[automerger skipped] Allow platform_app:systemui to write protolog file am: 95f1221fc1 -s ours

am skip reason: Merged-In I9f77f8995e4bf671616ce6c49eeb93720e31430e with SHA-1 9372026ad2 is already in history

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/21160895

Change-Id: I0c69f6e627dcf268195a730737abd987ba2b0672
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/Android.bp b/Android.bp
index 8e2a966..4028215 100644
--- a/Android.bp
+++ b/Android.bp
@@ -44,156 +44,6 @@
 
 cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
 
-se_filegroup {
-    name: "28.0.board.compat.map",
-    srcs: [
-        "compat/28.0/28.0.cil",
-    ],
-}
-
-se_filegroup {
-    name: "29.0.board.compat.map",
-    srcs: [
-        "compat/29.0/29.0.cil",
-    ],
-}
-
-se_filegroup {
-    name: "30.0.board.compat.map",
-    srcs: [
-        "compat/30.0/30.0.cil",
-    ],
-}
-
-se_filegroup {
-    name: "31.0.board.compat.map",
-    srcs: [
-        "compat/31.0/31.0.cil",
-    ],
-}
-
-se_filegroup {
-    name: "32.0.board.compat.map",
-    srcs: [
-        "compat/32.0/32.0.cil",
-    ],
-}
-
-se_filegroup {
-    name: "28.0.board.compat.cil",
-    srcs: [
-        "compat/28.0/28.0.compat.cil",
-    ],
-}
-
-se_filegroup {
-    name: "29.0.board.compat.cil",
-    srcs: [
-        "compat/29.0/29.0.compat.cil",
-    ],
-}
-
-se_filegroup {
-    name: "30.0.board.compat.cil",
-    srcs: [
-        "compat/30.0/30.0.compat.cil",
-    ],
-}
-
-se_filegroup {
-    name: "31.0.board.compat.cil",
-    srcs: [
-        "compat/31.0/31.0.compat.cil",
-    ],
-}
-
-se_filegroup {
-    name: "32.0.board.compat.cil",
-    srcs: [
-        "compat/32.0/32.0.compat.cil",
-    ],
-}
-
-se_filegroup {
-    name: "28.0.board.ignore.map",
-    srcs: [
-        "compat/28.0/28.0.ignore.cil",
-    ],
-}
-
-se_filegroup {
-    name: "29.0.board.ignore.map",
-    srcs: [
-        "compat/29.0/29.0.ignore.cil",
-    ],
-}
-
-se_filegroup {
-    name: "30.0.board.ignore.map",
-    srcs: [
-        "compat/30.0/30.0.ignore.cil",
-    ],
-}
-
-se_filegroup {
-    name: "31.0.board.ignore.map",
-    srcs: [
-        "compat/31.0/31.0.ignore.cil",
-    ],
-}
-
-se_filegroup {
-    name: "32.0.board.ignore.map",
-    srcs: [
-        "compat/32.0/32.0.ignore.cil",
-    ],
-}
-
-se_build_files {
-    name: "file_contexts_files",
-    srcs: ["file_contexts"],
-}
-
-se_build_files {
-    name: "file_contexts_asan_files",
-    srcs: ["file_contexts_asan"],
-}
-
-se_build_files {
-    name: "file_contexts_overlayfs_files",
-    srcs: ["file_contexts_overlayfs"],
-}
-
-se_build_files {
-    name: "hwservice_contexts_files",
-    srcs: ["hwservice_contexts"],
-}
-
-se_build_files {
-    name: "property_contexts_files",
-    srcs: ["property_contexts"],
-}
-
-se_build_files {
-    name: "service_contexts_files",
-    srcs: ["service_contexts"],
-}
-
-se_build_files {
-    name: "keystore2_key_contexts_files",
-    srcs: ["keystore2_key_contexts"],
-}
-
-se_build_files {
-    name: "seapp_contexts_files",
-    srcs: ["seapp_contexts"],
-}
-
-se_build_files {
-    name: "vndservice_contexts_files",
-    srcs: ["vndservice_contexts"],
-}
-
 // For vts_treble_sys_prop_test
 filegroup {
     name: "private_property_contexts",
@@ -367,6 +217,22 @@
     stem: "apex_sepolicy.cil",
 }
 
+se_policy_cil {
+    name: "decompiled_sepolicy-without_apex.cil",
+    src: ":precompiled_sepolicy-without_apex",
+    decompile_binary: true,
+}
+
+se_policy_cil {
+    name: "apex_sepolicy-33.decompiled.cil",
+    src: ":precompiled_sepolicy",
+    decompile_binary: true,
+    filter_out: [":decompiled_sepolicy-without_apex.cil"],
+    additional_cil_files: ["com.android.sepolicy/33/definitions/definitions.cil"],
+    secilc_check: false,
+    stem: "apex_sepolicy.decompiled.cil",
+}
+
 // userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
 se_policy_conf {
     name: "userdebug_plat_sepolicy.conf",
@@ -875,6 +741,50 @@
     },
 }
 
+precompiled_se_policy_binary {
+    name: "precompiled_sepolicy-without_apex",
+    srcs: [
+        ":plat_sepolicy.cil",
+        ":plat_pub_versioned.cil",
+        ":system_ext_sepolicy.cil",
+        ":product_sepolicy.cil",
+        ":vendor_sepolicy.cil",
+        ":odm_sepolicy.cil",
+    ],
+    soong_config_variables: {
+        BOARD_USES_ODMIMAGE: {
+            device_specific: true,
+            conditions_default: {
+                vendor: true,
+            },
+        },
+        IS_TARGET_MIXED_SEPOLICY: {
+            ignore_neverallow: true,
+        },
+        MIXED_SEPOLICY_VERSION: {
+            srcs: [
+                ":plat_%s.cil",
+                ":system_ext_%s.cil",
+                ":product_%s.cil",
+            ],
+            conditions_default: {
+                srcs: [
+                    ":plat_mapping_file",
+                    ":system_ext_mapping_file",
+                    ":product_mapping_file",
+                ],
+            },
+        },
+    },
+    required: [
+        "sepolicy_neverallows",
+        "sepolicy_neverallows_vendor",
+    ],
+    dist: {
+        targets: ["base-sepolicy-files-for-mapping"],
+    },
+}
+
 // policy for recovery
 se_policy_conf {
     name: "recovery_sepolicy.conf",
@@ -1055,27 +965,27 @@
 }
 
 // bug_map - Bug tracking information for selinux denials loaded by auditd.
-se_filegroup {
+se_build_files {
     name: "bug_map_files",
     srcs: ["bug_map"],
 }
 
 se_bug_map {
     name: "plat_bug_map",
-    srcs: [":bug_map_files"],
+    srcs: [":bug_map_files{.plat_private}"],
     stem: "bug_map",
 }
 
 se_bug_map {
     name: "system_ext_bug_map",
-    srcs: [":bug_map_files"],
+    srcs: [":bug_map_files{.system_ext_private}"],
     stem: "bug_map",
     system_ext_specific: true,
 }
 
 se_bug_map {
     name: "vendor_bug_map",
-    srcs: [":bug_map_files"],
+    srcs: [":bug_map_files{.vendor}", ":bug_map_files{.plat_vendor_for_vendor}"],
     // Legacy file name of the vendor partition bug_map.
     stem: "selinux_denial_metadata",
     vendor: true,
diff --git a/Android.mk b/Android.mk
index 8fd90b0..8220fd5 100644
--- a/Android.mk
+++ b/Android.mk
@@ -54,15 +54,7 @@
 REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
 
 SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
-ifneq (,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
-  # TODO: Disallow BOARD_PLAT_*
-  SYSTEM_EXT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-endif
 SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)
-ifneq (,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
-  # TODO: Disallow BOARD_PLAT_*
-  SYSTEM_EXT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
-endif
 
 PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
 PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
@@ -332,6 +324,7 @@
     plat_service_contexts_test \
     plat_hwservice_contexts \
     plat_hwservice_contexts_test \
+    fuzzer_bindings_test \
     plat_bug_map \
     searchpolicy \
 
@@ -518,6 +511,8 @@
     odm_seapp_contexts \
     odm_property_contexts \
     odm_property_contexts_test \
+    odm_service_contexts \
+    odm_service_contexts_test \
     odm_hwservice_contexts \
     odm_hwservice_contexts_test \
     odm_mac_permissions.xml
@@ -668,7 +663,6 @@
 file_contexts.modules.tmp :=
 
 ##################################
-include $(LOCAL_PATH)/mac_permissions.mk
 
 all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
 all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
diff --git a/TEST_MAPPING b/TEST_MAPPING
index cf99902..efcdb36 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -11,8 +11,10 @@
                 },
                 {
                     "include-filter": "android.security.cts.SELinuxHostTest#testGMSCoreDomain"
+                },
+                {
+                    "include-filter": "android.security.cts.SeamendcHostTest"
                 }
-
             ]
         },
         {
diff --git a/apex/Android.bp b/apex/Android.bp
index dda949f..c4080ca 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -99,6 +99,13 @@
 }
 
 filegroup {
+  name: "com.android.federatedcompute-file_contexts",
+  srcs: [
+    "com.android.federatedcompute-file_contexts",
+  ],
+}
+
+filegroup {
   name: "com.android.geotz-file_contexts",
   srcs: [
     "com.android.geotz-file_contexts",
@@ -265,3 +272,24 @@
     "com.android.ondevicepersonalization-file_contexts",
   ],
 }
+
+filegroup {
+  name: "com.android.healthconnect-file_contexts",
+  srcs: [
+    "com.android.healthconnect-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.rkpd-file_contexts",
+  srcs: [
+    "com.android.rkpd-file_contexts",
+  ],
+}
+
+filegroup {
+  name: "com.android.devicelock-file_contexts",
+  srcs: [
+    "com.android.devicelock-file_contexts",
+  ],
+}
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 2533cac..f1aa92b 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -1,10 +1,11 @@
 #############################
 # System files
 #
-(/.*)?                   u:object_r:system_file:s0
-/bin/artd                u:object_r:artd_exec:s0
-/bin/dex2oat(32|64)?     u:object_r:dex2oat_exec:s0
-/bin/dexoptanalyzer      u:object_r:dexoptanalyzer_exec:s0
-/bin/odrefresh           u:object_r:odrefresh_exec:s0
-/bin/profman             u:object_r:profman_exec:s0
-/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
+(/.*)?                         u:object_r:system_file:s0
+/bin/art_exec                  u:object_r:art_exec_exec:s0
+/bin/artd                      u:object_r:artd_exec:s0
+/bin/dex2oat(32|64)?           u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer            u:object_r:dexoptanalyzer_exec:s0
+/bin/odrefresh                 u:object_r:odrefresh_exec:s0
+/bin/profman                   u:object_r:profman_exec:s0
+/lib(64)?(/.*)?                u:object_r:system_lib_file:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index a0e9ea0..cc60b70 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -2,6 +2,8 @@
 # System files
 #
 (/.*)?                         u:object_r:system_file:s0
+/bin/art_exec                  u:object_r:art_exec_exec:s0
+/bin/artd                      u:object_r:artd_exec:s0
 /bin/dex2oat(d)?(32|64)?       u:object_r:dex2oat_exec:s0
 /bin/dexoptanalyzer(d)?        u:object_r:dexoptanalyzer_exec:s0
 /bin/odrefresh                 u:object_r:odrefresh_exec:s0
diff --git a/apex/com.android.conscrypt-file_contexts b/apex/com.android.conscrypt-file_contexts
index abf0085..7b81ab8 100644
--- a/apex/com.android.conscrypt-file_contexts
+++ b/apex/com.android.conscrypt-file_contexts
@@ -4,3 +4,4 @@
 (/.*)?                          u:object_r:system_file:s0
 /lib(64)?(/.*)?                 u:object_r:system_lib_file:s0
 /bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/cacerts(/.*)?                  u:object_r:system_security_cacerts_file:s0
diff --git a/apex/com.android.devicelock-file_contexts b/apex/com.android.devicelock-file_contexts
new file mode 100644
index 0000000..83b4b58
--- /dev/null
+++ b/apex/com.android.devicelock-file_contexts
@@ -0,0 +1 @@
+(/.*)?                   u:object_r:system_file:s0
diff --git a/apex/com.android.federatedcompute-file_contexts b/apex/com.android.federatedcompute-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.federatedcompute-file_contexts
@@ -0,0 +1 @@
+(/.*)?           u:object_r:system_file:s0
diff --git a/apex/com.android.healthconnect-file_contexts b/apex/com.android.healthconnect-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.healthconnect-file_contexts
@@ -0,0 +1 @@
+(/.*)?           u:object_r:system_file:s0
diff --git a/apex/com.android.rkpd-file_contexts b/apex/com.android.rkpd-file_contexts
new file mode 100644
index 0000000..4424c8a
--- /dev/null
+++ b/apex/com.android.rkpd-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?              u:object_r:system_file:s0
+/bin/rkpd           u:object_r:rkpd_exec:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index cc712ff..9c13bd5 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,4 +1,5 @@
 (/.*)?                     u:object_r:system_file:s0
 /bin/crosvm                u:object_r:crosvm_exec:s0
 /bin/fd_server             u:object_r:fd_server_exec:s0
+/bin/virtmgr               u:object_r:virtualizationmanager_exec:s0
 /bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 8518d4d..83b31b4 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -35,7 +35,7 @@
         "build_files.go",
         "cil_compat_map.go",
         "compat_cil.go",
-        "filegroup.go",
+        "mac_permissions.go",
         "policy.go",
         "selinux.go",
         "selinux_contexts.go",
@@ -43,6 +43,8 @@
         "sepolicy_neverallow.go",
         "sepolicy_vers.go",
         "versioned_policy.go",
+        "service_fuzzer_bindings.go",
+        "validate_bindings.go",
     ],
     pluginFor: ["soong_build"],
 }
diff --git a/build/soong/bug_map.go b/build/soong/bug_map.go
index 00df33c..e24a21b 100644
--- a/build/soong/bug_map.go
+++ b/build/soong/bug_map.go
@@ -40,7 +40,7 @@
 }
 
 type bugMapProperties struct {
-	// List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+	// List of source files or se_build_files modules.
 	Srcs []string `android:"path"`
 
 	// Output file name. Defaults to module name if unspecified.
@@ -52,31 +52,7 @@
 }
 
 func (b *bugMap) expandSeSources(ctx android.ModuleContext) android.Paths {
-	srcPaths := make(android.Paths, 0, len(b.properties.Srcs))
-	for _, src := range b.properties.Srcs {
-		if m := android.SrcIsModule(src); m != "" {
-			module := android.GetModuleFromPathDep(ctx, m, "")
-			if module == nil {
-				// Error would have been handled by ExtractSourcesDeps
-				continue
-			}
-			if fg, ok := module.(*fileGroup); ok {
-				if b.SocSpecific() {
-					srcPaths = append(srcPaths, fg.VendorSrcs()...)
-					srcPaths = append(srcPaths, fg.SystemVendorSrcs()...)
-				} else if b.SystemExtSpecific() {
-					srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
-				} else {
-					srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
-				}
-			} else {
-				ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
-			}
-		} else {
-			srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
-		}
-	}
-	return android.FirstUniquePaths(srcPaths)
+	return android.PathsForModuleSrc(ctx, b.properties.Srcs)
 }
 
 func (b *bugMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 6cc40c6..383a282 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -92,10 +92,10 @@
 
 func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 	b.srcs = make(map[string]android.Paths)
-	b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
-	b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "public"))
-	b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "private"))
-	b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
+	b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "reqd_mask"))
+	b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "public"))
+	b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "private"))
+	b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "vendor"))
 	b.srcs[".system_ext_public"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs()...)
 	b.srcs[".system_ext_private"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()...)
 	b.srcs[".product_public"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs()...)
@@ -117,8 +117,8 @@
 		// use vendor-supplied plat prebuilts
 		b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
 		b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
-		b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
-		b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
+		b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
+		b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
 		b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
 		b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
 		b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
@@ -127,8 +127,8 @@
 
 	// directories used for compat tests and Treble tests
 	for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
-		b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "public"))
-		b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "private"))
+		b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "public"))
+		b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join("system", "sepolicy", "prebuilts", "api", ver, "private"))
 		b.srcs[".system_ext_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
 		b.srcs[".system_ext_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
 		b.srcs[".product_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 78e870e..c9daf7c 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -59,7 +59,7 @@
 	// se_cil_compat_map module representing a compatibility mapping file for
 	// platform versions (x->y). Bottom half represents a mapping (y->z).
 	// Together the halves are used to generate a (x->z) mapping.
-	Top_half *string
+	Top_half *string `android:"path"`
 	// list of source (.cil) files used to build an the bottom half of sepolicy
 	// compatibility mapping file. bottom_half may reference the outputs of
 	// other modules that produce source files like genrule or filegroup using
@@ -94,31 +94,7 @@
 }
 
 func expandSeSources(ctx android.ModuleContext, srcFiles []string) android.Paths {
-	expandedSrcFiles := make(android.Paths, 0, len(srcFiles))
-	for _, s := range srcFiles {
-		if m := android.SrcIsModule(s); m != "" {
-			module := android.GetModuleFromPathDep(ctx, m, "")
-			if module == nil {
-				// Error will have been handled by ExtractSourcesDeps
-				continue
-			}
-			if fg, ok := module.(*fileGroup); ok {
-				if ctx.ProductSpecific() {
-					expandedSrcFiles = append(expandedSrcFiles, fg.ProductPrivateSrcs()...)
-				} else if ctx.SystemExtSpecific() {
-					expandedSrcFiles = append(expandedSrcFiles, fg.SystemExtPrivateSrcs()...)
-				} else {
-					expandedSrcFiles = append(expandedSrcFiles, fg.SystemPrivateSrcs()...)
-				}
-			} else {
-				ctx.ModuleErrorf("srcs dependency %q is not an selinux filegroup", m)
-			}
-		} else {
-			p := android.PathForModuleSrc(ctx, s)
-			expandedSrcFiles = append(expandedSrcFiles, p)
-		}
-	}
-	return expandedSrcFiles
+	return android.PathsForModuleSrc(ctx, srcFiles)
 }
 
 func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index e7b3af2..afd2396 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -48,7 +48,7 @@
 }
 
 type compatCilProperties struct {
-	// List of source files. Can reference se_filegroup type modules with the ":module" syntax.
+	// List of source files. Can reference se_build_files type modules with the ":module" syntax.
 	Srcs []string `android:"path"`
 
 	// Output file name. Defaults to module name if unspecified.
@@ -60,28 +60,7 @@
 }
 
 func (c *compatCil) expandSeSources(ctx android.ModuleContext) android.Paths {
-	srcPaths := make(android.Paths, 0, len(c.properties.Srcs))
-	for _, src := range c.properties.Srcs {
-		if m := android.SrcIsModule(src); m != "" {
-			module := android.GetModuleFromPathDep(ctx, m, "")
-			if module == nil {
-				// Error would have been handled by ExtractSourcesDeps
-				continue
-			}
-			if fg, ok := module.(*fileGroup); ok {
-				if c.SystemExtSpecific() {
-					srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
-				} else {
-					srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
-				}
-			} else {
-				ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
-			}
-		} else {
-			srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
-		}
-	}
-	return srcPaths
+	return android.PathsForModuleSrc(ctx, c.properties.Srcs)
 }
 
 func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
deleted file mode 100644
index 9dd4bd9..0000000
--- a/build/soong/filegroup.go
+++ /dev/null
@@ -1,156 +0,0 @@
-// Copyright 2018 Google Inc. All rights reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package selinux
-
-import (
-	"android/soong/android"
-	"path/filepath"
-)
-
-func init() {
-	android.RegisterModuleType("se_filegroup", FileGroupFactory)
-}
-
-func FileGroupFactory() android.Module {
-	module := &fileGroup{}
-	module.AddProperties(&module.properties)
-	android.InitAndroidModule(module)
-	return module
-}
-
-type fileGroupProperties struct {
-	// list of source file suffixes used to collect selinux policy files.
-	// Source files will be looked up in the following local directories:
-	// system/sepolicy/{public, private, vendor, reqd_mask}
-	// and directories specified by following config variables:
-	// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
-	// SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
-	Srcs []string
-}
-
-type fileGroup struct {
-	android.ModuleBase
-	properties fileGroupProperties
-
-	systemPublicSrcs   android.Paths
-	systemPrivateSrcs  android.Paths
-	systemVendorSrcs   android.Paths
-	systemReqdMaskSrcs android.Paths
-
-	systemExtPublicSrcs  android.Paths
-	systemExtPrivateSrcs android.Paths
-
-	productPublicSrcs  android.Paths
-	productPrivateSrcs android.Paths
-
-	vendorSrcs         android.Paths
-	vendorReqdMaskSrcs android.Paths
-	odmSrcs            android.Paths
-}
-
-// Source files from system/sepolicy/public
-func (fg *fileGroup) SystemPublicSrcs() android.Paths {
-	return fg.systemPublicSrcs
-}
-
-// Source files from system/sepolicy/private
-func (fg *fileGroup) SystemPrivateSrcs() android.Paths {
-	return fg.systemPrivateSrcs
-}
-
-// Source files from system/sepolicy/vendor
-func (fg *fileGroup) SystemVendorSrcs() android.Paths {
-	return fg.systemVendorSrcs
-}
-
-// Source files from system/sepolicy/reqd_mask
-func (fg *fileGroup) SystemReqdMaskSrcs() android.Paths {
-	return fg.systemReqdMaskSrcs
-}
-
-// Source files from SYSTEM_EXT_PUBLIC_SEPOLICY_DIR
-func (fg *fileGroup) SystemExtPublicSrcs() android.Paths {
-	return fg.systemExtPublicSrcs
-}
-
-// Source files from SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
-func (fg *fileGroup) SystemExtPrivateSrcs() android.Paths {
-	return fg.systemExtPrivateSrcs
-}
-
-// Source files from PRODUCT_PUBLIC_SEPOLICY_DIRS
-func (fg *fileGroup) ProductPublicSrcs() android.Paths {
-	return fg.productPublicSrcs
-}
-
-// Source files from PRODUCT_PRIVATE_SEPOLICY_DIRS
-func (fg *fileGroup) ProductPrivateSrcs() android.Paths {
-	return fg.productPrivateSrcs
-}
-
-// Source files from BOARD_VENDOR_SEPOLICY_DIRS
-func (fg *fileGroup) VendorSrcs() android.Paths {
-	return fg.vendorSrcs
-}
-
-func (fg *fileGroup) VendorReqdMaskSrcs() android.Paths {
-	return fg.vendorReqdMaskSrcs
-}
-
-// Source files from BOARD_ODM_SEPOLICY_DIRS
-func (fg *fileGroup) OdmSrcs() android.Paths {
-	return fg.odmSrcs
-}
-
-func (fg *fileGroup) findSrcsInDirs(ctx android.ModuleContext, dirs []string) android.Paths {
-	result := android.Paths{}
-	for _, f := range fg.properties.Srcs {
-		for _, d := range dirs {
-			path := filepath.Join(d, f)
-			files, _ := ctx.GlobWithDeps(path, nil)
-			for _, f := range files {
-				result = append(result, android.PathForSource(ctx, f))
-			}
-		}
-	}
-	return result
-}
-
-func (fg *fileGroup) findSrcsInDir(ctx android.ModuleContext, dir string) android.Paths {
-	return fg.findSrcsInDirs(ctx, []string{dir})
-}
-
-func (fg *fileGroup) DepsMutator(ctx android.BottomUpMutatorContext) {}
-
-func (fg *fileGroup) GenerateAndroidBuildActions(ctx android.ModuleContext) {
-	fg.systemPublicSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "public"))
-	fg.systemPrivateSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "private"))
-	fg.systemReqdMaskSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
-
-	fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs())
-	fg.systemExtPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs())
-
-	fg.productPublicSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs())
-	fg.productPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs())
-
-	systemVendorDirs := ctx.DeviceConfig().BoardPlatVendorPolicy()
-	if len(systemVendorDirs) == 0 || ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
-		systemVendorDirs = []string{filepath.Join(ctx.ModuleDir(), "vendor")}
-	}
-	fg.systemVendorSrcs = fg.findSrcsInDirs(ctx, systemVendorDirs)
-	fg.vendorReqdMaskSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy())
-	fg.vendorSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs())
-	fg.odmSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs())
-}
diff --git a/build/soong/go.mod b/build/soong/go.mod
new file mode 100644
index 0000000..37bc985
--- /dev/null
+++ b/build/soong/go.mod
@@ -0,0 +1,23 @@
+module android/soong/sepolicy
+
+require (
+	android/soong v0.0.0
+	github.com/google/blueprint v0.0.0
+	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
+)
+
+replace android/soong v0.0.0 => ../../../../build/soong
+
+replace google.golang.org/protobuf v0.0.0 => ../../../../external/golang-protobuf
+
+replace github.com/google/blueprint v0.0.0 => ../../../../build/blueprint
+
+// Indirect deps from golang-protobuf
+exclude github.com/golang/protobuf v1.5.0
+
+replace github.com/google/go-cmp v0.5.5 => ../../../../external/go-cmp
+
+// Indirect dep from go-cmp
+exclude golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
+
+go 1.13
diff --git a/build/soong/go.sum b/build/soong/go.sum
new file mode 100644
index 0000000..cbe76d9
--- /dev/null
+++ b/build/soong/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0=
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
diff --git a/build/soong/mac_permissions.go b/build/soong/mac_permissions.go
new file mode 100644
index 0000000..9615d12
--- /dev/null
+++ b/build/soong/mac_permissions.go
@@ -0,0 +1,144 @@
+// Copyright (C) 2019 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/google/blueprint/proptools"
+
+	"android/soong/android"
+)
+
+var (
+	// Should be synced with keys.conf.
+	AllPlatformKeys = []string{
+		"platform",
+		"sdk_sandbox",
+		"media",
+		"networkstack",
+		"shared",
+		"testkey",
+		"bluetooth",
+	}
+)
+
+type macPermissionsProperties struct {
+	// keys.conf files to control the mapping of "tags" found in the mac_permissions.xml files.
+	Keys []string `android:"path"`
+
+	// Source files for the generated mac_permissions.xml file.
+	Srcs []string `android:"path"`
+
+	// Output file name. Defaults to module name
+	Stem *string
+}
+
+type macPermissionsModule struct {
+	android.ModuleBase
+
+	properties  macPermissionsProperties
+	outputPath  android.ModuleOutPath
+	installPath android.InstallPath
+}
+
+func init() {
+	android.RegisterModuleType("mac_permissions", macPermissionsFactory)
+}
+
+func getAllPlatformKeyPaths(ctx android.ModuleContext) android.Paths {
+	var platformKeys android.Paths
+
+	defaultCertificateDir := ctx.Config().DefaultAppCertificateDir(ctx)
+	for _, key := range AllPlatformKeys {
+		platformKeys = append(platformKeys, defaultCertificateDir.Join(ctx, key+".x509.pem"))
+	}
+
+	return platformKeys
+}
+
+func (m *macPermissionsModule) DepsMutator(ctx android.BottomUpMutatorContext) {
+	// do nothing
+}
+
+func (m *macPermissionsModule) stem() string {
+	return proptools.StringDefault(m.properties.Stem, m.Name())
+}
+
+func buildVariant(ctx android.ModuleContext) string {
+	if ctx.Config().Eng() {
+		return "eng"
+	}
+	if ctx.Config().Debuggable() {
+		return "userdebug"
+	}
+	return "user"
+}
+
+func (m *macPermissionsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	platformKeys := getAllPlatformKeyPaths(ctx)
+	keys := android.PathsForModuleSrc(ctx, m.properties.Keys)
+	srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
+
+	m4Keys := android.PathForModuleGen(ctx, "mac_perms_keys.tmp")
+	rule := android.NewRuleBuilder(pctx, ctx)
+	rule.Command().
+		Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
+		Text("--fatal-warnings -s").
+		FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
+		Inputs(keys).
+		FlagWithOutput("> ", m4Keys).
+		Implicits(platformKeys)
+
+	m.outputPath = android.PathForModuleOut(ctx, m.stem())
+	rule.Command().Text("DEFAULT_SYSTEM_DEV_CERTIFICATE="+ctx.Config().DefaultAppCertificateDir(ctx).String()).
+		Text("MAINLINE_SEPOLICY_DEV_CERTIFICATES="+ctx.Config().MainlineSepolicyDevCertificatesDir(ctx).String()).
+		BuiltTool("insertkeys").
+		FlagWithArg("-t ", buildVariant(ctx)).
+		Input(m4Keys).
+		FlagWithOutput("-o ", m.outputPath).
+		Inputs(srcs)
+
+	rule.Build("mac_permission", "build "+m.Name())
+
+	m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
+	ctx.InstallFile(m.installPath, m.stem(), m.outputPath)
+}
+
+func (m *macPermissionsModule) AndroidMk() android.AndroidMkData {
+	return android.AndroidMkData{
+		Class:      "ETC",
+		OutputFile: android.OptionalPathForPath(m.outputPath),
+		Extra: []android.AndroidMkExtraFunc{
+			func(w io.Writer, outputFile android.Path) {
+				fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.String())
+				fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", m.stem())
+			},
+		},
+	}
+}
+
+// mac_permissions module generates a mac_permissions.xml file from given keys.conf and
+// source files. The following variables are supported for keys.conf files.
+//
+//	DEFAULT_SYSTEM_DEV_CERTIFICATE
+//	MAINLINE_SEPOLICY_DEV_CERTIFICATES
+func macPermissionsFactory() android.Module {
+	m := &macPermissionsModule{}
+	m.AddProperties(&m.properties)
+	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+	return m
+}
diff --git a/build/soong/policy.go b/build/soong/policy.go
index b1840da..aea8e09 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -45,10 +45,9 @@
 	"mls",
 	"policy_capabilities",
 	"te_macros",
-	"attributes",
 	"ioctl_defines",
 	"ioctl_macros",
-	"*.te",
+	"attributes|*.te",
 	"roles_decl",
 	"roles",
 	"users",
@@ -198,7 +197,10 @@
 
 func findPolicyConfOrder(name string) int {
 	for idx, pattern := range policyConfOrder {
-		if pattern == name || (pattern == "*.te" && strings.HasSuffix(name, ".te")) {
+		// We could use regexp but it seems like an overkill
+		if pattern == "attributes|*.te" && (name == "attributes" || strings.HasSuffix(name, ".te")) {
+			return idx
+		} else if pattern == name {
 			return idx
 		}
 	}
@@ -285,6 +287,10 @@
 	// Policy file to be compiled to cil file.
 	Src *string `android:"path"`
 
+	// If true, the input policy file is a binary policy that will be decompiled to a cil file.
+	// Defaults to false.
+	Decompile_binary *bool
+
 	// Additional cil files to be added in the end of the output. This is to support workarounds
 	// which are not supported by the policy language.
 	Additional_cil_files []string `android:"path"`
@@ -336,17 +342,15 @@
 func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
 	cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
 	rule := android.NewRuleBuilder(pctx, ctx)
-	rule.Command().BuiltTool("checkpolicy").
+	checkpolicyCmd := rule.Command().BuiltTool("checkpolicy").
 		Flag("-C"). // Write CIL
 		Flag("-M"). // Enable MLS
 		FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
 		FlagWithOutput("-o ", cil).
 		Input(conf)
 
-	if len(c.properties.Additional_cil_files) > 0 {
-		rule.Command().Text("cat").
-			Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
-			Text(">> ").Output(cil)
+	if proptools.Bool(c.properties.Decompile_binary) {
+		checkpolicyCmd.Flag("-b") // Read binary
 	}
 
 	if len(c.properties.Filter_out) > 0 {
@@ -357,6 +361,12 @@
 			FlagWithOutput("-t ", cil)
 	}
 
+	if len(c.properties.Additional_cil_files) > 0 {
+		rule.Command().Text("cat").
+			Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
+			Text(">> ").Output(cil)
+	}
+
 	if proptools.Bool(c.properties.Remove_line_marker) {
 		rule.Command().Text("grep -v").
 			Text(proptools.ShellEscape(";;")).
@@ -446,6 +456,9 @@
 
 	// Whether this module is directly installable to one of the partitions. Default is true
 	Installable *bool
+
+	// List of domains that are allowed to be in permissive mode on user builds.
+	Permissive_domains_on_user_builds []string
 }
 
 type policyBinary struct {
@@ -502,11 +515,19 @@
 	// permissive check is performed only in user build (not debuggable).
 	if !ctx.Config().Debuggable() {
 		permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
-		rule.Command().BuiltTool("sepolicy-analyze").
+		cmd := rule.Command().BuiltTool("sepolicy-analyze").
 			Input(bin).
-			Text("permissive").
-			Text(" > ").
-			Output(permissiveDomains)
+			Text("permissive")
+		// Filter-out domains listed in permissive_domains_on_user_builds
+		allowedDomains := c.properties.Permissive_domains_on_user_builds
+		if len(allowedDomains) != 0 {
+			cmd.Text("| { grep -Fxv")
+			for _, d := range allowedDomains {
+				cmd.FlagWithArg("-e ", proptools.ShellEscape(d))
+			}
+			cmd.Text(" || true; }") // no match doesn't fail the cmd
+		}
+		cmd.Text(" > ").Output(permissiveDomains)
 		rule.Temporary(permissiveDomains)
 
 		msg := `==========\n` +
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 463a978..6a971da 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -247,11 +247,21 @@
 
 	rule := android.NewRuleBuilder(pctx, ctx)
 
+	newlineFile := android.PathForModuleGen(ctx, "newline")
+
+	rule.Command().Text("echo").FlagWithOutput("> ", newlineFile)
+	rule.Temporary(newlineFile)
+
+	var inputsWithNewline android.Paths
+	for _, input := range inputs {
+		inputsWithNewline = append(inputsWithNewline, input, newlineFile)
+	}
+
 	rule.Command().
 		Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
 		Text("--fatal-warnings -s").
 		FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
-		Inputs(inputs).
+		Inputs(inputsWithNewline).
 		FlagWithOutput("> ", builtContext)
 
 	if proptools.Bool(m.properties.Remove_comment) {
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
new file mode 100644
index 0000000..8e11850
--- /dev/null
+++ b/build/soong/service_fuzzer_bindings.go
@@ -0,0 +1,465 @@
+// Copyright (C) 2022 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+var EXCEPTION_NO_FUZZER = []string{}
+
+//
+// To add a fuzzer for service, add your service name and fuzzer name in ServiceFuzzerBindings
+// example of entry -
+//	"android.hardware.health.IHealth/default": []string{"android.hardware.health-service.aidl_fuzzer"},
+
+var (
+	ServiceFuzzerBindings = map[string][]string{
+		"android.hardware.audio.core.IConfig/default":                             EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/default":                             EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/a2dp":                                EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/bluetooth":                           EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/hearing_aid":                         EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/msd":                                 EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/r_submix":                            EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/stub":                                EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/usb":                                 EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.effect.IFactory/default":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.sounddose.ISoundDoseFactory/default":              EXCEPTION_NO_FUZZER,
+		"android.hardware.authsecret.IAuthSecret/default":                         EXCEPTION_NO_FUZZER,
+		"android.hardware.automotive.evs.IEvsEnumerator/hw/0":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.boot.IBootControl/default":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.automotive.can.ICanController/default":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.automotive.evs.IEvsEnumerator/hw/1":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.automotive.remoteaccess.IRemoteAccess/default":          EXCEPTION_NO_FUZZER,
+		"android.hardware.automotive.vehicle.IVehicle/default":                    EXCEPTION_NO_FUZZER,
+		"android.hardware.automotive.audiocontrol.IAudioControl/default":          EXCEPTION_NO_FUZZER,
+		"android.hardware.biometrics.face.IFace/default":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.biometrics.fingerprint.IFingerprint/default":            EXCEPTION_NO_FUZZER,
+		"android.hardware.biometrics.fingerprint.IFingerprint/virtual":            EXCEPTION_NO_FUZZER,
+		"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
+		"android.hardware.broadcastradio.IBroadcastRadio/amfm":                    EXCEPTION_NO_FUZZER,
+		"android.hardware.broadcastradio.IBroadcastRadio/dab":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.bluetooth.IBluetoothHci/default":                        EXCEPTION_NO_FUZZER,
+		"android.hardware.camera.provider.ICameraProvider/internal/0":             EXCEPTION_NO_FUZZER,
+		"android.hardware.cas.IMediaCasService/default":                           EXCEPTION_NO_FUZZER,
+		"android.hardware.confirmationui.IConfirmationUI/default":                 []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
+		"android.hardware.contexthub.IContextHub/default":                         EXCEPTION_NO_FUZZER,
+		"android.hardware.drm.IDrmFactory/clearkey":                               EXCEPTION_NO_FUZZER,
+		"android.hardware.drm.ICryptoFactory/clearkey":                            EXCEPTION_NO_FUZZER,
+		"android.hardware.dumpstate.IDumpstateDevice/default":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.fastboot.IFastboot/default":                             EXCEPTION_NO_FUZZER,
+		"android.hardware.gatekeeper.IGatekeeper/default":                         EXCEPTION_NO_FUZZER,
+		"android.hardware.gnss.IGnss/default":                                     EXCEPTION_NO_FUZZER,
+		"android.hardware.graphics.allocator.IAllocator/default":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.graphics.composer3.IComposer/default":                   EXCEPTION_NO_FUZZER,
+		"android.hardware.health.storage.IStorage/default":                        EXCEPTION_NO_FUZZER,
+		"android.hardware.health.IHealth/default":                                 []string{"android.hardware.health-service.aidl_fuzzer"},
+		"android.hardware.identity.IIdentityCredentialStore/default":              EXCEPTION_NO_FUZZER,
+		"android.hardware.input.processor.IInputProcessor/default":                EXCEPTION_NO_FUZZER,
+		"android.hardware.ir.IConsumerIr/default":                                 EXCEPTION_NO_FUZZER,
+		"android.hardware.light.ILights/default":                                  EXCEPTION_NO_FUZZER,
+		"android.hardware.memtrack.IMemtrack/default":                             EXCEPTION_NO_FUZZER,
+		"android.hardware.net.nlinterceptor.IInterceptor/default":                 EXCEPTION_NO_FUZZER,
+		"android.hardware.nfc.INfc/default":                                       EXCEPTION_NO_FUZZER,
+		"android.hardware.oemlock.IOemLock/default":                               EXCEPTION_NO_FUZZER,
+		"android.hardware.power.IPower/default":                                   EXCEPTION_NO_FUZZER,
+		"android.hardware.power.stats.IPowerStats/default":                        EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.config.IRadioConfig/default":                      EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.data.IRadioData/slot1":                            EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.data.IRadioData/slot2":                            EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.data.IRadioData/slot3":                            EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.ims.IRadioIms/slot1":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.ims.IRadioIms/slot2":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.ims.IRadioIms/slot3":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.ims.media.IImsMedia/default":                      EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.messaging.IRadioMessaging/slot1":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.messaging.IRadioMessaging/slot2":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.messaging.IRadioMessaging/slot3":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.modem.IRadioModem/slot1":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.modem.IRadioModem/slot2":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.modem.IRadioModem/slot3":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.network.IRadioNetwork/slot1":                      EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.network.IRadioNetwork/slot2":                      EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.network.IRadioNetwork/slot3":                      EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.satellite.IRadioSatellite/slot1":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.satellite.IRadioSatellite/slot2":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.satellite.IRadioSatellite/slot3":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.sim.IRadioSim/slot1":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.sim.IRadioSim/slot2":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.sim.IRadioSim/slot3":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.sap.ISap/slot1":                                   EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.sap.ISap/slot2":                                   EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.sap.ISap/slot3":                                   EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.voice.IRadioVoice/slot1":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.voice.IRadioVoice/slot2":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.voice.IRadioVoice/slot3":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.rebootescrow.IRebootEscrow/default":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/eSE1":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/eSE2":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/eSE3":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/SIM1":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/SIM2":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/SIM3":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.security.dice.IDiceDevice/default":                      EXCEPTION_NO_FUZZER,
+		"android.hardware.security.keymint.IKeyMintDevice/default":                EXCEPTION_NO_FUZZER,
+		"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+		"android.hardware.security.secureclock.ISecureClock/default":              EXCEPTION_NO_FUZZER,
+		"android.hardware.security.sharedsecret.ISharedSecret/default":            EXCEPTION_NO_FUZZER,
+		"android.hardware.sensors.ISensors/default":                               EXCEPTION_NO_FUZZER,
+		"android.hardware.soundtrigger3.ISoundTriggerHw/default":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.tetheroffload.IOffload/default":                         EXCEPTION_NO_FUZZER,
+		"android.hardware.thermal.IThermal/default":                               EXCEPTION_NO_FUZZER,
+		"android.hardware.tv.hdmi.cec.IHdmiCec/default":                           EXCEPTION_NO_FUZZER,
+		"android.hardware.tv.hdmi.connection.IHdmiConnection/default":             EXCEPTION_NO_FUZZER,
+		"android.hardware.tv.hdmi.earc.IEArc/default":                             EXCEPTION_NO_FUZZER,
+		"android.hardware.tv.input.ITvInput/default":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.tv.tuner.ITuner/default":                                EXCEPTION_NO_FUZZER,
+		"android.hardware.usb.IUsb/default":                                       EXCEPTION_NO_FUZZER,
+		"android.hardware.usb.gadget.IUsbGadget/default":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.uwb.IUwb/default":                                       EXCEPTION_NO_FUZZER,
+		"android.hardware.vibrator.IVibrator/default":                             EXCEPTION_NO_FUZZER,
+		"android.hardware.vibrator.IVibratorManager/default":                      []string{"android.hardware.vibrator-service.example_fuzzer"},
+		"android.hardware.weaver.IWeaver/default":                                 EXCEPTION_NO_FUZZER,
+		"android.hardware.wifi.IWifi/default":                                     EXCEPTION_NO_FUZZER,
+		"android.hardware.wifi.hostapd.IHostapd/default":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.wifi.supplicant.ISupplicant/default":                    EXCEPTION_NO_FUZZER,
+		"android.frameworks.cameraservice.service.ICameraService/default":         EXCEPTION_NO_FUZZER,
+		"android.frameworks.location.altitude.IAltitudeService/default":           EXCEPTION_NO_FUZZER,
+		"android.frameworks.sensorservice.ISensorManager/default":                 []string{"libsensorserviceaidl_fuzzer"},
+		"android.frameworks.stats.IStats/default":                                 EXCEPTION_NO_FUZZER,
+		"android.se.omapi.ISecureElementService/default":                          EXCEPTION_NO_FUZZER,
+		"android.system.keystore2.IKeystoreService/default":                       EXCEPTION_NO_FUZZER,
+		"android.system.net.netd.INetd/default":                                   EXCEPTION_NO_FUZZER,
+		"android.system.suspend.ISystemSuspend/default":                           EXCEPTION_NO_FUZZER,
+		"accessibility":      EXCEPTION_NO_FUZZER,
+		"account":            EXCEPTION_NO_FUZZER,
+		"activity":           EXCEPTION_NO_FUZZER,
+		"activity_task":      EXCEPTION_NO_FUZZER,
+		"adb":                EXCEPTION_NO_FUZZER,
+		"adservices_manager": EXCEPTION_NO_FUZZER,
+		"aidl_lazy_test_1":   EXCEPTION_NO_FUZZER,
+		"aidl_lazy_test_2":   EXCEPTION_NO_FUZZER,
+		"aidl_lazy_cb_test":  EXCEPTION_NO_FUZZER,
+		"alarm":              EXCEPTION_NO_FUZZER,
+		"android.hardware.automotive.evs.IEvsEnumerator/default":          EXCEPTION_NO_FUZZER,
+		"android.os.UpdateEngineService":                                  EXCEPTION_NO_FUZZER,
+		"android.os.UpdateEngineStableService":                            EXCEPTION_NO_FUZZER,
+		"android.frameworks.automotive.display.ICarDisplayProxy/default":  EXCEPTION_NO_FUZZER,
+		"android.security.apc":                                            EXCEPTION_NO_FUZZER,
+		"android.security.authorization":                                  EXCEPTION_NO_FUZZER,
+		"android.security.compat":                                         EXCEPTION_NO_FUZZER,
+		"android.security.dice.IDiceMaintenance":                          EXCEPTION_NO_FUZZER,
+		"android.security.dice.IDiceNode":                                 EXCEPTION_NO_FUZZER,
+		"android.security.identity":                                       EXCEPTION_NO_FUZZER,
+		"android.security.keystore":                                       EXCEPTION_NO_FUZZER,
+		"android.security.legacykeystore":                                 EXCEPTION_NO_FUZZER,
+		"android.security.maintenance":                                    EXCEPTION_NO_FUZZER,
+		"android.security.metrics":                                        EXCEPTION_NO_FUZZER,
+		"android.security.remoteprovisioning":                             EXCEPTION_NO_FUZZER,
+		"android.security.remoteprovisioning.IRemotelyProvisionedKeyPool": EXCEPTION_NO_FUZZER,
+		"android.service.gatekeeper.IGateKeeperService":                   EXCEPTION_NO_FUZZER,
+		"android.system.composd":                                          EXCEPTION_NO_FUZZER,
+		"android.system.virtualizationservice":                            EXCEPTION_NO_FUZZER,
+		"ambient_context":                                                 EXCEPTION_NO_FUZZER,
+		"app_binding":                                                     EXCEPTION_NO_FUZZER,
+		"app_hibernation":                                                 EXCEPTION_NO_FUZZER,
+		"app_integrity":                                                   EXCEPTION_NO_FUZZER,
+		"app_prediction":                                                  EXCEPTION_NO_FUZZER,
+		"app_search":                                                      EXCEPTION_NO_FUZZER,
+		"apexservice":                                                     EXCEPTION_NO_FUZZER,
+		"attestation_verification":                                        EXCEPTION_NO_FUZZER,
+		"blob_store":                                                      EXCEPTION_NO_FUZZER,
+		"gsiservice":                                                      EXCEPTION_NO_FUZZER,
+		"appops":                                                          EXCEPTION_NO_FUZZER,
+		"appwidget":                                                       EXCEPTION_NO_FUZZER,
+		"artd":                                                            EXCEPTION_NO_FUZZER,
+		"assetatlas":                                                      EXCEPTION_NO_FUZZER,
+		"attention":                                                       EXCEPTION_NO_FUZZER,
+		"audio":                                                           EXCEPTION_NO_FUZZER,
+		"auth":                                                            EXCEPTION_NO_FUZZER,
+		"autofill":                                                        EXCEPTION_NO_FUZZER,
+		"background_install_control":                                      EXCEPTION_NO_FUZZER,
+		"backup":                                                          EXCEPTION_NO_FUZZER,
+		"batteryproperties":                                               EXCEPTION_NO_FUZZER,
+		"batterystats":                                                    EXCEPTION_NO_FUZZER,
+		"battery":                                                         EXCEPTION_NO_FUZZER,
+		"binder_calls_stats":                                              EXCEPTION_NO_FUZZER,
+		"biometric":                                                       EXCEPTION_NO_FUZZER,
+		"bluetooth_manager":                                               EXCEPTION_NO_FUZZER,
+		"bluetooth":                                                       EXCEPTION_NO_FUZZER,
+		"broadcastradio":                                                  EXCEPTION_NO_FUZZER,
+		"bugreport":                                                       EXCEPTION_NO_FUZZER,
+		"cacheinfo":                                                       EXCEPTION_NO_FUZZER,
+		"carrier_config":                                                  EXCEPTION_NO_FUZZER,
+		"clipboard":                                                       EXCEPTION_NO_FUZZER,
+		"cloudsearch":                                                     EXCEPTION_NO_FUZZER,
+		"cloudsearch_service":                                             EXCEPTION_NO_FUZZER,
+		"com.android.net.IProxyService":                                   EXCEPTION_NO_FUZZER,
+		"companiondevice":                                                 EXCEPTION_NO_FUZZER,
+		"communal":                                                        EXCEPTION_NO_FUZZER,
+		"platform_compat":                                                 EXCEPTION_NO_FUZZER,
+		"platform_compat_native":                                          EXCEPTION_NO_FUZZER,
+		"connectivity":                                                    EXCEPTION_NO_FUZZER,
+		"connectivity_native":                                             EXCEPTION_NO_FUZZER,
+		"connmetrics":                                                     EXCEPTION_NO_FUZZER,
+		"consumer_ir":                                                     EXCEPTION_NO_FUZZER,
+		"content":                                                         EXCEPTION_NO_FUZZER,
+		"content_capture":                                                 EXCEPTION_NO_FUZZER,
+		"content_suggestions":                                             EXCEPTION_NO_FUZZER,
+		"contexthub":                                                      EXCEPTION_NO_FUZZER,
+		"country_detector":                                                EXCEPTION_NO_FUZZER,
+		"coverage":                                                        EXCEPTION_NO_FUZZER,
+		"cpuinfo":                                                         EXCEPTION_NO_FUZZER,
+		"credential":                                                      EXCEPTION_NO_FUZZER,
+		"crossprofileapps":                                                EXCEPTION_NO_FUZZER,
+		"dataloader_manager":                                              EXCEPTION_NO_FUZZER,
+		"dbinfo":                                                          EXCEPTION_NO_FUZZER,
+		"device_config":                                                   EXCEPTION_NO_FUZZER,
+		"device_policy":                                                   EXCEPTION_NO_FUZZER,
+		"device_identifiers":                                              EXCEPTION_NO_FUZZER,
+		"deviceidle":                                                      EXCEPTION_NO_FUZZER,
+		"device_lock":                                                     EXCEPTION_NO_FUZZER,
+		"device_state":                                                    EXCEPTION_NO_FUZZER,
+		"devicestoragemonitor":                                            EXCEPTION_NO_FUZZER,
+		"diskstats":                                                       EXCEPTION_NO_FUZZER,
+		"display":                                                         EXCEPTION_NO_FUZZER,
+		"dnsresolver":                                                     EXCEPTION_NO_FUZZER,
+		"domain_verification":                                             EXCEPTION_NO_FUZZER,
+		"color_display":                                                   EXCEPTION_NO_FUZZER,
+		"netd_listener":                                                   EXCEPTION_NO_FUZZER,
+		"network_watchlist":                                               EXCEPTION_NO_FUZZER,
+		"DockObserver":                                                    EXCEPTION_NO_FUZZER,
+		"dreams":                                                          EXCEPTION_NO_FUZZER,
+		"drm.drmManager":                                                  EXCEPTION_NO_FUZZER,
+		"dropbox":                                                         EXCEPTION_NO_FUZZER,
+		"dumpstate":                                                       EXCEPTION_NO_FUZZER,
+		"dynamic_system":                                                  EXCEPTION_NO_FUZZER,
+		"econtroller":                                                     EXCEPTION_NO_FUZZER,
+		"emergency_affordance":                                            EXCEPTION_NO_FUZZER,
+		"euicc_card_controller":                                           EXCEPTION_NO_FUZZER,
+		"external_vibrator_service":                                       EXCEPTION_NO_FUZZER,
+		"ethernet":                                                        EXCEPTION_NO_FUZZER,
+		"face":                                                            EXCEPTION_NO_FUZZER,
+		"file_integrity":                                                  EXCEPTION_NO_FUZZER,
+		"fingerprint":                                                     EXCEPTION_NO_FUZZER,
+		"font":                                                            EXCEPTION_NO_FUZZER,
+		"android.hardware.fingerprint.IFingerprintDaemon": EXCEPTION_NO_FUZZER,
+		"game":                         EXCEPTION_NO_FUZZER,
+		"gfxinfo":                      EXCEPTION_NO_FUZZER,
+		"gnss_time_update_service":     EXCEPTION_NO_FUZZER,
+		"grammatical_inflection":       EXCEPTION_NO_FUZZER,
+		"graphicsstats":                EXCEPTION_NO_FUZZER,
+		"gpu":                          EXCEPTION_NO_FUZZER,
+		"hardware":                     EXCEPTION_NO_FUZZER,
+		"hardware_properties":          EXCEPTION_NO_FUZZER,
+		"hdmi_control":                 EXCEPTION_NO_FUZZER,
+		"healthconnect":                EXCEPTION_NO_FUZZER,
+		"ions":                         EXCEPTION_NO_FUZZER,
+		"idmap":                        EXCEPTION_NO_FUZZER,
+		"incident":                     EXCEPTION_NO_FUZZER,
+		"incidentcompanion":            EXCEPTION_NO_FUZZER,
+		"inputflinger":                 EXCEPTION_NO_FUZZER,
+		"input_method":                 EXCEPTION_NO_FUZZER,
+		"input":                        EXCEPTION_NO_FUZZER,
+		"installd":                     EXCEPTION_NO_FUZZER,
+		"iphonesubinfo_msim":           EXCEPTION_NO_FUZZER,
+		"iphonesubinfo2":               EXCEPTION_NO_FUZZER,
+		"iphonesubinfo":                EXCEPTION_NO_FUZZER,
+		"ims":                          EXCEPTION_NO_FUZZER,
+		"imms":                         EXCEPTION_NO_FUZZER,
+		"incremental":                  EXCEPTION_NO_FUZZER,
+		"ipsec":                        EXCEPTION_NO_FUZZER,
+		"ircsmessage":                  EXCEPTION_NO_FUZZER,
+		"iris":                         EXCEPTION_NO_FUZZER,
+		"isms_msim":                    EXCEPTION_NO_FUZZER,
+		"isms2":                        EXCEPTION_NO_FUZZER,
+		"isms":                         EXCEPTION_NO_FUZZER,
+		"isub":                         EXCEPTION_NO_FUZZER,
+		"jobscheduler":                 EXCEPTION_NO_FUZZER,
+		"launcherapps":                 EXCEPTION_NO_FUZZER,
+		"legacy_permission":            EXCEPTION_NO_FUZZER,
+		"lights":                       EXCEPTION_NO_FUZZER,
+		"locale":                       EXCEPTION_NO_FUZZER,
+		"location":                     EXCEPTION_NO_FUZZER,
+		"location_time_zone_manager":   EXCEPTION_NO_FUZZER,
+		"lock_settings":                EXCEPTION_NO_FUZZER,
+		"logcat":                       EXCEPTION_NO_FUZZER,
+		"logd":                         EXCEPTION_NO_FUZZER,
+		"looper_stats":                 EXCEPTION_NO_FUZZER,
+		"lpdump_service":               EXCEPTION_NO_FUZZER,
+		"mdns":                         EXCEPTION_NO_FUZZER,
+		"media.aaudio":                 EXCEPTION_NO_FUZZER,
+		"media.audio_flinger":          EXCEPTION_NO_FUZZER,
+		"media.audio_policy":           EXCEPTION_NO_FUZZER,
+		"media.camera":                 EXCEPTION_NO_FUZZER,
+		"media.camera.proxy":           EXCEPTION_NO_FUZZER,
+		"media.log":                    EXCEPTION_NO_FUZZER,
+		"media.player":                 EXCEPTION_NO_FUZZER,
+		"media.metrics":                EXCEPTION_NO_FUZZER,
+		"media.extractor":              EXCEPTION_NO_FUZZER,
+		"media.transcoding":            EXCEPTION_NO_FUZZER,
+		"media.resource_manager":       EXCEPTION_NO_FUZZER,
+		"media.resource_observer":      EXCEPTION_NO_FUZZER,
+		"media.sound_trigger_hw":       EXCEPTION_NO_FUZZER,
+		"media.drm":                    EXCEPTION_NO_FUZZER,
+		"media.tuner":                  EXCEPTION_NO_FUZZER,
+		"media_communication":          EXCEPTION_NO_FUZZER,
+		"media_metrics":                EXCEPTION_NO_FUZZER,
+		"media_projection":             EXCEPTION_NO_FUZZER,
+		"media_resource_monitor":       EXCEPTION_NO_FUZZER,
+		"media_router":                 EXCEPTION_NO_FUZZER,
+		"media_session":                EXCEPTION_NO_FUZZER,
+		"meminfo":                      EXCEPTION_NO_FUZZER,
+		"memtrack.proxy":               EXCEPTION_NO_FUZZER,
+		"midi":                         EXCEPTION_NO_FUZZER,
+		"mount":                        EXCEPTION_NO_FUZZER,
+		"music_recognition":            EXCEPTION_NO_FUZZER,
+		"nearby":                       EXCEPTION_NO_FUZZER,
+		"netd":                         EXCEPTION_NO_FUZZER,
+		"netpolicy":                    EXCEPTION_NO_FUZZER,
+		"netstats":                     EXCEPTION_NO_FUZZER,
+		"network_stack":                EXCEPTION_NO_FUZZER,
+		"network_management":           EXCEPTION_NO_FUZZER,
+		"network_score":                EXCEPTION_NO_FUZZER,
+		"network_time_update_service":  EXCEPTION_NO_FUZZER,
+		"nfc":                          EXCEPTION_NO_FUZZER,
+		"notification":                 EXCEPTION_NO_FUZZER,
+		"oem_lock":                     EXCEPTION_NO_FUZZER,
+		"ondevicepersonalization_system_service": EXCEPTION_NO_FUZZER,
+		"otadexopt":                    EXCEPTION_NO_FUZZER,
+		"overlay":                      EXCEPTION_NO_FUZZER,
+		"pac_proxy":                    EXCEPTION_NO_FUZZER,
+		"package":                      EXCEPTION_NO_FUZZER,
+		"package_native":               EXCEPTION_NO_FUZZER,
+		"people":                       EXCEPTION_NO_FUZZER,
+		"performance_hint":             EXCEPTION_NO_FUZZER,
+		"permission":                   EXCEPTION_NO_FUZZER,
+		"permissionmgr":                EXCEPTION_NO_FUZZER,
+		"permission_checker":           EXCEPTION_NO_FUZZER,
+		"persistent_data_block":        EXCEPTION_NO_FUZZER,
+		"phone_msim":                   EXCEPTION_NO_FUZZER,
+		"phone1":                       EXCEPTION_NO_FUZZER,
+		"phone2":                       EXCEPTION_NO_FUZZER,
+		"phone":                        EXCEPTION_NO_FUZZER,
+		"pinner":                       EXCEPTION_NO_FUZZER,
+		"powerstats":                   EXCEPTION_NO_FUZZER,
+		"power":                        EXCEPTION_NO_FUZZER,
+		"print":                        EXCEPTION_NO_FUZZER,
+		"processinfo":                  EXCEPTION_NO_FUZZER,
+		"procstats":                    EXCEPTION_NO_FUZZER,
+		"profcollectd":                 EXCEPTION_NO_FUZZER,
+		"radio.phonesubinfo":           EXCEPTION_NO_FUZZER,
+		"radio.phone":                  EXCEPTION_NO_FUZZER,
+		"radio.sms":                    EXCEPTION_NO_FUZZER,
+		"rcs":                          EXCEPTION_NO_FUZZER,
+		"reboot_readiness":             EXCEPTION_NO_FUZZER,
+		"recovery":                     EXCEPTION_NO_FUZZER,
+		"remote_provisioning":          EXCEPTION_NO_FUZZER,
+		"resolver":                     EXCEPTION_NO_FUZZER,
+		"resources":                    EXCEPTION_NO_FUZZER,
+		"restrictions":                 EXCEPTION_NO_FUZZER,
+		"rkpd.registrar":               EXCEPTION_NO_FUZZER,
+		"rkpd.refresh":                 EXCEPTION_NO_FUZZER,
+		"role":                         EXCEPTION_NO_FUZZER,
+		"rollback":                     EXCEPTION_NO_FUZZER,
+		"rttmanager":                   EXCEPTION_NO_FUZZER,
+		"runtime":                      EXCEPTION_NO_FUZZER,
+		"safety_center":                EXCEPTION_NO_FUZZER,
+		"samplingprofiler":             EXCEPTION_NO_FUZZER,
+		"scheduling_policy":            EXCEPTION_NO_FUZZER,
+		"search":                       EXCEPTION_NO_FUZZER,
+		"search_ui":                    EXCEPTION_NO_FUZZER,
+		"secure_element":               EXCEPTION_NO_FUZZER,
+		"sec_key_att_app_id_provider":  EXCEPTION_NO_FUZZER,
+		"selection_toolbar":            EXCEPTION_NO_FUZZER,
+		"sensorservice":                EXCEPTION_NO_FUZZER,
+		"sensor_privacy":               EXCEPTION_NO_FUZZER,
+		"serial":                       EXCEPTION_NO_FUZZER,
+		"servicediscovery":             EXCEPTION_NO_FUZZER,
+		"manager":                      []string{"servicemanager_fuzzer"},
+		"settings":                     EXCEPTION_NO_FUZZER,
+		"shortcut":                     EXCEPTION_NO_FUZZER,
+		"simphonebook_msim":            EXCEPTION_NO_FUZZER,
+		"simphonebook2":                EXCEPTION_NO_FUZZER,
+		"simphonebook":                 EXCEPTION_NO_FUZZER,
+		"sip":                          EXCEPTION_NO_FUZZER,
+		"slice":                        EXCEPTION_NO_FUZZER,
+		"smartspace":                   EXCEPTION_NO_FUZZER,
+		"speech_recognition":           EXCEPTION_NO_FUZZER,
+		"stats":                        EXCEPTION_NO_FUZZER,
+		"statsbootstrap":               EXCEPTION_NO_FUZZER,
+		"statscompanion":               EXCEPTION_NO_FUZZER,
+		"statsmanager":                 EXCEPTION_NO_FUZZER,
+		"soundtrigger":                 EXCEPTION_NO_FUZZER,
+		"soundtrigger_middleware":      EXCEPTION_NO_FUZZER,
+		"statusbar":                    EXCEPTION_NO_FUZZER,
+		"storaged":                     EXCEPTION_NO_FUZZER,
+		"storaged_pri":                 EXCEPTION_NO_FUZZER,
+		"storagestats":                 EXCEPTION_NO_FUZZER,
+		"sdk_sandbox":                  EXCEPTION_NO_FUZZER,
+		"SurfaceFlinger":               EXCEPTION_NO_FUZZER,
+		"SurfaceFlingerAIDL":           EXCEPTION_NO_FUZZER,
+		"suspend_control":              EXCEPTION_NO_FUZZER,
+		"suspend_control_internal":     EXCEPTION_NO_FUZZER,
+		"system_config":                EXCEPTION_NO_FUZZER,
+		"system_server_dumper":         EXCEPTION_NO_FUZZER,
+		"system_update":                EXCEPTION_NO_FUZZER,
+		"tare":                         EXCEPTION_NO_FUZZER,
+		"task":                         EXCEPTION_NO_FUZZER,
+		"telecom":                      EXCEPTION_NO_FUZZER,
+		"telephony.registry":           EXCEPTION_NO_FUZZER,
+		"telephony_ims":                EXCEPTION_NO_FUZZER,
+		"testharness":                  EXCEPTION_NO_FUZZER,
+		"tethering":                    EXCEPTION_NO_FUZZER,
+		"textclassification":           EXCEPTION_NO_FUZZER,
+		"textservices":                 EXCEPTION_NO_FUZZER,
+		"texttospeech":                 EXCEPTION_NO_FUZZER,
+		"time_detector":                EXCEPTION_NO_FUZZER,
+		"time_zone_detector":           EXCEPTION_NO_FUZZER,
+		"thermalservice":               EXCEPTION_NO_FUZZER,
+		"tracing.proxy":                EXCEPTION_NO_FUZZER,
+		"translation":                  EXCEPTION_NO_FUZZER,
+		"transparency":                 EXCEPTION_NO_FUZZER,
+		"trust":                        EXCEPTION_NO_FUZZER,
+		"tv_interactive_app":           EXCEPTION_NO_FUZZER,
+		"tv_input":                     EXCEPTION_NO_FUZZER,
+		"tv_tuner_resource_mgr":        EXCEPTION_NO_FUZZER,
+		"uce":                          EXCEPTION_NO_FUZZER,
+		"uimode":                       EXCEPTION_NO_FUZZER,
+		"updatelock":                   EXCEPTION_NO_FUZZER,
+		"uri_grants":                   EXCEPTION_NO_FUZZER,
+		"usagestats":                   EXCEPTION_NO_FUZZER,
+		"usb":                          EXCEPTION_NO_FUZZER,
+		"user":                         EXCEPTION_NO_FUZZER,
+		"uwb":                          EXCEPTION_NO_FUZZER,
+		"vcn_management":               EXCEPTION_NO_FUZZER,
+		"vibrator":                     EXCEPTION_NO_FUZZER,
+		"vibrator_manager":             EXCEPTION_NO_FUZZER,
+		"virtualdevice":                EXCEPTION_NO_FUZZER,
+		"virtual_touchpad":             EXCEPTION_NO_FUZZER,
+		"voiceinteraction":             EXCEPTION_NO_FUZZER,
+		"vold":                         EXCEPTION_NO_FUZZER,
+		"vpn_management":               EXCEPTION_NO_FUZZER,
+		"vrmanager":                    EXCEPTION_NO_FUZZER,
+		"wallpaper":                    EXCEPTION_NO_FUZZER,
+		"wallpaper_effects_generation": EXCEPTION_NO_FUZZER,
+		"webviewupdate":                EXCEPTION_NO_FUZZER,
+		"wifip2p":                      EXCEPTION_NO_FUZZER,
+		"wifiscanner":                  EXCEPTION_NO_FUZZER,
+		"wifi":                         EXCEPTION_NO_FUZZER,
+		"wifinl80211":                  EXCEPTION_NO_FUZZER,
+		"wifiaware":                    EXCEPTION_NO_FUZZER,
+		"wifirtt":                      EXCEPTION_NO_FUZZER,
+		"window":                       EXCEPTION_NO_FUZZER,
+		"*":                            EXCEPTION_NO_FUZZER,
+	}
+)
diff --git a/build/soong/validate_bindings.go b/build/soong/validate_bindings.go
new file mode 100644
index 0000000..7ba6453
--- /dev/null
+++ b/build/soong/validate_bindings.go
@@ -0,0 +1,109 @@
+// Copyright (C) 2022 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package selinux
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"android/soong/android"
+)
+
+func init() {
+	android.RegisterModuleType("fuzzer_bindings_test", fuzzerBindingsTestFactory)
+	android.PreArchMutators(registerFuzzerMutators)
+}
+
+func registerFuzzerMutators(ctx android.RegisterMutatorsContext) {
+	ctx.BottomUp("addFuzzerConfigDeps", addFuzzerConfigDeps).Parallel()
+}
+
+func addFuzzerConfigDeps(ctx android.BottomUpMutatorContext) {
+	if _, ok := ctx.Module().(*fuzzerBindingsTestModule); ok {
+		for _, fuzzers := range ServiceFuzzerBindings {
+			for _, fuzzer := range fuzzers {
+				if !ctx.OtherModuleExists(fuzzer) && !ctx.Config().AllowMissingDependencies() {
+					panic(fmt.Errorf("Fuzzer doesn't exist : %s", fuzzer))
+				}
+			}
+		}
+	}
+}
+
+type bindingsTestProperties struct {
+	// Contexts files to be tested.
+	Srcs []string `android:"path"`
+}
+
+type fuzzerBindingsTestModule struct {
+	android.ModuleBase
+	tool          string
+	properties    bindingsTestProperties
+	testTimestamp android.ModuleOutPath
+}
+
+// fuzzer_bindings_test checks if a fuzzer is implemented for every service in service_contexts
+func fuzzerBindingsTestFactory() android.Module {
+	m := &fuzzerBindingsTestModule{tool: "fuzzer_bindings_check"}
+	m.AddProperties(&m.properties)
+	android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
+	return m
+}
+
+func (m *fuzzerBindingsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+	tool := m.tool
+	if tool != "fuzzer_bindings_check" {
+		panic(fmt.Errorf("%q: unknown tool name: %q", ctx.ModuleName(), tool))
+	}
+
+	if len(m.properties.Srcs) == 0 {
+		ctx.PropertyErrorf("srcs", "can't be empty")
+		return
+	}
+
+	// Generate a json file which contains existing bindings
+	rootPath := android.PathForIntermediates(ctx, "bindings.json")
+	jsonString, parseError := json.Marshal(ServiceFuzzerBindings)
+	if parseError != nil {
+		panic(fmt.Errorf("Error while marshalling ServiceFuzzerBindings dict. Check Format"))
+	}
+	android.WriteFileRule(ctx, rootPath, string(jsonString))
+
+	//input module json, service context and binding files here
+	srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
+	rule := android.NewRuleBuilder(pctx, ctx)
+
+	rule.Command().BuiltTool(tool).Flag("-s").Inputs(srcs).Flag("-b").Input(rootPath)
+
+	// Every Soong module needs to generate an output even if it doesn't require it
+	m.testTimestamp = android.PathForModuleOut(ctx, "timestamp")
+	rule.Command().Text("touch").Output(m.testTimestamp)
+	rule.Build("fuzzer_bindings_test", "running service:fuzzer bindings test: "+ctx.ModuleName())
+}
+
+func (m *fuzzerBindingsTestModule) AndroidMkEntries() []android.AndroidMkEntries {
+	return []android.AndroidMkEntries{android.AndroidMkEntries{
+		Class: "FAKE",
+		// OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
+		// Without OutputFile this module won't be exported to Makefile.
+		OutputFile: android.OptionalPathForPath(m.testTimestamp),
+		Include:    "$(BUILD_PHONY_PACKAGE)",
+		ExtraEntries: []android.AndroidMkExtraEntriesFunc{
+			func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
+				entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", m.testTimestamp.String())
+			},
+		},
+	}}
+}
diff --git a/com.android.sepolicy/33/definitions/definitions.cil b/com.android.sepolicy/33/definitions/definitions.cil
new file mode 100644
index 0000000..ffe4660
--- /dev/null
+++ b/com.android.sepolicy/33/definitions/definitions.cil
@@ -0,0 +1,15 @@
+; This file is required for sepolicy amend (go/seamendc).
+; The seamendc binary reads an amend SELinux policy as input in CIL format and applies its rules to
+; a binary SELinux policy. To parse the input correctly, we require the amend policy to be a valid
+; standalone policy. This file contains the preliminary statements(sid, sidorder, etc.) and
+; definitions (type, typeattribute, class, etc.) necessary to make the amend policy compile
+; successfully.
+(sid amend)
+(sidorder (amend))
+
+(classorder (file))
+
+;;;;;;;;;;;;;;;;;;;;;; shell.te ;;;;;;;;;;;;;;;;;;;;;;
+(type shell)
+(type sepolicy_test_file)
+(class file (ioctl read getattr lock map open watch watch_reads))
diff --git a/compat/Android.bp b/compat/Android.bp
index bc8409a..61acd40 100644
--- a/compat/Android.bp
+++ b/compat/Android.bp
@@ -23,45 +23,177 @@
     default_applicable_licenses: ["system_sepolicy_license"],
 }
 
+se_build_files {
+    name: "28.0.board.compat.map",
+    srcs: [
+        "compat/28.0/28.0.cil",
+    ],
+}
+
+se_build_files {
+    name: "29.0.board.compat.map",
+    srcs: [
+        "compat/29.0/29.0.cil",
+    ],
+}
+
+se_build_files {
+    name: "30.0.board.compat.map",
+    srcs: [
+        "compat/30.0/30.0.cil",
+    ],
+}
+
+se_build_files {
+    name: "31.0.board.compat.map",
+    srcs: [
+        "compat/31.0/31.0.cil",
+    ],
+}
+
+se_build_files {
+    name: "32.0.board.compat.map",
+    srcs: [
+        "compat/32.0/32.0.cil",
+    ],
+}
+
+se_build_files {
+    name: "33.0.board.compat.map",
+    srcs: [
+        "compat/33.0/33.0.cil",
+    ],
+}
+
+se_build_files {
+    name: "28.0.board.compat.cil",
+    srcs: [
+        "compat/28.0/28.0.compat.cil",
+    ],
+}
+
+se_build_files {
+    name: "29.0.board.compat.cil",
+    srcs: [
+        "compat/29.0/29.0.compat.cil",
+    ],
+}
+
+se_build_files {
+    name: "30.0.board.compat.cil",
+    srcs: [
+        "compat/30.0/30.0.compat.cil",
+    ],
+}
+
+se_build_files {
+    name: "31.0.board.compat.cil",
+    srcs: [
+        "compat/31.0/31.0.compat.cil",
+    ],
+}
+
+se_build_files {
+    name: "32.0.board.compat.cil",
+    srcs: [
+        "compat/32.0/32.0.compat.cil",
+    ],
+}
+
+se_build_files {
+    name: "33.0.board.compat.cil",
+    srcs: [
+        "compat/33.0/33.0.compat.cil",
+    ],
+}
+
+se_build_files {
+    name: "28.0.board.ignore.map",
+    srcs: [
+        "compat/28.0/28.0.ignore.cil",
+    ],
+}
+
+se_build_files {
+    name: "29.0.board.ignore.map",
+    srcs: [
+        "compat/29.0/29.0.ignore.cil",
+    ],
+}
+
+se_build_files {
+    name: "30.0.board.ignore.map",
+    srcs: [
+        "compat/30.0/30.0.ignore.cil",
+    ],
+}
+
+se_build_files {
+    name: "31.0.board.ignore.map",
+    srcs: [
+        "compat/31.0/31.0.ignore.cil",
+    ],
+}
+
+se_build_files {
+    name: "32.0.board.ignore.map",
+    srcs: [
+        "compat/32.0/32.0.ignore.cil",
+    ],
+}
+
+se_build_files {
+    name: "33.0.board.ignore.map",
+    srcs: [
+        "compat/33.0/33.0.ignore.cil",
+    ],
+}
+
 se_cil_compat_map {
     name: "plat_28.0.cil",
     stem: "28.0.cil",
-    bottom_half: [":28.0.board.compat.map"],
+    bottom_half: [":28.0.board.compat.map{.plat_private}"],
     top_half: "plat_29.0.cil",
 }
 
 se_cil_compat_map {
     name: "plat_29.0.cil",
     stem: "29.0.cil",
-    bottom_half: [":29.0.board.compat.map"],
+    bottom_half: [":29.0.board.compat.map{.plat_private}"],
     top_half: "plat_30.0.cil",
 }
 
 se_cil_compat_map {
     name: "plat_30.0.cil",
     stem: "30.0.cil",
-    bottom_half: [":30.0.board.compat.map"],
+    bottom_half: [":30.0.board.compat.map{.plat_private}"],
     top_half: "plat_31.0.cil",
 }
 
 se_cil_compat_map {
     name: "plat_31.0.cil",
     stem: "31.0.cil",
-    bottom_half: [":31.0.board.compat.map"],
+    bottom_half: [":31.0.board.compat.map{.plat_private}"],
     top_half: "plat_32.0.cil",
 }
 
 se_cil_compat_map {
     name: "plat_32.0.cil",
     stem: "32.0.cil",
-    bottom_half: [":32.0.board.compat.map"],
-    // top_half: "plat_33.0.cil",
+    bottom_half: [":32.0.board.compat.map{.plat_private}"],
+    top_half: "plat_33.0.cil",
+}
+
+se_cil_compat_map {
+    name: "plat_33.0.cil",
+    stem: "33.0.cil",
+    bottom_half: [":33.0.board.compat.map{.plat_private}"],
 }
 
 se_cil_compat_map {
     name: "system_ext_28.0.cil",
     stem: "28.0.cil",
-    bottom_half: [":28.0.board.compat.map"],
+    bottom_half: [":28.0.board.compat.map{.system_ext_private}"],
     top_half: "system_ext_29.0.cil",
     system_ext_specific: true,
 }
@@ -69,7 +201,7 @@
 se_cil_compat_map {
     name: "system_ext_29.0.cil",
     stem: "29.0.cil",
-    bottom_half: [":29.0.board.compat.map"],
+    bottom_half: [":29.0.board.compat.map{.system_ext_private}"],
     top_half: "system_ext_30.0.cil",
     system_ext_specific: true,
 }
@@ -77,7 +209,7 @@
 se_cil_compat_map {
     name: "system_ext_30.0.cil",
     stem: "30.0.cil",
-    bottom_half: [":30.0.board.compat.map"],
+    bottom_half: [":30.0.board.compat.map{.system_ext_private}"],
     top_half: "system_ext_31.0.cil",
     system_ext_specific: true,
 }
@@ -85,7 +217,7 @@
 se_cil_compat_map {
     name: "system_ext_31.0.cil",
     stem: "31.0.cil",
-    bottom_half: [":31.0.board.compat.map"],
+    bottom_half: [":31.0.board.compat.map{.system_ext_private}"],
     top_half: "system_ext_32.0.cil",
     system_ext_specific: true,
 }
@@ -93,15 +225,22 @@
 se_cil_compat_map {
     name: "system_ext_32.0.cil",
     stem: "32.0.cil",
-    bottom_half: [":32.0.board.compat.map"],
-    // top_half: "system_ext_33.0.cil",
+    bottom_half: [":32.0.board.compat.map{.system_ext_private}"],
+    top_half: "system_ext_33.0.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_33.0.cil",
+    stem: "33.0.cil",
+    bottom_half: [":33.0.board.compat.map{.system_ext_private}"],
     system_ext_specific: true,
 }
 
 se_cil_compat_map {
     name: "product_28.0.cil",
     stem: "28.0.cil",
-    bottom_half: [":28.0.board.compat.map"],
+    bottom_half: [":28.0.board.compat.map{.product_private}"],
     top_half: "product_29.0.cil",
     product_specific: true,
 }
@@ -109,7 +248,7 @@
 se_cil_compat_map {
     name: "product_29.0.cil",
     stem: "29.0.cil",
-    bottom_half: [":29.0.board.compat.map"],
+    bottom_half: [":29.0.board.compat.map{.product_private}"],
     top_half: "product_30.0.cil",
     product_specific: true,
 }
@@ -117,7 +256,7 @@
 se_cil_compat_map {
     name: "product_30.0.cil",
     stem: "30.0.cil",
-    bottom_half: [":30.0.board.compat.map"],
+    bottom_half: [":30.0.board.compat.map{.product_private}"],
     top_half: "product_31.0.cil",
     product_specific: true,
 }
@@ -125,7 +264,7 @@
 se_cil_compat_map {
     name: "product_31.0.cil",
     stem: "31.0.cil",
-    bottom_half: [":31.0.board.compat.map"],
+    bottom_half: [":31.0.board.compat.map{.product_private}"],
     top_half: "product_32.0.cil",
     product_specific: true,
 }
@@ -133,143 +272,179 @@
 se_cil_compat_map {
     name: "product_32.0.cil",
     stem: "32.0.cil",
-    bottom_half: [":32.0.board.compat.map"],
-    // top_half: "product_33.0.cil",
+    bottom_half: [":32.0.board.compat.map{.product_private}"],
+    top_half: "product_33.0.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_33.0.cil",
+    stem: "33.0.cil",
+    bottom_half: [":33.0.board.compat.map{.product_private}"],
     product_specific: true,
 }
 
 se_cil_compat_map {
     name: "28.0.ignore.cil",
-    bottom_half: [":28.0.board.ignore.map"],
+    bottom_half: [":28.0.board.ignore.map{.plat_private}"],
     top_half: "29.0.ignore.cil",
 }
 
 se_cil_compat_map {
     name: "29.0.ignore.cil",
-    bottom_half: [":29.0.board.ignore.map"],
+    bottom_half: [":29.0.board.ignore.map{.plat_private}"],
     top_half: "30.0.ignore.cil",
 }
 
 se_cil_compat_map {
     name: "30.0.ignore.cil",
-    bottom_half: [":30.0.board.ignore.map"],
+    bottom_half: [":30.0.board.ignore.map{.plat_private}"],
     top_half: "31.0.ignore.cil",
 }
 
 se_cil_compat_map {
     name: "31.0.ignore.cil",
-    bottom_half: [":31.0.board.ignore.map"],
+    bottom_half: [":31.0.board.ignore.map{.plat_private}"],
     top_half: "32.0.ignore.cil",
 }
 
 se_cil_compat_map {
     name: "32.0.ignore.cil",
-    bottom_half: [":32.0.board.ignore.map"],
-    // top_half: "33.0.ignore.cil",
+    bottom_half: [":32.0.board.ignore.map{.plat_private}"],
+    top_half: "33.0.ignore.cil",
+}
+
+se_cil_compat_map {
+    name: "33.0.ignore.cil",
+    bottom_half: [":33.0.board.ignore.map{.plat_private}"],
 }
 
 se_cil_compat_map {
     name: "system_ext_30.0.ignore.cil",
-    bottom_half: [":30.0.board.ignore.map"],
+    bottom_half: [":30.0.board.ignore.map{.system_ext_private}"],
     top_half: "system_ext_31.0.ignore.cil",
     system_ext_specific: true,
 }
 
 se_cil_compat_map {
     name: "system_ext_31.0.ignore.cil",
-    bottom_half: [":31.0.board.ignore.map"],
+    bottom_half: [":31.0.board.ignore.map{.system_ext_private}"],
     top_half: "system_ext_32.0.ignore.cil",
     system_ext_specific: true,
 }
 
 se_cil_compat_map {
     name: "system_ext_32.0.ignore.cil",
-    bottom_half: [":32.0.board.ignore.map"],
-    // top_half: "system_ext_33.0.ignore.cil",
+    bottom_half: [":32.0.board.ignore.map{.system_ext_private}"],
+    top_half: "system_ext_33.0.ignore.cil",
+    system_ext_specific: true,
+}
+
+se_cil_compat_map {
+    name: "system_ext_33.0.ignore.cil",
+    bottom_half: [":33.0.board.ignore.map{.system_ext_private}"],
     system_ext_specific: true,
 }
 
 se_cil_compat_map {
     name: "product_30.0.ignore.cil",
-    bottom_half: [":30.0.board.ignore.map"],
+    bottom_half: [":30.0.board.ignore.map{.product_private}"],
     top_half: "product_31.0.ignore.cil",
     product_specific: true,
 }
 
 se_cil_compat_map {
     name: "product_31.0.ignore.cil",
-    bottom_half: [":31.0.board.ignore.map"],
+    bottom_half: [":31.0.board.ignore.map{.product_private}"],
     top_half: "product_32.0.ignore.cil",
     product_specific: true,
 }
 
 se_cil_compat_map {
     name: "product_32.0.ignore.cil",
-    bottom_half: [":32.0.board.ignore.map"],
-    // top_half: "product_33.0.ignore.cil",
+    bottom_half: [":32.0.board.ignore.map{.product_private}"],
+    top_half: "product_33.0.ignore.cil",
+    product_specific: true,
+}
+
+se_cil_compat_map {
+    name: "product_33.0.ignore.cil",
+    bottom_half: [":33.0.board.ignore.map{.product_private}"],
     product_specific: true,
 }
 
 se_compat_cil {
     name: "28.0.compat.cil",
-    srcs: [":28.0.board.compat.cil"],
+    srcs: [":28.0.board.compat.cil{.plat_private}"],
 }
 
 se_compat_cil {
     name: "29.0.compat.cil",
-    srcs: [":29.0.board.compat.cil"],
+    srcs: [":29.0.board.compat.cil{.plat_private}"],
 }
 
 se_compat_cil {
     name: "30.0.compat.cil",
-    srcs: [":30.0.board.compat.cil"],
+    srcs: [":30.0.board.compat.cil{.plat_private}"],
 }
 
 se_compat_cil {
     name: "31.0.compat.cil",
-    srcs: [":31.0.board.compat.cil"],
+    srcs: [":31.0.board.compat.cil{.plat_private}"],
 }
 
 se_compat_cil {
     name: "32.0.compat.cil",
-    srcs: [":32.0.board.compat.cil"],
+    srcs: [":32.0.board.compat.cil{.plat_private}"],
+}
+
+se_compat_cil {
+    name: "33.0.compat.cil",
+    srcs: [":33.0.board.compat.cil{.plat_private}"],
 }
 
 se_compat_cil {
     name: "system_ext_28.0.compat.cil",
-    srcs: [":28.0.board.compat.cil"],
+    srcs: [":28.0.board.compat.cil{.system_ext_private}"],
     stem: "28.0.compat.cil",
     system_ext_specific: true,
 }
 
 se_compat_cil {
     name: "system_ext_29.0.compat.cil",
-    srcs: [":29.0.board.compat.cil"],
+    srcs: [":29.0.board.compat.cil{.system_ext_private}"],
     stem: "29.0.compat.cil",
     system_ext_specific: true,
 }
 
 se_compat_cil {
     name: "system_ext_30.0.compat.cil",
-    srcs: [":30.0.board.compat.cil"],
+    srcs: [":30.0.board.compat.cil{.system_ext_private}"],
     stem: "30.0.compat.cil",
     system_ext_specific: true,
 }
 
 se_compat_cil {
     name: "system_ext_31.0.compat.cil",
-    srcs: [":31.0.board.compat.cil"],
+    srcs: [":31.0.board.compat.cil{.system_ext_private}"],
     stem: "31.0.compat.cil",
     system_ext_specific: true,
 }
 
 se_compat_cil {
     name: "system_ext_32.0.compat.cil",
-    srcs: [":32.0.board.compat.cil"],
+    srcs: [":32.0.board.compat.cil{.system_ext_private}"],
     stem: "32.0.compat.cil",
     system_ext_specific: true,
 }
 
