diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 8b53ff57ab0d723be3387ca2f34464d482cfcf12..0f0f5776616e5a072c7f67d72b6242c51c66155f 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -108,6 +108,10 @@ neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
 # against privileged system components
 neverallow all_untrusted_apps system_file:file lock;
 
+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
 # Do not permit access from apps which host arbitrary code to HwBinder services,
 # except those considered sufficiently safe for access from such apps.
 # The two main reasons for this are: