diff --git a/private/file_contexts b/private/file_contexts
index 94a2a53047d0ebdfe0f8aedd54f2d62fb02ee0ed..d5cf3f781372b536885de36cf2600e943ab2005f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -155,6 +155,7 @@
 /dev/usb_accessory u:object_r:usbaccessory_device:s0
 /dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
 /dev/video[0-9]* u:object_r:video_device:s0
+/dev/vndbinder u:object_r:vndbinder_device:s0
 /dev/watchdog u:object_r:watchdog_device:s0
 /dev/xt_qtaguid u:object_r:qtaguid_device:s0
 /dev/zero u:object_r:zero_device:s0
diff --git a/public/device.te b/public/device.te
index c9c64dc00dd0639c1772619cd8e89ec47612be7d..53414e2cf518915676d2665c10e95c707916eb19 100644
--- a/public/device.te
+++ b/public/device.te
@@ -7,6 +7,7 @@ type audio_timer_device, dev_type;
 type audio_seq_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
 type block_device, dev_type;
 type camera_device, dev_type;
 type dm_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 9631c9c76a580eaa52295131e287ead5b8c653da..5f7da0bf369972fe348163859c537e3145b431ea 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,8 +66,8 @@ allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
-allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
-allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;
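Review bot: In the device.te hunk, `type vndbinder_device, dev_type;` is declared without the `mlstrustedobject` attribute that the neighbouring binder_device and hwbinder_device lines carry, so whatever MLS constraints apply to those two nodes will presumably apply differently to /dev/vndbinder. If that is deliberate (vendor clients not expected to carry MLS categories), a one-line comment above it such as `# deliberately not mlstrustedobject: vendor binder clients are not MLS-constrained` would stop the next reader from assuming it was overlooked. If it was an oversight, the attribute list should match the two lines above it.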
@@ -410,11 +410,15 @@ neverallow {
 -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
-# Only servicemanager/hwservicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager} *:binder set_context_mgr;
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
 # The service managers are only allowed to access their own device node
 neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
diff --git a/public/te_macros b/public/te_macros
index d31bb1dcedc96be6fe2ca3f1777ef3f6ad1e2138..aeb291613b98910a04a204cc2b2aa52b61844f51 100644
--- a/public/te_macros
+++ b/public/te_macros
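Review bot: The rewritten comment in the domain.te hunk, `# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager`, uses a regex-like shorthand that no longer matches any of the three type names when grepping; `# Only servicemanager, hwservicemanager and vndservicemanager may register with binder as the context manager` names the same domains explicitly. The six device-node neverallows that follow are pairwise symmetric (each manager is denied the other two nodes), which is the invariant to keep in sync if a further manager is ever added; a short comment stating that symmetry would make the intent checkable at a glance.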
@@ -293,6 +293,20 @@ get_prop($1, vold_prop)
 # all domains in domain.te.
 ')
 
+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:process getattr;
+')
+
 #####################################
 # binder_call(clientdomain, serverdomain)
 # Allow clientdomain to perform binder IPC to serverdomain.
diff --git a/public/vndservicemanager.te b/public/vndservicemanager.te
new file mode 100644
index 0000000000000000000000000000000000000000..6b9f73dc00b51adcf9a2f31713e285c009490a78
--- /dev/null
+++ b/public/vndservicemanager.te
@@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 4e74f009e457a2f493b1e468ebf9ed0893159463..a78134107f5ff1c357125eb92f56408257ec3f93 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -28,4 +28,5 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
-/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
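Review bot: The header comment of the new macro in the te_macros hunk, `# Allow domain to use Binder IPC.`, is copied from binder_use and does not say which binder it is about; `# Allow domain to use vendor Binder IPC (/dev/vndbinder, brokered by vndservicemanager).` distinguishes it. It is also worth recording in that header that this macro is the only place in the patch granting rw_file_perms on vndbinder_device (domain.te deliberately does not give it to `domain`, unlike binder_device), and that nothing in the macro body itself restricts the caller to vendor domains, so invoking it for a system-side domain crosses the vendor boundary; a line such as `# Intended for vendor domains only; see b/35870313` would make that expectation explicit at the point of use.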
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
new file mode 100644
index 0000000000000000000000000000000000000000..9357042f5d987fe91d21c67dcc2163c96840b927
--- /dev/null
+++ b/vendor/vndservicemanager.te
@@ -0,0 +1,14 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager_exec, exec_type, file_type;
+
+init_daemon_domain(vndservicemanager);
+
+allow vndservicemanager self:binder set_context_mgr;
+
+# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
+allow vndservicemanager { domain -init }:binder transfer;
+
+allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(vndservicemanager)
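Review bot: `allow vndservicemanager { domain -init }:binder transfer;` is the widest rule in the new file and, as the TODO above it says, lets the vendor context manager hand binder references to every domain except init until b/35870313 narrows it; the comment should also state why init is the sole exclusion so that nobody widens or shrinks the set by accident, e.g. `# TODO b/35870313: restrict to vendor domains. Until then every domain but init may receive references, matching the system-side managers.` (the "matching" part is an inference from the exclusion shape and should be confirmed). Separately, the file invokes `selinux_check_access(vndservicemanager)` but shows no read access to whatever service-name-to-label table vndservicemanager consults when deciding a lookup; if it loads such a file at runtime a read rule is missing here, and if it does not, a comment saying where the labels come from would help the reader. The `self:binder set_context_mgr` grant lines up with the exemption added to the neverallow in domain.te.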