diff --git a/domain.te b/domain.te
index 93314571f0160652c8e5009d24e674cc4ca8266b..c115f87b0594d48b8f5f1da490082f530a8911f5 100644
--- a/domain.te
+++ b/domain.te
@@ -456,3 +456,20 @@ neverallow {
   -runas
   -zygote
 } shell:process { transition dyntransition };
+
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+  domain
+  -appdomain
+  -installd
+  -uncrypt  # TODO: see if we can remove
+} app_data_file:lnk_file read;
+
+neverallow {
+  domain
+  -shell
+  userdebug_or_eng(`-uncrypt')
+  -installd
+  -surfaceflinger # TODO: see if we can remove from mako sepolicy
+} shell_data_file:lnk_file read;