diff --git a/private/adbd.te b/private/adbd.te
index 864358a57..685b2cc24 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -42,6 +42,10 @@ net_domain(adbd)
 # Access /dev/usb-ffs/adb/ep0
 allow adbd functionfs:dir search;
 allow adbd functionfs:file rw_file_perms;
+allowxperm adbd functionfs:file ioctl {
+ FUNCTIONFS_ENDPOINT_DESC
+ FUNCTIONFS_CLEAR_HALT
+};
 # Use a pseudo tty.
 allow adbd devpts:chr_file rw_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 16cc09884..db0c8cbb7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -291,6 +291,23 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 # separately.
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+# All domains must clearly enumerate what ioctls they use
+# on plain files and directories
+allowxperm domain { file_type fs_type }:{ dir file } ioctl { 0 };
+
+# Support sqlite F2FS specific optimizations
+# ioctl permission on the specific file type is still required
+# TODO: consider only compiling these rules if we know the
+# /data partition is F2FS
+allowxperm domain file_type:file ioctl {
+ F2FS_IOC_ABORT_VOLATILE_WRITE
+ F2FS_IOC_COMMIT_ATOMIC_WRITE
+ F2FS_IOC_GET_FEATURES
+ F2FS_IOC_GET_PIN_FILE
+ F2FS_IOC_SET_PIN_FILE
+ F2FS_IOC_START_ATOMIC_WRITE
+};
+
 # Workaround for policy compiler being too aggressive and removing hwservice_manager_type
 # when it's not explicitly used in allow rules
 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
diff --git a/public/init.te b/public/init.te
index 18d11b6c6..215246ba9 100644
--- a/public/init.te
+++ b/public/init.te
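Review bot: The `allowxperm adbd functionfs:file ioctl { ... }` rule added in private/adbd.te carries no comment, unlike the allowlists this change adds in the other files. If functionfs carries the `fs_type` attribute, as seems likely, the new `ioctl { 0 }` rule in public/domain.te turns on ioctl filtering for it, so these two commands become the complete set adbd may issue on the endpoint files. A line such as `# ioctls adbd issues on the FunctionFS endpoint files; any other command is denied` above the rule would record why exactly these two are listed.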
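Review bot: The second rule added in public/domain.te grants six F2FS ioctls to every domain on every `file_type:file`, which is the widest scope possible for the allowlist that the first rule has just switched on. The comment justifies them as sqlite optimizations, but `F2FS_IOC_GET_PIN_FILE` and `F2FS_IOC_SET_PIN_FILE` do not look sqlite-related (an inference; confirm against the callers), and if only a few system domains need them they belong in those domains' policy rather than in `domain`. The first comment should also say that `{ 0 }` is a placeholder, e.g. `# ioctl 0 is a dummy entry: once any allowxperm rule exists for a class, unlisted ioctl commands are denied`, so nobody later removes it as meaningless.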
@@ -500,6 +500,12 @@ allow init init:key { write search setattr };
 # Allow init to create /data/unencrypted
 allow init unencrypted_data_file:dir create_dir_perms;
+# Set encryption policy on dirs in /data
+allowxperm init data_file_type:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+};
+
 # Allow init to write to /proc/sys/vm/overcommit_memory
 allow init proc_overcommit_memory:file { write };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index dfd4d8fa8..01c2f17fd 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -35,6 +35,12 @@ allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 allow vendor_init unencrypted_data_file:dir search;
 allow vendor_init unencrypted_data_file:file r_file_perms;
+# Set encryption policy on dirs in /data
+allowxperm vendor_init data_file_type:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+};
+
 allow vendor_init system_data_file:dir getattr;
 allow vendor_init {
diff --git a/public/vold.te b/public/vold.te
index cd2d4f745..8f50e6aea 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -43,6 +43,16 @@ allow vold shell_exec:file rx_file_perms;
 # For formatting adoptable storage devices
 allow vold e2fs_exec:file rx_file_perms;
+# Run fstrim on mounted partitions
+# allowxperm still requires the ioctl permission for the individual type
+allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
+
+# Get encryption policy for dirs in /data
+allowxperm vold data_file_type:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+};
+
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
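Review bot: The two-command set `{ FS_IOC_GET_ENCRYPTION_POLICY FS_IOC_SET_ENCRYPTION_POLICY }` on `data_file_type:dir` is spelled out in public/init.te and then repeated verbatim in the public/vendor_init.te and public/vold.te hunks. Defining it once as a named set, the way `unpriv_tty_ioctls` is used in public/domain.te, would stop the three domains drifting apart when a command is added or removed; each rule would then read like `allowxperm init data_file_type:dir ioctl fscrypt_policy_ioctls;` (set name illustrative). It is also worth confirming that vendor_init needs `FS_IOC_SET_ENCRYPTION_POLICY` on every `data_file_type` directory rather than only on vendor-owned data types, since that is the command that changes state.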
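Review bot: The comment above the second rule added in public/vold.te says `# Get encryption policy for dirs in /data`, but the rule also grants `FS_IOC_SET_ENCRYPTION_POLICY`. If vold only reads the policy, drop the SET command so the allowlist matches the stated intent; if it does set policies, the comment should read `# Get and set encryption policy for dirs in /data`. A mismatch between comment and allowlist is the kind of thing that lets an unneeded permission survive later audits.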