Merge "Allow compos and virt APEXes to use private APIs"
diff --git a/apex/Android.bp b/apex/Android.bp
index 1b0abf4..c06740a 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -48,6 +48,7 @@
     binaries: [
         "fd_server",
         "vm",
+        "compos_key_cmd",
 
         // tools to create composite images
         "mk_cdisk",
diff --git a/compos/Android.bp b/compos/Android.bp
index 858f64c..0cb6894 100644
--- a/compos/Android.bp
+++ b/compos/Android.bp
@@ -66,6 +66,24 @@
     ],
 }
 
+rust_binary {
+    name: "compos_key_service",
+    srcs: ["src/compos_key_service.rs"],
+    edition: "2018",
+    rustlibs: [
+        "compos_aidl_interface-rust",
+        "android.system.keystore2-V1-rust",
+        "android.hardware.security.keymint-V1-rust",
+        "libandroid_logger",
+        "libanyhow",
+        "liblog_rust",
+        "libring",
+        "libscopeguard",
+    ],
+    prefer_rlib: true,
+    apex_available: ["com.android.compos"],
+}
+
 // TODO(b/190503456) Remove this when vm/virtualizationservice generates payload.img from vm_config
 prebuilt_etc {
     name: "compos_payload_config",
diff --git a/compos/aidl/Android.bp b/compos/aidl/Android.bp
index 3639775..07bec09 100644
--- a/compos/aidl/Android.bp
+++ b/compos/aidl/Android.bp
@@ -15,5 +15,10 @@
                 "com.android.compos",
             ],
         },
+        ndk: {
+            apex_available: [
+                "com.android.virt",
+            ],
+        },
     },
 }
diff --git a/compos/aidl/com/android/compos/CompOsKeyData.aidl b/compos/aidl/com/android/compos/CompOsKeyData.aidl
new file mode 100644
index 0000000..381ec0d
--- /dev/null
+++ b/compos/aidl/com/android/compos/CompOsKeyData.aidl
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.compos;
+
+/** {@hide} */
+parcelable CompOsKeyData {
+    /**
+     * Self-signed certificate (X.509 DER) containing the public key.
+     */
+    byte[] certificate;
+
+    /**
+     * Opaque encrypted blob containing the private key and related metadata.
+     */
+    byte[] keyBlob;
+}
diff --git a/compos/aidl/com/android/compos/ICompOsKeyService.aidl b/compos/aidl/com/android/compos/ICompOsKeyService.aidl
new file mode 100644
index 0000000..2ddae58
--- /dev/null
+++ b/compos/aidl/com/android/compos/ICompOsKeyService.aidl
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.compos;
+
+import com.android.compos.CompOsKeyData;
+
+/** {@hide} */
+interface ICompOsKeyService {
+    /**
+     * Generate a new public/private key pair suitable for signing CompOs output files.
+     *
+     * @return a certificate for the public key and the encrypted private key
+     */
+    CompOsKeyData generateSigningKey();
+
+    /**
+     * Check that the supplied encrypted private key is valid for signing CompOs output files, and
+     * corresponds to the public key.
+     *
+     * @param keyBlob The encrypted blob containing the private key, as returned by
+     *                generateSigningKey().
+     * @param publicKey The public key, as a DER encoded RSAPublicKey (RFC 3447 Appendix-A.1.1).
+     * @return whether the inputs are valid and correspond to each other.
+     */
+    boolean verifySigningKey(in byte[] keyBlob, in byte[] publicKey);
+}
diff --git a/compos/apex/Android.bp b/compos/apex/Android.bp
index 51a5861..9942e09 100644
--- a/compos/apex/Android.bp
+++ b/compos/apex/Android.bp
@@ -37,6 +37,7 @@
     platform_apis: true,
 
     binaries: [
+        "compos_key_service",
         "compsvc",
         "compsvc_worker",
         "pvm_exec",
diff --git a/compos/compos_key_cmd/Android.bp b/compos/compos_key_cmd/Android.bp
new file mode 100644
index 0000000..e03dfdf
--- /dev/null
+++ b/compos/compos_key_cmd/Android.bp
@@ -0,0 +1,16 @@
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_binary {
+    name: "compos_key_cmd",
+    srcs: ["compos_key_cmd.cpp"],
+    apex_available: ["com.android.virt"],
+
+    shared_libs: [
+        "compos_aidl_interface-ndk_platform",
+        "libbase",
+        "libbinder_ndk",
+        "libcrypto",
+    ],
+}
diff --git a/compos/compos_key_cmd/compos_key_cmd.cpp b/compos/compos_key_cmd/compos_key_cmd.cpp
new file mode 100644
index 0000000..d98dac5
--- /dev/null
+++ b/compos/compos_key_cmd/compos_key_cmd.cpp
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <aidl/com/android/compos/ICompOsKeyService.h>
+#include <android-base/file.h>
+#include <android-base/result.h>
+#include <android/binder_auto_utils.h>
+#include <android/binder_manager.h>
+#include <openssl/evp.h>
+#include <openssl/mem.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+
+#include <iostream>
+#include <string>
+
+using android::base::Error;
+using android::base::Result;
+
+using aidl::com::android::compos::CompOsKeyData;
+using aidl::com::android::compos::ICompOsKeyService;
+
+static bool writeBytesToFile(const std::vector<uint8_t>& bytes, const std::string& path) {
+    std::string str(bytes.begin(), bytes.end());
+    return android::base::WriteStringToFile(str, path);
+}
+
+static Result<std::vector<uint8_t>> readBytesFromFile(const std::string& path) {
+    std::string str;
+    if (!android::base::ReadFileToString(path, &str)) {
+        return Error() << "Failed to read " << path;
+    }
+    return std::vector<uint8_t>(str.begin(), str.end());
+}
+
+static Result<std::vector<uint8_t>> extractRsaPublicKey(
+        const std::vector<uint8_t>& der_certificate) {
+    auto data = der_certificate.data();
+    bssl::UniquePtr<X509> x509(d2i_X509(nullptr, &data, der_certificate.size()));
+    if (!x509) {
+        return Error() << "Failed to parse certificate";
+    }
+    if (data != der_certificate.data() + der_certificate.size()) {
+        return Error() << "Certificate has unexpected trailing data";
+    }
+
+    bssl::UniquePtr<EVP_PKEY> pkey(X509_get_pubkey(x509.get()));
+    if (EVP_PKEY_base_id(pkey.get()) != EVP_PKEY_RSA) {
+        return Error() << "Subject key is not RSA";
+    }
+    RSA* rsa = EVP_PKEY_get0_RSA(pkey.get());
+    if (!rsa) {
+        return Error() << "Failed to extract RSA key";
+    }
+
+    uint8_t* out = nullptr;
+    int size = i2d_RSAPublicKey(rsa, &out);
+    if (size < 0 || !out) {
+        return Error() << "Failed to convert to RSAPublicKey";
+    }
+
+    bssl::UniquePtr<uint8_t> buffer(out);
+    std::vector<uint8_t> result(out, out + size);
+    return result;
+}
+
+static Result<void> generate(const std::string& blob_file, const std::string& public_key_file) {
+    ndk::SpAIBinder binder(AServiceManager_getService("android.system.composkeyservice"));
+    auto service = ICompOsKeyService::fromBinder(binder);
+    if (!service) {
+        return Error() << "No service";
+    }
+
+    CompOsKeyData key_data;
+    auto status = service->generateSigningKey(&key_data);
+    if (!status.isOk()) {
+        return Error() << "Failed to generate key: " << status.getDescription();
+    }
+
+    auto public_key = extractRsaPublicKey(key_data.certificate);
+    if (!public_key.ok()) {
+        return Error() << "Failed to extract public key from cert: " << public_key.error();
+    }
+    if (!writeBytesToFile(key_data.keyBlob, blob_file)) {
+        return Error() << "Failed to write keyBlob to " << blob_file;
+    }
+
+    if (!writeBytesToFile(public_key.value(), public_key_file)) {
+        return Error() << "Failed to write public key to " << public_key_file;
+    }
+
+    return {};
+}
+
+static Result<bool> verify(const std::string& blob_file, const std::string& public_key_file) {
+    ndk::SpAIBinder binder(AServiceManager_getService("android.system.composkeyservice"));
+    auto service = ICompOsKeyService::fromBinder(binder);
+    if (!service) {
+        return Error() << "No service";
+    }
+
+    auto blob = readBytesFromFile(blob_file);
+    if (!blob.ok()) {
+        return blob.error();
+    }
+
+    auto public_key = readBytesFromFile(public_key_file);
+    if (!public_key.ok()) {
+        return public_key.error();
+    }
+
+    bool result = false;
+    auto status = service->verifySigningKey(blob.value(), public_key.value(), &result);
+    if (!status.isOk()) {
+        return Error() << "Failed to verify key: " << status.getDescription();
+    }
+
+    return result;
+}
+
+int main(int argc, char** argv) {
+    if (argc == 4 && std::string(argv[1]) == "--generate") {
+        auto result = generate(argv[2], argv[3]);
+        if (result.ok()) {
+            return 0;
+        } else {
+            std::cerr << result.error() << '\n';
+        }
+    } else if (argc == 4 && std::string(argv[1]) == "--verify") {
+        auto result = verify(argv[2], argv[3]);
+        if (result.ok()) {
+            if (result.value()) {
+                std::cerr << "Key files are valid.\n";
+                return 0;
+            } else {
+                std::cerr << "Key files are not valid.\n";
+            }
+        } else {
+            std::cerr << result.error() << '\n';
+        }
+    } else {
+        std::cerr << "Usage: \n"
+                  << "  --generate <blob file> <public key file> Generate new key pair and "
+                     "write\n"
+                  << "    the private key blob and public key to the specified files.\n "
+                  << "  --verify <blob file> <public key file> Verify that the content of the\n"
+                  << "    specified private key blob and public key files are valid.\n ";
+    }
+    return 1;
+}
diff --git a/compos/src/compos_key_service.rs b/compos/src/compos_key_service.rs
new file mode 100644
index 0000000..97fd855
--- /dev/null
+++ b/compos/src/compos_key_service.rs
@@ -0,0 +1,196 @@
+// Copyright 2021, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Provides a binder service for key generation & verification for CompOs. We assume we have
+//! access to Keystore in the VM, but not persistent storage; instead the host stores the key
+//! on our behalf via this service.
+
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+    Algorithm::Algorithm, Digest::Digest, KeyParameter::KeyParameter,
+    KeyParameterValue::KeyParameterValue, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
+    SecurityLevel::SecurityLevel, Tag::Tag,
+};
+use android_system_keystore2::aidl::android::system::keystore2::{
+    Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
+    IKeystoreService::IKeystoreService, KeyDescriptor::KeyDescriptor,
+};
+use anyhow::{anyhow, Context, Result};
+use compos_aidl_interface::aidl::com::android::compos::{
+    CompOsKeyData::CompOsKeyData,
+    ICompOsKeyService::{BnCompOsKeyService, ICompOsKeyService},
+};
+use compos_aidl_interface::binder::{
+    self, add_service, get_interface, BinderFeatures, ExceptionCode, Interface, ProcessState,
+    Status, Strong,
+};
+use log::{info, warn, Level};
+use ring::rand::{SecureRandom, SystemRandom};
+use ring::signature;
+use scopeguard::ScopeGuard;
+use std::ffi::CString;
+use std::sync::Mutex;
+
+const LOG_TAG: &str = "CompOsKeyService";
+const OUR_SERVICE_NAME: &str = "android.system.composkeyservice";
+
+const KEYSTORE_SERVICE_NAME: &str = "android.system.keystore2.IKeystoreService/default";
+const COMPOS_NAMESPACE: i64 = 101;
+const PURPOSE_SIGN: KeyParameter =
+    KeyParameter { tag: Tag::PURPOSE, value: KeyParameterValue::KeyPurpose(KeyPurpose::SIGN) };
+const ALGORITHM: KeyParameter =
+    KeyParameter { tag: Tag::ALGORITHM, value: KeyParameterValue::Algorithm(Algorithm::RSA) };
+const PADDING: KeyParameter = KeyParameter {
+    tag: Tag::PADDING,
+    value: KeyParameterValue::PaddingMode(PaddingMode::RSA_PKCS1_1_5_SIGN),
+};
+const DIGEST: KeyParameter =
+    KeyParameter { tag: Tag::DIGEST, value: KeyParameterValue::Digest(Digest::SHA_2_256) };
+const KEY_SIZE: KeyParameter =
+    KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(2048) };
+const EXPONENT: KeyParameter =
+    KeyParameter { tag: Tag::RSA_PUBLIC_EXPONENT, value: KeyParameterValue::LongInteger(65537) };
+const NO_AUTH_REQUIRED: KeyParameter =
+    KeyParameter { tag: Tag::NO_AUTH_REQUIRED, value: KeyParameterValue::BoolValue(true) };
+
+const KEY_DESCRIPTOR: KeyDescriptor =
+    KeyDescriptor { domain: Domain::BLOB, nspace: COMPOS_NAMESPACE, alias: None, blob: None };
+
+struct CompOsKeyService {
+    random: SystemRandom,
+    state: Mutex<State>,
+}
+
+struct State {
+    security_level: Strong<dyn IKeystoreSecurityLevel>,
+}
+
+impl Interface for CompOsKeyService {}
+
+impl ICompOsKeyService for CompOsKeyService {
+    fn generateSigningKey(&self) -> binder::Result<CompOsKeyData> {
+        self.do_generate()
+            .map_err(|e| new_binder_exception(ExceptionCode::ILLEGAL_STATE, e.to_string()))
+    }
+
+    fn verifySigningKey(&self, key_blob: &[u8], public_key: &[u8]) -> binder::Result<bool> {
+        Ok(if let Err(e) = self.do_verify(key_blob, public_key) {
+            warn!("Signing key verification failed: {}", e.to_string());
+            false
+        } else {
+            true
+        })
+    }
+}
+
+/// Constructs a new Binder error `Status` with the given `ExceptionCode` and message.
+fn new_binder_exception<T: AsRef<str>>(exception: ExceptionCode, message: T) -> Status {
+    Status::new_exception(exception, CString::new(message.as_ref()).ok().as_deref())
+}
+
+impl CompOsKeyService {
+    fn new(keystore_service: &Strong<dyn IKeystoreService>) -> Self {
+        Self {
+            random: SystemRandom::new(),
+            state: Mutex::new(State {
+                security_level: keystore_service
+                    .getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT)
+                    .unwrap(),
+            }),
+        }
+    }
+
+    fn security_level(&self) -> Strong<dyn IKeystoreSecurityLevel> {
+        // We need the Mutex because Strong<_> isn't sync. But we don't need to keep it locked
+        // to make the call, once we've cloned the pointer.
+        self.state.lock().unwrap().security_level.clone()
+    }
+
+    fn do_generate(&self) -> Result<CompOsKeyData> {
+        let key_parameters =
+            [PURPOSE_SIGN, ALGORITHM, PADDING, DIGEST, KEY_SIZE, EXPONENT, NO_AUTH_REQUIRED];
+        let attestation_key = None;
+        let flags = 0;
+        let entropy = [];
+
+        let key_metadata = self
+            .security_level()
+            .generateKey(&KEY_DESCRIPTOR, attestation_key, &key_parameters, flags, &entropy)
+            .context("Generating key failed")?;
+
+        if let (Some(certificate), Some(blob)) = (key_metadata.certificate, key_metadata.key.blob) {
+            Ok(CompOsKeyData { certificate, keyBlob: blob })
+        } else {
+            Err(anyhow!("Missing cert or blob"))
+        }
+    }
+
+    fn do_verify(&self, key_blob: &[u8], public_key: &[u8]) -> Result<()> {
+        let mut data = [0u8; 32];
+        self.random.fill(&mut data).context("No random data")?;
+
+        let signature = self.sign(key_blob, &data)?;
+
+        let public_key =
+            signature::UnparsedPublicKey::new(&signature::RSA_PKCS1_2048_8192_SHA256, public_key);
+        public_key.verify(&data, &signature).context("Signature verification failed")?;
+
+        Ok(())
+    }
+
+    fn sign(&self, key_blob: &[u8], data: &[u8]) -> Result<Vec<u8>> {
+        let key_descriptor = KeyDescriptor { blob: Some(key_blob.to_vec()), ..KEY_DESCRIPTOR };
+        let operation_parameters = [PURPOSE_SIGN, ALGORITHM, PADDING, DIGEST];
+        let forced = false;
+
+        let response = self
+            .security_level()
+            .createOperation(&key_descriptor, &operation_parameters, forced)
+            .context("Creating key failed")?;
+        let operation = scopeguard::guard(
+            response.iOperation.ok_or_else(|| anyhow!("No operation created"))?,
+            |op| op.abort().unwrap_or_default(),
+        );
+
+        if response.operationChallenge.is_some() {
+            return Err(anyhow!("Key requires user authorization"));
+        }
+
+        let signature = operation.finish(Some(&data), None).context("Signing failed")?;
+        // Operation has finished, we're no longer responsible for aborting it
+        ScopeGuard::into_inner(operation);
+
+        signature.ok_or_else(|| anyhow!("No signature returned"))
+    }
+}
+
+fn main() -> Result<()> {
+    android_logger::init_once(
+        android_logger::Config::default().with_tag(LOG_TAG).with_min_level(Level::Trace),
+    );
+
+    // We need to start the thread pool for Binder to work properly.
+    ProcessState::start_thread_pool();
+
+    let keystore_service = get_interface::<dyn IKeystoreService>(KEYSTORE_SERVICE_NAME)
+        .context("No Keystore service")?;
+    let service = CompOsKeyService::new(&keystore_service);
+    let service = BnCompOsKeyService::new_binder(service, BinderFeatures::default());
+
+    add_service(OUR_SERVICE_NAME, service.as_binder()).context("Adding service failed")?;
+    info!("It's alive!");
+
+    ProcessState::join_thread_pool();
+
+    Ok(())
+}
diff --git a/launcher/Android.bp b/launcher/Android.bp
index 2c3f093..93cae96 100644
--- a/launcher/Android.bp
+++ b/launcher/Android.bp
@@ -5,5 +5,8 @@
 cc_binary {
     name: "microdroid_launcher",
     srcs: ["main.cpp"],
-    shared_libs: ["libdl"],
+    shared_libs: [
+        "libdl",
+        "libdl_android",
+    ],
 }
diff --git a/launcher/main.cpp b/launcher/main.cpp
index fc9477d..4ecef3f 100644
--- a/launcher/main.cpp
+++ b/launcher/main.cpp
@@ -18,6 +18,24 @@
 
