diff --git a/private/asan_extract.te b/private/asan_extract.te
new file mode 100644
index 0000000000000000000000000000000000000000..1c20d78ecdb055d2ca26614dc4d5584883715af8
--- /dev/null
+++ b/private/asan_extract.te
@@ -0,0 +1,8 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+typeattribute asan_extract coredomain;
+init_daemon_domain(asan_extract)
+')
diff --git a/private/file_contexts b/private/file_contexts
index 00d0e4cc38b9c5e5a9b64caeef063d7e46bd4acb..9feeef9cfad621f4ef0a32430645fc20b5dac8fc 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -259,7 +259,20 @@
 #############################
 # Vendor files
 #
-/vendor(/.*)?		u:object_r:system_file:s0
+/(vendor|system/vendor)(/.*)?                  u:object_r:vendor_file:s0
+/(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
+
+/(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
+
+# TODO: b/36790901 move this to /vendor/etc
+/(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/app(/.*)?              u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
+
+# HAL location
+/(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
+
 /vendor/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
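Review bot: The pattern `/(vendor|system/vendor)/manifest.xml` leaves the `.` unescaped, so it also matches any single character in that position, unlike the `\.` escaping used by the same change in vendor/file_contexts; it should be `/(vendor|system/vendor)/manifest\.xml           u:object_r:vendor_configs_file:s0`. The `lib(64)?/hw` entry deliberately carries no `(/.*)?` suffix — it labels only the directory as vendor_hal_file while its contents keep vendor_file or a more specific label — and that is worth stating, since the `# HAL location` comment alone does not explain the missing suffix; e.g. `# HAL location (directory only: implementations inside stay vendor_file or get a more specific label)`.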
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index 5e756fc7906cde37761166254d7ce688d4cf1183..d35cd3c947d95fae218bf54ceb2c6e320f4795e9 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -2,3 +2,4 @@
 /data/asan/system/lib64(/.*)?              u:object_r:system_file:s0
 /data/asan/vendor/lib(/.*)?                u:object_r:system_file:s0
 /data/asan/vendor/lib64(/.*)?              u:object_r:system_file:s0
+/system/bin/asan_extract       u:object_r:asan_extract_exec:s0
diff --git a/private/property_contexts b/private/property_contexts
index 23150343f13181084f4aec044fc5befb89bda66f..4c27b35d6b3d9cadd8853f9d6814fc52e77a7383 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -111,3 +111,6 @@ wlan.                   u:object_r:wifi_prop:s0
 
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
+
+# ASAN install trigger
+asan.restore_reboot  u:object_r:asan_reboot_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index 6f19e38b20d7a728c90e2187854a492fe7c55669..430234313c684d99e635f72cf2c7fb576a083196 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -294,6 +294,9 @@ allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
+# Access /vendor/app
+r_dir_file(system_server, vendor_app_file)
+
 # Manage /data/app-private.
 allow system_server apk_private_data_file:dir create_dir_perms;
 allow system_server apk_private_data_file:file create_file_perms;
diff --git a/public/asan_extract.te b/public/asan_extract.te
new file mode 100644
index 0000000000000000000000000000000000000000..6d0de6cf1fd517067cb55aeb27874028a4e98dfb
--- /dev/null
+++ b/public/asan_extract.te
@@ -0,0 +1,36 @@
+# asan_extract
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+with_asan(`
+  type asan_extract, domain, coredomain;
+  type asan_extract_exec, exec_type, file_type;
+
+  # Allow asan_extract to execute itself using #!/system/bin/sh
+  allow asan_extract shell_exec:file rx_file_perms;
+
+  # We execute log, rm, gzip and tar.
+  allow asan_extract toolbox_exec:file rx_file_perms;
+  allow asan_extract system_file:file execute_no_trans;
+
+  # asan_extract deletes old /data/lib.
+  allow asan_extract system_file:dir { open read remove_name rmdir write };
+  allow asan_extract system_file:file unlink;
+
+  # asan_extract untars ASAN libraries into /data.
+  allow asan_extract system_data_file:dir create_dir_perms ;
+  allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+  # Relabel the libraries with restorecon.
+  allow asan_extract file_contexts_file:file r_file_perms;
+  allow asan_extract system_data_file:{ dir file } relabelfrom;
+  allow asan_extract system_file:dir { relabelto setattr };
+  allow asan_extract system_file:file relabelto;
+
+  # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+  allow asan_extract system_data_file:file execute;
+
+  # We use asan.restore_reboot to signal a reboot is required.
+  set_prop(asan_extract, asan_reboot_prop)
+')
diff --git a/public/attributes b/public/attributes
index b7f0701ce7e8e3ce9ffa749590f99aeb0545ff4e..852dcd75c87eb57dd13144778b35c678d6521af6 100644
--- a/public/attributes
+++ b/public/attributes
@@ -41,6 +41,9 @@ attribute exec_type;
 attribute data_file_type;
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
+# All types in /vendor
+attribute vendor_file_type;
+
 # All vendor domains which violate the requirement of not accessing
 # data outside /data/vendor.
 # TODO(b/34980020): Remove this once there are no violations
diff --git a/public/crash_dump.te b/public/crash_dump.te
index a0e278a1347ba1d78265222228df4465e097f5be..ee617a171cf7fdc90531093b61943d88e65ede2f 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -34,6 +34,9 @@ allow crash_dump dalvikcache_data_file:file r_file_perms;
 # Read APK files.
 r_dir_file(crash_dump, apk_data_file);
 
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
 # Talk to tombstoned
 unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
 
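Review bot: The comment `# Read all /vendor` overstates the rule under it, which grants r_dir_file only on vendor_file and same_process_hal_file, not on the vendor_file_type attribute that also covers vendor_app_file, vendor_framework_file, vendor_overlay_file and vendor_configs_file. Either the comment should match the grant, e.g. `# Read /vendor libraries and same-process HALs (vendor_file, same_process_hal_file)`, or the rule should name vendor_file_type if reading everything under /vendor is actually intended. The new line also drops the trailing `;` that the neighbouring `r_dir_file(crash_dump, apk_data_file);` carries; the file should use one style.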
diff --git a/public/domain.te b/public/domain.te
index 30b3a98e0b998f4405a399c1a14dac9b8c172cc7..4fc3bc03c73aaa7c0e83e5e64f25c21b1455f951 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -102,6 +102,61 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file { getattr read };
 
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+    allow domain vendor_file_type:dir { search getattr };
+    allow domain vendor_file_type:file { execute read open getattr };
+    allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow domain same_process_hal_file:file { execute read open getattr };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr };
+
+# TODO: (b/36681074) - Remove after this is resolved
+# TODO: (b/36680116, b/36656392, b/36681210) All need directory
+# lookup to find / open their libraries
+full_treble_only(`
+    # Everyone needs to lookup libraries in /vendor/lib(64)
+    # through linker/loader.
+    allow domain vendor_file:dir { getattr search };
+
+    # TODO: b/36681210, find out who needs access and only allow
+    # specific domains for Treble
+    allow domain vendor_app_file:dir r_dir_perms;
+    allow domain vendor_app_file:file { read open getattr };
+
+    # Some apps (com.android.phone) need to be able to open
+    # symlinked libraries
+    # TODO: b/36806861
+    allow domain vendor_app_file:lnk_file { open read };
+
+    # TODO: b/36656392, find out who needs access and only allow
+    # specific domains.
+    allow domain vendor_overlay_file:dir r_dir_perms;
+    allow domain vendor_overlay_file:file { read open getattr };
+
+    # TODO: b/36680116, find out who neeeds access and only allow
+    # specific domains
+    allow domain vendor_framework_file:dir r_dir_perms;
+    allow domain vendor_framework_file:file { read open getattr };
+
+    # Allow reading and executing out of /vendor to all vendor domains
+    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+    allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
+    allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;
 
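Review bot: Two comment typos: `# Make sure system/vendor split doesn not affect non-treble` should read `does not`, and `# TODO: b/36680116, find out who neeeds access and only allow` should read `needs`. The not_full_treble block grants every domain execute on vendor_file_type:file, and since vendor_file_type spans vendor_configs_file, vendor_app_file and the other /vendor labels, that is execute on /vendor/etc and /vendor/app for all domains on non-Treble devices; it mirrors the system_file grant just above, but a comment such as `# Mirrors the system_file grants above; vendor_file_type spans every label under /vendor` would make that intentional rather than accidental. The vendor_hal_file, same_process_hal_file and vendor_configs_file grants sit outside both macros and therefore apply on every build, which a one-line comment should say so the next reader does not have to check.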
@@ -300,13 +355,21 @@ neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapre
 neverallow {
     domain
     -appdomain
+    with_asan(`-asan_extract')
     -dumpstate
     -shell
     userdebug_or_eng(`-su')
     -system_server
     -webview_zygote
     -zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
+} {
+    file_type
+    -system_file
+    -vendor_file_type
+    -exec_type
+    -postinstall_file
+}:file execute;
+
 neverallow {
     domain
     -appdomain # for oemfs
@@ -335,14 +398,22 @@ neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms
 neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
 neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
 
-# Only recovery should be doing writes to /system
-neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
-    { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
+# Only recovery should be doing writes to /system & /vendor
+neverallow {
+    domain
+    -recovery
+    with_asan(`-asan_extract')
+} {
+    system_file
+    vendor_file_type
+    exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } system_file:dir_file_class_set mounton;
+neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
 neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
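Review bot: `neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;` is left as one long line directly after the companion rule was expanded to one element per line; the two should be formatted alike. The `with_asan(`-asan_extract')` exemptions remove asan_extract from a neverallow covering all of system_file, vendor_file_type and exec_type, whereas its own allow rules in public/asan_extract.te only touch system_file objects, which on ASAN builds include the copies under /data/asan labelled by file_contexts_asan. Since the exemption only permits those allow rules to exist, that is acceptable, but a comment here, e.g. `# asan_extract (ASAN builds only) rewrites and relabels the system_file-labelled libraries under /data/asan`, records why.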
@@ -739,6 +810,7 @@ neverallow {
   -system_app
   -init
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
+  with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink
 # to installd
@@ -895,7 +967,7 @@ neverallow {
 # Enforce restrictions on kernel module origin.
 # Do not allow kernel module loading except from system,
 # vendor, and boot partitions.
-neverallow * ~{ system_file rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file_type rootfs }:system module_load;
 
 # Only allow filesystem caps to be set at build time or
 # during upgrade by recovery.
diff --git a/public/file.te b/public/file.te
index 0ee1500ad9ee6ed18b192d46dc7e236a660f2bea..6468d16af23b3514033e0829d5367b82e0c93bf2 100644
--- a/public/file.te
+++ b/public/file.te
@@ -78,8 +78,27 @@ type app_fusefs, fs_type, contextmount_type;
 
 # File types
 type unlabeled, file_type;
+
 # Default type for anything under /system.
 type system_file, file_type;
+
+# Default type for directories search for
+# HAL implementations
+type vendor_hal_file, vendor_file_type, file_type;
+# Default type for under /vendor or /system/vendor
+type vendor_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/app
+type vendor_app_file, vendor_file_type, file_type;
+# Default type for everything under /vendor/etc/
+type vendor_configs_file, vendor_file_type, file_type;
+# Default type for all *same process* HALs.
+# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
+type same_process_hal_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/framework
+type vendor_framework_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/overlay
+type vendor_overlay_file, vendor_file_type, file_type;
+
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
 # Type for /system/bin/logcat.
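Review bot: Two of the new type comments read oddly: `# Default type for directories search for` / `# HAL implementations` should be `# Default type for directories searched for HAL implementations`, and `# Default type for under /vendor or /system/vendor` is missing its subject, e.g. `# Default type for everything under /vendor or /system/vendor not covered by a more specific type below`. The same_process_hal_file comment gives only examples; it would help to say that the authoritative list is the file_contexts entries carrying that label, so nobody treats the comment as the list.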
diff --git a/public/init.te b/public/init.te
index 4af41ec978db4f9e72160665050d46ce89365341..0deb8cdc9b914d8e2d13a5032f2b45abc08b6574 100644
--- a/public/init.te
+++ b/public/init.te
@@ -60,7 +60,7 @@ allow init self:capability sys_admin;
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file postinstall_mnt_dir }:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
 
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
@@ -127,6 +127,7 @@ allow init {
   -misc_logd_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
 }:dir { create search getattr open read setattr ioctl };
 
 allow init {
@@ -138,6 +139,7 @@ allow init {
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:dir { write add_name remove_name rmdir relabelfrom };
 
@@ -151,6 +153,7 @@ allow init {
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:file { create getattr open read write setattr relabelfrom unlink };
 
@@ -163,6 +166,7 @@ allow init {
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
@@ -175,12 +179,13 @@ allow init {
   -shell_data_file
   -system_app_data_file
   -system_file
+  -vendor_file_type
   -vold_data_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow init cache_file:lnk_file r_file_perms;
 
-allow init { file_type -system_file -exec_type }:dir_file_class_set relabelto;
+allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
 allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
@@ -384,6 +389,7 @@ unix_socket_connect(init, vold, vold)
 allow init misc_block_device:blk_file w_file_perms;
 
 r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
 allow init proc_meminfo:file r_file_perms;
 
 allow init system_data_file:file { getattr read };
diff --git a/public/property.te b/public/property.te
index daac0fb5c6836f4aaac4add0cf5ed4d3d68e0653..d6fa8680152157be6f43680be33592e120f47bff 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,3 +1,4 @@
+type asan_reboot_prop, property_type;
 type audio_prop, property_type, core_property_type;
 type boottime_prop, property_type;
 type bluetooth_prop, property_type;
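Review bot: `type asan_reboot_prop, property_type;` is declared unconditionally while the only domain that sets it, asan_extract in public/asan_extract.te, exists only under with_asan; presumably that is deliberate so the unconditional `asan.restore_reboot` entry in private/property_contexts still resolves on non-ASAN builds. A comment, e.g. `# Declared on all builds so property_contexts resolves; only set by asan_extract under with_asan()`, would stop someone later moving it inside the with_asan block and breaking the non-ASAN policy build.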
diff --git a/public/te_macros b/public/te_macros
index bf75690b2ecd88a39a3784997b176d43150e97d0..bc672788ee107f254e8e79ecccef27799c47f0a3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -181,6 +181,8 @@ typeattribute $1 $2_client;
 typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
 ')
 
 #####################################
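Review bot: The two added lines `allow $2 vendor_file:dir r_dir_perms;` and `allow $2 vendor_file:file { read open getattr execute };` are pasted identically into both macros (this hunk and the one at `@@ -197,6 +199,8 @@`); both enclosing macro definitions start outside the hunks. The comment above them, `# Find passthrough HAL implementations`, now covers the vendor_file lines too but only mentions finding, while the new file rule also grants execute; extending it to `# Find and load passthrough HAL implementations from /system or /vendor` keeps it accurate. If both macros are meant to stay in lockstep, a shared helper macro for these four lines would avoid the next edit being applied to only one of them.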
@@ -197,6 +199,8 @@ typeattribute $1 $2_client;
 typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
 ')
 
 #####################################
diff --git a/public/ueventd.te b/public/ueventd.te
index 512b019d471a33241066b2d531ce003df393241c..8ec667e047a05c86c088fe7c372081314057a6f4 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -29,6 +29,9 @@ allow ueventd efs_file:file r_file_perms;
 # Get SELinux enforcing status.
 r_dir_file(ueventd, selinuxfs)
 
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, vendor_file)
+
 # Get file contexts for new device nodes
 allow ueventd file_contexts_file:file r_file_perms;
 
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ea0ef29f6f01d9a2d5ba9cc2dde62442b062d228..5ccfab40cbe1e7a8bd7cc42ec49fedaee7bf3747 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -33,6 +33,13 @@
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/hostapd                                           u:object_r:hostapd_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
+
+#############################
+# Same process HALs installed by platform into /vendor
+#
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so     u:object_r:same_process_hal_file:s0
+
 #############################
 # Data files
 #