Merge "Allow llkd to stat() /proc/sysrq-trigger"
diff --git a/prebuilts/api/31.0/private/access_vectors b/prebuilts/api/31.0/private/access_vectors
index 22f2ffa..5ff7aef 100644
--- a/prebuilts/api/31.0/private/access_vectors
+++ b/prebuilts/api/31.0/private/access_vectors
@@ -726,6 +726,7 @@
 	get_state
 	list
 	lock
+	pull_metrics
 	report_off_body
 	reset
 	unlock
diff --git a/prebuilts/api/31.0/private/apexd.te b/prebuilts/api/31.0/private/apexd.te
index 32b2594..b923cdb 100644
--- a/prebuilts/api/31.0/private/apexd.te
+++ b/prebuilts/api/31.0/private/apexd.te
@@ -209,4 +209,5 @@
 allow apexd otapreopt_chroot:fd use;
 allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
 allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd postinstall_apex_mnt_dir:lnk_file create;
 allow apexd proc_filesystems:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/atrace.te b/prebuilts/api/31.0/private/atrace.te
index d4aed40..d9e351c 100644
--- a/prebuilts/api/31.0/private/atrace.te
+++ b/prebuilts/api/31.0/private/atrace.te
@@ -27,15 +27,16 @@
 allow atrace {
   service_manager_type
   -apex_service
-  -incident_service
-  -iorapd_service
-  -netd_service
   -dnsresolver_service
-  -stats_service
   -dumpstate_service
+  -incident_service
   -installd_service
-  -vold_service
+  -iorapd_service
   -lpdump_service
+  -netd_service
+  -stats_service
+  -tracingproxy_service
+  -vold_service
   -default_android_service
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
index be59151..4484823 100644
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
+++ b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
@@ -65,12 +65,15 @@
     hal_remotelyprovisionedcomponent_service
     hal_secureclock_service
     hal_sharedsecret_service
+    hal_uwb_service
     hal_weaver_service
     hw_timeout_multiplier_prop
     keystore_compat_hal_service
     keystore_maintenance_service
+    keystore_metrics_service
     keystore2_key_contexts_file
     legacy_permission_service
+    legacykeystore_service
     location_time_zone_manager_service
     media_communication_service
     media_metrics_service
@@ -139,7 +142,6 @@
     vibrator_manager_service
     virtualization_service
     vpn_management_service
-    vpnprofilestore_service
     watchdog_metadata_file
     wifi_key
     zygote_config_prop))
diff --git a/prebuilts/api/31.0/private/incidentd.te b/prebuilts/api/31.0/private/incidentd.te
index ef191a2..e20e6ca 100644
--- a/prebuilts/api/31.0/private/incidentd.te
+++ b/prebuilts/api/31.0/private/incidentd.te
@@ -161,6 +161,7 @@
   system_server_service
   app_api_service
   system_api_service
+  -tracingproxy_service
 }:service_manager find;
 
 # Only incidentd can publish the binder service
diff --git a/prebuilts/api/31.0/private/service_contexts b/prebuilts/api/31.0/private/service_contexts
index 02f326d..6d2b6a8 100644
--- a/prebuilts/api/31.0/private/service_contexts
+++ b/prebuilts/api/31.0/private/service_contexts
@@ -37,9 +37,10 @@
 android.security.compat                   u:object_r:keystore_compat_hal_service:s0
 android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
+android.security.legacykeystore           u:object_r:legacykeystore_service:s0
 android.security.maintenance              u:object_r:keystore_maintenance_service:s0
+android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
-android.security.vpnprofilestore          u:object_r:vpnprofilestore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
index 10b8177..239686e 100644
--- a/prebuilts/api/31.0/private/system_app.te
+++ b/prebuilts/api/31.0/private/system_app.te
@@ -90,6 +90,7 @@
   -netd_service
   -system_suspend_control_internal_service
   -system_suspend_control_service
+  -tracingproxy_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
diff --git a/prebuilts/api/31.0/private/system_server.te b/prebuilts/api/31.0/private/system_server.te
index f35f9a8..73301c1 100644
--- a/prebuilts/api/31.0/private/system_server.te
+++ b/prebuilts/api/31.0/private/system_server.te
@@ -853,6 +853,7 @@
 allow system_server installd_service:service_manager find;
 allow system_server iorapd_service:service_manager find;
 allow system_server keystore_maintenance_service:service_manager find;
+allow system_server keystore_metrics_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediametrics_service:service_manager find;
@@ -903,6 +904,7 @@
 	clear_uid
 	get_state
 	lock
+	pull_metrics
 	reset
 	unlock
 };
diff --git a/prebuilts/api/31.0/private/traced.te b/prebuilts/api/31.0/private/traced.te
index 6e3ad46..fc9a245 100644
--- a/prebuilts/api/31.0/private/traced.te
+++ b/prebuilts/api/31.0/private/traced.te
@@ -116,3 +116,6 @@
 # Only init is allowed to enter the traced domain via exec()
 neverallow { domain -init } traced:process transition;
 neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
diff --git a/prebuilts/api/31.0/private/wificond.te b/prebuilts/api/31.0/private/wificond.te
index 8bf37ca..3fdaca2 100644
--- a/prebuilts/api/31.0/private/wificond.te
+++ b/prebuilts/api/31.0/private/wificond.te
@@ -6,4 +6,6 @@
 
 get_prop(wificond, hwservicemanager_prop)
 
+allow wificond legacykeystore_service:service_manager find;
+
 init_daemon_domain(wificond)
diff --git a/prebuilts/api/31.0/public/attributes b/prebuilts/api/31.0/public/attributes
index daef4bb..2e01f1e 100644
--- a/prebuilts/api/31.0/public/attributes
+++ b/prebuilts/api/31.0/public/attributes
@@ -358,6 +358,7 @@
 hal_attribute(tv_tuner);
 hal_attribute(usb);
 hal_attribute(usb_gadget);
+hal_attribute(uwb);
 hal_attribute(vehicle);
 hal_attribute(vibrator);
 hal_attribute(vr);
diff --git a/prebuilts/api/31.0/public/domain.te b/prebuilts/api/31.0/public/domain.te
index d84abf1..799a2f1 100644
--- a/prebuilts/api/31.0/public/domain.te
+++ b/prebuilts/api/31.0/public/domain.te
@@ -677,6 +677,7 @@
     -credstore_service
     -keystore_maintenance_service
     -keystore_service
+    -legacykeystore_service
     -mediadrmserver_service
     -mediaextractor_service
     -mediametrics_service
@@ -684,7 +685,6 @@
     -nfc_service
     -radio_service
     -virtual_touchpad_service
-    -vpnprofilestore_service
     -vr_hwc_service
     -vr_manager_service
     userdebug_or_eng(`-hal_face_service')
diff --git a/prebuilts/api/31.0/public/hal_neverallows.te b/prebuilts/api/31.0/public/hal_neverallows.te
index 0214e2a..faec074 100644
--- a/prebuilts/api/31.0/public/hal_neverallows.te
+++ b/prebuilts/api/31.0/public/hal_neverallows.te
@@ -8,6 +8,7 @@
   -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -hal_telephony_server
+  -hal_uwb_server
 } self:global_capability_class_set { net_admin net_raw };
 
 # Unless a HAL's job is to communicate over the network, or control network
@@ -25,6 +26,7 @@
   -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -hal_telephony_server
+  -hal_uwb_server
 } domain:{ udp_socket rawip_socket } *;
 
 neverallow {
@@ -36,11 +38,20 @@
   -hal_wifi_hostapd_server
   -hal_wifi_supplicant_server
   -hal_telephony_server
+  -hal_uwb_server
 } {
   domain
   userdebug_or_eng(`-su')
 }:tcp_socket *;
 
+# The UWB HAL is not actually a networking HAL but may need to bring up and down
+# interfaces. Restrict it to only these networking operations.
+neverallow hal_uwb_server self:global_capability_class_set { net_raw };
+
+# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
+# udp_socket is required to use interface ioctls.
+neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
+
 ###
 # HALs are defined as an attribute and so a given domain could hypothetically
 # have multiple HALs in it (or even all of them) with the subsequent policy of
diff --git a/prebuilts/api/31.0/public/keystore.te b/prebuilts/api/31.0/public/keystore.te
index 155322c..b7d5090 100644
--- a/prebuilts/api/31.0/public/keystore.te
+++ b/prebuilts/api/31.0/public/keystore.te
@@ -20,7 +20,8 @@
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
 add_service(keystore, keystore_maintenance_service)
-add_service(keystore, vpnprofilestore_service)
+add_service(keystore, keystore_metrics_service)
+add_service(keystore, legacykeystore_service)
 
 # Check SELinux permissions.
 selinux_check_access(keystore)
diff --git a/prebuilts/api/31.0/public/service.te b/prebuilts/api/31.0/public/service.te
index a0d77c1..8121d04 100644
--- a/prebuilts/api/31.0/public/service.te
+++ b/prebuilts/api/31.0/public/service.te
@@ -20,7 +20,9 @@
 type credstore_service,         app_api_service, service_manager_type;
 type keystore_compat_hal_service, service_manager_type;
 type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
 type keystore_service,          service_manager_type;
+type legacykeystore_service,    service_manager_type;
 type lpdump_service,            service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediametrics_service,      service_manager_type;
@@ -43,7 +45,6 @@
 type virtualization_service,    service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
-type vpnprofilestore_service,   service_manager_type;
 type vr_hwc_service,            service_manager_type;
 type vrflinger_vsync_service,   service_manager_type;
 
diff --git a/prebuilts/api/31.0/public/te_macros b/prebuilts/api/31.0/public/te_macros
index 2a218cb..200b2e3 100644
--- a/prebuilts/api/31.0/public/te_macros
+++ b/prebuilts/api/31.0/public/te_macros
@@ -635,7 +635,7 @@
   allow keystore $1:process getattr;
   allow $1 apc_service:service_manager find;
   allow $1 keystore_service:service_manager find;
-  allow $1 vpnprofilestore_service:service_manager find;
+  allow $1 legacykeystore_service:service_manager find;
   binder_call($1, keystore)
   binder_call(keystore, $1)
 ')
diff --git a/private/access_vectors b/private/access_vectors
index 22f2ffa..3732a52 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -395,6 +395,7 @@
 	nlmsg_read
 	nlmsg_write
 	nlmsg_readpriv
+	nlmsg_getneigh
 }
 
 class netlink_tcpdiag_socket
@@ -726,6 +727,7 @@
 	get_state
 	list
 	lock
+	pull_metrics
 	report_off_body
 	reset
 	unlock
diff --git a/private/adbd.te b/private/adbd.te
index c2c6164..c19630f 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -77,8 +77,8 @@
 allow adbd tmpfs:dir search;
 allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink
 allow adbd tmpfs:lnk_file r_file_perms;   # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
+allow adbd { sdcard_type fuse }:dir create_dir_perms;
+allow adbd { sdcard_type fuse }:file create_file_perms;
 
 # adb pull /data/anr/traces.txt
 allow adbd anr_data_file:dir r_dir_perms;
diff --git a/private/apexd.te b/private/apexd.te
index 32b2594..b923cdb 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -209,4 +209,5 @@
 allow apexd otapreopt_chroot:fd use;
 allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
 allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd postinstall_apex_mnt_dir:lnk_file create;
 allow apexd proc_filesystems:file r_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 096a41b..5c41b02 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -11,6 +11,7 @@
   untrusted_app_25
   untrusted_app_27
   untrusted_app_29
+  untrusted_app_30
   untrusted_app_all
 }')
 # Receive or send uevent messages.
@@ -119,6 +120,15 @@
 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
 
+# Disallow sending RTM_GETNEIGH{TBL} messages on netlink sockets.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_29
+  -untrusted_app_30
+} domain:netlink_route_socket nlmsg_getneigh;
+
 # Do not allow untrusted apps access to /cache
 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
 neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
@@ -131,6 +141,7 @@
 neverallow { all_untrusted_apps -mediaprovider } {
   fs_type
   -sdcard_type
+  -fuse
   file_type
   -app_data_file            # The apps sandbox itself
   -privapp_data_file
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 4ee3af7..004c108 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -41,6 +41,9 @@
 # Check SELinux permissions.
 selinux_check_access(app_zygote)
 
+# Read and inspect temporary files managed by zygote.
+allow app_zygote zygote_tmpfs:file { read getattr };
+
 ######
 ###### Policy below is shared with regular zygote-spawned apps
 ######
@@ -79,6 +82,9 @@
 get_prop(app_zygote, device_config_runtime_native_prop)
 get_prop(app_zygote, device_config_runtime_native_boot_prop)
 