 #include <cstdlib>
 #include <iostream>
+#include <string>
+
+#include <android/dlext.h>
+
+extern "C" {
+enum {
+    ANDROID_NAMESPACE_TYPE_REGULAR = 0,
+    ANDROID_NAMESPACE_TYPE_ISOLATED = 1,
+    ANDROID_NAMESPACE_TYPE_SHARED = 2,
+};
+
+extern struct android_namespace_t* android_create_namespace(
+        const char* name, const char* ld_library_path, const char* default_library_path,
+        uint64_t type, const char* permitted_when_isolated_path,
+        struct android_namespace_t* parent);
+} // extern "C"
+
+static void* load(const std::string& libname);
 
 int main(int argc, char* argv[]) {
     if (argc < 2) {
@@ -27,7 +45,7 @@
     }
 
     const char* libname = argv[1];
-    void* handle = dlopen(libname, RTLD_NOW);
+    void* handle = load(libname);
     if (handle == nullptr) {
         std::cerr << "Failed to load " << libname << ": " << dlerror() << "\n";
         return EXIT_FAILURE;
@@ -42,3 +60,31 @@
 
     return entry(argc - 1, argv + 1);
 }
+
+// Create a new linker namespace whose search path is set to the directory of the library. Then
+// load it from there. Returns the handle to the loaded library if successful. Returns nullptr
+// if failed.
+void* load(const std::string& libname) {
+    // Parent as nullptr means the default namespace
+    android_namespace_t* parent = nullptr;
+    // The search paths of the new namespace are inherited from the parent namespace.
+    const uint64_t type = ANDROID_NAMESPACE_TYPE_SHARED;
+    // The directory of the library is appended to the search paths
+    const std::string libdir = libname.substr(0, libname.find_last_of("/"));
+    const char* ld_library_path = libdir.c_str();
+    const char* default_library_path = libdir.c_str();
+
+    android_namespace_t* new_ns = nullptr;
+    new_ns = android_create_namespace("microdroid_app", ld_library_path, default_library_path, type,
+                                      /* permitted_when_isolated_path */ nullptr, parent);
+    if (new_ns == nullptr) {
+        std::cerr << "Failed to create linker namespace: " << dlerror() << "\n";
+        return nullptr;
+    }
+
+    const android_dlextinfo info = {
+            .flags = ANDROID_DLEXT_USE_NAMESPACE,
+            .library_namespace = new_ns,
+    };
+    return android_dlopen_ext(libname.c_str(), RTLD_NOW, &info);
+}
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index e9eb2ef..f942349 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -76,8 +76,6 @@
         "cgroups.json",
         "public.libraries.android.txt",
 
-        "android.system.keystore2-V1-ndk_platform",
-
         // TODO(b/185767624): remove hidl after full keymint support
         "hwservicemanager",
 
diff --git a/microdroid/sepolicy/system/private/domain.te b/microdroid/sepolicy/system/private/domain.te
index 4a59f73..e979f3e 100644
--- a/microdroid/sepolicy/system/private/domain.te
+++ b/microdroid/sepolicy/system/private/domain.te
@@ -216,7 +216,7 @@
     -appdomain # for oemfs
     -bootanim # for oemfs
     -recovery # for /tmp/update_binary in tmpfs
-    -microdroid_launcher -microdroid_manager # for executing shared libs on /mnt/apk in Microdroid
+    -microdroid_app -microdroid_manager # for executing shared libs on /mnt/apk in Microdroid
 } { fs_type -rootfs }:file execute;
 
 #
diff --git a/microdroid/sepolicy/system/private/file_contexts b/microdroid/sepolicy/system/private/file_contexts
index 7e6048e..4318bb0 100644
--- a/microdroid/sepolicy/system/private/file_contexts
+++ b/microdroid/sepolicy/system/private/file_contexts
@@ -114,7 +114,7 @@
 /system/bin/toolbox	--	u:object_r:toolbox_exec:s0
 /system/bin/toybox	--	u:object_r:toolbox_exec:s0
 /system/bin/zipfuse              u:object_r:zipfuse_exec:s0
-/system/bin/microdroid_launcher  u:object_r:microdroid_launcher_exec:s0
+/system/bin/microdroid_launcher  u:object_r:microdroid_app_exec:s0
 /system/bin/microdroid_manager   u:object_r:microdroid_manager_exec:s0
 /system/bin/apkdmverity          u:object_r:apkdmverity_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
diff --git a/microdroid/sepolicy/system/private/microdroid_app.te b/microdroid/sepolicy/system/private/microdroid_app.te
new file mode 100644
index 0000000..eff9120
--- /dev/null
+++ b/microdroid/sepolicy/system/private/microdroid_app.te
@@ -0,0 +1,45 @@
+# microdroid_app is a domain for microdroid_launcher, which is a binary that
+# loads a shared library from an apk and executes it by calling an entry point
+# in the library. This can be considered as the native counterpart of
+# app_process for Java.
+#
+# Both microdroid_launcher and payload from the shared library run in the
+# context of microdroid_app.
+
+type microdroid_app, domain, coredomain;
+type microdroid_app_exec, exec_type, file_type, system_file_type;
+
+# Allow to communicate use, read and write over the adb connection.
+allow microdroid_app adbd:fd use;
+allow microdroid_app adbd:unix_stream_socket { read write };
+
+# microdroid_launcher is launched by microdroid_manager with fork/execvp.
+allow microdroid_app microdroid_manager:fd use;
+
+# Allow to use FDs inherited from the shell. This includes the FD opened for
+# the microdroid_launcher executable itself and the FD for adb connection.
+# TODO(b/186396070) remove this when this is executed from microdroid_manager
+userdebug_or_eng(`
+  allow microdroid_app shell:fd use;
+')
+
+# Allow to use terminal
+allow microdroid_app devpts:chr_file rw_file_perms;
+
+# Allow to set debug prop
+set_prop(microdroid_app, debug_prop)
+
+# Talk to binder services (for keystore)
+binder_use(microdroid_app);
+
+# Allow payloads to use keystore
+use_keystore(microdroid_app);
+
+# Allow payloads to use and manage their keys
+allow microdroid_app vm_payload_key:keystore2_key {
+    delete
+    get_info
+    manage_blob
+    rebind
+    use
+};
diff --git a/microdroid/sepolicy/system/private/microdroid_launcher.te b/microdroid/sepolicy/system/private/microdroid_launcher.te
deleted file mode 100644
index 6bcd4f1..0000000
--- a/microdroid/sepolicy/system/private/microdroid_launcher.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# microdroid_launcher is a binary that loads a shared library from an apk and
-# executes it by calling an entry point in the library. This can be considered
-# as the native counterpart of app_process for Java.
-
-type microdroid_launcher, domain, coredomain;
-type microdroid_launcher_exec, exec_type, file_type, system_file_type;
-
-# Allow to communicate use, read and write over the adb connection.
-allow microdroid_launcher adbd:fd use;
-allow microdroid_launcher adbd:unix_stream_socket { read write };
-
-# microdroid_launcher is launched by microdroid_manager with fork/execvp.
-allow microdroid_launcher microdroid_manager:fd use;
-
-# Allow to use FDs inherited from the shell. This includes the FD opened for
-# the microdroid_launcher executable itself and the FD for adb connection.
-# TODO(b/186396070) remove this when this is executed from microdroid_manager
-userdebug_or_eng(`
-  allow microdroid_launcher shell:fd use;
-')
-
-# Allow to use terminal
-allow microdroid_launcher devpts:chr_file rw_file_perms;
-
-# Allow to set debug prop
-set_prop(microdroid_launcher, debug_prop)
-
-# Talk to binder services (for keystore)
-binder_use(microdroid_launcher);
-
-# Allow payloads to use keystore
-use_keystore(microdroid_launcher);
-
-# Allow payloads to use and manage their keys
-allow microdroid_launcher vm_payload_key:keystore2_key {
-    delete
-    get_info
-    manage_blob
-    rebind
-    use
-};
diff --git a/microdroid/sepolicy/system/private/microdroid_manager.te b/microdroid/sepolicy/system/private/microdroid_manager.te
index deb969c..fba3e71 100644
--- a/microdroid/sepolicy/system/private/microdroid_manager.te
+++ b/microdroid/sepolicy/system/private/microdroid_manager.te
@@ -13,7 +13,7 @@
 allow microdroid_manager vd_device:blk_file r_file_perms;
 
