diff --git a/domain.te b/domain.te
index 06959a5d2f3bd8cf5242b10b506e06c6d0890f62..a67a8554f40cb76d33426f39e73f2170899c6327 100644
--- a/domain.te
+++ b/domain.te
@@ -370,3 +370,8 @@ neverallow domain domain:{ shm sem msg msgq } *;
 # Do not mount on top of symlinks, fifos, or sockets.
 # Feature parity with Chromium LSM.
 neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+
+# Nobody should be able to execute su on user builds.
+# On userdebug/eng builds, only dumpstate, shell, and
+# su itself execute su.
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
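Review bot: The comment on the new rule reads as if it were a runtime restriction, but neverallow is a build-time assertion: it makes the policy compile fail if any allow rule grants su_exec execution to a non-exempted domain, and by itself denies nothing, so the comment should say so to stop someone dropping the rule later as "redundant" with su not being shipped on user builds. The choice of `no_x_file_perms` over a bare `execute` is also worth stating, since (if that is the usual `{ execute execute_no_trans entrypoint }` macro) it also forbids an exempted-less domain from running su_exec in its own context without a transition. Suggested comment: `# Build-time assertion (neverallow): no allow rule may grant execute, execute_no_trans or entrypoint on su_exec outside the exemption list, and on user builds that list is empty.` The three exemptions presumably correspond to allow rules in the dumpstate, shell and su policy files, which this hunk does not show; confirm those rules are themselves guarded by userdebug_or_eng so the assertion and the grants agree across build variants.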