diff --git a/aoc/aoc.mk b/aoc/aoc.mk
index 13d849c..2a0a449 100644
--- a/aoc/aoc.mk
+++ b/aoc/aoc.mk
@@ -1,4 +1,6 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/aoc/sepolicy
+BOARD_VENDOR_SEPOLICY_DIRS += \
+ device/google/gs-common/aoc/sepolicy \
+ device/google/gs-common/aoc/sepolicy/allowlist
 PRODUCT_PACKAGES += dump_aoc \
 aocd \
diff --git a/aoc/sepolicy/allowlist/aocxd_neverallow.te b/aoc/sepolicy/allowlist/aocxd_neverallow.te
new file mode 100644
index 0000000..50170a2
--- /dev/null
+++ b/aoc/sepolicy/allowlist/aocxd_neverallow.te
@@ -0,0 +1,11 @@
+# set up rule to control the access to aocxd
+neverallow {
+ domain
+ -hwservicemanager
+ -servicemanager
+ -vndservicemanager
+ -system_suspend_server
+ -dumpstate
+ -hal_audio_default
+ -aocxdallowdomain
+} aocxd:binder { call transfer };
diff --git a/aoc/sepolicy/allowlist/aocxdallowdomain.te b/aoc/sepolicy/allowlist/aocxdallowdomain.te
new file mode 100644
index 0000000..9637c04
--- /dev/null
+++ b/aoc/sepolicy/allowlist/aocxdallowdomain.te
@@ -0,0 +1,6 @@
+# Aocx AIDL service
+allow aocxdallowdomain aocx:service_manager find;
+
+binder_call(aocxdallowdomain, aocxd)
+# Allow aocxd asynchronous callback to aocxdallowdomain
+binder_call(aocxd, aocxdallowdomain)
diff --git a/aoc/sepolicy/allowlist/attributes b/aoc/sepolicy/allowlist/attributes
new file mode 100644
index 0000000..b0440ca
--- /dev/null
+++ b/aoc/sepolicy/allowlist/attributes
@@ -0,0 +1,2 @@
+# Allow domain to access aocx HAL API
+attribute aocxdallowdomain;
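Review bot: The exclusion list in this neverallow hard-codes hal_audio_default, system_suspend_server and dumpstate alongside the aocxdallowdomain attribute, so there are two ways for a domain to become an aocxd client and the "allowlist" is split between this exclusion list and the attribute. If those domains are meant to be clients, attaching the attribute in their own policy (`typeattribute hal_audio_default aocxdallowdomain;`) keeps the opt-in in one place and lets this rule shrink to the service managers, dumpstate and the attribute. Note that a neverallow grants nothing: every excluded domain still needs its own allow rules, which are not in this diff and presumably live elsewhere. The attribute is also an open opt-in, since any .te in the build can add `typeattribute foo aocxdallowdomain;` and satisfy this rule, so the real control is review of the allowlist directory rather than the policy compiler. I would replace the header with `# Only domains carrying aocxdallowdomain (plus the service managers and dumpstate) may binder-call aocxd; add new clients via typeattribute, never by extending this exclusion list.`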
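Review bot: This file gives no guidance on how a domain becomes a client, and `aocx`, the service_manager type on the find rule, is not defined in this diff, so I am assuming it is declared in the existing aoc/sepolicy directory. A header comment such as `# Rules for clients of the aocx AIDL service. Opt in with: typeattribute <client_domain> aocxdallowdomain; (gated by aocxd_neverallow.te)` would make the intent clear to the next HAL owner. The second binder_call also lets aocxd initiate calls into every client domain, which is what the callback needs, but the comment should state that callbacks are the only expected use so the grant is not treated as general-purpose later.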
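Review bot: The comment on the attribute declaration says it allows access to the aocx HAL API, but an attribute grants nothing by itself; the permissions come from aocxdallowdomain.te and the restriction from aocxd_neverallow.te. A more precise comment keeps a reader from looking for allow rules in this file: `# Opt-in attribute for domains permitted to find and binder-call the aocx/aocxd service; rules are in aocxdallowdomain.te, and all other domains are blocked by aocxd_neverallow.te.`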