+# Allow app_zygote to access odsign verification status
+get_prop(app_zygote, odsign_prop)
+
 #####
 ##### Neverallow
 #####
diff --git a/private/atrace.te b/private/atrace.te
index d4aed40..d9e351c 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -27,15 +27,16 @@
 allow atrace {
   service_manager_type
   -apex_service
-  -incident_service
-  -iorapd_service
-  -netd_service
   -dnsresolver_service
-  -stats_service
   -dumpstate_service
+  -incident_service
   -installd_service
-  -vold_service
+  -iorapd_service
   -lpdump_service
+  -netd_service
+  -stats_service
+  -tracingproxy_service
+  -vold_service
   -default_android_service
 }:service_manager { find };
 allow atrace servicemanager:service_manager list;
diff --git a/private/audioserver.te b/private/audioserver.te
index feda8d4..ca29373 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -7,6 +7,7 @@
 tmpfs_domain(audioserver)
 
 r_dir_file(audioserver, sdcard_type)
+r_dir_file(audioserver, fuse)
 
 binder_use(audioserver)
 binder_call(audioserver, binderservicedomain)
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 7c508cd..c943973 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -73,8 +73,10 @@
     hw_timeout_multiplier_prop
     keystore_compat_hal_service
     keystore_maintenance_service
+    keystore_metrics_service
     keystore2_key_contexts_file
     legacy_permission_service
+    legacykeystore_service
     location_time_zone_manager_service
     media_communication_service
     media_metrics_service
@@ -145,7 +147,6 @@
     vibrator_manager_service
     virtualization_service
     vpn_management_service
-    vpnprofilestore_service
     watchdog_metadata_file
     wifi_key
     zygote_config_prop))
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index f9e073e..9cb5c92 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -9,4 +9,6 @@
     camera2_extensions_prop
     power_stats_service
     transformer_service
+    proc_watermark_boost_factor
+    untrusted_app_30
   ))
diff --git a/private/crosvm.te b/private/crosvm.te
index f7729fd..b139286 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -14,3 +14,10 @@
 # Most other domains shouldn't access /dev/kvm.
 neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
 neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
+
+# Let crosvm read and write files from clients of virtualizationservice, but not open them directly
+# as they must be passed via virtualizationservice.
+allow crosvm apk_data_file:file { getattr read };
+allow crosvm app_data_file:file { getattr read write };
+# shell_data_file is used for automated tests and manual debugging.
+allow crosvm shell_data_file:file { getattr read write };
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 28d8b9a..e7cdd5f 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -79,6 +79,7 @@
 
 # Allow dex2oat access to /postinstall/apex.
 allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
+allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
 
 # Allow dex2oat access to files in /data/ota.
 allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index b99349e..8eb1d29 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -53,4 +53,4 @@
 get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
 
 # Allow dexoptanalyzer to read /apex/apex-info-list.xml
-allow dex2oat apex_info_file:file r_file_perms;
+allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/private/domain.te b/private/domain.te
index b91d36d..63e1bde 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -354,8 +354,8 @@
 } self:global_capability_class_set dac_read_search;
 
 # Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
+# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
+# set of domains need this capability, including device-specific domains.
 neverallow {
     domain
     -apexd
@@ -369,6 +369,7 @@
     -zygote
 } { fs_type
     -sdcard_type
+    -fusefs_type
 }:filesystem { mount remount relabelfrom relabelto };
 
 enforce_debugfs_restriction(`
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e004891..3b916e2 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -17,7 +17,7 @@
 app_domain(ephemeral_app)
 
 # Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
@@ -87,8 +87,8 @@
 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
 
 # Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;
 
 # Avoid reads to proc_net, it contains too much device wide information about
 # ongoing connections.
diff --git a/private/file_contexts b/private/file_contexts
index d34f64f..2ac0981 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -370,6 +370,7 @@
 /system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
 /system/bin/snapuserd            u:object_r:snapuserd_exec:s0
 /system/bin/odsign               u:object_r:odsign_exec:s0
+/system/bin/vehicle_binding_util     u:object_r:vehicle_binding_util_exec:s0
 
 #############################
 # Vendor files
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 55d1a9a..f6675ac 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -19,6 +19,7 @@
 set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
 set_prop(flags_health_check, device_config_configuration_prop)
 set_prop(flags_health_check, device_config_connectivity_prop)
+set_prop(flags_health_check, device_config_surface_flinger_native_boot_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 3499aa0..b890ba6 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -86,6 +86,7 @@
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
 genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
+genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0
 genfscon proc /timer_list u:object_r:proc_timer:s0
 genfscon proc /timer_stats u:object_r:proc_timer:s0
 genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
diff --git a/private/gsid.te b/private/gsid.te
index 8a13cb1..2ccc51c 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -84,7 +84,7 @@
   # gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
   allow gsid { shell su }:fifo_file r_file_perms;
   # Allow installing images from /storage/emulated/...
-  allow gsid sdcard_type:file r_file_perms;
+  allow gsid { sdcard_type fuse }:file r_file_perms;
 ')
 
 neverallow {
diff --git a/private/incidentd.te b/private/incidentd.te
index ef191a2..918ffda 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -140,6 +140,8 @@
 # Access the runtime feature flag properties.
 get_prop(incidentd, device_config_runtime_native_prop)
 get_prop(incidentd, device_config_runtime_native_boot_prop)
+# Access odsign verification status.
+get_prop(incidentd, odsign_prop)
 # ART locks profile files.
 allow incidentd system_file:file lock;
 # Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
@@ -161,6 +163,7 @@
   system_server_service
   app_api_service
   system_api_service
+  -tracingproxy_service
 }:service_manager find;
 
 # Only incidentd can publish the binder service
diff --git a/private/installd.te b/private/installd.te
index c89ba8b..726e5aa 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -40,6 +40,9 @@
 # Allow installd to access apk verity feature flag (for legacy case).
 get_prop(installd, apk_verity_prop)
 
+# Allow installd to access odsign verification status
+get_prop(installd, odsign_prop)
+
 # Allow installd to delete files in /data/staging
 allow installd staging_data_file:file unlink;
 allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 71749c0..800775b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -33,7 +33,7 @@
 # neverallow rules below.
 # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
 # is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
+allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
 
 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the
@@ -110,10 +110,10 @@
 
 # Do not allow isolated_app to access external storage, except for files passed
 # via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
 neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
+neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
 
 # Do not allow USB access
 neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 0e4a50e..e8a85e5 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -21,6 +21,9 @@
 # Talk to the MediaServer service
 allow mediaprovider_app mediaserver_service:service_manager find;
 
+# Talk to the AudioServer service
+allow mediaprovider_app audioserver_service:service_manager find;
+
 # Talk to regular app services
 allow mediaprovider_app app_api_service:service_manager find;
 
diff --git a/private/odsign.te b/private/odsign.te
index 0ff3b7b..57ca048 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -41,7 +41,7 @@
 # For ART apex data dir access
 allow odsign apex_module_data_file:dir { getattr search };
 
-allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
+allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
 allow odsign apex_art_data_file:file { rw_file_perms unlink };
 
