diff --git a/public/domain.te b/public/domain.te
index 5c483848f92e495d1e459d55086e7930b346838b..09958f0a5cdea7491e2902a0def6c3f29176616b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -279,6 +279,11 @@ neverallow * init:binder *;
 # Rather force a relabel to a more specific type
 neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
 
+# Do not allow renaming of block files or character files
+# Ability to do so can lead to possible use in an exploit chain
+# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
+neverallow * *:{ blk_file chr_file } rename;
+
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.
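Review bot: The new neverallow on line 12 uses a wildcard source and target, so it also rejects any domain in device or vendor policy that still grants rename on block or character files through the create_file_perms macro, and that failure surfaces only as a build-time neverallow violation with no hint about what to write instead. The comment above it should name the replacement, e.g. `# create_file_perms includes rename; domains that create device nodes should` / `# grant { create setattr unlink rw_file_perms } instead (see init.te, vold.te)`. This assumes create_file_perms expands to include rename, which the init.te and vold.te hunks in this change appear to rely on but which is not visible here.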
diff --git a/public/init.te b/public/init.te
index a6fa6d7c8ebbe2cc29e4f8be32421d283bdcd142..1d984c2505442f4059a3978c0e2eab73a7406288 100644
--- a/public/init.te
+++ b/public/init.te
@@ -5,7 +5,7 @@ type init, domain, domain_deprecated, mlstrustedsubject;
 type init_exec, exec_type, file_type;
 
 # /dev/__null__ node created by init.
-allow init tmpfs:chr_file create_file_perms;
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
 
 #
 # init direct restorecon calls.
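Review bot: The spelled-out set `{ create setattr unlink rw_file_perms }` on line 26 carries no explanation of why the macro was dropped, and the same construction appears twice in the vold.te hunk below; a later cleanup that folds it back into create_file_perms would only be caught by the domain.te neverallow at build time, with no pointer back to the reason. A one-line comment at each site would make the intent durable, e.g. `# create_file_perms minus rename: renaming device nodes is forbidden by a neverallow in domain.te`. If this set is expected to recur, a shared macro would keep the three sites in sync, though the macro definitions are not part of this change.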
diff --git a/public/vold.te b/public/vold.te
index 6baba08dab9a34ef4d20bc27c25f6ecf38a2ecb1..798d542f5bc803580f3805d7626f76ad68acc20c 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -64,8 +64,8 @@ allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
-allow vold loop_device:blk_file create_file_perms;
-allow vold vold_device:blk_file create_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
 # For vold Process::killProcessesWithOpenFiles function.