diff --git a/public/domain.te b/public/domain.te
index 431324504..329d54f43 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -389,6 +389,7 @@ neverallow * init:process ptrace;
 # Init can't do anything with binder calls. If this neverallow rule is being
 # triggered, it's probably due to a service with no SELinux domain.
 neverallow * init:binder *;
+neverallow * vendor_init:binder *;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
diff --git a/public/servicemanager.te b/public/servicemanager.te
index c7cd738ba..87e3a2217 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -12,6 +12,7 @@ allow servicemanager self:binder set_context_mgr;
 allow servicemanager {
   domain
   -init
+  -vendor_init
   -hwservicemanager
   -vndservicemanager
 }:binder transfer;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index dbb20fd7b..dd7479fcb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -4,6 +4,9 @@ type vendor_init, domain, mlstrustedsubject;
 # Communication to the main init process
 allow vendor_init init:unix_stream_socket { read write };
 
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
 # Logging to kmsg
 allow vendor_init kmsg_device:chr_file { open write };
 
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index f956af82b..dbc88faed 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -6,7 +6,7 @@ init_daemon_domain(vndservicemanager);
 
 allow vndservicemanager self:binder set_context_mgr;
 
 # transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
-allow vndservicemanager { domain -coredomain -init }:binder transfer;
+allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;
 allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
 
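Review bot: The new `neverallow * vendor_init:binder *;` line in public/domain.te sits under a comment that only explains the init rule, so a build failure pointing at this line gives the reader no hint why vendor_init is binder-free. The preceding comment should be extended to cover both targets, e.g. `# Neither init nor vendor_init may be reached over binder; a hit on either rule usually means a service is running in one of them instead of its own domain.`. The servicemanager.te and vndservicemanager.te hunks remove vendor_init from their transfer target sets, which this global neverallow now requires; a short cross-reference in this comment would tell future editors that adding vendor_init back to those lists will fail the neverallow check here.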
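Review bot: The comment added in public/vendor_init.te does not match the rule beneath it: it says vendor_init "shouldn't communicate with any vendor process, nor most system processes", but the exception set `{ domain -init -logd -su -vendor_init }` is by-name and says nothing about why logd and su are exempt, so a reviewer cannot tell whether those carve-outs are intended or leftovers. Spell the rationale out per exclusion, e.g. `# Exceptions: init (property/command socket), logd (logging), su (userdebug shell); everything else, vendor or system, is denied.`, confirming each against the actual callers before landing. The existing `allow vendor_init init:unix_stream_socket { read write };` two lines above shows vendor_init talking to init over an already-open stream socket, which is presumably why init stays in the exception list; if neverallow_establish_socket_comms only constrains the vendor_init-to-target direction (the macro body is not in this diff), processes connecting to sockets vendor_init creates are not covered by this line and would need a separate rule.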