Merge "Allow files to be created /metadata/ota"
diff --git a/apex/com.android.conscrypt-file_contexts b/apex/com.android.conscrypt-file_contexts
index abf0085..7b81ab8 100644
--- a/apex/com.android.conscrypt-file_contexts
+++ b/apex/com.android.conscrypt-file_contexts
@@ -4,3 +4,4 @@
 (/.*)?                          u:object_r:system_file:s0
 /lib(64)?(/.*)?                 u:object_r:system_lib_file:s0
 /bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/cacerts(/.*)?                  u:object_r:system_security_cacerts_file:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index cc712ff..9c13bd5 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,4 +1,5 @@
 (/.*)?                     u:object_r:system_file:s0
 /bin/crosvm                u:object_r:crosvm_exec:s0
 /bin/fd_server             u:object_r:fd_server_exec:s0
+/bin/virtmgr               u:object_r:virtualizationmanager_exec:s0
 /bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 4161bb3..aea8e09 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -456,6 +456,9 @@
 
 	// Whether this module is directly installable to one of the partitions. Default is true
 	Installable *bool
+
+	// List of domains that are allowed to be in permissive mode on user builds.
+	Permissive_domains_on_user_builds []string
 }
 
 type policyBinary struct {
@@ -512,11 +515,19 @@
 	// permissive check is performed only in user build (not debuggable).
 	if !ctx.Config().Debuggable() {
 		permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
-		rule.Command().BuiltTool("sepolicy-analyze").
+		cmd := rule.Command().BuiltTool("sepolicy-analyze").
 			Input(bin).
-			Text("permissive").
-			Text(" > ").
-			Output(permissiveDomains)
+			Text("permissive")
+		// Filter-out domains listed in permissive_domains_on_user_builds
+		allowedDomains := c.properties.Permissive_domains_on_user_builds
+		if len(allowedDomains) != 0 {
+			cmd.Text("| { grep -Fxv")
+			for _, d := range allowedDomains {
+				cmd.FlagWithArg("-e ", proptools.ShellEscape(d))
+			}
+			cmd.Text(" || true; }") // no match doesn't fail the cmd
+		}
+		cmd.Text(" > ").Output(permissiveDomains)
 		rule.Temporary(permissiveDomains)
 
 		msg := `==========\n` +
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 463a978..6a971da 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -247,11 +247,21 @@
 
 	rule := android.NewRuleBuilder(pctx, ctx)
 
+	newlineFile := android.PathForModuleGen(ctx, "newline")
+
+	rule.Command().Text("echo").FlagWithOutput("> ", newlineFile)
+	rule.Temporary(newlineFile)
+
+	var inputsWithNewline android.Paths
+	for _, input := range inputs {
+		inputsWithNewline = append(inputsWithNewline, input, newlineFile)
+	}
+
 	rule.Command().
 		Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
 		Text("--fatal-warnings -s").
 		FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
-		Inputs(inputs).
+		Inputs(inputsWithNewline).
 		FlagWithOutput("> ", builtContext)
 
 	if proptools.Bool(m.properties.Remove_comment) {
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 1bb6eb6..f13c23c 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -25,10 +25,19 @@
 	ServiceFuzzerBindings = map[string][]string{
 		"android.hardware.audio.core.IConfig/default":                             EXCEPTION_NO_FUZZER,
 		"android.hardware.audio.core.IModule/default":                             EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/a2dp":                                EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/bluetooth":                           EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/hearing_aid":                         EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/msd":                                 EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/r_submix":                            EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/stub":                                EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.core.IModule/usb":                                 EXCEPTION_NO_FUZZER,
 		"android.hardware.audio.effect.IFactory/default":                          EXCEPTION_NO_FUZZER,
+		"android.hardware.audio.sounddose.ISoundDoseFactory/default":              EXCEPTION_NO_FUZZER,
 		"android.hardware.authsecret.IAuthSecret/default":                         EXCEPTION_NO_FUZZER,
 		"android.hardware.automotive.evs.IEvsEnumerator/hw/0":                     EXCEPTION_NO_FUZZER,
 		"android.hardware.boot.IBootControl/default":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.automotive.can.ICanController/default":                  EXCEPTION_NO_FUZZER,
 		"android.hardware.automotive.evs.IEvsEnumerator/hw/1":                     EXCEPTION_NO_FUZZER,
 		"android.hardware.automotive.remoteaccess.IRemoteAccess/default":          EXCEPTION_NO_FUZZER,
 		"android.hardware.automotive.vehicle.IVehicle/default":                    EXCEPTION_NO_FUZZER,
@@ -39,6 +48,7 @@
 		"android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default": EXCEPTION_NO_FUZZER,
 		"android.hardware.broadcastradio.IBroadcastRadio/amfm":                    EXCEPTION_NO_FUZZER,
 		"android.hardware.broadcastradio.IBroadcastRadio/dab":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.bluetooth.IBluetoothHci/default":                        EXCEPTION_NO_FUZZER,
 		"android.hardware.camera.provider.ICameraProvider/internal/0":             EXCEPTION_NO_FUZZER,
 		"android.hardware.cas.IMediaCasService/default":                           EXCEPTION_NO_FUZZER,
 		"android.hardware.confirmationui.IConfirmationUI/default":                 []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
@@ -80,13 +90,25 @@
 		"android.hardware.radio.network.IRadioNetwork/slot1":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.network.IRadioNetwork/slot2":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.network.IRadioNetwork/slot3":                      EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.satellite.IRadioSatellite/slot1":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.satellite.IRadioSatellite/slot2":                  EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.satellite.IRadioSatellite/slot3":                  EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.sim.IRadioSim/slot1":                              EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.sim.IRadioSim/slot2":                              EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.sim.IRadioSim/slot3":                              EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.sap.ISap/slot1":                                   EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.sap.ISap/slot2":                                   EXCEPTION_NO_FUZZER,
+		"android.hardware.radio.sap.ISap/slot3":                                   EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.voice.IRadioVoice/slot1":                          EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.voice.IRadioVoice/slot2":                          EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.voice.IRadioVoice/slot3":                          EXCEPTION_NO_FUZZER,
 		"android.hardware.rebootescrow.IRebootEscrow/default":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/eSE1":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/eSE2":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/eSE3":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/SIM1":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/SIM2":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/SIM3":                     EXCEPTION_NO_FUZZER,
 		"android.hardware.security.dice.IDiceDevice/default":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.security.keymint.IKeyMintDevice/default":                EXCEPTION_NO_FUZZER,
 		"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
@@ -95,8 +117,9 @@
 		"android.hardware.sensors.ISensors/default":                               EXCEPTION_NO_FUZZER,
 		"android.hardware.soundtrigger3.ISoundTriggerHw/default":                  EXCEPTION_NO_FUZZER,
 		"android.hardware.thermal.IThermal/default":                               EXCEPTION_NO_FUZZER,
-		"android.hardware.tv.cec.IHdmiCec/default":                                EXCEPTION_NO_FUZZER,
-		"android.hardware.tv.hdmi.IHdmi/default":                                  EXCEPTION_NO_FUZZER,
+		"android.hardware.tv.hdmi.cec.IHdmiCec/default":                           EXCEPTION_NO_FUZZER,
+		"android.hardware.tv.hdmi.connection.IHdmiConnection/default":             EXCEPTION_NO_FUZZER,
+		"android.hardware.tv.hdmi.earc.IEArc/default":                             EXCEPTION_NO_FUZZER,
 		"android.hardware.tv.input.ITvInput/default":                              EXCEPTION_NO_FUZZER,
 		"android.hardware.tv.tuner.ITuner/default":                                EXCEPTION_NO_FUZZER,
 		"android.hardware.usb.IUsb/default":                                       EXCEPTION_NO_FUZZER,
@@ -108,6 +131,7 @@
 		"android.hardware.wifi.IWifi/default":                                     EXCEPTION_NO_FUZZER,
 		"android.hardware.wifi.hostapd.IHostapd/default":                          EXCEPTION_NO_FUZZER,
 		"android.hardware.wifi.supplicant.ISupplicant/default":                    EXCEPTION_NO_FUZZER,
+		"android.frameworks.cameraservice.service.ICameraService/default":         EXCEPTION_NO_FUZZER,
 		"android.frameworks.sensorservice.ISensorManager/default":                 []string{"libsensorserviceaidl_fuzzer"},
 		"android.frameworks.stats.IStats/default":                                 EXCEPTION_NO_FUZZER,
 		"android.se.omapi.ISecureElementService/default":                          EXCEPTION_NO_FUZZER,
@@ -230,6 +254,7 @@
 		"game":                         EXCEPTION_NO_FUZZER,
 		"gfxinfo":                      EXCEPTION_NO_FUZZER,
 		"gnss_time_update_service":     EXCEPTION_NO_FUZZER,
+		"grammatical_inflection":       EXCEPTION_NO_FUZZER,
 		"graphicsstats":                EXCEPTION_NO_FUZZER,
 		"gpu":                          EXCEPTION_NO_FUZZER,
 		"hardware":                     EXCEPTION_NO_FUZZER,
@@ -335,6 +360,7 @@
 		"rcs":                          EXCEPTION_NO_FUZZER,
 		"reboot_readiness":             EXCEPTION_NO_FUZZER,
 		"recovery":                     EXCEPTION_NO_FUZZER,
+		"remote_provisioning":          EXCEPTION_NO_FUZZER,
 		"resolver":                     EXCEPTION_NO_FUZZER,
 		"resources":                    EXCEPTION_NO_FUZZER,
 		"restrictions":                 EXCEPTION_NO_FUZZER,
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index d1dcff0..12bb8f7 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -241,6 +241,11 @@
         ":microdroid_vendor_sepolicy.cil",
     ],
     installable: false,
+
+    // b/259729287. In Microdroid, su is allowed to be in permissive mode.
+    // This is to support fully debuggable VMs on user builds. This is safe
+    // because we don't start adbd at all on non-debuggable VMs.
+    permissive_domains_on_user_builds: ["su"],
 }
 
 genrule {
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index ed74ddd..9a50f67 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -4,10 +4,12 @@
 
 domain_auto_trans(adbd, shell_exec, shell)
 
-userdebug_or_eng(`
-  allow adbd self:process setcurrent;
-  allow adbd su:process dyntransition;
-')
+# Allow adbd to transition to su. In Android, this is disallowed in user builds.
+# However, Microdroid allows it even in user builds because apps should be able
+# to adb root into their "debuggable" VMs in user builds. Disabling adbd for
+# non debuggable VMs are done by not starting adbd at all using sysprops.
+allow adbd self:process setcurrent;
+allow adbd su:process dyntransition;
 
 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
@@ -55,3 +57,6 @@
 # adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
 # TODO(b/200902288): patch adb and remove this rule
 dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
+
+# only adbd can transition to su.
+neverallow {domain -adbd} su:process { transition dyntransition };
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 04a9859..13e359a 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -233,6 +233,9 @@
 allow domain task_profiles_file:file r_file_perms;
 allow domain task_profiles_api_file:file r_file_perms;
 