+se_compat_cil {
+    name: "system_ext_33.0.compat.cil",
+    srcs: [":33.0.board.compat.cil{.system_ext_private}"],
+    stem: "33.0.compat.cil",
+    system_ext_specific: true,
+}
+
 se_compat_test {
     name: "sepolicy_compat_test",
 }
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 2a5a058..d5cd8ae 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -23,6 +23,51 @@
     default_applicable_licenses: ["system_sepolicy_license"],
 }
 
+se_build_files {
+    name: "file_contexts_files",
+    srcs: ["file_contexts"],
+}
+
+se_build_files {
+    name: "file_contexts_asan_files",
+    srcs: ["file_contexts_asan"],
+}
+
+se_build_files {
+    name: "file_contexts_overlayfs_files",
+    srcs: ["file_contexts_overlayfs"],
+}
+
+se_build_files {
+    name: "hwservice_contexts_files",
+    srcs: ["hwservice_contexts"],
+}
+
+se_build_files {
+    name: "property_contexts_files",
+    srcs: ["property_contexts"],
+}
+
+se_build_files {
+    name: "service_contexts_files",
+    srcs: ["service_contexts"],
+}
+
+se_build_files {
+    name: "keystore2_key_contexts_files",
+    srcs: ["keystore2_key_contexts"],
+}
+
+se_build_files {
+    name: "seapp_contexts_files",
+    srcs: ["seapp_contexts"],
+}
+
+se_build_files {
+    name: "vndservice_contexts_files",
+    srcs: ["vndservice_contexts"],
+}
+
 file_contexts {
     name: "plat_file_contexts",
     srcs: [":file_contexts_files{.plat_private}"],
@@ -232,6 +277,15 @@
     recovery_available: true,
 }
 
+service_contexts {
+    name: "odm_service_contexts",
+    srcs: [
+        ":service_contexts_files{.odm}",
+    ],
+    device_specific: true,
+    recovery_available: true,
+}
+
 keystore2_key_contexts {
     name: "plat_keystore2_key_contexts",
     srcs: [":keystore2_key_contexts_files{.plat_private}"],
@@ -470,8 +524,19 @@
     sepolicy: ":precompiled_sepolicy",
 }
 
+service_contexts_test {
+    name: "odm_service_contexts_test",
+    srcs: [":odm_service_contexts"],
+    sepolicy: ":precompiled_sepolicy",
+}
+
 vndservice_contexts_test {
     name: "vndservice_contexts_test",
     srcs: [":vndservice_contexts"],
     sepolicy: ":precompiled_sepolicy",
 }
+
+fuzzer_bindings_test {
+    name: "fuzzer_bindings_test",
+    srcs: [":plat_service_contexts"],
+}
diff --git a/mac_permissions.mk b/mac_permissions.mk
deleted file mode 100644
index ad17b8f..0000000
--- a/mac_permissions.mk
+++ /dev/null
@@ -1,175 +0,0 @@
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := plat_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_plat_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) $(PRODUCT_PRIVATE_POLICY))
-all_plat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_PRIVATE_POLICY))
-
-# Build keys.conf
-plat_mac_perms_keys.tmp := $(intermediates)/plat_keys.tmp
-$(plat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_plat_mac_perms_keys)
-$(plat_mac_perms_keys.tmp): $(all_plat_mac_perms_keys) $(M4)
-	@mkdir -p $(dir $@)
-	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-# Should be synced with keys.conf.
-all_plat_keys := platform sdk_sandbox media networkstack shared testkey bluetooth
-all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_plat_mac_perms_files) $(all_plat_keys)
-	@mkdir -p $(dir $@)
-	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
-		MAINLINE_SEPOLICY_DEV_CERTIFICATES="$(MAINLINE_SEPOLICY_DEV_CERTIFICATES)" \
-		$(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-all_plat_keys :=
-all_plat_mac_perms_files :=
-all_plat_mac_perms_keys :=
-plat_mac_perms_keys.tmp :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := system_ext_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_system_ext_mac_perms_keys := $(call build_policy, keys.conf, $(SYSTEM_EXT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-all_system_ext_mac_perms_files := $(call build_policy, mac_permissions.xml, $(SYSTEM_EXT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-
-# Build keys.conf
-system_ext_mac_perms_keys.tmp := $(intermediates)/system_ext_keys.tmp
-$(system_ext_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(system_ext_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_system_ext_mac_perms_keys)
-$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys) $(M4)
-	@mkdir -p $(dir $@)
-	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_system_ext_mac_perms_files)
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-system_ext_mac_perms_keys.tmp :=
-all_system_ext_mac_perms_files :=
-all_system_ext_mac_perms_keys :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := product_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_product_mac_perms_keys := $(call build_policy, keys.conf, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-all_product_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PRODUCT_PRIVATE_POLICY) $(REQD_MASK_POLICY))
-
-# Build keys.conf
-product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
-$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(product_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_product_mac_perms_keys)
-$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys) $(M4)
-	@mkdir -p $(dir $@)
-	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_product_mac_perms_files)
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-product_mac_perms_keys.tmp :=
-all_product_mac_perms_files :=
-all_product_mac_perms_keys :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := vendor_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-
-# Build keys.conf
-vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
-$(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(vendor_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_vendor_mac_perms_keys)
-$(vendor_mac_perms_keys.tmp): $(all_vendor_mac_perms_keys) $(M4)
-	@mkdir -p $(dir $@)
-	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_vendor_mac_perms_files)
-	@mkdir -p $(dir $@)
-	$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
-		$(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-vendor_mac_perms_keys.tmp :=
-all_vendor_mac_perms_files :=
-all_vendor_mac_perms_keys :=
-
-##################################
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := odm_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-all_odm_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-
-# Build keys.conf
-odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp
-$(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(odm_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_odm_mac_perms_keys)
-$(odm_mac_perms_keys.tmp): $(all_odm_mac_perms_keys) $(M4)
-	@mkdir -p $(dir $@)
-	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
-
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
-$(all_odm_mac_perms_files)
-	@mkdir -p $(dir $@)
-	$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-
-odm_mac_perms_keys.tmp :=
-all_odm_mac_perms_files :=
diff --git a/mac_permissions/Android.bp b/mac_permissions/Android.bp
new file mode 100644
index 0000000..401f78c
--- /dev/null
+++ b/mac_permissions/Android.bp
@@ -0,0 +1,98 @@
+// Copyright (C) 2022 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file contains module definitions for mac_permissions.xml files.
+
+package {
+    // See: http://go/android-license-faq
+    // A large-scale-change added 'default_applicable_licenses' to import
+    // all of the 'license_kinds' from "system_sepolicy_license"
+    // to get the below license kinds:
+    //   SPDX-license-identifier-Apache-2.0
+    default_applicable_licenses: ["system_sepolicy_license"],
+}
+
+se_build_files {
+    name: "keys.conf",
+    srcs: ["keys.conf"],
+}
+
+se_build_files {
+    name: "mac_permissions.xml",
+    srcs: ["mac_permissions.xml"],
+}
+
+mac_permissions {
+    name: "plat_mac_permissions.xml",
+    keys: [
+        ":keys.conf{.plat_private}",
+        ":keys.conf{.system_ext_private}",
+        ":keys.conf{.product_private}",
+    ],
+    srcs: [":mac_permissions.xml{.plat_private}"],
+}
+
+mac_permissions {
+    name: "system_ext_mac_permissions.xml",
+    keys: [
+        ":keys.conf{.system_ext_private}",
+        ":keys.conf{.reqd_mask}",
+    ],
+    srcs: [
+        ":mac_permissions.xml{.system_ext_private}",
+        ":mac_permissions.xml{.reqd_mask}",
+    ],
+    system_ext_specific: true,
+}
+
+mac_permissions {
+    name: "product_mac_permissions.xml",
+    keys: [
+        ":keys.conf{.product_private}",
+        ":keys.conf{.reqd_mask}",
+    ],
+    srcs: [
+        ":mac_permissions.xml{.product_private}",
+        ":mac_permissions.xml{.reqd_mask}",
+    ],
+    product_specific: true,
+}
+
+mac_permissions {
+    name: "vendor_mac_permissions.xml",
+    keys: [
+        ":keys.conf{.plat_vendor_for_vendor}",
+        ":keys.conf{.vendor}",
+        ":keys.conf{.reqd_mask_for_vendor}",
+    ],
+    srcs: [
+        ":mac_permissions.xml{.plat_vendor_for_vendor}",
+        ":mac_permissions.xml{.vendor}",
+        ":mac_permissions.xml{.reqd_mask_for_vendor}",
+    ],
+    vendor: true,
+}
+
+mac_permissions {
+    name: "odm_mac_permissions.xml",
+    keys: [
+        ":keys.conf{.odm}",
+        ":keys.conf{.reqd_mask_for_vendor}",
+    ],
+    srcs: [
+        ":mac_permissions.xml{.odm}",
+        ":mac_permissions.xml{.reqd_mask_for_vendor}",
+    ],
+    device_specific: true,
+}
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 0628a5b..12bb8f7 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -241,6 +241,11 @@
         ":microdroid_vendor_sepolicy.cil",
     ],
     installable: false,
+
+    // b/259729287. In Microdroid, su is allowed to be in permissive mode.
+    // This is to support fully debuggable VMs on user builds. This is safe
+    // because we don't start adbd at all on non-debuggable VMs.
+    permissive_domains_on_user_builds: ["su"],
 }
 
 genrule {
@@ -277,14 +282,6 @@
     installable: false,
 }
 
-prebuilt_etc {
-    name: "microdroid_service_contexts",
-    filename: "plat_service_contexts",
-    src: "system/private/service_contexts",
-    relative_install_path: "selinux",
-    installable: false,
-}
-
 // For CTS
 se_policy_conf {
     name: "microdroid_general_sepolicy.conf",
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index ed74ddd..9a50f67 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -4,10 +4,12 @@
 
 domain_auto_trans(adbd, shell_exec, shell)
 
-userdebug_or_eng(`
-  allow adbd self:process setcurrent;
-  allow adbd su:process dyntransition;
-')
+# Allow adbd to transition to su. In Android, this is disallowed in user builds.
+# However, Microdroid allows it even in user builds because apps should be able
+# to adb root into their "debuggable" VMs in user builds. Disabling adbd for
+# non debuggable VMs are done by not starting adbd at all using sysprops.
+allow adbd self:process setcurrent;
+allow adbd su:process dyntransition;
 
 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
@@ -55,3 +57,6 @@
 # adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
 # TODO(b/200902288): patch adb and remove this rule
 dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
+
+# only adbd can transition to su.
+neverallow {domain -adbd} su:process { transition dyntransition };
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index 0545744..ce29abc 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -32,6 +32,9 @@
 # allow apkdmverity to log to the kernel
 allow apkdmverity kmsg_device:chr_file w_file_perms;
 
+# allow apkdmverity to write kmsg_debug (stdio_to_kmsg) inherited from microdroid_manager.
+allow apkdmverity kmsg_debug_device:chr_file w_file_perms;
+
 # apkdmverity is forked from microdroid_manager
 allow apkdmverity microdroid_manager:fd use;
 
diff --git a/microdroid/system/private/authfs_service.te b/microdroid/system/private/authfs_service.te
index e7e9ef0..05dea40 100644
--- a/microdroid/system/private/authfs_service.te
+++ b/microdroid/system/private/authfs_service.te
@@ -9,10 +9,6 @@
 # Allow domain transition from init.
 init_daemon_domain(authfs_service)
 
-# Allow running as a binder service.
-binder_call(authfs_service, servicemanager)
-add_service(authfs_service, authfs_binder_service)
-
 # Allow domain transition into authfs.
 domain_auto_trans(authfs_service, authfs_exec, authfs)
 
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 386f11e..f4bb79b 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,21 +2,6 @@
 type compos, domain, coredomain, microdroid_payload;
 type compos_exec, exec_type, file_type, system_file_type;
 
-# Expose RPC Binder service over vsock
-allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-
-# Allow using various binder services
-binder_use(compos);
-allow compos authfs_binder_service:service_manager find;
-binder_call(compos, authfs_service);
-
-# Read artifacts created by odrefresh and create signature files.
-allow compos authfs_fuse:dir rw_dir_perms;
-allow compos authfs_fuse:file create_file_perms;
-
-# Allow locating the authfs mount directory.
-allow compos authfs_data_file:dir search;
-
 # Run derive_classpath in our domain
 allow compos derive_classpath_exec:file rx_file_perms;
 allow compos apex_mnt_dir:dir r_dir_perms;
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
index 56f8d2a..0d617fb 100644
--- a/microdroid/system/private/compos_key_helper.te
+++ b/microdroid/system/private/compos_key_helper.te
@@ -6,15 +6,12 @@
 # Block crash dumps to ensure the secrets are not leaked.
 typeattribute compos_key_helper no_crash_dump_domain;
 
-# Allow using DICE binder service
-binder_use(compos_key_helper);
-allow compos_key_helper dice_node_service:service_manager find;
-binder_call(compos_key_helper, diced);
-allow compos_key_helper diced:diced { get_attestation_chain derive };
-
 # Communicate with compos via stdin/stdout pipes
 allow compos_key_helper compos:fd use;
 allow compos_key_helper compos:fifo_file { getattr read write };
 
 # Write to /dev/kmsg.
 allow compos_key_helper kmsg_device:chr_file rw_file_perms;
+
+# Communicate with microdroid manager to get DICE information
+unix_socket_connect(compos_key_helper, vm_payload_service, microdroid_manager)
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index 61dfa0b..8dcb4b1 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -28,10 +28,6 @@
 # Append to tombstone files.
 allow crash_dump tombstone_data_file:file { append getattr };
 
-# crash_dump writes out logcat logs at the bottom of tombstones,
-# which is super useful in some cases.
-unix_socket_connect(crash_dump, logdr, logd)
-
 # Crash dump is not intended to access the following files. Since these
 # are WAI, suppress the denials to clean up the logs.
 dontaudit crash_dump {
@@ -56,7 +52,6 @@
   -crash_dump
   -init
   -kernel
-  -logd
   -no_crash_dump_domain
   -ueventd
   -vendor_init
@@ -65,7 +60,6 @@
 userdebug_or_eng(`
   allow crash_dump {
     apexd
-    logd
   }:process { ptrace signal sigchld sigstop sigkill };
 ')
 
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index d259e1c..bd93f6e 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
@@ -30,7 +30,10 @@
 # Allow dex2oat to read /apex/apex-info-list.xml
 allow dex2oat apex_info_file:file r_file_perms;
 
-# Don't audit because we don't configure the compiler through system properties
-# in the VM.
-dontaudit dex2oat dalvik_config_prop:file { open read getattr map };
+# Allow reading dalvik system properties that may affect compilation
+get_prop(dex2oat, dalvik_config_prop)
+get_prop(dex2oat, device_config_runtime_native_boot_prop)
+
+# Don't audit because we don't configure the compiler through these
+# properties in the VM.
 dontaudit dex2oat device_config_runtime_native_prop:file { open read getattr map };
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
deleted file mode 100644
index 2dba244..0000000
--- a/microdroid/system/private/diced.te
+++ /dev/null
@@ -1,23 +0,0 @@
-type diced, domain, coredomain;
-type diced_exec, system_file_type, exec_type, file_type;
-
-# Block crash dumps to ensure the DICE secrets are not leaked.
-typeattribute diced no_crash_dump_domain;
-
-# diced can be started by init
-init_daemon_domain(diced)
-
-# diced can talk to dice HAL
-hal_client_domain(diced, hal_dice)
-
-# diced hosts AIDL services
-binder_use(diced)
-binder_service(diced)
-add_service(diced, dice_node_service)
-add_service(diced, dice_maintenance_service)
-
-# diced can check SELinux permissions.
-selinux_check_access(diced)
-
-# diced is using bootstrap bionic
-use_bootstrap_libs(diced)
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index d87df40..4251a9e 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -46,18 +46,6 @@
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 
-# /dev/binder can be accessed by ... everyone! :)
-allow domain binder_device:chr_file rw_file_perms;
-
-# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
-# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
-
-# /dev/binderfs needs to be accessed by everyone too!
-allow domain binderfs:dir { getattr search };
-allow domain binderfs_logs_proc:dir search;
-
-allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
 allow domain proc_random:dir r_dir_perms;
@@ -72,8 +60,9 @@
 
 allow domain init:key search;
 
-# logd access
-unix_socket_send(domain, logdw, logd)
+# Everyone can send log and read ro.log.file_logger.* properties
+allow domain log_device:chr_file ra_file_perms;
+get_prop(domain, log_prop)
 
 # Directory/link file access for path resolution.
 allow domain {
@@ -215,9 +204,6 @@
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
-allow domain self:global_capability_class_set audit_control;
-allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-
 # globally readable properties
 get_prop(domain, arm64_memtag_prop)
 get_prop(domain, bootloader_prop)
@@ -227,7 +213,6 @@
 get_prop(domain, init_service_status_prop)
 get_prop(domain, libc_debug_prop)
 get_prop(domain, log_tag_prop)
-get_prop(domain, logd_prop)
 get_prop(domain, property_service_version_prop)
 
 allow domain linkerconfig_file:dir search;
@@ -248,6 +233,9 @@
 allow domain task_profiles_file:file r_file_perms;
 allow domain task_profiles_api_file:file r_file_perms;
 
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
 # cgroupfs directories can be created, but not files within them.
 neverallow domain cgroup:file create;
 neverallow domain cgroup_v2:file create;
@@ -338,6 +326,7 @@
 # Only the kernel hwrng thread should be able to read from the HW RNG.
 neverallow {
   domain
+  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
   -shell # For CTS, restricted to just getattr in shell.te
   -ueventd # To create the /dev/hw_random file
 } hw_random_device:chr_file *;
@@ -374,16 +363,13 @@
 # These partitions are intended to be read-only and must never be
 # modified. Doing so would violate important Android security guarantees
 # and invalidate dm-verity signatures.
-neverallow {
-    domain
-    with_asan(`-asan_extract')
-} {
+neverallow domain {
     system_file_type
     vendor_file_type
     exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -kernel } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
@@ -398,31 +384,14 @@
 # Ensure that context mount types are not writable, to ensure that
 # the write to /system restriction above is not bypassed via context=
 # mount to another type.
-neverallow * { contextmount_type -authfs_fuse }:dir_file_class_set
+neverallow * { contextmount_type -authfs_fuse -encryptedstore_file }:dir_file_class_set
     { create relabelfrom relabelto append link rename };
-neverallow domain { contextmount_type -authfs_fuse }:dir_file_class_set { write unlink };
-
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager *;
+neverallow domain { contextmount_type -authfs_fuse -encryptedstore_file }:dir_file_class_set { write unlink };
 
 neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
 
 neverallow { domain -init } build_prop:property_service set;
 
-# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
-# The service managers are only allowed to access their own device node
-neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
-neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-
-# system services cant add vendor services
-neverallow {
-  coredomain
-} vendor_service:service_manager add;
-
 # Never allow anyone to connect or write to
 # the tombstoned intercept socket.
 neverallow { domain } tombstoned_intercept_socket:sock_file write;
@@ -450,11 +419,6 @@
 # Feature parity with Chromium LSM.
 neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
 
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-shell -su') } su_exec:file no_x_file_perms;
-
 neverallow { domain -init } proc:{ file dir } mounton;
 
 # Ensure that all types assigned to processes are included
@@ -478,7 +442,6 @@
   -init
   -vendor_init
   -toolbox # TODO(b/141108496) We want to remove toolbox
-  with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
 
 #
@@ -519,15 +482,6 @@
   -shell
 } shell_data_file:dir { open search };
 
-# servicemanager is the only process which handles the
-# service_manager list request
-neverallow * ~{
-    servicemanager
-    }:service_manager list;
-
-# only service_manager_types can be added to service_manager
-# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
-
 # Prevent assigning non property types to properties
 # TODO - rework this: neverallow * ~property_type:property_service set;
 
@@ -596,3 +550,6 @@
 # These domains must not be crash dumped
 neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms;
 neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
+
+# Ensure that no one can execute from encrypted storage, which is a writable partition in VM.
+neverallow domain encryptedstore_file:file no_x_file_perms;
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
new file mode 100644
index 0000000..5fa2e3a
--- /dev/null
+++ b/microdroid/system/private/encryptedstore.te
@@ -0,0 +1,48 @@
+# encryptedstore is a program that provides (encrypted) storage solution in a VM based on dm-crypt
+
+type encryptedstore, domain, coredomain;
+type encryptedstore_exec, exec_type, file_type, system_file_type;
+
+# encryptedstore is using bootstrap bionic
+use_bootstrap_libs(encryptedstore)
+
+# encryptedstore require access to block device directory to map dm-crypt
+r_dir_file(encryptedstore, block_device)
+
+# encryptedstore accesses /dev/vd* block device file.
+allow encryptedstore vd_device:blk_file rw_file_perms;
+
+# allow encryptedstore to create dm-crypt devices
+allow encryptedstore dm_device:{ chr_file blk_file } rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+allow encryptedstore self:global_capability_class_set sys_admin;
+
+# encryptedstore is forked from microdroid_manager
+allow encryptedstore microdroid_manager:fd use;
+
+# For formatting encrypted storage device
+allow encryptedstore e2fs_exec:file { rx_file_perms };
+allowxperm encryptedstore dm_device:blk_file ioctl {
+  BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKDISCARD
+};
+
+# access /sys/fs/ext4/features - required because encryptedstore runs mkfs.ext4 in its own domain
+allow encryptedstore sysfs_fs_ext4_features:dir search;
+allow encryptedstore sysfs_fs_ext4_features:file r_file_perms;
+
+# encryptedstore to mount on tmpfs bases directory (/mnt/)
+allow encryptedstore tmpfs:dir  { add_name create mounton write };
+
+# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the later
+allow encryptedstore labeledfs:filesystem { relabelfrom };
+allow encryptedstore encryptedstore_fs:filesystem { mount unmount relabelto relabelfrom };
+
+# allow encryptedstore to log to the kernel
+allow encryptedstore kmsg_device:chr_file w_file_perms;
+
+# Allow encryptedstore to write kmsg_debug (stdio_to_kmsg).
+allow encryptedstore kmsg_debug_device:chr_file w_file_perms;
+
+# Only microdroid_manager can run encryptedstore
+neverallow { domain -microdroid_manager } encryptedstore:process { transition dyntransition };
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index d15f9ba..6f037a3 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -4,6 +4,7 @@
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
+allow encryptedstore_file encryptedstore_fs:filesystem associate;
 allow extra_apk_file zipfusefs:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
@@ -17,3 +18,12 @@
 # /dev/selinux/test - used to verify that apex sepolicy is loaded and
 # property labeled.
 type sepolicy_test_file, file_type;
+
+# /system/bin/mke2fs - used to format encryptedstore block device
+type e2fs_exec, system_file_type, exec_type, file_type;
+
+type encryptedstore_file, file_type;
+type encryptedstore_fs, fs_type, contextmount_type;
+
+# Filesystem entry for for PRNG seeder socket.
+type prng_seeder_socket, file_type, coredomain_socket;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 83eceb0..8d9ad85 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -34,7 +34,6 @@
 /dev(/.*)?		u:object_r:device:s0
 /dev/ashmem		u:object_r:ashmem_device:s0
 /dev/ashmem(.*)?	u:object_r:ashmem_libcutils_device:s0
-/dev/binder		u:object_r:binder_device:s0
 /dev/block(/.*)?	u:object_r:block_device:s0
 /dev/block/dm-[0-9]+	u:object_r:dm_device:s0
 /dev/block/loop[0-9]*	u:object_r:loop_device:s0
@@ -53,9 +52,8 @@
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/hvc0               u:object_r:serial_device:s0
 /dev/hvc1               u:object_r:serial_device:s0
-/dev/hvc2               u:object_r:serial_device:s0
+/dev/hvc2               u:object_r:log_device:s0
 /dev/hw_random		u:object_r:hw_random_device:s0
-/dev/hwbinder		u:object_r:hwbinder_device:s0
 /dev/loop-control	u:object_r:loop_control_device:s0
 /dev/ppp		u:object_r:ppp_device:s0
 /dev/ptmx		u:object_r:ptmx_device:s0
@@ -68,14 +66,14 @@
 /dev/rtc[0-9]      u:object_r:rtc_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
-/dev/socket/logd	u:object_r:logd_socket:s0
-/dev/socket/logdr	u:object_r:logdr_socket:s0
-/dev/socket/logdw	u:object_r:logdw_socket:s0
+/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/statsdw	u:object_r:statsdw_socket:s0
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
 /dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
 /dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/socket/authfs_service u:object_r:authfs_service_socket:s0
+/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
 /dev/sys/block/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/sys/fs/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/tty		u:object_r:owntty_device:s0
@@ -87,7 +85,6 @@
 /dev/uio[0-9]*		u:object_r:uio_device:s0
 /dev/urandom		u:object_r:random_device:s0
 /dev/vhost-vsock	u:object_r:kvm_device:s0
-/dev/vndbinder		u:object_r:vndbinder_device:s0
 /dev/vsock		u:object_r:vsock_device:s0
 /dev/zero		u:object_r:zero_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
@@ -108,13 +105,11 @@
 /system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
 /system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/diced.microdroid		u:object_r:diced_exec:s0
-/system/bin/servicemanager.microdroid	u:object_r:servicemanager_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
 /system/bin/logcat	--	u:object_r:logcat_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0
 /system/bin/sh		--	u:object_r:shell_exec:s0
-/system/bin/tombstoned u:object_r:tombstoned_exec:s0
+/system/bin/tombstoned.microdroid u:object_r:tombstoned_exec:s0
 /system/bin/toolbox	--	u:object_r:toolbox_exec:s0
 /system/bin/toybox	--	u:object_r:toolbox_exec:s0
 /system/bin/zipfuse              u:object_r:zipfuse_exec:s0
@@ -123,6 +118,10 @@
 /system/bin/apkdmverity          u:object_r:apkdmverity_exec:s0
 /system/bin/authfs               u:object_r:authfs_exec:s0
 /system/bin/authfs_service       u:object_r:authfs_service_exec:s0
+/system/bin/encryptedstore       u:object_r:encryptedstore_exec:s0
+/system/bin/mke2fs		u:object_r:e2fs_exec:s0
+/system/bin/kexec_load           u:object_r:kexec_exec:s0
+/system/bin/prng_seeder          u:object_r:prng_seeder_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
@@ -170,3 +169,7 @@
 #############################
 # Directory for extra apks
 /mnt/extra-apk	u:object_r:extra_apk_file:s0
+
+#############################
+# Directory for encrypted storage (persistent across boot)
+/mnt/encryptedstore	u:object_r:encryptedstore_file:s0
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 254dbe8..ce28471 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -42,7 +42,6 @@
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
@@ -357,15 +356,8 @@
 
 genfscon securityfs / u:object_r:securityfs:s0
 
-genfscon binder /binder u:object_r:binder_device:s0
-genfscon binder /hwbinder u:object_r:hwbinder_device:s0
-genfscon binder /vndbinder u:object_r:vndbinder_device:s0
-genfscon binder /binder_logs u:object_r:binderfs_logs:s0
-genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
-
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
-genfscon binder / u:object_r:binderfs:s0
 genfscon exfat / u:object_r:exfat:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 708d537..5ad30e5 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -230,11 +230,9 @@
 allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir  { open read setattr search };
 
 allow init {
-  binder_device
   console_device
   devpts
   dm_device
-  hwbinder_device
   kmsg_device
   null_device
   owntty_device
@@ -435,3 +433,8 @@
 allow init fuse:dir { search getattr };
 
 set_prop(init, property_type)
+
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
diff --git a/microdroid/system/private/kexec.te b/microdroid/system/private/kexec.te
new file mode 100644
index 0000000..8d40986
--- /dev/null
+++ b/microdroid/system/private/kexec.te
@@ -0,0 +1,15 @@
+# kexec loads a crashdump kernel into memory using the kexec_file_load syscall.
+type kexec, domain, coredomain;
+type kexec_exec, exec_type, file_type, system_file_type;
+
+# allow kexec to write into /dev/kmsg for logging
+allow kexec kmsg_device:chr_file w_file_perms;
+
+# kexec is launched by microdroid_manager with fork/execvp.
+allow kexec microdroid_manager:fd use;
+
+# allow kexec to have SYS_BOOT
+allow kexec self:capability sys_boot;
+
+# allow kexec to write kmsg_debug
+allow kexec kmsg_debug_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/logcat.te b/microdroid/system/private/logcat.te
deleted file mode 100644
index a26cff3..0000000
--- a/microdroid/system/private/logcat.te
+++ /dev/null
@@ -1,19 +0,0 @@
-# logcat in Microdroid runs as a daemon process. It reads logs from logd and
-# emits the logs to the virtual serial console.
-typeattribute logcat coredomain;
-
-# logcat can be executed from init
-init_daemon_domain(logcat)
-
-# logcat can append to the virtual console devices
-allow logcat device:dir r_dir_perms;
-allow logcat serial_device:chr_file ra_file_perms;
-
-# logcat can get logs from logd
-read_logd(logcat)
-
-# Allow logcat to read ro.logd.ready so that it waits until logd is ready to
-# accept commands
-get_prop(logcat, logd_prop)
-
-allow logcat self:global_capability_class_set { sys_nice };
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
deleted file mode 100644
index 46cdb7d..0000000
--- a/microdroid/system/private/logd.te
+++ /dev/null
@@ -1,44 +0,0 @@
-typeattribute logd coredomain;
-
-init_daemon_domain(logd)
-
-allow logd adbd:dir search;
-allow logd adbd:file { getattr open read };
-allow logd device:dir search;
-allow logd init:dir search;
-allow logd init:fd use;
-allow logd init:file { getattr open read };
-allow logd kernel:dir search;
-allow logd kernel:file { getattr open read };
-allow logd kernel:system { syslog_mod syslog_read };
-allow logd linkerconfig_file:dir search;
-allow logd microdroid_manager:dir search;
-allow logd microdroid_manager:file { getattr open read };
-allow logd null_device:chr_file { open read };
-#allow logd proc_kmsg:file read;
-r_dir_file(logd, cgroup)
-r_dir_file(logd, cgroup_v2)
-r_dir_file(logd, proc_kmsg)
-r_dir_file(logd, proc_meminfo)
-allow logd self:fifo_file { read write };
-allow logd self:file { getattr open read };
-allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
-allow logd self:global_capability2_class_set syslog;
-#allow logd self:netlink_audit_socket getopt;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-allow logd kmsg_device:chr_file { getattr w_file_perms };
-r_dir_file(logd, domain)
-allow logd self:unix_stream_socket { accept getopt setopt shutdown };
-allow logd servicemanager:dir search;
-allow logd servicemanager:file { open read };
-allow logd tombstoned:dir search;
-allow logd tombstoned:file { getattr open read };
-allow logd ueventd:dir search;
-allow logd ueventd:file { getattr open read };
-control_logd(logd)
-read_runtime_log_tags(logd)
-
-# Logd sets defaults if certain properties are empty.
-set_prop(logd, logd_prop)
-
-dontaudit domain runtime_event_log_tags_file:file { map open read };
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index de58326..d26154a 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -8,10 +8,3 @@
 
 type microdroid_app, domain, coredomain, microdroid_payload;
 type microdroid_app_exec, exec_type, file_type, system_file_type;
-
-# Talk to binder services (for diced)
-binder_use(microdroid_app);
-
-allow microdroid_app dice_node_service:service_manager find;
-binder_call(microdroid_app, diced);
-allow microdroid_app diced:diced { get_attestation_chain derive };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 21731cc..51372ad 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -6,6 +6,9 @@
 # allow domain transition from init
 init_daemon_domain(microdroid_manager)
 
+# Allow microdroid_manager to set boot status
+set_prop(microdroid_manager, boot_status_prop)
+
 # microdroid_manager accesses a virtual disk block device to read VM payload
 # It needs write access as it updates the instance image
 allow microdroid_manager block_device:dir r_dir_perms;
@@ -17,11 +20,20 @@
 # microdroid_manager can query AVF flags in the device tree
 allow microdroid_manager sysfs_dt_avf:file r_file_perms;
 
+# Read config from the open-dice driver.
+allow microdroid_manager open_dice_device:chr_file rw_file_perms;
+
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute microdroid_manager no_crash_dump_domain;
+
 # Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
 # requires sys_admin cap as well.
 allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
 allow microdroid_manager self:global_capability_class_set sys_admin;
 
+# Allow microdroid_manager to remove capabilities from it's capability bounding set.
+allow microdroid_manager self:global_capability_class_set setpcap;
+
 # Allow microdroid_manager to start payload tasks
 domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
 domain_auto_trans(microdroid_manager, compos_exec, compos)
@@ -30,45 +42,58 @@
 domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
 domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
 
+# Allow microdroid_manager to start encryptedstore binary
+domain_auto_trans(microdroid_manager, encryptedstore_exec, encryptedstore)
+
+# Microdroid Manager needs read related permission for syncing encrypted storage fs
+allow microdroid_manager encryptedstore_file:dir r_dir_perms;
+
+# Allow microdroid_manager to run kexec to load crashkernel
+domain_auto_trans(microdroid_manager, kexec_exec, kexec)
+
 # Let microdroid_manager kernel-log.
 allow microdroid_manager kmsg_device:chr_file w_file_perms;
 
-# Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below rule
-userdebug_or_eng(`
-  r_dir_file(microdroid_manager, fuse)
-')
-
 # Let microdroid_manager to create a vsock connection back to the host VM
 allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
 
+# Allow microdroid_manager to read the CID of the VM.
+allow microdroid_manager vsock_device:chr_file { ioctl open read };
+
 # microdroid_manager is using bootstrap bionic
 use_bootstrap_libs(microdroid_manager)
 
-# microdroid_manager can talk to diced over binder
-binder_use(microdroid_manager)
-binder_call(microdroid_manager, diced)
-allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
-allow microdroid_manager diced:diced { derive demote_self };
-
 # microdroid_manager create /apex/vm-payload-metadata for apexd
 # TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
 allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
 allow microdroid_manager apex_mnt_dir:file create_file_perms;
 
-# Allow microdroid_manager to start the services apexd-vm, apkdmverity,tombstone_transmit & zipfuse
+# Allow microdroid_manager to start various services
 set_prop(microdroid_manager, ctl_apexd_vm_prop)
 set_prop(microdroid_manager, ctl_apkdmverity_prop)
+set_prop(microdroid_manager, ctl_authfs_prop)
 set_prop(microdroid_manager, ctl_seriallogging_prop)
 set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
 set_prop(microdroid_manager, ctl_zipfuse_prop)
 
+# Allow microdroid_manager to stop tombstoned
+set_prop(microdroid_manager, ctl_tombstoned_prop)
+
 # Allow microdroid_manager to wait for linkerconfig to be ready
 get_prop(microdroid_manager, apex_config_prop)
 
+# Allow microdroid_manager to wait for zipfuse to be ready
+get_prop(microdroid_manager, microdroid_manager_zipfuse_prop)
+
 # Allow microdroid_manager to pass the roothash to apkdmverity
 set_prop(microdroid_manager, microdroid_manager_roothash_prop)
 
+# Allow microdroid_manager to set sysprops calculated from the payload config
+set_prop(microdroid_manager, microdroid_config_prop)
+
+# Allow microdroid_manager to set sysprops related to microdroid_lifecycle (ex. init_done)
+set_prop(microdroid_manager, microdroid_lifecycle_prop)
+
 # Allow microdroid_manager to shutdown the device when verification fails
 set_prop(microdroid_manager, powerctl_prop)
 
@@ -76,11 +101,47 @@
 # that is different from what is recorded in the instance.img file.
 allow microdroid_manager proc_bootconfig:file r_file_perms;
 
+# microdroid_manager needs to read /proc/cmdline to see if crashkernel= parameter is set
+# or not; if set, it executes kexec to load the crashkernel into memory.
+allow microdroid_manager proc_cmdline:file r_file_perms;
+
+# microdroid_manager needs to read /proc/stat and /proc_meminfo to collect CPU & memory usage
+# for creating atoms used in AVF telemetry metrics
+allow microdroid_manager proc_meminfo:file r_file_perms;
+allow microdroid_manager proc_stat:file r_file_perms;
+
+# Allow microdroid_manager to set up zram-backed swap:
+#  - Read & Write zram properties in sysfs to set/get zram disksize
+#  - Read & Write to zram block device needed for mkswap and swapon
+allow microdroid_manager sysfs_zram:dir { search };
+allow microdroid_manager sysfs_zram:file rw_file_perms;
+allow microdroid_manager ram_device:blk_file rw_file_perms;
+
+# Allow microdroid_manager to read/write failure serial device
+allow microdroid_manager serial_device:chr_file w_file_perms;
+
 # Allow microdroid_manager to handle extra_apks
 allow microdroid_manager extra_apk_file:dir create_dir_perms;
 
+# Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
+allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
+
+# Read tombstone_transmit_status_prop to wait for initialization of tombstone_transmit
+get_prop(microdroid_manager, tombstone_transmit_status_prop)
+
 # Domains other than microdroid can't write extra_apks
 neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
 neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
 
+# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager,
+# in their own domains.
 neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
+neverallow microdroid_manager {
+  domain
+  -crash_dump
+  -microdroid_payload
+  -apkdmverity
+  -encryptedstore
+  -zipfuse
+  -kexec
+}:process transition;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index fea0768..c1974c7 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,11 +27,38 @@
 # Write to /dev/kmsg.
 allow microdroid_payload kmsg_device:chr_file rw_file_perms;
 
-# Only microdroid_payload and apk verity binaries can be run by microdroid_manager
-neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process transition;
-
-# Allow microdroid_payload to open binder servers via vsock.
-allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+# Allow microdroid_payload to host binder servers via vsock. Listening
+# for connections from the host is permitted, but connecting out to
+# the host is not. Inbound connections are mediated by
+# virtualiationservice which ensures a process can only connect to a
+# VM that it owns.
+allow microdroid_payload self:vsock_socket {
+ create listen accept read getattr write setattr lock append bind
+ getopt setopt shutdown map
+};
 
 # Payload can read extra apks
 r_dir_file(microdroid_payload, extra_apk_file)
+
+# Payload can read /proc/meminfo.
+allow microdroid_payload proc_meminfo:file r_file_perms;
+
+# Allow payload to communicate with authfs_service
+unix_socket_connect(microdroid_payload, authfs_service, authfs_service)
+
+# Allow locating the authfs mount directory.
+allow microdroid_payload authfs_data_file:dir search;
+
+# Read and write files authfs-proxied files.
+allow microdroid_payload authfs_fuse:dir rw_dir_perms;
+allow microdroid_payload authfs_fuse:file create_file_perms;
+
+# Allow payload to communicate with microdroid manager
+unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager)
+
+# Payload can read, write into encrypted storage directory
+allow microdroid_payload encryptedstore_file:dir create_dir_perms;
+allow microdroid_payload encryptedstore_file:file create_file_perms;
+
+# Never allow microdroid_payload to connect to vsock
+neverallow microdroid_payload self:vsock_socket connect;
diff --git a/microdroid/system/private/net.te b/microdroid/system/private/net.te
index 1b2fd41..8e783cb 100644
--- a/microdroid/system/private/net.te
+++ b/microdroid/system/private/net.te
@@ -2,15 +2,3 @@
 type node, node_type;
 type netif, netif_type;
 type port, port_type;
-
-###
-### Domain with network access
-###
-
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-allow netdomain port_type:tcp_socket name_connect;
-allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
diff --git a/microdroid/system/private/prng_seeder.te b/microdroid/system/private/prng_seeder.te
new file mode 100644
index 0000000..ab4e275
--- /dev/null
+++ b/microdroid/system/private/prng_seeder.te
@@ -0,0 +1,17 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random.  When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect.  No other IO is performed.
+type prng_seeder, domain, coredomain;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# prng_seeder is using bootstrap bionic
+use_bootstrap_libs(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 6e795dc..1bbe2a9 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,3 +1,8 @@
+system_internal_prop(ctl_tombstoned_prop)
+system_restricted_prop(tombstone_transmit_status_prop)
+
+system_restricted_prop(boot_status_prop)
+
 # Declare ART properties for CompOS
 system_public_prop(dalvik_config_prop)
 system_restricted_prop(device_config_runtime_native_prop)
@@ -35,3 +40,16 @@
   domain
   -init
 } apexd_payload_metadata_prop:property_service set;
+
+# Only microdroid_manager and init can set the microdroid_config_prop sysprops
+neverallow {
+    domain
+    -init
+    -microdroid_manager
+} {microdroid_config_prop microdroid_lifecycle_prop}:property_service set;
+
+neverallow {
+    domain
+    -init
+    -microdroid_manager
+} {microdroid_config_prop microdroid_lifecycle_prop}:file no_rw_file_perms;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 6f65eff..235ab14 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -1,7 +1,6 @@
 # property contexts for microdroid
-# microdroid only uses much fewer properties than normal Android, so every property is listed as
-# an exact entry. The only wildcards are "debug.*", "init.svc_debug_pid.*", "ctl.*", and
-# process-dependent properties like "arm64.memtag.*" and "log.tag.*".
+# microdroid uses far fewer properties than normal Android, so almost
+# every property is listed as an exact entry.
 
 debug.         u:object_r:debug_prop:s0 prefix
 persist.debug. u:object_r:debug_prop:s0 prefix
@@ -23,8 +22,11 @@
 
 ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
 
+ctl.stop$tombstoned u:object_r:ctl_tombstoned_prop:s0
+
 ctl.start$apexd-vm      u:object_r:ctl_apexd_vm_prop:s0
 ctl.start$apkdmverity   u:object_r:ctl_apkdmverity_prop:s0
+ctl.start$authfs_service u:object_r:ctl_authfs_prop:s0
 ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
 ctl.start$tombstone_transmit     u:object_r:ctl_tombstone_transmit_prop:s0
 ctl.start$zipfuse       u:object_r:ctl_zipfuse_prop:s0
@@ -38,8 +40,7 @@
 
 service.adb.root u:object_r:shell_prop:s0 exact bool
 
-ro.logd.kernel u:object_r:logd_prop:s0 exact bool
-logd.ready     u:object_r:logd_prop:s0 exact bool
+dev.bootcomplete   u:object_r:boot_status_prop:s0 exact bool
 
 ro.config.low_ram u:object_r:build_prop:s0 exact bool
 
@@ -52,10 +53,7 @@
 ro.boottime.init.first_stage          u:object_r:boottime_prop:s0 exact int
 ro.boottime.init.modules              u:object_r:boottime_prop:s0 exact int
 ro.boottime.init.selinux              u:object_r:boottime_prop:s0 exact int
-ro.boottime.logd                      u:object_r:boottime_prop:s0 exact int
-ro.boottime.logd-reinit               u:object_r:boottime_prop:s0 exact int
 ro.boottime.microdroid_manager        u:object_r:boottime_prop:s0 exact int
-ro.boottime.servicemanager            u:object_r:boottime_prop:s0 exact int
 ro.boottime.tombstoned                u:object_r:boottime_prop:s0 exact int
 ro.boottime.ueventd                   u:object_r:boottime_prop:s0 exact int
 ro.boottime.zipfuse                   u:object_r:boottime_prop:s0 exact int
@@ -73,10 +71,7 @@
 init.svc.apexd-vm           u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.apkdmverity        u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.authfs_service     u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd               u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd-reinit        u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.servicemanager     u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.ueventd            u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.zipfuse            u:object_r:init_service_status_private_prop:s0 exact string
 
@@ -89,8 +84,6 @@
 ro.boot.first_stage_console        u:object_r:bootloader_prop:s0 exact string
 ro.boot.force_normal_boot          u:object_r:bootloader_prop:s0 exact string
 ro.boot.hardware                   u:object_r:bootloader_prop:s0 exact string
-ro.boot.logd.enabled               u:object_r:bootloader_prop:s0 exact bool
-ro.boot.microdroid.app_debuggable  u:object_r:bootloader_prop:s0 exact bool
 ro.boot.microdroid.debuggable      u:object_r:bootloader_prop:s0 exact bool
 ro.boot.slot_suffix                u:object_r:bootloader_prop:s0 exact string
 ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
@@ -114,6 +107,7 @@
 ro.build.version.release        u:object_r:build_prop:s0 exact string
 ro.build.version.sdk            u:object_r:build_prop:s0 exact int
 ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+ro.build.version.known_codenames u:object_r:build_prop:s0 exact string
 ro.debuggable                   u:object_r:build_prop:s0 exact bool
 ro.product.cpu.abilist          u:object_r:build_prop:s0 exact string
 ro.adb.secure                   u:object_r:build_prop:s0 exact bool
@@ -123,6 +117,13 @@
 apex_config.done u:object_r:apex_config_prop:s0 exact bool
 
 microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
+microdroid_manager.apk.mounted u:object_r:microdroid_manager_zipfuse_prop:s0 exact bool
+microdroid_manager.extra_apk.mounted. u:object_r:microdroid_manager_zipfuse_prop:s0 prefix bool
+
+microdroid_manager.authfs.enabled u:object_r:microdroid_config_prop:s0 exact bool
+
+microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
+microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
 
 dev.mnt.blk.root   u:object_r:dev_mnt_prop:s0 exact string
 dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
@@ -136,6 +137,8 @@
 
 persist.adb.wifi.guid  u:object_r:adbd_prop:s0 exact string
 
+ro.log.file_logger.path    u:object_r:log_prop:s0 exact string
+
 log.tag          u:object_r:log_tag_prop:s0 prefix
 persist.log.tag  u:object_r:log_tag_prop:s0 prefix
 
@@ -158,3 +161,9 @@
 persist.device_config.runtime_native_boot.  u:object_r:device_config_runtime_native_boot_prop:s0 prefix
 
 apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
+
+tombstone_transmit.init_done u:object_r:tombstone_transmit_status_prop:s0 exact bool
+
+# tombstone_transmit.start starts tombstone_transmit after creating a directory
+# assigning the same label as ctl.start$tombstone_transmit
+tombstone_transmit.start u:object_r:ctl_tombstone_transmit_prop:s0 exact bool
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
deleted file mode 100644
index 9a27306..0000000
--- a/microdroid/system/private/service_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-android.hardware.security.dice.IDiceDevice/default                   u:object_r:hal_dice_service:s0
-
-adb                                       u:object_r:adb_service:s0
-android.security.dice.IDiceMaintenance    u:object_r:dice_maintenance_service:s0
-android.security.dice.IDiceNode           u:object_r:dice_node_service:s0
-apexservice                               u:object_r:apex_service:s0
-authfs_service                            u:object_r:authfs_binder_service:s0
-manager                                   u:object_r:service_manager_service:s0
-*                                         u:object_r:default_android_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
deleted file mode 100644
index d51c827..0000000
--- a/microdroid/system/private/servicemanager.te
+++ /dev/null
@@ -1,29 +0,0 @@
-typeattribute servicemanager coredomain;
-
-init_daemon_domain(servicemanager)
-
-selinux_check_access(servicemanager)
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains.  It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
-  domain
-  -init
-  -vendor_init
-}:binder transfer;
-
-allow servicemanager service_contexts_file:file r_file_perms;
-
-allow servicemanager vendor_service_contexts_file:file r_file_perms;
-
-add_service(servicemanager, service_manager_service)
-
-set_prop(servicemanager, ctl_interface_start_prop)
-
-# servicemanager is using bootstrap bionic
-use_bootstrap_libs(servicemanager)
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index c93b488..d6c3c0d 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -35,6 +35,7 @@
 dontaudit shell sysfs:dir r_dir_perms;
 
 # Test tool tries to read various service status properties.
+get_prop(shell, boot_status_prop)
 get_prop(shell, init_service_status_prop)
 get_prop(shell, init_service_status_private_prop)
 
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 1196262..533b328 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -1,9 +1,4 @@
-userdebug_or_eng(`
-  typeattribute su coredomain;
+typeattribute su coredomain;
 
-  domain_auto_trans(shell, su_exec, su)
-
-  # su is also permissive to permit setenforce.
-  permissive su;
-
-')
+# su is also permissive to permit setenforce.
+permissive su;
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
index 588ebff..4f2b5ab 100644
--- a/microdroid/system/private/tombstone_transmit.te
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -3,6 +3,14 @@
 
 init_daemon_domain(tombstone_transmit)
 
-r_dir_file(tombstone_transmit, tombstone_data_file)
+# permission required to read the file & remove it from directory
+allow tombstone_transmit tombstone_data_file:dir { r_dir_perms write remove_name };
+allow tombstone_transmit tombstone_data_file:file { r_file_perms unlink };
 
 allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
+
+# allow tombstone_transmit to notify its initialization
+set_prop(tombstone_transmit, tombstone_transmit_status_prop)
+
+# Only tombstone_transmit can set its status
+neverallow { domain -init -tombstone_transmit } tombstone_transmit_status_prop:property_service set;
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index 6652e27..0cb6daf 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -36,6 +36,9 @@
 # allow zipfuse to log to the kernel
 allow zipfuse kmsg_device:chr_file w_file_perms;
 
+# allow zipfuse to write kmsg_debug (stdio_to_kmsg) inherited from microdroid_manager.
+allow zipfuse kmsg_debug_device:chr_file w_file_perms;
+
 # allow zipfuse to handle extra apks
 r_dir_file(zipfuse, extra_apk_file)
 allow zipfuse extra_apk_file:dir mounton;
@@ -43,6 +46,9 @@
 # zipfuse is forked from microdroid_manager
 allow zipfuse microdroid_manager:fd use;
 
+# allow signalling when the mount is ready
+set_prop(zipfuse, microdroid_manager_zipfuse_prop)
+
 # Only microdroid_manager can run zipfuse
 neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };
 
diff --git a/microdroid/system/public/apexd.te b/microdroid/system/public/apexd.te
index f80c1da..d14da93 100644
--- a/microdroid/system/public/apexd.te
+++ b/microdroid/system/public/apexd.te
@@ -1,5 +1,2 @@
 type apexd, domain, coredomain;
 type apexd_exec, file_type, exec_type, system_file_type;
-
-binder_use(apexd)
-add_service(apexd, apex_service)
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 00b5f2b..61bf8fb 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -7,9 +7,6 @@
 # in tools/checkfc.c
 attribute dev_type;
 
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute bdev_type;
-
 # All types used for processes.
 attribute domain;
 
@@ -123,20 +120,6 @@
 attribute vendor_public_property_type;
 expandattribute vendor_public_property_type false;
 
-# services which served by vendor and also using the copy of libbinder on
-# system (for instance via libbinder_ndk). services using a different copy
-# of libbinder currently need their own context manager (e.g.
-# vndservicemanager)
-attribute vendor_service;
-
-# All types used for services managed by servicemanager.
-# On change, update CHECK_SC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute service_manager_type;
-
-# All domains used for apps with network access.
-attribute netdomain;
-
 # All domains used for apps with bluetooth access.
 attribute bluetoothdomain;
 
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index f99084c..8c6f777 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,6 +1,5 @@
 type ashmem_device, dev_type;
 type ashmem_libcutils_device, dev_type;
-type binder_device, dev_type;
 type block_device, dev_type;
 type console_device, dev_type;
 type device, dev_type, fs_type;
@@ -11,7 +10,6 @@
 type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
 type fuse_device, dev_type;
 type hw_random_device, dev_type;
-type hwbinder_device, dev_type;
 type kmsg_debug_device, dev_type;
 type kmsg_device, dev_type;
 type kvm_device, dev_type;
@@ -29,6 +27,7 @@
 type random_device, dev_type;
 type rtc_device, dev_type;
 type serial_device, dev_type;
+type log_device, dev_type;
 type socket_device, dev_type;
 type tty_device, dev_type;
 type tun_device, dev_type;
@@ -36,6 +35,5 @@
 type uio_device, dev_type;
 type userdata_sysdev, dev_type;
 type vd_device, dev_type;
-type vndbinder_device, dev_type;
 type vsock_device, dev_type;
 type zero_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 57be060..fe269d7 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -5,15 +5,13 @@
 type apex_info_file, file_type;
 type apex_mnt_dir, file_type;
 type authfs_data_file, file_type, data_file_type, core_data_file_type;
+type authfs_service_socket, file_type, coredomain_socket;
 type cgroup_desc_api_file, file_type, system_file_type;
 type cgroup_desc_file, file_type, system_file_type;
 type cgroup_rc_file, file_type;
 type extra_apk_file, file_type;
 type file_contexts_file, file_type, system_file_type;
 type linkerconfig_file, file_type;
-type logd_socket, file_type, coredomain_socket;
-type logdr_socket, file_type, coredomain_socket;
-type logdw_socket, file_type, coredomain_socket;
 type nativetest_data_file, file_type, data_file_type, core_data_file_type;
 type property_contexts_file, file_type, system_file_type;
 type property_socket, file_type, coredomain_socket;
@@ -46,11 +44,9 @@
 type vendor_data_file, file_type, data_file_type;
 type vendor_file, file_type, vendor_file_type;
 type vendor_service_contexts_file, vendor_file_type, file_type;
+type vm_payload_service_socket, file_type, coredomain_socket;
 
 # file system types
-type binderfs, fs_type;
-type binderfs_logs, fs_type;
-type binderfs_logs_proc, fs_type;
 type binfmt_miscfs, fs_type;
 type cgroup, fs_type;
 type cgroup_v2, fs_type;
@@ -93,7 +89,6 @@
 type proc_drop_caches, fs_type, proc_type;
 type proc_extra_free_kbytes, fs_type, proc_type;
 type proc_filesystems, fs_type, proc_type;
-type proc_fs_verity, fs_type, proc_type;
 type proc_hostname, fs_type, proc_type;
 type proc_hung_task, fs_type, proc_type;
 type proc_interrupts, fs_type, proc_type;
diff --git a/microdroid/system/public/hal_dice.te b/microdroid/system/public/hal_dice.te
deleted file mode 100644
index 92222c5..0000000
--- a/microdroid/system/public/hal_dice.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_dice_client, hal_dice_server)
-
-hal_attribute_service(hal_dice, hal_dice_service)
-binder_call(hal_dice_server, servicemanager)
diff --git a/microdroid/system/public/logcat.te b/microdroid/system/public/logcat.te
deleted file mode 100644
index cf2bb7e..0000000
--- a/microdroid/system/public/logcat.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type logcat, domain;
-type logcat_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/logd.te b/microdroid/system/public/logd.te
deleted file mode 100644
index 67f601c..0000000
--- a/microdroid/system/public/logd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type logd, domain;
-type logd_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index f85ba76..a2c3b77 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -11,6 +11,7 @@
 type ctl_apexd_prop, property_type;
 type ctl_apexd_vm_prop, property_type;
 type ctl_apkdmverity_prop, property_type;
+type ctl_authfs_prop, property_type;
 type ctl_console_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_fuse_prop, property_type;
@@ -35,9 +36,12 @@
 type init_service_status_prop, property_type;
 type init_svc_debug_prop, property_type;
 type libc_debug_prop, property_type;
+type log_prop, property_type;
 type log_tag_prop, property_type;
-type logd_prop, property_type;
 type microdroid_manager_roothash_prop, property_type;
+type microdroid_manager_zipfuse_prop, property_type;
+type microdroid_config_prop, property_type;
+type microdroid_lifecycle_prop, property_type;
 type property_service_version_prop, property_type;
 type shell_prop, property_type;
 type timezone_prop, property_type;
diff --git a/microdroid/system/public/servicemanager.te b/microdroid/system/public/servicemanager.te
deleted file mode 100644
index 41a1096..0000000
--- a/microdroid/system/public/servicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type servicemanager, domain;
-type servicemanager_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
index 00c2d0b..0bcb29d 100644
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@@ -2,13 +2,6 @@
 type shell, domain;
 type shell_exec, system_file_type, exec_type, file_type;
 
-# Create and use network sockets.
-net_domain(shell)
-
-# logcat
-read_logd(shell)
-control_logd(shell)
-
 # Root fs.
 allow shell rootfs:dir r_dir_perms;
 
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
index ea8ffa0..0807126 100644
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@@ -1,7 +1,6 @@
 type statsd, domain;
 
 type statsd_exec, system_file_type, exec_type, file_type;
-binder_use(statsd)
 
 # Allow statsd to scan through /proc/pid for all processes.
 r_dir_file(statsd, domain)
@@ -15,10 +14,6 @@
 allow statsd system_file:file execute_no_trans;
 allow statsd toolbox_exec:file rx_file_perms;
 
-# Allow logd access.
-read_logd(statsd)
-control_logd(statsd)
-
 # Allow 'adb shell cmd' to upload configs and download output.
 allow statsd adbd:fd use;
 allow statsd adbd:unix_stream_socket { getattr read write };
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index aded9ae..5f41e37 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -2,45 +2,36 @@
 # after performing an adb root command.
 
 # All types must be defined regardless of build variant to ensure
-# policy compilation succeeds with userdebug/user combination at boot
+# that adb root works on debuggable VMs even for user builds.
 type su, domain;
 
-# File types must be defined for file_contexts.
-type su_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
-  # Add su to various domains
-  net_domain(su)
-
-  dontaudit su self:capability_class_set *;
-  dontaudit su self:capability2 *;
-  dontaudit su kernel:security *;
-  dontaudit su { kernel file_type }:system *;
-  dontaudit su self:memprotect *;
-  dontaudit su domain:{ process process2 } *;
-  dontaudit su domain:fd *;
-  dontaudit su domain:dir *;
-  dontaudit su domain:lnk_file *;
-  dontaudit su domain:{ fifo_file file } *;
-  dontaudit su domain:socket_class_set *;
-  dontaudit su domain:ipc_class_set *;
-  dontaudit su domain:key *;
-  dontaudit su fs_type:filesystem *;
-  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
-  dontaudit su node_type:node *;
-  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
-  dontaudit su netif_type:netif *;
-  dontaudit su port_type:socket_class_set *;
-  dontaudit su port_type:{ tcp_socket dccp_socket } *;
-  dontaudit su domain:peer *;
-  dontaudit su domain:binder *;
-  dontaudit su property_type:property_service *;
-  dontaudit su property_type:file *;
-  dontaudit su service_manager_type:service_manager *;
-  dontaudit su servicemanager:service_manager list;
-  dontaudit su domain:drmservice *;
-  dontaudit su unlabeled:filesystem *;
-  dontaudit su domain:bpf *;
-  dontaudit su unlabeled:vsock_socket *;
-  dontaudit su self:perf_event *;
-')
+# Add su to various domains
+dontaudit su self:capability_class_set *;
+dontaudit su self:capability2 *;
+dontaudit su kernel:security *;
+dontaudit su { kernel file_type }:system *;
+dontaudit su self:memprotect *;
+dontaudit su domain:{ process process2 } *;
+dontaudit su domain:fd *;
+dontaudit su domain:dir *;
+dontaudit su domain:lnk_file *;
+dontaudit su domain:{ fifo_file file } *;
+dontaudit su domain:socket_class_set *;
+dontaudit su domain:ipc_class_set *;
+dontaudit su domain:key *;
+dontaudit su fs_type:filesystem *;
+dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+dontaudit su node_type:node *;
+dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+dontaudit su netif_type:netif *;
+dontaudit su port_type:socket_class_set *;
+dontaudit su port_type:{ tcp_socket dccp_socket } *;
+dontaudit su domain:peer *;
+dontaudit su domain:binder *;
+dontaudit su property_type:property_service *;
+dontaudit su property_type:file *;
+dontaudit su domain:drmservice *;
+dontaudit su unlabeled:filesystem *;
+dontaudit su domain:bpf *;
+dontaudit su unlabeled:vsock_socket *;
+dontaudit su self:perf_event *;
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 6db0d70..b274417 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -590,41 +590,6 @@
 define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
 
 #####################################
-# write_logd(domain)
-# Ability to write to android log
-# daemon via sockets
-define(`write_logd', `
-unix_socket_send($1, logdw, logd)
-allow $1 pmsg_device:chr_file w_file_perms;
-')
-
-#####################################
-# read_logd(domain)
-# Ability to run logcat and read from android
-# log daemon via sockets
-define(`read_logd', `
-allow $1 logcat_exec:file rx_file_perms;
-unix_socket_connect($1, logdr, logd)
-')
-
-#####################################
-# read_runtime_log_tags(domain)
-# ability to directly map the runtime event log tags
-define(`read_runtime_log_tags', `
-allow $1 runtime_event_log_tags_file:file r_file_perms;
-')
-
-#####################################
-# control_logd(domain)
-# Ability to control
-# android log daemon via sockets
-define(`control_logd', `
-# Group AID_LOG checked by filesystem & logd
-# to permit control commands
-unix_socket_connect($1, logd, logd)
-')
-
-#####################################
 # use_keystore(domain)
 # Ability to use keystore.
 # Keystore is requires the following permissions
@@ -995,3 +960,11 @@
   allow $1 system_bootstrap_lib_file:dir r_dir_perms;
   allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
 ')
+
+######################################
+# use_apex_info(domain)
+# Allow access to apex information
+define(`use_apex_info', `
+  allow $1 apex_mnt_dir:dir r_dir_perms;
+  allow $1 apex_info_file:file r_file_perms;
+')
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index b21b2dd..efc1aa3 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -1,11 +1,3 @@
 # Miscellaneous types
-type adb_service, service_manager_type;
-type apex_service, service_manager_type;
-type authfs_binder_service, service_manager_type;
-type default_android_service, service_manager_type;
-type dice_maintenance_service,  service_manager_type;
-type dice_node_service,         service_manager_type;
-type hal_dice_service, vendor_service, service_manager_type;
-type service_manager_service, service_manager_type;
 type system_linker;
 type vm_payload_key;
diff --git a/microdroid/vendor/file_contexts b/microdroid/vendor/file_contexts
index 002fb14..533814c 100644
--- a/microdroid/vendor/file_contexts
+++ b/microdroid/vendor/file_contexts
@@ -3,6 +3,3 @@
 #
 (/.*)?                  u:object_r:vendor_file:s0
 /etc(/.*)?              u:object_r:vendor_configs_file:s0
-
-# HAL location
-/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
deleted file mode 100644
index 9fbf90d..0000000
--- a/microdroid/vendor/hal_dice_default.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type hal_dice_default, domain;
-hal_server_domain(hal_dice_default, hal_dice)
-
-# Block crash dumps to ensure the DICE secrets are not leaked.
-typeattribute hal_dice_default no_crash_dump_domain;
-
-type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_dice_default)
-
-# hal_dice_default is using bootstrap bionic
-use_bootstrap_libs(hal_dice_default)
-
-allow hal_dice_default sysfs_dt_avf:file r_file_perms;
-allow hal_dice_default open_dice_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.cil
index d916a13..a99b628 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.cil
@@ -1378,7 +1378,6 @@
 (typeattributeset build_config_prop_32_0 (build_config_prop))
 (typeattributeset build_odm_prop_32_0 (build_odm_prop))
 (typeattributeset build_prop_32_0 (build_prop))
-(typeattributeset build_prop_32_0 (userdebug_or_eng_prop))
 (typeattributeset build_vendor_prop_32_0 (build_vendor_prop))
 (typeattributeset cache_backup_file_32_0 (cache_backup_file))
 (typeattributeset cache_block_device_32_0 (cache_block_device))
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index 076d642..7294656 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -60,9 +60,9 @@
     mdns_service
     nearby_service
     persist_wm_debug_prop
-    prng_seeder
     proc_watermark_boost_factor
     proc_watermark_scale_factor
+    prng_seeder
     remotelyprovisionedkeypool_service
     resources_manager_service
     rootdisk_sysdev
diff --git a/prebuilts/api/33.0/private/crosvm.te b/prebuilts/api/33.0/private/crosvm.te
index e47abd7..167ad2f 100644
--- a/prebuilts/api/33.0/private/crosvm.te
+++ b/prebuilts/api/33.0/private/crosvm.te
@@ -66,12 +66,9 @@
 # For ACPI
 allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
 
-# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
-# compliance tests and demo apps. Write access to instance.img is particularily important because
-# the VM has to initialize the disk image on its first boot. Note that open access is still not
-# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
-# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
-allow crosvm shell_data_file:file write;
+# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
+# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
+userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
 
 # Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
 full_treble_only(`
diff --git a/prebuilts/api/33.0/private/heapprofd.te b/prebuilts/api/33.0/private/heapprofd.te
index 36d2938..246f936 100644
--- a/prebuilts/api/33.0/private/heapprofd.te
+++ b/prebuilts/api/33.0/private/heapprofd.te
@@ -41,14 +41,11 @@
 # executables/libraries/etc to do stack unwinding.
 r_dir_file(heapprofd, nativetest_data_file)
 r_dir_file(heapprofd, system_file_type)
+r_dir_file(heapprofd, apex_art_data_file)
 r_dir_file(heapprofd, apk_data_file)
 r_dir_file(heapprofd, dalvikcache_data_file)
 r_dir_file(heapprofd, vendor_file_type)
 r_dir_file(heapprofd, shell_test_data_file)
-# ART apex files and directory access to the containing /data/misc/apexdata.
-r_dir_file(heapprofd, apex_art_data_file)
-allow heapprofd apex_module_data_file:dir { getattr search };
-
 # Some dex files are not world-readable.
 # We are still constrained by the SELinux rules above.
 allow heapprofd self:global_capability_class_set dac_read_search;
diff --git a/prebuilts/api/33.0/private/kernel.te b/prebuilts/api/33.0/private/kernel.te
index 6775b3b..03ba79f 100644
--- a/prebuilts/api/33.0/private/kernel.te
+++ b/prebuilts/api/33.0/private/kernel.te
@@ -32,6 +32,19 @@
 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;
 
+dontaudit kernel metadata_file:dir search;
+dontaudit kernel ota_metadata_file:dir rw_dir_perms;
+dontaudit kernel sysfs:dir r_dir_perms;
+dontaudit kernel sysfs:file { open read write };
+dontaudit kernel sysfs:chr_file { open read write };
+dontaudit kernel dm_device:chr_file ioctl;
+dontaudit kernel self:capability { sys_admin setgid mknod };
+
+dontaudit kernel dm_user_device:dir { write add_name };
+dontaudit kernel dm_user_device:chr_file { create setattr };
+dontaudit kernel tmpfs:lnk_file read;
+dontaudit kernel tmpfs:blk_file { open read };
+
 # Some contexts are changed before the device is flipped into enforcing mode
 # during the setup of Apex sepolicy. These denials can be suppressed since
 # the permissions should not be allowed after the device is flipped into
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index ac288f0..3841fd5 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -815,7 +815,7 @@
 
 ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
 
-ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
+ro.debuggable u:object_r:build_prop:s0 exact bool
 
 ro.treble.enabled u:object_r:build_prop:s0 exact bool
 
@@ -842,7 +842,7 @@
 ro.system.build.version.sdk                 u:object_r:build_prop:s0 exact int
 
 ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure     u:object_r:userdebug_or_eng_prop:s0 exact int
+ro.secure     u:object_r:build_prop:s0 exact int
 
 ro.product.system_ext.brand        u:object_r:build_prop:s0 exact string
 ro.product.system_ext.device       u:object_r:build_prop:s0 exact string
diff --git a/prebuilts/api/33.0/private/sdk_sandbox.te b/prebuilts/api/33.0/private/sdk_sandbox.te
index 20d3adf..7ca323f 100644
--- a/prebuilts/api/33.0/private/sdk_sandbox.te
+++ b/prebuilts/api/33.0/private/sdk_sandbox.te
@@ -12,86 +12,20 @@
 
 # Allow finding services. This is different from ephemeral_app policy.
 # Adding services manually to the allowlist is preferred hence app_api_service is not used.
+allow sdk_sandbox activity_service:service_manager find;
+allow sdk_sandbox activity_task_service:service_manager find;
+allow sdk_sandbox audio_service:service_manager find;
 # Audit the access to signal that we are still investigating whether sdk_sandbox
 # should have access to audio_service
 # TODO(b/211632068): remove this line
 auditallow sdk_sandbox audio_service:service_manager find;
-
-allow sdk_sandbox activity_service:service_manager find;
-allow sdk_sandbox activity_task_service:service_manager find;
-allow sdk_sandbox appops_service:service_manager find;
-allow sdk_sandbox audio_service:service_manager find;
-allow sdk_sandbox audioserver_service:service_manager find;
-allow sdk_sandbox batteryproperties_service:service_manager find;
-allow sdk_sandbox batterystats_service:service_manager find;
-allow sdk_sandbox connectivity_service:service_manager find;
-allow sdk_sandbox connmetrics_service:service_manager find;
-allow sdk_sandbox deviceidle_service:service_manager find;
-allow sdk_sandbox display_service:service_manager find;
-allow sdk_sandbox dropbox_service:service_manager find;
-allow sdk_sandbox font_service:service_manager find;
-allow sdk_sandbox game_service:service_manager find;
-allow sdk_sandbox gpu_service:service_manager find;
-allow sdk_sandbox graphicsstats_service:service_manager find;
-allow sdk_sandbox hardware_properties_service:service_manager find;
 allow sdk_sandbox hint_service:service_manager find;
-allow sdk_sandbox imms_service:service_manager find;
-allow sdk_sandbox input_method_service:service_manager find;
-allow sdk_sandbox input_service:service_manager find;
-allow sdk_sandbox IProxyService_service:service_manager find;
-allow sdk_sandbox ipsec_service:service_manager find;
-allow sdk_sandbox launcherapps_service:service_manager find;
-allow sdk_sandbox legacy_permission_service:service_manager find;
-allow sdk_sandbox light_service:service_manager find;
-allow sdk_sandbox locale_service:service_manager find;
-allow sdk_sandbox media_communication_service:service_manager find;
-allow sdk_sandbox mediaextractor_service:service_manager find;
-allow sdk_sandbox mediametrics_service:service_manager find;
-allow sdk_sandbox media_projection_service:service_manager find;
-allow sdk_sandbox media_router_service:service_manager find;
-allow sdk_sandbox mediaserver_service:service_manager find;
-allow sdk_sandbox media_session_service:service_manager find;
-allow sdk_sandbox memtrackproxy_service:service_manager find;
-allow sdk_sandbox midi_service:service_manager find;
-allow sdk_sandbox netpolicy_service:service_manager find;
-allow sdk_sandbox netstats_service:service_manager find;
-allow sdk_sandbox network_management_service:service_manager find;
-allow sdk_sandbox notification_service:service_manager find;
-allow sdk_sandbox package_service:service_manager find;
-allow sdk_sandbox permission_checker_service:service_manager find;
-allow sdk_sandbox permission_service:service_manager find;
-allow sdk_sandbox permissionmgr_service:service_manager find;
-allow sdk_sandbox platform_compat_service:service_manager find;
-allow sdk_sandbox power_service:service_manager find;
-allow sdk_sandbox procstats_service:service_manager find;
-allow sdk_sandbox registry_service:service_manager find;
-allow sdk_sandbox restrictions_service:service_manager find;
-allow sdk_sandbox rttmanager_service:service_manager find;
-allow sdk_sandbox search_service:service_manager find;
-allow sdk_sandbox selection_toolbar_service:service_manager find;
-allow sdk_sandbox sensor_privacy_service:service_manager find;
-allow sdk_sandbox sensorservice_service:service_manager find;
-allow sdk_sandbox servicediscovery_service:service_manager find;
-allow sdk_sandbox settings_service:service_manager find;
-allow sdk_sandbox speech_recognition_service:service_manager find;
-allow sdk_sandbox statusbar_service:service_manager find;
-allow sdk_sandbox storagestats_service:service_manager find;
 allow sdk_sandbox surfaceflinger_service:service_manager find;
-allow sdk_sandbox telecom_service:service_manager find;
-allow sdk_sandbox tethering_service:service_manager find;
-allow sdk_sandbox textclassification_service:service_manager find;
-allow sdk_sandbox textservices_service:service_manager find;
-allow sdk_sandbox texttospeech_service:service_manager find;
 allow sdk_sandbox thermal_service:service_manager find;
-allow sdk_sandbox translation_service:service_manager find;
-allow sdk_sandbox tv_iapp_service:service_manager find;
-allow sdk_sandbox tv_input_service:service_manager find;
+allow sdk_sandbox trust_service:service_manager find;
 allow sdk_sandbox uimode_service:service_manager find;
-allow sdk_sandbox vcn_management_service:service_manager find;
 allow sdk_sandbox webviewupdate_service:service_manager find;
 
-allow sdk_sandbox system_linker_exec:file execute_no_trans;
-
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(sdk_sandbox)
@@ -116,7 +50,7 @@
 ### neverallow rules
 ###
 
-neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };
 
 # Receive or send uevent messages.
 neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
diff --git a/prebuilts/api/33.0/private/system_suspend.te b/prebuilts/api/33.0/private/system_suspend.te
index bef7c6d..d924187 100644
--- a/prebuilts/api/33.0/private/system_suspend.te
+++ b/prebuilts/api/33.0/private/system_suspend.te
@@ -29,14 +29,6 @@
 allow system_suspend dumpstate:fd use;
 allow system_suspend dumpstate:fifo_file write;
 
-# Allow init to take kernel wakelock and system suspend to
-# remove kenel wakelocks and the capability to access these
-# files
-allow init sysfs_wake_lock:file rw_file_perms;
-allow init self:global_capability2_class_set block_suspend;
-allow system_suspend sysfs_wake_lock:file rw_file_perms;
-allow system_suspend self:global_capability2_class_set block_suspend;
-
 neverallow {
     domain
     -atrace # tracing
diff --git a/prebuilts/api/33.0/private/toolbox.te b/prebuilts/api/33.0/private/toolbox.te
index 1e53d72..a2b958d 100644
--- a/prebuilts/api/33.0/private/toolbox.te
+++ b/prebuilts/api/33.0/private/toolbox.te
@@ -1,7 +1,3 @@
 typeattribute toolbox coredomain;
 
 init_daemon_domain(toolbox)
-
-# rm -rf in /data/misc/virtualizationservice
-allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
-allow toolbox virtualizationservice_data_file:file { getattr unlink };
diff --git a/prebuilts/api/33.0/private/traced_perf.te b/prebuilts/api/33.0/private/traced_perf.te
index 811bf48..96a7263 100644
--- a/prebuilts/api/33.0/private/traced_perf.te
+++ b/prebuilts/api/33.0/private/traced_perf.te
@@ -28,12 +28,10 @@
 # Allow reading files for stack unwinding and symbolization.
 r_dir_file(traced_perf, nativetest_data_file)
 r_dir_file(traced_perf, system_file_type)
+r_dir_file(traced_perf, apex_art_data_file)
 r_dir_file(traced_perf, apk_data_file)
 r_dir_file(traced_perf, dalvikcache_data_file)
 r_dir_file(traced_perf, vendor_file_type)
-# ART apex files and directory access to the containing /data/misc/apexdata.
-r_dir_file(traced_perf, apex_art_data_file)
-allow traced_perf apex_module_data_file:dir { getattr search };
 
