diff --git a/prebuilts/api/202404/private/aconfigd.te b/prebuilts/api/202404/private/aconfigd.te
new file mode 100644
index 0000000..43a08ce
--- /dev/null
+++ b/prebuilts/api/202404/private/aconfigd.te
@@ -0,0 +1,36 @@
+# aconfigd -- manager for aconfig flags
+type aconfigd, domain;
+type aconfigd_exec, exec_type, file_type, system_file_type;
+
+typeattribute aconfigd coredomain;
+
+init_daemon_domain(aconfigd)
+
+# only init is allowed to enter the aconfigd domain
+neverallow { domain -init } aconfigd:process transition;
+neverallow * aconfigd:process dyntransition;
+
+allow aconfigd metadata_file:dir search;
+
+allow aconfigd {
+    aconfig_storage_metadata_file
+    aconfig_storage_flags_metadata_file
+}:dir create_dir_perms;
+
+allow aconfigd {
+    aconfig_storage_metadata_file
+    aconfig_storage_flags_metadata_file
+}:file create_file_perms;
+
+allow aconfigd aconfigd_socket:sock_file rw_file_perms;
+
+# allow aconfigd to log to the kernel.
+allow aconfigd kmsg_device:chr_file w_file_perms;
+
+# allow aconfigd to read system/system_ext/product partition storage files
+allow aconfigd system_aconfig_storage_file:file r_file_perms;
+allow aconfigd system_aconfig_storage_file:dir r_dir_perms;
+
+# allow aconfigd to read vendor partition storage files
+allow aconfigd vendor_aconfig_storage_file:file r_file_perms;
+allow aconfigd vendor_aconfig_storage_file:dir r_dir_perms;
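Review bot: Nothing in this file constrains which domains may connect to `aconfigd_socket`; the only rule is the daemon's own `aconfigd_socket:sock_file rw_file_perms`, yet aconfigd holds create/write access to both /metadata/aconfig storage types and is therefore the write path for flag values. A neverallow in the shape this tree already uses for `system_ndebug_socket`, e.g. `neverallow { domain -init -system_server -aconfigd } aconfigd_socket:sock_file { open write };` with the exception list matching the intended clients (which this diff does not show), would make the client set an auditable part of the policy rather than something discovered from scattered allow rules. A one-line comment above the socket rule naming the expected clients would help for the same reason.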
diff --git a/prebuilts/api/202404/private/adbd.te b/prebuilts/api/202404/private/adbd.te
index d72d5b1..e735222 100644
--- a/prebuilts/api/202404/private/adbd.te
+++ b/prebuilts/api/202404/private/adbd.te
@@ -226,6 +226,10 @@
 # Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
 allow adbd apex_info_file:file r_file_perms;
 
+# allow reading tombstones. users can already use bugreports to get those.
+allow adbd tombstone_data_file:dir r_dir_perms;
+allow adbd tombstone_data_file:file r_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/prebuilts/api/202404/private/app.te b/prebuilts/api/202404/private/app.te
index 1ef6ceb..95b85db 100644
--- a/prebuilts/api/202404/private/app.te
+++ b/prebuilts/api/202404/private/app.te
@@ -132,9 +132,9 @@
 allow appdomain apex_art_data_file:file rx_file_perms;
 
 # Allow access to tombstones if an fd to one is given to you.
-# This is restricted by unix permissions, so an app must go through system_server to get one.
+# An app cannot open the tombstone itself because it lacks `open`.
 allow appdomain tombstone_data_file:file { getattr read };
-neverallow appdomain tombstone_data_file:file ~{ getattr read };
+neverallow { appdomain -shell } tombstone_data_file:file ~{ getattr read };
 
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
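Review bot: The new `-shell` exception lifts every restriction on tombstone files for shell, not just the read access shell.te grants in this change, so a future `allow shell tombstone_data_file:file` carrying write or unlink would no longer be caught by a neverallow. Keep the exception but pin shell to read-only next to it: `neverallow shell tombstone_data_file:file ~r_file_perms;`. The rewritten comment also drops the part of the old wording that explained where an app's fd comes from; if that flow is unchanged, `# Apps cannot open tombstones themselves (no open); an fd has to be handed over, e.g. by system_server.` keeps both facts.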
diff --git a/prebuilts/api/202404/private/app_zygote.te b/prebuilts/api/202404/private/app_zygote.te
index e3869cd..b51f633 100644
--- a/prebuilts/api/202404/private/app_zygote.te
+++ b/prebuilts/api/202404/private/app_zygote.te
@@ -93,6 +93,10 @@
 # Allow app_zygote to access odsign verification status
 get_prop(app_zygote, odsign_prop)
 
+# /data/resource-cache
+allow app_zygote resourcecache_data_file:file r_file_perms;
+allow app_zygote resourcecache_data_file:dir r_dir_perms;
+
 #####
 ##### Neverallow
 #####
diff --git a/prebuilts/api/202404/private/compat/34.0/34.0.ignore.cil b/prebuilts/api/202404/private/compat/34.0/34.0.ignore.cil
index 351d647..5f835a4 100644
--- a/prebuilts/api/202404/private/compat/34.0/34.0.ignore.cil
+++ b/prebuilts/api/202404/private/compat/34.0/34.0.ignore.cil
@@ -23,6 +23,7 @@
     hal_threadnetwork_service
     hidl_memory_prop
     hidraw_device
+    input_device_config_prop
     virtual_camera_service
     ot_daemon_service
     ot_daemon_socket
@@ -45,4 +46,7 @@
     profiling_service
     aconfig_storage_metadata_file
     aconfig_storage_flags_metadata_file
+    aconfigd
+    aconfigd_exec
+    aconfigd_socket
   ))
diff --git a/prebuilts/api/202404/private/domain.te b/prebuilts/api/202404/private/domain.te
index 2f107dd..66bce05 100644
--- a/prebuilts/api/202404/private/domain.te
+++ b/prebuilts/api/202404/private/domain.te
@@ -179,6 +179,35 @@
 # Allow all processes to connect to PRNG seeder daemon.
 unix_socket_connect(domain, prng_seeder, prng_seeder)
 
+# Allow calls to system(3), popen(3), ...
+allow {
+  domain
+  # Except domains that explicitly neverallow it.
+  -kernel
+  -init
+  -vendor_init
+  -app_zygote
+  -webview_zygote
+  -system_server
+  -artd
+  -audioserver
+  -cameraserver
+  -mediadrmserver
+  -mediaextractor
+  -mediametrics
+  -mediaserver
+  -mediatuner
+  -mediatranscoding
+  -ueventd
+  -hal_audio_server
+  -hal_camera_server
+  -hal_cas_server
+  -hal_codec2_server
+  -hal_configstore_server
+  -hal_drm_server
+  -hal_omx_server
+} {shell_exec toolbox_exec}:file rx_file_perms;
+
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using
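Review bot: The blanket `allow { domain -... } {shell_exec toolbox_exec}:file rx_file_perms` makes a shell reachable from every domain not on the exclusion list, including privileged native daemons that previously could not exec `sh`, which turns any argument-injection bug in such a daemon into arbitrary command execution. The comment says the exclusions are the domains that neverallow it, but the list is hand-maintained and nothing here ties it to those rules beyond the build-time neverallow check, so a domain that is meant to stay excluded but lacks its own neverallow silently gains shell execution. An opt-in attribute (domains that genuinely call system(3)/popen(3) take `typeattribute X shell_exec_domain`) would keep the grant explicit; failing that, extend the comment with `# Domains that must never exec a shell need their own neverallow; the build check is the only thing keeping this list honest.`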
@@ -197,6 +226,7 @@
   -recovery
   -ueventd
   -mtectrl
+  -misctrl
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
@@ -622,6 +652,7 @@
     -vendor_task_profiles_file
     -vendor_uuid_mapping_config_file
     -vndk_sp_file
+    -vendor_aconfig_storage_file
   }:file *;
 ')
 
@@ -778,3 +809,7 @@
 
 # For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
 neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
+
+# Do not allow write access to aconfig flag value files except init and aconfigd
+neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file no_w_file_perms;
diff --git a/prebuilts/api/202404/private/dumpstate.te b/prebuilts/api/202404/private/dumpstate.te
index 6798667..29cd454 100644
--- a/prebuilts/api/202404/private/dumpstate.te
+++ b/prebuilts/api/202404/private/dumpstate.te
@@ -68,6 +68,8 @@
 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
 
+get_prop(dumpstate, misctrl_prop)
+
 # Signal native processes to dump their stack.
 allow dumpstate {
   mediatranscoding
diff --git a/prebuilts/api/202404/private/file.te b/prebuilts/api/202404/private/file.te
index 450fe2c..c4341af 100644
--- a/prebuilts/api/202404/private/file.te
+++ b/prebuilts/api/202404/private/file.te
@@ -25,6 +25,9 @@
 # /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
 type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
 
+# /data/misc/perfetto-traces/profiling for perfetto traces from profiling apis.
+type perfetto_traces_profiling_data_file, file_type, data_file_type, core_data_file_type;
+
 # /data/misc/perfetto-configs for perfetto configs
 type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
 
@@ -145,3 +148,12 @@
 
 # Type for /sys/devices/uprobe.
 type sysfs_uprobe, fs_type, sysfs_type;
+
+# Type for aconfig daemon socket
+type aconfigd_socket, file_type, coredomain_socket;
+
+# Type for /(system|system_ext|product)/etc/aconfig
+type system_aconfig_storage_file, system_file_type, file_type;
+
+# Type for /vendor/etc/aconfig
+type vendor_aconfig_storage_file, vendor_file_type, file_type;
diff --git a/prebuilts/api/202404/private/file_contexts b/prebuilts/api/202404/private/file_contexts
index 3a65d81..63b3d1e 100644
--- a/prebuilts/api/202404/private/file_contexts
+++ b/prebuilts/api/202404/private/file_contexts
@@ -155,6 +155,7 @@
 /dev/snd(/.*)?		u:object_r:audio_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
+/dev/socket/aconfigd	u:object_r:aconfigd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
 /dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
@@ -332,6 +333,7 @@
 /system/bin/rss_hwm_reset	u:object_r:rss_hwm_reset_exec:s0
 /system/bin/perfetto        u:object_r:perfetto_exec:s0
 /system/bin/mtectrl         u:object_r:mtectrl_exec:s0
+/system/bin/misctrl         u:object_r:misctrl_exec:s0
 /system/bin/traced        u:object_r:traced_exec:s0
 /system/bin/traced_perf        u:object_r:traced_perf_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0
@@ -356,6 +358,7 @@
 /system/bin/virtual_camera       u:object_r:virtual_camera_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.system\.suspend-service               u:object_r:system_suspend_exec:s0
+/(system|system_ext|product)/etc/aconfig(/.*)?                u:object_r:system_aconfig_storage_file:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
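Review bot: `/(system|system_ext|product)/etc/aconfig(/.*)?` only matches the mount-point spellings, whereas the vendor entry added in this same change uses `/(vendor|system/vendor)/etc/aconfig(/.*)?` to cover both layouts; on a device where system_ext or product are not separate partitions, `/system/system_ext/etc/aconfig` and `/system/product/etc/aconfig` would fall through to the generic system label. If that layout is still supported, the consistent pattern is `/(system|system_ext|system/system_ext|product|system/product)/etc/aconfig(/.*)?`. Either way, a short comment above the entry saying what aconfigd expects to find under /etc/aconfig would help, since file.te only describes the type by path.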
@@ -385,6 +388,7 @@
 /system/bin/bpfloader            u:object_r:bpfloader_exec:s0
 /system/bin/netbpfload           u:object_r:bpfloader_exec:s0
 /system/bin/watchdogd            u:object_r:watchdogd_exec:s0
+/system/bin/aconfigd             u:object_r:aconfigd_exec:s0
 /system/bin/apexd                u:object_r:apexd_exec:s0
 /system/bin/gsid                 u:object_r:gsid_exec:s0
 /system/bin/simpleperf           u:object_r:simpleperf_exec:s0
@@ -427,6 +431,8 @@
 /(vendor|system/vendor)/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
 /(vendor|system/vendor)/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
 
+/(vendor|system/vendor)/etc/aconfig(/.*)?                      u:object_r:vendor_aconfig_storage_file:s0
+
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
 
@@ -660,9 +666,10 @@
 /data/misc/odrefresh(/.*)?      u:object_r:odrefresh_data_file:s0
 /data/misc/odsign(/.*)?         u:object_r:odsign_data_file:s0
 /data/misc/odsign/metrics(/.*)? u:object_r:odsign_metrics_file:s0
-/data/misc/perfetto-traces(/.*)?          u:object_r:perfetto_traces_data_file:s0
-/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
-/data/misc/perfetto-configs(/.*)?         u:object_r:perfetto_configs_data_file:s0
+/data/misc/perfetto-traces(/.*)?           u:object_r:perfetto_traces_data_file:s0
+/data/misc/perfetto-traces/bugreport(.*)?  u:object_r:perfetto_traces_bugreport_data_file:s0
+/data/misc/perfetto-traces/profiling(/.*)? u:object_r:perfetto_traces_profiling_data_file:s0
+/data/misc/perfetto-configs(/.*)?          u:object_r:perfetto_configs_data_file:s0
 /data/misc/uprobestats-configs(/.*)?      u:object_r:uprobestats_configs_data_file:s0
 /data/misc/prereboot(/.*)?      u:object_r:prereboot_data_file:s0
 /data/misc/profcollectd(/.*)?   u:object_r:profcollectd_data_file:s0
diff --git a/prebuilts/api/202404/private/misctrl.te b/prebuilts/api/202404/private/misctrl.te
new file mode 100644
index 0000000..2352067
--- /dev/null
+++ b/prebuilts/api/202404/private/misctrl.te
@@ -0,0 +1,17 @@
+# binary for generic misc partition management
+type misctrl, domain, coredomain;
+type misctrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(misctrl)
+
+allow misctrl misc_block_device:blk_file rw_file_perms;
+allow misctrl block_device:dir r_dir_perms;
+read_fstab(misctrl)
+
+set_prop(misctrl, misctrl_prop)
+
+# bootloader_message tries to find the fstab in the device config path first,
+# but because we've already booted up we can use the ro.boot properties instead,
+# so we can just ignore the SELinux denial.
+dontaudit misctrl sysfs_dt_firmware_android:dir search;
+dontaudit misctrl vendor_property_type:file read;
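Review bot: misctrl gets read/write on `misc_block_device`, the block device domain.te reserves for OTA use, yet unlike the aconfigd domain introduced in this same change it has no neverallow pinning who may enter the domain. Add `neverallow { domain -init } misctrl:process transition;` and `neverallow * misctrl:process dyntransition;` after `init_daemon_domain(misctrl)`. The `dontaudit misctrl vendor_property_type:file read` line is also broader than the fstab probe the comment describes (it silences reads of every vendor property type); if the probe only touches one property file type, narrow the dontaudit to it, otherwise say in the comment that it is intentionally broad so it does not hide unrelated denials unnoticed.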
diff --git a/prebuilts/api/202404/private/perfetto.te b/prebuilts/api/202404/private/perfetto.te
index aae61a6..d0088ef 100644
--- a/prebuilts/api/202404/private/perfetto.te
+++ b/prebuilts/api/202404/private/perfetto.te
@@ -26,6 +26,10 @@
 allow perfetto perfetto_traces_bugreport_data_file:file create_file_perms;
 allow perfetto perfetto_traces_bugreport_data_file:dir rw_dir_perms;
 
+# Allow to write and unlink traces into /data/misc/perfetto-traces/profiling.
+allow perfetto perfetto_traces_profiling_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_profiling_data_file:file create_file_perms;
+
 # Allow perfetto to access the proxy service for reporting traces.
 allow perfetto tracingproxy_service:service_manager find;
 binder_use(perfetto)
@@ -86,6 +90,7 @@
   -dumpstate # For attaching traces to bugreports.
   -incidentd # For receiving reported traces. TODO(lalitm): remove this.
   -priv_app  # For stating traces for bug-report UI.
+  -system_server # For accessing traces started by profiling apis.
 } perfetto_traces_data_file:dir *;
 neverallow {
   domain
@@ -122,14 +127,20 @@
   -vendor_data_file
   -perfetto_traces_data_file
   -perfetto_traces_bugreport_data_file
+  -perfetto_traces_profiling_data_file
   -perfetto_configs_data_file
   with_native_coverage(`-method_trace_data_file')
 }:dir *;
-neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto {
+  system_data_file
+  -perfetto_traces_data_file
+  -perfetto_traces_profiling_data_file
+}:dir ~{ getattr search };
 neverallow perfetto {
   data_file_type
   -perfetto_traces_data_file
   -perfetto_traces_bugreport_data_file
+  -perfetto_traces_profiling_data_file
   -perfetto_configs_data_file
   with_native_coverage(`-method_trace_data_file')
 }:file ~write;
diff --git a/prebuilts/api/202404/private/property.te b/prebuilts/api/202404/private/property.te
index d21df55..2d030ab 100644
--- a/prebuilts/api/202404/private/property.te
+++ b/prebuilts/api/202404/private/property.te
@@ -35,6 +35,7 @@
 system_internal_prop(netd_stable_secret_prop)
 system_internal_prop(next_boot_prop)
 system_internal_prop(odsign_prop)
+system_internal_prop(misctrl_prop)
 system_internal_prop(perf_drop_caches_prop)
 system_internal_prop(pm_prop)
 system_internal_prop(profcollectd_node_id_prop)
@@ -185,6 +186,21 @@
   userdebug_or_eng(`-su')
 } init_svc_debug_prop:file no_rw_file_perms;
 
+# DO NOT ADD: compat risk
+neverallow {
+  domain
+  -init
+  -dumpstate
+  -misctrl
+  userdebug_or_eng(`-su')
+} misctrl_prop:file no_rw_file_perms;
+neverallow {
+  domain
+  -init
+  -misctrl
+  userdebug_or_eng(`-su')
+} misctrl_prop:property_service set;
+
 compatible_property_only(`
 # Prevent properties from being set
   neverallow {
diff --git a/prebuilts/api/202404/private/property_contexts b/prebuilts/api/202404/private/property_contexts
index 568bdc1..1ddde23 100644
--- a/prebuilts/api/202404/private/property_contexts
+++ b/prebuilts/api/202404/private/property_contexts
@@ -98,6 +98,7 @@
 ro.boot.serialno        u:object_r:serialno_prop:s0
 ro.bt.                  u:object_r:bluetooth_prop:s0
 ro.boot.bootreason      u:object_r:bootloader_boot_reason_prop:s0
+ro.misctrl.             u:object_r:misctrl_prop:s0
 persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
 sys.boot.reason         u:object_r:system_boot_reason_prop:s0
 sys.boot.reason.last    u:object_r:last_boot_reason_prop:s0
@@ -287,6 +288,9 @@
 persist.device_config.memory_safety_native.         u:object_r:device_config_memory_safety_native_prop:s0
 persist.device_config.tethering_u_or_later_native.  u:object_r:device_config_tethering_u_or_later_native_prop:s0
 
+# Prop indicates the apex that bundles input configuration files (*.idc,*.kl,*.kcm)
+input_device.config_file.apex    u:object_r:input_device_config_prop:s0 exact string
+
 # Properties that is for staging
 next_boot.  u:object_r:next_boot_prop:s0
 
@@ -1192,8 +1196,12 @@
 
 ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
 
-service.bootanim.exit u:object_r:bootanim_system_prop:s0 exact int
-service.bootanim.progress u:object_r:bootanim_system_prop:s0 exact int
+service.bootanim.exit       u:object_r:bootanim_system_prop:s0 exact int
+service.bootanim.progress   u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color1     u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color2     u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color3     u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color4     u:object_r:bootanim_system_prop:s0 exact int
 
 sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
 sys.use_memfd                         u:object_r:use_memfd_prop:s0 exact bool
diff --git a/prebuilts/api/202404/private/service.te b/prebuilts/api/202404/private/service.te
index 36d6ccf..c4e7cbc 100644
--- a/prebuilts/api/202404/private/service.te
+++ b/prebuilts/api/202404/private/service.te
@@ -26,6 +26,9 @@
 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
     type vfio_handler_service,          service_manager_type;
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
+    type virtualization_maintenance_service, service_manager_type;
+')
 
 type uce_service,                   service_manager_type;
 type wearable_sensing_service,      app_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/202404/private/service_contexts b/prebuilts/api/202404/private/service_contexts
index 82af95e..3138d90 100644
--- a/prebuilts/api/202404/private/service_contexts
+++ b/prebuilts/api/202404/private/service_contexts
@@ -165,6 +165,9 @@
 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
     android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
+    android.system.virtualizationmaintenance u:object_r:virtualization_maintenance_service:s0
+')
 ambient_context                           u:object_r:ambient_context_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
diff --git a/prebuilts/api/202404/private/shell.te b/prebuilts/api/202404/private/shell.te
index bfcd5ac..60684f4 100644
--- a/prebuilts/api/202404/private/shell.te
+++ b/prebuilts/api/202404/private/shell.te
@@ -17,6 +17,10 @@
 # read config.gz for CTS purposes
 allow shell config_gz:file r_file_perms;
 
+# allow reading tombstones. users can already use bugreports to get those.
+allow shell tombstone_data_file:dir r_dir_perms;
+allow shell tombstone_data_file:file r_file_perms;
+
 # Run app_process.
 # XXX Transition into its own domain?
 app_domain(shell)
diff --git a/prebuilts/api/202404/private/system_server.te b/prebuilts/api/202404/private/system_server.te
index b58315d..886499e 100644
--- a/prebuilts/api/202404/private/system_server.te
+++ b/prebuilts/api/202404/private/system_server.te
@@ -520,6 +520,7 @@
 r_dir_file(system_server, vendor_keylayout_file)
 r_dir_file(system_server, vendor_keychars_file)
 r_dir_file(system_server, vendor_idc_file)
+get_prop(system_server, input_device_config_prop)
 
 # Access /vendor/{app,framework,overlay}
 r_dir_file(system_server, vendor_app_file)
@@ -582,6 +583,11 @@
 domain_auto_trans(system_server, perfetto_exec, perfetto);
 allow system_server perfetto:fifo_file { read write };
 
+# Allow system server to manage perfetto traces for ProfilingService.
+allow system_server perfetto_traces_profiling_data_file:dir rw_dir_perms;
+allow system_server perfetto_traces_profiling_data_file:file { rw_file_perms unlink };
+allow system_server perfetto_traces_data_file:dir search;
+
 # Manage /data/backup.
 allow system_server backup_data_file:dir create_dir_perms;
 allow system_server backup_data_file:file create_file_perms;
@@ -982,6 +988,9 @@
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
 allow system_server virtual_camera_service:service_manager find;
+is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
+    allow system_server virtualization_maintenance_service:service_manager find;
+')
 allow system_server vold_service:service_manager find;
 allow system_server wifinl80211_service:service_manager find;
 allow system_server logd_service:service_manager find;
@@ -1299,6 +1308,9 @@
 neverallow system_server { domain -clatd -crash_dump -perfetto }:process transition;
 neverallow system_server *:process dyntransition;
 
+# Ensure that system_server doesn't access anything but search in perfetto_traces_data_file:dir.
+neverallow system_server perfetto_traces_data_file:dir ~search;
+
 # Only allow crash_dump to connect to system_ndebug_socket.
 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
 
@@ -1516,9 +1528,8 @@
 neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
 
 # Only system server should access /metadata/aconfig
-# TODO: add storage daemon to neverallow exception when it is introduced
-neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:dir *;
-neverallow { domain -init -system_server } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
+neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
+neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
 
 # Allow systemserver to read/write the invalidation property
 set_prop(system_server, binder_cache_system_server_prop)
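Review bot: The comment `# Only system server should access /metadata/aconfig` is now stale, since the rules beneath it exempt aconfigd as well; update it to `# Only system_server and aconfigd should access /metadata/aconfig (aconfig_storage_flags_metadata_file)`. With two writers of the same flag-metadata files, a one-line note on which one owns creation versus updates would also help, if that split is defined somewhere this diff does not show.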
diff --git a/prebuilts/api/202404/private/untrusted_app_all.te b/prebuilts/api/202404/private/untrusted_app_all.te
index f666cc8..c646137 100644
--- a/prebuilts/api/202404/private/untrusted_app_all.te
+++ b/prebuilts/api/202404/private/untrusted_app_all.te
@@ -161,9 +161,6 @@
 userdebug_or_eng(`
   allow untrusted_app_all debugfs_kcov:file rw_file_perms;
   allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
-  # The use of debugfs kcov is considered a breach of the kernel integrity
-  # according to the heuristic of lockdown.
-  allow untrusted_app_all self:lockdown integrity;
 ')
 
 # Allow running a VM for test/demo purposes. Note that access to the
diff --git a/prebuilts/api/202404/private/vfio_handler.te b/prebuilts/api/202404/private/vfio_handler.te
index 963809e..fd6499d 100644
--- a/prebuilts/api/202404/private/vfio_handler.te
+++ b/prebuilts/api/202404/private/vfio_handler.te
@@ -31,7 +31,4 @@
     # Allow vfio_handler to search /dev/block for accessing dtbo.img
     allow vfio_handler block_device:dir search;
     allow vfio_handler dtbo_block_device:blk_file r_file_perms;
-
-    # Only vfio_handler can add vfio_handler_service
-    neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
 ') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT)
diff --git a/prebuilts/api/202404/private/virtual_camera.te b/prebuilts/api/202404/private/virtual_camera.te
index dde98c0..45dc8a1 100644
--- a/prebuilts/api/202404/private/virtual_camera.te
+++ b/prebuilts/api/202404/private/virtual_camera.te
@@ -38,6 +38,9 @@
 allow virtual_camera gpu_device:chr_file rw_file_perms;
 allow virtual_camera gpu_device:dir r_dir_perms;
 
+# Allow virtual camera to use graphics composer fd-s (fences).
+allow virtual_camera hal_graphics_composer:fd use;
+
 # For collecting bugreports.
 allow virtual_camera dumpstate:fd use;
 allow virtual_camera dumpstate:fifo_file write;
diff --git a/prebuilts/api/202404/private/virtualizationservice.te b/prebuilts/api/202404/private/virtualizationservice.te
index fcc7304..ee288f2 100644
--- a/prebuilts/api/202404/private/virtualizationservice.te
+++ b/prebuilts/api/202404/private/virtualizationservice.te
@@ -12,8 +12,11 @@
 # Let the virtualizationservice domain use Binder.
 binder_use(virtualizationservice)
 
-# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
+# Register our services with ServiceManager.
 add_service(virtualizationservice, virtualization_service)
+is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
+    add_service(virtualizationservice, virtualization_maintenance_service)
+')
 
 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
     # Let virtualizationservice find and communicate with vfio_handler.
@@ -59,8 +62,9 @@
 virtualizationservice_use(virtualizationservice)
 
 # Allow virtualizationservice to read and write in the apex data directory
-# /data/misc/apexdata/com.android.virt
-allow virtualizationservice apex_module_data_file:dir search;
+# /data/misc/apexdata/com.android.virt. Also allow checking of the parent directory
+# (needed for SQLite database creation).
+allow virtualizationservice apex_module_data_file:dir { search getattr };
 allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
 allow virtualizationservice apex_virt_data_file:file create_file_perms;
 
diff --git a/prebuilts/api/202404/private/webview_zygote.te b/prebuilts/api/202404/private/webview_zygote.te
index 0556950..1e32c1f 100644
--- a/prebuilts/api/202404/private/webview_zygote.te
+++ b/prebuilts/api/202404/private/webview_zygote.te
@@ -93,6 +93,10 @@
 # Allow webview_zygote to access odsign verification status
 get_prop(zygote, odsign_prop)
 
+# /data/resource-cache
+allow webview_zygote resourcecache_data_file:file r_file_perms;
+allow webview_zygote resourcecache_data_file:dir r_dir_perms;
+
 #####
 ##### Neverallow
 #####
diff --git a/prebuilts/api/202404/public/domain.te b/prebuilts/api/202404/public/domain.te
index 755b4b2..0a2a5e5 100644
--- a/prebuilts/api/202404/public/domain.te
+++ b/prebuilts/api/202404/public/domain.te
@@ -259,13 +259,14 @@
 allow domain debugfs_tracing_debug:dir search;
 allow domain debugfs_trace_marker:file w_file_perms;
 
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
+# Linux lockdown mode offered coarse-grained definitions for access controls. In
+# previous versions of the policy, the integrity permission was neverallowed.
+# It was found that this permission mainly duplicates pre-existing rules in
+# the policy (see b/285443587). Additionally, some access were found to be
+# required (b/269377822). The access vector was removed from kernel 5.16
+# onwards. Grant unconditional access, these rules should be removed from the
+# policy once no kernel <5.16 are supported.
+allow domain self:lockdown { confidentiality integrity };
 
 # Filesystem access.
 allow domain fs_type:filesystem getattr;
@@ -629,11 +630,6 @@
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
-# Do not allow write access to the general aconfig pb file and boot flag value files except init
-# TODO: need to add storage daemon into this exception list once it is created
-neverallow { domain -init } aconfig_storage_metadata_file:dir *;
-neverallow { domain -init } aconfig_storage_metadata_file:file no_w_file_perms;
-
 full_treble_only(`
   # Vendor apps are permited to use only stable public services. If they were to use arbitrary
   # services which can change any time framework/core is updated, breakage is likely.
@@ -1310,6 +1306,3 @@
 } ashmem_device:chr_file open;
 
 neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/prebuilts/api/202404/public/property.te b/prebuilts/api/202404/public/property.te
index c513434..453a467 100644
--- a/prebuilts/api/202404/public/property.te
+++ b/prebuilts/api/202404/public/property.te
@@ -160,6 +160,7 @@
 system_vendor_config_prop(hypervisor_prop)
 system_vendor_config_prop(hypervisor_restricted_prop)
 system_vendor_config_prop(incremental_prop)
+system_vendor_config_prop(input_device_config_prop)
 system_vendor_config_prop(keyguard_config_prop)
 system_vendor_config_prop(keystore_config_prop)
 system_vendor_config_prop(lmkd_config_prop)
diff --git a/private/bpfloader.te b/private/bpfloader.te
index be6f77c..87fed1a 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -48,24 +48,12 @@
 neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
+neverallow { domain -bpfdomain } *:bpf { map_read map_write prog_run };
 
 # 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
 neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
 neverallow { domain -bpfloader } fs_bpf_loader:file *;
 
-neverallow {
-  domain
-  -bpfloader
-  -gpuservice
-  -hal_health_server
-  -mediaprovider_app
-  -netd
-  -netutils_wrapper
-  -network_stack
-  -system_server
-  -uprobestats
-} *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
 
 neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
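Review bot: Collapsing the two enumerated neverallow lists into `neverallow { domain -bpfdomain } *:bpf { map_read map_write prog_run }` moves the access decision from an explicit allowlist in this file to wherever `bpfdomain` is attached, so the set of domains that may read/write BPF maps and run programs is no longer visible here and any future `typeattribute foo bpfdomain` widens it without touching this file. If that is intended, say so next to the rule: `# bpfdomain is the single audit point for bpf map/prog access; attaching it to a domain grants map_read/map_write/prog_run.` The old lists named domains (lmkd, hal_health_server, netutils_wrapper) that now must carry the attribute; the build-time neverallow check is what catches one that does not, and it is worth stating that in the comment so nobody re-adds an enumerated exception to work around a build failure.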
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 7a2db41..02bbced 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -591,6 +591,7 @@
 (expandtypeattribute (init_tmpfs_202404) true)
 (expandtypeattribute (inotify_202404) true)
 (expandtypeattribute (input_device_202404) true)
+(expandtypeattribute (input_device_config_prop_202404) true)
 (expandtypeattribute (input_method_service_202404) true)
 (expandtypeattribute (input_service_202404) true)
 (expandtypeattribute (inputflinger_202404) true)
@@ -1982,6 +1983,7 @@
 (typeattributeset init_tmpfs_202404 (init_tmpfs))
 (typeattributeset inotify_202404 (inotify))
 (typeattributeset input_device_202404 (input_device))
+(typeattributeset input_device_config_prop_202404 (input_device_config_prop))
 (typeattributeset input_method_service_202404 (input_method_service))
 (typeattributeset input_service_202404 (input_service))
 (typeattributeset inputflinger_202404 (inputflinger))
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 1e61ae0..dbc2a1d 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil
@@ -5,5 +5,4 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
-    input_device_config_prop
   ))
diff --git a/private/domain.te b/private/domain.te
index 4692eda..8dd8c89 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -813,5 +813,5 @@
 neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
 
 # Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:dir *;
-neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file no_w_file_perms;
+neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir *;
+neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
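Review bot: Exempting system_server from the `:file no_w_file_perms` neverallow contradicts the comment directly above it (`except init and aconfigd`) and is wider than what this diff gives system_server, which is only `aconfig_storage_metadata_file:dir search` in private/system_server.te. Keep the file rule as it was and narrow the dir exemption instead: `neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir *;`, `neverallow system_server aconfig_storage_metadata_file:dir ~search;`, `neverallow { domain -init -aconfigd } aconfig_storage_metadata_file:file no_w_file_perms;`. This mirrors the `perfetto_traces_data_file:dir ~search` pattern system_server.te already uses for the same situation.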
diff --git a/private/property_contexts b/private/property_contexts
index 7dbb82f..fd1b848 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -766,6 +766,7 @@
 ro.lmk.thrashing_limit_decay    u:object_r:lmkd_config_prop:s0 exact int
 ro.lmk.use_minfree_levels       u:object_r:lmkd_config_prop:s0 exact bool
 ro.lmk.use_new_strategy         u:object_r:lmkd_config_prop:s0 exact bool
+ro.lmk.use_psi                  u:object_r:lmkd_config_prop:s0 exact bool
 ro.lmk.upgrade_pressure         u:object_r:lmkd_config_prop:s0 exact int
 lmkd.reinit                     u:object_r:lmkd_prop:s0 exact int
 
diff --git a/private/system_server.te b/private/system_server.te
index 886499e..c2c30ae 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1470,6 +1470,7 @@
 
 allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
 allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
+allow system_server aconfig_storage_metadata_file:dir search;
 
 allow system_server repair_mode_metadata_file:dir rw_dir_perms;
 allow system_server repair_mode_metadata_file:file create_file_perms;
diff --git a/tests/sepolicy_freeze_test.py b/tests/sepolicy_freeze_test.py
index f72340a..72c8fde 100644
--- a/tests/sepolicy_freeze_test.py
+++ b/tests/sepolicy_freeze_test.py
@@ -37,46 +37,20 @@
 
     current_policy = mini_parser.MiniCilParser(options.current)
     prebuilt_policy = mini_parser.MiniCilParser(options.prebuilt)
-    current_policy.typeattributes = set(filter(lambda x: "base_typeattr_" not in x,
-                                               current_policy.typeattributes))
-    prebuilt_policy.typeattributes = set(filter(lambda x: "base_typeattr_" not in x,
-                                                prebuilt_policy.typeattributes))
 
     results = ""
     removed_types = prebuilt_policy.types - current_policy.types
-    added_types = current_policy.types - prebuilt_policy.types
     removed_attributes = prebuilt_policy.typeattributes - current_policy.typeattributes
-    added_attributes = current_policy.typeattributes - prebuilt_policy.typeattributes
+    removed_attributes = set(filter(lambda x: "base_typeattr_" not in x, removed_attributes))
 
     if removed_types:
         results += "The following public types were removed:\n" + ", ".join(removed_types) + "\n"
 
-    if added_types:
-        results += "The following public types were added:\n" + ", ".join(added_types) + "\n"
-
     if removed_attributes:
         results += "The following public attributes were removed:\n" + ", ".join(removed_attributes) + "\n"
 
-    if added_attributes:
-        results += "The following public attributes were added:\n" + ", ".join(added_attributes) + "\n"
-
-    if results:
-        sys.exit(f'''{results}
-******************************
-You have tried to change system/sepolicy/public after vendor API freeze.
-To make these errors go away, you have two choices:
-    1. You can flag-guard types and attributes listed above, so they won't be
-       included to the release build. See examples of how to flag-guard them:
-           https://android-review.googlesource.com/2854391
-           https://android-review.googlesource.com/2967637
-    2. You can update prebuilts by executing the following command:
-           $ cd $ANDROID_BUILD_TOP
-           $ cp -r system/sepolicy/public system/sepolicy/private \\
-                 system/sepolicy/prebuilts/api/$(get_build_var BOARD_API_LEVEL)
-       To submit the revised prebuilts to the main Android repository,
-       you will need approval.
-******************************
-''')
+    if len(results) > 0:
+        sys.exit(results)
 
 if __name__ == '__main__':
     do_main()
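Review bot: `", ".join(removed_types)` and `", ".join(removed_attributes)` iterate sets, so the failure message lists names in hash order and changes from run to run; use `", ".join(sorted(removed_types))` (and likewise for attributes) so the output is stable and diffable across builds. The filter on `removed_attributes` reads more naturally as a comprehension, `removed_attributes = {a for a in removed_attributes if "base_typeattr_" not in a}`. Dropping the `added_types`/`added_attributes` checks means the freeze test now only catches removals; if additions after the freeze are allowed by design, a one-line comment above `results = ""` saying so would stop the next reader from reinstating them. do_main begins before this hunk.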