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
 # cgroupfs directories can be created, but not files within them.
 neverallow domain cgroup:file create;
 neverallow domain cgroup_v2:file create;
@@ -323,6 +326,7 @@
 # Only the kernel hwrng thread should be able to read from the HW RNG.
 neverallow {
   domain
+  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
   -shell # For CTS, restricted to just getattr in shell.te
   -ueventd # To create the /dev/hw_random file
 } hw_random_device:chr_file *;
@@ -383,9 +387,9 @@
 # Ensure that context mount types are not writable, to ensure that
 # the write to /system restriction above is not bypassed via context=
 # mount to another type.
-neverallow * { contextmount_type -authfs_fuse }:dir_file_class_set
+neverallow * { contextmount_type -authfs_fuse -encryptedstore_file }:dir_file_class_set
     { create relabelfrom relabelto append link rename };
-neverallow domain { contextmount_type -authfs_fuse }:dir_file_class_set { write unlink };
+neverallow domain { contextmount_type -authfs_fuse -encryptedstore_file }:dir_file_class_set { write unlink };
 
 neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
 
@@ -418,11 +422,6 @@
 # Feature parity with Chromium LSM.
 neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
 
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-shell -su') } su_exec:file no_x_file_perms;
-
 neverallow { domain -init } proc:{ file dir } mounton;
 
 # Ensure that all types assigned to processes are included
@@ -555,3 +554,6 @@
 # These domains must not be crash dumped
 neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms;
 neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
+
+# Ensure that no one can execute from encrypted storage, which is a writable partition in VM.
+neverallow domain encryptedstore_file:file no_x_file_perms;
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
index 522f090..5fa2e3a 100644
--- a/microdroid/system/private/encryptedstore.te
+++ b/microdroid/system/private/encryptedstore.te
@@ -31,11 +31,12 @@
 allow encryptedstore sysfs_fs_ext4_features:dir search;
 allow encryptedstore sysfs_fs_ext4_features:file r_file_perms;
 
-# encryptedstore to mount on /mnt/ directory
+# encryptedstore to mount on tmpfs bases directory (/mnt/)
 allow encryptedstore tmpfs:dir  { add_name create mounton write };
 
-# Unmount and mount filesystem
-allow encryptedstore labeledfs:filesystem { mount unmount };
+# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the later
+allow encryptedstore labeledfs:filesystem { relabelfrom };
+allow encryptedstore encryptedstore_fs:filesystem { mount unmount relabelto relabelfrom };
 
 # allow encryptedstore to log to the kernel
 allow encryptedstore kmsg_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index b94571d..6f037a3 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -4,6 +4,7 @@
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
+allow encryptedstore_file encryptedstore_fs:filesystem associate;
 allow extra_apk_file zipfusefs:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
@@ -20,3 +21,9 @@
 
 # /system/bin/mke2fs - used to format encryptedstore block device
 type e2fs_exec, system_file_type, exec_type, file_type;
+
+type encryptedstore_file, file_type;
+type encryptedstore_fs, fs_type, contextmount_type;
+
+# Filesystem entry for for PRNG seeder socket.
+type prng_seeder_socket, file_type, coredomain_socket;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index ae9b095..8d9ad85 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -66,6 +66,7 @@
 /dev/rtc[0-9]      u:object_r:rtc_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
+/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/statsdw	u:object_r:statsdw_socket:s0
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
@@ -120,6 +121,7 @@
 /system/bin/encryptedstore       u:object_r:encryptedstore_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/kexec_load           u:object_r:kexec_exec:s0
+/system/bin/prng_seeder          u:object_r:prng_seeder_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
@@ -167,3 +169,7 @@
 #############################
 # Directory for extra apks
 /mnt/extra-apk	u:object_r:extra_apk_file:s0
+
+#############################
+# Directory for encrypted storage (persistent across boot)
+/mnt/encryptedstore	u:object_r:encryptedstore_file:s0
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 40decfe..ce28471 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -42,7 +42,6 @@
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 283775e..5ad30e5 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,6 @@
 set_prop(init, property_type)
 
 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 8765f75..a5b71f0 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -31,6 +31,9 @@
 allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
 allow microdroid_manager self:global_capability_class_set sys_admin;
 
+# Allow microdroid_manager to remove capabilities from it's capability bounding set.
+allow microdroid_manager self:global_capability_class_set setpcap;
+
 # Allow microdroid_manager to start payload tasks
 domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
 domain_auto_trans(microdroid_manager, compos_exec, compos)
@@ -82,6 +85,12 @@
 # Allow microdroid_manager to pass the roothash to apkdmverity
 set_prop(microdroid_manager, microdroid_manager_roothash_prop)
 
+# Allow microdroid_manager to set sysprops calculated from the payload config
+set_prop(microdroid_manager, microdroid_config_prop)
+
+# Allow microdroid_manager to set sysprops related to microdroid_lifecycle (ex. init_done)
+set_prop(microdroid_manager, microdroid_lifecycle_prop)
+
 # Allow microdroid_manager to shutdown the device when verification fails
 set_prop(microdroid_manager, powerctl_prop)
 
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 309210c..c1974c7 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -36,7 +36,6 @@
  create listen accept read getattr write setattr lock append bind
  getopt setopt shutdown map
 };
-neverallow microdroid_payload self:vsock_socket connect;
 
 # Payload can read extra apks
 r_dir_file(microdroid_payload, extra_apk_file)
@@ -56,3 +55,10 @@
 
 # Allow payload to communicate with microdroid manager
 unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager)
+
+# Payload can read, write into encrypted storage directory
+allow microdroid_payload encryptedstore_file:dir create_dir_perms;
+allow microdroid_payload encryptedstore_file:file create_file_perms;
+
+# Never allow microdroid_payload to connect to vsock
+neverallow microdroid_payload self:vsock_socket connect;
diff --git a/microdroid/system/private/net.te b/microdroid/system/private/net.te
index 1b2fd41..8e783cb 100644
--- a/microdroid/system/private/net.te
+++ b/microdroid/system/private/net.te
@@ -2,15 +2,3 @@
 type node, node_type;
 type netif, netif_type;
 type port, port_type;
-
-###
-### Domain with network access
-###
-
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-allow netdomain port_type:tcp_socket name_connect;
-allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
diff --git a/microdroid/system/private/prng_seeder.te b/microdroid/system/private/prng_seeder.te
new file mode 100644
index 0000000..ab4e275
--- /dev/null
+++ b/microdroid/system/private/prng_seeder.te
@@ -0,0 +1,17 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random.  When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect.  No other IO is performed.
+type prng_seeder, domain, coredomain;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# prng_seeder is using bootstrap bionic
+use_bootstrap_libs(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index a02a7f2..d983775 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -39,3 +39,16 @@
   domain
   -init
 } apexd_payload_metadata_prop:property_service set;
+
+# Only microdroid_manager and init can set the microdroid_config_prop sysprops
+neverallow {
+    domain
+    -init
+    -microdroid_manager
+} {microdroid_config_prop microdroid_lifecycle_prop}:property_service set;
+
+neverallow {
+    domain
+    -init
+    -microdroid_manager
+} {microdroid_config_prop microdroid_lifecycle_prop}:file no_rw_file_perms;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index c8d3c01..0d5786c 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -1,7 +1,6 @@
 # property contexts for microdroid
-# microdroid only uses much fewer properties than normal Android, so every property is listed as
-# an exact entry. The only wildcards are "debug.*", "init.svc_debug_pid.*", "ctl.*", and
-# process-dependent properties like "arm64.memtag.*" and "log.tag.*".
+# microdroid uses far fewer properties than normal Android, so almost
+# every property is listed as an exact entry.
 
 debug.         u:object_r:debug_prop:s0 prefix
 persist.debug. u:object_r:debug_prop:s0 prefix
@@ -85,7 +84,6 @@
 ro.boot.first_stage_console        u:object_r:bootloader_prop:s0 exact string
 ro.boot.force_normal_boot          u:object_r:bootloader_prop:s0 exact string
 ro.boot.hardware                   u:object_r:bootloader_prop:s0 exact string
-ro.boot.microdroid.app_debuggable  u:object_r:bootloader_prop:s0 exact bool
 ro.boot.microdroid.debuggable      u:object_r:bootloader_prop:s0 exact bool
 ro.boot.slot_suffix                u:object_r:bootloader_prop:s0 exact string
 ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
@@ -120,6 +118,12 @@
 
 microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
 microdroid_manager.apk.mounted u:object_r:microdroid_manager_zipfuse_prop:s0 exact bool
+microdroid_manager.extra_apk.mounted. u:object_r:microdroid_manager_zipfuse_prop:s0 prefix bool
+
+microdroid_manager.authfs.enabled u:object_r:microdroid_config_prop:s0 exact bool
+
+microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
+microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
 
 dev.mnt.blk.root   u:object_r:dev_mnt_prop:s0 exact string
 dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 1196262..533b328 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -1,9 +1,4 @@
-userdebug_or_eng(`
-  typeattribute su coredomain;
+typeattribute su coredomain;
 
-  domain_auto_trans(shell, su_exec, su)
-
-  # su is also permissive to permit setenforce.
-  permissive su;
-
-')
+# su is also permissive to permit setenforce.
+permissive su;
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 419caa1..61bf8fb 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -120,9 +120,6 @@
 attribute vendor_public_property_type;
 expandattribute vendor_public_property_type false;
 
-# All domains used for apps with network access.
-attribute netdomain;
-
 # All domains used for apps with bluetooth access.
 attribute bluetoothdomain;
 
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 5616160..fe269d7 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -89,7 +89,6 @@
 type proc_drop_caches, fs_type, proc_type;
 type proc_extra_free_kbytes, fs_type, proc_type;
 type proc_filesystems, fs_type, proc_type;
-type proc_fs_verity, fs_type, proc_type;
 type proc_hostname, fs_type, proc_type;
 type proc_hung_task, fs_type, proc_type;
 type proc_interrupts, fs_type, proc_type;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 5008bc7..a2c3b77 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -40,6 +40,8 @@
 type log_tag_prop, property_type;
 type microdroid_manager_roothash_prop, property_type;
 type microdroid_manager_zipfuse_prop, property_type;
+type microdroid_config_prop, property_type;
+type microdroid_lifecycle_prop, property_type;
 type property_service_version_prop, property_type;
 type shell_prop, property_type;
 type timezone_prop, property_type;
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
index bde9cd9..0bcb29d 100644
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@@ -2,9 +2,6 @@
 type shell, domain;
 type shell_exec, system_file_type, exec_type, file_type;
 
-# Create and use network sockets.
-net_domain(shell)
-
 # Root fs.
 allow shell rootfs:dir r_dir_perms;
 
diff --git a/microdroid/system/public/su.te b/microdroid/system/public/su.te
index dbb3158..5f41e37 100644
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@@ -2,43 +2,36 @@
 # after performing an adb root command.
 