 # Run odrefresh to refresh ART artifacts
diff --git a/private/platform_app.te b/private/platform_app.te
index f746f1c..55ccbde 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -71,6 +71,12 @@
 # Allow platform apps to log via statsd.
 binder_call(platform_app, statsd)
 
+# Allow platform applications to find and call artd for testing
+userdebug_or_eng(`
+  allow platform_app artd_service:service_manager find;
+  binder_call(platform_app, artd)
+')
+
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;
 allow platform_app preloads_data_file:dir r_dir_perms;
diff --git a/private/property.te b/private/property.te
index 01d4fd9..d6ddbdf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -10,6 +10,7 @@
 system_internal_prop(device_config_configuration_prop)
 system_internal_prop(device_config_connectivity_prop)
 system_internal_prop(device_config_swcodec_native_prop)
+system_internal_prop(device_config_surface_flinger_native_boot_prop)
 system_internal_prop(fastbootd_protocol_prop)
 system_internal_prop(gsid_prop)
 system_internal_prop(init_perf_lsm_hooks_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 62862e9..593274f 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -52,6 +52,7 @@
 
 persist.audio.          u:object_r:audio_prop:s0
 persist.bluetooth.      u:object_r:bluetooth_prop:s0
+persist.nfc.            u:object_r:nfc_prop:s0
 persist.nfc_cfg.        u:object_r:nfc_prop:s0
 persist.debug.          u:object_r:persist_debug_prop:s0
 logd.                   u:object_r:logd_prop:s0
@@ -241,6 +242,7 @@
 persist.device_config.statsd_native.                u:object_r:device_config_statsd_native_prop:s0
 persist.device_config.statsd_native_boot.           u:object_r:device_config_statsd_native_boot_prop:s0
 persist.device_config.storage_native_boot.          u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.surface_flinger_native_boot.  u:object_r:device_config_surface_flinger_native_boot_prop:s0
 persist.device_config.swcodec_native.               u:object_r:device_config_swcodec_native_prop:s0
 persist.device_config.window_manager_native_boot.   u:object_r:device_config_window_manager_native_boot_prop:s0
 
@@ -438,6 +440,8 @@
 persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
 persist.bluetooth.btsnoopenable                u:object_r:exported_bluetooth_prop:s0 exact bool
 
+persist.nfc.debug_enabled                      u:object_r:nfc_prop:s0 exact bool
+
 persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
 
 persist.sys.hdmi.keep_awake                                        u:object_r:hdmi_config_prop:s0 exact bool
diff --git a/private/recovery.te b/private/recovery.te
index 00d7132..bba2a0d 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -43,4 +43,7 @@
   set_prop(recovery, fastbootd_protocol_prop)
 
   get_prop(recovery, recovery_config_prop)
+
+  # Needed to read bootconfig parameters through libfs_mgr
+  allow recovery proc_bootconfig:file r_file_perms;
 ')
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 1d38fd9..c7daf6b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -5,11 +5,9 @@
 # Input selectors:
 #       isSystemServer (boolean)
 #       isEphemeralApp (boolean)
-#       isOwner (boolean)
 #       user (string)
 #       seinfo (string)
 #       name (string)
-#       path (string)
 #       isPrivApp (boolean)
 #       minTargetSdkVersion (unsigned integer)
 #       fromRunAs (boolean)
@@ -17,7 +15,7 @@
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
 # value.
-# A user, name, or path string selector that ends in * will perform a prefix
+# A user, or name string selector that ends in * will perform a prefix
 # match.
 # String matching is case-insensitive.
 # See external/selinux/libselinux/src/android/android_platform.c,
@@ -26,7 +24,6 @@
 # isSystemServer=true only matches the system server.
 # An unspecified isSystemServer defaults to false.
 # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
-# isOwner=true will only match for the owner/primary user.
 # user=_app will match any regular app process.
 # user=_isolated will match any isolated service process.
 # Other values of user are matched against the name associated with the process
@@ -35,7 +32,6 @@
 # mac_permissions.xml files.
 # The ':' character is reserved and may not be used in seinfo.
 # name= matches against the package name of the app.
-# path= matches against the directory path when labeling app directories.
 # isPrivApp=true will only match for applications preinstalled in
 #       /system/priv-app.
 # minTargetSdkVersion will match applications with a targetSdkVersion
@@ -50,19 +46,16 @@
 #       (1) isSystemServer=true before isSystemServer=false.
 #       (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
 #             boolean.
-#       (3) Specified isOwner= before unspecified isOwner= boolean.
-#       (4) Specified user= string before unspecified user= string;
+#       (3) Specified user= string before unspecified user= string;
 #             more specific user= string before less specific user= string.
-#       (5) Specified seinfo= string before unspecified seinfo= string.
-#       (6) Specified name= string before unspecified name= string;
+#       (4) Specified seinfo= string before unspecified seinfo= string.
+#       (5) Specified name= string before unspecified name= string;
 #             more specific name= string before less specific name= string.
-#       (7) Specified path= string before unspecified path= string.
-#             more specific name= string before less specific name= string.
-#       (8) Specified isPrivApp= before unspecified isPrivApp= boolean.
-#       (9) Higher value of minTargetSdkVersion= before lower value of
+#       (6) Specified isPrivApp= before unspecified isPrivApp= boolean.
+#       (7) Higher value of minTargetSdkVersion= before lower value of
 #              minTargetSdkVersion= integer. Note that minTargetSdkVersion=
 #              defaults to 0 if unspecified.
-#       (10) fromRunAs=true before fromRunAs=false.
+#       (8) fromRunAs=true before fromRunAs=false.
 # (A fixed selector is more specific than a prefix, i.e. ending in *, and a
 # longer prefix is more specific than a shorter prefix.)
 # Apps are checked against entries in precedence order until the first match,
@@ -168,7 +161,8 @@
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=32 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=30 domain=untrusted_app_30 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
diff --git a/private/service_contexts b/private/service_contexts
index c020a04..f8c1607 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -37,9 +37,10 @@
 android.security.compat                   u:object_r:keystore_compat_hal_service:s0
 android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
+android.security.legacykeystore           u:object_r:legacykeystore_service:s0
 android.security.maintenance              u:object_r:keystore_maintenance_service:s0
+android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
-android.security.vpnprofilestore          u:object_r:vpnprofilestore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
diff --git a/private/simpleperf.te b/private/simpleperf.te
index 0639c11..9c70060 100644
--- a/private/simpleperf.te
+++ b/private/simpleperf.te
@@ -5,7 +5,16 @@
 typeattribute simpleperf coredomain;
 type simpleperf_exec, system_file_type, exec_type, file_type;
 
-domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
+# Define apps that can be marked debuggable/profileable and be profiled by simpleperf.
+define(`simpleperf_profileable_apps', `{
+  ephemeral_app
+  isolated_app
+  platform_app
+  priv_app
+  untrusted_app_all
+}')
+
+domain_auto_trans({ simpleperf_profileable_apps -runas_app }, simpleperf_exec, simpleperf)
 
 # When running in this domain, simpleperf is scoped to profiling an individual
 # app. The necessary MAC permissions for profiling are more maintainable and
@@ -16,14 +25,19 @@
 
 # Allow ptrace attach to the target app, for reading JIT debug info (using
 # process_vm_readv) during unwinding and symbolization.
-allow simpleperf untrusted_app_all:process ptrace;
+allow simpleperf simpleperf_profileable_apps:process ptrace;
 
 # Allow using perf_event_open syscall for profiling the target app.
 allow simpleperf self:perf_event { open read write kernel };
 
 # Allow /proc/<pid> access for the target app (for example, when trying to
 # discover it by cmdline).
-r_dir_file(simpleperf, untrusted_app_all)
+r_dir_file(simpleperf, simpleperf_profileable_apps)
+
+# Allow apps signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow simpleperf_profileable_apps simpleperf:process signal;
 
 # Suppress denial logspam when simpleperf is trying to find a matching process
 # by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
diff --git a/private/simpleperf_app_runner.te b/private/simpleperf_app_runner.te
index 8501826..184a80a 100644
--- a/private/simpleperf_app_runner.te
+++ b/private/simpleperf_app_runner.te
@@ -1,3 +1,45 @@
 typeattribute simpleperf_app_runner coredomain;
 
 domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
+
+# run simpleperf_app_runner in adb shell.
+allow simpleperf_app_runner adbd:fd use;
+allow simpleperf_app_runner shell:fd use;
+allow simpleperf_app_runner devpts:chr_file { read write ioctl };
+
+# simpleperf_app_runner reads package information.
+allow simpleperf_app_runner system_data_file:file r_file_perms;
+allow simpleperf_app_runner system_data_file:lnk_file getattr;
+allow simpleperf_app_runner packages_list_file:file r_file_perms;
+
+# The app's data dir may be accessed through a symlink.
+allow simpleperf_app_runner system_data_file:lnk_file read;
+
+# simpleperf_app_runner switches to the app UID/GID.
+allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
+
+# simpleperf_app_runner switches to the app security context.
+selinux_check_context(simpleperf_app_runner) # validate context
+allow simpleperf_app_runner self:process setcurrent;
+allow simpleperf_app_runner { ephemeral_app isolated_app platform_app priv_app untrusted_app_all }:process dyntransition; # setcon
+
+# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
+
+# simpleperf_app_runner passes pipe fds.
+# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
+allow simpleperf_app_runner shell:fifo_file { read write };
+
+# simpleperf_app_runner checks shell data paths.
+# simpleperf_app_runner passes shell data fds.
+allow simpleperf_app_runner shell_data_file:dir { getattr search };
+allow simpleperf_app_runner shell_data_file:file { getattr write };
+
+###
+### neverallow rules
+###
+
+# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
+neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 7a92bd4..9900600 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -61,6 +61,7 @@
 
 # Get properties.
 get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
+get_prop(surfaceflinger, device_config_surface_flinger_native_boot_prop)
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
@@ -142,7 +143,7 @@
 
 # Do not allow accessing SDcard files as unsafe ejection could
 # cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
+neverallow surfaceflinger { sdcard_type fuse }:file rw_file_perms;
 
 # b/68864350
 dontaudit surfaceflinger unlabeled:dir search;
diff --git a/private/system_app.te b/private/system_app.te
index 10b8177..239686e 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -90,6 +90,7 @@
   -netd_service
   -system_suspend_control_internal_service
   -system_suspend_control_service
+  -tracingproxy_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
diff --git a/private/system_server.te b/private/system_server.te
index f35f9a8..5d685c3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -708,7 +708,7 @@
 set_prop(system_server, device_config_window_manager_native_boot_prop)
 set_prop(system_server, device_config_configuration_prop)
 set_prop(system_server, device_config_connectivity_prop)
-
+set_prop(system_server, device_config_surface_flinger_native_boot_prop)
 
 # Allow query ART device config properties
 get_prop(system_server, device_config_runtime_native_boot_prop)
@@ -853,6 +853,7 @@
 allow system_server installd_service:service_manager find;
 allow system_server iorapd_service:service_manager find;
 allow system_server keystore_maintenance_service:service_manager find;
+allow system_server keystore_metrics_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediametrics_service:service_manager find;
@@ -903,6 +904,7 @@
 	clear_uid
 	get_state
 	lock
+	pull_metrics
 	reset
 	unlock
 };
@@ -965,7 +967,7 @@
 
 # Allow statfs() on storage devices, which happens fast enough that
 # we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
+allow system_server { sdcard_type fuse }:dir { getattr search };
 
 # Traverse into expanded storage
 allow system_server mnt_expand_file:dir r_dir_perms;
@@ -1159,8 +1161,8 @@
 
 # Do not allow opening files from external storage as unsafe ejection
 # could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
+neverallow system_server { sdcard_type fuse }:dir { open read write };
+neverallow system_server { sdcard_type fuse }:file rw_file_perms;
 
 # system server should never be operating on zygote spawned app data
 # files directly. Rather, they should always be passed via a
@@ -1216,6 +1218,7 @@
   device_config_runtime_native_prop
   device_config_media_native_prop
   device_config_storage_native_boot_prop
+  device_config_surface_flinger_native_boot_prop
   device_config_sys_traced_prop
   device_config_swcodec_native_prop
   device_config_window_manager_native_boot_prop
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index 3301304..064e038 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -7,6 +7,10 @@
 allow system_server_startup self:process execmem;
 allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
 
+# Allow to pick up integrity-checked artifacts from the ART APEX dalvik cache.
+allow system_server_startup apex_art_data_file:dir r_dir_perms;
+allow system_server_startup apex_art_data_file:file { r_file_perms execute };
+
 # Allow system_server_startup to run setcon() and enter the
 # system_server domain
 allow system_server_startup self:process setcurrent;
diff --git a/private/toolbox.te b/private/toolbox.te
index 6077f0b..b4a3466 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -3,5 +3,5 @@
 init_daemon_domain(toolbox)
 
