diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index b4a21814b00863e0f08a472b2529f1701685a5a8..2b94827b297b1bb252ec7e78e5c5a5e5d16cc10d 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -20,8 +20,7 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
 # services
 allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
-# TODO: Replace app_api_service with a smaller ephemeral_api_service
-allow ephemeral_app app_api_service:service_manager find;
+allow ephemeral_app ephemeral_app_api_service:service_manager find;
 
 ###
 ### neverallow rules
diff --git a/public/attributes b/public/attributes
index 55f87ca683f6f1e2cabe8f93783173f476da2029..0fd94443d2b0150541d54c96b16930cd990b1ac6 100644
--- a/public/attributes
+++ b/public/attributes
@@ -76,6 +76,9 @@ attribute system_server_service;
 # services which should be available to all but isolated apps
 attribute app_api_service;
 
+# services which should be available to all ephemeral apps
+attribute ephemeral_app_api_service;
+
 # services which export only system_api
 attribute system_api_service;
 
diff --git a/public/service.te b/public/service.te
index ec53bb9a6eef8cf1bab48ca077efb9558df31933..a6e36ba1f1199e68bdc0de725965c17bd5e7d3dc 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,5 +1,5 @@
 type audioserver_service,       service_manager_type;
-type batteryproperties_service, app_api_service, service_manager_type;
+type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
 type bluetooth_service,         service_manager_type;
 type cameraserver_service,      service_manager_type;
 type default_android_service,   service_manager_type;
@@ -29,113 +29,113 @@ type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 
 # system_server_services broken down
-type accessibility_service, app_api_service, system_server_service, service_manager_type;
-type account_service, app_api_service, system_server_service, service_manager_type;
-type activity_service, app_api_service, system_server_service, service_manager_type;
-type alarm_service, app_api_service, system_server_service, service_manager_type;
-type appops_service, app_api_service, system_server_service, service_manager_type;
-type appwidget_service, app_api_service, system_server_service, service_manager_type;
-type assetatlas_service, app_api_service, system_server_service, service_manager_type;
-type audio_service, app_api_service, system_server_service, service_manager_type;
-type autofill_service, app_api_service, system_server_service, service_manager_type;
-type backup_service, app_api_service, system_server_service, service_manager_type;
-type batterystats_service, app_api_service, system_server_service, service_manager_type;
+type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type battery_service, system_server_service, service_manager_type;
-type bluetooth_manager_service, app_api_service, system_server_service, service_manager_type;
+type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type cameraproxy_service, system_server_service, service_manager_type;
-type clipboard_service, app_api_service, system_server_service, service_manager_type;
-type contexthub_service, app_api_service, system_server_service, service_manager_type;
-type IProxyService_service, app_api_service, system_server_service, service_manager_type;
+type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type contexthub_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type commontime_management_service, system_server_service, service_manager_type;
-type companion_device_service, app_api_service, system_server_service, service_manager_type;
-type connectivity_service, app_api_service, system_server_service, service_manager_type;
-type connmetrics_service, app_api_service, system_server_service, service_manager_type;
-type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
-type content_service, app_api_service, system_server_service, service_manager_type;
-type country_detector_service, app_api_service, system_server_service, service_manager_type;
+type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 # Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
 # with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
 type coverage_service, system_server_service, service_manager_type;
 type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
 type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type deviceidle_service, app_api_service, system_server_service, service_manager_type;
-type device_identifiers_service, app_api_service, system_server_service, service_manager_type;
+type device_policy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type devicestoragemonitor_service, system_server_service, service_manager_type;
 type diskstats_service, system_api_service, system_server_service, service_manager_type;
-type display_service, app_api_service, system_server_service, service_manager_type;
-type font_service, app_api_service, system_server_service, service_manager_type;
+type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type netd_listener_service, system_server_service, service_manager_type;
 type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, app_api_service, system_server_service, service_manager_type;
-type dropbox_service, app_api_service, system_server_service, service_manager_type;
-type ethernet_service, app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type graphicsstats_service, app_api_service, system_server_service, service_manager_type;
+type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type hardware_service, system_server_service, service_manager_type;
-type hardware_properties_service, app_api_service, system_server_service, service_manager_type;