 # Allow to temporarily lift the kptr_restrict setting and build a symbolization
 # map reading /proc/kallsyms.
diff --git a/prebuilts/api/33.0/private/untrusted_app.te b/prebuilts/api/33.0/private/untrusted_app.te
index 63b095a..62d458d 100644
--- a/prebuilts/api/33.0/private/untrusted_app.te
+++ b/prebuilts/api/33.0/private/untrusted_app.te
@@ -14,10 +14,3 @@
 untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
-
-# Allow webview to access fd shared by sdksandbox for experiments data
-# TODO(b/229249719): Will not be supported in Android U
-allow untrusted_app sdk_sandbox_data_file:fd use;
-allow untrusted_app sdk_sandbox_data_file:file write;
-
-neverallow untrusted_app sdk_sandbox_data_file:file { open create };
diff --git a/prebuilts/api/33.0/private/untrusted_app_25.te b/prebuilts/api/33.0/private/untrusted_app_25.te
index b40fad0..4235d7e 100644
--- a/prebuilts/api/33.0/private/untrusted_app_25.te
+++ b/prebuilts/api/33.0/private/untrusted_app_25.te
@@ -52,6 +52,3 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
-
-# Allow hidden build props
-get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_27.te b/prebuilts/api/33.0/private/untrusted_app_27.te
index dd9b4a8..c747af1 100644
--- a/prebuilts/api/33.0/private/untrusted_app_27.te
+++ b/prebuilts/api/33.0/private/untrusted_app_27.te
@@ -40,6 +40,3 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
-
-# Allow hidden build props
-get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_29.te b/prebuilts/api/33.0/private/untrusted_app_29.te
index 0cc2bea..6bb2606 100644
--- a/prebuilts/api/33.0/private/untrusted_app_29.te
+++ b/prebuilts/api/33.0/private/untrusted_app_29.te
@@ -18,6 +18,3 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
-
-# Allow hidden build props
-get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_30.te b/prebuilts/api/33.0/private/untrusted_app_30.te
index 7b23be7..e0a71ef 100644
--- a/prebuilts/api/33.0/private/untrusted_app_30.te
+++ b/prebuilts/api/33.0/private/untrusted_app_30.te
@@ -20,6 +20,3 @@
 # allow sending RTM_GETNEIGH{TBL} messages.
 allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
-
-# Allow hidden build props
-get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)
diff --git a/prebuilts/api/33.0/private/untrusted_app_all.te b/prebuilts/api/33.0/private/untrusted_app_all.te
index 26077f3..ceee544 100644
--- a/prebuilts/api/33.0/private/untrusted_app_all.te
+++ b/prebuilts/api/33.0/private/untrusted_app_all.te
@@ -176,7 +176,9 @@
 # permission. The protection level of the permission is `signature|development`
 # so that it can only be granted to either platform-key signed apps or
 # test-only apps having `android:testOnly="true"` in its manifest.
-virtualizationservice_use(untrusted_app_all)
+userdebug_or_eng(`
+  virtualizationservice_use(untrusted_app_all)
+')
 
 with_native_coverage(`
   # Allow writing coverage information to /data/misc/trace
diff --git a/prebuilts/api/33.0/private/update_verifier.te b/prebuilts/api/33.0/private/update_verifier.te
index a8cef37..5e1b27b 100644
--- a/prebuilts/api/33.0/private/update_verifier.te
+++ b/prebuilts/api/33.0/private/update_verifier.te
@@ -7,10 +7,3 @@
 
 # Allow to set the OTA related properties e.g. ota.warm_reset.
 set_prop(update_verifier, ota_prop)
-
-# allow update_verifier to connect to snapuserd daemon
-allow update_verifier snapuserd_socket:sock_file write;
-allow update_verifier snapuserd:unix_stream_socket connectto;
-
-# virtual a/b properties
-get_prop(update_verifier, virtual_ab_prop)
diff --git a/prebuilts/api/33.0/private/zygote.te b/prebuilts/api/33.0/private/zygote.te
index b1c3d44..41245c2 100644
--- a/prebuilts/api/33.0/private/zygote.te
+++ b/prebuilts/api/33.0/private/zygote.te
@@ -229,10 +229,6 @@
 # Allow zygote to read qemu.sf.lcd_density
 get_prop(zygote, qemu_sf_lcd_density_prop)
 
-# Allow zygote to read persist.wm.debug.* to toggle experimental window manager features in
-# preloaded classes
-get_prop(zygote, persist_wm_debug_prop)
-
 # Allow zygote to read /apex/apex-info-list.xml
 allow zygote apex_info_file:file r_file_perms;
 
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index 46e9456..de529f5 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -129,7 +129,6 @@
 get_prop(domain, socket_hook_prop)
 get_prop(domain, surfaceflinger_prop)
 get_prop(domain, telephony_status_prop)
-get_prop({domain -untrusted_app_all userdebug_or_eng(`-isolated_app -ephemeral_app') },  userdebug_or_eng_prop)
 get_prop(domain, vendor_socket_hook_prop)
 get_prop(domain, vndk_prop)
 get_prop(domain, vold_status_prop)
@@ -565,7 +564,6 @@
 
 neverallow { domain -init } aac_drc_prop:property_service set;
 neverallow { domain -init } build_prop:property_service set;
-neverallow { domain -init } userdebug_or_eng_prop:property_service set;
 
 # Do not allow reading device's serial number from system properties except form
 # a few allowed domains.
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 5eb3d27..f1c6d72 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -113,9 +113,6 @@
   sysfs_zram
 }:file r_file_perms;
 
-# Ignore other file access under /sys.
-dontaudit dumpstate sysfs:file r_file_perms;
-
 # Other random bits of data we want to collect
 no_debugfs_restriction(`
   allow dumpstate debugfs:file r_file_perms;
diff --git a/prebuilts/api/33.0/public/init.te b/prebuilts/api/33.0/public/init.te
index ce0d130..8dcdd33 100644
--- a/prebuilts/api/33.0/public/init.te
+++ b/prebuilts/api/33.0/public/init.te
@@ -158,7 +158,6 @@
 # Mounting filesystems from block devices.
 allow init dev_type:blk_file r_file_perms;
 allowxperm init dev_type:blk_file ioctl BLKROSET;
-allowxperm init system_data_root_file:dir ioctl F2FS_IOC_SHUTDOWN;
 
 # Mounting filesystems.
 # Only allow relabelto for types used in context= mount options,
diff --git a/prebuilts/api/33.0/public/ioctl_defines b/prebuilts/api/33.0/public/ioctl_defines
index d46e485..0e22670 100644
--- a/prebuilts/api/33.0/public/ioctl_defines
+++ b/prebuilts/api/33.0/public/ioctl_defines
@@ -722,7 +722,6 @@
 define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
 define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
 define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
-define(`F2FS_IOC_SHUTDOWN', `0x587d')
 define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
 define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
 define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index deb166b..763a80a 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -73,7 +73,6 @@
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
-system_restricted_prop(userdebug_or_eng_prop)
 system_restricted_prop(hypervisor_prop)
 system_restricted_prop(init_service_status_prop)
 system_restricted_prop(libc_debug_prop)
diff --git a/private/access_vectors b/private/access_vectors
index 6cd8c4e..adb3a61 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -789,3 +789,10 @@
 	integrity
 	confidentiality
 }
+
+class io_uring
+{
+	override_creds
+	sqpoll
+	cmd
+}
diff --git a/private/adbd.te b/private/adbd.te
index 48fa849..d72d5b1 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -49,6 +49,8 @@
 
 # Create and use network sockets.
 net_domain(adbd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(adbd, mdnsd, mdnsd)
 
 # Access /dev/usb-ffs/adb/ep0
 allow adbd functionfs:dir search;
diff --git a/private/apexd.te b/private/apexd.te
index 040651d..b74d4ee 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -33,9 +33,12 @@
 allow apexd apex_rollback_data_file:dir create_dir_perms;
 allow apexd apex_rollback_data_file:file create_file_perms;
 
-# Allow apexd to read directories under /data/misc_de in order to snapshot and
-# restore apex data for all users.
-allow apexd system_data_file:dir r_dir_perms;
+# Allow apexd to read /data/misc_de and the directories under it, in order to
+# snapshot and restore apex data for all users.
+allow apexd {
+    system_userdir_file
+    system_data_file
+}:dir r_dir_perms;
 
 # allow apexd to create loop devices with /dev/loop-control
 allow apexd loop_control_device:chr_file rw_file_perms;
@@ -86,7 +89,6 @@
 allow apexd apex_info_file:file relabelto;
 # apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
 allow apexd apex_info_file:file rw_file_perms;
-allow apexd apex_info_file:file mounton;
 
 # allow apexd to unlink apex files in /data/apex/active
 # note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
@@ -129,6 +131,9 @@
 # Allow apexd to stop itself
 set_prop(apexd, ctl_apexd_prop)
 
+# Allow apexd to send control messages to load/unload apex from init
+set_prop(apexd, ctl_apex_load_prop)
+
 # Find the vold service, and call into vold to manage FS checkpoints
 allow apexd vold_service:service_manager find;
 binder_call(apexd, vold)
@@ -204,3 +209,6 @@
 
 # Allow calling derive_classpath to gather BCP information for staged sessions
 domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
+
+# Allow set apex ready property
+set_prop(apexd, apex_ready_prop)
diff --git a/private/app.te b/private/app.te
index 86180b0..49b8cde 100644
--- a/private/app.te
+++ b/private/app.te
@@ -5,7 +5,7 @@
 r_dir_file({
   appdomain
   -ephemeral_app
-  -isolated_app
+  -isolated_app_all
   -platform_app
   -priv_app
   -shell
@@ -18,7 +18,7 @@
   auditallow {
     appdomain
     -ephemeral_app
-    -isolated_app
+    -isolated_app_all
     -platform_app
     -priv_app
     -shell
@@ -52,7 +52,11 @@
 get_prop(appdomain, device_config_runtime_native_prop)
 get_prop(appdomain, device_config_runtime_native_boot_prop)
 
-userdebug_or_eng(`perfetto_producer({ appdomain })')
+# Allow to read ro.vendor.camera.extensions.enabled
+get_prop(appdomain, camera2_extensions_prop)
+
+# Allow to ro.camerax.extensions.enabled
+get_prop(appdomain, camerax_extensions_prop)
 
 # Prevent apps from causing presubmit failures.
 # Apps can cause selinux denials by accessing CE storage
@@ -89,8 +93,9 @@
 # Exception for crash_dump to allow for app crash reporting.
 # Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
 # to allow renderscript to create privileged executable files.
+# Exception for virtualizationmanager to allow running VMs as child processes.
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
-    { domain -appdomain -crash_dump -rs }:process { transition };
+    { domain -appdomain -crash_dump -rs -virtualizationmanager }:process { transition };
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
     { domain -appdomain }:process { dyntransition };
 
@@ -109,6 +114,9 @@
 # Allow to read db.log.detailed, db.log.slow_query_threshold*
 get_prop(appdomain, sqlite_log_prop)
 
+# Allow to read system_user_mode_emulation_prop, which is used by UserManager.java
+userdebug_or_eng(`get_prop(appdomain, system_user_mode_emulation_prop)')
+
 # Allow font file read by apps.
 allow appdomain font_data_file:file r_file_perms;
 allow appdomain font_data_file:dir r_dir_perms;
@@ -139,53 +147,53 @@
 
 # Allow access to external storage; we have several visible mount points under /storage
 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
 
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
 # USB devices are first opened by the system server (USBDeviceManagerService)
 # and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
 
 #logd access
 control_logd({ appdomain -ephemeral_app -sdk_sandbox })
 
 # application inherit logd write socket (urge is to deprecate this long term)
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
 
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
 
-use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
+use_keystore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
 
-use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
+use_credstore({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
 
 # For app fuse.
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_client)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_manager)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, display_vsync)
+pdx_client({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, performance_client)
 # Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)
+pdx_use({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, bufferhub_client)
 
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
 
 
 # WebView and other application-specific JIT compilers
@@ -211,8 +219,8 @@
 allow appdomain dalvikcache_data_file:file r_file_perms;
 
 # Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app -sdk_sandbox } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app -sdk_sandbox } tmpfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app_all -sdk_sandbox } tmpfs:lnk_file r_file_perms;
 
 # Search /storage/emulated tmpfs mount.
 allow { appdomain -sdk_sandbox } tmpfs:dir r_dir_perms;
@@ -249,11 +257,11 @@
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox } { app_data_file privapp_data_file }:file create_file_perms;
 
 # Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app_all -sdk_sandbox } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
 
 # Traverse into expanded storage
 allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -264,7 +272,7 @@
 allow appdomain misc_user_data_file:file r_file_perms;
 
 # TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+r_dir_file({ appdomain -isolated_app_all }, textclassifier_data_file)
 
 # Access to OEM provided data and apps
 allow appdomain oemfs:dir r_dir_perms;
@@ -283,7 +291,7 @@
 
 full_treble_only(`
     # For looking up Renderscript vendor drivers
-    allow { appdomain -isolated_app } vendor_file:dir { open read };
+    allow { appdomain -isolated_app_all } vendor_file:dir { open read };
 ')
 
 # Allow apps access to /vendor/overlay
@@ -345,9 +353,15 @@
 
 # Write profiles /data/misc/profiles
 allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:dir w_dir_perms;
 allow appdomain user_profile_data_file:file create_file_perms;
 
+# Allow writing performance tracing data into the perfetto traced daemon.
+# Needed for java heap graph ART plugin (perfetto_hprof).
+# The perfetto profiling daemon will check for the specific application's
+# opt-in/opt-out.
+perfetto_producer(appdomain)
+
 # Send heap dumps to system_server via an already open file descriptor
 # % adb shell am set-watch-heap com.android.systemui 1048576
 # % adb shell dumpsys procstats --start-testing
@@ -358,9 +372,9 @@
 
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-allow { appdomain -isolated_app } gpu_device:dir r_dir_perms;
-allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;
+allow { appdomain -isolated_app_all } gpu_device:chr_file rw_file_perms;
+allow { appdomain -isolated_app_all } gpu_device:dir r_dir_perms;
+allow { appdomain -isolated_app_all } sysfs_gpu:file r_file_perms;
 
 
 # Use the Binder.
@@ -372,7 +386,7 @@
 # Perform binder IPC to ephemeral apps.
 binder_call(appdomain, ephemeral_app)
 # Perform binder IPC to gpuservice.
-binder_call({ appdomain -isolated_app }, gpuservice)
+binder_call({ appdomain -isolated_app_all }, gpuservice)
 
 # Talk with graphics composer fences
 allow appdomain hal_graphics_composer:fd use;
@@ -393,10 +407,10 @@
 allow appdomain system_data_file:file { getattr read map };
 
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app -sdk_sandbox } media_rw_data_file:file { read getattr };
+allow { appdomain -isolated_app_all -sdk_sandbox } media_rw_data_file:file { read getattr };
 
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+allow { appdomain -isolated_app_all } radio_data_file:file { read write getattr };
 
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
@@ -425,21 +439,21 @@
 allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
-allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app_all } ion_device:chr_file r_file_perms;
+allow { appdomain -isolated_app_all } dmabuf_system_heap_device:chr_file r_file_perms;
+allow { appdomain -isolated_app_all } dmabuf_system_secure_heap_device:chr_file r_file_perms;
 
 # Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
+allow { appdomain -isolated_app_all } hal_audio:fd use;
 
 # Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
+allow { appdomain -isolated_app_all } hal_camera:fd use;
 
 # Allow apps to access shared memory file descriptor from the tuner HAL
-allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
+allow {appdomain -isolated_app_all} hal_tv_tuner_server:fd use;
 
 # RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app_all } hal_renderscript_hwservice:hwservice_manager find;
 allow appdomain same_process_hal_file:file { execute read open getattr map };
 
 # TODO: switch to meminfo service
@@ -481,7 +495,7 @@
 # from read-only locations.
 neverallow {
   bluetooth
-  isolated_app
+  isolated_app_all
   nfc
   radio
   shared_relro
@@ -495,6 +509,18 @@
   -apk_data_file
 }:file no_x_file_perms;
 
-# For now, don't allow apps other than gmscore to access /data/misc_ce/<userid>/checkin
-neverallow { appdomain -gmscore_app } checkin_data_file:dir *;
-neverallow { appdomain -gmscore_app } checkin_data_file:file *;
+# Don't allow apps access to any of the following character devices.
+neverallow appdomain {
+    audio_device
+    camera_device
+    dm_device
+    radio_device
+    rpmsg_device
+}:chr_file { read write };
+
+# Block video device access for all apps except the DeviceAsWebcam Service which
+# needs access to /dev/video* for interfacing with the host
+neverallow {
+    appdomain
+    -device_as_webcam
+} video_device:chr_file { read write };
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 304f5a2..ea10df5 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -5,6 +5,8 @@
 define(`all_untrusted_apps',`{
   ephemeral_app
   isolated_app
+  isolated_app_all
+  isolated_compute_app
   mediaprovider
   mediaprovider_app
   untrusted_app
@@ -123,10 +125,11 @@
 # Apps can read/write an already open vsock (e.g. created by
 # virtualizationservice) but nothing more than that (e.g. creating a
 # new vsock, etc.)
-neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
+neverallow all_untrusted_apps *:vsock_socket ~{ getattr getopt read write };
 
 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
+neverallow priv_app domain:netlink_route_socket { bind nlmsg_readpriv };
 
 # Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
 neverallow {
@@ -254,3 +257,41 @@
 
 # Only privileged apps may find the incident service
 neverallow all_untrusted_apps incident_service:service_manager find;
+
+# Do not allow untrusted app to read hidden system proprerties.
+# We do not include in the exclusions other normally untrusted applications such as mediaprovider
+#  due to the specific logging use cases.
+# Context: b/193912100
+neverallow {
+  all_untrusted_apps
+  -mediaprovider
+  -mediaprovider_app
+} { userdebug_or_eng_prop }:file read;
+
+# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
+# used to communicate to the mdnsd responder. The mdnsd responder will be
+# replaced by a java implementation which is integrated into the system server.
+# For untrusted apps running with API level 33-, they still have access to
+# /dev/socket/mdnsd for backward compatibility.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+  -untrusted_app_32
+} mdnsd_socket:sock_file write;
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+  -untrusted_app_32
+} mdnsd:unix_stream_socket connectto;
+
+# Do not allow untrusted apps to use anonymous inodes. At the moment,
+# type transitions are the only way to distinguish between different
+# anon_inode usages like userfaultfd and io_uring. This prevents us from
+# creating a more fine-grained neverallow policy for each anon_inode usage.
+neverallow all_untrusted_apps domain:anon_inode *;
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 8aa288e..6552d63 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -142,18 +142,15 @@
   alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
 } *;
 
-# Only allow app_zygote to talk to the logd socket, and
-# su/heapprofd/traced_perf on eng/userdebug. This is because
-# cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
-# Think twice before changing.
+# Only allow app_zygote to talk to the logd socket, and su on eng/userdebug.
+# This is because cap_setuid/cap_setgid allow to forge uid/gid in
+# SCM_CREDENTIALS. Think twice before changing.
 neverallow app_zygote {
   domain
   -app_zygote
   -logd
   -system_server
   userdebug_or_eng(`-su')
-  userdebug_or_eng(`-heapprofd')
-  userdebug_or_eng(`-traced_perf')
 }:unix_dgram_socket *;
 
 neverallow app_zygote {
@@ -161,8 +158,6 @@
   -app_zygote
   -prng_seeder
   userdebug_or_eng(`-su')
-  userdebug_or_eng(`-heapprofd')
-  userdebug_or_eng(`-traced_perf')
 }:unix_stream_socket *;
 
 # Never allow ptrace
diff --git a/private/artd.te b/private/artd.te
index 0aa12dc..ef54d8c 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -1,16 +1,136 @@
-# art service daemon
-type artd, domain;
+# ART service daemon.
+typeattribute artd coredomain;
+typeattribute artd mlstrustedsubject;
 type artd_exec, system_file_type, exec_type, file_type;
+type artd_tmpfs, file_type;
 
 # Allow artd to publish a binder service and make binder calls.
 binder_use(artd)
 add_service(artd, artd_service)
 allow artd dumpstate:fifo_file  { getattr write };
 
-typeattribute artd coredomain;
-
 init_daemon_domain(artd)
 
 # Allow query ART device config properties
 get_prop(artd, device_config_runtime_native_prop)
 get_prop(artd, device_config_runtime_native_boot_prop)
+
+# Access to "odsign.verification.success" for deciding whether to deny files in
+# the ART APEX data directory.
+get_prop(artd, odsign_prop)
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by artd their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by artd vs other
+# processes.
+tmpfs_domain(artd)
+
+# Allow testing userfaultfd support.
+userfaultfd_use(artd)
+
+# Read access to primary dex'es on writable partitions
+# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+# Also allow creating the "oat" directory before restorecon.
+allow artd mnt_expand_file:dir { getattr search };
+allow artd apk_data_file:dir { rw_dir_perms create setattr relabelfrom };
+allow artd apk_data_file:file r_file_perms;
+
+# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
+r_dir_file(artd, vendor_app_file)
+
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+allow artd oemfs:dir { getattr search };
+r_dir_file(artd, vendor_overlay_file)
+
+# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
+r_dir_file(artd, vendor_framework_file)
+
+# Read/write access to all compilation artifacts generated on device for apps'
+# primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
+allow artd dalvikcache_data_file:dir { create_dir_perms relabelto };
+allow artd dalvikcache_data_file:file { create_file_perms relabelto };
+
+# Read access to the ART APEX data directory.
+# Needed for reading the boot image generated on device.
+allow artd apex_module_data_file:dir { getattr search };
+r_dir_file(artd, apex_art_data_file)
+
+# Read access to /apex/apex-info-list.xml
+# Needed for getting APEX versions.
+allow artd apex_info_file:file r_file_perms;
+
+# Allow getting root capabilities to bypass permission checks.
+# - "dac_override" and "dac_read_search" are for
+#   - reading secondary dex'es in app data directories (reading primary dex'es
+#     doesn't need root capabilities)
+#   - managing (CRUD) compilation artifacts in both APK directories for primary
+#     dex'es and in app data directories for secondary dex'es
+#   - managing (CRUD) profile files for both primary dex'es and secondary dex'es
+# - "fowner" is for adjusting the file permissions of compilation artifacts and
+#   profile files based on whether they include user data or not.
+# - "chown" is for transferring the ownership of compilation artifacts and
+#   profile files to the system or apps.
+allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
+
+# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
+# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
+allow artd user_profile_root_file:dir r_dir_perms;
+allow artd user_profile_data_file:dir rw_dir_perms;
+allow artd user_profile_data_file:file create_file_perms;
+
+# Read/write access to secondary dex files, their profiles, and their
+# compilation artifacts
+# ({/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id>/<package-name>/...).
+allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
+allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
+
+# Allow symlinks for secondary dex files. This has be to restricted because
+# symlinks can cause various security issues. We allow "privapp_data_file" just
+# for GMS because so far we only see GMS using symlinks.
+allow artd privapp_data_file:lnk_file { getattr read };
+
+# Read access to SELinux context files, for restorecon.
+allow artd file_contexts_file:file r_file_perms;
+allow artd seapp_contexts_file:file r_file_perms;
+
+# Check validity of SELinux context, for restorecon.
+selinux_check_context(artd)
+
+# Allow scanning /, for cleaning up obsolete managed files.
+allow artd rootfs:dir r_dir_perms;
+
+# Allow scanning /data, for cleaning up obsolete managed files.
+allow artd system_data_root_file:dir r_dir_perms;
+
+# Allow scanning /mnt, for cleaning up obsolete managed files.
+allow artd tmpfs:dir r_dir_perms;
+
+# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
+allow artd mnt_expand_file:dir r_dir_perms;
+
+# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
+# up obsolete managed files.
+allow artd system_userdir_file:dir r_dir_perms;
+
+# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
+# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
+allow artd system_data_file:dir r_dir_perms;
+
+# Never allow running other binaries without a domain transition.
+# The only exception is art_exec. It is allowed to use the artd domain because
+# it is a thin wrapper that executes other binaries on behalf of artd.
+neverallow artd ~{art_exec_exec}:file execute_no_trans;
+allow artd art_exec_exec:file rx_file_perms;
+
+# Allow running other binaries in their own domains.
+domain_auto_trans(artd, profman_exec, profman)
+domain_auto_trans(artd, dex2oat_exec, dex2oat)
+
+# Allow sending sigkill to subprocesses.
+allow artd { profman dex2oat }:process sigkill;
+
+# Allow reading process info (/proc/<pid>/...).
+# This is needed for getting CPU time and wall time spent on subprocesses.
+r_dir_file(artd, profman);
+r_dir_file(artd, dex2oat);
diff --git a/private/atrace.te b/private/atrace.te
index ca0e527..50ab392 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -31,7 +31,6 @@
   -dumpstate_service
   -incident_service
   -installd_service
-  -iorapd_service
   -lpdump_service
   -mdns_service
   -netd_service
diff --git a/private/audioserver.te b/private/audioserver.te
index ca29373..7a5e8bc 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -43,6 +43,7 @@
 allow audioserver mediametrics_service:service_manager find;
 allow audioserver sensor_privacy_service:service_manager find;
 allow audioserver soundtrigger_middleware_service:service_manager find;
+allow audioserver audio_service:service_manager find;
 
 # Allow read/write access to bluetooth-specific properties
 set_prop(audioserver, bluetooth_a2dp_offload_prop)
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 7275954..fa9dd7d 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -22,3 +22,5 @@
 allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
 
 use_keystore(binderservicedomain)
+# binderservicedomain is using apex_info via libvintf
+use_apex_info(binderservicedomain)
diff --git a/private/bpfdomain.te b/private/bpfdomain.te
index 2be7f88..7c8f5c0 100644
--- a/private/bpfdomain.te
+++ b/private/bpfdomain.te
@@ -12,3 +12,14 @@
 neverallow { domain -bpfdomain } *:bpf *;
 
 allow bpfdomain fs_bpf:dir search;
+
+# genfscon doesn't seem to trigger during symlink creation,
+# and thus any created symlinks end up as 'fs_bpf:lnk_type',
+# however this feels like a kernel bug / missing feature,
+# so let's allow all bpffs_type's instead,
+# this will keep things working even if this is fixed.
+allow bpfdomain bpffs_type:lnk_file read;
+
+# Needed for //frameworks/libs/net:
+# common/native/bpf_headers/include/bpf/WaitForProgsLoaded.h
+get_prop(bpfdomain, bpf_progs_loaded_prop)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 54cc916..6bdc259 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -7,7 +7,8 @@
 
 # These permissions are required to pin ebpf maps & programs.
 allow bpfloader bpffs_type:dir { add_name create remove_name search write };
-allow bpfloader bpffs_type:file { create read rename setattr };
+allow bpfloader bpffs_type:file { create getattr read rename setattr };
+allow bpfloader bpffs_type:lnk_file { create getattr read };
 allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
 
 # Allow bpfloader to create bpf maps and programs.
@@ -17,6 +18,8 @@
 
 allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
 
+allow bpfloader proc_bpf:file w_file_perms;
+
 set_prop(bpfloader, bpf_progs_loaded_prop)
 
 allow bpfloader bpfloader_exec:file execute_no_trans;
@@ -25,25 +28,30 @@
 ### Neverallow rules
 ###
 
-# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
+# Note: we don't care about getattr/mounton/search
+neverallow { domain            } bpffs_type:dir ~{ add_name create getattr mounton remove_name search write };
 neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
-neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
 
-# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
-neverallow { domain -bpfloader } bpffs_type:file { create rename };
-neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server -vendor_init } fs_bpf:file               read;
-neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_net_private:file   read;
-neverallow { domain -bpfloader             -init                                                  -network_stack -system_server -vendor_init } fs_bpf_net_shared:file    read;
-neverallow { domain -bpfloader             -init                          -netd                   -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
-neverallow { domain -bpfloader             -init                          -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file   read;
-neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_tethering:file     read;
-neverallow { domain -bpfloader -gpuservice                                -netd -netutils_wrapper -network_stack -system_server              } { bpffs_type -fs_bpf_vendor }:file write;
-neverallow domain bpffs_type:file ~{ create map open read rename setattr write };
+neverallow { domain            } bpffs_type:file ~{ create getattr map open read rename setattr write };
+neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server } fs_bpf:file               read;
+neverallow { domain -bpfloader                                                                                            } fs_bpf_loader:file        read;
+neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_net_private:file   read;
+neverallow { domain -bpfloader                                                              -network_stack -system_server } fs_bpf_net_shared:file    read;
+neverallow { domain -bpfloader                                      -netd                   -network_stack -system_server } fs_bpf_netd_readonly:file read;
+neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   read;
+neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     read;
+neverallow { domain -bpfloader -gpuservice                          -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
+
+neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
+neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
+# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
+neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
+neverallow { domain -bpfloader } fs_bpf_loader:file *;
+
 neverallow {
   domain
   -bpfloader
@@ -58,13 +66,11 @@
 neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 
-neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
+neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
 
 neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
 
 # No domain should be allowed to ptrace bpfloader
 neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
 
-# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
-# this should perhaps be moved to the bpfloader binary itself.  Allow both.
-neverallow { domain -bpfloader -init } proc_bpf:file write;
+neverallow { domain -bpfloader } proc_bpf:file write;
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
index 9ba60ac..5673ccd 100644
--- a/private/canhalconfigurator.te
+++ b/private/canhalconfigurator.te
@@ -5,3 +5,6 @@
 # This allows the configurator to look up the CAN HAL controller via
 # hwservice_manager and communicate with it.
 hal_client_domain(canhalconfigurator, hal_can_controller)
+
+binder_use(canhalconfigurator)
+binder_call(hal_can_controller, canhalconfigurator)
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 321e938..d79d2f8 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -30,6 +30,7 @@
 ;; mapping file compiles with vendor policies without exported_audio_prop type.
 (typeattribute exported_audio_prop_28_0)
 
+;; mapping information from ToT policy's types to 28.0 policy's types.
 (expandtypeattribute (accessibility_service_28_0) true)
 (expandtypeattribute (account_service_28_0) true)
 (expandtypeattribute (activity_service_28_0) true)
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 2e85b23..783950c 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 28.0 vendors.
+;; will be compiled along with other normal policy files, on 28.0 vendors.
+;;
+
 (typeattribute vendordomain)
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
 (allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index e7ddf48..7213f95 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;;   analogue in older policy.  Thus, we do not need to map these types to
-;;   previous ones.  Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;;   that have no analogue in 28.0 policy.  Thus, we do not need to map
+;;   these types to previous ones.  Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
 (typeattributeset new_objects
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 0fb0a1c..7315687 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -14,6 +14,7 @@
 (type sysfs_mac_address)
 (type wificond_service)
 
+;; mapping information from ToT policy's types to 29.0 policy's types.
 (expandtypeattribute (accessibility_service_29_0) true)
 (expandtypeattribute (account_service_29_0) true)
 (expandtypeattribute (activity_service_29_0) true)
@@ -1577,7 +1578,8 @@
 (typeattributeset proc_29_0
   ( proc
     proc_kpageflags
-    proc_lowmemorykiller))
+    proc_lowmemorykiller
+    proc_watermark_scale_factor))
 (typeattributeset proc_abi_29_0 (proc_abi))
 (typeattributeset proc_asound_29_0 (proc_asound))
 (typeattributeset proc_bluetooth_writable_29_0 (proc_bluetooth_writable))
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index ccd9d1a..0bb2ae8 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 29.0 vendors.
+;; will be compiled along with other normal policy files, on 29.0 vendors.
+;;
+
 (typeattribute vendordomain)
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
 (allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 1079046..e40888d 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;;   analogue in older policy.  Thus, we do not need to map these types to
-;;   previous ones.  Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;;   that have no analogue in 29.0 policy.  Thus, we do not need to map
+;;   these types to previous ones.  Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
 (typeattributeset new_objects
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 9f40876..83d83ff 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -21,6 +21,7 @@
 
 (typeattribute binder_in_vendor_violators)
 
+;; mapping information from ToT policy's types to 30.0 policy's types.
 (expandtypeattribute (DockObserver_service_30_0) true)
 (expandtypeattribute (IProxyService_service_30_0) true)
 (expandtypeattribute (accessibility_service_30_0) true)
@@ -1820,7 +1821,8 @@
 (typeattributeset privapp_data_file_30_0 (privapp_data_file))
 (typeattributeset proc_30_0
   ( proc
-    proc_bootconfig))
+    proc_bootconfig
+    proc_watermark_scale_factor))
 (typeattributeset proc_abi_30_0 (proc_abi))
 (typeattributeset proc_asound_30_0 (proc_asound))
 (typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable))
diff --git a/private/compat/30.0/30.0.compat.cil b/private/compat/30.0/30.0.compat.cil
index 97c5874..b8bd755 100644
--- a/private/compat/30.0/30.0.compat.cil
+++ b/private/compat/30.0/30.0.compat.cil
@@ -1,3 +1,7 @@
+;; complement CIL file for compatibility between ToT policy and 30.0 vendors.
+;; will be compiled along with other normal policy files, on 30.0 vendors.
+;;
+
 (typeattribute vendordomain)
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
 
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index ba0a494..0a3d2e9 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;;   analogue in older policy.  Thus, we do not need to map these types to
-;;   previous ones.  Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;;   that have no analogue in 30.0 policy.  Thus, we do not need to map
+;;   these types to previous ones.  Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
 (typeattributeset new_objects
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index ba6944e..b0df314 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -9,6 +9,7 @@
 (type vr_hwc)
 (type vr_hwc_exec)
 
+;; mapping information from ToT policy's types to 31.0 policy's types.
 (expandtypeattribute (DockObserver_service_31_0) true)
 (expandtypeattribute (IProxyService_service_31_0) true)
 (expandtypeattribute (aac_drc_prop_31_0) true)
@@ -1974,6 +1975,7 @@
   ( proc
     proc_bpf
     proc_cpu_alignment
+    proc_watermark_scale_factor
 ))
 (typeattributeset proc_abi_31_0 (proc_abi))
 (typeattributeset proc_asound_31_0 (proc_asound))
diff --git a/private/compat/31.0/31.0.compat.cil b/private/compat/31.0/31.0.compat.cil
index 628abfc..787c92a 100644
--- a/private/compat/31.0/31.0.compat.cil
+++ b/private/compat/31.0/31.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 31.0 vendors.
+;; will be compiled along with other normal policy files, on 31.0 vendors.
+;;
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 496832e..0e39f3e 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;;   analogue in older policy.  Thus, we do not need to map these types to
-;;   previous ones.  Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;;   that have no analogue in 31.0 policy.  Thus, we do not need to map
+;;   these types to previous ones.  Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
 (typeattributeset new_objects
@@ -39,7 +39,6 @@
     tare_service
     transformer_service
     proc_watermark_boost_factor
-    proc_watermark_scale_factor
     untrusted_app_30
     proc_vendor_sched
     sdk_sandbox_service
diff --git a/private/compat/32.0/32.0.cil b/private/compat/32.0/32.0.cil
index d916a13..171f0ad 100644
--- a/private/compat/32.0/32.0.cil
+++ b/private/compat/32.0/32.0.cil
@@ -9,6 +9,7 @@
 (type vr_hwc)
 (type vr_hwc_exec)
 