 # rm -rf /data/misc/virtualizationservice
-allow toolbox virtualizationservice_data_file:dir { remove_name rmdir };
-allow toolbox virtualizationservice_data_file:file { getattr unlink };
+allow toolbox virtualizationservice_data_file:dir create_dir_perms;
+allow toolbox virtualizationservice_data_file:file create_file_perms;
diff --git a/private/traced.te b/private/traced.te
index 6e3ad46..fc9a245 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -116,3 +116,6 @@
 # Only init is allowed to enter the traced domain via exec()
 neverallow { domain -init } traced:process transition;
 neverallow * traced:process dyntransition;
+
+# Limit the processes that can access tracingproxy_service.
+neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 6e7a99c..62d458d 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -2,7 +2,7 @@
 ### Untrusted apps.
 ###
 ### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 30.
+### targetSdkVersion >= 32.
 ###
 ### See public/untrusted_app.te for more information about which apps are
 ### placed in this selinux domain.
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 82c07ff..4235d7e 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -48,3 +48,7 @@
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_25 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7a326a5..c747af1 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -36,3 +36,7 @@
 
 # Read /mnt/sdcard symlink.
 allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_27 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index d03f399..6bb2606 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -14,3 +14,7 @@
 untrusted_app_domain(untrusted_app_29)
 net_domain(untrusted_app_29)
 bluetooth_domain(untrusted_app_29)
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_29 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
new file mode 100644
index 0000000..e0a71ef
--- /dev/null
+++ b/private/untrusted_app_30.te
@@ -0,0 +1,22 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps running with
+### 29 < targetSdkVersion <= 31.
+###
+### See public/untrusted_app.te for more information about which apps are
+### placed in this selinux domain.
+###
+### TODO(b/192334803): Merge this policy into untrusted_app_29 when possible
+###
+
+typeattribute untrusted_app_30 coredomain;
+
+app_domain(untrusted_app_30)
+untrusted_app_domain(untrusted_app_30)
+net_domain(untrusted_app_30)
+bluetooth_domain(untrusted_app_30)
+
+# allow sending RTM_GETNEIGH{TBL} messages.
+allow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
+auditallow untrusted_app_30 self:netlink_route_socket nlmsg_getneigh;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6064c14..f7dfdeb 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -170,8 +170,3 @@
   # according to the heuristic of lockdown.
   allow untrusted_app_all self:lockdown integrity;
 ')
-
-# Allow signalling simpleperf domain, which is the domain that the simpleperf
-# profiler runs as when executed by the app. The signals are used to control
-# the profiler (which would be profiling the app that is sending the signal).
-allow untrusted_app_all simpleperf:process signal;
diff --git a/private/vdc.te b/private/vdc.te
index bc7409e..63c9c2a 100644
--- a/private/vdc.te
+++ b/private/vdc.te
@@ -1,3 +1,6 @@
 typeattribute vdc coredomain;
 
 init_daemon_domain(vdc)
+
+# Allow stdin/out back to vehicle_binding_util
+allow vdc vehicle_binding_util:fd use;
diff --git a/private/vehicle_binding_util.te b/private/vehicle_binding_util.te
new file mode 100644
index 0000000..76d0756
--- /dev/null
+++ b/private/vehicle_binding_util.te
@@ -0,0 +1,20 @@
+# vehicle binding util startup application
+type vehicle_binding_util, domain, coredomain;
+
+# allow init to start vehicle_binding_util
+type vehicle_binding_util_exec, exec_type, file_type, system_file_type;
+init_daemon_domain(vehicle_binding_util)
+
+# allow writing to kmsg during boot
+allow vehicle_binding_util kmsg_device:chr_file { getattr w_file_perms };
+
+# allow reading the binding property from vhal
+hwbinder_use(vehicle_binding_util)
+hal_client_domain(vehicle_binding_util, hal_vehicle)
+
+# allow executing vdc
+domain_auto_trans(vehicle_binding_util, vdc_exec, vdc)
+
+# devpts is needed to redirect output from vdc
+allow vehicle_binding_util devpts:chr_file rw_file_perms;
+
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 4c6f1f9..9b82e01 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -23,3 +23,21 @@
 # Let virtualizationservice access its data directory.
 allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
+
+# virtualizationservice_use(client)
+define(`virtualizationservice_use', `
+# Let the client call virtualizationservice.
+binder_call($1, virtualizationservice)
+# Let the client pass file descriptors to virtualizationservice.
+allow virtualizationservice $1:fd use;
+')
+
+# Let the shell user call virtualizationservice for debugging.
+virtualizationservice_use(shell)
+
+# Let virtualizationservice read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationservice apk_data_file:file { getattr read };
+allow virtualizationservice app_data_file:file { getattr read write };
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationservice shell_data_file:file { getattr read write };
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 10bcf1c..3473eca 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -87,6 +87,9 @@
 get_prop(webview_zygote, device_config_runtime_native_prop)
 get_prop(webview_zygote, device_config_runtime_native_boot_prop)
 
+# Allow webview_zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
 #####
 ##### Neverallow
 #####
diff --git a/private/wificond.te b/private/wificond.te
index 8bf37ca..3fdaca2 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -6,4 +6,6 @@
 
 get_prop(wificond, hwservicemanager_prop)
 
+allow wificond legacykeystore_service:service_manager find;
+
 init_daemon_domain(wificond)
diff --git a/private/zygote.te b/private/zygote.te
index dd42a81..651fb10 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -152,8 +152,8 @@
 allow zygote storage_file:dir { search mounton };
 
 # Allow mounting and creating files, dirs on sdcardfs.
-allow zygote { sdcard_type }:dir { create_dir_perms mounton };
-allow zygote { sdcard_type }:file { create_file_perms };
+allow zygote { sdcard_type fuse }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type fuse }:file { create_file_perms };
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
@@ -217,6 +217,9 @@
 # Allow zygote to access media_variant_prop for static initialization
 get_prop(zygote, media_variant_prop)
 
+# Allow zygote to access odsign verification status
+get_prop(zygote, odsign_prop)
+
 # Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
 get_prop(zygote, packagemanager_config_prop)
 
diff --git a/public/app.te b/public/app.te
index 5527f99..7de9c00 100644
--- a/public/app.te
+++ b/public/app.te
@@ -261,8 +261,8 @@
 allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
 allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
@@ -569,6 +569,9 @@
   -system_app
 } { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
 
+# allow system_app to access Nfc-related system properties.
+set_prop(system_app, nfc_prop)
+
 # Apps cannot access proc_uid_time_in_state
 neverallow appdomain proc_uid_time_in_state:file *;
 
diff --git a/public/attributes b/public/attributes
index 2e01f1e..15c5000 100644
--- a/public/attributes
+++ b/public/attributes
@@ -18,6 +18,12 @@
 # All types used for context= mounts.
 attribute contextmount_type;
 