 # All types must be defined regardless of build variant to ensure
-# policy compilation succeeds with userdebug/user combination at boot
+# that adb root works on debuggable VMs even for user builds.
 type su, domain;
 
-# File types must be defined for file_contexts.
-type su_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
-  # Add su to various domains
-  net_domain(su)
-
-  dontaudit su self:capability_class_set *;
-  dontaudit su self:capability2 *;
-  dontaudit su kernel:security *;
-  dontaudit su { kernel file_type }:system *;
-  dontaudit su self:memprotect *;
-  dontaudit su domain:{ process process2 } *;
-  dontaudit su domain:fd *;
-  dontaudit su domain:dir *;
-  dontaudit su domain:lnk_file *;
-  dontaudit su domain:{ fifo_file file } *;
-  dontaudit su domain:socket_class_set *;
-  dontaudit su domain:ipc_class_set *;
-  dontaudit su domain:key *;
-  dontaudit su fs_type:filesystem *;
-  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
-  dontaudit su node_type:node *;
-  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
-  dontaudit su netif_type:netif *;
-  dontaudit su port_type:socket_class_set *;
-  dontaudit su port_type:{ tcp_socket dccp_socket } *;
-  dontaudit su domain:peer *;
-  dontaudit su domain:binder *;
-  dontaudit su property_type:property_service *;
-  dontaudit su property_type:file *;
-  dontaudit su domain:drmservice *;
-  dontaudit su unlabeled:filesystem *;
-  dontaudit su domain:bpf *;
-  dontaudit su unlabeled:vsock_socket *;
-  dontaudit su self:perf_event *;
-')
+# Add su to various domains
+dontaudit su self:capability_class_set *;
+dontaudit su self:capability2 *;
+dontaudit su kernel:security *;
+dontaudit su { kernel file_type }:system *;
+dontaudit su self:memprotect *;
+dontaudit su domain:{ process process2 } *;
+dontaudit su domain:fd *;
+dontaudit su domain:dir *;
+dontaudit su domain:lnk_file *;
+dontaudit su domain:{ fifo_file file } *;
+dontaudit su domain:socket_class_set *;
+dontaudit su domain:ipc_class_set *;
+dontaudit su domain:key *;
+dontaudit su fs_type:filesystem *;
+dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+dontaudit su node_type:node *;
+dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+dontaudit su netif_type:netif *;
+dontaudit su port_type:socket_class_set *;
+dontaudit su port_type:{ tcp_socket dccp_socket } *;
+dontaudit su domain:peer *;
+dontaudit su domain:binder *;
+dontaudit su property_type:property_service *;
+dontaudit su property_type:file *;
+dontaudit su domain:drmservice *;
+dontaudit su unlabeled:filesystem *;
+dontaudit su domain:bpf *;
+dontaudit su unlabeled:vsock_socket *;
+dontaudit su self:perf_event *;
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index b5aa501..767bfe3 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -59,6 +59,7 @@
     mdns_service
     nearby_service
     persist_wm_debug_prop
+    prng_seeder
     proc_watermark_boost_factor
     proc_watermark_scale_factor
     prng_seeder
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index 4eda4a1..db71be4 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -347,6 +347,11 @@
 audio.offload.video             u:object_r:audio_config_prop:s0 exact bool
 audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
 
+# spatializer tuning
+audio.spatializer.priority               u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.affinity        u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.util_clamp_min  u:object_r:audio_config_prop:s0 exact int
+
 ro.audio.ignore_effects   u:object_r:audio_config_prop:s0 exact bool
 ro.audio.monitorRotation  u:object_r:audio_config_prop:s0 exact bool
 ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 8a7947d..6d3bc78 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -396,6 +396,7 @@
   hal_graphics_allocator_server
   hal_graphics_composer_server
   hal_health_server
+  hal_input_processor_server
   hal_light_server
   hal_neuralnetworks_server
   hal_omx_server
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 8d3e556..05a7317 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -113,9 +113,6 @@
   sysfs_zram
 }:file r_file_perms;
 
-# Ignore other file access under /sys.
-dontaudit dumpstate sysfs:file r_file_perms;
-
 # Other random bits of data we want to collect
 no_debugfs_restriction(`
   allow dumpstate debugfs:file r_file_perms;
diff --git a/prebuilts/api/33.0/public/hal_audio.te b/prebuilts/api/33.0/public/hal_audio.te
index 52caa00..aabc884 100644
--- a/prebuilts/api/33.0/public/hal_audio.te
+++ b/prebuilts/api/33.0/public/hal_audio.te
@@ -23,6 +23,9 @@
 # Needed to allow sound trigger hal to access shared memory from apps.
 allow hal_audio_server appdomain:fd use;
 
+# allow self to set scheduler (and allows Binder RT PI)
+allow hal_audio_server self:global_capability_class_set sys_nice;
+
 # allow hal audio to use vnbinder
 vndbinder_use(hal_audio)
 
diff --git a/private/app.te b/private/app.te
index ae8b206..8838782 100644
--- a/private/app.te
+++ b/private/app.te
@@ -95,8 +95,9 @@
 # Exception for crash_dump to allow for app crash reporting.
 # Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
 # to allow renderscript to create privileged executable files.
+# Exception for virtualizationmanager to allow running VMs as child processes.
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
-    { domain -appdomain -crash_dump -rs }:process { transition };
+    { domain -appdomain -crash_dump -rs -virtualizationmanager }:process { transition };
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
     { domain -appdomain }:process { dyntransition };
 
diff --git a/private/artd.te b/private/artd.te
index 63045af..c887258 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -29,12 +29,21 @@
 # Allow testing userfaultfd support.
 userfaultfd_use(artd)
 
-# Read access to primary dex'es on writable partitions (e.g., /data/app/...).
+# Read access to primary dex'es on writable partitions
+# ({/data,/mnt/expand/<volume-uuid>}/app/...).
+allow artd mnt_expand_file:dir { getattr search };
 r_dir_file(artd, apk_data_file)
 
-# Read access to /vendor/app.
+# Read access to vendor APKs ({/vendor,/odm}/{app,priv-app}/...).
 r_dir_file(artd, vendor_app_file)
 
+# Read access to vendor overlay APKs ({/vendor,/odm,/oem}/overlay/...).
+allow artd oemfs:dir { getattr search };
+r_dir_file(artd, vendor_overlay_file)
+
+# Read access to vendor shared libraries ({/vendor,/odm}/framework/...).
+r_dir_file(artd, vendor_framework_file)
+
 # Read/write access to all compilation artifacts generated on device for apps'
 # primary dex'es. (/data/dalvik-cache/..., /data/app/.../oat/..., etc.)
 allow artd dalvikcache_data_file:dir create_dir_perms;
@@ -62,8 +71,9 @@
 #   profile files to the system or apps.
 allow artd self:global_capability_class_set { dac_override dac_read_search fowner chown };
 
-# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...).
-allow artd user_profile_root_file:dir { getattr search };
+# Read/write access to profiles (/data/misc/profiles/{ref,cur}/...). Also allow
+# scanning /data/misc/profiles/cur, for cleaning up obsolete managed files.
+allow artd user_profile_root_file:dir r_dir_perms;
 allow artd user_profile_data_file:dir rw_dir_perms;
 allow artd user_profile_data_file:file create_file_perms;
 
@@ -73,6 +83,38 @@
 allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
 allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
 
+# Allow symlinks for secondary dex files. This has be to restricted because
+# symlinks can cause various security issues. We allow "privapp_data_file" just
+# for GMS because so far we only see GMS using symlinks.
+allow artd privapp_data_file:lnk_file { getattr read };
+
+# Read access to SELinux context files, for restorecon.
+allow artd file_contexts_file:file r_file_perms;
+allow artd seapp_contexts_file:file r_file_perms;
+
+# Check validity of SELinux context, for restorecon.
+selinux_check_context(artd)
+
+# Allow scanning /, for cleaning up obsolete managed files.
+allow artd rootfs:dir r_dir_perms;
+
+# Allow scanning /data, for cleaning up obsolete managed files.
+allow artd system_data_root_file:dir r_dir_perms;
+
+# Allow scanning /mnt, for cleaning up obsolete managed files.
+allow artd tmpfs:dir r_dir_perms;
+
+# Allow scanning /mnt/expand, for cleaning up obsolete managed files.
+allow artd mnt_expand_file:dir r_dir_perms;
+
+# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}, for cleaning
+# up obsolete managed files.
+allow artd system_userdir_file:dir r_dir_perms;
+
+# Allow scanning {/data,/mnt/expand/<volume-uuid>}/{user,user_de}/<user-id> and
+# /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
+allow artd system_data_file:dir r_dir_perms;
+
 # Never allow running other binaries without a domain transition.
 # The only exception is art_exec. It is allowed to use the artd domain because
 # it is a thin wrapper that executes other binaries on behalf of artd.
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7c009ec..6bdc259 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -18,6 +18,8 @@
 
 allow bpfloader sysfs_fs_fuse_bpf:file r_file_perms;
 
+allow bpfloader proc_bpf:file w_file_perms;
+
 set_prop(bpfloader, bpf_progs_loaded_prop)
 
 allow bpfloader bpfloader_exec:file execute_no_trans;
@@ -26,28 +28,30 @@
 ### Neverallow rules
 ###
 
-# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
+# Note: we don't care about getattr/mounton/search
+neverallow { domain            } bpffs_type:dir ~{ add_name create getattr mounton remove_name search write };
 neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
-neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
 
-# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
-neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
-neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server -vendor_init } fs_bpf:file               read;
-neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_net_private:file   read;
-neverallow { domain -bpfloader             -init                                                  -network_stack -system_server -vendor_init } fs_bpf_net_shared:file    read;
-neverallow { domain -bpfloader             -init                          -netd                   -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
-neverallow { domain -bpfloader             -init                          -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file   read;
-neverallow { domain -bpfloader             -init                                                  -network_stack                -vendor_init } fs_bpf_tethering:file     read;
-neverallow { domain -bpfloader -gpuservice                                -netd -netutils_wrapper -network_stack -system_server              } { bpffs_type -fs_bpf_vendor }:file write;
-neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
+neverallow { domain            } bpffs_type:file ~{ create getattr map open read rename setattr write };
+neverallow { domain -bpfloader } bpffs_type:file { create getattr map open rename setattr };
+neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper                -system_server } fs_bpf:file               read;
+neverallow { domain -bpfloader                                                                                            } fs_bpf_loader:file        read;
+neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_net_private:file   read;
+neverallow { domain -bpfloader                                                              -network_stack -system_server } fs_bpf_net_shared:file    read;
+neverallow { domain -bpfloader                                      -netd                   -network_stack -system_server } fs_bpf_netd_readonly:file read;
+neverallow { domain -bpfloader                                      -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file   read;
+neverallow { domain -bpfloader                                                              -network_stack                } fs_bpf_tethering:file     read;
+neverallow { domain -bpfloader -gpuservice                          -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
 
 neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
 neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
 