 # microdroid_manager start payload task via microdroid_launcher
-domain_auto_trans(microdroid_manager, microdroid_launcher_exec, microdroid_launcher);
+domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app);
 
 # Let microdroid_manager exec other files (e.g. payload command) in the same domain.
 # TODO(b/189706019) we need to a domain for the app process.
diff --git a/microdroid/sepolicy/system/private/property_contexts b/microdroid/sepolicy/system/private/property_contexts
index 605e912..1483f6f 100644
--- a/microdroid/sepolicy/system/private/property_contexts
+++ b/microdroid/sepolicy/system/private/property_contexts
@@ -1,151 +1,11 @@
-##########################
-# property service keys
-#
-#
-net.rmnet               u:object_r:net_radio_prop:s0
-net.gprs                u:object_r:net_radio_prop:s0
-net.ppp                 u:object_r:net_radio_prop:s0
-net.qmi                 u:object_r:net_radio_prop:s0
-net.lte                 u:object_r:net_radio_prop:s0
-net.cdma                u:object_r:net_radio_prop:s0
-net.dns                 u:object_r:net_dns_prop:s0
-ril.                    u:object_r:radio_prop:s0
-ro.ril.                 u:object_r:radio_prop:s0
-gsm.                    u:object_r:radio_prop:s0
-persist.radio           u:object_r:radio_prop:s0
+# property contexts for microdroid
+# microdroid only uses much fewer properties than normal Android, so every property is listed here.
+# The only exceptions are "debug.", "init.svc_debug_pid.", and "ctl." properties.
 
-net.                    u:object_r:system_prop:s0
-dev.                    u:object_r:system_prop:s0
-ro.runtime.             u:object_r:system_prop:s0
-ro.runtime.firstboot    u:object_r:firstboot_prop:s0
-hw.                     u:object_r:system_prop:s0
-ro.hw.                  u:object_r:system_prop:s0
-sys.                    u:object_r:system_prop:s0
-sys.audio.              u:object_r:audio_prop:s0
-sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
-sys.cppreopt            u:object_r:cppreopt_prop:s0
-sys.lpdumpd             u:object_r:lpdumpd_prop:s0
-sys.powerctl            u:object_r:powerctl_prop:s0
-service.                u:object_r:system_prop:s0
-dhcp.                   u:object_r:dhcp_prop:s0
-dhcp.bt-pan.result      u:object_r:pan_result_prop:s0
-bluetooth.              u:object_r:bluetooth_prop:s0
+debug. u:object_r:debug_prop:s0 prefix
 
-debug.                  u:object_r:debug_prop:s0
-debug.db.               u:object_r:debuggerd_prop:s0
-dumpstate.              u:object_r:dumpstate_prop:s0
-dumpstate.options       u:object_r:dumpstate_options_prop:s0
-init.svc_debug_pid.     u:object_r:init_svc_debug_prop:s0
-llk.                    u:object_r:llkd_prop:s0
-khungtask.              u:object_r:llkd_prop:s0
-ro.llk.                 u:object_r:llkd_prop:s0
-ro.khungtask.           u:object_r:llkd_prop:s0
-log.                    u:object_r:log_prop:s0
-log.tag                 u:object_r:log_tag_prop:s0
-log.tag.WifiHAL         u:object_r:wifi_log_prop:s0
-security.perf_harden    u:object_r:shell_prop:s0
-security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
-service.adb.root        u:object_r:shell_prop:s0
-service.adb.tls.port    u:object_r:adbd_prop:s0
-persist.adb.wifi.       u:object_r:adbd_prop:s0
-persist.adb.tls_server.enable  u:object_r:system_adbd_prop:s0
+init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0 prefix int
 
-persist.audio.          u:object_r:audio_prop:s0
-persist.bluetooth.      u:object_r:bluetooth_prop:s0
-persist.nfc_cfg.        u:object_r:nfc_prop:s0
-persist.debug.          u:object_r:persist_debug_prop:s0
-logd.                   u:object_r:logd_prop:s0
-persist.logd.           u:object_r:logd_prop:s0
-ro.logd.                u:object_r:logd_prop:s0
-persist.logd.security   u:object_r:device_logging_prop:s0
-persist.logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
-logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
-persist.log.tag         u:object_r:log_tag_prop:s0
-persist.mmc.            u:object_r:mmc_prop:s0
-persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
-persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
-persist.profcollectd.node_id    u:object_r:profcollectd_node_id_prop:s0     exact   string
-persist.sys.            u:object_r:system_prop:s0
-persist.sys.safemode    u:object_r:safemode_prop:s0
-persist.sys.theme       u:object_r:theme_prop:s0
-persist.sys.fflag.override.settings_dynamic_system    u:object_r:dynamic_system_prop:s0
-ro.sys.safemode         u:object_r:safemode_prop:s0
-persist.sys.audit_safemode      u:object_r:safemode_prop:s0
-persist.sys.dalvik.jvmtiagent   u:object_r:system_jvmti_agent_prop:s0
-persist.service.        u:object_r:system_prop:s0
-persist.service.bdroid. u:object_r:bluetooth_prop:s0
-persist.security.       u:object_r:system_prop:s0
-persist.traced.enable   u:object_r:traced_enabled_prop:s0
-traced.lazy.            u:object_r:traced_lazy_prop:s0
-persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
-persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
-persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
-persist.vendor.overlay.  u:object_r:overlay_prop:s0
-ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
-ro.boottime.             u:object_r:boottime_prop:s0
-ro.serialno             u:object_r:serialno_prop:s0
-ro.boot.btmacaddr       u:object_r:bluetooth_prop:s0
-ro.boot.serialno        u:object_r:serialno_prop:s0
-ro.bt.                  u:object_r:bluetooth_prop:s0
-ro.boot.bootreason      u:object_r:bootloader_boot_reason_prop:s0
-persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
-sys.boot.reason         u:object_r:system_boot_reason_prop:s0
-sys.boot.reason.last    u:object_r:last_boot_reason_prop:s0
-pm.                     u:object_r:pm_prop:s0
-test.sys.boot.reason    u:object_r:test_boot_reason_prop:s0
-test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
-sys.lmk.                u:object_r:system_lmk_prop:s0
-sys.trace.              u:object_r:system_trace_prop:s0
-wrap.                   u:object_r:zygote_wrap_prop:s0 prefix string
-
-# Suspend service properties
-suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
-suspend.base_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
-suspend.backoff_threshold_count u:object_r:suspend_prop:s0 exact uint
-suspend.short_suspend_threshold_millis u:object_r:suspend_prop:s0 exact uint
-suspend.sleep_time_scale_factor u:object_r:suspend_prop:s0 exact double
-suspend.failed_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
-suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
-
-# Fastbootd protocol control property
-fastbootd.protocol    u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
-
-# adbd protoctl configuration property
-service.adb.tcp.port    u:object_r:adbd_config_prop:s0 exact int
-service.adb.transport   u:object_r:adbd_config_prop:s0 exact string
-
-# Boolean property set by system server upon boot indicating
-# if device is fully owned by organization instead of being
-# a personal device.
-ro.organization_owned   u:object_r:device_logging_prop:s0
-
-# selinux non-persistent properties
-selinux.restorecon_recursive   u:object_r:restorecon_prop:s0
-
-# default property context
-*                       u:object_r:default_prop:s0
-
-# data partition encryption properties
-vold.                   u:object_r:vold_prop:s0
-ro.crypto.              u:object_r:vold_prop:s0
-
-# ro.build.fingerprint is either set in /system/build.prop, or is
-# set at runtime by system_server.
-ro.build.fingerprint    u:object_r:fingerprint_prop:s0 exact string
-
-ro.persistent_properties.ready  u:object_r:persistent_properties_ready_prop:s0
-
-# ctl properties
-ctl.bootanim            u:object_r:ctl_bootanim_prop:s0
-ctl.dumpstate           u:object_r:ctl_dumpstate_prop:s0
-ctl.fuse_               u:object_r:ctl_fuse_prop:s0
-ctl.mdnsd               u:object_r:ctl_mdnsd_prop:s0
-ctl.ril-daemon          u:object_r:ctl_rildaemon_prop:s0
-ctl.bugreport           u:object_r:ctl_bugreport_prop:s0
-ctl.console             u:object_r:ctl_console_prop:s0
-ctl.                    u:object_r:ctl_default_prop:s0
-
-# Don't allow uncontrolled access to all services
 ctl.sigstop_on$         u:object_r:ctl_sigstop_prop:s0
 ctl.sigstop_off$        u:object_r:ctl_sigstop_prop:s0
 ctl.start$              u:object_r:ctl_start_prop:s0
@@ -155,1045 +15,86 @@
 ctl.interface_stop$     u:object_r:ctl_interface_stop_prop:s0
 ctl.interface_restart$  u:object_r:ctl_interface_restart_prop:s0
 
- # Restrict access to starting/stopping adbd
-ctl.start$adbd             u:object_r:ctl_adbd_prop:s0
-ctl.stop$adbd              u:object_r:ctl_adbd_prop:s0
-ctl.restart$adbd           u:object_r:ctl_adbd_prop:s0
+ctl.start$adbd   u:object_r:ctl_adbd_prop:s0
+ctl.stop$adbd    u:object_r:ctl_adbd_prop:s0
+ctl.restart$adbd u:object_r:ctl_adbd_prop:s0
 
-# Restrict access to starting/stopping gsid.
-ctl.start$gsid          u:object_r:ctl_gsid_prop:s0
-ctl.stop$gsid           u:object_r:ctl_gsid_prop:s0
-ctl.restart$gsid        u:object_r:ctl_gsid_prop:s0
+ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
 
-# Restrict access to stopping apexd.
-ctl.stop$apexd          u:object_r:ctl_apexd_prop:s0
+ctl.fuse_   u:object_r:ctl_fuse_prop:s0
+ctl.console u:object_r:ctl_console_prop:s0
+ctl.        u:object_r:ctl_default_prop:s0
 
-# Restrict access to starting media.transcoding.
-ctl.start$media.transcoding  u:object_r:ctl_mediatranscoding_prop:s0
+dev.mnt.blk.root   u:object_r:system_prop:s0 exact string
+dev.mnt.blk.vendor u:object_r:system_prop:s0 exact string
 
-# Restrict access to restart dumpstate
-ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0 exact bool
 
-# Restrict access to control snapuserd
-ctl.start$snapuserd     u:object_r:ctl_snapuserd_prop:s0
-ctl.stop$snapuserd      u:object_r:ctl_snapuserd_prop:s0
-ctl.restart$snapuserd   u:object_r:ctl_snapuserd_prop:s0
+service.adb.root u:object_r:shell_prop:s0 exact bool
 
-# NFC properties
-nfc.                    u:object_r:nfc_prop:s0
+ro.logd.kernel u:object_r:logd_prop:s0 exact bool
 