+# All types referencing a FUSE filesystem.
+# When mounting a new FUSE filesystem, the fscontext= option should be used to
+# set a domain-specific type with this attribute. See app_fusefs for an
+# example.
+attribute fusefs_type;
+
 # All types used for files that can exist on a labeled fs.
 # Do not use for pseudo file types.
 # On change, update CHECK_FC_ASSERT_ATTRS
diff --git a/public/domain.te b/public/domain.te
index d84abf1..799a2f1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -677,6 +677,7 @@
     -credstore_service
     -keystore_maintenance_service
     -keystore_service
+    -legacykeystore_service
     -mediadrmserver_service
     -mediaextractor_service
     -mediametrics_service
@@ -684,7 +685,6 @@
     -nfc_service
     -radio_service
     -virtual_touchpad_service
-    -vpnprofilestore_service
     -vr_hwc_service
     -vr_manager_service
     userdebug_or_eng(`-hal_face_service')
diff --git a/public/drmserver.te b/public/drmserver.te
index eede0fc..d515079 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -18,11 +18,11 @@
 # Perform Binder IPC to mediaserver
 binder_call(drmserver, mediaserver)
 
-allow drmserver sdcard_type:dir search;
+allow drmserver { sdcard_type fuse }:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
-allow drmserver sdcard_type:file { read write getattr map };
+allow drmserver { sdcard_type fuse }:file { read write getattr map };
 r_dir_file(drmserver, efs_file)
 
 type drmserver_socket, file_type;
diff --git a/public/file.te b/public/file.te
index 20348b5..cfac66d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -13,6 +13,7 @@
 type proc_overcommit_memory, fs_type, proc_type;
 type proc_min_free_order_shift, fs_type, proc_type;
 type proc_kpageflags, fs_type, proc_type;
+type proc_watermark_boost_factor, fs_type, proc_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, proc_type;
 type sysfs_usermodehelper, fs_type, sysfs_type;
@@ -138,7 +139,7 @@
 type tmpfs, fs_type;
 type shm, fs_type;
 type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
+type fuse, fusefs_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 type exfat, sdcard_type, fs_type, mlstrustedobject;
@@ -160,7 +161,7 @@
 type oemfs, fs_type, contextmount_type;
 type usbfs, fs_type;
 type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
+type app_fusefs, fs_type, fusefs_type, contextmount_type;
 
 # File types
 type unlabeled, file_type;
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
index e56ab99..9c65e22 100644
--- a/public/hal_keymint.te
+++ b/public/hal_keymint.te
@@ -3,3 +3,6 @@
 hal_attribute_service(hal_keymint, hal_keymint_service)
 hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
 binder_call(hal_keymint_server, servicemanager)
+
+allow hal_keymint tee_device:chr_file rw_file_perms;
+allow hal_keymint ion_device:chr_file r_file_perms;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index a895ad0..faec074 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -44,6 +44,14 @@
   userdebug_or_eng(`-su')
 }:tcp_socket *;
 
+# The UWB HAL is not actually a networking HAL but may need to bring up and down
+# interfaces. Restrict it to only these networking operations.
+neverallow hal_uwb_server self:global_capability_class_set { net_raw };
+
+# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
+# udp_socket is required to use interface ioctls.
+neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
+
 ###
 # HALs are defined as an attribute and so a given domain could hypothetically
 # have multiple HALs in it (or even all of them) with the subsequent policy of
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 12d72b6..55efc3c 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -23,5 +23,5 @@
 ###
 
 # hal_wifi_hostapd should not trust any data from sdcards
-neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_hostapd_server sdcard_type:file *;
+neverallow hal_wifi_hostapd_server { sdcard_type fuse }:dir ~getattr;
+neverallow hal_wifi_hostapd_server { sdcard_type fuse }:file *;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 7361af1..f7c444e 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -34,5 +34,5 @@
 ###
 
 # wpa_supplicant should not trust any data from sdcards
-neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_supplicant_server sdcard_type:file *;
+neverallow hal_wifi_supplicant_server { sdcard_type fuse }:dir ~getattr;
+neverallow hal_wifi_supplicant_server { sdcard_type fuse }:file *;
diff --git a/public/init.te b/public/init.te
index ea5a979..5fd1715 100644
--- a/public/init.te
+++ b/public/init.te
@@ -313,11 +313,12 @@
   -keychord_device
   -proc_type
   -sdcard_type
+  -fusefs_type
   -sysfs_type
   -rootfs
   enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
+allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir  { open read setattr search };
 
 allow init {
   binder_device
@@ -383,6 +384,7 @@
   proc_perf
   proc_sched
   proc_sysrq
+  proc_watermark_boost_factor
 }:file w_file_perms;
 
 allow init {
diff --git a/public/installd.te b/public/installd.te
index 08060e3..1134aaa 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -71,8 +71,8 @@
 # Delete /data/media files through sdcardfs, instead of going behind its back
 allow installd tmpfs:dir r_dir_perms;
 allow installd storage_file:dir search;
-allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
-allow installd sdcard_type:file { getattr unlink };
+allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
+allow installd { sdcard_type fuse }:file { getattr unlink };
 
 # Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
 allow installd mirror_data_file:dir { create_dir_perms mounton };
diff --git a/public/kernel.te b/public/kernel.te
index 9aa40cc..09d2480 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -56,7 +56,7 @@
 allow kernel self:security setcheckreqprot;
 
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel sdcard_type:file { read write };
+allow kernel { sdcard_type fuse }:file { read write };
 
 # f_mtp driver accesses files from kernel context.
 allow kernel mediaprovider:fd use;
@@ -95,6 +95,11 @@
   staging_data_file
   vendor_apex_file
 }:file read;
+# Also allow the kernel to read /data/local/tmp files via loop device
+# for ApexTestCases
+userdebug_or_eng(`
+  allow kernel shell_data_file:file read;
+')
 
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
diff --git a/public/keystore.te b/public/keystore.te
index 155322c..b7d5090 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -20,7 +20,8 @@
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)
 add_service(keystore, keystore_maintenance_service)
-add_service(keystore, vpnprofilestore_service)
+add_service(keystore, keystore_metrics_service)
+add_service(keystore, legacykeystore_service)
 
 # Check SELinux permissions.
 selinux_check_access(keystore)
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index a29e5dc..1315b8f 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -26,7 +26,7 @@
 crash_dump_fallback(mediaextractor)
 
 # allow mediaextractor read permissions for file sources
-allow mediaextractor sdcard_type:file { getattr read };
+allow mediaextractor { sdcard_type fuse }:file { getattr read };
 allow mediaextractor media_rw_data_file:file { getattr read };
 allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
 
diff --git a/public/mediaserver.te b/public/mediaserver.te
index ad460e1..0275532 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -8,6 +8,7 @@
 net_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, fuse)
 r_dir_file(mediaserver, cgroup)
 r_dir_file(mediaserver, cgroup_v2)
 
