diff --git a/adbd.te b/adbd.te
index 2734a331a92c854eea232f27a27985cbe6f7f7cb..68a37a74d1b26c4365dd08088cf1a299df157fd3 100644
--- a/adbd.te
+++ b/adbd.te
@@ -100,3 +100,13 @@ allow adbd storage_file:dir r_dir_perms;
 allow adbd storage_file:lnk_file r_file_perms;
 allow adbd mnt_user_file:dir r_dir_perms;
 allow adbd mnt_user_file:lnk_file r_file_perms;
+
+###
+### Neverallow rules
+###
+
+# No transitions from adbd to non-shell domains. adbd only ever
+# transitions to the shell domain. In particular, we never want
+# to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -shell }:process transition;
+neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
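Review bot: The comment above the two rules says a transition from adbd to su is never wanted, but the dyntransition rule on the last line exempts su on userdebug/eng builds, so the comment accurately describes only the exec-based `transition` rule. The second rule also has no `-shell` exclusion, so it forbids adbd from dyntransitioning to shell as well, which "only ever transitions to the shell domain" does not convey. I would give the dyntransition rule its own comment, for example `# No dyntransition from adbd to any domain; the only exception is su on userdebug/eng builds.`, and reword the existing comment to say it covers exec transitions. Neverallow rules are often read as the statement of what a build guarantees, so it helps to state that the su exception is expected to be absent on user builds.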