diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 037a7d52e..3265faf7a 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -257,6 +257,7 @@ define(`dac_override_allowed', `{
 install_recovery
 userdebug_or_eng(`llkd')
 lmkd
+ migrate_legacy_obb_data
 netd
 perfprofd
 postinstall_dexopt
diff --git a/prebuilts/api/29.0/private/file_contexts b/prebuilts/api/29.0/private/file_contexts
index 3f432f2be..530bd45fa 100644
--- a/prebuilts/api/29.0/private/file_contexts
+++ b/prebuilts/api/29.0/private/file_contexts
@@ -326,6 +326,7 @@
 /system/bin/gsid u:object_r:gsid_exec:s0
 /system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
 /system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 
 #############################
 # Vendor files
diff --git a/prebuilts/api/29.0/private/installd.te b/prebuilts/api/29.0/private/installd.te
index 3693c5931..b9e67ae39 100644
--- a/prebuilts/api/29.0/private/installd.te
+++ b/prebuilts/api/29.0/private/installd.te
@@ -17,6 +17,10 @@ domain_auto_trans(installd, profman_exec, profman)
 
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
diff --git a/prebuilts/api/29.0/private/migrate_legacy_obb_data.te b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
new file mode 100644
index 000000000..4bc1e2c60
--- /dev/null
+++ b/prebuilts/api/29.0/private/migrate_legacy_obb_data.te
@@ -0,0 +1,20 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
diff --git a/private/domain.te b/private/domain.te
index 037a7d52e..3265faf7a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -257,6 +257,7 @@ define(`dac_override_allowed', `{
 install_recovery
 userdebug_or_eng(`llkd')
 lmkd
+ migrate_legacy_obb_data
 netd
 perfprofd
 postinstall_dexopt
diff --git a/private/file_contexts b/private/file_contexts
index 3f432f2be..530bd45fa 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -326,6 +326,7 @@
 /system/bin/gsid u:object_r:gsid_exec:s0
 /system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
 /system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
+/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
 
 #############################
 # Vendor files
diff --git a/private/installd.te b/private/installd.te
index 3693c5931..b9e67ae39 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -17,6 +17,10 @@ domain_auto_trans(installd, profman_exec, profman)
 
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
+# Run migrate_legacy_obb_data.sh in its own sandbox.
+domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
+allow installd shell_exec:file rx_file_perms;
+
 # Create /data/.layout_version.* file
 type_transition installd system_data_file:file install_data_file;
diff --git a/private/migrate_legacy_obb_data.te b/private/migrate_legacy_obb_data.te
new file mode 100644
index 000000000..4bc1e2c60
--- /dev/null
+++ b/private/migrate_legacy_obb_data.te
@@ -0,0 +1,20 @@
+type migrate_legacy_obb_data, domain, coredomain;
+type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
+
+allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
+allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
+
+allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
+
+allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
+
+# TODO: This should not be necessary. We don't deliberately hand over
+# any open file descriptors to this domain, so anything that triggers this
+# should be a candidate for O_CLOEXEC.
+allow migrate_legacy_obb_data installd:fd use;
+
+# This rule is required to let this process read /proc/{parent_pid}/mount.
+# TODO: Why is this required ?
+allow migrate_legacy_obb_data installd:file read;
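Review bot: `allow installd shell_exec:file rx_file_perms;` grants installd itself the ability to execute /system/bin/sh in its own domain, which is wider than the sandboxed transition it sits next to, and the hunk gives no reason for it. If the rule is there because the script's interpreter is opened in installd's context before the transition to migrate_legacy_obb_data takes effect, record that, e.g. `# Needed because the script's interpreter is opened in installd's context before the domain transition.`; if it was added on the strength of a single denial, re-check that the denial is not already covered by the transition. The same unexplained rule appears in the prebuilts/api/29.0/private/installd.te copy, which should carry the same comment.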
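Review bot: The two closing rules of the new file, `allow migrate_legacy_obb_data installd:fd use;` and `allow migrate_legacy_obb_data installd:file read;`, land with TODO comments that say the grants are not understood, in a domain that also receives `self:capability { chown dac_override dac_read_search fowner fsetid }`. A shell script that can use descriptors inherited from installd and read installd's /proc entries while bypassing DAC is a wider grant than a data migration needs; the leaked descriptor should be located and opened with O_CLOEXEC on the installd side so the fd rule can be dropped before this merges. If the rules have to stay for now, replace the open questions with what was actually observed: which descriptor leaks and which /proc file the script reads, and if the comment's `/proc/{parent_pid}/mount` is meant to be `/proc/{parent_pid}/mounts`, correct the name. The prebuilts/api/29.0/private/migrate_legacy_obb_data.te copy carries identical text and needs the same follow-up.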