diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 43ff6b41d5d198db0ecb26114644b97195b1b763..61d650061a2e0e14e22343dc163f1036d183ea91 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -564,7 +564,9 @@
 (typeattributeset runas_exec_26_0 (runas_exec))
 (typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
 (typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0 (same_process_hal_file))
+(typeattributeset same_process_hal_file_26_0
+  ( same_process_hal_file
+    vendor_public_lib_file))
 (typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
 (typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
 (typeattributeset sdcardd_26_0 (sdcardd))
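Review bot: Adding `vendor_public_lib_file` to `same_process_hal_file_26_0` means every rule a 26.0 vendor policy wrote against `same_process_hal_file` now also applies to the new type. That is wider than the "should only be exposed to apps" intent stated in the public/file.te comment of this change. If this is the accepted compatibility trade-off, record it in a CIL comment above the mapping, for example `; Compat: 26.0 vendor rules on same_process_hal_file also reach vendor_public_lib_file.` The same point applies to the `same_process_hal_file_27_0` mapping in private/compat/27.0/27.0.cil.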
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 04826d629bef8b100a47451d50f9fe2eac10c31f..ab0e18c9c1aef1fa78aab5ff0fd1abf8ebc667ca 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1279,7 +1279,9 @@
 (typeattributeset runas_exec_27_0 (runas_exec))
 (typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
 (typeattributeset safemode_prop_27_0 (safemode_prop))
-(typeattributeset same_process_hal_file_27_0 (same_process_hal_file))
+(typeattributeset same_process_hal_file_27_0
+  ( same_process_hal_file
+    vendor_public_lib_file))
 (typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
 (typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
 (typeattributeset sdcardd_27_0 (sdcardd))
diff --git a/public/app.te b/public/app.te
index 5e39a9f0fd72b366d3a38bd6767a1c959f941c01..4ebf4803ead094c003837d64bad50c5d12e8d586 100644
--- a/public/app.te
+++ b/public/app.te
@@ -116,6 +116,10 @@ r_dir_file(appdomain, vendor_overlay_file)
 # for vendor provided libraries.
 r_dir_file(appdomain, vendor_framework_file)
 
+# Allow apps read / execute access to vendor public libraries.
+allow appdomain vendor_public_lib_file:dir r_dir_perms;
+allow appdomain vendor_public_lib_file:file { execute read open getattr map };
+
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
 
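Review bot: The comment above the two new allow rules does not explain why the file permissions are listed by hand rather than through `rx_file_perms`. A later cleanup could swap the macro in and silently add `execute_no_trans`. If that omission is intentional, I would extend the comment to `# Allow apps to load (read/map/execute) vendor public libraries; execute_no_trans is intentionally not granted.` Note also that `appdomain` covers every app domain. The hunk does not show whether more restricted app domains are meant to be included, so narrow the source set if they are not.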
diff --git a/public/domain.te b/public/domain.te
index 62f8bea4046cc215e6d978edacfb40f604142069..b6a0eeca67c2a80167102dc841f0abca56806411 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1026,6 +1026,7 @@ full_treble_only(`
       -same_process_hal_file
       -vndk_sp_file
       -vendor_app_file
+      -vendor_public_lib_file
     }:file execute;
 ')
 
@@ -1404,3 +1405,11 @@ neverallow {
   coredomain
   -init
 } mnt_vendor_file:dir *;
+
+# Only apps are allowed access to vendor public libraries.
+full_treble_only(`
+  neverallow {
+    coredomain
+    -appdomain
+  } vendor_public_lib_file:file { execute execute_no_trans };
+')
diff --git a/public/file.te b/public/file.te
index 9954fed03d37f3631850cee1876d0a7833b74dd3..f525cabd08509b7beb0f17fac9662b06e9daeb79 100644
--- a/public/file.te
+++ b/public/file.te
@@ -150,6 +150,9 @@ type vndk_sp_file, vendor_file_type, file_type;
 type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay
 type vendor_overlay_file, vendor_file_type, file_type;
+# Type for all vendor public libraries. These libs should only be exposed to
+# apps. ABI stability of these libs is vendor's responsibility.
+type vendor_public_lib_file, vendor_file_type, file_type;
 
 # /metadata partition itself
 type metadata_file, file_type;
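Review bot: The comment on the new `vendor_public_lib_file` type does not say which paths receive the label, and no file_contexts entry appears in the visible diff. As shown, nothing is labeled with this type and the allow and neverallow rules added elsewhere in the change would match no file. If labeling is left to the vendor's own file_contexts, say so in the comment, for example `# Platform policy labels no path with this type; vendors assign it in their file_contexts.` If a platform file_contexts entry exists outside this view, a pointer to it in the comment would serve the same purpose.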