diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index cfda7483f0c7361bca2e0bd91c391dae8e1334a6..3e22734798dd9722885c09e439dc527acba30a71 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -112,6 +112,7 @@
     untrusted_app_all_devpts
     update_engine_log_data_file
     vendor_default_prop
+    vendor_security_patch_level_prop
     usbd
     usbd_exec
     usbd_tmpfs
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index a3f7bb5ad58dc53efdc90dc245530179fa406831..5428d83238f892dfe6806da0bce8a1c36eca73fb 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -91,6 +91,7 @@
     usbd_tmpfs
     vendor_default_prop
     vendor_init
+    vendor_security_patch_level_prop
     vendor_shell
     vold_metadata_file
     vold_prepare_subdirs
diff --git a/public/property.te b/public/property.te
index 64f309d5dcfd2c3f749d821f92845c46a123cbbe..6fa85dc902d22e5b4782f95c06d7389f8cd19a5e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -53,6 +53,7 @@ type system_radio_prop, property_type, core_property_type;
 type vold_prop, property_type, core_property_type;
 type wifi_log_prop, property_type, log_property_type;
 type wifi_prop, property_type;
+type vendor_security_patch_level_prop, property_type;
 
 # Properties for whitelisting
 type exported_config_prop, property_type;
diff --git a/public/property_contexts b/public/property_contexts
index 20f63485d0f50ee1fe087e830f29ca911e0abb52..48e91a74dd6e5ea2d76163d794feb613b26f69d8 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -102,6 +102,7 @@ ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
 ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
 ro.url.legal u:object_r:exported3_default_prop:s0 exact string
 ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
+ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
 sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
diff --git a/public/shell.te b/public/shell.te
index c5033ecfc04c327346a83cb48f6ac0d9d7e707d5..66415978659ed214b227965319d2fa95c306d4e1 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -81,6 +81,9 @@ userdebug_or_eng(`
 # Read device's serial number from system properties
 get_prop(shell, serialno_prop)
 
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
 # Read state of logging-related properties
 get_prop(shell, device_logging_prop)
 
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 6a13f6913e8874c9711a28dca301cf9b4eb64dcd..dee2006a8c721e4d3992ef554d428c4f7b37c00d 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -178,6 +178,7 @@ set_prop(vendor_init, log_tag_prop)
 set_prop(vendor_init, log_prop)
 set_prop(vendor_init, serialno_prop)
 set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, vendor_security_patch_level_prop)
 set_prop(vendor_init, wifi_log_prop)
 
 get_prop(vendor_init, exported2_radio_prop)