diff --git a/private/adbd.te b/private/adbd.te
index 7dff8bc86c6df8dc905954d1a2a78290b48dfaf4..23f3c92e35fb17c0a7802c3cb7c7790246ed795d 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -98,6 +98,7 @@ allow adbd system_file:file rx_file_perms;
 # XXX Run screencap in a separate domain?
 binder_use(adbd)
 binder_call(adbd, surfaceflinger)
+binder_call(adbd, gpuservice)
 # b/13188914
 allow adbd gpu_device:chr_file rw_file_perms;
 allow adbd ion_device:chr_file rw_file_perms;
@@ -140,6 +141,7 @@ allow adbd sepolicy_file:file r_file_perms;
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
 
+allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
 allow adbd bootchart_data_file:file r_file_perms;
diff --git a/private/file_contexts b/private/file_contexts
index 0f5dad3d4a6b6a0b53d7ea8706cf882e0e6ea9a1..e5c778481bff05e86154446798ac4289680ca2e4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -211,6 +211,7 @@
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
 /system/bin/hwservicemanager	u:object_r:hwservicemanager_exec:s0
 /system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
+/system/bin/gpuservice	u:object_r:gpuservice_exec:s0
 /system/bin/bufferhubd	u:object_r:bufferhubd_exec:s0
 /system/bin/performanced	u:object_r:performanced_exec:s0
 /system/bin/drmserver	u:object_r:drmserver_exec:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
new file mode 100644
index 0000000000000000000000000000000000000000..6cbd89c287713c543527697751a9f9d998268462
--- /dev/null
+++ b/private/gpuservice.te
@@ -0,0 +1,31 @@
+# gpu service
+type gpuservice, domain, coredomain;
+type gpuservice_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(gpuservice)
+
+binder_call(gpuservice, adbd)
+binder_call(gpuservice, shell)
+binder_use(gpuservice)
+
+# Access the GPU.
+allow gpuservice gpu_device:chr_file rw_file_perms;
+
+# GPU service will need to load GPU driver, for example Vulkan driver in order
+# to get the capability of the driver.
+allow gpuservice same_process_hal_file:file { open read getattr execute map };
+allow gpuservice ion_device:chr_file r_file_perms;
+get_prop(gpuservice, hwservicemanager_prop)
+hwbinder_use(gpuservice)
+
+# Access /dev/graphics/fb0.
+allow gpuservice graphics_device:dir search;
+allow gpuservice graphics_device:chr_file rw_file_perms;
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow gpuservice adbd:unix_stream_socket { read write getattr };
+
+add_service(gpuservice, gpu_service)
+
+# Only uncomment below line when in development
+# userdebug_or_eng(`permissive gpuservice;')
diff --git a/private/service_contexts b/private/service_contexts
index 458c43abea61390fc6ebddb9ffe080b3adad36cd..de1c2e0aff0a14c0f122c8b938a3e121e0b87ce2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -62,7 +62,7 @@ font                                      u:object_r:font_service:s0
 android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
 graphicsstats                             u:object_r:graphicsstats_service:s0
-gpu                                       u:object_r:gpu_service:s0
+gpuservice                                u:object_r:gpu_service:s0
 hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 000ebe1c3bcffc777db8efae6f1b8756e9b0ec05..8652ee850b669d8b0f46f4c9c3303dc3a99e81c5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -75,9 +75,7 @@ r_dir_file(surfaceflinger, dumpstate)
 # but seems expected and appropriate for all devices.
 allow surfaceflinger tee_device:chr_file rw_file_perms;
 
-
 # media.player service
-add_service(surfaceflinger, gpu_service)
 
 # do not use add_service() as hal_graphics_composer_default may be the
 # provider as well
diff --git a/private/system_server.te b/private/system_server.te
index a96b82be61a64da5fa30879f79d239aac5be3bd4..1edea50aabf045a8d5b0f4b8c0a970302e56b210 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -173,6 +173,8 @@ unix_socket_send(system_server, statsdw, statsd)
 # Communicate over a socket created by surfaceflinger.
 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 
+allow system_server gpuservice:unix_stream_socket { read write setopt };
+
 # Communicate over a socket created by webview_zygote.
 allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
 
@@ -254,6 +256,7 @@ allow system_server {
   audioserver
   cameraserver
   drmserver
+  gpuservice
   inputflinger
   mediadrmserver
   mediaextractor
@@ -651,6 +654,7 @@ allow system_server dumpstate_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
 allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
+allow system_server gpu_service:service_manager find;
 allow system_server incident_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server keystore_service:service_manager find;