+type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
-type input_method_service, app_api_service, system_server_service, service_manager_type;
-type input_service, app_api_service, system_server_service, service_manager_type;
-type imms_service, app_api_service, system_server_service, service_manager_type;
-type jobscheduler_service, app_api_service, system_server_service, service_manager_type;
-type launcherapps_service, app_api_service, system_server_service, service_manager_type;
-type location_service, app_api_service, system_server_service, service_manager_type;
+type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type lock_settings_service, system_api_service, system_server_service, service_manager_type;
-type media_projection_service, app_api_service, system_server_service, service_manager_type;
-type media_router_service, app_api_service, system_server_service, service_manager_type;
-type media_session_service, app_api_service, system_server_service, service_manager_type;
+type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type meminfo_service, system_api_service, system_server_service, service_manager_type;
-type midi_service, app_api_service, system_server_service, service_manager_type;
-type mount_service, app_api_service, system_server_service, service_manager_type;
-type netpolicy_service, app_api_service, system_server_service, service_manager_type;
-type netstats_service, app_api_service, system_server_service, service_manager_type;
-type network_management_service, app_api_service, system_server_service, service_manager_type;
+type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type network_score_service, system_api_service, system_server_service, service_manager_type;
 type network_time_update_service, system_server_service, service_manager_type;
-type notification_service, app_api_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type otadexopt_service, system_server_service, service_manager_type;
 type overlay_service, system_server_service, service_manager_type;
-type package_service, app_api_service, system_server_service, service_manager_type;
-type permission_service, app_api_service, system_server_service, service_manager_type;
+type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
 type pinner_service, system_server_service, service_manager_type;
-type power_service, app_api_service, system_server_service, service_manager_type;
-type print_service, app_api_service, system_server_service, service_manager_type;
+type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type processinfo_service, system_server_service, service_manager_type;
-type procstats_service, app_api_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type recovery_service, system_server_service, service_manager_type;
-type registry_service, app_api_service, system_server_service, service_manager_type;
-type restrictions_service, app_api_service, system_server_service, service_manager_type;
-type rttmanager_service, app_api_service, system_server_service, service_manager_type;
+type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
 type scheduling_policy_service, system_server_service, service_manager_type;
-type search_service, app_api_service, system_server_service, service_manager_type;
+type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
-type sensorservice_service, app_api_service, system_server_service, service_manager_type;
+type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type serial_service, system_api_service, system_server_service, service_manager_type;
-type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
-type settings_service, app_api_service, system_server_service, service_manager_type;
-type shortcut_service, app_api_service, system_server_service, service_manager_type;
-type statusbar_service, app_api_service, system_server_service, service_manager_type;
-type storagestats_service, app_api_service, system_server_service, service_manager_type;
+type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type task_service, system_server_service, service_manager_type;
-type textclassification_service, app_api_service, system_server_service, service_manager_type;
-type textservices_service, app_api_service, system_server_service, service_manager_type;
-type telecom_service, app_api_service, system_server_service, service_manager_type;
-type trust_service, app_api_service, system_server_service, service_manager_type;
-type tv_input_service, app_api_service, system_server_service, service_manager_type;
-type uimode_service, app_api_service, system_server_service, service_manager_type;
+type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type trust_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type updatelock_service, system_api_service, system_server_service, service_manager_type;
-type usagestats_service, app_api_service, system_server_service, service_manager_type;
-type usb_service, app_api_service, system_server_service, service_manager_type;
-type user_service, app_api_service, system_server_service, service_manager_type;
-type vibrator_service, app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
+type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type vr_manager_service, system_server_service, service_manager_type;
 type wallpaper_service, app_api_service, system_server_service, service_manager_type;
-type webviewupdate_service, app_api_service, system_server_service, service_manager_type;
+type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type wifip2p_service, app_api_service, system_server_service, service_manager_type;
 type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
 type wifi_service, app_api_service, system_server_service, service_manager_type;