Merge "Disallow untrusted apps to read ro.debuggable and ro.secure"
diff --git a/Android.mk b/Android.mk
index fae4cba..50c265d 100644
--- a/Android.mk
+++ b/Android.mk
@@ -477,7 +477,6 @@
 LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
 endif
 
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy.apex_sepolicy.sha256
 endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
 
 
diff --git a/apex/Android.bp b/apex/Android.bp
index 8f11771..8c9db86 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -21,6 +21,8 @@
     default_applicable_licenses: ["system_sepolicy_license"],
 }
 
+// TODO(b/236681553): Remove com.android.bluetooth-file_contexts
+
 filegroup {
   name: "apex_file_contexts_files",
   srcs: ["*-file_contexts"],
@@ -263,3 +265,10 @@
     "com.android.ondevicepersonalization-file_contexts",
   ],
 }
+
+filegroup {
+  name: "com.android.healthconnect-file_contexts",
+  srcs: [
+    "com.android.healthconnect-file_contexts",
+  ],
+}
diff --git a/apex/com.android.btservices-file_contexts b/apex/com.android.btservices-file_contexts
new file mode 100644
index 0000000..f6b21da
--- /dev/null
+++ b/apex/com.android.btservices-file_contexts
@@ -0,0 +1,2 @@
+(/.*)?                u:object_r:system_file:s0
+/lib(64)?(/.*)        u:object_r:system_lib_file:s0
diff --git a/apex/com.android.healthconnect-file_contexts b/apex/com.android.healthconnect-file_contexts
new file mode 100644
index 0000000..9398505
--- /dev/null
+++ b/apex/com.android.healthconnect-file_contexts
@@ -0,0 +1 @@
+(/.*)?           u:object_r:system_file:s0
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 43c98c9..ad17b8f 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -22,7 +22,7 @@
 	$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
 
 # Should be synced with keys.conf.
-all_plat_keys := platform media networkstack sdk_sandbox shared testkey
+all_plat_keys := platform sdk_sandbox media networkstack shared testkey bluetooth
 all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
 
 $(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 37ffadb..8f4b2c1 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -36,12 +36,6 @@
 # Let microdroid_manager kernel-log.
 allow microdroid_manager kmsg_device:chr_file w_file_perms;
 
-# Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below rule
-userdebug_or_eng(`
-  r_dir_file(microdroid_manager, fuse)
-')
-
 # Let microdroid_manager to create a vsock connection back to the host VM
 allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
 
diff --git a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
index a07f5ae..c1fc736 100644
--- a/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
+++ b/prebuilts/api/33.0/private/compat/32.0/32.0.ignore.cil
@@ -18,6 +18,7 @@
     device_config_nnapi_native_prop
     device_config_surface_flinger_native_boot_prop
     device_config_vendor_system_native_prop
+    device_config_vendor_system_native_boot_prop
     dice_maintenance_service
     dice_node_service
     diced
diff --git a/prebuilts/api/33.0/private/composd.te b/prebuilts/api/33.0/private/composd.te
index 5f99a92..d007d66 100644
--- a/prebuilts/api/33.0/private/composd.te
+++ b/prebuilts/api/33.0/private/composd.te
@@ -31,6 +31,7 @@
 
 # Read ART's properties
 get_prop(composd, dalvik_config_prop)
+get_prop(composd, device_config_runtime_native_boot_prop)
 
 # We never create any artifact files directly
 neverallow composd apex_art_data_file:file ~unlink;
diff --git a/prebuilts/api/33.0/private/flags_health_check.te b/prebuilts/api/33.0/private/flags_health_check.te
index 54ecd45..58275ff 100644
--- a/prebuilts/api/33.0/private/flags_health_check.te
+++ b/prebuilts/api/33.0/private/flags_health_check.te
@@ -24,6 +24,7 @@
 set_prop(flags_health_check, device_config_connectivity_prop)
 set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
 set_prop(flags_health_check, device_config_vendor_system_native_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
diff --git a/prebuilts/api/33.0/private/property_contexts b/prebuilts/api/33.0/private/property_contexts
index 2a9ed78..4eda4a1 100644
--- a/prebuilts/api/33.0/private/property_contexts
+++ b/prebuilts/api/33.0/private/property_contexts
@@ -257,6 +257,7 @@
 persist.device_config.surface_flinger_native_boot.  u:object_r:device_config_surface_flinger_native_boot_prop:s0
 persist.device_config.swcodec_native.               u:object_r:device_config_swcodec_native_prop:s0
 persist.device_config.vendor_system_native.         u:object_r:device_config_vendor_system_native_prop:s0
+persist.device_config.vendor_system_native_boot.    u:object_r:device_config_vendor_system_native_boot_prop:s0
 persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
 persist.device_config.window_manager_native_boot.   u:object_r:device_config_window_manager_native_boot_prop:s0
 