+;; mapping information from ToT policy's types to 32.0 policy's types.
 (expandtypeattribute (DockObserver_service_32_0) true)
 (expandtypeattribute (IProxyService_service_32_0) true)
 (expandtypeattribute (aac_drc_prop_32_0) true)
@@ -1378,7 +1379,6 @@
 (typeattributeset build_config_prop_32_0 (build_config_prop))
 (typeattributeset build_odm_prop_32_0 (build_odm_prop))
 (typeattributeset build_prop_32_0 (build_prop))
-(typeattributeset build_prop_32_0 (userdebug_or_eng_prop))
 (typeattributeset build_vendor_prop_32_0 (build_vendor_prop))
 (typeattributeset cache_backup_file_32_0 (cache_backup_file))
 (typeattributeset cache_block_device_32_0 (cache_block_device))
@@ -1973,7 +1973,10 @@
 (typeattributeset print_service_32_0 (print_service))
 (typeattributeset priv_app_32_0 (priv_app))
 (typeattributeset privapp_data_file_32_0 (privapp_data_file))
-(typeattributeset proc_32_0 (proc proc_bpf proc_cpu_alignment))
+(typeattributeset proc_32_0 (proc))
+(typeattributeset proc_32_0 (proc_bpf))
+(typeattributeset proc_32_0 (proc_cpu_alignment))
+(typeattributeset proc_32_0 (proc_watermark_scale_factor))
 (typeattributeset proc_abi_32_0 (proc_abi))
 (typeattributeset proc_asound_32_0 (proc_asound))
 (typeattributeset proc_bluetooth_writable_32_0 (proc_bluetooth_writable))
diff --git a/private/compat/32.0/32.0.compat.cil b/private/compat/32.0/32.0.compat.cil
index 628abfc..00ac11f 100644
--- a/private/compat/32.0/32.0.compat.cil
+++ b/private/compat/32.0/32.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+;; complement CIL file for compatibility between ToT policy and 32.0 vendors.
+;; will be compiled along with other normal policy files, on 32.0 vendors.
+;;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 076d642..43ce0a1 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -1,6 +1,6 @@
-;; new_objects - a collection of types that have been introduced that have no
-;;   analogue in older policy.  Thus, we do not need to map these types to
-;;   previous ones.  Add here to pass checkapi tests.
+;; new_objects - a collection of types that have been introduced with ToT policy
+;;   that have no analogue in 32.0 policy.  Thus, we do not need to map
+;;   these types to previous ones.  Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
 (typeattributeset new_objects
@@ -60,9 +60,7 @@
     mdns_service
     nearby_service
     persist_wm_debug_prop
-    prng_seeder
     proc_watermark_boost_factor
-    proc_watermark_scale_factor
     remotelyprovisionedkeypool_service
     resources_manager_service
     rootdisk_sysdev
@@ -74,6 +72,7 @@
     sysfs_gpu
     sysfs_lru_gen_enabled
     system_dlkm_file
+    system_user_mode_emulation_prop
     tare_service
     tv_iapp_service
     untrusted_app_30
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
new file mode 100644
index 0000000..56da496
--- /dev/null
+++ b/private/compat/33.0/33.0.cil
@@ -0,0 +1,2636 @@
+;; types removed from current policy
+(type iorap_inode2filename)
+(type iorap_inode2filename_exec)
+(type iorap_inode2filename_tmpfs)
+(type iorap_prefetcherd)
+(type iorap_prefetcherd_exec)
+(type iorap_prefetcherd_tmpfs)
+(type iorapd)
+(type iorapd_data_file)
+(type iorapd_exec)
+(type iorapd_service)
+(type iorapd_tmpfs)
+(type lowpan_service)
+(type timezone_service)
+(type tzdatacheck)
+(type tzdatacheck_exec)
+(type wpantund)
+(type wpantund_exec)
+(type wpantund_service)
+(type zoneinfo_data_file)
+
+;; mapping information from ToT policy's types to 33.0 policy's types.
+(expandtypeattribute (DockObserver_service_33_0) true)
+(expandtypeattribute (IProxyService_service_33_0) true)
+(expandtypeattribute (aac_drc_prop_33_0) true)
+(expandtypeattribute (aaudio_config_prop_33_0) true)
+(expandtypeattribute (ab_update_gki_prop_33_0) true)
+(expandtypeattribute (accessibility_service_33_0) true)
+(expandtypeattribute (account_service_33_0) true)
+(expandtypeattribute (activity_service_33_0) true)
+(expandtypeattribute (activity_task_service_33_0) true)
+(expandtypeattribute (adb_data_file_33_0) true)
+(expandtypeattribute (adb_keys_file_33_0) true)
+(expandtypeattribute (adb_service_33_0) true)
+(expandtypeattribute (adbd_33_0) true)
+(expandtypeattribute (adbd_config_prop_33_0) true)
+(expandtypeattribute (adbd_exec_33_0) true)
+(expandtypeattribute (adbd_socket_33_0) true)
+(expandtypeattribute (adservices_manager_service_33_0) true)
+(expandtypeattribute (aidl_lazy_test_server_33_0) true)
+(expandtypeattribute (aidl_lazy_test_server_exec_33_0) true)
+(expandtypeattribute (aidl_lazy_test_service_33_0) true)
+(expandtypeattribute (alarm_service_33_0) true)
+(expandtypeattribute (anr_data_file_33_0) true)
+(expandtypeattribute (apc_service_33_0) true)
+(expandtypeattribute (apex_data_file_33_0) true)
+(expandtypeattribute (apex_info_file_33_0) true)
+(expandtypeattribute (apex_metadata_file_33_0) true)
+(expandtypeattribute (apex_mnt_dir_33_0) true)
+(expandtypeattribute (apex_module_data_file_33_0) true)
+(expandtypeattribute (apex_ota_reserved_file_33_0) true)
+(expandtypeattribute (apex_rollback_data_file_33_0) true)
+(expandtypeattribute (apex_service_33_0) true)
+(expandtypeattribute (apex_system_server_data_file_33_0) true)
+(expandtypeattribute (apexd_33_0) true)
+(expandtypeattribute (apexd_config_prop_33_0) true)
+(expandtypeattribute (apexd_exec_33_0) true)
+(expandtypeattribute (apexd_prop_33_0) true)
+(expandtypeattribute (apexd_select_prop_33_0) true)
+(expandtypeattribute (apk_data_file_33_0) true)
+(expandtypeattribute (apk_private_data_file_33_0) true)
+(expandtypeattribute (apk_private_tmp_file_33_0) true)
+(expandtypeattribute (apk_tmp_file_33_0) true)
+(expandtypeattribute (apk_verity_prop_33_0) true)
+(expandtypeattribute (app_binding_service_33_0) true)
+(expandtypeattribute (app_data_file_33_0) true)
+(expandtypeattribute (app_fuse_file_33_0) true)
+(expandtypeattribute (app_fusefs_33_0) true)
+(expandtypeattribute (app_hibernation_service_33_0) true)
+(expandtypeattribute (app_integrity_service_33_0) true)
+(expandtypeattribute (app_prediction_service_33_0) true)
+(expandtypeattribute (app_search_service_33_0) true)
+(expandtypeattribute (app_zygote_33_0) true)
+(expandtypeattribute (app_zygote_tmpfs_33_0) true)
+(expandtypeattribute (appcompat_data_file_33_0) true)
+(expandtypeattribute (appdomain_tmpfs_33_0) true)
+(expandtypeattribute (appops_service_33_0) true)
+(expandtypeattribute (appwidget_service_33_0) true)
+(expandtypeattribute (arm64_memtag_prop_33_0) true)
+(expandtypeattribute (art_apex_dir_33_0) true)
+(expandtypeattribute (artd_service_33_0) true)
+(expandtypeattribute (asec_apk_file_33_0) true)
+(expandtypeattribute (asec_image_file_33_0) true)
+(expandtypeattribute (asec_public_file_33_0) true)
+(expandtypeattribute (ashmem_device_33_0) true)
+(expandtypeattribute (ashmem_libcutils_device_33_0) true)
+(expandtypeattribute (assetatlas_service_33_0) true)
+(expandtypeattribute (atrace_33_0) true)
+(expandtypeattribute (attestation_verification_service_33_0) true)
+(expandtypeattribute (audio_config_prop_33_0) true)
+(expandtypeattribute (audio_data_file_33_0) true)
+(expandtypeattribute (audio_device_33_0) true)
+(expandtypeattribute (audio_prop_33_0) true)
+(expandtypeattribute (audio_service_33_0) true)
+(expandtypeattribute (audiohal_data_file_33_0) true)
+(expandtypeattribute (audioserver_33_0) true)
+(expandtypeattribute (audioserver_data_file_33_0) true)
+(expandtypeattribute (audioserver_service_33_0) true)
+(expandtypeattribute (audioserver_tmpfs_33_0) true)
+(expandtypeattribute (auth_service_33_0) true)
+(expandtypeattribute (authorization_service_33_0) true)
+(expandtypeattribute (autofill_service_33_0) true)
+(expandtypeattribute (backup_data_file_33_0) true)
+(expandtypeattribute (backup_service_33_0) true)
+(expandtypeattribute (battery_service_33_0) true)
+(expandtypeattribute (batteryproperties_service_33_0) true)
+(expandtypeattribute (batterystats_service_33_0) true)
+(expandtypeattribute (binder_cache_bluetooth_server_prop_33_0) true)
+(expandtypeattribute (binder_cache_system_server_prop_33_0) true)
+(expandtypeattribute (binder_cache_telephony_server_prop_33_0) true)
+(expandtypeattribute (binder_calls_stats_service_33_0) true)
+(expandtypeattribute (binder_device_33_0) true)
+(expandtypeattribute (binderfs_33_0) true)
+(expandtypeattribute (binderfs_features_33_0) true)
+(expandtypeattribute (binderfs_logs_33_0) true)
+(expandtypeattribute (binderfs_logs_proc_33_0) true)
+(expandtypeattribute (binfmt_miscfs_33_0) true)
+(expandtypeattribute (biometric_service_33_0) true)
+(expandtypeattribute (blkid_33_0) true)
+(expandtypeattribute (blkid_untrusted_33_0) true)
+(expandtypeattribute (blob_store_service_33_0) true)
+(expandtypeattribute (block_device_33_0) true)
+(expandtypeattribute (bluetooth_33_0) true)
+(expandtypeattribute (bluetooth_a2dp_offload_prop_33_0) true)
+(expandtypeattribute (bluetooth_audio_hal_prop_33_0) true)
+(expandtypeattribute (bluetooth_config_prop_33_0) true)
+(expandtypeattribute (bluetooth_data_file_33_0) true)
+(expandtypeattribute (bluetooth_efs_file_33_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_33_0) true)
+(expandtypeattribute (bluetooth_manager_service_33_0) true)
+(expandtypeattribute (bluetooth_prop_33_0) true)
+(expandtypeattribute (bluetooth_service_33_0) true)
+(expandtypeattribute (bluetooth_socket_33_0) true)
+(expandtypeattribute (boot_block_device_33_0) true)
+(expandtypeattribute (boot_status_prop_33_0) true)
+(expandtypeattribute (bootanim_33_0) true)
+(expandtypeattribute (bootanim_config_prop_33_0) true)
+(expandtypeattribute (bootanim_exec_33_0) true)
+(expandtypeattribute (bootanim_system_prop_33_0) true)
+(expandtypeattribute (bootchart_data_file_33_0) true)
+(expandtypeattribute (bootloader_boot_reason_prop_33_0) true)
+(expandtypeattribute (bootloader_prop_33_0) true)
+(expandtypeattribute (bootstat_33_0) true)
+(expandtypeattribute (bootstat_data_file_33_0) true)
+(expandtypeattribute (bootstat_exec_33_0) true)
+(expandtypeattribute (boottime_prop_33_0) true)
+(expandtypeattribute (boottime_public_prop_33_0) true)
+(expandtypeattribute (boottrace_data_file_33_0) true)
+(expandtypeattribute (bpf_progs_loaded_prop_33_0) true)
+(expandtypeattribute (bpfloader_33_0) true)
+(expandtypeattribute (bq_config_prop_33_0) true)
+(expandtypeattribute (broadcastradio_service_33_0) true)
+(expandtypeattribute (bufferhubd_33_0) true)
+(expandtypeattribute (bufferhubd_exec_33_0) true)
+(expandtypeattribute (bugreport_service_33_0) true)
+(expandtypeattribute (build_bootimage_prop_33_0) true)
+(expandtypeattribute (build_config_prop_33_0) true)
+(expandtypeattribute (build_odm_prop_33_0) true)
+(expandtypeattribute (build_prop_33_0) true)
+(expandtypeattribute (build_vendor_prop_33_0) true)
+(expandtypeattribute (cache_backup_file_33_0) true)
+(expandtypeattribute (cache_block_device_33_0) true)
+(expandtypeattribute (cache_file_33_0) true)
+(expandtypeattribute (cache_private_backup_file_33_0) true)
+(expandtypeattribute (cache_recovery_file_33_0) true)
+(expandtypeattribute (cacheinfo_service_33_0) true)
+(expandtypeattribute (camera2_extensions_prop_33_0) true)
+(expandtypeattribute (camera_calibration_prop_33_0) true)
+(expandtypeattribute (camera_config_prop_33_0) true)
+(expandtypeattribute (camera_data_file_33_0) true)
+(expandtypeattribute (camera_device_33_0) true)
+(expandtypeattribute (cameraproxy_service_33_0) true)
+(expandtypeattribute (cameraserver_33_0) true)
+(expandtypeattribute (cameraserver_exec_33_0) true)
+(expandtypeattribute (cameraserver_service_33_0) true)
+(expandtypeattribute (cameraserver_tmpfs_33_0) true)
+(expandtypeattribute (camerax_extensions_prop_33_0) true)
+(expandtypeattribute (cgroup_33_0) true)
+(expandtypeattribute (cgroup_desc_api_file_33_0) true)
+(expandtypeattribute (cgroup_desc_file_33_0) true)
+(expandtypeattribute (cgroup_rc_file_33_0) true)
+(expandtypeattribute (cgroup_v2_33_0) true)
+(expandtypeattribute (charger_33_0) true)
+(expandtypeattribute (charger_config_prop_33_0) true)
+(expandtypeattribute (charger_exec_33_0) true)
+(expandtypeattribute (charger_prop_33_0) true)
+(expandtypeattribute (charger_status_prop_33_0) true)
+(expandtypeattribute (charger_vendor_33_0) true)
+(expandtypeattribute (clipboard_service_33_0) true)
+(expandtypeattribute (cloudsearch_service_33_0) true)
+(expandtypeattribute (codec2_config_prop_33_0) true)
+(expandtypeattribute (cold_boot_done_prop_33_0) true)
+(expandtypeattribute (color_display_service_33_0) true)
+(expandtypeattribute (companion_device_service_33_0) true)
+(expandtypeattribute (config_prop_33_0) true)
+(expandtypeattribute (configfs_33_0) true)
+(expandtypeattribute (connectivity_native_service_33_0) true)
+(expandtypeattribute (connectivity_service_33_0) true)
+(expandtypeattribute (connmetrics_service_33_0) true)
+(expandtypeattribute (console_device_33_0) true)
+(expandtypeattribute (consumer_ir_service_33_0) true)
+(expandtypeattribute (content_capture_service_33_0) true)
+(expandtypeattribute (content_service_33_0) true)
+(expandtypeattribute (content_suggestions_service_33_0) true)
+(expandtypeattribute (contexthub_service_33_0) true)
+(expandtypeattribute (coredump_file_33_0) true)
+(expandtypeattribute (country_detector_service_33_0) true)
+(expandtypeattribute (coverage_service_33_0) true)
+(expandtypeattribute (cppreopt_prop_33_0) true)
+(expandtypeattribute (cpu_variant_prop_33_0) true)
+(expandtypeattribute (cpuinfo_service_33_0) true)
+(expandtypeattribute (crash_dump_33_0) true)
+(expandtypeattribute (crash_dump_exec_33_0) true)
+(expandtypeattribute (credstore_33_0) true)
+(expandtypeattribute (credstore_data_file_33_0) true)
+(expandtypeattribute (credstore_exec_33_0) true)
+(expandtypeattribute (credstore_service_33_0) true)
+(expandtypeattribute (crossprofileapps_service_33_0) true)
+(expandtypeattribute (ctl_adbd_prop_33_0) true)
+(expandtypeattribute (ctl_apexd_prop_33_0) true)
+(expandtypeattribute (ctl_bootanim_prop_33_0) true)
+(expandtypeattribute (ctl_bugreport_prop_33_0) true)
+(expandtypeattribute (ctl_console_prop_33_0) true)
+(expandtypeattribute (ctl_default_prop_33_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_33_0) true)
+(expandtypeattribute (ctl_fuse_prop_33_0) true)
+(expandtypeattribute (ctl_gsid_prop_33_0) true)
+(expandtypeattribute (ctl_interface_restart_prop_33_0) true)
+(expandtypeattribute (ctl_interface_start_prop_33_0) true)
+(expandtypeattribute (ctl_interface_stop_prop_33_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_33_0) true)
+(expandtypeattribute (ctl_restart_prop_33_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_33_0) true)
+(expandtypeattribute (ctl_sigstop_prop_33_0) true)
+(expandtypeattribute (ctl_start_prop_33_0) true)
+(expandtypeattribute (ctl_stop_prop_33_0) true)
+(expandtypeattribute (dalvik_config_prop_33_0) true)
+(expandtypeattribute (dalvik_prop_33_0) true)
+(expandtypeattribute (dalvik_runtime_prop_33_0) true)
+(expandtypeattribute (dalvikcache_data_file_33_0) true)
+(expandtypeattribute (dataloader_manager_service_33_0) true)
+(expandtypeattribute (dbinfo_service_33_0) true)
+(expandtypeattribute (dck_prop_33_0) true)
+(expandtypeattribute (debug_prop_33_0) true)
+(expandtypeattribute (debugfs_33_0) true)
+(expandtypeattribute (debugfs_bootreceiver_tracing_33_0) true)
+(expandtypeattribute (debugfs_kprobes_33_0) true)
+(expandtypeattribute (debugfs_mm_events_tracing_33_0) true)
+(expandtypeattribute (debugfs_mmc_33_0) true)
+(expandtypeattribute (debugfs_restriction_prop_33_0) true)
+(expandtypeattribute (debugfs_trace_marker_33_0) true)
+(expandtypeattribute (debugfs_tracing_33_0) true)
+(expandtypeattribute (debugfs_tracing_debug_33_0) true)
+(expandtypeattribute (debugfs_tracing_instances_33_0) true)
+(expandtypeattribute (debugfs_tracing_printk_formats_33_0) true)
+(expandtypeattribute (debugfs_wakeup_sources_33_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_33_0) true)
+(expandtypeattribute (debuggerd_prop_33_0) true)
+(expandtypeattribute (default_android_hwservice_33_0) true)
+(expandtypeattribute (default_android_service_33_0) true)
+(expandtypeattribute (default_android_vndservice_33_0) true)
+(expandtypeattribute (default_prop_33_0) true)
+(expandtypeattribute (dev_cpu_variant_33_0) true)
+(expandtypeattribute (device_33_0) true)
+(expandtypeattribute (device_config_activity_manager_native_boot_prop_33_0) true)
+(expandtypeattribute (device_config_boot_count_prop_33_0) true)
+(expandtypeattribute (device_config_input_native_boot_prop_33_0) true)
+(expandtypeattribute (device_config_media_native_prop_33_0) true)
+(expandtypeattribute (device_config_netd_native_prop_33_0) true)
+(expandtypeattribute (device_config_nnapi_native_prop_33_0) true)
+(expandtypeattribute (device_config_reset_performed_prop_33_0) true)
+(expandtypeattribute (device_config_runtime_native_boot_prop_33_0) true)
+(expandtypeattribute (device_config_runtime_native_prop_33_0) true)
+(expandtypeattribute (device_config_service_33_0) true)
+(expandtypeattribute (device_config_surface_flinger_native_boot_prop_33_0) true)
+(expandtypeattribute (device_identifiers_service_33_0) true)
+(expandtypeattribute (device_logging_prop_33_0) true)
+(expandtypeattribute (device_policy_service_33_0) true)
+(expandtypeattribute (device_state_service_33_0) true)
+(expandtypeattribute (deviceidle_service_33_0) true)
+(expandtypeattribute (devicestoragemonitor_service_33_0) true)
+(expandtypeattribute (devpts_33_0) true)
+(expandtypeattribute (dhcp_33_0) true)
+(expandtypeattribute (dhcp_data_file_33_0) true)
+(expandtypeattribute (dhcp_exec_33_0) true)
+(expandtypeattribute (dhcp_prop_33_0) true)
+(expandtypeattribute (dice_maintenance_service_33_0) true)
+(expandtypeattribute (dice_node_service_33_0) true)
+(expandtypeattribute (diced_33_0) true)
+(expandtypeattribute (diced_exec_33_0) true)
+(expandtypeattribute (diskstats_service_33_0) true)
+(expandtypeattribute (display_service_33_0) true)
+(expandtypeattribute (dm_device_33_0) true)
+(expandtypeattribute (dm_user_device_33_0) true)
+(expandtypeattribute (dmabuf_heap_device_33_0) true)
+(expandtypeattribute (dmabuf_system_heap_device_33_0) true)
+(expandtypeattribute (dmabuf_system_secure_heap_device_33_0) true)
+(expandtypeattribute (dnsmasq_33_0) true)
+(expandtypeattribute (dnsmasq_exec_33_0) true)
+(expandtypeattribute (dnsproxyd_socket_33_0) true)
+(expandtypeattribute (dnsresolver_service_33_0) true)
+(expandtypeattribute (domain_verification_service_33_0) true)
+(expandtypeattribute (dreams_service_33_0) true)
+(expandtypeattribute (drm_data_file_33_0) true)
+(expandtypeattribute (drm_service_config_prop_33_0) true)
+(expandtypeattribute (drmserver_33_0) true)
+(expandtypeattribute (drmserver_exec_33_0) true)
+(expandtypeattribute (drmserver_service_33_0) true)
+(expandtypeattribute (drmserver_socket_33_0) true)
+(expandtypeattribute (dropbox_data_file_33_0) true)
+(expandtypeattribute (dropbox_service_33_0) true)
+(expandtypeattribute (dumpstate_33_0) true)
+(expandtypeattribute (dumpstate_exec_33_0) true)
+(expandtypeattribute (dumpstate_options_prop_33_0) true)
+(expandtypeattribute (dumpstate_prop_33_0) true)
+(expandtypeattribute (dumpstate_service_33_0) true)
+(expandtypeattribute (dumpstate_socket_33_0) true)
+(expandtypeattribute (dynamic_system_prop_33_0) true)
+(expandtypeattribute (e2fs_33_0) true)
+(expandtypeattribute (e2fs_exec_33_0) true)
+(expandtypeattribute (efs_file_33_0) true)
+(expandtypeattribute (emergency_affordance_service_33_0) true)
+(expandtypeattribute (ephemeral_app_33_0) true)
+(expandtypeattribute (ethernet_service_33_0) true)
+(expandtypeattribute (evsmanagerd_33_0) true)
+(expandtypeattribute (evsmanagerd_service_33_0) true)
+(expandtypeattribute (exfat_33_0) true)
+(expandtypeattribute (exported3_system_prop_33_0) true)
+(expandtypeattribute (exported_bluetooth_prop_33_0) true)
+(expandtypeattribute (exported_camera_prop_33_0) true)
+(expandtypeattribute (exported_config_prop_33_0) true)
+(expandtypeattribute (exported_default_prop_33_0) true)
+(expandtypeattribute (exported_dumpstate_prop_33_0) true)
+(expandtypeattribute (exported_overlay_prop_33_0) true)
+(expandtypeattribute (exported_pm_prop_33_0) true)
+(expandtypeattribute (exported_secure_prop_33_0) true)
+(expandtypeattribute (exported_system_prop_33_0) true)
+(expandtypeattribute (external_vibrator_service_33_0) true)
+(expandtypeattribute (extra_free_kbytes_33_0) true)
+(expandtypeattribute (extra_free_kbytes_exec_33_0) true)
+(expandtypeattribute (face_service_33_0) true)
+(expandtypeattribute (face_vendor_data_file_33_0) true)
+(expandtypeattribute (fastbootd_33_0) true)
+(expandtypeattribute (ffs_config_prop_33_0) true)
+(expandtypeattribute (ffs_control_prop_33_0) true)
+(expandtypeattribute (file_contexts_file_33_0) true)
+(expandtypeattribute (file_integrity_service_33_0) true)
+(expandtypeattribute (fingerprint_prop_33_0) true)
+(expandtypeattribute (fingerprint_service_33_0) true)
+(expandtypeattribute (fingerprint_vendor_data_file_33_0) true)
+(expandtypeattribute (fingerprintd_33_0) true)
+(expandtypeattribute (fingerprintd_data_file_33_0) true)
+(expandtypeattribute (fingerprintd_exec_33_0) true)
+(expandtypeattribute (fingerprintd_service_33_0) true)
+(expandtypeattribute (firstboot_prop_33_0) true)
+(expandtypeattribute (flags_health_check_33_0) true)
+(expandtypeattribute (flags_health_check_exec_33_0) true)
+(expandtypeattribute (font_service_33_0) true)
+(expandtypeattribute (framework_watchdog_config_prop_33_0) true)
+(expandtypeattribute (frp_block_device_33_0) true)
+(expandtypeattribute (fs_bpf_33_0) true)
+(expandtypeattribute (fs_bpf_tethering_33_0) true)
+(expandtypeattribute (fs_bpf_vendor_33_0) true)
+(expandtypeattribute (fsck_33_0) true)
+(expandtypeattribute (fsck_exec_33_0) true)
+(expandtypeattribute (fsck_untrusted_33_0) true)
+(expandtypeattribute (fscklogs_33_0) true)
+(expandtypeattribute (functionfs_33_0) true)
+(expandtypeattribute (fuse_33_0) true)
+(expandtypeattribute (fuse_device_33_0) true)
+(expandtypeattribute (fusectlfs_33_0) true)
+(expandtypeattribute (fwk_automotive_display_hwservice_33_0) true)
+(expandtypeattribute (fwk_automotive_display_service_33_0) true)
+(expandtypeattribute (fwk_bufferhub_hwservice_33_0) true)
+(expandtypeattribute (fwk_camera_hwservice_33_0) true)
+(expandtypeattribute (fwk_display_hwservice_33_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_33_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_33_0) true)
+(expandtypeattribute (fwk_stats_hwservice_33_0) true)
+(expandtypeattribute (fwk_stats_service_33_0) true)
+(expandtypeattribute (fwmarkd_socket_33_0) true)
+(expandtypeattribute (game_mode_intervention_list_file_33_0) true)
+(expandtypeattribute (game_service_33_0) true)
+(expandtypeattribute (gatekeeper_data_file_33_0) true)
+(expandtypeattribute (gatekeeper_service_33_0) true)
+(expandtypeattribute (gatekeeperd_33_0) true)
+(expandtypeattribute (gatekeeperd_exec_33_0) true)
+(expandtypeattribute (gesture_prop_33_0) true)
+(expandtypeattribute (gfxinfo_service_33_0) true)
+(expandtypeattribute (gmscore_app_33_0) true)
+(expandtypeattribute (gnss_device_33_0) true)
+(expandtypeattribute (gnss_time_update_service_33_0) true)
+(expandtypeattribute (gps_control_33_0) true)
+(expandtypeattribute (gpu_device_33_0) true)
+(expandtypeattribute (gpu_service_33_0) true)
+(expandtypeattribute (gpuservice_33_0) true)
+(expandtypeattribute (graphics_config_prop_33_0) true)
+(expandtypeattribute (graphics_device_33_0) true)
+(expandtypeattribute (graphicsstats_service_33_0) true)
+(expandtypeattribute (gsi_data_file_33_0) true)
+(expandtypeattribute (gsi_metadata_file_33_0) true)
+(expandtypeattribute (gsi_public_metadata_file_33_0) true)
+(expandtypeattribute (gwp_asan_prop_33_0) true)
+(expandtypeattribute (hal_atrace_hwservice_33_0) true)
+(expandtypeattribute (hal_audio_hwservice_33_0) true)
+(expandtypeattribute (hal_audio_service_33_0) true)
+(expandtypeattribute (hal_audiocontrol_hwservice_33_0) true)
+(expandtypeattribute (hal_audiocontrol_service_33_0) true)
+(expandtypeattribute (hal_authsecret_hwservice_33_0) true)
+(expandtypeattribute (hal_authsecret_service_33_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_33_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_33_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_33_0) true)
+(expandtypeattribute (hal_camera_hwservice_33_0) true)
+(expandtypeattribute (hal_camera_service_33_0) true)
+(expandtypeattribute (hal_can_bus_hwservice_33_0) true)
+(expandtypeattribute (hal_can_controller_hwservice_33_0) true)
+(expandtypeattribute (hal_cas_hwservice_33_0) true)
+(expandtypeattribute (hal_codec2_hwservice_33_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_33_0) true)
+(expandtypeattribute (hal_confirmationui_hwservice_33_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_33_0) true)
+(expandtypeattribute (hal_contexthub_service_33_0) true)
+(expandtypeattribute (hal_dice_service_33_0) true)
+(expandtypeattribute (hal_drm_hwservice_33_0) true)
+(expandtypeattribute (hal_drm_service_33_0) true)
+(expandtypeattribute (hal_dumpstate_config_prop_33_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_33_0) true)
+(expandtypeattribute (hal_dumpstate_service_33_0) true)
+(expandtypeattribute (hal_evs_hwservice_33_0) true)
+(expandtypeattribute (hal_evs_service_33_0) true)
+(expandtypeattribute (hal_face_hwservice_33_0) true)
+(expandtypeattribute (hal_face_service_33_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_33_0) true)
+(expandtypeattribute (hal_fingerprint_service_33_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_33_0) true)
+(expandtypeattribute (hal_gnss_hwservice_33_0) true)
+(expandtypeattribute (hal_gnss_service_33_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_33_0) true)
+(expandtypeattribute (hal_graphics_allocator_service_33_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_33_0) true)
+(expandtypeattribute (hal_graphics_composer_server_tmpfs_33_0) true)
+(expandtypeattribute (hal_graphics_composer_service_33_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_33_0) true)
+(expandtypeattribute (hal_health_hwservice_33_0) true)
+(expandtypeattribute (hal_health_service_33_0) true)
+(expandtypeattribute (hal_health_storage_hwservice_33_0) true)
+(expandtypeattribute (hal_health_storage_service_33_0) true)
+(expandtypeattribute (hal_identity_service_33_0) true)
+(expandtypeattribute (hal_input_classifier_hwservice_33_0) true)
+(expandtypeattribute (hal_input_processor_service_33_0) true)
+(expandtypeattribute (hal_instrumentation_prop_33_0) true)
+(expandtypeattribute (hal_ir_hwservice_33_0) true)
+(expandtypeattribute (hal_ir_service_33_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_33_0) true)
+(expandtypeattribute (hal_keymint_service_33_0) true)
+(expandtypeattribute (hal_light_hwservice_33_0) true)
+(expandtypeattribute (hal_light_service_33_0) true)
+(expandtypeattribute (hal_lowpan_hwservice_33_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_33_0) true)
+(expandtypeattribute (hal_memtrack_service_33_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_33_0) true)
+(expandtypeattribute (hal_neuralnetworks_service_33_0) true)
+(expandtypeattribute (hal_nfc_hwservice_33_0) true)
+(expandtypeattribute (hal_nfc_service_33_0) true)
+(expandtypeattribute (hal_nlinterceptor_service_33_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_33_0) true)
+(expandtypeattribute (hal_oemlock_service_33_0) true)
+(expandtypeattribute (hal_omx_hwservice_33_0) true)
+(expandtypeattribute (hal_power_hwservice_33_0) true)
+(expandtypeattribute (hal_power_service_33_0) true)
+(expandtypeattribute (hal_power_stats_hwservice_33_0) true)
+(expandtypeattribute (hal_power_stats_service_33_0) true)
+(expandtypeattribute (hal_radio_service_33_0) true)
+(expandtypeattribute (hal_rebootescrow_service_33_0) true)
+(expandtypeattribute (hal_remotelyprovisionedcomponent_service_33_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_33_0) true)
+(expandtypeattribute (hal_secure_element_hwservice_33_0) true)
+(expandtypeattribute (hal_secureclock_service_33_0) true)
+(expandtypeattribute (hal_sensors_hwservice_33_0) true)
+(expandtypeattribute (hal_sensors_service_33_0) true)
+(expandtypeattribute (hal_sharedsecret_service_33_0) true)
+(expandtypeattribute (hal_system_suspend_service_33_0) true)
+(expandtypeattribute (hal_telephony_hwservice_33_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_33_0) true)
+(expandtypeattribute (hal_thermal_hwservice_33_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_33_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_33_0) true)
+(expandtypeattribute (hal_tv_tuner_hwservice_33_0) true)
+(expandtypeattribute (hal_tv_tuner_service_33_0) true)
+(expandtypeattribute (hal_usb_gadget_hwservice_33_0) true)
+(expandtypeattribute (hal_usb_hwservice_33_0) true)
+(expandtypeattribute (hal_usb_service_33_0) true)
+(expandtypeattribute (hal_uwb_service_33_0) true)
+(expandtypeattribute (hal_vehicle_hwservice_33_0) true)
+(expandtypeattribute (hal_vehicle_service_33_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_33_0) true)
+(expandtypeattribute (hal_vibrator_service_33_0) true)
+(expandtypeattribute (hal_vr_hwservice_33_0) true)
+(expandtypeattribute (hal_weaver_hwservice_33_0) true)
+(expandtypeattribute (hal_weaver_service_33_0) true)
+(expandtypeattribute (hal_wifi_hostapd_hwservice_33_0) true)
+(expandtypeattribute (hal_wifi_hostapd_service_33_0) true)
+(expandtypeattribute (hal_wifi_hwservice_33_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_33_0) true)
+(expandtypeattribute (hal_wifi_supplicant_service_33_0) true)
+(expandtypeattribute (hardware_properties_service_33_0) true)
+(expandtypeattribute (hardware_service_33_0) true)
+(expandtypeattribute (hci_attach_dev_33_0) true)
+(expandtypeattribute (hdmi_config_prop_33_0) true)
+(expandtypeattribute (hdmi_control_service_33_0) true)
+(expandtypeattribute (healthd_33_0) true)
+(expandtypeattribute (heapdump_data_file_33_0) true)
+(expandtypeattribute (heapprofd_33_0) true)
+(expandtypeattribute (heapprofd_enabled_prop_33_0) true)
+(expandtypeattribute (heapprofd_prop_33_0) true)
+(expandtypeattribute (heapprofd_socket_33_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_33_0) true)
+(expandtypeattribute (hidl_base_hwservice_33_0) true)
+(expandtypeattribute (hidl_manager_hwservice_33_0) true)
+(expandtypeattribute (hidl_memory_hwservice_33_0) true)
+(expandtypeattribute (hidl_token_hwservice_33_0) true)
+(expandtypeattribute (hint_service_33_0) true)
+(expandtypeattribute (hw_random_device_33_0) true)
+(expandtypeattribute (hw_timeout_multiplier_prop_33_0) true)
+(expandtypeattribute (hwbinder_device_33_0) true)
+(expandtypeattribute (hwservice_contexts_file_33_0) true)
+(expandtypeattribute (hwservicemanager_33_0) true)
+(expandtypeattribute (hwservicemanager_exec_33_0) true)
+(expandtypeattribute (hwservicemanager_prop_33_0) true)
+(expandtypeattribute (hypervisor_prop_33_0) true)
+(expandtypeattribute (icon_file_33_0) true)
+(expandtypeattribute (idmap_33_0) true)
+(expandtypeattribute (idmap_exec_33_0) true)
+(expandtypeattribute (idmap_service_33_0) true)
+(expandtypeattribute (iio_device_33_0) true)
+(expandtypeattribute (imms_service_33_0) true)
+(expandtypeattribute (incident_33_0) true)
+(expandtypeattribute (incident_data_file_33_0) true)
+(expandtypeattribute (incident_helper_33_0) true)
+(expandtypeattribute (incident_service_33_0) true)
+(expandtypeattribute (incidentd_33_0) true)
+(expandtypeattribute (incremental_control_file_33_0) true)
+(expandtypeattribute (incremental_prop_33_0) true)
+(expandtypeattribute (incremental_service_33_0) true)
+(expandtypeattribute (init_33_0) true)
+(expandtypeattribute (init_exec_33_0) true)
+(expandtypeattribute (init_service_status_prop_33_0) true)
+(expandtypeattribute (init_tmpfs_33_0) true)
+(expandtypeattribute (inotify_33_0) true)
+(expandtypeattribute (input_device_33_0) true)
+(expandtypeattribute (input_method_service_33_0) true)
+(expandtypeattribute (input_service_33_0) true)
+(expandtypeattribute (inputflinger_33_0) true)
+(expandtypeattribute (inputflinger_exec_33_0) true)
+(expandtypeattribute (inputflinger_service_33_0) true)
+(expandtypeattribute (install_data_file_33_0) true)
+(expandtypeattribute (installd_33_0) true)
+(expandtypeattribute (installd_exec_33_0) true)
+(expandtypeattribute (installd_service_33_0) true)
+(expandtypeattribute (ion_device_33_0) true)
+(expandtypeattribute (iorap_inode2filename_33_0) true)
+(expandtypeattribute (iorap_inode2filename_exec_33_0) true)
+(expandtypeattribute (iorap_inode2filename_tmpfs_33_0) true)
+(expandtypeattribute (iorap_prefetcherd_33_0) true)
+(expandtypeattribute (iorap_prefetcherd_exec_33_0) true)
+(expandtypeattribute (iorap_prefetcherd_tmpfs_33_0) true)
+(expandtypeattribute (iorapd_33_0) true)
+(expandtypeattribute (iorapd_data_file_33_0) true)
+(expandtypeattribute (iorapd_exec_33_0) true)
+(expandtypeattribute (iorapd_service_33_0) true)
+(expandtypeattribute (iorapd_tmpfs_33_0) true)
+(expandtypeattribute (ipsec_service_33_0) true)
+(expandtypeattribute (iris_service_33_0) true)
+(expandtypeattribute (iris_vendor_data_file_33_0) true)
+(expandtypeattribute (isolated_app_33_0) true)
+(expandtypeattribute (jobscheduler_service_33_0) true)
+(expandtypeattribute (kernel_33_0) true)
+(expandtypeattribute (keychain_data_file_33_0) true)
+(expandtypeattribute (keychord_device_33_0) true)
+(expandtypeattribute (keyguard_config_prop_33_0) true)
+(expandtypeattribute (keystore2_key_contexts_file_33_0) true)
+(expandtypeattribute (keystore_33_0) true)
+(expandtypeattribute (keystore_compat_hal_service_33_0) true)
+(expandtypeattribute (keystore_data_file_33_0) true)
+(expandtypeattribute (keystore_exec_33_0) true)
+(expandtypeattribute (keystore_maintenance_service_33_0) true)
+(expandtypeattribute (keystore_metrics_service_33_0) true)
+(expandtypeattribute (keystore_service_33_0) true)
+(expandtypeattribute (kmsg_debug_device_33_0) true)
+(expandtypeattribute (kmsg_device_33_0) true)
+(expandtypeattribute (labeledfs_33_0) true)
+(expandtypeattribute (launcherapps_service_33_0) true)
+(expandtypeattribute (legacy_permission_service_33_0) true)
+(expandtypeattribute (legacykeystore_service_33_0) true)
+(expandtypeattribute (libc_debug_prop_33_0) true)
+(expandtypeattribute (light_service_33_0) true)
+(expandtypeattribute (linkerconfig_file_33_0) true)
+(expandtypeattribute (llkd_33_0) true)
+(expandtypeattribute (llkd_exec_33_0) true)
+(expandtypeattribute (llkd_prop_33_0) true)
+(expandtypeattribute (lmkd_33_0) true)
+(expandtypeattribute (lmkd_config_prop_33_0) true)
+(expandtypeattribute (lmkd_exec_33_0) true)
+(expandtypeattribute (lmkd_prop_33_0) true)
+(expandtypeattribute (lmkd_socket_33_0) true)
+(expandtypeattribute (locale_service_33_0) true)
+(expandtypeattribute (location_service_33_0) true)
+(expandtypeattribute (location_time_zone_manager_service_33_0) true)
+(expandtypeattribute (lock_settings_service_33_0) true)
+(expandtypeattribute (log_prop_33_0) true)
+(expandtypeattribute (log_tag_prop_33_0) true)
+(expandtypeattribute (logcat_exec_33_0) true)
+(expandtypeattribute (logd_33_0) true)
+(expandtypeattribute (logd_exec_33_0) true)
+(expandtypeattribute (logd_prop_33_0) true)
+(expandtypeattribute (logd_socket_33_0) true)
+(expandtypeattribute (logdr_socket_33_0) true)
+(expandtypeattribute (logdw_socket_33_0) true)
+(expandtypeattribute (logpersist_33_0) true)
+(expandtypeattribute (logpersistd_logging_prop_33_0) true)
+(expandtypeattribute (loop_control_device_33_0) true)
+(expandtypeattribute (loop_device_33_0) true)
+(expandtypeattribute (looper_stats_service_33_0) true)
+(expandtypeattribute (lowpan_device_33_0) true)
+(expandtypeattribute (lowpan_prop_33_0) true)
+(expandtypeattribute (lowpan_service_33_0) true)
+(expandtypeattribute (lpdump_service_33_0) true)
+(expandtypeattribute (lpdumpd_prop_33_0) true)
+(expandtypeattribute (mac_perms_file_33_0) true)
+(expandtypeattribute (mdns_service_33_0) true)
+(expandtypeattribute (mdns_socket_33_0) true)
+(expandtypeattribute (mdnsd_33_0) true)
+(expandtypeattribute (mdnsd_socket_33_0) true)
+(expandtypeattribute (media_communication_service_33_0) true)
+(expandtypeattribute (media_config_prop_33_0) true)
+(expandtypeattribute (media_data_file_33_0) true)
+(expandtypeattribute (media_metrics_service_33_0) true)
+(expandtypeattribute (media_projection_service_33_0) true)
+(expandtypeattribute (media_router_service_33_0) true)
+(expandtypeattribute (media_rw_data_file_33_0) true)
+(expandtypeattribute (media_session_service_33_0) true)
+(expandtypeattribute (media_variant_prop_33_0) true)
+(expandtypeattribute (mediadrm_config_prop_33_0) true)
+(expandtypeattribute (mediadrmserver_33_0) true)
+(expandtypeattribute (mediadrmserver_exec_33_0) true)
+(expandtypeattribute (mediadrmserver_service_33_0) true)
+(expandtypeattribute (mediaextractor_33_0) true)
+(expandtypeattribute (mediaextractor_exec_33_0) true)
+(expandtypeattribute (mediaextractor_service_33_0) true)
+(expandtypeattribute (mediaextractor_tmpfs_33_0) true)
+(expandtypeattribute (mediametrics_33_0) true)
+(expandtypeattribute (mediametrics_exec_33_0) true)
+(expandtypeattribute (mediametrics_service_33_0) true)
+(expandtypeattribute (mediaprovider_33_0) true)
+(expandtypeattribute (mediaserver_33_0) true)
+(expandtypeattribute (mediaserver_exec_33_0) true)
+(expandtypeattribute (mediaserver_service_33_0) true)
+(expandtypeattribute (mediaserver_tmpfs_33_0) true)
+(expandtypeattribute (mediaswcodec_33_0) true)
+(expandtypeattribute (mediaswcodec_exec_33_0) true)
+(expandtypeattribute (mediatranscoding_33_0) true)
+(expandtypeattribute (mediatranscoding_service_33_0) true)
+(expandtypeattribute (meminfo_service_33_0) true)
+(expandtypeattribute (memtrackproxy_service_33_0) true)
+(expandtypeattribute (metadata_block_device_33_0) true)
+(expandtypeattribute (metadata_bootstat_file_33_0) true)
+(expandtypeattribute (metadata_file_33_0) true)
+(expandtypeattribute (method_trace_data_file_33_0) true)
+(expandtypeattribute (midi_service_33_0) true)
+(expandtypeattribute (mirror_data_file_33_0) true)
+(expandtypeattribute (misc_block_device_33_0) true)
+(expandtypeattribute (misc_logd_file_33_0) true)
+(expandtypeattribute (misc_user_data_file_33_0) true)
+(expandtypeattribute (mm_events_config_prop_33_0) true)
+(expandtypeattribute (mmc_prop_33_0) true)
+(expandtypeattribute (mnt_expand_file_33_0) true)
+(expandtypeattribute (mnt_media_rw_file_33_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_33_0) true)
+(expandtypeattribute (mnt_pass_through_file_33_0) true)
+(expandtypeattribute (mnt_product_file_33_0) true)
+(expandtypeattribute (mnt_sdcard_file_33_0) true)
+(expandtypeattribute (mnt_user_file_33_0) true)
+(expandtypeattribute (mnt_vendor_file_33_0) true)
+(expandtypeattribute (mock_ota_prop_33_0) true)
+(expandtypeattribute (modprobe_33_0) true)
+(expandtypeattribute (module_sdkextensions_prop_33_0) true)
+(expandtypeattribute (mount_service_33_0) true)
+(expandtypeattribute (mqueue_33_0) true)
+(expandtypeattribute (mtp_33_0) true)
+(expandtypeattribute (mtp_device_33_0) true)
+(expandtypeattribute (mtp_exec_33_0) true)
+(expandtypeattribute (mtpd_socket_33_0) true)
+(expandtypeattribute (music_recognition_service_33_0) true)
+(expandtypeattribute (nativetest_data_file_33_0) true)
+(expandtypeattribute (nearby_service_33_0) true)
+(expandtypeattribute (net_data_file_33_0) true)
+(expandtypeattribute (net_dns_prop_33_0) true)
+(expandtypeattribute (net_radio_prop_33_0) true)
+(expandtypeattribute (netd_33_0) true)
+(expandtypeattribute (netd_exec_33_0) true)
+(expandtypeattribute (netd_listener_service_33_0) true)
+(expandtypeattribute (netd_service_33_0) true)
+(expandtypeattribute (netif_33_0) true)
+(expandtypeattribute (netpolicy_service_33_0) true)
+(expandtypeattribute (netstats_service_33_0) true)
+(expandtypeattribute (netutils_wrapper_33_0) true)
+(expandtypeattribute (netutils_wrapper_exec_33_0) true)
+(expandtypeattribute (network_management_service_33_0) true)
+(expandtypeattribute (network_score_service_33_0) true)
+(expandtypeattribute (network_stack_33_0) true)
+(expandtypeattribute (network_stack_service_33_0) true)
+(expandtypeattribute (network_time_update_service_33_0) true)
+(expandtypeattribute (network_watchlist_data_file_33_0) true)
+(expandtypeattribute (network_watchlist_service_33_0) true)
+(expandtypeattribute (nfc_33_0) true)
+(expandtypeattribute (nfc_data_file_33_0) true)
+(expandtypeattribute (nfc_device_33_0) true)
+(expandtypeattribute (nfc_logs_data_file_33_0) true)
+(expandtypeattribute (nfc_prop_33_0) true)
+(expandtypeattribute (nfc_service_33_0) true)
+(expandtypeattribute (nnapi_ext_deny_product_prop_33_0) true)
+(expandtypeattribute (node_33_0) true)
+(expandtypeattribute (notification_service_33_0) true)
+(expandtypeattribute (null_device_33_0) true)
+(expandtypeattribute (oem_lock_service_33_0) true)
+(expandtypeattribute (oem_unlock_prop_33_0) true)
+(expandtypeattribute (oemfs_33_0) true)
+(expandtypeattribute (ota_data_file_33_0) true)
+(expandtypeattribute (ota_metadata_file_33_0) true)
+(expandtypeattribute (ota_package_file_33_0) true)
+(expandtypeattribute (ota_prop_33_0) true)
+(expandtypeattribute (otadexopt_service_33_0) true)
+(expandtypeattribute (otapreopt_chroot_33_0) true)
+(expandtypeattribute (overlay_prop_33_0) true)
+(expandtypeattribute (overlay_service_33_0) true)
+(expandtypeattribute (overlayfs_file_33_0) true)
+(expandtypeattribute (owntty_device_33_0) true)
+(expandtypeattribute (pac_proxy_service_33_0) true)
+(expandtypeattribute (package_native_service_33_0) true)
+(expandtypeattribute (package_service_33_0) true)
+(expandtypeattribute (packagemanager_config_prop_33_0) true)
+(expandtypeattribute (packages_list_file_33_0) true)
+(expandtypeattribute (pan_result_prop_33_0) true)
+(expandtypeattribute (password_slot_metadata_file_33_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_33_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_33_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_33_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_display_dir_33_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_33_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_33_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_33_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_33_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_33_0) true)
+(expandtypeattribute (pdx_performance_dir_33_0) true)
+(expandtypeattribute (people_service_33_0) true)
+(expandtypeattribute (perfetto_33_0) true)
+(expandtypeattribute (performanced_33_0) true)
+(expandtypeattribute (performanced_exec_33_0) true)
+(expandtypeattribute (permission_checker_service_33_0) true)
+(expandtypeattribute (permission_service_33_0) true)
+(expandtypeattribute (permissionmgr_service_33_0) true)
+(expandtypeattribute (persist_debug_prop_33_0) true)
+(expandtypeattribute (persist_vendor_debug_wifi_prop_33_0) true)
+(expandtypeattribute (persist_wm_debug_prop_33_0) true)
+(expandtypeattribute (persistent_data_block_service_33_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_33_0) true)
+(expandtypeattribute (pinner_service_33_0) true)
+(expandtypeattribute (pipefs_33_0) true)
+(expandtypeattribute (platform_app_33_0) true)
+(expandtypeattribute (platform_compat_service_33_0) true)
+(expandtypeattribute (pmsg_device_33_0) true)
+(expandtypeattribute (port_33_0) true)
+(expandtypeattribute (port_device_33_0) true)
+(expandtypeattribute (postinstall_33_0) true)
+(expandtypeattribute (postinstall_apex_mnt_dir_33_0) true)
+(expandtypeattribute (postinstall_file_33_0) true)
+(expandtypeattribute (postinstall_mnt_dir_33_0) true)
+(expandtypeattribute (power_debug_prop_33_0) true)
+(expandtypeattribute (power_service_33_0) true)
+(expandtypeattribute (powerctl_prop_33_0) true)
+(expandtypeattribute (powerstats_service_33_0) true)
+(expandtypeattribute (ppp_33_0) true)
+(expandtypeattribute (ppp_device_33_0) true)
+(expandtypeattribute (ppp_exec_33_0) true)
+(expandtypeattribute (preloads_data_file_33_0) true)
+(expandtypeattribute (preloads_media_file_33_0) true)
+(expandtypeattribute (prereboot_data_file_33_0) true)
+(expandtypeattribute (print_service_33_0) true)
+(expandtypeattribute (priv_app_33_0) true)
+(expandtypeattribute (privapp_data_file_33_0) true)
+(expandtypeattribute (proc_33_0) true)
+(expandtypeattribute (proc_abi_33_0) true)
+(expandtypeattribute (proc_asound_33_0) true)
+(expandtypeattribute (proc_bluetooth_writable_33_0) true)
+(expandtypeattribute (proc_bootconfig_33_0) true)
+(expandtypeattribute (proc_bpf_33_0) true)
+(expandtypeattribute (proc_buddyinfo_33_0) true)
+(expandtypeattribute (proc_cmdline_33_0) true)
+(expandtypeattribute (proc_cpu_alignment_33_0) true)
+(expandtypeattribute (proc_cpuinfo_33_0) true)
+(expandtypeattribute (proc_dirty_33_0) true)
+(expandtypeattribute (proc_diskstats_33_0) true)
+(expandtypeattribute (proc_drop_caches_33_0) true)
+(expandtypeattribute (proc_extra_free_kbytes_33_0) true)
+(expandtypeattribute (proc_filesystems_33_0) true)
+(expandtypeattribute (proc_fs_verity_33_0) true)
+(expandtypeattribute (proc_hostname_33_0) true)
+(expandtypeattribute (proc_hung_task_33_0) true)
+(expandtypeattribute (proc_interrupts_33_0) true)
+(expandtypeattribute (proc_iomem_33_0) true)
+(expandtypeattribute (proc_kallsyms_33_0) true)
+(expandtypeattribute (proc_keys_33_0) true)
+(expandtypeattribute (proc_kmsg_33_0) true)
+(expandtypeattribute (proc_kpageflags_33_0) true)
+(expandtypeattribute (proc_loadavg_33_0) true)
+(expandtypeattribute (proc_locks_33_0) true)
+(expandtypeattribute (proc_lowmemorykiller_33_0) true)
+(expandtypeattribute (proc_max_map_count_33_0) true)
+(expandtypeattribute (proc_meminfo_33_0) true)
+(expandtypeattribute (proc_min_free_order_shift_33_0) true)
+(expandtypeattribute (proc_misc_33_0) true)
+(expandtypeattribute (proc_modules_33_0) true)
+(expandtypeattribute (proc_mounts_33_0) true)
+(expandtypeattribute (proc_net_33_0) true)
+(expandtypeattribute (proc_net_tcp_udp_33_0) true)
+(expandtypeattribute (proc_overcommit_memory_33_0) true)
+(expandtypeattribute (proc_page_cluster_33_0) true)
+(expandtypeattribute (proc_pagetypeinfo_33_0) true)
+(expandtypeattribute (proc_panic_33_0) true)
+(expandtypeattribute (proc_perf_33_0) true)
+(expandtypeattribute (proc_pid_max_33_0) true)
+(expandtypeattribute (proc_pipe_conf_33_0) true)
+(expandtypeattribute (proc_pressure_cpu_33_0) true)
+(expandtypeattribute (proc_pressure_io_33_0) true)
+(expandtypeattribute (proc_pressure_mem_33_0) true)
+(expandtypeattribute (proc_qtaguid_ctrl_33_0) true)
+(expandtypeattribute (proc_qtaguid_stat_33_0) true)
+(expandtypeattribute (proc_random_33_0) true)
+(expandtypeattribute (proc_sched_33_0) true)
+(expandtypeattribute (proc_security_33_0) true)
+(expandtypeattribute (proc_slabinfo_33_0) true)
+(expandtypeattribute (proc_stat_33_0) true)
+(expandtypeattribute (proc_swaps_33_0) true)
+(expandtypeattribute (proc_sysrq_33_0) true)
+(expandtypeattribute (proc_timer_33_0) true)
+(expandtypeattribute (proc_tty_drivers_33_0) true)
+(expandtypeattribute (proc_uid_concurrent_active_time_33_0) true)
+(expandtypeattribute (proc_uid_concurrent_policy_time_33_0) true)
+(expandtypeattribute (proc_uid_cpupower_33_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_33_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_33_0) true)
+(expandtypeattribute (proc_uid_io_stats_33_0) true)
+(expandtypeattribute (proc_uid_procstat_set_33_0) true)
+(expandtypeattribute (proc_uid_time_in_state_33_0) true)
+(expandtypeattribute (proc_uptime_33_0) true)
+(expandtypeattribute (proc_vendor_sched_33_0) true)
+(expandtypeattribute (proc_version_33_0) true)
+(expandtypeattribute (proc_vmallocinfo_33_0) true)
+(expandtypeattribute (proc_vmstat_33_0) true)
+(expandtypeattribute (proc_watermark_boost_factor_33_0) true)
+(expandtypeattribute (proc_watermark_scale_factor_33_0) true)
+(expandtypeattribute (proc_zoneinfo_33_0) true)
+(expandtypeattribute (processinfo_service_33_0) true)
+(expandtypeattribute (procstats_service_33_0) true)
+(expandtypeattribute (profman_33_0) true)
+(expandtypeattribute (profman_dump_data_file_33_0) true)
+(expandtypeattribute (profman_exec_33_0) true)
+(expandtypeattribute (properties_device_33_0) true)
+(expandtypeattribute (properties_serial_33_0) true)
+(expandtypeattribute (property_contexts_file_33_0) true)
+(expandtypeattribute (property_data_file_33_0) true)
+(expandtypeattribute (property_info_33_0) true)
+(expandtypeattribute (property_service_version_prop_33_0) true)
+(expandtypeattribute (property_socket_33_0) true)
+(expandtypeattribute (provisioned_prop_33_0) true)
+(expandtypeattribute (pstorefs_33_0) true)
+(expandtypeattribute (ptmx_device_33_0) true)
+(expandtypeattribute (qemu_hw_prop_33_0) true)
+(expandtypeattribute (qemu_sf_lcd_density_prop_33_0) true)
+(expandtypeattribute (qtaguid_device_33_0) true)
+(expandtypeattribute (racoon_33_0) true)
+(expandtypeattribute (racoon_exec_33_0) true)
+(expandtypeattribute (racoon_socket_33_0) true)
+(expandtypeattribute (radio_33_0) true)
+(expandtypeattribute (radio_control_prop_33_0) true)
+(expandtypeattribute (radio_core_data_file_33_0) true)
+(expandtypeattribute (radio_data_file_33_0) true)
+(expandtypeattribute (radio_device_33_0) true)
+(expandtypeattribute (radio_prop_33_0) true)
+(expandtypeattribute (radio_service_33_0) true)
+(expandtypeattribute (ram_device_33_0) true)
+(expandtypeattribute (random_device_33_0) true)
+(expandtypeattribute (reboot_readiness_service_33_0) true)
+(expandtypeattribute (rebootescrow_hal_prop_33_0) true)
+(expandtypeattribute (recovery_33_0) true)
+(expandtypeattribute (recovery_block_device_33_0) true)
+(expandtypeattribute (recovery_config_prop_33_0) true)
+(expandtypeattribute (recovery_data_file_33_0) true)
+(expandtypeattribute (recovery_persist_33_0) true)
+(expandtypeattribute (recovery_persist_exec_33_0) true)
+(expandtypeattribute (recovery_refresh_33_0) true)
+(expandtypeattribute (recovery_refresh_exec_33_0) true)
+(expandtypeattribute (recovery_service_33_0) true)
+(expandtypeattribute (recovery_socket_33_0) true)
+(expandtypeattribute (registry_service_33_0) true)
+(expandtypeattribute (remotelyprovisionedkeypool_service_33_0) true)
+(expandtypeattribute (remoteprovisioning_service_33_0) true)
+(expandtypeattribute (resourcecache_data_file_33_0) true)
+(expandtypeattribute (resources_manager_service_33_0) true)
+(expandtypeattribute (restorecon_prop_33_0) true)
+(expandtypeattribute (restrictions_service_33_0) true)
+(expandtypeattribute (retaildemo_prop_33_0) true)
+(expandtypeattribute (rild_debug_socket_33_0) true)
+(expandtypeattribute (rild_socket_33_0) true)
+(expandtypeattribute (ringtone_file_33_0) true)
+(expandtypeattribute (role_service_33_0) true)
+(expandtypeattribute (rollback_service_33_0) true)
+(expandtypeattribute (root_block_device_33_0) true)
+(expandtypeattribute (rootdisk_sysdev_33_0) true)
+(expandtypeattribute (rootfs_33_0) true)
+(expandtypeattribute (rpmsg_device_33_0) true)
+(expandtypeattribute (rs_33_0) true)
+(expandtypeattribute (rs_exec_33_0) true)
+(expandtypeattribute (rss_hwm_reset_33_0) true)
+(expandtypeattribute (rtc_device_33_0) true)
+(expandtypeattribute (rttmanager_service_33_0) true)
+(expandtypeattribute (runas_33_0) true)
+(expandtypeattribute (runas_app_33_0) true)
+(expandtypeattribute (runas_exec_33_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_33_0) true)
+(expandtypeattribute (runtime_service_33_0) true)
+(expandtypeattribute (safemode_prop_33_0) true)
+(expandtypeattribute (same_process_hal_file_33_0) true)
+(expandtypeattribute (samplingprofiler_service_33_0) true)
+(expandtypeattribute (scheduling_policy_service_33_0) true)
+(expandtypeattribute (sdcard_block_device_33_0) true)
+(expandtypeattribute (sdcardd_33_0) true)
+(expandtypeattribute (sdcardd_exec_33_0) true)
+(expandtypeattribute (sdcardfs_33_0) true)
+(expandtypeattribute (sdk_sandbox_service_33_0) true)
+(expandtypeattribute (seapp_contexts_file_33_0) true)
+(expandtypeattribute (search_service_33_0) true)
+(expandtypeattribute (search_ui_service_33_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_33_0) true)
+(expandtypeattribute (secure_element_33_0) true)
+(expandtypeattribute (secure_element_device_33_0) true)
+(expandtypeattribute (secure_element_service_33_0) true)
+(expandtypeattribute (securityfs_33_0) true)
+(expandtypeattribute (selection_toolbar_service_33_0) true)
+(expandtypeattribute (selinuxfs_33_0) true)
+(expandtypeattribute (sendbug_config_prop_33_0) true)
+(expandtypeattribute (sensor_privacy_service_33_0) true)
+(expandtypeattribute (sensors_device_33_0) true)
+(expandtypeattribute (sensorservice_service_33_0) true)
+(expandtypeattribute (sepolicy_file_33_0) true)
+(expandtypeattribute (serial_device_33_0) true)
+(expandtypeattribute (serial_service_33_0) true)
+(expandtypeattribute (serialno_prop_33_0) true)
+(expandtypeattribute (server_configurable_flags_data_file_33_0) true)
+(expandtypeattribute (service_contexts_file_33_0) true)
+(expandtypeattribute (service_manager_service_33_0) true)
+(expandtypeattribute (service_manager_vndservice_33_0) true)
+(expandtypeattribute (servicediscovery_service_33_0) true)
+(expandtypeattribute (servicemanager_33_0) true)
+(expandtypeattribute (servicemanager_exec_33_0) true)
+(expandtypeattribute (settings_service_33_0) true)
+(expandtypeattribute (sgdisk_33_0) true)
+(expandtypeattribute (sgdisk_exec_33_0) true)
+(expandtypeattribute (shared_relro_33_0) true)
+(expandtypeattribute (shared_relro_file_33_0) true)
+(expandtypeattribute (shell_33_0) true)
+(expandtypeattribute (shell_data_file_33_0) true)
+(expandtypeattribute (shell_exec_33_0) true)
+(expandtypeattribute (shell_prop_33_0) true)
+(expandtypeattribute (shell_test_data_file_33_0) true)
+(expandtypeattribute (shm_33_0) true)
+(expandtypeattribute (shortcut_manager_icons_33_0) true)
+(expandtypeattribute (shortcut_service_33_0) true)
+(expandtypeattribute (simpleperf_33_0) true)
+(expandtypeattribute (simpleperf_app_runner_33_0) true)
+(expandtypeattribute (simpleperf_app_runner_exec_33_0) true)
+(expandtypeattribute (slice_service_33_0) true)
+(expandtypeattribute (slideshow_33_0) true)
+(expandtypeattribute (smart_idle_maint_enabled_prop_33_0) true)
+(expandtypeattribute (smartspace_service_33_0) true)
+(expandtypeattribute (snapshotctl_log_data_file_33_0) true)
+(expandtypeattribute (snapuserd_proxy_socket_33_0) true)
+(expandtypeattribute (snapuserd_socket_33_0) true)
+(expandtypeattribute (soc_prop_33_0) true)
+(expandtypeattribute (socket_device_33_0) true)
+(expandtypeattribute (socket_hook_prop_33_0) true)
+(expandtypeattribute (sockfs_33_0) true)
+(expandtypeattribute (sota_prop_33_0) true)
+(expandtypeattribute (soundtrigger_middleware_service_33_0) true)
+(expandtypeattribute (speech_recognition_service_33_0) true)
+(expandtypeattribute (sqlite_log_prop_33_0) true)
+(expandtypeattribute (staged_install_file_33_0) true)
+(expandtypeattribute (staging_data_file_33_0) true)
+(expandtypeattribute (stats_data_file_33_0) true)
+(expandtypeattribute (statsd_33_0) true)
+(expandtypeattribute (statsd_exec_33_0) true)
+(expandtypeattribute (statsdw_socket_33_0) true)
+(expandtypeattribute (statusbar_service_33_0) true)
+(expandtypeattribute (storage_config_prop_33_0) true)
+(expandtypeattribute (storage_file_33_0) true)
+(expandtypeattribute (storage_stub_file_33_0) true)
+(expandtypeattribute (storaged_service_33_0) true)
+(expandtypeattribute (storagemanager_config_prop_33_0) true)
+(expandtypeattribute (storagestats_service_33_0) true)
+(expandtypeattribute (su_33_0) true)
+(expandtypeattribute (su_exec_33_0) true)
+(expandtypeattribute (super_block_device_33_0) true)
+(expandtypeattribute (surfaceflinger_33_0) true)
+(expandtypeattribute (surfaceflinger_color_prop_33_0) true)
+(expandtypeattribute (surfaceflinger_display_prop_33_0) true)
+(expandtypeattribute (surfaceflinger_prop_33_0) true)
+(expandtypeattribute (surfaceflinger_service_33_0) true)
+(expandtypeattribute (surfaceflinger_tmpfs_33_0) true)
+(expandtypeattribute (suspend_prop_33_0) true)
+(expandtypeattribute (swap_block_device_33_0) true)
+(expandtypeattribute (sysfs_33_0) true)
+(expandtypeattribute (sysfs_android_usb_33_0) true)
+(expandtypeattribute (sysfs_batteryinfo_33_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_33_0) true)
+(expandtypeattribute (sysfs_devfreq_cur_33_0) true)
+(expandtypeattribute (sysfs_devfreq_dir_33_0) true)
+(expandtypeattribute (sysfs_devices_block_33_0) true)
+(expandtypeattribute (sysfs_devices_cs_etm_33_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_33_0) true)
+(expandtypeattribute (sysfs_dm_33_0) true)
+(expandtypeattribute (sysfs_dm_verity_33_0) true)
+(expandtypeattribute (sysfs_dma_heap_33_0) true)
+(expandtypeattribute (sysfs_dmabuf_stats_33_0) true)
+(expandtypeattribute (sysfs_dt_firmware_android_33_0) true)
+(expandtypeattribute (sysfs_extcon_33_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_33_0) true)
+(expandtypeattribute (sysfs_fs_f2fs_33_0) true)
+(expandtypeattribute (sysfs_fs_fuse_bpf_33_0) true)
+(expandtypeattribute (sysfs_fs_incfs_features_33_0) true)
+(expandtypeattribute (sysfs_fs_incfs_metrics_33_0) true)
+(expandtypeattribute (sysfs_gpu_33_0) true)
+(expandtypeattribute (sysfs_hwrandom_33_0) true)
+(expandtypeattribute (sysfs_ion_33_0) true)
+(expandtypeattribute (sysfs_ipv4_33_0) true)
+(expandtypeattribute (sysfs_kernel_notes_33_0) true)
+(expandtypeattribute (sysfs_leds_33_0) true)
+(expandtypeattribute (sysfs_loop_33_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_33_0) true)
+(expandtypeattribute (sysfs_lru_gen_enabled_33_0) true)
+(expandtypeattribute (sysfs_net_33_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_33_0) true)
+(expandtypeattribute (sysfs_power_33_0) true)
+(expandtypeattribute (sysfs_rtc_33_0) true)
+(expandtypeattribute (sysfs_suspend_stats_33_0) true)
+(expandtypeattribute (sysfs_switch_33_0) true)
+(expandtypeattribute (sysfs_thermal_33_0) true)
+(expandtypeattribute (sysfs_transparent_hugepage_33_0) true)
+(expandtypeattribute (sysfs_uhid_33_0) true)
+(expandtypeattribute (sysfs_uio_33_0) true)
+(expandtypeattribute (sysfs_usb_33_0) true)
+(expandtypeattribute (sysfs_usermodehelper_33_0) true)
+(expandtypeattribute (sysfs_vendor_sched_33_0) true)
+(expandtypeattribute (sysfs_vibrator_33_0) true)
+(expandtypeattribute (sysfs_wake_lock_33_0) true)
+(expandtypeattribute (sysfs_wakeup_33_0) true)
+(expandtypeattribute (sysfs_wakeup_reasons_33_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_33_0) true)
+(expandtypeattribute (sysfs_zram_33_0) true)
+(expandtypeattribute (sysfs_zram_uevent_33_0) true)
+(expandtypeattribute (system_app_33_0) true)
+(expandtypeattribute (system_app_data_file_33_0) true)
+(expandtypeattribute (system_app_service_33_0) true)
+(expandtypeattribute (system_asan_options_file_33_0) true)
+(expandtypeattribute (system_block_device_33_0) true)
+(expandtypeattribute (system_boot_reason_prop_33_0) true)
+(expandtypeattribute (system_bootstrap_lib_file_33_0) true)
+(expandtypeattribute (system_config_service_33_0) true)
+(expandtypeattribute (system_data_file_33_0) true)
+(expandtypeattribute (system_data_root_file_33_0) true)
+(expandtypeattribute (system_dlkm_file_33_0) true)
+(expandtypeattribute (system_event_log_tags_file_33_0) true)
+(expandtypeattribute (system_file_33_0) true)
+(expandtypeattribute (system_group_file_33_0) true)
+(expandtypeattribute (system_jvmti_agent_prop_33_0) true)
+(expandtypeattribute (system_lib_file_33_0) true)
+(expandtypeattribute (system_linker_config_file_33_0) true)
+(expandtypeattribute (system_linker_exec_33_0) true)
+(expandtypeattribute (system_lmk_prop_33_0) true)
+(expandtypeattribute (system_ndebug_socket_33_0) true)
+(expandtypeattribute (system_net_netd_hwservice_33_0) true)
+(expandtypeattribute (system_passwd_file_33_0) true)
+(expandtypeattribute (system_prop_33_0) true)
+(expandtypeattribute (system_seccomp_policy_file_33_0) true)
+(expandtypeattribute (system_security_cacerts_file_33_0) true)
+(expandtypeattribute (system_server_33_0) true)
+(expandtypeattribute (system_server_dumper_service_33_0) true)
+(expandtypeattribute (system_server_tmpfs_33_0) true)
+(expandtypeattribute (system_suspend_control_internal_service_33_0) true)
+(expandtypeattribute (system_suspend_control_service_33_0) true)
+(expandtypeattribute (system_suspend_hwservice_33_0) true)
+(expandtypeattribute (system_trace_prop_33_0) true)
+(expandtypeattribute (system_unsolzygote_socket_33_0) true)
+(expandtypeattribute (system_update_service_33_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_33_0) true)
+(expandtypeattribute (system_wpa_socket_33_0) true)
+(expandtypeattribute (system_zoneinfo_file_33_0) true)
+(expandtypeattribute (systemkeys_data_file_33_0) true)
+(expandtypeattribute (systemsound_config_prop_33_0) true)
+(expandtypeattribute (tare_service_33_0) true)
+(expandtypeattribute (task_profiles_api_file_33_0) true)
+(expandtypeattribute (task_profiles_file_33_0) true)
+(expandtypeattribute (task_service_33_0) true)
+(expandtypeattribute (tcpdump_exec_33_0) true)
+(expandtypeattribute (tee_33_0) true)
+(expandtypeattribute (tee_data_file_33_0) true)
+(expandtypeattribute (tee_device_33_0) true)
+(expandtypeattribute (telecom_service_33_0) true)
+(expandtypeattribute (telephony_config_prop_33_0) true)
+(expandtypeattribute (telephony_status_prop_33_0) true)
+(expandtypeattribute (test_boot_reason_prop_33_0) true)
+(expandtypeattribute (test_harness_prop_33_0) true)
+(expandtypeattribute (testharness_service_33_0) true)
+(expandtypeattribute (tethering_service_33_0) true)
+(expandtypeattribute (textclassification_service_33_0) true)
+(expandtypeattribute (textclassifier_data_file_33_0) true)
+(expandtypeattribute (textservices_service_33_0) true)
+(expandtypeattribute (texttospeech_service_33_0) true)
+(expandtypeattribute (theme_prop_33_0) true)
+(expandtypeattribute (thermal_service_33_0) true)
+(expandtypeattribute (time_prop_33_0) true)
+(expandtypeattribute (timedetector_service_33_0) true)
+(expandtypeattribute (timezone_service_33_0) true)
+(expandtypeattribute (timezonedetector_service_33_0) true)
+(expandtypeattribute (tmpfs_33_0) true)
+(expandtypeattribute (tombstone_config_prop_33_0) true)
+(expandtypeattribute (tombstone_data_file_33_0) true)
+(expandtypeattribute (tombstone_wifi_data_file_33_0) true)
+(expandtypeattribute (tombstoned_33_0) true)
+(expandtypeattribute (tombstoned_crash_socket_33_0) true)
+(expandtypeattribute (tombstoned_exec_33_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_33_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_33_0) true)
+(expandtypeattribute (toolbox_33_0) true)
+(expandtypeattribute (toolbox_exec_33_0) true)
+(expandtypeattribute (trace_data_file_33_0) true)
+(expandtypeattribute (traced_33_0) true)
+(expandtypeattribute (traced_consumer_socket_33_0) true)
+(expandtypeattribute (traced_enabled_prop_33_0) true)
+(expandtypeattribute (traced_lazy_prop_33_0) true)
+(expandtypeattribute (traced_perf_33_0) true)
+(expandtypeattribute (traced_perf_socket_33_0) true)
+(expandtypeattribute (traced_probes_33_0) true)
+(expandtypeattribute (traced_producer_socket_33_0) true)
+(expandtypeattribute (traced_tmpfs_33_0) true)
+(expandtypeattribute (traceur_app_33_0) true)
+(expandtypeattribute (translation_service_33_0) true)
+(expandtypeattribute (trust_service_33_0) true)
+(expandtypeattribute (tty_device_33_0) true)
+(expandtypeattribute (tun_device_33_0) true)
+(expandtypeattribute (tv_iapp_service_33_0) true)
+(expandtypeattribute (tv_input_service_33_0) true)
+(expandtypeattribute (tv_tuner_resource_mgr_service_33_0) true)
+(expandtypeattribute (tzdatacheck_33_0) true)
+(expandtypeattribute (tzdatacheck_exec_33_0) true)
+(expandtypeattribute (ueventd_33_0) true)
+(expandtypeattribute (ueventd_tmpfs_33_0) true)
+(expandtypeattribute (uhid_device_33_0) true)
+(expandtypeattribute (uimode_service_33_0) true)
+(expandtypeattribute (uio_device_33_0) true)
+(expandtypeattribute (uncrypt_33_0) true)
+(expandtypeattribute (uncrypt_exec_33_0) true)
+(expandtypeattribute (uncrypt_socket_33_0) true)
+(expandtypeattribute (unencrypted_data_file_33_0) true)
+(expandtypeattribute (unlabeled_33_0) true)
+(expandtypeattribute (untrusted_app_25_33_0) true)
+(expandtypeattribute (untrusted_app_27_33_0) true)
+(expandtypeattribute (untrusted_app_29_33_0) true)
+(expandtypeattribute (untrusted_app_30_33_0) true)
+(expandtypeattribute (untrusted_app_33_0) true)
+(expandtypeattribute (update_engine_33_0) true)
+(expandtypeattribute (update_engine_data_file_33_0) true)
+(expandtypeattribute (update_engine_exec_33_0) true)
+(expandtypeattribute (update_engine_log_data_file_33_0) true)
+(expandtypeattribute (update_engine_service_33_0) true)
+(expandtypeattribute (update_engine_stable_service_33_0) true)
+(expandtypeattribute (update_verifier_33_0) true)
+(expandtypeattribute (update_verifier_exec_33_0) true)
+(expandtypeattribute (updatelock_service_33_0) true)
+(expandtypeattribute (uri_grants_service_33_0) true)
+(expandtypeattribute (usagestats_service_33_0) true)
+(expandtypeattribute (usb_config_prop_33_0) true)
+(expandtypeattribute (usb_control_prop_33_0) true)
+(expandtypeattribute (usb_device_33_0) true)
+(expandtypeattribute (usb_prop_33_0) true)
+(expandtypeattribute (usb_serial_device_33_0) true)
+(expandtypeattribute (usb_service_33_0) true)
+(expandtypeattribute (usbaccessory_device_33_0) true)
+(expandtypeattribute (usbd_33_0) true)
+(expandtypeattribute (usbd_exec_33_0) true)
+(expandtypeattribute (usbfs_33_0) true)
+(expandtypeattribute (use_memfd_prop_33_0) true)
+(expandtypeattribute (user_profile_data_file_33_0) true)
+(expandtypeattribute (user_profile_root_file_33_0) true)
+(expandtypeattribute (user_service_33_0) true)
+(expandtypeattribute (userdata_block_device_33_0) true)
+(expandtypeattribute (userdata_sysdev_33_0) true)
+(expandtypeattribute (usermodehelper_33_0) true)
+(expandtypeattribute (userspace_reboot_config_prop_33_0) true)
+(expandtypeattribute (userspace_reboot_exported_prop_33_0) true)
+(expandtypeattribute (userspace_reboot_metadata_file_33_0) true)
+(expandtypeattribute (uwb_service_33_0) true)
+(expandtypeattribute (vcn_management_service_33_0) true)
+(expandtypeattribute (vd_device_33_0) true)
+(expandtypeattribute (vdc_33_0) true)
+(expandtypeattribute (vdc_exec_33_0) true)
+(expandtypeattribute (vehicle_hal_prop_33_0) true)
+(expandtypeattribute (vendor_apex_file_33_0) true)
+(expandtypeattribute (vendor_app_file_33_0) true)
+(expandtypeattribute (vendor_cgroup_desc_file_33_0) true)
+(expandtypeattribute (vendor_configs_file_33_0) true)
+(expandtypeattribute (vendor_data_file_33_0) true)
+(expandtypeattribute (vendor_default_prop_33_0) true)
+(expandtypeattribute (vendor_file_33_0) true)
+(expandtypeattribute (vendor_framework_file_33_0) true)
+(expandtypeattribute (vendor_hal_file_33_0) true)
+(expandtypeattribute (vendor_idc_file_33_0) true)
+(expandtypeattribute (vendor_init_33_0) true)
+(expandtypeattribute (vendor_kernel_modules_33_0) true)
+(expandtypeattribute (vendor_keychars_file_33_0) true)
+(expandtypeattribute (vendor_keylayout_file_33_0) true)
+(expandtypeattribute (vendor_misc_writer_33_0) true)
+(expandtypeattribute (vendor_misc_writer_exec_33_0) true)
+(expandtypeattribute (vendor_modprobe_33_0) true)
+(expandtypeattribute (vendor_overlay_file_33_0) true)
+(expandtypeattribute (vendor_public_framework_file_33_0) true)
+(expandtypeattribute (vendor_public_lib_file_33_0) true)
+(expandtypeattribute (vendor_security_patch_level_prop_33_0) true)
+(expandtypeattribute (vendor_service_contexts_file_33_0) true)
+(expandtypeattribute (vendor_shell_33_0) true)
+(expandtypeattribute (vendor_shell_exec_33_0) true)
+(expandtypeattribute (vendor_socket_hook_prop_33_0) true)
+(expandtypeattribute (vendor_task_profiles_file_33_0) true)
+(expandtypeattribute (vendor_toolbox_exec_33_0) true)
+(expandtypeattribute (vendor_uuid_mapping_config_file_33_0) true)
+(expandtypeattribute (vendor_vm_data_file_33_0) true)
+(expandtypeattribute (vendor_vm_file_33_0) true)
+(expandtypeattribute (vfat_33_0) true)
+(expandtypeattribute (vibrator_manager_service_33_0) true)
+(expandtypeattribute (vibrator_service_33_0) true)
+(expandtypeattribute (video_device_33_0) true)
+(expandtypeattribute (virtual_ab_prop_33_0) true)
+(expandtypeattribute (virtual_device_service_33_0) true)
+(expandtypeattribute (virtual_touchpad_33_0) true)
+(expandtypeattribute (virtual_touchpad_exec_33_0) true)
+(expandtypeattribute (virtual_touchpad_service_33_0) true)
+(expandtypeattribute (virtualization_service_33_0) true)
+(expandtypeattribute (vndbinder_device_33_0) true)
+(expandtypeattribute (vndk_prop_33_0) true)
+(expandtypeattribute (vndk_sp_file_33_0) true)
+(expandtypeattribute (vndservice_contexts_file_33_0) true)
+(expandtypeattribute (vndservicemanager_33_0) true)
+(expandtypeattribute (voiceinteraction_service_33_0) true)
+(expandtypeattribute (vold_33_0) true)
+(expandtypeattribute (vold_config_prop_33_0) true)
+(expandtypeattribute (vold_data_file_33_0) true)
+(expandtypeattribute (vold_device_33_0) true)
+(expandtypeattribute (vold_exec_33_0) true)
+(expandtypeattribute (vold_metadata_file_33_0) true)
+(expandtypeattribute (vold_post_fs_data_prop_33_0) true)
+(expandtypeattribute (vold_prepare_subdirs_33_0) true)
+(expandtypeattribute (vold_prepare_subdirs_exec_33_0) true)
+(expandtypeattribute (vold_prop_33_0) true)
+(expandtypeattribute (vold_service_33_0) true)
+(expandtypeattribute (vold_status_prop_33_0) true)
+(expandtypeattribute (vpn_data_file_33_0) true)
+(expandtypeattribute (vpn_management_service_33_0) true)
+(expandtypeattribute (vr_hwc_service_33_0) true)
+(expandtypeattribute (vr_manager_service_33_0) true)
+(expandtypeattribute (vrflinger_vsync_service_33_0) true)
+(expandtypeattribute (vts_config_prop_33_0) true)
+(expandtypeattribute (vts_status_prop_33_0) true)
+(expandtypeattribute (wallpaper_effects_generation_service_33_0) true)
+(expandtypeattribute (wallpaper_file_33_0) true)
+(expandtypeattribute (wallpaper_service_33_0) true)
+(expandtypeattribute (watchdog_device_33_0) true)
+(expandtypeattribute (watchdog_metadata_file_33_0) true)
+(expandtypeattribute (watchdogd_33_0) true)
+(expandtypeattribute (watchdogd_exec_33_0) true)
+(expandtypeattribute (webview_zygote_33_0) true)
+(expandtypeattribute (webview_zygote_exec_33_0) true)
+(expandtypeattribute (webview_zygote_tmpfs_33_0) true)
+(expandtypeattribute (webviewupdate_service_33_0) true)
+(expandtypeattribute (wifi_config_prop_33_0) true)
+(expandtypeattribute (wifi_data_file_33_0) true)
+(expandtypeattribute (wifi_hal_prop_33_0) true)
+(expandtypeattribute (wifi_key_33_0) true)
+(expandtypeattribute (wifi_log_prop_33_0) true)
+(expandtypeattribute (wifi_prop_33_0) true)
+(expandtypeattribute (wifi_service_33_0) true)
+(expandtypeattribute (wifiaware_service_33_0) true)
+(expandtypeattribute (wificond_33_0) true)
+(expandtypeattribute (wificond_exec_33_0) true)
+(expandtypeattribute (wifinl80211_service_33_0) true)
+(expandtypeattribute (wifip2p_service_33_0) true)
+(expandtypeattribute (wifiscanner_service_33_0) true)
+(expandtypeattribute (window_service_33_0) true)
+(expandtypeattribute (wpa_socket_33_0) true)
+(expandtypeattribute (wpantund_33_0) true)
+(expandtypeattribute (wpantund_exec_33_0) true)
+(expandtypeattribute (wpantund_service_33_0) true)
+(expandtypeattribute (zero_device_33_0) true)
+(expandtypeattribute (zoneinfo_data_file_33_0) true)
+(expandtypeattribute (zram_config_prop_33_0) true)
+(expandtypeattribute (zram_control_prop_33_0) true)
+(expandtypeattribute (zygote_33_0) true)
+(expandtypeattribute (zygote_config_prop_33_0) true)
+(expandtypeattribute (zygote_exec_33_0) true)
+(expandtypeattribute (zygote_socket_33_0) true)
+(expandtypeattribute (zygote_tmpfs_33_0) true)
+(typeattributeset DockObserver_service_33_0 (DockObserver_service))
+(typeattributeset IProxyService_service_33_0 (IProxyService_service))
+(typeattributeset aac_drc_prop_33_0 (aac_drc_prop))
+(typeattributeset aaudio_config_prop_33_0 (aaudio_config_prop))
+(typeattributeset ab_update_gki_prop_33_0 (ab_update_gki_prop))
+(typeattributeset accessibility_service_33_0 (accessibility_service))
+(typeattributeset account_service_33_0 (account_service))
+(typeattributeset activity_service_33_0 (activity_service))
+(typeattributeset activity_task_service_33_0 (activity_task_service))
+(typeattributeset adb_data_file_33_0 (adb_data_file))
+(typeattributeset adb_keys_file_33_0 (adb_keys_file))
+(typeattributeset adb_service_33_0 (adb_service))
+(typeattributeset adbd_33_0 (adbd))
+(typeattributeset adbd_config_prop_33_0 (adbd_config_prop))
+(typeattributeset adbd_exec_33_0 (adbd_exec))
+(typeattributeset adbd_socket_33_0 (adbd_socket))
+(typeattributeset adservices_manager_service_33_0 (adservices_manager_service))
+(typeattributeset aidl_lazy_test_server_33_0 (aidl_lazy_test_server))
+(typeattributeset aidl_lazy_test_server_exec_33_0 (aidl_lazy_test_server_exec))
+(typeattributeset aidl_lazy_test_service_33_0 (aidl_lazy_test_service))
+(typeattributeset alarm_service_33_0 (alarm_service))
+(typeattributeset anr_data_file_33_0 (anr_data_file))
+(typeattributeset apc_service_33_0 (apc_service))
+(typeattributeset apex_data_file_33_0 (apex_data_file))
+(typeattributeset apex_info_file_33_0 (apex_info_file))
+(typeattributeset apex_metadata_file_33_0 (apex_metadata_file))
+(typeattributeset apex_mnt_dir_33_0 (apex_mnt_dir))
+(typeattributeset apex_module_data_file_33_0 (apex_module_data_file))
+(typeattributeset apex_ota_reserved_file_33_0 (apex_ota_reserved_file))
+(typeattributeset apex_rollback_data_file_33_0 (apex_rollback_data_file))
+(typeattributeset apex_service_33_0 (apex_service))
+(typeattributeset apex_system_server_data_file_33_0 (apex_system_server_data_file))
+(typeattributeset apexd_33_0 (apexd))
+(typeattributeset apexd_config_prop_33_0 (apexd_config_prop))
+(typeattributeset apexd_exec_33_0 (apexd_exec))
+(typeattributeset apexd_prop_33_0 (apexd_prop))
+(typeattributeset apexd_select_prop_33_0 (apexd_select_prop))
+(typeattributeset apk_data_file_33_0 (apk_data_file))
+(typeattributeset apk_private_data_file_33_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_33_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_33_0 (apk_tmp_file))
+(typeattributeset apk_verity_prop_33_0 (apk_verity_prop))
+(typeattributeset app_binding_service_33_0 (app_binding_service))
+(typeattributeset app_data_file_33_0 (app_data_file))
+(typeattributeset app_fuse_file_33_0 (app_fuse_file))
+(typeattributeset app_fusefs_33_0 (app_fusefs))
+(typeattributeset app_hibernation_service_33_0 (app_hibernation_service))
+(typeattributeset app_integrity_service_33_0 (app_integrity_service))
+(typeattributeset app_prediction_service_33_0 (app_prediction_service))
+(typeattributeset app_search_service_33_0 (app_search_service))
+(typeattributeset app_zygote_33_0 (app_zygote))
+(typeattributeset app_zygote_tmpfs_33_0 (app_zygote_tmpfs))
+(typeattributeset appcompat_data_file_33_0 (appcompat_data_file))
+(typeattributeset appdomain_tmpfs_33_0 (appdomain_tmpfs))
+(typeattributeset appops_service_33_0 (appops_service))
+(typeattributeset appwidget_service_33_0 (appwidget_service))
+(typeattributeset arm64_memtag_prop_33_0 (arm64_memtag_prop))
+(typeattributeset art_apex_dir_33_0 (art_apex_dir))
+(typeattributeset artd_service_33_0 (artd_service))
+(typeattributeset asec_apk_file_33_0 (asec_apk_file))
+(typeattributeset asec_image_file_33_0 (asec_image_file))
+(typeattributeset asec_public_file_33_0 (asec_public_file))
+(typeattributeset ashmem_device_33_0 (ashmem_device))
+(typeattributeset ashmem_libcutils_device_33_0 (ashmem_libcutils_device))
+(typeattributeset assetatlas_service_33_0 (assetatlas_service))
+(typeattributeset atrace_33_0 (atrace))
+(typeattributeset attestation_verification_service_33_0 (attestation_verification_service))
+(typeattributeset audio_config_prop_33_0 (audio_config_prop))
+(typeattributeset audio_data_file_33_0 (audio_data_file))
+(typeattributeset audio_device_33_0 (audio_device))
+(typeattributeset audio_prop_33_0 (audio_prop))
+(typeattributeset audio_service_33_0 (audio_service))
+(typeattributeset audiohal_data_file_33_0 (audiohal_data_file))
+(typeattributeset audioserver_33_0 (audioserver))
+(typeattributeset audioserver_data_file_33_0 (audioserver_data_file))
+(typeattributeset audioserver_service_33_0 (audioserver_service))
+(typeattributeset audioserver_tmpfs_33_0 (audioserver_tmpfs))
+(typeattributeset auth_service_33_0 (auth_service))
+(typeattributeset authorization_service_33_0 (authorization_service))
+(typeattributeset autofill_service_33_0 (autofill_service))
+(typeattributeset backup_data_file_33_0 (backup_data_file))
+(typeattributeset backup_service_33_0 (backup_service))
+(typeattributeset battery_service_33_0 (battery_service))
+(typeattributeset batteryproperties_service_33_0 (batteryproperties_service))
+(typeattributeset batterystats_service_33_0 (batterystats_service))
+(typeattributeset binder_cache_bluetooth_server_prop_33_0 (binder_cache_bluetooth_server_prop))
+(typeattributeset binder_cache_system_server_prop_33_0 (binder_cache_system_server_prop))
+(typeattributeset binder_cache_telephony_server_prop_33_0 (binder_cache_telephony_server_prop))
+(typeattributeset binder_calls_stats_service_33_0 (binder_calls_stats_service))
+(typeattributeset binder_device_33_0 (binder_device))
+(typeattributeset binderfs_33_0 (binderfs))
+(typeattributeset binderfs_features_33_0 (binderfs_features))
+(typeattributeset binderfs_logs_33_0 (binderfs_logs))
+(typeattributeset binderfs_logs_proc_33_0 (binderfs_logs_proc))
+(typeattributeset binfmt_miscfs_33_0 (binfmt_miscfs))
+(typeattributeset biometric_service_33_0 (biometric_service))
+(typeattributeset blkid_33_0 (blkid))
+(typeattributeset blkid_untrusted_33_0 (blkid_untrusted))
+(typeattributeset blob_store_service_33_0 (blob_store_service))
+(typeattributeset block_device_33_0 (block_device))
+(typeattributeset bluetooth_33_0 (bluetooth))
+(typeattributeset bluetooth_a2dp_offload_prop_33_0 (bluetooth_a2dp_offload_prop))
+(typeattributeset bluetooth_audio_hal_prop_33_0 (bluetooth_audio_hal_prop))
+(typeattributeset bluetooth_config_prop_33_0 (bluetooth_config_prop))
+(typeattributeset bluetooth_data_file_33_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_33_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_33_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_33_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_33_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_33_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_33_0 (bluetooth_socket))
+(typeattributeset boot_block_device_33_0 (boot_block_device))
+(typeattributeset boot_status_prop_33_0 (boot_status_prop))
+(typeattributeset bootanim_33_0 (bootanim))
+(typeattributeset bootanim_config_prop_33_0 (bootanim_config_prop))
+(typeattributeset bootanim_exec_33_0 (bootanim_exec))
+(typeattributeset bootanim_system_prop_33_0 (bootanim_system_prop))
+(typeattributeset bootchart_data_file_33_0 (bootchart_data_file))
+(typeattributeset bootloader_boot_reason_prop_33_0 (bootloader_boot_reason_prop))
+(typeattributeset bootloader_prop_33_0 (bootloader_prop))
+(typeattributeset bootstat_33_0 (bootstat))
+(typeattributeset bootstat_data_file_33_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_33_0 (bootstat_exec))
+(typeattributeset boottime_prop_33_0 (boottime_prop))
+(typeattributeset boottime_public_prop_33_0 (boottime_public_prop))
+(typeattributeset boottrace_data_file_33_0 (boottrace_data_file))
+(typeattributeset bpf_progs_loaded_prop_33_0 (bpf_progs_loaded_prop))
+(typeattributeset bpfloader_33_0 (bpfloader))
+(typeattributeset bq_config_prop_33_0 (bq_config_prop))
+(typeattributeset broadcastradio_service_33_0 (broadcastradio_service))
+(typeattributeset bufferhubd_33_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_33_0 (bufferhubd_exec))
+(typeattributeset bugreport_service_33_0 (bugreport_service))
+(typeattributeset build_bootimage_prop_33_0 (build_bootimage_prop))
+(typeattributeset build_config_prop_33_0 (build_config_prop))
+(typeattributeset build_odm_prop_33_0 (build_odm_prop))
+(typeattributeset build_prop_33_0 (build_prop))
+(typeattributeset build_prop_33_0 (userdebug_or_eng_prop))
+(typeattributeset build_vendor_prop_33_0 (build_vendor_prop))
+(typeattributeset cache_backup_file_33_0 (cache_backup_file))
+(typeattributeset cache_block_device_33_0 (cache_block_device))
+(typeattributeset cache_file_33_0 (cache_file))
+(typeattributeset cache_private_backup_file_33_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_33_0 (cache_recovery_file))
+(typeattributeset cacheinfo_service_33_0 (cacheinfo_service))
+(typeattributeset camera2_extensions_prop_33_0 (camera2_extensions_prop))
+(typeattributeset camera_calibration_prop_33_0 (camera_calibration_prop))
+(typeattributeset camera_config_prop_33_0 (camera_config_prop))
+(typeattributeset camera_data_file_33_0 (camera_data_file))
+(typeattributeset camera_device_33_0 (camera_device))
+(typeattributeset cameraproxy_service_33_0 (cameraproxy_service))
+(typeattributeset cameraserver_33_0 (cameraserver))
+(typeattributeset cameraserver_exec_33_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_33_0 (cameraserver_service))
+(typeattributeset cameraserver_tmpfs_33_0 (cameraserver_tmpfs))
+(typeattributeset camerax_extensions_prop_33_0 (camerax_extensions_prop))
+(typeattributeset cgroup_33_0 (cgroup))
+(typeattributeset cgroup_desc_api_file_33_0 (cgroup_desc_api_file))
+(typeattributeset cgroup_desc_file_33_0 (cgroup_desc_file))
+(typeattributeset cgroup_rc_file_33_0 (cgroup_rc_file))
+(typeattributeset cgroup_v2_33_0 (cgroup_v2))
+(typeattributeset charger_33_0 (charger))
+(typeattributeset charger_config_prop_33_0 (charger_config_prop))
+(typeattributeset charger_exec_33_0 (charger_exec))
+(typeattributeset charger_prop_33_0 (charger_prop))
+(typeattributeset charger_status_prop_33_0 (charger_status_prop))
+(typeattributeset charger_vendor_33_0 (charger_vendor))
+(typeattributeset clipboard_service_33_0 (clipboard_service))
+(typeattributeset cloudsearch_service_33_0 (cloudsearch_service))
+(typeattributeset codec2_config_prop_33_0 (codec2_config_prop))
+(typeattributeset cold_boot_done_prop_33_0 (cold_boot_done_prop))
+(typeattributeset color_display_service_33_0 (color_display_service))
+(typeattributeset companion_device_service_33_0 (companion_device_service))
+(typeattributeset config_prop_33_0 (config_prop))
+(typeattributeset configfs_33_0 (configfs))
+(typeattributeset connectivity_native_service_33_0 (connectivity_native_service))
+(typeattributeset connectivity_service_33_0 (connectivity_service))
+(typeattributeset connmetrics_service_33_0 (connmetrics_service))
+(typeattributeset console_device_33_0 (console_device))
+(typeattributeset consumer_ir_service_33_0 (consumer_ir_service))
+(typeattributeset content_capture_service_33_0 (content_capture_service))
+(typeattributeset content_service_33_0 (content_service))
+(typeattributeset content_suggestions_service_33_0 (content_suggestions_service))
+(typeattributeset contexthub_service_33_0 (contexthub_service))
+(typeattributeset coredump_file_33_0 (coredump_file))
+(typeattributeset country_detector_service_33_0 (country_detector_service))
+(typeattributeset coverage_service_33_0 (coverage_service))
+(typeattributeset cppreopt_prop_33_0 (cppreopt_prop))
+(typeattributeset cpu_variant_prop_33_0 (cpu_variant_prop))
+(typeattributeset cpuinfo_service_33_0 (cpuinfo_service))
+(typeattributeset crash_dump_33_0 (crash_dump))
+(typeattributeset crash_dump_exec_33_0 (crash_dump_exec))
+(typeattributeset credstore_33_0 (credstore))
+(typeattributeset credstore_data_file_33_0 (credstore_data_file))
+(typeattributeset credstore_exec_33_0 (credstore_exec))
+(typeattributeset credstore_service_33_0 (credstore_service))
+(typeattributeset crossprofileapps_service_33_0 (crossprofileapps_service))
+(typeattributeset ctl_adbd_prop_33_0 (ctl_adbd_prop))
+(typeattributeset ctl_apexd_prop_33_0 (ctl_apexd_prop))
+(typeattributeset ctl_bootanim_prop_33_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_33_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_33_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_33_0 (ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_33_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_33_0 (ctl_fuse_prop))
+(typeattributeset ctl_gsid_prop_33_0 (ctl_gsid_prop))
+(typeattributeset ctl_interface_restart_prop_33_0 (ctl_interface_restart_prop))
+(typeattributeset ctl_interface_start_prop_33_0 (ctl_interface_start_prop))
+(typeattributeset ctl_interface_stop_prop_33_0 (ctl_interface_stop_prop))
+(typeattributeset ctl_mdnsd_prop_33_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_restart_prop_33_0 (ctl_restart_prop))
+(typeattributeset ctl_rildaemon_prop_33_0 (ctl_rildaemon_prop))
+(typeattributeset ctl_sigstop_prop_33_0 (ctl_sigstop_prop))
+(typeattributeset ctl_start_prop_33_0 (ctl_start_prop))
+(typeattributeset ctl_stop_prop_33_0 (ctl_stop_prop))
+(typeattributeset dalvik_config_prop_33_0 (dalvik_config_prop))
+(typeattributeset dalvik_prop_33_0 (dalvik_prop))
+(typeattributeset dalvik_runtime_prop_33_0 (dalvik_runtime_prop))
+(typeattributeset dalvikcache_data_file_33_0 (dalvikcache_data_file))
+(typeattributeset dataloader_manager_service_33_0 (dataloader_manager_service))
+(typeattributeset dbinfo_service_33_0 (dbinfo_service))
+(typeattributeset dck_prop_33_0 (dck_prop))
+(typeattributeset debug_prop_33_0 (debug_prop))
+(typeattributeset debugfs_33_0 (debugfs))
+(typeattributeset debugfs_bootreceiver_tracing_33_0 (debugfs_bootreceiver_tracing))
+(typeattributeset debugfs_kprobes_33_0 (debugfs_kprobes))
+(typeattributeset debugfs_mm_events_tracing_33_0 (debugfs_mm_events_tracing))
+(typeattributeset debugfs_mmc_33_0 (debugfs_mmc))
+(typeattributeset debugfs_restriction_prop_33_0 (debugfs_restriction_prop))
+(typeattributeset debugfs_trace_marker_33_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_33_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_33_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_instances_33_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_tracing_printk_formats_33_0 (debugfs_tracing_printk_formats))
+(typeattributeset debugfs_wakeup_sources_33_0 (debugfs_wakeup_sources))
+(typeattributeset debugfs_wifi_tracing_33_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_33_0 (debuggerd_prop))
+(typeattributeset default_android_hwservice_33_0 (default_android_hwservice))
+(typeattributeset default_android_service_33_0 (default_android_service))
+(typeattributeset default_android_vndservice_33_0 (default_android_vndservice))
+(typeattributeset default_prop_33_0 (default_prop))
+(typeattributeset dev_cpu_variant_33_0 (dev_cpu_variant))
+(typeattributeset device_33_0 (device))
+(typeattributeset device_config_activity_manager_native_boot_prop_33_0 (device_config_activity_manager_native_boot_prop))
+(typeattributeset device_config_boot_count_prop_33_0 (device_config_boot_count_prop))
+(typeattributeset device_config_input_native_boot_prop_33_0 (device_config_input_native_boot_prop))
+(typeattributeset device_config_media_native_prop_33_0 (device_config_media_native_prop))
+(typeattributeset device_config_netd_native_prop_33_0 (device_config_netd_native_prop))
+(typeattributeset device_config_nnapi_native_prop_33_0 (device_config_nnapi_native_prop))
+(typeattributeset device_config_reset_performed_prop_33_0 (device_config_reset_performed_prop))
+(typeattributeset device_config_runtime_native_boot_prop_33_0 (device_config_runtime_native_boot_prop))
+(typeattributeset device_config_runtime_native_prop_33_0 (device_config_runtime_native_prop))
+(typeattributeset device_config_service_33_0 (device_config_service))
+(typeattributeset device_config_surface_flinger_native_boot_prop_33_0 (device_config_surface_flinger_native_boot_prop))
+(typeattributeset device_identifiers_service_33_0 (device_identifiers_service))
+(typeattributeset device_logging_prop_33_0 (device_logging_prop))
+(typeattributeset device_policy_service_33_0 (device_policy_service))
+(typeattributeset device_state_service_33_0 (device_state_service))
+(typeattributeset deviceidle_service_33_0 (deviceidle_service))
+(typeattributeset devicestoragemonitor_service_33_0 (devicestoragemonitor_service))
+(typeattributeset devpts_33_0 (devpts))
+(typeattributeset dhcp_33_0 (dhcp))
+(typeattributeset dhcp_data_file_33_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_33_0 (dhcp_exec))
+(typeattributeset dhcp_prop_33_0 (dhcp_prop))
+(typeattributeset dice_maintenance_service_33_0 (dice_maintenance_service))
+(typeattributeset dice_node_service_33_0 (dice_node_service))
+(typeattributeset diced_33_0 (diced))
+(typeattributeset diced_exec_33_0 (diced_exec))
+(typeattributeset diskstats_service_33_0 (diskstats_service))
+(typeattributeset display_service_33_0 (display_service))
+(typeattributeset dm_device_33_0 (dm_device))
+(typeattributeset dm_user_device_33_0 (dm_user_device))
+(typeattributeset dmabuf_heap_device_33_0 (dmabuf_heap_device))
+(typeattributeset dmabuf_system_heap_device_33_0 (dmabuf_system_heap_device))
+(typeattributeset dmabuf_system_secure_heap_device_33_0 (dmabuf_system_secure_heap_device))
+(typeattributeset dnsmasq_33_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_33_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_33_0 (dnsproxyd_socket))
+(typeattributeset dnsresolver_service_33_0 (dnsresolver_service))
+(typeattributeset domain_verification_service_33_0 (domain_verification_service))
+(typeattributeset dreams_service_33_0 (dreams_service))
+(typeattributeset drm_data_file_33_0 (drm_data_file))
+(typeattributeset drm_service_config_prop_33_0 (drm_service_config_prop))
+(typeattributeset drmserver_33_0 (drmserver))
+(typeattributeset drmserver_exec_33_0 (drmserver_exec))
+(typeattributeset drmserver_service_33_0 (drmserver_service))
+(typeattributeset drmserver_socket_33_0 (drmserver_socket))
+(typeattributeset dropbox_data_file_33_0 (dropbox_data_file))
+(typeattributeset dropbox_service_33_0 (dropbox_service))
+(typeattributeset dumpstate_33_0 (dumpstate))
+(typeattributeset dumpstate_exec_33_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_33_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_33_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_33_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_33_0 (dumpstate_socket))
+(typeattributeset dynamic_system_prop_33_0 (dynamic_system_prop))
+(typeattributeset e2fs_33_0 (e2fs))
+(typeattributeset e2fs_exec_33_0 (e2fs_exec))
+(typeattributeset efs_file_33_0 (efs_file))
+(typeattributeset emergency_affordance_service_33_0 (emergency_affordance_service))
+(typeattributeset ephemeral_app_33_0 (ephemeral_app))
+(typeattributeset ethernet_service_33_0 (ethernet_service))
+(typeattributeset evsmanagerd_33_0 (evsmanagerd))
+(typeattributeset evsmanagerd_service_33_0 (evsmanagerd_service))
+(typeattributeset exfat_33_0 (exfat))
+(typeattributeset exported3_system_prop_33_0 (exported3_system_prop))
+(typeattributeset exported_bluetooth_prop_33_0 (exported_bluetooth_prop))
+(typeattributeset exported_camera_prop_33_0 (exported_camera_prop))
+(typeattributeset exported_config_prop_33_0 (exported_config_prop))
+(typeattributeset exported_default_prop_33_0 (exported_default_prop))
+(typeattributeset exported_dumpstate_prop_33_0 (exported_dumpstate_prop))
+(typeattributeset exported_overlay_prop_33_0 (exported_overlay_prop))
+(typeattributeset exported_pm_prop_33_0 (exported_pm_prop))
+(typeattributeset exported_secure_prop_33_0 (exported_secure_prop))
+(typeattributeset exported_system_prop_33_0
+  ( exported_system_prop
+    locale_prop
+    timezone_prop
+))
+(typeattributeset external_vibrator_service_33_0 (external_vibrator_service))
+(typeattributeset extra_free_kbytes_33_0 (extra_free_kbytes))
+(typeattributeset extra_free_kbytes_exec_33_0 (extra_free_kbytes_exec))
+(typeattributeset face_service_33_0 (face_service))
+(typeattributeset face_vendor_data_file_33_0 (face_vendor_data_file))
+(typeattributeset fastbootd_33_0 (fastbootd))
+(typeattributeset ffs_config_prop_33_0 (ffs_config_prop))
+(typeattributeset ffs_control_prop_33_0 (ffs_control_prop))
+(typeattributeset file_contexts_file_33_0 (file_contexts_file))
+(typeattributeset file_integrity_service_33_0 (file_integrity_service))
+(typeattributeset fingerprint_prop_33_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_33_0 (fingerprint_service))
+(typeattributeset fingerprint_vendor_data_file_33_0 (fingerprint_vendor_data_file))
+(typeattributeset fingerprintd_33_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_33_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_33_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_33_0 (fingerprintd_service))
+(typeattributeset firstboot_prop_33_0 (firstboot_prop))
+(typeattributeset flags_health_check_33_0 (flags_health_check))
+(typeattributeset flags_health_check_exec_33_0 (flags_health_check_exec))
+(typeattributeset font_service_33_0 (font_service))
+(typeattributeset framework_watchdog_config_prop_33_0 (framework_watchdog_config_prop))
+(typeattributeset frp_block_device_33_0 (frp_block_device))
+(typeattributeset fs_bpf_33_0 (fs_bpf))
+(typeattributeset fs_bpf_tethering_33_0 (fs_bpf_tethering))
+(typeattributeset fs_bpf_vendor_33_0 (fs_bpf_vendor))
+(typeattributeset fsck_33_0 (fsck))
+(typeattributeset fsck_exec_33_0 (fsck_exec))
+(typeattributeset fsck_untrusted_33_0 (fsck_untrusted))
+(typeattributeset fscklogs_33_0 (fscklogs))
+(typeattributeset functionfs_33_0 (functionfs))
+(typeattributeset fuse_33_0 (fuse))
+(typeattributeset fuse_device_33_0 (fuse_device))
+(typeattributeset fusectlfs_33_0 (fusectlfs))
+(typeattributeset fwk_automotive_display_hwservice_33_0 (fwk_automotive_display_hwservice))
+(typeattributeset fwk_automotive_display_service_33_0 (fwk_automotive_display_service))
+(typeattributeset fwk_bufferhub_hwservice_33_0 (fwk_bufferhub_hwservice))
+(typeattributeset fwk_camera_hwservice_33_0 (fwk_camera_hwservice))
+(typeattributeset fwk_display_hwservice_33_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_33_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_33_0 (fwk_sensor_hwservice))
+(typeattributeset fwk_stats_hwservice_33_0 (fwk_stats_hwservice))
+(typeattributeset fwk_stats_service_33_0 (fwk_stats_service))
+(typeattributeset fwmarkd_socket_33_0 (fwmarkd_socket))
+(typeattributeset game_mode_intervention_list_file_33_0 (game_mode_intervention_list_file))
+(typeattributeset game_service_33_0 (game_service))
+(typeattributeset gatekeeper_data_file_33_0 (gatekeeper_data_file))
+(typeattributeset gatekeeper_service_33_0 (gatekeeper_service))
+(typeattributeset gatekeeperd_33_0 (gatekeeperd))
+(typeattributeset gatekeeperd_exec_33_0 (gatekeeperd_exec))
+(typeattributeset gesture_prop_33_0 (gesture_prop))
+(typeattributeset gfxinfo_service_33_0 (gfxinfo_service))
+(typeattributeset gmscore_app_33_0 (gmscore_app))
+(typeattributeset gnss_device_33_0 (gnss_device))
+(typeattributeset gnss_time_update_service_33_0 (gnss_time_update_service))
+(typeattributeset gps_control_33_0 (gps_control))
+(typeattributeset gpu_device_33_0 (gpu_device))
+(typeattributeset gpu_service_33_0 (gpu_service))
+(typeattributeset gpuservice_33_0 (gpuservice))
+(typeattributeset graphics_config_prop_33_0 (graphics_config_prop))
+(typeattributeset graphics_device_33_0 (graphics_device))
+(typeattributeset graphicsstats_service_33_0 (graphicsstats_service))
+(typeattributeset gsi_data_file_33_0 (gsi_data_file))
+(typeattributeset gsi_metadata_file_33_0 (gsi_metadata_file))
+(typeattributeset gsi_public_metadata_file_33_0 (gsi_public_metadata_file))
+(typeattributeset gwp_asan_prop_33_0 (gwp_asan_prop))
+(typeattributeset hal_atrace_hwservice_33_0 (hal_atrace_hwservice))
+(typeattributeset hal_audio_hwservice_33_0 (hal_audio_hwservice))
+(typeattributeset hal_audio_service_33_0 (hal_audio_service))
+(typeattributeset hal_audiocontrol_hwservice_33_0 (hal_audiocontrol_hwservice))
+(typeattributeset hal_audiocontrol_service_33_0 (hal_audiocontrol_service))
+(typeattributeset hal_authsecret_hwservice_33_0 (hal_authsecret_hwservice))
+(typeattributeset hal_authsecret_service_33_0 (hal_authsecret_service))
+(typeattributeset hal_bluetooth_hwservice_33_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_33_0 (hal_bootctl_hwservice))
+(typeattributeset hal_broadcastradio_hwservice_33_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_camera_hwservice_33_0 (hal_camera_hwservice))
+(typeattributeset hal_camera_service_33_0 (hal_camera_service))
+(typeattributeset hal_can_bus_hwservice_33_0 (hal_can_bus_hwservice))
+(typeattributeset hal_can_controller_hwservice_33_0 (hal_can_controller_hwservice))
+(typeattributeset hal_cas_hwservice_33_0 (hal_cas_hwservice))
+(typeattributeset hal_codec2_hwservice_33_0 (hal_codec2_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_33_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_confirmationui_hwservice_33_0 (hal_confirmationui_hwservice))
+(typeattributeset hal_contexthub_hwservice_33_0 (hal_contexthub_hwservice))
+(typeattributeset hal_contexthub_service_33_0 (hal_contexthub_service))
+(typeattributeset hal_dice_service_33_0 (hal_dice_service))
+(typeattributeset hal_drm_hwservice_33_0 (hal_drm_hwservice))
+(typeattributeset hal_drm_service_33_0 (hal_drm_service))
+(typeattributeset hal_dumpstate_config_prop_33_0 (hal_dumpstate_config_prop))
+(typeattributeset hal_dumpstate_hwservice_33_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_dumpstate_service_33_0 (hal_dumpstate_service))
+(typeattributeset hal_evs_hwservice_33_0 (hal_evs_hwservice))
+(typeattributeset hal_evs_service_33_0 (hal_evs_service))
+(typeattributeset hal_face_hwservice_33_0 (hal_face_hwservice))
+(typeattributeset hal_face_service_33_0 (hal_face_service))
+(typeattributeset hal_fingerprint_hwservice_33_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_33_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_33_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_33_0 (hal_gnss_hwservice))
+(typeattributeset hal_gnss_service_33_0 (hal_gnss_service))
+(typeattributeset hal_graphics_allocator_hwservice_33_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_allocator_service_33_0 (hal_graphics_allocator_service))
+(typeattributeset hal_graphics_composer_hwservice_33_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_composer_server_tmpfs_33_0 (hal_graphics_composer_server_tmpfs))
+(typeattributeset hal_graphics_composer_service_33_0 (hal_graphics_composer_service))
+(typeattributeset hal_graphics_mapper_hwservice_33_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_33_0 (hal_health_hwservice))
+(typeattributeset hal_health_service_33_0 (hal_health_service))
+(typeattributeset hal_health_storage_hwservice_33_0 (hal_health_storage_hwservice))
+(typeattributeset hal_health_storage_service_33_0 (hal_health_storage_service))
+(typeattributeset hal_identity_service_33_0 (hal_identity_service))
+(typeattributeset hal_input_classifier_hwservice_33_0 (hal_input_classifier_hwservice))
+(typeattributeset hal_input_processor_service_33_0 (hal_input_processor_service))
+(typeattributeset hal_instrumentation_prop_33_0 (hal_instrumentation_prop))
+(typeattributeset hal_ir_hwservice_33_0 (hal_ir_hwservice))
+(typeattributeset hal_ir_service_33_0 (hal_ir_service))
+(typeattributeset hal_keymaster_hwservice_33_0 (hal_keymaster_hwservice))
+(typeattributeset hal_keymint_service_33_0 (hal_keymint_service))
+(typeattributeset hal_light_hwservice_33_0 (hal_light_hwservice))
+(typeattributeset hal_light_service_33_0 (hal_light_service))
+(typeattributeset hal_lowpan_hwservice_33_0 (hal_lowpan_hwservice))
+(typeattributeset hal_memtrack_hwservice_33_0 (hal_memtrack_hwservice))
+(typeattributeset hal_memtrack_service_33_0 (hal_memtrack_service))
+(typeattributeset hal_neuralnetworks_hwservice_33_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_neuralnetworks_service_33_0 (hal_neuralnetworks_service))
+(typeattributeset hal_nfc_hwservice_33_0 (hal_nfc_hwservice))
+(typeattributeset hal_nfc_service_33_0 (hal_nfc_service))
+(typeattributeset hal_nlinterceptor_service_33_0 (hal_nlinterceptor_service))
+(typeattributeset hal_oemlock_hwservice_33_0 (hal_oemlock_hwservice))
+(typeattributeset hal_oemlock_service_33_0 (hal_oemlock_service))
+(typeattributeset hal_omx_hwservice_33_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_33_0 (hal_power_hwservice))
+(typeattributeset hal_power_service_33_0 (hal_power_service))
+(typeattributeset hal_power_stats_hwservice_33_0 (hal_power_stats_hwservice))
+(typeattributeset hal_power_stats_service_33_0 (hal_power_stats_service))
+(typeattributeset hal_radio_service_33_0 (hal_radio_service))
+(typeattributeset hal_rebootescrow_service_33_0 (hal_rebootescrow_service))
+(typeattributeset hal_remotelyprovisionedcomponent_service_33_0 (hal_remotelyprovisionedcomponent_service))
+(typeattributeset hal_renderscript_hwservice_33_0 (hal_renderscript_hwservice))
+(typeattributeset hal_secure_element_hwservice_33_0 (hal_secure_element_hwservice))
+(typeattributeset hal_secureclock_service_33_0 (hal_secureclock_service))
+(typeattributeset hal_sensors_hwservice_33_0 (hal_sensors_hwservice))
+(typeattributeset hal_sensors_service_33_0 (hal_sensors_service))
+(typeattributeset hal_sharedsecret_service_33_0 (hal_sharedsecret_service))
+(typeattributeset hal_system_suspend_service_33_0 (hal_system_suspend_service))
+(typeattributeset hal_telephony_hwservice_33_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_33_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_thermal_hwservice_33_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_33_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_33_0 (hal_tv_input_hwservice))
+(typeattributeset hal_tv_tuner_hwservice_33_0 (hal_tv_tuner_hwservice))
+(typeattributeset hal_tv_tuner_service_33_0 (hal_tv_tuner_service))
+(typeattributeset hal_usb_gadget_hwservice_33_0 (hal_usb_gadget_hwservice))
+(typeattributeset hal_usb_hwservice_33_0 (hal_usb_hwservice))
+(typeattributeset hal_usb_service_33_0 (hal_usb_service))
+(typeattributeset hal_uwb_service_33_0 (hal_uwb_service))
+(typeattributeset hal_vehicle_hwservice_33_0 (hal_vehicle_hwservice))
+(typeattributeset hal_vehicle_service_33_0 (hal_vehicle_service))
+(typeattributeset hal_vibrator_hwservice_33_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vibrator_service_33_0 (hal_vibrator_service))
+(typeattributeset hal_vr_hwservice_33_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_33_0 (hal_weaver_hwservice))
+(typeattributeset hal_weaver_service_33_0 (hal_weaver_service))
+(typeattributeset hal_wifi_hostapd_hwservice_33_0 (hal_wifi_hostapd_hwservice))
+(typeattributeset hal_wifi_hostapd_service_33_0 (hal_wifi_hostapd_service))
+(typeattributeset hal_wifi_hwservice_33_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_33_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hal_wifi_supplicant_service_33_0 (hal_wifi_supplicant_service))
+(typeattributeset hardware_properties_service_33_0 (hardware_properties_service))
+(typeattributeset hardware_service_33_0 (hardware_service))
+(typeattributeset hci_attach_dev_33_0 (hci_attach_dev))
+(typeattributeset hdmi_config_prop_33_0 (hdmi_config_prop))
+(typeattributeset hdmi_control_service_33_0 (hdmi_control_service))
+(typeattributeset healthd_33_0 (healthd))
+(typeattributeset heapdump_data_file_33_0 (heapdump_data_file))
+(typeattributeset heapprofd_33_0 (heapprofd))
+(typeattributeset heapprofd_enabled_prop_33_0 (heapprofd_enabled_prop))
+(typeattributeset heapprofd_prop_33_0 (heapprofd_prop))
+(typeattributeset heapprofd_socket_33_0 (heapprofd_socket))
+(typeattributeset hidl_allocator_hwservice_33_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_33_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_33_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_33_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_33_0 (hidl_token_hwservice))
+(typeattributeset hint_service_33_0 (hint_service))
+(typeattributeset hw_random_device_33_0 (hw_random_device))
+(typeattributeset hw_timeout_multiplier_prop_33_0 (hw_timeout_multiplier_prop))
+(typeattributeset hwbinder_device_33_0 (hwbinder_device))
+(typeattributeset hwservice_contexts_file_33_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_33_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_33_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_33_0 (hwservicemanager_prop))
+(typeattributeset hypervisor_prop_33_0 (hypervisor_prop))
+(typeattributeset icon_file_33_0 (icon_file))
+(typeattributeset idmap_33_0 (idmap))
+(typeattributeset idmap_exec_33_0 (idmap_exec))
+(typeattributeset idmap_service_33_0 (idmap_service))
+(typeattributeset iio_device_33_0 (iio_device))
+(typeattributeset imms_service_33_0 (imms_service))
+(typeattributeset incident_33_0 (incident))
+(typeattributeset incident_data_file_33_0 (incident_data_file))
+(typeattributeset incident_helper_33_0 (incident_helper))
+(typeattributeset incident_service_33_0 (incident_service))
+(typeattributeset incidentd_33_0 (incidentd))
+(typeattributeset incremental_control_file_33_0 (incremental_control_file))
+(typeattributeset incremental_prop_33_0 (incremental_prop))
+(typeattributeset incremental_service_33_0 (incremental_service))
+(typeattributeset init_33_0 (init))
+(typeattributeset init_exec_33_0 (init_exec))
+(typeattributeset init_service_status_prop_33_0 (init_service_status_prop))
+(typeattributeset init_tmpfs_33_0 (init_tmpfs))
+(typeattributeset inotify_33_0 (inotify))
+(typeattributeset input_device_33_0 (input_device))
+(typeattributeset input_method_service_33_0 (input_method_service))
+(typeattributeset input_service_33_0 (input_service))
+(typeattributeset inputflinger_33_0 (inputflinger))
+(typeattributeset inputflinger_exec_33_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_33_0 (inputflinger_service))
+(typeattributeset install_data_file_33_0 (install_data_file))
+(typeattributeset installd_33_0 (installd))
+(typeattributeset installd_exec_33_0 (installd_exec))
+(typeattributeset installd_service_33_0 (installd_service))
+(typeattributeset ion_device_33_0 (ion_device))
+(typeattributeset iorap_inode2filename_33_0 (iorap_inode2filename))
+(typeattributeset iorap_inode2filename_exec_33_0 (iorap_inode2filename_exec))
+(typeattributeset iorap_inode2filename_tmpfs_33_0 (iorap_inode2filename_tmpfs))
+(typeattributeset iorap_prefetcherd_33_0 (iorap_prefetcherd))
+(typeattributeset iorap_prefetcherd_exec_33_0 (iorap_prefetcherd_exec))
+(typeattributeset iorap_prefetcherd_tmpfs_33_0 (iorap_prefetcherd_tmpfs))
+(typeattributeset iorapd_33_0 (iorapd))
+(typeattributeset iorapd_data_file_33_0 (iorapd_data_file))
+(typeattributeset iorapd_exec_33_0 (iorapd_exec))
+(typeattributeset iorapd_service_33_0 (iorapd_service))
+(typeattributeset iorapd_tmpfs_33_0 (iorapd_tmpfs))
+(typeattributeset ipsec_service_33_0 (ipsec_service))
+(typeattributeset iris_service_33_0 (iris_service))
+(typeattributeset iris_vendor_data_file_33_0 (iris_vendor_data_file))
+(typeattributeset isolated_app_33_0 (isolated_app))
+(typeattributeset jobscheduler_service_33_0 (jobscheduler_service))
+(typeattributeset kernel_33_0 (kernel))
+(typeattributeset keychain_data_file_33_0 (keychain_data_file))
+(typeattributeset keychord_device_33_0 (keychord_device))
+(typeattributeset keyguard_config_prop_33_0 (keyguard_config_prop))
+(typeattributeset keystore2_key_contexts_file_33_0 (keystore2_key_contexts_file))
+(typeattributeset keystore_33_0 (keystore))
+(typeattributeset keystore_compat_hal_service_33_0 (keystore_compat_hal_service))
+(typeattributeset keystore_data_file_33_0 (keystore_data_file))
+(typeattributeset keystore_exec_33_0 (keystore_exec))
+(typeattributeset keystore_maintenance_service_33_0 (keystore_maintenance_service))
+(typeattributeset keystore_metrics_service_33_0 (keystore_metrics_service))
+(typeattributeset keystore_service_33_0 (keystore_service))
+(typeattributeset kmsg_debug_device_33_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_33_0 (kmsg_device))
+(typeattributeset labeledfs_33_0 (labeledfs))
+(typeattributeset launcherapps_service_33_0 (launcherapps_service))
+(typeattributeset legacy_permission_service_33_0 (legacy_permission_service))
+(typeattributeset legacykeystore_service_33_0 (legacykeystore_service))
+(typeattributeset libc_debug_prop_33_0 (libc_debug_prop))
+(typeattributeset light_service_33_0 (light_service))
+(typeattributeset linkerconfig_file_33_0 (linkerconfig_file))
+(typeattributeset llkd_33_0 (llkd))
+(typeattributeset llkd_exec_33_0 (llkd_exec))
+(typeattributeset llkd_prop_33_0 (llkd_prop))
+(typeattributeset lmkd_33_0 (lmkd))
+(typeattributeset lmkd_config_prop_33_0 (lmkd_config_prop))
+(typeattributeset lmkd_exec_33_0 (lmkd_exec))
+(typeattributeset lmkd_prop_33_0 (lmkd_prop))
+(typeattributeset lmkd_socket_33_0 (lmkd_socket))
+(typeattributeset locale_service_33_0 (locale_service))
+(typeattributeset location_service_33_0 (location_service))
+(typeattributeset location_time_zone_manager_service_33_0 (location_time_zone_manager_service))
+(typeattributeset lock_settings_service_33_0 (lock_settings_service))
+(typeattributeset log_prop_33_0 (log_prop))
+(typeattributeset log_tag_prop_33_0 (log_tag_prop))
+(typeattributeset logcat_exec_33_0 (logcat_exec))
+(typeattributeset logd_33_0 (logd))
+(typeattributeset logd_exec_33_0 (logd_exec))
+(typeattributeset logd_prop_33_0 (logd_prop))
+(typeattributeset logd_socket_33_0 (logd_socket))
+(typeattributeset logdr_socket_33_0 (logdr_socket))
+(typeattributeset logdw_socket_33_0 (logdw_socket))
+(typeattributeset logpersist_33_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_33_0 (logpersistd_logging_prop))
+(typeattributeset loop_control_device_33_0 (loop_control_device))
+(typeattributeset loop_device_33_0 (loop_device))
+(typeattributeset looper_stats_service_33_0 (looper_stats_service))
+(typeattributeset lowpan_device_33_0 (lowpan_device))
+(typeattributeset lowpan_prop_33_0 (lowpan_prop))
+(typeattributeset lowpan_service_33_0 (lowpan_service))
+(typeattributeset lpdump_service_33_0 (lpdump_service))
+(typeattributeset lpdumpd_prop_33_0 (lpdumpd_prop))
+(typeattributeset mac_perms_file_33_0 (mac_perms_file))
+(typeattributeset mdns_service_33_0 (mdns_service))
+(typeattributeset mdns_socket_33_0 (mdns_socket))
+(typeattributeset mdnsd_33_0 (mdnsd))
+(typeattributeset mdnsd_socket_33_0 (mdnsd_socket))
+(typeattributeset media_communication_service_33_0 (media_communication_service))
+(typeattributeset media_config_prop_33_0 (media_config_prop))
+(typeattributeset media_data_file_33_0 (media_data_file))
+(typeattributeset media_metrics_service_33_0 (media_metrics_service))
+(typeattributeset media_projection_service_33_0 (media_projection_service))
+(typeattributeset media_router_service_33_0 (media_router_service))
+(typeattributeset media_rw_data_file_33_0 (media_rw_data_file media_userdir_file))
+(typeattributeset media_session_service_33_0 (media_session_service))
+(typeattributeset media_variant_prop_33_0 (media_variant_prop))
+(typeattributeset mediadrm_config_prop_33_0 (mediadrm_config_prop))
+(typeattributeset mediadrmserver_33_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_33_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_33_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_33_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_33_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_33_0 (mediaextractor_service))
+(typeattributeset mediaextractor_tmpfs_33_0 (mediaextractor_tmpfs))
+(typeattributeset mediametrics_33_0 (mediametrics))
+(typeattributeset mediametrics_exec_33_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_33_0 (mediametrics_service))
+(typeattributeset mediaprovider_33_0 (mediaprovider))
+(typeattributeset mediaserver_33_0 (mediaserver))
+(typeattributeset mediaserver_exec_33_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_33_0 (mediaserver_service))
+(typeattributeset mediaserver_tmpfs_33_0 (mediaserver_tmpfs))
+(typeattributeset mediaswcodec_33_0 (mediaswcodec))
+(typeattributeset mediaswcodec_exec_33_0 (mediaswcodec_exec))
+(typeattributeset mediatranscoding_33_0 (mediatranscoding))
+(typeattributeset mediatranscoding_service_33_0 (mediatranscoding_service))
+(typeattributeset meminfo_service_33_0 (meminfo_service))
+(typeattributeset memtrackproxy_service_33_0 (memtrackproxy_service))
+(typeattributeset metadata_block_device_33_0 (metadata_block_device))
+(typeattributeset metadata_bootstat_file_33_0 (metadata_bootstat_file))
+(typeattributeset metadata_file_33_0 (metadata_file))
+(typeattributeset method_trace_data_file_33_0 (method_trace_data_file))
+(typeattributeset midi_service_33_0 (midi_service))
+(typeattributeset mirror_data_file_33_0 (mirror_data_file))
+(typeattributeset misc_block_device_33_0 (misc_block_device))
+(typeattributeset misc_logd_file_33_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_33_0 (misc_user_data_file))
+(typeattributeset mm_events_config_prop_33_0 (mm_events_config_prop))
+(typeattributeset mmc_prop_33_0 (mmc_prop))
+(typeattributeset mnt_expand_file_33_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_33_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_33_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_pass_through_file_33_0 (mnt_pass_through_file))
+(typeattributeset mnt_product_file_33_0 (mnt_product_file))
+(typeattributeset mnt_sdcard_file_33_0 (mnt_sdcard_file))
+(typeattributeset mnt_user_file_33_0 (mnt_user_file))
+(typeattributeset mnt_vendor_file_33_0 (mnt_vendor_file))
+(typeattributeset mock_ota_prop_33_0 (mock_ota_prop))
+(typeattributeset modprobe_33_0 (modprobe))
+(typeattributeset module_sdkextensions_prop_33_0 (module_sdkextensions_prop))
+(typeattributeset mount_service_33_0 (mount_service))
+(typeattributeset mqueue_33_0 (mqueue))
+(typeattributeset mtp_33_0 (mtp))
+(typeattributeset mtp_device_33_0 (mtp_device))
+(typeattributeset mtp_exec_33_0 (mtp_exec))
+(typeattributeset mtpd_socket_33_0 (mtpd_socket))
+(typeattributeset music_recognition_service_33_0 (music_recognition_service))
+(typeattributeset nativetest_data_file_33_0 (nativetest_data_file))
+(typeattributeset nearby_service_33_0 (nearby_service))
+(typeattributeset net_data_file_33_0 (net_data_file))
+(typeattributeset net_dns_prop_33_0 (net_dns_prop))
+(typeattributeset net_radio_prop_33_0 (net_radio_prop))
+(typeattributeset netd_33_0 (netd))
+(typeattributeset netd_exec_33_0 (netd_exec))
+(typeattributeset netd_listener_service_33_0 (netd_listener_service))
+(typeattributeset netd_service_33_0 (netd_service))
+(typeattributeset netif_33_0 (netif))
+(typeattributeset netpolicy_service_33_0 (netpolicy_service))
+(typeattributeset netstats_service_33_0 (netstats_service))
+(typeattributeset netutils_wrapper_33_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_33_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_33_0 (network_management_service))
+(typeattributeset network_score_service_33_0 (network_score_service))
+(typeattributeset network_stack_33_0 (network_stack))
+(typeattributeset network_stack_service_33_0 (network_stack_service))
+(typeattributeset network_time_update_service_33_0 (network_time_update_service))
+(typeattributeset network_watchlist_data_file_33_0 (network_watchlist_data_file))
+(typeattributeset network_watchlist_service_33_0 (network_watchlist_service))
+(typeattributeset nfc_33_0 (nfc))
+(typeattributeset nfc_data_file_33_0 (nfc_data_file))
+(typeattributeset nfc_device_33_0 (nfc_device))
+(typeattributeset nfc_logs_data_file_33_0 (nfc_logs_data_file))
+(typeattributeset nfc_prop_33_0 (nfc_prop))
+(typeattributeset nfc_service_33_0 (nfc_service))
+(typeattributeset nnapi_ext_deny_product_prop_33_0 (nnapi_ext_deny_product_prop))
+(typeattributeset node_33_0 (node))
+(typeattributeset notification_service_33_0 (notification_service))
+(typeattributeset null_device_33_0 (null_device))
+(typeattributeset oem_lock_service_33_0 (oem_lock_service))
+(typeattributeset oem_unlock_prop_33_0 (oem_unlock_prop))
+(typeattributeset oemfs_33_0 (oemfs))
+(typeattributeset ota_data_file_33_0 (ota_data_file))
+(typeattributeset ota_metadata_file_33_0 (ota_metadata_file))
+(typeattributeset ota_package_file_33_0 (ota_package_file))
+(typeattributeset ota_prop_33_0 (ota_prop))
+(typeattributeset otadexopt_service_33_0 (otadexopt_service))
+(typeattributeset otapreopt_chroot_33_0 (otapreopt_chroot))
+(typeattributeset overlay_prop_33_0 (overlay_prop))
+(typeattributeset overlay_service_33_0 (overlay_service))
+(typeattributeset overlayfs_file_33_0 (overlayfs_file))
+(typeattributeset owntty_device_33_0 (owntty_device))
+(typeattributeset pac_proxy_service_33_0 (pac_proxy_service))
+(typeattributeset package_native_service_33_0 (package_native_service))
+(typeattributeset package_service_33_0 (package_service))
+(typeattributeset packagemanager_config_prop_33_0 (packagemanager_config_prop))
+(typeattributeset packages_list_file_33_0 (packages_list_file))
+(typeattributeset pan_result_prop_33_0 (pan_result_prop))
+(typeattributeset password_slot_metadata_file_33_0 (password_slot_metadata_file))
+(typeattributeset pdx_bufferhub_client_channel_socket_33_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_33_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_33_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_33_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_33_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_33_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_33_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_33_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_33_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_33_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_33_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_33_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_33_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_33_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_33_0 (pdx_performance_dir))
+(typeattributeset people_service_33_0 (people_service))
+(typeattributeset perfetto_33_0 (perfetto))
+(typeattributeset performanced_33_0 (performanced))
+(typeattributeset performanced_exec_33_0 (performanced_exec))
+(typeattributeset permission_checker_service_33_0 (permission_checker_service))
+(typeattributeset permission_service_33_0 (permission_service))
+(typeattributeset permissionmgr_service_33_0 (permissionmgr_service))
+(typeattributeset persist_debug_prop_33_0 (persist_debug_prop))
+(typeattributeset persist_vendor_debug_wifi_prop_33_0 (persist_vendor_debug_wifi_prop))
+(typeattributeset persist_wm_debug_prop_33_0 (persist_wm_debug_prop))
+(typeattributeset persistent_data_block_service_33_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_33_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_33_0 (pinner_service))
+(typeattributeset pipefs_33_0 (pipefs))
+(typeattributeset platform_app_33_0 (platform_app))
+(typeattributeset platform_compat_service_33_0 (platform_compat_service))
+(typeattributeset pmsg_device_33_0 (pmsg_device))
+(typeattributeset port_33_0 (port))
+(typeattributeset port_device_33_0 (port_device))
+(typeattributeset postinstall_33_0 (postinstall))
+(typeattributeset postinstall_apex_mnt_dir_33_0 (postinstall_apex_mnt_dir))
+(typeattributeset postinstall_file_33_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_33_0 (postinstall_mnt_dir))
+(typeattributeset power_debug_prop_33_0 (power_debug_prop))
+(typeattributeset power_service_33_0 (power_service))
+(typeattributeset powerctl_prop_33_0 (powerctl_prop))
+(typeattributeset powerstats_service_33_0 (powerstats_service))
+(typeattributeset ppp_33_0 (ppp))
+(typeattributeset ppp_device_33_0 (ppp_device))
+(typeattributeset ppp_exec_33_0 (ppp_exec))
+(typeattributeset preloads_data_file_33_0 (preloads_data_file))
+(typeattributeset preloads_media_file_33_0 (preloads_media_file))
+(typeattributeset prereboot_data_file_33_0 (prereboot_data_file))
+(typeattributeset print_service_33_0 (print_service))
+(typeattributeset priv_app_33_0 (priv_app))
+(typeattributeset privapp_data_file_33_0 (privapp_data_file))
+(typeattributeset proc_33_0 (proc))
+(typeattributeset proc_abi_33_0 (proc_abi))
+(typeattributeset proc_asound_33_0 (proc_asound))
+(typeattributeset proc_bluetooth_writable_33_0 (proc_bluetooth_writable))
+(typeattributeset proc_bootconfig_33_0 (proc_bootconfig))
+(typeattributeset proc_bpf_33_0 (proc_bpf))
+(typeattributeset proc_buddyinfo_33_0 (proc_buddyinfo))
+(typeattributeset proc_cmdline_33_0 (proc_cmdline))
+(typeattributeset proc_cpu_alignment_33_0 (proc_cpu_alignment))
+(typeattributeset proc_cpuinfo_33_0 (proc_cpuinfo))
+(typeattributeset proc_dirty_33_0 (proc_dirty))
+(typeattributeset proc_diskstats_33_0 (proc_diskstats))
+(typeattributeset proc_drop_caches_33_0 (proc_drop_caches))
+(typeattributeset proc_extra_free_kbytes_33_0 (proc_extra_free_kbytes))
+(typeattributeset proc_filesystems_33_0 (proc_filesystems))
+(typeattributeset proc_fs_verity_33_0 (proc))
+(typeattributeset proc_hostname_33_0 (proc_hostname))
+(typeattributeset proc_hung_task_33_0 (proc_hung_task))
+(typeattributeset proc_interrupts_33_0 (proc_interrupts))
+(typeattributeset proc_iomem_33_0 (proc_iomem))
+(typeattributeset proc_kallsyms_33_0 (proc_kallsyms))
+(typeattributeset proc_keys_33_0 (proc_keys))
+(typeattributeset proc_kmsg_33_0 (proc_kmsg))
+(typeattributeset proc_kpageflags_33_0 (proc_kpageflags))
+(typeattributeset proc_loadavg_33_0 (proc_loadavg))
+(typeattributeset proc_locks_33_0 (proc_locks))
+(typeattributeset proc_lowmemorykiller_33_0 (proc_lowmemorykiller))
+(typeattributeset proc_max_map_count_33_0 (proc_max_map_count))
+(typeattributeset proc_meminfo_33_0 (proc_meminfo))
+(typeattributeset proc_min_free_order_shift_33_0 (proc_min_free_order_shift))
+(typeattributeset proc_misc_33_0 (proc_misc))
+(typeattributeset proc_modules_33_0 (proc_modules))
+(typeattributeset proc_mounts_33_0 (proc_mounts))
+(typeattributeset proc_net_33_0 (proc_net))
+(typeattributeset proc_net_tcp_udp_33_0 (proc_net_tcp_udp))
+(typeattributeset proc_overcommit_memory_33_0 (proc_overcommit_memory))
+(typeattributeset proc_page_cluster_33_0 (proc_page_cluster))
+(typeattributeset proc_pagetypeinfo_33_0 (proc_pagetypeinfo))
+(typeattributeset proc_panic_33_0 (proc_panic))
+(typeattributeset proc_perf_33_0 (proc_perf))
+(typeattributeset proc_pid_max_33_0 (proc_pid_max))
+(typeattributeset proc_pipe_conf_33_0 (proc_pipe_conf))
+(typeattributeset proc_pressure_cpu_33_0 (proc_pressure_cpu))
+(typeattributeset proc_pressure_io_33_0 (proc_pressure_io))
+(typeattributeset proc_pressure_mem_33_0 (proc_pressure_mem))
+(typeattributeset proc_qtaguid_ctrl_33_0 (proc_qtaguid_ctrl))
+(typeattributeset proc_qtaguid_stat_33_0 (proc_qtaguid_stat))
+(typeattributeset proc_random_33_0 (proc_random))
+(typeattributeset proc_sched_33_0 (proc_sched))
+(typeattributeset proc_security_33_0 (proc_security))
+(typeattributeset proc_slabinfo_33_0 (proc_slabinfo))
+(typeattributeset proc_stat_33_0 (proc_stat))
+(typeattributeset proc_swaps_33_0 (proc_swaps))
+(typeattributeset proc_sysrq_33_0 (proc_sysrq))
+(typeattributeset proc_timer_33_0 (proc_timer))
+(typeattributeset proc_tty_drivers_33_0 (proc_tty_drivers))
+(typeattributeset proc_uid_concurrent_active_time_33_0 (proc_uid_concurrent_active_time))
+(typeattributeset proc_uid_concurrent_policy_time_33_0 (proc_uid_concurrent_policy_time))
+(typeattributeset proc_uid_cpupower_33_0 (proc_uid_cpupower))
+(typeattributeset proc_uid_cputime_removeuid_33_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_33_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_33_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_33_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_33_0 (proc_uid_time_in_state))
+(typeattributeset proc_uptime_33_0 (proc_uptime))
+(typeattributeset proc_vendor_sched_33_0 (proc_vendor_sched))
+(typeattributeset proc_version_33_0 (proc_version))
+(typeattributeset proc_vmallocinfo_33_0 (proc_vmallocinfo))
+(typeattributeset proc_vmstat_33_0 (proc_vmstat))
+(typeattributeset proc_watermark_boost_factor_33_0 (proc_watermark_boost_factor))
+(typeattributeset proc_watermark_scale_factor_33_0 (proc_watermark_scale_factor))
+(typeattributeset proc_zoneinfo_33_0 (proc_zoneinfo))
+(typeattributeset processinfo_service_33_0 (processinfo_service))
+(typeattributeset procstats_service_33_0 (procstats_service))
+(typeattributeset profman_33_0 (profman))
+(typeattributeset profman_dump_data_file_33_0 (profman_dump_data_file))
+(typeattributeset profman_exec_33_0 (profman_exec))
+(typeattributeset properties_device_33_0 (properties_device))
+(typeattributeset properties_serial_33_0 (properties_serial))
+(typeattributeset property_contexts_file_33_0 (property_contexts_file))
+(typeattributeset property_data_file_33_0 (property_data_file))
+(typeattributeset property_info_33_0 (property_info))
+(typeattributeset property_service_version_prop_33_0 (property_service_version_prop))
+(typeattributeset property_socket_33_0 (property_socket))
+(typeattributeset provisioned_prop_33_0 (provisioned_prop))
+(typeattributeset pstorefs_33_0 (pstorefs))
+(typeattributeset ptmx_device_33_0 (ptmx_device))
+(typeattributeset qemu_hw_prop_33_0 (qemu_hw_prop))
+(typeattributeset qemu_sf_lcd_density_prop_33_0 (qemu_sf_lcd_density_prop))
+(typeattributeset qtaguid_device_33_0 (qtaguid_device))
+(typeattributeset racoon_33_0 (racoon))
+(typeattributeset racoon_exec_33_0 (racoon_exec))
+(typeattributeset racoon_socket_33_0 (racoon_socket))
+(typeattributeset radio_33_0 (radio))
+(typeattributeset radio_control_prop_33_0 (radio_control_prop))
+(typeattributeset radio_core_data_file_33_0 (radio_core_data_file))
+(typeattributeset radio_data_file_33_0 (radio_data_file))
+(typeattributeset radio_device_33_0 (radio_device))
+(typeattributeset radio_prop_33_0 (radio_prop))
+(typeattributeset radio_service_33_0 (radio_service))
+(typeattributeset ram_device_33_0 (ram_device))
+(typeattributeset random_device_33_0 (random_device))
+(typeattributeset reboot_readiness_service_33_0 (reboot_readiness_service))
+(typeattributeset rebootescrow_hal_prop_33_0 (rebootescrow_hal_prop))
+(typeattributeset recovery_33_0 (recovery))
+(typeattributeset recovery_block_device_33_0 (recovery_block_device))
+(typeattributeset recovery_config_prop_33_0 (recovery_config_prop))
+(typeattributeset recovery_data_file_33_0 (recovery_data_file))
+(typeattributeset recovery_persist_33_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_33_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_33_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_33_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_33_0 (recovery_service))
+(typeattributeset recovery_socket_33_0 (recovery_socket))
+(typeattributeset registry_service_33_0 (registry_service))
+(typeattributeset remotelyprovisionedkeypool_service_33_0 (remotelyprovisionedkeypool_service))
+(typeattributeset remoteprovisioning_service_33_0 (remoteprovisioning_service))
+(typeattributeset resourcecache_data_file_33_0 (resourcecache_data_file))
+(typeattributeset resources_manager_service_33_0 (resources_manager_service))
+(typeattributeset restorecon_prop_33_0 (restorecon_prop))
+(typeattributeset restrictions_service_33_0 (restrictions_service))
+(typeattributeset retaildemo_prop_33_0 (retaildemo_prop))
+(typeattributeset rild_debug_socket_33_0 (rild_debug_socket))
+(typeattributeset rild_socket_33_0 (rild_socket))
+(typeattributeset ringtone_file_33_0 (ringtone_file))
+(typeattributeset role_service_33_0 (role_service))
+(typeattributeset rollback_service_33_0 (rollback_service))
+(typeattributeset root_block_device_33_0 (root_block_device))
+(typeattributeset rootdisk_sysdev_33_0 (rootdisk_sysdev))
+(typeattributeset rootfs_33_0 (rootfs))
+(typeattributeset rpmsg_device_33_0 (rpmsg_device))
+(typeattributeset rs_33_0 (rs))
+(typeattributeset rs_exec_33_0 (rs_exec))
+(typeattributeset rss_hwm_reset_33_0 (rss_hwm_reset))
+(typeattributeset rtc_device_33_0 (rtc_device))
+(typeattributeset rttmanager_service_33_0 (rttmanager_service))
+(typeattributeset runas_33_0 (runas))
+(typeattributeset runas_app_33_0 (runas_app))
+(typeattributeset runas_exec_33_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_33_0 (runtime_event_log_tags_file))
+(typeattributeset runtime_service_33_0 (runtime_service))
+(typeattributeset safemode_prop_33_0 (safemode_prop))
+(typeattributeset same_process_hal_file_33_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_33_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_33_0 (scheduling_policy_service))
+(typeattributeset sdcard_block_device_33_0 (sdcard_block_device))
+(typeattributeset sdcardd_33_0 (sdcardd))
+(typeattributeset sdcardd_exec_33_0 (sdcardd_exec))
+(typeattributeset sdcardfs_33_0 (sdcardfs))
+(typeattributeset sdk_sandbox_service_33_0 (sdk_sandbox_service))
+(typeattributeset seapp_contexts_file_33_0 (seapp_contexts_file))
+(typeattributeset search_service_33_0 (search_service))
+(typeattributeset search_ui_service_33_0 (search_ui_service))
+(typeattributeset sec_key_att_app_id_provider_service_33_0 (sec_key_att_app_id_provider_service))
+(typeattributeset secure_element_33_0 (secure_element))
+(typeattributeset secure_element_device_33_0 (secure_element_device))
+(typeattributeset secure_element_service_33_0 (secure_element_service))
+(typeattributeset securityfs_33_0 (securityfs))
+(typeattributeset selection_toolbar_service_33_0 (selection_toolbar_service))
+(typeattributeset selinuxfs_33_0 (selinuxfs))
+(typeattributeset sendbug_config_prop_33_0 (sendbug_config_prop))
+(typeattributeset sensor_privacy_service_33_0 (sensor_privacy_service))
+(typeattributeset sensors_device_33_0 (sensors_device))
+(typeattributeset sensorservice_service_33_0 (sensorservice_service))
+(typeattributeset sepolicy_file_33_0 (sepolicy_file))
+(typeattributeset serial_device_33_0 (serial_device))
+(typeattributeset serial_service_33_0 (serial_service))
+(typeattributeset serialno_prop_33_0 (serialno_prop))
+(typeattributeset server_configurable_flags_data_file_33_0 (server_configurable_flags_data_file))
+(typeattributeset service_contexts_file_33_0 (service_contexts_file))
+(typeattributeset service_manager_service_33_0 (service_manager_service))
+(typeattributeset service_manager_vndservice_33_0 (service_manager_vndservice))
+(typeattributeset servicediscovery_service_33_0 (servicediscovery_service))
+(typeattributeset servicemanager_33_0 (servicemanager))
+(typeattributeset servicemanager_exec_33_0 (servicemanager_exec))
+(typeattributeset settings_service_33_0 (settings_service))
+(typeattributeset sgdisk_33_0 (sgdisk))
+(typeattributeset sgdisk_exec_33_0 (sgdisk_exec))
+(typeattributeset shared_relro_33_0 (shared_relro))
+(typeattributeset shared_relro_file_33_0 (shared_relro_file))
+(typeattributeset shell_33_0 (shell))
+(typeattributeset shell_data_file_33_0 (shell_data_file))
+(typeattributeset shell_exec_33_0 (shell_exec))
+(typeattributeset shell_prop_33_0 (shell_prop))
+(typeattributeset shell_test_data_file_33_0 (shell_test_data_file))
+(typeattributeset shm_33_0 (shm))
+(typeattributeset shortcut_manager_icons_33_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_33_0 (shortcut_service))
+(typeattributeset simpleperf_33_0 (simpleperf))
+(typeattributeset simpleperf_app_runner_33_0 (simpleperf_app_runner))
+(typeattributeset simpleperf_app_runner_exec_33_0 (simpleperf_app_runner_exec))
+(typeattributeset slice_service_33_0 (slice_service))
+(typeattributeset slideshow_33_0 (slideshow))
+(typeattributeset smart_idle_maint_enabled_prop_33_0 (smart_idle_maint_enabled_prop))
+(typeattributeset smartspace_service_33_0 (smartspace_service))
+(typeattributeset snapshotctl_log_data_file_33_0 (snapshotctl_log_data_file))
+(typeattributeset snapuserd_proxy_socket_33_0 (snapuserd_proxy_socket))
+(typeattributeset snapuserd_socket_33_0 (snapuserd_socket))
+(typeattributeset soc_prop_33_0 (soc_prop))
+(typeattributeset socket_device_33_0 (socket_device))
+(typeattributeset socket_hook_prop_33_0 (socket_hook_prop))
+(typeattributeset sockfs_33_0 (sockfs))
+(typeattributeset sota_prop_33_0 (sota_prop))
+(typeattributeset soundtrigger_middleware_service_33_0 (soundtrigger_middleware_service))
+(typeattributeset speech_recognition_service_33_0 (speech_recognition_service))
+(typeattributeset sqlite_log_prop_33_0 (sqlite_log_prop))
+(typeattributeset staged_install_file_33_0 (staged_install_file))
+(typeattributeset staging_data_file_33_0 (staging_data_file))
+(typeattributeset stats_data_file_33_0 (stats_data_file))
+(typeattributeset statsd_33_0 (statsd))
+(typeattributeset statsd_exec_33_0 (statsd_exec))
+(typeattributeset statsdw_socket_33_0 (statsdw_socket))
+(typeattributeset statusbar_service_33_0 (statusbar_service))
+(typeattributeset storage_config_prop_33_0 (storage_config_prop))
+(typeattributeset storage_file_33_0 (storage_file))
+(typeattributeset storage_stub_file_33_0 (storage_stub_file))
+(typeattributeset storaged_service_33_0 (storaged_service))
+(typeattributeset storagemanager_config_prop_33_0 (storagemanager_config_prop))
+(typeattributeset storagestats_service_33_0 (storagestats_service))
+(typeattributeset su_33_0 (su))
+(typeattributeset su_exec_33_0 (su_exec))
+(typeattributeset super_block_device_33_0 (super_block_device))
+(typeattributeset surfaceflinger_33_0 (surfaceflinger))
+(typeattributeset surfaceflinger_color_prop_33_0 (surfaceflinger_color_prop))
+(typeattributeset surfaceflinger_display_prop_33_0 (surfaceflinger_display_prop))
+(typeattributeset surfaceflinger_prop_33_0 (surfaceflinger_prop))
+(typeattributeset surfaceflinger_service_33_0 (surfaceflinger_service))
+(typeattributeset surfaceflinger_tmpfs_33_0 (surfaceflinger_tmpfs))
+(typeattributeset suspend_prop_33_0 (suspend_prop))
+(typeattributeset swap_block_device_33_0 (swap_block_device))
+(typeattributeset sysfs_33_0 (sysfs))
+(typeattributeset sysfs_android_usb_33_0 (sysfs_android_usb))
+(typeattributeset sysfs_batteryinfo_33_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_33_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devfreq_cur_33_0 (sysfs_devfreq_cur))
+(typeattributeset sysfs_devfreq_dir_33_0 (sysfs_devfreq_dir))
+(typeattributeset sysfs_devices_block_33_0 (sysfs_devices_block))
+(typeattributeset sysfs_devices_cs_etm_33_0 (sysfs_devices_cs_etm))
+(typeattributeset sysfs_devices_system_cpu_33_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_dm_33_0 (sysfs_dm))
+(typeattributeset sysfs_dm_verity_33_0 (sysfs_dm_verity))
+(typeattributeset sysfs_dma_heap_33_0 (sysfs_dma_heap))
+(typeattributeset sysfs_dmabuf_stats_33_0 (sysfs_dmabuf_stats))
+(typeattributeset sysfs_dt_firmware_android_33_0 (sysfs_dt_firmware_android))
+(typeattributeset sysfs_extcon_33_0 (sysfs_extcon))
+(typeattributeset sysfs_fs_ext4_features_33_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_fs_f2fs_33_0 (sysfs_fs_f2fs))
+(typeattributeset sysfs_fs_fuse_bpf_33_0 (sysfs_fs_fuse_bpf))
+(typeattributeset sysfs_fs_incfs_features_33_0 (sysfs_fs_incfs_features))
+(typeattributeset sysfs_fs_incfs_metrics_33_0 (sysfs_fs_incfs_metrics))
+(typeattributeset sysfs_gpu_33_0 (sysfs_gpu))
+(typeattributeset sysfs_hwrandom_33_0 (sysfs_hwrandom))
+(typeattributeset sysfs_ion_33_0 (sysfs_ion))
+(typeattributeset sysfs_ipv4_33_0 (sysfs_ipv4))
+(typeattributeset sysfs_kernel_notes_33_0 (sysfs_kernel_notes))
+(typeattributeset sysfs_leds_33_0 (sysfs_leds))
+(typeattributeset sysfs_loop_33_0 (sysfs_loop))
+(typeattributeset sysfs_lowmemorykiller_33_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_lru_gen_enabled_33_0 (sysfs_lru_gen_enabled))
+(typeattributeset sysfs_net_33_0 (sysfs_net))
+(typeattributeset sysfs_nfc_power_writable_33_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_power_33_0 (sysfs_power))
+(typeattributeset sysfs_rtc_33_0 (sysfs_rtc))
+(typeattributeset sysfs_suspend_stats_33_0 (sysfs_suspend_stats))
+(typeattributeset sysfs_switch_33_0 (sysfs_switch))
+(typeattributeset sysfs_thermal_33_0 (sysfs_thermal))
+(typeattributeset sysfs_transparent_hugepage_33_0 (sysfs_transparent_hugepage))
+(typeattributeset sysfs_uhid_33_0 (sysfs_uhid))
+(typeattributeset sysfs_uio_33_0 (sysfs_uio))
+(typeattributeset sysfs_usb_33_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_33_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vendor_sched_33_0 (sysfs_vendor_sched))
+(typeattributeset sysfs_vibrator_33_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_33_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wakeup_33_0 (sysfs_wakeup))
+(typeattributeset sysfs_wakeup_reasons_33_0 (sysfs_wakeup_reasons))
+(typeattributeset sysfs_wlan_fwpath_33_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_33_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_33_0 (sysfs_zram_uevent))
+(typeattributeset system_app_33_0 (system_app))
+(typeattributeset system_app_data_file_33_0 (system_app_data_file))
+(typeattributeset system_app_service_33_0 (system_app_service))
+(typeattributeset system_asan_options_file_33_0 (system_asan_options_file))
+(typeattributeset system_block_device_33_0 (system_block_device))
+(typeattributeset system_boot_reason_prop_33_0 (system_boot_reason_prop))
+(typeattributeset system_bootstrap_lib_file_33_0 (system_bootstrap_lib_file))
+(typeattributeset system_config_service_33_0 (system_config_service))
+(typeattributeset system_data_file_33_0 (system_data_file system_userdir_file))
+(typeattributeset system_data_root_file_33_0 (system_data_root_file))
+(typeattributeset system_dlkm_file_33_0 (system_dlkm_file))
+(typeattributeset system_event_log_tags_file_33_0 (system_event_log_tags_file))
+(typeattributeset system_file_33_0 (system_file))
+(typeattributeset system_group_file_33_0 (system_group_file))
+(typeattributeset system_jvmti_agent_prop_33_0 (system_jvmti_agent_prop))
+(typeattributeset system_lib_file_33_0 (system_lib_file))
+(typeattributeset system_linker_config_file_33_0 (system_linker_config_file))
+(typeattributeset system_linker_exec_33_0 (system_linker_exec))
+(typeattributeset system_lmk_prop_33_0 (system_lmk_prop))
+(typeattributeset system_ndebug_socket_33_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_33_0 (system_net_netd_hwservice))
+(typeattributeset system_passwd_file_33_0 (system_passwd_file))
+(typeattributeset system_prop_33_0 (system_prop))
+(typeattributeset system_seccomp_policy_file_33_0 (system_seccomp_policy_file))
+(typeattributeset system_security_cacerts_file_33_0 (system_security_cacerts_file))
+(typeattributeset system_server_33_0 (system_server))
+(typeattributeset system_server_dumper_service_33_0 (system_server_dumper_service))
+(typeattributeset system_server_tmpfs_33_0 (system_server_tmpfs))
+(typeattributeset system_suspend_control_internal_service_33_0 (system_suspend_control_internal_service))
+(typeattributeset system_suspend_control_service_33_0 (system_suspend_control_service))
+(typeattributeset system_suspend_hwservice_33_0 (system_suspend_hwservice))
+(typeattributeset system_trace_prop_33_0 (system_trace_prop))
+(typeattributeset system_unsolzygote_socket_33_0 (system_unsolzygote_socket))
+(typeattributeset system_update_service_33_0 (system_update_service))
+(typeattributeset system_wifi_keystore_hwservice_33_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_33_0 (system_wpa_socket))
+(typeattributeset system_zoneinfo_file_33_0 (system_zoneinfo_file))
+(typeattributeset systemkeys_data_file_33_0 (systemkeys_data_file))
+(typeattributeset systemsound_config_prop_33_0 (systemsound_config_prop))
+(typeattributeset tare_service_33_0 (tare_service))
+(typeattributeset task_profiles_api_file_33_0 (task_profiles_api_file))
+(typeattributeset task_profiles_file_33_0 (task_profiles_file))
+(typeattributeset task_service_33_0 (task_service))
+(typeattributeset tcpdump_exec_33_0 (tcpdump_exec))
+(typeattributeset tee_33_0 (tee))
+(typeattributeset tee_data_file_33_0 (tee_data_file))
+(typeattributeset tee_device_33_0 (tee_device))
+(typeattributeset telecom_service_33_0 (telecom_service))
+(typeattributeset telephony_config_prop_33_0 (telephony_config_prop))
+(typeattributeset telephony_status_prop_33_0 (telephony_status_prop))
+(typeattributeset test_boot_reason_prop_33_0 (test_boot_reason_prop))
+(typeattributeset test_harness_prop_33_0 (test_harness_prop))
+(typeattributeset testharness_service_33_0 (testharness_service))
+(typeattributeset tethering_service_33_0 (tethering_service))
+(typeattributeset textclassification_service_33_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_33_0 (textclassifier_data_file))
+(typeattributeset textservices_service_33_0 (textservices_service))
+(typeattributeset texttospeech_service_33_0 (texttospeech_service))
+(typeattributeset theme_prop_33_0 (theme_prop))
+(typeattributeset thermal_service_33_0 (thermal_service))
+(typeattributeset time_prop_33_0 (time_prop))
+(typeattributeset timedetector_service_33_0 (timedetector_service))
+(typeattributeset timezone_service_33_0 (timezone_service))
+(typeattributeset timezonedetector_service_33_0 (timezonedetector_service))
+(typeattributeset tmpfs_33_0 (tmpfs))
+(typeattributeset tombstone_config_prop_33_0 (tombstone_config_prop))
+(typeattributeset tombstone_data_file_33_0 (tombstone_data_file))
+(typeattributeset tombstone_wifi_data_file_33_0 (tombstone_wifi_data_file))
+(typeattributeset tombstoned_33_0 (tombstoned))
+(typeattributeset tombstoned_crash_socket_33_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_33_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_33_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_33_0 (tombstoned_java_trace_socket))
+(typeattributeset toolbox_33_0 (toolbox))
+(typeattributeset toolbox_exec_33_0 (toolbox_exec))
+(typeattributeset trace_data_file_33_0 (trace_data_file))
+(typeattributeset traced_33_0 (traced))
+(typeattributeset traced_consumer_socket_33_0 (traced_consumer_socket))
+(typeattributeset traced_enabled_prop_33_0 (traced_enabled_prop))
+(typeattributeset traced_lazy_prop_33_0 (traced_lazy_prop))
+(typeattributeset traced_perf_33_0 (traced_perf))
+(typeattributeset traced_perf_socket_33_0 (traced_perf_socket))
+(typeattributeset traced_probes_33_0 (traced_probes))
+(typeattributeset traced_producer_socket_33_0 (traced_producer_socket))
+(typeattributeset traced_tmpfs_33_0 (traced_tmpfs))
+(typeattributeset traceur_app_33_0 (traceur_app))
+(typeattributeset translation_service_33_0 (translation_service))
+(typeattributeset trust_service_33_0 (trust_service))
+(typeattributeset tty_device_33_0 (tty_device))
+(typeattributeset tun_device_33_0 (tun_device))
+(typeattributeset tv_iapp_service_33_0 (tv_iapp_service))
+(typeattributeset tv_input_service_33_0 (tv_input_service))
+(typeattributeset tv_tuner_resource_mgr_service_33_0 (tv_tuner_resource_mgr_service))
+(typeattributeset tzdatacheck_33_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_33_0 (tzdatacheck_exec))
+(typeattributeset ueventd_33_0 (ueventd))
+(typeattributeset ueventd_tmpfs_33_0 (ueventd_tmpfs))
+(typeattributeset uhid_device_33_0 (uhid_device))
+(typeattributeset uimode_service_33_0 (uimode_service))
+(typeattributeset uio_device_33_0 (uio_device))
+(typeattributeset uncrypt_33_0 (uncrypt))
+(typeattributeset uncrypt_exec_33_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_33_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_33_0 (unencrypted_data_file))
+(typeattributeset unlabeled_33_0 (unlabeled))
+(typeattributeset untrusted_app_25_33_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_33_0 (untrusted_app_27))
+(typeattributeset untrusted_app_29_33_0 (untrusted_app_29))
+(typeattributeset untrusted_app_30_33_0 (untrusted_app_30))
+(typeattributeset untrusted_app_33_0
+  ( untrusted_app
+    untrusted_app_32
+))
+(typeattributeset update_engine_33_0 (update_engine))
+(typeattributeset update_engine_data_file_33_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_33_0 (update_engine_exec))
+(typeattributeset update_engine_log_data_file_33_0 (update_engine_log_data_file))
+(typeattributeset update_engine_service_33_0 (update_engine_service))
+(typeattributeset update_engine_stable_service_33_0 (update_engine_stable_service))
+(typeattributeset update_verifier_33_0 (update_verifier))
+(typeattributeset update_verifier_exec_33_0 (update_verifier_exec))
+(typeattributeset updatelock_service_33_0 (updatelock_service))
+(typeattributeset uri_grants_service_33_0 (uri_grants_service))
+(typeattributeset usagestats_service_33_0 (usagestats_service))
+(typeattributeset usb_config_prop_33_0 (usb_config_prop))
+(typeattributeset usb_control_prop_33_0 (usb_control_prop))
+(typeattributeset usb_device_33_0 (usb_device))
+(typeattributeset usb_prop_33_0 (usb_prop))
+(typeattributeset usb_serial_device_33_0 (usb_serial_device))
+(typeattributeset usb_service_33_0 (usb_service))
+(typeattributeset usbaccessory_device_33_0 (usbaccessory_device))
+(typeattributeset usbd_33_0 (usbd))
+(typeattributeset usbd_exec_33_0 (usbd_exec))
+(typeattributeset usbfs_33_0 (usbfs))
+(typeattributeset use_memfd_prop_33_0 (use_memfd_prop))
+(typeattributeset user_profile_data_file_33_0 (user_profile_data_file))
+(typeattributeset user_profile_root_file_33_0 (user_profile_root_file))
+(typeattributeset user_service_33_0 (user_service))
+(typeattributeset userdata_block_device_33_0 (userdata_block_device))
+(typeattributeset userdata_sysdev_33_0 (userdata_sysdev))
+(typeattributeset usermodehelper_33_0 (usermodehelper))
+(typeattributeset userspace_reboot_config_prop_33_0 (userspace_reboot_config_prop))
+(typeattributeset userspace_reboot_exported_prop_33_0 (userspace_reboot_exported_prop))
+(typeattributeset userspace_reboot_metadata_file_33_0 (userspace_reboot_metadata_file))
+(typeattributeset uwb_service_33_0 (uwb_service))
+(typeattributeset vcn_management_service_33_0 (vcn_management_service))
+(typeattributeset vd_device_33_0 (vd_device))
+(typeattributeset vdc_33_0 (vdc))
+(typeattributeset vdc_exec_33_0 (vdc_exec))
+(typeattributeset vehicle_hal_prop_33_0 (vehicle_hal_prop))
+(typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
+(typeattributeset vendor_app_file_33_0 (vendor_app_file))
+(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
+(typeattributeset vendor_configs_file_33_0 (vendor_configs_file))
+(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
+(typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
+(typeattributeset vendor_file_33_0 (vendor_file))
+(typeattributeset vendor_framework_file_33_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_33_0 (vendor_hal_file))
+(typeattributeset vendor_idc_file_33_0 (vendor_idc_file))
+(typeattributeset vendor_init_33_0 (vendor_init))
+(typeattributeset vendor_kernel_modules_33_0 (vendor_kernel_modules))
+(typeattributeset vendor_keychars_file_33_0 (vendor_keychars_file))
+(typeattributeset vendor_keylayout_file_33_0 (vendor_keylayout_file))
+(typeattributeset vendor_misc_writer_33_0 (vendor_misc_writer))
+(typeattributeset vendor_misc_writer_exec_33_0 (vendor_misc_writer_exec))
+(typeattributeset vendor_modprobe_33_0 (vendor_modprobe))
+(typeattributeset vendor_overlay_file_33_0 (vendor_overlay_file))
+(typeattributeset vendor_public_framework_file_33_0 (vendor_public_framework_file))
+(typeattributeset vendor_public_lib_file_33_0 (vendor_public_lib_file))
+(typeattributeset vendor_security_patch_level_prop_33_0 (vendor_security_patch_level_prop))
+(typeattributeset vendor_service_contexts_file_33_0 (vendor_service_contexts_file))
+(typeattributeset vendor_shell_33_0 (vendor_shell))
+(typeattributeset vendor_shell_exec_33_0 (vendor_shell_exec))
+(typeattributeset vendor_socket_hook_prop_33_0 (vendor_socket_hook_prop))
+(typeattributeset vendor_task_profiles_file_33_0 (vendor_task_profiles_file))
+(typeattributeset vendor_toolbox_exec_33_0 (vendor_toolbox_exec))
+(typeattributeset vendor_uuid_mapping_config_file_33_0 (vendor_uuid_mapping_config_file))
+(typeattributeset vendor_vm_data_file_33_0 (vendor_vm_data_file))
+(typeattributeset vendor_vm_file_33_0 (vendor_vm_file))
+(typeattributeset vfat_33_0 (vfat))
+(typeattributeset vibrator_manager_service_33_0 (vibrator_manager_service))
+(typeattributeset vibrator_service_33_0 (vibrator_service))
+(typeattributeset video_device_33_0 (video_device))
+(typeattributeset virtual_ab_prop_33_0 (virtual_ab_prop))
+(typeattributeset virtual_device_service_33_0 (virtual_device_service))
+(typeattributeset virtual_touchpad_33_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_33_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_33_0 (virtual_touchpad_service))
+(typeattributeset virtualization_service_33_0 (virtualization_service))
+(typeattributeset vndbinder_device_33_0 (vndbinder_device))
+(typeattributeset vndk_prop_33_0 (vndk_prop))
+(typeattributeset vndk_sp_file_33_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_33_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_33_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_33_0 (voiceinteraction_service))
+(typeattributeset vold_33_0 (vold))
+(typeattributeset vold_config_prop_33_0 (vold_config_prop))
+(typeattributeset vold_data_file_33_0 (vold_data_file))
+(typeattributeset vold_device_33_0 (vold_device))
+(typeattributeset vold_exec_33_0 (vold_exec))
+(typeattributeset vold_metadata_file_33_0 (vold_metadata_file))
+(typeattributeset vold_post_fs_data_prop_33_0 (vold_post_fs_data_prop))
+(typeattributeset vold_prepare_subdirs_33_0 (vold_prepare_subdirs))
+(typeattributeset vold_prepare_subdirs_exec_33_0 (vold_prepare_subdirs_exec))
+(typeattributeset vold_prop_33_0 (vold_prop))
+(typeattributeset vold_service_33_0 (vold_service))
+(typeattributeset vold_status_prop_33_0 (vold_status_prop))
+(typeattributeset vpn_data_file_33_0 (vpn_data_file))
+(typeattributeset vpn_management_service_33_0 (vpn_management_service))
+(typeattributeset vr_hwc_service_33_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_33_0 (vr_manager_service))
+(typeattributeset vrflinger_vsync_service_33_0 (vrflinger_vsync_service))
+(typeattributeset vts_config_prop_33_0 (vts_config_prop))
+(typeattributeset vts_status_prop_33_0 (vts_status_prop))
+(typeattributeset wallpaper_effects_generation_service_33_0 (wallpaper_effects_generation_service))
+(typeattributeset wallpaper_file_33_0 (wallpaper_file))
+(typeattributeset wallpaper_service_33_0 (wallpaper_service))
+(typeattributeset watchdog_device_33_0 (watchdog_device))
+(typeattributeset watchdog_metadata_file_33_0 (watchdog_metadata_file))
+(typeattributeset watchdogd_33_0 (watchdogd))
+(typeattributeset watchdogd_exec_33_0 (watchdogd_exec))
+(typeattributeset webview_zygote_33_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_33_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_tmpfs_33_0 (webview_zygote_tmpfs))
+(typeattributeset webviewupdate_service_33_0 (webviewupdate_service))
+(typeattributeset wifi_config_prop_33_0 (wifi_config_prop))
+(typeattributeset wifi_data_file_33_0 (wifi_data_file))
+(typeattributeset wifi_hal_prop_33_0 (wifi_hal_prop))
+(typeattributeset wifi_key_33_0 (wifi_key))
+(typeattributeset wifi_log_prop_33_0 (wifi_log_prop))
+(typeattributeset wifi_prop_33_0 (wifi_prop))
+(typeattributeset wifi_service_33_0 (wifi_service))
+(typeattributeset wifiaware_service_33_0 (wifiaware_service))
+(typeattributeset wificond_33_0 (wificond))
+(typeattributeset wificond_exec_33_0 (wificond_exec))
+(typeattributeset wifinl80211_service_33_0 (wifinl80211_service))
+(typeattributeset wifip2p_service_33_0 (wifip2p_service))
+(typeattributeset wifiscanner_service_33_0 (wifiscanner_service))
+(typeattributeset window_service_33_0 (window_service))
+(typeattributeset wpa_socket_33_0 (wpa_socket))
+(typeattributeset wpantund_33_0 (wpantund))
+(typeattributeset wpantund_exec_33_0 (wpantund_exec))
+(typeattributeset wpantund_service_33_0 (wpantund_service))
+(typeattributeset zero_device_33_0 (zero_device))
+(typeattributeset zoneinfo_data_file_33_0 (zoneinfo_data_file))
+(typeattributeset zram_config_prop_33_0 (zram_config_prop))
+(typeattributeset zram_control_prop_33_0 (zram_control_prop))
+(typeattributeset zygote_33_0 (zygote))
+(typeattributeset zygote_config_prop_33_0 (zygote_config_prop))
+(typeattributeset zygote_exec_33_0 (zygote_exec))
+(typeattributeset zygote_socket_33_0 (zygote_socket))
+(typeattributeset zygote_tmpfs_33_0 (zygote_tmpfs))
diff --git a/private/compat/33.0/33.0.compat.cil b/private/compat/33.0/33.0.compat.cil
new file mode 100644
index 0000000..53ee8ff
--- /dev/null
+++ b/private/compat/33.0/33.0.compat.cil
@@ -0,0 +1,3 @@
+;; complement CIL file for compatibility between ToT policy and 33.0 vendors.
+;; will be compiled along with other normal policy files, on 33.0 vendors.
+;;
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
new file mode 100644
index 0000000..30a7e35
--- /dev/null
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -0,0 +1,63 @@
+;; new_objects - a collection of types that have been introduced with ToT policy
+;;   that have no analogue in 33.0 policy.  Thus, we do not need to map
+;;   these types to previous ones.  Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+  ( new_objects
+    adaptive_haptics_prop
+    apex_ready_prop
+    artd
+    bt_device
+    build_attestation_prop
+    credential_service
+    device_as_webcam
+    device_config_camera_native_prop
+    device_config_memory_safety_native_boot_prop
+    device_config_memory_safety_native_prop
+    device_config_vendor_system_native_prop
+    devicelock_service
+    fwk_altitude_service
+    fwk_camera_service
+    fwk_sensor_service
+    grammatical_inflection_service
+    hal_bluetooth_service
+    hal_bootctl_service
+    hal_cas_service
+    hal_remoteaccess_service
+    hal_secure_element_service
+    hal_tetheroffload_service
+    hal_thermal_service
+    hal_usb_gadget_service
+    hal_tv_input_service
+    hal_tv_hdmi_cec_service
+    hal_tv_hdmi_connection_service
+    hal_tv_hdmi_earc_service
+    hal_wifi_service
+    healthconnect_service
+    hypervisor_restricted_prop
+    isolated_compute_app
+    keystore_config_prop
+    ntfs
+    ondevicepersonalization_system_service
+    permissive_mte_prop
+    prng_seeder
+    recovery_usb_config_prop
+    remote_provisioning_service
+    rkpdapp
+    servicemanager_prop
+    system_net_netd_service
+    timezone_metadata_prop
+    tuner_config_prop
+    tuner_server_ctl_prop
+    usb_uvc_enabled_prop
+    virtual_face_hal_prop
+    virtual_fingerprint_hal_prop
+    hal_gatekeeper_service
+    hal_broadcastradio_service
+    hal_confirmationui_service
+    hal_fastboot_service
+    hal_can_controller_service
+    zoned_block_device
+    future_pm_prop
+  ))
diff --git a/private/compos_verify.te b/private/compos_verify.te
index 0a281f8..5b3615e 100644
--- a/private/compos_verify.te
+++ b/private/compos_verify.te
@@ -6,9 +6,10 @@
 binder_use(compos_verify);
 virtualizationservice_use(compos_verify);
 
