diff --git a/private/property_contexts b/private/property_contexts
index 53a3d4bf9..61a3aedfd 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1547,6 +1547,12 @@ persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact strin
 persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
 persist.vendor.face.virtual.enrollments u:object_r:virtual_face_hal_prop:s0 exact string
 persist.vendor.face.virtual.features u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.lockout_enable u:object_r:virtual_face_hal_prop:s0 exact bool
+persist.vendor.face.virtual.lockout_timed_enable u:object_r:virtual_face_hal_prop:s0 exact bool
+persist.vendor.face.virtual.lockout_timed_threshold u:object_r:virtual_face_hal_prop:s0 exact int
+persist.vendor.face.virtual.lockout_timed_duration u:object_r:virtual_face_hal_prop:s0 exact int
+persist.vendor.face.virtual.lockout_permanent_threshold u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.no_human_face_detected u:object_r:virtual_face_hal_prop:s0 exact bool
 vendor.face.virtual.enrollment_hit u:object_r:virtual_face_hal_prop:s0 exact int
 vendor.face.virtual.operation_start_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact int
 vendor.face.virtual.next_enrollment u:object_r:virtual_face_hal_prop:s0 exact string
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index 66ce40caa..3d608cd10 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -7,4 +7,9 @@ init_daemon_domain(hal_face_default)
 # android.frameworks.sensorservice through libsensorndkbridge
 allow hal_face_default fwk_sensor_service:service_manager find;
 
-set_prop(hal_face_default, virtual_face_hal_prop)
+# virtual_face_hal_prop is only for debuggable builds
+userdebug_or_eng(`set_prop(hal_face_default, virtual_face_hal_prop)');
+neverallow { domain -init -dumpstate userdebug_or_eng(`-hal_face_default') not_compatible_property(`-vendor_init') } virtual_face_hal_prop:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-hal_face_default') not_compatible_property(`-vendor_init') } virtual_face_hal_prop:property_service set;
+
+