              u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
+
+# HAL location
+/(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
+
 /vendor/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index 6f19e38b20d7a728c90e2187854a492fe7c55669..430234313c684d99e635f72cf2c7fb576a083196 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -294,6 +294,9 @@ allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
+# Access /vendor/app
+r_dir_file(system_server, vendor_app_file)
+
 # Manage /data/app-private.
 allow system_server apk_private_data_file:dir create_dir_perms;
 allow system_server apk_private_data_file:file create_file_perms;
diff --git a/public/attributes b/public/attributes
index b7f0701ce7e8e3ce9ffa749590f99aeb0545ff4e..852dcd75c87eb57dd13144778b35c678d6521af6 100644
--- a/public/attributes
+++ b/public/attributes
@@ -41,6 +41,9 @@ attribute exec_type;
 attribute data_file_type;
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
+# All types in /vendor
+attribute vendor_file_type;
+
 # All vendor domains which violate the requirement of not accessing
 # data outside /data/vendor.
 # TODO(b/34980020): Remove this once there are no violations
diff --git a/public/crash_dump.te b/public/crash_dump.te
index a0e278a1347ba1d78265222228df4465e097f5be..ee617a171cf7fdc90531093b61943d88e65ede2f 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -34,6 +34,9 @@ allow crash_dump dalvikcache_data_file:file r_file_perms;
 # Read APK files.
 r_dir_file(crash_dump, apk_data_file);
 
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
 # Talk to tombstoned
 unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
 
diff --git a/public/domain.te b/public/domain.te
index 4a0ee76c84dd373e0ef9aca34df425c54cb8fa1f..4fc3bc03c73aaa7c0e83e5e64f25c21b1455f951 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -102,6 +102,61 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file { getattr read };
 
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+    allow domain vendor_file_type:dir { search getattr };
+    allow domain vendor_file_type:file { execute read open getattr };
+    allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow domain same_process_hal_file:file { execute read open getattr };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr };
+
+# TODO: (b/36681074) - Remove after this is resolved
+# TODO: (b/36680116, b/36656392, b/36681210) All need directory
+# lookup to find / open their libraries
+full_treble_only(`
+    # Everyone needs to lookup libraries in /vendor/lib(64)
+    # through linker/loader.
+    allow domain vendor_file:dir { getattr search };
+
+    # TODO: b/36681210, find out who needs access and only allow
+    # specific domains for Treble
+    allow domain vendor_app_file:dir r_dir_perms;
+    allow domain vendor_app_file:file { read open getattr };
+
+    # Some apps (com.android.phone) need to be able to open
+    # symlinked libraries
+    # TODO: b/36806861
+    allow domain vendor_app_file:lnk_file { open read };
+
+    # TODO: b/36656392, find out who needs access and only allow
+    # specific domains.
+    allow domain vendor_overlay_file:dir r_dir_perms;
+    allow domain vendor_overlay_file:file { read open getattr };
+
+    # TODO: b/36680116, find out who neeeds access and only allow
+    # specific domains
+    allow domain vendor_framework_file:dir r_dir_perms;
+    allow domain vendor_framework_file:file { read open getattr };
+
+    # Allow reading and executing out of /vendor to all vendor domains
+    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+    allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
+    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;
 
@@ -307,7 +362,14 @@ neverallow {
     -system_server
     -webview_zygote
     -zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
+} {
+    file_type
+    -system_file
+    -vendor_file_type
+    -exec_type
+    -postinstall_file
+}:file execute;
+
 neverallow {
     domain
     -appdomain # for oemfs
@@ -336,14 +398,22 @@ neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms
 neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
 neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
 
-# Only recovery should be doing writes to /system
-neverallow { domain -recovery with_asan(`-asan_extract') } { system_file exec_type }:dir_file_class_set
-    { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file exec_type }:dir_file_class_set relabelto;
+# Only recovery should be doing writes to /system & /vendor
+neverallow {
+    domain
+    -recovery
+    with_asan(`-asan_extract')
+} {
+    system_file
+    vendor_file_type
+    exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } system_file:dir_file_class_set mounton;
+neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
 neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
@@ -897,7 +967,7 @@ neverallow {
 # Enforce restrictions on kernel module origin.
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
-neverallow * ~{ system_file rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file_type rootfs }:system module_load;
 