-# These properties are not normally set by processes other than init.
-# They are only distinguished here for setting by qemu-props on the
-# emulator/goldfish.
-config.                 u:object_r:config_prop:s0
-ro.config.              u:object_r:config_prop:s0
-dalvik.                 u:object_r:dalvik_prop:s0
-ro.dalvik.              u:object_r:dalvik_prop:s0
+ro.boottime.adbd                      u:object_r:boottime_prop:s0 exact int
+ro.boottime.derive_sdk                u:object_r:boottime_prop:s0 exact int
+ro.boottime.hwservicemanager          u:object_r:boottime_prop:s0 exact int
+ro.boottime.init                      u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.cold_boot_wait       u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.first_stage          u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.modules              u:object_r:boottime_prop:s0 exact int
+ro.boottime.init.selinux              u:object_r:boottime_prop:s0 exact int
+ro.boottime.keystore2                 u:object_r:boottime_prop:s0 exact int
+ro.boottime.logd                      u:object_r:boottime_prop:s0 exact int
+ro.boottime.logd-reinit               u:object_r:boottime_prop:s0 exact int
+ro.boottime.microdroid_manager        u:object_r:boottime_prop:s0 exact int
+ro.boottime.servicemanager            u:object_r:boottime_prop:s0 exact int
+ro.boottime.tombstoned                u:object_r:boottime_prop:s0 exact int
+ro.boottime.ueventd                   u:object_r:boottime_prop:s0 exact int
+ro.boottime.vendor.keymint-microdroid u:object_r:boottime_prop:s0 exact int
+ro.boottime.zipfuse                   u:object_r:boottime_prop:s0 exact int
 
-# qemu_hw_prop is read/written by both system and vendor.
-qemu.hw.mainkeys        u:object_r:qemu_hw_prop:s0 exact string
+ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
 
-# qemu_sf_lcd_density_prop is read/written by both system and vendor.
-qemu.sf.lcd_density     u:object_r:qemu_sf_lcd_density_prop:s0 exact int
-
-# Shared between system server and wificond
-wifi.                   u:object_r:wifi_prop:s0
-wlan.                   u:object_r:wifi_prop:s0
-
-# Lowpan properties
-lowpan.                 u:object_r:lowpan_prop:s0
-ro.lowpan.              u:object_r:lowpan_prop:s0
-
-# heapprofd properties
-heapprofd.              u:object_r:heapprofd_prop:s0
-
-# hwservicemanager properties
-hwservicemanager.       u:object_r:hwservicemanager_prop:s0
-
-# Common default properties for vendor, odm, vendor_dlkm, and odm_dlkm.
-init.svc.odm.           u:object_r:vendor_default_prop:s0
-init.svc.vendor.        u:object_r:vendor_default_prop:s0
-ro.hardware.            u:object_r:vendor_default_prop:s0
-ro.odm.                 u:object_r:vendor_default_prop:s0
-ro.vendor.              u:object_r:vendor_default_prop:s0
-ro.vendor_dlkm.         u:object_r:vendor_default_prop:s0
-ro.odm_dlkm.            u:object_r:vendor_default_prop:s0
-odm.                    u:object_r:vendor_default_prop:s0
-persist.odm.            u:object_r:vendor_default_prop:s0
-persist.vendor.         u:object_r:vendor_default_prop:s0
-vendor.                 u:object_r:vendor_default_prop:s0
-
-# Properties that relate to time / time zone detection behavior.
-persist.time.           u:object_r:time_prop:s0
-
-# Properties that relate to server configurable flags
-device_config.reset_performed                       u:object_r:device_config_reset_performed_prop:s0
-persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
-persist.device_config.attempted_boot_count          u:object_r:device_config_boot_count_prop:s0
-persist.device_config.configuration.                u:object_r:device_config_configuration_prop:s0
-persist.device_config.connectivity.                 u:object_r:device_config_connectivity_prop:s0
-persist.device_config.input_native_boot.            u:object_r:device_config_input_native_boot_prop:s0
-persist.device_config.media_native.                 u:object_r:device_config_media_native_prop:s0
-persist.device_config.netd_native.                  u:object_r:device_config_netd_native_prop:s0
-persist.device_config.profcollect_native_boot.      u:object_r:device_config_profcollect_native_boot_prop:s0
-persist.device_config.runtime_native.               u:object_r:device_config_runtime_native_prop:s0
-persist.device_config.runtime_native_boot.          u:object_r:device_config_runtime_native_boot_prop:s0
-persist.device_config.statsd_native.                u:object_r:device_config_statsd_native_prop:s0
-persist.device_config.statsd_native_boot.           u:object_r:device_config_statsd_native_boot_prop:s0
-persist.device_config.storage_native_boot.          u:object_r:device_config_storage_native_boot_prop:s0
-persist.device_config.swcodec_native.               u:object_r:device_config_swcodec_native_prop:s0
-persist.device_config.window_manager_native_boot.   u:object_r:device_config_window_manager_native_boot_prop:s0
-
-# MM Events config props
-persist.mm_events.enabled                           u:object_r:mm_events_config_prop:s0 exact bool
-
-# Properties that relate to legacy server configurable flags
-persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
-
-apexd.                  u:object_r:apexd_prop:s0
-apexd.config.dm_delete.timeout           u:object_r:apexd_config_prop:s0 exact uint
-apexd.config.dm_create.timeout           u:object_r:apexd_config_prop:s0 exact uint
-persist.apexd.          u:object_r:apexd_prop:s0
-
-bpf.progs_loaded        u:object_r:bpf_progs_loaded_prop:s0
-
-gsid.                   u:object_r:gsid_prop:s0
-ro.gsid.                u:object_r:gsid_prop:s0
-
-# Property for disabling NNAPI vendor extensions on product image (used on GSI /product image,
-# which can't use NNAPI vendor extensions).
-ro.nnapi.extensions.deny_on_product                u:object_r:nnapi_ext_deny_product_prop:s0
-
-# Property that is set once ueventd finishes cold boot.
-ro.cold_boot_done       u:object_r:cold_boot_done_prop:s0
-
-# Properties that control performance operations.
-# Leave space to later set drop_caches to 1, 2, and 4.
-perf.drop_caches        u:object_r:perf_drop_caches_prop:s0 exact enum 0 3
-
-# Charger properties
-ro.charger.                 u:object_r:charger_prop:s0
-sys.boot_from_charger_mode  u:object_r:charger_status_prop:s0 exact int
-ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
-
-# Virtual A/B properties
-ro.virtual_ab.enabled   u:object_r:virtual_ab_prop:s0 exact bool
-ro.virtual_ab.retrofit  u:object_r:virtual_ab_prop:s0 exact bool
-ro.virtual_ab.compression.enabled  u:object_r:virtual_ab_prop:s0 exact bool
-
-ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
-# Property to set/clear the warm reset flag after an OTA update.
-ota.warm_reset  u:object_r:ota_prop:s0
-# The vbmeta digest for the inactive slot. It can be set after installing
-# ota updates to the b partition of a/b devices.
-ota.other.vbmeta_digest  u:object_r:ota_prop:s0 exact string
-
-# Module properties
-com.android.sdkext.                  u:object_r:module_sdkextensions_prop:s0
-persist.com.android.sdkext.          u:object_r:module_sdkextensions_prop:s0
-
-# Connectivity module
-net.464xlat.cellular.enabled         u:object_r:net_464xlat_fromvendor_prop:s0 exact bool
-net.tcp_def_init_rwnd                u:object_r:net_connectivity_prop:s0 exact int
-
-# Userspace reboot properties
-sys.userspace_reboot.log.         u:object_r:userspace_reboot_log_prop:s0
-persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
-
-# Integer property which is used in libgui to configure the number of frames
-# tracked by buffer queue's frame event timing history. The property is set
-# by devices with video decoding pipelines long enough to overflow the default
-# history size.
-ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
-
-af.fast_track_multiplier         u:object_r:audio_config_prop:s0 exact int
-ro.af.client_heap_size_kbyte     u:object_r:audio_config_prop:s0 exact int
-ro.audio.flinger_standbytime_ms  u:object_r:audio_config_prop:s0 exact int
-
-audio.camerasound.force         u:object_r:audio_config_prop:s0 exact bool
-audio.deep_buffer.media         u:object_r:audio_config_prop:s0 exact bool
-audio.offload.video             u:object_r:audio_config_prop:s0 exact bool
-audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
-
-ro.audio.ignore_effects   u:object_r:audio_config_prop:s0 exact bool
-ro.audio.monitorRotation  u:object_r:audio_config_prop:s0 exact bool
-ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
-
-persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
-
-config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
-
-camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
-camera.fifo.disable     u:object_r:camera_config_prop:s0 exact bool
-ro.camera.notify_nfc    u:object_r:camera_config_prop:s0 exact bool
-ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
-
-ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
-
-# ART properties
-dalvik.vm.                 u:object_r:dalvik_config_prop:s0
-ro.dalvik.vm.              u:object_r:dalvik_config_prop:s0
-ro.zygote                  u:object_r:dalvik_config_prop:s0 exact string
-
-# A set of ART properties listed explicitly for compatibility purposes.
-ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.always_debuggable                   u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.appimageformat                      u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.backgroundgctype                    u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.boot-dex2oat-cpu-set                u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.boot-dex2oat-threads                u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.boot-image                          u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.bgdexopt.new-classes-percent        u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.bgdexopt.new-methods-percent        u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.checkjni                            u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat-Xms                         u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-Xmx                         u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-cpu-set                     u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-filter                      u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-flags                       u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-max-image-block-size        u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.dex2oat-minidebuginfo               u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat-resolve-startup-strings     u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat-threads                     u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.dex2oat-updatable-bcp-packages-file u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-very-large                  u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.dex2oat-swap                        u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat64.enabled                   u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dexopt.secondary                    u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dexopt.thermal-cutoff               u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.execution-mode                      u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.extra-opts                          u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.foreground-heap-growth-multiplier   u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.gctype                              u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapgrowthlimit                     u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapmaxfree                         u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapminfree                         u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapsize                            u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapstartsize                       u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heaptargetutilization               u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.hot-startup-method-samples          u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.image-dex2oat-Xms                   u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-Xmx                   u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-cpu-set               u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-filter                u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-flags                 u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-threads               u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.isa.arm.features                    u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.arm.variant                     u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.arm64.features                  u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.arm64.variant                   u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.mips.features                   u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.mips.variant                    u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.mips64.features                 u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.mips64.variant                  u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.unknown.features                u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.unknown.variant                 u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.x86.features                    u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.x86.variant                     u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.x86_64.features                 u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.x86_64.variant                  u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.jitinitialsize                      u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.jitmaxsize                          u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.jitprithreadweight                  u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.jitthreshold                        u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.jittransitionweight                 u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.jniopts                             u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.lockprof.threshold                  u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.method-trace                        u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.method-trace-file                   u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.method-trace-file-siz               u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.method-trace-stream                 u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.profilesystemserver                 u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.profilebootclasspath                u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.ps-min-save-period-ms               u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.ps-resolved-classes-delay-ms        u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.restore-dex2oat-cpu-set             u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.restore-dex2oat-threads             u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.usejit                              u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.usejitprofiles                      u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.zygote.max-boot-retry               u:object_r:dalvik_config_prop:s0 exact int
-
-persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
-
-keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
-
-media.c2.dmabuf.padding                      u:object_r:codec2_config_prop:s0 exact int
-
-media.recorder.show_manufacturer_and_model   u:object_r:media_config_prop:s0 exact bool
-media.stagefright.cache-params               u:object_r:media_config_prop:s0 exact string
-media.stagefright.enable-aac                 u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-fma2dp              u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-http                u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-player              u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-qcp                 u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-scan                u:object_r:media_config_prop:s0 exact bool
-media.stagefright.thumbnail.prefer_hw_codecs u:object_r:media_config_prop:s0 exact bool
-persist.sys.media.avsync                     u:object_r:media_config_prop:s0 exact bool
-
-persist.bluetooth.a2dp_offload.cap             u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
-persist.bluetooth.a2dp_offload.disabled        u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
-persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
-persist.bluetooth.btsnoopenable                u:object_r:exported_bluetooth_prop:s0 exact bool
-
-persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
-
-persist.sys.hdmi.keep_awake                                        u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec_device_types                                           u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.device_type                                                u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.set_menu_language                                          u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec.source.set_menu_language.enabled                       u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.property_sytem_audio_device_arc_port                       u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.cec_audio_device_forward_volume_keys_system_audio_mode_off u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.property_is_device_hdmi_cec_switch                         u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.wake_on_hotplug                                            u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec.source.send_standby_on_sleep                           u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
-ro.hdmi.cec.source.playback_device_action_on_routing_control       u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
-
-pm.dexopt.ab-ota                            u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.bg-dexopt                         u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.boot                              u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.cmdline                           u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.disable_bg_dexopt                 u:object_r:exported_pm_prop:s0 exact bool
-pm.dexopt.downgrade_after_inactive_days     u:object_r:exported_pm_prop:s0 exact int
-pm.dexopt.first-boot                        u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.inactive                          u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install                           u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-fast                      u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk                      u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary            u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-downgraded           u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.shared                            u:object_r:exported_pm_prop:s0 exact string
-
-ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
-
-ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
-
-ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
-
-ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
-
-ro.config.alarm_alert         u:object_r:systemsound_config_prop:s0 exact string
-ro.config.alarm_vol_default   u:object_r:systemsound_config_prop:s0 exact int
-ro.config.alarm_vol_steps     u:object_r:systemsound_config_prop:s0 exact int
-ro.config.media_vol_default   u:object_r:systemsound_config_prop:s0 exact int
-ro.config.media_vol_steps     u:object_r:systemsound_config_prop:s0 exact int
-ro.config.notification_sound  u:object_r:systemsound_config_prop:s0 exact string
-ro.config.ringtone            u:object_r:systemsound_config_prop:s0 exact string
-ro.config.system_vol_default  u:object_r:systemsound_config_prop:s0 exact int
-ro.config.system_vol_steps    u:object_r:systemsound_config_prop:s0 exact int
-ro.config.vc_call_vol_default u:object_r:systemsound_config_prop:s0 exact int
-
-ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log
-ro.cp_system_other_odex        u:object_r:packagemanager_config_prop:s0 exact bool
-
-ro.crypto.allow_encrypt_override                u:object_r:vold_config_prop:s0 exact bool
-ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
-ro.crypto.fde_algorithm                         u:object_r:vold_config_prop:s0 exact string
-ro.crypto.fde_sector_size                       u:object_r:vold_config_prop:s0 exact int
-ro.crypto.scrypt_params                         u:object_r:vold_config_prop:s0 exact string
-ro.crypto.set_dun                               u:object_r:vold_config_prop:s0 exact bool
-ro.crypto.volume.contents_mode                  u:object_r:vold_config_prop:s0 exact string
-ro.crypto.volume.filenames_mode                 u:object_r:vold_config_prop:s0 exact string
-ro.crypto.volume.metadata.encryption            u:object_r:vold_config_prop:s0 exact string
-ro.crypto.volume.metadata.method                u:object_r:vold_config_prop:s0 exact string
-ro.crypto.volume.options                        u:object_r:vold_config_prop:s0 exact string
-
-external_storage.projid.enabled   u:object_r:storage_config_prop:s0 exact bool
-external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
-external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
-external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
-
-ro.config.per_app_memcg         u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.critical                 u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.critical_upgrade         u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.debug                    u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.downgrade_pressure       u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.kill_heaviest_task       u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.kill_timeout_ms          u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.log_stats                u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.low                      u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.medium                   u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.psi_partial_stall_ms     u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.psi_complete_stall_ms    u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.swap_util_max            u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.thrashing_limit          u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.thrashing_limit_decay    u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.use_minfree_levels       u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.upgrade_pressure         u:object_r:lmkd_config_prop:s0 exact int
-lmkd.reinit                     u:object_r:lmkd_prop:s0 exact int
-
-ro.media.xml_variant.codecs             u:object_r:media_variant_prop:s0 exact string
-ro.media.xml_variant.codecs_performance u:object_r:media_variant_prop:s0 exact string
-ro.media.xml_variant.profiles           u:object_r:media_variant_prop:s0 exact string
-
-ro.minui.default_rotation u:object_r:recovery_config_prop:s0 exact string
-ro.minui.overscan_percent u:object_r:recovery_config_prop:s0 exact int
-ro.minui.pixel_format     u:object_r:recovery_config_prop:s0 exact string
-
-ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0 exact int
-
-ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
-
-ro.storage_manager.enabled     u:object_r:storagemanager_config_prop:s0 exact bool
-ro.storage_manager.show_opt_in u:object_r:storagemanager_config_prop:s0 exact bool
-
-ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
-
-ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
-
-ro.zram.mark_idle_delay_mins    u:object_r:zram_config_prop:s0 exact int
-ro.zram.first_wb_delay_mins     u:object_r:zram_config_prop:s0 exact int
-ro.zram.periodic_wb_delay_hours u:object_r:zram_config_prop:s0 exact int
-zram.force_writeback            u:object_r:zram_config_prop:s0 exact bool
-persist.sys.zram_enabled        u:object_r:zram_control_prop:s0 exact bool
-
-sendbug.preferred.domain u:object_r:sendbug_config_prop:s0 exact string
-
-persist.sys.usb.usbradio.config u:object_r:usb_control_prop:s0 exact string
-
-sys.usb.config     u:object_r:usb_control_prop:s0 exact string
-sys.usb.configfs   u:object_r:usb_control_prop:s0 exact int
-sys.usb.controller u:object_r:usb_control_prop:s0 exact string
-sys.usb.state      u:object_r:usb_control_prop:s0 exact string
-
-sys.usb.mtp.device_type u:object_r:usb_config_prop:s0 exact int
-
-sys.usb.config. u:object_r:usb_prop:s0
-
-sys.usb.ffs.aio_compat u:object_r:ffs_config_prop:s0 exact bool
-sys.usb.ffs.max_read   u:object_r:ffs_config_prop:s0 exact int
-sys.usb.ffs.max_write  u:object_r:ffs_config_prop:s0 exact int
-
-sys.usb.ffs.ready     u:object_r:ffs_control_prop:s0 exact bool
-sys.usb.ffs.mtp.ready u:object_r:ffs_control_prop:s0 exact bool
-
-tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int
-
-vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
+hwservicemanager.ready u:object_r:hwservicemanager_prop:s0 exact bool
 
 apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
 
-odsign.key.done u:object_r:odsign_prop:s0 exact bool
-odsign.verification.done u:object_r:odsign_prop:s0 exact bool
-odsign.verification.success u:object_r:odsign_prop:s0 exact bool
+ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
 
-dev.bootcomplete   u:object_r:boot_status_prop:s0 exact bool
-sys.boot_completed u:object_r:boot_status_prop:s0 exact bool
+sys.usb.controller u:object_r:usb_control_prop:s0 exact string
 
-persist.sys.device_provisioned u:object_r:provisioned_prop:s0 exact string
+init.svc.derive_sdk                u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.hwservicemanager          u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.keystore2                 u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd                      u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.logd-reinit               u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.microdroid_manager        u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.servicemanager            u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.ueventd                   u:object_r:init_service_status_private_prop:s0 exact string
+init.svc.zipfuse                   u:object_r:init_service_status_private_prop:s0 exact string
 
-persist.sys.theme               u:object_r:theme_prop:s0 exact string
+init.svc.adbd       u:object_r:init_service_status_prop:s0 exact string
+init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
 
-sys.retaildemo.enabled u:object_r:retaildemo_prop:s0 exact int
+init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
 
-sys.user.0.ce_available u:object_r:exported3_system_prop:s0 exact bool
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.baseband      u:object_r:bootloader_prop:s0 exact string
+ro.bootloader    u:object_r:bootloader_prop:s0 exact string
+ro.bootmode      u:object_r:bootloader_prop:s0 exact string
+ro.hardware      u:object_r:bootloader_prop:s0 exact string
+ro.revision      u:object_r:bootloader_prop:s0 exact string
 
