diff --git a/surfaceflinger.te b/surfaceflinger.te
index 7d73696ab653f9560a008e15bc9f9b4b2fc95182..126824791bbf3e5b2ec14d35abe379e94a5a62cd 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -11,11 +11,17 @@ unix_socket_connect(surfaceflinger, property, init)
 
 # Perform Binder IPC.
 binder_use(surfaceflinger)
-binder_call(surfaceflinger, system_server)
-binder_call(surfaceflinger, nfc)
-binder_call(surfaceflinger, mediaserver)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
 binder_service(surfaceflinger)
 
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
 # Access the GPU.
 allow surfaceflinger gpu_device:chr_file rw_file_perms;
 
@@ -50,3 +56,13 @@ binder_call(surfaceflinger, shell)
 # but seems expected and appropriate for all devices.
 allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+# TODO: Remove -unconfineddomain when we remove permissive_or_unconfined above.
+neverallow { surfaceflinger -unconfineddomain } sdcard_type:file rw_file_perms;
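Review bot: `r_dir_file(surfaceflinger, appdomain)` and `r_dir_file(surfaceflinger, binderservicedomain)` grant read on every dir, file and lnk_file labeled with those domain types (if r_dir_file has its usual te_macros definition), which is wider than the "/proc/pid files" the comment describes; the comment should name which entries surfaceflinger actually reads and why, e.g. `# Read /proc/pid/<entry - confirm> of Binder clients so that <reason - confirm>.`, so a later reader can judge whether a narrower grant is possible. The same widening applies to replacing three named peer domains with `binder_call(surfaceflinger, binderservicedomain)` and `binder_call(surfaceflinger, appdomain)`, which lets surfaceflinger initiate Binder calls into every app process; a one-line justification above those rules would help. `binder_call(surfaceflinger, adbd)` is described as a present-tense workaround for bu, so marking it `# TODO: drop once bu gets its own domain.` keeps the grant from outliving its reason.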
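Review bot: With `-unconfineddomain` subtracted, the neverallow on the last line of the second hunk asserts nothing for as long as surfaceflinger is still in unconfineddomain (the TODO implies it is, via a permissive_or_unconfined line that sits outside this hunk), so the banner "surfaceflinger should NEVER do any of this" overstates what is currently enforced. neverallow is checked when the policy is compiled rather than enforced at runtime, so the comment could state both points and tie the TODO to a tracked bug, e.g. `# NOTE: vacuous while surfaceflinger is unconfined; neverallow is a policy build-time check.`. The rule also covers only the file class; whether dir access on sdcard_type carries the same ejection risk is not stated, and a sentence either way would document the intended scope.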