+# 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
+neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
+neverallow { domain -bpfloader } fs_bpf_loader:file *;
+
 neverallow {
   domain
   -bpfloader
@@ -62,13 +66,11 @@
 neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 
-neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
+neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
 
 neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
 
 # No domain should be allowed to ptrace bpfloader
 neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
 
-# Currently only bpfloader.rc (which runs as init) can do bpf sysctl setup
-# this should perhaps be moved to the bpfloader binary itself.  Allow both.
-neverallow { domain -bpfloader -init } proc_bpf:file write;
+neverallow { domain -bpfloader } proc_bpf:file write;
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
index 9ba60ac..5673ccd 100644
--- a/private/canhalconfigurator.te
+++ b/private/canhalconfigurator.te
@@ -5,3 +5,6 @@
 # This allows the configurator to look up the CAN HAL controller via
 # hwservice_manager and communicate with it.
 hal_client_domain(canhalconfigurator, hal_can_controller)
+
+binder_use(canhalconfigurator)
+binder_call(hal_can_controller, canhalconfigurator)
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 50e3be7..d810e0a 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -59,6 +59,7 @@
     mdns_service
     nearby_service
     persist_wm_debug_prop
+    prng_seeder
     proc_watermark_boost_factor
     remotelyprovisionedkeypool_service
     resources_manager_service
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 849be82..2f8887b 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -2116,7 +2116,7 @@
 (typeattributeset proc_drop_caches_33_0 (proc_drop_caches))
 (typeattributeset proc_extra_free_kbytes_33_0 (proc_extra_free_kbytes))
 (typeattributeset proc_filesystems_33_0 (proc_filesystems))
-(typeattributeset proc_fs_verity_33_0 (proc_fs_verity))
+(typeattributeset proc_fs_verity_33_0 (proc))
 (typeattributeset proc_hostname_33_0 (proc_hostname))
 (typeattributeset proc_hung_task_33_0 (proc_hung_task))
 (typeattributeset proc_interrupts_33_0 (proc_interrupts))
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3750e7d..11bff79 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -9,18 +9,24 @@
     apex_ready_prop
     artd
     credential_service
+    device_config_camera_native_prop
     device_config_memory_safety_native_prop
     device_config_vendor_system_native_prop
     devicelock_service
+    fwk_camera_service
     fwk_sensor_service
+    grammatical_inflection_service
+    hal_bluetooth_service
     hal_bootctl_service
     hal_cas_service
     hal_remoteaccess_service
+    hal_secure_element_service
     hal_thermal_service
     hal_usb_gadget_service
     hal_tv_input_service
-    hal_tv_hdmi_service
     hal_tv_hdmi_cec_service
+    hal_tv_hdmi_connection_service
+    hal_tv_hdmi_earc_service
     hal_wifi_service
     healthconnect_service
     hypervisor_restricted_prop
@@ -28,6 +34,7 @@
     ntfs
     permissive_mte_prop
     prng_seeder
+    remote_provisioning_service
     rkpdapp
     servicemanager_prop
     system_net_netd_service
@@ -40,4 +47,5 @@
     hal_broadcastradio_service
     hal_confirmationui_service
     hal_fastboot_service
+    hal_can_controller_service
   ))
diff --git a/private/coredomain.te b/private/coredomain.te
index c041ca3..55f715d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -92,6 +92,7 @@
     neverallow {
         coredomain
         -appdomain
+        -artd
         -idmap
         -init
         -installd
@@ -110,6 +111,7 @@
     neverallow {
         coredomain
         -appdomain
+        -artd
         -idmap
         -init
         -installd
diff --git a/private/crosvm.te b/private/crosvm.te
index 9c45131..c682bb5 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -14,10 +14,10 @@
 tmpfs_domain(crosvm)
 
 # Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationservice:fd use;
+allow crosvm virtualizationmanager:fd use;
 
 # Allow sending VirtualizationService the failure reason from the VM via pipe.
-allow crosvm virtualizationservice:fifo_file write;
+allow crosvm virtualizationmanager:fifo_file write;
 
 # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
 # (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
@@ -36,11 +36,20 @@
 # Allow searching the directory where the composite disk images are.
 allow crosvm virtualizationservice_data_file:dir search;
 
+# Allow crosvm to mlock guest memory.
+allow crosvm self:capability ipc_lock;
+
 # Let crosvm access its control socket as created by VS.
 #   read, write, getattr: listener socket polling
 #   accept: listener socket accepting new connection
 # Note that the open permission is not given as the socket is passed by FD.
-allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
+allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
+
+# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
+userdebug_or_eng(`
+  allow crosvm shell_data_file:dir search;
+  allow crosvm shell_data_file:file open;
+')
 
 # The instance image and the composite image should be writable as well because they could represent
 # mutable disks.
@@ -104,9 +113,9 @@
   -shell_data_file
 }:file read;
 
-# Only virtualizationservice can run crosvm
+# Only virtualizationmanager can run crosvm
 neverallow {
   domain
   -crosvm
-  -virtualizationservice
+  -virtualizationmanager
 } crosvm_exec:file no_x_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 9de23ba..e0ba975 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2,7 +2,9 @@
 # This occurs when the process crashes.
 # We do not apply this to the su domain to avoid interfering with
 # tests (b/114136122)
-domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
+# We exempt crosvm because parts of its memory are inaccessible to the
+# kernel. TODO(b/238324526): Remove this.
+domain_auto_trans({ domain userdebug_or_eng(`-su') -crosvm }, crash_dump_exec, crash_dump);
 allow domain crash_dump:process sigchld;
 
 # Allow every process to check the heapprofd.enable properties to determine
@@ -288,7 +290,7 @@
   -apexd
   -installd
   -priv_app
-  -virtualizationservice
+  -virtualizationmanager
 } staging_data_file:dir *;
 neverallow {
   domain
@@ -301,7 +303,7 @@
   -installd
   -priv_app
   -shell
-  -virtualizationservice
+  -virtualizationmanager
   -crosvm
 } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
@@ -650,7 +652,7 @@
 # Restrict write access to etm sysfs interface.
 neverallow { domain -ueventd -vendor_init } sysfs_devices_cs_etm:file no_w_file_perms;
 
-# Restrict write access to shell owned files. The /data/local/tmp directory is
+# Restrict direct access to shell owned files. The /data/local/tmp directory is
 # untrustworthy, and non-allowed domains should not be trusting any content in
 # those directories. We allow shell files to be passed around by file
 # descriptor, but not directly opened.
@@ -669,6 +671,51 @@
   userdebug_or_eng(`-crosvm')
 } shell_data_file:file open;
 
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-allowed domains should
+# not be trusting any content in those directories.
+# artd doesn't need to access /data/local/tmp, but it needs to access
+# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
+# dex files.
+neverallow {
+  domain
+  -adbd
+  -artd
+  -dumpstate
+  -installd
+  -init
+  -shell
+  -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+  domain
+  -adbd
+  -appdomain
+  -artd
+  -dumpstate
+  -init
+  -installd
+  -simpleperf_app_runner
+  -system_server # why?
+  userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir open;
+
+neverallow {
+  domain
+  -adbd
+  -appdomain
+  -artd
+  -dumpstate
+  -init
+  -installd
+  -simpleperf_app_runner
+  -system_server # why?
+  userdebug_or_eng(`-uncrypt')
+  userdebug_or_eng(`-crosvm')
+} shell_data_file:dir search;
+
 # respect system_app sandboxes
 neverallow {
   domain
diff --git a/private/dumpstate.te b/private/dumpstate.te
index ee59cb7..fe442b3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -30,6 +30,9 @@
 # Allow dumpstate to make binder calls to incidentd
 binder_call(dumpstate, incidentd)
 
+# Kill incident in case of a timeout
+allow dumpstate incident:process { signal sigkill };
+
 # Allow dumpstate to make binder calls to storaged service
 binder_call(dumpstate, storaged)
 
diff --git a/private/file.te b/private/file.te
index 60e2274..e33469f 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,6 +7,7 @@
 type fs_bpf_net_shared, fs_type, bpffs_type;
 type fs_bpf_netd_readonly, fs_type, bpffs_type;
 type fs_bpf_netd_shared, fs_type, bpffs_type;
+type fs_bpf_loader, fs_type, bpffs_type;
 
 # /data/misc/storaged
 type storaged_data_file, file_type, data_file_type, core_data_file_type;
@@ -90,7 +91,9 @@
 type odsign_metrics_file, file_type, data_file_type, core_data_file_type;
 
 # /data/misc/virtualizationservice
-type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type;
+# The type needs to be mlstrustedobject to allow for being accessed from
+# virtualizationmanager, which runs at a more constrained MLS level.
+type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
 # /data/system/environ
 type environ_system_data_file, file_type, data_file_type, core_data_file_type;
@@ -99,7 +102,9 @@
 type bootanim_data_file, file_type, data_file_type, core_data_file_type;
 
 # /dev/kvm
-type kvm_device, dev_type;
+# The type needs to be mlstrustedobject to allow for being accessed from
+# crosvm, which runs at a more constrained MLS level.
+type kvm_device, dev_type, mlstrustedobject;
 
 # /apex/com.android.virt/bin/fd_server
 type fd_server_exec, system_file_type, exec_type, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 72fae62..632e069 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -223,7 +223,7 @@
 /system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
 /system/bin/prng_seeder		u:object_r:prng_seeder_exec:s0
 /system/bin/charger		u:object_r:charger_exec:s0
-/system/bin/canhalconfigurator  u:object_r:canhalconfigurator_exec:s0
+/system/bin/canhalconfigurator(-aidl)?  u:object_r:canhalconfigurator_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index a26726d..0cc450d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -28,6 +28,7 @@
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
 set_prop(flags_health_check, device_config_memory_safety_native_prop)
 set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
+set_prop(flags_health_check, device_config_camera_native_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index e069233..2e5089c 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -11,9 +11,6 @@
 allow fsverity_init kernel:key { view search write setattr };
 allow fsverity_init fsverity_init:key { view search write };
 
-# Allow init to write to /proc/sys/fs/verity/require_signatures
-allow fsverity_init proc_fs_verity:file w_file_perms;
-
 # Read the on-device signing certificate, to be able to add it to the keyring
 allow fsverity_init odsign:fd use;
 allow fsverity_init odsign_data_file:file { getattr read };
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 29d8561..6fa98ea 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -43,7 +43,6 @@
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
 genfscon proc /sys/kernel/bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
@@ -395,7 +394,9 @@
 genfscon functionfs / u:object_r:functionfs:s0
 genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+
 genfscon bpf / u:object_r:fs_bpf:s0
+genfscon bpf /loader u:object_r:fs_bpf_loader:s0
 genfscon bpf /net_private u:object_r:fs_bpf_net_private:s0
 genfscon bpf /net_shared u:object_r:fs_bpf_net_shared:s0
 genfscon bpf /netd_readonly u:object_r:fs_bpf_netd_readonly:s0
diff --git a/private/network_stack.te b/private/network_stack.te
index 3cdf884..dfee019 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -75,44 +75,27 @@
 # This place is as good as any for these rules,
 # and it is probably the most appropriate because
 # network_stack itself is entirely mainline code.
-#
-# Unfortunately init/vendor_init have all sorts of extra privs
 
 # T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~getattr;
+neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file *;
 
 # T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
-
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~getattr;
+neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file *;
 
 # T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
 # netd's access should be readonly
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~getattr;
+neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file *;
 neverallow netd fs_bpf_netd_readonly:file write;
 
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
-
 # T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
 # netutils_wrapper requires access to be able to run iptables and only needs readonly access
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
-neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~getattr;
+neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file *;
 neverallow netutils_wrapper fs_bpf_netd_shared:file write;
 
