diff --git a/private/app.te b/private/app.te
index 2ee3bee915f52215ec054c0dc351394624f69b11..b41ebec49be13471f77970fa0bdf1d8666d2ef79 100644
--- a/private/app.te
+++ b/private/app.te
@@ -315,6 +315,9 @@ allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdo
 
 allow appdomain cache_file:dir getattr;
 
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
 ###
 ### Neverallow rules
 ###
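Review bot: The new allow is written on `appdomain`, so it reaches every app domain, and `rx_file_perms` includes `execute_no_trans`, which means asanwrapper runs inside the calling app's own domain with no transition. That appears to be the intent for wrap properties, but the one-line comment does not record it. I would expand it to `# ASAN builds only: apps started via a wrap property exec asanwrapper in their own domain (no transition).` If some app domains are never started through a wrapper, consider subtracting them from the source set so the grant matches actual use.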
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index d35cd3c947d95fae218bf54ceb2c6e320f4795e9..0401ffe41ea73750b1cf12af2ead2e418406a946 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -3,3 +3,7 @@
 /data/asan/vendor/lib(/.*)?                u:object_r:system_file:s0
 /data/asan/vendor/lib64(/.*)?              u:object_r:system_file:s0
 /system/bin/asan_extract       u:object_r:asan_extract_exec:s0
+/system/bin/asanwrapper        u:object_r:asanwrapper_exec:s0
+/system/bin/asan/app_process   u:object_r:zygote_exec:s0
+/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
+/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
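Review bot: The three `/system/bin/asan/app_process*` entries reuse `zygote_exec`, so every existing rule written for that type now also applies to the sanitized binaries, and nothing in the file says this is deliberate. file_contexts accepts `#` comments, so a line such as `# Sanitized app_process reuses zygote_exec so existing zygote_exec rules also cover it.` above the entries would make that explicit. This reuse also appears to be why the system_server neverallow later in the patch gains a `-zygote_exec` exemption, which is worth cross-referencing in the comment.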
diff --git a/private/system_server.te b/private/system_server.te
index d02698cb04ee3f72ffd06cd442d1ed3bf7b49161..89b14a926c72cfdd1ed53f99fc8859d0cd7e5e2f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -22,6 +22,9 @@ userdebug_or_eng(`
   # Report dalvikcache_data_file:file execute violations.
   auditallow system_server dalvikcache_data_file:file execute;
 ')
+# When running system server under --invoke-with, we'll try to load the boot image under the
+# system server domain, following links to the system partition.
+with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
 
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
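Review bot: The added rule lets system_server read symlinks labelled `dalvikcache_data_file`, which live on the writable /data partition, but the comment does not say which domain creates those links. Because system_server follows them while loading the boot image, the comment should name the creator (not visible in this diff) so a reviewer can confirm that no less-trusted domain can place a link of this type. The comment also talks about `--invoke-with` while the rule is gated on `with_asan`; stating that the wrap path is only expected on ASAN builds would close that gap. As a style point, the new lines sit directly against the closing `')` of the `userdebug_or_eng` block; a blank line before the comment would keep the two apart.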
@@ -655,6 +658,7 @@ allow system_server debugfs_wifi_tracing:file rw_file_perms;
 # asanwrapper.
 with_asan(`
   allow system_server shell_exec:file rx_file_perms;
+  allow system_server asanwrapper_exec:file rx_file_perms;
 ')
 
 ###
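Review bot: This `with_asan` block grants system_server execute access to `shell_exec` and `asanwrapper_exec` only, while the neverallow hunk that follows (`with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')`) also exempts `zygote_exec` from the `execute_no_trans` ban. No rule in this diff gives system_server execute on `zygote_exec`, so either the allow lives outside the diff, or the exemption is wider than the policy uses, or the sanitized app_process will be denied when the wrapper execs it. If the exec is intended, add `allow system_server zygote_exec:file rx_file_perms;` inside this block; otherwise drop `-zygote_exec` from the neverallow so the exception stays as narrow as the allows. The block's opening comment starts outside the hunk.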
@@ -682,7 +686,7 @@ neverallow system_server {
   file_type
   -toolbox_exec
   -logcat_exec
-  with_asan(`-shell_exec')
+  with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
 }:file execute_no_trans;
 
 # Ensure that system_server doesn't perform any domain transitions other than
diff --git a/public/domain.te b/public/domain.te
index 97f75c065f2939dde0c551df0da75585f9fc472c..64539781d5372fb2e548112f84f33891632aec8e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -221,6 +221,9 @@ allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
 # when it's not explicitly used in allow rules
 allow { domain -domain } vndservice_manager_type:service_manager { add find };
 
+# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
+with_asan(`allow domain system_data_file:dir getattr;')
+
 ###
 ### neverallow rules
 ###
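Review bot: The comment says processes "will try to read /data", but the rule grants only `getattr` on `system_data_file:dir`, so the comment overstates what is allowed. Since the rule applies to every member of `domain`, the wording should match the permission exactly, for example `# Under ASAN, the loader stats /data while resolving sanitized libraries under /data/asan; getattr only, no search or read.` Whether the loader is the component doing the stat is inferred from the file_contexts_asan paths and should be confirmed.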
diff --git a/public/file.te b/public/file.te
index eacfc2cfd2cd50b010e9f9aebd4c330da3b01379..926fd596cff26f984112d184ded0ccd46c75638a 100644
--- a/public/file.te
+++ b/public/file.te
@@ -315,6 +315,9 @@ allow dev_type tmpfs:filesystem associate;
 allow app_fuse_file app_fusefs:filesystem associate;
 allow postinstall_file self:filesystem associate;
 
+# asanwrapper (run a sanitized app_process, to be used with wrap properties)
+with_asan(`type asanwrapper_exec, exec_type, file_type;')
+
 # It's a bug to assign the file_type attribute and fs_type attribute
 # to any type. Do not allow it.
 #
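Review bot: `asanwrapper_exec` is declared only inside `with_asan`, so any reference to it outside a `with_asan` guard fails to compile on non-ASAN builds; the comment should say so, e.g. `# Declared only on ASAN builds: every rule naming asanwrapper_exec must also be wrapped in with_asan.` All uses in this patch are in private/ policy, so it is also worth checking whether the type needs to be in public/file.te at all. If no policy outside the platform refers to it, declaring it in private policy would keep it out of the exported type set.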