diff --git a/public/domain.te b/public/domain.te
index 787bc6175f18d955576a46bef25db4af4e721211..c9f7f6f0df5feb842ca37d75b1336f34db420366 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -383,6 +383,12 @@ neverallow {
   -ueventd # Further restricted in ueventd.te
 } frp_block_device:blk_file rw_file_perms;
 
+# The metadata block device is set aside for device encryption and
+# verified boot metadata. It may be reset at will and should not
+# be used by other domains.
+neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
+  { append link rename write open read ioctl lock };
+
 # No domain other than recovery and update_engine can write to system partition(s).
 neverallow { domain -recovery -update_engine } system_block_device:blk_file write;