diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 73679f662..1879468af 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -30,6 +30,7 @@
     content_capture_service
     content_suggestions_service
     cpu_variant_prop
+    ctl_gsid_prop
     dev_cpu_variant
     device_config_activity_manager_native_boot_prop
     device_config_boot_count_prop
diff --git a/private/property_contexts b/private/property_contexts
index a34a52c3f..b3214c8e0 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -127,6 +127,11 @@ ctl.start$adbd             u:object_r:ctl_adbd_prop:s0
 ctl.stop$adbd              u:object_r:ctl_adbd_prop:s0
 ctl.restart$adbd           u:object_r:ctl_adbd_prop:s0
 
+# Restrict access to starting/stopping gsid.
+ctl.start$gsid          u:object_r:ctl_gsid_prop:s0
+ctl.stop$gsid           u:object_r:ctl_gsid_prop:s0
+ctl.restart$gsid        u:object_r:ctl_gsid_prop:s0
+
 # NFC properties
 nfc.                    u:object_r:nfc_prop:s0
 
diff --git a/private/system_server.te b/private/system_server.te
index 22dcac879..7540d5671 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -585,6 +585,7 @@ userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 # ctl interface
 set_prop(system_server, ctl_default_prop)
 set_prop(system_server, ctl_bugreport_prop)
+set_prop(system_server, ctl_gsid_prop)
 
 # cppreopt property
 set_prop(system_server, cppreopt_prop)
diff --git a/public/property.te b/public/property.te
index 74c9bc5fd..a549ef130 100644
--- a/public/property.te
+++ b/public/property.te
@@ -15,6 +15,7 @@ type ctl_console_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
 type ctl_fuse_prop, property_type;
+type ctl_gsid_prop, property_type;
 type ctl_interface_restart_prop, property_type;
 type ctl_interface_start_prop, property_type;
 type ctl_interface_stop_prop, property_type;
@@ -362,6 +363,7 @@ compatible_property_only(`
     -ctl_default_prop
     -ctl_dumpstate_prop
     -ctl_fuse_prop
+    -ctl_gsid_prop
     -ctl_interface_restart_prop
     -ctl_interface_start_prop
     -ctl_interface_stop_prop
diff --git a/public/shell.te b/public/shell.te
index dc530497b..4c76059b7 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -78,6 +78,8 @@ userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
 # Allow shell to start/stop heapprofd via the persist.heapprofd.enable
 # property.
 set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
+set_prop(shell, ctl_gsid_prop)
 
 userdebug_or_eng(`
   # "systrace --boot" support - allow boottrace service to run