-# Access instance image files
+# Read instance image & write VM logs
 allow compos_verify apex_module_data_file:dir search;
-r_dir_file(compos_verify, apex_compos_data_file)
+allow compos_verify apex_compos_data_file:dir rw_dir_perms;
+allow compos_verify apex_compos_data_file:file { rw_file_perms create };
 
 # Read CompOS info & signature files
 allow compos_verify apex_art_data_file:dir search;
diff --git a/private/coredomain.te b/private/coredomain.te
index e4c9a52..96ce488 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,3 +1,4 @@
+get_prop(coredomain, apex_ready_prop)
 get_prop(coredomain, boot_status_prop)
 get_prop(coredomain, camera_config_prop)
 get_prop(coredomain, dalvik_config_prop)
@@ -50,6 +51,7 @@
     neverallow {
         coredomain
         -appdomain
+        -artd
         -dex2oat
         -dexoptanalyzer
         -idmap
@@ -67,6 +69,7 @@
     neverallow {
         coredomain
         -appdomain
+        -artd
         -dex2oat
         -dexoptanalyzer
         -idmap
@@ -75,6 +78,7 @@
         -heapprofd
         userdebug_or_eng(`-profcollectd')
         -postinstall_dexopt
+        -profman
         -rs # spawned by appdomain, so carryover the exception above
         userdebug_or_eng(`-simpleperf_boot')
         -system_server
@@ -88,11 +92,12 @@
     neverallow {
         coredomain
         -appdomain
+        -artd
+        -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
-        -iorap_inode2filename
-        -iorap_prefetcherd
         -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
@@ -108,11 +113,12 @@
     neverallow {
         coredomain
         -appdomain
+        -artd
+        -dex2oat
+        -dexoptanalyzer
         -idmap
         -init
         -installd
-        -iorap_inode2filename
-        -iorap_prefetcherd
         -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 82ca403..bc6020e 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -20,7 +20,6 @@
   -vold
 }:process { ptrace signal sigchld sigstop sigkill };
 
-# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
 userdebug_or_eng(`
   allow crash_dump {
     apexd
@@ -31,13 +30,16 @@
   }:process { ptrace signal sigchld sigstop sigkill };
 ')
 
+# Read ART APEX data directory
+allow crash_dump apex_art_data_file:dir { getattr search };
+allow crash_dump apex_art_data_file:file r_file_perms;
+
 ###
 ### neverallow assertions
 ###
 
-# ptrace neverallow assertions are spread throughout the other policy
-# files, so we avoid adding redundant assertions here
-
+# sigchld not explicitly forbidden since it's part of the
+# domain-transition-on-exec macros, and is by itself not sensitive
 neverallow crash_dump {
   apexd
   userdebug_or_eng(`-apexd')
@@ -55,11 +57,7 @@
   vendor_init
   vold
   userdebug_or_eng(`-vold')
-}:process { signal sigstop sigkill };
+}:process { ptrace signal sigstop sigkill };
 
 neverallow crash_dump self:process ptrace;
 neverallow crash_dump gpu_device:chr_file *;
-
-# Read ART APEX data directory
-allow crash_dump apex_art_data_file:dir { getattr search };
-allow crash_dump apex_art_data_file:file r_file_perms;
diff --git a/private/credstore.te b/private/credstore.te
index c410d76..434808f 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -10,3 +10,8 @@
 
 # credstore needs to get keys from the remotely provisioned pool
 allow credstore remotelyprovisionedkeypool_service:service_manager find;
+allow credstore keystore:keystore2 get_attestation_key;
+
+# credstore needs to get keys from the RKPD
+get_prop(credstore, remote_prov_prop)
+allow credstore remote_provisioning_service:service_manager find;
diff --git a/private/crosvm.te b/private/crosvm.te
index e47abd7..aae8323 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -10,17 +10,14 @@
 neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
 neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
 
-# Let crosvm mlock VM memory and page tables.
-allow crosvm self:capability ipc_lock;
-
 # Let crosvm create temporary files.
 tmpfs_domain(crosvm)
 
 # Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationservice:fd use;
+allow crosvm virtualizationmanager:fd use;
 
-# Allow sending VirtualizationService the failure reason from the VM via pipe.
-allow crosvm virtualizationservice:fifo_file write;
+# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
+allow crosvm virtualizationmanager:fifo_file write;
 
 # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
 # (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
@@ -31,6 +28,7 @@
   staging_data_file
   apk_data_file
   app_data_file
+  privapp_data_file
   apex_compos_data_file
   shell_data_file
 }:file { getattr read ioctl lock };
@@ -38,6 +36,49 @@
 # Allow searching the directory where the composite disk images are.
 allow crosvm virtualizationservice_data_file:dir search;
 
+# Allow crosvm to mlock guest memory.
+allow crosvm self:capability ipc_lock;
+
+# Let crosvm access its control socket as created by VS.
+#   read, write, getattr: listener socket polling
+#   accept: listener socket accepting new connection
+# Note that the open permission is not given as the socket is passed by FD.
+allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
+
+# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
+userdebug_or_eng(`
+  allow crosvm shell_data_file:dir search;
+  allow crosvm shell_data_file:file open;
+')
+
+# The instance image and the composite image should be writable as well because they could represent
+# mutable disks.
+allow crosvm {
+  virtualizationservice_data_file
+  app_data_file
+  privapp_data_file
+  apex_compos_data_file
+}:file write;
+
+# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
+allow crosvm adbd:fd use;
+allow crosvm adbd:unix_stream_socket { read write };
+
+# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
+dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
+# compliance tests and demo apps. Write access to instance.img is particularily important because
+# the VM has to initialize the disk image on its first boot. Note that open access is still not
+# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
+# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
+allow crosvm shell_data_file:file write;
+
+# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
+# forward console/log to the host logcat).
+# crosvm only needs write permission, so dontaudit read
+dontaudit crosvm virtualizationmanager:fifo_file read;
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
@@ -48,31 +89,10 @@
   staging_data_file
   apk_data_file
   app_data_file
+  privapp_data_file
   userdebug_or_eng(`-shell_data_file')
 }:file open;
 
-# The instance image and the composite image should be writable as well because they could represent
-# mutable disks.
-allow crosvm {
-  virtualizationservice_data_file
-  app_data_file
-  apex_compos_data_file
-}:file write;
-
-# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
-allow crosvm adbd:fd use;
-allow crosvm adbd:unix_stream_socket { read write };
-
-# For ACPI
-allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
-# compliance tests and demo apps. Write access to instance.img is particularily important because
-# the VM has to initialize the disk image on its first boot. Note that open access is still not
-# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
-# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
-allow crosvm shell_data_file:file write;
-
 # Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
 full_treble_only(`
   neverallow crosvm {
@@ -87,19 +107,20 @@
   }:file *;
 ')
 
-# app_data_file and shell_data_file is the only app_data_file_type that is
-# allowed for crosvm to read.  Note that the use of app_data_file is allowed
-# only for the instance disk image.  This is enforced inside the
-# virtualizationservice by checking the file context of all disk image files.
+# Only allow crosvm to read app data files for clients that can start
+# VMs. Note that the use of app data files is further restricted
+# inside the virtualizationservice by checking the label of all disk
+# image files.
 neverallow crosvm {
   app_data_file_type
   -app_data_file
+  -privapp_data_file
   -shell_data_file
 }:file read;
 
-# Only virtualizationservice can run crosvm
+# Only virtualizationmanager can run crosvm
 neverallow {
   domain
   -crosvm
-  -virtualizationservice
+  -virtualizationmanager
 } crosvm_exec:file no_x_file_perms;
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
index 1f60e34..f46c614 100644
--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@@ -10,3 +10,11 @@
 # Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
 set_prop(derive_sdk, module_sdkextensions_prop)
 neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
+
+# Allow derive_sdk to write data back to dumpstate when forked from dumpstate.
+# The shell_data_file permissions are needed when a bugreport is taken:
+# dumpstate will redirect its stdout to a temporary shell_data_file:file, and
+# this makes derive_sdk append to that file.
+allow derive_sdk dumpstate:fd use;
+allow derive_sdk dumpstate:unix_stream_socket { read write };
+allow derive_sdk shell_data_file:file { getattr append read write };
diff --git a/private/device_as_webcam.te b/private/device_as_webcam.te
new file mode 100644
index 0000000..98c91c2
--- /dev/null
+++ b/private/device_as_webcam.te
@@ -0,0 +1,21 @@
+# Domain for DeviceAsWebcam Service
+type device_as_webcam, domain, coredomain, mlstrustedsubject;
+
+app_domain(device_as_webcam)
+
+allow device_as_webcam system_app_data_file:dir create_dir_perms;
+allow device_as_webcam system_app_data_file:file create_file_perms;
+
+allow device_as_webcam { app_api_service cameraserver_service }:service_manager find;
+
+# Allow DeviceAsWebcam Service needs to access ro.usb.uvc.enabled property to
+# enale/disable itself
+get_prop(device_as_webcam, usb_uvc_enabled_prop)
+
+# need to access /dev to list all devices
+allow device_as_webcam device:dir r_dir_perms;
+
+# UVC nodes are mounted as V4L2 nodes (/dev/video*) on the device. These need to
+# be accessed by the DeviceAsWebcam Service.
+allow device_as_webcam video_device:dir r_dir_perms;
+allow device_as_webcam video_device:chr_file rw_file_perms;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index e7cdd5f..ea9ab9c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -10,12 +10,13 @@
 # Access /vendor/framework
 allow dex2oat vendor_framework_file:dir { getattr search };
 allow dex2oat vendor_framework_file:file { getattr open read map };
+# Access /vendor/overlay
+r_dir_file(dex2oat, vendor_overlay_file);
 
 allow dex2oat tmpfs:file { read getattr map };
 
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
-allow dex2oat installd:fd use;
 
 # Acquire advisory lock on /system/framework/arm/*
 allow dex2oat system_file:file lock;
@@ -38,12 +39,8 @@
 # Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
 allow dex2oat apex_module_data_file:dir search;
 
-# Allow dex2oat to use file descriptors passed from odrefresh.
-allow dex2oat odrefresh:fd use;
-
-# Allow dex2oat to use devpts and file descriptors passed from odsign
+# Allow dex2oat to use devpts passed from odsign.
 allow dex2oat odsign_devpts:chr_file { read write };
-allow dex2oat odsign:fd use;
 
 # Allow dex2oat to write to file descriptors from odrefresh for files
 # in the staging area.
@@ -61,6 +58,12 @@
 # Allow dex2oat to read /apex/apex-info-list.xml
 allow dex2oat apex_info_file:file r_file_perms;
 
+# Allow dex2oat to use file descriptors passed from privileged programs.
+allow dex2oat { artd installd odrefresh odsign }:fd use;
+
+# Allow dex2oat to read the /proc filesystem for CPU features, etc.
+allow dex2oat proc_filesystems:file r_file_perms;
+
 ##################
 # A/B OTA Dexopt #
 ##################
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 8eb1d29..ca715c1 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -45,6 +45,10 @@
 # package manager.
 allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
 
+# dexoptanalyzer checks the DM files next to dex files. We don't need this check
+# for secondary dex files, but it's not harmful. Just deny it and ignore it.
+dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir search;
+
 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };
 
diff --git a/private/domain.te b/private/domain.te
index bcb9d52..4ad7298 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2,7 +2,9 @@
 # This occurs when the process crashes.
 # We do not apply this to the su domain to avoid interfering with
 # tests (b/114136122)
-domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
+# We exempt crosvm because parts of its memory are inaccessible to the
+# kernel. TODO(b/238324526): Remove this.
+domain_auto_trans({ domain userdebug_or_eng(`-su') -crosvm }, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;
 
 # Allow every process to check the heapprofd.enable properties to determine
@@ -10,44 +12,49 @@
 # heap profiling, as initialization will fail if it does not have the
 # necessary SELinux permissions.
 get_prop(domain, heapprofd_prop);
-# Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap({
-  domain
-  -bpfloader
-  -init
-  -kernel
-  -keystore
-  -llkd
-  -logd
-  -logpersist
-  -recovery
-  -recovery_persist
-  -recovery_refresh
-  -ueventd
-  -vendor_init
-  -vold
-})')
 
-# As above, allow perf profiling most processes on debug builds.
-# zygote is excluded as system-wide profiling could end up with it
-# (unexpectedly) holding an open fd across a fork.
-userdebug_or_eng(`can_profile_perf({
+# See private/crash_dump.te
+define(`dumpable_domain',`{
   domain
+  -apexd
   -bpfloader
+  -crash_dump
+  -crosvm # TODO(b/236672526): Remove exception for crosvm
+  -diced
   -init
   -kernel
   -keystore
   -llkd
   -logd
+  -ueventd
+  -vendor_init
+  -vold
+}')
+
+# Allow heap profiling by heapprofd.
+# Zygotes are excluded due to potential issues with holding open file
+# descriptors or other state across forks. Other exclusions conflict with
+# neverallows, and are not considered important to profile.
+can_profile_heap({
+  dumpable_domain
+  -app_zygote
+  -hal_configstore
   -logpersist
   -recovery
   -recovery_persist
   -recovery_refresh
-  -ueventd
-  -vendor_init
-  -vold
+  -webview_zygote
   -zygote
-})')
+})
+
+# Allow profiling using perf_event_open by traced_perf.
+can_profile_perf({
+  dumpable_domain
+  -app_zygote
+  -hal_configstore
+  -webview_zygote
+  -zygote
+})
 
 # Everyone can access the IncFS list of features.
 r_dir_file(domain, sysfs_fs_incfs_features);
@@ -77,6 +84,12 @@
 # Read access to bq configuration values
 get_prop(domain, bq_config_prop);
 
+# Allow all domains to check whether MTE is set to permissive mode.
+get_prop(domain, permissive_mte_prop);
+
+get_prop(domain, device_config_memory_safety_native_boot_prop);
+get_prop(domain, device_config_memory_safety_native_prop);
+
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 not_compatible_property(`
@@ -96,6 +109,48 @@
     get_prop({domain -coredomain -appdomain}, vendor_default_prop)
 ')
 
+# Public readable properties
+get_prop(domain, aaudio_config_prop)
+get_prop(domain, apexd_select_prop)
+get_prop(domain, arm64_memtag_prop)
+get_prop(domain, bluetooth_config_prop)
+get_prop(domain, bootloader_prop)
+get_prop(domain, build_odm_prop)
+get_prop(domain, build_prop)
+get_prop(domain, build_vendor_prop)
+get_prop(domain, debug_prop)
+get_prop(domain, exported_config_prop)
+get_prop(domain, exported_default_prop)
+get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_secure_prop)
+get_prop(domain, exported_system_prop)
+get_prop(domain, fingerprint_prop)
+get_prop(domain, framework_status_prop)
+get_prop(domain, gwp_asan_prop)
+get_prop(domain, hal_instrumentation_prop)
+get_prop(domain, hw_timeout_multiplier_prop)
+get_prop(domain, init_service_status_prop)
+get_prop(domain, libc_debug_prop)
+get_prop(domain, locale_prop)
+get_prop(domain, logd_prop)
+get_prop(domain, mediadrm_config_prop)
+get_prop(domain, property_service_version_prop)
+get_prop(domain, soc_prop)
+get_prop(domain, socket_hook_prop)
+get_prop(domain, surfaceflinger_prop)
+get_prop(domain, telephony_status_prop)
+get_prop(domain, timezone_prop)
+get_prop({domain -untrusted_app_all -isolated_app_all -ephemeral_app },  userdebug_or_eng_prop)
+get_prop(domain, vendor_socket_hook_prop)
+get_prop(domain, vndk_prop)
+get_prop(domain, vold_status_prop)
+get_prop(domain, vts_config_prop)
+
+# Binder cache properties are world-readable
+get_prop(domain, binder_cache_bluetooth_server_prop)
+get_prop(domain, binder_cache_system_server_prop)
+get_prop(domain, binder_cache_telephony_server_prop)
+
 # Allow access to fsverity keyring.
 allow domain kernel:key search;
 # Allow access to keys in the fsverity keyring that were installed at boot.
@@ -112,6 +167,10 @@
 # Allow all processes to check for the existence of the boringssl_self_test_marker files.
 allow domain boringssl_self_test_marker:dir search;
 
+# Allow all processes to read the file_logger property that liblog uses to check if file_logger
+# should be used.
+get_prop(domain, log_file_logger_prop)
+
 # Allow all processes to connect to PRNG seeder daemon.
 unix_socket_connect(domain, prng_seeder, prng_seeder)
 
@@ -172,6 +231,7 @@
 neverallow {
   domain
   -appdomain
+  -artd # compile secondary dex files
   -installd # creation of sandbox
 } { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
 
@@ -182,10 +242,9 @@
   -adbd
   -appdomain
   -app_zygote
+  -artd # compile secondary dex files
   -dexoptanalyzer
   -installd
-  -iorap_inode2filename
-  -iorap_prefetcherd
   -profman
   -rs # spawned by appdomain, so carryover the exception above
   -runas
@@ -199,6 +258,7 @@
 neverallow {
   domain
   -appdomain
+  -artd # compile secondary dex files
   -installd
   -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:dir ~r_dir_perms;
@@ -207,19 +267,21 @@
   domain
   -appdomain
   -app_zygote
+  -artd # compile secondary dex files
   -installd
-  -iorap_prefetcherd
   -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:file_class_set open;
 
 neverallow {
   domain
   -appdomain
+  -artd # compile secondary dex files
   -installd # creation of sandbox
 } { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
 
 neverallow {
   domain
+  -artd # compile secondary dex files
   -installd
 } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
 
@@ -233,9 +295,8 @@
   -system_server
   -apexd
   -installd
-  -iorap_inode2filename
   -priv_app
-  -virtualizationservice
+  -virtualizationmanager
 } staging_data_file:dir *;
 neverallow {
   domain
@@ -246,10 +307,9 @@
   -adbd
   -kernel
   -installd
-  -iorap_inode2filename
   -priv_app
   -shell
-  -virtualizationservice
+  -virtualizationmanager
   -crosvm
 } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
@@ -276,7 +336,6 @@
     domain
     -appdomain
     with_asan(`-asan_extract')
-    -iorap_prefetcherd
     -shell
     userdebug_or_eng(`-su')
     -system_server_startup # for memfd backed executable regions
@@ -312,6 +371,7 @@
   -cppreopts
   -dex2oat
   -otapreopt_slot
+  -artd
 } dalvikcache_data_file:file no_w_file_perms;
 
 neverallow {
@@ -323,6 +383,7 @@
   -dex2oat
   -zygote
   -otapreopt_slot
+  -artd
 } dalvikcache_data_file:dir no_w_dir_perms;
 
 # Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
@@ -370,6 +431,7 @@
 # a Unix group or change the permissions of a file.
 define(`dac_override_allowed', `{
   apexd
+  artd
   dnsmasq
   dumpstate
   init
@@ -397,8 +459,6 @@
 # this list should be a superset of the one above.
 neverallow ~{
   dac_override_allowed
-  iorap_inode2filename
-  iorap_prefetcherd
   traced_perf
   traced_probes
   heapprofd
@@ -478,8 +538,6 @@
     -heapprofd
     userdebug_or_eng(`-profcollectd')
     -init
-    -iorap_inode2filename
-    -iorap_prefetcherd
     -kernel
     userdebug_or_eng(`-simpleperf_boot')
     -traced_perf
@@ -503,9 +561,9 @@
     userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
     -init
     -tombstoned # linker to tombstoned
-    userdebug_or_eng(`-heapprofd')
-    userdebug_or_eng(`-traced')
-    userdebug_or_eng(`-traced_perf')
+    -heapprofd
+    -traced
+    -traced_perf
   });
 ')
 
@@ -518,8 +576,6 @@
     -crash_dump
     -crosvm # loads vendor-specific disk images
     -init # starts vendor executables
-    -iorap_inode2filename
-    -iorap_prefetcherd
     -kernel # loads /vendor/firmware
     -heapprofd
     userdebug_or_eng(`-profcollectd')
@@ -602,14 +658,18 @@
 # Restrict write access to etm sysfs interface.
 neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
 
-# Restrict write access to shell owned files. The /data/local/tmp directory is
+# Restrict direct access to shell owned files. The /data/local/tmp directory is
 # untrustworthy, and non-allowed domains should not be trusting any content in
 # those directories. We allow shell files to be passed around by file
 # descriptor, but not directly opened.
+# artd doesn't need to access /data/local/tmp, but it needs to access
+# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
+# dex files.
 neverallow {
   domain
   -adbd
   -appdomain
+  -artd
   -dumpstate
   -installd
   userdebug_or_eng(`-uncrypt')
@@ -617,21 +677,71 @@
   userdebug_or_eng(`-crosvm')
 } shell_data_file:file open;
 
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-allowed domains should
+# not be trusting any content in those directories.
+# artd doesn't need to access /data/local/tmp, but it needs to access
+# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
+# dex files.
+neverallow {
+  domain
+  -adbd
+  -artd
+  -dumpstate
+  -installd
+  -init
+  -shell
+  -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+  domain
+  -adbd
+  -appdomain
+  -artd
+  -dumpstate
+  -init
+  -installd
+  -simpleperf_app_runner
+  -system_server # why?
+  userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir open;
+
+neverallow {
+  domain
+  -adbd
+  -appdomain
+  -artd
+  -dumpstate
+  -init
+  -installd
+  -simpleperf_app_runner
+  -system_server # why?
+  userdebug_or_eng(`-uncrypt')
+  userdebug_or_eng(`-crosvm')
+} shell_data_file:dir search;
+
 # respect system_app sandboxes
 neverallow {
   domain
   -appdomain
+  -artd # compile secondary dex files
   -system_server #populate com.android.providers.settings/databases/settings.db.
   -installd # creation of app sandbox
-  -iorap_inode2filename
   -traced_probes # resolve inodes for i/o tracing.
                  # only needs open and read, the rest is neverallow in
                  # traced_probes.te.
 } system_app_data_file:dir_file_class_set { create unlink open };
 neverallow {
-  isolated_app
+  isolated_app_all
   ephemeral_app
   priv_app
   sdk_sandbox
   untrusted_app_all
 } system_app_data_file:dir_file_class_set { create unlink open };
+
+neverallow { domain -init } mtectrl:process { dyntransition transition };
+
+# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
+neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
\ No newline at end of file
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 149d389..fe442b3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -30,6 +30,9 @@
 # Allow dumpstate to make binder calls to incidentd
 binder_call(dumpstate, incidentd)
 
+# Kill incident in case of a timeout
+allow dumpstate incident:process { signal sigkill };
+
 # Allow dumpstate to make binder calls to storaged service
 binder_call(dumpstate, storaged)
 
@@ -123,3 +126,6 @@
 
 # system_dlkm_file for /system_dlkm partition
 allow dumpstate system_dlkm_file:dir getattr;
+
+# Allow dumpstate to execute derive_sdk in its own domain
+domain_auto_trans(dumpstate, derive_sdk_exec, derive_sdk)
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3b916e2..9f2b1d5 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -45,14 +45,6 @@
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
 
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(ephemeral_app)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(ephemeral_app)
-can_profile_perf(ephemeral_app)
-
 # allow ephemeral apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
 allow ephemeral_app system_server:udp_socket {
diff --git a/private/extra_free_kbytes.te b/private/extra_free_kbytes.te
index af3088b..d210884 100644
--- a/private/extra_free_kbytes.te
+++ b/private/extra_free_kbytes.te
@@ -1,3 +1,6 @@
 typeattribute extra_free_kbytes coredomain;
 
 init_daemon_domain(extra_free_kbytes)
+
+# Only extra_free_kbytes script is allowed to store these properties
+set_prop(extra_free_kbytes, init_storage_prop)
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 2c65281..7dc1741 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -45,4 +45,12 @@
 
   # Needed for reading boot properties.
   allow fastbootd proc_bootconfig:file r_file_perms;
+  # Let this domain use the hal fastboot service
+  binder_use(fastbootd)
+  hal_client_domain(fastbootd, hal_fastboot)
 ')
+
+# This capability allows fastbootd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
+allow fastbootd self:capability ipc_lock;
+io_uring_use(fastbootd)
diff --git a/private/file.te b/private/file.te
index c5837f9..539e63e 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,6 +7,7 @@
 type fs_bpf_net_shared, fs_type, bpffs_type;
 type fs_bpf_netd_readonly, fs_type, bpffs_type;
 type fs_bpf_netd_shared, fs_type, bpffs_type;
+type fs_bpf_loader, fs_type, bpffs_type;
 
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
@@ -90,7 +91,9 @@
 type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
 
 # /data/misc/virtualizationservice
-type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
+# The type needs to be mlstrustedobject to allow for being accessed from
+# virtualizationmanager, which runs at a more constrained MLS level.
+type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
 # /data/system/environ
 type environ_system_data_file, file_type, data_file_type, core_data_file_type;
@@ -99,7 +102,9 @@
 type bootanim_data_file, file_type, data_file_type, core_data_file_type;
 
 # /dev/kvm
-type kvm_device, dev_type;
+# The type needs to be mlstrustedobject to allow for being accessed from
+# crosvm, which runs at a more constrained MLS level.
+type kvm_device, dev_type, mlstrustedobject;
 
 # /apex/com.android.virt/bin/fd_server
 type fd_server_exec, system_file_type, exec_type, file_type;
@@ -116,7 +121,15 @@
 # property labeled.
 type sepolicy_test_file, file_type;
 
+# /apex/com.android.art/bin/art_exec
+# This executable does not have its own domain because it is executed in the caller's domain. For
+# example, it is executed in the `artd` domain when artd calls it.
+type art_exec_exec, system_file_type, exec_type, file_type;
+
 # Filesystem entry for for PRNG seeder socket.  Processes require
 # write permission on this to connect, and needs to be mlstrustedobject
 # in to satisfy MLS constraints for trusted domains.
 type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
+
+# /sys/firmware/devicetree/base/avf
+type sysfs_dt_avf, fs_type, sysfs_type;
diff --git a/private/file_contexts b/private/file_contexts
index 65baa5d..4c3f108 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -79,6 +79,7 @@
 /dev/audio.*		u:object_r:audio_device:s0
 /dev/binder		u:object_r:binder_device:s0
 /dev/block(/.*)?	u:object_r:block_device:s0
+/dev/block/by-name/zoned_device	u:object_r:zoned_block_device:s0
 /dev/block/dm-[0-9]+	u:object_r:dm_device:s0
 /dev/block/loop[0-9]*	u:object_r:loop_device:s0
 /dev/block/vd[a-z][0-9]*  u:object_r:vd_device:s0
@@ -223,13 +224,13 @@
 /system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
 /system/bin/prng_seeder		u:object_r:prng_seeder_exec:s0
 /system/bin/charger		u:object_r:charger_exec:s0
-/system/bin/canhalconfigurator  u:object_r:canhalconfigurator_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
 /system/bin/extra_free_kbytes\.sh u:object_r:extra_free_kbytes_exec:s0
 /system/bin/fsck\.exfat	--	u:object_r:fsck_exec:s0
 /system/bin/fsck\.f2fs	--	u:object_r:fsck_exec:s0
+/system/bin/ntfsfix	--	u:object_r:fsck_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
 # TODO(/123600489): merge mini-keyctl into toybox
 /system/bin/mini-keyctl	--	u:object_r:toolbox_exec:s0
@@ -270,6 +271,8 @@
 /system/bin/audioserver	u:object_r:audioserver_exec:s0
 /system/bin/mediadrmserver	u:object_r:mediadrmserver_exec:s0
 /system/bin/mediaserver	u:object_r:mediaserver_exec:s0
+/system/bin/mediaserver32	u:object_r:mediaserver_exec:s0
+/system/bin/mediaserver64	u:object_r:mediaserver_exec:s0
 /system/bin/mediametrics	u:object_r:mediametrics_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
@@ -325,24 +328,18 @@
 /system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
 /system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
 /system/bin/viewcompiler     u:object_r:viewcompiler_exec:s0
-/system/bin/iorapd          u:object_r:iorapd_exec:s0
-/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
-/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
-/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
 /system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
-/system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/profcollectd         u:object_r:profcollectd_exec:s0
 /system/bin/profcollectctl       u:object_r:profcollectd_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
-/system/bin/wpantund             u:object_r:wpantund_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
-/system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:system_suspend_exec:s0
+/system/bin/hw/android\.system\.suspend-service               u:object_r:system_suspend_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
@@ -375,8 +372,7 @@
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf           u:object_r:simpleperf_exec:s0
 /system/bin/simpleperf_app_runner    u:object_r:simpleperf_app_runner_exec:s0
-/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
-/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
+/system/bin/migrate_legacy_obb_data u:object_r:migrate_legacy_obb_data_exec:s0
 /system/bin/snapuserd            u:object_r:snapuserd_exec:s0
 /system/bin/odsign               u:object_r:odsign_exec:s0
 /system/bin/vehicle_binding_util     u:object_r:vehicle_binding_util_exec:s0
@@ -447,13 +443,14 @@
 /odm/etc/selinux/precompiled_sepolicy                           u:object_r:sepolicy_file:s0
 /odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
 
