diff --git a/private/atrace.te b/private/atrace.te
index 37e9702a3..a60370d78 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -33,6 +33,7 @@ allow atrace {
 service_manager_type
 -apex_service
 -incident_service
+ -iorapd_service
 -netd_service
 -stats_service
 -dumpstate_service
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f985d958c..54edb40b8 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -89,6 +89,11 @@
 hal_wifi_offload_hwservice
 incident_helper
 incident_helper_exec
+ iorapd
+ iorapd_data_file
+ iorapd_exec
+ iorapd_service
+ iorapd_tmpfs
 kmsg_debug_device
 last_boot_reason_prop
 llkd
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index df3f95aed..1df6a0e52 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -80,6 +80,11 @@
 hal_wifi_hostapd_hwservice
 incident_helper
 incident_helper_exec
+ iorapd
+ iorapd_data_file
+ iorapd_exec
+ iorapd_service
+ iorapd_tmpfs
 last_boot_reason_prop
 llkd
 llkd_exec
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index c1b126b20..e02421d90 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -31,6 +31,11 @@
 llkd_prop
 llkd_tmpfs
 looper_stats_service
+ iorapd
+ iorapd_exec
+ iorapd_data_file
+ iorapd_service
+ iorapd_tmpfs
 mnt_product_file
 overlayfs_file
 recovery_socket
diff --git a/private/file_contexts b/private/file_contexts
index 264735d6d..3b852136f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
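Review bot: The five `iorapd*` entries in 28.0.ignore.cil are inserted after `looper_stats_service`, which breaks the alphabetical order that the visible neighbours (`llkd_prop`, `llkd_tmpfs`, …, `mnt_product_file`) and the 26.0/27.0 hunks keep, and the order inside the block also differs (`iorapd_exec` before `iorapd_data_file` here, the reverse in the other two files). Moving the block to sit before the `llkd*` entries and using the 26.0/27.0 order (`iorapd`, `iorapd_data_file`, `iorapd_exec`, `iorapd_service`, `iorapd_tmpfs`) keeps the three ignore lists diffable against each other. That 28.0 is sorted throughout is inferred from the context lines only.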
@@ -273,6 +273,7 @@
 # patchoat executable has (essentially) the same requirements as dex2oat.
 /system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
 /system/bin/profman(d)? u:object_r:profman_exec:s0
+/system/bin/iorapd u:object_r:iorapd_exec:s0
 /system/bin/sgdisk u:object_r:sgdisk_exec:s0
 /system/bin/blkid u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -451,6 +452,7 @@
 /data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
 /data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)? u:object_r:vold_data_file:s0
+/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
 /data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
 /data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
@@ -516,6 +518,9 @@
 /data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
 /data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
 
+# iorapd per-user data
+/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
+
 #############################
 # efs files
 #
diff --git a/private/iorapd.te b/private/iorapd.te
new file mode 100644
index 000000000..602da03de
--- /dev/null
+++ b/private/iorapd.te
@@ -0,0 +1,3 @@
+typeattribute iorapd coredomain;
+
+init_daemon_domain(iorapd)
diff --git a/private/service_contexts b/private/service_contexts
index b68ab8e26..1398b1936 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -70,6 +70,7 @@ inputflinger u:object_r:inputflinger_service:s0
 input_method u:object_r:input_method_service:s0
 input u:object_r:input_service:s0
 installd u:object_r:installd_service:s0
+iorapd u:object_r:iorapd_service:s0
 iphonesubinfo_msim u:object_r:radio_service:s0
 iphonesubinfo2 u:object_r:radio_service:s0
 iphonesubinfo u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 245496f8f..40fec6acf 100644
--- a/private/system_app.te
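Review bot: `/data/misc_ce/[0-9]+/iorapd(/.*)?` is labeled `iorapd_data_file`, but the neverallow rules this same change adds in public/iorapd.te let only `init` and `iorapd` create or relabel a directory of that type (`neverallow { domain -init -iorapd } iorapd_data_file:dir *;`). Per-user `misc_ce` subdirectories are normally prepared when the user's CE storage becomes available rather than by init at boot, so whichever domain creates this one needs an exclusion in that rule or the label will be rejected at policy build time or never applied. If the intent is that iorapd creates the directory itself, that is not covered either, since its `create_dir_perms` grant is on `iorapd_data_file` only and it gets no write access to the parent. Confirm the creator and add the exclusion, and extend the `# iorapd per-user data` comment to name it so the two files stay in step.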
+++ b/private/system_app.te
@@ -73,6 +73,7 @@ allow system_app {
 -apex_service
 -dumpstate_service
 -installd_service
+ -iorapd_service
 -netd_service
 -virtual_touchpad_service
 -vold_service
@@ -82,6 +83,7 @@ allow system_app {
 dontaudit system_app {
 dumpstate_service
 installd_service
+ iorapd_service
 netd_service
 virtual_touchpad_service
 vold_service
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5663e80ea..79faafa7e 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -209,6 +209,7 @@ allow dumpstate {
 -dumpstate_service
 -gatekeeper_service
 -incident_service
+ -iorapd_service
 -virtual_touchpad_service
 -vold_service
 -vr_hwc_service
@@ -218,6 +219,7 @@ dontaudit dumpstate {
 dumpstate_service
 gatekeeper_service
 incident_service
+ iorapd_service
 virtual_touchpad_service
 vold_service
 vr_hwc_service
diff --git a/public/file.te b/public/file.te
index 8e31f2cda..48c2a693d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -296,6 +296,7 @@ type vpn_data_file, file_type, data_file_type, core_data_file_type;
 type wifi_data_file, file_type, data_file_type, core_data_file_type;
 type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
 type vold_data_file, file_type, data_file_type, core_data_file_type;
+type iorapd_data_file, file_type, data_file_type, core_data_file_type;
 type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type tee_data_file, file_type, data_file_type;
 type update_engine_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/init.te b/public/init.te
index 42d364f02..18d11b6c6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -158,6 +158,7 @@ allow init {
 file_type
 -app_data_file
 -exec_type
+ -iorapd_data_file
 -keystore_data_file
 -misc_logd_file
 -nativetest_data_file
@@ -173,6 +174,7 @@ allow init {
 file_type
 -app_data_file
 -exec_type
+ -iorapd_data_file
 -keystore_data_file
 -misc_logd_file
 -nativetest_data_file
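Review bot: The four `allow init { file_type … }` hunks in public/init.te (the two here and the two at old lines 189 and 204 that follow) take `iorapd_data_file` out of init's generic directory grants, but nothing in this change adds the narrower grant that the first neverallow in public/iorapd.te deliberately leaves open for init, `{ open create read getattr setattr search relabelto ioctl }` on `iorapd_data_file:dir`. If `/data/misc/iorapd` is meant to be created by an init.rc `mkdir` like the sibling `/data/misc/*` directories, init needs `allow init iorapd_data_file:dir { open create read getattr setattr search relabelto ioctl };` or inclusion in whatever existing init.te rule grants that set for `keystore_data_file` and `vold_data_file`; if iorapd is expected to create it, that is not covered either, since its `create_dir_perms` applies to `iorapd_data_file` only and not to the parent. Each `allow init {` rule continues past its hunk and the rest of init.te is off this page, so the grant may already exist elsewhere; a comment at the new exclusion naming where the directory is created would settle it for the next reader.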
@@ -189,6 +191,7 @@ allow init {
 file_type
 -app_data_file
 -exec_type
+ -iorapd_data_file
 -keystore_data_file
 -misc_logd_file
 -nativetest_data_file
@@ -204,6 +207,7 @@ allow init {
 file_type
 -app_data_file
 -exec_type
+ -iorapd_data_file
 -keystore_data_file
 -misc_logd_file
 -nativetest_data_file
diff --git a/public/iorapd.te b/public/iorapd.te
new file mode 100644
index 000000000..c056943f8
--- /dev/null
+++ b/public/iorapd.te
@@ -0,0 +1,75 @@
+# volume manager
+type iorapd, domain;
+type iorapd_exec, exec_type, file_type, system_file_type;
+
+r_dir_file(iorapd, rootfs)
+
+# Allow read/write /proc/sys/vm/drop/caches
+allow iorapd proc_drop_caches:file rw_file_perms;
+
+# Give iorapd a place where only iorapd can store files; everyone else is off limits
+allow iorapd iorapd_data_file:dir create_dir_perms;
+allow iorapd iorapd_data_file:file create_file_perms;
+
+# Allow iorapd to publish a binder service and make binder calls.
+binder_use(iorapd)
+add_service(iorapd, iorapd_service)
+
+# Allow iorapd to call into the system server so it can check permissions.
+binder_call(iorapd, system_server)
+allow iorapd permission_service:service_manager find;
+# IUserManager
+allow iorapd user_service:service_manager find;
+# IPackageManagerNative
+allow iorapd package_native_service:service_manager find;
+
+# talk to batteryservice
+binder_call(iorapd, healthd)
+
+# TODO: does each of the service_manager allow finds above need the binder_call?
+
+# iorapd temporarily changes its priority when running benchmarks
+allow iorapd self:global_capability_class_set sys_nice;
+
+
+###
+### neverallow rules
+###
+
+neverallow {
+ domain
+ -iorapd
+} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -iorapd
+} iorapd_data_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -iorapd
+} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vendor_init
+ -iorapd
+} { iorapd_data_file }:notdevfile_class_set *;
+
+# Only system_server can interact with iorapd over binder
+neverallow { domain -system_server -iorapd } iorapd_service:service_manager find;
+neverallow iorapd {
+ domain
+ -healthd
+ -servicemanager
+ -system_server
+ userdebug_or_eng(`-su')
+}:binder call;
+
+neverallow { domain -init } iorapd:process { transition dyntransition };
+neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/service.te b/public/service.te
index 7a60ad405..dd80f92bc 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,6 +10,7 @@ type fingerprintd_service, service_manager_type;
 type hal_fingerprint_service, service_manager_type;
 type gatekeeper_service, app_api_service, service_manager_type;
 type gpu_service, service_manager_type;
+type iorapd_service, service_manager_type;
 type inputflinger_service, service_manager_type;
 type incident_service, service_manager_type;
 type installd_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 339b58632..cef1b0a35 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -108,6 +108,7 @@ allow shell {
 -gatekeeper_service
 -incident_service
 -installd_service
+ -iorapd_service
 -netd_service
 -virtual_touchpad_service
 -vold_service
diff --git a/public/traceur_app.te b/public/traceur_app.te
index c18984e2f..aea13ef70 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
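Review bot: The comment above `allow iorapd proc_drop_caches:file rw_file_perms;` names a path that does not exist; the node is `/proc/sys/vm/drop_caches`, and since writing it evicts the page cache for the whole system this is the most consequential grant in the domain and deserves saying so: `# Allow read/write on /proc/sys/vm/drop_caches (a write evicts the global page cache; keep this confined to iorapd)`. The first line `# volume manager` is carried over from vold.te and should describe this daemon instead, e.g. `# iorapd - I/O readahead daemon`. The `# TODO` about the three `service_manager find` rules can be closed: `permission_service`, `user_service` and `package_native_service` are all hosted by system_server, so the `binder_call(iorapd, system_server)` directly above already covers the calls, and the comment can record that instead of the question. `binder_call(iorapd, healthd)` has no matching `service_manager find` for any battery service in this file, so with the rules shown the path is unreachable through servicemanager; either add the find or drop the call together with the `-healthd` exclusion in the `:binder call` neverallow, so the domain carries no unused binder access.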
@@ -11,6 +11,7 @@ allow traceur_app {
 -gatekeeper_service
 -incident_service
 -installd_service
+ -iorapd_service
 -netd_service
 -virtual_touchpad_service
 -vold_service
diff --git a/public/vold.te b/public/vold.te
index 8db19fcef..cd2d4f745 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -272,6 +272,7 @@ neverallow vold {
 -hal_bootctl
 -healthd
 -hwservicemanager
+ -iorapd_service
 -servicemanager
 -system_server
 userdebug_or_eng(`-su')
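Review bot: `-iorapd_service` is subtracted from a set whose other members (`-healthd`, `-hwservicemanager`, `-servicemanager`, `-system_server`, `-su`) are all process domains, and the `neverallow vold {` header matches vold.te's rule limiting which domains vold may `binder call` (its tail, including the class and permission, is outside the hunk). `iorapd_service` is declared as a `service_manager_type` in this change's service.te hunk, not a domain, so the subtraction removes nothing and the added line is a no-op. If vold is meant to call into iorapd, the entry should be `-iorapd`, paired with a `binder_call(vold, iorapd)` grant and a `-vold` exclusion in the `neverallow { domain -system_server -iorapd } iorapd_service:service_manager find;` rule in public/iorapd.te, which as written blocks vold from finding the service at all. If it is not, drop the line rather than leave an entry that reads as an intended exception.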