diff --git a/prebuilts/api/33.0/private/system_server.te b/prebuilts/api/33.0/private/system_server.te
index 0f72c7f..8a7947d 100644
--- a/prebuilts/api/33.0/private/system_server.te
+++ b/prebuilts/api/33.0/private/system_server.te
@@ -752,6 +752,7 @@
 set_prop(system_server, device_config_connectivity_prop)
 set_prop(system_server, device_config_surface_flinger_native_boot_prop)
 set_prop(system_server, device_config_vendor_system_native_prop)
+set_prop(system_server, device_config_vendor_system_native_boot_prop)
 set_prop(system_server, device_config_virtualization_framework_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
 
diff --git a/prebuilts/api/33.0/private/vehicle_binding_util.te b/prebuilts/api/33.0/private/vehicle_binding_util.te
index 76d0756..f527944 100644
--- a/prebuilts/api/33.0/private/vehicle_binding_util.te
+++ b/prebuilts/api/33.0/private/vehicle_binding_util.te
@@ -8,8 +8,10 @@
 # allow writing to kmsg during boot
 allow vehicle_binding_util kmsg_device:chr_file { getattr w_file_perms };
 
-# allow reading the binding property from vhal
+# allow reading the binding property from HIDL VHAL.
 hwbinder_use(vehicle_binding_util)
+# allow reading the binding property from AIDL VHAL.
+binder_use(vehicle_binding_util)
 hal_client_domain(vehicle_binding_util, hal_vehicle)
 
 # allow executing vdc
diff --git a/prebuilts/api/33.0/public/dumpstate.te b/prebuilts/api/33.0/public/dumpstate.te
index 05a7317..8d3e556 100644
--- a/prebuilts/api/33.0/public/dumpstate.te
+++ b/prebuilts/api/33.0/public/dumpstate.te
@@ -113,6 +113,9 @@
   sysfs_zram
 }:file r_file_perms;
 
+# Ignore other file access under /sys.
+dontaudit dumpstate sysfs:file r_file_perms;
+
 # Other random bits of data we want to collect
 no_debugfs_restriction(`
   allow dumpstate debugfs:file r_file_perms;
diff --git a/prebuilts/api/33.0/public/property.te b/prebuilts/api/33.0/public/property.te
index a235634..42fe979 100644
--- a/prebuilts/api/33.0/public/property.te
+++ b/prebuilts/api/33.0/public/property.te
@@ -68,6 +68,7 @@
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(device_config_surface_flinger_native_boot_prop)
 system_restricted_prop(device_config_vendor_system_native_prop)
+system_restricted_prop(device_config_vendor_system_native_boot_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
diff --git a/prebuilts/api/33.0/public/vendor_init.te b/prebuilts/api/33.0/public/vendor_init.te
index b7302d4..57df54c 100644
--- a/prebuilts/api/33.0/public/vendor_init.te
+++ b/prebuilts/api/33.0/public/vendor_init.te
@@ -274,6 +274,7 @@
 
 # Allow vendor_init to read vendor_system_native device config changes
 get_prop(vendor_init, device_config_vendor_system_native_prop)
+get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
 
