diff --git a/Android.mk b/Android.mk
index 618f7f0..d496f1d 100644
--- a/Android.mk
+++ b/Android.mk
@@ -113,12 +113,6 @@
     ) \
 )))
 
-ifdef BOARD_ODM_SEPOLICY_DIRS
-ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
-$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS)
-endif
-endif
-
 ###########################################################
 # Compute policy files to be used in policy build.
 # $(1): files to include
@@ -315,15 +309,6 @@
     plat_bug_map \
     searchpolicy \
 
-# This conditional inclusion closely mimics the conditional logic
-# inside init/init.cpp for loading SELinux policy from files.
-ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
-# The following files are only allowed for non-Treble devices.
-LOCAL_REQUIRED_MODULES += \
-    sepolicy \
-
-endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
-
 ifneq ($(with_asan),true)
 ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
 LOCAL_REQUIRED_MODULES += \
@@ -334,11 +319,9 @@
 # Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
 LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
 
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 LOCAL_REQUIRED_MODULES += \
     $(addprefix treble_sepolicy_tests_,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
 
-endif  # PRODUCT_SEPOLICY_SPLIT
 endif  # SELINUX_IGNORE_NEVERALLOWS
 endif  # with_asan
 
@@ -532,24 +515,6 @@
 built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
 built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
 
-#################################
-# sepolicy is also built with Android.bp.
-# This module is to keep compatibility with monolithic sepolicy devices.
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := sepolicy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-
-include $(BUILD_SYSTEM)/base_rules.mk
-
-$(LOCAL_BUILT_MODULE): $(built_sepolicy)
-	$(copy-file-to-target)
-
 ##################################
 # TODO - remove this.   Keep around until we get the filesystem creation stuff taken care of.
 #
@@ -667,7 +632,6 @@
 ##################################
 # Tests for Treble compatibility of current platform policy and vendor policy of
 # given release version.
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
 
 built_plat_sepolicy       := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy
 built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy
@@ -681,7 +645,6 @@
   $(eval version_under_treble_tests := $(v)) \
   $(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
 )
-endif  # PRODUCT_SEPOLICY_SPLIT
 
 built_plat_sepolicy :=
 built_system_ext_sepolicy :=
diff --git a/apex/Android.bp b/apex/Android.bp
index 2dcae6f..22de5d4 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -43,6 +43,13 @@
 }
 
 filegroup {
+  name: "com.android.threadnetwork-file_contexts",
+  srcs: [
+    "com.android.threadnetwork-file_contexts",
+  ],
+}
+
+filegroup {
   name: "com.android.sdkext-file_contexts",
   srcs: [
     "com.android.sdkext-file_contexts",
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index f1aa92b..ada6c3b 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,6 +2,7 @@
 # System files
 #
 (/.*)?                         u:object_r:system_file:s0
+/bin/art_boot                  u:object_r:art_boot_exec:s0
 /bin/art_exec                  u:object_r:art_exec_exec:s0
 /bin/artd                      u:object_r:artd_exec:s0
 /bin/dex2oat(32|64)?           u:object_r:dex2oat_exec:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index cc60b70..a3fc35d 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -2,6 +2,7 @@
 # System files
 #
 (/.*)?                         u:object_r:system_file:s0
+/bin/art_boot                  u:object_r:art_boot_exec:s0
 /bin/art_exec                  u:object_r:art_exec_exec:s0
 /bin/artd                      u:object_r:artd_exec:s0
 /bin/dex2oat(d)?(32|64)?       u:object_r:dex2oat_exec:s0
diff --git a/apex/com.android.threadnetwork-file_contexts b/apex/com.android.threadnetwork-file_contexts
new file mode 100644
index 0000000..1aabee9
--- /dev/null
+++ b/apex/com.android.threadnetwork-file_contexts
@@ -0,0 +1,4 @@
+(/.*)?                         u:object_r:system_file:s0
+/bin/otbr-agent                u:object_r:ot_daemon_exec:s0
+/bin/ot-ctl                    u:object_r:ot_ctl_exec:s0
+/bin/ot-rcp                    u:object_r:ot_rcp_exec:s0
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 7c1aab2..d8c3ffb 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -151,7 +151,7 @@
 	if c.isTargetRecovery() {
 		return "false"
 	}
-	return strconv.FormatBool(ctx.DeviceConfig().SepolicySplit())
+	return strconv.FormatBool(true)
 }
 
 func (c *policyConf) compatibleProperty(ctx android.ModuleContext) string {
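Review bot: The new return spells a constant as `strconv.FormatBool(true)` while the sibling recovery branch two lines up returns the literal `"false"`; `return "true"` is clearer and consistent with that branch. If this was the file's only use of `strconv`, the import is now unused and Go will refuse to compile, so drop it in the same change (the import block is outside this hunk, so I cannot confirm). The `ctx` parameter is no longer read on this path either; keep it only if the signature is shared with a Soong interface. The enclosing function starts before the hunk.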
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 711e6d8..2150d83 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -307,7 +307,7 @@
 		"media.log":                    EXCEPTION_NO_FUZZER,
 		"media.player":                 EXCEPTION_NO_FUZZER,
 		"media.metrics":                []string{"mediametrics_aidl_fuzzer"},
-		"media.extractor":              EXCEPTION_NO_FUZZER,
+		"media.extractor":              []string{"mediaextractor_service_fuzzer"},
 		"media.transcoding":            EXCEPTION_NO_FUZZER,
 		"media.resource_manager":       EXCEPTION_NO_FUZZER,
 		"media.resource_observer":      EXCEPTION_NO_FUZZER,
@@ -458,7 +458,7 @@
 		"wifip2p":                      EXCEPTION_NO_FUZZER,
 		"wifiscanner":                  EXCEPTION_NO_FUZZER,
 		"wifi":                         EXCEPTION_NO_FUZZER,
-		"wifinl80211":                  EXCEPTION_NO_FUZZER,
+		"wifinl80211":                  []string{"wificond_service_fuzzer"},
 		"wifiaware":                    EXCEPTION_NO_FUZZER,
 		"wifirtt":                      EXCEPTION_NO_FUZZER,
 		"window":                       EXCEPTION_NO_FUZZER,
diff --git a/private/apexd.te b/private/apexd.te
index b74d4ee..f158ef6 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -102,8 +102,8 @@
 allow apexd staging_data_file:file relabelto;
 
 # allow apexd to read files from /vendor/apex
-allow apexd vendor_apex_file:dir r_dir_perms;
-allow apexd vendor_apex_file:file r_file_perms;
+r_dir_file(apexd, vendor_apex_file)
+r_dir_file(apexd, vendor_apex_metadata_file)
 
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
diff --git a/private/app.te b/private/app.te
index 754c802..3f8560a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -47,6 +47,7 @@
 get_prop(appdomain, dck_prop)
 get_prop(appdomain, persist_wm_debug_prop)
 get_prop(appdomain, persist_sysui_builder_extras_prop)
+get_prop(appdomain, persist_sysui_ranking_update_prop)
 
 # Allow the heap dump ART plugin to the count of sessions waiting for OOME
 get_prop(appdomain, traced_oome_heap_session_count_prop)
diff --git a/private/art_boot.te b/private/art_boot.te
new file mode 100644
index 0000000..0922931
--- /dev/null
+++ b/private/art_boot.te
@@ -0,0 +1,13 @@
+# ART boot oneshot service
+type art_boot, domain, coredomain;
+type art_boot_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(art_boot)
+
+# Allow query of device config properties, typically experiment flags.
+get_prop(art_boot, device_config_runtime_native_boot_prop)
+get_prop(art_boot, device_config_runtime_native_prop)
+
+# Allow ART to set its config properties at boot, mainly to be able to propagate
+# experiment flags to properties that only may change at boot.
+set_prop(art_boot, dalvik_config_prop_type)
diff --git a/private/atrace.te b/private/atrace.te
index 50ab392..1712648 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -77,3 +77,5 @@
   allow atrace debugfs_tracing_debug:dir r_dir_perms;
   allow atrace debugfs_tracing_debug:file rw_file_perms;
 ')
+
+dontaudit atrace debugfs_tracing_debug:file audit_access;
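Review bot: The new `dontaudit atrace debugfs_tracing_debug:file audit_access;` is placed outside the `userdebug_or_eng` block that grants the actual read/write access and carries no comment saying why silencing is wanted on every build. `audit_access` is only checked for access()/faccessat() probes, so on user builds, where the allow rules above do not exist, this hides the denial of a probe that is going to fail anyway; without a comment a reader may suspect a missing allow rule instead. I would add `# atrace probes debugfs tracing nodes with access(2) before using them; on user builds the probe is expected to fail, so do not log it.` (adjust if the probe is something other than access(2); I am inferring that from the permission name).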
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 8fa3985..204048e 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -2544,7 +2544,10 @@
 (typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
 (typeattributeset vendor_app_file_33_0 (vendor_app_file))
 (typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
-(typeattributeset vendor_configs_file_33_0 (vendor_configs_file))
+(typeattributeset vendor_configs_file_33_0
+  ( vendor_configs_file
+    vendor_apex_metadata_file
+))
 (typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
 (typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
 (typeattributeset vendor_file_33_0 (vendor_file))
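Review bot: Mapping `vendor_apex_metadata_file` into `vendor_configs_file_33_0` means a device still running 33.0 vendor policy will treat these objects as `vendor_configs_file`, which is only right if that is the label they carried on 33.0 devices rather than, say, `vendor_apex_file` (whose 33.0 set on L235 is left untouched). I cannot tell from this diff which label the split was made from, so please confirm against the vendor file_contexts entry. A one-line comment next to the set recording that rationale would save the next compat bump from having to rediscover it.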
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index aa42c19..d84d8ea 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -7,6 +7,8 @@
   ( new_objects
     adaptive_haptics_prop
     apex_ready_prop
+    art_boot
+    art_boot_exec
     artd
     bt_device
     build_attestation_prop
@@ -55,6 +57,7 @@
     ota_build_prop
     permissive_mte_prop
     persist_sysui_builder_extras_prop
+    persist_sysui_ranking_update_prop
     prng_seeder
     recovery_usb_config_prop
     remote_provisioning_service
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index 2299ba0..4f15d5a 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -6,6 +6,7 @@
 
 # Read /apex
 allow derive_classpath apex_mnt_dir:dir r_dir_perms;
+allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;
 
 # Create /data/system/environ/classpath file
 allow derive_classpath environ_system_data_file:dir rw_dir_perms;
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
index f46c614..c47f0a5 100644
--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@@ -6,6 +6,7 @@
 
 # Read /apex
 allow derive_sdk apex_mnt_dir:dir r_dir_perms;
+allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
 
 # Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
 set_prop(derive_sdk, module_sdkextensions_prop)
diff --git a/private/dex2oat.te b/private/dex2oat.te
index ea9ab9c..23f7444 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -110,4 +110,4 @@
 # Neverallow #
 ##############
 
-neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
+neverallow dex2oat app_data_file_type:notdevfile_class_set open;
diff --git a/private/domain.te b/private/domain.te
index 2cffdd8..692c962 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -539,6 +539,10 @@
 # Do not allow reading the last boot timestamp from system properties
 neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
 
+# Allow ART to set its config properties in its oneshot boot service, in
+# addition to the common init and vendor_init access.
+neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop:property_service set;
+
 # Kprobes should only be used by adb root
 neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
 
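Review bot: The new neverallow on L311 constrains only the type `dalvik_config_prop`, while the matching grant in art_boot.te is `set_prop(art_boot, dalvik_config_prop_type)`, an attribute. If that attribute groups any other property types, their setters are not covered by this assertion; either widen it to `neverallow { domain -art_boot -init -vendor_init } dalvik_config_prop_type:property_service set;` (only if every member really is init/vendor_init/art_boot-only) or say in the comment that the attribute is deliberately broader than the assertion. It would also help to note that this neverallow replaces the set restriction that `system_vendor_config_prop` used to provide before the property was made `system_public_prop` in public/property.te, since that is the only thing now keeping vendor domains from setting it.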
@@ -605,6 +609,7 @@
     -same_process_hal_file
     -vendor_app_file
     -vendor_apex_file
+    -vendor_apex_metadata_file
     -vendor_configs_file
     -vendor_service_contexts_file
     -vendor_framework_file
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 0491a33..4e1417b 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -56,7 +56,7 @@
 ### neverallow rules
 ###
 
-neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
+neverallow ephemeral_app app_data_file_type:file execute_no_trans;
 
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
diff --git a/private/file.te b/private/file.te
index f6781b0..e48fc4c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -131,5 +131,8 @@
 # in to satisfy MLS constraints for trusted domains.
 type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
 
+# /data/misc/threadnetwork
+type threadnetwork_data_file, file_type, data_file_type, core_data_file_type;
+
 # /sys/firmware/devicetree/base/avf
 type sysfs_dt_avf, fs_type, sysfs_type;
diff --git a/private/file_contexts b/private/file_contexts
index c9c51e4..123e4ed 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -655,6 +655,7 @@
 /data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
 /data/misc/textclassifier(/.*)?       u:object_r:textclassifier_data_file:s0
+/data/misc/threadnetwork(/.*)?        u:object_r:threadnetwork_data_file:s0
 /data/misc/train-info(/.*)?     u:object_r:stats_data_file:s0
 /data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
 /data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 0617a57..189d064 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -37,7 +37,7 @@
 #####
 
 # Isolated apps should not directly open app data files themselves.
-neverallow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
+neverallow isolated_app_all app_data_file_type:file open;
 
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 7e78c19..bd46ca4 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -19,6 +19,9 @@
 # Allow linkerconfig to read apex-info-list.xml
 allow linkerconfig apex_info_file:file r_file_perms;
 
+# Allow linkerconfig to read apex_manifest.pb file from vendor apex
+r_dir_file(linkerconfig, vendor_apex_metadata_file)
+
 # Allow linkerconfig to be called in the otapreopt_chroot
 allow linkerconfig otapreopt_chroot:fd use;
 allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
diff --git a/private/ot_ctl.te b/private/ot_ctl.te
new file mode 100644
index 0000000..12e7ce2
--- /dev/null
+++ b/private/ot_ctl.te
@@ -0,0 +1,11 @@
+#
+# ot_ctl is the commandline tool for controling the native Thread network daemon (ot_daemon).
+#
+
+type ot_ctl, domain, coredomain;
+type ot_ctl_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(ot_ctl)
+
+# Allow the ot_ctl to read/write the socket file.
+allow ot_ctl threadnetwork_data_file:sock_file {read write};
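Review bot: `allow ot_ctl threadnetwork_data_file:sock_file { read write }` is not enough for the tool to reach the daemon: connecting over a unix socket also needs `allow ot_ctl ot_daemon:unix_stream_socket connectto;` (or `unix_dgram_socket sendto` if it is a datagram socket) plus `allow ot_ctl threadnetwork_data_file:dir search;` to traverse /data/misc/threadnetwork, and neither appears in this change. Unless those rules live elsewhere, expect denials on first use. Separately, the header calls ot_ctl a command-line tool, but `init_daemon_domain(ot_ctl)` only sets up the init-to-ot_ctl transition and nothing lets shell execute it, so on a device it is only usable as an init service; a comment stating that would avoid confusion.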
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
new file mode 100644
index 0000000..98e1a0a
--- /dev/null
+++ b/private/ot_daemon.te
@@ -0,0 +1,24 @@
+#
+# ot_daemon is the native Thread network stack on the host (Android) side.
+# Refer to https://www.threadgroup.org for Thread network knowledge.
+#
+
+# ot_daemon
+type ot_daemon, domain, coredomain;
+type ot_daemon_exec, exec_type, file_type, system_file_type;
+
+# Allow init ot_daemon
+init_daemon_domain(ot_daemon)
+# Allow the ot_daemon to use the net domain.
+net_domain(ot_daemon)
+
+# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
+allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
+allow ot_daemon threadnetwork_data_file:file create_file_perms;
+allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+
+# used for simulation
+userdebug_or_eng(`
+create_pty(ot_daemon);
+domain_auto_trans(ot_daemon, ot_rcp_exec, ot_rcp);
+')
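Review bot: The two macro calls inside the userdebug_or_eng block carry trailing semicolons (`create_pty(ot_daemon);`, `domain_auto_trans(ot_daemon, ot_rcp_exec, ot_rcp);`) while the same file's `init_daemon_domain(ot_daemon)` and `net_domain(ot_daemon)` do not; the te_macros expansions normally end in terminated statements, so drop the semicolons for consistency with the rest of the policy. The `# used for simulation` comment should also say what is simulated, presumably that on userdebug/eng builds ot_daemon spawns ot-rcp as a fake radio co-processor over a pty instead of talking to real hardware. `net_domain` is the generic network-client grant; a sentence on why the daemon needs all of it rather than a narrower set would help future trimming.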
diff --git a/private/ot_rcp.te b/private/ot_rcp.te
new file mode 100644
index 0000000..0f6f1d3
--- /dev/null
+++ b/private/ot_rcp.te
@@ -0,0 +1,15 @@
+#
+# ot_rcp is the simulated Thread Radio Coprocessor device which is used by ot_daemon.
+#
+
+type ot_rcp, domain, coredomain;
+type ot_rcp_exec, exec_type, file_type, system_file_type;
+
+userdebug_or_eng(`
+allow ot_rcp ot_daemon:fd use;
+allow ot_rcp ot_daemon:fifo_file rw_file_perms;
+allow ot_rcp ot_daemon_devpts:chr_file {read write};
+allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
+allow ot_rcp port:udp_socket name_bind;
+allow ot_rcp node:udp_socket node_bind;
+')
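Review bot: The `ot_rcp` domain and `ot_rcp_exec` type are defined unconditionally, but every rule for the domain is under userdebug_or_eng and the only entry path (`domain_auto_trans` in ot_daemon.te) is likewise debug-only, so on user builds the domain exists with no permissions while /bin/ot-rcp is still shipped and labeled `ot_rcp_exec`. That is harmless policy-wise but should be stated in the header, e.g. `# Simulation only: reachable on userdebug/eng builds; on user builds nothing may transition into this domain.`. Also `allow ot_rcp port:udp_socket name_bind;` permits binding any unlabeled port; if the simulator uses a fixed port, a dedicated port type would narrow it, or at least comment which port is expected.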
diff --git a/private/platform_app.te b/private/platform_app.te
index 6d49502..1bd0020 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -48,6 +48,9 @@
 userdebug_or_eng(`
   set_prop(platform_app, persist_sysui_builder_extras_prop)
 ')
+userdebug_or_eng(`
+  set_prop(platform_app, persist_sysui_ranking_update_prop)
+')
 
 # com.android.captiveportallogin reads /proc/vmstat
 allow platform_app {
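Review bot: The new `userdebug_or_eng(` block on L465-L467 stacks a second guard directly under the identical block that already wraps `set_prop(platform_app, persist_sysui_builder_extras_prop)`; fold the two into one block containing both set_prop lines rather than duplicating the guard. Neither block has a comment saying what these properties toggle; a one-liner such as `# SystemUI notification experiment flags, settable by SystemUI on debug builds only` (judging by the property_contexts entries) would help.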
diff --git a/private/priv_app.te b/private/priv_app.te
index b455732..52077ef 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -262,10 +262,10 @@
 # application home directories. Code loading across a security boundary
 # is dangerous and allows a full compromise of a privileged process
 # by an unprivileged process. b/112357170
-neverallow priv_app app_data_file:file no_x_file_perms;
+neverallow priv_app { app_data_file_type -privapp_data_file }:file no_x_file_perms;
 
-# Do not follow untrusted app provided symlinks
-neverallow priv_app app_data_file:lnk_file { open read getattr };
+# Do not follow any app provided symlinks
+neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };
 
 # Do not allow getting permission-protected network information from sysfs.
 neverallow priv_app sysfs_net:file *;
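Review bot: The comment on L484 now says `Do not follow any app provided symlinks`, but the rule beneath it exempts `privapp_data_file`, so symlinks in privileged apps' data directories are deliberately left out of the assertion. Make the comment match the rule: `# Do not follow symlinks created by any non-privileged app (privapp_data_file is exempt: priv-apps must read their own home).`. The same exemption now applies to the no_x_file_perms rule on L480, whose block comment above the hunk still speaks only of "application home directories" and does not mention it.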
diff --git a/private/property.te b/private/property.te
index 35f9bc7..66c9cea 100644
--- a/private/property.te
+++ b/private/property.te
@@ -55,6 +55,7 @@
 system_restricted_prop(device_config_virtualization_framework_native_prop)
 system_restricted_prop(log_file_logger_prop)
 system_restricted_prop(persist_sysui_builder_extras_prop)
+system_restricted_prop(persist_sysui_ranking_update_prop)
 
 ###
 ### Neverallow rules
diff --git a/private/property_contexts b/private/property_contexts
index 2399163..19bd51a 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1562,4 +1562,5 @@
 ro.usb.uvc.enabled      u:object_r:usb_uvc_enabled_prop:s0 exact bool
 
 # System UI notification properties
+persist.sysui.notification.ranking_update_ashmem u:object_r:persist_sysui_ranking_update_prop:s0 exact bool
 persist.sysui.notification.builder_extras_override u:object_r:persist_sysui_builder_extras_prop:s0 exact bool
diff --git a/private/rs.te b/private/rs.te
index 268f040..a9b2edd 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -35,6 +35,6 @@
 neverallow rs rs:capability_class_set *;
 neverallow { domain -appdomain } rs:process { dyntransition transition };
 neverallow rs { domain -crash_dump }:process { dyntransition transition };
-neverallow rs app_data_file:file_class_set ~r_file_perms;
+neverallow rs app_data_file_type:file_class_set ~r_file_perms;
 # rs should never use network sockets
 neverallow rs *:network_socket_class_set *;
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 8e46ca3..b4c655b 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -35,7 +35,7 @@
 ### neverallow rules
 ###
 
-neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };
 
 # Receive or send uevent messages.
 neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
@@ -66,8 +66,9 @@
 neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
 
 # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
+# TODO(b/280514080): shell_data_file shouldn't be allowed here
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };
 
 # SDK sandbox processes don't  have any access to external storage
 neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
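Review bot: The new exemption lists on L543-L544 exclude `radio_data_file` alongside `shell_data_file`, but the TODO on L542 explains only shell; nothing says why the SDK sandbox may write radio data. If it is the same issue, widen the TODO to `# TODO(b/280514080): shell_data_file and radio_data_file shouldn't be allowed here`; if it is intentional, add a one-line reason so the exemption is not quietly kept forever. Since these are neverallows the exemption grants nothing by itself, but it removes the compile-time guarantee for those two types.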
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 4454bd7..abd6c7b 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -183,8 +183,8 @@
 user=_app isPrivApp=true name=com.google.android.providers.media.module:* domain=mediaprovider_app type=privapp_data_file levelFrom=all
 user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.rkpdapp domain=rkpdapp type=privapp_data_file levelFrom=all
 user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
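Review bot: Switching the two rkpdapp entries from `levelFrom=user` to `levelFrom=all` changes the MLS categories of the app's existing data directory on updating devices; unless the framework relabels app data when seapp_contexts changes (I believe it does on upgrade, but confirm for this app), files written under the old label would become inaccessible to the new one. The neighbouring gmscore entries stay at `levelFrom=user`, so a short comment on why rkpdapp wants per-app isolation would help the next reader; the motivation is not stated in the diff.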
diff --git a/private/shell.te b/private/shell.te
index 85d09f9..1b859d1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -136,6 +136,7 @@
 allow shell apex_info_file:file r_file_perms;
 allow shell vendor_apex_file:file r_file_perms;
 allow shell vendor_apex_file:dir r_dir_perms;
+allow shell vendor_apex_metadata_file:dir r_dir_perms;
 
 # Allow shell to read updated APEXes under /data/apex
 allow shell apex_data_file:dir search;
@@ -246,4 +247,6 @@
 
 # Allow shell to set persist.sysui.notification.builder_extras_override property
 userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
+# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
+userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')
 
diff --git a/private/system_server.te b/private/system_server.te
index 4356c26..d30f657 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -842,6 +842,8 @@
 
 # Read persist.sysui.notification.builder_extras_override property
 get_prop(system_server, persist_sysui_builder_extras_prop)
+# Read persist.sysui.notification.ranking_update_ashmem property
+get_prop(system_server, persist_sysui_ranking_update_prop)
 
 # Read ro.tuner.lazyhal
 get_prop(system_server, tuner_config_prop)
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 640b054..c7e81cd 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -58,7 +58,7 @@
 dontaudit traced_perf domain:process signal;
 
 # Never allow access to app data files
-neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
+neverallow traced_perf app_data_file_type:file *;
 
 # Never allow profiling privileged or otherwise incompatible domains.
 # Corresponding allow-rule is in private/domain.te.
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 3473eca..0556950 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -35,6 +35,9 @@
 allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
 allow webview_zygote apex_module_data_file:dir search;
 
+# To load overlay from /apex (vendor APEXes)
+allow webview_zygote vendor_apex_metadata_file:dir search;
+
 # Allow webview_zygote to create JIT memory.
 allow webview_zygote self:process execmem;
 
diff --git a/private/zygote.te b/private/zygote.te
index d61a431..c5cc73a 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -247,9 +247,11 @@
 # preloaded classes
 get_prop(zygote, persist_wm_debug_prop)
 
-# Allow zygote to read persist_sysui_builder_extras_prop to toggle experimental features in
-# core preloaded classes
+# Allow zygote to read persist_sysui_builder_extras_prop
+# and persist_sysui_ranking_update_prop
+# to toggle experimental features in core preloaded classes
 get_prop(zygote, persist_sysui_builder_extras_prop)
+get_prop(zygote, persist_sysui_ranking_update_prop)
 
 # Allow zygote to read /apex/apex-info-list.xml
 allow zygote apex_info_file:file r_file_perms;
@@ -258,6 +260,7 @@
 # preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
 allow zygote vendor_apex_file:dir { getattr search };
 allow zygote vendor_apex_file:file { getattr };
+allow zygote vendor_apex_metadata_file:dir { search };
 
 # Allow zygote to query for compression/features.
 r_dir_file(zygote, sysfs_fs_f2fs)
diff --git a/public/domain.te b/public/domain.te
index 4336770..4ad73f1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -334,6 +334,10 @@
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
+# Allow everyone to read media server-configurable flags, so that libstagefright can be
+# configured using server-configurable flags
+get_prop(domain, device_config_media_native_prop)
+
 ###
 ### neverallow rules
 ###
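Review bot: `get_prop(domain, device_config_media_native_prop)` grants read access to every domain, including isolated and ephemeral apps, vendor HALs and recovery, whereas the comment only motivates processes that link libstagefright. If the real consumer set is apps plus the media domains, `appdomain` and the media server domains would be the least-privilege grant; if the intent really is everyone because any process may load libstagefright, say so in the comment so the breadth reads as deliberate. This pairs with the move of the property from system_internal_prop to system_restricted_prop in public/property.te, which is what makes the grant legal for non-core domains.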
diff --git a/public/file.te b/public/file.te
index 7aad936..f7fafcb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -381,6 +381,8 @@
 type staging_data_file, file_type, data_file_type, core_data_file_type;
 # /vendor/apex
 type vendor_apex_file, vendor_file_type, file_type;
+# apex_manifest.pb in vendor apex
+type vendor_apex_metadata_file, vendor_file_type, file_type;
 # /data/system/shutdown-checkpoints
 type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
 
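Review bot: The comment on the new type says `apex_manifest.pb in vendor apex`, i.e. a file, yet several rules in this change grant only `dir` permissions on it (zygote and webview_zygote `dir search`, derive_classpath and derive_sdk `dir r_dir_perms`), so the label is evidently applied to directories as well. Name what the label actually covers, e.g. `# vendor APEX metadata: apex_manifest.pb and the directories it is reached through (see vendor file_contexts)`; I cannot see the file_contexts entry from here, so adjust the wording to the paths really labeled.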
diff --git a/public/init.te b/public/init.te
index a399b3a..c01dc93 100644
--- a/public/init.te
+++ b/public/init.te
@@ -660,7 +660,7 @@
 
 # Never read/follow symlinks created by shell or untrusted apps.
 neverallow init shell_data_file:lnk_file read;
-neverallow init { app_data_file privapp_data_file }:lnk_file read;
+neverallow init app_data_file_type:lnk_file read;
 
 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
diff --git a/public/logd.te b/public/logd.te
index 7f3c7bc..aaf3900 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -60,7 +60,12 @@
 neverallow logd system_file_type:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
-neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
+neverallow logd {
+    app_data_file_type
+    system_data_file
+    packages_list_file
+    -shell_data_file # for bugreports
+}:dir_file_class_set write;
 
 # Only init is allowed to enter the logd domain via exec()
 neverallow { domain -init } logd:process transition;
diff --git a/public/logpersist.te b/public/logpersist.te
index c8e6af4..6c1c404 100644
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -17,7 +17,7 @@
 neverallow logpersist domain:process ptrace;
 
 # Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+neverallow logpersist { app_data_file_type system_data_file }:dir_file_class_set write;
 
 # Only init should be allowed to enter the logpersist domain via exec()
 # Following is a list of debug domains we know that transition to logpersist
diff --git a/public/profman.te b/public/profman.te
index 727daee..85cdc1e 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -28,4 +28,4 @@
 ### neverallow rules
 ###
 
-neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
+neverallow profman app_data_file_type:notdevfile_class_set open;
diff --git a/public/property.te b/public/property.te
index a1f4ab5..c11264b 100644
--- a/public/property.te
+++ b/public/property.te
@@ -8,7 +8,6 @@
 system_internal_prop(device_config_activity_manager_native_boot_prop)
 system_internal_prop(device_config_boot_count_prop)
 system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
 system_internal_prop(device_config_netd_native_prop)
 system_internal_prop(device_config_reset_performed_prop)
 system_internal_prop(firstboot_prop)
@@ -68,6 +67,7 @@
 system_restricted_prop(composd_vm_art_prop)
 system_restricted_prop(device_config_camera_native_prop)
 system_restricted_prop(device_config_edgetpu_native_prop)
+system_restricted_prop(device_config_media_native_prop)
 system_restricted_prop(device_config_nnapi_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)
@@ -146,7 +146,6 @@
 system_vendor_config_prop(codec2_config_prop)
 system_vendor_config_prop(composd_vm_vendor_prop)
 system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(dalvik_config_prop)
 system_vendor_config_prop(debugfs_restriction_prop)
 system_vendor_config_prop(drm_service_config_prop)
 system_vendor_config_prop(exported_camera_prop)
@@ -209,6 +208,7 @@
 system_public_prop(ctl_interface_start_prop)
 system_public_prop(ctl_start_prop)
 system_public_prop(ctl_stop_prop)
+system_public_prop(dalvik_config_prop)
 system_public_prop(dalvik_dynamic_config_prop)
 system_public_prop(dalvik_runtime_prop)
 system_public_prop(debug_prop)
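Review bot: Moving `dalvik_config_prop` from `system_vendor_config_prop` to `system_public_prop` drops the macro-level guarantee that only init and vendor_init can set it; the replacement is the new neverallow in private/domain.te, which additionally admits art_boot. That link is invisible from this file, so record it at the declaration: `system_public_prop(dalvik_config_prop) # settable only by init, vendor_init, art_boot; see neverallow in private/domain.te`. Also check that no vendor policy relied on the `system_vendor_config_prop` attribute for this property, since the attribute membership changes with this move.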
diff --git a/public/recovery_persist.te b/public/recovery_persist.te
index b59d538..7224e87 100644
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -28,5 +28,5 @@
 neverallow recovery_persist system_file_type:dir_file_class_set write;
 
 # Write to files in /data/data
-neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write;
 
diff --git a/public/recovery_refresh.te b/public/recovery_refresh.te
index 78f93db..d20cd44 100644
--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@@ -21,4 +21,4 @@
 neverallow recovery_refresh system_file_type:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write;
diff --git a/public/te_macros b/public/te_macros
index 63805de..c4ebc63 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1047,6 +1047,7 @@
 define(`use_apex_info', `
   allow $1 apex_mnt_dir:dir r_dir_perms;
   allow $1 apex_info_file:file r_file_perms;
+  r_dir_file($1, vendor_apex_metadata_file)
 ')
 
 ####################################
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 3942c27..a9d1b5d 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -235,6 +235,7 @@
 set_prop(vendor_init, camera2_extensions_prop)
 set_prop(vendor_init, camerax_extensions_prop)
 set_prop(vendor_init, cpu_variant_prop)
+set_prop(vendor_init, dalvik_config_prop)
 set_prop(vendor_init, dalvik_dynamic_config_prop)
 set_prop(vendor_init, dalvik_runtime_prop)
 set_prop(vendor_init, debug_prop)
@@ -301,7 +302,7 @@
 neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
 
 # Never read/follow symlinks created by shell or untrusted apps.
-neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
+neverallow vendor_init app_data_file_type:lnk_file read;
 neverallow vendor_init shell_data_file:lnk_file read;
 # Init should not be creating subdirectories in /data/local/tmp
 neverallow vendor_init shell_data_file:dir { write add_name remove_name };
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 0bcc998..518ebbc 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -81,16 +81,20 @@
 
 def check_rule(pol, path: str, tcontext: str, rule: Rule) -> List[str]:
     """Returns error message if scontext can't read the target"""
+    errors = []
     match rule:
         case AllowRead(tclass, scontext):
-            te_rules = list(pol.QueryTERule(scontext=scontext,
-                                            tcontext={tcontext},
-                                            tclass={tclass},
-                                            perms={'read'}))
-            if len(te_rules) > 0:
-                return []  # no errors
+            # Test every source in scontext(set)
+            for s in scontext:
+                te_rules = list(pol.QueryTERule(scontext={s},
+                                                tcontext={tcontext},
+                                                tclass={tclass},
+                                                perms={'read'}))
+                if len(te_rules) > 0:
+                    continue  # no errors
 
-            return [f"Error: {path}: {scontext} can't read. (tcontext={tcontext})"]
+                errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")
+    return errors
 
 
 rules = [
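Review bot: The docstring on L827 still says `Returns error message if scontext can't read the target`, but the function now returns a list with one entry per member of `scontext` that cannot read; update it to `"""Return a list of error messages, one per scontext member that cannot read tcontext (empty when the rule passes)."""`. The loop can also drop the `continue`: `if not te_rules: errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")`. Note that `match` with a single `case` silently returns `[]` for any other Rule subclass; if that is intended, an explicit `case _: pass` with a comment would make it clear rather than accidental.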
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 9b427a0..9c87a00 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -93,6 +93,8 @@
         self.assert_ok('./etc/linker.config.pb u:object_r:linkerconfig_file:s0')
         self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
                         r'Error: .*linkerconfig.* can\'t read')
+        self.assert_error('./ u:object_r:apex_data_file:s0',
+                        r'Error: .*linkerconfig.* can\'t read')
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