-/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil                  u:object_r:sepolicy_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil                 u:object_r:sepolicy_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_file_contexts                 u:object_r:file_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_seapp_contexts                u:object_r:seapp_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_property_contexts             u:object_r:property_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_service_contexts              u:object_r:vendor_service_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts            u:object_r:hwservice_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts         u:object_r:keystore2_key_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml           u:object_r:mac_perms_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts        u:object_r:keystore2_key_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml          u:object_r:mac_perms_file:s0
 
 #############################
 # Product files
@@ -495,6 +492,9 @@
 /(system_ext|system/system_ext)/bin/hidl_lazy_test_server    u:object_r:hidl_lazy_test_server_exec:s0
 /(system_ext|system/system_ext)/bin/hidl_lazy_cb_test_server u:object_r:hidl_lazy_test_server_exec:s0
 
+/(system_ext|system/system_ext)/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
+/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
+
 /(system_ext|system/system_ext)/lib(64)?(/.*)?      u:object_r:system_lib_file:s0
 
 #############################
@@ -565,7 +565,8 @@
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 /data/local/tmp/ltp(/.*)?   u:object_r:nativetest_data_file:s0
 /data/local/traces(/.*)?	u:object_r:trace_data_file:s0
-/data/media(/.*)?	u:object_r:media_rw_data_file:s0
+/data/media             u:object_r:media_userdir_file:s0
+/data/media/.*          u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0
 /data/nativetest(/.*)?	u:object_r:nativetest_data_file:s0
 /data/nativetest64(/.*)?	u:object_r:nativetest_data_file:s0
@@ -582,6 +583,12 @@
 /data/rollback/\d+/[^/]+/.*\.apk  u:object_r:apk_data_file:s0
 /data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
 /data/fonts/files(/.*)?     u:object_r:font_data_file:s0
+/data/misc_ce             u:object_r:system_userdir_file:s0
+/data/misc_de             u:object_r:system_userdir_file:s0
+/data/system_ce           u:object_r:system_userdir_file:s0
+/data/system_de           u:object_r:system_userdir_file:s0
+/data/user                u:object_r:system_userdir_file:s0
+/data/user_de             u:object_r:system_userdir_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
@@ -651,9 +658,7 @@
 /data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
-/data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
-/data/misc/iorapd(/.*)?         u:object_r:iorapd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/misc/update_engine_log(/.*)?  u:object_r:update_engine_log_data_file:s0
 /data/system/dropbox(/.*)?      u:object_r:dropbox_data_file:s0
@@ -667,8 +672,10 @@
 /data/misc/profiles/ref(/.*)?       u:object_r:user_profile_data_file:s0
 /data/misc/profman(/.*)?        u:object_r:profman_dump_data_file:s0
 /data/vendor(/.*)?              u:object_r:vendor_data_file:s0
-/data/vendor_ce(/.*)?           u:object_r:vendor_data_file:s0
-/data/vendor_de(/.*)?           u:object_r:vendor_data_file:s0
+/data/vendor_ce                 u:object_r:vendor_userdir_file:s0
+/data/vendor_ce/.*              u:object_r:vendor_data_file:s0
+/data/vendor_de                 u:object_r:vendor_userdir_file:s0
+/data/vendor_de/.*              u:object_r:vendor_data_file:s0
 
 # storaged proto files
 /data/misc_de/[0-9]+/storaged(/.*)?       u:object_r:storaged_data_file:s0
@@ -727,8 +734,17 @@
 #############################
 # Expanded data files
 #
-/mnt/expand(/.*)?                                   u:object_r:mnt_expand_file:s0
-/mnt/expand/[^/]+(/.*)?                             u:object_r:system_data_file:s0
+/mnt/expand                                         u:object_r:mnt_expand_file:s0
+# CAREFUL: the two system_data_file patterns below can't be replaced with one
+# pattern "/mnt/expand/[^/]+(/.*)?", since SELinux would prioritize that over
+# "/mnt/expand/[^/]+/user".  This is because when a path is matched by two
+# patterns that contain regex meta-characters, SELinux just chooses the longer
+# pattern (or the later pattern if the patterns are the same length), rather
+# than the pattern containing fewer regex meta-characters.  Splitting the
+# pattern into "/mnt/expand/[^/]+" and "/mnt/expand/[^/]+/.*" works around this
+# problem, except for 1-character filenames which we aren't using.
+/mnt/expand/[^/]+                                   u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/.*                                u:object_r:system_data_file:s0
 /mnt/expand/[^/]+/app(/.*)?                         u:object_r:apk_data_file:s0
 /mnt/expand/[^/]+/app/[^/]+/oat(/.*)?               u:object_r:dalvikcache_data_file:s0
 # /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
@@ -736,8 +752,13 @@
 /mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)?          u:object_r:apk_tmp_file:s0
 /mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)?      u:object_r:dalvikcache_data_file:s0
 /mnt/expand/[^/]+/local/tmp(/.*)?                   u:object_r:shell_data_file:s0
-/mnt/expand/[^/]+/media(/.*)?                       u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/media                             u:object_r:media_userdir_file:s0
+/mnt/expand/[^/]+/media/.*                          u:object_r:media_rw_data_file:s0
 /mnt/expand/[^/]+/misc/vold(/.*)?                   u:object_r:vold_data_file:s0
+/mnt/expand/[^/]+/misc_ce                           u:object_r:system_userdir_file:s0
+/mnt/expand/[^/]+/misc_de                           u:object_r:system_userdir_file:s0
+/mnt/expand/[^/]+/user                              u:object_r:system_userdir_file:s0
+/mnt/expand/[^/]+/user_de                           u:object_r:system_userdir_file:s0
 
 # coredump directory for userdebug/eng devices
 /cores(/.*)?                    u:object_r:coredump_file:s0
@@ -762,9 +783,6 @@
 /data/misc_de/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc_ce/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
 
-# iorapd per-user data
-/data/misc_ce/[0-9]+/iorapd(/.*)?           u:object_r:iorapd_data_file:s0
-
 # Backup service persistent per-user bookkeeping
 /data/system_ce/[0-9]+/backup(/.*)?		u:object_r:backup_data_file:s0
 # Backup service temporary per-user data for inter-change with apps
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 58275ff..cc4a5ca 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -26,6 +26,10 @@
 set_prop(flags_health_check, device_config_vendor_system_native_prop)
 set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
+set_prop(flags_health_check, device_config_memory_safety_native_boot_prop)
+set_prop(flags_health_check, device_config_memory_safety_native_prop)
+set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
+set_prop(flags_health_check, device_config_camera_native_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index e069233..2e5089c 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -11,9 +11,6 @@
 allow fsverity_init kernel:key { view search write setattr };
 allow fsverity_init fsverity_init:key { view search write };
 
-# Allow init to write to /proc/sys/fs/verity/require_signatures
-allow fsverity_init proc_fs_verity:file w_file_perms;
-
 # Read the on-device signing certificate, to be able to add it to the keyring
 allow fsverity_init odsign:fd use;
 allow fsverity_init odsign_data_file:file { getattr read };
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6578470..77e3954 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -43,7 +43,6 @@
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
 genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
@@ -146,6 +145,7 @@
 genfscon sysfs /devices/virtual/net             u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/switch          u:object_r:sysfs_switch:s0
 genfscon sysfs /devices/virtual/wakeup          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
 genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /fs/f2fs                           u:object_r:sysfs_fs_f2fs:s0
@@ -385,6 +385,7 @@
 genfscon vfat / u:object_r:vfat:s0
 genfscon binder / u:object_r:binderfs:s0
 genfscon exfat / u:object_r:exfat:s0
+genfscon ntfs / u:object_r:ntfs:s0
 genfscon debugfs / u:object_r:debugfs:s0
 genfscon fuse / u:object_r:fuse:s0
 genfscon configfs / u:object_r:configfs:s0
@@ -394,7 +395,9 @@
 genfscon functionfs / u:object_r:functionfs:s0
 genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+
 genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /loader u:object_r:fs_bpf_loader:s0
 genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
 genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
 genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 76a2370..8388e89 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -59,9 +59,6 @@
 # Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
 allow gpuservice bpfloader:bpf { map_read map_write prog_run };
 
-# Needed for getting a prop to ensure bpf programs loaded.
-get_prop(gpuservice, bpf_progs_loaded_prop)
-
 add_service(gpuservice, gpu_service)
 
 # Only uncomment below line when in development
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 36d2938..1b41823 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -1,14 +1,4 @@
 # Android heap profiling daemon. go/heapprofd.
-#
-# On user builds, this daemon is responsible for receiving the initial
-# profiling configuration, finding matching target processes (if profiling by
-# process name), and sending the activation signal to them (+ setting system
-# properties for new processes to start profiling from startup). When profiling
-# is triggered in a process, it spawns a private heapprofd subprocess (in its
-# own SELinux domain), which will exclusively handle profiling of its parent.
-#
-# On debug builds, this central daemon performs profiling for all target
-# processes (which talk directly to this daemon).
 type heapprofd_exec, exec_type, file_type, system_file_type;
 type heapprofd_tmpfs, file_type;
 
@@ -56,23 +46,28 @@
 # For checking profileability.
 allow heapprofd packages_list_file:file r_file_perms;
 
-# This is going to happen on user but is benign because central heapprofd
-# does not actually need these permission.
-# If the dac_read_search capability check is rejected, the kernel then tries
-# to perform a dac_override capability check, so we need to dontaudit that
-# as well.
-dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
-
+# Never allow profiling privileged or otherwise incompatible domains.
+# Corresponding allow-rule is in private/domain.te.
 never_profile_heap(`{
+  apexd
+  app_zygote
   bpfloader
+  diced
+  hal_configstore
   init
   kernel
   keystore
   llkd
   logd
+  logpersist
+  recovery
+  recovery_persist
+  recovery_refresh
   ueventd
   vendor_init
   vold
+  webview_zygote
+  zygote
 }')
 
 full_treble_only(`
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index e1fde43..ecc8a40 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -7,3 +7,9 @@
 
 set_prop(hwservicemanager, ctl_interface_start_prop)
 set_prop(hwservicemanager, hwservicemanager_prop)
+
+# hwservicemanager is using bootstrap bionic
+use_bootstrap_libs(hwservicemanager)
+
+# hwservicemanager is using apex_info via libvintf
+use_apex_info(hwservicemanager)
diff --git a/private/incidentd.te b/private/incidentd.te
index c1314a8..e86b3bf 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -193,6 +193,9 @@
   get_prop(incidentd, last_boot_reason_prop);
 ')
 
+# Allow incident to read the build properties for attestation feature
+get_prop(incidentd, build_attestation_prop);
+
 ###
 ### neverallow rules
 ###
diff --git a/private/init.te b/private/init.te
index 17e25f8..72dedd2 100644
--- a/private/init.te
+++ b/private/init.te
@@ -11,8 +11,10 @@
 recovery_only(`
   # Files in recovery image are labeled as rootfs.
   domain_trans(init, rootfs, adbd)
+  domain_trans(init, rootfs, hal_bootctl_server)
   domain_trans(init, rootfs, charger)
   domain_trans(init, rootfs, fastbootd)
+  domain_trans(init, rootfs, hal_fastboot_server)
   domain_trans(init, rootfs, hal_health_server)
   domain_trans(init, rootfs, recovery)
   domain_trans(init, rootfs, linkerconfig)
@@ -93,9 +95,6 @@
 # Only init can write normal ro.boot. properties
 neverallow { domain -init } bootloader_prop:property_service set;
 
-# Only init can write ro.boot.hypervisor properties
-neverallow { domain -init } hypervisor_prop:property_service set;
-
 # Only init can write hal.instrumentation.enable
 neverallow { domain -init } hal_instrumentation_prop:property_service set;
 
diff --git a/private/installd.te b/private/installd.te
index 538641d..7615c92 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -45,9 +45,12 @@
 
 # Allow installd to delete files in /data/staging
 allow installd staging_data_file:file unlink;
-allow installd staging_data_file:dir { open read remove_name rmdir search write };
+allow installd staging_data_file:dir { open read remove_name rmdir search write getattr };
 
-allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+allow installd { dex2oat dexoptanalyzer }:process signal;
+
+# installd kills subprocesses if they time out.
+allow installd { dex2oat dexoptanalyzer profman }:process sigkill;
 
 # Allow installd manage dirs in /data/misc_ce/0/sdksandbox
 allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
deleted file mode 100644
index 5acb262..0000000
--- a/private/iorap_inode2filename.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute iorap_inode2filename coredomain;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
-allow iorap_inode2filename dalvikcache_data_file:file { getattr };
-allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
-allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
-allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
-allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/private/iorap_prefecherd.te b/private/iorap_prefecherd.te
deleted file mode 100644
index 9ddb512..0000000
--- a/private/iorap_prefecherd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute iorap_prefetcherd coredomain;
-
-init_daemon_domain(iorap_prefetcherd)
-tmpfs_domain(iorap_prefetcherd)
diff --git a/private/iorapd.te b/private/iorapd.te
deleted file mode 100644
index 73acec9..0000000
--- a/private/iorapd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute iorapd coredomain;
-
-init_daemon_domain(iorapd)
-tmpfs_domain(iorapd)
-
-domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
-domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
-
-# Allow iorapd to access the runtime native boot feature flag properties.
-get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 828ffb1..9d0fd73 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -1,36 +1,24 @@
 ###
-### Services with isolatedProcess=true in their manifest.
+### isolated_apps.
 ###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
+### This file defines the rules for isolated apps that does not wish to use
+### service managers and does not require extra computational resources.
 ###
 
 typeattribute isolated_app coredomain;
 
 app_domain(isolated_app)
+isolated_app_domain(isolated_app)
 
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
+allow isolated_app webviewupdate_service:service_manager find;
 
 # Allow access to network sockets received over IPC. New socket creation is not
 # permitted.
 allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
 
-allow isolated_app activity_service:service_manager find;
-allow isolated_app display_service:service_manager find;
-allow isolated_app webviewupdate_service:service_manager find;
-
-# Google Breakpad (crash reporter for Chrome) relies on ptrace
-# functionality. Without the ability to ptrace, the crash reporter
-# tool is broken.
-# b/20150694
-# https://code.google.com/p/chromium/issues/detail?id=475270
-allow isolated_app self:process ptrace;
-
 # b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
 # by other processes. Open should never be allowed, and is blocked by
-# neverallow rules below.
+# neverallow rules in isolated_app_all attribute.
 # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
 # is modified to change the secontext when accessing the lower filesystem.
 allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
@@ -46,108 +34,3 @@
 allow isolated_app webview_zygote:unix_dgram_socket write;
 # Read system properties managed by webview_zygote.
 allow isolated_app webview_zygote_tmpfs:file read;
-
-# Inherit FDs from the app_zygote.
-allow isolated_app app_zygote:fd use;
-# Notify app_zygote of child death.
-allow isolated_app app_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app app_zygote:unix_dgram_socket write;
-
-# TODO (b/63631799) fix this access
-# suppress denials to /data/local/tmp
-dontaudit isolated_app shell_data_file:dir search;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(isolated_app)
-
-# Allow profiling if the main app has been marked as profileable or
-# debuggable.
-can_profile_heap(isolated_app)
-can_profile_perf(isolated_app)
-
-#####
-##### Neverallow
-#####
-
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-# TODO: are there situations where isolated_apps write to this file?
-# TODO: should we tighten these restrictions further?
-neverallow isolated_app anr_data_file:file ~{ open append };
-neverallow isolated_app anr_data_file:dir ~search;
-
-# Isolated apps must not be permitted to use HwBinder
-neverallow isolated_app hwbinder_device:chr_file *;
-neverallow isolated_app *:hwservice_manager *;
-
-# Isolated apps must not be permitted to use VndBinder
-neverallow isolated_app vndbinder_device:chr_file *;
-
-# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services allowlisted below.
-neverallow isolated_app *:service_manager ~find;
-
-# b/17487348
-# Isolated apps can only access three services,
-# activity_service, display_service, webviewupdate_service.
-neverallow isolated_app {
-    service_manager_type
-    -activity_service
-    -display_service
-    -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
-
-# Do not allow isolated_app access to /cache
-neverallow isolated_app cache_file:dir ~{ r_dir_perms };
-neverallow isolated_app cache_file:file ~{ read getattr };
-
-# Do not allow isolated_app to access external storage, except for files passed
-# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
-neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
-
-# Do not allow USB access
-neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
-
-# Restrict the webview_zygote control socket.
-neverallow isolated_app webview_zygote:sock_file write;
-
-# Limit the /sys files which isolated_app can access. This is important
-# for controlling isolated_app attack surface.
-neverallow isolated_app {
-  sysfs_type
-  -sysfs_devices_system_cpu
-  -sysfs_transparent_hugepage
-  -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
-  -sysfs_fs_incfs_features
-}:file no_rw_file_perms;
-
-# No creation of sockets families other than AF_UNIX sockets.
-# List taken from system/sepolicy/public/global_macros - socket_class_set
-# excluding unix_stream_socket and unix_dgram_socket.
-# Many of these are socket families which have never and will never
-# be compiled into the Android kernel.
-neverallow isolated_app { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
-  socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
-  key_socket appletalk_socket netlink_route_socket
-  netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
-  netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
-  netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
-  netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
-  netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
-  netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
-  netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
-  rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
-  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
-  ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
-  qipcrtr_socket smc_socket xdp_socket
-} create;
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
new file mode 100644
index 0000000..bb9da6c
--- /dev/null
+++ b/private/isolated_app_all.te
@@ -0,0 +1,120 @@
+###
+### isolated_app_all.
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules shared by all isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file { append read write getattr lock map };
+
+allow isolated_app_all activity_service:service_manager find;
+allow isolated_app_all display_service:service_manager find;
+
+# Google Breakpad (crash reporter for Chrome) relies on ptrace
+# functionality. Without the ability to ptrace, the crash reporter
+# tool is broken.
+# b/20150694
+# https://code.google.com/p/chromium/issues/detail?id=475270
+allow isolated_app_all self:process ptrace;
+
+# Inherit FDs from the app_zygote.
+allow isolated_app_all app_zygote:fd use;
+# Notify app_zygote of child death.
+allow isolated_app_all app_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app_all app_zygote:unix_dgram_socket write;
+
+# TODO (b/63631799) fix this access
+# suppress denials to /data/local/tmp
+dontaudit isolated_app_all shell_data_file:dir search;
+
+#####
+##### Neverallow
+#####
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app_all anr_data_file:file ~{ open append };
+neverallow isolated_app_all anr_data_file:dir ~search;
+
+# Isolated apps must not be permitted to use HwBinder
+neverallow { isolated_app_all -isolated_compute_app } hwbinder_device:chr_file *;
+neverallow { isolated_app_all -isolated_compute_app } *:hwservice_manager *;
+
+# Isolated apps must not be permitted to use VndBinder
+neverallow isolated_app_all vndbinder_device:chr_file *;
+
+# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
+# except the find actions for services allowlisted below.
+neverallow { isolated_app_all -isolated_compute_app } *:service_manager ~find;
+
+# b/17487348
+# Isolated apps can only access three services,
+# activity_service, display_service, webviewupdate_service.
+neverallow { isolated_app_all -isolated_compute_app } {
+    service_manager_type
+    -activity_service
+    -display_service
+    -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app_all gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_apps access to /cache
+neverallow isolated_app_all cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app_all cache_file:file ~{ read getattr };
+
+# Do not allow isolated_app_all to access external storage, except for files passed
+# via file descriptors (b/32896414).
+neverallow isolated_app_all { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
+neverallow isolated_app_all { storage_file mnt_user_file }:file_class_set *;
+neverallow isolated_app_all { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app_all { sdcard_type fuse }:file ~{ read write append getattr lock map };
+
+# Do not allow USB access
+neverallow isolated_app_all { usb_device usbaccessory_device }:chr_file *;
+
+# Restrict the webview_zygote control socket.
+neverallow isolated_app_all webview_zygote:sock_file write;
+
+# Limit the /sys files which isolated_app_all can access. This is important
+# for controlling isolated_app_all attack surface.
+# TODO (b/266555480): The permission should be guarded by compliance test.
+# Remove the negation for member domains when refactorization is done.
+neverallow { isolated_app_all -isolated_compute_app } {
+  sysfs_type
+  -sysfs_devices_system_cpu
+  -sysfs_transparent_hugepage
+  -sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
+  -sysfs_fs_incfs_features
+}:file no_rw_file_perms;
+
+# No creation of sockets families other than AF_UNIX sockets.
+# List taken from system/sepolicy/public/global_macros - socket_class_set
+# excluding unix_stream_socket and unix_dgram_socket.
+# Many of these are socket families which have never and will never
+# be compiled into the Android kernel.
+neverallow isolated_app_all { self ephemeral_app priv_app sdk_sandbox untrusted_app_all }:{
+  socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
+  key_socket appletalk_socket netlink_route_socket
+  netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
+  netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
+  netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+  netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+  netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
+  netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
+  netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
+  rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
+  ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
+  qipcrtr_socket smc_socket xdp_socket
+} create;
diff --git a/private/isolated_compute_app.te b/private/isolated_compute_app.te
new file mode 100644
index 0000000..536261f
--- /dev/null
+++ b/private/isolated_compute_app.te
@@ -0,0 +1,43 @@
+###
+### isolated_compute_apps.
+###
+### This file defines the rules for isolated apps that requires the permission
+### to gather data with service manager and require computational resources to
+### improve the performance to process data under a sandbox. This
+### isolated_compute_app restricts data egress to protect the privacy.
+###
+### TODO(b/266923392): Clean rules for isolated_compute_app characteristics
+###
+type isolated_compute_app, domain;
+
+typeattribute isolated_compute_app coredomain;
+
+app_domain(isolated_compute_app)
+isolated_app_domain(isolated_compute_app)
+
+allow isolated_compute_app audioserver_service:service_manager find;
+allow isolated_compute_app cameraserver_service:service_manager find;
+allow isolated_compute_app content_capture_service:service_manager find;
+allow isolated_compute_app device_state_service:service_manager find;
+allow isolated_compute_app speech_recognition_service:service_manager find;
+
+# Enable access to hardware services for camera functionalilites
+hal_client_domain(isolated_compute_app, hal_allocator)
+hwbinder_use(isolated_compute_app)
+
+#####
+##### Neverallow
+#####
+
+# Do not allow isolated_compute_app to access hardware service except for the
+# ones necessary for camera service.
+# TODO (b/266555480): The permission should be guarded by compliance test.
+# Remove the negation for member domains when refactorization is done.
+# neverallow isolated_compute_app {
+# hwservice_manager_type
+#  -hal_graphics_allocator_hwservice
+#  -hal_graphics_mapper_hwservice
+#  -hidl_allocator_hwservice
+#  -hidl_manager_hwservice
+#  -hidl_memory_hwservice
+# }:hwservice_manager *;
diff --git a/private/kernel.te b/private/kernel.te
index 6775b3b..03ba79f 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -32,6 +32,19 @@
 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;
 
+dontaudit kernel metadata_file:dir search;
+dontaudit kernel ota_metadata_file:dir rw_dir_perms;
+dontaudit kernel sysfs:dir r_dir_perms;
+dontaudit kernel sysfs:file { open read write };
+dontaudit kernel sysfs:chr_file { open read write };
+dontaudit kernel dm_device:chr_file ioctl;
+dontaudit kernel self:capability { sys_admin setgid mknod };
+
+dontaudit kernel dm_user_device:dir { write add_name };
+dontaudit kernel dm_user_device:chr_file { create setattr };
+dontaudit kernel tmpfs:lnk_file read;
+dontaudit kernel tmpfs:blk_file { open read };
+
 # Some contexts are changed before the device is flipped into enforcing mode
 # during the setup of Apex sepolicy. These denials can be suppressed since
 # the permissions should not be allowed after the device is flipped into
diff --git a/private/keystore.te b/private/keystore.te
index 78c0198..cd2ef76 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -20,12 +20,16 @@
 # Allow keystore to check if the system is rkp only.
 get_prop(keystore, remote_prov_prop)
 
+# Allow keystore to check rkpd feature flags
+get_prop(keystore, device_config_remote_key_provisioning_native_prop)
+
 # Allow keystore to write to statsd.
 unix_socket_send(keystore, statsdw, statsd)
 
 # Keystore need access to the keystore_key context files to load the keystore key backend.
 allow keystore keystore2_key_contexts_file:file r_file_perms;
 
+# Allow keystore to listen to changing boot levels
 get_prop(keystore, keystore_listen_prop)
 
 # Keystore needs to transfer binder references to vold so that it
@@ -36,3 +40,6 @@
 # system property, an exception is added for init as well.
 set_prop(keystore, keystore_crash_prop)
 neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
+
+# keystore is using apex_info via libvintf
+use_apex_info(keystore)
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index a9a52bb..dc6882b 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -12,6 +12,7 @@
 allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
 
 # Allow MediaProvider to read/write media_rw_data_file files and dirs
+allow mediaprovider_app media_userdir_file:dir r_dir_perms;
 allow mediaprovider_app media_rw_data_file:file create_file_perms;
 allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
 
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 6fe460c..aaf49f6 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -18,3 +18,8 @@
 
 # Allow mediaserver to start media.transcoding service via ctl.start.
 set_prop(mediaserver, ctl_mediatranscoding_prop);
+
+# Needed for stats callback registration to statsd.
+allow mediaserver stats_service:service_manager find;
+allow mediaserver statsmanager_service:service_manager find;
+binder_call(mediaserver, statsd)
diff --git a/private/mediatuner.te b/private/mediatuner.te
index 413d2e5..bfb264e 100644
--- a/private/mediatuner.te
+++ b/private/mediatuner.te
@@ -17,6 +17,9 @@
 allow mediatuner package_native_service:service_manager find;
 binder_call(mediatuner, system_server)
 
+# Read ro.tuner.lazyhal
+get_prop(mediatuner, tuner_config_prop)
+
 ###
 ### neverallow rules
 ###
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index 22482d9..67bd113 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -6,23 +6,20 @@
 
 neverallow {
   mlstrustedsubject
+  -artd # compile secondary dex files
   -installd
-  -iorap_prefetcherd
-  -iorap_inode2filename
 } { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
 
 neverallow {
   mlstrustedsubject
+  -artd # compile secondary dex files
   -installd
-  -iorap_prefetcherd
-  -iorap_inode2filename
 } { app_data_file privapp_data_file }:dir ~{ read getattr search };
 
 neverallow {
   mlstrustedsubject
+  -artd # compile secondary dex files
   -installd
-  -iorap_prefetcherd
-  -iorap_inode2filename
   -system_server
   -adbd
   -runas
diff --git a/private/mtectrl.te b/private/mtectrl.te
index 436dcae..e0418bc 100644
--- a/private/mtectrl.te
+++ b/private/mtectrl.te
@@ -4,7 +4,18 @@
 
 init_daemon_domain(mtectrl)
 
+# to set the sys prop to match the bootloader message state.
+set_prop(mtectrl, arm64_memtag_prop)
+
 # mtectrl communicates the request to the bootloader via the misc partition.
-allow mtectrl misc_block_device:blk_file w_file_perms;
+# needs to write to update the request in misc partition, and read to sync
+# back to the property.
+allow mtectrl misc_block_device:blk_file rw_file_perms;
 allow mtectrl block_device:dir r_dir_perms;
 read_fstab(mtectrl)
+
+# bootloader_message tries to find the fstab in the device config path first,
+# but because we've already booted up we can use the ro.boot properties instead,
+# so we can just ignore the SELinux denial.
+dontaudit mtectrl sysfs_dt_firmware_android:dir search;
+dontaudit mtectrl vendor_property_type:file read;
diff --git a/private/net.te b/private/net.te
index 9e15f41..07e4271 100644
--- a/private/net.te
+++ b/private/net.te
@@ -12,6 +12,7 @@
   netdomain
   -ephemeral_app
   -mediaprovider
+  -priv_app
   -sdk_sandbox
   -untrusted_app_all
 } self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
diff --git a/private/netd.te b/private/netd.te
index 4aa288b..ae43e47 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -23,7 +23,6 @@
 set_prop(netd, netd_stable_secret_prop)
 
 get_prop(netd, adbd_config_prop)
-get_prop(netd, bpf_progs_loaded_prop)
 get_prop(netd, hwservicemanager_prop)
 get_prop(netd, device_config_netd_native_prop)
 
diff --git a/private/network_stack.te b/private/network_stack.te
index 3cdf884..dfee019 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -75,44 +75,27 @@
 # This place is as good as any for these rules,
 # and it is probably the most appropriate because
 # network_stack itself is entirely mainline code.
-#
-# Unfortunately init/vendor_init have all sorts of extra privs
 
 # T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~getattr;
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file *;
 
 # T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
-
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~getattr;
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file *;
 
 # T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
 # netd's access should be readonly
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~getattr;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file *;
 neverallow netd fs_bpf_netd_readonly:file write;
 
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
-
 # T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
 # netutils_wrapper requires access to be able to run iptables and only needs readonly access
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~getattr;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file *;
 neverallow netutils_wrapper fs_bpf_netd_shared:file write;
 
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
-
 # S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file *;
diff --git a/private/perfetto.te b/private/perfetto.te
index 5897aed..45fa60b 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -110,20 +110,19 @@
   data_file_type
   -system_data_file
   -system_data_root_file
+  -media_userdir_file
+  -system_userdir_file
+  -vendor_userdir_file
   # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
   # neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
-  -zoneinfo_data_file
   -perfetto_traces_data_file
   -perfetto_configs_data_file
   with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
-neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
 neverallow perfetto {
   data_file_type
-  -zoneinfo_data_file
   -perfetto_traces_data_file
   -perfetto_configs_data_file
   with_native_coverage(`-method_trace_data_file')
diff --git a/private/platform_app.te b/private/platform_app.te
index b40f6b9..5d16d85 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -73,7 +73,6 @@
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app thermal_service:service_manager find;
-allow platform_app timezone_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
@@ -116,9 +115,6 @@
 # suppress denials caused by debugfs_tracing
 dontaudit platform_app debugfs_tracing:file rw_file_perms;
 
-# Allow platform apps to act as Perfetto producers.
-perfetto_producer(platform_app)
-
 # Allow platform apps to create VMs
 virtualizationservice_use(platform_app)
 
diff --git a/private/priv_app.te b/private/priv_app.te
index 9d7a0f6..cfd8721 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -126,20 +126,12 @@
 
 read_runtime_log_tags(priv_app)
 
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(priv_app)
-
 # Allow priv_apps to request and collect incident reports.
 # (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
 allow priv_app incident_service:service_manager find;
 binder_call(priv_app, incidentd)
 allow priv_app incidentd:fifo_file { read write };
 
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(priv_app)
-can_profile_perf(priv_app)
-
 # Allow priv_apps to check whether Dynamic System Update is enabled
 get_prop(priv_app, dynamic_system_prop)
 
@@ -190,6 +182,11 @@
 # Required for Phonesky to be able to read staged files under /data/app-staging.
 allow priv_app staging_data_file:dir r_dir_perms;
 
+# Allow com.android.vending to access files under vendor/apex as well as system apex files.
+# This is required for com.android.vending to handle APEXes for e.g. delta patch optimization.
+allow priv_app vendor_apex_file:dir r_dir_perms;
+allow priv_app vendor_apex_file:file r_file_perms;
+
 # allow priv app to access the system app data files for ContentProvider case.
 allow priv_app system_app_data_file:file { read getattr };
 
@@ -201,6 +198,11 @@
 # created by things like renderscript or via other mechanisms.
 allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
 
+# Allow privileged apps to create a VM. Note that access is still
+# guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
+# permission.
+virtualizationservice_use(priv_app)
+
 ###
 ### neverallow rules
 ###
diff --git a/private/profman.te b/private/profman.te
index f61d05e..390f83e 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -1 +1,12 @@
 typeattribute profman coredomain;
+
+# Allow profman to read APKs and profile files next to them by FDs passed from
+# other programs. In addition, allow profman to acquire flocks on those files.
+allow profman {
+  system_file
+  apk_data_file
+  vendor_app_file
+}:file { getattr read map lock };
+
+# Allow profman to use file descriptors passed from privileged programs.
+allow profman { artd installd }:fd use;
diff --git a/private/property.te b/private/property.te
index 41a4c2f..4f806d4 100644
--- a/private/property.te
+++ b/private/property.te
@@ -5,6 +5,7 @@
 system_internal_prop(device_config_lmkd_native_prop)
 system_internal_prop(device_config_mglru_native_prop)
 system_internal_prop(device_config_profcollect_native_boot_prop)
+system_internal_prop(device_config_remote_key_provisioning_native_prop)
 system_internal_prop(device_config_statsd_native_prop)
 system_internal_prop(device_config_statsd_native_boot_prop)
 system_internal_prop(device_config_storage_native_boot_prop)
@@ -18,6 +19,7 @@
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)
 system_internal_prop(init_service_status_private_prop)
+system_internal_prop(init_storage_prop)
 system_internal_prop(init_svc_debug_prop)
 system_internal_prop(keystore_crash_prop)
 system_internal_prop(keystore_listen_prop)
@@ -37,7 +39,9 @@
 system_internal_prop(setupwizard_prop)
 system_internal_prop(snapuserd_prop)
 system_internal_prop(system_adbd_prop)
+system_internal_prop(timezone_metadata_prop)
 system_internal_prop(traced_perf_enabled_prop)
+system_internal_prop(tuner_server_ctl_prop)
 system_internal_prop(userspace_reboot_log_prop)
 system_internal_prop(userspace_reboot_test_prop)
 system_internal_prop(verity_status_prop)
@@ -45,10 +49,11 @@
 system_internal_prop(ctl_mediatranscoding_prop)
 system_internal_prop(ctl_odsign_prop)
 system_internal_prop(virtualizationservice_prop)
+system_internal_prop(ctl_apex_load_prop)
 
 # Properties which can't be written outside system
 system_restricted_prop(device_config_virtualization_framework_native_prop)
-system_restricted_prop(system_user_mode_emulation_prop)
+system_restricted_prop(log_file_logger_prop)
 
 ###
 ### Neverallow rules
@@ -121,7 +126,6 @@
   -restorecon_prop
   -shell_prop
   -system_prop
-  -system_user_mode_emulation_prop
   -usb_prop
   -vold_prop
 }:file no_rw_file_perms;
@@ -150,6 +154,12 @@
 neverallow {
   domain
   -init
+  -extra_free_kbytes
+} init_storage_prop:property_service set;
+
+neverallow {
+  domain
+  -init
 } init_svc_debug_prop:property_service set;
 
 neverallow {
@@ -422,6 +432,8 @@
   -init
   -shell
   -system_app
+  -system_server
+  -mtectrl
 } {
   arm64_memtag_prop
   gwp_asan_prop
@@ -616,7 +628,7 @@
 neverallow domain system_and_vendor_property_type:{file property_service} *;
 
 neverallow {
-  # Only init and the remote provisioner can set the ro.remote_provisioning.* props
+  # Only init and the remote provisioner can set the remote_provisioning props
   domain
   -init
   -remote_prov_app
@@ -630,6 +642,34 @@
 } rollback_test_prop:property_service set;
 
 neverallow {
+  domain
+  -init
+  -apexd
+} ctl_apex_load_prop:property_service set;
+
+neverallow {
+  domain
+  -coredomain
+  -init
+  -dumpstate
+  -apexd
+} ctl_apex_load_prop:file no_rw_file_perms;
+
+neverallow {
+  domain
+  -init
+  -apexd
+} apex_ready_prop:property_service set;
+
+neverallow {
+  domain
+  -coredomain
+  -dumpstate
+  -apexd
+  -vendor_init
+} apex_ready_prop:file no_rw_file_perms;
+
+neverallow {
   # Only allow init and profcollectd to access profcollectd_node_id_prop
   domain
   -init
@@ -637,3 +677,20 @@
   -profcollectd
 } profcollectd_node_id_prop:file r_file_perms;
 
+neverallow {
+  domain
+  -init
+} log_file_logger_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -vendor_init
+} usb_uvc_enabled_prop:property_service set;
+
+# Disallow non system apps from reading ro.usb.uvc.enabled
+neverallow {
+  appdomain
+  -system_app
+  -device_as_webcam
+} usb_uvc_enabled_prop:file no_rw_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
index ac288f0..a343a82 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -43,6 +43,7 @@
 log.                    u:object_r:log_prop:s0
 log.tag                 u:object_r:log_tag_prop:s0
 log.tag.WifiHAL         u:object_r:wifi_log_prop:s0
+ro.log.file_logger.path    u:object_r:log_file_logger_prop:s0 exact string
 security.perf_harden    u:object_r:shell_prop:s0
 persist.simpleperf.profile_app_uid              u:object_r:shell_prop:s0
 persist.simpleperf.profile_app_expiration_time  u:object_r:shell_prop:s0
@@ -162,6 +163,8 @@
 ctl.interface_start$    u:object_r:ctl_interface_start_prop:s0
 ctl.interface_stop$     u:object_r:ctl_interface_stop_prop:s0
 ctl.interface_restart$  u:object_r:ctl_interface_restart_prop:s0
+ctl.apex_load$          u:object_r:ctl_apex_load_prop:s0
+ctl.apex_unload$        u:object_r:ctl_apex_load_prop:s0
 
  # Restrict access to starting/stopping adbd
 ctl.start$adbd             u:object_r:ctl_adbd_prop:s0
@@ -218,6 +221,9 @@
 # heapprofd properties
 heapprofd.              u:object_r:heapprofd_prop:s0
 
+# servicemanager properties
+servicemanager.ready    u:object_r:servicemanager_prop:s0 exact bool
+
 # hwservicemanager properties
 hwservicemanager.       u:object_r:hwservicemanager_prop:s0
 
@@ -241,6 +247,7 @@
 device_config.reset_performed                       u:object_r:device_config_reset_performed_prop:s0
 persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
 persist.device_config.attempted_boot_count          u:object_r:device_config_boot_count_prop:s0
+persist.device_config.camera_native.                u:object_r:device_config_camera_native_prop:s0
 persist.device_config.configuration.                u:object_r:device_config_configuration_prop:s0
 persist.device_config.connectivity.                 u:object_r:device_config_connectivity_prop:s0
 persist.device_config.input_native_boot.            u:object_r:device_config_input_native_boot_prop:s0
@@ -249,6 +256,7 @@
 persist.device_config.netd_native.                  u:object_r:device_config_netd_native_prop:s0
 persist.device_config.nnapi_native.                 u:object_r:device_config_nnapi_native_prop:s0
 persist.device_config.profcollect_native_boot.      u:object_r:device_config_profcollect_native_boot_prop:s0
+persist.device_config.remote_key_provisioning_native.  u:object_r:device_config_remote_key_provisioning_native_prop:s0
 persist.device_config.runtime_native.               u:object_r:device_config_runtime_native_prop:s0
 persist.device_config.runtime_native_boot.          u:object_r:device_config_runtime_native_boot_prop:s0
 persist.device_config.statsd_native.                u:object_r:device_config_statsd_native_prop:s0
@@ -260,6 +268,8 @@
 persist.device_config.vendor_system_native_boot.    u:object_r:device_config_vendor_system_native_boot_prop:s0
 persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
 persist.device_config.window_manager_native_boot.   u:object_r:device_config_window_manager_native_boot_prop:s0
+persist.device_config.memory_safety_native_boot.    u:object_r:device_config_memory_safety_native_boot_prop:s0
+persist.device_config.memory_safety_native.         u:object_r:device_config_memory_safety_native_prop:s0
 
 # F2FS smart idle maint prop
 persist.device_config.storage_native_boot.smart_idle_maint_enabled u:object_r:smart_idle_maint_enabled_prop:s0 exact bool
@@ -274,12 +284,17 @@
 persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
 
 apexd.                  u:object_r:apexd_prop:s0
+apexd.config.           u:object_r:apexd_config_prop:s0
 apexd.config.dm_delete.timeout           u:object_r:apexd_config_prop:s0 exact uint
 apexd.config.dm_create.timeout           u:object_r:apexd_config_prop:s0 exact uint
+apexd.config.loop_wait.attempts          u:object_r:apexd_config_prop:s0 exact uint
 persist.apexd.          u:object_r:apexd_prop:s0
 persist.vendor.apex.    u:object_r:apexd_select_prop:s0
 ro.boot.vendor.apex.    u:object_r:apexd_select_prop:s0
 
+# Property that indicates if an apex is ready: apex.<apex-name>.ready
+apex.                   u:object_r:apex_ready_prop:s0 prefix bool
+
 bpf.progs_loaded        u:object_r:bpf_progs_loaded_prop:s0 exact bool
 
 gsid.                   u:object_r:gsid_prop:s0
@@ -308,6 +323,8 @@
 ro.virtual_ab.compression.xor.enabled   u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.userspace.snapshots.enabled u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
 snapuserd.ready         u:object_r:snapuserd_prop:s0 exact bool
 snapuserd.proxy_ready   u:object_r:snapuserd_prop:s0 exact bool
 snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
@@ -358,6 +375,9 @@
 # Boolean property used in AudioService to configure whether
 # spatializer functionality should be initialized
 ro.audio.spatializer_enabled u:object_r:audio_config_prop:s0 exact bool
+# Boolean property used in AudioService to configure whether
+# to enable head tracking for spatial audio
+ro.audio.headtracking_enabled u:object_r:audio_config_prop:s0 exact bool
 
 persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
 
@@ -455,7 +475,6 @@
 dalvik.vm.restore-dex2oat-cpu-set             u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.restore-dex2oat-threads             u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.usejit                              u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.usejitprofiles                      u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry               u:object_r:dalvik_config_prop:s0 exact int
 
 persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
@@ -476,13 +495,18 @@
 media.stagefright.thumbnail.prefer_hw_codecs u:object_r:media_config_prop:s0 exact bool
 persist.sys.media.avsync                     u:object_r:media_config_prop:s0 exact bool
 
-persist.bluetooth.a2dp_offload.cap             u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
-persist.bluetooth.a2dp_offload.disabled        u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
-persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
-persist.bluetooth.btsnoopenable                u:object_r:exported_bluetooth_prop:s0 exact bool
-persist.bluetooth.btsnoopdefaultmode           u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
-persist.bluetooth.btsnooplogmode               u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
-persist.bluetooth.factoryreset                 u:object_r:bluetooth_prop:s0 exact bool
+persist.bluetooth.a2dp_offload.cap                          u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
+persist.bluetooth.a2dp_offload.disabled                     u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.bluetooth_audio_hal.disabled              u:object_r:bluetooth_audio_hal_prop:s0 exact bool
+persist.bluetooth.btsnoopenable                             u:object_r:exported_bluetooth_prop:s0 exact bool
+persist.bluetooth.btsnoopdefaultmode                        u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
+persist.bluetooth.btsnooplogmode                            u:object_r:bluetooth_prop:s0 exact enum empty disabled filtered full
+persist.bluetooth.snooplogfilter.headers.enabled            u:object_r:bluetooth_prop:s0 exact bool
+persist.bluetooth.snooplogfilter.profiles.a2dp.enabled      u:object_r:bluetooth_prop:s0 exact bool
+persist.bluetooth.snooplogfilter.profiles.map               u:object_r:bluetooth_prop:s0 exact enum empty disabled fullfilter header magic
+persist.bluetooth.snooplogfilter.profiles.pbap              u:object_r:bluetooth_prop:s0 exact enum empty disabled fullfilter header magic
+persist.bluetooth.snooplogfilter.profiles.rfcomm.enabled    u:object_r:bluetooth_prop:s0 exact bool
+persist.bluetooth.factoryreset                              u:object_r:bluetooth_prop:s0 exact bool
 
 bluetooth.hardware.power.operating_voltage_mv        u:object_r:bluetooth_config_prop:s0 exact int
 bluetooth.hardware.power.idle_cur_ma                 u:object_r:bluetooth_config_prop:s0 exact int
@@ -493,6 +517,8 @@
 bluetooth.framework.adapter_address_validation       u:object_r:bluetooth_config_prop:s0 exact bool
 
 bluetooth.core.gap.le.privacy.enabled                u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.gap.le.conn.min.limit                 u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.core.gap.le.conn.only_init_1m_phy.enabled  u:object_r:bluetooth_config_prop:s0 exact bool
 
 bluetooth.device.default_name                        u:object_r:bluetooth_config_prop:s0 exact string
 bluetooth.device.class_of_device                     u:object_r:bluetooth_config_prop:s0 exact string
@@ -526,6 +552,36 @@
 bluetooth.profile.sap.server.enabled                 u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.profile.vcp.controller.enabled             u:object_r:bluetooth_config_prop:s0 exact bool
 
+bluetooth.core.acl.link_supervision_timeout          u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_type                u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_interval            u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_scan_window              u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_type                 u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_interval             u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.inq_scan_window               u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.page_timeout                  u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.sniff_max_intervals           u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.core.classic.sniff_min_intervals           u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.core.classic.sniff_attempts                u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.core.classic.sniff_timeouts                u:object_r:bluetooth_config_prop:s0 exact string
+
+bluetooth.core.le.min_connection_interval            u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval            u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_latency                 u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_supervision_timeout     u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.direct_connection_timeout          u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_interval_fast      u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_fast        u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_2m_fast     u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_coded_fast  u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_interval_slow      u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_slow        u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.inquiry_scan_interval              u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.inquiry_scan_window                u:object_r:bluetooth_config_prop:s0 exact uint
+
+bluetooth.core.le.vendor_capabilities.enabled        u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.sco.disable_enhanced_connection            u:object_r:bluetooth_config_prop:s0 exact bool
+
 persist.nfc.debug_enabled                      u:object_r:nfc_prop:s0 exact bool
 
 persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
@@ -543,21 +599,32 @@
 ro.hdmi.cec.source.send_standby_on_sleep                           u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
 ro.hdmi.cec.source.playback_device_action_on_routing_control       u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
 
-pm.dexopt.ab-ota                            u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.bg-dexopt                         u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.boot                              u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.cmdline                           u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.disable_bg_dexopt                 u:object_r:exported_pm_prop:s0 exact bool
-pm.dexopt.downgrade_after_inactive_days     u:object_r:exported_pm_prop:s0 exact int
-pm.dexopt.first-boot                        u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.inactive                          u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install                           u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-fast                      u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk                      u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary            u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-downgraded           u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.shared                            u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt                                     u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt.concurrency                         u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.first-boot                                    u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.first-boot.concurrency                        u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.boot-after-ota                                u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot-after-ota.concurrency                    u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.boot-after-mainline-update                    u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot-after-mainline-update.concurrency        u:object_r:exported_pm_prop:s0 exact int
+
+pm.dexopt.post-boot                                     u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.ab-ota                                        u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.cmdline                                       u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.inactive                                      u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install                                       u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-fast                                  u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk                                  u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary                        u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-downgraded                       u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install-bulk-secondary-downgraded             u:object_r:exported_pm_prop:s0 exact string
+
+pm.dexopt.shared                                        u:object_r:exported_pm_prop:s0 exact string
+
+pm.dexopt.disable_bg_dexopt                             u:object_r:exported_pm_prop:s0 exact bool
+pm.dexopt.downgrade_after_inactive_days                 u:object_r:exported_pm_prop:s0 exact int
+
+pm.dexopt.                                              u:object_r:future_pm_prop:s0 prefix
 
 ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
 
@@ -599,6 +666,11 @@
 external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
 external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
 ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
+
+# hypervisor.*: configured by the vendor to advertise capabilities of their
+# hypervisor to virtualizationservice.
+hypervisor.memory_reclaim.supported u:object_r:hypervisor_restricted_prop:s0 exact bool
 
 ro.config.per_app_memcg         u:object_r:lmkd_config_prop:s0 exact bool
 ro.lmk.critical                 u:object_r:lmkd_config_prop:s0 exact int
@@ -636,6 +708,10 @@
 
 ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
 
+ro.recovery.usb.vid          u:object_r:recovery_usb_config_prop:s0 exact string
+ro.recovery.usb.adb.pid      u:object_r:recovery_usb_config_prop:s0 exact string
+ro.recovery.usb.fastboot.pid u:object_r:recovery_usb_config_prop:s0 exact string
+
 ro.storage_manager.enabled     u:object_r:storagemanager_config_prop:s0 exact bool
 ro.storage_manager.show_opt_in u:object_r:storagemanager_config_prop:s0 exact bool
 
@@ -664,6 +740,7 @@
 sys.usb.config. u:object_r:usb_prop:s0
 
 sys.usb.ffs.aio_compat u:object_r:ffs_config_prop:s0 exact bool
+sys.usb.ffs.io_uring_enabled u:object_r:ffs_config_prop:s0 exact bool
 sys.usb.ffs.max_read   u:object_r:ffs_config_prop:s0 exact int
 sys.usb.ffs.max_write  u:object_r:ffs_config_prop:s0 exact int
 
@@ -745,8 +822,26 @@
 
 net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
 
-persist.sys.locale       u:object_r:exported_system_prop:s0 exact string
-persist.sys.timezone     u:object_r:exported_system_prop:s0 exact string
+# Settings system properties containing mutable "global" device settings.
+#
+# These can't be Android settings because they are also read by low-level
+# binaries that don't have access to "real" SettingsProvider settings. This
+# will usually be because of when they execute, e.g. during boot when Android
+# services are not yet running, and/or because they are needed by binaries that
+# are not "Android aware", i.e. they have light integration with the Android
+# platform via the low-level system properties lib.  Processes like shell may
+# modify these for testing purposes, but doing so is generally discouraged;
+# updates to these props will generally require intents to be sent to
+# long-running Android apps so they can update cached data and their UI state.
+persist.sys.locale       u:object_r:locale_prop:s0 exact string
+persist.sys.timezone     u:object_r:timezone_prop:s0 exact string
+
+# Time zone metadata system properties. Holds information associated with the
+# device's time zone and will therefore be written to at the same time.  Unlike
+# timezone_prop props, these do not need to be read by other processes.
+persist.sys.timezone_confidence u:object_r:timezone_metadata_prop:s0 exact uint
+
+persist.sys.mte.permissive u:object_r:permissive_mte_prop:s0 exact string
 persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
 
 ro.arch u:object_r:build_prop:s0 exact string
@@ -759,6 +854,7 @@
 ro.boot.bootloader         u:object_r:bootloader_prop:s0 exact string
 ro.boot.boottime           u:object_r:bootloader_prop:s0 exact string
 ro.boot.console            u:object_r:bootloader_prop:s0 exact string
+ro.boot.ddr_size           u:object_r:bootloader_prop:s0 exact string
 ro.boot.hardware           u:object_r:bootloader_prop:s0 exact string
 ro.boot.hardware.color     u:object_r:bootloader_prop:s0 exact string
 ro.boot.hardware.sku       u:object_r:bootloader_prop:s0 exact string
@@ -815,7 +911,8 @@
 
 ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
 
-ro.debuggable u:object_r:userdebug_or_eng_prop:s0 exact bool
+ro.debuggable       u:object_r:userdebug_or_eng_prop:s0 exact bool
+ro.force.debuggable u:object_r:build_prop:s0 exact bool
 
 ro.treble.enabled u:object_r:build_prop:s0 exact bool
 
@@ -976,6 +1073,11 @@
 ro.product.vendor_dlkm.model        u:object_r:build_vendor_prop:s0 exact string
 ro.product.vendor_dlkm.name         u:object_r:build_vendor_prop:s0 exact string
 
+# build props for attestation feature are set by property_service
+ro.product.brand_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.model_for_attestation u:object_r:build_attestation_prop:s0 exact string
+ro.product.name_for_attestation  u:object_r:build_attestation_prop:s0 exact string
+
 # GRF property for the first api level of the vendor partition
 ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
 ro.board.api_level       u:object_r:build_vendor_prop:s0 exact int
@@ -1069,6 +1171,7 @@
 ro.hardware.consumerir           u:object_r:exported_default_prop:s0 exact string
 ro.hardware.context_hub          u:object_r:exported_default_prop:s0 exact string
 ro.hardware.egl                  u:object_r:exported_default_prop:s0 exact string
+ro.hardware.egl_legacy           u:object_r:graphics_config_prop:s0 exact string
 ro.hardware.fingerprint          u:object_r:exported_default_prop:s0 exact string
 ro.hardware.flp                  u:object_r:exported_default_prop:s0 exact string
 ro.hardware.gatekeeper           u:object_r:exported_default_prop:s0 exact string
@@ -1108,6 +1211,9 @@
 ro.kernel.qemu.            u:object_r:exported_default_prop:s0
 ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
 
+# This property is used by init to store the original value or /proc/sys/vm/watermark_scale_factor
+ro.kernel.watermark_scale_factor          u:object_r:init_storage_prop:s0 exact int
+
 ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
 
 ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
@@ -1179,6 +1285,7 @@
 ro.surface_flinger.color_space_agnostic_dataspace         u:object_r:surfaceflinger_prop:s0 exact int
 ro.surface_flinger.refresh_rate_switching                 u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
+ro.surface_flinger.enable_adpf_cpu_hint                   u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.enable_frame_rate_override             u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.enable_layer_caching                   u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.display_update_imminent_timeout_ms     u:object_r:surfaceflinger_prop:s0 exact int
@@ -1251,6 +1358,9 @@
 # Graphics related properties
 ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
 
+ro.egl.blobcache.multifile       u:object_r:graphics_config_prop:s0 exact bool
+ro.egl.blobcache.multifile_limit u:object_r:graphics_config_prop:s0 exact int
+
 ro.gfx.driver.0          u:object_r:graphics_config_prop:s0 exact string
 ro.gfx.driver.1          u:object_r:graphics_config_prop:s0 exact string
 ro.gfx.angle.supported   u:object_r:graphics_config_prop:s0 exact bool
@@ -1276,12 +1386,21 @@
 remote_provisioning.strongbox.rkp_only u:object_r:remote_prov_prop:s0 exact bool
 remote_provisioning.tee.rkp_only u:object_r:remote_prov_prop:s0 exact bool
 
+# Hostname for the remote provisioning server a device should communicate with
+remote_provisioning.hostname u:object_r:remote_prov_prop:s0 exact string
+
+# Indicates the system should use rkpd instead of RemoteProvisioner
+remote_provisioning.enable_rkpd u:object_r:remote_prov_prop:s0 exact bool
+
 # Broadcast boot stages, which keystore listens to
 keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
 
 # Property that tracks keystore crash counts during a boot cycle.
 keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
 
+# Configure the means by which we protect the L0 key from the future
+ro.keystore.boot_level_key.strategy u:object_r:keystore_config_prop:s0 exact string
+
 partition.system.verified     u:object_r:verity_status_prop:s0 exact string
 partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
 partition.product.verified    u:object_r:verity_status_prop:s0 exact string
@@ -1348,5 +1467,58 @@
 # virtualization service properties
 virtualizationservice.state.last_cid u:object_r:virtualizationservice_prop:s0 exact uint
 
+# properties for the virtual Face HAL
+persist.vendor.face.virtual.type u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.strength u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.enrollments u:object_r:virtual_face_hal_prop:s0 exact string
+persist.vendor.face.virtual.features u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.enrollment_hit u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_start_enroll_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.next_enrollment u:object_r:virtual_face_hal_prop:s0 exact string
+vendor.face.virtual.authenticator_id u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.challenge u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.lockout u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_fails u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_detect_interaction_fails u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_enroll_fails u:object_r:virtual_face_hal_prop:s0 exact bool
+vendor.face.virtual.operation_authenticate_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_detect_interaction_latency u:object_r:virtual_face_hal_prop:s0 exact int
+vendor.face.virtual.operation_authenticate_duration u:object_r:virtual_face_hal_prop:s0 exact int
+
+# properties for the virtual Fingerprint HAL
+persist.vendor.fingerprint.virtual.type u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.lockout u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.authenticator_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.sensor_location u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+persist.vendor.fingerprint.virtual.sensor_id u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.sensor_strength u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.max_enrollments u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.navigation_guesture u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.detect_interaction u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.udfps.display_touch u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.udfps.control_illumination u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.lockout_enable u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+persist.vendor.fingerprint.virtual.lockout_timed_threshold u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.lockout_timed_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+persist.vendor.fingerprint.virtual.lockout_permanent_threshold u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.enrollment_hit u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.next_enrollment u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.challenge u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+vendor.fingerprint.virtual.operation_authenticate_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_detect_interaction_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_enroll_fails u:object_r:virtual_fingerprint_hal_prop:s0 exact bool
+vendor.fingerprint.virtual.operation_authenticate_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.operation_detect_interaction_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.operation_enroll_latency u:object_r:virtual_fingerprint_hal_prop:s0 exact string
+vendor.fingerprint.virtual.operation_authenticate_duration u:object_r:virtual_fingerprint_hal_prop:s0 exact int
+
+# properties for tuner
+ro.tuner.lazyhal    u:object_r:tuner_config_prop:s0 exact bool
+tuner.server.enable u:object_r:tuner_server_ctl_prop:s0 exact bool
+
 # Adaptive haptics settings property
 vibrator.adaptive_haptics.enabled u:object_r:adaptive_haptics_prop:s0 exact string
+
+# UVC Gadget property
+ro.usb.uvc.enabled      u:object_r:usb_uvc_enabled_prop:s0 exact bool
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
index f49eb63..d5f8e3f 100644
--- a/private/remote_prov_app.te
+++ b/private/remote_prov_app.te
@@ -8,6 +8,9 @@
 # The app needs access to properly build a DeviceInfo package for the verifying server
 get_prop(remote_prov_app, vendor_security_patch_level_prop)
 
+# if rkpd is enabled, remote provisioner is a noop
+get_prop(remote_prov_app, device_config_remote_key_provisioning_native_prop)
+
 allow remote_prov_app {
     app_api_service
     mediametrics_service
diff --git a/private/rkpd.te b/private/rkpd.te
new file mode 100644
index 0000000..45e3e8d
--- /dev/null
+++ b/private/rkpd.te
@@ -0,0 +1,15 @@
+# Policies for Remote Key Provisioning Daemon (rkpd)
+type rkpd, domain;
+type rkpd_exec, system_file_type, exec_type, file_type;
+
+typeattribute rkpd coredomain;
+
+binder_use(rkpd)
+binder_service(rkpd)
+
+init_daemon_domain(rkpd)
+
+add_service(rkpd, rkpd_registrar_service)
+add_service(rkpd, rkpd_refresh_service)
+
+get_prop(rkpd, device_config_remote_key_provisioning_native_prop)
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
new file mode 100644
index 0000000..2d25540
--- /dev/null
+++ b/private/rkpd_app.te
@@ -0,0 +1,26 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+typeattribute rkpdapp coredomain;
+
+app_domain(rkpdapp)
+net_domain(rkpdapp)
+
+# RKPD needs to be able to call the remote provisioning HALs
+hal_client_domain(rkpdapp, hal_keymint)
+
+# Grant access to certain system properties related to RKP
+get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
+get_prop(rkpdapp, remote_prov_prop)
+
+# Grant access to the normal services that are available to all apps
+allow rkpdapp app_api_service:service_manager find;
+
+# Grant access to media.metrics service, needed for widevine. This
+# access is granted to all other apps already (e.g. untrusted_app_all).
+allow rkpdapp mediametrics_service:service_manager find;
+
+# Grant access to statsd
+allow rkpdapp statsmanager_service:service_manager find;
+binder_call(rkpdapp, statsd)
diff --git a/private/runas_app.te b/private/runas_app.te
index c1b354a..a5f47f4 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -14,7 +14,7 @@
 r_dir_file(runas_app, untrusted_app_all)
 
 # Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
-allow runas_app untrusted_app_all:process { ptrace signal sigstop };
+allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
 allow runas_app untrusted_app_all:unix_stream_socket connectto;
 
 # Allow executing system image simpleperf without a domain transition.
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 20d3adf..cfcf2a4 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -10,12 +10,134 @@
 net_domain(sdk_sandbox)
 app_domain(sdk_sandbox)
 
+# TODO(b/252967582): remove this rule if it generates too much logs traffic.
+auditallow sdk_sandbox {
+    property_type
+    # remove expected properties to reduce noise.
+    -servicemanager_prop
+    -hwservicemanager_prop
+    -use_memfd_prop
+    -binder_cache_system_server_prop
+    -graphics_config_prop
+    -persist_wm_debug_prop
+    -aaudio_config_prop
+    -adbd_config_prop
+    -apex_ready_prop
+    -apexd_select_prop
+    -arm64_memtag_prop
+    -audio_prop
+    -binder_cache_bluetooth_server_prop
+    -binder_cache_telephony_server_prop
+    -bluetooth_config_prop
+    -boot_status_prop
+    -bootloader_prop
+    -bq_config_prop
+    -build_odm_prop
+    -build_prop
+    -build_vendor_prop
+    -camera2_extensions_prop
+    -camera_calibration_prop
+    -camera_config_prop
+    -camerax_extensions_prop
+    -codec2_config_prop
+    -config_prop
+    -cppreopt_prop
+    -dalvik_config_prop
+    -dalvik_prop
+    -dalvik_runtime_prop
+    -dck_prop
+    -debug_prop
+    -debuggerd_prop
+    -default_prop
+    -device_config_memory_safety_native_boot_prop
+    -device_config_memory_safety_native_prop
+    -device_config_nnapi_native_prop
+    -device_config_runtime_native_boot_prop
+    -device_config_runtime_native_prop
+    -dhcp_prop
+    -dumpstate_prop
+    -exported3_system_prop
+    -exported_config_prop
+    -exported_default_prop
+    -exported_dumpstate_prop
+    -exported_pm_prop
+    -exported_system_prop
+    -ffs_config_prop
+    -fingerprint_prop
+    -framework_status_prop
+    -gwp_asan_prop
+    -hal_instrumentation_prop
+    -hdmi_config_prop
+    -heapprofd_prop
+    -hw_timeout_multiplier_prop
+    -init_service_status_private_prop
+    -init_service_status_prop
+    -libc_debug_prop
+    -lmkd_config_prop
+    -locale_prop
+    -localization_prop
+    -log_file_logger_prop
+    -log_prop
+    -log_tag_prop
+    -logd_prop
+    -media_config_prop
+    -media_variant_prop
+    -mediadrm_config_prop
+    -module_sdkextensions_prop
+    -net_radio_prop
+    -nfc_prop
+    -nnapi_ext_deny_product_prop
+    -ota_prop
+    -packagemanager_config_prop
+    -pan_result_prop
+    -permissive_mte_prop
+    -persist_debug_prop
+    -pm_prop
+    -powerctl_prop
+    -property_service_version_prop
+    -radio_control_prop
+    -radio_prop
+    -restorecon_prop
+    -rollback_test_prop
+    -sendbug_config_prop
+    -setupwizard_prop
+    -shell_prop
+    -soc_prop
+    -socket_hook_prop
+    -sqlite_log_prop
+    -storagemanager_config_prop
+    -surfaceflinger_color_prop
+    -surfaceflinger_prop
+    -system_prop
+    -system_user_mode_emulation_prop
+    -systemsound_config_prop
+    -telephony_config_prop
+    -telephony_status_prop
+    -test_harness_prop
+    -timezone_prop
+    -usb_config_prop
+    -usb_control_prop
+    -usb_prop
+    -userdebug_or_eng_prop
+    -userspace_reboot_config_prop
+    -userspace_reboot_exported_prop
+    -userspace_reboot_log_prop
+    -userspace_reboot_test_prop
+    -vendor_socket_hook_prop
+    -vndk_prop
+    -vold_config_prop
+    -vold_prop
+    -vold_status_prop
+    -vts_config_prop
+    -vts_status_prop
+    -wifi_log_prop
+    -zygote_config_prop
+    -zygote_wrap_prop
+    -init_service_status_prop
+}:file { getattr open read map };
+
 # Allow finding services. This is different from ephemeral_app policy.
 # Adding services manually to the allowlist is preferred hence app_api_service is not used.
-# Audit the access to signal that we are still investigating whether sdk_sandbox
-# should have access to audio_service
-# TODO(b/211632068): remove this line
-auditallow sdk_sandbox audio_service:service_manager find;
 
 allow sdk_sandbox activity_service:service_manager find;
 allow sdk_sandbox activity_task_service:service_manager find;
@@ -92,13 +214,9 @@
 
 allow sdk_sandbox system_linker_exec:file execute_no_trans;
 
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(sdk_sandbox)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(sdk_sandbox)
-can_profile_perf(sdk_sandbox)
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox shell_data_file:file r_file_perms;
+allow sdk_sandbox shell_data_file:dir r_dir_perms;
 
 # allow sdk sandbox to use UDP sockets provided by the system server but not
 # modify them other than to connect
diff --git a/private/seapp_contexts b/private/seapp_contexts
index b26d977..878d50e 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -11,6 +11,7 @@
 #       isPrivApp (boolean)
 #       minTargetSdkVersion (unsigned integer)
 #       fromRunAs (boolean)
+#       isIsolatedComputeApp (boolean)
 #
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
@@ -40,6 +41,11 @@
 #       it has a default value of 0.
 # fromRunAs=true means the process being labeled is started by run-as. Default
 # is false.
+# isIsolatedComputeApp=true means the process re-uses an isolated Uid but not
+# restricted to run in an isolated_app domain. Processes match this selector will
+# be mapped to isolated_compute_app by default. It is expected to be used together
+# with user=_isolated. This selector should not be used unless it is intended
+# to provide isolated processes with relaxed security restrictions.
 #
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
@@ -57,6 +63,7 @@
 #              minTargetSdkVersion= integer. Note that minTargetSdkVersion=
 #              defaults to 0 if unspecified.
 #       (8) fromRunAs=true before fromRunAs=false.
+#       (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
 # (A fixed selector is more specific than a prefix, i.e. ending in *, and a
 # longer prefix is more specific than a shorter prefix.)
 # Apps are checked against entries in precedence order until the first match,
@@ -122,9 +129,12 @@
 
 # neverallow non-isolated uids into isolated_app domain
 # and vice versa
-neverallow user=_isolated domain=((?!isolated_app).)*
+neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)*
 neverallow user=((?!_isolated).)* domain=isolated_app
 
+# neverallow isolatedComputeApp into domains other than isolated_compute_app
+neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)*
+
 # uid shell should always be in shell domain, however non-shell
 # uid's can be in shell domain
 neverallow user=shell domain=((?!shell).)*
@@ -144,6 +154,7 @@
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
+user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
 user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
 user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
@@ -153,6 +164,7 @@
 user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
 user=webview_zygote seinfo=webview_zygote domain=webview_zygote
 user=_isolated domain=isolated_app levelFrom=user
+user=_isolated isIsolatedComputeApp=true domain=isolated_compute_app levelFrom=user
 user=_sdksandbox domain=sdk_sandbox type=sdk_sandbox_data_file levelFrom=all
 user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
 user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
@@ -164,11 +176,14 @@
 user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
 user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=34 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=32 domain=untrusted_app_32 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
@@ -176,4 +191,3 @@
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
 user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
 user=_app fromRunAs=true domain=runas_app levelFrom=user
-
diff --git a/private/security_classes b/private/security_classes
index 0d3cc80..99f947f 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -142,6 +142,8 @@
 
 class perf_event
 
+class io_uring
+
 # Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
 class lockdown
 
diff --git a/private/service.te b/private/service.te
index 1f407a6..8059bfb 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,7 +1,8 @@
 type ambient_context_service,       app_api_service, system_server_service, service_manager_type;
 type attention_service,             system_server_service, service_manager_type;
+type bg_install_control_service,    system_server_service, service_manager_type;
 type compos_service,                service_manager_type;
-type communal_service,      app_api_service, system_server_service, service_manager_type;
+type communal_service,              app_api_service, system_server_service, service_manager_type;
 type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     app_api_service, system_api_service, system_server_service, service_manager_type;
@@ -10,6 +11,8 @@
 type mediatuner_service,            app_api_service, service_manager_type;
 type profcollectd_service,          service_manager_type;
 type resolver_service,              system_server_service, service_manager_type;
+type rkpd_registrar_service,        service_manager_type;
+type rkpd_refresh_service,          service_manager_type;
 type safety_center_service,         app_api_service, system_api_service, system_server_service, service_manager_type;
 type stats_service,                 service_manager_type;
 type statsbootstrap_service,        system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 72fa166..6af5eab 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,20 +1,44 @@
+android.frameworks.cameraservice.service.ICameraService/default      u:object_r:fwk_camera_service:s0
+android.frameworks.location.altitude.IAltitudeService/default        u:object_r:fwk_altitude_service:s0
+android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
+android.frameworks.sensorservice.ISensorManager/default              u:object_r:fwk_sensor_service:s0
 android.hardware.audio.core.IConfig/default                          u:object_r:hal_audio_service:s0
+# 'default' IModule is equivalent to 'primary' in HIDL
 android.hardware.audio.core.IModule/default                          u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/a2dp                             u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/bluetooth                        u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/hearing_aid                      u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/msd                              u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/r_submix                         u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/stub                             u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/usb                              u:object_r:hal_audio_service:s0
+android.hardware.audio.effect.IFactory/default                       u:object_r:hal_audio_service:s0
+android.hardware.audio.sounddose.ISoundDoseFactory/default           u:object_r:hal_audio_service:s0
 android.hardware.authsecret.IAuthSecret/default                      u:object_r:hal_authsecret_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/0                  u:object_r:hal_evs_service:s0
+android.hardware.boot.IBootControl/default                           u:object_r:hal_bootctl_service:s0
+android.hardware.automotive.can.ICanController/default               u:object_r:hal_can_controller_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/1                  u:object_r:hal_evs_service:s0
-android.hardware.automotive.vehicle.IVehicle/default                 u:object_r:hal_vehicle_service:s0
 android.hardware.automotive.audiocontrol.IAudioControl/default       u:object_r:hal_audiocontrol_service:s0
+android.hardware.automotive.remoteaccess.IRemoteAccess/default       u:object_r:hal_remoteaccess_service:s0
+android.hardware.automotive.vehicle.IVehicle/default                 u:object_r:hal_vehicle_service:s0
 android.hardware.biometrics.face.IFace/default                       u:object_r:hal_face_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/default         u:object_r:hal_fingerprint_service:s0
+android.hardware.biometrics.fingerprint.IFingerprint/virtual         u:object_r:hal_fingerprint_service:s0
+android.hardware.bluetooth.IBluetoothHci/default                     u:object_r:hal_bluetooth_service:s0
 android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
+android.hardware.broadcastradio.IBroadcastRadio/amfm                 u:object_r:hal_broadcastradio_service:s0
+android.hardware.broadcastradio.IBroadcastRadio/dab                  u:object_r:hal_broadcastradio_service:s0
 # The instance here is internal/0 following naming convention for ICameraProvider.
 # It advertises internal camera devices.
 android.hardware.camera.provider.ICameraProvider/internal/0          u:object_r:hal_camera_service:s0
+android.hardware.cas.IMediaCasService/default                        u:object_r:hal_cas_service:s0
+android.hardware.confirmationui.IConfirmationUI/default              u:object_r:hal_confirmationui_service:s0
 android.hardware.contexthub.IContextHub/default                      u:object_r:hal_contexthub_service:s0
 android.hardware.drm.IDrmFactory/clearkey                            u:object_r:hal_drm_service:s0
 android.hardware.drm.ICryptoFactory/clearkey                         u:object_r:hal_drm_service:s0
 android.hardware.dumpstate.IDumpstateDevice/default                  u:object_r:hal_dumpstate_service:s0
+android.hardware.fastboot.IFastboot/default                          u:object_r:hal_fastboot_service:s0
 android.hardware.gnss.IGnss/default                                  u:object_r:hal_gnss_service:s0
 android.hardware.graphics.allocator.IAllocator/default               u:object_r:hal_graphics_allocator_service:s0
 android.hardware.graphics.composer3.IComposer/default                u:object_r:hal_graphics_composer_service:s0
@@ -34,6 +58,10 @@
 android.hardware.radio.data.IRadioData/slot1                         u:object_r:hal_radio_service:s0
 android.hardware.radio.data.IRadioData/slot2                         u:object_r:hal_radio_service:s0
 android.hardware.radio.data.IRadioData/slot3                         u:object_r:hal_radio_service:s0
+android.hardware.radio.ims.IRadioIms/slot1                           u:object_r:hal_radio_service:s0
+android.hardware.radio.ims.IRadioIms/slot2                           u:object_r:hal_radio_service:s0
+android.hardware.radio.ims.IRadioIms/slot3                           u:object_r:hal_radio_service:s0
+android.hardware.radio.ims.media.IImsMedia/default                   u:object_r:hal_radio_service:s0
 android.hardware.radio.messaging.IRadioMessaging/slot1               u:object_r:hal_radio_service:s0
 android.hardware.radio.messaging.IRadioMessaging/slot2               u:object_r:hal_radio_service:s0
 android.hardware.radio.messaging.IRadioMessaging/slot3               u:object_r:hal_radio_service:s0
@@ -43,9 +71,15 @@
 android.hardware.radio.network.IRadioNetwork/slot1                   u:object_r:hal_radio_service:s0
 android.hardware.radio.network.IRadioNetwork/slot2                   u:object_r:hal_radio_service:s0
 android.hardware.radio.network.IRadioNetwork/slot3                   u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot1               u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot2               u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot3               u:object_r:hal_radio_service:s0
 android.hardware.radio.sim.IRadioSim/slot1                           u:object_r:hal_radio_service:s0
 android.hardware.radio.sim.IRadioSim/slot2                           u:object_r:hal_radio_service:s0
 android.hardware.radio.sim.IRadioSim/slot3                           u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot1                                u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot2                                u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot3                                u:object_r:hal_radio_service:s0
 android.hardware.radio.voice.IRadioVoice/slot1                       u:object_r:hal_radio_service:s0
 android.hardware.radio.voice.IRadioVoice/slot2                       u:object_r:hal_radio_service:s0
 android.hardware.radio.voice.IRadioVoice/slot3                       u:object_r:hal_radio_service:s0
@@ -53,21 +87,36 @@
 android.hardware.security.dice.IDiceDevice/default                   u:object_r:hal_dice_service:s0
 android.hardware.security.keymint.IKeyMintDevice/default             u:object_r:hal_keymint_service:s0
 android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.gatekeeper.IGatekeeper/default                      u:object_r:hal_gatekeeper_service:s0
 android.hardware.security.secureclock.ISecureClock/default             u:object_r:hal_secureclock_service:s0
 android.hardware.security.sharedsecret.ISharedSecret/default             u:object_r:hal_sharedsecret_service:s0
 android.hardware.sensors.ISensors/default                            u:object_r:hal_sensors_service:s0
 android.hardware.soundtrigger3.ISoundTriggerHw/default               u:object_r:hal_audio_service:s0
+android.hardware.tetheroffload.IOffload/default                      u:object_r:hal_tetheroffload_service:s0
+android.hardware.thermal.IThermal/default                            u:object_r:hal_thermal_service:s0
+android.hardware.tv.hdmi.cec.IHdmiCec/default                        u:object_r:hal_tv_hdmi_cec_service:s0
+android.hardware.tv.hdmi.connection.IHdmiConnection/default          u:object_r:hal_tv_hdmi_connection_service:s0
+android.hardware.tv.hdmi.earc.IEArc/default                          u:object_r:hal_tv_hdmi_earc_service:s0
 android.hardware.tv.tuner.ITuner/default                             u:object_r:hal_tv_tuner_service:s0
+android.hardware.tv.input.ITvInput/default                           u:object_r:hal_tv_input_service:s0
 android.hardware.usb.IUsb/default                                    u:object_r:hal_usb_service:s0
+android.hardware.usb.gadget.IUsbGadget/default                       u:object_r:hal_usb_gadget_service:s0
 android.hardware.uwb.IUwb/default                                    u:object_r:hal_uwb_service:s0
 android.hardware.vibrator.IVibrator/default                          u:object_r:hal_vibrator_service:s0
 android.hardware.vibrator.IVibratorManager/default                   u:object_r:hal_vibrator_service:s0
 android.hardware.weaver.IWeaver/default                              u:object_r:hal_weaver_service:s0
+android.hardware.wifi.IWifi/default                                  u:object_r:hal_wifi_service:s0
 android.hardware.wifi.hostapd.IHostapd/default                       u:object_r:hal_wifi_hostapd_service:s0
 android.hardware.wifi.supplicant.ISupplicant/default                 u:object_r:hal_wifi_supplicant_service:s0
-android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
 android.se.omapi.ISecureElementService/default                       u:object_r:secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE1                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE2                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE3                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM1                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM2                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM3                  u:object_r:hal_secure_element_service:s0
 android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
+android.system.net.netd.INetd/default                                u:object_r:system_net_netd_service:s0
 android.system.suspend.ISystemSuspend/default                        u:object_r:hal_system_suspend_service:s0
 
 accessibility                             u:object_r:accessibility_service:s0
@@ -117,6 +166,7 @@
 audio                                     u:object_r:audio_service:s0
 auth                                      u:object_r:auth_service:s0
 autofill                                  u:object_r:autofill_service:s0
+background_install_control                u:object_r:bg_install_control_service:s0
 backup                                    u:object_r:backup_service:s0
 batteryproperties                         u:object_r:batteryproperties_service:s0
 batterystats                              u:object_r:batterystats_service:s0
@@ -135,6 +185,7 @@
 com.android.net.IProxyService             u:object_r:IProxyService_service:s0
 companiondevice                           u:object_r:companion_device_service:s0
 communal                                  u:object_r:communal_service:s0
+credential                                u:object_r:credential_service:s0
 platform_compat                           u:object_r:platform_compat_service:s0
 platform_compat_native                    u:object_r:platform_compat_service:s0
 connectivity                              u:object_r:connectivity_service:s0
@@ -155,6 +206,7 @@
 device_policy                             u:object_r:device_policy_service:s0
 device_identifiers                        u:object_r:device_identifiers_service:s0
 deviceidle                                u:object_r:deviceidle_service:s0
+device_lock                               u:object_r:devicelock_service:s0
 device_state                              u:object_r:device_state_service:s0
 devicestoragemonitor                      u:object_r:devicestoragemonitor_service:s0
 diskstats                                 u:object_r:diskstats_service:s0
@@ -174,7 +226,6 @@
 emergency_affordance                      u:object_r:emergency_affordance_service:s0
 euicc_card_controller                     u:object_r:radio_service:s0
 external_vibrator_service                 u:object_r:external_vibrator_service:s0
-lowpan                                    u:object_r:lowpan_service:s0
 ethernet                                  u:object_r:ethernet_service:s0
 face                                      u:object_r:face_service:s0
 file_integrity                            u:object_r:file_integrity_service:s0
@@ -184,11 +235,13 @@
 game                                      u:object_r:game_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
 gnss_time_update_service                  u:object_r:gnss_time_update_service:s0
+grammatical_inflection                    u:object_r:grammatical_inflection_service:s0
 graphicsstats                             u:object_r:graphicsstats_service:s0
 gpu                                       u:object_r:gpu_service:s0
 hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
+healthconnect                             u:object_r:healthconnect_service:s0
 ions                                      u:object_r:radio_service:s0
 idmap                                     u:object_r:idmap_service:s0
 incident                                  u:object_r:incident_service:s0
@@ -197,7 +250,6 @@
 input_method                              u:object_r:input_method_service:s0
 input                                     u:object_r:input_service:s0
 installd                                  u:object_r:installd_service:s0
-iorapd                                    u:object_r:iorapd_service:s0
 iphonesubinfo_msim                        u:object_r:radio_service:s0
 iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
@@ -261,6 +313,7 @@
 nfc                                       u:object_r:nfc_service:s0
 notification                              u:object_r:notification_service:s0
 oem_lock                                  u:object_r:oem_lock_service:s0
+ondevicepersonalization_system_service    u:object_r:ondevicepersonalization_system_service:s0
 otadexopt                                 u:object_r:otadexopt_service:s0
 overlay                                   u:object_r:overlay_service:s0
 pac_proxy                                 u:object_r:pac_proxy_service:s0
@@ -289,9 +342,12 @@
 rcs                                       u:object_r:radio_service:s0
 reboot_readiness                          u:object_r:reboot_readiness_service:s0
 recovery                                  u:object_r:recovery_service:s0
+remote_provisioning                       u:object_r:remote_provisioning_service:s0
 resolver                                  u:object_r:resolver_service:s0
 resources                                 u:object_r:resources_manager_service:s0
 restrictions                              u:object_r:restrictions_service:s0
+rkpd.registrar                            u:object_r:rkpd_registrar_service:s0
+rkpd.refresh                              u:object_r:rkpd_refresh_service:s0
 role                                      u:object_r:role_service:s0
 rollback                                  u:object_r:rollback_service:s0
 rttmanager                                u:object_r:rttmanager_service:s0
@@ -348,7 +404,6 @@
 texttospeech                              u:object_r:texttospeech_service:s0
 time_detector                             u:object_r:timedetector_service:s0
 time_zone_detector                        u:object_r:timezonedetector_service:s0
-timezone                                  u:object_r:timezone_service:s0
 thermalservice                            u:object_r:thermal_service:s0
 tracing.proxy                             u:object_r:tracingproxy_service:s0
 translation                               u:object_r:translation_service:s0
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 6294452..5a69a43 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -5,3 +5,10 @@
 read_runtime_log_tags(servicemanager)
 
 set_prop(servicemanager, ctl_interface_start_prop)
+set_prop(servicemanager, servicemanager_prop)
+
+# servicemanager is using bootstrap bionic
+use_bootstrap_libs(servicemanager)
+
+# servicemanager is using apex_info via libvintf
+use_apex_info(servicemanager)
diff --git a/private/shell.te b/private/shell.te
index c20e612..02105a9 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -121,6 +121,9 @@
   allow shell profcollectd:binder call;
 ')
 