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
-
 # S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~getattr;
+neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file *;
diff --git a/private/property.te b/private/property.te
index cac04d3..dee6369 100644
--- a/private/property.te
+++ b/private/property.te
@@ -432,6 +432,7 @@
   -init
   -shell
   -system_app
+  -system_server
   -mtectrl
 } {
   arm64_memtag_prop
diff --git a/private/property_contexts b/private/property_contexts
index 823fa2f..f208e52 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -247,6 +247,7 @@
 device_config.reset_performed                       u:object_r:device_config_reset_performed_prop:s0
 persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
 persist.device_config.attempted_boot_count          u:object_r:device_config_boot_count_prop:s0
+persist.device_config.camera_native.                u:object_r:device_config_camera_native_prop:s0
 persist.device_config.configuration.                u:object_r:device_config_configuration_prop:s0
 persist.device_config.connectivity.                 u:object_r:device_config_connectivity_prop:s0
 persist.device_config.input_native_boot.            u:object_r:device_config_input_native_boot_prop:s0
@@ -321,6 +322,8 @@
 ro.virtual_ab.compression.xor.enabled   u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.userspace.snapshots.enabled u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
 snapuserd.ready         u:object_r:snapuserd_prop:s0 exact bool
 snapuserd.proxy_ready   u:object_r:snapuserd_prop:s0 exact bool
 snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
@@ -360,6 +363,11 @@
 audio.offload.video             u:object_r:audio_config_prop:s0 exact bool
 audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
 
+# spatializer tuning
+audio.spatializer.priority               u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.affinity        u:object_r:audio_config_prop:s0 exact int
+audio.spatializer.effect.util_clamp_min  u:object_r:audio_config_prop:s0 exact int
+
 ro.audio.ignore_effects   u:object_r:audio_config_prop:s0 exact bool
 ro.audio.monitorRotation  u:object_r:audio_config_prop:s0 exact bool
 ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
@@ -377,6 +385,7 @@
 camera.disable_preview_scheduler u:object_r:camera_config_prop:s0 exact bool
 camera.disable_zsl_mode       u:object_r:camera_config_prop:s0 exact bool
 camera.fifo.disable           u:object_r:camera_config_prop:s0 exact bool
+camera.enable_landscape_to_portrait u:object_r:camera_config_prop:s0 exact bool
 ro.camera.notify_nfc          u:object_r:camera_config_prop:s0 exact bool
 ro.camera.enableLazyHal       u:object_r:camera_config_prop:s0 exact bool
 ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
@@ -465,7 +474,6 @@
 dalvik.vm.restore-dex2oat-cpu-set             u:object_r:dalvik_config_prop:s0 exact string
 dalvik.vm.restore-dex2oat-threads             u:object_r:dalvik_config_prop:s0 exact int
 dalvik.vm.usejit                              u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.usejitprofiles                      u:object_r:dalvik_config_prop:s0 exact bool
 dalvik.vm.zygote.max-boot-retry               u:object_r:dalvik_config_prop:s0 exact int
 
 persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
@@ -504,6 +512,7 @@
 
 bluetooth.core.gap.le.privacy.enabled                u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.core.gap.le.conn.min.limit                 u:object_r:bluetooth_config_prop:s0 exact int
+bluetooth.core.gap.le.conn.only_init_1m_phy.enabled  u:object_r:bluetooth_config_prop:s0 exact bool
 
 bluetooth.device.default_name                        u:object_r:bluetooth_config_prop:s0 exact string
 bluetooth.device.class_of_device                     u:object_r:bluetooth_config_prop:s0 exact string
@@ -639,6 +648,7 @@
 external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
 external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
 ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
+ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
 
 # hypervisor.*: configured by the vendor to advertise capabilities of their
 # hypervisor to virtualizationservice.
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 535f324..21f9b0c 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -5,6 +5,7 @@
 typeattribute rkpdapp coredomain;
 
 app_domain(rkpdapp)
+net_domain(rkpdapp)
 
 # RKPD needs to be able to call the remote provisioning HALs
 hal_client_domain(rkpdapp, hal_keymint)
@@ -15,6 +16,10 @@
 # Grant access to the normal services that are available to all apps
 allow rkpdapp app_api_service:service_manager find;
 
+# Grant access to media.metrics service, needed for widevine. This
+# access is granted to all other apps already (e.g. untrusted_app_all).
+allow rkpdapp mediametrics_service:service_manager find;
+
 # Grant access to statsd
 allow rkpdapp statsmanager_service:service_manager find;
 binder_call(rkpdapp, statsd)
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 12310d2..a0e77a2 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -213,6 +213,10 @@
 
 allow sdk_sandbox system_linker_exec:file execute_no_trans;
 
+# Required to read CTS tests data from the shell_data_file location.
+allow sdk_sandbox shell_data_file:file r_file_perms;
+allow sdk_sandbox shell_data_file:dir r_dir_perms;
+
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 perfetto_producer(sdk_sandbox)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 81563a5..d3f065b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -165,6 +165,7 @@
 user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index 562e3d4..a144db1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,11 +1,22 @@
+android.frameworks.cameraservice.service.ICameraService/default      u:object_r:fwk_camera_service:s0
 android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
 android.frameworks.sensorservice.ISensorManager/default              u:object_r:fwk_sensor_service:s0
 android.hardware.audio.core.IConfig/default                          u:object_r:hal_audio_service:s0
+# 'default' IModule is equivalent to 'primary' in HIDL
 android.hardware.audio.core.IModule/default                          u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/a2dp                             u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/bluetooth                        u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/hearing_aid                      u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/msd                              u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/r_submix                         u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/stub                             u:object_r:hal_audio_service:s0
+android.hardware.audio.core.IModule/usb                              u:object_r:hal_audio_service:s0
 android.hardware.audio.effect.IFactory/default                       u:object_r:hal_audio_service:s0
+android.hardware.audio.sounddose.ISoundDoseFactory/default           u:object_r:hal_audio_service:s0
 android.hardware.authsecret.IAuthSecret/default                      u:object_r:hal_authsecret_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/0                  u:object_r:hal_evs_service:s0
 android.hardware.boot.IBootControl/default                           u:object_r:hal_bootctl_service:s0
+android.hardware.automotive.can.ICanController/default               u:object_r:hal_can_controller_service:s0
 android.hardware.automotive.evs.IEvsEnumerator/hw/1                  u:object_r:hal_evs_service:s0
 android.hardware.automotive.audiocontrol.IAudioControl/default       u:object_r:hal_audiocontrol_service:s0
 android.hardware.automotive.remoteaccess.IRemoteAccess/default       u:object_r:hal_remoteaccess_service:s0
@@ -13,6 +24,7 @@
 android.hardware.biometrics.face.IFace/default                       u:object_r:hal_face_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/default         u:object_r:hal_fingerprint_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/virtual         u:object_r:hal_fingerprint_service:s0
+android.hardware.bluetooth.IBluetoothHci/default                     u:object_r:hal_bluetooth_service:s0
 android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
 android.hardware.broadcastradio.IBroadcastRadio/amfm                 u:object_r:hal_broadcastradio_service:s0
 android.hardware.broadcastradio.IBroadcastRadio/dab                  u:object_r:hal_broadcastradio_service:s0
@@ -58,9 +70,15 @@
 android.hardware.radio.network.IRadioNetwork/slot1                   u:object_r:hal_radio_service:s0
 android.hardware.radio.network.IRadioNetwork/slot2                   u:object_r:hal_radio_service:s0
 android.hardware.radio.network.IRadioNetwork/slot3                   u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot1               u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot2               u:object_r:hal_radio_service:s0
+android.hardware.radio.satellite.IRadioSatellite/slot3               u:object_r:hal_radio_service:s0
 android.hardware.radio.sim.IRadioSim/slot1                           u:object_r:hal_radio_service:s0
 android.hardware.radio.sim.IRadioSim/slot2                           u:object_r:hal_radio_service:s0
 android.hardware.radio.sim.IRadioSim/slot3                           u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot1                                u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot2                                u:object_r:hal_radio_service:s0
+android.hardware.radio.sap.ISap/slot3                                u:object_r:hal_radio_service:s0
 android.hardware.radio.voice.IRadioVoice/slot1                       u:object_r:hal_radio_service:s0
 android.hardware.radio.voice.IRadioVoice/slot2                       u:object_r:hal_radio_service:s0
 android.hardware.radio.voice.IRadioVoice/slot3                       u:object_r:hal_radio_service:s0
@@ -74,8 +92,9 @@
 android.hardware.sensors.ISensors/default                            u:object_r:hal_sensors_service:s0
 android.hardware.soundtrigger3.ISoundTriggerHw/default               u:object_r:hal_audio_service:s0
 android.hardware.thermal.IThermal/default                            u:object_r:hal_thermal_service:s0
-android.hardware.tv.cec.IHdmiCec/default                             u:object_r:hal_tv_hdmi_cec_service:s0
-android.hardware.tv.hdmi.IHdmi/default                               u:object_r:hal_tv_hdmi_service:s0
+android.hardware.tv.hdmi.cec.IHdmiCec/default                        u:object_r:hal_tv_hdmi_cec_service:s0
+android.hardware.tv.hdmi.connection.IHdmiConnection/default          u:object_r:hal_tv_hdmi_connection_service:s0
+android.hardware.tv.hdmi.earc.IEArc/default                          u:object_r:hal_tv_hdmi_earc_service:s0
 android.hardware.tv.tuner.ITuner/default                             u:object_r:hal_tv_tuner_service:s0
 android.hardware.tv.input.ITvInput/default                           u:object_r:hal_tv_input_service:s0
 android.hardware.usb.IUsb/default                                    u:object_r:hal_usb_service:s0
@@ -88,6 +107,12 @@
 android.hardware.wifi.hostapd.IHostapd/default                       u:object_r:hal_wifi_hostapd_service:s0
 android.hardware.wifi.supplicant.ISupplicant/default                 u:object_r:hal_wifi_supplicant_service:s0
 android.se.omapi.ISecureElementService/default                       u:object_r:secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE1                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE2                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE3                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM1                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM2                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM3                  u:object_r:hal_secure_element_service:s0
 android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
 android.system.net.netd.INetd/default                                u:object_r:system_net_netd_service:s0
 android.system.suspend.ISystemSuspend/default                        u:object_r:hal_system_suspend_service:s0
@@ -208,6 +233,7 @@
 game                                      u:object_r:game_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
 gnss_time_update_service                  u:object_r:gnss_time_update_service:s0
+grammatical_inflection                    u:object_r:grammatical_inflection_service:s0
 graphicsstats                             u:object_r:graphicsstats_service:s0
 gpu                                       u:object_r:gpu_service:s0
 hardware                                  u:object_r:hardware_service:s0
@@ -313,6 +339,7 @@
 rcs                                       u:object_r:radio_service:s0
 reboot_readiness                          u:object_r:reboot_readiness_service:s0
 recovery                                  u:object_r:recovery_service:s0
+remote_provisioning                       u:object_r:remote_provisioning_service:s0
 resolver                                  u:object_r:resolver_service:s0
 resources                                 u:object_r:resources_manager_service:s0
 restrictions                              u:object_r:restrictions_service:s0
diff --git a/private/su.te b/private/su.te
index 2496473..cc00e10 100644
--- a/private/su.te
+++ b/private/su.te
@@ -19,6 +19,9 @@
   # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
   domain_auto_trans(su, perfetto_exec, perfetto)
 