 ###
 ### neverallow rules
diff --git a/private/app.te b/private/app.te
index 269609a..69ec868 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,3 +1,34 @@
+# /proc/net access.
+# TODO(b/9496886) Audit access for removal.
+# proc_net access for the negated domains below is granted (or not) in their
+# individual .te files.
+r_dir_file({
+  appdomain
+  -ephemeral_app
+  -isolated_app
+  -platform_app
+  -priv_app
+  -shell
+  -sdk_sandbox
+  -system_app
+  -untrusted_app_all
+}, proc_net_type)
+# audit access for all these non-core app domains.
+userdebug_or_eng(`
+  auditallow {
+    appdomain
+    -ephemeral_app
+    -isolated_app
+    -platform_app
+    -priv_app
+    -shell
+    -su
+    -sdk_sandbox
+    -system_app
+    -untrusted_app_all
+  } proc_net_type:{ dir file lnk_file } { getattr open read };
+')
+
 # Allow apps to read the Test Harness Mode property. This property is used in
 # the implementation of ActivityManager.isDeviceInTestHarnessMode()
 get_prop(appdomain, test_harness_prop)
@@ -96,6 +127,70 @@
 allow appdomain tombstone_data_file:file { getattr read };
 neverallow appdomain tombstone_data_file:file ~{ getattr read };
 
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
+allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
+
+# Perform binder IPC to sdk sandbox.
+binder_call(appdomain, sdk_sandbox)
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
+
+#logd access
+control_logd({ appdomain -ephemeral_app -sdk_sandbox })
+
+# application inherit logd write socket (urge is to deprecate this long term)
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
+
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
+
+use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
+
+use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
+
+# For app fuse.
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
+
+
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
 
@@ -178,11 +273,7 @@
 allow appdomain oemfs:dir r_dir_perms;
 allow appdomain oemfs:file rx_file_perms;
 
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
 allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system
 allow appdomain system_file:dir r_dir_perms;
@@ -198,14 +289,6 @@
     allow { appdomain -isolated_app } vendor_file:dir { open read };
 ')
 
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
-allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
-
-# Perform binder IPC to sdk sandbox.
-binder_call(appdomain, sdk_sandbox)
-
 # Allow apps access to /vendor/overlay
 r_dir_file(appdomain, vendor_overlay_file)
 
@@ -276,37 +359,6 @@
   allow appdomain heapdump_data_file:file append;
 ')
 
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# proc_net access for the negated domains below is granted (or not) in their
-# individual .te files.
-r_dir_file({
-  appdomain
-  -ephemeral_app
-  -isolated_app
-  -platform_app
-  -priv_app
-  -sdk_sandbox
-  -shell
-  -system_app
-  -untrusted_app_all
-}, proc_net_type)
-# audit access for all these non-core app domains.
-userdebug_or_eng(`
-  auditallow {
-    appdomain
-    -ephemeral_app
-    -isolated_app
-    -platform_app
-    -priv_app
-    -sdk_sandbox
-    -shell
-    -su
-    -system_app
-    -untrusted_app_all
-  } proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
 allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
@@ -349,29 +401,6 @@
 # Read and write /data/data/com.android.providers.telephony files passed over Binder.
 allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
 
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } { sdcard_type fuse }:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } media_rw_data_file:file create_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
-
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
 allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
@@ -390,20 +419,9 @@
 
 # logd access
 read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app -sdk_sandbox })
-# application inherit logd write socket (urge is to deprecate this long term)
+
 allow appdomain zygote:unix_dgram_socket write;
 
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2_key { delete use get_info rebind update };
-
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } keystore:keystore2 get_state;
-
-use_keystore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
-
-use_credstore({ appdomain -isolated_app -ephemeral_app -sdk_sandbox })
-
 allow appdomain console_device:chr_file { read write };
 
 # only allow unprivileged socket ioctl commands
@@ -433,13 +451,6 @@
 # For app fuse.
 allow appdomain app_fuse_file:file { getattr read append write map };
 
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app -sdk_sandbox }, bufferhub_client)
-
 ###
 ### CTS-specific rules
 ###
@@ -449,11 +460,6 @@
 allow appdomain runas_exec:file getattr;
 # Others are either allowed elsewhere or not desired.
 