+# Allow shell to run remount command.
+allow shell remount_exec:file rx_file_perms;
+
 # Allow shell to call perf_event_open for profiling other shell processes, but
 # not the whole system.
 allow shell self:perf_event { open read write kernel };
@@ -181,6 +184,9 @@
 get_prop(shell, last_boot_reason_prop)
 get_prop(shell, system_boot_reason_prop)
 
+# Allow shell to execute the remote key provisioning factory tool
+binder_call(shell, hal_keymint)
+
 # Allow reading the outcome of perf_event_open LSM support test for CTS.
 get_prop(shell, init_perf_lsm_hooks_prop)
 
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 2e2c473..797a6c2 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -8,8 +8,6 @@
 
 allow snapuserd kmsg_device:chr_file rw_file_perms;
 
-allow snapuserd self:capability ipc_lock;
-
 # Allow snapuserd to reach block devices in /dev/block.
 allow snapuserd block_device:dir search;
 
@@ -53,3 +51,13 @@
   -snapuserd
   -init
 } snapuserd_prop:property_service set;
+
+# Allow to read/write/create OTA metadata files
+allow snapuserd metadata_file:dir search;
+allow snapuserd ota_metadata_file:dir rw_dir_perms;
+allow snapuserd ota_metadata_file:file create_file_perms;
+
+# This capability allows snapuserd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
+allow snapuserd self:capability ipc_lock;
+io_uring_use(snapuserd)
diff --git a/private/stats.te b/private/stats.te
index db29072..89b9488 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -45,8 +45,10 @@
   -incidentd
   -keystore
   -mediametrics
+  -mediaserver
   -platform_app
   -priv_app
+  -rkpdapp
   -shell
   -stats
   -statsd
diff --git a/private/su.te b/private/su.te
index 587f449..cc00e10 100644
--- a/private/su.te
+++ b/private/su.te
@@ -19,6 +19,9 @@
   # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
   domain_auto_trans(su, perfetto_exec, perfetto)
 
+  # Put the virtmgr command into its domain.
+  domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager)
+
   # su is also permissive to permit setenforce.
   permissive su;
 
@@ -27,4 +30,6 @@
   # Do not audit accesses to keystore2 namespace for the su domain.
   dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
 
+  # Allow root to set MTE permissive mode.
+  set_prop(su, permissive_mte_prop);
 ')
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index bb16f20..91e9aba 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -49,6 +49,9 @@
 allow surfaceflinger video_device:dir r_dir_perms;
 allow surfaceflinger video_device:chr_file rw_file_perms;
 
+# Access the secure heap.
+allow surfaceflinger dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
 # Create and use netlink kobject uevent sockets.
 allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
@@ -58,7 +61,9 @@
 set_prop(surfaceflinger, exported_system_prop)
 set_prop(surfaceflinger, exported3_system_prop)
 set_prop(surfaceflinger, ctl_bootanim_prop)
+set_prop(surfaceflinger, locale_prop)
 set_prop(surfaceflinger, surfaceflinger_display_prop)
+set_prop(surfaceflinger, timezone_prop)
 
 # Get properties.
 get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
@@ -130,6 +135,9 @@
 # Allow to use files supplied by hal_evs
 allow surfaceflinger hal_evs:fd use;
 
+# Allow to use release fence fds supplied by hal_camera
+allow surfaceflinger hal_camera:fd use;
+
 # Allow pushing jank event atoms to statsd
 userdebug_or_eng(`
     unix_socket_send(surfaceflinger, statsdw, statsd)
diff --git a/private/system_app.te b/private/system_app.te
index 76e5f7d..e2bec30 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -45,8 +45,10 @@
 set_prop(system_app, exported_system_prop)
 set_prop(system_app, exported3_system_prop)
 set_prop(system_app, gesture_prop)
+set_prop(system_app, locale_prop)
 set_prop(system_app, logd_prop)
 set_prop(system_app, net_radio_prop)
+set_prop(system_app, timezone_prop)
 set_prop(system_app, usb_control_prop)
 set_prop(system_app, usb_prop)
 set_prop(system_app, log_tag_prop)
@@ -88,7 +90,6 @@
   -dnsresolver_service
   -dumpstate_service
   -installd_service
-  -iorapd_service
   -lpdump_service
   -mdns_service
   -netd_service
@@ -104,7 +105,6 @@
   dnsresolver_service
   dumpstate_service
   installd_service
-  iorapd_service
   mdns_service
   netd_service
   virtual_touchpad_service
@@ -114,6 +114,9 @@
 # suppress denials caused by debugfs_tracing
 dontaudit system_app debugfs_tracing:file rw_file_perms;
 
+# Ignore access to zram when Debug.getMemInfo is called.
+dontaudit system_app sysfs_zram:dir search;
+
 allow system_app keystore:keystore_key {
     get_state
     get
@@ -174,8 +177,8 @@
 # Settings app reads ro.oem_unlock_supported
 get_prop(system_app, oem_unlock_prop)
 
-# Allow system apps to act as Perfetto producers.
-perfetto_producer(system_app)
+# Settings app reads ro.usb.uvc.enabled
+get_prop(system_app, usb_uvc_enabled_prop)
 
 ###
 ### Neverallow rules
diff --git a/private/system_server.te b/private/system_server.te
index 6d3bc78..4e5b2e8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,7 @@
 
 typeattribute system_server coredomain;
 typeattribute system_server mlstrustedsubject;
+typeattribute system_server remote_provisioning_service_server;
 typeattribute system_server scheduler_service_server;
 typeattribute system_server sensor_service_server;
 typeattribute system_server stats_service_server;
@@ -282,6 +283,7 @@
 # Perform Binder IPC.
 binder_use(system_server)
 binder_call(system_server, appdomain)
+binder_call(system_server, artd)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, composd)
 binder_call(system_server, dumpstate)
@@ -291,7 +293,6 @@
 binder_call(system_server, idmap)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
-binder_call(system_server, iorapd)
 binder_call(system_server, netd)
 userdebug_or_eng(`binder_call(system_server, profcollectd)')
 binder_call(system_server, statsd)
@@ -300,7 +301,6 @@
 binder_call(system_server, vold)
 binder_call(system_server, logd)
 binder_call(system_server, wificond)
-binder_call(system_server, wpantund)
 binder_service(system_server)
 
 # Use HALs
@@ -331,6 +331,9 @@
 hal_client_domain(system_server, hal_tetheroffload)
 hal_client_domain(system_server, hal_thermal)
 hal_client_domain(system_server, hal_tv_cec)
+hal_client_domain(system_server, hal_tv_hdmi_cec)
+hal_client_domain(system_server, hal_tv_hdmi_connection)
+hal_client_domain(system_server, hal_tv_hdmi_earc)
 hal_client_domain(system_server, hal_tv_input)
 hal_client_domain(system_server, hal_usb)
 hal_client_domain(system_server, hal_usb_gadget)
@@ -418,7 +421,9 @@
 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
 allow system_server mediadrmserver:udp_socket rw_socket_perms;
 
-userdebug_or_eng(`perfetto_producer({ system_server })')
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(system_server)
 
 # Get file context
 allow system_server file_contexts_file:file r_file_perms;
@@ -491,6 +496,10 @@
 allow system_server keychain_data_file:file create_file_perms;
 allow system_server keychain_data_file:lnk_file create_file_perms;
 
+# Read the user parent directories like /data/user.  Don't allow write access,
+# as vold is responsible for creating and deleting the subdirectories.
+allow system_server system_userdir_file:dir r_dir_perms;
+
 # Manage /data/app.
 allow system_server apk_data_file:dir create_dir_perms;
 allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
@@ -600,12 +609,9 @@
 allow system_server textclassifier_data_file:dir create_dir_perms;
 allow system_server textclassifier_data_file:file create_file_perms;
 
-# Access /data/tombstones.
-allow system_server tombstone_data_file:dir r_dir_perms;
-allow system_server tombstone_data_file:file r_file_perms;
-
-# Allow write access to be able to truncate tombstones.
-allow system_server tombstone_data_file:file write;
+# Manage /data/tombstones.
+allow system_server tombstone_data_file:dir rw_dir_perms;
+allow system_server tombstone_data_file:file create_file_perms;
 
 # Manage /data/misc/vpn.
 allow system_server vpn_data_file:dir create_dir_perms;
@@ -615,10 +621,6 @@
 allow system_server wifi_data_file:dir create_dir_perms;
 allow system_server wifi_data_file:file create_file_perms;
 
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
 # Manage /data/app-staging.
 allow system_server staging_data_file:dir create_dir_perms;
 allow system_server staging_data_file:file create_file_perms;
@@ -695,6 +697,7 @@
 # Property Service write
 set_prop(system_server, system_prop)
 set_prop(system_server, bootanim_system_prop)
+set_prop(system_server, bluetooth_prop)
 set_prop(system_server, exported_system_prop)
 set_prop(system_server, exported3_system_prop)
 set_prop(system_server, safemode_prop)
@@ -721,6 +724,9 @@
 set_prop(system_server, provisioned_prop)
 set_prop(system_server, retaildemo_prop)
 set_prop(system_server, dmesgd_start_prop)
+set_prop(system_server, locale_prop)
+set_prop(system_server, timezone_metadata_prop)
+set_prop(system_server, timezone_prop)
 userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 userdebug_or_eng(`set_prop(system_server, system_user_mode_emulation_prop)')
 
@@ -741,6 +747,7 @@
 set_prop(system_server, device_config_runtime_native_prop)
 set_prop(system_server, device_config_lmkd_native_prop)
 set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_camera_native_prop)
 set_prop(system_server, device_config_mglru_native_prop)
 set_prop(system_server, device_config_profcollect_native_boot_prop)
 set_prop(system_server, device_config_statsd_native_prop)
@@ -755,7 +762,11 @@
 set_prop(system_server, device_config_vendor_system_native_prop)
 set_prop(system_server, device_config_vendor_system_native_boot_prop)
 set_prop(system_server, device_config_virtualization_framework_native_prop)
+set_prop(system_server, device_config_memory_safety_native_boot_prop)
+set_prop(system_server, device_config_memory_safety_native_prop)
+set_prop(system_server, device_config_remote_key_provisioning_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
+set_prop(system_server, arm64_memtag_prop)
 
 # Allow query ART device config properties
 get_prop(system_server, device_config_runtime_native_boot_prop)
@@ -822,6 +833,11 @@
 # Read persist.wm.debug. properties
 get_prop(system_server, persist_wm_debug_prop)
 
+# Read ro.tuner.lazyhal
+get_prop(system_server, tuner_config_prop)
+# Write tuner.server.enable
+set_prop(system_server, tuner_server_ctl_prop)
+
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
@@ -861,8 +877,8 @@
 
 # Read and delete files under /dev/fscklogs.
 r_dir_file(system_server, fscklogs)
-allow system_server fscklogs:dir { write remove_name };
-allow system_server fscklogs:file unlink;
+allow system_server fscklogs:dir { write remove_name add_name };
+allow system_server fscklogs:file rename;
 
 # logd access, system_server inherit logd write socket
 # (urge is to deprecate this long term)
@@ -888,6 +904,7 @@
 allow system_server sysfs_zram:file rw_file_perms;
 
 add_service(system_server, system_server_service);
+allow system_server artd_service:service_manager find;
 allow system_server audioserver_service:service_manager find;
 allow system_server authorization_service:service_manager find;
 allow system_server batteryproperties_service:service_manager find;
@@ -905,7 +922,6 @@
 allow system_server incident_service:service_manager find;
 allow system_server incremental_service:service_manager find;
 allow system_server installd_service:service_manager find;
-allow system_server iorapd_service:service_manager find;
 allow system_server keystore_maintenance_service:service_manager find;
 allow system_server keystore_metrics_service:service_manager find;
 allow system_server keystore_service:service_manager find;
@@ -1074,10 +1090,11 @@
 # Allow invoking tools like "timeout"
 allow system_server toolbox_exec:file rx_file_perms;
 
-# Allow system process to setup and measure fs-verity
-allowxperm system_server apk_data_file:file ioctl {
-  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
+# Allow system process to setup fs-verity
+allowxperm system_server { apk_data_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
+
+# Allow system process to measure fs-verity for apps, apps being installed and system files
+allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
 
 # Postinstall
 #
@@ -1170,8 +1187,9 @@
 
 # System server may dump profile data for debuggable apps in the /data/misc/profman.
 # As such it needs to be able create files but it should never read from them.
+# It also needs to stat the directory to check if it has the right permissions.
 allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
-allow system_server profman_dump_data_file:dir w_dir_perms;
+allow system_server profman_dump_data_file:dir rw_dir_perms;
 
 # On userdebug build we may profile system server. Allow it to write and create its own profile.
 userdebug_or_eng(`
@@ -1207,8 +1225,8 @@
 # Font files are written by system server
 allow system_server font_data_file:file create_file_perms;
 allow system_server font_data_file:dir create_dir_perms;
-# Allow system process to setup fs-verity for font files
-allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+# Allow system process to setup and measure fs-verity for font files
+allowxperm system_server font_data_file:file ioctl { FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY };
 
 # Read qemu.hw.mainkeys property
 get_prop(system_server, qemu_hw_prop)
@@ -1282,6 +1300,7 @@
   device_config_runtime_native_prop
   device_config_media_native_prop
   device_config_mglru_native_prop
+  device_config_remote_key_provisioning_native_prop
   device_config_storage_native_boot_prop
   device_config_surface_flinger_native_boot_prop
   device_config_sys_traced_prop
@@ -1289,6 +1308,13 @@
   device_config_window_manager_native_boot_prop
 }:property_service set;
 
+# Only allow system_server and init to set tuner_server_ctl_prop
+neverallow {
+  domain
+  -system_server
+  -init
+} tuner_server_ctl_prop:property_service set;
+
 # system_server should never be executing dex2oat. This is either
 # a bug (for example, bug 16317188), or represents an attempt by
 # system server to dynamically load a dex file, something we do not
@@ -1422,6 +1448,8 @@
 
 # Read/Write /proc/pressure/memory
 allow system_server proc_pressure_mem:file rw_file_perms;
+# Read /proc/pressure/cpu and /proc/pressure/io
+allow system_server { proc_pressure_cpu proc_pressure_io }:file r_file_perms;
 
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index fcd4fe7..069bb10 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -7,27 +7,27 @@
 
 ; Apps, except isolated apps, are clients of Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_allocator_client;
+;     typeattribute { appdomain -isolated_app_all } hal_allocator_client;
 ;     typeattribute hal_allocator_client halclientdomain;
-(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app_all))))))
 (typeattributeset halclientdomain (hal_allocator_client))
 
 ; Apps, except isolated apps, are clients of OMX-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app_all))))))
 
 ; Apps, except isolated apps, are clients of Codec2-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app_all))))))
 
 ; Apps, except isolated apps and SDK sandboxes, are clients of Drm-related services
 ; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app) (sdk_sandbox)))))))
+(typeattributeset hal_drm_client ((and (appdomain) ((not (or (isolated_app_all) (sdk_sandbox)))))))
 
 ; Apps, except isolated apps, are clients of Configstore HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_configstore_client;
-(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+;     typeattribute { appdomain -isolated_app_all } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app_all))))))
 
 ; Apps, except isolated apps, are clients of Graphics Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
@@ -36,8 +36,8 @@
 
 ; Apps, except isolated apps, are clients of Cas HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
+;     typeattribute { appdomain -isolated_app_all } hal_cas_client;
+(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app_all))))))
 
 ; Domains hosting Camera HAL implementations are clients of Allocator HAL
 ; Unfortunately, we can't currently express this in module policy language:
@@ -46,8 +46,8 @@
 
 ; Apps, except isolated apps, are clients of Neuralnetworks HAL
 ; Unfortunately, we can't currently express this in module policy language:
-;     typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
-(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
+;     typeattribute { appdomain -isolated_app_all } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app_all))))))
 
 ; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
 ; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
diff --git a/private/toolbox.te b/private/toolbox.te
index 1e53d72..5878997 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -5,3 +5,8 @@
 # rm -rf in /data/misc/virtualizationservice
 allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
 allow toolbox virtualizationservice_data_file:file { getattr unlink };
+
+# If we can't remove these directories we try to chmod them. That
+# doesn't work, but it doesn't matter as virtualizationservice itself
+# will delete them when it starts. See b/235338094#comment39
+dontaudit toolbox virtualizationservice_data_file:dir setattr;
diff --git a/private/traced.te b/private/traced.te
index a6e200e..3029094 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,7 +1,4 @@
 # Perfetto user-space tracing daemon (unprivileged)
-
-# type traced is defined under /public (because iorapd rules
-# under public/ need to refer to it).
 type traced_exec, system_file_type, exec_type, file_type;
 
 # Allow init to exec the daemon.
@@ -41,11 +38,6 @@
 binder_use(traced);
 binder_call(traced, system_server);
 
-# Allow iorapd to pass memfd descriptors to traced, so traced can directly
-# write into the shmem buffer file without doing roundtrips over IPC.
-allow traced iorapd:fd use;
-allow traced iorapd_tmpfs:file { read write };
-
 # Allow traced to use shared memory supplied by producers. Typically, traced
 # (i.e. the tracing service) creates the shared memory used for data transfer
 # from the producer. This rule allows an alternative scheme, where the producer
@@ -95,18 +87,17 @@
   -perfetto_traces_bugreport_data_file
   -system_data_file
   -system_data_root_file
+  -media_userdir_file
+  -system_userdir_file
+  -vendor_userdir_file
   # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
-  -zoneinfo_data_file
   with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow traced { system_data_file }:dir ~{ getattr search };
-neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced {
   data_file_type
-  -zoneinfo_data_file
   -perfetto_traces_data_file
   -perfetto_traces_bugreport_data_file
   -trace_data_file
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 811bf48..080b6fe 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -60,9 +60,14 @@
 # Never allow access to app data files
 neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
 
-# Never allow profiling highly privileged processes.
+# Never allow profiling privileged or otherwise incompatible domains.
+# Corresponding allow-rule is in private/domain.te.
 never_profile_perf(`{
+  apexd
+  app_zygote
   bpfloader
+  diced
+  hal_configstore
   init
   kernel
   keystore
@@ -71,4 +76,6 @@
   ueventd
   vendor_init
   vold
+  webview_zygote
+  zygote
 }')
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 66d5ac4..5cc271c 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -83,6 +83,7 @@
   proc_meminfo
   proc_vmstat
   proc_stat
+  proc_buddyinfo
 }:file r_file_perms;
 
 # Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
@@ -126,6 +127,9 @@
   -dalvikcache_data_file
   -system_data_file
   -system_data_root_file
+  -media_userdir_file
+  -system_userdir_file
+  -vendor_userdir_file
   -system_app_data_file
   -backup_data_file
   -bootstat_data_file
@@ -136,15 +140,11 @@
   # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
   # subsequent neverallow. Currently only getattr and search are allowed.
   -vendor_data_file
-  -zoneinfo_data_file
   with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
-neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced_probes {
   data_file_type
-  -zoneinfo_data_file
   -packages_list_file
   with_native_coverage(`-method_trace_data_file')
   -game_mode_intervention_list_file
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
deleted file mode 100644
index 502735c..0000000
--- a/private/tzdatacheck.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tzdatacheck coredomain;
-
-init_daemon_domain(tzdatacheck)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 63b095a..d0f9b24 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -2,7 +2,7 @@
 ### Untrusted apps.
 ###
 ### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 32.
+### targetSdkVersion >= 34.
 ###
 ### See public/untrusted_app.te for more information about which apps are
 ### placed in this selinux domain.
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index b40fad0..2c0391f 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -53,5 +53,9 @@
 allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
 
-# Allow hidden build props
-get_prop({ untrusted_app_25 userdebug_or_eng(`-untrusted_app_25') }, userdebug_or_eng_prop)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_25, mdnsd, mdnsd)
+userdebug_or_eng(`
+  auditallow untrusted_app_25 mdnsd_socket:sock_file write;
+  auditallow untrusted_app_25 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index dd9b4a8..163803a 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -41,5 +41,9 @@
 allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
 
-# Allow hidden build props
-get_prop({ untrusted_app_27 userdebug_or_eng(`-untrusted_app_27') }, userdebug_or_eng_prop)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_27, mdnsd, mdnsd)
+userdebug_or_eng(`
+  auditallow untrusted_app_27 mdnsd_socket:sock_file write;
+  auditallow untrusted_app_27 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index 0cc2bea..758ed23 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -19,5 +19,9 @@
 allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
 
-# Allow hidden build props
-get_prop({ untrusted_app_29 userdebug_or_eng(`-untrusted_app_29') }, userdebug_or_eng_prop)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_29, mdnsd, mdnsd)
+userdebug_or_eng(`
+  auditallow untrusted_app_29 mdnsd_socket:sock_file write;
+  auditallow untrusted_app_29 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index 7b23be7..830106d 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -21,5 +21,9 @@
 allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
 
-# Allow hidden build props
-get_prop({ untrusted_app_30 userdebug_or_eng(`-untrusted_app_30') }, userdebug_or_eng_prop)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_30, mdnsd, mdnsd)
+userdebug_or_eng(`
+  auditallow untrusted_app_30 mdnsd_socket:sock_file write;
+  auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_32.te b/private/untrusted_app_32.te
new file mode 100644
index 0000000..643c122
--- /dev/null
+++ b/private/untrusted_app_32.te
@@ -0,0 +1,30 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### 31 < targetSdkVersion <= 33.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+
+typeattribute untrusted_app_32 coredomain;
+
+app_domain(untrusted_app_32)
+untrusted_app_domain(untrusted_app_32)
+net_domain(untrusted_app_32)
+bluetooth_domain(untrusted_app_32)
+
+# Allow webview to access fd shared by sdksandbox for experiments data
+# TODO(b/229249719): Will not be supported in Android U
+allow untrusted_app_32 sdk_sandbox_data_file:fd use;
+allow untrusted_app_32 sdk_sandbox_data_file:file write;
+
+neverallow untrusted_app_32 sdk_sandbox_data_file:file { open create };
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(untrusted_app_32, mdnsd, mdnsd)
+userdebug_or_eng(`
+  auditallow untrusted_app_32 mdnsd_socket:sock_file write;
+  auditallow untrusted_app_32 mdnsd:unix_stream_socket connectto;
+')
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 26077f3..f666cc8 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -129,14 +129,6 @@
 allow untrusted_app_all vendor_app_file:file { r_file_perms execute };
 allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
 
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(untrusted_app_all)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(untrusted_app_all)
-can_profile_perf(untrusted_app_all)
-
 # allow untrusted apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
 allow untrusted_app_all system_server:udp_socket {
@@ -153,9 +145,12 @@
 
 # These have been disallowed since Android O.
 # For P, we assume that apps are safely handling the denial.
-dontaudit untrusted_app_all proc_stat:file read;
-dontaudit untrusted_app_all proc_vmstat:file read;
-dontaudit untrusted_app_all proc_uptime:file read;
+dontaudit untrusted_app_all {
+  proc_stat
+  proc_uptime
+  proc_vmstat
+  proc_zoneinfo
+}:file read;
 
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
@@ -171,11 +166,13 @@
   allow untrusted_app_all self:lockdown integrity;
 ')
 
-# Allow running a VM for test/demo purposes. Note that access the service is
-# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
-# permission. The protection level of the permission is `signature|development`
-# so that it can only be granted to either platform-key signed apps or
-# test-only apps having `android:testOnly="true"` in its manifest.
+# Allow running a VM for test/demo purposes. Note that access to the
+# service is still guarded with the
+# `android.permission.MANAGE_VIRTUAL_MACHINE` permission. The
+# protection level of the permission is
+# `signature|privileged|development` so that it can only be granted to
+# either platform-key signed apps, privileged apps, or test-only apps
+# having `android:testOnly="true"` in their manifest.
 virtualizationservice_use(untrusted_app_all)
 
 with_native_coverage(`
diff --git a/private/update_engine.te b/private/update_engine.te
index c3f575f..8d6341c 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -30,3 +30,7 @@
 # capex decompression
 allow update_engine apex_service:service_manager find;
 binder_call(update_engine, apexd)
+
+# let this domain use the hal service
+binder_use(update_engine)
+hal_client_domain(update_engine, hal_bootctl)
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 70b3ef9..acbd84e 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -12,6 +12,9 @@
 # Let vendor_init react to AVF device config changes
 get_prop(vendor_init, device_config_virtualization_framework_native_prop)
 
+# Let vendor_init use apex.<name>.ready to start services from vendor APEX
+get_prop(vendor_init, apex_ready_prop)
+
 # chown/chmod on devices, e.g. /dev/ttyHS0
 allow vendor_init {
   dev_type
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
new file mode 100644
index 0000000..946c783
--- /dev/null
+++ b/private/virtualizationmanager.te
@@ -0,0 +1,81 @@
+# Domain for a child process that manages virtual machines on behalf of its parent.
+
+type virtualizationmanager, domain, coredomain;
+type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+
+# Allow virtualizationmanager to communicate use, read and write over the adb connection.
+allow virtualizationmanager adbd:fd use;
+allow virtualizationmanager adbd:unix_stream_socket { read write };
+
+# Let the virtualizationmanager domain use Binder.
+binder_use(virtualizationmanager)
+
+# Let virtualizationmanager find and communicate with virtualizationservice.
+allow virtualizationmanager virtualization_service:service_manager find;
+binder_call(virtualizationmanager, virtualizationservice)
+
+# Allow calling into the system server to find native services. "permission_service" to check
+# permissions, and "package_native" for staged apex info.
+binder_call(virtualizationmanager, system_server)
+allow virtualizationmanager { package_native_service permission_service }:service_manager find;
+
+# When virtualizationmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtualizationmanager, crosvm_exec, crosvm)
+
+# Let virtualizationmanager kill crosvm.
+allow virtualizationmanager crosvm:process sigkill;
+
+# Let virtualizationmanager create files inside virtualizationservice's temporary directories.
+allow virtualizationmanager virtualizationservice_data_file:dir rw_dir_perms;
+allow virtualizationmanager virtualizationservice_data_file:{ file sock_file } create_file_perms;
+
+# Let virtualizationmanager read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationmanager apk_data_file:file { getattr read };
+
+# Write access is needed for mutable partitions like instance.img
+allow virtualizationmanager {
+  app_data_file
+  apex_compos_data_file
+  privapp_data_file
+}:file { getattr read write };
+
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationmanager shell_data_file:file { getattr read write };
+
+# Allow virtualizationmanager to read apex-info-list.xml and access the APEX files listed there.
+allow virtualizationmanager apex_info_file:file r_file_perms;
+allow virtualizationmanager apex_data_file:dir search;
+allow virtualizationmanager staging_data_file:file r_file_perms;
+allow virtualizationmanager staging_data_file:dir search;
+
+# Run derive_classpath in our domain
+allow virtualizationmanager derive_classpath_exec:file rx_file_perms;
+allow virtualizationmanager apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationmanager self:dir write;
+
+# Let virtualizationmanager to accept vsock connection from the guest VMs
+allow virtualizationmanager self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationmanager to inspect all hypervisor capabilities.
+get_prop(virtualizationmanager, hypervisor_prop)
+get_prop(virtualizationmanager, hypervisor_restricted_prop)
+
+# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
+unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
+
+# Append ramdumps to tombstone files passed as fds from tombstoned
+allow virtualizationmanager tombstone_data_file:file { append getattr };
+allow virtualizationmanager tombstoned:fd use;
+
+# Allow virtualizationservice to read AVF debug policy
+allow virtualizationmanager sysfs_dt_avf:dir search;
+allow virtualizationmanager sysfs_dt_avf:file { open read };
+
+# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
+r_dir_file(virtualizationmanager, crosvm);
+
+# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
+# a harmless denial for CompOS log files, so ignore that.
+dontaudit virtualizationmanager apex_module_data_file:dir search;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index c369a90..561e778 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -1,72 +1,49 @@
 type virtualizationservice, domain, coredomain;
 type virtualizationservice_exec, system_file_type, exec_type, file_type;
 
+# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
+# the virtualizationmanager domain running at a more constrained MLS level.
+typeattribute virtualizationservice mlstrustedsubject;
+
 # When init runs a file labelled with virtualizationservice_exec, run it in the
 # virtualizationservice domain.
 init_daemon_domain(virtualizationservice)
 
 # Let the virtualizationservice domain use Binder.
 binder_use(virtualizationservice)
-# ... and host a binder service
-binder_service(virtualizationservice)
-
-# Allow calling into the system server so that it can check permissions.
-binder_call(virtualizationservice, system_server)
-allow virtualizationservice permission_service:service_manager find;
-# Allow virtualizationservice to access "package_native" service for staged apex info.
-allow virtualizationservice package_native_service:service_manager find;
 
 # Let the virtualizationservice domain register the virtualization_service with ServiceManager.
 add_service(virtualizationservice, virtualization_service)
 
-# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
+# Allow calling into the system server to find "permission_service".
+binder_call(virtualizationservice, system_server)
+allow virtualizationservice permission_service:service_manager find;
 
-# Let virtualizationservice kill crosvm.
-allow virtualizationservice crosvm:process sigkill;
+# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
+# to mlock VM memory and page tables.
+allow virtualizationservice self:capability sys_resource;
+allow virtualizationservice virtualizationmanager:process setrlimit;
 
-# Let virtualizationservice access its data directory.
-allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
+# Let virtualizationservice set the owner of a VM's temporary directory.
+allow virtualizationservice self:capability chown;
+
+# Let virtualizationservice create and delete temporary directories of VMs. To remove old
+# directories, it needs the permission to unlink the files created by virtualizationmanager.
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
+allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
 
 # Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
 # crosvm to the console
 allow virtualizationservice adbd:fd use;
 allow virtualizationservice adbd:unix_stream_socket { read write };
 
-# Let virtualizationservice read and write files from its various clients, but not open them
-# directly as they must be passed over Binder by the client.
-allow virtualizationservice apk_data_file:file { getattr read };
-# Write access is needed for mutable partitions like instance.img
-allow virtualizationservice {
-  app_data_file
-  apex_compos_data_file
-}:file { getattr read write };
-
-# shell_data_file is used for automated tests and manual debugging.
-allow virtualizationservice shell_data_file:file { getattr read write };
-
-# Allow virtualizationservice to read apex-info-list.xml and access the APEX files listed there.
-allow virtualizationservice apex_info_file:file r_file_perms;
-allow virtualizationservice apex_data_file:dir search;
-allow virtualizationservice staging_data_file:file r_file_perms;
-allow virtualizationservice staging_data_file:dir search;
-
-# Run derive_classpath in our domain
-allow virtualizationservice derive_classpath_exec:file rx_file_perms;
-allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
-# Ignore harmless denials on /proc/self/fd
-dontaudit virtualizationservice self:dir write;
-
-# Let virtualizationservice to accept vsock connection from the guest VMs
+# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
+# such as the guest tombstone server.
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
 # Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
 set_prop(virtualizationservice, virtualizationservice_prop)
 
-# Allow virtualizationservice to inspect hypervisor capabilities.
-get_prop(virtualizationservice, hypervisor_prop)
-
 # Allow writing stats to statsd
 unix_socket_send(virtualizationservice, statsdw, statsd)
 
@@ -82,3 +59,16 @@
   -init
   -virtualizationservice
 } virtualizationservice_prop:property_service set;
+
+neverallow {
+  domain
+  -init
+  -virtualizationmanager
+  -virtualizationservice
+} virtualizationservice_data_file:file { open create };
+
+neverallow virtualizationservice {
+  domain
+  -virtualizationmanager
+  -virtualizationservice
+}:process setrlimit;
diff --git a/private/vold.te b/private/vold.te
index cb7b1bc..40c1a57 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -66,3 +66,31 @@
     -apexd
     -gsid
 } vold_service:service_manager find;
+
+# Allow vold to create and delete per-user directories like /data/user/$userId.
+allow vold {
+    media_userdir_file
+    system_userdir_file
+    vendor_userdir_file
+}:dir {
+    add_name
+    remove_name
+    write
+};
+
+# Only vold should create (and delete) per-user directories like
+# /data/user/$userId.  This is very important, as these directories need to be
+# encrypted with per-user keys, which only vold can do.  Encryption can only be
+# set up on empty directories, so creation and encryption must happen together.
+neverallow {
+    domain
+    -vold
+} {
+    media_userdir_file
+    system_userdir_file
+    vendor_userdir_file
+}:dir {
+    add_name
+    remove_name
+    write
+};
diff --git a/private/wpantund.te b/private/wpantund.te
deleted file mode 100644
index e91662c..0000000
--- a/private/wpantund.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute wpantund coredomain;
-
-init_daemon_domain(wpantund)
diff --git a/private/zygote.te b/private/zygote.te
index b1c3d44..9c47468 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -36,6 +36,9 @@
 allow zygote system_data_file:dir r_dir_perms;
 allow zygote system_data_file:file r_file_perms;
 
+# Get attributes of /mnt/expand, needed by cacheNonBootClasspathClassLoaders.
+allow zygote mnt_expand_file:dir getattr;
+
 # Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
@@ -59,45 +62,53 @@
 allow zygote apex_art_data_file:dir { getattr search };
 allow zygote apex_art_data_file:file { r_file_perms execute };
 
-# Bind mount on /data/data and mounted volumes
-allow zygote { system_data_file mnt_expand_file }:dir mounton;
+# Mount tmpfs over various directories containing per-app directories, to hide
+# them for app data isolation.  Also traverse these directories (via
+# /data_mirror) to find the allowlisted per-app directories to bind-mount in.
+allow zygote {
+    # /data/user{,_de}, /mnt/expand/$volume/user{,_de}
+    system_userdir_file
+    # /data/data
+    system_data_file
+    # /data/misc/profiles/cur
+    user_profile_root_file
+    # /data/misc/profiles/ref
+    user_profile_data_file
+    # /storage/emulated/$userId/Android/{data,obb}
+    media_rw_data_file
+}:dir { mounton search };
 
-# Relabel /data/user /data/user_de /data/data and /data/misc_{ce,de}/<user-id>/sdksandbox
-allow zygote tmpfs:{ dir lnk_file } relabelfrom;
-allow zygote system_data_file:{ dir lnk_file } relabelto;
-allow zygote sdk_sandbox_system_data_file:dir { search relabelto };
+# Traverse /data_mirror to get to the above directories while their normal paths
+# are hidden, in order to bind-mount allowlisted per-app directories.
+allow zygote mirror_data_file:dir search;
 
-# Zygote opens /mnt/expand to mount CE DE storage on each vol
-allow zygote mnt_expand_file:dir { open read search relabelto };
+# List /mnt/expand to find all /mnt/expand/$volume/user{,_de} directories that
+# need to be hidden by app data isolation, and traverse /mnt/expand to get to
+# any allowlisted per-app directories within these directories.
+allow zygote mnt_expand_file:dir { open read search };
 
-# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
-allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
+# Get the inode number of app CE data directories to find them by inode number
+# when CE storage is locked.  Needed for app data isolation.
+allow zygote app_data_file_type:dir getattr;
 
-# Create and bind dirs on /data/data
+# Create dirs in the app data isolation tmpfs mounts and bind mount on them.
 allow zygote tmpfs:dir { create_dir_perms mounton };
 
-# Goes into media directory and bind mount obb directory
-allow zygote media_rw_data_file:dir { getattr search };
+# Create the '/data/user/0 => /data/data' symlink in the /data/user tmpfs mount
+# when setting up app data isolation.
+allow zygote tmpfs:lnk_file create;
 
-# Bind mount on top of existing mounted obb and data directory
-allow zygote media_rw_data_file:dir { mounton };
+# Relabel dirs and symlinks in the app and sdk sandbox data isolation tmpfs mounts to their
+# standard labels.  Note: it seems that not all dirs are actually relabeled yet,
+# but it works anyway since all domains can search tmpfs:dir.
+allow zygote tmpfs:{ dir lnk_file } relabelfrom;
+allow zygote system_userdir_file:dir relabelto;
+allow zygote system_data_file:{ dir lnk_file } relabelto;
+allow zygote sdk_sandbox_system_data_file:dir { getattr relabelto search };
 
 # Read if sdcardfs is supported
 allow zygote proc_filesystems:file r_file_perms;
 
-# Create symlink for /data/user/0
-allow zygote tmpfs:lnk_file create;
-
-allow zygote mirror_data_file:dir r_dir_perms;
-
-# Get inode of directories for app data isolation
-allow zygote {
-  app_data_file_type
-  system_data_file
-  mnt_expand_file
-  sdk_sandbox_system_data_file
-}:dir getattr;
-
 # Allow zygote to create JIT memory.
 allow zygote self:process execmem;
 allow zygote zygote_tmpfs:file execute;
@@ -184,6 +195,9 @@
 
 allow zygote same_process_hal_file:file { execute read open getattr map };
 
+# Allow zygote to read build properties for attestation feature
+get_prop(zygote, build_attestation_prop)
+
 # Allow the zygote to access storage properties to check if sdcardfs is enabled.
 get_prop(zygote, storage_config_prop);
 
diff --git a/public/app.te b/public/app.te
index de3d0ca..da59f32 100644
--- a/public/app.te
+++ b/public/app.te
@@ -21,16 +21,6 @@
 # Block device access.
 neverallow appdomain dev_type:blk_file { read write };
 
-# Access to any of the following character devices.
-neverallow appdomain {
-    audio_device
-    camera_device
-    dm_device
-    radio_device
-    rpmsg_device
-    video_device
-}:chr_file { read write };
-
 # Note: Try expanding list of app domains in the future.
 neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
 
@@ -233,9 +223,3 @@
     { open read write append execute execute_no_trans map };
 neverallow appdomain system_bootstrap_lib_file:dir
     { open read getattr search };
-
-# Allow to read ro.vendor.camera.extensions.enabled
-get_prop(appdomain, camera2_extensions_prop)
-
-# Allow to ro.camerax.extensions.enabled
-get_prop(appdomain, camerax_extensions_prop)
diff --git a/public/artd.te b/public/artd.te
new file mode 100644
index 0000000..0731adc
--- /dev/null
+++ b/public/artd.te
@@ -0,0 +1,2 @@
+# ART service daemon.
+type artd, domain;
diff --git a/public/attributes b/public/attributes
index 742264a..4897be5 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,9 +7,6 @@
 # in tools/checkfc.c
 attribute dev_type;
 
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute bdev_type;
-
 # Attribute for all bpf filesystem subtypes.
 attribute bpffs_type;
 
@@ -74,9 +71,6 @@
 # All types used for sysfs files.
 attribute sysfs_type;
 
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute sysfs_block_type;
-
 # All types use for debugfs files.
 attribute debugfs_type;
 
@@ -173,12 +167,6 @@
 # services which are explicitly disallowed for untrusted apps to access
 attribute protected_service;
 
-# services which served by vendor and also using the copy of libbinder on
-# system (for instance via libbinder_ndk). services using a different copy
-# of libbinder currently need their own context manager (e.g.
-# vndservicemanager)
-attribute vendor_service;
-
 # All types used for services managed by servicemanager.
 # On change, update CHECK_SC_ASSERT_ATTRS
 # definition in tools/checkfc.c.
@@ -218,6 +206,9 @@
 # All third party apps (except isolated_app and ephemeral_app)
 attribute untrusted_app_all;
 
+# All apps with UID between AID_ISOLATED_START (99000) and AID_ISOLATED_END (99999).
+attribute isolated_app_all;
+
 # All domains used for apps with network access.
 attribute netdomain;
 
@@ -350,6 +341,7 @@
 hal_attribute(dumpstate);
 hal_attribute(evs);
 hal_attribute(face);
+hal_attribute(fastboot);
 hal_attribute(fingerprint);
 hal_attribute(gatekeeper);
 hal_attribute(gnss);
@@ -374,12 +366,16 @@
 hal_attribute(power);
 hal_attribute(power_stats);
 hal_attribute(rebootescrow);
+hal_attribute(remoteaccess);
 hal_attribute(secure_element);
 hal_attribute(sensors);
 hal_attribute(telephony);
 hal_attribute(tetheroffload);
 hal_attribute(thermal);
 hal_attribute(tv_cec);
+hal_attribute(tv_hdmi_cec);
+hal_attribute(tv_hdmi_connection);
+hal_attribute(tv_hdmi_earc);
 hal_attribute(tv_input);
 hal_attribute(tv_tuner);
 hal_attribute(usb);
@@ -407,6 +403,7 @@
 attribute camera_service_server;
 attribute display_service_server;
 attribute evsmanager_service_server;
+attribute remote_provisioning_service_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index d41339a..c88e3f0 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -19,6 +19,7 @@
 allow cameraserver hal_graphics_composer:fd use;
 
 add_service(cameraserver, cameraserver_service)
+add_service(cameraserver, fwk_camera_service)
 add_hwservice(cameraserver, fwk_camera_hwservice)
 
 allow cameraserver activity_service:service_manager find;
diff --git a/public/device.te b/public/device.te
index 1bb386f..ead7fbc 100644
--- a/public/device.te
+++ b/public/device.te
@@ -7,6 +7,7 @@
 type hwbinder_device, dev_type, mlstrustedobject;
 type vndbinder_device, dev_type;
 type block_device, dev_type;
+type bt_device, dev_type;
 type camera_device, dev_type;
 type dm_device, dev_type;
 type dm_user_device, dev_type;
@@ -94,6 +95,9 @@
 # Documented at https://source.android.com/devices/bootloader/partitions
 type userdata_block_device, dev_type;
 
+# Zoned block device.
+type zoned_block_device, dev_type;
+
 # Cache block device mounted on /cache.
 # Documented at https://source.android.com/devices/bootloader/partitions
 type cache_block_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 46e9456..56c3142 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,7 @@
 
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+get_prop({domain -hwservicemanager -vndservicemanager }, servicemanager_prop)
 
 # Restrict binder ioctls to an allowlist. Additional ioctl commands may be
 # added to individual domains, but this sets safe defaults for all processes.
@@ -100,46 +101,6 @@
 allow domain properties_serial:file r_file_perms;
 allow domain property_info:file r_file_perms;
 
-# Public readable properties
-get_prop(domain, aaudio_config_prop)
-get_prop(domain, apexd_select_prop)
-get_prop(domain, arm64_memtag_prop)
-get_prop(domain, bluetooth_config_prop)
-get_prop(domain, bootloader_prop)
-get_prop(domain, build_odm_prop)
-get_prop(domain, build_prop)
-get_prop(domain, build_vendor_prop)
-get_prop(domain, debug_prop)
-get_prop(domain, exported_config_prop)
-get_prop(domain, exported_default_prop)
-get_prop(domain, exported_dumpstate_prop)
-get_prop(domain, exported_secure_prop)
-get_prop(domain, exported_system_prop)
-get_prop(domain, fingerprint_prop)
-get_prop(domain, framework_status_prop)
-get_prop(domain, gwp_asan_prop)
-get_prop(domain, hal_instrumentation_prop)
-get_prop(domain, hw_timeout_multiplier_prop)
-get_prop(domain, init_service_status_prop)
-get_prop(domain, libc_debug_prop)
-get_prop(domain, logd_prop)
-get_prop(domain, mediadrm_config_prop)
-get_prop(domain, property_service_version_prop)
-get_prop(domain, soc_prop)
-get_prop(domain, socket_hook_prop)
-get_prop(domain, surfaceflinger_prop)
-get_prop(domain, telephony_status_prop)
-get_prop({domain -untrusted_app_all userdebug_or_eng(`-isolated_app -ephemeral_app') },  userdebug_or_eng_prop)
-get_prop(domain, vendor_socket_hook_prop)
-get_prop(domain, vndk_prop)
-get_prop(domain, vold_status_prop)
-get_prop(domain, vts_config_prop)
-
-# Binder cache properties are world-readable
-get_prop(domain, binder_cache_bluetooth_server_prop)
-get_prop(domain, binder_cache_system_server_prop)
-get_prop(domain, binder_cache_telephony_server_prop)
-
 # Let everyone read log properties, so that liblog can avoid sending unloggable
 # messages to logd.
 get_prop(domain, log_property_type)
@@ -228,11 +189,10 @@
 # read and stat any sysfs symlinks
 allow domain sysfs:lnk_file { getattr read };
 
-# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
-# timezone related information.
+# libc references /system/usr/share/zoneinfo for timezone related information.
 # This directory is considered to be a VNDK-stable
-allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
-allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
+allow domain { system_zoneinfo_file }:file r_file_perms;
+allow domain { system_zoneinfo_file }:dir r_dir_perms;
 
 # Lots of processes access current CPU information
 r_dir_file(domain, sysfs_devices_system_cpu)
@@ -244,16 +204,30 @@
 allow domain sysfs_transparent_hugepage:dir search;
 allow domain sysfs_transparent_hugepage:file r_file_perms;
 
-# files under /data.
+# Allow search access, and sometimes getattr access, to various directories
+# under /data.  We are fairly lenient in allowing search access to top-level
+# dirs that commonly need to be traversed to get access to the "real" files, as
+# this greatly simplifies the policy and doesn't open up much attack surface.
 not_full_treble(`
   allow domain system_data_file:dir getattr;
 ')
 allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_root_file. Vendor components need the search
-# permission on system_data_root_file for path traversal to /data/vendor.
+# Anything that accesses anything in /data needs search access to /data itself.
+# This includes vendor components, as they need to access /data/vendor.
 allow domain system_data_root_file:dir { search getattr } ;
+# system_data_file is the default type for directories in /data.  Anything
+# accessing data files with a more specific type often has to traverse a
+# system_data_file directory such as /data/misc to get there.
 allow domain system_data_file:dir search;
+# Anything that accesses files in /data/user (and /data/user_de, etc.) needs
+# search access to these directories themselves.  getattr access is sometimes
+# needed too.
+allow { coredomain appdomain } system_userdir_file:dir { search getattr };
+# Anything that accesses files in /data/media needs search access to /data/media
+# itself.
+allow { coredomain appdomain } media_userdir_file:dir search;
 # TODO restrict this to non-coredomain
+allow domain vendor_userdir_file:dir { getattr search };
 allow domain vendor_data_file:dir { getattr search };
 
 # required by the dynamic linker
@@ -563,6 +537,14 @@
     neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
 ')
 
+# New "pm.dexopt." sysprops should be explicitly listed as exported_pm_prop.
+neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:property_service set;
+neverallow { domain -init -dumpstate -vendor_init } future_pm_prop:file no_rw_file_perms;
+
+# ART may introduce new sysprops. SELinux denials due to reading new sysprops on
+# old platforms shouldn't be regarded as a problem.
+dontaudit domain future_pm_prop:file read;
+
 neverallow { domain -init } aac_drc_prop:property_service set;
 neverallow { domain -init } build_prop:property_service set;
 neverallow { domain -init } userdebug_or_eng_prop:property_service set;
@@ -577,6 +559,7 @@
   -hal_camera_server
   -hal_cas_server
   -hal_drm_server
+  -hal_keymint_server
   userdebug_or_eng(`-incidentd')
   -init
   -mediadrmserver
@@ -607,6 +590,7 @@
   -e2fs
   -fsck
   -fastbootd
+  -hal_fastboot_server
 } metadata_block_device:blk_file { append link rename write open read ioctl lock };
 
 # No domain other than recovery, update_engine and fastbootd can write to system partition(s).
@@ -629,22 +613,6 @@
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
-# system services cant add vendor services
-neverallow {
-  coredomain
-} vendor_service:service_manager add;
-
-full_treble_only(`
-  # vendor services cant add system services
-  neverallow {
-    domain
-    -coredomain
-  } {
-    service_manager_type
-    -vendor_service
-  }:service_manager add;
-')
-
 full_treble_only(`
   # Vendor apps are permited to use only stable public services. If they were to use arbitrary
   # services which can change any time framework/core is updated, breakage is likely.
@@ -657,9 +625,10 @@
     service_manager_type
 
     -app_api_service
-    -vendor_service # must be @VintfStability to be used by an app
     -ephemeral_app_api_service
 
+    -hal_service_type # see app_neverallows.te
+
     -apc_service
     -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
     -cameraserver_service
@@ -825,11 +794,6 @@
     -vendor_init
   } {
     core_data_file_type
-    # libc includes functions like mktime and localtime which attempt to access
-    # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
-    # These functions are considered vndk-stable and thus must be allowed for
-    # all processes.
-    -zoneinfo_data_file
     with_native_coverage(`-method_trace_data_file')
   }:file_class_set ~{ append getattr ioctl read write map };
   neverallow {
@@ -838,7 +802,6 @@
   } {
     core_data_file_type
     -unencrypted_data_file
-    -zoneinfo_data_file
     with_native_coverage(`-method_trace_data_file')
   }:file_class_set ~{ append getattr ioctl read write map };
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
@@ -857,8 +820,8 @@
     core_data_file_type
     -system_data_file # default label for files on /data. Covered below...
     -system_data_root_file
+    -vendor_userdir_file
     -vendor_data_file
-    -zoneinfo_data_file
     with_native_coverage(`-method_trace_data_file')
   }:dir *;
   neverallow {
@@ -869,8 +832,8 @@
     -unencrypted_data_file
     -system_data_file
     -system_data_root_file
+    -vendor_userdir_file
     -vendor_data_file
-    -zoneinfo_data_file
     with_native_coverage(`-method_trace_data_file')
   }:dir *;
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
@@ -938,8 +901,6 @@
         -system_lib_file
         -system_linker_exec
         -crash_dump_exec
-        -iorap_prefetcherd_exec
-        -iorap_inode2filename_exec
         -netutils_wrapper_exec
         userdebug_or_eng(`-tcpdump_exec')
     }:file { entrypoint execute execute_no_trans };
@@ -1007,7 +968,6 @@
     system_file_type
     -crash_dump_exec
     -file_contexts_file
-    -iorap_inode2filename_exec
     -netutils_wrapper_exec
     -property_contexts_file
     -system_event_log_tags_file
@@ -1149,6 +1109,7 @@
 neverallow {
   domain
   -appdomain
+  -artd
   -installd
 } { app_data_file privapp_data_file }:lnk_file read;
 
@@ -1159,33 +1120,6 @@
   -installd
 } shell_data_file:lnk_file read;
 
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
-# not be trusting any content in those directories.
-neverallow {
-  domain
-  -adbd
-  -dumpstate
-  -installd
-  -init
-  -shell
-  -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
-  domain
-  -adbd
-  -appdomain
-  -dumpstate
-  -init
-  -installd
-  -iorap_inode2filename
-  -simpleperf_app_runner
-  -system_server # why?
-  userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
 # servicemanager and vndservicemanager are the only processes which handle the
 # service_manager list request
 neverallow * ~{
@@ -1230,11 +1164,12 @@
 neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
 
 # Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
+# it from installd and artd forked processes.
 neverallow {
   domain
   -installd
   -profman
+  -artd
 } profman_exec:file no_x_file_perms;
 
 # Enforce restrictions on kernel module origin.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5eb3d27..6b112dc 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -75,9 +75,11 @@
   vold
 
   # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
+  evsmanagerd
   hal_audio_server
   hal_audiocontrol_server
   hal_bluetooth_server
+  hal_broadcastradio_server
   hal_camera_server
   hal_codec2_server
   hal_drm_server
@@ -147,22 +149,29 @@
 binder_call(dumpstate, { appdomain netd wificond })
 
 # Allow dumpstate to call dump() on specific hals.
+dump_hal(hal_authsecret)
+dump_hal(hal_bluetooth)
+dump_hal(hal_contexthub)
+dump_hal(hal_drm)
 dump_hal(hal_dumpstate)
-dump_hal(hal_wifi)
-dump_hal(hal_graphics_allocator)
-dump_hal(hal_input_processor)
-dump_hal(hal_light)
-dump_hal(hal_neuralnetworks)
-dump_hal(hal_nfc)
-dump_hal(hal_thermal)
-dump_hal(hal_power)
-dump_hal(hal_power_stats)
-dump_hal(hal_identity)
 dump_hal(hal_face)
 dump_hal(hal_fingerprint)
 dump_hal(hal_gnss)
-dump_hal(hal_contexthub)
-dump_hal(hal_drm)
+dump_hal(hal_graphics_allocator)
+dump_hal(hal_identity)
+dump_hal(hal_input_processor)
+dump_hal(hal_keymint)
+dump_hal(hal_light)
+dump_hal(hal_memtrack)
+dump_hal(hal_neuralnetworks)
+dump_hal(hal_nfc)
+dump_hal(hal_oemlock)
+dump_hal(hal_power)
+dump_hal(hal_power_stats)
+dump_hal(hal_rebootescrow)
+dump_hal(hal_thermal)
+dump_hal(hal_weaver)
+dump_hal(hal_wifi)
 
 # Vibrate the device after we are done collecting the bugreport
 hal_client_domain(dumpstate, hal_vibrator)
@@ -236,9 +245,9 @@
 allow dumpstate recovery_data_file:dir r_dir_perms;
 allow dumpstate recovery_data_file:file r_file_perms;
 
-#Access /data/misc/update_engine_log
-allow dumpstate update_engine_log_data_file:dir r_dir_perms;
-allow dumpstate update_engine_log_data_file:file r_file_perms;
+# Access /data/misc/update_engine & /data/misc/update_engine_log
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
+allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
 
 # Access /data/misc/profiles/{cur,ref}/
 userdebug_or_eng(`
@@ -314,9 +323,6 @@
 # Allow dumpstate to talk to installd over binder
 binder_call(dumpstate, installd);
 
-# Allow dumpstate to talk to iorapd over binder.
-binder_call(dumpstate, iorapd)
-
 # Allow dumpstate to run ip xfrm policy
 allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
 
@@ -351,31 +357,6 @@
 # Allow dumpstate to talk to mediaswcodec over binder
 binder_call(dumpstate, mediaswcodec);
 
-# Allow dumpstate to talk to these stable AIDL services over binder
-binder_call(dumpstate, hal_rebootescrow_server)
-allow hal_rebootescrow_server dumpstate:fifo_file write;
-allow hal_rebootescrow_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_authsecret_server)
-allow hal_authsecret_server dumpstate:fifo_file write;
-allow hal_authsecret_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_keymint_server)
-allow hal_keymint_server dumpstate:fifo_file write;
-allow hal_keymint_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_memtrack_server)
-allow hal_memtrack_server dumpstate:fifo_file write;
-allow hal_memtrack_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_oemlock_server)
-allow hal_oemlock_server dumpstate:fifo_file write;
-allow hal_oemlock_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_weaver_server)
-allow hal_weaver_server dumpstate:fifo_file write;
-allow hal_weaver_server dumpstate:fd use;
-
 #Access /data/misc/snapshotctl_log
 allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
 allow dumpstate snapshotctl_log_data_file:file r_file_perms;
@@ -385,7 +366,7 @@
 allow dumpstate binderfs_logs:file r_file_perms;
 allow dumpstate binderfs_logs_proc:file r_file_perms;
 
-allow dumpstate apex_info_file:file getattr;
+use_apex_info(dumpstate)
 
 ###
 ### neverallow rules
diff --git a/public/e2fs.te b/public/e2fs.te
index dd5bd69..8dcf0cc 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -8,8 +8,9 @@
 allow e2fs userdata_block_device:blk_file rw_file_perms;
 allow e2fs metadata_block_device:blk_file rw_file_perms;
 allow e2fs dm_device:blk_file rw_file_perms;
+allow e2fs zoned_block_device:blk_file rw_file_perms;
 allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
-  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE
 };
 
 allow e2fs {
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 0c43a89..8452b97 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -13,6 +13,7 @@
   # fastbootd can use AIDL HALs in binder mode
   binder_use(fastbootd)
   hal_client_domain(fastbootd, hal_health)
+  hal_client_domain(fastbootd, hal_fastboot)
 
   # Access /dev/usb-ffs/fastbootd/ep0
   allow fastbootd functionfs:dir search;
@@ -103,6 +104,13 @@
     allow fastbootd tmpfs:dir rw_dir_perms;
     # Fetch vendor_boot partition
     allow fastbootd boot_block_device:blk_file r_file_perms;
+
+    # popen(/system/bin/dmesg) and associated permissions. We only allow this
+    # on unlocked devices running userdebug builds.
+    allow fastbootd rootfs:file execute_no_trans;
+    allow fastbootd system_file:file execute_no_trans;
+    allow fastbootd kmsg_device:chr_file read;
+    allow fastbootd kernel:system syslog_read;
   ')
 
   # Allow using libfiemap/gsid directly (no binder in recovery).
diff --git a/public/file.te b/public/file.te
index 2bfa282..8d33a9d3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -157,6 +157,7 @@
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 type exfat, sdcard_type, fs_type, mlstrustedobject;
+type ntfs, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
@@ -300,13 +301,20 @@
 type system_data_root_file, file_type, data_file_type, core_data_file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type, core_data_file_type;
+# Default type for directories containing per-user encrypted directories, such
+# as /data/user and /data/user_de.
+type system_userdir_file, file_type, data_file_type, core_data_file_type;
 # Type for /data/system/packages.list.
 # TODO(b/129332765): Narrow down permissions to this.
 # Find out users of system_data_file that should be granted only this.
 type packages_list_file, file_type, data_file_type, core_data_file_type;
 type game_mode_intervention_list_file, file_type, data_file_type, core_data_file_type;
-# Default type for anything under /data/vendor{_ce,_de}.
+# Default type for anything inside /data/vendor_{ce,de}.
 type vendor_data_file, file_type, data_file_type;
+# Type for /data/vendor_{ce,de} themselves.  This has core_data_file_type
+# because these directories themselves are platform-managed; only the files
+# *inside* them are vendor data.  (Somewhat similar to system_data_root_file.)
+type vendor_userdir_file, file_type, data_file_type, core_data_file_type;
 # Unencrypted data
 type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
 # installd-create files in /data/misc/installd such as layout_version
@@ -428,6 +436,7 @@
 type keystore_data_file, file_type, data_file_type, core_data_file_type;
 type media_data_file, file_type, data_file_type, core_data_file_type;
 type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type media_userdir_file, file_type, data_file_type, core_data_file_type;
 type misc_user_data_file, file_type, data_file_type, core_data_file_type;
 type net_data_file, file_type, data_file_type, core_data_file_type;
 type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
@@ -443,9 +452,7 @@
 type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type vpn_data_file, file_type, data_file_type, core_data_file_type;
 type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
 type vold_data_file, file_type, data_file_type, core_data_file_type;
-type iorapd_data_file, file_type, data_file_type, core_data_file_type;
 type tee_data_file, file_type, data_file_type;
 type update_engine_data_file, file_type, data_file_type, core_data_file_type;
 type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/fsck.te b/public/fsck.te
index 1fb5d0d..1a74ba8 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -17,6 +17,7 @@
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
+allow fsck zoned_block_device:blk_file rw_file_perms;
 userdebug_or_eng(`
 allow fsck system_block_device:blk_file rw_file_perms;
 ')
@@ -32,6 +33,7 @@
 allowxperm fsck dev_type:blk_file ioctl {
   BLKDISCARDZEROES
   BLKROGET
+  BLKREPORTZONE
 };
 
 # To determine if it is safe to run fsck on a filesystem, e2fsck
@@ -48,8 +50,10 @@
 allow fsck {
   proc_mounts
   proc_swaps
+  sysfs_dm
 }:file r_file_perms;
 allow fsck rootfs:dir r_dir_perms;
+allow fsck sysfs_dm:dir r_dir_perms;
 
 ###
 ### neverallow rules
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 97177ba..53bbef2 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -1,8 +1,10 @@
 # HwBinder IPC from clients into server, and callbacks
 binder_call(hal_bluetooth_client, hal_bluetooth_server)
 binder_call(hal_bluetooth_server, hal_bluetooth_client)
+binder_call(hal_bluetooth_server, servicemanager)
 
 hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
+hal_attribute_service(hal_bluetooth, hal_bluetooth_service)
 
 wakelock_use(hal_bluetooth);
 
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index a1f3d7f..f9b50b0 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -1,6 +1,10 @@
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_bootctl_client, hal_bootctl_server)
 binder_call(hal_bootctl_server, hal_bootctl_client)
+binder_use(hal_bootctl_server)
 
 hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
 allow hal_bootctl_server proc_bootconfig:file r_file_perms;
+
+# Needed to wait for AIDL hal services
+hal_attribute_service(hal_bootctl, hal_bootctl_service);
diff --git a/public/hal_broadcastradio.te b/public/hal_broadcastradio.te
index 84a2597..bb882c9 100644
--- a/public/hal_broadcastradio.te
+++ b/public/hal_broadcastradio.te
@@ -2,3 +2,6 @@
 binder_call(hal_broadcastradio_server, hal_broadcastradio_client)
 
 hal_attribute_hwservice(hal_broadcastradio, hal_broadcastradio_hwservice)
+hal_attribute_service(hal_broadcastradio, hal_broadcastradio_service)
+
+binder_call(hal_broadcastradio_server, servicemanager)
diff --git a/public/hal_can.te b/public/hal_can.te
index 959d1d9..d48c43f 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -7,3 +7,7 @@
 binder_call(hal_can_bus_client, hal_can_bus_server)
 binder_call(hal_can_bus_server, hal_can_bus_client)
 hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
+
+# AIDL HAL for CAN buses (ICanController)
+hal_attribute_service(hal_can_controller, hal_can_controller_service)
+binder_use(hal_can_controller)
diff --git a/public/hal_cas.te b/public/hal_cas.te
index e699a6b..056b4c9 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -5,6 +5,11 @@
 hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
 allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
 
+hal_attribute_service(hal_cas, hal_cas_service)
+
+binder_call(hal_cas_server, servicemanager)
+binder_call(hal_cas_client, servicemanager)
+
 # Permit reading device's serial number from system properties
 get_prop(hal_cas_server, serialno_prop)
 
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 23b04c9..8867a8d 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -34,8 +34,6 @@
   -prng_seeder
   userdebug_or_eng(`-su')
   -tombstoned
-  userdebug_or_eng(`-heapprofd')
-  userdebug_or_eng(`-traced_perf')
 }:{ unix_dgram_socket unix_stream_socket } *;
 
 # Should never need access to anything on /data
@@ -43,18 +41,17 @@
   data_file_type
   -anr_data_file # for crash dump collection
   -tombstone_data_file # for crash dump collection
-  -zoneinfo_data_file # granted to domain
   with_native_coverage(`-method_trace_data_file')
 }:{ file fifo_file sock_file } *;
 
 # Should never need sdcard access
 neverallow hal_configstore_server {
     sdcard_type
-    fuse sdcardfs vfat exfat        # manual expansion for completeness
+    fuse sdcardfs vfat exfat ntfs     # manual expansion for completeness
 }:dir ~getattr;
 neverallow hal_configstore_server {
     sdcard_type
-    fuse sdcardfs vfat exfat        # manual expansion for completeness
+    fuse sdcardfs vfat exfat ntfs     # manual expansion for completeness
 }:file *;
 
 # Do not permit access to service_manager and vndservice_manager
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
index 5d2e4b7..9896e35 100644
--- a/public/hal_confirmationui.te
+++ b/public/hal_confirmationui.te
@@ -2,3 +2,5 @@
 binder_call(hal_confirmationui_client, hal_confirmationui_server)
 
 hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)
+hal_attribute_service(hal_confirmationui, hal_confirmationui_service)
+binder_call(hal_confirmationui_server, servicemanager)
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 72fa308..43d0a7c 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -26,6 +26,12 @@
 allow hal_drm cgroup_v2:dir { search write };
 allow hal_drm cgroup_v2:file w_file_perms;
 
+# Allow dumpsys Widevine without root
+userdebug_or_eng(`
+  allow hal_drm_server shell:fd use;
+  allow hal_drm_server shell:fifo_file write;
+')
+
 # Allow access to ion memory allocation device
 allow hal_drm ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index aee283a..193b05a 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -13,3 +13,6 @@
 allow hal_dumpstate shell_data_file:file write;
 # allow reading /proc/interrupts for all hal impls
 allow hal_dumpstate proc_interrupts:file r_file_perms;
+
+# Log fsck results
+r_dir_file(hal_dumpstate, fscklogs)
diff --git a/public/hal_fastboot.te b/public/hal_fastboot.te
new file mode 100644
index 0000000..7aecac1
--- /dev/null
+++ b/public/hal_fastboot.te
@@ -0,0 +1,7 @@
+# allow binder connection from client to server
+binder_call(hal_fastboot_client, hal_fastboot_server)
+# allow client to find the service, allow server to register the service
+hal_attribute_service(hal_fastboot, hal_fastboot_service)
+# allow binder communication from server to service_manager
+binder_call(hal_fastboot_server, servicemanager)
+
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index b918f88..fc23e64 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,6 +1,8 @@
 binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 
 hal_attribute_hwservice(hal_gatekeeper, hal_gatekeeper_hwservice)
+hal_attribute_service(hal_gatekeeper, hal_gatekeeper_service)
+binder_call(hal_gatekeeper_server, servicemanager)
 
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 7ef27113..35a19de 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -11,6 +11,9 @@
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
 allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
 
+# Access the secure heap
+allow hal_graphics_allocator dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
 # allow to run with real-time scheduling policy
 allow hal_graphics_allocator self:global_capability_class_set sys_nice;
 
diff --git a/public/hal_input_processor.te b/public/hal_input_processor.te
index 77d1d70..b59b15f 100644
--- a/public/hal_input_processor.te
+++ b/public/hal_input_processor.te
@@ -3,3 +3,6 @@
 binder_call(hal_input_processor_server, servicemanager)
 
 hal_attribute_service(hal_input_processor, hal_input_processor_service)
+
+# Allow dumping of the HAL
+allow hal_input_processor_server dumpstate:fifo_file write;
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index 9c65e22..ba29956 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -4,5 +4,5 @@
 hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
 binder_call(hal_keymint_server, servicemanager)
 
-allow hal_keymint tee_device:chr_file rw_file_perms;
-allow hal_keymint ion_device:chr_file r_file_perms;
+allow hal_keymint_server tee_device:chr_file rw_file_perms;
+allow hal_keymint_server ion_device:chr_file r_file_perms;
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 04d0b59..c7049fd 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -7,6 +7,8 @@
 allow hal_neuralnetworks hal_allocator:fd use;
 allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
 allow hal_neuralnetworks hal_graphics_allocator:fd use;
+allow hal_neuralnetworks gpu_device:chr_file rw_file_perms;
+allow hal_neuralnetworks gpu_device:dir r_dir_perms;
 
 # Allow NN HAL service to use a client-provided fd residing in /data/data/.
 allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
diff --git a/public/hal_remoteaccess.te b/public/hal_remoteaccess.te
new file mode 100644
index 0000000..8a55529
--- /dev/null
+++ b/public/hal_remoteaccess.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_remoteaccess_client, hal_remoteaccess_server)
+binder_call(hal_remoteaccess_server, hal_remoteaccess_client)
+
+hal_attribute_service(hal_remoteaccess, hal_remoteaccess_service)
+
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
index 3724d35..8d3e15c 100644
--- a/public/hal_secure_element.te
+++ b/public/hal_secure_element.te
@@ -3,3 +3,8 @@
 binder_call(hal_secure_element_server, hal_secure_element_client)
 
 hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
+hal_attribute_service(hal_secure_element, hal_secure_element_service)
+
+binder_use(hal_secure_element_server)
+
+allow hal_secure_element_client hal_secure_element_service:service_manager find;
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index cf51723..c9553dc 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te
@@ -3,6 +3,9 @@
 binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
 
 hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)
+hal_attribute_service(hal_tetheroffload, hal_tetheroffload_service)
+
+binder_use(hal_tetheroffload_server)
 
 # allow the client to pass the server already open netlink sockets
 allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/public/hal_thermal.te b/public/hal_thermal.te
index 2115da1..13fed00 100644
--- a/public/hal_thermal.te
+++ b/public/hal_thermal.te
@@ -3,3 +3,8 @@
 binder_call(hal_thermal_server, hal_thermal_client)
 
 hal_attribute_hwservice(hal_thermal, hal_thermal_hwservice)
+hal_attribute_service(hal_thermal, hal_thermal_service)
+
+add_service(hal_thermal_server, hal_thermal_service)
+binder_call(hal_thermal_server, servicemanager)
+binder_call(hal_thermal_client, servicemanager)
diff --git a/public/hal_tv_hdmi_cec.te b/public/hal_tv_hdmi_cec.te
new file mode 100644
index 0000000..eb01b67
--- /dev/null
+++ b/public/hal_tv_hdmi_cec.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_cec_client, hal_tv_hdmi_cec_server)
+binder_call(hal_tv_hdmi_cec_server, hal_tv_hdmi_cec_client)
+binder_use(hal_tv_hdmi_cec_client)
+binder_use(hal_tv_hdmi_cec_server)
+
+hal_attribute_service(hal_tv_hdmi_cec, hal_tv_hdmi_cec_service)
diff --git a/public/hal_tv_hdmi_connection.te b/public/hal_tv_hdmi_connection.te
new file mode 100644
index 0000000..f6de27d
--- /dev/null
+++ b/public/hal_tv_hdmi_connection.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_connection_client, hal_tv_hdmi_connection_server)
+binder_call(hal_tv_hdmi_connection_server, hal_tv_hdmi_connection_client)
+binder_use(hal_tv_hdmi_connection_client)
+binder_use(hal_tv_hdmi_connection_server)
+
+hal_attribute_service(hal_tv_hdmi_connection, hal_tv_hdmi_connection_service)
diff --git a/public/hal_tv_hdmi_earc.te b/public/hal_tv_hdmi_earc.te
new file mode 100644
index 0000000..2d76fc6
--- /dev/null
+++ b/public/hal_tv_hdmi_earc.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_earc_client, hal_tv_hdmi_earc_server)
+binder_call(hal_tv_hdmi_earc_server, hal_tv_hdmi_earc_client)
+binder_use(hal_tv_hdmi_earc_client)
+binder_use(hal_tv_hdmi_earc_server)
+
+hal_attribute_service(hal_tv_hdmi_earc, hal_tv_hdmi_earc_service)
diff --git a/public/hal_tv_input.te b/public/hal_tv_input.te
index 5a5bdda..b345189 100644
--- a/public/hal_tv_input.te
+++ b/public/hal_tv_input.te
@@ -3,3 +3,7 @@
 binder_call(hal_tv_input_server, hal_tv_input_client)
 
 hal_attribute_hwservice(hal_tv_input, hal_tv_input_hwservice)
+hal_attribute_service(hal_tv_input, hal_tv_input_service)
+
+binder_call(hal_tv_input_server, servicemanager)
+binder_call(hal_tv_input_client, servicemanager)
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
index a474652..c0df9a9 100644
--- a/public/hal_usb_gadget.te
+++ b/public/hal_usb_gadget.te
@@ -2,6 +2,9 @@
 binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
 binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
 
+hal_attribute_service(hal_usb_gadget, hal_usb_gadget_service)
+binder_call(hal_usb_gadget_server, servicemanager)
+
 hal_attribute_hwservice(hal_usb_gadget, hal_usb_gadget_hwservice)
 
 # Configuring usb gadget functions
@@ -10,4 +13,7 @@
 allow hal_usb_gadget_server configfs:file create_file_perms;
 allow hal_usb_gadget_server functionfs:dir { read search };
 allow hal_usb_gadget_server functionfs:file read;
+allow hal_usb_gadget_server proc_interrupts:file r_file_perms;
 
+# Read access to ro.usb.uvc.enabled
+get_prop(hal_usb_gadget_server, usb_uvc_enabled_prop)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 2e4fa78..e4f1d21 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -3,6 +3,9 @@
 binder_call(hal_wifi_server, hal_wifi_client)
 
 hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
+hal_attribute_service(hal_wifi, hal_wifi_service)
+
+binder_call(hal_wifi_server, servicemanager)
 
 r_dir_file(hal_wifi, proc_net_type)
 r_dir_file(hal_wifi, sysfs_type)
diff --git a/public/idmap.te b/public/idmap.te
index f41f573..76ef622 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -2,15 +2,10 @@
 type idmap, domain;
 type idmap_exec, system_file_type, exec_type, file_type;
 
-# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
-# Use open file to /data/resource-cache file inherited from installd.
-allow idmap installd:fd use;
+# Allow read + write access to /data/resource-cache
 allow idmap resourcecache_data_file:file create_file_perms;
 allow idmap resourcecache_data_file:dir rw_dir_perms;
 
-# Ignore reading /proc/<pid>/maps after a fork.
-dontaudit idmap installd:file read;
-
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;
diff --git a/public/init.te b/public/init.te
index ce0d130..a399b3a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -199,6 +199,7 @@
 allow init {
   file_type
   -app_data_file
+  -bpffs_type
   -exec_type
   -misc_logd_file
   -nativetest_data_file
@@ -212,10 +213,11 @@
 allow init {
   file_type
   -app_data_file
-  -exec_type
-  -iorapd_data_file
+  -bpffs_type
   -credstore_data_file
+  -exec_type
   -keystore_data_file
+  -media_userdir_file
   -misc_logd_file
   -nativetest_data_file
   -privapp_data_file
@@ -223,7 +225,9 @@
   -system_app_data_file
   -system_dlkm_file_type
   -system_file_type
+  -system_userdir_file
   -vendor_file_type
+  -vendor_userdir_file
   -vold_data_file
 }:dir { write add_name remove_name rmdir relabelfrom };
 
@@ -231,9 +235,9 @@
   file_type
   -apex_info_file
   -app_data_file
+  -bpffs_type
   -exec_type
   -gsi_data_file
-  -iorapd_data_file
   -credstore_data_file
   -keystore_data_file
   -misc_logd_file
@@ -251,12 +255,16 @@
 
 allow init tracefs_type:file { create_file_perms relabelfrom };
 
+# Allow init to read /apex/apex-info-list.xml for preinstalled paths of APEXes to determine
+# subcontext for action/service defined in APEXes.
+allow init apex_info_file:file r_file_perms;
+
 allow init {
   file_type
   -app_data_file
+  -bpffs_type
   -exec_type
   -gsi_data_file
-  -iorapd_data_file
   -credstore_data_file
   -keystore_data_file
   -misc_logd_file
@@ -274,9 +282,9 @@
   file_type
   -apex_mnt_dir
   -app_data_file
+  -bpffs_type
   -exec_type
   -gsi_data_file
-  -iorapd_data_file
   -credstore_data_file
   -keystore_data_file
   -misc_logd_file
@@ -294,6 +302,7 @@
 
 allow init {
   file_type
+  -bpffs_type
   -system_dlkm_file_type
   -system_file_type
   -vendor_file_type
@@ -318,6 +327,7 @@
 # chown/chmod on pseudo files.
 allow init {
   fs_type
+  -bpffs_type
   -contextmount_type
   -keychord_device
   -proc_type
@@ -327,7 +337,14 @@
   -rootfs
   enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir  { open read setattr search };
+allow init {
+  fs_type
+  -bpffs_type
+  -contextmount_type
+  -sdcard_type
+  -fusefs_type
+  -rootfs
+}:dir { open read setattr search };
 
 allow init {
   binder_device
@@ -362,7 +379,8 @@
 userdebug_or_eng(`
   # Overlayfs workdir write access check during mount to permit remount,rw
   allow init overlayfs_file:dir { relabelfrom mounton write };
-  allow init overlayfs_file:file { append };
+  allow init overlayfs_file:file { append rename };
+  allow init overlayfs_file:chr_file unlink;
   allow init system_block_device:blk_file { write };
 ')
 
@@ -380,7 +398,6 @@
 
 allow init {
   proc_abi
-  proc_bpf
   proc_cpu_alignment
   proc_dirty
   proc_hostname
diff --git a/public/installd.te b/public/installd.te
index 46796af..216704d 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -42,13 +42,12 @@
 allow installd asec_image_file:dir search;
 allow installd asec_image_file:file getattr;
 