-aac_drc_boost            u:object_r:aac_drc_prop:s0 exact int
-aac_drc_cut              u:object_r:aac_drc_prop:s0 exact int
-aac_drc_enc_target_level u:object_r:aac_drc_prop:s0 exact int
-aac_drc_heavy            u:object_r:aac_drc_prop:s0 exact int
-aac_drc_reference_level  u:object_r:aac_drc_prop:s0 exact int
-ro.aac_drc_effect_type   u:object_r:aac_drc_prop:s0 exact int
-
-build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
-
-drm.64bit.enabled            u:object_r:mediadrm_config_prop:s0 exact bool
-media.mediadrmservice.enable u:object_r:mediadrm_config_prop:s0 exact bool
-
-drm.service.enabled u:object_r:drm_service_config_prop:s0 exact bool
-
-dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
-dumpstate.unroot  u:object_r:exported_dumpstate_prop:s0 exact bool
-persist.dumpstate.verbose_logging.enabled u:object_r:hal_dumpstate_config_prop:s0 exact bool
-
-hal.instrumentation.enable u:object_r:hal_instrumentation_prop:s0 exact bool
-
-# default contexts only accessible by coredomain
-init.svc. u:object_r:init_service_status_private_prop:s0 prefix string
-
-# Globally-readable init service props
-init.svc.adbd           u:object_r:init_service_status_prop:s0 exact string
-init.svc.bugreport      u:object_r:init_service_status_prop:s0 exact string
-init.svc.bugreportd     u:object_r:init_service_status_prop:s0 exact string
-init.svc.console        u:object_r:init_service_status_prop:s0 exact string
-init.svc.dumpstatez     u:object_r:init_service_status_prop:s0 exact string
-init.svc.mediadrm       u:object_r:init_service_status_prop:s0 exact string
-init.svc.statsd         u:object_r:init_service_status_prop:s0 exact string
-init.svc.surfaceflinger u:object_r:init_service_status_prop:s0 exact string
-init.svc.tombstoned     u:object_r:init_service_status_prop:s0 exact string
-init.svc.zygote         u:object_r:init_service_status_prop:s0 exact string
-
-libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
-libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
-libc.debug.hooks.enable   u:object_r:libc_debug_prop:s0 exact string
-
-# shell-only props for ARM memory tagging (MTE).
-arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
-
-net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
-
-persist.sys.locale       u:object_r:exported_system_prop:s0 exact string
-persist.sys.timezone     u:object_r:exported_system_prop:s0 exact string
-persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
-
-ro.arch u:object_r:build_prop:s0 exact string
-
-# ro.boot. properties are set based on kernel commandline arguments, which are vendor owned.
-ro.boot.                   u:object_r:bootloader_prop:s0
-ro.boot.avb_version        u:object_r:bootloader_prop:s0 exact string
-ro.boot.baseband           u:object_r:bootloader_prop:s0 exact string
-ro.boot.bootdevice         u:object_r:bootloader_prop:s0 exact string
-ro.boot.bootloader         u:object_r:bootloader_prop:s0 exact string
-ro.boot.boottime           u:object_r:bootloader_prop:s0 exact string
-ro.boot.console            u:object_r:bootloader_prop:s0 exact string
-ro.boot.hardware           u:object_r:bootloader_prop:s0 exact string
-ro.boot.hardware.color     u:object_r:bootloader_prop:s0 exact string
-ro.boot.hardware.sku       u:object_r:bootloader_prop:s0 exact string
-ro.boot.keymaster          u:object_r:bootloader_prop:s0 exact string
-ro.boot.mode               u:object_r:bootloader_prop:s0 exact string
-# Populated on Android Studio Emulator (for emulator specific workarounds)
-ro.boot.qemu               u:object_r:bootloader_prop:s0 exact bool
-ro.boot.revision           u:object_r:bootloader_prop:s0 exact string
-ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
-ro.boot.verifiedbootstate  u:object_r:bootloader_prop:s0 exact string
-ro.boot.veritymode         u:object_r:bootloader_prop:s0 exact string
-
-# These ro.X properties are set to values of ro.boot.X by property_service.
-ro.baseband   u:object_r:bootloader_prop:s0 exact string
-ro.bootloader u:object_r:bootloader_prop:s0 exact string
-ro.bootmode   u:object_r:bootloader_prop:s0 exact string
-ro.hardware   u:object_r:bootloader_prop:s0 exact string
-ro.revision   u:object_r:bootloader_prop:s0 exact string
-
-ro.boot.dynamic_partitions          u:object_r:exported_default_prop:s0 exact string
-ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
-
-ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
-ro.boottime.init.fsck.data  u:object_r:boottime_public_prop:s0 exact string
-
-ro.build.characteristics                  u:object_r:build_prop:s0 exact string
-ro.build.date                             u:object_r:build_prop:s0 exact string
-ro.build.date.utc                         u:object_r:build_prop:s0 exact int
-ro.build.description                      u:object_r:build_prop:s0 exact string
-ro.build.display.id                       u:object_r:build_prop:s0 exact string
-ro.build.flavor                           u:object_r:build_prop:s0 exact string
-ro.build.host                             u:object_r:build_prop:s0 exact string
-ro.build.id                               u:object_r:build_prop:s0 exact string
-ro.build.product                          u:object_r:build_prop:s0 exact string
-ro.build.system_root_image                u:object_r:build_prop:s0 exact bool
-ro.build.tags                             u:object_r:build_prop:s0 exact string
-ro.build.type                             u:object_r:build_prop:s0 exact string
-ro.build.user                             u:object_r:build_prop:s0 exact string
-ro.build.version.all_codenames            u:object_r:build_prop:s0 exact string
-ro.build.version.base_os                  u:object_r:build_prop:s0 exact string
-ro.build.version.codename                 u:object_r:build_prop:s0 exact string
-ro.build.version.incremental              u:object_r:build_prop:s0 exact string
-ro.build.version.min_supported_target_sdk u:object_r:build_prop:s0 exact int
-ro.build.version.preview_sdk              u:object_r:build_prop:s0 exact int
-ro.build.version.preview_sdk_fingerprint  u:object_r:build_prop:s0 exact string
-ro.build.version.release                  u:object_r:build_prop:s0 exact string
-ro.build.version.release_or_codename      u:object_r:build_prop:s0 exact string
-ro.build.version.sdk                      u:object_r:build_prop:s0 exact int
-ro.build.version.security_patch           u:object_r:build_prop:s0 exact string
-
-ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
-
-ro.debuggable u:object_r:build_prop:s0 exact bool
-
-ro.treble.enabled u:object_r:build_prop:s0 exact bool
-
-ro.product.cpu.abi       u:object_r:build_prop:s0 exact string
-ro.product.cpu.abilist   u:object_r:build_prop:s0 exact string
-ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
-ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
-
-ro.product.system.brand        u:object_r:build_prop:s0 exact string
-ro.product.system.device       u:object_r:build_prop:s0 exact string
-ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
-ro.product.system.model        u:object_r:build_prop:s0 exact string
-ro.product.system.name         u:object_r:build_prop:s0 exact string
-
-ro.system.build.date                        u:object_r:build_prop:s0 exact string
-ro.system.build.date.utc                    u:object_r:build_prop:s0 exact int
-ro.system.build.fingerprint                 u:object_r:build_prop:s0 exact string
-ro.system.build.id                          u:object_r:build_prop:s0 exact string
-ro.system.build.tags                        u:object_r:build_prop:s0 exact string
-ro.system.build.type                        u:object_r:build_prop:s0 exact string
-ro.system.build.version.incremental         u:object_r:build_prop:s0 exact string
-ro.system.build.version.release             u:object_r:build_prop:s0 exact string
-ro.system.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.system.build.version.sdk                 u:object_r:build_prop:s0 exact int
-
-ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure     u:object_r:build_prop:s0 exact int
-
-ro.product.system_ext.brand        u:object_r:build_prop:s0 exact string
-ro.product.system_ext.device       u:object_r:build_prop:s0 exact string
-ro.product.system_ext.manufacturer u:object_r:build_prop:s0 exact string
-ro.product.system_ext.model        u:object_r:build_prop:s0 exact string
-ro.product.system_ext.name         u:object_r:build_prop:s0 exact string
-
-ro.system_ext.build.date                        u:object_r:build_prop:s0 exact string
-ro.system_ext.build.date.utc                    u:object_r:build_prop:s0 exact int
-ro.system_ext.build.fingerprint                 u:object_r:build_prop:s0 exact string
-ro.system_ext.build.id                          u:object_r:build_prop:s0 exact string
-ro.system_ext.build.tags                        u:object_r:build_prop:s0 exact string
-ro.system_ext.build.type                        u:object_r:build_prop:s0 exact string
-ro.system_ext.build.version.incremental         u:object_r:build_prop:s0 exact string
-ro.system_ext.build.version.release             u:object_r:build_prop:s0 exact string
-ro.system_ext.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.system_ext.build.version.sdk                 u:object_r:build_prop:s0 exact int
-
-# These ro.product.product.* and ro.product.build.* are set by /product/etc/build.prop
-ro.product.product.brand        u:object_r:build_prop:s0 exact string
-ro.product.product.device       u:object_r:build_prop:s0 exact string
-ro.product.product.manufacturer u:object_r:build_prop:s0 exact string
-ro.product.product.model        u:object_r:build_prop:s0 exact string
-ro.product.product.name         u:object_r:build_prop:s0 exact string
-
-ro.product.build.date                        u:object_r:build_prop:s0 exact string
-ro.product.build.date.utc                    u:object_r:build_prop:s0 exact int
-ro.product.build.fingerprint                 u:object_r:build_prop:s0 exact string
-ro.product.build.id                          u:object_r:build_prop:s0 exact string
-ro.product.build.tags                        u:object_r:build_prop:s0 exact string
-ro.product.build.type                        u:object_r:build_prop:s0 exact string
-ro.product.build.version.incremental         u:object_r:build_prop:s0 exact string
-ro.product.build.version.release             u:object_r:build_prop:s0 exact string
-ro.product.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.product.build.version.sdk                 u:object_r:build_prop:s0 exact int
-
-# These 5 properties are set by property_service
-ro.product.brand         u:object_r:build_prop:s0 exact string
-ro.product.device        u:object_r:build_prop:s0 exact string
-ro.product.manufacturer  u:object_r:build_prop:s0 exact string
-ro.product.model         u:object_r:build_prop:s0 exact string
-ro.product.name          u:object_r:build_prop:s0 exact string
-
-# Sanitizer properties
-ro.sanitize.address          u:object_r:build_prop:s0 exact bool
-ro.sanitize.cfi              u:object_r:build_prop:s0 exact bool
-ro.sanitize.default-ub       u:object_r:build_prop:s0 exact bool
-ro.sanitize.fuzzer           u:object_r:build_prop:s0 exact bool
-ro.sanitize.hwaddress        u:object_r:build_prop:s0 exact bool
-ro.sanitize.integer_overflow u:object_r:build_prop:s0 exact bool
-ro.sanitize.safe-stack       u:object_r:build_prop:s0 exact bool
-ro.sanitize.scudo            u:object_r:build_prop:s0 exact bool
-ro.sanitize.thread           u:object_r:build_prop:s0 exact bool
-ro.sanitize.undefined        u:object_r:build_prop:s0 exact bool
-
-# All odm build props are set by /odm/build.prop
-ro.odm.build.date                u:object_r:build_odm_prop:s0 exact string
-ro.odm.build.date.utc            u:object_r:build_odm_prop:s0 exact int
-ro.odm.build.fingerprint         u:object_r:build_odm_prop:s0 exact string
-ro.odm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
-ro.odm.build.media_performance_class   u:object_r:build_odm_prop:s0 exact int
-
-ro.product.odm.brand        u:object_r:build_odm_prop:s0 exact string
-ro.product.odm.device       u:object_r:build_odm_prop:s0 exact string
-ro.product.odm.manufacturer u:object_r:build_odm_prop:s0 exact string
-ro.product.odm.model        u:object_r:build_odm_prop:s0 exact string
-ro.product.odm.name         u:object_r:build_odm_prop:s0 exact string
-
-# All vendor_dlkm build props are set by /vendor_dlkm/etc/build.prop
-ro.vendor_dlkm.build.date                        u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.date.utc                    u:object_r:build_vendor_prop:s0 exact int
-ro.vendor_dlkm.build.fingerprint                 u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.id                          u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.tags                        u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.type                        u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.incremental         u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.release             u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.sdk                 u:object_r:build_vendor_prop:s0 exact int
-
-# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
-ro.product.odm_dlkm.brand        u:object_r:build_odm_prop:s0 exact string
-ro.product.odm_dlkm.device       u:object_r:build_odm_prop:s0 exact string
-ro.product.odm_dlkm.manufacturer u:object_r:build_odm_prop:s0 exact string
-ro.product.odm_dlkm.model        u:object_r:build_odm_prop:s0 exact string
-ro.product.odm_dlkm.name         u:object_r:build_odm_prop:s0 exact string
-
-ro.odm_dlkm.build.date                        u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.date.utc                    u:object_r:build_odm_prop:s0 exact int
-ro.odm_dlkm.build.fingerprint                 u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.id                          u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.tags                        u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.type                        u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.version.incremental         u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.version.release             u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.version.release_or_codename u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.version.sdk                 u:object_r:build_odm_prop:s0 exact int
-
-# enforces debugfs restrictions in non-user builds, set by /vendor/build.prop
-ro.product.debugfs_restrictions.enabled u:object_r:debugfs_restriction_prop:s0 exact bool
-
-# All vendor build props are set by /vendor/build.prop
-ro.vendor.build.date                        u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.date.utc                    u:object_r:build_vendor_prop:s0 exact int
-ro.vendor.build.fingerprint                 u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.fingerprint_has_digest      u:object_r:build_vendor_prop:s0 exact bool
-ro.vendor.build.id                          u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.tags                        u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.type                        u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.incremental         u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.release             u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.sdk                 u:object_r:build_vendor_prop:s0 exact int
-
-# All vendor CPU abilist props are set by /vendor/build.prop
-ro.vendor.product.cpu.abilist   u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.product.cpu.abilist32 u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.product.cpu.abilist64 u:object_r:build_vendor_prop:s0 exact string
-
-ro.product.board                    u:object_r:build_vendor_prop:s0 exact string
-ro.product.first_api_level          u:object_r:build_vendor_prop:s0 exact int
-ro.product.vendor.brand             u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.device            u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.manufacturer      u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.model             u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.name              u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.brand        u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.device       u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.manufacturer u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.model        u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.name         u:object_r:build_vendor_prop:s0 exact string
-
-# GRF property for the first api level of the vendor partition
-ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
-ro.board.api_level       u:object_r:build_vendor_prop:s0 exact int
-
-# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
-ro.bootimage.build.date                        u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.date.utc                    u:object_r:build_bootimage_prop:s0 exact int
-ro.bootimage.build.fingerprint                 u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.id                          u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.tags                        u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.type                        u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.incremental         u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.release             u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.release_or_codename u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.sdk                 u:object_r:build_bootimage_prop:s0 exact int
-
-ro.product.bootimage.brand        u:object_r:build_bootimage_prop:s0 exact string
-ro.product.bootimage.device       u:object_r:build_bootimage_prop:s0 exact string
-ro.product.bootimage.manufacturer u:object_r:build_bootimage_prop:s0 exact string
-ro.product.bootimage.model        u:object_r:build_bootimage_prop:s0 exact string
-ro.product.bootimage.name         u:object_r:build_bootimage_prop:s0 exact string
-
-# ro.product.property_source_order is settable from any build.prop
-ro.product.property_source_order u:object_r:build_config_prop:s0 exact string
-
-ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
-ro.crypto.type  u:object_r:vold_status_prop:s0 exact enum block file none
+ro.build.id                     u:object_r:build_prop:s0 exact string
+ro.build.version.release        u:object_r:build_prop:s0 exact string
+ro.build.version.security_patch u:object_r:build_prop:s0 exact string
+ro.debuggable                   u:object_r:build_prop:s0 exact bool
+ro.product.cpu.abilist          u:object_r:build_prop:s0 exact string
+ro.adb.secure                   u:object_r:build_prop:s0 exact bool
 
 ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
 
-ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
-
-service.bootanim.exit u:object_r:bootanim_system_prop:s0 exact int
-service.bootanim.progress u:object_r:bootanim_system_prop:s0 exact int
-
-sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
-sys.use_memfd                         u:object_r:use_memfd_prop:s0 exact bool
-
-vold.decrypt u:object_r:vold_status_prop:s0 exact string
-
-aaudio.hw_burst_min_usec     u:object_r:aaudio_config_prop:s0 exact int
-aaudio.minimum_sleep_usec    u:object_r:aaudio_config_prop:s0 exact int
-aaudio.mixer_bursts          u:object_r:aaudio_config_prop:s0 exact int
-aaudio.mmap_exclusive_policy u:object_r:aaudio_config_prop:s0 exact int
-aaudio.mmap_policy           u:object_r:aaudio_config_prop:s0 exact int
-aaudio.wakeup_delay_usec     u:object_r:aaudio_config_prop:s0 exact int
-
-persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
-
-ro.bionic.2nd_arch        u:object_r:cpu_variant_prop:s0 exact string
-ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
-ro.bionic.arch            u:object_r:cpu_variant_prop:s0 exact string
-ro.bionic.cpu_variant     u:object_r:cpu_variant_prop:s0 exact string
-
-ro.board.platform u:object_r:exported_default_prop:s0 exact string
-
-ro.boot.fake_battery         u:object_r:exported_default_prop:s0 exact int
-ro.boot.fstab_suffix         u:object_r:exported_default_prop:s0 exact string
-ro.boot.hardware.revision    u:object_r:exported_default_prop:s0 exact string
-ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
-ro.boot.product.vendor.sku   u:object_r:exported_default_prop:s0 exact string
-ro.boot.slot_suffix          u:object_r:exported_default_prop:s0 exact string
-
-ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
-
-# Update related props
-ro.build.ab_update                                u:object_r:exported_default_prop:s0 exact string
-ro.build.ab_update.gki.prevent_downgrade_version  u:object_r:ab_update_gki_prop:s0 exact bool
-ro.build.ab_update.gki.prevent_downgrade_spl      u:object_r:ab_update_gki_prop:s0 exact bool
-
-ro.build.expect.baseband   u:object_r:exported_default_prop:s0 exact string
-ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
-
-ro.carrier u:object_r:exported_default_prop:s0 exact string
-
-ro.config.low_ram           u:object_r:exported_config_prop:s0 exact bool
-ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
-
-ro.frp.pst u:object_r:exported_default_prop:s0 exact string
-
-ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio                u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.a2dp           u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.hearing_aid    u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.primary        u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.usb            u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio_policy         u:object_r:exported_default_prop:s0 exact string
-ro.hardware.bootctrl             u:object_r:exported_default_prop:s0 exact string
-ro.hardware.camera               u:object_r:exported_default_prop:s0 exact string
-ro.hardware.consumerir           u:object_r:exported_default_prop:s0 exact string
-ro.hardware.context_hub          u:object_r:exported_default_prop:s0 exact string
-ro.hardware.egl                  u:object_r:exported_default_prop:s0 exact string
-ro.hardware.fingerprint          u:object_r:exported_default_prop:s0 exact string
-ro.hardware.flp                  u:object_r:exported_default_prop:s0 exact string
-ro.hardware.gatekeeper           u:object_r:exported_default_prop:s0 exact string
-ro.hardware.gps                  u:object_r:exported_default_prop:s0 exact string
-ro.hardware.gralloc              u:object_r:exported_default_prop:s0 exact string
-ro.hardware.hdmi_cec             u:object_r:exported_default_prop:s0 exact string
-ro.hardware.hwcomposer           u:object_r:exported_default_prop:s0 exact string
-ro.hardware.input                u:object_r:exported_default_prop:s0 exact string
-ro.hardware.keystore             u:object_r:exported_default_prop:s0 exact string
-ro.hardware.keystore_desede      u:object_r:exported_default_prop:s0 exact string
-ro.hardware.lights               u:object_r:exported_default_prop:s0 exact string
-ro.hardware.local_time           u:object_r:exported_default_prop:s0 exact string
-ro.hardware.memtrack             u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nfc                  u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nfc_nci              u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nfc_tag              u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nvram                u:object_r:exported_default_prop:s0 exact string
-ro.hardware.power                u:object_r:exported_default_prop:s0 exact string
-ro.hardware.radio                u:object_r:exported_default_prop:s0 exact string
-ro.hardware.sensors              u:object_r:exported_default_prop:s0 exact string
-ro.hardware.sound_trigger        u:object_r:exported_default_prop:s0 exact string
-ro.hardware.thermal              u:object_r:exported_default_prop:s0 exact string
-ro.hardware.tv_input             u:object_r:exported_default_prop:s0 exact string
-ro.hardware.type                 u:object_r:exported_default_prop:s0 exact string
-ro.hardware.vehicle              u:object_r:exported_default_prop:s0 exact string
-ro.hardware.vibrator             u:object_r:exported_default_prop:s0 exact string
-ro.hardware.virtual_device       u:object_r:exported_default_prop:s0 exact string
-ro.hardware.vulkan               u:object_r:exported_default_prop:s0 exact string
-
-ro.hw_timeout_multiplier u:object_r:hw_timeout_multiplier_prop:s0 exact int
-
-ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
-
-# ro.kernel.* properties are emulator specific and deprecated. Do not use.
-# Should be retired once presubmit allows.
-ro.kernel.qemu             u:object_r:exported_default_prop:s0 exact bool
-ro.kernel.qemu.            u:object_r:exported_default_prop:s0
-ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
-
-ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
-
-ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
-
-ro.vndk.lite    u:object_r:vndk_prop:s0 exact bool
-ro.vndk.version u:object_r:vndk_prop:s0 exact string
-
-ro.vts.coverage u:object_r:vts_config_prop:s0 exact int
-
-vts.native_server.on u:object_r:vts_status_prop:s0 exact bool
-
-wifi.active.interface     u:object_r:wifi_hal_prop:s0 exact string
-wifi.aware.interface      u:object_r:wifi_hal_prop:s0 exact string
-wifi.concurrent.interface u:object_r:wifi_hal_prop:s0 exact string
-wifi.direct.interface     u:object_r:wifi_hal_prop:s0 exact string
-wifi.interface            u:object_r:wifi_hal_prop:s0 exact string
-wlan.driver.status        u:object_r:wifi_hal_prop:s0 exact enum ok unloaded
-
-ro.boot.wificountrycode u:object_r:wifi_config_prop:s0 exact string
+ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
 
 ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
 
-# Property to enable incremental feature
-ro.incremental.enable      u:object_r:incremental_prop:s0
-
-# Properties to configure userspace reboot.
-init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
-init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-init.userspace_reboot.sigterm.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-init.userspace_reboot.started.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-
-sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
-
-# surfaceflinger properties
-ro.surface_flinger.default_composition_dataspace          u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.default_composition_pixel_format       u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.force_hwc_copy_for_virtual_displays    u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.has_HDR_display                        u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.has_wide_color_display                 u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.max_frame_buffer_acquired_buffers      u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.max_graphics_height                    u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.max_graphics_width                     u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.max_virtual_display_dimension          u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.primary_display_orientation            u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
-ro.surface_flinger.present_time_offset_from_vsync_ns      u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.running_without_sync_framework         u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.start_graphics_allocator_service       u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_color_management                   u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_context_priority                   u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_vr_flinger                         u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.vsync_event_phase_offset_ns            u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.vsync_sf_event_phase_offset_ns         u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.wcg_composition_dataspace              u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.wcg_composition_pixel_format           u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.display_primary_red                    u:object_r:surfaceflinger_prop:s0 exact string
-ro.surface_flinger.display_primary_green                  u:object_r:surfaceflinger_prop:s0 exact string
-ro.surface_flinger.display_primary_blue                   u:object_r:surfaceflinger_prop:s0 exact string
-ro.surface_flinger.display_primary_white                  u:object_r:surfaceflinger_prop:s0 exact string
-ro.surface_flinger.protected_contents                     u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.set_idle_timer_ms                      u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.set_touch_timer_ms                     u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.set_display_power_timer_ms             u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.support_kernel_idle_timer              u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.supports_background_blur               u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_smart_90_for_video                 u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.color_space_agnostic_dataspace         u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.refresh_rate_switching                 u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.enable_frame_rate_override             u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.enable_layer_caching                   u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.display_update_imminent_timeout_ms     u:object_r:surfaceflinger_prop:s0 exact int
-
-ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
-ro.sf.lcd_density           u:object_r:surfaceflinger_prop:s0 exact int
-
-persist.sys.sf.color_mode       u:object_r:surfaceflinger_color_prop:s0 exact int
-persist.sys.sf.color_saturation u:object_r:surfaceflinger_color_prop:s0 exact string
-persist.sys.sf.native_mode      u:object_r:surfaceflinger_color_prop:s0 exact int
-
-# Binder cache properties.  These are world-readable
-cache_key.app_inactive                   u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_compat_change_enabled       u:object_r:binder_cache_system_server_prop:s0
-cache_key.get_packages_for_uid           u:object_r:binder_cache_system_server_prop:s0
-cache_key.has_system_feature             u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_interactive                 u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_power_save_mode             u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_user_unlocked               u:object_r:binder_cache_system_server_prop:s0
-cache_key.volume_list                    u:object_r:binder_cache_system_server_prop:s0
-cache_key.display_info                   u:object_r:binder_cache_system_server_prop:s0
-cache_key.location_enabled               u:object_r:binder_cache_system_server_prop:s0
-cache_key.package_info                   u:object_r:binder_cache_system_server_prop:s0
-
-cache_key.bluetooth.                     u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
-cache_key.system_server.                 u:object_r:binder_cache_system_server_prop:s0 prefix string
-cache_key.telephony.                     u:object_r:binder_cache_telephony_server_prop:s0 prefix string
-
-# Framework watchdog configuration properties.
-framework_watchdog.fatal_count                u:object_r:framework_watchdog_config_prop:s0 exact int
-framework_watchdog.fatal_window.second        u:object_r:framework_watchdog_config_prop:s0 exact int
-
-gsm.sim.operator.numeric       u:object_r:telephony_status_prop:s0 exact string
-persist.radio.airplane_mode_on u:object_r:telephony_status_prop:s0 exact bool
-
-ro.cdma.home.operator.alpha       u:object_r:telephony_config_prop:s0 exact string
-ro.cdma.home.operator.numeric     u:object_r:telephony_config_prop:s0 exact string
-ro.com.android.dataroaming        u:object_r:telephony_config_prop:s0 exact bool
-ro.com.android.prov_mobiledata    u:object_r:telephony_config_prop:s0 exact bool
-ro.radio.noril                    u:object_r:telephony_config_prop:s0 exact string
-ro.telephony.call_ring.multiple   u:object_r:telephony_config_prop:s0 exact bool
-ro.telephony.default_cdma_sub     u:object_r:telephony_config_prop:s0 exact int
-ro.telephony.default_network      u:object_r:telephony_config_prop:s0 exact string
-ro.telephony.iwlan_operation_mode u:object_r:telephony_config_prop:s0 exact enum default legacy AP-assisted
-telephony.active_modems.max_count u:object_r:telephony_config_prop:s0 exact int
-telephony.lteOnCdmaDevice         u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.volte_avail_ovr       u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.vt_avail_ovr          u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.wfc_avail_ovr         u:object_r:telephony_config_prop:s0 exact int
-
-# System locale list filter configuration
-ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
-
-# Graphics related properties
-ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
-
-ro.gfx.driver.0          u:object_r:graphics_config_prop:s0 exact string
-ro.gfx.driver.1          u:object_r:graphics_config_prop:s0 exact string
-ro.gfx.angle.supported   u:object_r:graphics_config_prop:s0 exact bool
-ro.gfx.driver_build_time u:object_r:graphics_config_prop:s0 exact int
-
-graphics.gpu.profiler.support          u:object_r:graphics_config_prop:s0 exact bool
-graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
-
-ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
-
-# surfaceflinger-settable
-graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
-
-# Disable/enable charger input
-power.battery_input.suspended u:object_r:power_debug_prop:s0 exact bool
-
-# zygote config property
-zygote.critical_window.minute u:object_r:zygote_config_prop:s0 exact int
-
-ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
-
-# Broadcast boot stages, which keystore listens to
 keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
-
-partition.system.verified     u:object_r:verity_status_prop:s0 exact string
-partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
-partition.product.verified    u:object_r:verity_status_prop:s0 exact string
-partition.vendor.verified     u:object_r:verity_status_prop:s0 exact string
-
-partition.system.verified.hash_alg     u:object_r:verity_status_prop:s0 exact string
-partition.system_ext.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
-partition.product.verified.hash_alg    u:object_r:verity_status_prop:s0 exact string
-partition.vendor.verified.hash_alg     u:object_r:verity_status_prop:s0 exact string
-
-ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
-ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
-ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
-ro.setupwizard.wifi_on_exit    u:object_r:setupwizard_prop:s0 exact bool
-
-setupwizard.enable_assist_gesture_training                         u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.avoid_duplicate_tos                            u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.baseline_setupwizard_enabled                   u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.day_night_mode_enabled                         u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.deferred_setup_low_ram_filter                  u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.deferred_setup_notification                    u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.deferred_setup_suggestion                      u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.device_default_dark_mode                       u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.esim_enabled                                   u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.google_services_deferred_setup_pretend_not_suw u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.lock_mobile_data                               u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.lock_mobile_data.carrier-1                     u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.portal_notification                            u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.predeferred_enabled                            u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.return_partner_customization_bundle            u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.show_pixel_tos                                 u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.use_biometric_lock                             u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.wallpaper_suggestion_after_restore             u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.logging                                                u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.metrics_debug_mode                                     u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.theme                                                  u:object_r:setupwizard_prop:s0 exact string
-
-db.log.detailed              u:object_r:sqlite_log_prop:s0 exact bool
-db.log.slow_query_threshold  u:object_r:sqlite_log_prop:s0 exact int
-db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
-
-# SOC related props
-ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
-ro.soc.model        u:object_r:soc_prop:s0 exact string
-
-# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
-# to detect failures where hard linking should work otherwise
-persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
-
-# bootanimation properties
-ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
-
-# dck properties
-ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
diff --git a/microdroid/sepolicy/system/private/shell.te b/microdroid/sepolicy/system/private/shell.te
index 7c786c9..03490b0 100644
--- a/microdroid/sepolicy/system/private/shell.te
+++ b/microdroid/sepolicy/system/private/shell.te
@@ -193,7 +193,7 @@
 
