diff --git a/Android.bp b/Android.bp
index 038d92f..88107cc 100644
--- a/Android.bp
+++ b/Android.bp
@@ -833,3 +833,45 @@
         "-p $(location :precompiled_sepolicy) && " +
         "touch $(out)",
 }
+
+//////////////////////////////////
+// TestDevTypeViolations can't run on old devices (V or before)
+//////////////////////////////////
+
+soong_config_module_type {
+    name: "dev_type_test_genrule",
+    module_type: "genrule",
+    config_namespace: "ANDROID",
+    bool_variables: ["CHECK_DEV_TYPE_VIOLATIONS"],
+    properties: ["cmd"],
+}
+
+dev_type_test_genrule {
+    name: "sepolicy_dev_type_test",
+    srcs: [
+        ":plat_file_contexts",
+        ":vendor_file_contexts",
+        ":system_ext_file_contexts",
+        ":product_file_contexts",
+        ":odm_file_contexts",
+        ":precompiled_sepolicy",
+    ],
+    tools: ["sepolicy_tests"],
+    out: ["sepolicy_dev_type_test"],
+    soong_config_variables: {
+        CHECK_DEV_TYPE_VIOLATIONS: {
+            cmd: "$(location sepolicy_tests) " +
+                "-f $(location :plat_file_contexts) " +
+                "-f $(location :vendor_file_contexts) " +
+                "-f $(location :system_ext_file_contexts) " +
+                "-f $(location :product_file_contexts) " +
+                "-f $(location :odm_file_contexts) " +
+                "-p $(location :precompiled_sepolicy) " +
+                "-t TestDevTypeViolations && " +
+                "touch $(out)",
+            conditions_default: {
+                cmd: "touch $(out)",
+            },
+        },
+    },
+}
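Review bot: The header comment above `dev_type_test_genrule` names the test but not the switch that enables it, so a reader has to work out from `conditions_default` that an unset variable turns the rule into a bare `touch $(out)` and the check silently passes. Suggest extending the comment with `// Runs only when CHECK_DEV_TYPE_VIOLATIONS is set in the ANDROID soong config namespace; otherwise the genrule only touches $(out) and the check is skipped.` so the no-op path is explicit to anyone wiring it into a device build.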
diff --git a/Android.mk b/Android.mk
index 384c416..63b74aa 100644
--- a/Android.mk
+++ b/Android.mk
@@ -240,6 +240,7 @@
 # genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
 # Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
 LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
+LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_dev_type_test)/sepolicy_dev_type_test
 
 LOCAL_REQUIRED_MODULES += \
     $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
diff --git a/apex/Android.bp b/apex/Android.bp
index 21054fc..04fd5f6 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -205,11 +205,10 @@
   ],
 }
 
-filegroup {
+file_contexts {
   name: "com.android.virt-file_contexts",
-  srcs: [
-    "com.android.virt-file_contexts",
-  ],
+  defaults: ["contexts_flags_defaults"],
+  srcs: ["com.android.virt-file_contexts"],
 }
 
 filegroup {
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index afe9f51..78720aa 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -3,4 +3,6 @@
 /bin/fd_server             u:object_r:fd_server_exec:s0
 /bin/virtmgr               u:object_r:virtualizationmanager_exec:s0
 /bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
-/bin/vfio_handler          u:object_r:vfio_handler_exec:s0
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+    /bin/vfio_handler          u:object_r:vfio_handler_exec:s0
+')
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index e542c3a..5cc9c70 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -388,7 +388,7 @@
 		cmd.Flag("--strict")
 	}
 
-	out := pathForModuleOut(ctx, "namespace_checked").Join(ctx, input.String())
+	out := pathForModuleOut(ctx, ctx.ModuleName()+"_namespace_checked")
 	rule.Command().Text("cp -f").Input(input).Output(out)
 	rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
 	return out
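Review bot: The output path is now keyed only by the module name, so if this helper is called more than once for the same module the two rules would declare the same output and the build would reject the duplicate; the previous form kept the input path as a suffix, which suggests several inputs per module were at least possible. If one call per module is guaranteed, a comment saying so would help, e.g. `// one namespace check per module, so the output is keyed by module name only`; otherwise keep a per-input component in the file name. The enclosing function starts outside the hunk.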
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 81d90d4..9e047df 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -119,6 +119,7 @@
 		"android.hardware.security.dice.IDiceDevice/default":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.security.keymint.IKeyMintDevice/default":                EXCEPTION_NO_FUZZER,
 		"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
+		"android.hardware.security.secretkeeper.ISecretkeeper/nonsecure":          EXCEPTION_NO_FUZZER,
 		"android.hardware.security.secureclock.ISecureClock/default":              EXCEPTION_NO_FUZZER,
 		"android.hardware.security.sharedsecret.ISharedSecret/default":            EXCEPTION_NO_FUZZER,
 		"android.hardware.sensors.ISensors/default":                               EXCEPTION_NO_FUZZER,
@@ -144,6 +145,7 @@
 		"android.frameworks.location.altitude.IAltitudeService/default":           EXCEPTION_NO_FUZZER,
 		"android.frameworks.sensorservice.ISensorManager/default":                 []string{"libsensorserviceaidl_fuzzer"},
 		"android.frameworks.stats.IStats/default":                                 EXCEPTION_NO_FUZZER,
+                "android.frameworks.vibrator.IVibratorControlService/default":             EXCEPTION_NO_FUZZER,
 		"android.se.omapi.ISecureElementService/default":                          EXCEPTION_NO_FUZZER,
 		"android.system.keystore2.IKeystoreService/default":                       EXCEPTION_NO_FUZZER,
 		"android.system.net.netd.INetd/default":                                   []string{"netd_hw_service_fuzzer"},
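Review bot: L123 is indented with spaces while every neighbouring map entry uses a tab, and the new key at L131 in the next hunk overruns the value column of its section; `gofmt` would rewrite both, so the file should be run through it before submitting. This is purely a point of style; the map contents are unaffected.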
@@ -176,6 +178,7 @@
 		"android.service.gatekeeper.IGateKeeperService":                   []string{"gatekeeperd_service_fuzzer"},
 		"android.system.composd":                                          EXCEPTION_NO_FUZZER,
 		// TODO(b/294158658): add fuzzer
+		"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationservice":                            EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationservice_internal.IVfioHandler":      EXCEPTION_NO_FUZZER,
 		"ambient_context":                                                 EXCEPTION_NO_FUZZER,
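Review bot: The new `/avf` entry is inserted between the `// TODO(b/294158658): add fuzzer` comment and `android.system.virtualizationservice`, the line that comment appears to annotate, so the TODO now reads as if it applied to the RKP AVF instance. Move the new line above the comment, or give it its own TODO if a fuzzer is indeed pending for it as well.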
@@ -309,7 +312,7 @@
 		"logd":                         EXCEPTION_NO_FUZZER,
 		"looper_stats":                 EXCEPTION_NO_FUZZER,
 		"lpdump_service":               EXCEPTION_NO_FUZZER,
-		"mdns":                         []string{"mdns_service_fuzzer"},
+		"mdns":                         EXCEPTION_NO_FUZZER,
 		"media.aaudio":                 EXCEPTION_NO_FUZZER,
 		"media.audio_flinger":          []string{"audioflinger_aidl_fuzzer"},
 		"media.audio_policy":           []string{"audiopolicy_aidl_fuzzer"},
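Review bot: `mdns` goes from `mdns_service_fuzzer` to `EXCEPTION_NO_FUZZER` with no explanation, which drops fuzz coverage for a network-facing service; elsewhere in this table a missing fuzzer is marked with a TODO (see b/294158658 a few hunks up). If the fuzzer was deleted or moved, a comment such as `// TODO(<bug-id>): mdns_service_fuzzer was removed; restore coverage` above the line would keep the regression visible rather than making it look like a deliberate exemption.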
@@ -447,6 +450,7 @@
 		"translation":                  EXCEPTION_NO_FUZZER,
 		"transparency":                 EXCEPTION_NO_FUZZER,
 		"trust":                        EXCEPTION_NO_FUZZER,
+		"tv_ad":                        EXCEPTION_NO_FUZZER,
 		"tv_interactive_app":           EXCEPTION_NO_FUZZER,
 		"tv_input":                     EXCEPTION_NO_FUZZER,
 		"tv_tuner_resource_mgr":        EXCEPTION_NO_FUZZER,
@@ -460,11 +464,10 @@
 		"uwb":                          EXCEPTION_NO_FUZZER,
 		"vcn_management":               EXCEPTION_NO_FUZZER,
 		"vibrator":                     EXCEPTION_NO_FUZZER,
-		"vibrator_control":             EXCEPTION_NO_FUZZER,
 		"vibrator_manager":             EXCEPTION_NO_FUZZER,
 		"virtualdevice":                EXCEPTION_NO_FUZZER,
 		"virtualdevice_native":         EXCEPTION_NO_FUZZER,
-		"virtual_camera_service":       EXCEPTION_NO_FUZZER,
+		"virtual_camera":               EXCEPTION_NO_FUZZER,
 		"virtual_touchpad":             EXCEPTION_NO_FUZZER,
 		"voiceinteraction":             EXCEPTION_NO_FUZZER,
 		"vold":                         []string{"vold_native_service_fuzzer"},
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 50d9de4..d9767ed 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -538,6 +538,8 @@
 /vendor/framework/test                                            vendor_framework_file
 /system/vendor/framework                                          vendor_framework_file
 /system/vendor/framework/test                                     vendor_framework_file
+/vendor/etc/avf/microdroid                                        vendor_microdroid_file
+/vendor/etc/avf/microdroid/test                                   vendor_microdroid_file
 
 /vendor/apex                                                      vendor_apex_file
 /vendor/apex/test                                                 vendor_apex_file
diff --git a/flagging/Android.bp b/flagging/Android.bp
index babd034..b61b41d 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -16,14 +16,14 @@
 se_policy_conf_defaults {
     name: "se_policy_conf_flags_defaults",
     srcs: [":sepolicy_flagging_macros"],
-    flags: [],
+    flags: ["RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT"],
 }
 
 contexts_defaults {
     name: "contexts_flags_defaults",
     srcs: [":sepolicy_flagging_macros"],
     neverallow_files: [":sepolicy_flagging_macros"], // for seapp_contexts
-    flags: [],
+    flags: ["RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT"],
 }
 
 filegroup {
diff --git a/flagging/te_macros b/flagging/te_macros
index a81ec1b..3464502 100644
--- a/flagging/te_macros
+++ b/flagging/te_macros
@@ -1,9 +1,9 @@
 ####################################
 # is_flag_enabled(flag, rules)
 # SELinux rules which apply only if given feature is turned on
-define(`is_flag_enabled', `ifelse(target_flag_$1, `true', $2, )')
+define(`is_flag_enabled', `ifelse(target_flag_$1, `true', `$2')')
 
 ####################################
 # is_flag_disabled(flag, rules)
 # SELinux rules which apply only if given feature is turned off
-define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , $2)')
+define(`is_flag_disabled', `ifelse(target_flag_$1, `true', , `$2')')
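Review bot: The header comments do not say why `$2` is now quoted, which is the substance of this change: as far as m4 argument handling goes, an unquoted rules argument containing a top-level comma or a multi-line block is split into extra `ifelse` arguments, which is what the callers added elsewhere in this change rely on. Suggest adding `# rules is passed re-quoted so commas and nested macros inside it survive the ifelse call` above each `define`.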
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index ddaa7e2..5bbfecc 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -9,16 +9,20 @@
     dtbo_block_device
     ota_build_prop
     snapuserd_log_data_file
+    fwk_vibrator_control_service
     hal_authgraph_service
-    vibrator_control_service
+    hal_secretkeeper_service
     hal_codec2_service
     hal_macsec_service
+    hal_remotelyprovisionedcomponent_avf_service
     hal_threadnetwork_service
     virtual_camera_service
     ot_daemon_service
     remote_auth_service
     security_state_service
+    setupwizard_mode_prop
     sysfs_sync_on_suspend
+    tv_ad_service
     threadnetwork_service
     device_config_aconfig_flags_prop
     proc_memhealth
@@ -27,4 +31,5 @@
     binderfs_logs_stats
     drm_forcel3_prop
     proc_percpu_pagelist_high_fraction
+    vendor_microdroid_file
   ))
diff --git a/private/coredomain.te b/private/coredomain.te
index f9b47df..5442ea3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -15,6 +15,7 @@
 get_prop(coredomain, radio_control_prop)
 get_prop(coredomain, rollback_test_prop)
 get_prop(coredomain, setupwizard_prop)
+get_prop(coredomain, setupwizard_mode_prop)
 get_prop(coredomain, sqlite_log_prop)
 get_prop(coredomain, storagemanager_config_prop)
 get_prop(coredomain, surfaceflinger_color_prop)
@@ -150,7 +151,7 @@
     -apexd
     -init
     -ueventd
-    -vfio_handler
+    is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `-vfio_handler')
     -vold
   } sysfs:file no_rw_file_perms;
 
diff --git a/private/crosvm.te b/private/crosvm.te
index afcaa3d..ed89b87 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -27,7 +27,7 @@
 
 # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
 # (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file).
+# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
 # Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
 # Note that the open permission is not given as the files are passed as file descriptors.
 allow crosvm {
@@ -39,6 +39,7 @@
   apex_compos_data_file
   apex_virt_data_file
   shell_data_file
+  vendor_microdroid_file
 }:file { getattr read ioctl lock };
 
 # Allow searching the directory where the composite disk images are.
@@ -126,6 +127,7 @@
     # These types are not required for crosvm, but the access is granted to globally in domain.te
     # thus should be exempted here.
     -vendor_configs_file
+    -vendor_microdroid_file
     -vndk_sp_file
     -vendor_task_profiles_file
   }:file *;
diff --git a/private/domain.te b/private/domain.te
index 0861fa5..2f107dd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -610,6 +610,7 @@
     -vendor_apex_file
     -vendor_apex_metadata_file
     -vendor_configs_file
+    -vendor_microdroid_file
     -vendor_service_contexts_file
     -vendor_framework_file
     -vendor_idc_file
diff --git a/private/file_contexts b/private/file_contexts
index b7f1a34..32092da 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -412,6 +412,7 @@
 /(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/etc/cgroups\.json      u:object_r:vendor_cgroup_desc_file:s0
 /(vendor|system/vendor)/etc/task_profiles\.json    u:object_r:vendor_task_profiles_file:s0
+/(vendor|system/vendor)/etc/avf/microdroid(/.*)?   u:object_r:vendor_microdroid_file:s0
 
 /(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
 
diff --git a/private/keystore.te b/private/keystore.te
index 73961ac..b81ccfa 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -11,6 +11,11 @@
 # talk to keymint
 hal_client_domain(keystore, hal_keymint)
 
+# Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to
+# access it.
+# TODO(b/312427637): Investigate the reason and fix the denial.
+dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };
+
 # This is used for the ConfirmationUI async callback.
 allow keystore platform_app:binder call;
 
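Review bot: The comment above the `dontaudit` is hard to parse ("Ignore keystore attempts ... but keystore is not suppose to access it") and does not say whether the access is harmless or merely noisy; suggest `# keystore probes the AVF RKP HAL instance it is not supposed to use; suppress the denial until the caller is fixed.` Note also that the dontaudit hides the very denial b/312427637 is meant to investigate, so the bug should capture the original avc message before this lands.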
diff --git a/private/property.te b/private/property.te
index e1b42a0..d599751 100644
--- a/private/property.te
+++ b/private/property.te
@@ -27,6 +27,7 @@
 system_internal_prop(keystore_listen_prop)
 system_internal_prop(last_boot_reason_prop)
 system_internal_prop(localization_prop)
+system_internal_prop(logd_auditrate_prop)
 system_internal_prop(lower_kptr_restrict_prop)
 system_internal_prop(net_464xlat_fromvendor_prop)
 system_internal_prop(net_connectivity_prop)
@@ -605,6 +606,12 @@
 neverallow {
   domain
   -init
+  -vendor_init
+} setupwizard_mode_prop:property_service set;
+
+neverallow {
+  domain
+  -init
 } setupwizard_prop:property_service set;
 
 # ro.product.property_source_order is useless after initialization of ro.product.* props.
diff --git a/private/property_contexts b/private/property_contexts
index 56ccb40..3771873 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -62,6 +62,7 @@
 logd.                   u:object_r:logd_prop:s0
 persist.logd.           u:object_r:logd_prop:s0
 ro.logd.                u:object_r:logd_prop:s0
+persist.logd.audit.rate u:object_r:logd_auditrate_prop:s0
 persist.logd.security   u:object_r:device_logging_prop:s0
 persist.logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
 logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
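Review bot: `persist.logd.audit.rate` at L370 is declared without an `exact` qualifier, so like the `persist.logd.` line above it it is a prefix entry, and any property named `persist.logd.audit.rate<suffix>` would also be labelled logd_auditrate_prop and become settable by the domains granted that type. Every other single-property line added in this change uses `exact <type>`; suggest `persist.logd.audit.rate u:object_r:logd_auditrate_prop:s0 exact int`, with the type confirmed against what logd actually parses.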
@@ -338,6 +339,10 @@
 ro.virtual_ab.io_uring.enabled u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.compression.threads u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.batch_writes u:object_r:virtual_ab_prop:s0 exact bool
+# OEMs can set this prop at build time to configure how many seconds to delay
+# merge after installing a Virtual AB OTA. The default behavior is to start
+# merge immediately.
+ro.virtual_ab.merge_delay_seconds u:object_r:virtual_ab_prop:s0 exact int
 snapuserd.ready         u:object_r:snapuserd_prop:s0 exact bool
 snapuserd.proxy_ready   u:object_r:snapuserd_prop:s0 exact bool
 snapuserd.test.dm.snapshots u:object_r:snapuserd_prop:s0 exact bool
@@ -618,6 +623,7 @@
 
 bluetooth.core.le.vendor_capabilities.enabled        u:object_r:bluetooth_config_prop:s0 exact bool
 bluetooth.sco.disable_enhanced_connection            u:object_r:bluetooth_config_prop:s0 exact bool
+bluetooth.core.le.dsa_transport_preference           u:object_r:bluetooth_config_prop:s0 exact string
 
 persist.nfc.debug_enabled                      u:object_r:nfc_prop:s0 exact bool
 persist.nfc.vendor_debug_enabled               u:object_r:nfc_prop:s0 exact bool
@@ -1136,6 +1142,7 @@
 ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
 ro.board.api_level       u:object_r:build_vendor_prop:s0 exact int
 ro.board.api_frozen      u:object_r:build_vendor_prop:s0 exact bool
+ro.llndk.api_level       u:object_r:build_vendor_prop:s0 exact int
 ro.vendor.api_level      u:object_r:build_vendor_prop:s0 exact int
 
 # Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
@@ -1430,6 +1437,8 @@
 
 ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
 
+ro.vulkan.apex          u:object_r:graphics_config_prop:s0 exact string
+
 # surfaceflinger-settable
 graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
 
@@ -1480,6 +1489,8 @@
 ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
 ro.setupwizard.wifi_on_exit    u:object_r:setupwizard_prop:s0 exact bool
 
+ro.setupwizard.mode            u:object_r:setupwizard_mode_prop:s0 exact string
+
 setupwizard.enable_assist_gesture_training                         u:object_r:setupwizard_prop:s0 exact bool
 setupwizard.feature.avoid_duplicate_tos                            u:object_r:setupwizard_prop:s0 exact bool
 setupwizard.feature.baseline_setupwizard_enabled                   u:object_r:setupwizard_prop:s0 exact bool
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 509a96e..e7809e9 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -9,6 +9,7 @@
 
 # RKPD needs to be able to call the remote provisioning HALs
 hal_client_domain(rkpdapp, hal_keymint)
+hal_client_domain(rkpdapp, hal_remotelyprovisionedcomponent_avf)
 
 # Grant access to certain system properties related to RKP
 get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 74701df..957d005 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -56,6 +56,12 @@
 # as the current dessert release, with additional auditing rules for the accesses
 # we are considering forbidding in the upcoming release.
 #
+# The sdk_sandbox_next and sdk_sandbox_audit domains are special domains for the
+# SDK sandbox process. sdk_sandbox_next defines the set of restrictions proposed
+# for the upcoming dessert release. sdk_sandbox_audit uses the same restrictions
+# as the current dessert release, with additional auditing rules for the accesses
+# we are considering forbidding in the upcoming release.
+#
 # isSdkSandboxNext=true means sdk sandbox processes will get
 # sdk_sandbox_next sepolicy applied to them.
 # An unspecified isSdkSandboxNext defaults to false.
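Review bot: The comment block added at L439-L444 repeats the paragraph it is inserted into (the lines just above end with the same "...forbidding in the upcoming release." sentence), and the next hunk adds L452-L455, a verbatim copy of the isSdkSandboxAudit paragraph at L449-L450; both look like a merge artefact. Drop the added lines in both hunks so each paragraph appears once.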
@@ -64,6 +70,10 @@
 # sdk_sandbox_audit sepolicy applied to them.
 # An unspecified isSdkSandboxAudit defaults to false.
 #
+# isSdkSandboxAudit=true means sdk sandbox processes will get
+# sdk_sandbox_audit sepolicy applied to them.
+# An unspecified isSdkSandboxAudit defaults to false.
+#
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
 # seapp_context_cmp()).
@@ -172,7 +182,6 @@
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
-user=system seinfo=platform isPrivApp=true name=com.android.virtualcamera domain=virtual_camera type=app_data_file levelFrom=all
 user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
 user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
diff --git a/private/service.te b/private/service.te
index f2febc9..2f5241c 100644
--- a/private/service.te
+++ b/private/service.te
@@ -21,6 +21,10 @@
 type statsmanager_service,          system_api_service, system_server_service, service_manager_type;
 type tracingproxy_service,          system_server_service, service_manager_type;
 type transparency_service,          system_server_service, service_manager_type;
-type vfio_handler_service,          service_manager_type;
+
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+    type vfio_handler_service,          service_manager_type;
+')
+
 type uce_service,                   service_manager_type;
 type wearable_sensing_service,      system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 898cb14..90fb943 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -2,6 +2,7 @@
 android.frameworks.location.altitude.IAltitudeService/default        u:object_r:fwk_altitude_service:s0
 android.frameworks.stats.IStats/default                              u:object_r:fwk_stats_service:s0
 android.frameworks.sensorservice.ISensorManager/default              u:object_r:fwk_sensor_service:s0
+android.frameworks.vibrator.IVibratorControlService/default          u:object_r:fwk_vibrator_control_service:s0
 android.hardware.audio.core.IConfig/default                          u:object_r:hal_audio_service:s0
 # 'default' IModule is equivalent to 'primary' in HIDL
 android.hardware.audio.core.IModule/default                          u:object_r:hal_audio_service:s0
@@ -93,6 +94,7 @@
 android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure  u:object_r:hal_authgraph_service:s0
 android.hardware.security.keymint.IKeyMintDevice/default             u:object_r:hal_keymint_service:s0
 android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/avf     u:object_r:hal_remotelyprovisionedcomponent_avf_service:s0
 android.hardware.gatekeeper.IGatekeeper/default                      u:object_r:hal_gatekeeper_service:s0
 android.hardware.security.secureclock.ISecureClock/default             u:object_r:hal_secureclock_service:s0
 android.hardware.security.sharedsecret.ISharedSecret/default             u:object_r:hal_sharedsecret_service:s0
@@ -122,6 +124,7 @@
 android.hardware.secure_element.ISecureElement/SIM1                  u:object_r:hal_secure_element_service:s0
 android.hardware.secure_element.ISecureElement/SIM2                  u:object_r:hal_secure_element_service:s0
 android.hardware.secure_element.ISecureElement/SIM3                  u:object_r:hal_secure_element_service:s0
+android.hardware.security.secretkeeper.ISecretkeeper/nonsecure       u:object_r:hal_secretkeeper_service:s0
 android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
 android.system.net.netd.INetd/default                                u:object_r:system_net_netd_service:s0
 android.system.suspend.ISystemSuspend/default                        u:object_r:hal_system_suspend_service:s0
@@ -152,7 +155,9 @@
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 android.system.composd                    u:object_r:compos_service:s0
 android.system.virtualizationservice      u:object_r:virtualization_service:s0
-android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+    android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
+')
 ambient_context                           u:object_r:ambient_context_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
@@ -423,6 +428,7 @@
 translation                               u:object_r:translation_service:s0
 transparency                              u:object_r:transparency_service:s0
 trust                                     u:object_r:trust_service:s0
+tv_ad                                     u:object_r:tv_ad_service:s0
 tv_interactive_app                        u:object_r:tv_iapp_service:s0
 tv_input                                  u:object_r:tv_input_service:s0
 tv_tuner_resource_mgr                     u:object_r:tv_tuner_resource_mgr_service:s0
@@ -436,8 +442,8 @@
 uwb                                       u:object_r:uwb_service:s0
 vcn_management                            u:object_r:vcn_management_service:s0
 vibrator                                  u:object_r:vibrator_service:s0
-vibrator_control               	  	  u:object_r:vibrator_control_service:s0
 vibrator_manager                          u:object_r:vibrator_manager_service:s0
+virtual_camera                            u:object_r:virtual_camera_service:s0
 virtualdevice                             u:object_r:virtual_device_service:s0
 virtualdevice_native                      u:object_r:virtual_device_native_service:s0
 virtual_touchpad                          u:object_r:virtual_touchpad_service:s0
diff --git a/private/shell.te b/private/shell.te
index aa6bef8..f32395e 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -132,6 +132,9 @@
 allow shell self:perf_event { open read write kernel };
 neverallow shell self:perf_event ~{ open read write kernel };
 
+# Allow shell to read microdroid vendor image
+r_dir_file(shell, vendor_microdroid_file)
+
 # Allow shell to read /apex/apex-info-list.xml and the vendor apexes
 allow shell apex_info_file:file r_file_perms;
 allow shell vendor_apex_file:file r_file_perms;
@@ -156,6 +159,8 @@
 # Allow shell to start/stop traced via the persist.traced.enable
 # property (which also takes care of /data/misc initialization).
 set_prop(shell, traced_enabled_prop)
+# adjust SELinux audit rates
+set_prop(shell, logd_auditrate_prop)
 # adjust is_loggable properties
 userdebug_or_eng(`set_prop(shell, log_prop)')
 # logpersist script
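Review bot: `set_prop(shell, logd_auditrate_prop)` is unconditional, so on user builds an adb shell can change the SELinux audit rate, while the neighbouring `log_prop` grant is limited with `userdebug_or_eng`. If the knob is meant for debugging, `userdebug_or_eng(`set_prop(shell, logd_auditrate_prop)')` keeps denial visibility on production builds; if it is intentionally available everywhere, say so in the comment so the asymmetry with `log_prop` is clearly deliberate.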
diff --git a/private/system_server.te b/private/system_server.te
index 97e64af..8c26cc7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -298,6 +298,7 @@
 binder_call(system_server, statsd)
 binder_call(system_server, storaged)
 binder_call(system_server, update_engine)
+binder_call(system_server, virtual_camera)
 binder_call(system_server, vold)
 binder_call(system_server, logd)
 binder_call(system_server, wificond)
@@ -329,6 +330,7 @@
 hal_client_domain(system_server, hal_power)
 hal_client_domain(system_server, hal_power_stats)
 hal_client_domain(system_server, hal_rebootescrow)
+hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
 hal_client_domain(system_server, hal_sensors)
 hal_client_domain(system_server, hal_tetheroffload)
 hal_client_domain(system_server, hal_thermal)
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 1b553e9..963809e 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te
@@ -1,35 +1,37 @@
-# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
-# vfio_handler is separate from virtualizationservice as VFIO tasks require root.
-type vfio_handler, domain, coredomain;
-type vfio_handler_exec, system_file_type, exec_type, file_type;
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+    # vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
+    # vfio_handler is separate from virtualizationservice as VFIO tasks require root.
+    type vfio_handler, domain, coredomain;
+    type vfio_handler_exec, system_file_type, exec_type, file_type;
 
-# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
-init_daemon_domain(vfio_handler)
+    # When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
+    init_daemon_domain(vfio_handler)
 
-# Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
-add_service(vfio_handler, vfio_handler_service)
+    # Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
+    add_service(vfio_handler, vfio_handler_service)
 
-# Let the vfio_handler domain use Binder.
-binder_use(vfio_handler)
+    # Let the vfio_handler domain use Binder.
+    binder_use(vfio_handler)
 
-# Allow vfio_handler to check if VFIO is supported
-allow vfio_handler vfio_device:chr_file getattr;
-allow vfio_handler vfio_device:dir r_dir_perms;
+    # Allow vfio_handler to check if VFIO is supported
+    allow vfio_handler vfio_device:chr_file getattr;
+    allow vfio_handler vfio_device:dir r_dir_perms;
 
-# Allow vfio_handler to bind/unbind platform devices
-allow vfio_handler sysfs:dir r_dir_perms;
-allow vfio_handler sysfs:file rw_file_perms;
+    # Allow vfio_handler to bind/unbind platform devices
+    allow vfio_handler sysfs:dir r_dir_perms;
+    allow vfio_handler sysfs:file rw_file_perms;
 
-# Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
-allow vfio_handler virtualizationservice:fd use;
-allow vfio_handler virtualizationservice_data_file:file write;
+    # Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
+    allow vfio_handler virtualizationservice:fd use;
+    allow vfio_handler virtualizationservice_data_file:file write;
 
-# vfio_handler can only use fd from virtualizationservice, and can't open files itself
-neverallow vfio_handler virtualizationservice_data_file:file { open create };
+    # vfio_handler can only use fd from virtualizationservice, and cannot open files itself
+    neverallow vfio_handler virtualizationservice_data_file:file { open create };
 
-# Allow vfio_handler to search /dev/block for accessing dtbo.img
-allow vfio_handler block_device:dir search;
-allow vfio_handler dtbo_block_device:blk_file r_file_perms;
+    # Allow vfio_handler to search /dev/block for accessing dtbo.img
+    allow vfio_handler block_device:dir search;
+    allow vfio_handler dtbo_block_device:blk_file r_file_perms;
 
-# Only vfio_handler can add vfio_handler_service
-neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
+    # Only vfio_handler can add vfio_handler_service
+    neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
+') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT)
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 765a59f..5739d5f 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -9,6 +9,8 @@
 # hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
 # we actually need from halserverdomain and hal_camera_server:
 binder_use(virtual_camera)
+binder_call(virtual_camera, cameraserver)
+binder_call(virtual_camera, system_server)
 
 # Allow virtual_camera to use fd from apps
 allow virtual_camera { appdomain -isolated_app }:fd use;
@@ -18,3 +20,7 @@
 
 # Allow virtual_camera to map graphic buffers
 hal_client_domain(virtual_camera, hal_graphics_allocator)
+
+# Allow virtual_camera to use GPU
+allow virtual_camera gpu_device:chr_file rw_file_perms;
+allow virtual_camera gpu_device:dir r_dir_perms;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index d6f0e19..871d3f2 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -94,6 +94,9 @@
   allow virtualizationmanager shell_data_file:file open;
 ')
 
+# Allow virtualizationmanager to read microdroid related files in vendor partition
+r_dir_file(virtualizationmanager, vendor_microdroid_file)
+
 # Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
 r_dir_file(virtualizationmanager, crosvm);
 
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 93cd04c..e17797e 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,9 +15,15 @@
 # Let the virtualizationservice domain register the virtualization_service with ServiceManager.
 add_service(virtualizationservice, virtualization_service)
 
-# Let virtualizationservice find and communicate with vfio_handler.
-allow virtualizationservice vfio_handler_service:service_manager find;
-binder_call(virtualizationservice, vfio_handler)
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+    # Let virtualizationservice find and communicate with vfio_handler.
+    allow virtualizationservice vfio_handler_service:service_manager find;
+    binder_call(virtualizationservice, vfio_handler)
+')
+
+# Allow the virtualizationservice domain to serve a remotely provisioned component for
+# pVM remote attestation.
+hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
 
 # Allow calling into the system server to find "permission_service".
 binder_call(virtualizationservice, system_server)
@@ -97,5 +103,7 @@
   -virtualizationservice
 }:process setrlimit;
 
-# Only virtualizationservice can communicate to vfio_handler
-neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+    # Only virtualizationservice can communicate to vfio_handler
+    neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+')
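Review bot: Wrapping `neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;` in `is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, ...)` removes the restriction entirely when the flag is off, so it is only sound if the `vfio_handler` domain itself is gated on the same flag. The closing `') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT)` at the end of the vfio_handler.te hunk suggests it is, but that hunk starts outside this view, so I cannot confirm the domain declaration is inside the guard. A one-line comment making the coupling explicit would help the next editor: `# Gated together with vfio_handler.te: the neverallow only applies when the domain is declared.`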
diff --git a/public/attributes b/public/attributes
index fa47b25..759b773 100644
--- a/public/attributes
+++ b/public/attributes
@@ -376,6 +376,8 @@
 hal_attribute(power_stats);
 hal_attribute(rebootescrow);
 hal_attribute(remoteaccess);
+hal_attribute(secretkeeper);
+hal_attribute(remotelyprovisionedcomponent_avf);
 hal_attribute(secure_element);
 hal_attribute(sensors);
 hal_attribute(telephony);
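Review bot: `hal_attribute(secretkeeper);` is inserted between `remoteaccess` and `remotelyprovisionedcomponent_avf`, breaking the alphabetical order the surrounding list keeps; it belongs after `hal_attribute(remotelyprovisionedcomponent_avf);` and before `hal_attribute(secure_element);`. The same applies to `type hal_secretkeeper_service, protected_service, hal_service_type, service_manager_type;` in public/service.te, which is placed after `hal_sensors_service` rather than next to the other `hal_rem*`/`hal_sec*` entries. Keeping these lists sorted makes later merges and duplicate checks easier.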
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 496d95974..549e6c6 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -178,6 +178,7 @@
 dump_hal(hal_power)
 dump_hal(hal_power_stats)
 dump_hal(hal_rebootescrow)
+dump_hal(hal_secretkeeper)
 dump_hal(hal_sensors)
 dump_hal(hal_thermal)
 dump_hal(hal_vehicle)
diff --git a/public/file.te b/public/file.te
index 091c557..142e167 100644
--- a/public/file.te
+++ b/public/file.te
@@ -255,6 +255,8 @@
 # Type for all vendor public libraries for system. These libs should only be exposed to
 # system. ABI stability of these libs is vendor's responsibility.
 type vendor_public_framework_file, vendor_file_type, file_type;
+# Type for all microdroid related files in the vendor partition.
+type vendor_microdroid_file, vendor_file_type, file_type;
 
 # Input configuration
 type vendor_keylayout_file, vendor_file_type, file_type;
diff --git a/public/hal_remotelyprovisionedcomponent_avf.te b/public/hal_remotelyprovisionedcomponent_avf.te
new file mode 100644
index 0000000..8cc7ce5
--- /dev/null
+++ b/public/hal_remotelyprovisionedcomponent_avf.te
@@ -0,0 +1,8 @@
+# allow binder connection from client to server
+binder_call(hal_remotelyprovisionedcomponent_avf_client, hal_remotelyprovisionedcomponent_avf_server)
+
+# allow client to find the service, allow server to register the service
+hal_attribute_service(hal_remotelyprovisionedcomponent_avf, hal_remotelyprovisionedcomponent_avf_service)
+
+# allow binder communication from server to service_manager
+binder_use(hal_remotelyprovisionedcomponent_avf_server)
diff --git a/public/hal_secretkeeper.te b/public/hal_secretkeeper.te
new file mode 100644
index 0000000..809ed77
--- /dev/null
+++ b/public/hal_secretkeeper.te
@@ -0,0 +1,8 @@
+# Domains for the Secretkeeper HAL, which provides secure (tamper evident, rollback protected)
+# storage of secrets guarded by DICE policies.
+binder_call(hal_secretkeeper_client, hal_secretkeeper_server)
+
+hal_attribute_service(hal_secretkeeper, hal_secretkeeper_service)
+
+binder_use(hal_secretkeeper_server)
+binder_use(hal_secretkeeper_client)
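Review bot: `binder_use(hal_secretkeeper_client)` on the last line has no counterpart in the sibling new file public/hal_remotelyprovisionedcomponent_avf.te in this commit, which grants `binder_use` only to the server domain, and a per-HAL client-side `binder_use` is unusual since client domains normally carry it already. If the grant is intentional for a specific client that otherwise has no binder access, add a comment naming that reason; otherwise drop the line for parity with the other HAL file. The header comment describing the HAL is a good model for the rest of the file.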
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index 85b8e8c..6909ff2 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -14,4 +14,4 @@
 allow hal_vibrator sysfs_vibrator:dir search;
 
 # Allow HAL vibrator to control some parameters of a vibration, such as scaling.
-allow hal_vibrator vibrator_control_service:service_manager find;
+allow hal_vibrator fwk_vibrator_control_service:service_manager find;
diff --git a/public/property.te b/public/property.te
index 1a5b105..44b0aef 100644
--- a/public/property.te
+++ b/public/property.te
@@ -197,6 +197,7 @@
 system_vendor_config_prop(dck_prop)
 system_vendor_config_prop(tuner_config_prop)
 system_vendor_config_prop(usb_uvc_enabled_prop)
+system_vendor_config_prop(setupwizard_mode_prop)
 
 # Properties with no restrictions
 system_public_prop(adbd_config_prop)
diff --git a/public/service.te b/public/service.te
index a208dcf..f2850a1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -117,7 +117,7 @@
 type diskstats_service, system_api_service, system_server_service, service_manager_type;
 type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type domain_verification_service, app_api_service, system_server_service, service_manager_type;
-type color_display_service, system_api_service, system_server_service, service_manager_type;
+type color_display_service, app_api_service, system_api_service, system_server_service, service_manager_type;
 type external_vibrator_service, system_server_service, service_manager_type;
 type file_integrity_service, app_api_service, system_server_service, service_manager_type;
 type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
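Review bot: Adding `app_api_service` to `color_display_service` widens who may find the service from system-API callers to every app domain, and nothing in the hunk records why that is acceptable. With the SELinux gate effectively gone for apps, the change relies on the service's own permission checks inside system_server; a comment alongside the type, e.g. `# exposed to apps: callers are authorized by the service's own permission checks`, would document that dependency, assuming the service does enforce them, which is worth confirming before merging. The same question applies to the new `tv_ad_service` declared with `app_api_service, ephemeral_app_api_service` in the hunk at -243.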
@@ -136,6 +136,7 @@
 type fwk_altitude_service, system_server_service, service_manager_type;
 type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
 type fwk_sensor_service, system_server_service, service_manager_type;
+type fwk_vibrator_control_service, system_server_service, service_manager_type;
 type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
 type gnss_time_update_service, system_server_service, service_manager_type;
@@ -243,6 +244,7 @@
 type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
 type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
+type tv_ad_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type tv_iapp_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
@@ -254,7 +256,6 @@
 type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type uwb_service, app_api_service, system_server_service, service_manager_type;
 type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_control_service, system_server_service, service_manager_type;
 type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type virtual_device_service, app_api_service, system_server_service, service_manager_type;
@@ -319,8 +320,10 @@
 type hal_radio_service, protected_service, hal_service_type, service_manager_type;
 type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
 type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
+type hal_remotelyprovisionedcomponent_avf_service, protected_service, hal_service_type, service_manager_type;
 type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
 type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
+type hal_secretkeeper_service, protected_service, hal_service_type, service_manager_type;
 type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
 type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
 type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
diff --git a/public/su.te b/public/su.te
index 2887740..a893cdb 100644
--- a/public/su.te
+++ b/public/su.te
@@ -90,6 +90,7 @@
   typeattribute su hal_oemlock_client;
   typeattribute su hal_power_client;
   typeattribute su hal_rebootescrow_client;
+  typeattribute su hal_secretkeeper_client;
   typeattribute su hal_secure_element_client;
   typeattribute su hal_sensors_client;
   typeattribute su hal_telephony_client;
diff --git a/tests/policy.py b/tests/policy.py
index 8fc2ef7..98133b7 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -146,9 +146,9 @@
     # DoNotMatchPrefix have the attribute Attr.
     # For example assert that all types in /sys, and not in /sys/kernel/debugfs
     # have the sysfs_type attribute.
-    def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr):
+    def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes = []):
         # Query policy for the types associated with Attr
-        TypesPol = self.QueryTypeAttribute(Attr, True)
+        TypesPol = self.QueryTypeAttribute(Attr, True) | set(ExcludedTypes)
         # Search file_contexts to find paths/types that should be associated with
         # Attr.
         PathTypes = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
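Review bot: `ExcludedTypes = []` on the new signature is a mutable default argument; the body only reads it via `set(ExcludedTypes)`, so nothing breaks today, but it is the pattern linters flag and a later in-place mutation would leak across calls. Prefer an immutable default, `def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes=()):`, which also fixes the spacing around `=` for a keyword default. The comment block above the method still describes only MatchPrefix, DoNotMatchPrefix and Attr; add a line such as `# Types in ExcludedTypes are merged into the set of types treated as carrying Attr.` The method body continues outside the hunk.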
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 4ef161b..7a341cb 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -265,6 +265,22 @@
             "\"-isolated_app_all\". Violations are shown as the following: \n")  + ret
     return ret
 
+def TestDevTypeViolations(pol):
+    exceptions = [
+        "/dev/socket",
+    ]
+    exceptionTypes = [
+        "boringssl_self_test_marker",  # /dev/boringssl/selftest
+        "cgroup_rc_file",              # /dev/cgroup.rc
+        "dev_cpu_variant",             # /dev/cpu_variant:{arch}
+        "fscklogs",                    # /dev/fscklogs
+        "properties_serial",           # /dev/__properties__/properties_serial
+        "property_info",               # /dev/__properties__/property_info
+        "runtime_event_log_tags_file", # /dev/event-log-tags
+    ]
+    return pol.AssertPathTypesHaveAttr(["/dev"], exceptions,
+                                       "dev_type", exceptionTypes)
+
 ###
 # extend OptionParser to allow the same option flag to be used multiple times.
 # This is used to allow multiple file_contexts files and tests to be
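Review bot: `TestDevTypeViolations` has no docstring, and since it is the one `Test*` function here that is opt-in rather than run by default (see the later hunk), the reader has nothing stating what the check asserts. Add something like `"""Assert that every type labeled under /dev, except paths under /dev/socket and the listed exception types, carries the dev_type attribute."""` under the def. The name `exceptions` is also easy to misread next to `exceptionTypes`; `exceptionPaths` would say what it holds, since it is passed as the DoNotMatchPrefix argument.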
@@ -298,6 +314,7 @@
     "TestCoredomainViolations",
     "TestViolatorAttributes",
     "TestIsolatedAttributeConsistency",
+    "TestDevTypeViolations",
 ]
 
 def do_main(libpath):
@@ -366,6 +383,10 @@
     if options.test is None or "TestIsolatedAttributeConsistency" in options.test:
         results += TestIsolatedAttributeConsistency(test_policy)
 
+    # dev type test won't be run as default
+    if options.test and "TestDevTypeViolations" in options.test:
+        results += TestDevTypeViolations(pol)
+
     if len(results) > 0:
         sys.exit(results)
 
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 28613c9..6888987 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -100,6 +100,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.authgraph-service\.nonsecure    u:object_r:hal_authgraph_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service   u:object_r:hal_keymint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.secretkeeper-service.nonsecure       u:object_r:hal_secretkeeper_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service        u:object_r:hal_thermal_default_exec:s0
@@ -171,7 +172,7 @@
 /(vendor|system/vendor)/lib(64)?/android\.hardware\.graphics\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/android\.hardware\.renderscript@1\.0\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/android\.hidl\.memory\.token@1\.0\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hidl\.memory@1\.0-impl\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/android\.hidl\.memory@1\.0\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/android\.hidl\.safe_union@1\.0\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/libRSCpuRef\.so u:object_r:same_process_hal_file:s0
diff --git a/vendor/hal_secretkeeper_default.te b/vendor/hal_secretkeeper_default.te
new file mode 100644
index 0000000..50f4ac1
--- /dev/null
+++ b/vendor/hal_secretkeeper_default.te
@@ -0,0 +1,5 @@
+type hal_secretkeeper_default, domain;
+hal_server_domain(hal_secretkeeper_default, hal_secretkeeper)
+
+type hal_secretkeeper_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secretkeeper_default)
