diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 208b941f6b9328ac948ba68fc48db45eb86ca200..92390af9cccb5081e75d26abf4ab9d6d286e4d2d 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -563,7 +563,9 @@
 (typeattributeset runas_exec_26_0 (runas_exec))
 (typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
 (typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0 (same_process_hal_file))
+(typeattributeset same_process_hal_file_26_0
+ ( same_process_hal_file
+ vendor_public_lib_file))
 (typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
 (typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
 (typeattributeset sdcardd_26_0 (sdcardd))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 055ffe20b1d6bb4334f18dd822c60688852f8a6b..0077fa9495d4f3d81e3540d0e27bab94be3ec5b1 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1278,7 +1278,9 @@
 (typeattributeset runas_exec_27_0 (runas_exec))
 (typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
 (typeattributeset safemode_prop_27_0 (safemode_prop))
-(typeattributeset same_process_hal_file_27_0 (same_process_hal_file))
+(typeattributeset same_process_hal_file_27_0
+ ( same_process_hal_file
+ vendor_public_lib_file))
 (typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
 (typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
 (typeattributeset sdcardd_27_0 (sdcardd))
diff --git a/public/app.te b/public/app.te
index cb405c2e2040c44e37eb73d9f891e34a8fe71119..3157f710c909ac60be4846cebf68ae8314327e34 100644
--- a/public/app.te
+++ b/public/app.te
@@ -116,6 +116,10 @@ r_dir_file(appdomain, vendor_overlay_file)
 # for vendor provided libraries.
 r_dir_file(appdomain, vendor_framework_file)
+# Allow apps read / execute access to vendor public libraries.
+allow appdomain vendor_public_lib_file:dir r_dir_perms;
+allow appdomain vendor_public_lib_file:file { execute read open getattr map };
+
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 4df353c13eb97b2255b3c49c357880703406c407..3597d8ba54f4fa3d346200c99edfcf5cc34d4e09 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1026,6 +1026,7 @@ full_treble_only(`
 -same_process_hal_file
 -vndk_sp_file
 -vendor_app_file
+ -vendor_public_lib_file
 }:file execute;
 ')
@@ -1404,3 +1405,11 @@ neverallow {
 coredomain
 -init
 } mnt_vendor_file:dir *;
+
+# Only apps are allowed access to vendor public libraries.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ } vendor_public_lib_file:file { execute execute_no_trans };
+')
diff --git a/public/file.te b/public/file.te
index 3298b2657ac306325c55f7dd8ab9ddce791a7d97..35f6163b4a2f2606fb450f758e628bbe40896638 100644
--- a/public/file.te
+++ b/public/file.te
@@ -149,6 +149,9 @@ type vndk_sp_file, vendor_file_type, file_type;
 type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay
 type vendor_overlay_file, vendor_file_type, file_type;
+# Type for all vendor public libraries. These libs should only be exposed to
+# apps. ABI stability of these libs is vendor's responsibility.
+type vendor_public_lib_file, vendor_file_type, file_type;
 # /metadata partition itself
 type metadata_file, file_type;
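Review bot: The two added allow lines in public/app.te grant to all of `appdomain`, so every app sandbox carrying that attribute, including the most restricted ones, can map and execute whatever a vendor labels `vendor_public_lib_file`; the comment should state that this breadth is intended. The hand-written permission set leaves out `execute_no_trans`, which keeps these files loadable as libraries but not runnable as programs, and that choice deserves a line so nobody later swaps in `rx_file_perms`. I would extend the comment with something like `# Libraries are mapped by the linker only. execute_no_trans is deliberately not granted.`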
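Review bot: The added `-vendor_public_lib_file` exclusion in the first public/domain.te hunk lifts this execute neverallow for every source domain the rule names, not only for apps, and the rule's opening lines are above the hunk, so that set is not visible here. What keeps non-app core domains out is the separate neverallow this commit adds at the end of domain.te. A short comment beside the exclusion, such as `# apps only - enforced by the vendor_public_lib_file neverallow at the end of this file`, would tie the two together so that one is not edited without the other.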
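Review bot: The new neverallow at the end of public/domain.te is narrower than its comment: it blocks only `execute` and `execute_no_trans`, and only for `coredomain -appdomain`, so read, open and map by other core domains are not restricted by this rule, and nothing stops a later rule from giving apps `execute_no_trans` on these files. Rewording the comment to `# Only apps may execute vendor public libraries.` would match what is actually enforced. If the libraries are never meant to be run as programs, `neverallow appdomain vendor_public_lib_file:file execute_no_trans;` would pin the permission set granted in app.te, provided no existing rule already grants it. Separately, the 26.0.cil and 27.0.cil hunks fold the type into `same_process_hal_file_26_0` and `same_process_hal_file_27_0`, so rules in older vendor policy written against those attributes reach it as well; whether those rules are limited to apps cannot be seen from this diff.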
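Review bot: The comment on the new type in public/file.te says who should see these libraries but not how a file gets the label or what the label costs: with the app.te rule in this commit, any file carrying `vendor_public_lib_file` becomes readable and executable by every app. No file_contexts entry is visible in this diff, so labelling presumably happens in vendor policy. I would add a line such as `# Apply only to libraries intended for loading by apps. All app domains get read/execute on this type.`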