diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index cbbd37919..18fa8bb2c 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -4,6 +4,7 @@ allow cgroup_v2 tmpfs:filesystem associate;
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
+allow extra_apk_file zipfusefs:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 8a5f6289c..933c63f7d 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -171,3 +171,7 @@
 # microdroid doesn't use anr, but tombstoned tries to read this.
 # So marking /data/anr as tombstone_data_file
 /data/anr(/.*)? u:object_r:tombstone_data_file:s0
+
+#############################
+# Directory for extra apks
+/mnt/extra-apk u:object_r:extra_apk_file:s0
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index b91477534..36a5f5310 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
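Review bot: The new file_contexts entry matches only `/mnt/extra-apk` itself, with no `(/.*)?` suffix, so nothing created beneath it is labeled from file_contexts; the directories that microdroid_manager is granted create_dir_perms on in the sibling microdroid_manager.te hunk would carry extra_apk_file only by inheriting the parent's label, and a recursive restorecon would presumably leave them unmatched. If inheritance is the intent it should be stated, so that a later type_transition or relabel does not silently change the label of the mount targets; otherwise `/mnt/extra-apk(/.*)? u:object_r:extra_apk_file:s0` makes the labeling explicit. The comment `# Directory for extra apks` would also be more useful if it said who touches the tree, e.g. `# Mount point for extra apks: populated by microdroid_manager, mounted on by zipfuse, read by the payload`.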
@@ -77,4 +77,11 @@ set_prop(microdroid_manager, powerctl_prop)
 # that is different from what is recorded in the instance.img file.
 allow microdroid_manager proc_bootconfig:file r_file_perms;
+# Allow microdroid_manager to handle extra_apks
+allow microdroid_manager extra_apk_file:dir create_dir_perms;
+
+# Domains other than microdroid can't write extra_apks
+neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
+neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
+
 neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 7c50db72d..5419f5226 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -39,3 +39,6 @@ allow microdroid_payload vsock_device:chr_file r_file_perms;
 allowxperm microdroid_payload vsock_device:chr_file ioctl { IOCTL_VM_SOCKETS_GET_LOCAL_CID };
+
+# Payload can read extra apks
+r_dir_file(microdroid_payload, extra_apk_file)
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index 04cdadf79..b88c01453 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -37,9 +37,16 @@ allow system_file zipfusefs:filesystem associate;
 # allow zipfuse to log to the kernel
 allow zipfuse kmsg_device:chr_file w_file_perms;
+# allow zipfuse to handle extra apks
+r_dir_file(zipfuse, extra_apk_file)
+allow zipfuse extra_apk_file:dir mounton;
+
 # zipfuse is forked from microdroid_manager
 # TODO(inseob): remove this
 allow zipfuse microdroid_manager:fd use;
 # Only microdroid_manager can run zipfuse
 neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };
+
+# only zipfuse can mount on extra_apk_file
+neverallow { domain -zipfuse } extra_apk_file:dir mounton;
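Review bot: The comment `# Domains other than microdroid can't write extra_apks` above the two neverallow lines in microdroid_manager.te does not match the rules beneath it, which exempt init and vendor_init as well as microdroid_manager; a reader would take it as a microdroid_manager-only guarantee, so the comment should name the real exemptions, e.g. `# Only microdroid_manager (plus init/vendor_init) may write extra_apk_file`. The two neverallows cover the file and dir classes only; if the tree can ever contain symlinks, widening the first to `neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:{ file lnk_file } no_w_file_perms;` closes that gap, and if it cannot, a one-line comment saying why lnk_file is deliberately left out would stop the next reviewer asking the same question. The mounton restriction in the zipfuse.te hunk exempts only zipfuse while the write restriction here also exempts init and vendor_init; that asymmetry looks intentional but is worth a comment alongside the neverallow.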
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index c750ccc25..5b678ba0f 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -10,6 +10,7 @@ type authfs_data_file, file_type, data_file_type, core_data_file_type;
 type cgroup_desc_api_file, file_type, system_file_type;
 type cgroup_desc_file, file_type, system_file_type;
 type cgroup_rc_file, file_type;
+type extra_apk_file, file_type;
 type file_contexts_file, file_type, system_file_type;
 type hwservice_contexts_file, file_type, system_file_type;
 type keystore2_key_contexts_file, file_type, system_file_type;