diff --git a/domain.te b/domain.te
index f787d4a7af9195a3083443683856bbae3a78d934..73043f57ebbd52707e106eab506cdb3b4d09f0fe 100644
--- a/domain.te
+++ b/domain.te
@@ -452,3 +452,20 @@ neverallow {
 -runas
 -zygote
 } shell:process { transition dyntransition };
+
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+ domain
+ -appdomain
+ -installd
+ -uncrypt # TODO: see if we can remove
+} app_data_file:lnk_file read;
+
+neverallow {
+ domain
+ -shell
+ userdebug_or_eng(`-uncrypt')
+ -installd
+ -surfaceflinger # TODO: see if we can remove from mako sepolicy
+} shell_data_file:lnk_file read;
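Review bot: The `-uncrypt` exemption in the app_data_file rule is unconditional, while the shell_data_file rule grants the same exemption only inside userdebug_or_eng(). On user builds the first assertion would therefore not catch an allow rule that lets uncrypt read app-writable symlinks. Nothing in the hunk explains the difference; if uncrypt does not need this on user builds, the first rule could use the same userdebug_or_eng wrapper, and otherwise the comment should say what uncrypt reads through an app-controlled link. Both TODOs would be easier to act on with a reason and a tracking reference, for example `# TODO(<bug-id>): uncrypt still reads <path>; drop once fixed`. The `-appdomain` exemption presumably covers privileged app domains as well, so a one-line comment confirming that is intended would help later reviewers.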