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app -sdk_sandbox } tun_device:chr_file ioctl TUNGETIFF;
-
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
 allow appdomain adbd:unix_stream_socket connectto;
@@ -481,8 +487,8 @@
   isolated_app
   nfc
   radio
-  sdk_sandbox
   shared_relro
+  sdk_sandbox
   system_app
 } {
   data_file_type
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 22381b5..496832e 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -9,6 +9,7 @@
     artd_service
     attestation_verification_service
     camera2_extensions_prop
+    communal_service
     device_config_nnapi_native_prop
     dice_maintenance_service
     dice_node_service
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 805ca7c..18de796 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -18,6 +18,7 @@
     device_config_nnapi_native_prop
     device_config_surface_flinger_native_boot_prop
     device_config_vendor_system_native_prop
+    device_config_vendor_system_native_boot_prop
     dice_maintenance_service
     dice_node_service
     diced
diff --git a/private/domain.te b/private/domain.te
index 81e781e..c585613 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -612,7 +612,7 @@
 # respect system_app sandboxes
 neverallow {
   domain
-  -appdomain # finer-grained rules for appdomain are listed below
+  -appdomain
   -system_server #populate com.android.providers.settings/databases/settings.db.
   -installd # creation of app sandbox
   -traced_probes # resolve inodes for i/o tracing.
@@ -621,8 +621,8 @@
 } system_app_data_file:dir_file_class_set { create unlink open };
 neverallow {
   isolated_app
-  untrusted_app_all # finer-grained rules for appdomain are listed below
   ephemeral_app
   priv_app
   sdk_sandbox
+  untrusted_app_all
 } system_app_data_file:dir_file_class_set { create unlink open };
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index cef7bde..64b595d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -24,6 +24,7 @@
 set_prop(flags_health_check, device_config_connectivity_prop)
 set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
 set_prop(flags_health_check, device_config_vendor_system_native_prop)
+set_prop(flags_health_check, device_config_vendor_system_native_boot_prop)
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
 set_prop(flags_health_check, device_config_memory_safety_native_prop)
 
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index e2d16cc..8795798 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -6,8 +6,6 @@
 app_domain(gmscore_app)
 
 allow gmscore_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(gmscore_app, sysfs_net)
 # Read access to /sys/block/zram*/mm_stat
 r_dir_file(gmscore_app, sysfs_zram)
 
@@ -60,6 +58,8 @@
 dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
 dontaudit gmscore_app sysfs_dm:file r_file_perms;
 dontaudit gmscore_app sysfs_loop:file r_file_perms;
+dontaudit gmscore_app sysfs_net:file r_file_perms;
+dontaudit gmscore_app sysfs_net:dir r_dir_perms;
 dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
 dontaudit gmscore_app mirror_data_file:dir search;
 dontaudit gmscore_app mnt_vendor_file:dir search;
@@ -148,3 +148,24 @@
 
 # b/186488185: Allow GMSCore to read dck properties
 get_prop(gmscore_app, dck_prop)
+
+# Do not allow getting permission-protected network information from sysfs.
+neverallow gmscore_app sysfs_net:file *;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm gmscore_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow gmscore_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow gmscore_app *:{
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket sctp_socket
+  ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+  atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+  alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
diff --git a/private/keys.conf b/private/keys.conf
index 30739f9..18c1a8c 100644
--- a/private/keys.conf
+++ b/private/keys.conf
@@ -14,6 +14,9 @@
 [@SDK_SANDBOX]
 ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/sdk_sandbox.x509.pem
 
+[@BLUETOOTH]
+ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/bluetooth.x509.pem
+
 [@MEDIA]
 ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
 
diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml
index ec3df0f..c9a9aca 100644
--- a/private/mac_permissions.xml
+++ b/private/mac_permissions.xml
@@ -56,6 +56,11 @@
       <seinfo value="sdk_sandbox" />
     </signer>
 
+    <!-- Bluetooth key in AOSP -->
+    <signer signature="@BLUETOOTH" >
+      <seinfo value="bluetooth" />
+    </signer>
+
     <!-- Media key in AOSP -->
     <signer signature="@MEDIA" >
       <seinfo value="media" />
diff --git a/private/net.te b/private/net.te
index c2bac03..07e4271 100644
--- a/private/net.te
+++ b/private/net.te
@@ -16,3 +16,4 @@
   -sdk_sandbox
   -untrusted_app_all
 } self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
+
diff --git a/private/priv_app.te b/private/priv_app.te
index c7d6ab1..9d7a0f6 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -107,16 +107,11 @@
 }:file r_file_perms;
 
 allow priv_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(priv_app, sysfs_net)
 # Read access to /sys/block/zram*/mm_stat
 r_dir_file(priv_app, sysfs_zram)
 
 r_dir_file(priv_app, rootfs)
 
-# access the mac address
-allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-
 # Allow com.android.vending to communicate with statsd.
 binder_call(priv_app, statsd)
 