 # Only allow filesystem caps to be set at build time or
 # during upgrade by recovery.
diff --git a/public/file.te b/public/file.te
index 0ee1500ad9ee6ed18b192d46dc7e236a660f2bea..6468d16af23b3514033e0829d5367b82e0c93bf2 100644
--- a/public/file.te
+++ b/public/file.te
@@ -78,8 +78,27 @@ type app_fusefs, fs_type, contextmount_type;
 
 # File types
 type unlabeled, file_type;
+
 # Default type for anything under /system.
 type system_file, file_type;
+
+# Default type for directories search for
+# HAL implementations
+type vendor_hal_file, vendor_file_type, file_type;
+# Default type for under /vendor or /system/vendor
+type vendor_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/app
+type vendor_app_file, vendor_file_type, file_type;
+# Default type for everything under /vendor/etc/
+type vendor_configs_file, vendor_file_type, file_type;
+# Default type for all *same process* HALs.
+# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
+type same_process_hal_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/framework
+type vendor_framework_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/overlay
+type vendor_overlay_file, vendor_file_type, file_type;
+
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
diff --git a/public/init.te b/public/init.te
index 4af41ec978db4f9e72160665050d46ce89365341..0deb8cdc9b914d8e2d13a5032f2b45abc08b6574 100644
--- a/public/init.te
+++ b/public/init.te
@@ -60,7 +60,7 @@ allow init self:capability sys_admin;
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file postinstall_mnt_dir }:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
 
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
@@ -127,6 +127,7 @@ allow init {
   -misc_logd_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
 }:dir { create search getattr open read setattr ioctl };
 
 allow init {
@@ -138,6 +139,7 @@ allow init {
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:dir { write add_name remove_name rmdir relabelfrom };
 
@@ -151,6 +153,7 @@ allow init {
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:file { create getattr open read write setattr relabelfrom unlink };
 
@@ -163,6 +166,7 @@ allow init {
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
@@ -175,12 +179,13 @@ allow init {
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow init cache_file:lnk_file r_file_perms;
 
-allow init { file_type -system_file -exec_type }:dir_file_class_set relabelto;
+allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
 allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
@@ -384,6 +389,7 @@ unix_socket_connect(init, vold, vold)
 allow init misc_block_device:blk_file w_file_perms;
 
 r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
 allow init proc_meminfo:file r_file_perms;
 
 allow init system_data_file:file { getattr read };
diff --git a/public/te_macros b/public/te_macros
index bf75690b2ecd88a39a3784997b176d43150e97d0..bc672788ee107f254e8e79ecccef27799c47f0a3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -181,6 +181,8 @@ typeattribute $1 $2_client;
 typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
 ')
 
 #####################################
@@ -197,6 +199,8 @@ typeattribute $1 $2_client;
 typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
 ')
 
 #####################################
diff --git a/public/ueventd.te b/public/ueventd.te
index 512b019d471a33241066b2d531ce003df393241c..8ec667e047a05c86c088fe7c372081314057a6f4 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -29,6 +29,9 @@ allow ueventd efs_file:file r_file_perms;
 # Get SELinux enforcing status.
 r_dir_file(ueventd, selinuxfs)
 
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, vendor_file)
+
 # Get file contexts for new device nodes
 allow ueventd file_contexts_file:file r_file_perms;
 
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ea0ef29f6f01d9a2d5ba9cc2dde62442b062d228..5ccfab40cbe1e7a8bd7cc42ec49fedaee7bf3747 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -33,6 +33,13 @@
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
+
+#############################
+# Same process HALs installed by platform into /vendor
+#
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so     u:object_r:same_process_hal_file:s0
+
 #############################
 # Data files
 #