 # Allow shell to launch microdroid_launcher in its own domain
 # TODO(b/186396070) remove this when microdroid_manager can do this
-domain_auto_trans(shell, microdroid_launcher_exec, microdroid_launcher)
+domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
 domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
 
 # Never allow others to set or get the perf.drop_caches property.
diff --git a/tests/Android.bp b/tests/Android.bp
index be6e653..8cfefcc 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -29,6 +29,7 @@
         "vsock_test.cc",
     ],
     local_include_dirs: ["include"],
+    compile_multilib: "64",
     data: [
         ":virt_test_kernel",
         ":virt_test_initramfs",
diff --git a/tests/AndroidTest.xml b/tests/AndroidTest.xml
index f170f48..b56c0e8 100644
--- a/tests/AndroidTest.xml
+++ b/tests/AndroidTest.xml
@@ -19,19 +19,6 @@
       a test-only permission, run it without selinux -->
     <target_preparer class="com.android.tradefed.targetprep.DisableSELinuxTargetPreparer"/>
 
-    <!-- Basic checks that the device has all the prerequisites. -->
-    <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
-        <option name="throw-if-cmd-fail" value="true" />
-        <!-- Kernel has KVM enabled. -->
-        <option name="run-command" value="ls /dev/kvm" />
-        <!-- Kernel has vhost-vsock enabled. -->
-        <option name="run-command" value="ls /dev/vhost-vsock" />
-        <!-- CrosVM is installed. -->
-        <option name="run-command" value="ls /apex/com.android.virt/bin/crosvm" />
-        <!-- VirtualizationService is installed. -->
-        <option name="run-command" value="ls /apex/com.android.virt/bin/virtualizationservice" />
-    </target_preparer>
-
     <!-- Push test binaries to the device. -->
     <target_preparer class="com.android.tradefed.targetprep.PushFilePreparer">
         <option name="cleanup" value="true" />
diff --git a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
index 54541c0..2457797 100644
--- a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
+++ b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
@@ -97,6 +97,7 @@
         // Check if the command in vm_config.json was executed by examining the side effect of the
         // command
         assertThat(runOnMicrodroid("getprop", "debug.microdroid.app.run"), is("true"));
+        assertThat(runOnMicrodroid("getprop", "debug.microdroid.app.sublib.run"), is("true"));
 
         // Manually execute the library and check the output
         final String microdroidLauncher = "system/bin/microdroid_launcher";
diff --git a/tests/testapk/Android.bp b/tests/testapk/Android.bp
index f72d616..fc5681e 100644
--- a/tests/testapk/Android.bp
+++ b/tests/testapk/Android.bp
@@ -13,14 +13,20 @@
 // TODO(jiyong): make this a binary, not a shared library
 cc_library_shared {
     name: "MicrodroidTestNativeLib",
-    srcs: ["src/native/*.cpp"],
+    srcs: ["src/native/testbinary.cpp"],
     shared_libs: [
         "android.system.keystore2-V1-ndk_platform",
         "libbase",
         "libbinder_ndk",
+        "MicrodroidTestNativeLibSub",
     ],
 }
 
+cc_library_shared {
+    name: "MicrodroidTestNativeLibSub",
+    srcs: ["src/native/testlib.cpp"],
+}
+
 genrule {
     name: "MicrodroidTestApp.signed",
     out: [
@@ -28,12 +34,12 @@
         "MicrodroidTestApp.apk.idsig",
     ],
     srcs: [":MicrodroidTestApp"],
-    tools:["apksigner"],
+    tools: ["apksigner"],
     tool_files: ["test.keystore"],
     cmd: "$(location apksigner) sign " +
-         "--ks $(location test.keystore) " +
-         "--ks-pass=pass:testkey --key-pass=pass:testkey " +
-         "--in $(in) " +
-         "--out $(genDir)/MicrodroidTestApp.apk",
-         // $(genDir)/MicrodroidTestApp.apk.idsig is generated implicitly
+        "--ks $(location test.keystore) " +
+        "--ks-pass=pass:testkey --key-pass=pass:testkey " +
+        "--in $(in) " +
+        "--out $(genDir)/MicrodroidTestApp.apk",
+    // $(genDir)/MicrodroidTestApp.apk.idsig is generated implicitly
 }
diff --git a/tests/testapk/src/native/testbinary.cpp b/tests/testapk/src/native/testbinary.cpp
index 5510ae1..20519cd 100644
--- a/tests/testapk/src/native/testbinary.cpp
+++ b/tests/testapk/src/native/testbinary.cpp
@@ -38,6 +38,8 @@
 using android::base::Error;
 using android::base::Result;
 
+extern void testlib_sub();
+
 namespace {
 
 Result<void> test_keystore() {
@@ -192,6 +194,7 @@
             printf(" ");
         }
     }
+    testlib_sub();
     printf("\n");
 
     __system_property_set("debug.microdroid.app.run", "true");
diff --git a/tests/testapk/src/native/testlib.cpp b/tests/testapk/src/native/testlib.cpp
new file mode 100644
index 0000000..792c6c8
--- /dev/null
+++ b/tests/testapk/src/native/testlib.cpp
@@ -0,0 +1,5 @@
+#include <sys/system_properties.h>
+
+void testlib_sub() {
+    __system_property_set("debug.microdroid.app.sublib.run", "true");
+}
diff --git a/tests/vsock_test.cc b/tests/vsock_test.cc
index 84827d8..233c6dd 100644
--- a/tests/vsock_test.cc
+++ b/tests/vsock_test.cc
@@ -14,12 +14,16 @@
  * limitations under the License.
  */
 
+#include <linux/kvm.h>
+#include <sys/ioctl.h>
 #include <sys/socket.h>
 #include <unistd.h>
 
 // Needs to be included after sys/socket.h
 #include <linux/vm_sockets.h>
 
+#include <algorithm>
+#include <array>
 #include <iostream>
 #include <optional>
 
@@ -30,6 +34,8 @@
 #include "android/system/virtualizationservice/VirtualMachineConfig.h"
 #include "virt/VirtualizationTest.h"
 
+#define KVM_CAP_ARM_PROTECTED_VM 0xffbadab1
+
 using namespace android::base;
 using namespace android::os;
 
@@ -41,7 +47,24 @@
 static constexpr const char kVmParams[] = "rdinit=/bin/init bin/vsock_client 2 45678 HelloWorld";
 static constexpr const char kTestMessage[] = "HelloWorld";
 
-TEST_F(VirtualizationTest, TestVsock) {
+bool isVmSupported() {
+    const std::array<const char *, 4> needed_files = {
+            "/dev/kvm",
+            "/dev/vhost-vsock",
+            "/apex/com.android.virt/bin/crosvm",
+            "/apex/com.android.virt/bin/virtualizationservice",
+    };
+    return std::all_of(needed_files.begin(), needed_files.end(),
+                       [](const char *file) { return access(file, F_OK) == 0; });
+}
+
+/** Returns true if the kernel supports Protected KVM. */
+bool isPkvmSupported() {
+    unique_fd kvm_fd(open("/dev/kvm", O_NONBLOCK | O_CLOEXEC));
+    return kvm_fd != 0 && ioctl(kvm_fd, KVM_CHECK_EXTENSION, KVM_CAP_ARM_PROTECTED_VM) == 1;
+}
+
+void runTest(sp<IVirtualizationService> virtualization_service, bool protected_vm) {
     binder::Status status;
 
     unique_fd server_fd(TEMP_FAILURE_RETRY(socket(AF_VSOCK, SOCK_STREAM, 0)));
@@ -64,9 +87,10 @@
     config.kernel = ParcelFileDescriptor(unique_fd(open(kVmKernelPath, O_RDONLY | O_CLOEXEC)));
     config.initrd = ParcelFileDescriptor(unique_fd(open(kVmInitrdPath, O_RDONLY | O_CLOEXEC)));
     config.params = String16(kVmParams);
+    config.protected_vm = protected_vm;
 
     sp<IVirtualMachine> vm;
-    status = mVirtualizationService->startVm(config, std::nullopt, &vm);
+    status = virtualization_service->startVm(config, std::nullopt, &vm);
     ASSERT_TRUE(status.isOk()) << "Error starting VM: " << status;
 
     int32_t cid;
@@ -90,4 +114,22 @@
     ASSERT_EQ(msg, kTestMessage);
 }
 
+TEST_F(VirtualizationTest, TestVsock) {
+    if (!isVmSupported()) {
+        GTEST_SKIP() << "Device doesn't support KVM.";
+    }
+
+    runTest(mVirtualizationService, false);
+}
+
+TEST_F(VirtualizationTest, TestVsockProtected) {
+    if (!isVmSupported()) {
+        GTEST_SKIP() << "Device doesn't support KVM.";
+    } else if (!isPkvmSupported()) {
+        GTEST_SKIP() << "Skipping as pKVM is not supported on this device.";
+    }
+
+    runTest(mVirtualizationService, true);
+}
+
 } // namespace virt
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineConfig.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineConfig.aidl
index 6ca9cc7..cb28856 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineConfig.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineConfig.aidl
@@ -39,4 +39,7 @@
 
     /** Disk images to be made available to the VM. */
     DiskImage[] disks;
+
+    /** Whether the VM should be a protected VM. */
+    boolean protected_vm;
 }
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 0089bfc..b1b0b38 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -115,6 +115,7 @@
             initrd: as_asref(&config.initrd),
             disks,
             params: config.params.to_owned(),
+            protected: config.protected_vm,
         };
         let composite_disk_mappings: Vec<_> = indirect_files
             .iter()
diff --git a/virtualizationservice/src/crosvm.rs b/virtualizationservice/src/crosvm.rs
index 797011c..669c631 100644
--- a/virtualizationservice/src/crosvm.rs
+++ b/virtualizationservice/src/crosvm.rs
@@ -39,6 +39,7 @@
     pub initrd: Option<&'a File>,
     pub disks: Vec<DiskFile>,
     pub params: Option<String>,
+    pub protected: bool,
 }
 
 /// A disk image to pass to crosvm for a VM.
@@ -55,6 +56,8 @@
     child: SharedChild,
     /// The CID assigned to the VM for vsock communication.
     pub cid: Cid,
+    /// Whether the VM is a protected VM.
+    pub protected: bool,
     /// Directory of temporary files used by the VM while it is running.
     pub temporary_directory: PathBuf,
     /// The UID of the process which requested the VM.
@@ -75,6 +78,7 @@
     fn new(
         child: SharedChild,
         cid: Cid,
+        protected: bool,
         temporary_directory: PathBuf,
         requester_uid: u32,
         requester_sid: String,
@@ -83,6 +87,7 @@
         VmInstance {
             child,
             cid,
+            protected,
             temporary_directory,
             requester_uid,
             requester_sid,
@@ -107,6 +112,7 @@
         let instance = Arc::new(VmInstance::new(
             child,
             config.cid,
+            config.protected,
             temporary_directory,
             requester_uid,
             requester_sid,
@@ -163,6 +169,10 @@
     // TODO(qwandor): Remove --disable-sandbox.
     command.arg("run").arg("--disable-sandbox").arg("--cid").arg(config.cid.to_string());
 
+    if config.protected {
+        command.arg("--protected-vm");
+    }
+
     if let Some(log_fd) = log_fd {
         command.stdout(log_fd);
     } else {
diff --git a/vm/src/config.rs b/vm/src/config.rs
index 169fdab..8ea0d8f 100644
--- a/vm/src/config.rs
+++ b/vm/src/config.rs
@@ -43,6 +43,9 @@
     /// Disk images to be made available to the VM.
     #[serde(default)]
     pub disks: Vec<DiskImage>,
+    /// Whether the VM should be a protected VM.
+    #[serde(default)]
+    pub protected: bool,
 }
 
 impl VmConfig {
@@ -80,6 +83,7 @@
             params: self.params.clone(),
             bootloader: maybe_open_parcel_file(&self.bootloader, false)?,
             disks: self.disks.iter().map(DiskImage::to_parcelable).collect::<Result<_, Error>>()?,
+            protected_vm: self.protected,
         })
     }
 }