@@ -30,7 +31,7 @@
 allow mediaserver media_data_file:dir create_dir_perms;
 allow mediaserver media_data_file:file create_file_perms;
 allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
-allow mediaserver sdcard_type:file write;
+allow mediaserver { sdcard_type fuse }:file write;
 allow mediaserver gpu_device:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
diff --git a/public/net.te b/public/net.te
index e90715e..714bcde 100644
--- a/public/net.te
+++ b/public/net.te
@@ -20,14 +20,16 @@
 # See changes to the routing table.
 allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
 # b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
-# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
+# untrusted_apps.
+# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
+# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
 # to avoid app-compat breakage.
 allow {
   netdomain
   -ephemeral_app
   -mediaprovider
   -untrusted_app_all
-} self:netlink_route_socket { bind nlmsg_readpriv };
+} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/public/recovery.te b/public/recovery.te
old mode 100644
new mode 100755
index 3649888..33658e8
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -133,6 +133,10 @@
 
   # Allow mounting /metadata for writing update states
   allow recovery metadata_file:dir { getattr mounton };
+
+  # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts.
+  allow recovery devpts:chr_file rw_file_perms;
+  allow recovery kmsg_device:chr_file { getattr w_file_perms };
 ')
 
 ###
diff --git a/public/sdcardd.te b/public/sdcardd.te
index bb1c919..220e7d0 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -10,11 +10,11 @@
 allow sdcardd mnt_media_rw_file:dir r_dir_perms;
 allow sdcardd storage_file:dir search;
 allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd sdcard_type:filesystem { mount unmount };
+allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
 allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
 
-allow sdcardd sdcard_type:dir create_dir_perms;
-allow sdcardd sdcard_type:file create_file_perms;
+allow sdcardd { sdcard_type fuse }:dir create_dir_perms;
+allow sdcardd { sdcard_type fuse }:file create_file_perms;
 
 allow sdcardd media_rw_data_file:dir create_dir_perms;
 allow sdcardd media_rw_data_file:file create_file_perms;
diff --git a/public/service.te b/public/service.te
index 4fa6a13..756c31c 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,7 +21,9 @@
 type credstore_service,         app_api_service, service_manager_type;
 type keystore_compat_hal_service, service_manager_type;
 type keystore_maintenance_service, service_manager_type;
+type keystore_metrics_service, service_manager_type;
 type keystore_service,          service_manager_type;
+type legacykeystore_service,    service_manager_type;
 type lpdump_service,            service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediametrics_service,      service_manager_type;
@@ -44,7 +46,6 @@
 type virtualization_service,    service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
-type vpnprofilestore_service,   service_manager_type;
 type vr_hwc_service,            service_manager_type;
 type vrflinger_vsync_service,   service_manager_type;
 
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index 2ed007e..3719d9f 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -1,44 +1,2 @@
 type simpleperf_app_runner, domain, mlstrustedsubject;
 type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
-
-# run simpleperf_app_runner in adb shell.
-allow simpleperf_app_runner adbd:fd use;
-allow simpleperf_app_runner shell:fd use;
-allow simpleperf_app_runner devpts:chr_file { read write ioctl };
-
-# simpleperf_app_runner reads package information.
-allow simpleperf_app_runner system_data_file:file r_file_perms;
-allow simpleperf_app_runner system_data_file:lnk_file getattr;
-allow simpleperf_app_runner packages_list_file:file r_file_perms;
-
-# The app's data dir may be accessed through a symlink.
-allow simpleperf_app_runner system_data_file:lnk_file read;
-
-# simpleperf_app_runner switches to the app UID/GID.
-allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
-
-# simpleperf_app_runner switches to the app security context.
-selinux_check_context(simpleperf_app_runner) # validate context
-allow simpleperf_app_runner self:process setcurrent;
-allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
-
-# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
-
-# simpleperf_app_runner passes pipe fds.
-# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
-allow simpleperf_app_runner shell:fifo_file { read write };
-
-# simpleperf_app_runner checks shell data paths.
-# simpleperf_app_runner passes shell data fds.
-allow simpleperf_app_runner shell_data_file:dir { getattr search };
-allow simpleperf_app_runner shell_data_file:file { getattr write };
-
-###
-### neverallow rules
-###
-
-# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
-neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/public/te_macros b/public/te_macros
index 2a218cb..200b2e3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -635,7 +635,7 @@
   allow keystore $1:process getattr;
   allow $1 apc_service:service_manager find;
   allow $1 keystore_service:service_manager find;
-  allow $1 vpnprofilestore_service:service_manager find;
+  allow $1 legacykeystore_service:service_manager find;
   binder_call($1, keystore)
   binder_call(keystore, $1)
 ')
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 43fe19a..0a67614 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,9 +17,12 @@
 ###
 
 # This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 30.
+# targetSdkVersion >= 32.
 type untrusted_app, domain;
 # This file defines the rules for untrusted apps running with
+# 29 < targetSdkVersion <= 31.
+type untrusted_app_30, domain;
+# This file defines the rules for untrusted apps running with
 # targetSdkVersion = 29.
 type untrusted_app_29, domain;
 # This file defines the rules for untrusted apps running with
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0999f48..c6e5e82 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -140,6 +140,7 @@
   -contextmount_type
   -keychord_device
   -sdcard_type
+  -fusefs_type
   -rootfs
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
@@ -153,6 +154,7 @@
   fs_type
   -contextmount_type
   -sdcard_type
+  -fusefs_type
   -rootfs
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
diff --git a/public/vold.te b/public/vold.te
index 7796ba8..af3152e 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -86,14 +86,12 @@
 allow vold device:dir write;
 allow vold devpts:chr_file rw_file_perms;
 allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton; # TODO: deprecated in M
-allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
-allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
-allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
 
 # Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
 
 # Access to storage that backs emulated FUSE daemons for migration optimization
 allow vold media_rw_data_file:dir create_dir_perms;
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 2b06c11..7795e3a 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -207,11 +207,9 @@
                 /*Inputs*/
                 { .name = "isSystemServer", .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "isEphemeralApp",  .dir = dir_in, .fn_validate = validate_bool },
-                { .name = "isOwner",        .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "user",           .dir = dir_in,                              },
                 { .name = "seinfo",         .dir = dir_in,                              },
                 { .name = "name",           .dir = dir_in,                              },
-                { .name = "path",           .dir = dir_in,                              },
                 { .name = "isPrivApp",      .dir = dir_in, .fn_validate = validate_bool },
                 { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
                 { .name = "fromRunAs",       .dir = dir_in, .fn_validate = validate_bool },