diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 9df4f120db58fc010dedde94ab448ddcb7b70727..824761481332028dc056b8f050dd0e5112c81601 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -35,6 +35,7 @@
     fwk_stats_hwservice
     color_display_service
     hal_atrace_hwservice
+    hal_face_hwservice
     hal_health_storage_hwservice
     hal_power_stats_hwservice
     hal_system_suspend_default
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index f64eccd0bb4a06c806e9a3ea5ed015d39f92af53..1fead4098f1ee1135851e4f6dc8c6f49dc1019de 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -10,6 +10,7 @@ android.hardware.authsecret::IAuthSecret                        u:object_r:hal_a
 android.hardware.automotive.audiocontrol::IAudioControl         u:object_r:hal_audiocontrol_hwservice:s0
 android.hardware.automotive.evs::IEvsEnumerator                 u:object_r:hal_evs_hwservice:s0
 android.hardware.automotive.vehicle::IVehicle                   u:object_r:hal_vehicle_hwservice:s0
+android.hardware.biometrics.face::IBiometricsFace               u:object_r:hal_face_hwservice:s0
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
 android.hardware.bluetooth.a2dp::IBluetoothAudioOffload         u:object_r:hal_audio_hwservice:s0
diff --git a/private/system_server.te b/private/system_server.te
index ed864f5898925dd50b6e955d73f007cc56f7370b..b8e051117cccc06eb4661c2e2c88e11c3bc6adee 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -205,6 +205,7 @@ hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_face)
 hal_client_domain(system_server, hal_fingerprint)
 hal_client_domain(system_server, hal_gnss)
 hal_client_domain(system_server, hal_graphics_allocator)
diff --git a/public/attributes b/public/attributes
index 37c2b94c0f831fe8abf01e346d8c0a0caf4becb9..bc3723c5f83afe77cf2c398191f5cf57fd487491 100644
--- a/public/attributes
+++ b/public/attributes
@@ -258,6 +258,7 @@ hal_attribute(contexthub);
 hal_attribute(drm);
 hal_attribute(dumpstate);
 hal_attribute(evs);
+hal_attribute(face);
 hal_attribute(fingerprint);
 hal_attribute(gatekeeper);
 hal_attribute(gnss);
diff --git a/public/hal_face.te b/public/hal_face.te
new file mode 100644
index 0000000000000000000000000000000000000000..b250586427a2530b2bfd67f716e35ecc88112ccc
--- /dev/null
+++ b/public/hal_face.te
@@ -0,0 +1,12 @@
+# Allow HwBinder IPC from client to server, and vice versa for callbacks.
+binder_call(hal_face_client, hal_face_server)
+binder_call(hal_face_server, hal_face_client)
+
+hal_attribute_hwservice(hal_face, hal_face_hwservice)
+
+# Allow access to the ion memory allocation device.
+allow hal_face ion_device:chr_file r_file_perms;
+
+# Allow read/write access to the face template directory.
+allow hal_face face_vendor_data_file:file create_file_perms;
+allow hal_face face_vendor_data_file:dir rw_dir_perms;
diff --git a/public/hwservice.te b/public/hwservice.te
index 09808b33aed4cd179fbfecf4ec6394ce5db8cdce..a51198164246eedaa4c290316627e9764f219b38 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -20,6 +20,7 @@ type hal_drm_hwservice, hwservice_manager_type;
 type hal_cas_hwservice, hwservice_manager_type;
 type hal_dumpstate_hwservice, hwservice_manager_type;
 type hal_evs_hwservice, hwservice_manager_type;
+type hal_face_hwservice, hwservice_manager_type;
 type hal_fingerprint_hwservice, hwservice_manager_type;
 type hal_gatekeeper_hwservice, hwservice_manager_type;
 type hal_gnss_hwservice, hwservice_manager_type;
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..891d1f4fdfed1aa7384cf2c6abdc6dc1aa51d900
--- /dev/null
+++ b/vendor/hal_face_default.te
@@ -0,0 +1,5 @@
+type hal_face_default, domain;
+hal_server_domain(hal_face_default, hal_face)
+
+type hal_face_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_face_default)