diff --git a/private/file_contexts b/private/file_contexts
index 9a1c4967634213da542d1ee7bcbc66cf94d9191d..4d62109260161c3934d606bd380fdd5e120f3c51 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -155,6 +155,7 @@
 /dev/usb_accessory	u:object_r:usbaccessory_device:s0
 /dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
+/dev/vndbinder		u:object_r:vndbinder_device:s0
 /dev/watchdog		u:object_r:watchdog_device:s0
 /dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
diff --git a/public/device.te b/public/device.te
index c9c64dc00dd0639c1772619cd8e89ec47612be7d..53414e2cf518915676d2665c10e95c707916eb19 100644
--- a/public/device.te
+++ b/public/device.te
@@ -7,6 +7,7 @@ type audio_timer_device, dev_type;
 type audio_seq_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
 type block_device, dev_type;
 type camera_device, dev_type;
 type dm_device, dev_type;
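Review bot: The new `type vndbinder_device, dev_type;` line drops the `mlstrustedobject` attribute that the neighbouring `binder_device` and `hwbinder_device` declarations both carry, so on MLS-enforcing builds any domain confined to a category set would be unable to open the node even if it is later granted `vndbinder_use`. If that is deliberate because only vendor processes, which are not category-constrained, are expected to reach /dev/vndbinder, it is worth stating so the next person does not "fix" it by adding the attribute: `# no mlstrustedobject: vndbinder is for vendor processes only, which are not MLS-categorised`. If it is not deliberate, the line should match its neighbours.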
diff --git a/public/domain.te b/public/domain.te
index 9631c9c76a580eaa52295131e287ead5b8c653da..5f7da0bf369972fe348163859c537e3145b431ea 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,8 +66,8 @@ allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
-allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
-allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;
@@ -410,11 +410,15 @@ neverallow {
   -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
-# Only servicemanager/hwservicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager} *:binder set_context_mgr;
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
 # The service managers are only allowed to access their own device node
 neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
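Review bot: The added neverallows only keep the three context managers off each other's device nodes; nothing in this hunk prevents an ordinary system domain from being granted `vndbinder_device:chr_file` access, so the vendor-only boundary that the TODO in vendor/vndservicemanager.te describes is not enforced at policy-compile time, only by convention in who calls `vndbinder_use`. A compile-time guard alongside the new lines would close that gap, for example `neverallow { coredomain -vndservicemanager } vndbinder_device:chr_file no_rw_file_perms;` if the tree already carries the `coredomain` attribute, with any system domain that legitimately needs vndbinder listed explicitly in the exclusion set. The existing "The service managers are only allowed to access their own device node" comment could then be extended to say that vndbinder is additionally restricted to vendor domains.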
diff --git a/public/te_macros b/public/te_macros
index 60de5684e9532b8ae530da69bd7fc601d3d929f8..103b73b3e74114dcc4bd36d70d881e267b62d8ec 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -313,6 +313,20 @@ get_prop($1, vold_prop)
 # all domains in domain.te.
 ')
 
+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:process getattr;
+')
+
 #####################################
 # binder_call(clientdomain, serverdomain)
 # Allow clientdomain to perform binder IPC to serverdomain.
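Review bot: The header comment on the new macro, `# Allow domain to use Binder IPC.`, reads as a copy of the generic binder_use description and does not say which transport it grants, even though the rules below it only touch `vndbinder_device` and `vndservicemanager`. Since a caller of this macro gets no access to /dev/binder or /dev/hwbinder, the comment should make that explicit: `# Allow domain to use vendor Binder IPC via /dev/vndbinder (does not grant /dev/binder or /dev/hwbinder).`. It would also help to note that the three `allow vndservicemanager $1:...` rules exist so the manager can read the caller's context, as the inline comment already hints, rather than being a capability granted to the caller.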
diff --git a/public/vndservicemanager.te b/public/vndservicemanager.te
new file mode 100644
index 0000000000000000000000000000000000000000..6b9f73dc00b51adcf9a2f31713e285c009490a78
--- /dev/null
+++ b/public/vndservicemanager.te
@@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2c24d5fefc35e25e69116e4794c08afdd43ef420..6e6ea371c636f016f56ad06cc69f1d1711f17757 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -30,7 +30,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
-
+/(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
 #############################
 # Data files
 #
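Review bot: The new `/(vendor|system/vendor)/bin/vndservicemanager` entry replaces the blank separator line rather than being added before it, so the `# Data files` header block now runs directly on from the executable entries and no longer matches the spacing used elsewhere in this file. Keeping the separator is a one-line change: leave the original empty line in place after the new entry so the section header stays visually detached.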
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
new file mode 100644
index 0000000000000000000000000000000000000000..9357042f5d987fe91d21c67dcc2163c96840b927
--- /dev/null
+++ b/vendor/vndservicemanager.te
@@ -0,0 +1,14 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager_exec, exec_type, file_type;
+
+init_daemon_domain(vndservicemanager);
+
+allow vndservicemanager self:binder set_context_mgr;
+
+# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
+allow vndservicemanager { domain -init }:binder transfer;
+
+allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(vndservicemanager)