diff --git a/prebuilts/api/30.0/private/apexd.te b/prebuilts/api/30.0/private/apexd.te
index 9e702dd..7c7ddc6 100644
--- a/prebuilts/api/30.0/private/apexd.te
+++ b/prebuilts/api/30.0/private/apexd.te
@@ -37,6 +37,7 @@
   LOOP_SET_DIRECT_IO
   LOOP_CLR_FD
   BLKFLSBUF
+  LOOP_CONFIGURE
 };
 # allow apexd to access /dev/block
 allow apexd block_device:dir r_dir_perms;
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 0082827..7968b79 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -29,7 +29,7 @@
 allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
 
 # To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
+allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
 
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
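Review bot: The comment above the changed `allowxperm system_server apk_data_file:file ioctl` rule still describes only reading the signature and filling data blocks, while the rule now also permits `INCFS_IOCTL_GET_FILLED_BLOCKS`. I would extend it, for example to `# To get signature of an APK installed on Incremental File System, fill in data blocks and query filled blocks`, assuming that is what the new ioctl does, as its name suggests. That keeps the justification for every permitted ioctl next to the rule. The same applies to the identical hunk in private/system_server.te.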
diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines
index 4cc3bba..3c7758a 100644
--- a/prebuilts/api/30.0/public/ioctl_defines
+++ b/prebuilts/api/30.0/public/ioctl_defines
@@ -1059,6 +1059,7 @@
 define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
 define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
 define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
+define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
 define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
 define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
 define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
@@ -1370,6 +1371,7 @@
 define(`LOGGER_SET_VERSION', `0x0000ae06')
 define(`LOOP_CHANGE_FD', `0x00004c06')
 define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_CONFIGURE', `0x00004c0a')
 define(`LOOP_CTL_ADD', `0x00004c80')
 define(`LOOP_CTL_GET_FREE', `0x00004c82')
 define(`LOOP_CTL_REMOVE', `0x00004c81')
diff --git a/private/apexd.te b/private/apexd.te
index eb0adb8..b7d6702 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -37,6 +37,7 @@
   LOOP_SET_DIRECT_IO
   LOOP_CLR_FD
   BLKFLSBUF
+  LOOP_CONFIGURE
 };
 # allow apexd to access /dev/block
 allow apexd block_device:dir r_dir_perms;
diff --git a/private/binder_in_vendor_violators.te b/private/binder_in_vendor_violators.te
deleted file mode 100644
index 4a1218e..0000000
--- a/private/binder_in_vendor_violators.te
+++ /dev/null
@@ -1 +0,0 @@
-allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
diff --git a/private/bug_map b/private/bug_map
index c2670ef..eaa1593 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,6 +1,5 @@
 dnsmasq netd fifo_file b/77868789
 dnsmasq netd unix_stream_socket b/77868789
-gmscore_app ashmem_device chr_file b/160984921
 gmscore_app system_data_file dir b/146166941
 init app_data_file file b/77873135
 init cache_file blk_file b/77873135
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
new file mode 100644
index 0000000..171f68a
--- /dev/null
+++ b/private/canhalconfigurator.te
@@ -0,0 +1,11 @@
+type canhalconfigurator, domain, coredomain;
+type canhalconfigurator_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(canhalconfigurator)
+
+# This allows the configurator to look up the CAN HAL controller via
+# hwservice_manager and communicate with it.
+allow canhalconfigurator hal_can_controller_hwservice:hwservice_manager find;
+binder_call(canhalconfigurator, hal_can_controller);
+allow canhalconfigurator hidl_manager_hwservice:hwservice_manager find;
+hwbinder_use(canhalconfigurator);
+get_prop(canhalconfigurator, hwservicemanager_prop);
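Review bot: The comment in the new file explains the `hal_can_controller_hwservice` lookup but not why this coredomain also needs `find` on `hidl_manager_hwservice`. A one-line comment such as `# Needed to list registered CAN HAL instances via hwservicemanager` (if that is the reason) would let a later audit decide whether the grant is still required. As a style point, `binder_call(...)`, `hwbinder_use(...)` and `get_prop(...)` carry trailing semicolons while `init_daemon_domain(canhalconfigurator)` does not; dropping them keeps the macro calls consistent.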
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 44d7535..d16d9ed 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1,4 +1,5 @@
 ;; types removed from current policy
+(type cgroup_bpf)
 (type exported_audio_prop)
 (type exported_dalvik_prop)
 (type exported_ffs_prop)
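Review bot: `cgroup_bpf` is declared here as a removed type, while the second hunk of 30.0.ignore.cil lists `cgroup_v2` as a brand-new type, so the rename is not expressed as a compatibility mapping. Unless a line outside these hunks adds `cgroup_v2` to the versioned attribute for `cgroup_bpf`, vendor policy built against 30.0 with rules on `cgroup_bpf` would stop matching the cgroup2 filesystem once genfs_contexts labels it `cgroup_v2`. For a rename I would expect something like `(typeattributeset cgroup_bpf_30_0 (cgroup_v2))` in 30.0.cil instead of the ignore entry. It is worth confirming which behaviour is intended.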
@@ -17,6 +18,8 @@
 (type ffs_prop)
 (type system_radio_prop)
 
+(typeattribute binder_in_vendor_violators)
+
 (expandtypeattribute (DockObserver_service_30_0) true)
 (expandtypeattribute (IProxyService_service_30_0) true)
 (expandtypeattribute (accessibility_service_30_0) true)
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 1ebfe88..1441a5b 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -11,6 +11,7 @@
     gki_apex_prepostinstall
     gki_apex_prepostinstall_exec
     gnss_device
+    hal_dumpstate_config_prop
     keystore2_key_contexts_file
     mediatranscoding_tmpfs
     people_service
@@ -18,5 +19,6 @@
     profcollectd_data_file
     profcollectd_exec
     profcollectd_service
-    update_engine_stable_service))
-
+    update_engine_stable_service
+    cgroup_v2
+    userspace_reboot_metadata_file))
diff --git a/private/file_contexts b/private/file_contexts
index 08e9e2f..5cc5b9b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -202,6 +202,7 @@
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
 /system/bin/charger		u:object_r:charger_exec:s0
+/system/bin/canhalconfigurator  u:object_r:canhalconfigurator_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0
 /system/bin/e2fsck	--	u:object_r:fsck_exec:s0
@@ -259,6 +260,7 @@
 /system/bin/art_apex_boot_integrity   u:object_r:art_apex_boot_integrity_exec:s0
 /system/bin/credstore	u:object_r:credstore_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
+/system/bin/keystore2	u:object_r:keystore_exec:s0
 /system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
 /system/bin/tombstoned u:object_r:tombstoned_exec:s0
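Review bot: `/system/bin/keystore2` is labelled `keystore_exec`, so the new daemon presumably runs in the existing keystore domain and inherits every rule written for the legacy binary. The service_contexts hunk does the same for `android.security.keystore2` with `keystore_service`, which makes the new service findable by every domain that can already find the legacy one. If the sharing is a deliberate bring-up step, record it with a comment such as `# keystore2 shares the keystore domain until it gets its own policy`. Otherwise, separate exec and service types would let the two implementations be restricted independently.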
@@ -733,6 +735,7 @@
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 /metadata/bootstat(/.*)?  u:object_r:metadata_bootstat_file:s0
 /metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
+/metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 
 #############################
 # asec containers
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e67c5d3..433abbc 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -103,7 +103,7 @@
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_bpf:s0
+genfscon cgroup2 / u:object_r:cgroup_v2:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
diff --git a/private/gsid.te b/private/gsid.te
index 3ff9d67..9d07adb 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -133,7 +133,10 @@
 allowxperm gsid {
       gsi_data_file
       ota_image_data_file
-}:file ioctl FS_IOC_FIEMAP;
+}:file ioctl {
+      FS_IOC_FIEMAP
+      FS_IOC_GETFLAGS
+};
 
 allow gsid system_server:binder call;
 
diff --git a/private/property.te b/private/property.te
index d62ea9c..2d3d861 100644
--- a/private/property.te
+++ b/private/property.te
@@ -446,3 +446,10 @@
   -dumpstate
   -appdomain
 } camera_calibration_prop:file no_rw_file_perms;
+
+neverallow {
+  -init
+  -dumpstate
+  -hal_dumpstate_server
+  not_compatible_property(`-vendor_init')
+} hal_dumpstate_config_prop:file no_rw_file_perms;
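Review bot: The new neverallow covers only `hal_dumpstate_config_prop:file`, that is, access to the property file, and leaves the set of domains that may set the property unconstrained. `set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)` in public/hal_dumpstate.te grants `property_service set`, and nothing here stops a later change from granting the same to another domain. I would add a second neverallow on `hal_dumpstate_config_prop:property_service set`, with an exemption list limited to the intended setters. That pins who can switch on verbose dumpstate logging as well as who can read the flag.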
diff --git a/private/property_contexts b/private/property_contexts
index 0c563fd..2397150 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -517,6 +517,7 @@
 
 dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
 dumpstate.unroot  u:object_r:exported_dumpstate_prop:s0 exact bool
+persist.dumpstate.verbose_logging.enabled u:object_r:hal_dumpstate_config_prop:s0 exact bool
 
 hal.instrumentation.enable u:object_r:hal_instrumentation_prop:s0 exact bool
 
diff --git a/private/service_contexts b/private/service_contexts
index 51161c0..808edcc 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -16,6 +16,7 @@
 android.os.UpdateEngineStableService      u:object_r:update_engine_stable_service:s0
 android.security.identity                 u:object_r:credstore_service:s0
 android.security.keystore                 u:object_r:keystore_service:s0
+android.security.keystore2                u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_integrity                             u:object_r:app_integrity_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 23b710a..8191b6a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -29,7 +29,7 @@
 allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
 
 # To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
+allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
 
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
@@ -930,6 +930,8 @@
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
+allow system_server cgroup_v2:dir rw_dir_perms;
+allow system_server cgroup_v2:file rw_file_perms;
 
 r_dir_file(system_server, proc_asound)
 r_dir_file(system_server, proc_net_type)
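Review bot: The two added `cgroup_v2` rules give system_server write access to directories and files across the whole cgroup2 mount, because genfs_contexts labels `cgroup2 /` with a single type. No comment says which feature needs it. A one-line comment naming that feature above the rules would record the intent, and if only one subtree is required, a narrower genfscon label would keep the grant scoped. The first hunk of public/init.te has a similar undocumented widening: alongside the rename it changes `{ create mounton }` to `{ mounton create_dir_perms }`.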
@@ -1159,6 +1161,9 @@
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
+allow system_server userspace_reboot_metadata_file:file create_file_perms;
+
 # Allow system server rw access to files in /metadata/staged-install folder
 allow system_server staged_install_file:dir rw_dir_perms;
 allow system_server staged_install_file:file create_file_perms;
@@ -1200,6 +1205,10 @@
 } password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
 
+# Only system_server/init should access /metadata/userspacereboot.
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
+
 # Allow systemserver to read/write the invalidation property
 set_prop(system_server, binder_cache_system_server_prop)
 neverallow { domain -system_server -init }
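Review bot: The added neverallow rules are narrower than the comment above them, which says only system_server and init should access /metadata/userspacereboot. `userspace_reboot_metadata_file:file no_rw_file_perms` appears to leave permissions outside that set (for example `getattr` or `relabelto`) open to other domains, and classes such as `lnk_file`, `sock_file` and `fifo_file` are not covered at all. The password_slot_metadata_file rules just above use `notdevfile_class_set` with `*`, and `~{ relabelto getattr }` where an exception is needed. Following that pattern, e.g. `neverallow { domain -init -system_server } userspace_reboot_metadata_file:notdevfile_class_set *;`, would make the policy match the stated intent. If some permissions must stay open, the comment should say which.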
diff --git a/public/attributes b/public/attributes
index f5663a9..ce6e540 100644
--- a/public/attributes
+++ b/public/attributes
@@ -108,9 +108,9 @@
 # Currently there are no enforcements between /system and /product, so for now
 # /product attributes are just replaced to /system attributes.
 define(`product_property_type',   `system_property_type')
-define(`product_internal_type',   `system_internal_property_type')
-define(`product_restricted_type', `system_restricted_property_type')
-define(`product_public_type',     `system_public_property_type')
+define(`product_internal_property_type',   `system_internal_property_type')
+define(`product_restricted_property_type', `system_restricted_property_type')
+define(`product_public_property_type',     `system_public_property_type')
 
 # All properties defined by /vendor.
 attribute vendor_property_type;
@@ -200,11 +200,6 @@
 attribute coredomain_socket;
 expandattribute coredomain_socket false;
 
-# All vendor domains which violate the requirement of not using Binder
-# TODO(b/35870313): Remove this once there are no violations
-attribute binder_in_vendor_violators;
-expandattribute binder_in_vendor_violators false;
-
 # All vendor domains which violate the requirement of not using sockets for
 # communicating with core components
 # TODO(b/36577153): Remove this once there are no violations
diff --git a/public/domain.te b/public/domain.te
index f23e832..58b2d98 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -644,7 +644,6 @@
   neverallow {
     domain
     -coredomain
-    -binder_in_vendor_violators # TODO(b/131617943) remove once all violators are gone
   } {
     service_manager_type
     -vendor_service
diff --git a/public/file.te b/public/file.te
index 3cf2ff0..4144956 100644
--- a/public/file.te
+++ b/public/file.te
@@ -77,7 +77,7 @@
 type selinuxfs, fs_type, mlstrustedobject;
 type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
-type cgroup_bpf, fs_type;
+type cgroup_v2, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
@@ -233,6 +233,8 @@
 type ota_metadata_file, file_type;
 # property files within /metadata/bootstat
 type metadata_bootstat_file, file_type;
+# userspace reboot files within /metadata/userspacereboot
+type userspace_reboot_metadata_file, file_type;
 # Staged install files within /metadata/staged-install
 type staged_install_file, file_type;
 
@@ -529,7 +531,7 @@
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
-allow cgroup_bpf tmpfs:filesystem associate;
+allow cgroup_v2 tmpfs:filesystem associate;
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index b7676ed..9f854e3 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,6 +2,8 @@
 binder_call(hal_dumpstate_client, hal_dumpstate_server)
 binder_call(hal_dumpstate_server, hal_dumpstate_client)
 
+set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
+
 hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
 
 # write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
diff --git a/public/init.te b/public/init.te
index 7dc522a..f84bacb 100644
--- a/public/init.te
+++ b/public/init.te
@@ -96,7 +96,7 @@
     postinstall_mnt_dir
     mirror_data_file
 }:dir mounton;
-allow init cgroup_bpf:dir { create mounton };
+allow init cgroup_v2:dir { mounton create_dir_perms };
 
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;
@@ -579,6 +579,7 @@
 allow init vold_metadata_file:file getattr;
 allow init metadata_bootstat_file:dir create_dir_perms;
 allow init metadata_bootstat_file:file w_file_perms;
+allow init userspace_reboot_metadata_file:file w_file_perms;
 
 # Allow init to touch PSI monitors
 allow init proc_pressure_mem:file { rw_file_perms setattr };
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 4cc3bba..3c7758a 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1059,6 +1059,7 @@
 define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
 define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
 define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
+define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
 define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
 define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
 define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
@@ -1370,6 +1371,7 @@
 define(`LOGGER_SET_VERSION', `0x0000ae06')
 define(`LOOP_CHANGE_FD', `0x00004c06')
 define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_CONFIGURE', `0x00004c0a')
 define(`LOOP_CTL_ADD', `0x00004c80')
 define(`LOOP_CTL_GET_FREE', `0x00004c82')
 define(`LOOP_CTL_REMOVE', `0x00004c81')
diff --git a/public/netd.te b/public/netd.te
index ad2dde9..48e79b7 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -62,7 +62,7 @@
 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;
 
-r_dir_file(netd, cgroup_bpf)
+r_dir_file(netd, cgroup_v2)
 
 allow netd fs_bpf:dir search;
 allow netd fs_bpf:file { read write };
diff --git a/public/property.te b/public/property.te
index 3c913b1..34ed999 100644
--- a/public/property.te
+++ b/public/property.te
@@ -169,6 +169,7 @@
 system_public_prop(exported_overlay_prop)
 system_public_prop(exported_pm_prop)
 system_public_prop(ffs_control_prop)
+system_public_prop(hal_dumpstate_config_prop)
 system_public_prop(sota_prop)
 system_public_prop(hwservicemanager_prop)
 system_public_prop(lmkd_prop)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index a7de93f..a09d4fc 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -57,6 +57,7 @@
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -userspace_reboot_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -75,6 +76,7 @@
   -gsi_metadata_file
   -apex_metadata_file
   -apex_info_file
+  -userspace_reboot_metadata_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {
@@ -89,6 +91,7 @@
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -userspace_reboot_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -104,6 +107,7 @@
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -userspace_reboot_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 
 allow vendor_init {
@@ -118,6 +122,7 @@
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -userspace_reboot_metadata_file
 }:dir_file_class_set relabelto;
 
 allow vendor_init dev_type:dir create_dir_perms;
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 1046fa8..9209b66 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -294,7 +294,7 @@
     return ret
 
 def TestViolatorAttributes():
-    ret = TestViolatorAttribute("binder_in_vendor_violators")
+    ret = ""
     ret += TestViolatorAttribute("socket_between_core_and_vendor_violators")
     ret += TestViolatorAttribute("vendor_executes_system_violators")
     return ret
