diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ec7b136084e3c4cd989182a4e395ef72d1085c25..3d243d419795d191b96bf50e63d57a4bdeb4ba44 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -123,6 +123,7 @@
     untrusted_app_all_devpts
     update_engine_log_data_file
     vendor_default_prop
+    vendor_security_patch_level_prop
     usbd
     usbd_exec
     usbd_tmpfs
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 0fa35472d7900d53801e2e447ea017431530fbb4..dbb277bd984c430b5fd8b06c6493f194b3e8c1aa 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -105,6 +105,7 @@
     usbd_tmpfs
     vendor_default_prop
     vendor_init
+    vendor_security_patch_level_prop
     vendor_shell
     vold_metadata_file
     vold_prepare_subdirs
diff --git a/public/property.te b/public/property.te
index 42fce04c38cc355ac08f11bc32f7db4088b43119..5dd88dccbaafab4e0ae7790dbecba7eceade9ead 100644
--- a/public/property.te
+++ b/public/property.te
@@ -55,6 +55,7 @@ type traced_enabled_prop, property_type;
 type vold_prop, property_type, core_property_type;
 type wifi_log_prop, property_type, log_property_type;
 type wifi_prop, property_type;
+type vendor_security_patch_level_prop, property_type;
 
 # Properties for whitelisting
 type exported_bluetooth_prop, property_type;
diff --git a/public/property_contexts b/public/property_contexts
index 618c52d46d2c0f4bd2376f75905fcdc214efb699..c644181d1f5837c4d4bd13634fce35463bdb5aa7 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -107,6 +107,7 @@ ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
 ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
 ro.url.legal u:object_r:exported3_default_prop:s0 exact string
 ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
+ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
 ro.zygote u:object_r:exported3_default_prop:s0 exact string
 sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
 sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
diff --git a/public/shell.te b/public/shell.te
index 7b676770e0d0488faade160d242d68f5a0d25bc5..2c6ce4430d6e7066a2b5f31625871eb5036dae68 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -84,6 +84,9 @@ userdebug_or_eng(`
 # Read device's serial number from system properties
 get_prop(shell, serialno_prop)
 
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
 # Read state of logging-related properties
 get_prop(shell, device_logging_prop)
 
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b025fc88a97384830b9d2d20652a4d4a30c9f07d..d079873252583e0c820de9920a8ef1a8106f3d0f 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -190,6 +190,7 @@ set_prop(vendor_init, log_tag_prop)
 set_prop(vendor_init, log_prop)
 set_prop(vendor_init, serialno_prop)
 set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, vendor_security_patch_level_prop)
 set_prop(vendor_init, wifi_log_prop)
 
 get_prop(vendor_init, exported2_radio_prop)