diff --git a/private/apexd.te b/private/apexd.te
index 5b27101..3282cfc 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -10,6 +10,11 @@
 allow apexd apex_data_file:dir create_dir_perms;
 allow apexd apex_data_file:file create_file_perms;
 
+# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
+allow apexd metadata_file:dir search;
+allow apexd apex_metadata_file:dir create_dir_perms;
+allow apexd apex_metadata_file:file create_file_perms;
+
 # allow apexd to create loop devices with /dev/loop-control
 allow apexd loop_control_device:chr_file rw_file_perms;
 # allow apexd to access loop devices
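Review bot: The comment on the first added line describes only the apex_metadata_file grants, but the line directly under it grants `search` on the parent `metadata_file` label, which is a different type with its own neverallow story. Suggest splitting the comment so the traversal grant is explained on its own, e.g. `# Allow traversing /metadata to reach /metadata/apex` above `allow apexd metadata_file:dir search;`, and keeping the existing comment for the two apex_metadata_file lines.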
@@ -99,5 +104,7 @@
 ')
 
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
+neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
 neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
diff --git a/private/art_apex_boot_integrity.te b/private/art_apex_boot_integrity.te
new file mode 100644
index 0000000..14feee6
--- /dev/null
+++ b/private/art_apex_boot_integrity.te
@@ -0,0 +1,34 @@
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type art_apex_boot_integrity, domain, coredomain;
+type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# art_apex_boot_integrity to occur.
+init_daemon_domain(art_apex_boot_integrity)
+
+# Read dalvik cache directories, remove entries.
+allow art_apex_boot_integrity dalvikcache_data_file:dir  { r_dir_perms write remove_name };
+# Read and possibly delete dalvik cache files.
+allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink };
+
+# Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh
+allow art_apex_boot_integrity shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using art_apex_boot_integrity
+# permissions.
+allow art_apex_boot_integrity toolbox_exec:file rx_file_perms;
+
+# Fsverity in the same domain.
+allow art_apex_boot_integrity system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_boot_integrity ota_data_file:file ioctl {
+  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
+
+allow art_apex_boot_integrity kernel:key search;
+# For testing purposes, allow keys installed with su.
+userdebug_or_eng(`
+  allow art_apex_boot_integrity su:key search;
+')
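Review bot: The `allowxperm` block on `ota_data_file:file ioctl` near the end of the new file has no matching `allow` rule granting `ioctl` on `ota_data_file:file` anywhere in this file, and an allowxperm only narrows permissions that an allow rule already grants, so FS_IOC_ENABLE_VERITY/FS_IOC_MEASURE_VERITY would still be denied unless that allow lives elsewhere; if it does not, add `allow art_apex_boot_integrity ota_data_file:file { r_file_perms ioctl };` beside it. Relatedly, the header comment says the command set moves artifacts from /data/ota into /data/dalvik-cache, yet the only grants here are read/`unlink` on dalvikcache_data_file with no `add_name` or `rename`, so either the comment overstates what this domain does or the move happens in another domain; the comment should say which. The `system_file:file execute_no_trans` rule for fsverity lets the domain run any system_file binary without a transition, which is broader than the `shell_exec`/`toolbox_exec` rules around it; a dedicated exec type for the fsverity tool would bound that grant.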
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
index 314fb7c..40b09d2 100644
--- a/private/art_apex_postinstall.te
+++ b/private/art_apex_postinstall.te
@@ -17,6 +17,7 @@
 
 # Required for relabel.
 allow art_apex_postinstall file_contexts_file:file r_file_perms;
+allow art_apex_postinstall self:global_capability_class_set sys_admin;
 
 # Script helpers.
 allow art_apex_postinstall shell_exec:file rx_file_perms;
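Review bot: The added `self:global_capability_class_set sys_admin` is placed under the `# Required for relabel.` comment that was written for the file_contexts read above it, and CAP_SYS_ADMIN is the broadest capability in the policy, so the comment should state which operation actually requires it. Relabeling a file through the security.selinux xattr is normally governed by relabelfrom/relabelto plus file ownership (or CAP_FOWNER) rather than CAP_SYS_ADMIN, so if the real need is something else, say so explicitly, e.g. `# CAP_SYS_ADMIN is needed for <operation> — TODO confirm`. The rest of art_apex_postinstall.te is outside this hunk, so a bounding neverallow may already exist there.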
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f8efdb2..d8c6e0a 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -10,6 +10,7 @@
     adbd_exec
     app_binding_service
     apex_data_file
+    apex_metadata_file
     apex_mnt_dir
     apex_key_file
     apex_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 1129259..fbd26a1 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -9,6 +9,7 @@
     adb_service
     app_binding_service
     apex_data_file
+    apex_metadata_file
     apex_mnt_dir
     apex_key_file
     apex_service
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 70ceaca..1b76c38 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -8,6 +8,7 @@
     activity_task_service
     adb_service
     apex_data_file
+    apex_metadata_file
     apex_mnt_dir
     apex_key_file
     apex_service
diff --git a/private/domain.te b/private/domain.te
index 3b340c5..d6b233f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -221,6 +221,7 @@
   -dex2oat
   -otapreopt_slot
   -art_apex_postinstall
+  -art_apex_boot_integrity
 } dalvikcache_data_file:file no_w_file_perms;
 
 neverallow {
@@ -232,6 +233,7 @@
   -dex2oat
   -zygote
   -otapreopt_slot
+  -art_apex_boot_integrity
   -art_apex_postinstall
 } dalvikcache_data_file:dir no_w_dir_perms;
 
diff --git a/private/file_contexts b/private/file_contexts
index 33b4e18..f81f399 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -238,6 +238,7 @@
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot   u:object_r:otapreopt_chroot_exec:s0
 /system/bin/otapreopt_slot   u:object_r:otapreopt_slot_exec:s0
+/system/bin/art_apex_boot_integrity   u:object_r:art_apex_boot_integrity_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
 /system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
@@ -617,6 +618,7 @@
 # Metadata files
 #
 /metadata(/.*)?           u:object_r:metadata_file:s0
+/metadata/apex(/.*)?      u:object_r:apex_metadata_file:s0
 /metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
 /metadata/gsi(/.*)?       u:object_r:gsi_metadata_file:s0
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
diff --git a/private/mini_keyctl.te b/private/mini_keyctl.te
index c81a17c..53dbfce 100644
--- a/private/mini_keyctl.te
+++ b/private/mini_keyctl.te
@@ -8,7 +8,7 @@
 # Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
 dontaudit mini-keyctl init:key view;
 dontaudit mini-keyctl vold:key view;
-allow mini-keyctl kernel:key { view search write };
+allow mini-keyctl kernel:key { view search write setattr };
 allow mini-keyctl mini-keyctl:key { view search write };
 
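Review bot: The new `setattr` permission on `kernel:key` is not explained by the surrounding comments, which only cover why `view` is dontaudited for init and vold. A short why-comment above the changed line, e.g. `# setattr: change permissions/ownership of keys in the kernel keyring — TODO confirm which keyctl operation needs it`, would let a later reader judge whether the grant can be dropped. The `mini-keyctl:key` rule on the following line did not receive `setattr`, which is presumably intentional and worth stating.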
 # When kernel requests an algorithm, the crypto API first looks for an
diff --git a/private/system_server.te b/private/system_server.te
index a2cbc6f..082351d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -120,12 +120,8 @@
 allow system_server mediaserver:process { getsched setsched };
 allow system_server bootanim:process { getsched setsched };
 
-# Allow system_server to write to /proc/<pid>/timerslack_ns
-allow system_server appdomain:file w_file_perms;
-allow system_server audioserver:file w_file_perms;
-allow system_server cameraserver:file w_file_perms;
-allow system_server hal_audio_server:file w_file_perms;
-allow system_server hal_omx_server:file w_file_perms;
+# Allow system_server to write to /proc/<pid>/*
+allow system_server domain:file w_file_perms;
 
 # Read /proc/pid data for all domains. This is used by ProcessCpuTracker
 # within system_server to keep track of memory and CPU usage for
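Review bot: Replacing the five per-domain rules with `allow system_server domain:file w_file_perms;` grants write on the /proc/<pid>/ files of every process on the device, including init, kernel and vold, and the new comment `/proc/<pid>/*` no longer says which files are written or why the remaining domains were missing from the old list. Since /proc/<pid> entries carry the owning process's domain label there is no finer type to restrict to, so the comment should at least name the specific files (the old comment cited timerslack_ns) and the reason a blanket grant is required, e.g. `# Allow system_server to write to /proc/<pid>/ files (e.g. timerslack_ns) of every process it manages; domain is the only label these files carry`. If only a known subset of domains is actually managed, keeping an explicit list is the narrower grant.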
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 8aa475e..689ff5c 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -66,8 +66,9 @@
   proc_stat
 }:file r_file_perms;
 
-# Allow access to the IHealth HAL service for tracing battery counters.
+# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
 hal_client_domain(traced_probes, hal_health)
+hal_client_domain(traced_probes, hal_power_stats)
 
 # On debug builds allow to ingest system logs into the trace.
 userdebug_or_eng(`read_logd(traced_probes)')
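Review bot: The reworded comment still says `HAL service` although it now names two HALs; `# Allow access to the IHealth and IPowerStats HAL services for tracing battery counters.` reads correctly. Whether the IPowerStats data counts as battery counters is not clear from the hunk, so adjust the tail of the comment to what traced_probes actually reads from that HAL.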
diff --git a/public/file.te b/public/file.te
index 65b10d6..256bca5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -201,6 +201,8 @@
 type gsi_metadata_file, file_type;
 # system_server shares Weaver slot information in /metadata
 type password_slot_metadata_file, file_type;
+# APEX files within /metadata
+type apex_metadata_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;
diff --git a/public/property_contexts b/public/property_contexts
index f56bf53..2589941 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -353,25 +353,25 @@
 sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
 
 # Using Sysprop as API. So the ro.surface_flinger.* are guaranteed to be API-stable
-ro.surface_flinger.default_composition_dataspace u:object_r:exported_default_prop:s0 int
-ro.surface_flinger.default_composition_pixel_format u:object_r:exported_default_prop:s0 int
-ro.surface_flinger.force_hwc_copy_for_virtual_displays u:object_r:exported_default_prop:s0 bool
-ro.surface_flinger.has_HDR_display u:object_r:exported_default_prop:s0 bool
-ro.surface_flinger.has_wide_color_display u:object_r:exported_default_prop:s0 bool
-ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:exported_default_prop:s0 int
-ro.surface_flinger.max_virtual_display_dimension u:object_r:exported_default_prop:s0 int
-ro.surface_flinger.primary_display_orientation u:object_r:exported_default_prop:s0 string
-ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:exported_default_prop:s0 int
-ro.surface_flinger.running_without_sync_framework u:object_r:exported_default_prop:s0 bool
-ro.surface_flinger.start_graphics_allocator_service u:object_r:exported_default_prop:s0 bool
-ro.surface_flinger.use_color_management u:object_r:exported_default_prop:s0 bool
-ro.surface_flinger.use_context_priority u:object_r:exported_default_prop:s0 bool
-ro.surface_flinger.use_vr_flinger u:object_r:exported_default_prop:s0 bool
-ro.surface_flinger.vsync_event_phase_offset_ns u:object_r:exported_default_prop:s0 int
-ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:exported_default_prop:s0 int
-ro.surface_flinger.wcg_composition_dataspace u:object_r:exported_default_prop:s0 int
-ro.surface_flinger.wcg_composition_pixel_format u:object_r:exported_default_prop:s0 int
-ro.surface_flinger.display_primary_red u:object_r:exported_default_prop:s0 string
-ro.surface_flinger.display_primary_green u:object_r:exported_default_prop:s0 string
-ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 string
-ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 string
+ro.surface_flinger.default_composition_dataspace u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.default_composition_pixel_format u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.force_hwc_copy_for_virtual_displays u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.has_HDR_display u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.has_wide_color_display u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.max_virtual_display_dimension u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.primary_display_orientation u:object_r:exported_default_prop:s0 exact string
+ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.running_without_sync_framework u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.start_graphics_allocator_service u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_color_management u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_context_priority u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_vr_flinger u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.vsync_event_phase_offset_ns u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.wcg_composition_dataspace u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.wcg_composition_pixel_format u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.display_primary_red u:object_r:exported_default_prop:s0 exact string
+ro.surface_flinger.display_primary_green u:object_r:exported_default_prop:s0 exact string
+ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
+ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 528d8ba..fd0d6e3 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -55,6 +55,7 @@
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -70,6 +71,7 @@
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {
@@ -82,6 +84,7 @@
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -95,6 +98,7 @@
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -107,6 +111,7 @@
   -vendor_file_type
   -vold_metadata_file
   -gsi_metadata_file
+  -apex_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;
