diff --git a/blkid.te b/blkid.te
index 54f6bc205..15b6a85eb 100644
--- a/blkid.te
+++ b/blkid.te
@@ -2,15 +2,19 @@ type blkid, domain;
 type blkid_exec, exec_type, file_type;
 
-# Allowed read-only access to vold block devices to extract UUID/label
+# Allowed read-only access to encrypted devices to extract UUID/label
 allow blkid block_device:dir search;
-allow blkid vold_device:blk_file r_file_perms;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
 
 # Allow stdin/out back to vold
 allow blkid vold:fd use;
 allow blkid vold:fifo_file { read write getattr };
 
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
 # Only allow entry from vold
 neverallow { domain -vold } blkid:process transition;
 neverallow domain blkid:process dyntransition;
-neverallow blkid { file_type fs_type -blkid_exec }:file entrypoint;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/blkid_untrusted.te b/blkid_untrusted.te
new file mode 100644
index 000000000..df8e447f9
--- /dev/null
+++ b/blkid_untrusted.te
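Review bot: Adding `-shell_exec` to the entrypoint neverallow means the trusted blkid domain is now entered through the shell started by popen(), not through the blkid binary, so whatever command line vold hands to that shell runs with blkid's read access to userdata_block_device and dm_device, and the new `rx_file_perms` on blkid_exec then lets the shell exec blkid with no further transition. The "Only allow entry from vold" comment still reads as if the binary were the entrypoint and nothing records this change of trust boundary. Suggest a comment on the neverallow line: `# Entered via shell_exec (popen) from vold; the shell execs blkid_exec in-domain, so the popen() command must be built by vold from trusted inputs`. The same shell_exec exception appears in blkid_untrusted.te below.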
@@ -0,0 +1,36 @@
+# blkid for untrusted block devices
+type blkid_untrusted, domain;
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+  dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow domain blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/fsck.te b/fsck.te
index 6a3d1ee44..8c1aaf361 100644
--- a/fsck.te
+++ b/fsck.te
@@ -11,10 +11,15 @@ allow fsck tmpfs:chr_file { read write ioctl };
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck devpts:chr_file { read write ioctl getattr };
 
+# Allow stdin/out back to vold
+allow fsck vold:fd use;
+allow fsck vold:fifo_file { read write getattr };
+
 # Run fsck on certain block devices
 allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck dm_device:blk_file rw_file_perms;
 
 ###
 ### neverallow rules
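Review bot: The neverallow protecting sensitive block devices is an enumerated list of types, so any block device type added to the policy later sits outside this restriction unless someone remembers to extend the list (it already differs from the deleted vold_fsck.te list by including dm_device). A maintenance comment above the block would help: `# Keep in sync with fsck_untrusted.te; any new block device type holding sensitive data must be listed here`. The comment "Allowed read-only access to vold block devices" is accurate for this domain, which only gets vold_device, but the header could say that this is the variant vold selects for untrusted media so the split from blkid.te is obvious. The same enumerated-list point applies to the neverallow block in fsck_untrusted.te.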
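Review bot: `allow fsck dm_device:blk_file rw_file_perms;` gives the trusted fsck domain write access to device-mapper devices under a comment ("Run fsck on certain block devices") that no longer explains why those devices are acceptable here, while the parallel blkid.te change calls userdata_block_device and dm_device "encrypted devices". Suggest `# Run fsck on internal block devices (userdata, cache, dm-mapped encrypted volumes); untrusted vold_device media goes through fsck_untrusted` so the division of labour is documented where the access is granted. The fsck neverallow block begins below this hunk; it presumably does not list dm_device, otherwise the policy would no longer build.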
@@ -32,7 +37,7 @@ neverallow fsck {
   vold_device
 }:blk_file no_rw_file_perms;
 
-# Only allow entry from init via fsck binaries
-neverallow { domain -init } fsck:process transition;
+# Only allow entry from init or vold via fsck binaries
+neverallow { domain -init -vold } fsck:process transition;
 neverallow domain fsck:process dyntransition;
 neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
new file mode 100644
index 000000000..67c67b762
--- /dev/null
+++ b/fsck_untrusted.te
@@ -0,0 +1,36 @@
+# Any fsck program run on untrusted block devices
+type fsck_untrusted, domain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck_untrusted vold:fd use;
+allow fsck_untrusted vold:fifo_file { read write getattr };
+
+# Run fsck on vold block devices
+allow fsck_untrusted block_device:dir search;
+allow fsck_untrusted vold_device:blk_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted fsck should never be run on block devices holding sensitive data
+neverallow fsck_untrusted {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+  dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } fsck_untrusted:process transition;
+neverallow domain fsck_untrusted:process dyntransition;
+neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/vold.te b/vold.te
index c2bd06487..dfdc3d977 100644
--- a/vold.te
+++ b/vold.te
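Review bot: Relaxing the transition neverallow to `{ domain -init -vold }` lets vold enter the trusted fsck domain, which holds rw_file_perms on userdata_block_device, cache_block_device and (after this commit) dm_device, as well as fsck_untrusted; the policy cannot express which of the two vold uses for a given device, because that choice is made in vold with setexec (see vold.te). The comment should record the expectation rather than only the new caller: `# Only allow entry from init or vold via fsck binaries; vold is expected to use fsck_untrusted for vold_device media`. The neverallow block this hunk's context belongs to starts above the hunk.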
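Review bot: The header comment "Any fsck program run on untrusted block devices" does not say why a separate domain is needed, so a later reader could be tempted to fold it back into fsck. Suggest `# fsck parses filesystem metadata from media vold does not trust, so this domain gets only vold_device and is neverallow'd from every internal block device`. Unlike blkid_untrusted.te, the entrypoint neverallow here stays pinned to fsck_exec with no shell_exec exception, which is the stricter of the two and worth keeping that way.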
@@ -6,9 +6,20 @@ init_daemon_domain(vold)
 
 # Switch to more restrictive domains when executing common tools
 domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, blkid_exec, blkid);
 domain_auto_trans(vold, sdcardd_exec, sdcardd);
-domain_auto_trans(vold, fsck_exec, vold_fsck);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, shell_exec, blkid);
+domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Allow us to jump into execution domains of above tools
+allow vold self:process setexec;
+
+# For sgdisk launched through popen()
+allow vold shell_exec:file rx_file_perms;
 
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
@@ -58,9 +69,6 @@ allow vold domain:{ file lnk_file } r_file_perms;
 allow vold domain:process { signal sigkill };
 allow vold self:capability { sys_ptrace kill };
 
-# For blkid and sgdisk
-allow vold shell_exec:file rx_file_perms;
-
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
 
diff --git a/vold_fsck.te b/vold_fsck.te
deleted file mode 100644
index e45c52710..000000000
--- a/vold_fsck.te
+++ /dev/null
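Review bot: Replacing domain_auto_trans with domain_trans plus `allow vold self:process setexec;` moves the trusted/untrusted decision out of the policy: no type_transition forces a domain change any more, vold picks blkid versus blkid_untrusted and fsck versus fsck_untrusted per call, and the neverallows in the *_untrusted files only bound whichever domain vold chose. The comment "For a handful of probing tools, we choose an even more restrictive domain" should make that explicit, e.g. `# No type_transition here: vold selects the target domain with setexec before exec, so vold's choice of the _untrusted variant for vold_device media is the control, not this policy`. If vold ever skips setexec the exec presumably fails rather than running the tool inside the vold domain, since domain_trans grants execute but not execute_no_trans on fsck_exec and this hunk gives vold no execute permission on blkid_exec at all; worth confirming in a CTS-style neverallow or a comment.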
@@ -1,35 +0,0 @@
-# Any fsck program run by vold
-type vold_fsck, domain;
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow vold_fsck devpts:chr_file { read write ioctl getattr };
-
-# Run fsck on certain block devices
-allow vold_fsck block_device:dir search;
-allow vold_fsck vold_device:blk_file rw_file_perms;
-
-# Allow stdin/out back to vold
-allow vold_fsck vold:fd use;
-allow vold_fsck vold:fifo_file { read write getattr };
-
-###
-### neverallow rules
-###
-
-# fsck should never be run on these block devices
-neverallow vold_fsck {
-  boot_block_device
-  frp_block_device
-  metadata_block_device
-  recovery_block_device
-  root_block_device
-  swap_block_device
-  system_block_device
-  userdata_block_device
-  cache_block_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via fsck binaries
-neverallow { domain -vold } vold_fsck:process transition;
-neverallow domain vold_fsck:process dyntransition;
-neverallow vold_fsck { file_type fs_type -fsck_exec }:file entrypoint;