diff --git a/private/isolated_app.te b/private/isolated_app.te
index 418a3224e5695c8ad1323267b0fc0b8efe602e62..ac9dc04ba309e1d401aed22043f1fc7069cefbd2 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -62,6 +62,17 @@ neverallow isolated_app app_data_file:file open;
 neverallow isolated_app anr_data_file:file ~{ open append };
 neverallow isolated_app anr_data_file:dir ~search;
 
+# Isolated apps must not be permitted to use HwBinder
+neverallow isolated_app hwbinder_device:chr_file *;
+neverallow isolated_app *:hwservice_manager *;
+
+# Isolated apps must not be permitted to use VndBinder
+neverallow isolated_app vndbinder_device:chr_file *;
+
+# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
+# except the find actions for services whitelisted below.
+neverallow isolated_app *:service_manager ~find;
+
 # b/17487348
 # Isolated apps can only access three services,
 # activity_service, display_service and webviewupdate_service.
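Review bot: The comment at lines 16-17 overstates what the rule at line 18 does: `neverallow isolated_app *:service_manager ~find;` only forbids the non-find permissions (add, list) on every service_manager target, it does not by itself limit which services can be found; that limit comes from the b/17487348 neverallow block starting at line 20, which continues past the end of this hunk. A more precise comment would be `# isolated_app may only ever use find on service_manager; which services it may find is restricted by the neverallow rules below.` Note also that every rule in this hunk is a build-time assertion, not an enforcement rule: the hwbinder one holds only because public/domain.te drops isolated_app from the domain-wide hwbinder_device allow in this same commit, while the vndbinder_device and hwservice_manager assertions depend on no other allow rule (for instance one granted to an attribute isolated_app carries) covering them, which this diff does not show.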
diff --git a/public/domain.te b/public/domain.te
index 7976c1472c7c00cfdacf0965b91ebf0c141525fc..acd5341fd5cc2a16187e51dd9977eb82ba0e3486 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -75,7 +75,7 @@ allow {
 } binder_device:chr_file rw_file_perms;
 # Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
 not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
-allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
+allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;
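Review bot: Excluding isolated_app from the hwbinder_device allow is what makes the new `neverallow isolated_app hwbinder_device:chr_file *;` in private/isolated_app.te compile, but the companion assertion `neverallow isolated_app *:hwservice_manager *;` needs the same treatment for any domain-wide hwservice_manager or hwservicemanager binder grants; if domain.te carries such rules outside this hunk (not visible here), they need a matching `-isolated_app` exclusion or the policy build fails. The growing subtraction list on line 32 also deserves a why-comment so the next reader does not "fix" it back, e.g. `# isolated_app is excluded: HwBinder access is forbidden by neverallow in private/isolated_app.te.`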