@@ -270,5 +265,26 @@
 # Do not follow untrusted app provided symlinks
 neverallow priv_app app_data_file:lnk_file { open read getattr };
 
-# Allow reporting off body events to keystore.
+# Do not allow getting permission-protected network information from sysfs.
+neverallow priv_app sysfs_net:file *;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm priv_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow priv_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow priv_app *:{
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket sctp_socket
+  ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
+  atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
+  bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+  alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+} *;
+
+# Allow priv apps to report off body events to keystore2.
 allow priv_app keystore:keystore2 report_off_body;
diff --git a/private/property_contexts b/private/property_contexts
index 57e48a6..7ded7cc 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -262,6 +262,7 @@
 persist.device_config.surface_flinger_native_boot.  u:object_r:device_config_surface_flinger_native_boot_prop:s0
 persist.device_config.swcodec_native.               u:object_r:device_config_swcodec_native_prop:s0
 persist.device_config.vendor_system_native.         u:object_r:device_config_vendor_system_native_prop:s0
+persist.device_config.vendor_system_native_boot.    u:object_r:device_config_vendor_system_native_boot_prop:s0
 persist.device_config.virtualization_framework_native. u:object_r:device_config_virtualization_framework_native_prop:s0
 persist.device_config.window_manager_native_boot.   u:object_r:device_config_window_manager_native_boot_prop:s0
 persist.device_config.memory_safety_native.         u:object_r:device_config_memory_safety_native_prop:s0
@@ -539,6 +540,22 @@
 bluetooth.core.classic.inq_scan_interval             u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.classic.inq_scan_window               u:object_r:bluetooth_config_prop:s0 exact uint
 bluetooth.core.classic.page_timeout                  u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.classic.sniff_max_intervals           u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.core.classic.sniff_min_intervals           u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.core.classic.sniff_attempts                u:object_r:bluetooth_config_prop:s0 exact string
+bluetooth.core.classic.sniff_timeouts                u:object_r:bluetooth_config_prop:s0 exact string
+
+bluetooth.core.le.min_connection_interval            u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.max_connection_interval            u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_latency                 u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_supervision_timeout     u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.direct_connection_timeout          u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_interval_fast      u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_fast        u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_2m_fast     u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_coded_fast  u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_interval_slow      u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.connection_scan_window_slow        u:object_r:bluetooth_config_prop:s0 exact uint
 
 persist.nfc.debug_enabled                      u:object_r:nfc_prop:s0 exact bool
 
@@ -778,6 +795,7 @@
 ro.boot.bootloader         u:object_r:bootloader_prop:s0 exact string
 ro.boot.boottime           u:object_r:bootloader_prop:s0 exact string
 ro.boot.console            u:object_r:bootloader_prop:s0 exact string
+ro.boot.ddr_size           u:object_r:bootloader_prop:s0 exact string
 ro.boot.hardware           u:object_r:bootloader_prop:s0 exact string
 ro.boot.hardware.color     u:object_r:bootloader_prop:s0 exact string
 ro.boot.hardware.sku       u:object_r:bootloader_prop:s0 exact string
@@ -1205,6 +1223,7 @@
 ro.surface_flinger.enable_layer_caching                   u:object_r:surfaceflinger_prop:s0 exact bool
 ro.surface_flinger.display_update_imminent_timeout_ms     u:object_r:surfaceflinger_prop:s0 exact int
 ro.surface_flinger.uclamp.min                             u:object_r:surfaceflinger_prop:s0 exact int
+ro.surface_flinger.ignore_hdr_camera_layers               u:object_r:surfaceflinger_prop:s0 exact bool
 
 ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
 ro.sf.lcd_density           u:object_r:surfaceflinger_prop:s0 exact int
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 20d3adf..d851ab7 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -12,10 +12,6 @@
 
