diff --git a/app.te b/app.te
index 5ba0e74adcc3d7b01f95a50cdc4e72234f2a5bc9..ae3a24099b42f344ba1eebdd4a76095808098dcb 100644
--- a/app.te
+++ b/app.te
@@ -116,6 +116,9 @@ allow appdomain shell_data_file:file { write getattr };
 # Write profiles /data/misc/profiles
 allow appdomain user_profile_data_file:dir { search write add_name };
 allow appdomain user_profile_data_file:file create_file_perms;
+# Profiles for foreign dex files are just markers and only need create permissions.
+allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
+allow appdomain user_profile_foreign_dex_data_file:file create;
 
 # Send heap dumps to system_server via an already open file descriptor
 # % adb shell am set-watch-heap com.android.systemui 1048576
@@ -419,3 +422,7 @@ neverallow appdomain {
   security_file
   tmpfs
 }:lnk_file no_w_file_perms;
+
+# Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
+neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
+neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };
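Review bot: The two added neverallow rules list specific permissions, so they enforce less than the comment's "anything but touch them" promises. `rw_file_perms` is a read/write set and, in the global_macros definitions I know of, does not include `setattr`, `unlink`, `rename`, `link` or `execute`; the dir rule likewise leaves out `create`, `rmdir` and `setattr`. A complement form ties the invariant to exactly what the allow rules in the first app.te hunk grant: `neverallow appdomain user_profile_foreign_dex_data_file:file ~create;` and `neverallow appdomain user_profile_foreign_dex_data_file:dir ~{ search write add_name };`. Rules outside this diff may grant appdomain other permissions through attributes, so this needs a policy compile to confirm it builds.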
diff --git a/file.te b/file.te
index 1efdc58f6e4e1dcb24b54a2e1e169992817a4513..48d68024a7b87e629c9a5b9ff70feb8f4c2be11d 100644
--- a/file.te
+++ b/file.te
@@ -88,6 +88,7 @@ type dalvikcache_data_file, file_type, data_file_type;
 type ota_data_file, file_type, data_file_type;
 # /data/misc/profiles
 type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
+type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/resource-cache
 type resourcecache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
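Review bot: The new type is declared with `mlstrustedobject` and has no comment of its own; the `# /data/misc/profiles` line above describes the previous type. That attribute exempts the objects from MLS separation, and app.te lets every appdomain create files of this type. A marker's existence therefore shows only that some app created that name, not which one, unless DAC on the directory narrows it, which is not visible here. I would add a comment such as `# /data/misc/profiles/cur/<userid>/foreign-dex: create-only usage markers` plus a line recording why `mlstrustedobject` is needed. The system_server code that reads these markers should treat them as a hint rather than as trusted input.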
diff --git a/file_contexts b/file_contexts
index e94c95ea53293d009df9d75e116b64e6384ea309..d777ba1a58b38482b4a3ebcb6d04932813f5627b 100644
--- a/file_contexts
+++ b/file_contexts
@@ -294,6 +294,7 @@
 # TODO(calin) label profile reference differently so that only
 # profman run as a special user can write to them
 /data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
+/data/misc/profiles/cur/[0-9]+/foreign-dex(/.*)? u:object_r:user_profile_foreign_dex_data_file:s0
 /data/misc/profiles/ref(/.*)?       u:object_r:user_profile_data_file:s0
 
 # Fingerprint data
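Review bot: The added pattern overlaps `/data/misc/profiles/cur(/.*)?` on the line above, and both are regex entries, so the foreign-dex label wins only through file_contexts match ordering (the later regex entry takes precedence, as I understand libselinux). A comment such as `# Must stay after the cur(/.*)? entry: the later match wins` would keep a future reorder from silently labelling markers as user_profile_data_file. No type_transition is added anywhere in this diff, so the label also depends on the foreign-dex directory being relabelled (restorecon) when it is created. That code is outside this change and worth confirming.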
diff --git a/installd.te b/installd.te
index 688a7e6c07f4fc6b748d9c57b7fd729aa91afafb..f4ea424c3924e622bf21ec277329d58248948161 100644
--- a/installd.te
+++ b/installd.te
@@ -115,6 +115,8 @@ allow installd {
 # Similar for the files under /data/misc/profiles/
 allow installd user_profile_data_file:dir create_dir_perms;
 allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:dir rmdir;
+allow installd user_profile_data_file:file unlink;
 
 # Create and use pty created by android_fork_execvp().
 allow installd devpts:chr_file rw_file_perms;
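Review bot: The two added rules look redundant: in the global_macros definitions I know of, `create_dir_perms` and `create_file_perms` on the lines above already include `rmdir` and `unlink` for `user_profile_data_file`. Meanwhile installd gets no rule for `user_profile_foreign_dex_data_file` in this diff, and apps are barred from `remove_name` on that directory, so nothing visible here can delete markers or the foreign-dex directory. If cleanup is installd's job, the rules probably belong on the new type, e.g. `allow installd user_profile_foreign_dex_data_file:dir { search write remove_name rmdir };` and `allow installd user_profile_foreign_dex_data_file:file unlink;`. The surrounding installd rules continue outside the hunk.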
diff --git a/system_server.te b/system_server.te
index 1dd7a6ed474792e5acdbe29981280b94df293931..456691af72f52c29361f47f56cd92b01942161e9 100644
--- a/system_server.te
+++ b/system_server.te
@@ -11,6 +11,13 @@ tmpfs_domain(system_server)
 allow system_server dalvikcache_data_file:file execute;
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 
+# Enable system server to check the foreign dex usage markers.
+# We need search on top level directories so that we can get to the files
+allow system_server user_profile_data_file:dir search;
+allow system_server user_profile_data_file:file getattr;
+allow system_server user_profile_foreign_dex_data_file:dir search;
+allow system_server user_profile_foreign_dex_data_file:file getattr;
+
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
 allow system_server resourcecache_data_file:dir r_dir_perms;
diff --git a/untrusted_app.te b/untrusted_app.te
index 8672f585de6fa2eb81c27335a67c41a7620bb910..bc062beff085ed95bba3b1ca96ac2cde04ae18bc 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -173,6 +173,7 @@ neverallow untrusted_app {
   -media_rw_data_file       # Internal storage. Known that apps can
                             # leave artfacts here after uninstall.
   -user_profile_data_file   # Access to profile files
+  -user_profile_foreign_dex_data_file   # Access to profile files
   userdebug_or_eng(`
     -method_trace_data_file # only on ro.debuggable=1
     -coredump_file          # userdebug/eng only
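Review bot: The trailing comment on the added exemption is copied from the line above and does not say why this type is exempted. Something like `-user_profile_foreign_dex_data_file   # Foreign dex markers, create-only` would document the intent. The neverallow block starts and ends outside the hunk, so the classes and permissions it covers are not visible. It is worth confirming the exemption opens nothing beyond the `create` and `add_name` access that app.te grants.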