diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 05ec95cc0..e5c6aee2c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -205,11 +205,11 @@ neverallow all_untrusted_apps system_file:file lock;
 # other than find actions for services listed below
 neverallow all_untrusted_apps *:hwservice_manager ~find;
 
-# Do not permit access from apps which host arbitrary code to HwBinder services,
-# except those considered sufficiently safe for access from such apps.
+# Do not permit access from apps which host arbitrary code to the protected HwBinder
+# services.
 # The two main reasons for this are:
-# 1. HwBinder servers do not perform client authentication because HIDL
-# currently does not expose caller UID information and, even if it did, many
+# 1. Protected HwBinder servers do not perform client authentication because HIDL
+# currently does not expose caller UID information and, even if it did, those
 # HwBinder services either operate at a level below that of apps (e.g., HALs)
 # or must not rely on app identity for authorization. Thus, to be safe, the
 # default assumption is that every HwBinder service treats all its clients as
@@ -218,37 +218,7 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 # incidence rate of security issues than system/core components and have
 # access to lower layes of the stack (all the way down to hardware) thus
 # increasing opportunities for bypassing the Android security model.
-#
-# Safe services include:
-# - same process services: because they by definition run in the process
-# of the client and thus have the same access as the client domain in which
-# the process runs
-# - coredomain_hwservice: are considered safe because they do not pose risks
-# associated with reason #2 above.
-# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
-# designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-# by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-# Binder service which apps were permitted to access.
-# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
-neverallow all_untrusted_apps {
- hwservice_manager_type
- -fwk_bufferhub_hwservice
- -hal_cas_hwservice
- -hal_codec2_hwservice
- -hal_configstore_ISurfaceFlingerConfigs
- -hal_graphics_allocator_hwservice
- -hal_graphics_mapper_hwservice
- -hal_neuralnetworks_hwservice
- -hal_omx_hwservice
- -hal_renderscript_hwservice
- -hidl_allocator_hwservice
- -hidl_manager_hwservice
- -hidl_memory_hwservice
- -hidl_token_hwservice
- -untrusted_app_visible_hwservice_violators
-}:hwservice_manager find;
+neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
 
 neverallow all_untrusted_apps {
 vendor_service
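Review bot: The replacement rule `neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;` changes the policy's failure mode: the removed rule denied every hwservice_manager_type except an explicit allowlist, so an allow granting untrusted apps find on a new hwservice type failed the neverallow check unless the type was deliberately listed, whereas now a type that simply omits protected_hwservice passes that check and the omission is invisible at policy-build time. The allowlist is also what made untrusted_app_visible_hwservice_violators an explicit, reviewable exception; under the attribute scheme a device-defined type gets the same effect by leaving the attribute off. Consider keeping a build-time invariant that every hwservice_manager_type is protected_hwservice, same_process_hwservice, or one of the named exemptions, and pointing readers of this rule to where the exemptions are justified, e.g. `# Types without protected_hwservice are listed and justified in public/hwservice.te.` The same loss of a deny-by-default guard applies to the next hunk, which drops the full_treble_only `binder { call transfer }` neverallow against halserverdomain without a protected-attribute replacement in this change.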
@@ -257,24 +227,6 @@ neverallow all_untrusted_apps {
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 
-# Restrict *Binder access from apps to HAL domains. We can only do this on full
-# Treble devices where *Binder communications between apps and HALs are tightly
-# restricted.
-full_treble_only(`
- neverallow all_untrusted_apps {
- halserverdomain
- -coredomain
-hal_cas_server
-hal_codec2_server
-hal_configstore_server
-hal_graphics_allocator_server
-hal_neuralnetworks_server
-hal_omx_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-untrusted_app_visible_halserver_violators
- }:binder { call transfer };
-')
-
 # Access to /proc/tty/drivers, to allow apps to determine if they
 # are running in an emulated environment.
 # b/33214085 b/33814662 b/33791054 b/33211769
diff --git a/public/attributes b/public/attributes
index 3bf04cf5f..62ccd4a26 100644
--- a/public/attributes
+++ b/public/attributes
@@ -120,6 +120,9 @@ attribute same_process_hwservice;
 # All HwBinder services guaranteed to be offered only by core domain components
 attribute coredomain_hwservice;
 
+# All HwBinder services that untrusted apps can't directly access
+attribute protected_hwservice;
+
 # All types used for services managed by vndservicemanager
 attribute vndservice_manager_type;
 
diff --git a/public/hwservice.te b/public/hwservice.te
index 7d395d95f..b86dcd734 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
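Review bot: The new attribute's comment `# All HwBinder services that untrusted apps can't directly access` states the effect but not the obligation on type authors, which matters because the neverallow in private/app_neverallows.te now keys on this attribute and a type that omits it is no longer denied by that rule. Suggest `# All HwBinder services that untrusted apps can't directly access. Every new hwservice type must carry this attribute unless its exemption is documented in public/hwservice.te.`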
@@ -1,77 +1,94 @@
-type default_android_hwservice, hwservice_manager_type;
+# hwservice types. By default most of the HALs are protected_hwservice, which means
+# access from untrusted apps is prohibited.
+type default_android_hwservice, hwservice_manager_type, protected_hwservice;
+type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_drm_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
+type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type, protected_hwservice;
+
+# Following is the hwservices that are explicitly not marked with protected_hwservice.
+# These are directly accessible from untrusted apps.
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safer than ordinary hwservices which
+# are from vendor partition
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_atrace_hwservice, hwservice_manager_type;
-type hal_audiocontrol_hwservice, hwservice_manager_type;
-type hal_audio_hwservice, hwservice_manager_type;
-type hal_authsecret_hwservice, hwservice_manager_type;
-type hal_bluetooth_hwservice, hwservice_manager_type;
-type hal_bootctl_hwservice, hwservice_manager_type;
-type hal_broadcastradio_hwservice, hwservice_manager_type;
-type hal_camera_hwservice, hwservice_manager_type;
-type hal_can_bus_hwservice, hwservice_manager_type;
-type hal_can_controller_hwservice, hwservice_manager_type;
+type hal_cas_hwservice, hwservice_manager_type;
 type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
-type hal_confirmationui_hwservice, hwservice_manager_type;
-type hal_contexthub_hwservice, hwservice_manager_type;
-type hal_drm_hwservice, hwservice_manager_type;
-type hal_cas_hwservice, hwservice_manager_type;
-type hal_dumpstate_hwservice, hwservice_manager_type;
-type hal_evs_hwservice, hwservice_manager_type;
-type hal_face_hwservice, hwservice_manager_type;
-type hal_fingerprint_hwservice, hwservice_manager_type;
-type hal_gatekeeper_hwservice, hwservice_manager_type;
-type hal_gnss_hwservice, hwservice_manager_type;
 type hal_graphics_allocator_hwservice, hwservice_manager_type;
-type hal_graphics_composer_hwservice, hwservice_manager_type;
 type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_health_hwservice, hwservice_manager_type;
-type hal_health_storage_hwservice, hwservice_manager_type;
-type hal_input_classifier_hwservice, hwservice_manager_type;
-type hal_ir_hwservice, hwservice_manager_type;
-type hal_keymaster_hwservice, hwservice_manager_type;
-type hal_light_hwservice, hwservice_manager_type;
-type hal_lowpan_hwservice, hwservice_manager_type;
-type hal_memtrack_hwservice, hwservice_manager_type;
 type hal_neuralnetworks_hwservice, hwservice_manager_type;
-type hal_nfc_hwservice, hwservice_manager_type;
-type hal_oemlock_hwservice, hwservice_manager_type;
 type hal_omx_hwservice, hwservice_manager_type;
-type hal_power_hwservice, hwservice_manager_type;
-type hal_power_stats_hwservice, hwservice_manager_type;
 type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_secure_element_hwservice, hwservice_manager_type;
-type hal_sensors_hwservice, hwservice_manager_type;
-type hal_telephony_hwservice, hwservice_manager_type;
-type hal_tetheroffload_hwservice, hwservice_manager_type;
-type hal_thermal_hwservice, hwservice_manager_type;
-type hal_tv_cec_hwservice, hwservice_manager_type;
-type hal_tv_input_hwservice, hwservice_manager_type;
-type hal_tv_tuner_hwservice, hwservice_manager_type;
-type hal_usb_hwservice, hwservice_manager_type;
-type hal_usb_gadget_hwservice, hwservice_manager_type;
-type hal_vehicle_hwservice, hwservice_manager_type;
-type hal_vibrator_hwservice, hwservice_manager_type;
-type hal_vr_hwservice, hwservice_manager_type;
-type hal_weaver_hwservice, hwservice_manager_type;
-type hal_wifi_hwservice, hwservice_manager_type;
-type hal_wifi_hostapd_hwservice, hwservice_manager_type;
-type hal_wifi_supplicant_hwservice, hwservice_manager_type;
 type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_base_hwservice, hwservice_manager_type;
 type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
-type thermalcallback_hwservice, hwservice_manager_type;
 
 ###
 ### Neverallow rules
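Review bot: `type hidl_base_hwservice, hwservice_manager_type;` is left unchanged and so gains no protected_hwservice, yet it was not on the exclusion list removed from private/app_neverallows.te, so the old neverallow covered it and the new attribute-keyed rule does not; unless the attribute is added elsewhere, this hunk silently drops that restriction, and the line should read `type hidl_base_hwservice, hwservice_manager_type, protected_hwservice;` or the exemption needs an entry in the comment block. That comment block also omits hal_cas_hwservice and hal_neuralnetworks_hwservice, both left without the attribute here, and its `coredomain_hwservice: are considered safer` bullet no longer matches the file, since fwk_camera_hwservice, system_ashmem_hwservice and the other core types in this hunk are marked protected_hwservice, so coredomain_hwservice is not by itself the exemption criterion. The typo `becuase` is carried over from the removed comment, and `Following is the hwservices that are` should read `The following hwservices are`.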