+  # Put the virtmgr command into its domain.
+  domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager)
+
   # su is also permissive to permit setenforce.
   permissive su;
 
diff --git a/private/system_server.te b/private/system_server.te
index 3a7dd8a..53acab0 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -5,6 +5,7 @@
 
 typeattribute system_server coredomain;
 typeattribute system_server mlstrustedsubject;
+typeattribute system_server remote_provisioning_service_server;
 typeattribute system_server scheduler_service_server;
 typeattribute system_server sensor_service_server;
 typeattribute system_server stats_service_server;
@@ -330,8 +331,9 @@
 hal_client_domain(system_server, hal_tetheroffload)
 hal_client_domain(system_server, hal_thermal)
 hal_client_domain(system_server, hal_tv_cec)
-hal_client_domain(system_server, hal_tv_hdmi)
 hal_client_domain(system_server, hal_tv_hdmi_cec)
+hal_client_domain(system_server, hal_tv_hdmi_connection)
+hal_client_domain(system_server, hal_tv_hdmi_earc)
 hal_client_domain(system_server, hal_tv_input)
 hal_client_domain(system_server, hal_usb)
 hal_client_domain(system_server, hal_usb_gadget)
@@ -743,6 +745,7 @@
 set_prop(system_server, device_config_runtime_native_prop)
 set_prop(system_server, device_config_lmkd_native_prop)
 set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_camera_native_prop)
 set_prop(system_server, device_config_mglru_native_prop)
 set_prop(system_server, device_config_profcollect_native_boot_prop)
 set_prop(system_server, device_config_statsd_native_prop)
@@ -760,6 +763,7 @@
 set_prop(system_server, device_config_memory_safety_native_prop)
 set_prop(system_server, device_config_remote_key_provisioning_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
+set_prop(system_server, arm64_memtag_prop)
 
 # Allow query ART device config properties
 get_prop(system_server, device_config_runtime_native_boot_prop)
@@ -1084,7 +1088,7 @@
 allow system_server toolbox_exec:file rx_file_perms;
 
 # Allow system process to setup fs-verity
-allowxperm system_server apk_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+allowxperm system_server { apk_data_file system_data_file apex_system_server_data_file }:file ioctl FS_IOC_ENABLE_VERITY;
 
 # Allow system process to measure fs-verity for apps, apps being installed and system files
 allowxperm system_server { apk_data_file apk_tmp_file system_file }:file ioctl FS_IOC_MEASURE_VERITY;
@@ -1180,8 +1184,9 @@
 
 # System server may dump profile data for debuggable apps in the /data/misc/profman.
 # As such it needs to be able create files but it should never read from them.
+# It also needs to stat the directory to check if it has the right permissions.
 allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
-allow system_server profman_dump_data_file:dir w_dir_perms;
+allow system_server profman_dump_data_file:dir rw_dir_perms;
 
 # On userdebug build we may profile system server. Allow it to write and create its own profile.
 userdebug_or_eng(`
diff --git a/private/system_suspend.te b/private/system_suspend.te
index d924187..bef7c6d 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -29,6 +29,14 @@
 allow system_suspend dumpstate:fd use;
 allow system_suspend dumpstate:fifo_file write;
 
+# Allow init to take kernel wakelock and system suspend to
+# remove kenel wakelocks and the capability to access these
+# files
+allow init sysfs_wake_lock:file rw_file_perms;
+allow init self:global_capability2_class_set block_suspend;
+allow system_suspend sysfs_wake_lock:file rw_file_perms;
+allow system_suspend self:global_capability2_class_set block_suspend;
+
 neverallow {
     domain
     -atrace # tracing
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
new file mode 100644
index 0000000..4cd32b7
--- /dev/null
+++ b/private/virtualizationmanager.te
@@ -0,0 +1,77 @@
+# Domain for a child process that manages virtual machines on behalf of its parent.
+
+type virtualizationmanager, domain, coredomain;
+type virtualizationmanager_exec, system_file_type, exec_type, file_type;
+
+# Allow virtualizationmanager to communicate use, read and write over the adb connection.
+allow virtualizationmanager adbd:fd use;
+allow virtualizationmanager adbd:unix_stream_socket { read write };
+
+# Let the virtualizationmanager domain use Binder.
+binder_use(virtualizationmanager)
+
+# Let virtualizationmanager find and communicate with virtualizationservice.
+allow virtualizationmanager virtualization_service:service_manager find;
+binder_call(virtualizationmanager, virtualizationservice)
+
+# Allow calling into the system server to find native services. "permission_service" to check
+# permissions, and "package_native" for staged apex info.
+binder_call(virtualizationmanager, system_server)
+allow virtualizationmanager { package_native_service permission_service }:service_manager find;
+
+# When virtualizationmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtualizationmanager, crosvm_exec, crosvm)
+
+# Let virtualizationmanager kill crosvm.
+allow virtualizationmanager crosvm:process sigkill;
+
+# Let virtualizationmanager create files inside virtualizationservice's temporary directories.
+allow virtualizationmanager virtualizationservice_data_file:dir rw_dir_perms;
+allow virtualizationmanager virtualizationservice_data_file:{ file sock_file } create_file_perms;
+
+# Let virtualizationmanager read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationmanager apk_data_file:file { getattr read };
+
+# Write access is needed for mutable partitions like instance.img
+allow virtualizationmanager {
+  app_data_file
+  apex_compos_data_file
+  privapp_data_file
+}:file { getattr read write };
+
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationmanager shell_data_file:file { getattr read write };
+
+# Allow virtualizationmanager to read apex-info-list.xml and access the APEX files listed there.
+allow virtualizationmanager apex_info_file:file r_file_perms;
+allow virtualizationmanager apex_data_file:dir search;
+allow virtualizationmanager staging_data_file:file r_file_perms;
+allow virtualizationmanager staging_data_file:dir search;
+
+# Run derive_classpath in our domain
+allow virtualizationmanager derive_classpath_exec:file rx_file_perms;
+allow virtualizationmanager apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationmanager self:dir write;
+
+# Let virtualizationmanager to accept vsock connection from the guest VMs
+allow virtualizationmanager self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Allow virtualizationmanager to inspect all hypervisor capabilities.
+get_prop(virtualizationmanager, hypervisor_prop)
+get_prop(virtualizationmanager, hypervisor_restricted_prop)
+
+# Allow virtualizationmanager service to talk to tombstoned to push guest ramdumps
+unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
+
+# Append ramdumps to tombstone files passed as fds from tombstoned
+allow virtualizationmanager tombstone_data_file:file { append getattr };
+allow virtualizationmanager tombstoned:fd use;
+
+# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
+r_dir_file(virtualizationmanager, crosvm);
+
+# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
+# a harmless denial for CompOS log files, so ignore that.
+dontaudit virtualizationmanager apex_module_data_file:dir search;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 883ff56..28982bc 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -1,80 +1,45 @@
 type virtualizationservice, domain, coredomain;
 type virtualizationservice_exec, system_file_type, exec_type, file_type;
 
+# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
+# the virtualizationmanager domain running at a more constrained MLS level.
+typeattribute virtualizationservice mlstrustedsubject;
+
 # When init runs a file labelled with virtualizationservice_exec, run it in the
 # virtualizationservice domain.
 init_daemon_domain(virtualizationservice)
 
 # Let the virtualizationservice domain use Binder.
 binder_use(virtualizationservice)
-# ... and host a binder service
-binder_service(virtualizationservice)
-
-# Allow calling into the system server so that it can check permissions.
-binder_call(virtualizationservice, system_server)
-allow virtualizationservice permission_service:service_manager find;
-# Allow virtualizationservice to access "package_native" service for staged apex info.
-allow virtualizationservice package_native_service:service_manager find;
 
 # Let the virtualizationservice domain register the virtualization_service with ServiceManager.
 add_service(virtualizationservice, virtualization_service)
 
-# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
-
-# Let virtualizationservice (and specifically its children) mlock VM memory and page tables.
+# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
+# to mlock VM memory and page tables.
 allow virtualizationservice self:capability sys_resource;
+allow virtualizationservice virtualizationmanager:process setrlimit;
 
-# Let virtualizationservice kill crosvm.
-allow virtualizationservice crosvm:process sigkill;
+# Let virtualizationservice set the owner of a VM's temporary directory.
+allow virtualizationservice self:capability chown;
 
-# Let virtualizationservice access its data directory.
-allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
+# Let virtualizationservice create and delete temporary directories of VMs. To remove old
+# directories, it needs the permission to unlink the files created by virtualizationmanager.
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
-
-# Let virtualizationservice manage crosvm control sockets.
-allow virtualizationservice virtualizationservice_data_file:sock_file create_file_perms;
+allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
 
 # Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
 # crosvm to the console
 allow virtualizationservice adbd:fd use;
 allow virtualizationservice adbd:unix_stream_socket { read write };
 
-# Let virtualizationservice read and write files from its various clients, but not open them
-# directly as they must be passed over Binder by the client.
-allow virtualizationservice apk_data_file:file { getattr read };
-# Write access is needed for mutable partitions like instance.img
-allow virtualizationservice {
-  app_data_file
-  apex_compos_data_file
-  privapp_data_file
-}:file { getattr read write };
-
-# shell_data_file is used for automated tests and manual debugging.
-allow virtualizationservice shell_data_file:file { getattr read write };
-
-# Allow virtualizationservice to read apex-info-list.xml and access the APEX files listed there.
-allow virtualizationservice apex_info_file:file r_file_perms;
-allow virtualizationservice apex_data_file:dir search;
-allow virtualizationservice staging_data_file:file r_file_perms;
-allow virtualizationservice staging_data_file:dir search;
-
-# Run derive_classpath in our domain
-allow virtualizationservice derive_classpath_exec:file rx_file_perms;
-allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
-# Ignore harmless denials on /proc/self/fd
-dontaudit virtualizationservice self:dir write;
-
-# Let virtualizationservice to accept vsock connection from the guest VMs
+# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
+# such as the guest tombstone server.
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
 # Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
 set_prop(virtualizationservice, virtualizationservice_prop)
 
-# Allow virtualizationservice to inspect all hypervisor capabilities.
-get_prop(virtualizationservice, hypervisor_prop)
-get_prop(virtualizationservice, hypervisor_restricted_prop)
-
 # Allow writing stats to statsd
 unix_socket_send(virtualizationservice, statsdw, statsd)
 
@@ -85,9 +50,6 @@
 allow virtualizationservice tombstone_data_file:file { append getattr };
 allow virtualizationservice tombstoned:fd use;
 
-# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
-r_dir_file(virtualizationservice, crosvm);
-
 neverallow {
   domain
   -init
@@ -97,5 +59,12 @@
 neverallow {
   domain
   -init
+  -virtualizationmanager
   -virtualizationservice
 } virtualizationservice_data_file:file { open create };
+
+neverallow virtualizationservice {
+  domain
+  -virtualizationmanager
+  -virtualizationservice
+}:process setrlimit;
diff --git a/public/attributes b/public/attributes
index ae610e6..5509813 100644
--- a/public/attributes
+++ b/public/attributes
@@ -370,8 +370,9 @@
 hal_attribute(tetheroffload);
 hal_attribute(thermal);
 hal_attribute(tv_cec);
-hal_attribute(tv_hdmi);
 hal_attribute(tv_hdmi_cec);
+hal_attribute(tv_hdmi_connection);
+hal_attribute(tv_hdmi_earc);
 hal_attribute(tv_input);
 hal_attribute(tv_tuner);
 hal_attribute(usb);
@@ -399,6 +400,7 @@
 attribute camera_service_server;
 attribute display_service_server;
 attribute evsmanager_service_server;
+attribute remote_provisioning_service_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index d41339a..c88e3f0 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -19,6 +19,7 @@
 allow cameraserver hal_graphics_composer:fd use;
 
 add_service(cameraserver, cameraserver_service)
+add_service(cameraserver, fwk_camera_service)
 add_hwservice(cameraserver, fwk_camera_hwservice)
 
 allow cameraserver activity_service:service_manager find;
diff --git a/public/domain.te b/public/domain.te
index 217738d..79e62d0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -582,6 +582,7 @@
   -e2fs
   -fsck
   -fastbootd
+  -hal_fastboot_server
 } metadata_block_device:blk_file { append link rename write open read ioctl lock };
 
 # No domain other than recovery, update_engine and fastbootd can write to system partition(s).
@@ -1100,6 +1101,7 @@
 neverallow {
   domain
   -appdomain
+  -artd
   -installd
 } { app_data_file privapp_data_file }:lnk_file read;
 
@@ -1110,37 +1112,6 @@
   -installd
 } shell_data_file:lnk_file read;
 
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
-# not be trusting any content in those directories.
-# artd doesn't need to access /data/local/tmp, but it needs to access
-# /data/{user,user_de}/<user-id>/com.android.shell/... for compiling secondary
-# dex files.
-neverallow {
-  domain
-  -adbd
-  -artd
-  -dumpstate
-  -installd
-  -init
-  -shell
-  -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
-  domain
-  -adbd
-  -appdomain
-  -artd
-  -dumpstate
-  -init
-  -installd
-  -simpleperf_app_runner
-  -system_server # why?
-  userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
 # servicemanager and vndservicemanager are the only processes which handle the
 # service_manager list request
 neverallow * ~{
diff --git a/public/dumpstate.te b/public/dumpstate.te
index c0af235..6b112dc 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -150,6 +150,7 @@
 
 # Allow dumpstate to call dump() on specific hals.
 dump_hal(hal_authsecret)
+dump_hal(hal_bluetooth)
 dump_hal(hal_contexthub)
 dump_hal(hal_drm)
 dump_hal(hal_dumpstate)
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 52caa00..aabc884 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -23,6 +23,9 @@
 # Needed to allow sound trigger hal to access shared memory from apps.
 allow hal_audio_server appdomain:fd use;
 
+# allow self to set scheduler (and allows Binder RT PI)
+allow hal_audio_server self:global_capability_class_set sys_nice;
+
 # allow hal audio to use vnbinder
 vndbinder_use(hal_audio)
 
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 97177ba..53bbef2 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -1,8 +1,10 @@
 # HwBinder IPC from clients into server, and callbacks
 binder_call(hal_bluetooth_client, hal_bluetooth_server)
 binder_call(hal_bluetooth_server, hal_bluetooth_client)
+binder_call(hal_bluetooth_server, servicemanager)
 
 hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
+hal_attribute_service(hal_bluetooth, hal_bluetooth_service)
 
 wakelock_use(hal_bluetooth);
 
diff --git a/public/hal_can.te b/public/hal_can.te
index 959d1d9..d48c43f 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -7,3 +7,7 @@
 binder_call(hal_can_bus_client, hal_can_bus_server)
 binder_call(hal_can_bus_server, hal_can_bus_client)
 hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
+
+# AIDL HAL for CAN buses (ICanController)
+hal_attribute_service(hal_can_controller, hal_can_controller_service)
+binder_use(hal_can_controller)
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
index 3724d35..8d3e15c 100644
--- a/public/hal_secure_element.te
+++ b/public/hal_secure_element.te
@@ -3,3 +3,8 @@
 binder_call(hal_secure_element_server, hal_secure_element_client)
 
 hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
+hal_attribute_service(hal_secure_element, hal_secure_element_service)
+
+binder_use(hal_secure_element_server)
+
+allow hal_secure_element_client hal_secure_element_service:service_manager find;
diff --git a/public/hal_tv_hdmi.te b/public/hal_tv_hdmi.te
deleted file mode 100644
index 8e91aa2..0000000
--- a/public/hal_tv_hdmi.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# Binder IPC from clients into server, and callbacks
-binder_call(hal_tv_hdmi_client, hal_tv_hdmi_server)
-binder_call(hal_tv_hdmi_server, hal_tv_hdmi_client)
-binder_call(hal_tv_hdmi_client, servicemanager)
-binder_call(hal_tv_hdmi_server, servicemanager)
-
-hal_attribute_service(hal_tv_hdmi, hal_tv_hdmi_service)
diff --git a/public/hal_tv_hdmi_cec.te b/public/hal_tv_hdmi_cec.te
index 1b75676..eb01b67 100644
--- a/public/hal_tv_hdmi_cec.te
+++ b/public/hal_tv_hdmi_cec.te
@@ -1,7 +1,7 @@
 # Binder IPC from clients into server, and callbacks
 binder_call(hal_tv_hdmi_cec_client, hal_tv_hdmi_cec_server)
 binder_call(hal_tv_hdmi_cec_server, hal_tv_hdmi_cec_client)
-binder_call(hal_tv_hdmi_cec_client, servicemanager)
-binder_call(hal_tv_hdmi_cec_server, servicemanager)
+binder_use(hal_tv_hdmi_cec_client)
+binder_use(hal_tv_hdmi_cec_server)
 
 hal_attribute_service(hal_tv_hdmi_cec, hal_tv_hdmi_cec_service)
diff --git a/public/hal_tv_hdmi_connection.te b/public/hal_tv_hdmi_connection.te
new file mode 100644
index 0000000..f6de27d
--- /dev/null
+++ b/public/hal_tv_hdmi_connection.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_connection_client, hal_tv_hdmi_connection_server)
+binder_call(hal_tv_hdmi_connection_server, hal_tv_hdmi_connection_client)
+binder_use(hal_tv_hdmi_connection_client)
+binder_use(hal_tv_hdmi_connection_server)
+
+hal_attribute_service(hal_tv_hdmi_connection, hal_tv_hdmi_connection_service)
diff --git a/public/hal_tv_hdmi_earc.te b/public/hal_tv_hdmi_earc.te
new file mode 100644
index 0000000..2d76fc6
--- /dev/null
+++ b/public/hal_tv_hdmi_earc.te
@@ -0,0 +1,7 @@
+# Binder IPC from clients into server, and callbacks
+binder_call(hal_tv_hdmi_earc_client, hal_tv_hdmi_earc_server)
+binder_call(hal_tv_hdmi_earc_server, hal_tv_hdmi_earc_client)
+binder_use(hal_tv_hdmi_earc_client)
+binder_use(hal_tv_hdmi_earc_server)
+
+hal_attribute_service(hal_tv_hdmi_earc, hal_tv_hdmi_earc_service)
diff --git a/public/init.te b/public/init.te
index d99172f..a399b3a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -199,6 +199,7 @@
 allow init {
   file_type
   -app_data_file
+  -bpffs_type
   -exec_type
   -misc_logd_file
   -nativetest_data_file
@@ -212,6 +213,7 @@
 allow init {
   file_type
   -app_data_file
+  -bpffs_type
   -credstore_data_file
   -exec_type
   -keystore_data_file
@@ -233,6 +235,7 @@
   file_type
   -apex_info_file
   -app_data_file
+  -bpffs_type
   -exec_type
   -gsi_data_file
   -credstore_data_file
@@ -259,6 +262,7 @@
 allow init {
   file_type
   -app_data_file
+  -bpffs_type
   -exec_type
   -gsi_data_file
   -credstore_data_file
@@ -278,6 +282,7 @@
   file_type
   -apex_mnt_dir
   -app_data_file
+  -bpffs_type
   -exec_type
   -gsi_data_file
   -credstore_data_file
@@ -297,6 +302,7 @@
 
 allow init {
   file_type
+  -bpffs_type
   -system_dlkm_file_type
   -system_file_type
   -vendor_file_type
@@ -321,6 +327,7 @@
 # chown/chmod on pseudo files.
 allow init {
   fs_type
+  -bpffs_type
   -contextmount_type
   -keychord_device
   -proc_type
@@ -330,7 +337,14 @@
   -rootfs
   enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir  { open read setattr search };
+allow init {
+  fs_type
+  -bpffs_type
+  -contextmount_type
+  -sdcard_type
+  -fusefs_type
+  -rootfs
+}:dir { open read setattr search };
 
 allow init {
   binder_device
@@ -365,7 +379,8 @@
 userdebug_or_eng(`
   # Overlayfs workdir write access check during mount to permit remount,rw
   allow init overlayfs_file:dir { relabelfrom mounton write };
-  allow init overlayfs_file:file { append };
+  allow init overlayfs_file:file { append rename };
+  allow init overlayfs_file:chr_file unlink;
   allow init system_block_device:blk_file { write };
 ')
 
@@ -383,7 +398,6 @@
 
 allow init {
   proc_abi
-  proc_bpf
   proc_cpu_alignment
   proc_dirty
   proc_hostname
diff --git a/public/keystore.te b/public/keystore.te
index 8ac503e..4cef175 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -5,6 +5,7 @@
 typeattribute keystore mlstrustedsubject;
 binder_use(keystore)
 binder_service(keystore)
+binder_call(keystore, remote_provisioning_service_server)
 binder_call(keystore, system_server)
 binder_call(keystore, wificond)
 
