diff --git a/public/domain.te b/public/domain.te
index b773124180261875f3f9e1421bd2f3605e37a32a..2620611d8e0ab76da16f39d3bfab9b82ef555c21 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -363,6 +363,14 @@ neverallow {
   -system_server
   -ueventd
 } hw_random_device:chr_file *;
+# b/78174219 b/64114943
+neverallow {
+  domain
+  -init
+  -shell # stat of /dev, getattr only
+  -vendor_init
+  -ueventd
+} keychord_device:chr_file *;
 
 # Ensure that all entrypoint executables are in exec_type or postinstall_file.
 neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;