diff --git a/private/property_contexts b/private/property_contexts
index 340756033b4670649ef1e8a94073db9dbaac30cc..a27b7566fc7493924efeb848979dd1f0eaf8e65e 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,8 @@ persist.security.       u:object_r:system_prop:s0
 persist.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boottime.             u:object_r:boottime_prop:s0
+ro.serialno             u:object_r:serialno_prop:s0
+ro.boot.serialno        u:object_r:serialno_prop:s0
 
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
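Review bot: The two new keys have no trailing dot, unlike the `persist.vendor.overlay.`/`ro.boot.vendor.overlay.`/`ro.boottime.` entries around them, so they are still prefix matches and `ro.serialno` will label any key that merely starts with that string (`ro.serialnoX`), not just the exact property. If that is intended it deserves a comment, e.g. `# Serial number (no trailing dot: matches ro.serialno and any ro.serialno* key)`. It is also worth confirming that the matcher in use prefers the longest prefix rather than the first hit, since a shorter `ro.` or `ro.boot.` entry elsewhere in this file would otherwise shadow both new lines and silently leave the serial number under its old label, which would make the new `serialno_prop` neverallow in domain.te a no-op.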
diff --git a/public/adbd.te b/public/adbd.te
index 675219a6139781490b101d8bc8d4389b8954db25..59ee3e13124380bab6a20d0061fcd652862cf9b2 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -55,6 +55,9 @@ set_prop(adbd, ffs_prop)
 # Access device logging gating property
 get_prop(adbd, device_logging_prop)
 
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
 
diff --git a/public/domain.te b/public/domain.te
index c9f7f6f0df5feb842ca37d75b1336f34db420366..47b3e5a4632485f46c8bbe1f136bf69cfc928eff 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -374,6 +374,18 @@ neverallow * default_android_service:service_manager add;
 neverallow { domain -init } default_prop:property_service set;
 neverallow { domain -init } mmc_prop:property_service set;
 
+# Do not allow reading device's serial number from system properties except form
+# a few whitelisted domains.
+neverallow {
+  domain
+  -adbd
+  -dumpstate
+  -init
+  -mediadrmserver
+  -recovery
+  -system_server
+} serialno_prop:file r_file_perms;
+
 neverallow {
   domain
   -init
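Review bot: The comment on the first added line has a typo, `except form` should read `except from`, and since `domain` here covers every process including vendor ones it would help to say so explicitly: `# Only the whitelisted domains below may read the device serial number; this applies to vendor domains as well.`. The rule is written as `serialno_prop:file r_file_perms`, which matches how `get_prop` grants read access and is consistent with the other property neverallows in this file. Note that the exemption list is the only thing that keeps the accompanying `get_prop(...)` additions in adbd.te, dumpstate.te, mediadrmserver.te, recovery.te and system_server.te compilable, so any future reader added to one must also be added here; the enclosing neverallow that follows continues outside the hunk.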
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 08d24ae5ea1043cf0f6ca26d6c0e469463e360be..ee617e5ff8754be1f8f490f98c4a60352c15cdfc 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -187,6 +187,9 @@ set_prop(dumpstate, dumpstate_prop)
 # dumpstate_options_prop is used to pass extra command-line args.
 set_prop(dumpstate, dumpstate_options_prop)
 
+# Read device's serial number from system properties
+get_prop(dumpstate, serialno_prop)
+
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index b08664f27c97a66887f17ca0e69ab41e7230cea0..c9e28d775c78cb50697329191d2de1541ea0c99a 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -55,6 +55,9 @@ allow mediadrmserver surfaceflinger_service:service_manager find;
 allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
+# Permit reading device's serial number from system properties
+get_prop(mediadrmserver, serialno_prop)
+
 ###
 ### neverallow rules
 ###
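Review bot: The comment on the added `get_prop` line reads `# Permit reading device's serial number from system properties`, while the same addition in adbd.te, dumpstate.te, recovery.te and system_server.te uses `# Read device's serial number from system properties`; using the identical wording here makes the whitelist easier to grep for when the domain.te neverallow is audited. Since this domain is one of the few exempted from the new neverallow, a short note on why mediadrmserver needs the serial (the property is otherwise hidden from most of the system) would be useful to the next person trimming that list.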
diff --git a/public/property.te b/public/property.te
index 731eee518daf1e041018711fc6219d484e598fd8..0bba50d3a91f1e34178367855301fd852e4f9a5c 100644
--- a/public/property.te
+++ b/public/property.te
@@ -36,6 +36,7 @@ type powerctl_prop, property_type, core_property_type;
 type radio_prop, property_type, core_property_type;
 type restorecon_prop, property_type, core_property_type;
 type safemode_prop, property_type;
+type serialno_prop, property_type;
 type shell_prop, property_type, core_property_type;
 type system_prop, property_type, core_property_type;
 type system_radio_prop, property_type, core_property_type;
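Review bot: `serialno_prop` is declared as `property_type` only, without the `core_property_type` attribute that most of the neighbouring types carry (`radio_prop`, `restorecon_prop`, `shell_prop`, `system_prop`); the one other exception nearby is `safemode_prop`. If that is deliberate, presumably because the `ro.serialno`/`ro.boot.serialno` values come from init rather than from a core domain, a one-line comment stating the reason would stop a later cleanup from "fixing" it: `# serialno_prop: read-only serial number, intentionally not core_property_type`. If it is not deliberate, whichever set-side restrictions hang off `core_property_type` would not apply to this property, which is worth checking given that the point of the change is to tighten access to it.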
diff --git a/public/recovery.te b/public/recovery.te
index 32601e39a28d389a62ae2ec02d98a58c36ddf33e..bbee92823d1977bca61fb64283cd189cde4ecb1e 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -92,6 +92,9 @@ recovery_only(`
   # Start/stop adbd via ctl.start adbd
   set_prop(recovery, ctl_default_prop)
 
+  # Read device's serial number from system properties
+  get_prop(recovery, serialno_prop)
+
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;
 
diff --git a/public/system_server.te b/public/system_server.te
index 6bbe9913c9ceef268da699b8ec07039376783cc8..bc1dd9f34489956df99dc7739ebf061c24adc52e 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -388,6 +388,9 @@ set_prop(system_server, cppreopt_prop)
 # Collect metrics on boot time created by init
 get_prop(system_server, boottime_prop)
 
+# Read device's serial number from system properties
+get_prop(system_server, serialno_prop)
+
 # Create a socket for receiving info from wpa.
 allow system_server wpa_socket:dir rw_dir_perms;
 allow system_server system_wpa_socket:sock_file create_file_perms;