@@ -17,6 +18,7 @@
 add_service(keystore, remoteprovisioning_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 allow keystore dropbox_service:service_manager find;
+allow keystore remote_provisioning_service:service_manager find;
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
diff --git a/public/property.te b/public/property.te
index 00ae1bb..c0a3a6e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
 system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
+system_restricted_prop(device_config_camera_native_prop)
 system_restricted_prop(device_config_nnapi_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)
diff --git a/public/remote_provisioning_service_server.te b/public/remote_provisioning_service_server.te
new file mode 100644
index 0000000..710b43d
--- /dev/null
+++ b/public/remote_provisioning_service_server.te
@@ -0,0 +1,5 @@
+# This service is hosted by system server, and provides a stable aidl
+# front-end for a mainline module that is loaded into system server.
+add_service(remote_provisioning_service_server, remote_provisioning_service)
+
+binder_use(remote_provisioning_service_server)
diff --git a/public/service.te b/public/service.te
index 1ff3668..443a4f7 100644
--- a/public/service.te
+++ b/public/service.te
@@ -7,6 +7,7 @@
 type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
 type bluetooth_service,         service_manager_type;
 type cameraserver_service,      service_manager_type;
+type fwk_camera_service,        service_manager_type;
 type default_android_service,   service_manager_type;
 type dice_maintenance_service,  service_manager_type;
 type dice_node_service,         service_manager_type;
@@ -135,6 +136,7 @@
 type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type gnss_time_update_service, system_server_service, service_manager_type;
+type grammatical_inflection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type hardware_service, system_server_service, service_manager_type;
 type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -194,6 +196,7 @@
 type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
 type recovery_service, system_server_service, service_manager_type;
 type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type remote_provisioning_service, system_server_service, service_manager_type;
 type resources_manager_service, system_api_service, system_server_service, service_manager_type;
 type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type role_service, app_api_service, system_server_service, service_manager_type;
@@ -271,9 +274,11 @@
 type hal_audio_service, protected_service, hal_service_type, service_manager_type;
 type hal_audiocontrol_service, hal_service_type, service_manager_type;
 type hal_authsecret_service, protected_service, hal_service_type, service_manager_type;
+type hal_bluetooth_service, protected_service, hal_service_type, service_manager_type;
 type hal_bootctl_service, protected_service, hal_service_type, service_manager_type;
 type hal_broadcastradio_service, protected_service, hal_service_type, service_manager_type;
 type hal_camera_service, protected_service, hal_service_type, service_manager_type;
+type hal_can_controller_service, protected_service, hal_service_type, service_manager_type;
 type hal_cas_service, hal_service_type, service_manager_type;
 type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
 type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
@@ -306,11 +311,13 @@
 type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
 type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
 type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
+type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
 type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
 type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
 type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
-type hal_tv_hdmi_service, protected_service, hal_service_type, service_manager_type;
 type hal_tv_hdmi_cec_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type;
+type hal_tv_hdmi_earc_service, protected_service, hal_service_type, service_manager_type;
 type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
 type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
 type hal_usb_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 730c1e0..3473e74 100644
--- a/public/su.te
+++ b/public/su.te
@@ -97,8 +97,9 @@
   typeattribute su hal_tetheroffload_client;
   typeattribute su hal_thermal_client;
   typeattribute su hal_tv_cec_client;
-  typeattribute su hal_tv_hdmi_client;
   typeattribute su hal_tv_hdmi_cec_client;
+  typeattribute su hal_tv_hdmi_connection_client;
+  typeattribute su hal_tv_hdmi_earc_client;
   typeattribute su hal_tv_input_client;
   typeattribute su hal_tv_tuner_client;
   typeattribute su hal_usb_client;
diff --git a/public/te_macros b/public/te_macros
index ab42534..11041b6 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -183,26 +183,25 @@
 ####################################
 # virtualizationservice_use(domain)
 # Allow domain to create and communicate with a virtual machine using
-# virtualizationservice.
+# virtualizationservice and virtualizationmanager.
 define(`virtualizationservice_use', `
-allow $1 virtualization_service:service_manager find;
-# Let the client call virtualizationservice.
-binder_call($1, virtualizationservice)
-# Let virtualizationservice call back to the client.
-binder_call(virtualizationservice, $1)
-# Let the client pass file descriptors to virtualizationservice and on
-# to crosvm
-allow { virtualizationservice crosvm } $1:fd use;
+# Transition to virtualizationmanager when the client executes it.
+domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager)
+# Allow virtualizationmanager to communicate over UDS with the client.
+allow { virtualizationmanager crosvm } $1:unix_stream_socket { getattr read write };
+# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
+allow { virtualizationmanager crosvm } $1:fd use;
+# Let the client use file descriptors created by virtualizationmanager.
+allow $1 virtualizationmanager:fd use;
 # Allow piping console log to the client
-allow { virtualizationservice crosvm } $1:fifo_file { getattr write};
-# Allow client to read/write vsock created by virtualizationservice to
-# communicate with the VM that it created. Notice that we do not grant
-# permission to create a vsock; the client can only connect to VMs
-# that it owns.
-allow $1 virtualizationservice:vsock_socket { getattr getopt read write };
+allow { virtualizationmanager crosvm } $1:fifo_file { getattr read write };
+# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
+# that it created. Notice that we do not grant permission to create a vsock;
+# the client can only connect to VMs that it owns.
+allow $1 virtualizationmanager:vsock_socket { getattr getopt read write };
 # Allow client to inspect hypervisor capabilities
 get_prop($1, hypervisor_prop)
-# Allow client to read (but not open) the crashdump provided by virtualizationservice
+# Allow client to read (but not open) the crashdump provided by virtualizationmanager
 allow $1 virtualizationservice_data_file:file { getattr read };
 ')
 
diff --git a/public/usbd.te b/public/usbd.te
index 6f34954..ee36784 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,2 +1,4 @@
 type usbd, domain;
 type usbd_exec, system_file_type, exec_type, file_type;
+
+binder_call(usbd, servicemanager)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 61fa686..683ab61 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -48,6 +48,7 @@
 
 allow vendor_init {
   file_type
+  -bpffs_type
   -core_data_file_type
   -exec_type
   -system_dlkm_file_type
@@ -67,6 +68,7 @@
 
 allow vendor_init {
   file_type
+  -bpffs_type
   -core_data_file_type
   -exec_type
   -password_slot_metadata_file
@@ -86,6 +88,7 @@
 
 allow vendor_init {
   file_type
+  -bpffs_type
   -core_data_file_type
   -exec_type
   -password_slot_metadata_file
@@ -103,6 +106,7 @@
 allow vendor_init {
   file_type
   -apex_mnt_dir
+  -bpffs_type
   -core_data_file_type
   -exec_type
   -password_slot_metadata_file
@@ -119,6 +123,7 @@
 
 allow vendor_init {
   file_type
+  -bpffs_type
   -core_data_file_type
   -exec_type
   -mnt_product_file
@@ -142,6 +147,7 @@
 # chown/chmod on pseudo files.
 allow vendor_init {
   fs_type
+  -bpffs_type
   -contextmount_type
   -keychord_device
   -sdcard_type
@@ -157,6 +163,7 @@
 
 allow vendor_init {
   fs_type
+  -bpffs_type
   -contextmount_type
   -sdcard_type
   -fusefs_type
@@ -164,7 +171,7 @@
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
   -proc_uid_concurrent_policy_time
-}:dir  { open read setattr search };
+}:dir { open read setattr search };
 
 allow vendor_init dev_type:blk_file getattr;
 
diff --git a/vendor/file_contexts b/vendor/file_contexts
index c69b451..b21302c 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,10 +10,11 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service    u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service  u:object_r:hal_can_socketcan_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can-service  u:object_r:hal_can_socketcan_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs(.*)?          u:object_r:hal_evs_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-((default|emulator)-)*(service|protocan-service)  u:object_r:hal_vehicle_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@V1-(default|emulator)-service u:object_r:hal_vehicle_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-default-service u:object_r:hal_remoteaccess_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.remoteaccess@V1-(.*)-service u:object_r:hal_remoteaccess_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
@@ -91,14 +92,16 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example  u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)?  u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software   u:object_r:hal_dice_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service   u:object_r:hal_keymint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service        u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example       u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service        u:object_r:hal_tv_cec_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec-service             u:object_r:hal_tv_hdmi_cec_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi-service            u:object_r:hal_tv_hdmi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.cec-service           u:object_r:hal_tv_hdmi_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.connection-service    u:object_r:hal_tv_hdmi_connection_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.earc-service          u:object_r:hal_tv_hdmi_earc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service      u:object_r:hal_tv_input_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input-service\.example  u:object_r:hal_tv_input_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service   u:object_r:hal_tv_tuner_default_exec:s0
@@ -113,6 +116,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy      u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service                u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi-service-lazy           u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/hostapd                                        u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/install-recovery\.sh                              u:object_r:vendor_install_recovery_exec:s0
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 82cbf8e..506c7e4 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -6,5 +6,8 @@
 
 hal_client_domain(hal_audio_default, hal_allocator)
 
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_audio_default fwk_sensor_service:service_manager find;
+
 # allow audioserver to call hal_audio dump with its own fd to retrieve status
 allow hal_audio_default audioserver:fifo_file write;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index b0912d4..e7c5886 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -4,7 +4,12 @@
 type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)
 
+# HIDL sensorservice
 allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+# AIDL sensorservice
+allow hal_camera_default fwk_sensor_service:service_manager find;
+
+get_prop(hal_camera_default, device_config_camera_native_prop);
 
 # For collecting bugreports.
 allow hal_camera_default dumpstate:fd use;
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
index 7498788..12bb028 100644
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@@ -9,10 +9,12 @@
 allow hal_can_socketcan self:capability net_admin;
 allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
 
-# Calling if_nametoindex(3) to open CAN sockets
+# See man page for netdevice(7) for more info on ioctls
 allow hal_can_socketcan self:udp_socket { create ioctl };
 allowxperm hal_can_socketcan self:udp_socket ioctl {
     SIOCGIFINDEX
+    SIOCGIFFLAGS
+    SIOCSIFFLAGS
 };
 
 # Communicating with SocketCAN interfaces and bringing them up/down
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
index ddfa62e..66ce40c 100644
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@@ -4,4 +4,7 @@
 type hal_face_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_face_default)
 
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_face_default fwk_sensor_service:service_manager find;
+
 set_prop(hal_face_default, virtual_face_hal_prop)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 812c528..7173223 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -4,4 +4,7 @@
 type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_fingerprint_default)
 
+# android.frameworks.sensorservice through libsensorndkbridge
+allow hal_fingerprint_default fwk_sensor_service:service_manager find;
+
 set_prop(hal_fingerprint_default, virtual_fingerprint_hal_prop)
diff --git a/vendor/hal_tv_hdmi_connection_default.te b/vendor/hal_tv_hdmi_connection_default.te
new file mode 100644
index 0000000..bad8961
--- /dev/null
+++ b/vendor/hal_tv_hdmi_connection_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_connection_default, domain;
+hal_server_domain(hal_tv_hdmi_connection_default, hal_tv_hdmi_connection)
+
+type hal_tv_hdmi_connection_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_connection_default)
diff --git a/vendor/hal_tv_hdmi_default.te b/vendor/hal_tv_hdmi_default.te
deleted file mode 100644
index e974fd8..0000000
--- a/vendor/hal_tv_hdmi_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_tv_hdmi_default, domain;
-hal_server_domain(hal_tv_hdmi_default, hal_tv_hdmi)
-
-type hal_tv_hdmi_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_tv_hdmi_default)
diff --git a/vendor/hal_tv_hdmi_earc_default.te b/vendor/hal_tv_hdmi_earc_default.te
new file mode 100644
index 0000000..d2a729d
--- /dev/null
+++ b/vendor/hal_tv_hdmi_earc_default.te
@@ -0,0 +1,5 @@
+type hal_tv_hdmi_earc_default, domain;
+hal_server_domain(hal_tv_hdmi_earc_default, hal_tv_hdmi_earc)
+
+type hal_tv_hdmi_earc_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tv_hdmi_earc_default)