-# Create /data/user and /data/user/0 if necessary.
-# Also required to initially create /data/data subdirectories
+# Required to initially create subdirectories of /data/user/$userId
 # and lib symlinks before the setfilecon call.  May want to
 # move symlink creation after setfilecon in installd.
 allow installd system_data_file:dir create_dir_perms;
-# Also, allow read for lnk_file so that we can process /data/user/0 links when
-# optimizing application code.
+# Also, allow read for lnk_file so that we can process symlinks within
+# /data/user/$userId when optimizing application code.
 allow installd system_data_file:lnk_file { create getattr read setattr unlink };
 
 # Manage lower filesystem via pass_through mounts
@@ -62,6 +61,7 @@
 allow installd media_rw_data_file:dir relabelto;
 
 # Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd media_userdir_file:dir r_dir_perms;
 allow installd tmpfs:dir r_dir_perms;
 allow installd storage_file:dir search;
 allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
@@ -71,6 +71,7 @@
 allow installd mirror_data_file:dir { create_dir_perms mounton };
 
 # Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd system_userdir_file:dir r_dir_perms;
 allow installd misc_user_data_file:dir create_dir_perms;
 allow installd misc_user_data_file:file create_file_perms;
 allow installd keychain_data_file:dir create_dir_perms;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index d46e485..e900173 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -132,6 +132,7 @@
 define(`BC_REPLY', `0x40406301')
 define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
 define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_GET_EXTENDED_ERROR', `0xc0486211')
 define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
 define(`BINDER_FREEZE', `0x400c620e')
 define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
@@ -165,6 +166,8 @@
 define(`BLKPG', `0x00001269')
 define(`BLKRAGET', `0x00001263')
 define(`BLKRASET', `0x00001262')
+define(`BLKREPORTZONE', `0xc0101282')
+define(`BLKRESETZONE', `0x40101283')
 define(`BLKROGET', `0x0000125e')
 define(`BLKROSET', `0x0000125d')
 define(`BLKROTATIONAL', `0x0000127e')
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 47a5157..64ee1b0 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -73,4 +73,5 @@
 BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
 BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
 BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
+BINDER_GET_EXTENDED_ERROR
 }')
diff --git a/public/iorap.te b/public/iorap.te
new file mode 100644
index 0000000..0671c34
--- /dev/null
+++ b/public/iorap.te
@@ -0,0 +1,4 @@
+# Define these types for now, as they may be used in device-specific policy.
+type iorapd;
+type iorap_inode2filename;
+type iorap_prefetcherd;
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
deleted file mode 100644
index 6f119ee..0000000
--- a/public/iorap_inode2filename.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# iorap.inode2filename -> look up file paths from an inode
-type iorap_inode2filename, domain;
-type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
-type iorap_inode2filename_tmpfs, file_type;
-
-r_dir_file(iorap_inode2filename, rootfs)
-
-# Allow usage of pipes (child stdout -> parent pipe).
-allow iorap_inode2filename iorapd:fd use;
-allow iorap_inode2filename iorapd:fifo_file { read write getattr };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_inode2filename self:capability dac_read_search;
-
-typeattribute iorap_inode2filename mlstrustedsubject;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename apex_data_file:dir { getattr open read search };
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
-allow iorap_inode2filename apex_mnt_dir:file { getattr };
-allow iorap_inode2filename apk_data_file:dir { getattr open read search };
-allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
-allow iorap_inode2filename app_data_file_type:file { getattr };
-allow iorap_inode2filename backup_data_file:dir  { getattr open read search };
-allow iorap_inode2filename backup_data_file:file  { getattr };
-allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
-allow iorap_inode2filename bootchart_data_file:file { getattr };
-allow iorap_inode2filename metadata_file:dir { getattr open read search search };
-allow iorap_inode2filename metadata_file:file { getattr };
-allow iorap_inode2filename packages_list_file:dir { getattr open read search };
-allow iorap_inode2filename packages_list_file:file { getattr };
-allow iorap_inode2filename property_data_file:dir { getattr open read search };
-allow iorap_inode2filename property_data_file:file { getattr };
-allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
-allow iorap_inode2filename resourcecache_data_file:file { getattr };
-allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:file { getattr };
-allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
-allow iorap_inode2filename same_process_hal_file:file { getattr };
-allow iorap_inode2filename sepolicy_file:file { getattr };
-allow iorap_inode2filename staging_data_file:dir { getattr open read search };
-allow iorap_inode2filename staging_data_file:file { getattr };
-allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
-allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
-allow iorap_inode2filename system_data_file:dir { getattr open read search };
-allow iorap_inode2filename system_data_file:file { getattr };
-allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
-allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:file { getattr };
-allow iorap_inode2filename toolbox_exec:file getattr;
-allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:file { getattr };
-allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
-allow iorap_inode2filename unlabeled:file { getattr };
-allow iorap_inode2filename vendor_file:dir { getattr open read search };
-allow iorap_inode2filename vendor_file:file { getattr };
-allow iorap_inode2filename vendor_overlay_file:file { getattr };
-allow iorap_inode2filename zygote_exec:file { getattr };
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
-neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
deleted file mode 100644
index 4b218fb..0000000
--- a/public/iorap_prefetcherd.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# volume manager
-type iorap_prefetcherd, domain;
-type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
-type iorap_prefetcherd_tmpfs, file_type;
-
-r_dir_file(iorap_prefetcherd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
-
-# iorap_prefetcherd temporarily changes its priority when running benchmarks
-allow iorap_prefetcherd self:global_capability_class_set sys_nice;
-
-# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
-allow iorap_prefetcherd iorapd:fd use;
-allow iorap_prefetcherd iorapd:fifo_file { read write };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_prefetcherd self:capability dac_read_search;
-
-typeattribute iorap_prefetcherd mlstrustedsubject;
-
-# Grant logcat access
-allow iorap_prefetcherd logcat_exec:file { open read };
-
-# Grant access to open most of the files under /
-allow iorap_prefetcherd apk_data_file:dir { open read search };
-allow iorap_prefetcherd apk_data_file:file { open read };
-allow iorap_prefetcherd app_data_file:dir { open read search };
-allow iorap_prefetcherd app_data_file:file { open read };
-allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
-allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
-allow iorap_prefetcherd packages_list_file:dir { open read search };
-allow iorap_prefetcherd packages_list_file:file { open read };
-allow iorap_prefetcherd privapp_data_file:dir { open read search };
-allow iorap_prefetcherd privapp_data_file:file { open read };
-allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
-allow iorap_prefetcherd same_process_hal_file:file { open read };
-allow iorap_prefetcherd system_data_file:dir { open read search };
-allow iorap_prefetcherd system_data_file:file { open read };
-allow iorap_prefetcherd system_data_file:lnk_file { open read };
-allow iorap_prefetcherd user_profile_root_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:file { open read };
-allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
-allow iorap_prefetcherd vendor_overlay_file:file { open read };
-# Note: Do not add any /vendor labels because they can be customized
-# by the vendor and we won't know about them beforehand.
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
-neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/iorapd.te b/public/iorapd.te
deleted file mode 100644
index 8fded0c..0000000
--- a/public/iorapd.te
+++ /dev/null
@@ -1,94 +0,0 @@
-# volume manager
-type iorapd, domain;
-type iorapd_exec, exec_type, file_type, system_file_type;
-type iorapd_tmpfs, file_type;
-
-r_dir_file(iorapd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorapd proc_drop_caches:file rw_file_perms;
-
-# Give iorapd a place where only iorapd can store files; everyone else is off limits
-allow iorapd iorapd_data_file:dir create_dir_perms;
-allow iorapd iorapd_data_file:file create_file_perms;
-
-# Allow iorapd to publish a binder service and make binder calls.
-binder_use(iorapd)
-add_service(iorapd, iorapd_service)
-
-# Allow iorapd to call into the system server so it can check permissions.
-binder_call(iorapd, system_server)
-allow iorapd permission_service:service_manager find;
-# IUserManager
-allow iorapd user_service:service_manager find;
-# IPackageManagerNative
-allow iorapd package_native_service:service_manager find;
-# Allow dumpstate (bugreport) to call into iorapd.
-allow iorapd dumpstate:fd use;
-allow iorapd dumpstate:fifo_file write;
-
-# TODO: does each of the service_manager allow finds above need the binder_call?
-
-# iorapd temporarily changes its priority when running benchmarks
-allow iorapd self:global_capability_class_set sys_nice;
-
-# Allow to access Perfetto traced's privileged consumer socket to start/stop
-# tracing sessions and read trace data.
-unix_socket_connect(iorapd, traced_consumer, traced)
-
-# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
-allow iorapd system_file:file rx_file_perms;
-
-# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
-allow iorapd iorap_inode2filename:process signull;
-allow iorapd iorap_prefetcherd:process signull;
-
-# Allowing system_server to check for the existence and size of files under iorapd
-# dir without collecting any sensitive app data.
-# This is used to predict if iorapd is doing prefetching or not.
-allow system_server iorapd_data_file:dir { getattr open read search };
-allow system_server iorapd_data_file:file getattr;
-
-###
-### neverallow rules
-###
-
-neverallow {
-    domain
-    -iorapd
-} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-
-neverallow {
-    domain
-    -init
-    -iorapd
-    -system_server
-} iorapd_data_file:dir *;
-
-neverallow {
-    domain
-    -kernel
-    -iorapd
-} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
-    domain
-    -init
-    -kernel
-    -vendor_init
-    -iorapd
-    -system_server
-} { iorapd_data_file }:notdevfile_class_set *;
-
-# Only system_server and shell (for dumpsys) can interact with iorapd over binder
-neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
-neverallow iorapd {
-  domain
-  -servicemanager
-  -system_server
-  userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ udp_socket rawip_socket } *;
-neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/kernel.te b/public/kernel.te
index 09d2480..b01c07ad 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -95,10 +95,10 @@
   staging_data_file
   vendor_apex_file
 }:file read;
-# Also allow the kernel to read /data/local/tmp files via loop device
-# for ApexTestCases
+# Also allow the kernel to read/write /data/local/tmp files via loop device
+# for ApexTestCases and fiemap_image_test.
 userdebug_or_eng(`
-  allow kernel shell_data_file:file read;
+  allow kernel shell_data_file:file { read write };
 ')
 
 # Allow the first-stage init (which is running in the kernel domain) to execute the
diff --git a/public/keystore.te b/public/keystore.te
index e1c58a4..4cef175 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -5,6 +5,7 @@
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
+binder_call(keystore, remote_provisioning_service_server)
 binder_call(keystore, system_server)
 binder_call(keystore, wificond)
 
@@ -17,6 +18,7 @@
 add_service(keystore, remoteprovisioning_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;
+allow keystore remote_provisioning_service:service_manager find;
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
@@ -48,3 +50,6 @@
 # The software KeyMint implementation used in km_compat needs
 # to read the vendor security patch level.
 get_prop(keystore, vendor_security_patch_level_prop);
+
+# Allow keystore to read its vendor configuration
+get_prop(keystore, keystore_config_prop)
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 1315b8f..44786fc 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -67,7 +67,6 @@
 # descriptor opened outside the process.
 neverallow mediaextractor {
   data_file_type
-  -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
   userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
   with_native_coverage(`-method_trace_data_file')
 }:file open;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 621b6d7..367012c 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -66,6 +66,9 @@
 # but seems appropriate for all devices.
 unix_socket_connect(mediaserver, bluetooth, bluetooth)
 
+# Needed for mediaserver to send information to statsd socket.
+unix_socket_send(mediaserver, statsdw, statsd)
+
 add_service(mediaserver, mediaserver_service)
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
@@ -77,6 +80,7 @@
 allow mediaserver mediaextractor_service:service_manager find;
 allow mediaserver mediametrics_service:service_manager find;
 allow mediaserver media_session_service:service_manager find;
+allow mediaserver package_native_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
 allow mediaserver permission_checker_service:service_manager find;
 allow mediaserver power_service:service_manager find;
diff --git a/public/net.te b/public/net.te
index 31c9c45..aa30b62 100644
--- a/public/net.te
+++ b/public/net.te
@@ -21,6 +21,3 @@
 
 # Talks to netd via fwmarkd socket.
 unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/public/netd.te b/public/netd.te
index 7c7655e..e3ea1cb 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -3,6 +3,8 @@
 type netd_exec, system_file_type, exec_type, file_type;
 
 net_domain(netd)
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netd, mdnsd, mdnsd)
 # in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
 
@@ -111,6 +113,10 @@
 add_hwservice(netd, system_net_netd_hwservice)
 hwbinder_use(netd)
 
+# AIDL hal server
+binder_call(system_net_netd_service, servicemanager)
+add_service(netd, system_net_netd_service)
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/profman.te b/public/profman.te
index c014d79..727daee 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -14,8 +14,6 @@
 allow profman tmpfs:file { read map };
 allow profman profman_dump_data_file:file { write map };
 
-allow profman installd:fd use;
-
 # Allow profman to analyze profiles for the secondary dex files. These
 # are application dex files reported back to the framework when using
 # BaseDexClassLoader.
diff --git a/public/property.te b/public/property.te
index deb166b..c41aa91 100644
--- a/public/property.te
+++ b/public/property.te
@@ -53,6 +53,7 @@
 # Properties which can't be written outside system
 system_restricted_prop(aac_drc_prop)
 system_restricted_prop(adaptive_haptics_prop)
+system_restricted_prop(apex_ready_prop)
 system_restricted_prop(arm64_memtag_prop)
 system_restricted_prop(binder_cache_bluetooth_server_prop)
 system_restricted_prop(binder_cache_system_server_prop)
@@ -64,6 +65,7 @@
 system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
+system_restricted_prop(device_config_camera_native_prop)
 system_restricted_prop(device_config_nnapi_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)
@@ -74,7 +76,6 @@
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
 system_restricted_prop(userdebug_or_eng_prop)
-system_restricted_prop(hypervisor_prop)
 system_restricted_prop(init_service_status_prop)
 system_restricted_prop(libc_debug_prop)
 system_restricted_prop(module_sdkextensions_prop)
@@ -85,6 +86,7 @@
 system_restricted_prop(provisioned_prop)
 system_restricted_prop(restorecon_prop)
 system_restricted_prop(retaildemo_prop)
+system_restricted_prop(servicemanager_prop)
 system_restricted_prop(smart_idle_maint_enabled_prop)
 system_restricted_prop(socket_hook_prop)
 system_restricted_prop(sqlite_log_prop)
@@ -128,6 +130,7 @@
 system_vendor_config_prop(audio_config_prop)
 system_vendor_config_prop(bootanim_config_prop)
 system_vendor_config_prop(bluetooth_config_prop)
+system_vendor_config_prop(build_attestation_prop)
 system_vendor_config_prop(build_config_prop)
 system_vendor_config_prop(build_odm_prop)
 system_vendor_config_prop(build_vendor_prop)
@@ -149,8 +152,11 @@
 system_vendor_config_prop(graphics_config_prop)
 system_vendor_config_prop(hdmi_config_prop)
 system_vendor_config_prop(hw_timeout_multiplier_prop)
+system_vendor_config_prop(hypervisor_prop)
+system_vendor_config_prop(hypervisor_restricted_prop)
 system_vendor_config_prop(incremental_prop)
 system_vendor_config_prop(keyguard_config_prop)
+system_vendor_config_prop(keystore_config_prop)
 system_vendor_config_prop(lmkd_config_prop)
 system_vendor_config_prop(media_config_prop)
 system_vendor_config_prop(media_variant_prop)
@@ -159,6 +165,7 @@
 system_vendor_config_prop(oem_unlock_prop)
 system_vendor_config_prop(packagemanager_config_prop)
 system_vendor_config_prop(recovery_config_prop)
+system_vendor_config_prop(recovery_usb_config_prop)
 system_vendor_config_prop(sendbug_config_prop)
 system_vendor_config_prop(soc_prop)
 system_vendor_config_prop(storage_config_prop)
@@ -181,6 +188,8 @@
 system_vendor_config_prop(zram_config_prop)
 system_vendor_config_prop(zygote_config_prop)
 system_vendor_config_prop(dck_prop)
+system_vendor_config_prop(tuner_config_prop)
+system_vendor_config_prop(usb_uvc_enabled_prop)
 
 # Properties with no restrictions
 system_public_prop(adbd_config_prop)
@@ -196,11 +205,14 @@
 system_public_prop(ctl_stop_prop)
 system_public_prop(dalvik_runtime_prop)
 system_public_prop(debug_prop)
+system_public_prop(device_config_memory_safety_native_boot_prop)
+system_public_prop(device_config_memory_safety_native_prop)
 system_public_prop(dumpstate_options_prop)
 system_public_prop(exported_system_prop)
 system_public_prop(exported_bluetooth_prop)
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
+system_public_prop(future_pm_prop)
 system_public_prop(ffs_control_prop)
 system_public_prop(framework_status_prop)
 system_public_prop(gesture_prop)
@@ -208,6 +220,7 @@
 system_public_prop(sota_prop)
 system_public_prop(hwservicemanager_prop)
 system_public_prop(lmkd_prop)
+system_public_prop(locale_prop)
 system_public_prop(logd_prop)
 system_public_prop(logpersistd_logging_prop)
 system_public_prop(log_prop)
@@ -215,6 +228,7 @@
 system_public_prop(lowpan_prop)
 system_public_prop(nfc_prop)
 system_public_prop(ota_prop)
+system_public_prop(permissive_mte_prop)
 system_public_prop(powerctl_prop)
 system_public_prop(qemu_hw_prop)
 system_public_prop(qemu_sf_lcd_density_prop)
@@ -223,7 +237,9 @@
 system_public_prop(serialno_prop)
 system_public_prop(surfaceflinger_color_prop)
 system_public_prop(system_prop)
+system_public_prop(system_user_mode_emulation_prop)
 system_public_prop(telephony_status_prop)
+system_public_prop(timezone_prop)
 system_public_prop(usb_control_prop)
 system_public_prop(vold_post_fs_data_prop)
 system_public_prop(wifi_hal_prop)
@@ -237,6 +253,12 @@
 # Properties used in default HAL implementations
 vendor_internal_prop(rebootescrow_hal_prop)
 
+# Properties used in the default Face HAL implementations
+vendor_internal_prop(virtual_face_hal_prop)
+
+# Properties used in the default Fingerprint HAL implementations
+vendor_internal_prop(virtual_fingerprint_hal_prop)
+
 vendor_public_prop(persist_vendor_debug_wifi_prop)
 
 # Properties which are public for devices launching with Android O or earlier
diff --git a/public/remote_provisioning_service_server.te b/public/remote_provisioning_service_server.te
new file mode 100644
index 0000000..710b43d
--- /dev/null
+++ b/public/remote_provisioning_service_server.te
@@ -0,0 +1,5 @@
+# This service is hosted by system server, and provides a stable aidl
+# front-end for a mainline module that is loaded into system server.
+add_service(remote_provisioning_service_server, remote_provisioning_service)
+
+binder_use(remote_provisioning_service_server)
diff --git a/public/rkpd_app.te b/public/rkpd_app.te
new file mode 100644
index 0000000..2aaf3b8
--- /dev/null
+++ b/public/rkpd_app.te
@@ -0,0 +1,6 @@
+###
+### A domain for sandboxing the remote key provisioning daemon
+### app that is shipped via mainline.
+###
+
+type rkpdapp, domain;
diff --git a/public/service.te b/public/service.te
index e862b40..3d3d98a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -7,6 +7,7 @@
 type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
 type bluetooth_service,         service_manager_type;
 type cameraserver_service,      service_manager_type;
+type fwk_camera_service,        service_manager_type;
 type default_android_service,   service_manager_type;
 type dice_maintenance_service,  service_manager_type;
 type dice_node_service,         service_manager_type;
@@ -19,7 +20,6 @@
 type gatekeeper_service,        app_api_service, service_manager_type;
 type gpu_service,               app_api_service, ephemeral_app_api_service, service_manager_type;
 type idmap_service,             service_manager_type;
-type iorapd_service,            service_manager_type;
 type incident_service,          service_manager_type;
 type installd_service,          service_manager_type;
 type credstore_service,         app_api_service, service_manager_type;
@@ -37,6 +37,7 @@
 type mediatranscoding_service,  app_api_service, service_manager_type;
 type netd_service,              service_manager_type;
 type nfc_service,               service_manager_type;
+type ondevicepersonalization_system_service, system_api_service, system_server_service, service_manager_type;
 type radio_service,             service_manager_type;
 type remotelyprovisionedkeypool_service, service_manager_type;
 type remoteprovisioning_service,   service_manager_type;
@@ -45,6 +46,7 @@
 type storaged_service,          service_manager_type;
 type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
+type system_net_netd_service,   service_manager_type;
 type system_suspend_control_internal_service, service_manager_type;
 type system_suspend_control_service, service_manager_type;
 type update_engine_service,     service_manager_type;
@@ -102,6 +104,7 @@
 # with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
 type coverage_service, system_server_service, service_manager_type;
 type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type credential_service, app_api_service, ephemeral_app_api_service, system_api_service, system_server_service, service_manager_type;
 type dataloader_manager_service, system_server_service, service_manager_type;
 type dbinfo_service, system_api_service, system_server_service, service_manager_type;
 type device_config_service, system_server_service, service_manager_type;
@@ -119,24 +122,28 @@
 type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type netd_listener_service, system_server_service, service_manager_type;
 type network_watchlist_service, system_server_service, service_manager_type;
+type devicelock_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type DockObserver_service, system_server_service, service_manager_type;
 type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type lowpan_service, system_api_service, system_server_service, service_manager_type;
 type ethernet_service, app_api_service, system_server_service, service_manager_type;
 type biometric_service, app_api_service, system_server_service, service_manager_type;
 type bugreport_service, app_api_service, system_server_service, service_manager_type;
 type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type face_service, app_api_service, system_server_service, service_manager_type;
 type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type fwk_altitude_service, system_server_service, service_manager_type;
 type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
+type fwk_sensor_service, system_server_service, service_manager_type;
 type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type gnss_time_update_service, system_server_service, service_manager_type;
+type grammatical_inflection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type hardware_service, system_server_service, service_manager_type;
 type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
+type healthconnect_service, app_api_service, system_server_service, service_manager_type;
 type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type incremental_service, system_server_service, service_manager_type;
@@ -191,6 +198,7 @@
 type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
 type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type remote_provisioning_service, system_server_service, service_manager_type;
 type resources_manager_service, system_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;
@@ -228,7 +236,6 @@
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, app_api_service, system_server_service, service_manager_type;
-type timezone_service, system_server_service, service_manager_type;
 type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
 type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
@@ -259,7 +266,6 @@
 type wifiaware_service, app_api_service, system_server_service, service_manager_type;
 type window_service, system_api_service, system_server_service, service_manager_type;
 type inputflinger_service, system_api_service, system_server_service, service_manager_type;
-type wpantund_service, system_api_service, service_manager_type;
 type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type emergency_affordance_service, system_server_service, service_manager_type;
 
@@ -267,49 +273,67 @@
 ### HAL Services
 ###
 
-type hal_audio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_audiocontrol_service, vendor_service, hal_service_type, service_manager_type;
-type hal_authsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_camera_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_contexthub_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_dice_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_drm_service, vendor_service, hal_service_type, service_manager_type;
-type hal_dumpstate_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_evs_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_face_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_fingerprint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_gnss_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_graphics_allocator_service, vendor_service, hal_service_type, service_manager_type;
-type hal_graphics_composer_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_health_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_health_storage_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_identity_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_input_processor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_ir_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_keymint_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_light_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_memtrack_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_neuralnetworks_service, vendor_service, hal_service_type, service_manager_type;
-type hal_nfc_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_oemlock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_power_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_power_stats_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_radio_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_rebootescrow_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_sensors_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_secureclock_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_sharedsecret_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_audio_service, protected_service, hal_service_type, service_manager_type;
+type hal_audiocontrol_service, hal_service_type, service_manager_type;
+type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
+type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
+type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
+type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
+type hal_camera_service, protected_service, hal_service_type, service_manager_type;
+type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
+type hal_cas_service, hal_service_type, service_manager_type;
+type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
+type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
+type hal_dice_service, protected_service, hal_service_type, service_manager_type;
+type hal_drm_service, hal_service_type, service_manager_type;
+type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
+type hal_evs_service, protected_service, hal_service_type, service_manager_type;
+type hal_face_service, protected_service, hal_service_type, service_manager_type;
+type hal_fastboot_service, protected_service, hal_service_type, service_manager_type;
+type hal_fingerprint_service, protected_service, hal_service_type, service_manager_type;
+type hal_gnss_service, protected_service, hal_service_type, service_manager_type;
+type hal_graphics_allocator_service, hal_service_type, service_manager_type;
+type hal_graphics_composer_service, protected_service, hal_service_type, service_manager_type;
+type hal_health_service, protected_service, hal_service_type, service_manager_type;
+type hal_health_storage_service, protected_service, hal_service_type, service_manager_type;
+type hal_identity_service, protected_service, hal_service_type, service_manager_type;
+type hal_input_processor_service, protected_service, hal_service_type, service_manager_type;
+type hal_ir_service, protected_service, hal_service_type, service_manager_type;
+type hal_keymint_service, protected_service, hal_service_type, service_manager_type;
+type hal_light_service, protected_service, hal_service_type, service_manager_type;
+type hal_memtrack_service, protected_service, hal_service_type, service_manager_type;
+type hal_neuralnetworks_service, hal_service_type, service_manager_type;
+type hal_nfc_service, protected_service, hal_service_type, service_manager_type;
+type hal_oemlock_service, protected_service, hal_service_type, service_manager_type;
+type hal_power_service, protected_service, hal_service_type, service_manager_type;
+type hal_power_stats_service, protected_service, hal_service_type, service_manager_type;
+type hal_radio_service, protected_service, hal_service_type, service_manager_type;
+type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
+type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
+type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
+type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
+type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
+type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
+type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
 type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
-type hal_tv_tuner_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_usb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_uwb_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_vehicle_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_vibrator_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_weaver_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_nlinterceptor_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_wifi_hostapd_service, vendor_service, protected_service, hal_service_type, service_manager_type;
-type hal_wifi_supplicant_service, vendor_service, protected_service, hal_service_type, service_manager_type;
+type hal_tetheroffload_service, protected_service, hal_service_type, service_manager_type;
+type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_cec_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_earc_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
+type hal_usb_service, protected_service, hal_service_type, service_manager_type;
+type hal_usb_gadget_service, protected_service, hal_service_type, service_manager_type;
+type hal_uwb_service, protected_service, hal_service_type, service_manager_type;
+type hal_vehicle_service, protected_service, hal_service_type, service_manager_type;
+type hal_vibrator_service, protected_service, hal_service_type, service_manager_type;
+type hal_weaver_service, protected_service, hal_service_type, service_manager_type;
+type hal_nlinterceptor_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_hostapd_service, protected_service, hal_service_type, service_manager_type;
+type hal_wifi_supplicant_service, protected_service, hal_service_type, service_manager_type;
+type hal_gatekeeper_service, protected_service, hal_service_type, service_manager_type;
 
 ###
 ### Neverallow rules
diff --git a/public/servicemanager.te b/public/servicemanager.te
index a812338..58153f7 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -31,10 +31,9 @@
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
 
-recovery_only(`
-  # In recovery, log to kmsg.
-  allow servicemanager kmsg_device:chr_file rw_file_perms;
+allow servicemanager kmsg_device:chr_file rw_file_perms;
 
+recovery_only(`
   # Read VINTF files.
   r_dir_file(servicemanager, rootfs)
 ')
diff --git a/public/shell.te b/public/shell.te
index 4175c86..6c67cea 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -60,7 +60,6 @@
 r_dir_file(shell, system_file)
 allow shell system_file:file x_file_perms;
 allow shell toolbox_exec:file rx_file_perms;
-allow shell tzdatacheck_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;
 
@@ -82,9 +81,11 @@
   -apex_service
   -dnsresolver_service
   -gatekeeper_service
+  -hal_keymint_service
+  -hal_secureclock_service
+  -hal_sharedsecret_service
   -incident_service
   -installd_service
-  -iorapd_service
   -mdns_service
   -netd_service
   -system_suspend_control_internal_service
@@ -198,6 +199,14 @@
 ### Neverallow rules
 ###
 
+# Do not allow shell to talk directly to security HAL services other than
+# hal_remotelyprovisionedcomponent_service
+neverallow shell {
+  hal_keymint_service
+  hal_secureclock_service
+  hal_sharedsecret_service
+}:service_manager find;
+
 # Do not allow shell to hard link to any files.
 # In particular, if shell hard links to app data
 # files, installd will not be able to guarantee the deletion
diff --git a/public/statsd.te b/public/statsd.te
index 1a09586..31d033f 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -40,6 +40,10 @@
 allow statsd mediametrics_service:service_manager find;
 binder_call(statsd, mediametrics)
 
+# Allow statsd to interact with mediametrics
+allow statsd mediaserver_service:service_manager find;
+binder_call(statsd, mediaserver)
+
 # Allow logd access.
 read_logd(statsd)
 control_logd(statsd)
diff --git a/public/su.te b/public/su.te
index 8328140..3473e74 100644
--- a/public/su.te
+++ b/public/su.te
@@ -97,6 +97,9 @@
   typeattribute su hal_tetheroffload_client;
   typeattribute su hal_thermal_client;
   typeattribute su hal_tv_cec_client;
+  typeattribute su hal_tv_hdmi_cec_client;
+  typeattribute su hal_tv_hdmi_connection_client;
+  typeattribute su hal_tv_hdmi_earc_client;
   typeattribute su hal_tv_input_client;
   typeattribute su hal_tv_tuner_client;
   typeattribute su hal_usb_client;
diff --git a/public/te_macros b/public/te_macros
index 58d04b4..63805de 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -176,32 +176,31 @@
 dontaudit su $1_userfaultfd:anon_inode *;
 # Other domains may not use userfaultfd anon_inodes created by this domain.
 neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
-# This domain may not use userfaultfd anon_inodes created by other domains.
-neverallow $1 ~$1_userfaultfd:anon_inode *;
 ')
 
 ####################################
 # virtualizationservice_use(domain)
 # Allow domain to create and communicate with a virtual machine using
-# virtualizationservice.
+# virtualizationservice and virtualizationmanager.
 define(`virtualizationservice_use', `
-allow $1 virtualization_service:service_manager find;
-# Let the client call virtualizationservice.
-binder_call($1, virtualizationservice)
-# Let virtualizationservice call back to the client.
-binder_call(virtualizationservice, $1)
-# Let the client pass file descriptors to virtualizationservice and on
-# to crosvm
-allow { virtualizationservice crosvm } $1:fd use;
+# Transition to virtualizationmanager when the client executes it.
+domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager)
+# Allow virtualizationmanager to communicate over UDS with the client.
+allow { virtualizationmanager crosvm } $1:unix_stream_socket { getattr read write };
+# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
+allow { virtualizationmanager crosvm } $1:fd use;
+# Let the client use file descriptors created by virtualizationmanager.
+allow $1 virtualizationmanager:fd use;
 # Allow piping console log to the client
-allow { virtualizationservice crosvm } $1:fifo_file write;
-# Allow client to read/write vsock created by virtualizationservice to
-# communicate with the VM that it created. Notice that we do not grant
-# permission to create a vsock; the client can only connect to VMs
-# that it owns.
-allow $1 virtualizationservice:vsock_socket { getattr read write };
+allow { virtualizationmanager crosvm } $1:fifo_file { getattr read write };
+# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
+# that it created. Notice that we do not grant permission to create a vsock;
+# the client can only connect to VMs that it owns.
+allow $1 virtualizationmanager:vsock_socket { getattr getopt read write };
 # Allow client to inspect hypervisor capabilities
 get_prop($1, hypervisor_prop)
+# Allow client to read (but not open) the crashdump provided by virtualizationmanager
+allow $1 virtualizationservice_data_file:file { getattr read };
 ')
 
 #####################################
@@ -234,6 +233,13 @@
 ')
 
 #####################################
+# isolated_app_domain(domain)
+# Allow a base set of permissions required for all isolated apps.
+define(`isolated_app_domain', `
+typeattribute $1 isolated_app_all;
+')
+
+#####################################
 # net_domain(domain)
 # Allow a base set of permissions required for network access.
 define(`net_domain', `
@@ -758,7 +764,6 @@
         -$1_server
         # some services are allowed to find all services
         -atrace
-        -dumpstate
         -shell
         -system_app
         -traceur_app
@@ -1035,3 +1040,29 @@
   allow $1 system_bootstrap_lib_file:dir r_dir_perms;
   allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
 ')
+
+######################################
+# use_apex_info(domain)
+# Allow access to apex information
+define(`use_apex_info', `
+  allow $1 apex_mnt_dir:dir r_dir_perms;
+  allow $1 apex_info_file:file r_file_perms;
+')
+
+####################################
+# io_uring_use(domain)
+# Allow domain to create/use io_uring.
+define(`io_uring_use', `
+# Set up a type_transition to "io_uring" named anonymous inode object.
+type $1_iouring;
+type_transition $1 $1:anon_inode $1_iouring "[io_uring]";
+# Allow domain to create/use io_uring anon_inode.
+allow $1 $1_iouring:anon_inode { create map read write };
+allow $1 self:io_uring sqpoll;
+# Other domains may not use iouring anon_inodes created by this domain.
+neverallow { domain -$1 } $1_iouring:anon_inode *;
+# io_uring checks for CAP_IPC_LOCK to determine whether or not to track
+# memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to
+# grant CAP_IPC_LOCK to silence avc denials, which is undesireable.
+dontaudit $1 self:global_capability_class_set ipc_lock;
+')
diff --git a/public/toolbox.te b/public/toolbox.te
index 4c2cc3e..3705a92 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -1,5 +1,4 @@
 # Any toolbox command run by init.
-# At present, the only known usage is for running mkswap via fs_mgr.
 # Do NOT use this domain for toolbox when run by any other domain.
 type toolbox, domain;
 type toolbox_exec, system_file_type, exec_type, file_type;
@@ -23,16 +22,11 @@
 neverallow * toolbox:process dyntransition;
 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
 
-# rm -rf directories in /data
+# rm -rf /data/per_boot
 allow toolbox system_data_root_file:dir { remove_name write };
 allow toolbox system_data_file:dir { rmdir rw_dir_perms };
 allow toolbox system_data_file:file { getattr unlink };
 
-# chattr +F and chattr +P /data/media in init
-allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
-allowxperm toolbox media_rw_data_file:dir ioctl {
-  FS_IOC_FSGETXATTR
-  FS_IOC_FSSETXATTR
-  FS_IOC_GETFLAGS
-  FS_IOC_SETFLAGS
-};
+# chattr +F /data/media in init
+allow toolbox media_userdir_file:dir { r_dir_perms setattr };
+allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };
diff --git a/public/traced.te b/public/traced.te
index 922d46e..48da0d8 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,3 +1,4 @@
 type traced, domain, coredomain, mlstrustedsubject;
 type traced_tmpfs, file_type;
 
+
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 1ab150d..22f6c3b 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -10,7 +10,6 @@
   -gatekeeper_service
   -incident_service
   -installd_service
-  -iorapd_service
   -lpdump_service
   -mdns_service
   -netd_service
diff --git a/public/tzdatacheck.te b/public/tzdatacheck.te
deleted file mode 100644
index cf9b95d..0000000
--- a/public/tzdatacheck.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain;
-type tzdatacheck_exec, system_file_type, exec_type, file_type;
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
-
-# Below are strong assertion that only init, system_server and tzdatacheck
-# can modify the /data time zone rules directories. This is to make it very
-# clear that only these domains should modify the actual time zone rules data.
-# The tzdatacheck binary itself may be executed by shell for tests but it must
-# not be able to modify the real rules.
-# If other users / binaries could modify time zone rules on device this might
-# have negative implications for users (who may get incorrect local times)
-# or break assumptions made / invalidate data held by the components actually
-# responsible for updating time zone rules.
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 0a67614..a4ee6f5 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,9 +17,12 @@
 ###
 
 # This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 32.
+# targetSdkVersion >= 34.
 type untrusted_app, domain;
 # This file defines the rules for untrusted apps running with
+# 31 < targetSdkVersion <= 33.
+type untrusted_app_32, domain;
+# This file defines the rules for untrusted apps running with
 # 29 < targetSdkVersion <= 31.
 type untrusted_app_30, domain;
 # This file defines the rules for untrusted apps running with
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e8fd29e..12961e7 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -72,6 +72,7 @@
 # read /dev/dm-user, so that we can inotify wait for control devices to be
 # asynchronously created by ueventd.
 allow update_engine dm_user_device:dir r_dir_perms;
+allow update_engine dm_user_device:chr_file r_file_perms;
 
 # read / write metadata on super device to resize partitions
 allow update_engine_common super_block_device_type:blk_file rw_file_perms;
diff --git a/public/usbd.te b/public/usbd.te
index 6f34954..ee36784 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,2 +1,4 @@
 type usbd, domain;
 type usbd_exec, system_file_type, exec_type, file_type;
+
+binder_call(usbd, servicemanager)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 1e221ae..683ab61 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -48,6 +48,7 @@
 
 allow vendor_init {
   file_type
+  -bpffs_type
   -core_data_file_type
   -exec_type
   -system_dlkm_file_type
@@ -67,6 +68,7 @@
 
 allow vendor_init {
   file_type
+  -bpffs_type
   -core_data_file_type
   -exec_type
   -password_slot_metadata_file
@@ -86,6 +88,7 @@
 
 allow vendor_init {
   file_type
+  -bpffs_type
   -core_data_file_type
   -exec_type
   -password_slot_metadata_file
@@ -103,6 +106,7 @@
 allow vendor_init {
   file_type
   -apex_mnt_dir
+  -bpffs_type
   -core_data_file_type
   -exec_type
   -password_slot_metadata_file
@@ -119,6 +123,7 @@
 
 allow vendor_init {
   file_type
+  -bpffs_type
   -core_data_file_type
   -exec_type
   -mnt_product_file
@@ -142,6 +147,7 @@
 # chown/chmod on pseudo files.
 allow vendor_init {
   fs_type
+  -bpffs_type
   -contextmount_type
   -keychord_device
   -sdcard_type
@@ -157,6 +163,7 @@
 
 allow vendor_init {
   fs_type
+  -bpffs_type
   -contextmount_type
   -sdcard_type
   -fusefs_type
@@ -164,7 +171,7 @@
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
   -proc_uid_concurrent_policy_time
-}:dir  { open read setattr search };
+}:dir { open read setattr search };
 
 allow vendor_init dev_type:blk_file getattr;
 
@@ -253,6 +260,7 @@
 set_prop(vendor_init, userspace_reboot_config_prop)
 set_prop(vendor_init, vehicle_hal_prop)
 set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, keystore_config_prop)
 set_prop(vendor_init, vendor_security_patch_level_prop)
 set_prop(vendor_init, vndk_prop)
 set_prop(vendor_init, virtual_ab_prop)
diff --git a/public/vold.te b/public/vold.te
index b0fb6d0..209bf49 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -99,8 +99,8 @@
 # Allow mounting (lower filesystem) on parts of media for performance
 allow vold media_rw_data_file:dir mounton;
 
-# Allow setting extended attributes (for project quota IDs) on files and dirs
-# and to enable project ID inheritance through FS_IOC_SETFLAGS
+# Allow setting project quota IDs and enabling project ID inheritance on
+# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
 allowxperm vold media_rw_data_file:{ dir file } ioctl {
   FS_IOC_FSGETXATTR
   FS_IOC_FSSETXATTR
@@ -124,6 +124,10 @@
 allow vold mnt_expand_file:dir { create_dir_perms mounton };
 allow vold apk_data_file:dir { create getattr setattr };
 allow vold shell_data_file:dir { create getattr setattr };
+allow vold system_userdir_file:dir { create getattr setattr };
+allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
+# Needed to set the casefold flag on /mnt/expand/$volume/media
+allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS };
 
 # Allow to mount incremental file system on /data/incremental and create files
 allow vold apk_data_file:dir { mounton rw_dir_perms };
@@ -152,7 +156,7 @@
 allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
 # For vold Process::killProcessesWithOpenFiles function.
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
@@ -223,6 +227,9 @@
 allow vold userdata_block_device:blk_file rw_file_perms;
 allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
 
+# Access zoned block device.
+allow vold zoned_block_device:blk_file rw_file_perms;
+
 # Access metadata block device used for encryption meta-data.
 allow vold metadata_block_device:blk_file rw_file_perms;
 allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
@@ -330,7 +337,6 @@
   -system_suspend_server
   -hal_bootctl_server
   -hwservicemanager
-  -iorapd_service
   -keystore
   -servicemanager
   -system_server
diff --git a/public/wpantund.te b/public/wpantund.te
deleted file mode 100644
index 8ddd693..0000000
--- a/public/wpantund.te
+++ /dev/null
@@ -1,29 +0,0 @@
-type wpantund, domain;
-type wpantund_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(wpantund, hal_lowpan)
-net_domain(wpantund)
-
-binder_use(wpantund)
-binder_call(wpantund, system_server)
-
-# wpantund needs to be able to check in with the lowpan_service
-allow wpantund lowpan_service:service_manager find;
-
-# Allow wpantund to call any callbacks that have been registered with it.
-# Generally, only privileged apps are able to register callbacks with
-# wpantund, so we are limiting the scope for callbacks to only privileged
-# apps. We also add shell to allow the command-line utility `lowpanctl`
-# to work properly from `adb shell`.
-allow wpantund {priv_app shell}:binder call;
-
-# create sockets to set interfaces up and down, add multicast groups, etc.
-allow wpantund self:udp_socket create_socket_perms;
-
-# setting interface state up/down and changing MTU are privileged ioctls
-allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
-
-# Allow us to bring up a TUN network interface.
-allow wpantund tun_device:chr_file rw_file_perms;
-allow wpantund self:global_capability_class_set { net_admin net_raw };
-allow wpantund self:tun_socket create;
diff --git a/tests/Android.bp b/tests/Android.bp
index 8ca952d..e271346 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -43,6 +43,11 @@
     srcs: [
         "treble_sepolicy_tests.py",
     ],
+    version: {
+        py3: {
+            embedded_launcher: true,
+        },
+    },
     libs: [
         "mini_cil_parser",
         "pysepolwrap",
@@ -55,6 +60,11 @@
     srcs: [
         "sepolicy_tests.py",
     ],
+    version: {
+        py3: {
+            embedded_launcher: true,
+        },
+    },
     libs: ["pysepolwrap"],
     data: [":libsepolwrap"],
 }
diff --git a/tests/fix_policies.sh b/tests/fix_policies.sh
new file mode 100755
index 0000000..6011829
--- /dev/null
+++ b/tests/fix_policies.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Copyright (C) 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ $# -ne 1 ]; then
+    echo "Usage: $0 <directory>"
+    exit 1
+fi
+
+directory=$1
+
+# This fixes the Neverallow test involving policy violations of isolated_compute_app
+function fix_isolated_policies
+{
+  # Replace make sure we don't wrongly replace the existing occurrence
+  find "$directory" -name "*.te" -print0 | xargs -0 sed -i 's/-\s*isolated_app_all/-isolated_app/g'
+
+  # Replacement
+  find "$directory" -name "*.te" -print0 | xargs -0 sed -i 's/-\s*isolated_app/-isolated_app_all/g'
+
+  echo "Successfully replaced all occurrences of '-isolated_app' to '-isolated_app_all'!"
+}
+
+fix_isolated_policies
diff --git a/tests/policy.py b/tests/policy.py
index 60c6962..910dd3d 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -222,11 +222,15 @@
             scontext = set()
             for sctx in kwargs['scontext']:
                 scontext |= self.ResolveTypeAttribute(sctx)
+            if (len(scontext) == 0):
+                return []
             kwargs['scontext'] = scontext
         if ("tcontext" in kwargs and len(kwargs['tcontext']) > 0):
             tcontext = set()
             for tctx in kwargs['tcontext']:
                 tcontext |= self.ResolveTypeAttribute(tctx)
+            if (len(tcontext) == 0):
+                return []
             kwargs['tcontext'] = tcontext
         for Rule in self.__Rules:
             if self.__TERuleMatch(Rule, **kwargs):
diff --git a/tests/searchpolicy.py b/tests/searchpolicy.py
index 9d2c636..79efecf 100644
--- a/tests/searchpolicy.py
+++ b/tests/searchpolicy.py
@@ -78,10 +78,10 @@
 for r in TERules:
     if len(r.perms) > 1:
         rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " { " +
-                " ".join(r.perms) + " };")
+                " ".join(sorted(r.perms)) + " };")
     else:
         rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " " +
-                " ".join(r.perms) + ";")
+                " ".join(sorted(r.perms)) + ";")
 
 for r in sorted(rules):
     print(r)
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index e940681..63144dd 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -15,9 +15,12 @@
 from optparse import OptionParser
 from optparse import Option, OptionValueError
 import os
+import pkgutil
 import policy
 import re
+import shutil
 import sys
+import tempfile
 
 SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
 
@@ -146,7 +149,11 @@
     "TestDmaHeapDevTypeViolations",
 ]
 
-if __name__ == '__main__':
+def do_main(libpath):
+    """
+    Args:
+        libpath: string, path to libsepolwrap.so
+    """
     usage = "sepolicy_tests -f vendor_file_contexts -f "
     usage +="plat_file_contexts -p policy [--test test] [--help]"
     parser = OptionParser(option_class=MultipleOption, usage=usage)
@@ -158,11 +165,6 @@
 
     (options, args) = parser.parse_args()
 
-    libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
-                           "libsepolwrap" + SHARED_LIB_EXTENSION)
-    if not os.path.exists(libpath):
-        sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
-
     if not options.policy:
         sys.exit("Must specify monolithic policy file\n" + parser.usage)
     if not os.path.exists(options.policy):
@@ -207,3 +209,17 @@
 
     if len(results) > 0:
         sys.exit(results)
+
+if __name__ == '__main__':
+    temp_dir = tempfile.mkdtemp()
+    try:
+        libname = "libsepolwrap" + SHARED_LIB_EXTENSION
+        libpath = os.path.join(temp_dir, libname)
+        with open(libpath, "wb") as f:
+            blob = pkgutil.get_data("sepolicy_tests", libname)
+            if not blob:
+                sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+            f.write(blob)
+        do_main(libpath)
+    finally:
+        shutil.rmtree(temp_dir)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 64a9e95..b49f138 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -16,10 +16,13 @@
 from optparse import Option, OptionValueError
 import os
 import mini_parser
+import pkgutil
 import policy
 from policy import MatchPathPrefix
 import re
+import shutil
 import sys
+import tempfile
 
 DEBUG=False
 SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
@@ -341,7 +344,13 @@
          "TrebleCompatMapping": TestTrebleCompatMapping,
          "ViolatorAttributes": TestViolatorAttributes}
 
-if __name__ == '__main__':
+def do_main(libpath):
+    """
+    Args:
+        libpath: string, path to libsepolwrap.so
+    """
+    global pol, FakeTreble
+
     usage = "treble_sepolicy_tests "
     usage += "-f nonplat_file_contexts -f plat_file_contexts "
     usage += "-p curr_policy -b base_policy -o old_policy "
@@ -374,11 +383,6 @@
             sys.exit("Error: File_contexts file " + f + " does not exist\n" +
                     parser.usage)
 
-    libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
-                           "libsepolwrap" + SHARED_LIB_EXTENSION)
-    if not os.path.exists(libpath):
-        sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
-
     # Mapping files and public platform policy are only necessary for the
     # TrebleCompatMapping test.
     if options.tests is None or options.tests == "TrebleCompatMapping":
@@ -428,3 +432,17 @@
 
     if len(results) > 0:
         sys.exit(results)
+
+if __name__ == '__main__':
+    temp_dir = tempfile.mkdtemp()
+    try:
+        libname = "libsepolwrap" + SHARED_LIB_EXTENSION
+        libpath = os.path.join(temp_dir, libname)
+        with open(libpath, "wb") as f:
+            blob = pkgutil.get_data("treble_sepolicy_tests", libname)
+            if not blob:
+                sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
+            f.write(blob)
+        do_main(libpath)
+    finally:
+        shutil.rmtree(temp_dir)
diff --git a/tools/Android.bp b/tools/Android.bp
index fcf375d..057b073 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -59,6 +59,13 @@
     srcs: ["version_policy.c"],
 }
 
+cc_binary {
+    name: "seamendc",
+    defaults: ["sepolicy_tools_defaults"],
+    srcs: ["seamendc.c"],
+    host_supported: true,
+}
+
 python_binary_host {
     name: "insertkeys",
     srcs: ["insertkeys.py"],
@@ -70,3 +77,8 @@
     libs: ["mini_cil_parser", "pysepolwrap"],
     data: [":libsepolwrap"],
 }
+
+python_binary_host {
+    name: "fuzzer_bindings_check",
+    srcs: ["fuzzer_bindings_check.py"],
+}
diff --git a/tools/README b/tools/README
index 5e340a0..8976c68 100644
--- a/tools/README
+++ b/tools/README
@@ -70,3 +70,15 @@
 sepolicy-analyze
     A tool for performing various kinds of analysis on a sepolicy
     file.
+
+fuzzer_bindings_check
+    Tool to check if fuzzer is added for new services. it is used by fuzzer_bindings_test soong module internally.
+    Error will be generated if there is no fuzzer binding present for service added in service_contexts in
+    system/sepolicy/soong/build/service_fuzzer_bindings.go
+
+    Usage:
+    fuzzer_bindings_check.py -s [SRCs...] -b /path/to/binding.json
+
+    -s [SRCs...]                         list of service_contexts files. Tool will check if there is fuzzer for every service
+                                         in the context file.
+    -b /path/to/binding.json             Path to json file containing "service":[fuzzers...] bindings.
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 7795e3a..e57a6b3 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -213,6 +213,7 @@
                 { .name = "isPrivApp",      .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
                 { .name = "fromRunAs",       .dir = dir_in, .fn_validate = validate_bool },
+                { .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
                 /*Outputs*/
                 { .name = "domain",         .dir = dir_out, .fn_validate = validate_domain  },
                 { .name = "type",           .dir = dir_out, .fn_validate = validate_type  },
diff --git a/tools/fuzzer_bindings_check.py b/tools/fuzzer_bindings_check.py
new file mode 100644
index 0000000..55859ac
--- /dev/null
+++ b/tools/fuzzer_bindings_check.py
@@ -0,0 +1,96 @@
+#!/usr/bin/env python3
+#
+# Copyright 2022 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+import json
+import sys
+import os
+import argparse
+
+def check_file_exists(file_name):
+  if not os.path.exists(file_name):
+    sys.exit("File doesn't exist : {0}".format(file_name))
+
+def read_bindings(binding_file):
+  check_file_exists(binding_file)
+  with open(binding_file) as jsonFile:
+   bindings = json.loads(jsonFile.read())
+  return bindings
+
+def check_fuzzer_exists(context_file, bindings):
+  with open(context_file) as file:
+    for line in file:
+       # Ignore empty lines and comments
+       line = line.strip()
+       if line.startswith("#"):
+         logging.debug("Found a comment..skipping")
+         continue
+
+       tokens = line.split()
+       if len(tokens) == 0:
+         logging.debug("Skipping empty lines in service_contexts")
+         continue
+
+       # For a valid service_context file, there will be only two tokens
+       # First will be service name and second will be its label.
+       service_name = tokens[0]
+       if service_name not in bindings:
+         sys.exit("\nerror: Service '{0}' is being added, but we have no fuzzer on file for it. "
+                  "Fuzzers are listed at $ANDROID_BUILD_TOP/system/sepolicy/build/soong/service_fuzzer_bindings.go \n\n"
+                  "NOTE: automatic service fuzzers are currently not supported in Java (b/232439254) "
+                  "and Rust (b/164122727). In this case, please ignore this for now and add an entry for your"
+                  "new service in service_fuzzer_bindings.go \n\n"
+                  "If you are writing a new service, it may be subject to attack from other "
+                  "potentially malicious processes. A fuzzer can be written automatically "
+                  "by adding these things: \n"
+                  "- a cc_fuzz Android.bp entry \n"
+                  "- a main file that constructs your service and calls 'fuzzService' \n\n"
+                  "An examples can be found here: \n"
+                  "- $ANDROID_BUILD_TOP/hardware/interfaces/vibrator/aidl/default/fuzzer.cpp \n"
+                  "- https://source.android.com/docs/core/architecture/aidl/aidl-fuzzing \n\n"
+                  "This is only ~30 lines of configuration. It requires dependency injection "
+                  "for your service which is a good practice, and (in AOSP) you will get bugs "
+                  "automatically filed on you. You will find out about issues without needing "
+                  "to backport changes years later, and the system will automatically find ways "
+                  "to reproduce difficult to solve issues for you. \n\n"
+                  "This error can be bypassed by adding entry "
+                  "for new service in $ANDROID_BUILD_TOP/system/sepolicy/build/soong/service_fuzzer_bindings.go \n\n"
+                  "- Android Fuzzing and Security teams".format(service_name))
+  return
+
+def validate_bindings(args):
+  bindings = read_bindings(args.bindings)
+  for file in args.srcs:
+    check_file_exists(file)
+    check_fuzzer_exists(file, bindings)
+  return
+
+def get_args():
+  parser =  argparse.ArgumentParser(description="Tool to check if fuzzer is "
+                                                "added for new services")
+  parser.add_argument('-b', help='Path to json file containing '
+                                 '"service":[fuzzers...] bindings.',
+                      required=True, dest='bindings')
+  parser.add_argument('-s', '--list', nargs='+',
+                      help='list of service_contexts files. Tool will check if '
+                           'there is fuzzer for every service in the context '
+                           'file.', required=True, dest='srcs')
+  parsed_args = parser.parse_args()
+  return parsed_args
+
+if __name__ == "__main__":
+  args = get_args()
+  validate_bindings(args)
diff --git a/tools/seamendc.c b/tools/seamendc.c
new file mode 100644
index 0000000..cd79c76
--- /dev/null
+++ b/tools/seamendc.c
@@ -0,0 +1,286 @@
+#include <getopt.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+
+#include <cil/cil.h>
+#include <cil/android.h>
+#include <sepol/policydb.h>
+#include "sepol/handle.h"
+
+void usage(const char *prog)
+{
+    printf("Usage: %s [OPTION]... FILE...\n", prog);
+    printf("Takes a binary policy file as input and applies the rules and definitions specified ");
+    printf("in the provided FILEs. Each FILE must be a policy file in CIL format.\n");
+    printf("\n");
+    printf("Options:\n");
+    printf("  -b, --base=<file>          (required) base binary policy.\n");
+    printf("  -o, --output=<file>        (required) write binary policy to <file>\n");
+    printf("  -v, --verbose              increment verbosity level\n");
+    printf("  -h, --help                 display usage information\n");
+    exit(1);
+}
+
+/*
+ * Read binary policy file from path into the allocated pdb.
+ *
+ * We first read the binary policy into memory, and then we parse it to a
+ * policydb object using sepol_policydb_from_image. This combination is slightly
+ * faster than using sepol_policydb_read that reads the binary file in small
+ * chunks at a time.
+ */
+static int read_binary_policy(char *path, sepol_policydb_t *pdb)
+{
+    int rc = SEPOL_OK;
+    char *buff = NULL;
+    sepol_handle_t *handle = NULL;
+
+    FILE *file = fopen(path, "r");
+    if (!file) {
+        fprintf(stderr, "Could not open %s: %s.\n", path, strerror(errno));
+        rc = SEPOL_ERR;
+        goto exit;
+    }
+
+    struct stat binarydata;
+    rc = stat(path, &binarydata);
+    if (rc == -1) {
+        fprintf(stderr, "Could not stat %s: %s.\n", path, strerror(errno));
+        goto exit;
+    }
+
+    uint32_t file_size = binarydata.st_size;
+    if (!file_size) {
+        fprintf(stderr, "Binary policy file is empty.\n");
+        rc = SEPOL_ERR;
+        goto exit;
+    }
+
+    buff = malloc(file_size);
+    if (buff == NULL) {
+        perror("malloc failed");
+        rc = SEPOL_ERR;
+        goto exit;
+    }
+
+    rc = fread(buff, file_size, 1, file);
+    if (rc != 1) {
+        fprintf(stderr, "Failure reading %s: %s.\n", path, strerror(errno));
+        rc = SEPOL_ERR;
+        goto exit;
+    }
+
+    handle = sepol_handle_create();
+    if (!handle) {
+        perror("Could not create policy handle");
+        rc = SEPOL_ERR;
+        goto exit;
+    }
+
+    rc = sepol_policydb_from_image(handle, buff, file_size, pdb);
+    if (rc != 0) {
+        fprintf(stderr, "Failed to read binary policy: %d.\n", rc);
+    }
+
+exit:
+    if (file != NULL && fclose(file) == EOF && rc == SEPOL_OK) {
+        perror("Failure closing binary file");
+        rc = SEPOL_ERR;
+    }
+    if(handle != NULL) {
+        sepol_handle_destroy(handle);
+    }
+    free(buff);
+    return rc;
+}
+
+/*
+ * read_cil_files - Initialize db and parse CIL input files.
+ */
+static int read_cil_files(struct cil_db **db, char **paths,
+                          unsigned int n_files)
+{
+    int rc = SEPOL_ERR;
+    FILE *file = NULL;
+    char *buff = NULL;
+
+    for (int i = 0; i < n_files; i++) {
+        char *path = paths[i];
+
+        file = fopen(path, "r");
+        if (file == NULL) {
+            rc = SEPOL_ERR;
+            fprintf(stderr, "Could not open %s: %s.\n", path, strerror(errno));
+            goto file_err;
+        }
+
+        struct stat filedata;
+        rc = stat(path, &filedata);
+        if (rc == -1) {
+            fprintf(stderr, "Could not stat %s: %s.\n", path, strerror(errno));
+            goto err;
+        }
+
+        uint32_t file_size = filedata.st_size;
+        buff = malloc(file_size);
+        if (buff == NULL) {
+            perror("malloc failed");
+            rc = SEPOL_ERR;
+            goto err;
+        }
+
+        rc = fread(buff, file_size, 1, file);
+        if (rc != 1) {
+            fprintf(stderr, "Failure reading %s: %s.\n", path, strerror(errno));
+            rc = SEPOL_ERR;
+            goto err;
+        }
+        fclose(file);
+        file = NULL;
+
+        /* create parse_tree */
+        rc = cil_add_file(*db, path, buff, file_size);
+        if (rc != SEPOL_OK) {
+            fprintf(stderr, "Failure adding %s to parse tree.\n", path);
+            goto parse_err;
+        }
+        free(buff);
+        buff = NULL;
+    }
+
+    return SEPOL_OK;
+err:
+    fclose(file);
+parse_err:
+    free(buff);
+file_err:
+    return rc;
+}
+
+/*
+ * Write binary policy in pdb to file at path.
+ */
+static int write_binary_policy(sepol_policydb_t *pdb, char *path)
+{
+    int rc = SEPOL_OK;
+
+    FILE *file = fopen(path, "w");
+    if (file == NULL) {
+        fprintf(stderr, "Could not open %s: %s.\n", path, strerror(errno));
+        rc = SEPOL_ERR;
+        goto exit;
+    }
+
+    struct sepol_policy_file *pf = NULL;
+    rc = sepol_policy_file_create(&pf);
+    if (rc != 0) {
+        fprintf(stderr, "Failed to create policy file: %d.\n", rc);
+        goto exit;
+    }
+    sepol_policy_file_set_fp(pf, file);
+
+    rc = sepol_policydb_write(pdb, pf);
+    if (rc != 0) {
+        fprintf(stderr, "failed to write binary policy: %d.\n", rc);
+        goto exit;
+    }
+
+exit:
+    if (file != NULL && fclose(file) == EOF && rc == SEPOL_OK) {
+        perror("Failure closing binary file");
+        rc = SEPOL_ERR;
+    }
+    return rc;
+}
+
+int main(int argc, char *argv[])
+{
+    char *base = NULL;
+    char *output = NULL;
+    enum cil_log_level log_level = CIL_ERR;
+    static struct option long_opts[] = {{"base", required_argument, 0, 'b'},
+                                        {"output", required_argument, 0, 'o'},
+                                        {"verbose", no_argument, 0, 'v'},
+                                        {"help", no_argument, 0, 'h'},
+                                        {0, 0, 0, 0}};
+
+    while (1) {
+        int opt_index = 0;
+        int opt_char = getopt_long(argc, argv, "b:o:vh", long_opts, &opt_index);
+        if (opt_char == -1) {
+            break;
+        }
+        switch (opt_char)
+        {
+        case 'b':
+            base = optarg;
+            break;
+        case 'o':
+            output = optarg;
+            break;
+        case 'v':
+            log_level++;
+            break;
+        case 'h':
+            usage(argv[0]);
+        default:
+            fprintf(stderr, "Unsupported option: %s.\n", optarg);
+            usage(argv[0]);
+        }
+    }
+    if (base == NULL || output == NULL) {
+        fprintf(stderr, "Please specify required arguments.\n");
+        usage(argv[0]);
+    }
+
+    cil_set_log_level(log_level);
+
+    // Initialize and read input policydb file.
+    sepol_policydb_t *pdb = NULL;
+    int rc = sepol_policydb_create(&pdb);
+    if (rc != 0) {
+        fprintf(stderr, "Could not create policy db: %d.\n", rc);
+        exit(rc);
+    }
+
+    rc = read_binary_policy(base, pdb);
+    if (rc != SEPOL_OK) {
+        fprintf(stderr, "Failed to read binary policy: %d.\n", rc);
+        exit(rc);
+    }
+
+    // Initialize cil_db.
+    struct cil_db *incremental_db = NULL;
+    cil_db_init(&incremental_db);
+    cil_set_attrs_expand_generated(incremental_db, 1);
+
+    // Read input cil files and compile them into cil_db.
+    rc = read_cil_files(&incremental_db, argv + optind, argc - optind);
+    if (rc != SEPOL_OK) {
+        fprintf(stderr, "Failed to read CIL files: %d.\n", rc);
+        exit(rc);
+    }
+
+    rc = cil_compile(incremental_db);
+    if (rc != SEPOL_OK) {
+        fprintf(stderr, "Failed to compile cildb: %d.\n", rc);
+        exit(rc);
+    }
+
+    //  Amend the policydb.
+    rc = cil_amend_policydb(incremental_db, pdb);
+    if (rc != SEPOL_OK) {
+        fprintf(stderr, "Failed to build policydb.\n");
+        exit(rc);
+    }
+
+    rc = write_binary_policy(pdb, output);
+    if (rc != SEPOL_OK) {
+        fprintf(stderr, "Failed to write binary policy: %d.\n", rc);
+        exit(rc);
+    }
+}
diff --git a/tools/sepolicy_generate_compat.py b/tools/sepolicy_generate_compat.py
index 17a4d75..cd61c9a 100644
--- a/tools/sepolicy_generate_compat.py
+++ b/tools/sepolicy_generate_compat.py
@@ -14,8 +14,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+from pathlib import Path
 import argparse
-import distutils.ccompiler
 import glob
 import logging
 import mini_parser
@@ -29,9 +29,13 @@
 """This tool generates a mapping file for {ver} core sepolicy."""
 
 temp_dir = ''
-compat_cil_template = ";; This file can't be empty.\n"
-ignore_cil_template = """;; new_objects - a collection of types that have been introduced that have no
-;;   analogue in older policy.  Thus, we do not need to map these types to
+mapping_cil_footer = ";; mapping information from ToT policy's types to %s policy's types.\n"
+compat_cil_template = """;; complement CIL file for compatibility between ToT policy and %s vendors.
+;; will be compiled along with other normal policy files, on %s vendors.
+;;
+"""
+ignore_cil_template = """;; new_objects - a collection of types that have been introduced with ToT policy
+;;   that have no analogue in %s policy.  Thus, we do not need to map these types to
 ;;   previous ones.  Add here to pass checkapi tests.
 (type new_objects)
 (typeattribute new_objects)
@@ -41,6 +45,7 @@
   ))
 """
 
+SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
 
 def check_run(cmd, cwd=None):
     if cwd:
@@ -105,7 +110,7 @@
     path = os.path.join(destination, '%s.cil' % ver)
     with open(path, 'wb') as f:
         logging.debug('Extracting %s.cil to %s' % (ver, destination))
-        f.write(check_output(cmd).stdout.replace(b'10000.0',b'33.0').replace(b'10000_0',b'33_0'))
+        f.write(check_output(cmd).stdout.replace(b'10000_0', ver.replace('.', '_').encode()))
     return path
 
 
@@ -190,6 +195,122 @@
     return versioned_type.removesuffix(old_suffix) + new_suffix
 
 
+def create_target_compat_modules(bp_path, target_ver):
+    """ Creates compat modules to Android.bp.
+
+    Args:
+      bp_path: string, path to Android.bp
+      target_ver: string, api version to generate
+    """
+
+    module_template = """
+se_build_files {{
+    name: "{ver}.board.compat.map",
+    srcs: ["compat/{ver}/{ver}.cil"],
+}}
+
+se_build_files {{
+    name: "{ver}.board.compat.cil",
+    srcs: ["compat/{ver}/{ver}.compat.cil"],
+}}
+
+se_build_files {{
+    name: "{ver}.board.ignore.map",
+    srcs: ["compat/{ver}/{ver}.ignore.cil"],
+}}
+
+se_cil_compat_map {{
+    name: "plat_{ver}.cil",
+    stem: "{ver}.cil",
+    bottom_half: [":{ver}.board.compat.map{{.plat_private}}"],
+}}
+
+se_cil_compat_map {{
+    name: "system_ext_{ver}.cil",
+    stem: "{ver}.cil",
+    bottom_half: [":{ver}.board.compat.map{{.system_ext_private}}"],
+    system_ext_specific: true,
+}}
+
+se_cil_compat_map {{
+    name: "product_{ver}.cil",
+    stem: "{ver}.cil",
+    bottom_half: [":{ver}.board.compat.map{{.product_private}}"],
+    product_specific: true,
+}}
+
+se_cil_compat_map {{
+    name: "{ver}.ignore.cil",
+    bottom_half: [":{ver}.board.ignore.map{{.plat_private}}"],
+}}
+
+se_cil_compat_map {{
+    name: "system_ext_{ver}.ignore.cil",
+    stem: "{ver}.ignore.cil",
+    bottom_half: [":{ver}.board.ignore.map{{.system_ext_private}}"],
+    system_ext_specific: true,
+}}
+
+se_cil_compat_map {{
+    name: "product_{ver}.ignore.cil",
+    stem: "{ver}.ignore.cil",
+    bottom_half: [":{ver}.board.ignore.map{{.product_private}}"],
+    product_specific: true,
+}}
+
+se_compat_cil {{
+    name: "{ver}.compat.cil",
+    srcs: [":{ver}.board.compat.cil{{.plat_private}}"],
+}}
+
+se_compat_cil {{
+    name: "system_ext_{ver}.compat.cil",
+    stem: "{ver}.compat.cil",
+    srcs: [":{ver}.board.compat.cil{{.system_ext_private}}"],
+    system_ext_specific: true,
+}}
+"""
+
+    with open(bp_path, 'a') as f:
+        f.write(module_template.format(ver=target_ver))
+
+
+def patch_top_half_of_latest_compat_modules(bp_path, latest_ver, target_ver):
+    """ Adds top_half property to latest compat modules in Android.bp.
+
+    Args:
+      bp_path: string, path to Android.bp
+      latest_ver: string, previous api version
+      target_ver: string, api version to generate
+    """
+
+    modules_to_patch = [
+        "plat_{ver}.cil",
+        "system_ext_{ver}.cil",
+        "product_{ver}.cil",
+        "{ver}.ignore.cil",
+        "system_ext_{ver}.ignore.cil",
+        "product_{ver}.ignore.cil",
+    ]
+
+    for module in modules_to_patch:
+        # set latest_ver module's top_half property to target_ver
+        # e.g.
+        #
+        # se_cil_compat_map {
+        #    name: "plat_33.0.cil",
+        #    top_half: "plat_34.0.cil", <== this
+        #    ...
+        # }
+        check_run([
+            "bpmodify",
+            "-m", module.format(ver=latest_ver),
+            "-property", "top_half",
+            "-str", module.format(ver=target_ver),
+            "-w",
+            bp_path
+        ])
+
 def get_args():
     parser = argparse.ArgumentParser()
     parser.add_argument(
@@ -227,8 +348,7 @@
 
     try:
         libpath = os.path.join(
-            os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' +
-            distutils.ccompiler.new_compiler().shared_lib_extension)
+            os.path.dirname(os.path.realpath(__file__)), 'libsepolwrap' + SHARED_LIB_EXTENSION)
         if not os.path.exists(libpath):
             sys.exit(
                 'Error: libsepolwrap does not exist. Is this binary corrupted?\n'
@@ -237,6 +357,26 @@
         build_top = get_android_build_top()
         sepolicy_path = os.path.join(build_top, 'system', 'sepolicy')
 
+        # Step 0. Create a placeholder files and compat modules
+        # These are needed to build base policy files below.
+        compat_bp_path = os.path.join(sepolicy_path, 'compat', 'Android.bp')
+        create_target_compat_modules(compat_bp_path, args.target_version)
+        patch_top_half_of_latest_compat_modules(compat_bp_path, args.latest_version,
+            args.target_version)
+
+        target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
+                                          args.target_version)
+        target_mapping_file = os.path.join(target_compat_path,
+                                           args.target_version + '.cil')
+        target_compat_file = os.path.join(target_compat_path,
+                                          args.target_version + '.compat.cil')
+        target_ignore_file = os.path.join(target_compat_path,
+                                          args.target_version + '.ignore.cil')
+        Path(target_compat_path).mkdir(parents=True, exist_ok=True)
+        Path(target_mapping_file).touch()
+        Path(target_compat_file).touch()
+        Path(target_ignore_file).touch()
+
         # Step 1. Download system/etc/selinux/mapping/{ver}.cil, and remove types/typeattributes
         mapping_file = download_mapping_file(
             args.branch, args.build, args.target_version, destination=temp_dir)
@@ -342,31 +482,23 @@
             sys.exit(error_msg)
 
         # Step 5. Write to system/sepolicy/private/compat
-        target_compat_path = os.path.join(sepolicy_path, 'private', 'compat',
-                                          args.target_version)
-        target_mapping_file = os.path.join(target_compat_path,
-                                           args.target_version + '.cil')
-        target_compat_file = os.path.join(target_compat_path,
-                                          args.target_version + '.compat.cil')
-        target_ignore_file = os.path.join(target_compat_path,
-                                          args.target_version + '.ignore.cil')
-
         with open(target_mapping_file, 'w') as f:
             logging.info('writing %s' % target_mapping_file)
             if removed_types:
                 f.write(';; types removed from current policy\n')
                 f.write('\n'.join(f'(type {x})' for x in sorted(target_removed_types)))
                 f.write('\n\n')
+            f.write(mapping_cil_footer % args.target_version)
             f.write(mapping_file_cil.unparse())
 
         with open(target_compat_file, 'w') as f:
             logging.info('writing %s' % target_compat_file)
-            f.write(compat_cil_template)
+            f.write(compat_cil_template % (args.target_version, args.target_version))
 
         with open(target_ignore_file, 'w') as f:
             logging.info('writing %s' % target_ignore_file)
             f.write(ignore_cil_template %
-                    ('\n    '.join(sorted(target_ignored_types))))
+                    (args.target_version, '\n    '.join(sorted(target_ignored_types))))
     finally:
         logging.info('Deleting temporary dir: {}'.format(temp_dir))
         shutil.rmtree(temp_dir)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 392a750..f167e65 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,29 +4,35 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service         u:object_r:hal_atrace_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service     u:object_r:hal_audio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example     u:object_r:hal_audio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl.example     u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service-aidl\.example     u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.effect\.service-aidl\.example      u:object_r:hal_audio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service    u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service    u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service  u:object_r:hal_can_socketcan_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can-service  u:object_r:hal_can_socketcan_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)?          u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service)  u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service.default      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service      u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot-service.default      u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64       u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service          u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy_64  u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service-lazy     u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service          u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-external-service-lazy     u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio-service.default u:object_r:hal_broadcastradio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service_64       u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service          u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy_64  u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-service-lazy     u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service          u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider(@2\.[0-9]+|-V1)-external-service-lazy     u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.[0-9]+-service     u:object_r:hal_contexthub_default_exec:s0
@@ -36,6 +42,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm-service(-lazy)?\.clearkey u:object_r:hal_drm_clearkey_aidl_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service            u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy       u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas-service\.example            u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas-service\.example-lazy       u:object_r:hal_cas_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example      u:object_r:hal_dumpstate_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.example               u:object_r:hal_dumpstate_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
@@ -45,6 +53,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service   u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-V1-service     u:object_r:hal_graphics_allocator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator-service     u:object_r:hal_graphics_allocator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@[0-9]\.[0-9]-service    u:object_r:hal_graphics_composer_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer3-service\.example       u:object_r:hal_graphics_composer_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service         u:object_r:hal_health_default_exec:s0
@@ -84,16 +93,24 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example  u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)?  u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software   u:object_r:hal_dice_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service   u:object_r:hal_keymint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service        u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example       u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service        u:object_r:hal_tv_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.cec-service           u:object_r:hal_tv_hdmi_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.connection-service    u:object_r:hal_tv_hdmi_connection_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.earc-service          u:object_r:hal_tv_hdmi_earc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service      u:object_r:hal_tv_input_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input-service\.example  u:object_r:hal_tv_input_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service   u:object_r:hal_tv_tuner_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example  u:object_r:hal_tv_tuner_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner-service\.example(-lazy)?  u:object_r:hal_tv_tuner_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service            u:object_r:hal_usb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.example        u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget-service\.example   u:object_r:hal_usb_gadget_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service    u:object_r:hal_usb_gadget_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.uwb-service                 u:object_r:hal_uwb_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
@@ -101,6 +118,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy      u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service                u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service-lazy           u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/install-recovery\.sh                              u:object_r:vendor_install_recovery_exec:s0
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 82cbf8e..506c7e4 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -6,5 +6,8 @@
 
 hal_client_domain(hal_audio_default, hal_allocator)
 
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_audio_default fwk_sensor_service:service_manager find;
+
 # allow audioserver to call hal_audio dump with its own fd to retrieve status
 allow hal_audio_default audioserver:fifo_file write;
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index 01d60db..efa75a7 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -1,5 +1,8 @@
 type hal_bluetooth_default, domain;
 hal_server_domain(hal_bluetooth_default, hal_bluetooth)
 
+allow hal_bluetooth_default bt_device:chr_file { open read write };
+allow hal_bluetooth_default self:bluetooth_socket { create bind read write };
+
 type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_bluetooth_default)
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index 2b94313..f94cf5f 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -14,3 +14,7 @@
 # Needed for reading/writing misc partition.
 allow hal_bootctl_default block_device:dir search;
 allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
+
+# Needed for writing to kernel log
+allow hal_bootctl_default kmsg_device:chr_file open;
+allow hal_bootctl_default kmsg_device:chr_file write;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index b0912d4..e7c5886 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -4,7 +4,12 @@
 type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)
 
+# HIDL sensorservice
 allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+# AIDL sensorservice
+allow hal_camera_default fwk_sensor_service:service_manager find;
+
+get_prop(hal_camera_default, device_config_camera_native_prop);
 
 # For collecting bugreports.
 allow hal_camera_default dumpstate:fd use;
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
index 7498788..12bb028 100644
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@@ -9,10 +9,12 @@
 allow hal_can_socketcan self:capability net_admin;
 allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
 
-# Calling if_nametoindex(3) to open CAN sockets
+# See man page for netdevice(7) for more info on ioctls
 allow hal_can_socketcan self:udp_socket { create ioctl };
 allowxperm hal_can_socketcan self:udp_socket ioctl {
     SIOCGIFINDEX
+    SIOCGIFFLAGS
+    SIOCSIFFLAGS
 };
 
 # Communicating with SocketCAN interfaces and bringing them up/down
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index 891d1f4..66ce40c 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -3,3 +3,8 @@
 
 type hal_face_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_face_default)
+
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_face_default fwk_sensor_service:service_manager find;
+
+set_prop(hal_face_default, virtual_face_hal_prop)
diff --git a/vendor/hal_fastboot_default.te b/vendor/hal_fastboot_default.te
new file mode 100644
index 0000000..4a52642
--- /dev/null
+++ b/vendor/hal_fastboot_default.te
@@ -0,0 +1,6 @@
+type hal_fastboot_default, domain;
+
+hal_server_domain(hal_fastboot_default, hal_fastboot)
+
+type hal_fastboot_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fastboot_default)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 638b603..7173223 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -3,3 +3,8 @@
 
 type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_fingerprint_default)
+
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_fingerprint_default fwk_sensor_service:service_manager find;
+
+set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)
diff --git a/vendor/hal_remoteaccess_default.te b/vendor/hal_remoteaccess_default.te
new file mode 100644
index 0000000..475c2e8
--- /dev/null
+++ b/vendor/hal_remoteaccess_default.te
@@ -0,0 +1,9 @@
+type hal_remoteaccess_default, domain;
+hal_server_domain(hal_remoteaccess_default, hal_remoteaccess)
+
+# May be started by init
+type hal_remoteaccess_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_remoteaccess_default)
+
+# Allow registering with service manager.
+binder_call(hal_remoteaccess_default, servicemanager)
diff --git a/vendor/hal_tv_hdmi_cec_default.te b/vendor/hal_tv_hdmi_cec_default.te
new file mode 100644
index 0000000..2f06c34
--- /dev/null
+++ b/vendor/hal_tv_hdmi_cec_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_cec_default, domain;
+hal_server_domain(hal_tv_hdmi_cec_default, hal_tv_hdmi_cec)
+
+type hal_tv_hdmi_cec_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_cec_default)
diff --git a/vendor/hal_tv_hdmi_connection_default.te b/vendor/hal_tv_hdmi_connection_default.te
new file mode 100644
index 0000000..bad8961
--- /dev/null
+++ b/vendor/hal_tv_hdmi_connection_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_connection_default, domain;
+hal_server_domain(hal_tv_hdmi_connection_default, hal_tv_hdmi_connection)
+
+type hal_tv_hdmi_connection_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_connection_default)
diff --git a/vendor/hal_tv_hdmi_earc_default.te b/vendor/hal_tv_hdmi_earc_default.te
new file mode 100644
index 0000000..d2a729d
--- /dev/null
+++ b/vendor/hal_tv_hdmi_earc_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_earc_default, domain;
+hal_server_domain(hal_tv_hdmi_earc_default, hal_tv_hdmi_earc)
+
+type hal_tv_hdmi_earc_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_earc_default)
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index 639c7bd..e11d4dd 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -8,3 +8,6 @@
 
 # Access to /dev/dma_heap/system
 allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Allow servicemanager to notify hal_tv_tuner_default clients status
+binder_use(hal_tv_tuner_default)
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index 52769dd..8adf8d3 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -11,3 +11,8 @@
 
 # communicate with servicemanager
 binder_call(hal_vehicle_server, servicemanager)
+
+# communicate with statsd
+hwbinder_use(hal_vehicle_default)
+allow hal_vehicle_default fwk_stats_hwservice:hwservice_manager find;
+binder_call(hal_vehicle_default, stats_service_server)
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index 497e027..2ad0502 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -20,3 +20,6 @@
 
 # Check SELinux permissions.
 selinux_check_access(vndservicemanager)
+
+# Log to kmesg
+allow vndservicemanager kmsg_device:chr_file rw_file_perms;