diff --git a/prebuilts/api/31.0/private/access_vectors b/prebuilts/api/31.0/private/access_vectors
index 22f2ffa1d..5ff7aef53 100644
--- a/prebuilts/api/31.0/private/access_vectors
+++ b/prebuilts/api/31.0/private/access_vectors
@@ -726,6 +726,7 @@ class keystore2
 	get_state
 	list
 	lock
+	pull_metrics
 	report_off_body
 	reset
 	unlock
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
index 11260ba99..448482318 100644
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
+++ b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
@@ -70,6 +70,7 @@
     hw_timeout_multiplier_prop
     keystore_compat_hal_service
     keystore_maintenance_service
+    keystore_metrics_service
     keystore2_key_contexts_file
     legacy_permission_service
     legacykeystore_service
diff --git a/prebuilts/api/31.0/private/service_contexts b/prebuilts/api/31.0/private/service_contexts
index f3bddd9fc..6d2b6a8c4 100644
--- a/prebuilts/api/31.0/private/service_contexts
+++ b/prebuilts/api/31.0/private/service_contexts
@@ -39,6 +39,7 @@ android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.security.legacykeystore           u:object_r:legacykeystore_service:s0
 android.security.maintenance              u:object_r:keystore_maintenance_service:s0
+android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 app_binding                               u:object_r:app_binding_service:s0
diff --git a/prebuilts/api/31.0/private/system_server.te b/prebuilts/api/31.0/private/system_server.te
index f35f9a8d9..73301c1e9 100644
--- a/prebuilts/api/31.0/private/system_server.te
+++ b/prebuilts/api/31.0/private/system_server.te
@@ -853,6 +853,7 @@ allow system_server incremental_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server iorapd_service:service_manager find;
 allow system_server keystore_maintenance_service:service_manager find;
+allow system_server keystore_metrics_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediametrics_service:service_manager find;
@@ -903,6 +904,7 @@ allow system_server keystore:keystore2 {
 	clear_uid
 	get_state
 	lock
+	pull_metrics
 	reset
 	unlock
 };
diff --git a/prebuilts/api/31.0/public/keystore.te b/prebuilts/api/31.0/public/keystore.te
index 43ee28d27..b7d509059 100644
--- a/prebuilts/api/31.0/public/keystore.te
+++ b/prebuilts/api/31.0/public/keystore.te
@@ -20,6 +20,7 @@ add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
 add_service(keystore, keystore_maintenance_service)
+add_service(keystore, keystore_metrics_service)
 add_service(keystore, legacykeystore_service)
 
 # Check SELinux permissions.
diff --git a/prebuilts/api/31.0/public/service.te b/prebuilts/api/31.0/public/service.te
index 967e6c4e3..8121d04b9 100644
--- a/prebuilts/api/31.0/public/service.te
+++ b/prebuilts/api/31.0/public/service.te
@@ -20,6 +20,7 @@ type installd_service,          service_manager_type;
 type credstore_service,         app_api_service, service_manager_type;
 type keystore_compat_hal_service, service_manager_type;
 type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
 type keystore_service,          service_manager_type;
 type legacykeystore_service,    service_manager_type;
 type lpdump_service,            service_manager_type;
diff --git a/private/access_vectors b/private/access_vectors
index 22f2ffa1d..5ff7aef53 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -726,6 +726,7 @@ class keystore2
 	get_state
 	list
 	lock
+	pull_metrics
 	report_off_body
 	reset
 	unlock
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 3eabcb0cf..c943973da 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -73,6 +73,7 @@
     hw_timeout_multiplier_prop
     keystore_compat_hal_service
     keystore_maintenance_service
+    keystore_metrics_service
     keystore2_key_contexts_file
     legacy_permission_service
     legacykeystore_service
diff --git a/private/service_contexts b/private/service_contexts
index e6b88c277..f8c160774 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -39,6 +39,7 @@ android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
 android.security.legacykeystore           u:object_r:legacykeystore_service:s0
 android.security.maintenance              u:object_r:keystore_maintenance_service:s0
+android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 app_binding                               u:object_r:app_binding_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index d76a2a8ef..bea51d71f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -853,6 +853,7 @@ allow system_server incremental_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server iorapd_service:service_manager find;
 allow system_server keystore_maintenance_service:service_manager find;
+allow system_server keystore_metrics_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediametrics_service:service_manager find;
@@ -903,6 +904,7 @@ allow system_server keystore:keystore2 {
 	clear_uid
 	get_state
 	lock
+	pull_metrics
 	reset
 	unlock
 };
diff --git a/public/keystore.te b/public/keystore.te
index 43ee28d27..b7d509059 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -20,6 +20,7 @@ add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
 add_service(keystore, keystore_maintenance_service)
+add_service(keystore, keystore_metrics_service)
 add_service(keystore, legacykeystore_service)
 
 # Check SELinux permissions.
diff --git a/public/service.te b/public/service.te
index f7b2ef51b..756c31cc9 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,6 +21,7 @@ type installd_service,          service_manager_type;
 type credstore_service,         app_api_service, service_manager_type;
 type keystore_compat_hal_service, service_manager_type;
 type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
 type keystore_service,          service_manager_type;
 type legacykeystore_service,    service_manager_type;
 type lpdump_service,            service_manager_type;