 # Allow finding services. This is different from ephemeral_app policy.
 # Adding services manually to the allowlist is preferred hence app_api_service is not used.
-# Audit the access to signal that we are still investigating whether sdk_sandbox
-# should have access to audio_service
-# TODO(b/211632068): remove this line
-auditallow sdk_sandbox audio_service:service_manager find;
 
 allow sdk_sandbox activity_service:service_manager find;
 allow sdk_sandbox activity_task_service:service_manager find;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 78a98e1..b26d977 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -144,7 +144,7 @@
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
-user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
 user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all
@@ -176,3 +176,4 @@
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
 user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
 user=_app fromRunAs=true domain=runas_app levelFrom=user
+
diff --git a/private/service.te b/private/service.te
index cd2cec6..1f407a6 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,6 +1,7 @@
 type ambient_context_service,       app_api_service, system_server_service, service_manager_type;
 type attention_service,             system_server_service, service_manager_type;
 type compos_service,                service_manager_type;
+type communal_service,      app_api_service, system_server_service, service_manager_type;
 type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     app_api_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 8aa7497..aa90983 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -137,6 +137,7 @@
 cloudsearch_service                       u:object_r:cloudsearch_service:s0
 com.android.net.IProxyService             u:object_r:IProxyService_service:s0
 companiondevice                           u:object_r:companion_device_service:s0
+communal                                  u:object_r:communal_service:s0
 platform_compat                           u:object_r:platform_compat_service:s0
 platform_compat_native                    u:object_r:platform_compat_service:s0
 connectivity                              u:object_r:connectivity_service:s0
@@ -300,7 +301,6 @@
 safety_center                             u:object_r:safety_center_service:s0
 samplingprofiler                          u:object_r:samplingprofiler_service:s0
 scheduling_policy                         u:object_r:scheduling_policy_service:s0
-sdk_sandbox                               u:object_r:sdk_sandbox_service:s0
 search                                    u:object_r:search_service:s0
 search_ui                                 u:object_r:search_ui_service:s0
 secure_element                            u:object_r:secure_element_service:s0
@@ -330,6 +330,7 @@
 storaged                                  u:object_r:storaged_service:s0
 storaged_pri                              u:object_r:storaged_service:s0
 storagestats                              u:object_r:storagestats_service:s0
+sdk_sandbox                               u:object_r:sdk_sandbox_service:s0
 SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
 SurfaceFlingerAIDL                        u:object_r:surfaceflinger_service:s0
 suspend_control                           u:object_r:system_suspend_control_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 7164a2c..a7be343 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -750,6 +750,7 @@
 set_prop(system_server, device_config_connectivity_prop)
 set_prop(system_server, device_config_surface_flinger_native_boot_prop)
 set_prop(system_server, device_config_vendor_system_native_prop)
+set_prop(system_server, device_config_vendor_system_native_boot_prop)
 set_prop(system_server, device_config_virtualization_framework_native_prop)
 set_prop(system_server, device_config_memory_safety_native_prop)
 set_prop(system_server, smart_idle_maint_enabled_prop)
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index dcd5a9e..ddb2828 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -43,8 +43,8 @@
     fingerprint_vendor_data_file
     iris_vendor_data_file
     rollback_data_file
-    sdk_sandbox_data_file
     storaged_data_file
+    sdk_sandbox_data_file
     system_data_file
     vold_data_file
 }:file { getattr unlink };
diff --git a/public/property.te b/public/property.te
index 875281a..b6c365d 100644
--- a/public/property.te
+++ b/public/property.te
@@ -68,6 +68,7 @@
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(device_config_surface_flinger_native_boot_prop)
 system_restricted_prop(device_config_vendor_system_native_prop)
+system_restricted_prop(device_config_vendor_system_native_boot_prop)
 system_restricted_prop(fingerprint_prop)
 system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
diff --git a/public/service.te b/public/service.te
index 2c588d9..b8a628c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -199,7 +199,6 @@
 type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type samplingprofiler_service, system_server_service, service_manager_type;
 type scheduling_policy_service, system_server_service, service_manager_type;
-type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type;
 type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type search_ui_service, app_api_service, system_server_service, service_manager_type;
 type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
@@ -214,6 +213,7 @@
 type smartspace_service, app_api_service, system_server_service, service_manager_type;
 type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sdk_sandbox_service, app_api_service, system_server_service, service_manager_type;
 type system_config_service, system_api_service, system_server_service, service_manager_type;
 type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
 type system_update_service, system_server_service, service_manager_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index b7302d4..57df54c 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -274,6 +274,7 @@
 
 # Allow vendor_init to read vendor_system_native device config changes
 get_prop(vendor_init, device_config_vendor_system_native_prop)
+get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
 
 ###
 ### neverallow rules