diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index abb796faf..6c97fe2b8 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -48,6 +48,8 @@
 flags_health_check_exec
 fwk_bufferhub_hwservice
 fwk_stats_hwservice
+ gsi_data_file
+ gsi_metadata_file
 gsi_service
 gsid
 gsid_exec
diff --git a/private/file_contexts b/private/file_contexts
index d616285e6..233d5f48c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -438,6 +438,7 @@
 /data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/app-private(/.*)? u:object_r:apk_private_data_file:s0
 /data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
+/data/gsi(/.*)? u:object_r:gsi_data_file:s0
 /data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
 /data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
 /data/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -612,6 +613,7 @@
 #
 /metadata(/.*)? u:object_r:metadata_file:s0
 /metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
+/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
 #############################
 # asec containers
diff --git a/private/gsid.te b/private/gsid.te
index 5ac1c2521..0c2e50c78 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -7,4 +7,101 @@ typeattribute gsid coredomain;
 init_daemon_domain(gsid)
 binder_use(gsid)
+binder_service(gsid)
 add_service(gsid, gsi_service)
+
+# Needed to create/delete device-mapper nodes, and read/write to them.
+allow gsid dm_device:chr_file rw_file_perms;
+allow gsid dm_device:blk_file rw_file_perms;
+allow gsid self:global_capability_class_set sys_admin;
+dontaudit gsid self:global_capability_class_set dac_override;
+
+# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
+# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
+# file names.
+allow gsid sysfs_dm:dir r_dir_perms;
+
+# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
+allow gsid block_device:dir r_dir_perms;
+
+# liblp queries these block alignment properties.
+allowxperm gsid userdata_block_device:blk_file ioctl {
+ BLKIOMIN
+ BLKALIGNOFF
+};
+
+# gsi_tool passes the system image over the adb connection, via stdin.
+allow gsid adbd:fd use;
+
+# gsid needs to store images on /data, but cannot use file I/O. If it did, the
+# underlying blocks would be encrypted, and we couldn't mount the GSI image in
+# first-stage init. So instead of directly writing to /data, we:
+#
+# 1. fallocate a file large enough to hold the signed GSI
+# 2. extract its block layout with FIEMAP
+# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
+# 4. write system_gsi into that dm device
+#
+# To make this process work, we need to unwrap the device-mapper stacking for
+# userdata to reach the underlying block device. To verify the result we use
+# stat(), which requires read access.
+allow gsid userdata_block_device:blk_file r_file_perms;
+
+# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
+# init. It cannot use userdata since data cannot be decrypted during this
+# stage.
+#
+# gsid uses /metadata/gsi to store three files:
+# install_status - A short string indicating whether a GSI image is bootable.
+# lp_metadata - LpMetadata blob describing the block ranges on userdata
+# where system_gsi resides.
+# booted - An empty file that, if exists, indicates that a GSI is
+# currently running.
+#
+allow gsid metadata_file:dir search;
+allow gsid gsi_metadata_file:dir rw_dir_perms;
+allow gsid gsi_metadata_file:file create_file_perms;
+
+allow gsid gsi_data_file:dir rw_dir_perms;
+allow gsid gsi_data_file:file create_file_perms;
+allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} gsi_metadata_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
+
+neverallow {
+ domain
+ -gsid
+} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -gsid
+} gsi_data_file:dir *;
+
+neverallow {
+ domain
+ -gsid
+} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 1d77fd16b..5827c506f 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -47,6 +47,13 @@ recovery_only(`
 userdata_block_device
 }:blk_file { w_file_perms getattr ioctl };
+ # For disabling/wiping GSI.
+ allow fastbootd metadata_block_device:blk_file r_file_perms;
+ allow fastbootd {rootfs tmpfs}:dir mounton;
+ allow fastbootd metadata_file:dir search;
+ allow fastbootd gsi_metadata_file:dir r_dir_perms;
+ allow fastbootd gsi_metadata_file:file rw_file_perms;
+
 allowxperm fastbootd {
 system_block_device
 super_block_device
diff --git a/public/file.te b/public/file.te
index a8f113b50..073be0421 100644
--- a/public/file.te
+++ b/public/file.te
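Review bot: The second neverallow, `} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };`, is fully subsumed by the third, which forbids `*` on `{ gsi_data_file gsi_metadata_file }:notdevfile_class_set` for the identical domain set `{ domain -init -gsid -fastbootd -vold }`, so the getattr/relabelto carve-out it appears to leave open never takes effect. If the intent was that other core domains may still stat files under /metadata/gsi (the way the last rule leaves getattr open on gsi_data_file), the third rule should not name gsi_metadata_file; otherwise the second rule should be dropped so the policy reads the way it is enforced. Separately, the comment above `allow gsid userdata_block_device:blk_file r_file_perms;` justifies the grant with stat(), which needs only getattr, whereas r_file_perms also grants open/read of the raw userdata block device; if libfiemap_writer does read the device back, say so in the comment, otherwise narrow the rule to `allow gsid userdata_block_device:blk_file getattr;`.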
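Review bot: `allow fastbootd {rootfs tmpfs}:dir mounton;` lets fastbootd mount onto any rootfs or tmpfs directory, and the only explanation, `# For disabling/wiping GSI.`, does not say what is mounted where. Presumably this mounts the metadata partition (the `metadata_block_device:blk_file r_file_perms` grant just above) so that /metadata/gsi is reachable; the comment should name the mount point, e.g. `# For disabling/wiping GSI: mount the metadata partition and update /metadata/gsi.`, so a later reader can judge whether a dedicated mount-point type would be narrower. Note also that `gsi_metadata_file:file rw_file_perms` combined with only `r_dir_perms` on the directory allows overwriting the files but not creating or unlinking them; if "wiping" means deleting install_status or booted, that will be denied. These rules sit inside the `recovery_only(` block, which starts and ends outside the hunk.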
@@ -190,6 +190,8 @@ type vendor_idc_file, vendor_file_type, file_type;
 type metadata_file, file_type;
 # Vold files within /metadata
 type vold_metadata_file, file_type;
+# GSI files within /metadata
+type gsi_metadata_file, file_type;
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;
@@ -328,6 +330,7 @@ type update_engine_data_file, file_type, data_file_type, core_data_file_type;
 type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/trace for method traces on userdebug / eng builds
 type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type gsi_data_file, file_type, data_file_type, core_data_file_type;
 # /data/data subdirectories - app sandboxes
 type app_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/init.te b/public/init.te
index 67e6efa50..02302b2a7 100644
--- a/public/init.te
+++ b/public/init.te
@@ -173,6 +173,7 @@ allow init {
 file_type
 -app_data_file
 -exec_type
+ -gsi_data_file
 -iorapd_data_file
 -keystore_data_file
 -misc_logd_file
@@ -189,6 +190,7 @@ allow init {
 file_type
 -app_data_file
 -exec_type
+ -gsi_data_file
 -iorapd_data_file
 -keystore_data_file
 -misc_logd_file
@@ -206,6 +208,7 @@ allow init {
 file_type
 -app_data_file
 -exec_type
+ -gsi_data_file
 -iorapd_data_file
 -keystore_data_file
 -misc_logd_file
@@ -223,6 +226,7 @@ allow init {
 -apex_mnt_dir
 -app_data_file
 -exec_type
+ -gsi_data_file
 -iorapd_data_file
 -keystore_data_file
 -misc_logd_file
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b7c60c6f4..ba0941efe 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -53,6 +53,7 @@ allow vendor_init {
 -unlabeled
 -vendor_file_type
 -vold_metadata_file
+ -gsi_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
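Review bot: `type gsi_data_file, file_type, data_file_type, core_data_file_type;` in the second file.te hunk is the only declaration in that stretch without a path comment, while its neighbours carry one and the sibling `gsi_metadata_file` in the first hunk gets `# GSI files within /metadata`. Add `# /data/gsi - GSI images staged by gsid` above it (the path is the one this commit labels in file_contexts) so the type's location is documented the way the surrounding types are.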
@@ -66,6 +67,7 @@ allow vendor_init {
 -unlabeled
 -vendor_file_type
 -vold_metadata_file
+ -gsi_metadata_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
 allow vendor_init {
@@ -76,6 +78,7 @@ allow vendor_init {
 -unlabeled
 -vendor_file_type
 -vold_metadata_file
+ -gsi_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow vendor_init {
@@ -87,6 +90,7 @@ allow vendor_init {
 -unlabeled
 -vendor_file_type
 -vold_metadata_file
+ -gsi_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 allow vendor_init {
@@ -97,6 +101,7 @@ allow vendor_init {
 -system_file_type
 -vendor_file_type
 -vold_metadata_file
+ -gsi_metadata_file
 }:dir_file_class_set relabelto;
 allow vendor_init dev_type:dir create_dir_perms;
diff --git a/public/vold.te b/public/vold.te
index c540dd205..801c2def9 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -240,6 +240,10 @@ allow vold mnt_vendor_file:dir search;
 dontaudit vold self:global_capability_class_set sys_resource;
+# vold needs to know whether we're running a GSI.
+allow vold gsi_metadata_file:dir r_dir_perms;
+allow vold gsi_metadata_file:file r_file_perms;
+
 neverallow {
 domain
 -vold