diff --git a/Android.mk b/Android.mk
index 3f691e904d0edfe2a0ac5b9cddc64ce2bc06524e..04379ed6bbfe789e3e87ddb1157e8d75b5658566 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1091,7 +1091,7 @@ $(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
 $(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
 	@mkdir -p $(dir $@)
 	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
-	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -v $(PRIVATE_SEPOLICY) -e $@
 
 vnd_svcfiles :=
 vndservice_contexts.tmp :=
diff --git a/public/su.te b/public/su.te
index 8cb386d4b8127cb67f0ac2ec17e770473a49e53d..f410c4d81ff75def4c1dada77fdf4b892a9afc60 100644
--- a/public/su.te
+++ b/public/su.te
@@ -10,6 +10,9 @@ userdebug_or_eng(`
   # Add su to various domains
   net_domain(su)
 
+  # grant su access to vndbinder
+  vndbinder_use(su)
+
   dontaudit su self:capability_class_set *;
   dontaudit su kernel:security *;
   dontaudit su kernel:system *;
@@ -34,6 +37,8 @@ userdebug_or_eng(`
   dontaudit su property_type:property_service *;
   dontaudit su property_type:file *;
   dontaudit su service_manager_type:service_manager *;
+  dontaudit su hwservice_manager_type:hwservice_manager *;
+  dontaudit su vndservice_manager_type:vndservice_manager *;
   dontaudit su servicemanager:service_manager list;
   dontaudit su keystore:keystore_key *;
   dontaudit su domain:drmservice *;
diff --git a/tools/checkfc.c b/tools/checkfc.c
index 8a28f3c13baf630895f89e42f3aebe65656f6b6f..9cbd912f072ed28e24c25ff2bed59c2ebef1840d 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -15,12 +15,16 @@
 static const char * const CHECK_FC_ASSERT_ATTRS[] = { "fs_type", "dev_type", "file_type", NULL };
 static const char * const CHECK_PC_ASSERT_ATTRS[] = { "property_type", NULL };
 static const char * const CHECK_SC_ASSERT_ATTRS[] = { "service_manager_type", NULL };
+static const char * const CHECK_HW_SC_ASSERT_ATTRS[] = { "hwservice_manager_type", NULL };
+static const char * const CHECK_VND_SC_ASSERT_ATTRS[] = { "vndservice_manager_type", NULL };
 
 typedef enum filemode filemode;
 enum filemode {
     filemode_file_contexts = 0,
     filemode_property_contexts,
-    filemode_service_contexts
+    filemode_service_contexts,
+    filemode_hw_service_contexts,
+    filemode_vendor_service_contexts
 };
 
 static struct {
@@ -55,6 +59,10 @@ static const char * const *filemode_to_assert_attrs(filemode mode)
         return CHECK_PC_ASSERT_ATTRS;
     case filemode_service_contexts:
         return CHECK_SC_ASSERT_ATTRS;
+    case filemode_hw_service_contexts:
+        return CHECK_HW_SC_ASSERT_ATTRS;
+    case filemode_vendor_service_contexts:
+        return CHECK_VND_SC_ASSERT_ATTRS;
     }
     /* die on invalid parameters */
     fprintf(stderr, "Error: Invalid mode of operation: %d\n", mode);
@@ -185,10 +193,13 @@ static int validate(char **contextp)
 }
 
 static void usage(char *name) {
-    fprintf(stderr, "usage1:  %s [-p|-s] [-e] sepolicy context_file\n\n"
+    fprintf(stderr, "usage1:  %s [-l|-p|-s|-v] [-e] sepolicy context_file\n\n"
         "Parses a context file and checks for syntax errors.\n"
-        "The context_file is assumed to be a file_contexts file\n"
-        "unless the -p or -s option is used to indicate the property or service backend respectively.\n"
+        "If -p is specified, the property backend is used.\n"
+        "If -s is specified, the service backend is used to verify binder services.\n"
+        "If -l is specified, the service backend is used to verify hwbinder services.\n"
+        "If -v is specified, the service backend is used to verify vndbinder services.\n"
+        "Otherwise, context_file is assumed to be a file_contexts file\n"
         "If -e is specified, then the context_file is allowed to be empty.\n\n"
 
         "usage2:  %s -c file_contexts1 file_contexts2\n\n"
@@ -332,7 +343,7 @@ int main(int argc, char **argv)
 
   filemode mode = filemode_file_contexts;
 
-  while ((c = getopt(argc, argv, "cpse")) != -1) {
+  while ((c = getopt(argc, argv, "clpsve")) != -1) {
     switch (c) {
       case 'c':
         compare = true;
@@ -348,6 +359,14 @@ int main(int argc, char **argv)
         mode = filemode_service_contexts;
         backend = SELABEL_CTX_ANDROID_SERVICE;
         break;
+      case 'l':
+        mode = filemode_hw_service_contexts;
+        backend = SELABEL_CTX_ANDROID_SERVICE;
+        break;
+      case 'v':
+        mode = filemode_vendor_service_contexts;
+        backend = SELABEL_CTX_ANDROID_SERVICE;
+        break;
       case 'h':
       default:
         usage(argv[0]);